authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-20 00:42:49 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-20 00:42:49 +0200
commitd07d139ae42fb2c4263c96167ca6ca67f562bbe9 (patch)
tree71e2876a24746fb1a7aecac4450a6b74e0fc33b7 /nixops/scripts
parent08822d6f730053c97cfd9c27111b4302d9a94081 (diff)
Add GPG keys importing from password store
Diffstat (limited to 'nixops/scripts')
-rwxr-xr-xnixops/scripts/setup27
1 files changed, 26 insertions, 1 deletions
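--- a/nixops/scripts/setup
+++ b/nixops/scripts/setup
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -euxo pipefail
+set -euo pipefail
 
 RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
 DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"
@@ -52,6 +52,31 @@ if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
   fi
 fi
 
+gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
+for key in $gpg_keys; do
+  content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)
+  fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
+  gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
+  # /usr/share/doc/gnupg/DETAILS field 2
+  (echo "$content" | gpg --import-options show-only --import --with-colons |
+    grep -E '^pub:' |
+    cut -d':' -f2 |
+    grep -q '[fu]') && signed=yes || signed=no
+  if [ "$signed" = no -o "$imported" = no ] ; then
+    echo "The key for $key needs to be imported and signed (a local signature is enough)"
+    echo "$content" | gpg --import-options show-only --import
+    echo "Continue? [y/N]"
+    read y
+    if [ "$y" = "y" -o "$y" = "Y" ]; then
+      echo "$content" | gpg --import
+      gpg --expert --edit-key "$fpr" lsign quit
+    else
+      echo "Aborting"
+      exit 1
+    fi
+  fi
+done
+
 nix_group=$(stat -c %G /nix/store)
 if [ "$nix_group" = "nixbld" ]; then
   nix_user="nixbld1"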
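Review bot: `fpr` on new line 58 is not a fingerprint: field 5 of the `pub` record in `--with-colons` output is the key ID, so `gpg --list-key "$fpr"` and `gpg --expert --edit-key "$fpr" lsign quit` select the key by an identifier that more than one key can carry, and if the keyring already holds another key with that ID the local signature may land on a key other than the one shown to the user. Take the fingerprint from the `fpr` record instead, e.g. `fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^fpr" | cut -d':' -f10 | head -n1)` (the first `fpr` record belongs to the primary key; subkeys get their own), which also keeps `fpr` single-valued when a pass entry contains several public keys, where the current `grep -e "^pub"` yields a multi-line value. Smaller points in the same loop: `read y` should be `read -r y`, and the `-o` tests `[ "$signed" = no -o "$imported" = no ]` and `[ "$y" = "y" -o "$y" = "Y" ]` are better written with `||` inside `[[ ... ]]`, as ShellCheck flags.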