diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-08-27 23:53:36 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-08-27 23:53:36 +0200 |
| commit | 1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7 (patch) | |
| tree | bb6335465082ec87ac6503f0fccecda7d89ad958 /nixops | |
| parent | 7e214bf9e1bb58b83317db95dfb70dbeac0a4e28 (diff) | |
| download | Nix-1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7.tar.gz Nix-1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7.tar.zst Nix-1052bfda27ad0607cd4dc5dc91e2d8e8220c30c7.zip | |
Simplify management of secrets in nixops
Diffstat (limited to 'nixops')
| -rw-r--r-- | nixops/Makefile | 37 | ||||
| -rwxr-xr-x | nixops/scripts/setup | 39 | ||||
| -rwxr-xr-x | nixops/scripts/with_env | 9 | ||||
| m--------- | nixops/secrets | 0 |
4 files changed, 12 insertions, 73 deletions
diff --git a/nixops/Makefile b/nixops/Makefile index c521682..a7b24cd 100644 --- a/nixops/Makefile +++ b/nixops/Makefile | |||
| @@ -1,8 +1,5 @@ | |||
| 1 | export | 1 | export |
| 2 | ifndef NIXOPS_CONFIG_PASS_SUBTREE_PATH | 2 | PASSWORD_STORE_DIR = $(shell pwd)/secrets |
| 3 | $(error Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH to the password-store subtree path) | ||
| 4 | endif | ||
| 5 | |||
| 6 | NIXOPS_STATE ?= ./state/eldiron.nixops | 3 | NIXOPS_STATE ?= ./state/eldiron.nixops |
| 7 | NIXOPS_DEPLOYMENT = cef694f3-081d-11e9-b31f-0242ec186adf | 4 | NIXOPS_DEPLOYMENT = cef694f3-081d-11e9-b31f-0242ec186adf |
| 8 | nixpkgs ?= $(shell cat ../nix/sources.json | jq -r '."nixpkgs-nixops".url') | 5 | nixpkgs ?= $(shell cat ../nix/sources.json | jq -r '."nixpkgs-nixops".url') |
| @@ -34,6 +31,9 @@ ifdef TARGET | |||
| 34 | endif | 31 | endif |
| 35 | SSH_ARGS ?= | 32 | SSH_ARGS ?= |
| 36 | 33 | ||
| 34 | edit_env: | ||
| 35 | pass edit Nixops/files/environment.nix || true | ||
| 36 | |||
| 37 | nixops: | 37 | nixops: |
| 38 | $(NIXOPS_PRIV) $(NIXOPS_ARGS) | 38 | $(NIXOPS_PRIV) $(NIXOPS_ARGS) |
| 39 | 39 | ||
| @@ -101,17 +101,6 @@ cleanup: delete-generations | |||
| 101 | .PHONY: cleanup | 101 | .PHONY: cleanup |
| 102 | 102 | ||
| 103 | ###### Pull environment and deployment from remote | 103 | ###### Pull environment and deployment from remote |
| 104 | # Don't include pull_deployment by default as this should happen only rarely | ||
| 105 | pull: pull_environment; | ||
| 106 | .PHONY: pull | ||
| 107 | |||
| 108 | pull_environment: | ||
| 109 | ifndef NIXOPS_CONFIG_PASS_SUBTREE_REMOTE | ||
| 110 | $(error "Please set NIXOPS_CONFIG_PASS_SUBTREE_REMOTE to the password-store subtree remote name") | ||
| 111 | endif | ||
| 112 | pass git subtree pull --prefix=$(NIXOPS_CONFIG_PASS_SUBTREE_PATH) $(NIXOPS_CONFIG_PASS_SUBTREE_REMOTE) master | ||
| 113 | .PHONY: pull_environment | ||
| 114 | |||
| 115 | pull_deployment: | 104 | pull_deployment: |
| 116 | @if $(NIXOPS) info -d $(NIXOPS_DEPLOYMENT) 2>/dev/null >/dev/null ; then \ | 105 | @if $(NIXOPS) info -d $(NIXOPS_DEPLOYMENT) 2>/dev/null >/dev/null ; then \ |
| 117 | echo "This will remove your current deployment file and recreate it!. Continue? [y/N]" && \ | 106 | echo "This will remove your current deployment file and recreate it!. Continue? [y/N]" && \ |
| @@ -119,7 +108,7 @@ pull_deployment: | |||
| 119 | [ "$$y" = "y" -o "$$y" = "Y" ] && \ | 108 | [ "$$y" = "y" -o "$$y" = "Y" ] && \ |
| 120 | $(NIXOPS) delete --force -d $(NIXOPS_DEPLOYMENT); \ | 109 | $(NIXOPS) delete --force -d $(NIXOPS_DEPLOYMENT); \ |
| 121 | fi | 110 | fi |
| 122 | pass show $(NIXOPS_CONFIG_PASS_SUBTREE_PATH)/Nixops/Deployment | $(NIXOPS) import | 111 | pass show Nixops/Deployment | $(NIXOPS) import |
| 123 | $(NIXOPS) modify -d $(NIXOPS_DEPLOYMENT) "$$(pwd)/default.nix" | 112 | $(NIXOPS) modify -d $(NIXOPS_DEPLOYMENT) "$$(pwd)/default.nix" |
| 124 | .PHONY: pull_deployment | 113 | .PHONY: pull_deployment |
| 125 | 114 | ||
| @@ -127,17 +116,7 @@ deployment_is_set: | |||
| 127 | $(NIXOPS) info -d $(NIXOPS_DEPLOYMENT) 2>/dev/null >/dev/null | 116 | $(NIXOPS) info -d $(NIXOPS_DEPLOYMENT) 2>/dev/null >/dev/null |
| 128 | .PHONY: deployment_is_set | 117 | .PHONY: deployment_is_set |
| 129 | 118 | ||
| 130 | ###### Push environment and deployment information to password store | 119 | ###### Push deployment information to password store |
| 131 | push: push_deployment push_environment; | ||
| 132 | .PHONY: push | ||
| 133 | |||
| 134 | push_deployment: | 120 | push_deployment: |
| 135 | $(NIXOPS) export | pass insert -m $(NIXOPS_CONFIG_PASS_SUBTREE_PATH)/Nixops/Deployment | 121 | $(NIXOPS) export | pass insert -m Nixops/Deployment |
| 136 | .PHONY: push_deployment | 122 | .PHONY: push |
| 137 | |||
| 138 | push_environment: | ||
| 139 | ifndef NIXOPS_CONFIG_PASS_SUBTREE_REMOTE | ||
| 140 | $(error "Please set NIXOPS_CONFIG_PASS_SUBTREE_REMOTE to the password-store subtree remote name") | ||
| 141 | endif | ||
| 142 | pass git subtree push --prefix=$(NIXOPS_CONFIG_PASS_SUBTREE_PATH) $(NIXOPS_CONFIG_PASS_SUBTREE_REMOTE) master | ||
| 143 | .PHONY: push_environment | ||
diff --git a/nixops/scripts/setup b/nixops/scripts/setup index 3b364ac..22f43ce 100755 --- a/nixops/scripts/setup +++ b/nixops/scripts/setup | |||
| @@ -2,7 +2,6 @@ | |||
| 2 | 2 | ||
| 3 | set -euo pipefail | 3 | set -euo pipefail |
| 4 | 4 | ||
| 5 | RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites" | ||
| 6 | MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )" | 5 | MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )" |
| 7 | 6 | ||
| 8 | if ! which nix 2>/dev/null >/dev/null; then | 7 | if ! which nix 2>/dev/null >/dev/null; then |
| @@ -21,43 +20,9 @@ if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then | |||
| 21 | exit 1 | 20 | exit 1 |
| 22 | fi | 21 | fi |
| 23 | 22 | ||
| 24 | if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \ | 23 | gpg_keys=$(pass ls Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2) |
| 25 | -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then | ||
| 26 | cat <<-EOF | ||
| 27 | Two environment variables are needed to setup the password store: | ||
| 28 | NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported | ||
| 29 | NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository | ||
| 30 | EOF | ||
| 31 | exit 1 | ||
| 32 | fi | ||
| 33 | |||
| 34 | if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then | ||
| 35 | cat <<-EOF | ||
| 36 | /!\ This will modify your password store to add and import a subtree | ||
| 37 | with the specific passwords files. Choose a path that doesn’t exist | ||
| 38 | yet in your password store. | ||
| 39 | > pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo | ||
| 40 | > pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master | ||
| 41 | Later, you can use pull_environment and push_environment scripts to | ||
| 42 | update the passwords when needed | ||
| 43 | Continue? [y/N] | ||
| 44 | EOF | ||
| 45 | read y | ||
| 46 | if [ "$y" = "y" -o "$y" = "Y" ]; then | ||
| 47 | pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo | ||
| 48 | pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master | ||
| 49 | else | ||
| 50 | echo "Aborting" | ||
| 51 | exit 1 | ||
| 52 | fi | ||
| 53 | fi | ||
| 54 | |||
| 55 | # Repull it before adding keys, just in case | ||
| 56 | make -C $MAKEFILE_DIR pull_environment | ||
| 57 | |||
| 58 | gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2) | ||
| 59 | for key in $gpg_keys; do | 24 | for key in $gpg_keys; do |
| 60 | content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key) | 25 | content=$(pass show Nixops/GPGKeys/$key) |
| 61 | fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5) | 26 | fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5) |
| 62 | gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no | 27 | gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no |
| 63 | # /usr/share/doc/gnupg/DETAILS field 2 | 28 | # /usr/share/doc/gnupg/DETAILS field 2 |
diff --git a/nixops/scripts/with_env b/nixops/scripts/with_env index dd0fecb..26e74b5 100755 --- a/nixops/scripts/with_env +++ b/nixops/scripts/with_env | |||
| @@ -5,11 +5,6 @@ if [ -z "$NIXOPS" ]; then | |||
| 5 | exit 1; | 5 | exit 1; |
| 6 | fi | 6 | fi |
| 7 | 7 | ||
| 8 | if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then | ||
| 9 | echo "Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH to the password-store subtree path" | ||
| 10 | exit 1; | ||
| 11 | fi | ||
| 12 | |||
| 13 | TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files) | 8 | TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files) |
| 14 | chmod go-rwx $TEMP | 9 | chmod go-rwx $TEMP |
| 15 | 10 | ||
| @@ -21,10 +16,10 @@ finish() { | |||
| 21 | trap finish EXIT | 16 | trap finish EXIT |
| 22 | 17 | ||
| 23 | # pass cannot "just" list files in a directory without showing a tree :( | 18 | # pass cannot "just" list files in a directory without showing a tree :( |
| 24 | files=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/files | sed -e '1d' -e 's/^.* //') | 19 | files=$(pass ls Nixops/files | sed -e '1d' -e 's/^.* //') |
| 25 | 20 | ||
| 26 | for file in $files; do | 21 | for file in $files; do |
| 27 | pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/files/$file" > $TEMP/$file | 22 | pass show "Nixops/files/$file" > $TEMP/$file |
| 28 | done | 23 | done |
| 29 | $NIXOPS set-args --argstr privateFiles "$TEMP" | 24 | $NIXOPS set-args --argstr privateFiles "$TEMP" |
| 30 | 25 | ||
diff --git a/nixops/secrets b/nixops/secrets new file mode 160000 | |||
| Subproject d34d5490226809ff9863ce4e66bd59a68ead861 | |||