Squash changes containing private information

There were a lot of changes since the previous commit, but a lot of them contained personnal information about users. All thos changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-04 01:35:06 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-04 02:11:48 +0200
commit: 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree: 1b9df4838f894577a09b9b260151756272efeb53 /scripts
parent: fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
download: Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz
Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst
Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip
6 files changed, 207 insertions, 174 deletions
diff --git a/scripts/fetch_version b/scripts/fetch_version
deleted file mode 100755
index 5c4715a..0000000
--- a/scripts/fetch_version
+++ /dev/null
@@ -1,173 +0,0 @@
-#!/usr/bin/env bash
-usage() {
-  echo "$0 file.json"
-  echo "$0 [-n|--name name] [-b|--branch branch_or_rev] [-f|--file out_file] [-h|--help] (-u|--url) url"
-  exit
-}
-branch="master"
-while [[ $# -gt 0 ]]; do
-  a="$1"
-  shift
-  case "$a" in
-    *.json)
-      file=$a
-      content=$(cat $a)
-      name="$(echo "$content" | jq -r ".meta.name")"
-      url="$(echo "$content" | jq -r ".meta.url")"
-      branch="$(echo "$content" | jq -r ".meta.branch")"
-      ;;
-    -n|--name)
-      name=$1
-      shift
-      ;;
-    -u|--url)
-      url=$1
-      shift
-      ;;
-    -b|--branch)
-      branch=$1
-      shift
-      ;;
-    -f|--file)
-      file=$1
-      shift
-      ;;
-    -h|--help)
-      usage
-      ;;
-  esac
-done
-if [ -z "$url" ]; then
-  usage
-fi
-if [ -z "$name" ]; then
-  name=$(echo "$url" | cut -d"/" -f5)
-fi
-if [ -z "$file" ]; then
-  file=$name.json
-fi
-# function fetch_ledger () {
-#   pushd $HOME/projets/ledger >/dev/null 2>/dev/null
-#   git fetch origin
-#   tag="$(git describe origin/next | sed -e "s/^v//")"
-#   rev="$(git show-ref -s refs/remotes/origin/next)"
-#   sha="$(nix-prefetch-url --unpack file://<(git archive --format=tar.gz HEAD) 2>/dev/null)"
-#   popd >/dev/null 2>/dev/null
-# }
-# awk_describe='BEGIN {
-#   FS = "[ /^]+"
-#   while ("git ls-remote " ARGV[1] "| sort -Vk2" | getline) {
-#     if (!sha)
-#       sha = substr($0, 1, 7)
-#     tag = $3
-#   }
-#   while ("curl -s " ARGV[1] "/releases/tag/" tag | getline)
-#     if ($3 ~ "commits")
-#       com = $2
-#   printf com ? "%s-%s-g%s\n" : "%s\n", tag, com, sha
-# }'
-function get_ref () {
-  case "$1" in
-    refs/*)
-      echo "$1"
-      ;;
-    *)
-      echo "refs/heads/$1"
-      ;;
-  esac
-}
-function get_name () {
-  branch="$1"
-  rev="$2"
-  minirev=${rev:0:7}
-  case "$branch" in
-    refs/tags/*)
-      b="${branch#refs/tags/}"
-      echo "${b//\//-}"
-      ;;
-    refs/heads/*)
-      b=${branch#refs/heads/}
-      echo "$minirev-${b//\//-}"
-      ;;
-    refs/*)
-      b=${branch#refs/}
-      echo "$minirev-${b//\//-}"
-      ;;
-    *)
-      echo "$minirev-${branch//\//-}"
-      ;;
-  esac
-}
-function fetch_github () {
-  rev="$(git ls-remote --refs $url $(get_ref $branch) | head -n1 | cut -f1)"
-  sha="$(nix-prefetch-url --unpack $url/archive/$rev.tar.gz)"
-  # Différent du git-describe et github-spécifique
-  #tag=$(echo "$awk_describe" | awk -f - $url | sed -e "s/^v//")
-  tag=$(get_name $branch $rev)
-}
-function fetch_other () {
-  rev="$(git ls-remote --refs $url $(get_ref $branch) | head -n1 | cut -f1)"
-  sha="$(nix-prefetch-git --url $url --rev $(get_ref $branch) | jq -r '.sha256')"
-  tag=$(get_name $branch $rev)
-}
-case "$url" in
-  https://*github.com/*)
-    fetch_github 2>/dev/null
-    owner=$(echo "$url" | cut -d"/" -f4)
-    repo=$(echo "$url" | cut -d"/" -f5)
-    F='{
-      "tag": $tag,
-      "meta": {
-        "name": $name,
-        "url": $url,
-        "branch": $branch
-      },
-      "github": {
-        "owner": $owner,
-        "repo": $repo,
-        "rev": $rev,
-        "sha256": $sha,
-        "fetchSubmodules": true
-      }
-    }'
-    ;;
-  *)
-    fetch_other 2>/dev/null
-    F='{
-      "tag": $tag,
-      "meta": {
-        "name": $name,
-        "url": $url,
-        "branch": $branch
-      },
-      "git": {
-        "url": $url,
-        "rev": $rev,
-        "sha256": $sha,
-        "fetchSubmodules": true
-      }
-    }'
-    ;;
-esac
-jq -n \
-  --arg name "$name" \
-  --arg owner "$owner" \
-  --arg repo "$repo" \
-  --arg tag "$tag" \
-  --arg rev "$rev" \
-  --arg url "$url" \
-  --arg branch "$branch" \
-  --arg sha "$sha" \
-  "$F" > $file
diff --git a/scripts/make-nur b/scripts/make-nur
index 127f8bd..2b7278f 100755
--- a/scripts/make-nur
+++ b/scripts/make-nur
@@ -19,7 +19,7 @@ git rebase --onto=$nur_root $first_commit master
 # The list below musn't get shrinked, it is used by filter-branch on
 # every commit
 clean_folder='
-  rm -rf config lib/private modules/private pkgs/private nixops
+  rm -rf config lib/private modules/private pkgs/private deploy
  for broken in pkgs/crypto/cardano/default.nix; do
    if [ -f $broken ]; then
      rm -f $broken
diff --git a/scripts/refresh_flakes b/scripts/refresh_flakes
new file mode 100755
index 0000000..2bbcad6
--- /dev/null
+++ b/scripts/refresh_flakes
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -e
+declare -A refreshed
+while [ -n "$1" ]; do
+  case "$1" in
+    --no-new-inputs)
+      no_new_inputs="y"
+      shift;;
+    *)
+      flake_or_dir="$1"
+      shift;;
+  esac
+done
+refresh_deps() {
+  local flake
+  local inputs=()
+  local depname
+  local deppath
+  flake="$(realpath $1)"
+  if [ "${refreshed[$flake]}" = 1 ]; then
+    return
+  fi
+  pushd "$flake" 2>/dev/null >/dev/null
+  if [ -z "$no_new_inputs" ]; then
+    nix --no-warn-dirty flake lock
+  fi
+  if [ ! -e "$flake/flake.lock" ]; then
+    popd 2>/dev/null >/dev/null
+    refreshed[$flake]=1
+    return
+  fi
+  deps=$(jq -r '. as $root | .nodes[.root].inputs|values|to_entries|map({ key: .key, value: $root.nodes[.value].original.path })[]|select(.value != null)|.key + " " + .value' < flake.lock)
+  if [ -n "$deps" ]; then
+    while read depname deppath; do
+      refresh_deps "$deppath"
+      inputs+=(--update-input "$depname")
+    done <<<"$deps"
+  fi
+  nix --no-warn-dirty flake lock "${inputs[@]}"
+  popd 2>/dev/null >/dev/null
+  refreshed[$flake]=1
+}
+git_dir=$(git rev-parse --show-toplevel)
+# If argument is given (flake.nix or directory containing), refresh that argument
+# Otherwise, if we are in a subdirectory containing a flake.nix, refresh that
+# Otherwise, refresh all
+if [ -n "$flake_or_dir" ]; then
+  if [ -d "$flake_or_dir" -a -e "$1/flake.nix" ]; then
+    refresh_deps "$flake_or_dir"
+  elif [ -f "$flake_or_dir" -a -e "$(dirname $flake_or_dir)/flake.nix" ]; then
+    refresh_deps "$(dirname $flake_or_dir)"
+  else
+    echo "No flake.nix file in specified location"
+    exit 1
+  fi
+else
+  if [ "$(pwd)" != "$git_dir" -a -e "$(pwd)/flake.nix" ]; then
+    refresh_deps "$(pwd)"
+  else
+    find $git_dir -name "flake.lock" | while read flake; do
+      refresh_deps "$(dirname $flake)"
+    done
+  fi
+fi
diff --git a/scripts/setup b/scripts/setup
new file mode 100755
index 0000000..db0f353
--- /dev/null
+++ b/scripts/setup
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+set -euo pipefail
+if ! which nix 2>/dev/null >/dev/null; then
+  cat <<-EOF
+        nix is needed, please install it:
+        > curl https://nixos.org/nix/install | sh
+        (or any other way handled by your distribution)
+        EOF
+  exit 1
+fi
+if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
+  cat <<-EOF
+        Nix store outside of /nix/store is not supported
+        EOF
+  exit 1
+fi
+if ! which direnv 2>/dev/null >/dev/null; then
+  cat <<-EOF
+        direnv is needed, please install it
+        EOF
+  exit 1
+fi
+if [ -z "$NIXOPS_ENV_LOADED" ]; then
+  cat <<-EOF
+        direnv environment needs to be loaded
+        EOF
+  exit 1
+fi
+if [ "$(git config --get include.path)" != "../.gitconfig" ]; then
+  cat <<-EOF
+        it is recommended to include the .gitconfig file into (local) git configuration:
+        git config --local include.path '../.gitconfig'
+        Run this command? [y/N]
+        EOF
+  read y
+  if [ "$y" = "y" -o "$y" = "Y" ]; then
+    git config --local include.path '../.gitconfig'
+  fi
+fi
+for key in public_keys/*; do
+  fpr=$(cat "$key" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
+  gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
+  # /usr/share/doc/gnupg/DETAILS field 2
+  (cat "$key" | gpg --import-options show-only --import --with-colons |
+      grep -E '^pub:' |
+      cut -d':' -f2 |
+      grep -q '[fu]') && signed=yes || signed=no
+  if [ "$signed" = no -o "$imported" = no ] ; then
+    echo "The key for $key needs to be imported and signed (a local signature is enough)"
+    cat "$key" | gpg --import-options show-only --import
+    echo "Continue? [y/N]"
+    read y
+    if [ "$y" = "y" -o "$y" = "Y" ]; then
+      cat "$key" | gpg --import
+      gpg --expert --edit-key "$fpr" lsign quit
+    else
+      echo "Aborting"
+      exit 1
+    fi
+  fi
+done
+if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
+  cat <<-EOF
+        There used to be some impure derivations (grep __noChroot), you may need
+          sandbox = "relaxed"
+        in /etc/nix/nix.conf
+        you may also want to add
+          keep-outputs = true
+          keep-derivations = true
+        to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
+        and
+          allow-import-from-derivation = false
+        as an attempt to avoid having build-time derivations (doesn’t work for all packages)
+        press key to continue
+        EOF
+  read y
+fi
+cat <<-EOF
+        All set up.
+        Please make sure you’re using make commands when deploying
+        EOF
diff --git a/scripts/update_flake b/scripts/update_flake
new file mode 100755
index 0000000..3a9cd17
--- /dev/null
+++ b/scripts/update_flake
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+searched_file="$1"
+get_inputs() {
+  flake=$1
+  name=$2
+  cat "$flake" | jq -r --arg name "$name" '.nodes|to_entries[]|select(.value.original.path != null and (.value.original.path|test("(../)+" + $name)))|.key'
+}
+find flakes -name "flake.lock" | while read flake; do
+  for input in $(get_inputs "$flake" "$searched_file"); do
+    echo "updating $input in $(dirname "$flake")"
+    pushd "$(dirname "$flake")" >/dev/null 2>/dev/null
+    nix flake update --update-input "$input"
+    popd >/dev/null 2>/dev/null
+  done
+done
diff --git a/scripts/with_env b/scripts/with_env
new file mode 100755
index 0000000..783d86c
--- /dev/null
+++ b/scripts/with_env
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+if [ -z "$SOPS_VARS_FILE" ]; then
+  echo "Variable SOPS_VARS_FILE is needed with a path to the sops variables"
+  exit 1;
+fi
+umask 0077
+TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files)
+chmod go-rwx $TEMP
+finish() {
+  rm -rf "$TEMP"
+}
+trap finish EXIT
+sops -d $SOPS_VARS_FILE | yq -r .ssl_keys.nix_repository > $TEMP/id_ed25519
+cat > $TEMP/ssh_config <<EOF
+Host *
+IdentityFile $TEMP/id_ed25519
+EOF
+export SSH_CONFIG_FILE="$TEMP/ssh_config"
+export SSH_IDENTITY_FILE="$TEMP/id_ed25519"
+"$@"
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-04 01:35:06 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-04 02:11:48 +0200
commit	1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree	1b9df4838f894577a09b9b260151756272efeb53 /scripts
parent	fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
download	Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip

diff --git a/scripts/fetch_version b/scripts/fetch_version deleted file mode 100755 index 5c4715a..0000000 --- a/scripts/fetch_version +++ /dev/null
@@ -1,173 +0,0 @@
1	#!/usr/bin/env bash
2
3	usage() {
4	echo "$0 file.json"
5	echo "$0 [-n\|--name name] [-b\|--branch branch_or_rev] [-f\|--file out_file] [-h\|--help] (-u\|--url) url"
6	exit
7	}
8
9	branch="master"
10	while [[ $# -gt 0 ]]; do
11	a="$1"
12	shift
13	case "$a" in
14	*.json)
15	file=$a
16	content=$(cat $a)
17	name="$(echo "$content" \| jq -r ".meta.name")"
18	url="$(echo "$content" \| jq -r ".meta.url")"
19	branch="$(echo "$content" \| jq -r ".meta.branch")"
20	;;
21	-n\|--name)
22	name=$1
23	shift
24	;;
25	-u\|--url)
26	url=$1
27	shift
28	;;
29	-b\|--branch)
30	branch=$1
31	shift
32	;;
33	-f\|--file)
34	file=$1
35	shift
36	;;
37	-h\|--help)
38	usage
39	;;
40	esac
41	done
42	if [ -z "$url" ]; then
43	usage
44	fi
45	if [ -z "$name" ]; then
46	name=$(echo "$url" \| cut -d"/" -f5)
47	fi
48	if [ -z "$file" ]; then
49	file=$name.json
50	fi
51
52	# function fetch_ledger () {
53	# pushd $HOME/projets/ledger >/dev/null 2>/dev/null
54	# git fetch origin
55	# tag="$(git describe origin/next \| sed -e "s/^v//")"
56	# rev="$(git show-ref -s refs/remotes/origin/next)"
57	# sha="$(nix-prefetch-url --unpack file://<(git archive --format=tar.gz HEAD) 2>/dev/null)"
58	# popd >/dev/null 2>/dev/null
59	# }
60
61	# awk_describe='BEGIN {
62	# FS = "[ /^]+"
63	# while ("git ls-remote " ARGV[1] "\| sort -Vk2" \| getline) {
64	# if (!sha)
65	# sha = substr($0, 1, 7)
66	# tag = $3
67	# }
68	# while ("curl -s " ARGV[1] "/releases/tag/" tag \| getline)
69	# if ($3 ~ "commits")
70	# com = $2
71	# printf com ? "%s-%s-g%s\n" : "%s\n", tag, com, sha
72	# }'
73
74	function get_ref () {
75	case "$1" in
76	refs/*)
77	echo "$1"
78	;;
79	*)
80	echo "refs/heads/$1"
81	;;
82	esac
83	}
84
85	function get_name () {
86	branch="$1"
87	rev="$2"
88	minirev=${rev:0:7}
89
90	case "$branch" in
91	refs/tags/*)
92	b="${branch#refs/tags/}"
93	echo "${b//\//-}"
94	;;
95	refs/heads/*)
96	b=${branch#refs/heads/}
97	echo "$minirev-${b//\//-}"
98	;;
99	refs/*)
100	b=${branch#refs/}
101	echo "$minirev-${b//\//-}"
102	;;
103	*)
104	echo "$minirev-${branch//\//-}"
105	;;
106	esac
107	}
108
109	function fetch_github () {
110	rev="$(git ls-remote --refs $url $(get_ref $branch) \| head -n1 \| cut -f1)"
111	sha="$(nix-prefetch-url --unpack $url/archive/$rev.tar.gz)"
112	# Différent du git-describe et github-spécifique
113	#tag=$(echo "$awk_describe" \| awk -f - $url \| sed -e "s/^v//")
114	tag=$(get_name $branch $rev)
115	}
116
117	function fetch_other () {
118	rev="$(git ls-remote --refs $url $(get_ref $branch) \| head -n1 \| cut -f1)"
119	sha="$(nix-prefetch-git --url $url --rev $(get_ref $branch) \| jq -r '.sha256')"
120	tag=$(get_name $branch $rev)
121	}
122
123	case "$url" in
124	https://github.com/)
125	fetch_github 2>/dev/null
126	owner=$(echo "$url" \| cut -d"/" -f4)
127	repo=$(echo "$url" \| cut -d"/" -f5)
128
129	F='{
130	"tag": $tag,
131	"meta": {
132	"name": $name,
133	"url": $url,
134	"branch": $branch
135	},
136	"github": {
137	"owner": $owner,
138	"repo": $repo,
139	"rev": $rev,
140	"sha256": $sha,
141	"fetchSubmodules": true
142	}
143	}'
144	;;
145	*)
146	fetch_other 2>/dev/null
147	F='{
148	"tag": $tag,
149	"meta": {
150	"name": $name,
151	"url": $url,
152	"branch": $branch
153	},
154	"git": {
155	"url": $url,
156	"rev": $rev,
157	"sha256": $sha,
158	"fetchSubmodules": true
159	}
160	}'
161	;;
162	esac
163
164	jq -n \
165	--arg name "$name" \
166	--arg owner "$owner" \
167	--arg repo "$repo" \
168	--arg tag "$tag" \
169	--arg rev "$rev" \
170	--arg url "$url" \
171	--arg branch "$branch" \
172	--arg sha "$sha" \
173	"$F" > $file


diff --git a/scripts/make-nur b/scripts/make-nur index 127f8bd..2b7278f 100755 --- a/scripts/make-nur +++ b/scripts/make-nur
@@ -19,7 +19,7 @@ git rebase --onto=$nur_root $first_commit master
19	# The list below musn't get shrinked, it is used by filter-branch on	19	# The list below musn't get shrinked, it is used by filter-branch on
20	# every commit	20	# every commit
21	clean_folder='	21	clean_folder='
22	rm -rf config lib/private modules/private pkgs/private nixops	22	rm -rf config lib/private modules/private pkgs/private deploy
23	for broken in pkgs/crypto/cardano/default.nix; do	23	for broken in pkgs/crypto/cardano/default.nix; do
24	if [ -f $broken ]; then	24	if [ -f $broken ]; then
25	rm -f $broken	25	rm -f $broken


diff --git a/scripts/refresh_flakes b/scripts/refresh_flakes new file mode 100755 index 0000000..2bbcad6 --- /dev/null +++ b/scripts/refresh_flakes
@@ -0,0 +1,71 @@
		1	#!/usr/bin/env bash
		2
		3	set -e
		4
		5	declare -A refreshed
		6
		7	while [ -n "$1" ]; do
		8	case "$1" in
		9	--no-new-inputs)
		10	no_new_inputs="y"
		11	shift;;
		12	*)
		13	flake_or_dir="$1"
		14	shift;;
		15	esac
		16	done
		17
		18	refresh_deps() {
		19	local flake
		20	local inputs=()
		21	local depname
		22	local deppath
		23	flake="$(realpath $1)"
		24	if [ "${refreshed[$flake]}" = 1 ]; then
		25	return
		26	fi
		27	pushd "$flake" 2>/dev/null >/dev/null
		28	if [ -z "$no_new_inputs" ]; then
		29	nix --no-warn-dirty flake lock
		30	fi
		31	if [ ! -e "$flake/flake.lock" ]; then
		32	popd 2>/dev/null >/dev/null
		33	refreshed[$flake]=1
		34	return
		35	fi
		36
		37	deps=$(jq -r '. as $root \| .nodes[.root].inputs\|values\|to_entries\|map({ key: .key, value: $root.nodes[.value].original.path })[]\|select(.value != null)\|.key + " " + .value' < flake.lock)
		38	if [ -n "$deps" ]; then
		39	while read depname deppath; do
		40	refresh_deps "$deppath"
		41	inputs+=(--update-input "$depname")
		42	done <<<"$deps"
		43	fi
		44	nix --no-warn-dirty flake lock "${inputs[@]}"
		45	popd 2>/dev/null >/dev/null
		46	refreshed[$flake]=1
		47	}
		48
		49	git_dir=$(git rev-parse --show-toplevel)
		50
		51	# If argument is given (flake.nix or directory containing), refresh that argument
		52	# Otherwise, if we are in a subdirectory containing a flake.nix, refresh that
		53	# Otherwise, refresh all
		54	if [ -n "$flake_or_dir" ]; then
		55	if [ -d "$flake_or_dir" -a -e "$1/flake.nix" ]; then
		56	refresh_deps "$flake_or_dir"
		57	elif [ -f "$flake_or_dir" -a -e "$(dirname $flake_or_dir)/flake.nix" ]; then
		58	refresh_deps "$(dirname $flake_or_dir)"
		59	else
		60	echo "No flake.nix file in specified location"
		61	exit 1
		62	fi
		63	else
		64	if [ "$(pwd)" != "$git_dir" -a -e "$(pwd)/flake.nix" ]; then
		65	refresh_deps "$(pwd)"
		66	else
		67	find $git_dir -name "flake.lock" \| while read flake; do
		68	refresh_deps "$(dirname $flake)"
		69	done
		70	fi
		71	fi


diff --git a/scripts/setup b/scripts/setup new file mode 100755 index 0000000..db0f353 --- /dev/null +++ b/scripts/setup
@@ -0,0 +1,90 @@
		1	#!/usr/bin/env bash
		2
		3	set -euo pipefail
		4
		5	if ! which nix 2>/dev/null >/dev/null; then
		6	cat <<-EOF
		7	nix is needed, please install it:
		8	> curl https://nixos.org/nix/install \| sh
		9	(or any other way handled by your distribution)
		10	EOF
		11	exit 1
		12	fi
		13
		14	if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
		15	cat <<-EOF
		16	Nix store outside of /nix/store is not supported
		17	EOF
		18	exit 1
		19	fi
		20
		21	if ! which direnv 2>/dev/null >/dev/null; then
		22	cat <<-EOF
		23	direnv is needed, please install it
		24	EOF
		25	exit 1
		26	fi
		27
		28	if [ -z "$NIXOPS_ENV_LOADED" ]; then
		29	cat <<-EOF
		30	direnv environment needs to be loaded
		31	EOF
		32	exit 1
		33	fi
		34
		35	if [ "$(git config --get include.path)" != "../.gitconfig" ]; then
		36	cat <<-EOF
		37	it is recommended to include the .gitconfig file into (local) git configuration:
		38	git config --local include.path '../.gitconfig'
		39	Run this command? [y/N]
		40	EOF
		41	read y
		42	if [ "$y" = "y" -o "$y" = "Y" ]; then
		43	git config --local include.path '../.gitconfig'
		44	fi
		45	fi
		46
		47	for key in public_keys/*; do
		48	fpr=$(cat "$key" \| gpg --import-options show-only --import --with-colons \| grep -e "^pub" \| cut -d':' -f5)
		49	gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes \|\| imported=no
		50	# /usr/share/doc/gnupg/DETAILS field 2
		51	(cat "$key" \| gpg --import-options show-only --import --with-colons \|
		52	grep -E '^pub:' \|
		53	cut -d':' -f2 \|
		54	grep -q '[fu]') && signed=yes \|\| signed=no
		55	if [ "$signed" = no -o "$imported" = no ] ; then
		56	echo "The key for $key needs to be imported and signed (a local signature is enough)"
		57	cat "$key" \| gpg --import-options show-only --import
		58	echo "Continue? [y/N]"
		59	read y
		60	if [ "$y" = "y" -o "$y" = "Y" ]; then
		61	cat "$key" \| gpg --import
		62	gpg --expert --edit-key "$fpr" lsign quit
		63	else
		64	echo "Aborting"
		65	exit 1
		66	fi
		67	fi
		68	done
		69
		70	if nix show-config --json \| jq -e '.sandbox.value == "true"' >/dev/null; then
		71	cat <<-EOF
		72	There used to be some impure derivations (grep __noChroot), you may need
		73	sandbox = "relaxed"
		74	in /etc/nix/nix.conf
		75	you may also want to add
		76	keep-outputs = true
		77	keep-derivations = true
		78	to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
		79	and
		80	allow-import-from-derivation = false
		81	as an attempt to avoid having build-time derivations (doesn’t work for all packages)
		82	press key to continue
		83	EOF
		84	read y
		85	fi
		86
		87	cat <<-EOF
		88	All set up.
		89	Please make sure you’re using make commands when deploying
		90	EOF


diff --git a/scripts/update_flake b/scripts/update_flake new file mode 100755 index 0000000..3a9cd17 --- /dev/null +++ b/scripts/update_flake
@@ -0,0 +1,18 @@
		1	#!/usr/bin/env bash
		2
		3	searched_file="$1"
		4
		5	get_inputs() {
		6	flake=$1
		7	name=$2
		8	cat "$flake" \| jq -r --arg name "$name" '.nodes\|to_entries[]\|select(.value.original.path != null and (.value.original.path\|test("(../)+" + $name)))\|.key'
		9	}
		10
		11	find flakes -name "flake.lock" \| while read flake; do
		12	for input in $(get_inputs "$flake" "$searched_file"); do
		13	echo "updating $input in $(dirname "$flake")"
		14	pushd "$(dirname "$flake")" >/dev/null 2>/dev/null
		15	nix flake update --update-input "$input"
		16	popd >/dev/null 2>/dev/null
		17	done
		18	done


diff --git a/scripts/with_env b/scripts/with_env new file mode 100755 index 0000000..783d86c --- /dev/null +++ b/scripts/with_env
@@ -0,0 +1,27 @@
		1	#!/usr/bin/env bash
		2
		3	if [ -z "$SOPS_VARS_FILE" ]; then
		4	echo "Variable SOPS_VARS_FILE is needed with a path to the sops variables"
		5	exit 1;
		6	fi
		7
		8	umask 0077
		9	TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files)
		10	chmod go-rwx $TEMP
		11
		12	finish() {
		13	rm -rf "$TEMP"
		14	}
		15
		16	trap finish EXIT
		17
		18	sops -d $SOPS_VARS_FILE \| yq -r .ssl_keys.nix_repository > $TEMP/id_ed25519
		19
		20	cat > $TEMP/ssh_config <<EOF
		21	Host *
		22	IdentityFile $TEMP/id_ed25519
		23	EOF
		24	export SSH_CONFIG_FILE="$TEMP/ssh_config"
		25	export SSH_IDENTITY_FILE="$TEMP/id_ed25519"
		26
		27	"$@"