-rwxr-xr-x | nixops/scripts/nixops_wrap | 6 | ||||
-rwxr-xr-x | nixops/scripts/setup | 82 | ||||
-rw-r--r-- | nixops/ssh/config | 5 |
3 files changed, 90 insertions, 3 deletions
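--- a/nixops/scripts/nixops_wrap
+++ b/nixops/scripts/nixops_wrap
@@ -1,7 +1,7 @@
 #!/bin/bash
 
-if [ -z "$NIXOPS_CONFIG_PASS_PATH" ]; then
-echo "Please set NIXOPS_CONFIG_PASS_PATH to the password-store environment file path"
+if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
+echo "Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH to the password-store subtree path"
 exit 1;
 fi
 
@@ -15,7 +15,7 @@ finish() {
 
 trap finish EXIT
 
-pass show "$NIXOPS_CONFIG_PASS_PATH" >> $TEMP
+pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixConfig" >> $TEMP
 nixops set-args --argstr environment "$TEMP"
 
 nixops "$@"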
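Review bot: The rewritten `pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixConfig" >> $TEMP` line still leaves `$TEMP` unquoted and appends to the file, so a temp path containing whitespace is split and any content already in the file stays ahead of the decrypted config; `pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixConfig" > "$TEMP"` is the safer form if `$TEMP` is a fresh file. How `$TEMP` is created and what `finish` removes lie outside the hunk, so it cannot be confirmed here that the file is made with mktemp and restrictive permissions, which matters because it holds secret material. The new guard rejects only an empty variable; a wrong subtree path shows up later as a failing `pass show`, after which `nixops set-args` and `nixops "$@"` still run with an empty environment file unless the script exits on error somewhere above.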
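--- /dev/null
+++ b/nixops/scripts/setup
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul"
+
+if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
+-o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
+cat <<-EOF
+Two environment variables are needed to setup the password store:
+NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
+NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
+EOF
+exit 1
+fi
+
+if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
+cat <<-EOF
+/!\ This will modify your password store to add and import a subtree
+with the specific passwords files. Choose a path that doesn’t exist
+yet in your password store.
+> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
+> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
+Later, you can use pull_environment and push_environment scripts to
+update the passwords when needed
+Continue? [y/N]
+EOF
+read y
+if [ "$y" = "y" -o "$y" = "Y" ]; then
+pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
+pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
+else
+echo "Aborting"
+exit 1
+fi
+fi
+
+if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
+cat <<EOF
+The key to access private git repositories (websites hosted by the
+server) needs to be accessible to nix builders. It will be put in
+/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
+> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
+> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
+> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
+> sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
+Continue? [y/N]
+EOF
+read y
+if [ "$y" = "y" -o "$y" = "Y" ]; then
+if ! id -u nixbld1 2>/dev/null >/dev/null; then
+echo "User nixbld1 seems inexistant, did you install nix?"
+exit 1
+fi
+mask=$(umask)
+umask 0777
+# Don’t forward it directly to tee, it would break ncurse pinentry
+key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey)
+echo "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
+sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops
+pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub)
+echo "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
+sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
+sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
+umask $mask
+else
+echo "Aborting"
+exit 1
+fi
+fi
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+nix_config="ssh-config-file=$(dirname $DIR)/ssh/config"
+if echo "$NIX_PATH" | grep -q "$nix_config"; then
+cat <<EOF
+All set up
+EOF
+else
+cat <<EOF
+All set up, please add
+ssh-config-file=$(dirname $DIR)/ssh/config
+to your NIX_PATH environment variable (colon-separated)
+EOF
+fi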
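Review bot: Every expansion of NIXOPS_CONFIG_PASS_SUBTREE_PATH and NIXOPS_CONFIG_PASS_SUBTREE_REMOTE handed to `pass` (the existence check, both `pass git` commands and the three `pass show` calls) is unquoted, as is `$(dirname $DIR)` in the NIX_PATH lines, so a value with whitespace or glob characters changes the command line; quote them, e.g. `pass git subtree add --prefix="$NIXOPS_CONFIG_PASS_SUBTREE_PATH" "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" master`. The three `[ ... -o ... ]` tests use the deprecated `-o` operator and the two `read y` calls lack `-r`; `[[ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" || -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]]` and `read -r y` are the bash forms. The script never sets `-e`, so if `pass git remote add` fails (for example because the remote name is already taken) the following `pass git subtree add` still runs against whatever that name points to; chaining the two with `&&` or an explicit `|| exit 1` keeps the store untouched on failure. The chmod advertised in the heredoc is `go-rwx` while the executed one is `go=-`; they clear the same bits, but the text shown to the user should match the command actually run.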
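--- /dev/null
+++ b/nixops/ssh/config
@@ -0,0 +1,5 @@
+Host git.immae.eu
+IdentityFile /etc/ssh/ssh_rsa_key_nixops
+StrictHostKeyChecking no
+UserKnownHostsFile /dev/null
+CheckHostIP no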
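Review bot: `StrictHostKeyChecking no` combined with `UserKnownHostsFile /dev/null` turns off host-key verification for git.immae.eu, so the deploy key in /etc/ssh/ssh_rsa_key_nixops would authenticate to whatever answers for that name and the fetched repository content would be accepted without any check on the peer. Since the host is fixed, pin it instead: set `StrictHostKeyChecking yes` and point `UserKnownHostsFile` at a known_hosts file tracked next to this config (`UserKnownHostsFile <path-to-tracked-known_hosts>`, holding the server's public host key) so builders fail closed on a key mismatch. Adding `IdentitiesOnly yes` keeps ssh from offering any other agent keys to this host. `CheckHostIP no` is acceptable once the key is pinned by hostname.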