aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xnixops/scripts/nixops_wrap6
-rwxr-xr-xnixops/scripts/setup82
-rw-r--r--nixops/ssh/config5
3 files changed, 90 insertions, 3 deletions
diff --git a/nixops/scripts/nixops_wrap b/nixops/scripts/nixops_wrap
index c23d308..1efe8a9 100755
--- a/nixops/scripts/nixops_wrap
+++ b/nixops/scripts/nixops_wrap
@@ -1,7 +1,7 @@
1#!/bin/bash 1#!/bin/bash
2 2
3if [ -z "$NIXOPS_CONFIG_PASS_PATH" ]; then 3if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
4 echo "Please set NIXOPS_CONFIG_PASS_PATH to the password-store environment file path" 4 echo "Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH to the password-store subtree path"
5 exit 1; 5 exit 1;
6fi 6fi
7 7
@@ -15,7 +15,7 @@ finish() {
15 15
16trap finish EXIT 16trap finish EXIT
17 17
18pass show "$NIXOPS_CONFIG_PASS_PATH" >> $TEMP 18pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixConfig" >> $TEMP
19nixops set-args --argstr environment "$TEMP" 19nixops set-args --argstr environment "$TEMP"
20 20
21nixops "$@" 21nixops "$@"
diff --git a/nixops/scripts/setup b/nixops/scripts/setup
new file mode 100755
index 0000000..ff20fc9
--- /dev/null
+++ b/nixops/scripts/setup
@@ -0,0 +1,82 @@
1#!/bin/bash
2
3RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul"
4
5if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
6 -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
7 cat <<-EOF
8Two environment variables are needed to setup the password store:
9NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
10NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
11EOF
12 exit 1
13fi
14
15if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
16 cat <<-EOF
17/!\ This will modify your password store to add and import a subtree
18with the specific passwords files. Choose a path that doesn’t exist
19yet in your password store.
20> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
21> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
22Later, you can use pull_environment and push_environment scripts to
23update the passwords when needed
24Continue? [y/N]
25EOF
26 read y
27 if [ "$y" = "y" -o "$y" = "Y" ]; then
28 pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
29 pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
30 else
31 echo "Aborting"
32 exit 1
33 fi
34fi
35
36if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
37 cat <<EOF
38The key to access private git repositories (websites hosted by the
39server) needs to be accessible to nix builders. It will be put in
40/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
41> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
42> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
43> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
44> sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
45Continue? [y/N]
46EOF
47 read y
48 if [ "$y" = "y" -o "$y" = "Y" ]; then
49 if ! id -u nixbld1 2>/dev/null >/dev/null; then
50 echo "User nixbld1 seems inexistant, did you install nix?"
51 exit 1
52 fi
53 mask=$(umask)
54 umask 0777
55 # Don’t forward it directly to tee, it would break ncurse pinentry
56 key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey)
57 echo "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
58 sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops
59 pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub)
60 echo "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
61 sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
62 sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
63 umask $mask
64 else
65 echo "Aborting"
66 exit 1
67 fi
68fi
69
70DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
71nix_config="ssh-config-file=$(dirname $DIR)/ssh/config"
72if echo "$NIX_PATH" | grep -q "$nix_config"; then
73 cat <<EOF
74All set up
75EOF
76else
77cat <<EOF
78All set up, please add
79ssh-config-file=$(dirname $DIR)/ssh/config
80to your NIX_PATH environment variable (colon-separated)
81EOF
82fi
diff --git a/nixops/ssh/config b/nixops/ssh/config
new file mode 100644
index 0000000..3d4dc3e
--- /dev/null
+++ b/nixops/ssh/config
@@ -0,0 +1,5 @@
1Host git.immae.eu
2IdentityFile /etc/ssh/ssh_rsa_key_nixops
3StrictHostKeyChecking no
4UserKnownHostsFile /dev/null
5CheckHostIP no