From 9f5da6d7e9dbde93330f8c69ccdee9fac643696e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Fri, 1 Feb 2019 11:06:44 +0100
Subject: Add setup script

---
 nixops/scripts/nixops_wrap | 6 ++--
 nixops/scripts/setup | 82 ++++++++++++++++++++++++++++++++++++++++++++++
 nixops/ssh/config | 5 +++
 3 files changed, 90 insertions(+), 3 deletions(-)
 create mode 100755 nixops/scripts/setup
 create mode 100644 nixops/ssh/config

diff --git a/nixops/scripts/nixops_wrap b/nixops/scripts/nixops_wrap
index c23d308..1efe8a9 100755
--- a/nixops/scripts/nixops_wrap
+++ b/nixops/scripts/nixops_wrap
@@ -1,7 +1,7 @@
 #!/bin/bash
-if [ -z "$NIXOPS_CONFIG_PASS_PATH" ]; then
- echo "Please set NIXOPS_CONFIG_PASS_PATH to the password-store environment file path"
+if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
+ echo "Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH to the password-store subtree path"
 exit 1;
 fi
@@ -15,7 +15,7 @@ finish() {
 trap finish EXIT
-pass show "$NIXOPS_CONFIG_PASS_PATH" >> $TEMP
+pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixConfig" >> $TEMP
 nixops set-args --argstr environment "$TEMP"
 nixops "$@"
diff --git a/nixops/scripts/setup b/nixops/scripts/setup
new file mode 100755
index 0000000..ff20fc9
--- /dev/null
+++ b/nixops/scripts/setup
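Review bot: The usage error on the new `echo "Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH ..."` line goes to stdout rather than stderr, so a caller that captures this wrapper's output receives the message as data and only the exit status signals the failure; `echo "Please set NIXOPS_CONFIG_PASS_SUBTREE_PATH to the password-store subtree path" >&2` keeps the diagnostic out of the data stream. The trailing `;` on the context line `exit 1;` is harmless but is not used elsewhere in this file. The `#!/bin/bash` line carries no `set -e`/`set -u`, which matters for the second hunk below.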
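Review bot: The new `pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixConfig" >> $TEMP` line does not check pass's exit status, and nothing visible enables `set -e`, so a failed or cancelled decryption still lets `nixops set-args --argstr environment "$TEMP"` run with an empty or partial environment file and deploy with missing secrets. `$TEMP` is also unquoted on this line while the same variable is quoted on the `nixops set-args` context line two lines below. `pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixConfig" >> "$TEMP" || exit 1` addresses both. How `$TEMP` is created, and the `finish` trap that presumably removes it, are above this hunk and not visible here.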
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul"
+
+if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
+ -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
+ cat <<-EOF
+Two environment variables are needed to setup the password store:
+NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
+NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
+EOF
+ exit 1
+fi
+
+if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
+ cat <<-EOF
+/!\ This will modify your password store to add and import a subtree
+with the specific passwords files. Choose a path that doesn’t exist
+yet in your password store.
+> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
+> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
+Later, you can use pull_environment and push_environment scripts to
+update the passwords when needed
+Continue? [y/N]
+EOF
+ read y
+ if [ "$y" = "y" -o "$y" = "Y" ]; then
+ pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
+ pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
+ else
+ echo "Aborting"
+ exit 1
+ fi
+fi
+
+if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
+ cat < pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
+> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
+> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
+> sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
+Continue? [y/N]
+EOF
+ read y
+ if [ "$y" = "y" -o "$y" = "Y" ]; then
+ if ! id -u nixbld1 2>/dev/null >/dev/null; then
+ echo "User nixbld1 seems inexistant, did you install nix?"
+ exit 1
+ fi
+ mask=$(umask)
+ umask 0777
+ # Don’t forward it directly to tee, it would break ncurse pinentry
+ key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey)
+ echo "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
+ sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops
+ pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub)
+ echo "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
+ sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
+ sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
+ umask $mask
+ else
+ echo "Aborting"
+ exit 1
+ fi
+fi
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+nix_config="ssh-config-file=$(dirname $DIR)/ssh/config"
+if echo "$NIX_PATH" | grep -q "$nix_config"; then
+ cat <