From 1a64deeb894dc95e2645a75771732c6cc53a79ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Wed, 4 Oct 2023 01:35:06 +0200
Subject: Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them contained personnal information about users. All thos changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository
---
 scripts/fetch_version | 173 -------------------------------------------------
 scripts/make-nur | 2 +-
 scripts/refresh_flakes | 71 ++++++++++++++++++++
 scripts/setup | 90 +++++++++++++++++++++++++
 scripts/update_flake | 18 +++++
 scripts/with_env | 27 ++++++++
 6 files changed, 207 insertions(+), 174 deletions(-)
 delete mode 100755 scripts/fetch_version
 create mode 100755 scripts/refresh_flakes
 create mode 100755 scripts/setup
 create mode 100755 scripts/update_flake
 create mode 100755 scripts/with_env
(limited to 'scripts')
diff --git a/scripts/fetch_version b/scripts/fetch_version
deleted file mode 100755
index 5c4715a..0000000
--- a/scripts/fetch_version
+++ /dev/null
@@ -1,173 +0,0 @@ -#!/usr/bin/env bash - -usage() { - echo "$0 file.json" - echo "$0 [-n|--name name] [-b|--branch branch_or_rev] [-f|--file out_file] [-h|--help] (-u|--url) url" - exit -} - -branch="master" -while [[ $# -gt 0 ]]; do - a="$1" - shift - case "$a" in - *.json) - file=$a - content=$(cat $a) - name="$(echo "$content" | jq -r ".meta.name")" - url="$(echo "$content" | jq -r ".meta.url")" - branch="$(echo "$content" | jq -r ".meta.branch")" - ;; - -n|--name) - name=$1 - shift - ;; - -u|--url) - url=$1 - shift - ;; - -b|--branch) - branch=$1 - shift - ;; - -f|--file) - file=$1 - shift - ;; - -h|--help) - usage - ;; - esac -done -if [ -z "$url" ]; then - usage -fi -if [ -z "$name" ]; then - name=$(echo "$url" | cut -d"/" -f5) -fi -if [ -z "$file" ]; then - file=$name.json -fi - -# function fetch_ledger () { -# pushd $HOME/projets/ledger >/dev/null 2>/dev/null -# git fetch origin -# tag="$(git describe origin/next | sed -e "s/^v//")" -# rev="$(git show-ref -s refs/remotes/origin/next)" -# sha="$(nix-prefetch-url --unpack file://<(git archive --format=tar.gz HEAD) 2>/dev/null)" -# popd >/dev/null 2>/dev/null -# } - -# awk_describe='BEGIN { -# FS = "[ /^]+" -# while ("git ls-remote " ARGV[1] "| sort -Vk2" | getline) { -# if (!sha) -# sha = substr($0, 1, 7) -# tag = $3 -# } -# while ("curl -s " ARGV[1] "/releases/tag/" tag | getline) -# if ($3 ~ "commits") -# com = $2 -# printf com ? 
"%s-%s-g%s\n" : "%s\n", tag, com, sha -# }' - -function get_ref () { - case "$1" in - refs/*) - echo "$1" - ;; - *) - echo "refs/heads/$1" - ;; - esac -} - -function get_name () { - branch="$1" - rev="$2" - minirev=${rev:0:7} - - case "$branch" in - refs/tags/*) - b="${branch#refs/tags/}" - echo "${b//\//-}" - ;; - refs/heads/*) - b=${branch#refs/heads/} - echo "$minirev-${b//\//-}" - ;; - refs/*) - b=${branch#refs/} - echo "$minirev-${b//\//-}" - ;; - *) - echo "$minirev-${branch//\//-}" - ;; - esac -} - -function fetch_github () { - rev="$(git ls-remote --refs $url $(get_ref $branch) | head -n1 | cut -f1)" - sha="$(nix-prefetch-url --unpack $url/archive/$rev.tar.gz)" - # Différent du git-describe et github-spécifique - #tag=$(echo "$awk_describe" | awk -f - $url | sed -e "s/^v//") - tag=$(get_name $branch $rev) -} - -function fetch_other () { - rev="$(git ls-remote --refs $url $(get_ref $branch) | head -n1 | cut -f1)" - sha="$(nix-prefetch-git --url $url --rev $(get_ref $branch) | jq -r '.sha256')" - tag=$(get_name $branch $rev) -} - -case "$url" in - https://*github.com/*) - fetch_github 2>/dev/null - owner=$(echo "$url" | cut -d"/" -f4) - repo=$(echo "$url" | cut -d"/" -f5) - - F='{ - "tag": $tag, - "meta": { - "name": $name, - "url": $url, - "branch": $branch - }, - "github": { - "owner": $owner, - "repo": $repo, - "rev": $rev, - "sha256": $sha, - "fetchSubmodules": true - } - }' - ;; - *) - fetch_other 2>/dev/null - F='{ - "tag": $tag, - "meta": { - "name": $name, - "url": $url, - "branch": $branch - }, - "git": { - "url": $url, - "rev": $rev, - "sha256": $sha, - "fetchSubmodules": true - } - }' - ;; -esac - -jq -n \ - --arg name "$name" \ - --arg owner "$owner" \ - --arg repo "$repo" \ - --arg tag "$tag" \ - --arg rev "$rev" \ - --arg url "$url" \ - --arg branch "$branch" \ - --arg sha "$sha" \ - "$F" > $file diff --git a/scripts/make-nur b/scripts/make-nur index 127f8bd..2b7278f 100755 --- a/scripts/make-nur +++ b/scripts/make-nur 
@@ -19,7 +19,7 @@ git rebase --onto=$nur_root $first_commit master # The list below musn't get shrinked, it is used by filter-branch on # every commit clean_folder=' - rm -rf config lib/private modules/private pkgs/private nixops + rm -rf config lib/private modules/private pkgs/private deploy for broken in pkgs/crypto/cardano/default.nix; do if [ -f $broken ]; then rm -f $broken diff --git a/scripts/refresh_flakes b/scripts/refresh_flakes new file mode 100755 index 0000000..2bbcad6 --- /dev/null +++ b/scripts/refresh_flakes 
@@ -0,0 +1,71 @@ +#!/usr/bin/env bash + +set -e + +declare -A refreshed + +while [ -n "$1" ]; do + case "$1" in + --no-new-inputs) + no_new_inputs="y" + shift;; + *) + flake_or_dir="$1" + shift;; + esac +done + +refresh_deps() { + local flake + local inputs=() + local depname + local deppath + flake="$(realpath $1)" + if [ "${refreshed[$flake]}" = 1 ]; then + return + fi + pushd "$flake" 2>/dev/null >/dev/null + if [ -z "$no_new_inputs" ]; then + nix --no-warn-dirty flake lock + fi + if [ ! -e "$flake/flake.lock" ]; then + popd 2>/dev/null >/dev/null + refreshed[$flake]=1 + return + fi + + deps=$(jq -r '. as $root | .nodes[.root].inputs|values|to_entries|map({ key: .key, value: $root.nodes[.value].original.path })[]|select(.value != null)|.key + " " + .value' < flake.lock) + if [ -n "$deps" ]; then + while read depname deppath; do + refresh_deps "$deppath" + inputs+=(--update-input "$depname") + done <<<"$deps" + fi + nix --no-warn-dirty flake lock "${inputs[@]}" + popd 2>/dev/null >/dev/null + refreshed[$flake]=1 +} + +git_dir=$(git rev-parse --show-toplevel) + +# If argument is given (flake.nix or directory containing), refresh that argument +# Otherwise, if we are in a subdirectory containing a flake.nix, refresh that +# Otherwise, refresh all +if [ -n "$flake_or_dir" ]; then + if [ -d "$flake_or_dir" -a -e "$1/flake.nix" ]; then + refresh_deps "$flake_or_dir" + elif [ -f "$flake_or_dir" -a -e "$(dirname $flake_or_dir)/flake.nix" ]; then + refresh_deps "$(dirname $flake_or_dir)" + else + echo "No flake.nix file in specified location" + exit 1 + fi +else + if [ "$(pwd)" != "$git_dir" -a -e "$(pwd)/flake.nix" ]; then + refresh_deps "$(pwd)" + else + find $git_dir -name "flake.lock" | while read flake; do + refresh_deps "$(dirname $flake)" + done + fi +fi diff --git a/scripts/setup b/scripts/setup new file mode 100755 index 0000000..db0f353 --- /dev/null +++ b/scripts/setup 
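Review bot: The directory branch at the bottom tests `-e "$1/flake.nix"`, but `$1` has already been consumed by the `shift`s in the argument loop, so the test looks at `/flake.nix` and a directory argument falls through to the "No flake.nix file in specified location" error; it should read `if [ -d "$flake_or_dir" -a -e "$flake_or_dir/flake.nix" ]; then`. In `refresh_deps`, `realpath $1` and the `dirname $flake_or_dir` call are unquoted, so a path containing spaces or glob characters is split before it reaches `pushd`; write `flake="$(realpath "$1")"`. The `deps` variable is assigned without `local` inside a recursive function; it happens to be fully expanded into the here-string before the recursive call runs, but a `local deps` next to the other declarations would make that independence explicit. A one-line comment above the `jq` call stating that `.original.path` values are relative to the flake directory just entered with `pushd` would help, since that is what makes the recursive `refresh_deps "$deppath"` resolve correctly.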
@@ -0,0 +1,90 @@ +#!/usr/bin/env bash + +set -euo pipefail + +if ! which nix 2>/dev/null >/dev/null; then + cat <<-EOF + nix is needed, please install it: + > curl https://nixos.org/nix/install | sh + (or any other way handled by your distribution) + EOF + exit 1 +fi + +if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then + cat <<-EOF + Nix store outside of /nix/store is not supported + EOF + exit 1 +fi + +if ! which direnv 2>/dev/null >/dev/null; then + cat <<-EOF + direnv is needed, please install it + EOF + exit 1 +fi + +if [ -z "$NIXOPS_ENV_LOADED" ]; then + cat <<-EOF + direnv environment needs to be loaded + EOF + exit 1 +fi + +if [ "$(git config --get include.path)" != "../.gitconfig" ]; then + cat <<-EOF + it is recommended to include the .gitconfig file into (local) git configuration: + git config --local include.path '../.gitconfig' + Run this command? [y/N] + EOF + read y + if [ "$y" = "y" -o "$y" = "Y" ]; then + git config --local include.path '../.gitconfig' + fi +fi + +for key in public_keys/*; do + fpr=$(cat "$key" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5) + gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no + # /usr/share/doc/gnupg/DETAILS field 2 + (cat "$key" | gpg --import-options show-only --import --with-colons | + grep -E '^pub:' | + cut -d':' -f2 | + grep -q '[fu]') && signed=yes || signed=no + if [ "$signed" = no -o "$imported" = no ] ; then + echo "The key for $key needs to be imported and signed (a local signature is enough)" + cat "$key" | gpg --import-options show-only --import + echo "Continue? 
[y/N]" + read y + if [ "$y" = "y" -o "$y" = "Y" ]; then + cat "$key" | gpg --import + gpg --expert --edit-key "$fpr" lsign quit + else + echo "Aborting" + exit 1 + fi + fi +done + +if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then + cat <<-EOF + There used to be some impure derivations (grep __noChroot), you may need + sandbox = "relaxed" + in /etc/nix/nix.conf + you may also want to add + keep-outputs = true + keep-derivations = true + to prevent garbage collector from deleting build dependencies (they take a lot of time to build) + and + allow-import-from-derivation = false + as an attempt to avoid having build-time derivations (doesn’t work for all packages) + press key to continue + EOF + read y +fi + +cat <<-EOF + All set up. + Please make sure you’re using make commands when deploying + EOF diff --git a/scripts/update_flake b/scripts/update_flake new file mode 100755 index 0000000..3a9cd17 --- /dev/null +++ b/scripts/update_flake @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +searched_file="$1" + +get_inputs() { + flake=$1 + name=$2 + cat "$flake" | jq -r --arg name "$name" '.nodes|to_entries[]|select(.value.original.path != null and (.value.original.path|test("(../)+" + $name)))|.key' +} + +find flakes -name "flake.lock" | while read flake; do + for input in $(get_inputs "$flake" "$searched_file"); do + echo "updating $input in $(dirname "$flake")" + pushd "$(dirname "$flake")" >/dev/null 2>/dev/null + nix flake update --update-input "$input" + popd >/dev/null 2>/dev/null + done +done diff --git a/scripts/with_env b/scripts/with_env new file mode 100755 index 0000000..783d86c --- /dev/null +++ b/scripts/with_env 
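Review bot: With `set -euo pipefail` at the top of the script, the guard `if [ -z "$NIXOPS_ENV_LOADED" ]` aborts with bash's generic "unbound variable" error instead of printing "direnv environment needs to be loaded" whenever the variable is unset rather than merely empty; write it as `if [ -z "${NIXOPS_ENV_LOADED:-}" ]; then`. The three `read y` prompts should be `read -r y` so a backslash in the answer is not interpreted. The key loop decides whether to import and locally sign from `gpg --list-key "$fpr"` and from the `grep -q '[fu]'` test on the validity column; a comment such as `# validity f (full) / u (ultimate): key already carries a usable (local) signature` next to that test would make the `signed`/`imported` pair self-explanatory. `which nix` and `which direnv` are better written `command -v nix >/dev/null 2>&1`.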
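Review bot: In `get_inputs` the jq regex is built as `"(../)+" + $name`, where each `.` is an unescaped wildcard and the pattern is unanchored, so `(../)+` matches any two characters before a slash and an argument of `foo` also selects an input whose path is `../foobar`; escape the dots, `test("(\\.\\./)+" + $name)`, and append `+ "$"` to anchor the end if callers never rely on prefix matching. `flake=$1` and `name=$2` are assigned without `local`; because the function only ever runs inside `$(...)` this is harmless today, but `local flake=$1 name=$2` keeps it safe if it is later called directly. `cat "$flake" | jq …` can pass the file directly, `jq -r --arg name "$name" '…' "$flake"`, and `read flake` should be `read -r flake`.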
@@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +if [ -z "$SOPS_VARS_FILE" ]; then + echo "Variable SOPS_VARS_FILE is needed with a path to the sops variables" + exit 1; +fi + +umask 0077 +TEMP=$(mktemp -d /tmp/XXXXXX-nixops-files) +chmod go-rwx $TEMP + +finish() { + rm -rf "$TEMP" +} + +trap finish EXIT + +sops -d $SOPS_VARS_FILE | yq -r .ssl_keys.nix_repository > $TEMP/id_ed25519 + +cat > $TEMP/ssh_config <