blob: cfa8d64092365c3e513b86201fb9c3dac1ac920d (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
#!/bin/bash
set -euo pipefail
RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"
if ! which nix 2>/dev/null >/dev/null; then
cat <<-EOF
nix is needed, please install it:
> curl https://nixos.org/nix/install | sh
(or any other way handled by your distribution)
EOF
exit 1
fi
if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
cat <<-EOF
Nix store outside of /nix/store is not supported
EOF
exit 1
fi
if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
-o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
cat <<-EOF
Two environment variables are needed to setup the password store:
NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
EOF
exit 1
fi
if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
cat <<-EOF
/!\ This will modify your password store to add and import a subtree
with the specific passwords files. Choose a path that doesn’t exist
yet in your password store.
> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
Later, you can use pull_environment and push_environment scripts to
update the passwords when needed
Continue? [y/N]
EOF
read y
if [ "$y" = "y" -o "$y" = "Y" ]; then
pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
else
echo "Aborting"
exit 1
fi
fi
# Repull it before using it, just in case
pass git subtree pull --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
for key in $gpg_keys; do
content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)
fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
# /usr/share/doc/gnupg/DETAILS field 2
(echo "$content" | gpg --import-options show-only --import --with-colons |
grep -E '^pub:' |
cut -d':' -f2 |
grep -q '[fu]') && signed=yes || signed=no
if [ "$signed" = no -o "$imported" = no ] ; then
echo "The key for $key needs to be imported and signed (a local signature is enough)"
echo "$content" | gpg --import-options show-only --import
echo "Continue? [y/N]"
read y
if [ "$y" = "y" -o "$y" = "Y" ]; then
echo "$content" | gpg --import
gpg --expert --edit-key "$fpr" lsign quit
else
echo "Aborting"
exit 1
fi
fi
done
nix_group=$(stat -c %G /nix/store)
if [ "$nix_group" = "nixbld" ]; then
nix_user="nixbld1"
else
nix_user="$(stat -c %U /nix/store)"
fi
if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
cat <<-EOF
The key to access private git repositories (websites hosted by the
server) needs to be accessible to nix builders. It will be put in
/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
> sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
Continue? [y/N]
EOF
read y
if [ "$y" = "y" -o "$y" = "Y" ]; then
if ! id -u $nix_user 2>/dev/null >/dev/null; then
echo "User $nix_user seems inexistant, did you install nix?"
exit 1
fi
mask=$(umask)
umask 0777
# Don’t forward it directly to tee, it would break ncurse pinentry
key=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey)
echo "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
sudo chmod u=r,go=- /etc/ssh/ssh_rsa_key_nixops
pubkey=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub)
echo "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
umask $mask
else
echo "Aborting"
exit 1
fi
fi
if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
cat <<-EOF
There are some impure derivations in the repo currently (grep __noChroot), please put
sandbox = "relaxed"
in /etc/nix/nix.conf
you may also want to add
keep-outputs = true
keep-derivations = true
to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
EOF
exit 1
fi
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
nixops="$(nix-build --no-out-link -A nixops "$(dirname $(dirname $DIR))")/bin/nixops"
export NIXOPS_STATE="$(dirname $DIR)/state/eldiron.nixops"
export NIXOPS_DEPLOYMENT="$DeploymentUuid"
if ! $nixops info 2>/dev/null >/dev/null; then
cat <<-EOF
Importing deployment file into nixops:
Continue? [y/N]
EOF
read y
if [ "$y" = "y" -o "$y" = "Y" ]; then
deployment=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/Deployment)
echo "$deployment" | $nixops import
$nixops modify "$(dirname $DIR)/eldiron.nix"
else
echo "Aborting"
exit 1
fi
fi
cat <<-EOF
All set up.
Please make sure you’re using scripts/nixops_wrap when deploying
EOF
|