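#!/usr/bin/env bash
#
# One-time workstation setup for the "eldiron" nixops deployment.  In order:
# checks that nix is installed, imports the private password-store subtree,
# installs the SSH key used by the nix builders under /etc/ssh, pins the nix
# channel to a fixed revision, installs nixops and imports the deployment
# into the nixops state file.
#
# Required environment variables:
#   NIXOPS_CONFIG_PASS_SUBTREE_PATH   - path under the password store where
#                                       the subtree is imported
#   NIXOPS_CONFIG_PASS_SUBTREE_REMOTE - git remote name given to the subtree
#                                       repository
#
# Every step that modifies the password store, /etc/ssh or the nix channels
# asks for confirmation first.

# Deployment constants.  Marked read-only so no later step can clobber the
# remote, channel or deployment id by accident.
readonly RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Mes_Sites/Paul"
readonly NixChannelUrl='https://releases.nixos.org/nixos/18.09/nixos-18.09.1834.9d608a6f592'
readonly NixChannelName='immaeNixpkgs'
readonly DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"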

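# nix must be on PATH; every later step depends on it.  `command -v` is a
# shell builtin, unlike `which`, which is not present on every system.
# The installer one-liner below is only printed for the user to run by
# hand; this script never executes it.
if ! command -v nix >/dev/null 2>&1; then
  cat >&2 <<EOF
nix is needed, please install it:
> curl https://nixos.org/nix/install | sh
(or any other way handled by your distribution)
EOF
  exit 1
fi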

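# Both variables are user-supplied and drive the password-store import
# below; stop here rather than operate on an empty path or remote name.
# `[[ ... || ... ]]` replaces the deprecated, ambiguous `[ ... -o ... ]`.
if [[ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" || -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]]; then
  cat >&2 <<EOF
Two environment variables are needed to setup the password store:
NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
EOF
  exit 1
fi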

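# Import the private password subtree once: when `pass <path>` already
# succeeds the entry exists in the store and this step is skipped.
if ! pass "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" >/dev/null 2>&1; then
  cat <<EOF
/!\ This will modify your password store to add and import a subtree
with the specific passwords files. Choose a path that doesn’t exist
yet in your password store.
> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
Later, you can use pull_environment and push_environment scripts to
update the passwords when needed
Continue? [y/N]
EOF
  # -r keeps a backslash typed by the user literal instead of escaping.
  read -r y
  case "$y" in
    y|Y)
      # Arguments are quoted so a path or remote name containing spaces or
      # glob characters reaches git as a single argument.
      pass git remote add "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" "$RemoteRepo"
      pass git subtree add --prefix="$NIXOPS_CONFIG_PASS_SUBTREE_PATH" "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" master
      ;;
    *)
      echo "Aborting"
      exit 1
      ;;
  esac
fi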

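# Install the deploy key the nix builders use to fetch private git
# repositories.  Skipped when the private key file is already in place.
if [[ ! -f /etc/ssh/ssh_rsa_key_nixops ]]; then
  cat <<EOF
The key to access private git repositories (websites hosted by the
server) needs to be accessible to nix builders. It will be put in
/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
> sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
Continue? [y/N]
EOF
  read -r y
  case "$y" in
    y|Y)
      if ! id -u nixbld1 >/dev/null 2>&1; then
        echo "User nixbld1 seems inexistant, did you install nix?" >&2
        exit 1
      fi
      # Read both secrets into variables before touching umask or the
      # filesystem: piping pass straight into tee breaks the ncurses
      # pinentry, and a failed or empty `pass show` must not leave an
      # empty key file behind.
      if ! key=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey") || [[ -z "$key" ]]; then
        echo "Could not read $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey from the password store" >&2
        exit 1
      fi
      if ! pubkey=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub") || [[ -z "$pubkey" ]]; then
        echo "Could not read $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub from the password store" >&2
        exit 1
      fi
      # Create the files with no permission bits at all and open them up
      # explicitly afterwards, so the private key is never readable by
      # other users even briefly.  sudo normally combines the caller's
      # umask with its own, so the 0777 mask carries through to tee.
      mask=$(umask)
      umask 0777
      # printf, not echo: the key content is data, never an option string.
      printf '%s\n' "$key" | sudo tee /etc/ssh/ssh_rsa_key_nixops >/dev/null
      sudo chmod u=r,go= /etc/ssh/ssh_rsa_key_nixops
      printf '%s\n' "$pubkey" | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub >/dev/null
      sudo chmod a=r /etc/ssh/ssh_rsa_key_nixops.pub
      sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
      umask "$mask"
      ;;
    *)
      echo "Aborting"
      exit 1
      ;;
  esac
fi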

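# Pin the package set by installing the channel at a fixed revision.
# The grep expects `nix-channel --list` to print "name url" per line;
# -F matches the URL literally instead of treating its dots as regex
# wildcards, and -- protects against a pattern starting with a dash.
if ! nix-channel --list | grep -qF -- "$NixChannelName $NixChannelUrl"; then
  cat <<EOF
A new nix channel will be installed (or upgraded) to freeze the packages
version:
$NixChannelName $NixChannelUrl
> nix-channel --add $NixChannelUrl $NixChannelName
> nix-channel --update
If this step fail, you may have to disable sandboxing in
/etc/nix/nix.conf and rerun
> nix-channel --update
manually.
Continue? [y/N]
EOF
  read -r y
  case "$y" in
    y|Y)
      nix-channel --add "$NixChannelUrl" "$NixChannelName"
      nix-channel --update
      ;;
    *)
      echo "Aborting"
      exit 1
      ;;
  esac
fi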

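# Install nixops into the user profile on demand.
if ! command -v nixops >/dev/null 2>&1; then
  cat <<EOF
nixops is needed:
> nix-env -i nixops
If it fails, please check that $HOME/.nix-profile/bin is in your PATH.
Continue? [y/N]
EOF
  read -r y
  case "$y" in
    y|Y)
      nix-env -i nixops
      # Re-check PATH rather than trusting nix-env's status: the install
      # can succeed while the profile bin directory is still not on PATH.
      if ! command -v nixops >/dev/null 2>&1; then
        echo "Installation failed, please check that $HOME/.nix-profile/bin is in your path." >&2
        exit 1
      fi
      ;;
    *)
      echo "Aborting"
      exit 1
      ;;
  esac
fi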

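# Absolute directory of this script; the repository root one level up holds
# eldiron.nix and the nixops state file.  Every expansion is quoted so a
# checkout path containing spaces still resolves to a single argument.
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
export NIXOPS_STATE="$(dirname "$DIR")/state/eldiron.nixops"
export NIXOPS_DEPLOYMENT="$DeploymentUuid"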

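# Import the deployment into the nixops state file unless nixops already
# knows it (`nixops info` is expected to fail while it does not).
if ! nixops info >/dev/null 2>&1; then
  cat <<EOF
Importing deployment file into nixops:
Continue? [y/N]
EOF
  read -r y
  case "$y" in
    y|Y)
      # Read the secret into a variable instead of piping pass straight into
      # nixops (same pinentry concern as the ssh key step), and refuse to
      # import an empty document when the entry cannot be read.
      if ! deployment=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixDeployment") || [[ -z "$deployment" ]]; then
        echo "Could not read $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixDeployment from the password store" >&2
        exit 1
      fi
      printf '%s\n' "$deployment" | nixops import

      nixops modify "$(dirname "$DIR")/eldiron.nix"
      ;;
    *)
      echo "Aborting"
      exit 1
      ;;
  esac
fi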

# Closing reminder: deployments are expected to go through scripts/nixops_wrap.
printf '%s\n' \
  'All set up.' \
  'Please make sure you’re using scripts/nixops_wrap when deploying'