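#!/bin/bash
#
# One-time workstation setup for the nixops deployment. In order it:
#   1. checks that nix is installed and that the store lives in /nix/store,
#   2. imports the private password-store repository as a `pass` git subtree,
#   3. imports (and locally signs) the GPG keys shipped in that subtree,
#   4. installs the deploy SSH key where the nix builder user can read it,
#   5. refuses to continue while the nix sandbox is strictly enabled,
#   6. imports the deployment state into nixops.
#
# Required environment variables:
#   NIXOPS_CONFIG_PASS_SUBTREE_PATH    path inside the password store where the
#                                      subtree is imported
#   NIXOPS_CONFIG_PASS_SUBTREE_REMOTE  git remote name given to the repository
#
# Every step that modifies the machine or the password store prints what it
# is about to do, asks "Continue? [y/N]" and exits 1 on anything but y/Y.

set -euo pipefail

readonly RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
readonly DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"

#######################################
# Read one line from stdin and return only if it is "y" or "Y".
# Any other answer prints "Aborting" and exits 1. The "Continue? [y/N]"
# prompt itself is printed by the caller.
#######################################
confirm_or_abort() {
  local answer
  read -r answer
  if [[ "$answer" != "y" && "$answer" != "Y" ]]; then
    echo "Aborting"
    exit 1
  fi
}

#######################################
# Fail unless nix is on PATH and the store is the default /nix/store.
#######################################
check_nix() {
  if ! command -v nix >/dev/null 2>&1; then
    cat <<-EOF
	nix is needed, please install it:
	> curl https://nixos.org/nix/install | sh
	(or any other way handled by your distribution)
	EOF
    exit 1
  fi

  if [[ "${NIX_STORE:-/nix/store}" != "/nix/store" ]]; then
    cat <<-EOF
	Nix store outside of /nix/store is not supported
	EOF
    exit 1
  fi
}

#######################################
# Fail with a usage message unless both NIXOPS_CONFIG_PASS_SUBTREE_*
# variables are set and non-empty.
#######################################
check_env() {
  # ${VAR:-} so that an unset variable produces this message instead of an
  # "unbound variable" error from `set -u`.
  if [[ -z "${NIXOPS_CONFIG_PASS_SUBTREE_REMOTE:-}" \
      || -z "${NIXOPS_CONFIG_PASS_SUBTREE_PATH:-}" ]]; then
    cat <<-EOF
	Two environment variables are needed to setup the password store:
	NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
	NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
	EOF
    exit 1
  fi
}

#######################################
# Add the private repository as a git subtree of the password store (after
# confirmation) if the configured path does not exist yet, then pull it.
# Globals: NIXOPS_CONFIG_PASS_SUBTREE_PATH, NIXOPS_CONFIG_PASS_SUBTREE_REMOTE,
#          RemoteRepo (read)
#######################################
setup_pass_subtree() {
  local subtree="$NIXOPS_CONFIG_PASS_SUBTREE_PATH"
  local remote="$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE"

  if ! pass "$subtree" >/dev/null 2>&1; then
    cat <<-EOF
	/!\ This will modify your password store to add and import a subtree
	with the specific passwords files. Choose a path that doesn’t exist
	yet in your password store.
	> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
	> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
	Later, you can use pull_environment and push_environment scripts to
	update the passwords when needed
	Continue? [y/N]
	EOF
    confirm_or_abort
    pass git remote add "$remote" "$RemoteRepo"
    pass git subtree add --prefix="$subtree" "$remote" master
  fi

  # Repull it before using it, just in case
  pass git subtree pull --prefix="$subtree" "$remote" master
}

#######################################
# For every key stored under <subtree>/Nixops/GPGKeys, make sure it is in
# the local keyring with a valid (f/u) validity; otherwise show it and, after
# confirmation, import it and add a local signature.
# Globals: NIXOPS_CONFIG_PASS_SUBTREE_PATH (read)
#######################################
import_gpg_keys() {
  local keys_dir="$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys"
  local gpg_keys key content listing keyid imported signed

  # `pass ls` prints the directory on the first line and one tree entry per
  # key below it; the entry name is the second space-separated field.
  gpg_keys=$(pass ls "$keys_dir" | sed -e "1d" | cut -d" " -f2)

  # Word-splitting is intended: one entry per line, `cut` left no spaces.
  # shellcheck disable=SC2086
  for key in $gpg_keys; do
    content=$(pass show "$keys_dir/$key")

    # Parse the key once, without importing it; machine-readable record
    # format is documented in /usr/share/doc/gnupg/DETAILS.
    listing=$(printf '%s\n' "$content" \
      | gpg --import-options show-only --import --with-colons)

    # pub record, field 5: key ID (awk so that "no pub record" yields an
    # empty string instead of tripping pipefail/set -e).
    keyid=$(printf '%s\n' "$listing" | awk -F: '/^pub/ {print $5}')
    if [[ -z "$keyid" ]]; then
      # Without this guard `gpg --list-key ""` would list the whole keyring
      # and wrongly report the key as imported.
      echo "No public key found in $keys_dir/$key"
      exit 1
    fi

    if gpg --list-key "$keyid" >/dev/null 2>&1; then
      imported=yes
    else
      imported=no
    fi

    # /usr/share/doc/gnupg/DETAILS field 2: validity, f=full, u=ultimate
    if printf '%s\n' "$listing" | grep -E '^pub:' | cut -d':' -f2 | grep -q '[fu]'; then
      signed=yes
    else
      signed=no
    fi

    if [[ "$signed" = no || "$imported" = no ]]; then
      echo "The key for $key needs to be imported and signed (a local signature is enough)"
      printf '%s\n' "$content" | gpg --import-options show-only --import
      echo "Continue? [y/N]"
      confirm_or_abort
      printf '%s\n' "$content" | gpg --import
      gpg --expert --edit-key "$keyid" lsign quit
    fi
  done
}

#######################################
# Determine which user/group the nix builders run as, from the owner of
# /nix/store.
# Globals: nix_user, nix_group (written)
#######################################
detect_nix_owner() {
  nix_group=$(stat -c %G /nix/store)
  if [[ "$nix_group" = "nixbld" ]]; then
    # Store group nixbld: presumably a multi-user install, builds run as
    # the nixbld* users — use the first one.
    nix_user="nixbld1"
  else
    # Otherwise builds run as the store's owner.
    nix_user="$(stat -c %U /nix/store)"
  fi
}

#######################################
# Install the deploy SSH key pair into /etc/ssh (needs sudo) unless the
# private key is already there. The private key is only ever created with
# no permissions and then opened to u=r for the builder user.
# Globals: NIXOPS_CONFIG_PASS_SUBTREE_PATH, nix_user, nix_group (read)
#######################################
install_ssh_key() {
  local key_file="/etc/ssh/ssh_rsa_key_nixops"
  local key_path="$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey"

  if [[ -f "$key_file" ]]; then
    return 0
  fi

  cat <<-EOF
	The key to access private git repositories (websites hosted by the
	server) needs to be accessible to nix builders. It will be put in
	/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
	> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
	> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/SshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
	> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
	> sudo chown $nix_user:$nix_group /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
	Continue? [y/N]
	EOF
  confirm_or_abort

  if ! id -u "$nix_user" >/dev/null 2>&1; then
    echo "User $nix_user seems inexistant, did you install nix?"
    exit 1
  fi

  # Subshell: umask 0777 makes tee create the files with no permissions at
  # all (chmod then grants exactly what is wanted), and the caller's umask
  # is restored automatically on every exit path.
  (
    umask 0777
    # Don’t forward it directly to tee, it would break ncurse pinentry
    key=$(pass show "$key_path")
    printf '%s\n' "$key" | sudo tee "$key_file" > /dev/null
    sudo chmod u=r,go=- "$key_file"
    pubkey=$(pass show "$key_path.pub")
    printf '%s\n' "$pubkey" | sudo tee "$key_file.pub" > /dev/null
    sudo chmod a=r "$key_file.pub"
    sudo chown "$nix_user:$nix_group" "$key_file" "$key_file.pub"
  )
}

#######################################
# Refuse to continue while nix runs with sandbox = true: the repository
# contains __noChroot derivations that need sandbox = "relaxed".
#######################################
check_sandbox() {
  if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
    cat <<-EOF
	There are some impure derivations in the repo currently (grep __noChroot), please put
	  sandbox = "relaxed"
	in /etc/nix/nix.conf
	you may also want to add
	  keep-outputs = true
	  keep-derivations = true
	to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
	EOF
    exit 1
  fi
}

#######################################
# Import the deployment into nixops (after confirmation) if `nixops info`
# does not know it yet, then point it at eldiron.nix.
# Arguments: $1 - path to the nixops binary
#            $2 - directory holding eldiron.nix
# Globals:   NIXOPS_CONFIG_PASS_SUBTREE_PATH (read); NIXOPS_STATE and
#            NIXOPS_DEPLOYMENT are read by nixops itself
#######################################
import_deployment() {
  local nixops="$1"
  local nixops_dir="$2"
  local deployment

  if "$nixops" info >/dev/null 2>&1; then
    return 0
  fi

  cat <<-EOF
	Importing deployment file into nixops:
	Continue? [y/N]
	EOF
  confirm_or_abort
  deployment=$(pass show "$NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/Deployment")
  printf '%s\n' "$deployment" | "$nixops" import

  "$nixops" modify "$nixops_dir/eldiron.nix"
}

main() {
  local nixops_dir nixops

  check_nix
  check_env
  setup_pass_subtree
  import_gpg_keys
  detect_nix_owner
  install_ssh_key
  check_sandbox

  # DIR is this script's directory; its parent holds eldiron.nix and state/,
  # its grandparent is the repository root that exposes the nixops attribute.
  DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
  nixops_dir="$(dirname "$DIR")"
  nixops="$(nix-build --no-out-link -A nixops "$(dirname "$nixops_dir")")/bin/nixops"

  # Assign before exporting so a failing substitution is not masked.
  NIXOPS_STATE="$nixops_dir/state/eldiron.nixops"
  export NIXOPS_STATE
  export NIXOPS_DEPLOYMENT="$DeploymentUuid"

  import_deployment "$nixops" "$nixops_dir"

  cat <<-EOF
	All set up.
	Please make sure you’re using scripts/nixops_wrap when deploying
	EOF
}

main "$@"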