From c73441631440dd60b1cfab0db0ddde8fdbe45b33 Mon Sep 17 00:00:00 2001
From: William Carroll
Date: Tue, 18 Jan 2022 12:11:30 -0800
Subject: [PATCH] feat(wpcarro/configs): Define {import,export}-gpg in Nix
Note: Calling `export-gpg` (relying on the symlink to `__dispatch.sh`) hangs because it's prompting the user for the password to decrypt the secrets, but for some reason no prompt displays. When I call...
```shell
$ nix-build /depot -A users.wpcarro.configs.export-gpg
$ ./result
```
...it WAIs. I need to debug this, but I'm committing the work for now because it's making my `magit-status` noisy.
TODO(wpcarro): Merge and reconcile configs, dotfiles.
Change-Id: I2b91323824cab37daa9d880cbb42f38e33ca10e1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4998
Reviewed-by: wpcarro
Autosubmit: wpcarro
Tested-by: BuildkiteCI
---
users/wpcarro/bin/__dispatch.sh | 6 +++
users/wpcarro/bin/export-gpg | 1 +
users/wpcarro/bin/import-gpg | 1 +
users/wpcarro/configs/default.nix | 67 +++++++++++++++++++++++++++++--
4 files changed, 72 insertions(+), 3 deletions(-)
create mode 120000 users/wpcarro/bin/export-gpg
create mode 120000 users/wpcarro/bin/import-gpg
diff --git a/users/wpcarro/bin/__dispatch.sh b/users/wpcarro/bin/__dispatch.sh
index b7671562e..17556ad2e 100755
--- a/users/wpcarro/bin/__dispatch.sh
+++ b/users/wpcarro/bin/__dispatch.sh
@@ -12,6 +12,12 @@ case "${TARGET_TOOL}" in
 deploy-diogenes)
 attr="users.wpcarro.nixos.deploy-diogenes"
 ;;
+ import-gpg)
+ attr="users.wpcarro.configs.import-gpg"
+ ;;
+ export-gpg)
+ attr="users.wpcarro.configs.export-gpg"
+ ;;
 *)
 echo "The tool '${TARGET_TOOL}' is currently not installed in this repository."
 exit 1
diff --git a/users/wpcarro/bin/export-gpg b/users/wpcarro/bin/export-gpg
new file mode 120000
index 000000000..8390ec9c9
--- /dev/null
+++ b/users/wpcarro/bin/export-gpg
@@ -0,0 +1 @@
+__dispatch.sh
\ No newline at end of file
diff --git a/users/wpcarro/bin/import-gpg b/users/wpcarro/bin/import-gpg
new file mode 120000
index 000000000..8390ec9c9
--- /dev/null
+++ b/users/wpcarro/bin/import-gpg
@@ -0,0 +1 @@
+__dispatch.sh
\ No newline at end of file
diff --git a/users/wpcarro/configs/default.nix b/users/wpcarro/configs/default.nix
index 5b0b6a7dc..81ba5b4d4 100644
--- a/users/wpcarro/configs/default.nix
+++ b/users/wpcarro/configs/default.nix
@@ -1,11 +1,72 @@
 { pkgs, ... }:
-{
- install = pkgs.writeShellScript "install-configs" ''
+let
+ inherit (pkgs) writeShellScript;
+ inherit (pkgs.lib.strings) makeBinPath;
+in {
+ install = writeShellScript "install-configs" ''
 cd "$WPCARRO/configs" && ${pkgs.stow}/bin/stow --target="$HOME" .
 '';
- uninstall = pkgs.writeShellScript "uninstall-configs" ''
+ uninstall = writeShellScript "uninstall-configs" ''
 cd "$WPCARRO/configs" && ${pkgs.stow}/bin/stow --delete --target="$HOME" .
 '';
+
+ # Run this script to import all of the information exported by `export.sh`.
+ # Usage: import-gpg path/to/export.zip
+ import-gpg = writeShellScript "import-gpg" ''
+ set -euo pipefail
+
+ if [ -z "''${1+x}" ]; then
+ echo "You must specify the path to export.zip. Exiting..."
+ exit 1
+ fi
+
+ PATH="${makeBinPath (with pkgs; [ busybox gnupg ])}"
+ destination="$(mktemp -d)"
+
+ function cleanup() {
+ rm -rf "$destination"
+ }
+ trap cleanup EXIT
+
+ unzip "$1" -d "$destination" >/dev/null
+
+ gpg --import "$destination/public.asc"
+ gpg --import "$destination/secret.asc"
+ gpg --import-ownertrust "$destination/ownertrust.txt"
+
+ # Run this at the end to output some verification
+ gpg --list-keys
+ gpg --list-secret-keys
+ '';
+
+ # Run this script to export all the information required to transport your GPG
+ # information to a zip file.
+ # Usage: export-gpg
+ export-gpg = writeShellScript "export-gpg" ''
+ set -euo pipefail
+
+ PATH="${makeBinPath (with pkgs; [ busybox gnupg zip ])}"
+ output="$(pwd)/export.zip"
+ destination="$(mktemp -d)"
+
+ function cleanup() {
+ rm -rf "$destination"
+ }
+ trap cleanup EXIT
+
+ gpg --armor --export >"$destination/public.asc"
+ gpg --armor --export-secret-keys >"$destination/secret.asc"
+ gpg --armor --export-ownertrust >"$destination/ownertrust.txt"
+
+ # Strangely enough this appears to be the only way to create a zip of a
+ # directory that doesn't contain the (noisy) full paths of each item from
+ # the source filesystem. (i.e.
-j doesn't cooperate with -r).
+ pushd "$destination"
+ zip -r "$output" ./*
+ popd
+
+ echo "$(realpath $output)"
+ '';
 }
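Review bot: `export-gpg` writes every secret key, protected only by its own passphrase if it has one, into `export.zip` in the current directory with whatever the caller's umask allows, and nothing in the hunk restricts that; add `umask 077` directly after `set -euo pipefail` so the temp directory contents and the archive are owner-only, and say so in the header comment, e.g. `# NOTE: export.zip contains your secret keys; keep it off shared storage and delete it after import.` The closing `echo "$(realpath $output)"` leaves `$output` unquoted, so a working directory containing whitespace splits it; `echo "$output"` is already absolute and sufficient. On the import side, `unzip "$1" -d "$destination"` extracts every path the archive holds before the three expected files are read, so if the zip ever comes from anywhere other than this script's own output it is worth extracting only `public.asc secret.asc ownertrust.txt` by name. The prompt hang described in the commit message is plausibly `GPG_TTY` being unset under the dispatcher, but that is inferred rather than visible in this hunk.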