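#! /bin/sh
#
# copy-secrets system_name target
#
# Copies the rsync-able secrets tree of SYSTEM_NAME
# ($secrets_root/SYSTEM_NAME/rsync/) onto the root filesystem of TARGET
# (an ssh destination, e.g. root@host), then hands the per-service
# secrets over to the uid of the service that has to read them.
#
# Required environment:
#   secrets_root  - directory holding the per-system secret trees
#   config_root   - directory holding the per-system NixOS modules
#   NIX_PATH      - the host's NIX_PATH; it is extended below so that
#                   nixos-query can evaluate SYSTEM_NAME's configuration
#
# Exits 0 without doing anything when SYSTEM_NAME has no rsync secrets.
set -euf

if test $# -ne 2; then
  printf 'usage: copy-secrets system_name target\n' >&2
  exit 2
fi

system_name=$1
target=$2

# nixos_config and secrets_nix are not used further down (NIX_PATH is
# built from $PWD instead, see the XXX note below).  The expansions are
# kept on purpose: under `set -u` they make the script abort early when
# config_root or secrets_root is missing, before anything is copied.
nixos_config=$config_root/modules/$system_name
secrets_nix=$secrets_root/$system_name/nix
secrets_rsync=$secrets_root/$system_name/rsync

if ! test -e "$secrets_rsync"; then
  exit # nothing to do
fi

# XXX this is ugly
# Notice NIX_PATH used from host
# Notice secrets required to evaluate configuration
# NOTE(review): these entries are rooted at $PWD while nixos_config and
# secrets_nix above are rooted at $config_root/$secrets_root; the two
# presumably coincide when the script is run from the repository root
# -- confirm before relying on it from elsewhere.
NIX_PATH=$NIX_PATH:nixos-config=$PWD/modules/$system_name
NIX_PATH=$NIX_PATH:secrets=$PWD/secrets/$system_name/nix
export NIX_PATH

# Optional services.  Only when the service is enabled do we look up
# the path of its secret and the uid it must end up owned by.  stderr
# of the enable-query is discarded so that a system which does not
# define the option at all simply takes the "not enabled" path; a
# failing command substitution inside a case word does not trip -e.
case $(nixos-query tv.retiolum.enable 2>/dev/null) in
  true)
    retiolum_secret=$(nixos-query tv.retiolum.privateKeyFile)
    retiolum_uid=$(nixos-query users.extraUsers.retiolum-tinc.uid)
    ;;
esac

case $(nixos-query services.ejabberd-cd.enable 2>/dev/null) in
  true)
    ejabberd_secret=$(nixos-query services.ejabberd-cd.certFile)
    ejabberd_uid=$(nixos-query users.extraUsers.ejabberd.uid)
    ;;
esac

# Copy the secrets tree to the target's root.  -p preserves the local
# modes, so a secret that is 0600 here arrives 0600 there; -o is not
# given, so files are created owned by the remote rsync user (which has
# to be root anyway to write under / and to chown below).  `set -x`
# traces the command line only, i.e. paths, never file contents.
#
# The previous --rsync-path="mkdir -p \"$2\" && rsync" was dropped: the
# destination is "/" which always exists, and the mkdir created a stray
# directory literally named after the ssh destination string on the
# remote side.
(set -x
rsync \
  -vzrlptD \
  "$secrets_rsync/" \
  "$target:/")

# Fix ownership on the target.  The four values are expanded into the
# script text *locally*, so they are single-quoted to survive the remote
# shell's word splitting (a path containing a space would otherwise be
# executed as a command).  They are a file path and a numeric uid from
# the NixOS configuration; a single quote inside one of them would
# break this.  A secret whose uid could not be determined is reported
# and aborts instead of silently running `chown :0`, which would leave
# the file owned by root and unreadable for the service.
ssh "$target" -T <<EOF
set -euf
retiolum_secret='${retiolum_secret-}'
retiolum_uid='${retiolum_uid-}'
ejabberd_secret='${ejabberd_secret-}'
ejabberd_uid='${ejabberd_uid-}'
# fix_owner SECRET_PATH UID -- no-op when SECRET_PATH is empty
fix_owner() {
  test -n "\$1" || return 0
  if test -z "\$2"; then
    printf 'copy-secrets: no uid known for %s\n' "\$1" >&2
    exit 1
  fi
  chown -v "\$2:0" "\$1"
}
fix_owner "\$retiolum_secret" "\$retiolum_uid"
fix_owner "\$ejabberd_secret" "\$ejabberd_uid"
EOF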