authorTimo Wilken2023-11-08 20:36:24 +0100
committerTimo Wilken2023-11-08 20:36:24 +0100
commitaa850e391ac1995e0e0288cc76975a9b49143394 (patch)
tree05ae284b23f9e98d78aeaf3e70c0a0132371ab89
parentce00f9c7071a92199596ae19c58bdb623cdf67a6 (diff)
Add script to generate secret files
This documents where the secrets come from and allows recovering them upon deletion or host key change, in the latter case by deleting the affected .enc files and regenerating them with the new host key from known_hosts.
-rwxr-xr-xregenerate-secrets.sh54
1 files changed, 54 insertions, 0 deletions
diff --git a/regenerate-secrets.sh b/regenerate-secrets.sh
new file mode 100755
index 00000000..08d54821
--- /dev/null
+++ b/regenerate-secrets.sh
@@ -0,0 +1,54 @@
+#!/bin/sh -e
+
+port () {
+ case $1 in
+ lud|vin) echo 22022 ;;
+ pi3) echo 51022 ;;
+ *) echo "port: unknown device: $1" >&2; return 1 ;;
+ esac
+}
+
+hostkey () {
+ case $1 in
+ # lap has no SSH host keys, so use a special age key.
+ lap) echo age1r2q54q6phf47ssc2wrw6enpdlghfaj0pdhp879se4d47zlkgq4sskzlj25 ;;
+ *) ssh-keygen -F "[$1.twilken.net]:$(port "$1")" |
+ awk '$2 == "ssh-ed25519" { print $2, $3 }' ;;
+ esac
+}
+
+store () {
+ # Overwriting an existing encrypted file will change its content, even if
+ # its decrypted content does not change, so leave it alone.
+ [ -e "$3" ] && return 0
+ pass show "$2" > /dev/null || return 1
+ pass show "$2" | head -1 | age -e -a -r "$(hostkey "$1")" -o "$3"
+}
+
+store_restic () {
+ store "$1" "computers/vin/restic-repos/$2" "tw/system/files/restic/$2.enc"
+}
+
+# Wireguard secret keys and pre-shared keys.
+for host in lap lud vin; do
+ store "$host" "computers/wireguard/private/$host" "tw/system/files/wireguard/$host.key.enc"
+ for host2 in lap lud vin pi3 fp4; do
+ [ $host = $host2 ] && continue
+ store "$host" "computers/wireguard/preshared/$host-$host2" "tw/system/files/wireguard/$host-$host2.psk.enc"
+ done
+done
+
+# Restic repository passwords.
+for repo in vin-grafana timo-laptop timo-phone timo-sync; do
+ store_restic vin $repo
+done
+
+store_restic lud lud-nextcloud
+
+store lud www/nextcloud/database tw/system/files/nextcloud-database-password.enc
+
+[ -e tw/system/files/mythic-dns.scm.enc ] || # do not overwrite existing file
+ cat << EOF | age -e -a -r "$(hostkey lud)" -o tw/system/files/mythic-dns.scm.enc
+"$(pass show www/mythic-beasts/dns-lud | sed -rn '/^username: /s///p')" ; username
+"$(pass show www/mythic-beasts/dns-lud | head -1)" ; password
+EOF
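Review bot: The mythic-dns block at the end of the hunk, unlike `store`, never checks that `pass show www/mythic-beasts/dns-lud` succeeded: the `$(…)` substitutions run inside the here-document, so under `sh -e` a failed lookup is not fatal and age writes an .enc file holding an empty username and password, which the `[ -e … ] ||` guard then preserves on every later run. Fetching the entry into a variable once with `|| exit 1`, rejecting empty fields, and feeding age through `printf` fixes that and also keeps the plaintext credentials out of the temporary file some shells use to back a here-document. A password containing `"` or `\` would additionally break the generated Scheme string literal, so it is worth rejecting those characters rather than emitting a file that fails to parse. Separately, `hostkey` encrypts to whatever ed25519 line `ssh-keygen -F` finds: two matching entries (old and new key) would hand age a multi-line recipient, and a known_hosts entry accepted from a MITM would silently encrypt every secret to the wrong key, so printing the fingerprint of the recipient actually used (e.g. via `ssh-keygen -lf`) before encrypting would let the operator confirm it out of band.
```shell
# … unchanged: port, hostkey, store, store_restic and the wireguard/restic/nextcloud calls …
if ! [ -e tw/system/files/mythic-dns.scm.enc ]; then  # do not overwrite existing file
  dns_entry=$(pass show www/mythic-beasts/dns-lud) || exit 1
  dns_user=$(printf '%s\n' "$dns_entry" | sed -rn '/^username: /s///p')
  dns_pass=$(printf '%s\n' "$dns_entry" | head -1)
  if [ -z "$dns_user" ] || [ -z "$dns_pass" ]; then
    echo "mythic-dns: missing username or password in pass entry" >&2; exit 1
  fi
  case "$dns_user$dns_pass" in
    *[\"\\]*) echo 'mythic-dns: credentials contain " or \, cannot emit Scheme string' >&2; exit 1 ;;
  esac
  printf '"%s" ; username\n"%s" ; password\n' "$dns_user" "$dns_pass" |
    age -e -a -r "$(hostkey lud)" -o tw/system/files/mythic-dns.scm.enc
fi
```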