-rw-r--r--Makefile5
-rwxr-xr-xregenerate-secrets.sh34
2 files changed, 14 insertions, 25 deletions
diff --git a/Makefile b/Makefile
index f29db0b5..b65f0c67 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: test tw/system/%.test tw/home/%.test images tw/system/installer/%.image
+.PHONY: secrets test tw/system/%.test tw/home/%.test images tw/system/installer/%.image
systems = $(wildcard tw/system/*.scm)
homes = $(wildcard tw/home/*.scm)
@@ -15,3 +15,6 @@ tw/system/%.test: tw/system/%.scm
tw/system/installer/%.image: tw/system/installer/%.scm
guix system image -L $(CURDIR) -t iso9660 --label=GUIX_$$(date -Idate) $<
+
+secrets: regenerate-secrets.sh
+ $(CURDIR)/$<
diff --git a/regenerate-secrets.sh b/regenerate-secrets.sh
index 1451d5b6..3441b960 100755
--- a/regenerate-secrets.sh
+++ b/regenerate-secrets.sh
@@ -1,29 +1,16 @@
#!/bin/sh -e
-port () {
- case $1 in
- lud|vin) echo 22022 ;;
- pi3) echo 51022 ;;
- *) echo "port: unknown device: $1" >&2; return 1 ;;
- esac
-}
-
-hostkey () {
- case $1 in
- # Laptops have no SSH host keys, so use a special age key.
- lap) echo age1r2q54q6phf47ssc2wrw6enpdlghfaj0pdhp879se4d47zlkgq4sskzlj25 ;;
- frm) echo age1wm9cn6pwguc6a26ltlf39c00qlyka8c48dfc2fcj9w7j522ekcaq5hg2e8 ;;
- *) ssh-keygen -F "[$1.twilken.net]:$(port "$1")" |
- awk '$2 == "ssh-ed25519" { print $2, $3 }' ;;
- esac
+encto () {
+ # Overwriting an existing encrypted file will change its content, even if
+ # its decrypted content does not change, so leave it alone.
+ [ -e "$2" ] && return 0
+ hostkey=$(awk '$1 ~ /^\[?'"$1"'(\.twilken\.net|\.local|\.fritz\.box)\]?(:[0-9]+)?$/ && $2 == "ssh-ed25519" { print $2, $3 }' ~/.ssh/known_hosts)
+ age -e -a -r "${hostkey:?No hostkey found for $1}" -o "$2"
}
store () {
- # Overwriting an existing encrypted file will change its content, even if
- # its decrypted content does not change, so leave it alone.
- [ -e "$3" ] && return 0
pass show "$2" > /dev/null || return 1
- pass show "$2" | head -1 | age -e -a -r "$(hostkey "$1")" -o "$3"
+ pass show "$2" | head -1 | encto "$1" "$3"
}
store_restic () {
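Review bot: The known_hosts lookup in encto can return more than one key — a host listed under both `lud.twilken.net` and `lud.local`, or a stale entry next to the current one — and `${hostkey:?…}` then hands age a multi-line recipient, while the removed `ssh-keygen -F` path also resolved hashed entries that this awk pattern cannot match if HashKnownHosts is in use. Deduplicate and refuse ambiguity rather than encrypting to whichever line awk happens to print: `hostkey=$(awk '…' ~/.ssh/known_hosts | sort -u)` followed by `[ "$(printf '%s\n' "$hostkey" | wc -l)" -eq 1 ] || { echo "encto: no unique host key for $1" >&2; return 1; }`. Separately, moving the `[ -e "$2" ]` guard from store into encto means `pass show "$2"` now decrypts every secret on every run even when the output already exists; keeping `[ -e "$3" ] && return 0` as the first line of store avoids that. The dropped comment explaining that laptops have no SSH host key should be replaced by a note on why `lap` is now expected to be in known_hosts.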
@@ -32,10 +19,10 @@ store_restic () {
# Wireguard secret keys and pre-shared keys.
for host in lap lud vin frm; do
- store "$host" "computers/wireguard/private/$host" "tw/system/files/wireguard/$host.key.enc"
+ store "$host" "computers/wireguard/private/$host" "tw/services/files/wireguard/$host.key.enc"
for host2 in lap lud vin pi3 fp4 frm; do
[ $host = $host2 ] && continue
- store "$host" "computers/wireguard/preshared/$host-$host2" "tw/system/files/wireguard/$host-$host2.psk.enc"
+ store "$host" "computers/wireguard/preshared/$host-$host2" "tw/services/files/wireguard/$host-$host2.psk.enc"
done
done
@@ -48,8 +35,7 @@ store_restic lud lud-nextcloud
store lud www/nextcloud/database tw/system/files/nextcloud-database-password.enc
-[ -e tw/system/files/mythic-dns.scm.enc ] || # do not overwrite existing file
- cat << EOF | age -e -a -r "$(hostkey lud)" -o tw/system/files/mythic-dns.scm.enc
+encto lud tw/system/files/mythic-dns.scm.enc << EOF
"$(pass show www/mythic-beasts/dns-lud | sed -rn '/^username: /s///p')" ; username
"$(pass show www/mythic-beasts/dns-lud | head -1)" ; password
EOF
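Review bot: The two `$(pass show www/mythic-beasts/dns-lud …)` substitutions inside the heredoc are expanded by the shell before encto runs, so their exit status is never checked under `sh -e` — a failed or empty `pass show` yields an empty username or password that gets encrypted silently, and both lookups run even when the output file already exists. Mirror what store does and guard first: `[ -e tw/system/files/mythic-dns.scm.enc ] || pass show www/mythic-beasts/dns-lud > /dev/null || exit 1` on the line before the `encto lud …` call.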