Diffstat (limited to 'regenerate-secrets.sh')
-rwxr-xr-x | regenerate-secrets.sh | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/regenerate-secrets.sh b/regenerate-secrets.sh
new file mode 100755
index 00000000..08d54821
--- /dev/null
+++ b/regenerate-secrets.sh
@@ -0,0 +1,54 @@
+#!/bin/sh -e
+
+port () {
+ case $1 in
+ lud|vin) echo 22022 ;;
+ pi3) echo 51022 ;;
+ *) echo "port: unknown device: $1" >&2; return 1 ;;
+ esac
+}
+
+hostkey () {
+ case $1 in
+ # lap has no SSH host keys, so use a special age key.
+ lap) echo age1r2q54q6phf47ssc2wrw6enpdlghfaj0pdhp879se4d47zlkgq4sskzlj25 ;;
+ *) ssh-keygen -F "[$1.twilken.net]:$(port "$1")" |
+ awk '$2 == "ssh-ed25519" { print $2, $3 }' ;;
+ esac
+}
+
+store () {
+ # Overwriting an existing encrypted file will change its content, even if
+ # its decrypted content does not change, so leave it alone.
+ [ -e "$3" ] && return 0
+ pass show "$2" > /dev/null || return 1
+ pass show "$2" | head -1 | age -e -a -r "$(hostkey "$1")" -o "$3"
+}
+
+store_restic () {
+ store "$1" "computers/vin/restic-repos/$2" "tw/system/files/restic/$2.enc"
+}
+
+# Wireguard secret keys and pre-shared keys.
+for host in lap lud vin; do
+ store "$host" "computers/wireguard/private/$host" "tw/system/files/wireguard/$host.key.enc"
+ for host2 in lap lud vin pi3 fp4; do
+ [ $host = $host2 ] && continue
+ store "$host" "computers/wireguard/preshared/$host-$host2" "tw/system/files/wireguard/$host-$host2.psk.enc"
+ done
+done
+
+# Restic repository passwords.
+for repo in vin-grafana timo-laptop timo-phone timo-sync; do
+ store_restic vin $repo
+done
+
+store_restic lud lud-nextcloud
+
+store lud www/nextcloud/database tw/system/files/nextcloud-database-password.enc
+
+[ -e tw/system/files/mythic-dns.scm.enc ] || # do not overwrite existing file
+ cat << EOF | age -e -a -r "$(hostkey lud)" -o tw/system/files/mythic-dns.scm.enc
+"$(pass show www/mythic-beasts/dns-lud | sed -rn '/^username: /s///p')" ; username
+"$(pass show www/mythic-beasts/dns-lud | head -1)" ; password
+EOF |
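Review bot: In `store`, the pipeline `pass show "$2" | head -1 | age ...` runs under `sh -e` without `pipefail`, so if the second `pass show` fails (the first call succeeded only a moment earlier, but a gpg-agent prompt or timeout can still break the retry) age encrypts an empty payload, writes a valid-looking `$3`, and the `[ -e "$3" ] && return 0` guard then pins that empty file on every later run. The recipient has the same shape of problem: `$(hostkey "$1")` is empty when the host is not in known_hosts, and in the `*)` arm a failing `$(port "$1")` is masked inside the substitution, so an unknown device turns into an `ssh-keygen -F` lookup on `[host.twilken.net]:` that matches nothing; age presumably rejects an empty `-r`, but the error will not say which host key is missing. I would capture the secret and the recipient into variables, check both are non-empty, and only then write the output file; the mythic-dns heredoc at the end of the hunk has the same masked-substitution issue for its two `pass show` calls. A small doc line on `hostkey`, `# prints the ed25519 host key as an age recipient; empty if the host is not in known_hosts`, would also make the contract explicit for callers.
```sh
store () {
	# … unchanged: comment and existing-file check …
	[ -e "$3" ] && return 0
	secret=$(pass show "$2" | head -1) || return 1
	[ -n "$secret" ] || { echo "store: empty secret for $2" >&2; return 1; }
	recipient=$(hostkey "$1") || return 1
	[ -n "$recipient" ] || { echo "store: no recipient key for $1" >&2; return 1; }
	printf '%s\n' "$secret" | age -e -a -r "$recipient" -o "$3"
}
```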