Diffstat (limited to 'regenerate-secrets.sh')
-rwxr-xr-xregenerate-secrets.sh54
1 files changed, 54 insertions, 0 deletions
diff --git a/regenerate-secrets.sh b/regenerate-secrets.sh
new file mode 100755
index 00000000..08d54821
--- /dev/null
+++ b/regenerate-secrets.sh
@@ -0,0 +1,54 @@
+#!/bin/sh -e
+
+port () {
+ case $1 in
+ lud|vin) echo 22022 ;;
+ pi3) echo 51022 ;;
+ *) echo "port: unknown device: $1" >&2; return 1 ;;
+ esac
+}
+
+hostkey () {
+ case $1 in
+ # lap has no SSH host keys, so use a special age key.
+ lap) echo age1r2q54q6phf47ssc2wrw6enpdlghfaj0pdhp879se4d47zlkgq4sskzlj25 ;;
+ *) ssh-keygen -F "[$1.twilken.net]:$(port "$1")" |
+ awk '$2 == "ssh-ed25519" { print $2, $3 }' ;;
+ esac
+}
+
+store () {
+ # Overwriting an existing encrypted file will change its content, even if
+ # its decrypted content does not change, so leave it alone.
+ [ -e "$3" ] && return 0
+ pass show "$2" > /dev/null || return 1
+ pass show "$2" | head -1 | age -e -a -r "$(hostkey "$1")" -o "$3"
+}
+
+store_restic () {
+ store "$1" "computers/vin/restic-repos/$2" "tw/system/files/restic/$2.enc"
+}
+
+# Wireguard secret keys and pre-shared keys.
+for host in lap lud vin; do
+ store "$host" "computers/wireguard/private/$host" "tw/system/files/wireguard/$host.key.enc"
+ for host2 in lap lud vin pi3 fp4; do
+ [ $host = $host2 ] && continue
+ store "$host" "computers/wireguard/preshared/$host-$host2" "tw/system/files/wireguard/$host-$host2.psk.enc"
+ done
+done
+
+# Restic repository passwords.
+for repo in vin-grafana timo-laptop timo-phone timo-sync; do
+ store_restic vin $repo
+done
+
+store_restic lud lud-nextcloud
+
+store lud www/nextcloud/database tw/system/files/nextcloud-database-password.enc
+
+[ -e tw/system/files/mythic-dns.scm.enc ] || # do not overwrite existing file
+ cat << EOF | age -e -a -r "$(hostkey lud)" -o tw/system/files/mythic-dns.scm.enc
+"$(pass show www/mythic-beasts/dns-lud | sed -rn '/^username: /s///p')" ; username
+"$(pass show www/mythic-beasts/dns-lud | head -1)" ; password
+EOF
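Review bot: Every error path in `store` (the `return 1` after `pass show`, and age's exit status at the end of the pipeline) only aborts the run because of the `-e` on the shebang line, which is lost when the script is invoked as `sh regenerate-secrets.sh`; in that case a missing pass entry or a failed encryption is skipped silently and the loop moves on, so the options belong in the body as `set -eu` right after the shebang. The recipient lookup has the same shape of problem: `hostkey` is called inside `"$(…)"` on the age command line, so the non-zero status from `port`'s unknown-device branch or from an ssh-keygen lookup that matches nothing in known_hosts is discarded, and age is handed an empty (or, with duplicate known_hosts entries, multi-line) `-r` value — age presumably rejects that, but the only explanation the operator sees is an opaque recipient error rather than which host had no key. Capturing the recipient first and checking it is non-empty makes the failure explicit and keeps the secret out of the pipeline until the target key is known to be good. A smaller note on the `mythic-dns.scm.enc` heredoc: the username and password are dropped into Scheme string literals without escaping, so a password containing `"` or `\` would produce a file that does not parse — worth a comment or a `sed 's/[\\"]/\\&/g'` on those two substitutions.
```shell
store () {
    # Overwriting an existing encrypted file will change its content, even if
    # its decrypted content does not change, so leave it alone.
    [ -e "$3" ] && return 0
    # Resolve the recipient before touching the secret so a missing host key
    # fails here with a clear message instead of inside the age pipeline.
    recipient=$(hostkey "$1") || return 1
    [ -n "$recipient" ] || { echo "store: no age recipient for $1" >&2; return 1; }
    pass show "$2" > /dev/null || return 1
    pass show "$2" | head -1 | age -e -a -r "$recipient" -o "$3"
}
```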