From ba42cfca8631fb719716c0d3216ca4c983aa62e5 Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Sun, 25 Aug 2024 14:20:47 +0200
Subject: Allow encrypting secrets to multiple hosts at the same time

---
 regenerate-secrets.sh | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/regenerate-secrets.sh b/regenerate-secrets.sh
index a93b4488..b0c0c3fc 100755
--- a/regenerate-secrets.sh
+++ b/regenerate-secrets.sh
@@ -1,20 +1,27 @@
-#!/bin/sh -e
+#!/usr/bin/env -S bash -e
-encto () {
+enc () {
 # Overwriting an existing encrypted file will change its content, even if
 # its decrypted content does not change, so leave it alone.
- [ -e "$2" ] && return 0
- hostkey=$(awk '$1 ~ /^\[?'"$1"'\.(twilken\.net|local|fritz\.box)\]?(:[0-9]+)?$/ && $2 == "ssh-ed25519" { print $2, $3 }' ~/.ssh/known_hosts)
- mkdir -p "$(dirname "$2")"
- age -e -a -r "${hostkey:?No hostkey found for $1}" -o "$2"
+ local destination=$1; shift
+ [ -e "$destination" ] && return 0
+ local age_recipients=()
+ while [ $# -gt 0 ]; do
+ recipient=$1; shift
+ hostkey=$(awk '$1 ~ /^\[?'"$recipient"'\.(twilken\.net|local|fritz\.box)\]?(:[0-9]+)?$/ && $2 == "ssh-ed25519" { print $2, $3 }' ~/.ssh/known_hosts)
+ age_recipients+=(-r "${hostkey:?No hostkey found for $recipient}")
+ done
+ mkdir -p "$(dirname "$destination")"
+ age -e -a -o "$destination" "${age_recipients[@]}"
 }
 store () {
+ local recipient=$1 key=$2 destination=$3
 # Overwriting an existing encrypted file will change its content, even if
 # its decrypted content does not change, so leave it alone.
- [ -e "$3" ] && return 0
- pass show "$2" > /dev/null || return 1
- pass show "$2" | head -1 | encto "$1" "$3"
+ [ -e "$destination" ] && return 0
+ pass show "$key" > /dev/null || return 1
+ pass show "$key" | head -1 | enc "$recipient" "$destination"
 }
 store_restic () {
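Review bot: The per-recipient lookup in the new `while` loop still takes whatever awk prints, so a known_hosts file that lists the same host under two aliases (e.g. both `lud.local` and `lud.twilken.net`) or with and without a port yields a multi-line `hostkey`, and `-r` then receives a value with an embedded newline — the `:?` guard only catches the empty case, and depending on how age parses that string it either fails or, worse, encrypts to the first (possibly stale) key only. Piping through `sort -u` and refusing anything but exactly one key makes this explicit: `hostkey=$(awk '…' ~/.ssh/known_hosts | sort -u)` followed by `[ "$(printf '%s\n' "$hostkey" | grep -c .)" -eq 1 ] || { echo "ambiguous hostkey for $recipient" >&2; return 1; }`. `recipient` and `hostkey` are also the only variables in `enc` that are not declared `local`, so when `enc` is called directly (as the heredoc call sites later in the file do) they leak into the script's global scope; `local recipient hostkey` before the loop fixes that. Note too that `$recipient` is spliced into the awk regex unescaped, which is fine for the fixed host names used here but worth a comment such as `# recipient names are trusted literals: they are interpolated into an awk regex unescaped`.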
@@ -42,20 +49,20 @@ store_restic lud lud-git
 store lud www/nextcloud/database tw/system/files/nextcloud-database-password.enc
-encto lud tw/system/files/mythic-dns.scm.enc << EOF
+enc tw/system/files/mythic-dns.scm.enc lud << EOF
 "$(pass show www/mythic-beasts/dns-lud | sed -rn '/^username: /s///p')" ; username
 "$(pass show www/mythic-beasts/dns-lud | head -1)" ; password
 EOF
-encto vin tw/system/files/grafana/metrics-credentials.enc << EOF
+enc tw/system/files/grafana/metrics-credentials.enc vin << EOF
 GF_METRICS_BASIC_AUTH_USERNAME=$(pass show computers/vin/grafana/metrics | sed -rn '/^username: /s///p')
 GF_METRICS_BASIC_AUTH_PASSWORD=$(pass show computers/vin/grafana/metrics | head -1)
 EOF
-encto lud tw/system/files/paperless-secret-key.enc << EOF
+enc tw/system/files/paperless-secret-key.enc lud << EOF
 PAPERLESS_SECRET_KEY=$(pass show computers/lud/paperless/secret-key | head -1)
 EOF
-encto vin tw/services/files/personal-data-exporter/conso.json << EOF
+enc tw/services/files/personal-data-exporter/conso.json vin << EOF
 {"prm": "$(pass www/conso-api | sed -rn '/^prm: /s///p')", "api-token": "$(pass www/conso-api | head -1)"}
 EOF
-- cgit v1.2.3
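Review bot: The four direct `enc … << EOF` calls bypass the existence check that `store` performs (`pass show "$key" > /dev/null || return 1`): a `pass show` that fails inside `$(…)` within a heredoc does not, as far as I can tell, affect the exit status of `enc` or trip `-e`, so a renamed or missing pass entry silently produces a file with empty credentials — and because `enc` refuses to overwrite existing outputs, that broken file persists until someone deletes it by hand. A one-line guard before each heredoc, e.g. `pass show www/mythic-beasts/dns-lud > /dev/null || exit 1` (and likewise for `computers/vin/grafana/metrics`, `computers/lud/paperless/secret-key` and `www/conso-api`), would make the failure loud at generation time instead. Separately, the values spliced into the `.scm` and `conso.json` heredocs are not escaped for their target syntax, so a secret containing `"` or `\` yields an unparsable file; a comment such as `# secrets are embedded verbatim: they must not contain " or \` above these calls would at least record the constraint.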