From 385f51f3fa4b5a0d48d9fbfa124ec92c0b6b393c Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Tue, 28 Nov 2023 20:12:31 +0100
Subject: Encrypt to new laptop SSH host keys

Also, follow WireGuard secrets renaming.
---
 regenerate-secrets.sh | 34 ++++++++++------------------------
 1 file changed, 10 insertions(+), 24 deletions(-)
(limited to 'regenerate-secrets.sh')

diff --git a/regenerate-secrets.sh b/regenerate-secrets.sh
index 1451d5b6..3441b960 100755
--- a/regenerate-secrets.sh
+++ b/regenerate-secrets.sh
@@ -1,29 +1,16 @@
 #!/bin/sh -e
 
-port () {
- case $1 in
- lud|vin) echo 22022 ;;
- pi3) echo 51022 ;;
- *) echo "port: unknown device: $1" >&2; return 1 ;;
- esac
-}
-
-hostkey () {
- case $1 in
- # Laptops have no SSH host keys, so use a special age key.
- lap) echo age1r2q54q6phf47ssc2wrw6enpdlghfaj0pdhp879se4d47zlkgq4sskzlj25 ;;
- frm) echo age1wm9cn6pwguc6a26ltlf39c00qlyka8c48dfc2fcj9w7j522ekcaq5hg2e8 ;;
- *) ssh-keygen -F "[$1.twilken.net]:$(port "$1")" |
- awk '$2 == "ssh-ed25519" { print $2, $3 }' ;;
- esac
+encto () {
+ # Overwriting an existing encrypted file will change its content, even if
+ # its decrypted content does not change, so leave it alone.
+ [ -e "$2" ] && return 0
+ hostkey=$(awk '$1 ~ /^\[?'"$1"'(\.twilken\.net|\.local|\.fritz\.box)\]?(:[0-9]+)?$/ && $2 == "ssh-ed25519" { print $2, $3 }' ~/.ssh/known_hosts)
+ age -e -a -r "${hostkey:?No hostkey found for $1}" -o "$2"
 }
 
 store () {
- # Overwriting an existing encrypted file will change its content, even if
- # its decrypted content does not change, so leave it alone.
- [ -e "$3" ] && return 0
  pass show "$2" > /dev/null || return 1
- pass show "$2" | head -1 | age -e -a -r "$(hostkey "$1")" -o "$3"
+ pass show "$2" | head -1 | encto "$1" "$3"
 }
 
 store_restic () {
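Review bot: The `hostkey=$(awk ...)` line in encto() prints every ssh-ed25519 entry whose name matches, so a known_hosts that holds two different keys for the host (say a stale `lap.local` entry next to the current `lap.twilken.net` one) hands age a multi-line `-r` value, and when the entries disagree nothing says which key the secret is actually encrypted to. Encrypting to a stale or first-seen LAN key would give the secret to whoever holds that key, so I would have awk collect the distinct keys and fail unless exactly one remains, which still accepts the common case of several aliases sharing one key. Passing the hostname with `-v host=` instead of splicing `$1` into the awk program keeps the program's quoting intact. Since known_hosts is now the trust root for every recipient (the removed hostkey() pinned age keys for lap and frm), a short comment on encto() saying so would help the next reader.
```shell
encto () {
	# … unchanged: existing-file check …
	# Trust root: the ssh-ed25519 entry for $1 in known_hosts. Refuse to
	# guess when the file holds several distinct keys for the host.
	hostkey=$(awk -v host="$1" '
		$1 ~ ("^\\[?" host "(\\.twilken\\.net|\\.local|\\.fritz\\.box)\\]?(:[0-9]+)?$") &&
		$2 == "ssh-ed25519" { keys[$3] = 1 }
		END {
			n = 0
			for (k in keys) { n++; key = k }
			if (n != 1) {
				print "encto: found " n " ssh-ed25519 keys for " host " in known_hosts" > "/dev/stderr"
				exit 1
			}
			print "ssh-ed25519", key
		}' ~/.ssh/known_hosts)
	age -e -a -r "${hostkey:?No hostkey found for $1}" -o "$2"
}
```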
@@ -32,10 +19,10 @@ store_restic () {
 
 # Wireguard secret keys and pre-shared keys.
 for host in lap lud vin frm; do
- store "$host" "computers/wireguard/private/$host" "tw/system/files/wireguard/$host.key.enc"
+ store "$host" "computers/wireguard/private/$host" "tw/services/files/wireguard/$host.key.enc"
  for host2 in lap lud vin pi3 fp4 frm; do
  [ $host = $host2 ] && continue
- store "$host" "computers/wireguard/preshared/$host-$host2" "tw/system/files/wireguard/$host-$host2.psk.enc"
+ store "$host" "computers/wireguard/preshared/$host-$host2" "tw/services/files/wireguard/$host-$host2.psk.enc"
  done
 done
 
@@ -48,8 +35,7 @@ store_restic lud lud-nextcloud
 
 store lud www/nextcloud/database tw/system/files/nextcloud-database-password.enc
 
-[ -e tw/system/files/mythic-dns.scm.enc ] || # do not overwrite existing file
- cat << EOF | age -e -a -r "$(hostkey lud)" -o tw/system/files/mythic-dns.scm.enc
+encto lud tw/system/files/mythic-dns.scm.enc << EOF
 "$(pass show www/mythic-beasts/dns-lud | sed -rn '/^username: /s///p')" ; username
 "$(pass show www/mythic-beasts/dns-lud | head -1)" ; password
 EOF
-- 
cgit v1.2.3
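Review bot: With the existence check moved into encto(), the heredoc's `$(pass show www/mythic-beasts/dns-lud ...)` substitutions are now expanded — and the entry decrypted twice — before encto() sees that `tw/system/files/mythic-dns.scm.enc` already exists and returns; the removed `[ -e ... ] ||` guard short-circuited before any of that ran. store() in the first hunk has the same ordering now: both `pass show "$2"` calls run before encto() decides to skip. Keeping a cheap guard in front, `[ -e tw/system/files/mythic-dns.scm.enc ] || encto lud tw/system/files/mythic-dns.scm.enc << EOF`, restores the old behaviour, and a `[ -e "$3" ] && return 0` before the first `pass show` in store() does the same there. Note also that a failing `pass show` inside the heredoc does not trip the shebang's `-e`, so an empty username or password line would be encrypted without complaint; that predates this change but is worth a comment on the heredoc.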