#!/bin/sh -e

port () {
  # Print the SSH port of device $1.
  # Unknown device names are reported on stderr and make the function fail,
  # so a caller that substitutes the result sees an empty string.
  if [ "$1" = lud ] || [ "$1" = vin ]; then
    echo 22022
  elif [ "$1" = pi3 ]; then
    echo 51022
  else
    echo "port: unknown device: $1" >&2
    return 1
  fi
}

hostkey () {
  case $1 in
    # Laptops have no SSH host keys, so use a special age key.
    lap) echo age1r2q54q6phf47ssc2wrw6enpdlghfaj0pdhp879se4d47zlkgq4sskzlj25 ;;
    frm) echo age1wm9cn6pwguc6a26ltlf39c00qlyka8c48dfc2fcj9w7j522ekcaq5hg2e8 ;;
    *) ssh-keygen -F "[$1.twilken.net]:$(port "$1")" |
         awk '$2 == "ssh-ed25519" { print $2, $3 }' ;;
  esac
}

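store () {
  # Encrypt the first line of pass entry $2 to the age recipient of device $1
  # and write the armored ciphertext to $3.
  #
  # Overwriting an existing encrypted file will change its content, even if
  # its decrypted content does not change, so leave it alone.
  [ -e "$3" ] && return 0
  # Resolve the recipient first: a failing $(hostkey ...) inside age's
  # argument list would not stop the command, and an empty -r would only be
  # caught by age itself (if at all).
  recipient=$(hostkey "$1") || return 1
  [ -n "$recipient" ] || return 1
  # Check that the entry exists before piping it: without pipefail a failing
  # `pass show` would be masked by head succeeding.
  pass show "$2" > /dev/null || return 1
  # Encrypt to a temporary file and rename, so a failed run cannot leave a
  # truncated $3 behind that the -e check above would then skip forever.
  if pass show "$2" | head -1 | age -e -a -r "$recipient" -o "$3.tmp"; then
    mv -- "$3.tmp" "$3"
  else
    rm -f -- "$3.tmp"
    return 1
  fi
}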

store_restic () {
  # Store the restic repository password for repository $2, encrypted to
  # device $1. All restic pass entries live under computers/vin/ regardless
  # of which device the file is encrypted to.
  set -- "$1" "computers/vin/restic-repos/$2" "tw/system/files/restic/$2.enc"
  store "$@"
}

# Wireguard secret keys and pre-shared keys.
# Only the hosts in the outer loop get their private key and one PSK file per
# peer stored here; pi3 and fp4 appear only as peers.
for host in lap lud vin frm; do
  store "$host" "computers/wireguard/private/$host" "tw/system/files/wireguard/$host.key.enc"
  for peer in lap lud vin pi3 fp4 frm; do
    if [ "$host" != "$peer" ]; then
      store "$host" "computers/wireguard/preshared/$host-$peer" "tw/system/files/wireguard/$host-$peer.psk.enc"
    fi
  done
done

# Restic repository passwords: four repositories encrypted to vin, one to lud.
for repo in vin-grafana timo-laptop timo-phone timo-sync; do
  store_restic vin "$repo"
done
store_restic lud lud-nextcloud

# Nextcloud database password, encrypted to lud.
store lud www/nextcloud/database tw/system/files/nextcloud-database-password.enc

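# Mythic Beasts DNS API credentials for lud, written as two Scheme string
# literals (username, then password) and encrypted to lud.
# As with store, an existing encrypted file is never overwritten.
if [ ! -e tw/system/files/mythic-dns.scm.enc ]; then
  # Look the values up before building the file: a failing command
  # substitution inside the heredoc would be replaced by an empty string and
  # produce an encrypted file with blank credentials that is never
  # regenerated because of the check above.
  mythic_user=$(pass show www/mythic-beasts/dns-lud | sed -rn '/^username: /s///p')
  mythic_pass=$(pass show www/mythic-beasts/dns-lud | head -1)
  if [ -z "$mythic_user" ] || [ -z "$mythic_pass" ]; then
    echo "mythic-dns: username or password missing from pass entry" >&2
    exit 1
  fi
  mythic_recipient=$(hostkey lud) || exit 1
  # Escape backslash and double quote so a credential cannot break out of
  # the Scheme string literal it is embedded in.
  scm_escape () { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }
  cat << EOF | age -e -a -r "$mythic_recipient" -o tw/system/files/mythic-dns.scm.enc
"$(scm_escape "$mythic_user")"  ; username
"$(scm_escape "$mythic_pass")"  ; password
EOF
fi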