#!/bin/sh -e
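encto () {
	# Encrypt stdin with age to the ssh-ed25519 host key of host $1, writing
	# ASCII-armoured ciphertext to $2.
	#
	# $1  short host name; looked up in ~/.ssh/known_hosts as HOST.twilken.net,
	#     HOST.local or HOST.fritz.box, optionally bracketed with a port.
	# $2  output path.
	#
	# Overwriting an existing encrypted file will change its content, even if
	# its decrypted content does not change, so leave it alone.
	[ -e "$2" ] && return 0
	# SECURITY: known_hosts is the trust anchor here -- whatever key it records
	# for the host is the key the secret is encrypted to, so a wrong or
	# attacker-supplied entry (e.g. one accepted blindly on first connect)
	# would hand the secret to the wrong party.  Hashed entries
	# (HashKnownHosts yes) never match this pattern and report "No hostkey
	# found"; use a plain-text known_hosts for the hosts listed here.
	hostkey=$(awk '$1 ~ /^\[?'"$1"'\.(twilken\.net|local|fritz\.box)\]?(:[0-9]+)?$/ && $2 == "ssh-ed25519" { print $2, $3 }' ~/.ssh/known_hosts | LC_ALL=C sort -u)
	# A host commonly appears under several names or ports with the same key,
	# and age accepts exactly one recipient per -r: collapse exact duplicates
	# (sort -u above) and refuse to guess between genuinely different keys.
	nl='
'
	case $hostkey in
	*"$nl"*)
		printf 'encto: ambiguous ssh-ed25519 host keys for %s:\n%s\n' "$1" "$hostkey" >&2
		return 1 ;;
	esac
	age -e -a -r "${hostkey:?No hostkey found for $1}" -o "$2"
}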
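store () {
	# Encrypt the first line (the password) of pass entry $2 for host $1
	# into $3 via encto.  Returns 1 if the pass entry cannot be shown.
	#
	# Overwriting an existing encrypted file will change its content, even if
	# its decrypted content does not change, so leave it alone.
	[ -e "$3" ] && return 0
	# Fetch the entry exactly once.  The earlier check-then-pipe form ran
	# `pass show` twice; if the second call failed (e.g. a cancelled pinentry)
	# the pipeline still completed -- /bin/sh -e does not see pipeline
	# failures -- and encto wrote a file holding an empty plaintext, which the
	# guard above would then preserve forever.
	secret=$(pass show "$2") || return 1
	nl='
'
	# First line only, equivalent to `head -1`.  printf is a shell builtin in
	# dash and bash, so the secret is not exposed as an argv of a child process.
	printf '%s\n' "${secret%%"$nl"*}" | encto "$1" "$3"
}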
store_restic () {
	# Store the restic repository password for repository $2 -- kept in pass
	# under computers/vin/restic-repos/ -- as tw/system/files/restic/$2.enc,
	# encrypted for host $1.
	repo=$2
	store "$1" "computers/vin/restic-repos/$repo" "tw/system/files/restic/$repo.enc"
}
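# Wireguard secret keys and pre-shared keys.
for host in lap lud vin frm btl; do
	store "$host" "computers/wireguard/private/$host" "tw/services/files/wireguard/$host.key.enc"
	for host2 in lap lud vin pi3 fp4 frm btl; do
		[ "$host" = "$host2" ] && continue
		store "$host" "computers/wireguard/preshared/$host-$host2" "tw/services/files/wireguard/$host-$host2.psk.enc"
	done
done
# Restic repository passwords.
for repo in vin-grafana timo-laptop timo-phone timo-sync; do
	store_restic vin "$repo"
done
store_restic lud lud-nextcloud
store_restic lud lud-git
store lud www/nextcloud/database tw/system/files/nextcloud-database-password.enc

# The username/password pairs below are fetched from pass once each and the
# script aborts if the entry is unavailable.  Previously each heredoc called
# `pass show` twice inside $(...); a failure there is invisible to sh -e and
# expands to an empty string, and since encto never rewrites an existing file
# the empty credential would have been frozen in place.  The existence check
# is repeated here so that nothing is fetched (no pinentry) when there is
# nothing to write.
nl='
'
# Mythic Beasts DNS API credentials for lud, as a Scheme snippet.
if [ ! -e tw/system/files/mythic-dns.scm.enc ]; then
	entry=$(pass show www/mythic-beasts/dns-lud) || exit 1
	username=$(printf '%s\n' "$entry" | sed -rn '/^username: /s///p')
	password=${entry%%"$nl"*}
	# Both values are pasted into Scheme string literals unescaped; a `"` or
	# `\` in either would corrupt the snippet, so refuse rather than write it.
	case $username$password in
	*'"'*|*'\'*)
		printf '%s\n' 'mythic-dns: credential contains " or \; escape it before storing' >&2
		exit 1 ;;
	esac
	encto lud tw/system/files/mythic-dns.scm.enc << EOF
"$username" ; username
"$password" ; password
EOF
fi
# Grafana metrics basic-auth credentials for vin, as an env file.
# NOTE(review): the values are written verbatim; how the consumer parses this
# file (quoting, `#`, embedded `=`) is not visible here -- confirm before
# storing credentials with such characters.
if [ ! -e tw/system/files/grafana/metrics-credentials.enc ]; then
	entry=$(pass show computers/vin/grafana/metrics) || exit 1
	username=$(printf '%s\n' "$entry" | sed -rn '/^username: /s///p')
	password=${entry%%"$nl"*}
	encto vin tw/system/files/grafana/metrics-credentials.enc << EOF
GF_METRICS_BASIC_AUTH_USERNAME=$username
GF_METRICS_BASIC_AUTH_PASSWORD=$password
EOF
fi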