manage wesher key with pass

deploy_wesher_key

@@ -0,0 +1,4 @@
+#!/usr/bin/env ./sshtool
+
+write_pass deuxfleurs/cluster/$CLUSTER/wesher_key /var/lib/wesher/secrets
+cmd systemctl restart wesher

gen_wesher_key

@@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+
+cd $(dirname $0)
+
+CLUSTER="$1"
+if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
+	echo "Usage: $0 <cluster name>"
+	echo "The cluster name must be the name of a subdirectory of cluster/"
+	exit 1
+fi
+
+K=deuxfleurs/cluster/$CLUSTER/wesher_key
+if ! pass $K >/dev/null; then
+	pass insert -m $K <<EOF
+WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)
+EOF
+fi

genpki.sh

@@ -7,7 +7,7 @@ set -xe
 cd $(dirname $0)
 
 CLUSTER="$1"
-if [ ! -d "cluster/$CLUSTER" ]; then
+if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
 	echo "Usage: $0 <cluster name>"
 	echo "The cluster name must be the name of a subdirectory of cluster/"
 	exit 1

sshtool

@@ -81,6 +81,19 @@ chmod 0600 $TO
 EOF
 }
 
+function write_pass {
+	local PASSKEY=$1
+	local TO=$2
+	cat <<EOF
+echo '- write secret $TO from pass $PASSKEY'
+base64 -d <<EOG | tee $TO > /dev/null
+$(pass $PASSKEY | base64)
+EOG
+chown root:root $TO
+chmod 0600 $TO
+EOF
+}
+
 for NIXHOST in $NIXHOSTLIST; do
 	NIXHOST=${NIXHOST%.*}