manage wesher key with pass

2022-04-20 14:14:15 +02:00 · 2022-04-20 14:14:15 +02:00 · a8717f9bf5
commit a8717f9bf5
parent d056b385d7
4 changed files with 35 additions and 1 deletions
--- a/4
+++ b/4
@ -0,0 +1,4 @@
+#!/usr/bin/env ./sshtool
+
+write_pass deuxfleurs/cluster/$CLUSTER/wesher_key /var/lib/wesher/secrets
+cmd systemctl restart wesher
--- a/17
+++ b/17
@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+
+cd $(dirname $0)
+
+CLUSTER="$1"
+if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
+	echo "Usage: $0 <cluster name>"
+	echo "The cluster name must be the name of a subdirectory of cluster/"
+	exit 1
+fi
+
+K=deuxfleurs/cluster/$CLUSTER/wesher_key
+if ! pass $K >/dev/null; then
+	pass insert -m $K <<EOF
+WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)
+EOF
+fi
--- a/genpki.sh
+++ b/genpki.sh
@ -7,7 +7,7 @@ set -xe
 cd $(dirname $0)

 CLUSTER="$1"
-if [ ! -d "cluster/$CLUSTER" ]; then
+if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
 	echo "Usage: $0 <cluster name>"
 	echo "The cluster name must be the name of a subdirectory of cluster/"
 	exit 1
--- a/13
+++ b/13
@ -81,6 +81,19 @@ chmod 0600 $TO
 EOF
 }

+function write_pass {
+	local PASSKEY=$1
+	local TO=$2
+	cat <<EOF
+echo '- write secret $TO from pass $PASSKEY'
+base64 -d <<EOG | tee $TO > /dev/null
+$(pass $PASSKEY | base64)
+EOG
+chown root:root $TO
+chmod 0600 $TO
+EOF
+}
+
 for NIXHOST in $NIXHOSTLIST; do
 	NIXHOST=${NIXHOST%.*}