manage wesher key with pass

Alex 2022-04-20 14:14:15 +02:00
parent d056b385d7
commit a8717f9bf5
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
4 changed files with 35 additions and 1 deletions

4
deploy_wesher_key Executable file

@ -0,0 +1,4 @@
#!/usr/bin/env ./sshtool
write_pass deuxfleurs/cluster/$CLUSTER/wesher_key /var/lib/wesher/secrets
cmd systemctl restart wesher
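Review bot: `$CLUSTER` on the write_pass line is expanded unquoted and never validated in this file, so if it is empty or unset when sshtool runs the script, the pass entry resolves to `deuxfleurs/cluster//wesher_key` and line 3 still restarts wesher; assuming sshtool sources this file as shell, as the `#!/usr/bin/env ./sshtool` shebang suggests, `write_pass "deuxfleurs/cluster/${CLUSTER:?cluster name required}/wesher_key" /var/lib/wesher/secrets` fails early instead. Whether a failed write_pass stops the restart on the next line depends on sshtool's error handling, which this section does not show. A header comment would also help a reader who does not know sshtool: `# Install the cluster-wide wesher key from pass into /var/lib/wesher/secrets and restart wesher to pick it up`.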

17
gen_wesher_key Executable file

@ -0,0 +1,17 @@
#!/usr/bin/env sh
cd $(dirname $0)
CLUSTER="$1"
if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
echo "Usage: $0 <cluster name>"
echo "The cluster name must be the name of a subdirectory of cluster/"
exit 1
fi
K=deuxfleurs/cluster/$CLUSTER/wesher_key
if ! pass $K >/dev/null; then
pass insert -m $K <<EOF
WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)
EOF
fi
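Review bot: The key is generated inside the heredoc on the `WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)` line, so if `head` or `base64` fails the substitution yields an empty string, `pass insert` succeeds, and the store ends up holding `WESHER_CLUSTER_KEY=` with no error; there is no `set -e` to catch it either. Generate the key into a variable first and refuse to insert anything that is not the 44-character base64 encoding of the 32 bytes the script intends. `$K` is also unquoted in both `pass $K` and `pass insert -m $K`, although it is built from a `$CLUSTER` that has already been checked to be a directory name.
```shell
K=deuxfleurs/cluster/$CLUSTER/wesher_key
if ! pass "$K" >/dev/null; then
  KEY=$(head -c 32 /dev/urandom | base64)
  if [ "${#KEY}" -ne 44 ]; then
    echo "failed to generate a 32-byte wesher key" >&2
    exit 1
  fi
  pass insert -m "$K" <<EOF
WESHER_CLUSTER_KEY=$KEY
EOF
fi
```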


@ -7,7 +7,7 @@ set -xe
cd $(dirname $0)
CLUSTER="$1"
if [ ! -d "cluster/$CLUSTER" ]; then
if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
echo "Usage: $0 <cluster name>"
echo "The cluster name must be the name of a subdirectory of cluster/"
exit 1

13
sshtool

@ -81,6 +81,19 @@ chmod 0600 $TO
EOF
}
function write_pass {
local PASSKEY=$1
local TO=$2
cat <<EOF
echo '- write secret $TO from pass $PASSKEY'
base64 -d <<EOG | tee $TO > /dev/null
$(pass $PASSKEY | base64)
EOG
chown root:root $TO
chmod 0600 $TO
EOF
}
for NIXHOST in $NIXHOSTLIST; do
NIXHOST=${NIXHOST%.*}
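Review bot: `$(pass $PASSKEY | base64)` on the line after `base64 -d <<EOG` runs inside a command substitution, so a failing `pass` (missing entry, gpg error) produces an empty payload and the generated script still writes an empty `$TO`, chowns and chmods it, and — via deploy_wesher_key — restarts wesher on an empty key; fetch the secret first and abort when it is empty. The generated `base64 -d <<EOG | tee $TO > /dev/null` also creates `$TO` under the remote umask before the `chmod 0600 $TO` two lines later, leaving a window in which the secret is readable by other users, so emit `umask 077` ahead of it. `$PASSKEY` and `$TO` are unquoted both in the local `pass` call and in the generated commands. Whether `exit 1` or a non-zero `return` is the right abort depends on how sshtool assembles the remote script, which the surrounding lines do not show.
```shell
function write_pass {
  local PASSKEY=$1
  local TO=$2
  local SECRET_B64
  SECRET_B64=$(pass "$PASSKEY" | base64)
  if [ -z "$SECRET_B64" ]; then
    echo "write_pass: no secret found in pass for $PASSKEY" >&2
    exit 1
  fi
  cat <<EOF
echo '- write secret $TO from pass $PASSKEY'
umask 077
base64 -d <<EOG | tee "$TO" > /dev/null
$SECRET_B64
EOG
# … unchanged: chown, chmod, EOF, closing brace …
```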