manage wesher key with pass
parent
d056b385d7
commit
a8717f9bf5
4 changed files with 35 additions and 1 deletions
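--- a/deploy_wesher_key
+++ b/deploy_wesher_key
@@ -0,0 +1,4 @@
+#!/usr/bin/env ./sshtool
+
+write_pass deuxfleurs/cluster/$CLUSTER/wesher_key /var/lib/wesher/secrets
+cmd systemctl restart wesher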
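Review bot: `$CLUSTER` is unquoted in the `write_pass` path on the third line and nothing in this file checks that it is set; because the file runs through `./sshtool` I assume sshtool exports it, but if it does not, the path silently collapses to `deuxfleurs/cluster//wesher_key` and the restart on the last line still runs. A guard such as `: "${CLUSTER:?cluster name not set}"` before the `write_pass` line, and quoting it as `"deuxfleurs/cluster/$CLUSTER/wesher_key"`, makes the failure explicit instead. Whether `cmd` short-circuits on a failed `write_pass` depends on sshtool, which is outside this file.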
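--- a/gen_wesher_key
+++ b/gen_wesher_key
@@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+
+cd $(dirname $0)
+
+CLUSTER="$1"
+if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
+echo "Usage: $0 <cluster name>"
+echo "The cluster name must be the name of a subdirectory of cluster/"
+exit 1
+fi
+
+K=deuxfleurs/cluster/$CLUSTER/wesher_key
+if ! pass $K >/dev/null; then
+pass insert -m $K <<EOF
+WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)
+EOF
+fi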
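Review bot: The script never sets `set -e`, so if `pass insert` on the fourteenth line fails (gpg error, store not initialised) the script still exits 0 and a later deploy runs against a missing entry; `cd $(dirname $0)` on the third line is also unquoted. Adding `set -eu` directly after the shebang and writing the cd as `cd "$(dirname "$0")"` covers both. The key material itself, 32 bytes from /dev/urandom encoded with base64, is fine; the unquoted heredoc means the `$(...)` is expanded locally before being piped to pass, which is the intent here.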
|
@ -7,7 +7,7 @@ set -xe
|
|||
cd $(dirname $0)
|
||||
|
||||
CLUSTER="$1"
|
||||
if [ ! -d "cluster/$CLUSTER" ]; then
|
||||
if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
|
||||
echo "Usage: $0 <cluster name>"
|
||||
echo "The cluster name must be the name of a subdirectory of cluster/"
|
||||
exit 1
|
||||
|
|
13
sshtool
13
sshtool
|
@ -81,6 +81,19 @@ chmod 0600 $TO
|
|||
EOF
|
||||
}
|
||||
|
||||
function write_pass {
|
||||
local PASSKEY=$1
|
||||
local TO=$2
|
||||
cat <<EOF
|
||||
echo '- write secret $TO from pass $PASSKEY'
|
||||
base64 -d <<EOG | tee $TO > /dev/null
|
||||
$(pass $PASSKEY | base64)
|
||||
EOG
|
||||
chown root:root $TO
|
||||
chmod 0600 $TO
|
||||
EOF
|
||||
}
|
||||
|
||||
for NIXHOST in $NIXHOSTLIST; do
|
||||
NIXHOST=${NIXHOST%.*}
|
||||
|
||||
|
|
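Review bot: In `write_pass` the emitted script pipes the decoded secret through `tee $TO` before the `chmod 0600 $TO` two lines later, so a freshly created `$TO` briefly exists with whatever mode the remote umask gives it; `tee` is presumably kept so the write can go through a privileged wrapper, in which case emitting a `umask 077` line before the `base64 -d` line closes that window. Separately, `$(pass $PASSKEY | base64)` runs without pipefail, so a missing pass entry yields an empty heredoc and an empty secret file rather than an error; capturing `pass "$PASSKEY"` into a local with `|| return 1` before the `cat <<EOF` is the minimal guard. `$TO` and `$PASSKEY` are also unquoted throughout, matching the preceding function, which starts outside the hunk.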