Refactor secrets

deploy_pki

@@ -7,18 +7,17 @@ cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
 
 for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do
 	if [ -f "$PKI/$file" ]; then
-		copy $PKI/$file /var/lib/consul/pki/$file
+		copy_secret $PKI/$file /var/lib/consul/pki/$file
 		cmd chown consul:root /var/lib/consul/pki/$file
-		cmd chmod 0400 /var/lib/consul/pki/$file
 	fi
 done
 
 cmd systemctl restart consul
 cmd sleep 10
 
-for file in nomad-ca.crt nomad$YEAR.crt nomad$YER.key; do
+for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key; do
 	if [ -f "$PKI/$file" ]; then
-		copy $PKI/$file /var/lib/nomad/pki/$file
+		copy_secret $PKI/$file /var/lib/nomad/pki/$file
 	fi
 done
 

sshtool

@@ -68,6 +68,19 @@ EOG
 EOF
 }
 
+function copy_secret {
+	local FROM=$1
+	local TO=$2
+	cat <<EOF
+echo '- write secret $TO from $FROM'
+base64 -d <<EOG | tee $TO > /dev/null
+$(base64 <$FROM)
+EOG
+chown root:root $TO
+chmod 0600 $TO
+EOF
+}
+
 for NIXHOST in $NIXHOSTLIST; do
 	NIXHOST=${NIXHOST%.*}