Refactor secrets

2022-04-20 13:07:39 +02:00 · 2022-04-20 13:07:39 +02:00 · d056b385d7
commit d056b385d7
parent 9c9c776213
2 changed files with 16 additions and 4 deletions
--- a/7
+++ b/7
@ -7,18 +7,17 @@ cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki

 for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do
 	if [ -f "$PKI/$file" ]; then
-		copy $PKI/$file /var/lib/consul/pki/$file
+		copy_secret $PKI/$file /var/lib/consul/pki/$file
 		cmd chown consul:root /var/lib/consul/pki/$file
-		cmd chmod 0400 /var/lib/consul/pki/$file
 	fi
 done

 cmd systemctl restart consul
 cmd sleep 10

-for file in nomad-ca.crt nomad$YEAR.crt nomad$YER.key; do
+for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key; do
 	if [ -f "$PKI/$file" ]; then
-		copy $PKI/$file /var/lib/nomad/pki/$file
+		copy_secret $PKI/$file /var/lib/nomad/pki/$file
 	fi
 done

--- a/13
+++ b/13
@ -68,6 +68,19 @@ EOG
 EOF
 }

+function copy_secret {
+	local FROM=$1
+	local TO=$2
+	cat <<EOF
+echo '- write secret $TO from $FROM'
+base64 -d <<EOG | tee $TO > /dev/null
+$(base64 <$FROM)
+EOG
+chown root:root $TO
+chmod 0600 $TO
+EOF
+}
+
 for NIXHOST in $NIXHOSTLIST; do
 	NIXHOST=${NIXHOST%.*}