aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2022-04-20 14:14:15 +0200
committerAlex Auvolat <alex@adnab.me>2022-04-20 14:14:15 +0200
commita8717f9bf5dbc9b102d872678f4e5d3d2790a408 (patch)
tree3cbee336ec67f9a1758de462480a8eccce3e0342
parentd056b385d71d5b33165ab87cbedffb243d168c8a (diff)
downloadnixcfg-a8717f9bf5dbc9b102d872678f4e5d3d2790a408.tar.gz
nixcfg-a8717f9bf5dbc9b102d872678f4e5d3d2790a408.zip
manage wesher key with pass
-rwxr-xr-xdeploy_wesher_key4
-rwxr-xr-xgen_wesher_key17
-rwxr-xr-xgenpki.sh2
-rwxr-xr-xsshtool13
4 files changed, 35 insertions, 1 deletions
diff --git a/deploy_wesher_key b/deploy_wesher_key
new file mode 100755
index 0000000..8f7ed77
--- /dev/null
+++ b/deploy_wesher_key
@@ -0,0 +1,4 @@
+#!/usr/bin/env ./sshtool
+
+write_pass deuxfleurs/cluster/$CLUSTER/wesher_key /var/lib/wesher/secrets
+cmd systemctl restart wesher
diff --git a/gen_wesher_key b/gen_wesher_key
new file mode 100755
index 0000000..c66fade
--- /dev/null
+++ b/gen_wesher_key
@@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+
+cd $(dirname $0)
+
+CLUSTER="$1"
+if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
+ echo "Usage: $0 <cluster name>"
+ echo "The cluster name must be the name of a subdirectory of cluster/"
+ exit 1
+fi
+
+K=deuxfleurs/cluster/$CLUSTER/wesher_key
+if ! pass $K >/dev/null; then
+ pass insert -m $K <<EOF
+WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)
+EOF
+fi
diff --git a/genpki.sh b/genpki.sh
index d41d3b8..6afb160 100755
--- a/genpki.sh
+++ b/genpki.sh
@@ -7,7 +7,7 @@ set -xe
cd $(dirname $0)
CLUSTER="$1"
-if [ ! -d "cluster/$CLUSTER" ]; then
+if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
echo "Usage: $0 <cluster name>"
echo "The cluster name must be the name of a subdirectory of cluster/"
exit 1
diff --git a/sshtool b/sshtool
index b5de384..1396c87 100755
--- a/sshtool
+++ b/sshtool
@@ -81,6 +81,19 @@ chmod 0600 $TO
EOF
}
+function write_pass {
+ local PASSKEY=$1
+ local TO=$2
+ cat <<EOF
+echo '- write secret $TO from pass $PASSKEY'
+base64 -d <<EOG | tee $TO > /dev/null
+$(pass $PASSKEY | base64)
+EOG
+chown root:root $TO
+chmod 0600 $TO
+EOF
+}
+
for NIXHOST in $NIXHOSTLIST; do
NIXHOST=${NIXHOST%.*}