generated from coulomb/repo-seed
bootstrapping guidance ui and missing stuff
@@ -2,13 +2,16 @@
|
||||
# encrypt-secrets.sh — encrypt secrets/ directory to secrets.enc/ using age
|
||||
#
|
||||
# Usage:
|
||||
# ./encrypt-secrets.sh [SECRETS_DIR] [AGE_KEY_FILE]
|
||||
# ./encrypt-secrets.sh [SECRETS_DIR] [AGE_RECIPIENT_OR_KEY_FILE]
|
||||
#
|
||||
# SECRETS_DIR plaintext secrets directory (default: ./secrets)
|
||||
# AGE_KEY_FILE age private key file (default: ~/.config/net-kingdom/age.key)
|
||||
# SECRETS_DIR plaintext secrets directory (default: ./secrets)
|
||||
# AGE_RECIPIENT_OR_KEY_FILE age public key, public-key file, or private-key
|
||||
# file with public-key comment
|
||||
# (default: ~/.config/net-kingdom/age.key)
|
||||
#
|
||||
# Reads the public key from the age key file and encrypts each *.env file
|
||||
# (and pi.enc if present) to secrets.enc/<component>/<filename>.age.
|
||||
# Encrypts each *.env file (and pi.enc if present) to
|
||||
# secrets.enc/<component>/<filename>.age. Prefer passing a public age recipient
|
||||
# for normal bootstrap; the private key is needed only for decrypt/apply.
|
||||
#
|
||||
# After a successful encrypt, shreds the plaintext secrets directory unless
|
||||
# --no-shred is passed.
|
||||
@@ -19,7 +22,7 @@
|
||||
set -euo pipefail
|
||||
|
||||
SECRETS_DIR="${1:-./secrets}"
|
||||
AGE_KEY="${2:-$HOME/.config/net-kingdom/age.key}"
|
||||
AGE_RECIPIENT_OR_KEY="${2:-$HOME/.config/net-kingdom/age.key}"
|
||||
NO_SHRED=false
|
||||
for arg in "$@"; do [[ "$arg" == "--no-shred" ]] && NO_SHRED=true; done
|
||||
|
||||
@@ -29,18 +32,40 @@ if [[ ! -d "$SECRETS_DIR" ]]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! -f "$AGE_KEY" ]]; then
|
||||
echo "ERROR: age key not found: $AGE_KEY" >&2
|
||||
echo "Generate with: age-keygen -o $AGE_KEY" >&2
|
||||
exit 1
|
||||
fi
|
||||
resolve_recipient() {
|
||||
local source="$1"
|
||||
if [[ "$source" == age1* ]]; then
|
||||
printf '%s\n' "$source"
|
||||
return 0
|
||||
fi
|
||||
if [[ ! -f "$source" ]]; then
|
||||
echo "ERROR: age recipient/key file not found: $source" >&2
|
||||
echo "Pass an age public recipient such as age1... or a file containing it." >&2
|
||||
return 1
|
||||
fi
|
||||
local recipient
|
||||
recipient=$(grep -m1 '^age1' "$source" || true)
|
||||
if [[ -n "$recipient" ]]; then
|
||||
printf '%s\n' "$recipient"
|
||||
return 0
|
||||
fi
|
||||
recipient=$(grep -m1 'public key:' "$source" | awk '{print $NF}' || true)
|
||||
if [[ -n "$recipient" ]]; then
|
||||
printf '%s\n' "$recipient"
|
||||
return 0
|
||||
fi
|
||||
if grep -q 'AGE-SECRET-KEY-1' "$source"; then
|
||||
recipient=$(age-keygen -y "$source" 2>/dev/null || true)
|
||||
if [[ -n "$recipient" ]]; then
|
||||
printf '%s\n' "$recipient"
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
echo "ERROR: could not resolve an age public recipient from $source" >&2
|
||||
return 1
|
||||
}
|
||||
|
||||
# Extract public key from the private key file
|
||||
PUBKEY=$(grep 'public key:' "$AGE_KEY" | awk '{print $NF}')
|
||||
if [[ -z "$PUBKEY" ]]; then
|
||||
echo "ERROR: could not read public key from $AGE_KEY" >&2
|
||||
exit 1
|
||||
fi
|
||||
PUBKEY=$(resolve_recipient "$AGE_RECIPIENT_OR_KEY")
|
||||
|
||||
ENC_DIR="$(dirname "$SECRETS_DIR")/secrets.enc"
|
||||
mkdir -p "$ENC_DIR"
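Review bot: `resolve_recipient` returns whatever it finds without checking its shape — the `age1*` branch prints the argument untouched, and the `grep -m1 '^age1'` branch returns the whole matching line, so a recipients-file entry with a trailing comment, trailing whitespace or a CRLF ending reaches `PUBKEY` as-is. Because the header comment says a successful encrypt is followed by shredding the plaintext directory, a malformed or junk-laden recipient should fail loudly inside this function rather than rely on `age -r` rejecting it later (the encrypt loop and the shred are outside this hunk, so I cannot see whether an `age` failure there actually stops the shred). I would take only the first field of the `^age1` line and funnel every branch through one format check, `[[ "$recipient" =~ ^age1[0-9a-z]+$ ]]`, which rejects whitespace, CR and comment tails while leaving the real bech32 validation to age itself. `PUBKEY=$(resolve_recipient "$AGE_RECIPIENT_OR_KEY")` does abort under `set -e` when the function returns non-zero, but spelling it `PUBKEY=$(resolve_recipient "$AGE_RECIPIENT_OR_KEY") || exit 1` makes that intent visible now that the old explicit empty-check is gone.
```shell
resolve_recipient() {
  local source="$1"
  local recipient=""
  if [[ "$source" == age1* ]]; then
    recipient="$source"
  elif [[ ! -f "$source" ]]; then
    echo "ERROR: age recipient/key file not found: $source" >&2
    echo "Pass an age public recipient such as age1... or a file containing it." >&2
    return 1
  else
    # First field only, so a trailing comment on a recipients-file line is dropped.
    recipient=$(awk '/^age1/ { print $1; exit }' "$source")
    if [[ -z "$recipient" ]]; then
      recipient=$(grep -m1 'public key:' "$source" | awk '{print $NF}' || true)
    fi
    if [[ -z "$recipient" ]] && grep -q 'AGE-SECRET-KEY-1' "$source"; then
      recipient=$(age-keygen -y "$source" 2>/dev/null || true)
    fi
  fi
  recipient="${recipient%$'\r'}"   # tolerate CRLF key/recipient files
  # Single check for every branch: only a bare age1... token may reach `age -r`,
  # and therefore the post-encrypt shred of the plaintext directory.
  if [[ ! "$recipient" =~ ^age1[0-9a-z]+$ ]]; then
    echo "ERROR: could not resolve an age public recipient from $source" >&2
    return 1
  fi
  printf '%s\n' "$recipient"
}
```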
|
||||
|
||||