mynix/agenix
1
0
Fork 0
mirror of https://github.com/ryantm/agenix.git synced 2024-11-01 00:29:56 +03:00
Code Issues Projects Releases Packages Wiki Activity
agenix/age.sh

69 lines
1.5 KiB
Bash
Raw Normal View History

initial prototype
2020-09-01 07:37:26 +03:00
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p age yq-go
set -euxo pipefail
RULES=example.yaml
function cleanup {
if [ ! -z ${CLEARTEXT_DIR+x} ]
then
rm -rf "$CLEARTEXT_DIR"
fi
if [ ! -z ${REENCRYPTED_DIR+x} ]
then
rm -rf "$REENCRYPTED_DIR"
fi
}
trap "cleanup" 0 2 3 15
function ageEdit {
FILE=$1
KEYS=$(yq r "$RULES" "secrets.(name==$FILE).public_keys.**")
if [ -z "$KEYS" ]
then
>&2 echo "There is no rule for $FILE in $RULES."
exit 1
fi
CLEARTEXT_DIR=$(mktemp -d)
CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
if [ -f "$FILE" ]
then
DECRYPT=(--decrypt)
while IFS= read -r key
do
DECRYPT+=(--identity "$key")
done <<<$(find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts")
DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE")
age "${DECRYPT[@]}"
fi
$EDITOR "$CLEARTEXT_FILE"
ENCRYPT=()
while IFS= read -r key
do
echo "$key"
ENCRYPT+=(--recipient "$key")
done <<< "$KEYS"
REENCRYPTED_DIR=$(mktemp -d)
REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename "$FILE")"
ENCRYPT+=(-o "$REENCRYPTED_FILE")
cat "$CLEARTEXT_FILE" | age "${ENCRYPT[@]}"
mv -f "$REENCRYPTED_FILE" "$1"
}
function rekey {
FILES=$(yq r "$RULES" "secrets.*.name")
for FILE in $FILES
do
EDITOR=echo ageEdit $FILE
done
}
Reference in a new issue Copy permalink