Merge of edit-secrets from nunoc-ops

This commit is contained in:
John Van de Meulebrouck Brendgard 2018-04-25 12:03:50 +02:00
parent ffdb1aa4d1
commit a8166f6cbc
No known key found for this signature in database
GPG key ID: 807A5FD4B3337B77


@ -1,17 +1,36 @@
#!/bin/bash #!/bin/bash
#
# Script to edit secrets for a host.
#
# This script is used by an administrator on his/hers local machine. The
# general principle is for this script to ssh to the target host, decrypt
# the secrets and allow changes to be made, and then fetch the encrypted
# secrets from the host and add it to the Cosmos repository on the
# administrators machine.
#
# Funnily enough, this script will execute itself (with the argument
# '--on-host') on the target host in order to do the decryption etc. Don't
# allow this to confuse you and everything will be fine.
#
set -e set -e
umask 077 umask 077
LAST_OUTPUT_FILENAME="/root/.last_edit-secrets_output" LAST_OUTPUT_FILENAME="/root/.last_edit-secrets_output"
if [[ "x${EDITOR}" != "x" ]]; then
declare -r REMOTE_EDITOR="${EDITOR}"
else
declare -r REMOTE_EDITOR='/usr/bin/vim.tiny'
fi
if [ "x$1" = "x" ]; then if [ "x$1" = "x" ]; then
echo "Syntax: $0 -l OR fqdn" echo "Syntax: $0 -l OR fqdn"
exit 1 exit 1
fi fi
if [ "x$1" != "x-l" ]; then if [ "x$1" != "x-l" ]; then
host=$1 host=$(echo $1 | sed -e 's!/*$!!') # remove trailing slashes
if [ ! -d $host ]; then if [ ! -d $host ]; then
echo "$0: No host-directory for '$host' found - execute in top-level cosmos dir" echo "$0: No host-directory for '$host' found - execute in top-level cosmos dir"
@ -19,12 +38,12 @@ if [ "x$1" != "x-l" ]; then
fi fi
# Execute this very script, on a remote host # Execute this very script, on a remote host
TMPFILE=$(mktemp) TMPFILE=$(mktemp edit-secrets.$$.XXXXXXX)
if [ ! -f $TMPFILE ]; then if [ ! -f $TMPFILE ]; then
echo "$0: Failed creating temporary file" echo "$0: Failed creating temporary file"
exit 1 exit 1
fi fi
TMPFILE2=$(mktemp) TMPFILE2=$(mktemp edit-secrets.$$.XXXXXXX)
if [ ! -f $TMPFILE2 ]; then if [ ! -f $TMPFILE2 ]; then
echo "$0: Failed creating temporary file" echo "$0: Failed creating temporary file"
exit 1 exit 1
@ -32,7 +51,7 @@ if [ "x$1" != "x-l" ]; then
trap "rm -f $TMPFILE $TMPFILE2" EXIT trap "rm -f $TMPFILE $TMPFILE2" EXIT
ssh -t root@$host /var/cache/cosmos/repo/edit-secrets -l ssh -t root@$host EDITOR="${REMOTE_EDITOR}" /var/cache/cosmos/repo/edit-secrets -l
scp -q root@$host:$LAST_OUTPUT_FILENAME $TMPFILE scp -q root@$host:$LAST_OUTPUT_FILENAME $TMPFILE
if grep ^"STATUS=UPDATED" $TMPFILE > /dev/null; then if grep ^"STATUS=UPDATED" $TMPFILE > /dev/null; then
@ -98,8 +117,11 @@ fi
trap "rm -f $TMPFILE $TMPFILE2" EXIT trap "rm -f $TMPFILE $TMPFILE2" EXIT
if [ ! -f "$GNUPGHOME/secring.gpg" ]; then if ! $GPG --list-secret-keys | grep -q ^"sec\s"; then
echo "$0: Secret keyring $GNUPGHOME/secring.gpg does not exist." echo "$0: Secret key does not exist (in $GNUPGHOME)."
echo ""
echo "Generate it with /var/cache/cosmos/model/pre-tasks.d/040hiera-gpg"
echo ""
exit 1 exit 1
fi fi
@ -126,10 +148,16 @@ else
# figure out this hosts gpg key id # figure out this hosts gpg key id
recipient=$($GPG --list-secret-key | grep ^sec | head -1 | awk '{print $2}' | cut -d / -f 2) recipient=$($GPG --list-secret-key | grep ^sec | head -1 | awk '{print $2}' | cut -d / -f 2)
save_to="`hostname --fqdn`/overlay${SECRETFILE}"
echo "" echo ""
( (
echo "STATUS=UPDATED" echo "STATUS=UPDATED"
echo "" echo ""
) > $LAST_OUTPUT_FILENAME ) > $LAST_OUTPUT_FILENAME
$GPG --output - --armor --recipient $recipient --sign --encrypt $TMPFILE >> $LAST_OUTPUT_FILENAME $GPG --output - --armor --recipient $recipient --sign --encrypt $TMPFILE >> $LAST_OUTPUT_FILENAME
echo ""
echo "GPG output saved in $LAST_OUTPUT_FILENAME - save it in Cosmos as"
echo ""
echo " $save_to"
echo ""
fi fi
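Review bot: The new mktemp templates on the administrator side (`TMPFILE=$(mktemp edit-secrets.$$.XXXXXXX)` and the matching TMPFILE2 line) carry no directory component, so mktemp now creates the files in the current working directory instead of under $TMPDIR; because the script requires being run from the top-level cosmos checkout, the scp'd output lands inside the repository working tree, and if the EXIT trap does not fire (SIGKILL, lost terminal) a stray file such as `edit-secrets.<pid>.XXXXXXX` (constructed example) can be picked up by a later commit. Keep the descriptive name but anchor it to the temp directory, `TMPFILE=$(mktemp "${TMPDIR:-/tmp}/edit-secrets.$$.XXXXXXX")` (GNU mktemp also accepts `--tmpdir`); note that `$$` adds no unpredictability, the X's provide that. Separately, `host=$(echo $1 | sed -e 's!/*$!!')` leaves `$1` unquoted and goes through echo; `host=$(printf '%s\n' "$1" | sed -e 's!/*$!!')` avoids word-splitting and echo's option handling, and `$host` should be quoted where it reaches `ssh`/`scp`. Also, `EDITOR="${REMOTE_EDITOR}"` in the ssh command line is re-parsed by the remote shell, so an EDITOR value containing spaces or shell metacharacters will not arrive intact; passing it through `printf '%q'` before building the command would keep it as one word.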