From a8166f6cbc893f0d133e70ba278f287d191f09b8 Mon Sep 17 00:00:00 2001
From: John Van de Meulebrouck Brendgard
Date: Wed, 25 Apr 2018 12:03:50 +0200
Subject: [PATCH] Merge of edit-secrets from nunoc-ops
---
 edit-secrets | 40 ++++++++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/edit-secrets b/edit-secrets
index 742321f..149715e 100755
--- a/edit-secrets
+++ b/edit-secrets
@@ -1,17 +1,36 @@
 #!/bin/bash
+#
+# Script to edit secrets for a host.
+#
+# This script is used by an administrator on his/hers local machine. The
+# general principle is for this script to ssh to the target host, decrypt
+# the secrets and allow changes to be made, and then fetch the encrypted
+# secrets from the host and add it to the Cosmos repository on the
+# administrators machine.
+#
+# Funnily enough, this script will execute itself (with the argument
+# '--on-host') on the target host in order to do the decryption etc. Don't
+# allow this to confuse you and everything will be fine.
+#
 set -e
 umask 077
 LAST_OUTPUT_FILENAME="/root/.last_edit-secrets_output"
+if [[ "x${EDITOR}" != "x" ]]; then
+    declare -r REMOTE_EDITOR="${EDITOR}"
+else
+    declare -r REMOTE_EDITOR='/usr/bin/vim.tiny'
+fi
 if [ "x$1" = "x" ]; then
     echo "Syntax: $0 -l OR fqdn"
     exit 1
 fi
 if [ "x$1" != "x-l" ]; then
-    host=$1
+    host=$(echo $1 | sed -e 's!/*$!!') # remove trailing slashes
     if [ ! -d $host ]; then
         echo "$0: No host-directory for '$host' found - execute in top-level cosmos dir"
@@ -19,12 +38,12 @@ if [ "x$1" != "x-l" ]; then
     fi
     # Execute this very script, on a remote host
-    TMPFILE=$(mktemp)
+    TMPFILE=$(mktemp edit-secrets.$$.XXXXXXX)
     if [ ! -f $TMPFILE ]; then
         echo "$0: Failed creating temporary file"
         exit 1
     fi
-    TMPFILE2=$(mktemp)
+    TMPFILE2=$(mktemp edit-secrets.$$.XXXXXXX)
     if [ ! -f $TMPFILE2 ]; then
         echo "$0: Failed creating temporary file"
         exit 1
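Review bot: The new `host=$(echo $1 | sed -e 's!/*$!!')` leaves `$1` unquoted, so an argument containing spaces or glob characters is word-split and expanded by `echo` before sed ever sees it, and a value starting with `-` is eaten as an `echo` option; because `host` later ends up in `ssh -t root@$host`, the mangling is silent rather than an error. Parameter expansion does the same stripping with no pipeline and no unquoted expansion: `host=$1; while [[ "$host" == */ ]]; do host=${host%/}; done`. Minor: `[[ "x${EDITOR}" != "x" ]]` carries the `[`-era `x` prefix; with `[[` it can simply be `[[ -n "${EDITOR:-}" ]]`. The `if [ "x$1" != "x-l" ]` block continues past this hunk.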
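Review bot: `mktemp edit-secrets.$$.XXXXXXX` is a relative template, so both temporary files are now created in the current directory — which the check a few lines up requires to be the top-level cosmos repository — instead of under `$TMPDIR`; a run that dies before the EXIT trap is installed (further down, outside this hunk) leaves `edit-secrets.<pid>.*` files inside the working tree where a later `git add` can sweep them up. Anchoring the template keeps the recognisable name without that side effect: `TMPFILE=$(mktemp "${TMPDIR:-/tmp}/edit-secrets.$$.XXXXXXX")`, and the same for `TMPFILE2`. The `$$` component adds nothing the `XXXXXXX` field does not already guarantee, but it is harmless.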
@@ -32,7 +51,7 @@ if [ "x$1" != "x-l" ]; then
     trap "rm -f $TMPFILE $TMPFILE2" EXIT
-    ssh -t root@$host /var/cache/cosmos/repo/edit-secrets -l
+    ssh -t root@$host EDITOR="${REMOTE_EDITOR}" /var/cache/cosmos/repo/edit-secrets -l
     scp -q root@$host:$LAST_OUTPUT_FILENAME $TMPFILE
     if grep ^"STATUS=UPDATED" $TMPFILE > /dev/null; then
@@ -98,8 +117,11 @@ fi
 trap "rm -f $TMPFILE $TMPFILE2" EXIT
-if [ ! -f "$GNUPGHOME/secring.gpg" ]; then
-    echo "$0: Secret keyring $GNUPGHOME/secring.gpg does not exist."
+if ! $GPG --list-secret-keys | grep -q ^"sec\s"; then
+    echo "$0: Secret key does not exist (in $GNUPGHOME)."
+    echo ""
+    echo "Generate it with /var/cache/cosmos/model/pre-tasks.d/040hiera-gpg"
+    echo ""
     exit 1
 fi
@@ -126,10 +148,16 @@ else
     # figure out this hosts gpg key id
     recipient=$($GPG --list-secret-key | grep ^sec | head -1 | awk '{print $2}' | cut -d / -f 2)
+    save_to="`hostname --fqdn`/overlay${SECRETFILE}"
     echo ""
     (
         echo "STATUS=UPDATED"
         echo ""
     ) > $LAST_OUTPUT_FILENAME
     $GPG --output - --armor --recipient $recipient --sign --encrypt $TMPFILE >> $LAST_OUTPUT_FILENAME
+    echo ""
+    echo "GPG output saved in $LAST_OUTPUT_FILENAME - save it in Cosmos as"
+    echo ""
+    echo "  $save_to"
+    echo ""
 fi
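Review bot: `EDITOR="${REMOTE_EDITOR}"` on the ssh command line is quoted only for the local shell; ssh joins its arguments into one string that the remote login shell re-parses, so a value such as `emacs -nw` or `code --wait` arrives as `EDITOR=emacs` plus a stray argument to `edit-secrets`, and any shell metacharacters in the value are interpreted on the host as root. Re-quote the value for the remote side before sending it: `ssh -t "root@$host" "EDITOR=$(printf '%q' "$REMOTE_EDITOR")" /var/cache/cosmos/repo/edit-secrets -l`. This assumes root's login shell on the target is bash-compatible, which seems likely given the `#!/bin/bash` script it then runs, but I cannot confirm it from the patch.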
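Review bot: In `if ! $GPG --list-secret-keys | grep -q ^"sec\s"` only grep's status counts: the script runs under `set -e` without `pipefail`, so a `$GPG` that fails to start or cannot open `$GNUPGHOME` is reported as the misleading "Secret key does not exist", and `\s` is a GNU grep extension. The machine-readable listing is stable across gpg versions and needs no regex class: `if ! $GPG --batch --with-colons --list-secret-keys | grep -q '^sec:'; then`, optionally under a temporary `set -o pipefail` so a gpg failure is surfaced as such. The check also differs from the `--list-secret-key | grep ^sec` used for the recipient lookup in the next hunk; the two should use the same listing so the existence check and the key-id extraction cannot disagree.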
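Review bot: `save_to="`hostname --fqdn`/overlay${SECRETFILE}"` is evaluated before `STATUS=UPDATED` is written, so under `set -e` a failing `hostname --fqdn` (no resolvable FQDN on the host) aborts the script at that line: the edited plaintext in `$TMPFILE` is removed by the EXIT trap and nothing reaches `$LAST_OUTPUT_FILENAME`, although only the informational message depends on the value. Give it a fallback and use `$()` rather than backticks: `save_to="$(hostname --fqdn 2>/dev/null || hostname)/overlay${SECRETFILE}"`. `--fqdn` is the GNU long form; `hostname -f` is accepted on both GNU and BSD hostname.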