Initial framework: reusable modules, lib, pkgs, overlays, scripts, sample environment
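--- /dev/null
+++ b/gen-secrets-keys.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# --- gen-secrets-keys.sh ---
+# Generate age public keys from SSH host keys for all known hosts.
+#
+# This script retrieves each host's SSH host key, converts it to an
+# age public key using ssh-to-age, and stores it in
+# secrets/pubkeys/<hostname>.age for use with agenix.
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+PUBKEYS_DIR="${PROJECT_DIR}/secrets/pubkeys"
+
+# Ensure ssh-to-age is available
+if ! command -v ssh-to-age &> /dev/null; then
+echo "❌ Error: 'ssh-to-age' is required."
+echo " Install it with: nix-shell -p ssh-to-age"
+exit 1
+fi
+
+mkdir -p "$PUBKEYS_DIR"
+
+echo "🔑 Generating age public keys from SSH host keys..."
+echo " Output directory: $PUBKEYS_DIR"
+echo ""
+
+# Known hosts (hostname, user@host, ssh port)
+# Add entries as hosts are deployed in the infrastructure
+HOSTS=(
+# Hypervisors
+# "pve01:root@pve01.prod.lagraula.fr:22"
+# "pve02:root@pve02.prod.lagraula.fr:22"
+# LXC containers (once deployed)
+# "dns01:root@dns01.lagraula.fr:22"
+# "gitea01:root@gitea01.lagraula.fr:22"
+# "vault01:root@vault01.lagraula.fr:22"
+# "rp01:root@rp01.lagraula.fr:22"
+# Workstations
+# "sting:root@sting.lagraula.fr:22"
+)
+
+if [ ${#HOSTS[@]} -eq 0 ]; then
+echo "⚠️ No hosts configured. Edit the HOSTS array in this script first."
+echo ""
+echo "For a single host, you can also run manually:"
+echo " ssh-keyscan <host> 2>/dev/null | grep ed25519 | awk '{print \$3}' | ssh-to-age > $PUBKEYS_DIR/<hostname>.age"
+exit 0
+fi
+
+for entry in "${HOSTS[@]}"; do
+IFS=':' read -r hostname ssh_user_port <<< "$entry"
+IFS='@' read -r ssh_user ssh_host <<< "$ssh_user_port"
+
+echo "🖥️ Processing $hostname ($ssh_user@$ssh_host)..."
+
+age_key=$(ssh-keyscan -t ed25519 "$ssh_host" 2>/dev/null | \
+grep "ed25519" | \
+awk '{print $3}' | \
+ssh-to-age 2>/dev/null || true)
+
+if [ -z "$age_key" ]; then
+echo " ⚠️ Could not retrieve age key for $hostname. Skipping."
+continue
+fi
+
+echo "$age_key" > "$PUBKEYS_DIR/$hostname.age"
+echo " ✅ Saved age public key: $age_key"
+done
+
+echo ""
+echo "🎉 Done! Generated $(ls -1 "$PUBKEYS_DIR"/*.age 2>/dev/null | wc -l) key(s)."
+echo ""
+echo "To encrypt a secret for specific hosts:"
+echo " age -r \$(cat $PUBKEYS_DIR/<hostname>.age) -o secrets/<name>.age"
+echo ""
+echo "Or with agenix:"
+echo " agenix -e secrets/<name>.age"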
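Review bot: The age recipient keys that every later secret is encrypted to come from an unauthenticated `ssh-keyscan -t ed25519 "$ssh_host"` inside the `for entry` loop, so whatever an on-path party answers during this one-off step becomes a permanent recipient, and nothing cross-checks the result against the host keys the operator already trusts. The loop also parses `ssh_user` but only prints it, and the port from the HOSTS entry stays glued to `ssh_host` (`pve01.prod.lagraula.fr:22` is handed to ssh-keyscan as-is); whether that unbracketed form is accepted depends on the OpenSSH version, so splitting it off and passing `-p` is safer. Reading `/etc/ssh/ssh_host_ed25519_key.pub` over an authenticated `ssh` session lets the known_hosts check vouch for the key (the path assumes a stock OpenSSH layout — confirm for the NixOS hosts); for hosts already in known_hosts, `ssh-keygen -F "$ssh_host"` would do it without touching the network at all. The `|| true` on the pipeline is acceptable because the empty-key check follows it, but a one-line comment saying so, e.g. `# failure is reported by the empty-key check below`, would stop a later reader from "fixing" it.
```shell
for entry in "${HOSTS[@]}"; do
  IFS=':' read -r hostname ssh_user_host ssh_port <<< "$entry"
  IFS='@' read -r ssh_user ssh_host <<< "$ssh_user_host"
  ssh_port="${ssh_port:-22}"
  # … unchanged: "Processing" echo …

  # Fetch the host key over an authenticated SSH session so the known_hosts
  # check, not an unauthenticated keyscan, vouches for the key we encrypt to.
  # Failure is reported by the empty-key check below.
  age_key=$(ssh -o StrictHostKeyChecking=yes -o BatchMode=yes -p "$ssh_port" \
    "$ssh_user@$ssh_host" cat /etc/ssh/ssh_host_ed25519_key.pub 2>/dev/null \
    | ssh-to-age 2>/dev/null || true)
  # … unchanged: empty-key check, file write, success echo …
done
```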