#!/usr/bin/env bash
set -euo pipefail
# --- gen-secrets-keys.sh ---
# Derive age public keys from SSH host keys for every host listed in HOSTS.
#
# For each host the ed25519 SSH host key is fetched, converted with
# ssh-to-age, and written to secrets/pubkeys/<hostname>.age so that agenix
# can use it as a recipient.
#
# Location constants: the script lives in <project>/scripts/, so the project
# root is one level up and the recipient files live under
# <project>/secrets/pubkeys.
SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
PROJECT_DIR=$(cd -- "${SCRIPT_DIR}/.." && pwd)
PUBKEYS_DIR="${PROJECT_DIR}/secrets/pubkeys"
readonly SCRIPT_DIR PROJECT_DIR PUBKEYS_DIR
# ssh-to-age performs the SSH-to-age conversion; stop early if it is absent
# rather than failing on every host inside the loop.
if ! command -v ssh-to-age > /dev/null 2>&1; then
  echo "❌ Error: 'ssh-to-age' is required."
  echo " Install it with: nix-shell -p ssh-to-age"
  exit 1
fi
# Recipient files are written here; create the directory on first run.
mkdir -p -- "$PUBKEYS_DIR"
echo "🔑 Generating age public keys from SSH host keys..."
echo " Output directory: $PUBKEYS_DIR"
echo
# Known hosts, one entry per host, in the form
#   "<hostname>:<user>@<ssh_host>:<port>"
# <hostname> names the output file secrets/pubkeys/<hostname>.age.
# Add entries as hosts are deployed in the infrastructure.
HOSTS=(
  # Hypervisors
  # "pve01:root@pve01.prod.lagraula.fr:22"
  # "pve02:root@pve02.prod.lagraula.fr:22"
  # LXC containers (once deployed)
  # "dns01:root@dns01.lagraula.fr:22"
  # "gitea01:root@gitea01.lagraula.fr:22"
  # "vault01:root@vault01.lagraula.fr:22"
  # "rp01:root@rp01.lagraula.fr:22"
  # Workstations
  # "sting:root@sting.lagraula.fr:22"
)
# With no hosts listed there is nothing to scan; print the one-off recipe
# and leave successfully.
if (( ${#HOSTS[@]} == 0 )); then
  echo "⚠️ No hosts configured. Edit the HOSTS array in this script first."
  echo
  echo "For a single host, you can also run manually:"
  echo " ssh-keyscan <host> 2>/dev/null | grep ed25519 | awk '{print \$3}' | ssh-to-age > $PUBKEYS_DIR/<hostname>.age"
  exit 0
fi
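# Fetch each host's ed25519 host key, convert it to an age recipient and
# store it as secrets/pubkeys/<hostname>.age.
#
# Entry format: "<hostname>:<user>@<ssh_host>[:<port>]"; the port defaults
# to 22 when omitted. Splitting on ':' into three fields keeps the port
# separate from the host — a two-field split leaves ":<port>" glued to the
# host name, which ssh-keyscan then fails to resolve and every host is
# skipped.
for entry in "${HOSTS[@]}"; do
  IFS=':' read -r hostname ssh_user_host ssh_port <<< "$entry"
  IFS='@' read -r ssh_user ssh_host <<< "$ssh_user_host"
  ssh_port="${ssh_port:-22}"
  # Reject entries that cannot yield a usable scan or a sane output path.
  if [[ -z "$hostname" || -z "$ssh_host" || "$hostname" == */* ]]; then
    echo " ⚠️ Malformed HOSTS entry '$entry' (expected hostname:user@host[:port]). Skipping."
    continue
  fi
  echo "🖥️ Processing $hostname ($ssh_user@$ssh_host:$ssh_port)..."
  # ssh-keyscan does not authenticate the peer: the key it returns is
  # whatever answered on the wire. Anything encrypted to a recipient
  # derived from an intercepted scan is readable by whoever served that
  # key, so compare the fingerprint printed below with the one the host
  # itself reports (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on
  # the host) before committing the .age file.
  # The scan output is a known_hosts line: "<host> ssh-ed25519 <base64>".
  scan_line=$(ssh-keyscan -t ed25519 -p "$ssh_port" "$ssh_host" 2>/dev/null | grep "ed25519" || true)
  if [[ -z "$scan_line" ]]; then
    echo " ⚠️ Could not retrieve the SSH host key for $hostname. Skipping."
    continue
  fi
  # Best-effort fingerprint display for out-of-band comparison; failure
  # here is not fatal, it only removes the hint.
  fingerprint=$(ssh-keygen -lf /dev/stdin <<< "$scan_line" 2>/dev/null || true)
  if [[ -n "$fingerprint" ]]; then
    echo "    Host key fingerprint: $fingerprint"
  fi
  # Third field of the known_hosts line is the base64 key blob, as in the
  # original pipeline. `|| true` keeps a conversion failure from aborting
  # the whole run; the empty result is handled just below.
  age_key=$(awk '{print $3}' <<< "$scan_line" | ssh-to-age 2>/dev/null || true)
  if [[ -z "$age_key" ]]; then
    echo " ⚠️ Could not retrieve age key for $hostname. Skipping."
    continue
  fi
  # A recipient that differs from the one already on disk means the host
  # key changed: a reinstall or rotation, or a scan that did not reach the
  # real host. The file is still rewritten (as before), but the change is
  # made visible so it can be checked out-of-band before secrets are
  # re-encrypted to it.
  out_file="$PUBKEYS_DIR/$hostname.age"
  if [[ -f "$out_file" ]]; then
    previous=$(<"$out_file")
    if [[ "$previous" != "$age_key" ]]; then
      echo " ⚠️ Recipient for $hostname differs from the one already in $out_file."
      echo "    Verify the new host key out-of-band before re-encrypting secrets to it."
    fi
  fi
  printf '%s\n' "$age_key" > "$out_file"
  echo " ✅ Saved age public key: $age_key"
done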
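# Summary. Count recipient files with a glob instead of parsing `ls | wc -l`
# (whose output is padded on some platforms). nullglob is enabled only
# inside the subshell so the script's own glob settings are untouched, and
# an empty directory yields 0 instead of the literal pattern.
key_count=$(shopt -s nullglob; set -- "$PUBKEYS_DIR"/*.age; printf '%s' "$#")
echo
echo "🎉 Done! Generated $key_count key(s)."
echo
echo "To encrypt a secret for specific hosts:"
echo " age -r \$(cat $PUBKEYS_DIR/<hostname>.age) -o secrets/<name>.age"
echo
echo "Or with agenix:"
echo " agenix -e secrets/<name>.age"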