|
|
|
|
@ -1,7 +1,6 @@
|
|
|
|
|
#/usr/bin/env bash
|
|
|
|
|
# Purpose: manage .sops.yaml based on gpg keys in the same dir
|
|
|
|
|
# Purpose: manage .sops.yaml based on gpg keys in the same dir _and_ verify correct configuration
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
# sops.yaml doc: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
|
|
|
|
|
|
|
|
|
|
sops_config=".sops.yaml"
|
|
|
|
|
|
|
|
|
|
@ -26,7 +25,8 @@ function fn_extract_uid(){
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function fn_update_sops_config(){
|
|
|
|
|
# CAVEAT: dirty hacks, just get it done. Not DRY at all.
|
|
|
|
|
# sops.yaml doc: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
|
|
|
|
|
# CAVEAT: dirty hacks, just get it done. Not DRY, very WET.
|
|
|
|
|
|
|
|
|
|
echo "# Fingerprint | User Type | User ID"
|
|
|
|
|
for gpgkeyfile in *automation*gpg.pub; do
|
|
|
|
|
@ -57,4 +57,22 @@ EOM
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
(fn_update_sops_config) >> "${sops_config}"
|
|
|
|
|
# UPDATE SOPS CONFIG
|
|
|
|
|
(fn_update_sops_config) > "${sops_config}"
|
|
|
|
|
|
|
|
|
|
# VERIFY
|
|
|
|
|
fn_verify_sops_config(){
|
|
|
|
|
sops_enc_file="${1}";shift;
|
|
|
|
|
# update keys in mock secret file
|
|
|
|
|
# prereq: create a file with a mock secret, src: https://bash-org-archive.com/?244321
|
|
|
|
|
test -e mock_secrets.yaml || (yq -n '.demo.credentials.secret = "hunter2"' > mock_secrets.yaml && sops -e -i mock_secrets.yaml )
|
|
|
|
|
|
|
|
|
|
# "update the keys of SOPS files using the config file"
|
|
|
|
|
sops updatekeys mock_secrets.yaml
|
|
|
|
|
|
|
|
|
|
# dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
|
|
|
|
|
GPG_TTY=$(tty) sops -d mock_secrets.yaml
|
|
|
|
|
}
|
|
|
|
|
fn_verify_sops_config
|
|
|
|
|
|
|
|
|
|
echo "# SUCESS: all users with keys in this dir should have functional keys"
|
|
|
|
|
|
LeeW
11 months ago