gitea-admin
/
communication-keys
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
add_pubkey_Andreas_Rother
key_change
add_pubkey_Christos-Adalis
add_pubkey_Daryl-SauerNeumann
ADP-231_group_argocd-os-nso-adp-dev
ADP-216-wrapup
ADP-216-uat-sops-step2_003
ADP-216-uat-sops-step2_002
ADP-216-uat-sops-step1
ADP-216-uat-sops-step2
ADP-216-uat-sops-onboarding
ADP-216_sops_automation
ADP-179_doc_sops
ADP-179_sops_manage_keys
gpg-key-peichhorn
feature/gpg_key_tobias_Stroehl
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '20c2a79808'
${ noResults }
communication-keys/__update_sops.sh

79 lines
2.6 KiB
Bash
Raw Blame History

#/usr/bin/env bash
# Purpose: manage .sops.yaml based on gpg keys in the same dir _and_ verify correct configuration
set -euo pipefail
sops_config=".sops.yaml"
function fn_extract_fpr(){
gpgkeyfile=$1;shift;
# fingerprint
# caveat: restrict to netgo.de email, use-case:
# uid ... <...@mehrwerk.net>
# uid ... <...@netgo.de>
fpr="$(gpg --show-keys --list-options show-only-fpr-mbox "${gpgkeyfile}" | grep '@netgo.de' | awk "{print \$1}")"
echo "${fpr}"
}
function fn_extract_uid(){
gpgkeyfile=$1;shift;
# user id
# caveat: restrict to netgo.de email, use-case:
# uid ... <...@mehrwerk.net>
# uid ... <...@netgo.de>
uid="$(gpg --show-keys --with-colons "${gpgkeyfile}" | awk -F':' '$1=="uid" {print $10}' | grep '@netgo.de')"
echo "${uid}"
}
function fn_update_sops_config(){
# sops.yaml doc: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
# CAVEAT: dirty hacks, just get it done. Not DRY, very WET.
echo "# Fingerprint | User Type | User ID"
for gpgkeyfile in *automation*gpg.pub; do
u_type="autom"
echo "# $(fn_extract_fpr "${gpgkeyfile}") | ${u_type} | $(fn_extract_uid "${gpgkeyfile}")"
done
for gpgkeyfile in $(ls *gpg.pub | grep -v automation); do
u_type="human"
echo "# $(fn_extract_fpr "${gpgkeyfile}") | ${u_type} | $(fn_extract_uid "${gpgkeyfile}")"
done
echo "# keys in https://git.dev-at.de/smardigo-hetzner/communication-keys"
cat <<EOM
creation_rules:
# list of keys for encryption in stage
- pgp: >-
EOM
for gpgkeyfile in *automation*gpg.pub; do
echo " $(fn_extract_fpr "${gpgkeyfile}"),"
done
# all but last line get comma
for gpgkeyfile in $(ls *gpg.pub | grep -v automation | sed '$d'); do
echo " $(fn_extract_fpr "${gpgkeyfile}"),"
done
# last line no comma
for gpgkeyfile in $(ls *gpg.pub | grep -v automation | tail -n 1); do
echo " $(fn_extract_fpr "${gpgkeyfile}")"
done
}
# UPDATE SOPS CONFIG
(fn_update_sops_config) > "${sops_config}"
# VERIFY
fn_verify_sops_config(){
sops_enc_file="${1}";shift;
# update keys in mock secret file
# prereq: create a file with a mock secret, src: https://bash-org-archive.com/?244321
test -e mock_secrets.yaml || (yq -n '.demo.credentials.secret = "hunter2"' > mock_secrets.yaml && sops -e -i mock_secrets.yaml )
# "update the keys of SOPS files using the config file"
sops updatekeys mock_secrets.yaml
# dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
GPG_TTY=$(tty) sops -d mock_secrets.yaml
}
fn_verify_sops_config
echo "# SUCESS: all users with keys in this dir should have functional keys"
Reference in New Issue View Git Blame Copy Permalink