Implement sops support, add rekeying script

mikroskeem · Feb 18, 2022 · 6b54e65 · 6b54e65
1 parent 0a24336
commit 6b54e65
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 1 deletion.
diff --git a/common.sh b/common.sh
@@ -4,11 +4,16 @@
 
 default_key_prog="rage"
 
+: "${SOPS_GPG_KEYSERVER:=keys.openpgp.org}"
+export SOPS_GPG_KEYSERVER
+
 propagated_envvars=(
 	PATH
 	ZORG_DEBUG
 	ZORG_SSH_KEY
 	ZORG_USE_BORG_CACHE
+	SOPS_PGP_FP
+	SOPS_GPG_KEYSERVER
 )
 
 decho () {
@@ -66,10 +71,17 @@ _determine_key_prog () {
 
 encrypt_key () {
 	local credsdir="${1}"
-	local key_prog; key_prog="$(_determine_key_prog "${credsdir}")"
+	local key_prog="${2:-}"
+	if [ -z "${key_prog}" ]; then
+		key_prog="$(_determine_key_prog "${credsdir}")"
+	fi
 	if [ -z "${key_prog}" ]; then
 		key_prog="${default_key_prog}"
 	fi
+	if ! [ -x "${scriptdir}/key/${key_prog}" ]; then
+		echo >&2 ">>> Unsupported key program '${key_prog}'"
+		exit 1
+	fi
 
 	"${scriptdir}/key/${key_prog}" encrypt "${credsdir}"
 	echo "${key_prog}" > "${credsdir}/type"
@@ -79,5 +91,10 @@ decrypt_key () {
 	local credsdir="${1}"
 	local key_prog; key_prog="$(_determine_key_prog "${credsdir}")"
 
+	if ! [ -x "${scriptdir}/key/${key_prog}" ]; then
+		echo >&2 ">>> Unsupported key program '${key_prog}'"
+		exit 1
+	fi
+
 	"${scriptdir}/key/${key_prog}" decrypt "${credsdir}"
 }
diff --git a/flake.nix b/flake.nix
@@ -48,6 +48,7 @@
               gnupg
               rage
               shellcheck
+              sops
             ] ++ lib.optionals stdenv.isDarwin [
               zfs-mac
               (sanoid.override {

diff --git a/key/sops b/key/sops
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+action="${1}"
+creds_dir="${2}"
+
+case "${action}" in
+	encrypt)
+		tmp="${creds_dir}/.creds.json.${RANDOM}"
+		cat > "${tmp}"
+		sops --input-type json --in-place --encrypt "${tmp}" </dev/null
+		mv "${tmp}" "${creds_dir}/creds.json"
+		;;
+	decrypt)
+		sops --output-type json --decrypt "${creds_dir}/creds.json" </dev/null
+		;;
+	*)
+		echo >&2 "Unsupported action '${action}'"
+		exit 1
+		;;
+esac
diff --git a/rekey.sh b/rekey.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+scriptdir="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
+source "${scriptdir}/common.sh"
+
+repo="${1}"
+credsdir="$(creds_dir "${repo}")"
+current_type="$(_determine_key_prog "${credsdir}")"
+
+new_credsdir="$(dirname -- "${credsdir}")/.$(basename -- "${credsdir}").${RANDOM}"
+new_type="${2:-"${current_type}"}"
+
+[ -n "${credsdir}" ]
+[ -n "${new_credsdir}" ]
+[ -n "${new_type}" ]
+
+mkdir -p "${new_credsdir}"
+
+cleanup () {
+	if [ -d "${new_credsdir}" ]; then
+		rm -rf "${new_credsdir}"
+	fi
+}
+
+trap 'cleanup' EXIT
+
+decrypt_key "${credsdir}" | encrypt_key "${new_credsdir}" "${new_type}"
+rm -rf "${credsdir}"
+mv "${new_credsdir}" "${credsdir}"