From bf81ecbd279a0d641dbc80c9026b0e198e49344d Mon Sep 17 00:00:00 2001
From: Joey Hafner
Date: Thu, 15 Aug 2024 16:14:07 -0700
Subject: [PATCH] #3 Init working encrypt-filter and testsecret. TODO: Test decrypt-filter, write setup script

---
 homelab/.sops/decrypt-filter.sh | 13 ++++++-------
 homelab/.sops/encrypt-filter.sh | 14 +++++++-------
 homelab/fighter/testsecret.env | 9 +++++++++
 3 files changed, 22 insertions(+), 14 deletions(-)
 create mode 100644 homelab/fighter/testsecret.env

diff --git a/homelab/.sops/decrypt-filter.sh b/homelab/.sops/decrypt-filter.sh
index f793bed1..85fe4d7a 100755
--- a/homelab/.sops/decrypt-filter.sh
+++ b/homelab/.sops/decrypt-filter.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
-# Takes one file path as input
-# Outputs to a new file with `.enc` stripped from the end
-
-# if [ "$#" -ne 1 ]; then
-# echo "Usage: $0 "
-# exit 1
-# fi
+# Takes file path from stdin
+# Outputs to stdout
 
+# Set age key file path
+# If no private key exists at the expected location,
+# Create the key file at the expected location
 SOPS_AGE_KEY_FILE=$HOME/.age/key
 if [[ -f $SOPS_AGE_KEY_FILE ]]; then
   export SOPS_AGE_KEY_FILE=$HOME/.age/key
+  age-keygen -o $SOPS_AGE_KEY_FILE
 fi
 
 # Set age directory and default recipients
diff --git a/homelab/.sops/encrypt-filter.sh b/homelab/.sops/encrypt-filter.sh
index cf8e799b..d709d7da 100755
--- a/homelab/.sops/encrypt-filter.sh
+++ b/homelab/.sops/encrypt-filter.sh
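Review bot: The added `age-keygen -o $SOPS_AGE_KEY_FILE` sits inside `if [[ -f $SOPS_AGE_KEY_FILE ]]`, so it runs only when the key file already exists — the opposite of what the new comment above it says — and when the key is missing the script neither creates one nor exports `SOPS_AGE_KEY_FILE` (age-keygen should refuse to overwrite an existing output file, so the present key is probably safe, but the branch is still inverted). Negate the test, `if [[ ! -f "$SOPS_AGE_KEY_FILE" ]]; then`, keep `age-keygen -o "$SOPS_AGE_KEY_FILE"` inside it, and move `export SOPS_AGE_KEY_FILE` above the `if` so the variable reaches sops in both cases; `$HOME/.age` also has to exist before age-keygen can write there. Even with the branch fixed, minting a key on the decrypt path deserves a second look: a key created here was never a recipient of the already-committed secrets, so decryption still fails, only later and with a less obvious error, and failing here with a message pointing at the setup script the commit message promises would be clearer. The script continues past the hunk.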
@@ -1,17 +1,17 @@
 #!/bin/bash
-# Takes input on stdin
+# Takes file path from stdin
 # Outputs to stdout
 
 # Set age directory and default recipients
 AGE_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
 SOPS_AGE_RECIPIENTS="$(<$AGE_DIR/.age-author-pubkeys)"
+FILE_PATH=$(realpath $1)
 
-# Get host to which input file belongs
-FILE_PATH=$1
-HOST_AGE_PUBKEY="$AGE_DIR/../$(realpath -m --relative-to=$AGE_DIR $FILE_PATH | cut -d'/' -f2)/.age-pubkey"
-
-if [[ -f $HOST_AGE_PUBKEY ]]; then
+# Check for host pubkey, add as recipient if present
+if [[ -f "$AGE_DIR/../$(realpath -m --relative-to=$AGE_DIR $FILE_PATH | cut -d'/' -f2)/.age-pubkey" ]]; then
+  HOST_AGE_PUBKEY=$AGE_DIR/../$(realpath -m --relative-to=$AGE_DIR $FILE_PATH | cut -d'/' -f2)/.age-pubkey
+  HOST_AGE_PUBKEY=$(realpath $HOST_AGE_PUBKEY)
   SOPS_AGE_RECIPIENTS="$SOPS_AGE_RECIPIENTS,$(<$HOST_AGE_PUBKEY)"
 fi
 
-sops --encrypt --age ${SOPS_AGE_RECIPIENTS} /dev/fd/3
\ No newline at end of file
+sops --encrypt --age ${SOPS_AGE_RECIPIENTS} $1
\ No newline at end of file
diff --git a/homelab/fighter/testsecret.env b/homelab/fighter/testsecret.env
new file mode 100644
index 00000000..9d8e61f0
--- /dev/null
+++ b/homelab/fighter/testsecret.env
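Review bot: The new header says the path comes from stdin, but the hunk reads it from `$1` (`FILE_PATH=$(realpath $1)`) and hands `$1` straight to sops, and every expansion of `$1`, `$FILE_PATH` and `$HOST_AGE_PUBKEY` is unquoted, so a path containing whitespace splits and the host-key lookup silently degrades to the author recipients only. The `realpath … | cut -d'/' -f2` pipeline is also run twice (once inside the `[[ -f … ]]` test, again in the assignment); computing the host directory once and testing the stored path removes the duplication, and `${SOPS_AGE_RECIPIENTS}` should be quoted in the sops call as well. If this script is installed as a git clean filter, keep in mind that git supplies the content on stdin and only the path via `%f`, so encrypting the on-disk `$1` rather than the stream can diverge from what git is actually staging (partial adds, stash) — the old `/dev/fd/3` form was at least stream-based; if that is the intended use, feed stdin to sops with `--input-type`/`--output-type` chosen from the file's type instead. Rewrite of the path handling below.

```shell
# … unchanged: shebang, header comment, AGE_DIR and author recipients …
FILE_PATH=$(realpath -- "$1")

# Check for host pubkey, add as recipient if present
HOST_DIR=$(realpath -m --relative-to="$AGE_DIR" "$FILE_PATH" | cut -d'/' -f2)
HOST_AGE_PUBKEY="$AGE_DIR/../$HOST_DIR/.age-pubkey"
if [[ -f "$HOST_AGE_PUBKEY" ]]; then
  SOPS_AGE_RECIPIENTS="$SOPS_AGE_RECIPIENTS,$(<"$HOST_AGE_PUBKEY")"
fi

sops --encrypt --age "${SOPS_AGE_RECIPIENTS}" "$1"
```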
@@ -0,0 +1,9 @@
+MYSECRET=ENC[AES256_GCM,data:fNAgaJQhUYK+bIKbFQHZ9dvhIBAlGgcAdLrBUJAdne1u46Kq7v6j983XJV9d+2sq,iv:mCuuf0smlkL3/K2oHv88qjsL6uwt5DTXXgVDmHajTcI=,tag:zjAkW6lfKVyOZ/I0ViHEyg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvK1F1RFVjemtJdzVZdS96\nTVppM1BESE9JZHRsWTdPenlnbHA0TGZ6QVVJCldDNlRrYytUUVNCUUdXaU4rdytS\neURqWnJJUVJzUDJQZml1SDhzN0VjUkEKLS0tIHlGR2VLemJrUVRCdXNyOCtOM2dq\nMXJ1TzFSSGloMEQrQ2xoMEQzUlg4a2MKhD7eosNdYBnKwsT89fUdsi0k2aHuv/6a\nhfJBjed/Bu+PgVA6owlmEQwpetL4WG9BRRCzVL9Yg5d1P+nAs11rwA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4S3RsUlVHUlZ0UkpJQVJS\nMldaSlcxejJFVEdjbVJhb2NTOHBEUnkyL0NZClRmMVpxb1VGQWg5RFpPOC9HWDlK\nTGNRRDBVZjZiU0tPRzhEbWF2d0VDOVkKLS0tIFoxYTVLQ1R2L3F6ckp5dVFtdjdK\neHkzZGdpcUl0MllnempkM1ExeGtSUlkK8uCcH3a8c8EHh2vb08czG5k2WsXFAIGb\nbQrtjqAcdJJ2HG7WUMhQdtFpnxZHjfu+BLgLdogcIYHZH2J6mmMsJw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855
+sops_lastmodified=2024-08-15T23:13:08Z
+sops_mac=ENC[AES256_GCM,data:93KiNX13U3O04oxPFsTsNzlSHnakBw2umncaVhLpq7FMBxrFpGFMQSYq29qW+kkMWW+ySY9JtCgNGthzoMQIThn0vWVIN7Ko633boqRo1Du0uZvBSqH0YgJmXRe3yfMvl2VgKWI2cnijyGv8RnJQEW9KDb3huzSI45ABdunXnqQ=,iv:iUIYk4b67U+r131gKuIQouFy6JdpQiNejFfx5LodcXg=,tag:nYyvV6kQ6dE8iBwVXLSxdQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.9.0