authorIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-07 15:17:30 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-13 00:00:55 +0200
commit282c67a117b7d349b30a96972b050d630f906dec (patch)
tree6686bdc126d5c0bd548cd6286a41be5c8cfdc01f /nixops/scripts/setup
parent97f5a24bc8839328571b23eb5f910de206ddbe1f (diff)
Refactor secrets handling
Diffstat (limited to 'nixops/scripts/setup')
-rwxr-xr-xnixops/scripts/setup12
1 files changed, 5 insertions, 7 deletions
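--- a/nixops/scripts/setup
+++ b/nixops/scripts/setup
@@ -44,23 +44,21 @@ if [ "$(git config --get include.path)" != "../.gitconfig" ]; then
  fi
 fi
 
-gpg_keys=$(pass ls Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
-for key in $gpg_keys; do
- content=$(pass show Nixops/GPGKeys/$key)
- fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
+for key in public_keys/*; do
+ fpr=$(cat "$key" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
  gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
  # /usr/share/doc/gnupg/DETAILS field 2
- (echo "$content" | gpg --import-options show-only --import --with-colons |
+ (cat "$key" | gpg --import-options show-only --import --with-colons |
  grep -E '^pub:' |
  cut -d':' -f2 |
  grep -q '[fu]') && signed=yes || signed=no
  if [ "$signed" = no -o "$imported" = no ] ; then
  echo "The key for $key needs to be imported and signed (a local signature is enough)"
- echo "$content" | gpg --import-options show-only --import
+ cat "$key" | gpg --import-options show-only --import
  echo "Continue? [y/N]"
  read y
  if [ "$y" = "y" -o "$y" = "Y" ]; then
- echo "$content" | gpg --import
+ cat "$key" | gpg --import
  gpg --expert --edit-key "$fpr" lsign quit
  else
  echo "Aborting"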
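Review bot: The new `for key in public_keys/*; do` has no no-match guard, so with an empty or missing `public_keys/` the body runs once with the literal pattern, `cat` fails, `$fpr` is empty and the later `gpg --list-key "$fpr"` / `gpg --expert --edit-key "$fpr" lsign quit` run against an empty key argument; add `[ -f "$key" ] || continue` as the first statement of the loop (or `shopt -s nullglob` before it). On the same added line, `fpr=$(…)` yields one value per `pub` record, so a file holding more than one public key produces a multi-line `$fpr` that reaches `--edit-key` as a single argument; `head -n1`, or rejecting files with more than one key, would make that explicit. Per the DETAILS document the existing comment already cites, field 5 of the `pub` record is the 64-bit key ID, not the full fingerprint (that is field 10 of the `fpr` record), so the local signature is currently applied by key ID; `grep -e '^fpr:' | cut -d':' -f10 | head -n1` would bind the lsign to the full fingerprint. The `cat "$key" | gpg …` pairs on the added lines can be written `gpg … < "$key"`. The loop body continues past the end of the hunk.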