#!/bin/bash
#
# Wrapper for hiera-eyaml.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see
# <https://www.gnu.org/licenses/>.
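# Usage: hydra <keyring> <basename> <node> [eyaml action] [eyaml opts...]
#
# Reads:  APP_BASE, HYDRA, HYDRA_FOLDER (set by the hydra entry point / config)
# Writes: per-node (or domain-wide) eyaml keypair under $HYDRA_FOLDER/puppet/keys
#         and its keyringer-encrypted copy under $HYDRA_FOLDER/keyring/keys

# Load
source "$APP_BASE/lib/hydra/functions" || exit 1
hydra_config_load

# Parameters
BASENAME="${0##*/}"
NODE="$1"
ACTION="$2"

# Check for node. Done before anything is derived from it, so we never call
# hydra_get_fqdn_from_nodename with an empty argument or install packages just
# to print a usage message.
if [[ -z "$NODE" ]]; then
  echo "usage: hydra $HYDRA $BASENAME [opts]"
  echo ""
  echo "examples:"
  echo ""
  printf '\thydra %s %s encrypt -p -l my::hiera::param\n' "$HYDRA" "$BASENAME"
  printf '\thydra %s %s decrypt --stdin\n' "$HYDRA" "$BASENAME"
  exit 1
fi

FQDN="$(hydra_get_fqdn_from_nodename "$NODE")"
DOMAIN="${FQDN#*.}"   # everything after the first label (same as `cut -d . -f 2-`)
shift                 # "$@" is now: ACTION followed by any eyaml options

# Check for eyaml
hydra_install_package hiera-eyaml

# Ensure keystore exists
mkdir -p "$HYDRA_FOLDER/puppet/keys/$FQDN/eyaml"

# Set pub and privkey paths (per-node layout by default)
PRIV="$HYDRA_FOLDER/puppet/keys/$FQDN/eyaml/private_key.pkcs7.pem"
PUB="$HYDRA_FOLDER/puppet/keys/$FQDN/eyaml/public_key.pkcs7.pem"
PRIV_CRYPT="nodes/$FQDN/eyaml/private_key.pkcs7.pem.asc"
PUB_CRYPT="nodes/$FQDN/eyaml/public_key.pkcs7.pem"

# Test for single-key setup: a domain-wide key exists in keyringer and no
# per-node symlink has been put in place.
if [[ -e "$HYDRA_FOLDER/keyring/keys/domains/$DOMAIN/eyaml/private_key.pkcs7.pem.asc" \
      && ! -h "$HYDRA_FOLDER/puppet/keys/private_key.pkcs7.pem" ]]; then
  PRIV="$HYDRA_FOLDER/puppet/keys/private_key.pkcs7.pem"
  PUB="$HYDRA_FOLDER/puppet/keys/public_key.pkcs7.pem"
  PRIV_CRYPT="domains/$DOMAIN/eyaml/private_key.pkcs7.pem"
  PUB_CRYPT="domains/$DOMAIN/eyaml/public_key.pkcs7.pem"
fi

# Then set eyaml args. An array keeps each path a single word even if
# $HYDRA_FOLDER contains spaces.
EYAML_ARGS=(--pkcs7-private-key "$PRIV" --pkcs7-public-key "$PUB")

# Generate keypair if needed
if [[ ! -e "$PRIV" ]]; then
  # NOTE(review): PRIV_CRYPT carries a trailing ".asc" in the per-node case but
  # not in the domain case, while this test appends ".asc" to both -- confirm
  # against keyringer's file naming which form is intended.
  if [[ -e "$HYDRA_FOLDER/keyring/keys/$PRIV_CRYPT.asc" ]]; then
    echo "Getting eyaml keys for $FQDN from keyringer..."
    # Write the private key under a restrictive umask so it is never created
    # world-readable, and never leave an empty file behind on failure: an
    # empty $PRIV would satisfy the "-e" test above on the next run and the
    # key would silently never be fetched again.
    if ! ( umask 077; keyringer "$HYDRA" decrypt "$PRIV_CRYPT" > "$PRIV" ); then
      rm -f -- "$PRIV"
      echo "error: could not decrypt $PRIV_CRYPT from keyringer" >&2
      exit 1
    fi
    if ! keyringer "$HYDRA" decrypt "$PUB_CRYPT" > "$PUB"; then
      rm -f -- "$PUB"
      echo "error: could not decrypt $PUB_CRYPT from keyringer" >&2
      exit 1
    fi
  else
    echo "Generating eyaml keys for $FQDN..."
    eyaml createkeys "${EYAML_ARGS[@]}" || exit 1
    # Keep the private key readable by the owner only, whatever eyaml chose.
    chmod 600 "$PRIV"
    echo "Saving generated keys into keyringer..."
    # A failed encrypt would leave the only copy of the key on this machine,
    # and the next run would not retry because $PRIV now exists.
    keyringer "$HYDRA" encrypt "$PRIV_CRYPT" "$PRIV" \
      || { echo "error: could not store $PRIV in keyringer (local copy kept at $PRIV)" >&2; exit 1; }
    keyringer "$HYDRA" encrypt "$PUB_CRYPT" "$PUB" \
      || { echo "error: could not store $PUB in keyringer" >&2; exit 1; }
  fi
fi

# Now call eyaml directly, passing the action and options through verbatim.
if [[ -n "$ACTION" ]]; then
  eyaml "$@" "${EYAML_ARGS[@]}"
fi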