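#!/bin/bash
#
# Create keys for new nodes.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see
# <https://www.gnu.org/licenses/>.

#######################################
# Generate SSH, OpenPGP and (legacy) Borg key material for nodes.
#
# The OpenPGP keys still have to be imported manually on the nodes.
#
# Globals:   HYDRA, HYDRA_FOLDER (read); calls hydra,
#            hydra_get_fqdn_from_nodename and hydra_genpairs
# Arguments: $1 - which keys to generate:
#                   "new"     (default) only the key types whose file does
#                             not exist in the keyring yet
#                   "all"     regenerate ssh and openpgp keys
#                   "ssh", "openpgp", "borg"  regenerate that one type
#            $2… - node names; when absent, every node listed by
#                  "hydra $HYDRA nodes"
# Returns:   0 on success; 1 when $1 is not one of the selectors above
#            (no node is touched in that case)
#######################################
function hydra_newkeys {
  local which="${1:-new}"
  local nodes node sshkey gpgkey borgkey

  if [ -n "$2" ]; then
    shift
    nodes="$*"
  else
    # $HYDRA is deliberately left unquoted, as everywhere else in this file.
    nodes="$(hydra $HYDRA nodes)"
  fi

  # Validate the selector before doing anything. The previous version tested
  # an unset variable ($borg instead of $borgkey) in its last branch, so any
  # unrecognised selector silently regenerated the node's borg key.
  case "$which" in
    new|all|ssh|openpgp|borg) ;;
    *)
      echo "hydra_newkeys: unknown key type '$which' (expected new, all, ssh, openpgp or borg)" >&2
      return 1
      ;;
  esac

  # Word-splitting on $nodes is intended: it is a whitespace separated list.
  for node in $nodes; do
    node="$(hydra_get_fqdn_from_nodename "$node")"
    sshkey="$HYDRA_FOLDER/keyring/keys/nodes/$node/ssh/id_rsa.asc"
    gpgkey="$HYDRA_FOLDER/keyring/keys/nodes/$node/gpg/key.asc"
    borgkey="$HYDRA_FOLDER/keyring/keys/nodes/$node/borg/key.asc"

    # Ensure we have eyaml keys for the node's secret config.
    hydra $HYDRA eyaml "$node"

    case "$which" in
      all)
        # Borg keys are not regenerated here; see the deprecation note on
        # hydra_newkeys_borg below.
        hydra_genpairs ssh "$node"
        hydra_genpairs openpgp "$node"
        ;;
      new)
        [ -e "$sshkey" ]  || hydra_genpairs ssh "$node"
        [ -e "$gpgkey" ]  || hydra_genpairs openpgp "$node"
        [ -e "$borgkey" ] || hydra_genpairs borg "$node"
        ;;
      ssh|openpgp|borg)
        # Always go through hydra_genpairs so the result is committed and
        # pushed to the keyring, like the other key types.
        hydra_genpairs "$which" "$node"
        ;;
    esac
  done
}

# Borg does not support using pre-generated keys anymore (as of 2024-05-16).
#
# This code is therefore deprecated, but will stay here for a while, as maybe
# in the long term borg starts to support this again.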
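#
# Check also https://github.com/borgbackup/borg/issues/7047
# https://borgbackup.readthedocs.io/en/latest/faq.html#how-important-is-the-home-config-borg-directory

#######################################
# Generate a Borg keyfile for a node and store it in the keyring (legacy).
#
# A random passphrase is generated with keyringer, "borg init" is run against a
# throw-away repository so that borg writes a keyfile, the keyfile is encrypted
# into the keyring and, when the node has a secret eyaml config, the passphrase
# is appended to it.
#
# Globals:   HYDRA, HYDRA_FOLDER (read); TMPWORK (expected to be set by
#            hydra_set_tmpfile); BORG_PASSPHRASE, BORG_CONFIG_DIR and
#            BORG_KEY_FILE are exported for borg and unset again before
#            returning, so the passphrase does not leak into the environment
#            of later commands (git push, keyringer, ...)
# Arguments: $1 - node FQDN
# Returns:   0 on success; 1 when no node was given, no working folder is
#            available, the passphrase could not be read back, or borg did
#            not produce a keyfile. Nothing is written to the keyring on
#            failure.
#######################################
function hydra_newkeys_borg {
  local node="$1"
  local password secrets rc=0

  if [ -z "$node" ]; then
    echo "hydra_newkeys_borg: no node given" >&2
    return 1
  fi

  # borg(1) is needed to produce the keyfile.
  hydra_install_package borgbackup

  # Working folder for the throw-away repository and its keyfile.
  hydra_set_tmpfile hydra.newkeys.borg -d
  if [ -z "$TMPWORK" ] || [ ! -d "$TMPWORK" ]; then
    echo "hydra_newkeys_borg: no working folder available (TMPWORK unset)" >&2
    return 1
  fi
  mkdir -p "$TMPWORK/keys"

  # Generate the passphrase and read it back. BORG_PASSCOMMAND would avoid
  # exporting the secret at all, but it is only supported by recent borg
  # versions, so the passphrase is passed through BORG_PASSPHRASE instead.
  keyringer $HYDRA pwgen "nodes/$node/borg/key.passwd"
  password="$(keyringer $HYDRA decrypt "nodes/$node/borg/key.passwd" 2> /dev/null)"

  if [ -z "$password" ]; then
    # The previous version went ahead here and produced a keyfile protected
    # by an empty passphrase whenever the decrypt step failed.
    echo "hydra_newkeys_borg: could not read the borg passphrase for $node back from the keyring" >&2
    rc=1
  else
    export BORG_PASSPHRASE="$password"
    export BORG_CONFIG_DIR="$TMPWORK"
    export BORG_KEY_FILE="$TMPWORK/keys/key"

    # Create the keyfile; borg init failing or not writing the keyfile must
    # not result in an empty key being committed to the keyring.
    if borg init --encryption=keyfile "$TMPWORK/repo" && [ -s "$BORG_KEY_FILE" ]; then
      keyringer $HYDRA encrypt "nodes/$node/borg/key" < "$BORG_KEY_FILE"

      secrets="$HYDRA_FOLDER/puppet/config/secrets/node/$node.yaml"
      if [ -e "$secrets" ]; then
        # Add the Borg passphrase into the secret node config. printf is used
        # so that no trailing newline becomes part of the password.
        printf '%s' "$password" | hydra $HYDRA eyaml "$node" encrypt --stdin -o block -q -l nodo::subsystem::backup::borg::password >> "$secrets"
      fi
    else
      echo "hydra_newkeys_borg: borg init failed or produced no keyfile for $node" >&2
      rc=1
    fi
  fi

  # Do not leave the passphrase or the borg paths in the environment.
  unset BORG_PASSPHRASE BORG_CONFIG_DIR BORG_KEY_FILE
  password=""

  # Cleanup. Note that wipe(1) cannot guarantee the plaintext keyfile is
  # unrecoverable on journaling filesystems or SSDs; a tmpfs or an encrypted
  # volume for TMPWORK is the only reliable protection.
  if command -v wipe &> /dev/null; then
    wipe -rf "$TMPWORK"
  else
    rm -rf "${TMPWORK:?}"
  fi

  return "$rc"
}

#######################################
# Generate one key pair for a node, store it in the keyring and push it.
#
# Globals:   HYDRA, HYDRA_FOLDER, TMPWORK (read); BASEDIR is set to /tmp as
#            in the original script (not read here — presumably used by a
#            sourced helper; verify before removing)
# Arguments: $1 - key type: "ssh", "openpgp" or "borg"
#            $2 - node FQDN
# Returns:   0 on success; 1 for an unknown key type or a failed borg key
#            generation (nothing is committed in those cases)
#######################################
function hydra_genpairs {
  BASEDIR="/tmp"
  local which="$1"
  local node="$2"
  local secrets="$HYDRA_FOLDER/puppet/config/secrets/node/$node.yaml"
  local keyid password

  case "$which" in
    openpgp)
      keyringer $HYDRA genpair gpg "nodes/$node/gpg/key" "$node"

      if [ -e "$secrets" ]; then
        # Add the OpenPGP key ID into the secret node config.
        keyid="$(keyringer $HYDRA decrypt "nodes/$node/gpg/key.pub" 2> /dev/null | gpg --with-colons 2> /dev/null | grep '^pub:' | cut -d : -f 5)"
        if [ -z "$keyid" ]; then
          # Writing encryptkey: '' would point the node at no key at all.
          echo "hydra_genpairs: could not determine the OpenPGP key ID for $node; not adding it to $secrets" >&2
        else
          echo "nodo::subsystem::backup::encryptkey: '$keyid'" >> "$secrets"
        fi

        # Add the OpenPGP passphrase into the secret node config. keyringer's
        # output cannot be piped straight into hiera-eyaml, otherwise the
        # trailing newline becomes part of the password; hence the variable
        # and printf without a newline.
        password="$(keyringer $HYDRA decrypt "nodes/$node/gpg/key.passwd")"
        if [ -z "$password" ]; then
          echo "hydra_genpairs: could not read the OpenPGP passphrase for $node; not adding it to $secrets" >&2
        else
          printf '%s' "$password" | hydra $HYDRA eyaml "$node" encrypt --stdin -o block -q -l nodo::subsystem::backup::password >> "$secrets"
        fi
        password=""
      fi
      ;;
    ssh)
      keyringer $HYDRA genpair ssh "nodes/$node/ssh/id_rsa" "$node"
      ;;
    borg)
      hydra_newkeys_borg "$node" || return 1
      ;;
    *)
      echo "hydra_genpairs: unknown key type '$which' (expected ssh, openpgp or borg)" >&2
      return 1
      ;;
  esac

  # Commit and push the new material to the keyring repository.
  hydra_set_tmpfile genpair
  echo "Importing $which keys for $node" > "$TMPWORK"
  keyringer $HYDRA git commit -F "$TMPWORK"
  keyringer $HYDRA git push
  hydra_unset_tmpfile "$TMPWORK"
}

# Load.
source "$APP_BASE/lib/hydra/functions" || exit 1
hydra_config_load

# Check for keyringer.
if ! command -v keyringer &> /dev/null; then
  hydra_install_package keyringer
fi

# Pass the arguments through unchanged (no re-splitting).
hydra_newkeys "$@"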