Merge pull request 'feature/sops-preflight' (#13) from feature/sops-preflight into master
Reviewed-on: #13
458ff3d60e
1 changed files with 31 additions and 7 deletions
@ -6,6 +6,7 @@ source deploy/env.sh
|
|||
|
||||
AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$HOME/.config/age/keys.txt}"
|
||||
AGE_RECIPIENT="age1hkehkc2rryjl975c2mg5cghmjr54n4wjshncl292h2eg5l394fhs4uydrh"
|
||||
ENCRYPTED_SECRETS_FILE="${ENCRYPTED_SECRETS_FILE:-$PWD/creds/secrets.enc.env}"
|
||||
|
||||
require_cmd() {
|
||||
local cmd="$1"
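Review bot: The new `ENCRYPTED_SECRETS_FILE` default is anchored to `$PWD`, so the value depends on the directory the caller runs the script from rather than on the script's location; the later decrypt probe is skipped outright when that path does not exist, so a run from the wrong directory passes the preflight without ever exercising the key. If the script is only ever run from the repository root (the `source deploy/env.sh` context suggests so), document that above the assignment, e.g. `# Paths below assume the script is run from the repository root`; otherwise derive the default from the script directory. `require_cmd` begins in this hunk and its body continues past it.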
|
||||
|
|
@ -31,21 +32,44 @@ check_age_setup() {
|
|||
return
|
||||
fi
|
||||
require_cmd sops
|
||||
local repo_age_key="$PWD/creds/age-key.txt"
|
||||
if [[ ! -f "$AGE_KEY_FILE" ]]; then
|
||||
echo "Age key file not found at $AGE_KEY_FILE. Copy creds/age-key.txt or set SOPS_AGE_KEY_FILE." >&2
|
||||
exit 1
|
||||
fi
|
||||
local has_key="0"
|
||||
if command -v age-keygen >/dev/null 2>&1; then
|
||||
if ! age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$AGE_RECIPIENT"; then
|
||||
echo "Age key file at $AGE_KEY_FILE does not contain the expected public key ($AGE_RECIPIENT)." >&2
|
||||
echo "Ensure your ~/.config/age/keys.txt includes the repo key (see creds/age-key.txt)." >&2
|
||||
exit 1
|
||||
if age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$AGE_RECIPIENT"; then
|
||||
has_key="1"
|
||||
fi
|
||||
else
|
||||
# Fallback: best-effort text check for the public key comment
|
||||
if ! grep -q "$AGE_RECIPIENT" "$AGE_KEY_FILE"; then
|
||||
echo "Age key file at $AGE_KEY_FILE is missing the expected public key comment ($AGE_RECIPIENT)." >&2
|
||||
echo "Install age-keygen to verify keys or copy creds/age-key.txt." >&2
|
||||
if grep -q "$AGE_RECIPIENT" "$AGE_KEY_FILE"; then
|
||||
has_key="1"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ "$has_key" != "1" ]]; then
|
||||
echo "Age key file at $AGE_KEY_FILE does not contain the expected public key ($AGE_RECIPIENT)." >&2
|
||||
if [[ -f "$repo_age_key" ]] && grep -q "$AGE_RECIPIENT" "$repo_age_key"; then
|
||||
cat >&2 <<EOF
|
||||
Found the repository age key at $repo_age_key.
|
||||
Import it with:
|
||||
mkdir -p "$(dirname "$AGE_KEY_FILE")"
|
||||
cat "$repo_age_key" >> "$AGE_KEY_FILE"
|
||||
Or set: SOPS_AGE_KEY_FILE="$repo_age_key"
|
||||
EOF
|
||||
else
|
||||
echo "Ensure your ~/.config/age/keys.txt includes the repo key (see creds/age-key.txt)." >&2
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
|
||||
export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$AGE_KEY_FILE}"
|
||||
if [[ -f "$ENCRYPTED_SECRETS_FILE" ]]; then
|
||||
if ! sops -d "$ENCRYPTED_SECRETS_FILE" >/dev/null 2>&1; then
|
||||
echo "sops could not decrypt $ENCRYPTED_SECRETS_FILE with the configured keys." >&2
|
||||
echo "Export SOPS_AGE_KEY_FILE to point at the correct key (e.g., creds/age-key.txt)." >&2
|
||||
exit 1
|
||||
fi
|
||||
fi
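Review bot: The recovery text in the `has_key` branch tells the user to run `cat "$repo_age_key" >> "$AGE_KEY_FILE"`, appending a private age key that lives inside the working tree, and the `age-keygen`-less fallback only greps for the public-key comment, so a file that merely contains `# public key: age1…` passes until the `sops -d` probe, which itself only runs when `$ENCRYPTED_SECRETS_FILE` exists. If `creds/age-key.txt` is tracked in the repository (the message calls it "the repository age key"), anyone with read access to the repo can decrypt `secrets.enc.env`, which makes the encryption cosmetic; if it is gitignored, say so next to `repo_age_key`, e.g. `# creds/age-key.txt is the PRIVATE key and must never be committed`. At minimum the suggested import should not leave the appended key with default permissions: follow the `cat` line in the heredoc with `chmod 600 "$AGE_KEY_FILE"`. `check_age_setup` starts before this hunk and its closing brace lies past the end of it.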
|
||||