81 lines
2.8 KiB
Bash
Executable file
81 lines
2.8 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
cd "${root}"
|
|
|
|
in_file="${1:-secrets/token.txt}"
|
|
out_file="${2:-secrets/codeberg-token.age}"
|
|
|
|
rules_file="${EVERY_CHANNEL_AGE_RULES_FILE:-${root}/secrets.nix}"
|
|
identity_file="${EVERY_CHANNEL_AGE_IDENTITY_FILE:-$HOME/.config/every.channel/keys/founder_ed25519}"
|
|
|
|
if [[ ! -f "${in_file}" ]]; then
|
|
echo "error: input file not found: ${in_file}" >&2
|
|
exit 2
|
|
fi
|
|
if [[ ! -f "${rules_file}" ]]; then
|
|
echo "error: agenix RULES file not found: ${rules_file}" >&2
|
|
exit 2
|
|
fi
|
|
if [[ ! -f "${identity_file}" ]]; then
|
|
echo "error: agenix identity file not found: ${identity_file}" >&2
|
|
exit 2
|
|
fi
|
|
|
|
if ! command -v agenix >/dev/null 2>&1; then
|
|
echo "error: agenix not found in PATH (run: nix develop)" >&2
|
|
exit 2
|
|
fi
|
|
if ! command -v ssh-keygen >/dev/null 2>&1; then
|
|
echo "error: ssh-keygen not found in PATH" >&2
|
|
exit 2
|
|
fi
|
|
|
|
# Verify that the configured identity corresponds to the recipient in secrets.nix.
|
|
founder_key="$(
|
|
sed -nE 's/^[[:space:]]*founder[[:space:]]*=[[:space:]]*"([^"]+)".*/\\1/p' secrets.nix | head -n 1
|
|
)"
|
|
if [[ -z "${founder_key}" ]]; then
|
|
echo "error: could not parse founder key from secrets.nix" >&2
|
|
exit 2
|
|
fi
|
|
|
|
if ! grep -q "\"${out_file}\"" "${rules_file}"; then
|
|
echo "error: no rule for ${out_file} in ${rules_file}" >&2
|
|
echo "hint: add it to secrets.nix or pass a different output path" >&2
|
|
exit 2
|
|
fi
|
|
|
|
priv_line="$(ssh-keygen -y -f "${identity_file}" 2>/dev/null || true)"
|
|
if [[ -z "${priv_line}" ]]; then
|
|
echo "error: unable to derive public key from identity file: ${identity_file}" >&2
|
|
echo "hint: if the key is passphrase-protected, run an interactive shell or provide a different identity" >&2
|
|
exit 2
|
|
fi
|
|
priv_pub="$(printf '%s\n' "${priv_line}" | cut -d' ' -f1-2)"
|
|
founder_pub="$(printf '%s\n' "${founder_key}" | cut -d' ' -f1-2)"
|
|
if [[ "${priv_pub}" != "${founder_pub}" ]]; then
|
|
echo "error: identity public key does not match secrets recipient" >&2
|
|
echo "identity_file: ${identity_file}" >&2
|
|
echo "identity_pub: ${priv_pub}" >&2
|
|
echo "recipient_pub: ${founder_pub}" >&2
|
|
echo "hint: set EVERY_CHANNEL_AGE_IDENTITY_FILE to the correct private key path" >&2
|
|
exit 2
|
|
fi
|
|
|
|
tmp_dec="$(mktemp "${TMPDIR:-/tmp}/ec-agenix-dec.XXXXXX")"
|
|
trap 'rm -f "${tmp_dec}"' EXIT
|
|
|
|
# Encrypt: non-interactive mode reads plaintext from stdin.
|
|
RULES="${rules_file}" cat "${in_file}" | agenix -e "${out_file}" -i "${identity_file}" >/dev/null
|
|
|
|
# Decrypt and verify byte-for-byte equality.
|
|
RULES="${rules_file}" agenix -d "${out_file}" -i "${identity_file}" > "${tmp_dec}"
|
|
if ! cmp -s "${tmp_dec}" "${in_file}"; then
|
|
echo "error: verification failed: decrypted secret does not match input file" >&2
|
|
exit 2
|
|
fi
|
|
|
|
rm -f "${in_file}"
|
|
echo "ok: wrote ${out_file} and removed ${in_file} after verification"
|