sane-scripts.private-unlock-remote: init

2024-07-26 20:16:12 +00:00
parent 91263b9dcf
commit 0f084b19f1
2 changed files with 19 additions and 0 deletions


@@ -138,6 +138,11 @@ let
srcRoot = ./src;
pkgs = [ "util-linux.mount" ];
};
private-unlock-remote = static-nix-shell.mkBash {
pname = "sane-private-unlock-remote";
srcRoot = ./src;
pkgs = [ "openssh" "sane-scripts.secrets-dump" ];
};
rcp = static-nix-shell.mkBash {
pname = "sane-rcp";
srcRoot = ./src;


@@ -0,0 +1,14 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash -p openssh -p sane-scripts.secrets-dump
# unlock a remote private store by dropping the password in a discoverable place.
# this only works if our own private store has been unlocked and this machine has access to the relevant secret.
set -xeu
host=$1
passwd=$(sane-secrets-dump --field password "$host")
test -n "$passwd"
echo "$passwd" | ssh "$host" 'if ! test -f /mnt/persist/private/init; then cat /dev/stdin > /run/gocryptfs/private.key; fi'
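Review bot: The `set -xeu` line turns on command tracing, so bash writes the expanded `passwd=...` assignment and the `echo` carrying the secret to stderr, where it ends up in terminal scrollback or any log that captures the script's output. Use `set -eu` instead, or bracket the two secret-handling lines with `set +x`. The remote redirect creates `/run/gocryptfs/private.key` under the remote shell's default umask; the permissions of `/run/gocryptfs` are not visible on this page, so prefixing the remote command with `umask 077;` would be a cheap safeguard. `printf '%s\n' "$passwd"` is also more robust than `echo` for a password that happens to begin with `-n` or `-e`.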