From 0f084b19f124a03203e11cba6e053733a7f7582c Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 26 Jul 2024 20:16:12 +0000
Subject: [PATCH] sane-scripts.private-unlock-remote: init

---
 pkgs/additional/sane-scripts/default.nix | 5 +++++
 .../sane-scripts/src/sane-private-unlock-remote | 14 ++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100755 pkgs/additional/sane-scripts/src/sane-private-unlock-remote

diff --git a/pkgs/additional/sane-scripts/default.nix b/pkgs/additional/sane-scripts/default.nix
index 54ee13050..8ce696712 100644
--- a/pkgs/additional/sane-scripts/default.nix
+++ b/pkgs/additional/sane-scripts/default.nix
@@ -138,6 +138,11 @@ let
     srcRoot = ./src;
     pkgs = [ "util-linux.mount" ];
   };
+  private-unlock-remote = static-nix-shell.mkBash {
+    pname = "sane-private-unlock-remote";
+    srcRoot = ./src;
+    pkgs = [ "openssh" "sane-scripts.secrets-dump" ];
+  };
   rcp = static-nix-shell.mkBash {
     pname = "sane-rcp";
     srcRoot = ./src;
diff --git a/pkgs/additional/sane-scripts/src/sane-private-unlock-remote b/pkgs/additional/sane-scripts/src/sane-private-unlock-remote
new file mode 100755
index 000000000..a333356f8
--- /dev/null
+++ b/pkgs/additional/sane-scripts/src/sane-private-unlock-remote
@@ -0,0 +1,14 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash -p openssh -p sane-scripts.secrets-dump
+
+# unlock a remote private store by dropping the password in a discoverable place.
+# this only works if our own private store has been unlocked and this machine has access to the relevant secret.
+
+set -xeu
+
+host=$1
+passwd=$(sane-secrets-dump --field password "$host")
+
+test -n "$passwd"
+
+echo "$passwd" | ssh "$host" 'if ! test -f /mnt/persist/private/init; then cat /dev/stdin > /run/gocryptfs/private.key; fi'
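Review bot: `set -xeu` in the new sane-private-unlock-remote script traces every command, so the `passwd=$(sane-secrets-dump ...)` assignment and the later `echo "$passwd" | ssh ...` print the plaintext password on stderr, where it ends up in terminal scrollback or in any journal/log that captures the run; `set -eu` (or `set +x` around the two lines that touch the secret) avoids that. On the remote side `cat /dev/stdin > /run/gocryptfs/private.key` creates the key file under whatever umask the login shell happens to have, so I would prefix the remote command with `umask 077;` so the file is never group- or world-readable even briefly. `echo "$passwd"` can also mangle a secret that begins with `-n`/`-e` or contains backslashes; `printf '%s\n' "$passwd" | ssh -- "$host" 'umask 077; if ! test -f /mnt/persist/private/init; then cat /dev/stdin > /run/gocryptfs/private.key; fi'` is the safer form, and the `--` keeps a `$1` that starts with a dash from being parsed as an ssh option. Whether the consumer of private.key tolerates the trailing newline that echo/printf append is not visible from this patch.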