sane-secrets-unlock: work around race condition during system boot
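--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,7 +1,6 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash -p bash -p coreutils-full -p openssh -p ssh-to-age
 # unlocks the SOPS store (i.e. populate a SOPS key from the user's SSH key)
-set -e
 
 if test -f ~/.config/sops/age/keys.txt; then
 exit
@@ -11,15 +10,27 @@ set -x
 
 mkdir -p ~/.config/sops/age
 
-# unlock the SSH key
-cp ~/.ssh/id_ed25519 ~/.config/sops/age/id_ed25519
-ssh-keygen -p -N "" -f ~/.config/sops/age/id_ed25519
-# convert ssh -> age
-ssh-to-age -private-key -i ~/.config/sops/age/id_ed25519 > ~/.config/sops/age/keys.txt
-chmod 600 ~/.config/sops/age/keys.txt
+tryUnlock() {
+# unlock the SSH key
+cp ~/.ssh/id_ed25519 ~/.config/sops/age/id_ed25519
+ssh-keygen -p -N "" -f ~/.config/sops/age/id_ed25519
+# convert ssh -> age
+ssh-to-age -private-key -i ~/.config/sops/age/id_ed25519 > ~/.config/sops/age/keys.txt
+chmod 600 ~/.config/sops/age/keys.txt
+}
 
+# there are some dependencies not properly conveyed within the services which may invoke sane-secrets-unlock.
+# so show some grace if invoked e.g. before ~/.ssh/ symlinks have been created
+tryUnlock \
+|| (sleep 1 && tryUnlock) \
+|| (sleep 1 && tryUnlock) \
+|| (sleep 2 && tryUnlock) \
+|| (sleep 4 && tryUnlock) \
+|| (sleep 4 && tryUnlock) \
+|| (sleep 4 && tryUnlock) \
+
 # remove the unlocked SSH key
-rm ~/.config/sops/age/id_ed25519
+rm -f ~/.config/sops/age/id_ed25519
 
 # present the pubkey for convenience (e.g. if this sops key is new)
 echo pubkey: $(cat ~/.ssh/id_ed25519.pub | ssh-to-age)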
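Review bot: The retry chain added in this hunk never actually retries, because tryUnlock's exit status is that of its last command (`chmod`), which succeeds even when `cp`, `ssh-keygen` and `ssh-to-age` all failed — and the `>` redirection creates an empty `~/.config/sops/age/keys.txt` on that failed first attempt, which the `test -f` guard at the top of the script then treats as "already unlocked" on every later run. With `set -e` dropped in the first hunk there is nothing else that stops the function after a failed step, so the race this commit targets is not closed. Each step should return on failure, and the age key should be written to a temporary path that is only moved into place once the conversion succeeded, as in the rewrite below. Separately, the passphrase-stripped copy of the SSH key is only removed after the whole chain, so if the script is killed during one of the sleeps it stays on disk; `trap 'rm -f ~/.config/sops/age/id_ed25519' EXIT` placed before the first attempt would close that window. The script's own exit status is that of the final `echo`, so a caller cannot tell that the unlock failed — consider ending the chain with `|| exit 1` (the EXIT trap still removes the key copy).
```shell
tryUnlock() {
  # every step must succeed, otherwise report failure so the retry chain can try again
  cp ~/.ssh/id_ed25519 ~/.config/sops/age/id_ed25519 || return 1
  ssh-keygen -p -N "" -f ~/.config/sops/age/id_ed25519 || return 1
  # convert ssh -> age into a temp file first: a failed conversion must not leave
  # an (empty) keys.txt behind, since its mere existence short-circuits future runs
  ssh-to-age -private-key -i ~/.config/sops/age/id_ed25519 > ~/.config/sops/age/keys.txt.tmp || return 1
  chmod 600 ~/.config/sops/age/keys.txt.tmp || return 1
  mv ~/.config/sops/age/keys.txt.tmp ~/.config/sops/age/keys.txt
}
# … unchanged: retry chain, key-copy removal, pubkey echo …
```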