From c0dad51c6aa275f4b601c754889db4968ede4c26 Mon Sep 17 00:00:00 2001
From: colin
Date: Mon, 20 Jun 2022 15:22:57 -0700
Subject: [PATCH] add sane script to convert ssh -> sops key
---
 pkgs/sane-scripts/src/bin/sane-unlock-secrets | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100755 pkgs/sane-scripts/src/bin/sane-unlock-secrets
diff --git a/pkgs/sane-scripts/src/bin/sane-unlock-secrets b/pkgs/sane-scripts/src/bin/sane-unlock-secrets
new file mode 100755
index 00000000..a767a346
--- /dev/null
+++ b/pkgs/sane-scripts/src/bin/sane-unlock-secrets
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# unlocks the SOPS store (i.e. populate a SOPS key from the user's SSH key)
+set -ex
+
+mkdir -p ~/.config/sops/age
+
+# unlock the SSH key
+cp ~/.ssh/id_ed25519 ~/.config/sops/age/id_ed25519
+ssh-keygen -p -N "" -f ~/.config/sops/age/id_ed25519
+# convert ssh -> age
+ssh-to-age -private-key -i ~/.config/sops/age/id_ed25519 > ~/.config/sops/age/keys.txt
+chmod 600 ~/.config/sops/age/keys.txt
+
+# remove the unlocked SSH key
+rm ~/.config/sops/age/id_ed25519
+
+# present the pubkey for convenience (e.g. if this sops key is new)
+echo pubkey: $(cat ~/.ssh/id_ed25519.pub | ssh-to-age)
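Review bot: The passphrase-stripped copy at `~/.config/sops/age/id_ed25519` is removed only by the `rm` near the end, so under `set -e` a failure in `ssh-to-age` (or an interrupt after `ssh-keygen -p` succeeds) leaves an unencrypted SSH private key on disk. Registering `trap 'rm -f ~/.config/sops/age/id_ed25519' EXIT` just before the `cp` would cover every exit path. Separately, `keys.txt` is created by the `>` redirection under the process umask and only tightened by the following `chmod 600`, so when the file does not already exist and the umask is the common 022, the age private key is briefly readable by other local users. A `umask 077` right after `set -ex` closes that window and also keeps a newly created `~/.config/sops/age` directory private. As a style point, the last line could be written as `echo "pubkey: $(ssh-to-age < ~/.ssh/id_ed25519.pub)"` to drop the extra `cat` and the unquoted substitution.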