sane-scripts: port sane-secrets-* to nix-shell
This commit is contained in:
parent
af4cfc29b1
commit
c8d5411462
|
@ -35,7 +35,6 @@ let
|
|||
inetutils
|
||||
iwd
|
||||
jq
|
||||
oath-toolkit
|
||||
openssh
|
||||
openssl
|
||||
nix-shell-scripts.ip-check
|
||||
|
@ -77,7 +76,6 @@ let
|
|||
"cannot:${gocryptfs}/bin/gocryptfs"
|
||||
"cannot:${ifuse}/bin/ifuse"
|
||||
"cannot:${iwd}/bin/iwctl"
|
||||
"cannot:${oath-toolkit}/bin/oathtool"
|
||||
"cannot:${openssh}/bin/ssh-keygen"
|
||||
"cannot:${rmlint}/bin/rmlint"
|
||||
"cannot:${rsync}/bin/rsync"
|
||||
|
@ -238,6 +236,21 @@ let
|
|||
pname = "sane-reclaim-boot-space";
|
||||
src = ./src;
|
||||
};
|
||||
secrets-dump = static-nix-shell.mkBash {
|
||||
pname = "sane-secrets-dump";
|
||||
src = ./src;
|
||||
pkgs = [ "gnugrep" "sops" "oath-toolkit" ];
|
||||
};
|
||||
secrets-unlock = static-nix-shell.mkBash {
|
||||
pname = "sane-secrets-unlock";
|
||||
src = ./src;
|
||||
pkgs = [ "coreutils-full" "openssh" "ssh-to-age" ];
|
||||
};
|
||||
secrets-update-keys = static-nix-shell.mkBash {
|
||||
pname = "sane-secrets-update-keys";
|
||||
src = ./src;
|
||||
pkgs = [ "coreutils-full" "findutils" "sops" ];
|
||||
};
|
||||
};
|
||||
in
|
||||
symlinkJoin {
|
||||
|
|
|
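Review bot: The `pkgs` list of each new `static-nix-shell.mkBash` call (`secrets-dump`, `secrets-unlock`, `secrets-update-keys`) repeats the `-p` list of the matching script's `#!nix-shell` line, and nothing ties the two together, so a later edit to one side will silently leave the other missing a runtime dependency. The three pairs agree today, but a one-line comment on each `pkgs =` line, such as `# must match the "#!nix-shell -p" line of the script`, would at least make the coupling visible; if `mkBash` is able to read the package list from the shebang itself, that would be the better fix. The removal of `oath-toolkit` in the earlier hunks of this file looks consistent with the package now being supplied through `secrets-dump`'s own closure. The enclosing `let` attrset begins outside this hunk.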
@ -1,4 +1,5 @@
|
|||
#!/usr/bin/env bash
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p gnugrep -p oath-toolkit -p sops
|
||||
# use: `sane-dump-secret /path/to/accounts/website.yaml`
|
||||
# dumps relevant information about the account, include a OTP code if present
|
||||
secrets=$(sops -d --output-type dotenv $1)
|
||||
|
|
|
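Review bot: `secrets=$(sops -d --output-type dotenv $1)` leaves `$1` unquoted, so a secrets path containing whitespace is split into several arguments and glob characters are expanded before `sops` sees them; it should read `secrets=$(sops -d --output-type dotenv "$1")`. The usage comment names the tool `sane-dump-secret` while the derivation is called `sane-secrets-dump`, so the comment should be corrected to `# use: \`sane-secrets-dump /path/to/accounts/website.yaml\``. Nothing in the shown lines aborts the script when `sops` fails, which would leave `secrets` empty and let the rest of the script run on it; unless a `set -e` appears later in the file, `set -eu -o pipefail` near the top would be appropriate. The body of the script continues outside this hunk.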
@ -1,4 +1,5 @@
|
|||
#!/usr/bin/env bash
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p coreutils-full -p openssh -p ssh-to-age
|
||||
# unlocks the SOPS store (i.e. populate a SOPS key from the user's SSH key)
|
||||
set -ex
|
||||
|
||||
|
|
|
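Review bot: `set -ex` in a script whose stated job is to derive a SOPS key from the user's SSH key means every expanded command line is traced to stderr, so if any later line passes the derived key (for example the output of `ssh-to-age`) as a command argument, the key material is printed to the terminal or whatever log captures it. The `-x` should be dropped, or restricted to an explicit debug switch, and a short comment should record why, e.g. `set -eu -o pipefail  # no -x: traced commands could print key material`. The lines that actually handle the key are outside this hunk, so this is a precaution based on the comment on the line above rather than a confirmed leak.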
@ -1,4 +1,5 @@
|
|||
#!/usr/bin/env bash
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p coreutils-full -p findutils -p sops
|
||||
# after modifying .sops.yaml, run this to re-encode all secrets to the new keys
|
||||
# pass the base directory (under which *everything* is a secret) as argument
|
||||
for i in $(find "$1" -print)
|
||||
|
|
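Review bot: `for i in $(find "$1" -print)` word-splits and glob-expands the `find` output, so any secret whose path contains whitespace is processed as several nonexistent files and a name containing `*` or `?` is expanded against the current directory. Reading NUL-delimited paths avoids both problems: `while IFS= read -r -d '' i; do` with the loop closed by `done < <(find "$1" -print0)`. Note also that `-print` yields `"$1"` itself and every subdirectory, not only files; if the loop body (outside this hunk) runs `sops` on each `$i`, `-type f` is probably intended. An empty or missing `$1` makes `find` search nothing useful, so a guard such as `[ -d "$1" ] || { echo "usage: $0 <secrets-dir>" >&2; exit 1; }` before the loop would fail clearly.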