Improve vault password installer options
This commit is contained in:
@@ -4,6 +4,7 @@ set -euo pipefail
|
||||
REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||
DEST="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
|
||||
ARCHIVE="${1:-$REPO_DIR/secrets/vault-pass.txt.zip}"
|
||||
VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}"
|
||||
|
||||
usage() {
|
||||
cat <<USAGE
|
||||
@@ -12,53 +13,207 @@ Usage: scripts/install-vault-pass.sh [archive.zip]
|
||||
Installs the Ansible Vault password file to:
|
||||
${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}
|
||||
|
||||
The archive must be password-protected. The user will be prompted by unzip/7z.
|
||||
Default archive path:
|
||||
Behavior:
|
||||
1. If the password file already exists, keep it and verify permissions.
|
||||
2. If missing, prompt the user to choose one of four setup methods:
|
||||
[1] Create a new vault password and initialize/re-encrypt vault.yml
|
||||
[2] Paste/type vault-pass.txt content manually
|
||||
[3] Download vault-pass.txt from a user-provided URL
|
||||
[4] Extract vault-pass.txt from a password-protected zip archive
|
||||
|
||||
Default archive path for method [4]:
|
||||
$REPO_DIR/secrets/vault-pass.txt.zip
|
||||
USAGE
|
||||
}
|
||||
|
||||
ensure_dest_dir() {
|
||||
umask 077
|
||||
mkdir -p "$(dirname "$DEST")"
|
||||
chmod 700 "$(dirname "$DEST")" || true
|
||||
}
|
||||
|
||||
secure_dest() {
|
||||
chmod 600 "$DEST"
|
||||
}
|
||||
|
||||
verify_existing() {
|
||||
if [ -f "$DEST" ]; then
|
||||
secure_dest
|
||||
echo "Vault password file already exists: $DEST"
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
require_cmd() {
|
||||
if ! command -v "$1" >/dev/null 2>&1; then
|
||||
echo "Missing dependency: $1" >&2
|
||||
echo "Please install it first." >&2
|
||||
exit 3
|
||||
fi
|
||||
}
|
||||
|
||||
create_new_password() {
|
||||
require_cmd ansible-vault
|
||||
require_cmd python3
|
||||
ensure_dest_dir
|
||||
umask 077
|
||||
python3 - <<'PY' > "$DEST"
|
||||
import secrets
|
||||
print(secrets.token_urlsafe(48))
|
||||
PY
|
||||
secure_dest
|
||||
echo "Created new vault password file: $DEST"
|
||||
|
||||
if [ -f "$VAULT_FILE" ]; then
|
||||
if ansible-vault view "$VAULT_FILE" --vault-password-file "$DEST" >/dev/null 2>&1; then
|
||||
echo "Existing vault is already readable with the new password. No re-encryption needed."
|
||||
else
|
||||
cat <<WARN
|
||||
|
||||
WARNING: $VAULT_FILE exists but is not readable with the new password.
|
||||
To avoid destroying existing encrypted secrets, this script will NOT overwrite it automatically.
|
||||
If this is a brand-new install, create a plaintext YAML file and run:
|
||||
./scripts/vault.sh encrypt /path/to/plaintext.yml
|
||||
If this is an existing vault, choose method [2], [3], or [4] with the correct password instead.
|
||||
WARN
|
||||
fi
|
||||
else
|
||||
mkdir -p "$(dirname "$VAULT_FILE")"
|
||||
tmp="$(mktemp)"
|
||||
chmod 600 "$tmp"
|
||||
cat > "$tmp" <<'YAML'
|
||||
# Initial placeholder vault. Replace with real secrets using ./scripts/vault.sh edit.
|
||||
gitea: {}
|
||||
openclaw_alice:
|
||||
http_nodes: {}
|
||||
ssh_nodes: {}
|
||||
YAML
|
||||
cp "$tmp" "$VAULT_FILE"
|
||||
ansible-vault encrypt "$VAULT_FILE" --vault-password-file "$DEST"
|
||||
rm -f "$tmp"
|
||||
echo "Created encrypted placeholder vault: $VAULT_FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
manual_create() {
|
||||
ensure_dest_dir
|
||||
cat <<MSG
|
||||
Paste/type the vault password content now, then press Enter.
|
||||
Input is hidden. The content will be written to:
|
||||
$DEST
|
||||
MSG
|
||||
read -r -s pass
|
||||
printf '\n'
|
||||
if [ -z "$pass" ]; then
|
||||
echo "Empty password is not allowed." >&2
|
||||
exit 4
|
||||
fi
|
||||
umask 077
|
||||
printf '%s\n' "$pass" > "$DEST"
|
||||
secure_dest
|
||||
echo "Installed manually provided vault password file: $DEST"
|
||||
}
|
||||
|
||||
download_from_url() {
|
||||
ensure_dest_dir
|
||||
printf 'Enter vault-pass.txt URL: '
|
||||
read -r url
|
||||
if [ -z "$url" ]; then
|
||||
echo "URL is required." >&2
|
||||
exit 4
|
||||
fi
|
||||
case "$url" in
|
||||
http://*|https://*) ;;
|
||||
*) echo "Only http:// or https:// URLs are supported." >&2; exit 4 ;;
|
||||
esac
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
umask 077
|
||||
curl -fsSL "$url" -o "$DEST"
|
||||
elif command -v wget >/dev/null 2>&1; then
|
||||
umask 077
|
||||
wget -qO "$DEST" "$url"
|
||||
else
|
||||
echo "Missing dependency: curl or wget" >&2
|
||||
exit 3
|
||||
fi
|
||||
if [ ! -s "$DEST" ]; then
|
||||
echo "Downloaded file is empty or missing." >&2
|
||||
exit 4
|
||||
fi
|
||||
secure_dest
|
||||
echo "Downloaded vault password file to: $DEST"
|
||||
}
|
||||
|
||||
extract_from_archive() {
|
||||
require_cmd unzip
|
||||
ensure_dest_dir
|
||||
if [ ! -f "$ARCHIVE" ]; then
|
||||
cat >&2 <<ERR
|
||||
Missing archive: $ARCHIVE
|
||||
|
||||
Create/provide a password-protected archive that contains one file named:
|
||||
vault-pass.txt
|
||||
ERR
|
||||
exit 2
|
||||
fi
|
||||
tmpdir="$(mktemp -d)"
|
||||
cleanup() { rm -rf "$tmpdir"; }
|
||||
trap cleanup EXIT
|
||||
|
||||
# unzip will prompt for the archive password interactively.
|
||||
unzip -q "$ARCHIVE" -d "$tmpdir"
|
||||
|
||||
src="$tmpdir/vault-pass.txt"
|
||||
if [ ! -f "$src" ]; then
|
||||
echo "Archive extracted, but vault-pass.txt was not found inside." >&2
|
||||
exit 4
|
||||
fi
|
||||
|
||||
install -m 600 "$src" "$DEST"
|
||||
echo "Installed vault password file from archive: $DEST"
|
||||
}
|
||||
|
||||
verify_vault_readable_if_possible() {
|
||||
if [ -f "$VAULT_FILE" ] && command -v ansible-vault >/dev/null 2>&1; then
|
||||
if ansible-vault view "$VAULT_FILE" --vault-password-file "$DEST" >/dev/null 2>&1; then
|
||||
echo "Verified: vault.yml is readable with $DEST"
|
||||
else
|
||||
echo "Warning: vault.yml is not readable with $DEST" >&2
|
||||
return 5
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
|
||||
usage
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ ! -f "$ARCHIVE" ]; then
|
||||
cat >&2 <<ERR
|
||||
Missing archive: $ARCHIVE
|
||||
|
||||
Create/provide a password-protected archive that contains one file named:
|
||||
vault-pass.txt
|
||||
|
||||
Then rerun:
|
||||
scripts/install-vault-pass.sh $ARCHIVE
|
||||
ERR
|
||||
exit 2
|
||||
if verify_existing; then
|
||||
verify_vault_readable_if_possible || true
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if ! command -v unzip >/dev/null 2>&1; then
|
||||
echo "Missing dependency: unzip" >&2
|
||||
echo "Install it with: sudo apt install -y unzip" >&2
|
||||
exit 3
|
||||
fi
|
||||
cat <<MENU
|
||||
Vault password file does not exist:
|
||||
$DEST
|
||||
|
||||
tmpdir="$(mktemp -d)"
|
||||
cleanup() { rm -rf "$tmpdir"; }
|
||||
trap cleanup EXIT
|
||||
Choose setup method:
|
||||
1) Create a new vault password and initialize/re-encrypt vault.yml if needed
|
||||
2) Paste/type vault-pass.txt content manually
|
||||
3) Download vault-pass.txt from a URL
|
||||
4) Extract vault-pass.txt from password-protected zip archive
|
||||
MENU
|
||||
printf 'Enter choice [1-4]: '
|
||||
read -r choice
|
||||
|
||||
umask 077
|
||||
mkdir -p "$(dirname "$DEST")"
|
||||
chmod 700 "$(dirname "$DEST")" || true
|
||||
case "$choice" in
|
||||
1) create_new_password ;;
|
||||
2) manual_create ;;
|
||||
3) download_from_url ;;
|
||||
4) extract_from_archive ;;
|
||||
*) echo "Invalid choice: $choice" >&2; exit 4 ;;
|
||||
esac
|
||||
|
||||
# unzip will prompt for the archive password interactively.
|
||||
unzip -q "$ARCHIVE" -d "$tmpdir"
|
||||
|
||||
src="$tmpdir/vault-pass.txt"
|
||||
if [ ! -f "$src" ]; then
|
||||
echo "Archive extracted, but vault-pass.txt was not found inside." >&2
|
||||
exit 4
|
||||
fi
|
||||
|
||||
install -m 600 "$src" "$DEST"
|
||||
|
||||
echo "Installed vault password file: $DEST"
|
||||
verify_vault_readable_if_possible || true
|
||||
|
||||
Reference in New Issue
Block a user