#!/usr/bin/env bash
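# Strict mode: stop on a failing command, an unset variable, or a failing
# pipeline stage.
set -euo pipefail

# Repository root: the parent of the directory that holds this script.
# CDPATH is cleared and cd's own output discarded, because cd prints the
# directory it resolved through CDPATH and that text would otherwise end up
# inside REPO_DIR.
REPO_DIR="$(CDPATH='' cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." >/dev/null && pwd)"
# Where the password file is installed; VAULT_PASS_FILE overrides the default.
DEST="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
# Archive to read: the first positional argument, else the default path under
# the repository's secrets/ directory.
ARCHIVE="${1:-$REPO_DIR/secrets/vault-pass.txt.zip}"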
#######################################
# Print the help text on stdout.
# Globals:   VAULT_PASS_FILE (read), HOME (read), REPO_DIR (read)
# Arguments: none
# Outputs:   usage, the effective install path and the default archive path
#######################################
usage() {
  local install_path="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
  printf '%s\n' \
    "Usage: scripts/install-vault-pass.sh [archive.zip]" \
    "" \
    "Installs the Ansible Vault password file to:" \
    "$install_path" \
    "" \
    "The archive must be password-protected. The user will be prompted by unzip/7z." \
    "Default archive path:" \
    "$REPO_DIR/secrets/vault-pass.txt.zip"
}
# -h or --help as the first argument: print the usage text and exit with
# status 0 before anything touches the filesystem.
case "${1:-}" in
  -h | --help)
    usage
    exit 0
    ;;
esac
# Exit with status 2 when the archive path is not a regular file, and tell the
# operator (on stderr) what the archive is expected to contain.
if ! [ -f "$ARCHIVE" ]; then
  {
    printf '%s\n' "Missing archive: $ARCHIVE" ""
    printf '%s\n' \
      "Create/provide a password-protected archive that contains one file named:" \
      "vault-pass.txt" \
      ""
    printf '%s\n' "Then rerun:" "scripts/install-vault-pass.sh $ARCHIVE"
  } >&2
  exit 2
fi
# unzip is the extractor this script calls; exit with status 3 and an install
# hint on stderr when it is not on PATH.
command -v unzip >/dev/null 2>&1 || {
  printf '%s\n' \
    "Missing dependency: unzip" \
    "Install it with: sudo apt install -y unzip" >&2
  exit 3
}
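# Scratch directory that will briefly hold the decrypted password file.
# mktemp -d picks an unpredictable name and creates the directory with
# owner-only permissions.
tmpdir="$(mktemp -d)"

#######################################
# Remove the scratch directory and the decrypted copy inside it.
# Globals: tmpdir (read)
#######################################
cleanup() {
  # ${tmpdir:?} aborts rather than handing rm an empty path; -- keeps a path
  # that starts with '-' from being parsed as an option.
  rm -rf -- "${tmpdir:?}"
}
# Run on every exit path so the plaintext does not outlive the script.
trap cleanup EXIT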
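# From here on, anything this script creates (including files unzip writes
# into the scratch directory) is private to the current user.
umask 077
dest_dir="$(dirname -- "$DEST")"
mkdir -p -- "$dest_dir"
# Best effort: tightening a pre-existing directory can fail. Report it on
# stderr instead of hiding it; the password file itself is still installed
# with mode 600 further down.
if ! chmod 700 -- "$dest_dir"; then
  echo "Warning: could not restrict permissions on $dest_dir" >&2
fi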
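# unzip will prompt for the archive password interactively, so the password
# is not passed on the command line.
# Only the expected member is requested, so other archive entries are never
# written to disk.
# NOTE(review): stock Info-ZIP unzip handles only the legacy ZIP encryption,
# not AES; that scheme is weak, so the archive itself should be treated as
# sensitive - confirm how the archive is produced.
member="vault-pass.txt"
unzip_rc=0
unzip -q "$ARCHIVE" "$member" -d "$tmpdir" || unzip_rc=$?
# Info-ZIP documents status 11 as "no matching files were found". Let that
# case fall through to the check below so callers still get exit status 4;
# any other failure (wrong password, damaged archive) keeps unzip's status.
if [ "$unzip_rc" -ne 0 ] && [ "$unzip_rc" -ne 11 ]; then
  exit "$unzip_rc"
fi

src="$tmpdir/$member"
# [ -f ] follows symbolic links, so a member stored as a link would pass it
# and install would copy whatever the link points at. Reject links explicitly.
if [ -L "$src" ]; then
  echo "vault-pass.txt inside the archive is not a regular file." >&2
  exit 4
fi
if [ ! -f "$src" ]; then
  echo "Archive extracted, but vault-pass.txt was not found inside." >&2
  exit 4
fi

# Install the password file with owner-only read/write permissions.
install -m 600 -- "$src" "$DEST"

echo "Installed vault password file: $DEST"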