hermes/agent-secret-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ea1bb0979f682335e265a6d561830ad649951089
agent-secret-vault/scripts/install-vault-pass.sh

220 lines
5.5 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
DEST="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
ARCHIVE="${1:-$REPO_DIR/secrets/vault-pass.txt.zip}"
VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}"
usage() {
cat <<USAGE
Usage: scripts/install-vault-pass.sh [archive.zip]
Installs the Ansible Vault password file to:
${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}
Behavior:
1. If the password file already exists, keep it and verify permissions.
2. If missing, prompt the user to choose one of four setup methods:
[1] Create a new vault password and initialize/re-encrypt vault.yml
[2] Paste/type vault-pass.txt content manually
[3] Download vault-pass.txt from a user-provided URL
[4] Extract vault-pass.txt from a password-protected zip archive
Default archive path for method [4]:
$REPO_DIR/secrets/vault-pass.txt.zip
USAGE
}
ensure_dest_dir() {
umask 077
mkdir -p "$(dirname "$DEST")"
chmod 700 "$(dirname "$DEST")" || true
}
secure_dest() {
chmod 600 "$DEST"
}
verify_existing() {
if [ -f "$DEST" ]; then
secure_dest
echo "Vault password file already exists: $DEST"
return 0
fi
return 1
}
require_cmd() {
if ! command -v "$1" >/dev/null 2>&1; then
echo "Missing dependency: $1" >&2
echo "Please install it first." >&2
exit 3
fi
}
create_new_password() {
require_cmd ansible-vault
require_cmd python3
ensure_dest_dir
umask 077
python3 - <<'PY' > "$DEST"
import secrets
print(secrets.token_urlsafe(48))
PY
secure_dest
echo "Created new vault password file: $DEST"
if [ -f "$VAULT_FILE" ]; then
if ansible-vault view "$VAULT_FILE" --vault-password-file "$DEST" >/dev/null 2>&1; then
echo "Existing vault is already readable with the new password. No re-encryption needed."
else
cat <<WARN
WARNING: $VAULT_FILE exists but is not readable with the new password.
To avoid destroying existing encrypted secrets, this script will NOT overwrite it automatically.
If this is a brand-new install, create a plaintext YAML file and run:
./scripts/vault.sh encrypt /path/to/plaintext.yml
If this is an existing vault, choose method [2], [3], or [4] with the correct password instead.
WARN
fi
else
mkdir -p "$(dirname "$VAULT_FILE")"
tmp="$(mktemp)"
chmod 600 "$tmp"
cat > "$tmp" <<'YAML'
# Initial placeholder vault. Replace with real secrets using ./scripts/vault.sh edit.
gitea: {}
openclaw_alice:
http_nodes: {}
ssh_nodes: {}
YAML
cp "$tmp" "$VAULT_FILE"
ansible-vault encrypt "$VAULT_FILE" --vault-password-file "$DEST"
rm -f "$tmp"
echo "Created encrypted placeholder vault: $VAULT_FILE"
fi
}
manual_create() {
ensure_dest_dir
cat <<MSG
Paste/type the vault password content now, then press Enter.
Input is hidden. The content will be written to:
$DEST
MSG
read -r -s pass
printf '\n'
if [ -z "$pass" ]; then
echo "Empty password is not allowed." >&2
exit 4
fi
umask 077
printf '%s\n' "$pass" > "$DEST"
secure_dest
echo "Installed manually provided vault password file: $DEST"
}
download_from_url() {
ensure_dest_dir
printf 'Enter vault-pass.txt URL: '
read -r url
if [ -z "$url" ]; then
echo "URL is required." >&2
exit 4
fi
case "$url" in
http://*|https://*) ;;
*) echo "Only http:// or https:// URLs are supported." >&2; exit 4 ;;
esac
if command -v curl >/dev/null 2>&1; then
umask 077
curl -fsSL "$url" -o "$DEST"
elif command -v wget >/dev/null 2>&1; then
umask 077
wget -qO "$DEST" "$url"
else
echo "Missing dependency: curl or wget" >&2
exit 3
fi
if [ ! -s "$DEST" ]; then
echo "Downloaded file is empty or missing." >&2
exit 4
fi
secure_dest
echo "Downloaded vault password file to: $DEST"
}
extract_from_archive() {
require_cmd unzip
ensure_dest_dir
if [ ! -f "$ARCHIVE" ]; then
cat >&2 <<ERR
Missing archive: $ARCHIVE
Create/provide a password-protected archive that contains one file named:
vault-pass.txt
ERR
exit 2
fi
tmpdir="$(mktemp -d)"
cleanup() { rm -rf "$tmpdir"; }
trap cleanup EXIT
# unzip will prompt for the archive password interactively.
unzip -q "$ARCHIVE" -d "$tmpdir"
src="$tmpdir/vault-pass.txt"
if [ ! -f "$src" ]; then
echo "Archive extracted, but vault-pass.txt was not found inside." >&2
exit 4
fi
install -m 600 "$src" "$DEST"
echo "Installed vault password file from archive: $DEST"
}
verify_vault_readable_if_possible() {
if [ -f "$VAULT_FILE" ] && command -v ansible-vault >/dev/null 2>&1; then
if ansible-vault view "$VAULT_FILE" --vault-password-file "$DEST" >/dev/null 2>&1; then
echo "Verified: vault.yml is readable with $DEST"
else
echo "Warning: vault.yml is not readable with $DEST" >&2
return 5
fi
fi
}
if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
usage
exit 0
fi
if verify_existing; then
verify_vault_readable_if_possible || true
exit 0
fi
cat <<MENU
Vault password file does not exist:
$DEST
Choose setup method:
1) Create a new vault password and initialize/re-encrypt vault.yml if needed
2) Paste/type vault-pass.txt content manually
3) Download vault-pass.txt from a URL
4) Extract vault-pass.txt from password-protected zip archive
MENU
printf 'Enter choice [1-4]: '
read -r choice
case "$choice" in
1) create_new_password ;;
2) manual_create ;;
3) download_from_url ;;
4) extract_from_archive ;;
*) echo "Invalid choice: $choice" >&2; exit 4 ;;
esac
verify_vault_readable_if_possible || true
Reference in New Issue View Git Blame Copy Permalink