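#!/usr/bin/env bash
# Bootstrap the age-plugin-tpm identity for a desktop host (mreow / yarn).
#
# Produces a TPM-sealed age identity at /var/lib/agenix/tpm-identity and
# prints the recipient string to add to secrets/secrets.nix.
#
# Usage:
#   doas scripts/bootstrap-desktop-tpm.sh
#
# After running:
#   1. Append the printed recipient to the `tpm` list in secrets/secrets.nix.
#   2. Re-encrypt: nix-shell -p age-plugin-tpm rage --run \
#        'agenix -r -i ~/.ssh/id_ed25519'
#   3. Commit + ./deploy.sh switch.

set -euo pipefail

# Print a diagnostic to stderr and abort with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [[ $EUID -ne 0 ]]; then
  die "this script must run as root (access to /dev/tpmrm0 + /var/lib/agenix)"
fi

# Fail early with a clear message instead of deep inside nix-shell: the
# header above states generation needs the TPM resource-manager device.
[[ -e /dev/tpmrm0 ]] || die "/dev/tpmrm0 not found — cannot generate a TPM-sealed identity"

host=$(hostname -s)
readonly id_dir=/var/lib/agenix
readonly id_file=$id_dir/tpm-identity

# Never let the identity (or its scratch copy) exist with group/other bits
# set, whatever the caller's umask; the explicit chmod 0400 below then
# tightens it further.
umask 077

install -d -m 0700 -o root -g root "$id_dir"

if [[ -f "$id_file" ]]; then
  echo "existing identity found at $id_file — preserving"
else
  echo "generating TPM-sealed age identity..."
  # Generate into a scratch directory on the same filesystem and move the
  # result into place atomically, so an interrupted run never leaves a
  # half-written file at $id_file that the next run would "preserve".
  tmp_dir=$(mktemp -d -p "$id_dir" tpm-identity.XXXXXX) || die "mktemp failed"
  trap 'rm -rf -- "${tmp_dir:?}"' EXIT
  tmp_file=$tmp_dir/tpm-identity
  # $tmp_file comes from a fixed path + mktemp template, so it is safe to
  # embed in the --run string; single quotes keep it as one word there.
  nix-shell -p age-plugin-tpm --run "age-plugin-tpm --generate -o '$tmp_file'"
  [[ -s "$tmp_file" ]] || die "age-plugin-tpm produced no identity at $tmp_file"
  chmod 0400 "$tmp_file"
  chown root:root "$tmp_file"
  mv -- "$tmp_file" "$id_file"
fi

# Read the recipient directly from the identity file header — no TPM
# round-trip needed, no nix run. awk exits 0 even when no line matches, so
# the empty-result check below is actually reachable under
# `set -e -o pipefail` (a `grep | awk` pipeline would abort the script
# with grep's status before the message could be printed). `exit` after the
# first match keeps the result to a single line.
recipient=$(awk '/^# Recipient:/ { print $3; exit }' "$id_file")
if [[ -z "$recipient" ]]; then
  die "failed to read recipient from $id_file"
fi

cat <<EOF

recipient for $host:
"$recipient $host"

next steps (run on a workstation with git-crypt unlocked):
1. edit secrets/secrets.nix and add the line above to the \`tpm\` list.
2. re-encrypt: nix-shell -p age-plugin-tpm rage --run 'agenix -r -i ~/.ssh/id_ed25519'
3. git commit + ./deploy.sh switch
EOF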