69 lines
2.5 KiB
Bash
Executable File
69 lines
2.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Bootstrap the age-plugin-tpm identity for a desktop host (mreow / yarn).
|
|
#
|
|
# Produces a TPM-sealed age identity at /var/lib/agenix/tpm-identity and
|
|
# prints the legacy `age1tpm1…` recipient. The identity file is a TPM
|
|
# handle, not key material — the actual key never leaves the TPM.
|
|
#
|
|
# --tpm-recipient is required: nixpkgs only ships `age-plugin-tpm`, not the
|
|
# `age-plugin-tag` binary that rage looks up when it sees the new p256tag
|
|
# `age1tag1…` format. Until a packaged age-plugin-tag lands, every recipient
|
|
# stays in the legacy form so encryption works with off-the-shelf nixpkgs.
|
|
#
|
|
# Usage:
|
|
# doas scripts/bootstrap-desktop-tpm.sh
|
|
#
|
|
# After running:
|
|
# 1. Append the printed recipient to `tpm` in secrets/secrets.nix:
|
|
# "age1tpm1… <hostname>"
|
|
# 2. `agenix -r` (from a shell with age-plugin-tpm on PATH) to re-encrypt
|
|
# every desktop secret with the new recipient list.
|
|
# 3. Commit + `./deploy.sh switch`.
|
|
|
|
set -euo pipefail
|
|
|
|
if [[ $EUID -ne 0 ]]; then
|
|
echo "this script must run as root (access to /dev/tpmrm0 + /var/lib/agenix)" >&2
|
|
exit 1
|
|
fi
|
|
|
|
host=$(hostname -s)
|
|
id_file=/var/lib/agenix/tpm-identity
|
|
|
|
install -d -m 0700 -o root -g root /var/lib/agenix
|
|
|
|
if [[ -f "$id_file" ]]; then
|
|
echo "existing identity found at $id_file — preserving"
|
|
else
|
|
echo "generating TPM-sealed age identity..."
|
|
nix run nixpkgs#age-plugin-tpm -- --generate --tpm-recipient --output "$id_file"
|
|
chmod 0400 "$id_file"
|
|
chown root:root "$id_file"
|
|
fi
|
|
|
|
# Always derive the legacy age1tpm1… recipient, even if the identity file
|
|
# was generated with the newer p256tag comment (Recipient line starts with
|
|
# age1tag1…). `--convert --tpm-recipient` uses the same TPM object and just
|
|
# serializes the public key point in the old format.
|
|
recipient=$(nix run nixpkgs#age-plugin-tpm -- --convert --tpm-recipient < "$id_file" 2>/dev/null | grep -o 'age1tpm1[0-9a-z]*' | head -n1)
|
|
if [[ -z "$recipient" ]]; then
|
|
# fallback to parsing the header comment (only works when the identity was
|
|
# already generated with --tpm-recipient).
|
|
recipient=$(grep '^# Recipient:' "$id_file" | awk '{print $3}')
|
|
fi
|
|
if [[ -z "$recipient" ]]; then
|
|
echo "failed to derive recipient for $id_file" >&2
|
|
exit 1
|
|
fi
|
|
|
|
cat <<EOF
|
|
|
|
recipient for $host:
|
|
"$recipient $host"
|
|
|
|
next steps (run on a workstation with git-crypt unlocked):
|
|
1. edit secrets/secrets.nix and append the line above inside the \`tpm\` list.
|
|
2. nix run nixpkgs#agenix -- -r # re-encrypts every .age file.
|
|
3. git commit + ./deploy.sh switch
|
|
EOF
|