Rotate operator secrets into agenix and deepen caches
This commit is contained in:
Conrad Kramer
parent
7039bf5aad
commit
03415e579b
28 changed files with 526 additions and 126 deletions
|
|
@ -3,17 +3,22 @@
|
|||
set -euo pipefail
|
||||
umask 077
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
|
||||
# shellcheck source=Scripts/_burrow-secrets.sh
|
||||
source "${REPO_ROOT}/Scripts/_burrow-secrets.sh"
|
||||
|
||||
usage() {
|
||||
cat <<'EOF'
|
||||
Usage:
|
||||
Tools/forwardemail-custom-s3.sh \
|
||||
--domain burrow.net \
|
||||
--api-token-file intake/forwardemail_api_token.txt \
|
||||
--api-token-file secrets/forwardemail/api-token.age \
|
||||
--s3-endpoint https://<endpoint> \
|
||||
--s3-region <region> \
|
||||
--s3-bucket <bucket> \
|
||||
--s3-access-key-file intake/hetzner-s3-user.txt \
|
||||
--s3-secret-key-file intake/hetzner-s3-secret.txt
|
||||
--s3-access-key-file secrets/forwardemail/hetzner-s3-user.age \
|
||||
--s3-secret-key-file secrets/forwardemail/hetzner-s3-secret.age
|
||||
|
||||
Options:
|
||||
--domain <domain> Forward Email domain to update.
|
||||
|
|
@ -54,13 +59,18 @@ read_secret() {
|
|||
printf '%s' "$value"
|
||||
}
|
||||
|
||||
cleanup() {
|
||||
burrow_cleanup_secret_tmpfiles
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
domain=""
|
||||
api_token_file=""
|
||||
api_token_file="${FORWARDEMAIL_API_TOKEN_FILE:-}"
|
||||
s3_endpoint=""
|
||||
s3_region=""
|
||||
s3_bucket=""
|
||||
s3_access_key_file=""
|
||||
s3_secret_key_file=""
|
||||
s3_access_key_file="${FORWARDEMAIL_S3_ACCESS_KEY_FILE:-}"
|
||||
s3_secret_key_file="${FORWARDEMAIL_S3_SECRET_KEY_FILE:-}"
|
||||
test_only=false
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
|
|
@ -108,16 +118,38 @@ while [[ $# -gt 0 ]]; do
|
|||
done
|
||||
|
||||
[[ -n "$domain" ]] || fail "--domain is required"
|
||||
[[ -n "$api_token_file" ]] || fail "--api-token-file is required"
|
||||
[[ -n "$s3_endpoint" || "$test_only" == true ]] || fail "--s3-endpoint is required unless --test-only is set"
|
||||
[[ -n "$s3_region" || "$test_only" == true ]] || fail "--s3-region is required unless --test-only is set"
|
||||
[[ -n "$s3_bucket" || "$test_only" == true ]] || fail "--s3-bucket is required unless --test-only is set"
|
||||
[[ -n "$s3_access_key_file" || "$test_only" == true ]] || fail "--s3-access-key-file is required unless --test-only is set"
|
||||
[[ -n "$s3_secret_key_file" || "$test_only" == true ]] || fail "--s3-secret-key-file is required unless --test-only is set"
|
||||
|
||||
api_token_file="$(
|
||||
burrow_resolve_secret_file \
|
||||
"${REPO_ROOT}" \
|
||||
"${api_token_file}" \
|
||||
"${REPO_ROOT}/intake/forwardemail_api_token.txt" \
|
||||
"${REPO_ROOT}/secrets/forwardemail/api-token.age"
|
||||
)" || fail "unable to resolve Forward Email API token file"
|
||||
require_file "$api_token_file"
|
||||
api_token="$(read_secret "$api_token_file")"
|
||||
|
||||
if [[ "$test_only" != true ]]; then
|
||||
s3_access_key_file="$(
|
||||
burrow_resolve_secret_file \
|
||||
"${REPO_ROOT}" \
|
||||
"${s3_access_key_file}" \
|
||||
"${REPO_ROOT}/intake/hetzner-s3-user.txt" \
|
||||
"${REPO_ROOT}/secrets/forwardemail/hetzner-s3-user.age"
|
||||
)" || fail "unable to resolve Hetzner S3 access key file"
|
||||
s3_secret_key_file="$(
|
||||
burrow_resolve_secret_file \
|
||||
"${REPO_ROOT}" \
|
||||
"${s3_secret_key_file}" \
|
||||
"${REPO_ROOT}/intake/hetzner-s3-secret.txt" \
|
||||
"${REPO_ROOT}/secrets/forwardemail/hetzner-s3-secret.age"
|
||||
)" || fail "unable to resolve Hetzner S3 secret key file"
|
||||
require_file "$s3_access_key_file"
|
||||
require_file "$s3_secret_key_file"
|
||||
fi
|
||||
|
||||
if [[ "$test_only" == false ]]; then
|
||||
require_file "$s3_access_key_file"
|
||||
require_file "$s3_secret_key_file"
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ import argparse
|
|||
import datetime as dt
|
||||
import hashlib
|
||||
import hmac
|
||||
import subprocess
|
||||
import sys
|
||||
import textwrap
|
||||
from pathlib import Path
|
||||
|
|
@ -13,11 +14,38 @@ from urllib.parse import urlencode, urlparse
|
|||
|
||||
import requests
|
||||
|
||||
REPO_ROOT = Path(__file__).resolve().parent.parent
|
||||
|
||||
|
||||
def default_secret_path(age_rel: str, intake_rel: str) -> str:
|
||||
age_path = REPO_ROOT / age_rel
|
||||
if age_path.exists():
|
||||
return str(age_path)
|
||||
return intake_rel
|
||||
|
||||
|
||||
def read_secret(path: str) -> str:
|
||||
value = Path(path).read_text(encoding="utf-8").strip()
|
||||
file_path = Path(path)
|
||||
if not file_path.is_absolute():
|
||||
file_path = REPO_ROOT / file_path
|
||||
if file_path.suffix == ".age":
|
||||
value = subprocess.check_output(
|
||||
[
|
||||
"nix",
|
||||
"--extra-experimental-features",
|
||||
"nix-command flakes",
|
||||
"run",
|
||||
f"{REPO_ROOT}#agenix",
|
||||
"--",
|
||||
"-d",
|
||||
str(file_path),
|
||||
],
|
||||
text=True,
|
||||
).strip()
|
||||
else:
|
||||
value = file_path.read_text(encoding="utf-8").strip()
|
||||
if not value:
|
||||
raise SystemExit(f"error: empty secret file: {path}")
|
||||
raise SystemExit(f"error: empty secret file: {file_path}")
|
||||
return value
|
||||
|
||||
|
||||
|
|
@ -212,12 +240,12 @@ def parse_args() -> argparse.Namespace:
|
|||
parser.add_argument("--region", default="hel1", help="S3 region.")
|
||||
parser.add_argument(
|
||||
"--access-key-file",
|
||||
default="intake/hetzner-s3-user.txt",
|
||||
default=default_secret_path("secrets/forwardemail/hetzner-s3-user.age", "intake/hetzner-s3-user.txt"),
|
||||
help="File containing the S3 access key id.",
|
||||
)
|
||||
parser.add_argument(
|
||||
"--secret-key-file",
|
||||
default="intake/hetzner-s3-secret.txt",
|
||||
default=default_secret_path("secrets/forwardemail/hetzner-s3-secret.age", "intake/hetzner-s3-secret.txt"),
|
||||
help="File containing the S3 secret key.",
|
||||
)
|
||||
parser.add_argument(
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue