1 files changed, 69 insertions, 0 deletions

diff --git a/old/bin/copy-secrets b/old/bin/copy-secrets
new file mode 100755
index 000000000..f40493599
--- /dev/null
+++ b/old/bin/copy-secrets
@@ -0,0 +1,69 @@
+#! /bin/sh
+#
+# copy-secrets system_name target
+#
+set -euf
+
+system_name=$1
+target=$2
+
+nixos_config=$config_root/modules/$system_name
+secrets_nix=$secrets_root/$system_name/nix
+secrets_rsync=$secrets_root/$system_name/rsync
+
+if ! test -e "$secrets_rsync"; then
+  exit # nothing to do
+fi
+
+# XXX this is ugly
+# Notice NIX_PATH used from host
+# Notice secrets required to evaluate configuration
+NIX_PATH=$NIX_PATH:nixos-config=$PWD/modules/$system_name
+NIX_PATH=$NIX_PATH:secrets=$PWD/secrets/$system_name/nix
+export NIX_PATH
+
+case $(nixos-query tv.retiolum.enable 2>/dev/null) in true)
+  retiolum_secret=$(nixos-query tv.retiolum.privateKeyFile)
+  retiolum_uid=$(nixos-query users.extraUsers.retiolum-tinc.uid)
+esac
+
+case $(nixos-query services.ejabberd-cd.enable 2>/dev/null) in true)
+  ejabberd_secret=$(nixos-query services.ejabberd-cd.certFile)
+  ejabberd_uid=$(nixos-query users.extraUsers.ejabberd.uid)
+esac
+
+case $(nixos-query tv.consul.enable 2>/dev/null) in true)
+  consul_secret=$(nixos-query tv.consul.encrypt-file)
+  consul_uid=$(nixos-query users.extraUsers.consul.uid)
+esac
+
+(set -x
+  rsync \
+    --rsync-path="mkdir -p \"$2\" && rsync" \
+    -vzrlptD \
+    "$secrets_rsync/" \
+    "$target:/")
+
+ssh "$target" -T <<EOF
+set -euf
+
+retiolum_secret=${retiolum_secret-}
+retiolum_uid=${retiolum_uid-}
+ejabberd_secret=${ejabberd_secret-}
+ejabberd_uid=${ejabberd_uid-}
+consul_secret=${consul_secret-}
+consul_uid=${consul_uid-}
+
+if test -n "\$retiolum_secret"; then
+  chown -v "\$retiolum_uid:0" "\$retiolum_secret"
+fi
+
+if test -n "\$ejabberd_secret"; then
+  chown -v "\$ejabberd_uid:0" "\$ejabberd_secret"
+fi
+
+if test -n "\$consul_secret"; then
+  chown -v "\$consul_uid:0" "\$consul_secret"
+fi
+
+EOF