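#!/bin/bash
# secrets-encrypt.sh — pack /data/secrets/<SERVER_DOMAIN> into an encrypted
# tar.gz under /data/secrets/safe, using a per-domain password that is kept
# in /data/secrets/safe/keys.env (one KEY=value line per domain, created on
# first use).
#
# Usage: secrets-encrypt.sh <SERVER_DOMAIN>
# Must be run as root.

# Refuse to run unprivileged. Exit non-zero so that cron/CI callers notice
# the refusal instead of reading it as success.
if [ "$(id -u)" != "0" ]; then
  echo -e "\033[31mThis script requires superuser rights.\033[0m" >&2
  exit 1
fi

if [ -z "$1" ]; then
  echo "Usage: $0 <SERVER_DOMAIN>" >&2
  exit 1
fi

SERVER_DOMAIN=$1

# The argument is spliced into paths below /data/secrets and into a grep
# pattern for the key lookup, so restrict it to hostname characters. This
# keeps '/', '..' components and regex metacharacters out of both.
if [[ ! "$SERVER_DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  echo -e "\033[31mInvalid SERVER_DOMAIN '$SERVER_DOMAIN': expected a hostname (letters, digits, '.', '-')\033[0m" >&2
  exit 1
fi

SAFE_DIR="/data/secrets/safe"
DOMAIN_DIR="/data/secrets/$SERVER_DOMAIN"
# Plaintext per-domain passwords, one KEY=value line each.
KEYS_FILE="$SAFE_DIR/keys.env"
ARCHIVE_FILE="$SAFE_DIR/$SERVER_DOMAIN.tar.gz"

# keys.env holds plaintext passwords and the archive is sensitive as well:
# everything this script creates is owner-readable only. If another account
# must read the archive, chmod it explicitly after this script finishes.
umask 077

# From here on any failing command aborts with a visible message; the trap
# is cleared again once the archive has been written.
trap 'echo -e "\033[31msecrets-encrypt.sh: Something went wrong\033[0m" >&2; exit 1' ERR
set -e

export DEBIAN_FRONTEND=noninteractive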
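#######################################
# Print a fresh random password: 20 characters drawn from [a-z0-9]
# (36^20, roughly 103 bits of entropy) read from /dev/urandom, with no
# trailing newline.
# LC_ALL=C makes the 'a-z0-9' range byte-wise, so the character set does
# not depend on the caller's locale.
# NOTE: tr is terminated by SIGPIPE once head has its 20 bytes; that is
# normal for this pipeline, so do not call it under `set -o pipefail`.
# Outputs: the password on stdout
# Returns: head's exit status (0 on success)
#######################################
generate_password() {
  LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c20
}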
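echo "We check for the presence of a key in keys.env and get it..."
# Key name used in keys.env: the domain with every '.' replaced by '_'
# (e.g. example.com -> example_com).
KEY_VAR=${SERVER_DOMAIN//./_}

# The -f test avoids a "No such file" message from grep on first use; a
# missing keys.env simply means no password exists yet.
if [[ -f "$KEYS_FILE" ]] && grep -q -- "^$KEY_VAR=" "$KEYS_FILE"; then
  # First matching line only; -f2- keeps any '=' that is part of the value.
  PASSWORD=$(grep -m1 -- "^$KEY_VAR=" "$KEYS_FILE" | cut -d= -f2-)
  if [[ -z "$PASSWORD" ]]; then
    echo -e "\033[31mEmpty password stored for $SERVER_DOMAIN in $KEYS_FILE\033[0m" >&2
    exit 1
  fi
  echo "Password for $SERVER_DOMAIN already exists"
else
  PASSWORD=$(generate_password)
  # keys.env stores passwords in plaintext: create it owner-readable only.
  # An existing file keeps whatever mode it already has.
  ( umask 077; echo "$KEY_VAR=$PASSWORD" >> "$KEYS_FILE" )
  echo "Generated new password for $SERVER_DOMAIN."
fi

echo "Pack and encrypt the archive..."
if [[ ! -d "$DOMAIN_DIR" ]]; then
  echo -e "\033[31mNo such directory: $DOMAIN_DIR\033[0m" >&2
  exit 1
fi

# Without pipefail a failing tar (unreadable file, I/O error) is masked by a
# successful openssl, and a truncated archive would be reported as created.
# It is enabled only around this pipeline because generate_password's
# tr|head pipeline legitimately ends with SIGPIPE.
set -o pipefail
# The password is handed to openssl on a file descriptor instead of argv,
# so it does not appear in `ps` output for the lifetime of the command.
# NOTE(review): aes-256-cbc is not authenticated encryption; tampering with
# the archive is only noticed if the decrypted tar stream fails to parse.
tar -czf - -C "$DOMAIN_DIR" . \
  | openssl enc -aes-256-cbc -e -out "$ARCHIVE_FILE" -pass fd:3 -pbkdf2 -iter 100000 3<<<"$PASSWORD"
set +o pipefail

trap - ERR
echo "Encrypted archive created at $ARCHIVE_FILE"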