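#!/bin/bash
# Encrypt unencrypted secrets found in a key directory with ansible-vault, or,
# in check mode, report every file that is not already vault-encrypted.
#
# Usage: keydir vault-password-file (check|encrypt)
#   keydir               directory whose entries are inspected with file(1)
#   vault-password-file  handed to ansible-vault --vault-password-file
#   mode                 check   - print unencrypted/unknown files, exit 1 if any
#                        encrypt - vault-encrypt files file(1) labels OpenSSH
#
# Exit status: 0 when nothing needs attention; 1 on a usage error, when any
# file is reported in check mode, or when ansible-vault fails in encrypt mode.

usage() {
  printf 'Usage: %s keydir vault-password-file (check|encrypt)\n' "$0" >&2
  exit 1
}

keydir=$1
secret=$2
mode=$3

# All three arguments are mandatory. Checking only $mode (as before) allowed an
# empty keydir, which makes "$keydir"/* expand to /* and walk the root directory.
if [[ -z "$keydir" || -z "$secret" || -z "$mode" ]]; then
  usage
fi
# An unrecognised mode used to loop over every file doing nothing and exit 0,
# which looks like a successful check; reject it instead.
case "$mode" in
  check|encrypt) ;;
  *) usage ;;
esac
if [[ ! -d "$keydir" ]]; then
  printf '%s is not a directory\n' "$keydir" >&2
  exit 1
fi

err=""

for key in "$keydir"/*; do
  # Without nullglob an empty directory leaves the literal pattern behind;
  # skip it rather than feeding a non-existent path to file(1).
  [[ -e "$key" ]] || continue
  # -b omits the filename from the description so a file *named* e.g.
  # "OpenSSH-notes" or "vault.txt" cannot be mistaken for the detected type.
  filetype=$(file -b -- "$key")

  case "$filetype" in
    *OpenSSH*)
      case "$mode" in
        encrypt)
          # A failed encryption must not be reported as success by the script.
          if ! ansible-vault encrypt --vault-password-file "$secret" --vault-id default "$key"; then
            printf 'failed to encrypt %s\n' "$key" >&2
            err=1
          fi
          ;;
        check)
          printf '%s is unencrypted!\n' "$key"
          err=1
          ;;
      esac
      ;;
    *Ansible*Vault*)
      # Already vault-encrypted: nothing to do in either mode.
      ;;
    *)
      case "$mode" in
        check)
          printf '%s is an unknown clear text file!\n' "$key"
          err=1
          ;;
        encrypt)
          # Only files that file(1) labels OpenSSH are encrypted; anything else
          # is left untouched, so make that visible instead of silently skipping.
          printf 'warning: %s not recognised as an OpenSSH key, left as is\n' "$key" >&2
          ;;
      esac
      ;;
  esac
done

if [[ -n "$err" ]]; then
  exit 1
fi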