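#!/usr/bin/env bash
#
# Install a user's SSH key files from an AWS Secrets Manager secret.
#
# Usage: $0 USERNAME SECRET_ID [check]
#
#   USERNAME   local account whose ~/.ssh is managed
#   SECRET_ID  Secrets Manager secret whose SecretString is a JSON object
#              mapping file names (e.g. "id_ed25519", "id_ed25519.pub") to
#              base64-encoded file contents
#   check      any third argument selects check-only mode: the decoded files
#              are diffed against ~/.ssh and nothing is installed
#
# Must run as root: it chowns the staged files to USERNAME and rsync -a
# carries that ownership into ~/.ssh.
#
# config, authorized_keys and known_hosts in ~/.ssh are never touched; every
# other file there is replaced by, or deleted to match, the secret's contents.
set -euo pipefail

usage() {
    printf 'Usage: %s USERNAME SECRET_ID [check]\n' "${0##*/}" >&2
    exit 2
}

[[ "$#" -ge 2 ]] || usage
username="$1"
ssh_secret_name="$2"

# Resolve the home directory from the passwd database.  pipefail makes an
# unknown user fail here; the explicit check also catches a missing directory.
homedir="$(getent passwd "$username" | cut -d: -f6)"
if [[ -z "$homedir" || ! -d "$homedir" ]]; then
    printf 'No home directory found for user %s\n' "$username" >&2
    exit 1
fi
sshdir="$homedir/.ssh"

# Fail closed: everything created below is owner-only unless a file is
# explicitly marked public (*.pub).  Files are never created world-readable
# and tightened afterwards.
umask 077

workdir=$(mktemp -d)
# Remove the staging directory on every exit path, including failures after
# the secret has been decoded into it.  ${workdir:?} refuses to expand to an
# empty string, so a broken assignment can never turn this into `rm -rf /`.
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT
# Assumes a per-user group named after the account (the usual Debian/Ubuntu
# layout) — confirm for deployments with a shared primary group.
chown "$username:$username" "$workdir"

# The secret is held in a shell variable and fed to jq via here-strings, so
# its contents never appear on a command line.
keydata="$(/srv/zulip-aws-tools/bin/aws --output text \
    secretsmanager get-secret-value \
    --secret-id "$ssh_secret_name" \
    --query SecretString)"

# Refuse anything that is not a non-empty JSON object.  A failed jq inside a
# `for $(...)` or `mapfile` does not trip set -e, and an empty staging
# directory combined with rsync --delete would strip every managed key file
# out of ~/.ssh.
if ! jq -e 'type == "object" and length > 0' <<<"$keydata" >/dev/null; then
    printf 'Secret %s is not a non-empty JSON object\n' "$ssh_secret_name" >&2
    exit 1
fi

# One key name per line: names are never word-split or glob-expanded.
mapfile -t keyfiles < <(jq -r 'keys[]' <<<"$keydata")

for keyfile in "${keyfiles[@]}"; do
    # Key names become path components under $workdir and $sshdir, so reject
    # anything containing a separator or that is not a plain file name.
    if [[ ! "$keyfile" =~ ^[A-Za-z0-9._-]+$ || "$keyfile" == . || "$keyfile" == .. ]]; then
        printf 'Refusing unsafe key file name in secret %s: %q\n' \
            "$ssh_secret_name" "$keyfile" >&2
        exit 1
    fi
    # Pass the name to jq as data (--arg) rather than splicing it into the
    # filter text, where a quote in the name would change the program.
    # umask 077 makes the redirection create the file as 0600.
    jq -r --arg k "$keyfile" '.[$k]' <<<"$keydata" | base64 -d >"$workdir/$keyfile"
    if [[ "$keyfile" == *.pub ]]; then
        chmod 644 "$workdir/$keyfile"
    else
        chmod 600 "$workdir/$keyfile"
    fi
    chown "$username:$username" "$workdir/$keyfile"
done

if [[ "$#" -gt 2 ]]; then
    # Check-only mode: report differences and exit with diff's status
    # (0 when ~/.ssh already matches, 1 when it differs, 2 on error).
    # Nothing is installed.
    rc=0
    diff -rN -x config -x authorized_keys -x known_hosts \
        "$workdir/" "$sshdir/" || rc=$?
    exit "$rc"
fi

# rsync -a keeps the staged modes and ownership.  --delete removes key files
# that are no longer in the secret; the excluded names are neither copied nor
# deleted, so the user's own config, authorized_keys and known_hosts survive.
rsync -av --delete \
    --exclude config --exclude authorized_keys --exclude known_hosts \
    "$workdir/" "$sshdir/"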