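#!/bin/bash
########################################################################
# Push the dn42 TLS certificates to the tier2 rsync hosts.
#
# Flow: locate the certificates directory next to this script, mint a
# one-time ed25519 ssh key signed by Vault, rsync each cert/key pair to
# every host in ${hosts[@]}, then destroy the temporary key material
# (the EXIT trap runs on every exit path, including failures).
#
# Requires: ssh-keygen, vault (already authenticated), rsync.
# Exit status: 0 when every host synced; 1 on a setup failure or when
# at least one host failed to sync.
########################################################################
set -euo pipefail

# certificate names; each lives in <name>/<name>.{crt,key} under CERTPATH
certs=(
  'burble-dn42'
  'collector-dn42'
)

# hosts to push
hosts=(
  'rsync.tier2.fr-rbx1.burble.dn42'
  'rsync.tier2.de-fra1.burble.dn42'
  'rsync.tier2.ca-bhs2.burble.dn42'
)

# destination directory on each host (relative to the login directory)
readonly dst="apps/nginx/certs"

########################################################################

# print a diagnostic to stderr and abort (cleanup still runs via the trap)
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# where am I ?
# '&&' rather than ';' so a failed cd does not silently yield the caller's
# cwd as the path
SCRIPTPATH="$(cd "$(dirname -- "$0")" && pwd -P)" \
  || die "Cannot determine script directory"
CERTPATH="$(cd "${SCRIPTPATH}/../certificates/" && pwd -P)" \
  || die "Certificates directory not found next to ${SCRIPTPATH}"
readonly SCRIPTPATH CERTPATH

echo "Certs are here: $CERTPATH"
cd -- "$CERTPATH" || die "Cannot cd to ${CERTPATH}"

# create a temp directory for the one-time key; prefer the per-user
# runtime directory when one exists, otherwise let mktemp use its default
# (an empty TMPDIR is not exported, which is what the old unconditional
# export did when XDG_RUNTIME_DIR was unset)
if [[ -n "${XDG_RUNTIME_DIR:-}" ]]; then
  export TMPDIR="$XDG_RUNTIME_DIR"
fi
tmp=$(mktemp -d) || die "Failed to create tmp directory"
[[ -n "$tmp" && -d "$tmp" ]] || die "Failed to create tmp directory"
echo "Created tmp directory: $tmp"

# remove the temporary key material (unencrypted private key + cert)
cleanup() {
  if [[ -n "${tmp:-}" && -d "$tmp" ]]; then
    echo "Cleaning tmp directory"
    rm -rf -- "$tmp" > /dev/null 2>&1
  fi
}
trap cleanup EXIT

export VAULT_ADDR='https://vault.burble.dn42'

########################################################################
# generate one time key for deployment access

echo "Generating temporary rsync key"
sshkey="${tmp}/rsync_key"
ssh-keygen -t ed25519 -a 100 -N '' -f "$sshkey" \
  || die "Failed to generate temporary rsync key"

# ssh loads "<key>-cert.pub" automatically when it sits next to the key
if ! vault write \
    -field=signed_key \
    burble.dn42/ssh/user/sign/rsync \
    public_key="@${sshkey}.pub" \
    > "${sshkey}-cert.pub"; then
  die "Failed to sign temporary rsync key"
fi
echo "Key is signed"

# fixup perms
chmod 0600 "${tmp}"/*

########################################################################
# create a list of files to push

declare -a flist=()

echo "Files to copy:"
for cert in "${certs[@]}"; do
  crt="${cert}/${cert}.crt"
  key="${cert}/${cert}.key"
  # fail early rather than discovering a missing file per host in rsync
  [[ -f "$crt" && -f "$key" ]] || die "Missing certificate files for ${cert}"
  echo " - $crt"
  echo " - $key"
  flist+=( "$crt" "$key" )
done

# ssh command used by rsync: offer only the one-time key (never agent
# keys) and never prompt, since this runs non-interactively
ssh_cmd="ssh -i '${sshkey}' -o IdentitiesOnly=yes -o BatchMode=yes"

# and push to hosts; keep going after a failure so the remaining hosts
# still receive the certs, but report it in the exit status
failed=0
for host in "${hosts[@]}"; do
  echo "Syncing host: $host"
  if ! rsync -avogp --delete -e "$ssh_cmd" \
      --chown 81001:81001 --chmod=D2700,F600 \
      "${flist[@]}" \
      "root@${host}:${dst}/"; then
    printf 'Failed to sync host: %s\n' "$host" >&2
    failed=$((failed + 1))
  fi
done

(( failed == 0 )) || die "${failed} host(s) failed to sync"

########################################################################
# end of file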