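#!/usr/bin/env bash
# Idempotently install an SSH key pair from a Proton Pass item into ~/.ssh.
#
# Requires: pass-cli (authenticated session), jq, and the sibling lib.sh
# (provides need_cmd, log, warn).
# Behaviour: fetch the vault item once, extract the private and public key,
# and rewrite the local files only when they differ from the stored pair.
# The private key is never created world-readable: the umask is tightened
# before any file is written, so there is no window between creation and
# the explicit chmod.
set -euo pipefail
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
source "$ROOT/lib.sh"

need_cmd pass-cli
need_cmd jq

#──────────────────────────────────────────────────────────────
# STATE: SSH key configuration (edit these values)
#──────────────────────────────────────────────────────────────
VAULT_NAME="TA-Netzwerk"
HOST_TITLE="torben-mba"
SSH_DIR="${HOME}/.ssh"
KEY_BASENAME="id_ed25519_${HOST_TITLE}"

#──────────────────────────────────────────────────────────────
# LOGIC: Idempotent SSH key retrieval
#──────────────────────────────────────────────────────────────

KEY_PATH="${SSH_DIR}/${KEY_BASENAME}"
PUB_PATH="${KEY_PATH}.pub"

log "Checking SSH key setup"

# Check if Proton Pass CLI is authenticated
if ! pass-cli test >/dev/null 2>&1; then
  warn "Proton Pass CLI session not found"
  warn "Please run: pass-cli login"
  exit 1
fi

# Restrict the mode of everything created below (key files, temp state)
# to owner-only; the public key is opened up explicitly afterwards.
umask 077

# Create SSH directory if needed
mkdir -p "$SSH_DIR"
chmod 700 "$SSH_DIR"

# Fetch the item once. The assignment sits inside the condition so that a
# failed lookup reaches the diagnostic instead of tripping set -e; this
# replaces a separate existence probe that fetched the same secret twice.
# pass-cli's own stderr is left visible to aid diagnosis.
log "Retrieving SSH key from Proton Pass"
if ! item_json=$(pass-cli item view --vault-name "$VAULT_NAME" --item-title "$HOST_TITLE" --output json); then
  warn "Could not find item titled '$HOST_TITLE' in vault '$VAULT_NAME'"
  exit 1
fi

# Extract private key: drop CRs, then re-wrap the body at 70 columns between
# the OpenSSH armor lines. If the field is absent, empty, or does not carry
# the expected armor, capture() emits nothing and private_key is "" — that
# case is rejected below rather than written to disk.
private_key=$(printf '%s' "$item_json" | jq -r '
  .item.content.content.SshKey.private_key
  | select(. != null and . != "")
  | gsub("\\r"; "")
  | capture("(?<head>-----BEGIN OPENSSH PRIVATE KEY-----)(?<body>.*)(?<tail>-----END OPENSSH PRIVATE KEY-----)")
  | "\(.head)\n" +
    ( .body
      | gsub("\\s+";"")
      | [range(0; length; 70) as $i | .[$i:$i+70]]
      | join("\n")
    ) + "\n" +
    "\(.tail)\n"
')

# Extract public key
public_key=$(printf '%s' "$item_json" | jq -r '.item.content.content.SshKey.public_key // empty')

# Never replace an existing key pair with an empty or half-missing one.
if [[ -z "$private_key" || -z "$public_key" ]]; then
  warn "Item '$HOST_TITLE' in vault '$VAULT_NAME' does not contain a complete SSH key pair"
  exit 1
fi

# Check if keys already exist and match. Both sides come from command
# substitution, so trailing newlines are stripped consistently.
keys_match=false
if [[ -f "$KEY_PATH" && -f "$PUB_PATH" ]]; then
  existing_private=$(cat -- "$KEY_PATH")
  existing_public=$(cat -- "$PUB_PATH")

  if [[ "$existing_private" == "$private_key" && "$existing_public" == "$public_key" ]]; then
    keys_match=true
    log "SSH keys already up to date"
  fi
fi

# Write keys only if changed. printf is used instead of echo so key text is
# never interpreted as options or escapes.
if [[ "$keys_match" == "false" ]]; then
  log "Writing SSH private key to $KEY_PATH"
  printf '%s\n' "$private_key" > "$KEY_PATH"
  chmod 600 "$KEY_PATH"

  log "Writing SSH public key to $PUB_PATH"
  printf '%s\n' "$public_key" > "$PUB_PATH"
  chmod 644 "$PUB_PATH"

  log "SSH keys updated"
else
  log "SSH keys verified"
fi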