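#!/bin/sh
#
# Enrol this Mac's ephemeral admin password into Vault.
#
# Inputs:
#   EPHEMERALADMIN_PASSWORD_FILE  (env) file holding the generated password;
#                                 deleted after a successful upload
#   /Volumes/CONFIG/role_id       AppRole role_id (also used as the KV path key)
#   /Volumes/CONFIG/secret_id     AppRole secret_id; absent/unreadable => exit 1
# Output: stdout+stderr appended to /var/log/mosyle-password-script.log
#
# NOTE: `set -o pipefail` is a bash/ksh extension rather than POSIX sh. It is
# relied on so the subshell's exit status survives the pipe into tee; it works
# here because macOS /bin/sh is bash-compatible.
set -eux
set -o pipefail
(
  date

  # Wait for network connectivity before attempting any download.
  while ! ping -c1 github.com; do
    sleep 1
  done

  # Hydra jobset / output architecture for the vault binary download.
  if [ "$(uname -m)" = "arm64" ]; then
    jobset=nixpkgs-unstable-aarch64-darwin
    arch=aarch64-darwin
  else
    jobset=trunk
    arch=x86_64-darwin
  fi

  cd ~root

  while [ ! -d /Volumes/CONFIG ]; do
    echo "Waiting for /Volumes/CONFIG to exist ..."
    sleep 1
  done

  # If vault isn't already available (i.e. via Nixpkgs), and it doesn't exist at
  # that path, then get it from Hydra
  export VAULT
  if ! hash vault; then
    if ! test -f /usr/local/bin/vault; then
      # --fail: an HTTP error body must never be saved, made executable and
      # installed as the binary. NOTE(review): the fetch is TLS-only with no
      # checksum or signature verification of the downloaded binary — TODO
      # confirm whether pinning a known-good hash is wanted here.
      curl --fail -L -o vault "https://hydra.nixos.org/job/nixpkgs/$jobset/vault.$arch/latest/download/1/out/bin/vault"
      chmod +x ./vault
      mkdir -p /usr/local/bin/
      mv ./vault /usr/local/bin/vault
    fi
    VAULT=/usr/local/bin/vault
  else
    VAULT="$(command -v vault)"
  fi

  # Don't accidentally leak any vault secrets
  set +x

  # We unconditionally do this vault thing, _IF_ the secret_id file exists and is readable
  if test -r /Volumes/CONFIG/secret_id; then
    export VAULT_ADDR=https://vault-ipv6.detsys.dev:8200
    export ROLE_ID_FILE="/Volumes/CONFIG/role_id"
    export SECRET_ID_FILE="/Volumes/CONFIG/secret_id"
    export AUTH_PATH
    # Yes, this is ugly, but it's necessary; there's no other easy way to
    # distinguish between the foundation and detsys macs.
    if grep -q foundation "$ROLE_ID_FILE"; then
      AUTH_PATH=auth/internalservices/macos_foundation/approle/login
    else
      AUTH_PATH=auth/internalservices/macos/approle/login
    fi

    # Verify the password file was handed in before minting a token, so a
    # missing input does not leave an unused login behind.
    : "${EPHEMERALADMIN_PASSWORD_FILE:?EPHEMERALADMIN_PASSWORD_FILE is not set}"

    # Keep `export` separate from the assignment: `export X="$(cmd)"` returns
    # export's status (0) even when cmd fails, so a failed login would have
    # slipped past `set -e` with an empty token.
    export VAULT_TOKEN
    VAULT_TOKEN="$("$VAULT" write -field=token "$AUTH_PATH" role_id=@"$ROLE_ID_FILE" secret_id=@"$SECRET_ID_FILE")"
    unset AUTH_PATH
    unset SECRET_ID_FILE

    # The role_id doubles as the KV path component; read it once, quoted, so
    # whitespace or glob characters in the file cannot split the path.
    role_id="$(cat "$ROLE_ID_FILE")"
    kv_path="internalservices/macos/kv/$role_id/password"
    "$VAULT" kv patch "$kv_path" ephemeraladmin=@"$EPHEMERALADMIN_PASSWORD_FILE" \
      || "$VAULT" kv put "$kv_path" ephemeraladmin=@"$EPHEMERALADMIN_PASSWORD_FILE"
    rm -- "$EPHEMERALADMIN_PASSWORD_FILE"
    unset EPHEMERALADMIN_PASSWORD_FILE
    unset ROLE_ID_FILE
    unset role_id kv_path
  else
    echo "Device does not have a secret_id! Exiting."
    exit 1
  fi

  set -x
  # We'll get vault somewhere in the setup-vault.sh script
  # NOTE(review): when vault was found via `hash`, this removes that pre-existing
  # binary rather than one this script installed — confirm that is intended.
  rm -- "$VAULT"
) 2>&1 | tee -a /var/log/mosyle-password-script.log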