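#!/usr/bin/env bash
# Guided, interactive enrollment of infrastructure secrets into a `pass`
# store. Walks the operator through initializing the store, creating the
# password hierarchy, verifying decryption and (optionally) enabling git
# for the store. Every step prompts and waits for the operator; nothing is
# automated on their behalf.
#
# Required env:  OPERATOR_EMAIL      GPG identity the operator uses for `pass init`
# Optional env:  NODE_NAME           defaults to node-a
#                OUTPUT_DIR          defaults to <skill root>/outputs
#                PASSWORD_STORE_DIR  pass store location; defaults to
#                                    ~/.password-store, the same default pass(1) uses
set -euo pipefail

# === METADATA ===
SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"

# === CONFIGURATION ===
: "${OPERATOR_EMAIL:?OPERATOR_EMAIL required}"
: "${NODE_NAME:=node-a}"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
# Honour pass's own override so the detection checks below look at the
# directory `pass` actually reads; the default matches pass(1).
: "${PASSWORD_STORE_DIR:=$HOME/.password-store}"

# === FUNCTIONS ===
# Logging helpers: timestamped lines; warnings and errors go to stderr so they
# are not mixed into anything captured from stdout. printf is used so that a
# message beginning with "-n"/"-e" or containing backslashes is printed as-is.
log_info()  { printf '[INFO] %s %s\n' "$(date -Iseconds)" "$*"; }
log_warn()  { printf '[WARN] %s %s\n' "$(date -Iseconds)" "$*" >&2; }
log_error() { printf '[ERROR] %s %s\n' "$(date -Iseconds)" "$*" >&2; }

#######################################
# Make sure the output directory exists before anything is written there.
# Globals:   OUTPUT_DIR (read)
# Returns:   0, or mkdir's status on failure (fatal under set -e)
#######################################
preflight() {
  [[ -d "$OUTPUT_DIR" ]] || mkdir -p -- "$OUTPUT_DIR"
}

#######################################
# Step 1: guide the operator through `pass init`.
# Detects an existing store (directory plus .gpg-id) and offers to keep it;
# otherwise prints the init command and waits. Only checks for the store
# directory afterwards — it does not run `pass init` itself.
# Globals:   PASSWORD_STORE_DIR, OPERATOR_EMAIL (read)
# Inputs:    answers read from stdin (EOF on stdin aborts the script under set -e)
# Returns:   0
#######################################
guide_pass_init() {
  local store_dir="$PASSWORD_STORE_DIR"
  local existing_gpg reinit

  echo
  echo "============================================"
  echo " SECRETS ENROLLMENT - GUIDED SETUP"
  echo " This is an INTERACTIVE process"
  echo "============================================"
  echo

  # An initialized store has both the directory and a .gpg-id recipient file.
  if [[ -d "$store_dir" && -f "$store_dir/.gpg-id" ]]; then
    log_info "Pass store already initialized"
    # .gpg-id may list several recipients, one per line; show them all.
    existing_gpg=$(<"$store_dir/.gpg-id")
    echo " Current GPG ID: $existing_gpg"
    echo
    # -r: a backslash typed at the prompt must not be treated as an escape.
    read -r -p "Re-initialize with $OPERATOR_EMAIL? (y/N): " reinit
    if [[ "$reinit" != "y" && "$reinit" != "Y" ]]; then
      log_info "Keeping existing pass store"
      return 0
    fi
  fi

  echo "=== Step 1: Initialize Pass Store ==="
  echo
  echo "Run the following command to initialize pass with your GPG key:"
  echo
  echo " pass init \"$OPERATOR_EMAIL\""
  echo
  read -r -p "Press Enter when you have completed this step..."

  # Verify — presence of the directory is all that can be checked from here.
  if [[ ! -d "$store_dir" ]]; then
    log_warn "Pass store not detected at $store_dir"
    log_warn "Please verify initialization before continuing"
  else
    log_info "Pass store detected at $store_dir"
  fi
}

#######################################
# Step 2: print the expected password hierarchy and the `pass insert`
# commands for the critical entries, then wait for the operator.
# Returns:   0
#######################################
guide_structure_creation() {
  echo
  echo "=== Step 2: Create Password Structure ==="
  echo
  echo "Create the following password hierarchy for infrastructure secrets:"
  echo
  echo " infrastructure/"
  echo " +-- cloudflare/"
  echo " | +-- api-token"
  echo " | +-- tunnel-secret"
  echo " +-- ssh/"
  echo " | +-- passphrase"
  echo " +-- services/"
  echo " +-- (future services)"
  echo
  echo "Commands to run (replace with your actual secrets):"
  echo
  echo " pass insert infrastructure/cloudflare/api-token"
  echo " pass insert infrastructure/cloudflare/tunnel-secret"
  echo
  echo "Note: You'll be prompted to enter each secret value."
  echo
  read -r -p "Press Enter when you have stored the critical secrets..."
}

#######################################
# Step 3: ask the operator to confirm a stored secret decrypts, then list the
# store contents (names only; `pass ls` never prints secret values).
# Returns:   0 (a failing `pass ls` is only warned about)
#######################################
guide_verify() {
  echo
  echo "=== Step 3: Verify Encryption/Decryption ==="
  echo
  echo "Test that you can retrieve a secret:"
  echo
  echo " pass infrastructure/cloudflare/api-token"
  echo
  echo "This should display your API token (confirm it matches what you entered)."
  # Printing the value leaves it in terminal scrollback/session logs; offer
  # the clipboard form (pass clears the clipboard again after a short delay).
  echo "(To avoid printing it on screen, 'pass -c infrastructure/cloudflare/api-token' copies it to the clipboard instead.)"
  echo
  read -r -p "Press Enter when you have verified decryption works..."

  # Attempt to list pass contents — only if pass is installed at all.
  if command -v pass >/dev/null 2>&1; then
    echo
    echo "=== Current Pass Store Contents ==="
    pass ls 2>/dev/null || log_warn "Could not list pass store"
    echo
  fi
}

#######################################
# Step 4 (optional): point the operator at `pass git init` and wait.
# Returns:   0
#######################################
guide_git_init() {
  echo
  echo "=== Step 4: Initialize Git for Pass Store (Optional) ==="
  echo
  echo "For version control of your encrypted passwords:"
  echo
  echo " pass git init"
  echo
  echo "This enables automatic commits when passwords change."
  echo
  read -r -p "Press Enter to continue (skip if you prefer not to use git)..."
}

generate_manifest() {
  local manifest="$OUTPUT_DIR/secrets_manifest.json"
  cat > "$manifest" <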