From e8e92d21e62701f4250000a052ac039ab4338ef3 Mon Sep 17 00:00:00 2001 From: nodoka Date: Sun, 18 Jan 2026 07:52:01 +0000 Subject: [PATCH] Update bootstrap: 2026-01-18 07:52:01 --- install.sh | 19 ++++++ nbcrypt | 157 ++++++++++++++++++++++++++++++++++++++++++++------ nbmain.sh.enc | Bin 1088 -> 1104 bytes 3 files changed, 158 insertions(+), 18 deletions(-) diff --git a/install.sh b/install.sh index 010c279..636206d 100755 --- a/install.sh +++ b/install.sh @@ -33,6 +33,22 @@ TEMP_SCRIPT="/tmp/${TARGET}-$$.sh" if "$NBCRYPT" decrypt "$ENC_FILE" "$TEMP_SCRIPT" 2>/dev/null; then chmod +x "$TEMP_SCRIPT" + + # Load SSH Agent environment if it was created by nbcrypt/BWS setup + # Only load if we don't already have a valid Agent Forward + AGENT_ENV_FILE="/tmp/.nb_agent_env_${USER:-$(id -un)}" + if [ -f "$AGENT_ENV_FILE" ]; then + # Check if we already have a valid SSH_AUTH_SOCK (Agent Forward) + if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "${SSH_AUTH_SOCK}" ]; then + # No valid agent, safe to load from file + echo "๐Ÿ”‘ Loading SSH Agent environment..." + source "$AGENT_ENV_FILE" + else + # Agent Forward exists, preserve it and skip file loading + echo "๐Ÿ”‘ Using existing SSH Agent Forward (preserved)" + fi + fi + echo "โœ… Executing ${TARGET} setup..." exec bash "$TEMP_SCRIPT" else @@ -42,3 +58,6 @@ else exit 1 fi + + + diff --git a/nbcrypt b/nbcrypt index d00d1c2..f718c7a 100755 --- a/nbcrypt +++ b/nbcrypt @@ -34,6 +34,7 @@ Usage: $SCRIPT_NAME [arguments] Commands: encrypt Encrypt a file using SSH Agent key decrypt Decrypt a file using SSH Agent key + install-bws Install Bitwarden Secrets Manager CLI (bws) check Check if SSH Agent has required key help Show this help message @@ -44,6 +45,7 @@ Requirements: Examples: $SCRIPT_NAME encrypt secrets.txt secrets.enc $SCRIPT_NAME decrypt secrets.enc secrets.txt + $SCRIPT_NAME install-bws $SCRIPT_NAME check EOF 
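Review bot: The new block in install.sh `source`s `/tmp/.nb_agent_env_${USER:-$(id -un)}`, a predictable name in a shared world-writable directory, and executes whatever that file contains as shell in the installing user's context without checking who created it. Require the file to be owned by the current user before sourcing, `if [ -f "$AGENT_ENV_FILE" ] && [ -O "$AGENT_ENV_FILE" ]; then`, and have whatever writes it (presumably the BWS loader script, not visible here) create it under `umask 077` or, better, under `${XDG_RUNTIME_DIR:-$HOME}` instead of /tmp. The same `source "$env_file"` pattern is added in `load_bws_setup` in the nbcrypt hunk and needs the same guard. Separately, `[ ! -S "${SSH_AUTH_SOCK}" ]` only proves a socket path exists, so a stale forward keeps the file from being loaded; an `ssh-add -l` probe, as `check_ssh_agent` in nbcrypt already does, would decide on a live agent rather than on the path.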
@@ -65,27 +67,140 @@ check_dependencies() { } check_ssh_agent() { - # Check if SSH_AUTH_SOCK is set - if [ -z "${SSH_AUTH_SOCK:-}" ]; then - error "SSH Agent is not running or SSH_AUTH_SOCK is not set" - fi - - # Check if ssh-add can connect to agent - if ! ssh-add -l >/dev/null 2>&1; then - local rc=$? - if [ $rc -eq 2 ]; then - error "Cannot connect to SSH Agent" - elif [ $rc -eq 1 ]; then - error "SSH Agent has no identities loaded" + # Check if SSH_AUTH_SOCK is set and valid + if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "${SSH_AUTH_SOCK}" ]; then + # Check if ssh-add can connect to agent + if ssh-add -l >/dev/null 2>&1; then + # Check if Ed25519 key is loaded + if ssh-add -l 2>/dev/null | grep -q "ED25519"; then + info "SSH Agent check passed (Ed25519 key found)" + return 0 + fi fi fi - # Check if Ed25519 key is loaded - if ! ssh-add -l 2>/dev/null | grep -q "ED25519"; then - error "No Ed25519 key found in SSH Agent. Please add id_ed25519 with: ssh-add ~/.ssh/id_ed25519" + # No valid agent or no Ed25519 key - try BWS bootstrap + info "No Ed25519 key found in SSH Agent. Attempting BWS bootstrap..." + + # Get BWS access token + local bws_token="${BWS_ACCESS_TOKEN:-}" + if [ -z "$bws_token" ]; then + echo -n "Enter BWS_ACCESS_TOKEN: " >&2 + read -s bws_token + echo >&2 + if [ -z "$bws_token" ]; then + error "BWS_ACCESS_TOKEN is required when SSH Agent has no Ed25519 key" + fi fi - info "SSH Agent check passed (Ed25519 key found)" + # Try to load setup script from BWS + load_bws_setup "$bws_token" + + # Re-check agent after BWS setup + if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "${SSH_AUTH_SOCK}" ]; then + if ssh-add -l >/dev/null 2>&1 && ssh-add -l 2>/dev/null | grep -q "ED25519"; then + info "SSH Agent check passed (Ed25519 key found after BWS setup)" + return 0 + fi + fi + + error "No Ed25519 key found in SSH Agent. 
Please add id_ed25519 with: ssh-add ~/.ssh/id_ed25519" +} + +load_bws_setup() { + local token="$1" + local secret_name="nbloader" + + info "Loading setup script from BWS (secret: $secret_name)..." + + # Check if bws command exists, if not try to install it + if ! command -v bws >/dev/null 2>&1; then + warn "bws command not found. Attempting to install..." + install_bws || error "Failed to install bws CLI" + fi + + # Export token temporarily for bws command + export BWS_ACCESS_TOKEN="$token" + + # Get the secret from BWS + local loader_script + if command -v jq >/dev/null 2>&1; then + loader_script=$(bws secret get "$secret_name" 2>/dev/null | jq -r '.value // empty') + elif command -v python3 >/dev/null 2>&1; then + loader_script=$(bws secret get "$secret_name" 2>/dev/null | python3 -c "import sys, json; print(json.load(sys.stdin).get('value', ''))" 2>/dev/null) + else + # Fallback: try to extract value with grep/sed (fragile but works for simple JSON) + loader_script=$(bws secret get "$secret_name" 2>/dev/null | grep -o '"value": "[^"]*"' | sed 's/"value": "//;s/"$//' | head -1) + fi + + if [ -z "$loader_script" ]; then + error "Failed to retrieve '$secret_name' from BWS. Check your token and secret name." + fi + + # Execute the loader script + info "Executing BWS setup script..." 
+ eval "$loader_script" + + # Load agent environment if it was created + local env_file="/tmp/.nb_agent_env_${USER:-$(id -un)}" + if [ -f "$env_file" ]; then + source "$env_file" + info "SSH Agent environment loaded from $env_file" + fi +} + +install_bws() { + local arch + arch=$(uname -m) + local bws_version="1.0.0" + local bws_bin_dir="${HOME}/.local/bin" + local bws_path="${bws_bin_dir}/bws" + + mkdir -p "$bws_bin_dir" + export PATH="$bws_bin_dir:$PATH" + + # Determine architecture + case "$arch" in + x86_64) + arch="x86_64-unknown-linux-gnu" + ;; + aarch64|arm64) + arch="aarch64-unknown-linux-gnu" + ;; + *) + error "Unsupported architecture: $arch" + ;; + esac + + local zip_name="bws-${arch}-${bws_version}.zip" + local url="https://github.com/bitwarden/sdk-sm/releases/download/bws-v${bws_version}/${zip_name}" + + info "Downloading bws v${bws_version} for ${arch}..." + + # Install dependencies if needed + if ! command -v unzip >/dev/null 2>&1; then + if command -v apt-get >/dev/null 2>&1; then + sudo apt-get update -qq && sudo apt-get install -y unzip >/dev/null 2>&1 + elif command -v yum >/dev/null 2>&1; then + sudo yum install -y unzip >/dev/null 2>&1 + fi + fi + + # Download and extract + local temp_zip="/tmp/${zip_name}" + if command -v wget >/dev/null 2>&1; then + wget -q "$url" -O "$temp_zip" || return 1 + elif command -v curl >/dev/null 2>&1; then + curl -sL "$url" -o "$temp_zip" || return 1 + else + error "wget or curl is required to download bws" + fi + + unzip -o "$temp_zip" -d "$bws_bin_dir" >/dev/null 2>&1 || return 1 + chmod +x "$bws_path" + rm -f "$temp_zip" + + info "bws installed successfully at $bws_path" return 0 } 
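Review bot: `load_bws_setup` does `export BWS_ACCESS_TOKEN="$token"` and never unsets it, so the token stays in the environment of the `eval`'d loader script and of every process started afterwards, including the decrypted setup script that install.sh `exec`s; scope it to the single call instead, `loader_script=$(BWS_ACCESS_TOKEN="$token" bws secret get "$secret_name" 2>/dev/null | jq -r '.value // empty')`, with the same prefix on the python3 and grep branches, and drop the `export`. `eval "$loader_script"` runs whatever the `nbloader` secret holds as shell, which makes the BWS token (and write access to that secret) a code-execution credential; state that above the eval, e.g. `# The secret value is executed verbatim; whoever can write the nbloader secret controls this host.` In `install_bws` the archive lands in the predictable `/tmp/${zip_name}`, is fetched with `curl -sL` (no `-f`, so an HTTP error body is saved as the zip) and is unpacked into `~/.local/bin` with no checksum or signature comparison against the pinned `bws_version` release; use `temp_zip=$(mktemp)` and `curl -fsSL`, and verify a known digest for that version before `unzip`. The interactive `read -s bws_token` also needs `-r`, and the silent `sudo apt-get`/`sudo yum` inside `install_bws` should at least be announced with `info` before it can prompt for a password.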
@@ -201,11 +316,14 @@ main() { usage fi - check_dependencies - local command="$1" shift + # install-bws ใ‚ณใƒžใƒณใƒ‰ใฎๅ ดๅˆใฏ check_dependencies ใ‚’ใ‚นใ‚ญใƒƒใƒ— + if [ "$command" != "install-bws" ] && [ "$command" != "help" ] && [ "$command" != "--help" ] && [ "$command" != "-h" ]; then + check_dependencies + fi + case "$command" in encrypt) if [ $# -ne 2 ]; then @@ -223,6 +341,9 @@ main() { check_ssh_agent echo "โœ… All checks passed" ;; + install-bws) + install_bws + ;; help|--help|-h) usage ;; 
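Review bot: The comment above the new `check_dependencies` guard is not in English and appears mojibake-encoded on this page; replace it with `# install-bws and help need none of the encrypt/decrypt dependencies, so skip check_dependencies for them`. The four-way `[ "$command" != ... ]` chain reads better as `case "$command" in install-bws|help|--help|-h) ;; *) check_dependencies ;; esac`, which keeps the exemption list in the same form as the dispatch `case` below that already spells `help|--help|-h)`. `main` starts before this hunk and its dispatch `case` continues past it.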
diff --git a/nbmain.sh.enc b/nbmain.sh.enc index f698f774c4cd79684c7227e1a33a435db0c3f4d6..95995e599673cef900166d01837458273e0651de 100644 GIT binary patch literal 1104 zcmV-W1h4y3VQh3|WM5xxWqCrCP4z9y^>60|0a*pgK%Ftsgyl@@LGRfMW(Wb(d;Y+1 zz-XQ8K%~3Yy_7F(Wj zj{4K@^G*+fg~wfGzprv0V6X4vp#6~_i-6IYH#Lz(1Q-ZRM8MV5#U1LN@j5+sj>GnoiDSy>(Yb-`jstWomXH zJhXud^Y~nw>!G}Atl-FL#PBfQt@c>WNzUvF*>goHsy3ftSE*~E7ZWAo-D^~_iSEcN z{0|J;bVk8-tdXf6eO-tJ*6u)&>tfCH7|J_i*erj@1h^&P=Rwtgghm%kXVYLK89wQg zQW@yKSkgCP#}_E0P~dyzFErF8FtDTSq$Wvj#PS3X( zksD`&E;{Wy@s*>x>=qxX*aGYLi8olAU~69+qkaSkUpj7fnY+Er?-e@ae_K793eo|z;}WCXL> zva4K>KU}j-vyi_~;@-7=+Iq*Z&{nVLi37&jfGYurYRFls$odVEWMhhjO$tae%7V&l z%|ppekmwRs0%HA&yL%vug_PJwk%8!?c#=gFwh{pyu9jy#rtk+GGL4a?o|s6N3845Y zT(?tLFeRZI4eT?9N(xL^@SGFyjs3L3Yd%U(B`6<72U2ihLI!p~qw4T5_*&~roy_*L z_29>p!(>r>oNx;^O0e~KOc8{R(qJBsNg0! zWp-M-PpBvIu-v9uSQW^+&HFT#Gf79HQC$B8PB-@;fV}O?q;^CmMgrBC>4Zw&c6Lb( zQK!Dgio^qbFMs-htkA**kjQGayhLUPOGvNd`IPzy@f!@<1;bm`onho5##d!!feL=o za){g}maa7$;y2=4RQd|+8_kHJ<0gjCa5}6nWXut7`=M~E*aXaOEqmKUd_Cif#?=Oo zIIIaWg93S@ZuCf8kVQ`hAw0)DO!>QuSZV)E9SPaaBHX~iP^OJ7EL?>)zh%(ZaV|H$ z4=jVNtmdlx%>b^7qGxEDEE<&w1q-vbXDD_?oyBs^Hle(7YRz1jHsTGQ{kECJ8gSR_ Wdhe&o(q5tem;by!>{0v$*Jb^*b1YN< literal 1088 zcmV-G1i$-JVQh3|WM5y^l~KayvGzSCnPFd5^(}2?M=jeS!RAAzDTc1V4qe#Yb4l~X zLO4z|dKf5V_UNfytGZzmDQ^9*Cp+cNUe0>^y9p5!xKSyM^eW>k8Stdjgoo}UYG?#X z$MCW3I*@Uz==GEwl-Ch-`>?s`s_oPmcg04#sfBNX~3!RnOccVbzM2s$TV( zGQvJ^LS|LI;ek$Sr)rxW5pxM{9BjLj3S}N=rm{kG9a{J@*rb04(SV0ZEDX>s3bMYe zkFQjYoxP9QB0IuH^RvRItAW zUM++WS_Tr_cBiR&$5L&)NfYQT8On|H=-}!bkc?%rgQU`Q1PqOsMw`FCh|;}Ht4^RI z3T6?)=-AQM)2{DB`?~G5<+SBu=H#tl6&&=RGg;#TR~qZ@lnBpT!8pl?QedQ~1?+n+ z8Go_VR6P>>c-%C%+gitcjP2wJPO-4vVV^Z^y6Zpq>3*%ekOjMwKLk3=727lG<@a6`)mBNl|G*@SJl45x_vA&7}ogIxx0$e`G!+l&A>-C`RT zRxxF%ANQ8~XU0}6hq{0orU&ZQmK=k_S_63m-7c+u!a4`Ddj~6El+0_Sg4fqobYqby zJh|R(c02b*|6U6T$zF5PzB^kSp8GRHNV8vw+XiPNnFfoDNh;%HdSD|blt$TjjMa9U z62_zYIMcH^p#ikFy%5=L0F>v-vXuSmAP9?6Trm#~RmslmFsY^HWr`eipq)~+Sq>^x 
z_192a=FtI;jpcPNY*tzgG$xU5IMbjnmBzXFrv}r%faX|-R&Q9Fz-gvr1Q$WX0+F=^ zm(cg{p!HjNpkh=#|G`A4j?=-6YuW2D8MllTkV;Biq-IexD@P=cv&JYp@ZYJ#9fhQ> zB2)4P8`5U+K6p+jQE-e{v10>^K#AnMm+UTRK0>1#1|_3}Ct|qdrp_NL8V-dm(9ol7 z2+5OEp1m|Fhdseswmv7NlD7!#V>hartP%m=+r)G4i38K6HGFhFGwJ+7SF@g%U+8+K zhgCh^C}-YOP#kl+fSi-lelxeNX4e%%H&pVh9%5b#0hH7cloSzd^JtqCPhTPT@5^b* zw77krycOFRL!JkA@pX0APirH1ocrLSTVZy>im@G6;ZE7ZcK86j}v6zb=;m9uCA$ zi3iCk>A)@TUDNJ7hFn^Xcy>(^vyci(!P*qZXdLx@o(C-=~;)GA*X G?1KY&X%eXb