From c9332006e4547c4d31677e569e3e44fd7440d618 Mon Sep 17 00:00:00 2001
From: Menno van Leeuwen
Date: Thu, 22 Aug 2024 23:36:09 +0200
Subject: [PATCH] feat: adds secrets
Signed-off-by: Menno van Leeuwen
---
 bin/actions/git/pre-commit | 18 ++++++++++++++++
 bin/actions/secrets.sh | 41 ++++++++++++++++++++++++++++++++++++
 bin/actions/update.sh | 3 ++-
 bin/dotf | 28 ++++++++++++++++++++++++
 bin/resources/help.txt | 1 +
 config/ssh/config | 2 ++
 config/ssh/config.d/dev.gpg | 12 +++++++++++
 config/ssh/config.d/prod.gpg | 11 ++++++++++
 zshrc | 5 +++--
 9 files changed, 118 insertions(+), 3 deletions(-)
 create mode 100755 bin/actions/git/pre-commit
 create mode 100755 bin/actions/secrets.sh
 create mode 100644 config/ssh/config.d/dev.gpg
 create mode 100644 config/ssh/config.d/prod.gpg

diff --git a/bin/actions/git/pre-commit b/bin/actions/git/pre-commit
new file mode 100755
index 0000000..7f9ff1f
--- /dev/null
+++ b/bin/actions/git/pre-commit
@@ -0,0 +1,18 @@
+#!/usr/bin/env zsh
+
+source ~/dotfiles/bin/helpers/functions.sh
+
+# Check for unencrypted files in .ssh/config.d/
+unencrypted_files=$(find config/ssh/config.d/ -type f ! -name "*.gpg")
+
+if [ -n "$unencrypted_files" ]; then
+ printfe "%s\n" "red" "Unencrypted files found in .ssh/config.d/:"
+ for file in $(find config/ssh/config.d/ -type f ! -name "*.gpg"); do
+ printfe "%s\n" "yellow" " - $file"
+ done
+
+ echo ""
+ printfe "%s\n" "blue" "Use 'dotf secrets encrypt' to encrypt them."
+ exit 1
+fi
+
diff --git a/bin/actions/secrets.sh b/bin/actions/secrets.sh
new file mode 100755
index 0000000..65dcaf0
--- /dev/null
+++ b/bin/actions/secrets.sh
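Review bot: The loop on the `for file in $(find …)` line re-runs the find that already populated `unencrypted_files` and word-splits its output, so a path containing whitespace is reported as several entries; iterate the captured value instead, `printf '%s\n' "$unencrypted_files" | while IFS= read -r file; do printfe "%s\n" "yellow" " - $file"; done`. The check also inspects the working tree rather than the index: a plaintext file that is present but unstaged blocks the commit, while what is actually recorded is the staged content, so `git diff --cached --name-only -- config/ssh/config.d/` is the stricter source of truth if the intent is to reject what is being committed (the two can be combined). Since the hook only runs in clones where `.git/hooks` has been pointed at `bin/actions/git` and is skipped by `git commit --no-verify`, it is a safety net rather than a guarantee; a header comment stating that, `# Safety net only: depends on the dotf-installed hook and is bypassed by --no-verify`, would set expectations for the next reader.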
@@ -0,0 +1,41 @@
+#!/usr/bin/env zsh
+
+source ~/dotfiles/bin/helpers/functions.sh
+
+####################################################################################################
+# Decrypt secrets
+####################################################################################################
+printfe "%s\n" "cyan" "Fetching password from 1Password..."
+echo -en '\r'
+
+output=$(op item get "SSH Config Secrets" --fields password)
+command=$(echo "$output" | grep -oP "(?<=use ').*(?=')")
+password=$(eval $command | grep -oP "(?<= password: ).*" | tr -d '\n')
+
+# Check what we are supposed to do (Either decrypt or encrypt)
+if [[ "$2" == "decrypt" ]]; then
+ printfe "%s\n" "cyan" "Decrypting .ssh/config.d/ files..."
+ echo -en '\r'
+
+ for file in ~/.ssh/config.d/*.gpg; do
+ filename=$(basename $file .gpg)
+ gpg --quiet --batch --yes --decrypt --passphrase="$password" --output ~/.ssh/config.d/$filename $file
+ rm $file
+ done
+elif [[ "$2" == "encrypt" ]]; then
+ printfe "%s\n" "cyan" "Encrypting .ssh/config.d/ files..."
+ echo -en '\r'
+
+ for file in ~/.ssh/config.d/*; do
+ # Skip already encrypted files
+ if [[ $file == *.gpg ]]; then
+ continue
+ fi
+
+ gpg --quiet --batch --yes --symmetric --cipher-algo AES256 --armor --passphrase="$password" --output $file.gpg $file
+ rm $file
+ done
+else
+ printfe "%s\n" "red" "Invalid argument. Use 'decrypt' or 'encrypt'"
+ exit 1
+fi
\ No newline at end of file
diff --git a/bin/actions/update.sh b/bin/actions/update.sh
index 4cdd5d9..3fd168e 100755
--- a/bin/actions/update.sh
+++ b/bin/actions/update.sh
@@ -25,7 +25,8 @@ else
 check_or_make_symlink ~/.gitconfig ~/dotfiles/config/gitconfig.linux
 fi
-check_or_make_symlink ~/.ssh/config ~/dotfiles/ssh/config
+check_or_make_symlink ~/.ssh/config ~/dotfiles/config/ssh/config
+check_or_make_symlink ~/.ssh/config.d ~/dotfiles/config/ssh/config.d
 check_or_make_symlink ~/.wezterm.lua ~/dotfiles/config/wezterm.lua
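Review bot: Both gpg calls hand the secret over on the command line via `--passphrase="$password"`, which exposes it to every local user through the process list for the duration of the call; feed it on stdin instead with `--pinentry-mode loopback --passphrase-fd 0`. The unconditional `rm $file` after each gpg call is the second problem: gpg's exit status is never checked and the script does not set `-e`, so a failed encryption (or a wrong passphrase on decrypt) deletes the only copy of the file. Guarding the removal on gpg's status and quoting `$file` fixes both loops; the rewritten decrypt loop is below and the encrypt loop needs the same shape with its `--symmetric --cipher-algo AES256 --armor` options. Two smaller points: the 1Password lookup runs before `$2` is validated, so an invalid argument still triggers a credential fetch, and `eval $command` executes text scraped from op's hint message — if the installed op CLI supports it, `op item get "SSH Config Secrets" --fields password --reveal` returns the value without eval, and moving the argument check above the lookup avoids the needless prompt.
```shell
# … unchanged: 1Password lookup and the decrypt/encrypt dispatch …
    for file in ~/.ssh/config.d/*.gpg; do
        filename=$(basename "$file" .gpg)
        # Passphrase travels over stdin rather than argv, and the ciphertext is
        # only removed once gpg has reported success.
        if printf '%s' "$password" | gpg --quiet --batch --yes --pinentry-mode loopback \
                --passphrase-fd 0 --decrypt --output ~/.ssh/config.d/"$filename" "$file"; then
            rm -- "$file"
        else
            printfe "%s\n" "red" "Failed to decrypt $file; leaving it in place."
            exit 1
        fi
    done
# … unchanged: the encrypt loop, reshaped the same way …
```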
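Review bot: With `~/.ssh/config.d` now symlinked to `~/dotfiles/config/ssh/config.d`, the plaintext that `dotf secrets decrypt` produces sits inside the git work tree, and the only thing keeping it out of a commit is the pre-commit hook, which is installed per clone and bypassed by `--no-verify`. An ignore rule makes that protection independent of the hook: `config/ssh/config.d/*` followed by `!config/ssh/config.d/*.gpg` in `.gitignore` (the negation works because the first pattern ignores the directory's contents rather than the directory itself). A one-line comment on the new symlink line, `# config.d holds decrypted secrets; only *.gpg is meant to be committed`, would tell the next reader why this directory is special.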
diff --git a/bin/dotf b/bin/dotf
index 6fd7b78..f3ea761 100755
--- a/bin/dotf
+++ b/bin/dotf
@@ -18,6 +18,31 @@ exports() {
 ~/dotfiles/bin/actions/export.sh $@
 }
+secrets() {
+ ~/dotfiles/bin/actions/secrets.sh $@
+}
+
+ensure_git_hooks() {
+ # If .git/hooks is a symlink, skip this
+ if [[ -L .git/hooks ]]; then
+ # Let's make sure the symlink is correct
+ if [[ $(readlink .git/hooks) != ~/dotfiles/bin/actions/git ]]; then
+ printfe "%s\n" "yellow" "The .git/hooks symlink is incorrect. Please remove it and run this script again."
+ fi
+ return
+ fi
+
+ if [[ -d .git/hooks ]]; then
+ rm -rf ~/dotfiles/.git/hooks
+ printfe "%s\n" "yellow" "The ~/dotfiles/.git/hooks directory already exists. We're removing it!"
+ fi
+
+ ln -s ~/dotfiles/bin/actions/git ~/dotfiles/.git/hooks
+ printfe "%s\n" "green" "Git hooks are now set up!"
+}
+
+ensure_git_hooks
+
+
 # switch case for parameters
 case $1 in
 "update")
@@ -35,6 +60,9 @@ case $1 in
 "help"|"--help"|"")
 help $@
 ;;
+ "secrets")
+ secrets $@
+ ;;
 term)
 ~/dotfiles/bin/actions/term.sh $@
 ;;
diff --git a/bin/resources/help.txt b/bin/resources/help.txt
index 6681eda..ff6cfcd 100644
--- a/bin/resources/help.txt
+++ b/bin/resources/help.txt
@@ -5,5 +5,6 @@ Usage: dotf [options] [optional parameters]
 update: Pull latest changes, and update symlinks and configurations.
 export: Export dconf, gsettings, and other configurations.
 status: Show the status of the dotfiles repository.
+ secrets: Encrypt and decrypt secrets.
 help: Shows this help message
\ No newline at end of file
diff --git a/config/ssh/config b/config/ssh/config
index f419c60..df78326 100644
--- a/config/ssh/config
+++ b/config/ssh/config
@@ -1,2 +1,4 @@
 Host *
 IdentityAgent ~/.1password/agent.sock
+
+Include ~/.ssh/config.d/*
diff --git a/config/ssh/config.d/dev.gpg b/config/ssh/config.d/dev.gpg
new file mode 100644
index 0000000..47fbb61
--- /dev/null
+++ b/config/ssh/config.d/dev.gpg
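Review bot: ensure_git_hooks tests `.git/hooks` relative to the caller's working directory but deletes and recreates `~/dotfiles/.git/hooks` by absolute path, so the two halves look at different repositories whenever `dotf` is run from anywhere but `~/dotfiles` — and it runs on every invocation, including `dotf help`. From a directory that is not a repository both tests are false and `ln -s ~/dotfiles/bin/actions/git ~/dotfiles/.git/hooks` runs against the already-existing symlink, which (with GNU or BSD ln, as far as I can tell) creates a stray `git` link inside `bin/actions/git/`; from another repository with a plain hooks directory it removes and re-links the dotfiles hooks and prints the yellow warning on each run. Using one absolute path throughout — `local hooks_dir=~/dotfiles/.git/hooks` and then `-L $hooks_dir`, `readlink $hooks_dir`, `-d $hooks_dir` — makes the function independent of the cwd, and `ln -sfn` would make the final step idempotent. The `rm -rf` also discards whatever hooks were present before the message is shown; printing first, or moving the directory aside instead of deleting it, would be kinder to a user who had their own.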
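Review bot: `Include ~/.ssh/config.d/*` matches the committed `dev.gpg` and `prod.gpg` as well as their decrypted counterparts, so until `dotf secrets decrypt` has run ssh will try to parse PGP armor as configuration; as far as I recall OpenSSH treats an unknown keyword as a fatal configuration error, in which case every ssh invocation fails on a fresh checkout rather than merely lacking the extra hosts. Giving the decrypted files a distinct suffix and narrowing the glob to it, e.g. `Include ~/.ssh/config.d/*.conf` with secrets.sh writing `$filename.conf`, keeps the ciphertext out of the parser. A comment above the directive, `# Files here are produced by 'dotf secrets decrypt'`, would explain where the included files come from.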
@@ -0,0 +1,12 @@ +-----BEGIN PGP MESSAGE----- + +jA0ECQMKPHWMDJPd39n/0sCRAUvYT1hP36/ydmW0IGEUoc7coTDY7JZZ3h8qvAn8 +8H0ORO0CqjRHQgK6voLhtzEVSvCVh2i4RdSVV1d4u3WgsN6oUVAGfuN4z1hWpE/U +TmW4Dsvzz+8zgLA5mI6+X/EpQ7OhaO+LWaq2hlP2FdqL7UW+3HjxEPmYQMkIo6sw +hd8hnsDbo00xM/o+TKBzkEor5vWMvARRf/Gd9dDd+XiBre6fK50I2DPRKV62XajH +VTOsZW8fikbG7gbgkahKUTviZyEWRcMdO3gYUFaA35ASIUpsi/v89rEAf9x9AX0H +fJb7rCZoR7B9omoDvNH2l4C5Rl090E10o3GZKiuJ4eAEVNzt2ZSdRcoHuWTqBCU6 +K1HJD5zJuX+URppaidEaLNQADjLi4S+VPxVJaf/JgtGgtTiQUzbmCZfIUl26Qdmx +G8VWj8jo1Y0T2Rs51GR8spvrXA== +=JzdB +-----END PGP MESSAGE----- diff --git a/config/ssh/config.d/prod.gpg b/config/ssh/config.d/prod.gpg new file mode 100644 index 0000000..792ee79 --- /dev/null +++ b/config/ssh/config.d/prod.gpg @@ -0,0 +1,11 @@ +-----BEGIN PGP MESSAGE----- + +jA0ECQMKiBwUrZPDL2//0sB+AX3QZhyXLCCdphsfQOQSCmbT93icXcn2h3NtfyhE +NHht/i44lSNehCS8+2oEYhVYhWF9DXOmdHQjxUUGVgNehHdF0r1Fb11FHp0Ll7Y8 +NgHppsB+OidVs0Wlsui3fOT3zNdQpTmmCpNU0z9eKHmFrxatT9NFBXNgYtjd8xOE +d4UYrRqRbAcqmnQjf4+ulazGV/1vcH1IDOQJM6JzzIpWNJWY+Nc4jipf4ubqPCBS +/9bXbFV+QQ1DKtqs+RkLvMvNtxBI1fzTTmSGTXl2q7nt4C3ALxwPcFb1NAY96TNn +A63QPq7AJpHH+YLJCAw0LdUq8o3+2I0gLhIRlrAFaGP0cHAwriIqDa1scKTqCqmx +pM9ZYA52iWnoooYq3fa8HDTOdQXRq1orb30U10JeSAMIpRtXooJScwJPhIUtWNMv +=6LX+ +-----END PGP MESSAGE----- diff --git a/zshrc b/zshrc index de3c06e..dad98da 100755 --- a/zshrc +++ b/zshrc @@ -43,8 +43,9 @@ alias docker-compose='docker compose' alias gg='git pull' alias gl='git log --stat' alias l='lsd -Sl --reverse --human-readable --group-directories-first' -alias mv='/usr/local/bin/advmv -g' -alias cp='/usr/local/bin/advcp -g' +# TODO: Add advcp and advmv +# alias mv='/usr/local/bin/advmv -g' +# alias cp='/usr/local/bin/advcp -g' alias ddpul='docker compose down && docker compose pull && docker compose up -d && docker compose logs -f' alias cat='bat'