dotfiles

backup-secrets (1987B)

---

#!/usr/bin/env bash
set -euo pipefail

ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
OUT="${1:-$ROOT/private/keys-$(date +%Y%m%d).tar.gz.age}"
mkdir -p "$(dirname "$OUT")"

TMP="$(mktemp -d)"
echo "Using temporary directory: $TMP"
trap 'rm -rf "$TMP"' EXIT

mkdir -p "$TMP/gpg" "$TMP/ssh" "$TMP/age" "$TMP/skate" "$TMP/omz"

# --- GPG export ---
if command -v gpg >/dev/null 2>&1; then
  gpg --export --armor > "$TMP/gpg/public-keys.asc" || true
  gpg --export-secret-keys --armor > "$TMP/gpg/secret-keys.asc" || true
  gpg --export-ownertrust > "$TMP/gpg/ownertrust.txt" || true
fi

# --- SSH backup (selected files) ---
if [[ -d "$HOME/.ssh" ]]; then
  rsync -a \
    --include='config' \
    --include='known_hosts' \
    --include='id_*' \
    --exclude='*' \
    "$HOME/.ssh/" "$TMP/ssh/" || true
fi

# --- AGE identities (common locations) ---
for f in \
  "$HOME/.config/age/keys.txt" \
  "$HOME/.config/age/key.txt" \
  "$HOME/.config/age/age.key" \
  "$HOME/key.txt" \
  "$HOME/age.key"
do
  [[ -f "$f" ]] && cp -p "$f" "$TMP/age/"
done

# --- Skate export (JSONL; values base64) ---
if command -v skate >/dev/null 2>&1; then
  python3 - <<'PY' > "$TMP/skate/skate.jsonl"
import base64, json, subprocess
def sh(*cmd):
  return subprocess.check_output(list(cmd))
dbs = sh("skate","list-dbs").decode().splitlines()
for db in dbs:
  keys = sh("skate","list","-k",f"{db}").decode().splitlines()
  for k in keys:
    v = sh("skate","get",f"{k}{db}")
    print(json.dumps({"db": db, "key": k, "b64": base64.b64encode(v).decode()}))
PY
fi

# --- Oh-My-Zsh custom configs ---
if [[ -d "$HOME/.oh-my-zsh/custom" ]]; then
  echo "Backing up Oh-My-Zsh custom configs..."
  rsync -a "$HOME/.oh-my-zsh/custom/" "$TMP/omz/custom/" || true
fi

# --- Encrypt archive ---
echo "Creating encrypted archive: $OUT"
if [[ -n "${AGE_RECIPIENT:-}" ]]; then
  tar -C "$TMP" -czf - . | age -r "$AGE_RECIPIENT" -o "$OUT"
else
  tar -C "$TMP" -czf - . | age -p -o "$OUT"
fi

echo "Wrote: $OUT"