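#!/usr/bin/env bash
# gpg2cred-local.sh — turn a gpg-encrypted secret into a systemd-creds
# credential (FILE.cred) encrypted with this host's credential key.
#
# Usage: gpg2cred-local.sh FILE.gpg [NAME]
#   FILE.gpg  gpg-encrypted plaintext; the result is written next to it as
#             FILE.cred (the ".gpg" suffix replaced by ".cred").
#   NAME      optional credential name handed to `systemd-creds --name`.
#
# Run it from the directory holding credential.secret.gpg (the
# gpg-encrypted host credential key) and machine-id.clear (the cleartext
# machine-id): both are referenced by relative path below.
#
# The decrypted host key is bind-mounted over
# /var/lib/systemd/credential.secret, and machine-id.clear over
# /etc/machine-id, inside a private mount namespace (sudo unshare --mount),
# so the mounts are confined to that namespace.
set -eux
set -o pipefail
#dir=${0%/*}
gpg=$1
name=${2-}
base=${gpg%.gpg}

# The decrypted key lives in tmpfs, readable only by this user, and is
# shredded on any exit path. The root-side script chmods the bind-mounted
# file to 400 (which changes the underlying inode), so write permission is
# restored before shredding.
umask 177
SECRET=$(mktemp /dev/shm/credential.secret.XXXXXXX)
trap 'chmod 600 "$SECRET"; shred --remove=unlink "$SECRET"' EXIT
gpg --yes --output "$SECRET" --decrypt "credential.secret.gpg"

# The script run under sudo is a fixed single-quoted string; the
# caller-influenced values (temp file, NAME, owner, output path) are passed
# to it as positional parameters instead of being spliced into its text, so
# quotes or `$` in FILE.gpg / NAME are plain data to the inner shell rather
# than syntax.
gpg --decrypt "$gpg" |
sudo unshare --mount sh -xc '
secret=$1 cred_name=$2 owner=$3 out=$4
mount --bind "$secret" /var/lib/systemd/credential.secret &&
chmod 400 /var/lib/systemd/credential.secret &&
mount --bind machine-id.clear /etc/machine-id &&
systemd-creds encrypt --with-key=host ${cred_name:+--name "$cred_name"} - - |
install -m 400 -o "$owner" -g users /dev/stdin "$out"
' gpg2cred "$SECRET" "$name" "$USER" "$base.cred"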