private/hosts/encrypt.sh

   1 #!/usr/bin/env sh
   2 set -eux
   3 dir=${0%/*}
   4 key=$1
   5 host=${key#*/}
   6 host=${host%%/*}
   7 hostkey=${key#*/*/}
   8 mkdir -p "$dir/$host/credentials/${hostkey%/*}"
   9 ${pass:-pass} "$key" |
  10 sudo unshare --mount sh -xc "
  11   mount --bind $dir/$host/root /var/lib/systemd &&
  12   mount --bind $dir/$host/root/machine-id /etc/machine-id &&
  13   systemd-creds setup &&
  14   chown $USER:users /var/lib/systemd/crendentials.secret &&
  15   systemd-creds encrypt --with-key=host --name '${hostkey##*/}' - - |
  16   install -m 400 -o $USER -g users /dev/stdin '$dir/$host/credentials/$hostkey.secret'
  17 "