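#!/usr/bin/env bash
# USAGE: ./creds-decrypt.sh path/to/file.cred
#
# Find machine-id and credential.secret.gpg in an ancestor directory of
# path/to/file.cred, decrypt credential.secret.gpg with gpg into a temporary
# file on /dev/shm, then — in a private mount namespace, with that file
# bind-mounted over /var/lib/systemd/credential.secret and the found
# machine-id over /etc/machine-id — run `systemd-creds decrypt --with-key=host`
# and print the decrypted credential on stdout.
#
# Environment:
#   XTRACE  when set to a non-empty value, enable `set -x` in this script
#           and in the privileged sh it spawns (paths are traced, not secrets).
# Exit status:
#   2 if the argument is missing; 1 if no ancestor directory holds both
#   machine-id and credential.secret.gpg; otherwise the status of the
#   first failing step (gpg, sudo, mount, systemd-creds).
set -eu

if [ $# -ne 1 ]; then
  printf 'USAGE: %s path/to/file.cred\n' "${0##*/}" >&2
  exit 2
fi

cred=$(realpath -- "$1")
# Credential name as systemd-creds expects it: basename without the .cred suffix.
name=${cred##*/}
name=${name%.cred}

# Walk up from the credential's directory until a machine-id is found
# or the filesystem root is reached.
cd -- "$(dirname -- "$cred")"
while test "$PWD" != / && test ! -f machine-id; do
  cd ..
done
if ! test -f machine-id || ! test -f credential.secret.gpg; then
  printf '%s: no ancestor directory of %s holds both machine-id and credential.secret.gpg\n' \
    "${0##*/}" "$cred" >&2
  exit 1
fi

# The decrypted host key only ever lives in RAM (tmpfs), mode 600 via umask.
umask 177
SECRET=$(mktemp /dev/shm/credential.secret.XXXXXXX)
# The privileged step chmods the file to 400; restore write permission so
# shred can overwrite it before unlinking, on every exit path.
trap 'chmod 600 "$SECRET"; shred --remove=unlink -- "$SECRET"' EXIT
set -e${XTRACE:+x}
gpg --yes --output "$SECRET" --decrypt credential.secret.gpg

# Run the decryption in a private mount namespace so the bind mounts over
# /var/lib/systemd/credential.secret and /etc/machine-id are never visible
# outside this process. The paths are handed to sh as positional parameters
# instead of being interpolated into the script text, so a credential path
# containing quotes or spaces cannot change the commands run as root.
sudo unshare --mount sh -${XTRACE:+x}c '
  secret=$1 machine_id=$2 name=$3 cred=$4
  chmod 400 "$secret" &&
  mount --bind "$secret" /var/lib/systemd/credential.secret &&
  mount --bind "$machine_id" /etc/machine-id &&
  systemd-creds decrypt --with-key=host --name "$name" "$cred" -
' sh "$SECRET" "$PWD/machine-id" "$name" "$cred"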