systemd-creds: move to creds-{setup,encrypt,decrypt}.sh
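#!/usr/bin/env bash
# USAGE: ./creds-setup.sh
# Generate missing hosts/*/{machine-id,credential.secret.gpg}
#
# For each hosts/<name>.nix this creates, when absent:
#   - hosts/<name>/machine-id, filled by systemd-machine-id-setup run in a
#     private mount namespace where that file is bind-mounted over
#     /etc/machine-id;
#   - a per-host systemd-creds host key, generated into a private
#     /var/lib/systemd and stored with `pass insert hosts/<name>/credential.secret`.
# The existence check is on hosts/<name>/credential.secret.gpg, so this
# presumably runs with the password store rooted at this repository
# (PASSWORD_STORE_DIR) — verify before relying on the skip logic.
# Requires: sudo, unshare (util-linux), systemd, pass, shred, GNU mktemp.
# XTRACE=1 traces this script and the privileged inner shells.
set -eu${XTRACE:+x}
set -o pipefail

# Let `git diff` show decrypted content of tracked *.gpg files.
git config --local diff.gpg.binary true
git config --local diff.gpg.textconv "gpg2 -d -u --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent"

# One RAM-backed scratch directory (mktemp creates it 0700) for every host;
# a single trap wipes it on any exit path. Per-host subdirectories are used
# below so nothing is left behind for earlier hosts, which a per-iteration
# trap would miss.
scratch=$(mktemp --directory /dev/shm/systemd.XXXXXXX)
trap 'rm -rf -- "${scratch:?}"' EXIT

for host in hosts/*.nix
do
  host=${host%.nix}
  if test ! -e "$host"/machine-id
  then
    # $host is passed as $1 instead of being interpolated into the -c
    # string, so a host name containing shell metacharacters cannot alter
    # the privileged command. -e stops the inner shell at the first
    # failing step (a failed touch must not reach systemd-machine-id-setup).
    sudo unshare --mount sh -e${XTRACE:+x}c '
      touch "$1"/machine-id
      mount --bind "$1"/machine-id /etc/machine-id
      systemd-machine-id-setup
    ' sh "$host"
  fi
  if test ! -e "$host"/credential.secret.gpg
  then
    umask 077
    # Private /var/lib/systemd for this host, so systemd-creds writes the
    # new key here rather than into the real one.
    systemd=$scratch/${host##*/}
    mkdir -- "$systemd"
    # The key is root-owned inside the namespace, so the privileged shell
    # copies it to stdout and shreds the original. The copy is captured in
    # a file (0600, inside the 0700 tmpfs directory) before `pass insert`
    # runs: piping directly would make pass store an empty secret when
    # systemd-creds fails, and the .gpg file then existing would make this
    # branch skip the host on every later run.
    sudo unshare --mount sh -e${XTRACE:+x}c '
      mount --bind "$1" /var/lib/systemd
      systemd-creds setup --with-key=host
      cat "$1"/credential.secret
      shred --remove=unlink "$1"/credential.secret
    ' sh "$systemd" > "$systemd"/credential.secret.copy
    pass insert --multiline "$host"/credential.secret < "$systemd"/credential.secret.copy
    shred --remove=unlink -- "$systemd"/credential.secret.copy
  fi
done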