Git — Sourcephile - julm/julm-nix.git/blob - private/hosts/encrypt.sh
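#!/usr/bin/env sh
# Encrypt one secret from the password store into a systemd credential that
# is sealed with a host credential key kept next to this script.
#
# Usage: encrypt.sh PREFIX/HOST/PATH/TO/NAME
#   The plaintext is read from `${pass:-pass} KEY`; the ciphertext is written
#   to <script dir>/HOST/credentials/PATH/TO/NAME.secret with mode 0400.
#
# Environment:
#   pass  command that prints the secret (default: pass). It is word-split on
#         purpose so that it may carry its own arguments.
#   USER  owner given to the host key and to the encrypted output.
#
# Tracing (-x) is kept for debuggability. The plaintext only travels through
# pipes, never through argv or a variable, so it does not show up in the trace.
set -eux

# POSIX sh does not guarantee pipefail. Without it a failing `pass` goes
# unnoticed and an empty secret gets encrypted, so enable it when the running
# shell supports it.
if (set -o pipefail) 2>/dev/null; then
  set -o pipefail
fi

# Directory holding this script. Fall back to "." when $0 has no slash
# (e.g. `sh encrypt.sh KEY`), where ${0%/*} would return the file name itself.
case $0 in
  */*) dir=${0%/*} ;;
  *) dir=. ;;
esac

key=${1:?usage: ${0##*/} PREFIX/HOST/PATH/TO/NAME}

# The key selects paths that are bind-mounted and written as root, so require
# the PREFIX/HOST/NAME shape and refuse ".." components.
case /$key/ in
  */../*)
    printf '%s: refusing key with a ".." component: %s\n' "${0##*/}" "$key" >&2
    exit 2
    ;;
esac
case $key in
  */*/*) ;;
  *)
    printf '%s: key must look like PREFIX/HOST/NAME: %s\n' "${0##*/}" "$key" >&2
    exit 2
    ;;
esac

host=${key#*/}
host=${host%%/*}
hostkey=${key#*/*/}

# Only create a sub-directory when the credential path actually has one;
# ${hostkey%/*} returns the name unchanged when there is no slash.
case $hostkey in
  */*) outdir=$dir/$host/credentials/${hostkey%/*} ;;
  *) outdir=$dir/$host/credentials ;;
esac
mkdir -p -- "$outdir"

# The root shell receives every value as a positional parameter instead of
# having it spliced into the script text: a path or key containing a space or
# a quote must not be able to change what runs under sudo.
# shellcheck disable=SC2086 # $pass is split on purpose, see header
${pass:-pass} "$key" |
  sudo unshare --mount sh -xc '
    set -eu
    if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi
    root=$1 owner=$2 name=$3 out=$4
    # Private mount namespace: make the per-host state directory and
    # machine-id look like the real ones to systemd-creds.
    mount --bind "$root" /var/lib/systemd
    mount --bind "$root/machine-id" /etc/machine-id
    # Creates the host key if it does not exist yet. The file is named
    # credential.secret (singular); it lands in the bind-mounted directory,
    # so hand it to the invoking user.
    systemd-creds setup
    chown "$owner:users" /var/lib/systemd/credential.secret
    systemd-creds encrypt --with-key=host --name "$name" - - |
      install -m 400 -o "$owner" -g users /dev/stdin "$out"
  ' sh \
    "$dir/$host/root" \
    "$USER" \
    "${hostkey##*/}" \
    "$dir/$host/credentials/$hostkey.secret"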