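#!/usr/bin/env bash
# USAGE: ./creds-setup.sh
#
# Generate the missing per-host files hosts/*/{machine-id,credential.secret.gpg}:
#   - machine-id         comes from systemd-machine-id-setup, run with the repo
#                        file bind-mounted over /etc/machine-id
#   - credential.secret  comes from `systemd-creds setup --with-key=host`, run
#                        with a tmpfs directory bind-mounted over
#                        /var/lib/systemd; it is piped straight into
#                        `pass insert` and the plaintext copy is shredded
# Both steps need sudo; every mount happens inside `unshare --mount`, so the
# real /etc/machine-id and /var/lib/systemd of this host are not modified.
#
# Env: XTRACE=1 enables `set -x` for this script and for the privileged
#      sub-shells (the trace shows command lines; the secret itself only
#      travels through the pipe to pass).
set -eu${XTRACE:+x}
set -o pipefail

# Let `git diff` show decrypted content of *.gpg files (needs a diff=gpg
# attribute on the files).
git config --local diff.gpg.binary true
# NOTE(review): `-u`/--local-user takes a user-id argument, so as written it
# consumes `--quiet` as that argument; kept byte-for-byte — confirm intended.
git config --local diff.gpg.textconv "gpg2 -d -u --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent"

# Directory holding a freshly generated credential.secret. It is removed after
# each host and, on any abnormal exit, by the EXIT trap. (Re-arming the trap
# per host, as before, only ever removed the directory of the last host.)
tmpdir=
cleanup() {
  if [[ -n "${tmpdir}" ]]; then
    rm -rf -- "${tmpdir}"
  fi
}
trap cleanup EXIT

# Nothing this script creates (temp dir, store entries) may be group/world readable.
umask 077

for nixfile in hosts/*.nix; do
  # Without nullglob an unmatched pattern stays literal; skip instead of
  # running the privileged steps against a path named "hosts/*".
  [[ -e "$nixfile" ]] || continue
  host=${nixfile%.nix}

  if [[ ! -e "$host"/machine-id ]]; then
    # Create the (empty) file as the invoking user so the repository does not
    # end up with a root-owned file; root only writes through the bind mount.
    : > "$host"/machine-id
    # The path is passed as a positional parameter rather than interpolated
    # into the command string, so the inner shell never re-parses it.
    sudo unshare --mount sh -${XTRACE:+x}c '
      mount --bind "$1"/machine-id /etc/machine-id && systemd-machine-id-setup
    ' sh "$host"
  fi

  if [[ ! -e "$host"/credential.secret.gpg ]]; then
    # tmpfs, so the plaintext secret never reaches persistent storage.
    tmpdir=$(mktemp --directory /dev/shm/systemd.XXXXXXX)
    # systemd-creds writes /var/lib/systemd/credential.secret; with the tmpfs
    # directory bind-mounted there the host's real key is left alone. The
    # secret is emitted on stdout (into the pipe only) and then shredded.
    sudo unshare --mount sh -${XTRACE:+x}c '
      mount --bind "$1" /var/lib/systemd && systemd-creds setup --with-key=host
      cat "$1"/credential.secret
      shred --remove=unlink "$1"/credential.secret
    ' sh "$tmpdir" | pass insert --multiline "$host"/credential.secret
    # NOTE(review): the existence check above assumes the password store is
    # this repository, i.e. pass writes "$host"/credential.secret.gpg — confirm
    # PASSWORD_STORE_DIR matches.
    rm -rf -- "$tmpdir"
    tmpdir=
  fi
done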