losurdo: drop gnupg at runtime in favor of systemd-creds
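#!/usr/bin/env bash
# Re-encrypt a GnuPG-encrypted secret as a systemd-creds credential for the
# losurdo host, so the host itself no longer needs gnupg at runtime.
#
# Usage:  encrypt.sh path/to/NAME.gpg
#   Reads:  $dir/credential.secret.gpg  host credential key, GPG-encrypted
#           $dir/machine-id             machine-id of the target host
#   Writes: path/to/NAME.cred           mode 400, owned by the invoking user
#   Needs:  gpg, sudo, unshare, systemd-creds, install, shred, mktemp
#
# The decrypted host key is only ever bind-mounted inside a private mount
# namespace (over /var/lib/systemd/credential.secret, with the target's
# machine-id over /etc/machine-id), so systemd-creds derives the target
# host's key without this machine's own files being modified.  The secret
# plaintext travels gpg -> pipe -> systemd-creds stdin and never appears in
# argv; the `-x` trace shows only the tmpfs path.
set -eux
set -o pipefail

(( $# == 1 )) || { printf 'Usage: %s FILE.gpg\n' "${0##*/}" >&2; exit 2; }

# Directory holding this script (and credential.secret.gpg / machine-id).
# ${0%/*} is unchanged when $0 contains no slash, so fall back to '.'.
dir=${0%/*}
[[ "$dir" == "$0" ]] && dir=.
gpg=$1
base=${gpg%.gpg}

# Decrypted key goes to a tmpfs file readable only by this user (umask 177).
umask 177
SECRET=$(mktemp /dev/shm/credential.secret.XXXXXXX)
# chmod 600 first: the namespace below leaves the file at 400, and shred must
# be able to overwrite it before unlinking.
trap 'chmod 600 -- "$SECRET"; shred --remove=unlink -- "$SECRET"' EXIT
gpg --yes --output "$SECRET" --decrypt "$dir/credential.secret.gpg"

# Paths are handed to the inner sh as positional parameters rather than
# spliced into the command text, so a quote in $0 or $1 cannot alter the
# script that runs under sudo.  $USER is resolved here, before sudo, so the
# output is owned by the invoking user.
gpg --decrypt "$gpg" |
  sudo unshare --mount sh -xc '
    secret=$1 dir=$2 name=$3 owner=$4 out=$5
    mount --bind "$secret" /var/lib/systemd/credential.secret &&
    chmod 400 /var/lib/systemd/credential.secret &&
    mount --bind "$dir"/machine-id /etc/machine-id &&
    systemd-creds encrypt --with-key=host --name "$name" - - |
    install -m 400 -o "$owner" -g users /dev/stdin "$out"
  ' sh "$SECRET" "$dir" "${base##*/}" "${USER:-$(id -un)}" "$base.cred"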