scripts/init_fcos.sh.tftpl at master · krasovs.ky/homelab

krasovs.ky / homelab
Personal Homelab
homelab / scripts / init_fcos.sh.tftpl
at master 1.5 kB view raw
 1#!/bin/bash
 2set -e
 3
 4echo "Importing Podman and Restic secrets..."
 5# Bitwarden Secrets Manager CLI requires to save state in order to work correctly, but
 6# Fedora CoreOS has strict SELinux policies, so we need to make proper adjustments.
 7%{ for name, id in secrets ~}
 8%{ if !startswith(name, "restic_") ~}
 9podman run --rm -it -v /var/home/core:/home/app --user 1000:1000 --uidmap +1000:@1000:1 --security-opt=label=disable \
10  docker.io/bitwarden/bws secret get --color=no --access-token=${bws_access_token} ${id} | jq -r .value | tr -d '\n' | \
11  podman secret create --replace ${replace(name, "_", "-")} - # I prefer '-' divider for everything related to podman
12%{ else ~}
13podman run --rm -it -v /var/home/core:/home/app --user 1000:1000 --uidmap +1000:@1000:1 --security-opt=label=disable \
14  docker.io/bitwarden/bws secret get --color=no --access-token=${bws_access_token} ${id} | jq -r .value | tr -d '\n' | \
15  sudo dd status=none of=/etc/credstore/${replace(name, "_", "-")}
16sudo chmod 0600 /etc/credstore/${replace(name, "_", "-")}
17%{ endif ~}
18%{ endfor ~}
19
20echo "Starting Quadlets..."
21# Quadlets are "enabled" using their configurations, it's enough to just start them.
22%{ for path, content in config_files ~}
23%{ if strcontains(basename(path), ".container") && !strcontains(content, "\nPod=") ~}
24systemctl --user start ${replace(basename(path), ".container", "")}
25%{ endif ~}
26%{ if strcontains(basename(path), ".pod") ~}
27systemctl --user start ${replace(basename(path), ".pod", "")}-pod
28%{ endif ~}
29%{ endfor ~}