- rm -rf ${location}
- install -m0750 -o root -g keys -d ${location}
- ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
- sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
- find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ TMP=$(${pkgs.coreutils}/bin/mktemp -d)
+ if [ -n "$TMP" ]; then
+ install -m0750 -o root -g keys -d $TMP
+ ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
+ if [ -f /run/keys/vars.yml ]; then
+ find $TMP -name "*.gucci.tpl" -exec \
+ /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f /run/keys/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \;
+ sha512sum /run/keys/secrets.tar /run/keys/vars.yml > $TMP/currentSecrets
+ else
+ sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+ fi
+ find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location}
+ rm -rf $TMP
+ fi
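Review bot: The `-exec /bin/sh -c 'f="{}"; …'` on the second added `find` line splices each template's path into the shell command string, so a filename containing a quote, `$` or `;` is interpreted as shell code rather than data (ShellCheck SC2156); pass the path as a positional argument instead, `-exec /bin/sh -c '…' sh {} \;` with `f=$1` inside the body, keeping the Nix `''${` escape for the suffix strip. The same hunk leaves `$TMP` unquoted throughout, and when `mktemp -d` fails the `if [ -n "$TMP" ]` guard skips the whole refresh silently, so `TMP=$(${pkgs.coreutils}/bin/mktemp -d) || exit 1` would make a failed refresh visible. Rendered secrets are created by the `>` redirection before `chmod --reference` runs and so briefly carry umask permissions; a `umask 077` at the start of the `sh -c` body closes that window (the files sit inside the root:keys 0750 temp dir, so exposure is limited). No `@@` header or context lines are visible, so the enclosing script around this hunk is unknown.
```shell
find "$TMP" -name "*.gucci.tpl" -exec /bin/sh -c '
  umask 077; f=$1; out="''${f%.gucci.tpl}"
  ${pkgs.gucci}/bin/gucci -f /run/keys/vars.yml "$f" > "$out"
  touch --reference="$f" "$out"; chmod --reference="$f" "$out"; chown --reference="$f" "$out"
' sh {} \;
```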