67 lines
1.7 KiB
Bash
Executable File
67 lines
1.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
usage() {
|
|
cat <<'USAGE'
|
|
Usage:
|
|
hermes-emergency-bundle-decrypt.sh <bundle.tar.zst.gpg> [staging-dir]
|
|
|
|
Decrypts a Hermes emergency bundle into a staging directory.
|
|
|
|
Default staging-dir:
|
|
/root/hermes-emergency-restore-staging/<bundle-name-without-.gpg>
|
|
|
|
Passphrase:
|
|
Interactive GPG prompt by default.
|
|
Or set BUNDLE_PASSPHRASE_FILE=/root/path/to/passphrase-file for unattended use.
|
|
|
|
Safety:
|
|
- Does not write into /root/.hermes or /home/uma/.hermes.
|
|
- Does not overwrite live credentials.
|
|
- Review extracted files, then copy only the needed files manually.
|
|
USAGE
|
|
}
|
|
|
|
if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ] || [ "$#" -lt 1 ]; then
|
|
usage
|
|
exit 0
|
|
fi
|
|
|
|
BUNDLE="$1"
|
|
if [ ! -f "$BUNDLE" ]; then
|
|
echo "Bundle not found: $BUNDLE" >&2
|
|
exit 1
|
|
fi
|
|
|
|
base="$(basename "$BUNDLE" .gpg)"
|
|
STAGING_DIR="${2:-/root/hermes-emergency-restore-staging/$base}"
|
|
WORK_DIR="$(mktemp -d)"
|
|
ARCHIVE="$WORK_DIR/$base"
|
|
|
|
cleanup() {
|
|
rm -rf "$WORK_DIR"
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
install -d -m 700 "$STAGING_DIR"
|
|
|
|
gpg_args=(--decrypt --output "$ARCHIVE")
|
|
if [ -n "${BUNDLE_PASSPHRASE_FILE:-}" ]; then
|
|
gpg_args=(--batch --yes --pinentry-mode loopback --passphrase-file "$BUNDLE_PASSPHRASE_FILE" "${gpg_args[@]}")
|
|
fi
|
|
|
|
gpg "${gpg_args[@]}" "$BUNDLE"
|
|
tar -C "$STAGING_DIR" -I zstd -xf "$ARCHIVE"
|
|
chmod -R go-rwx "$STAGING_DIR"
|
|
|
|
echo "Bundle decrypted into staging directory: $STAGING_DIR"
|
|
echo
|
|
echo "Included paths:"
|
|
if [ -f "$STAGING_DIR/MANIFEST.paths" ]; then
|
|
sed -n '1,200p' "$STAGING_DIR/MANIFEST.paths"
|
|
else
|
|
find "$STAGING_DIR" -type f | sed "s#^$STAGING_DIR/##" | sort | sed -n '1,200p'
|
|
fi
|
|
echo
|
|
echo "Next step: inspect staging, then manually copy only the needed files into place."
|