Nothing to see
#!/usr/bin/env bash
# Encrypts ~/.secrets into ~/.secrets.gpg and back
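set -eo pipefail
# NOTE(review): a bare name makes bash search $PATH (and, outside posix
# mode, the current directory) for the file to source, so a writable
# directory early in PATH could supply a different _functions. Use an
# absolute path if that matters in your setup.
source _functions
# Plaintext directory, its passphrase-encrypted archive, and a marker that
# records which archive version the plaintext was last synced with (only
# 'status' reads it; it is a change detector, not an integrity check).
readonly SECRETS=$HOME/.secrets
readonly ARCHIVE=$HOME/.secrets.gpg
readonly STATE=$SECRETS/gpg-checksum
# Lets gpg's pinentry find the terminal. 'export' masks a failing 'tty'
# (no terminal), so this deliberately does not abort under set -e.
export GPG_TTY=$(tty)
cd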
# Ask the status bar to refresh its vpn/cloud/secrets indicators.
# _status_bar_trigger is not defined here; presumably it comes from the
# sourced _functions file.
trigger() { _status_bar_trigger vpn cloud secrets; }
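# Refuse to run unless ~/.gitignore ignores the plaintext directory, so a
# 'git add -A' in the home repo cannot commit decrypted secrets (assumes
# the home directory is a git checkout). -F -x match the literal line
# exactly; the original regex let the '.' match any character.
if ! { [[ -f .gitignore ]] && grep -qxF -- '/.secrets/' .gitignore; }; then
  echo "$0: /.secrets/ not in .gitignore" 1>&2
  exit 1
fi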
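case "${1:-}" in
  encrypt)
    # NOTE(review): exit 0 on a missing directory is kept from the original;
    # a caller checking the status will not notice nothing was encrypted.
    [[ -d "$SECRETS" ]] || {
      echo "$0: Missing secrets directory $SECRETS" 1>&2
      exit 0
    }
    cd "$(dirname "$SECRETS")"
    # Encrypt into a temp file beside the archive and rename it into place:
    # a failed or interrupted gpg run (passphrase mismatch, Ctrl-C) then
    # neither leaves a truncated archive nor destroys the previous one.
    # mktemp creates the file with mode 0600.
    tmp=$(mktemp "$ARCHIVE.XXXXXX")
    trap 'rm -f -- "$tmp"' EXIT
    # Symmetric (passphrase-only) encryption; pipefail makes a gpg failure
    # abort the script before the rename below.
    tar cfvz - "$(basename "$SECRETS")" | gpg -c --cipher-algo aes256 > "$tmp"
    mv -f -- "$tmp" "$ARCHIVE"
    trap - EXIT
    # Remember which archive the plaintext now corresponds to (see status).
    md5sum "$ARCHIVE" > "$STATE"
    trigger
    ;;
  decrypt)
    [[ -f "$ARCHIVE" ]] || {
      echo "$0: Missing archive $ARCHIVE" 1>&2
      exit 1
    }
    cd
    # Create the extracted files private from the start instead of relying
    # only on the chmod below, which leaves a window where they carry the
    # caller's umask permissions.
    umask 077
    # Overwrites whatever is already in $SECRETS; run 'status' first if
    # local edits may not have been encrypted yet. --cipher-algo is not
    # needed for decryption (the algorithm is read from the archive).
    gpg -d --pinentry-mode=loopback "$ARCHIVE" | tar xfz -
    md5sum "$ARCHIVE" > "$STATE"
    chmod -R go-rwx "$SECRETS"
    trigger
    ;;
  status|"")
    if [[ ! -d "$SECRETS" ]]; then
      echo "not decrypted"
      exit 0
    fi
    # Plaintext exists but was never encrypted (the original died here
    # because md5sum had no archive to read).
    if [[ ! -f "$ARCHIVE" ]]; then
      echo "uncommitted"
      exit 0
    fi
    # The archive changed since this copy last encrypted/decrypted it
    # (e.g. synced in from elsewhere). md5 is only a change marker.
    if [[ -f "$STATE" && "$(md5sum "$ARCHIVE")" != "$(cat "$STATE")" ]]; then
      echo "undecrypted"
      exit 0
    fi
    # Any plaintext file newer than the archive means an encrypt is due.
    # $STATE is excluded because encrypt writes it after the archive.
    # (Replaces find | xargs ls -t, which listed the current directory
    # when find returned nothing and broke on paths with spaces.)
    if [[ -n "$(find "$SECRETS" -type f ! -path "$STATE" -newer "$ARCHIVE")" ]]; then
      echo "uncommitted"
      exit 0
    fi
    echo "ok"
    exit 0
    ;;
  *)
    echo "Usage: secrets (encrypt|decrypt|status)" 1>&2
    exit 2
    ;;
esac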