
docker: added default cmd fetching key & launching rgpgfs

Fabian Peter Hammerle 5 年之前
父節點
當前提交
9975b91f03
共有 4 個文件被更改,包括 73 次插入6 次删除
  1. 13 2
      Dockerfile
  2. 15 4
      README.md
  3. 44 0
      docker/rgpgfs_unattended.sh
  4. 1 0
      src/main.c

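--- a/Dockerfile
+++ b/Dockerfile
@@ -11,12 +11,13 @@ RUN apk add --no-cache \
 RUN adduser -S build
 USER build
 
-COPY --chown=build:nogroup . /rgpgfs
+COPY --chown=build:nogroup Makefile /rgpgfs/
+COPY --chown=build:nogroup src /rgpgfs/src
 WORKDIR /rgpgfs
 RUN make
 
 
-FROM alpine:3.9
+FROM alpine:3.9 as runtime
 
 RUN apk add --no-cache \
     fuse3 \
@@ -33,3 +34,13 @@ USER encrypt
 COPY --from=build /rgpgfs/rgpgfs /usr/local/bin/
 
 COPY --chown=encrypt:nogroup docker/ash_history /home/encrypt/.ash_history
+
+
+FROM runtime as unattended
+
+ENV RECIPIENT= \
+    SOURCE_DIR=/plain \
+    CIPHER_DIR=/encrypted
+
+COPY docker/rgpgfs_unattended.sh /
+CMD ["/rgpgfs_unattended.sh"]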
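Review bot: `COPY docker/rgpgfs_unattended.sh /` followed by `CMD ["/rgpgfs_unattended.sh"]` depends on the script carrying the execute bit in the build context; if it is not committed as mode 100755 the container exits with a permission error before any of the script's checks run. Either add `RUN chmod 555 /rgpgfs_unattended.sh` after the COPY or invoke it through the interpreter, `CMD ["/bin/sh", "/rgpgfs_unattended.sh"]`. The file lands root-owned in a stage that runs as `USER encrypt` (per the hunk header), which is fine as long as it stays world-readable, so a comment such as `# root-owned on purpose: encrypt must not be able to modify its own entrypoint` would make that intent explicit.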

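--- a/README.md
+++ b/README.md
@@ -64,13 +64,24 @@ rgpgfs -o modules=subdir -o subdir=/source/dir /mount/point
 
 ### Docker 🐳
 
-Mount an enciphered view of named volume `plain-data` at `/mnt/gpgfs`.
+Mount an enciphered view of named volume `plain-data` at `/mnt/rgpgfs`:
 
 ```sh
-host$ mkdir /mnt/gpgfs && chmod a+rwx /mnt/gpgfs
+docker run --rm \
+    --device /dev/fuse --cap-add SYS_ADMIN \
+    -e RECIPIENT=1234567890ABCDEF1234567890ABCDEF12345678 \
+    -v plain-data:/plain:ro \
+    -v /mnt/rgpgfs:/encrypted:shared \
+    fphammerle/rgpgfs
+```
+
+Interactively:
+
+```sh
+host$ mkdir /mnt/rgpgfs && chmod a+rwx /mnt/rgpgfs
 host$ docker run --rm -it \
     -v plain-data:/plain:ro \
-    -v /mnt/gpgfs:/enc:shared \
+    -v /mnt/rgpgfs:/enc:shared \
     --device /dev/fuse --cap-add SYS_ADMIN \
     fphammerle/rgpgfs ash
 container$ ls /plain
@@ -84,7 +95,7 @@ container$ rgpgfs -o allow_other,modules=subdir,subdir=/plain,recipient=12345678
 container$ ls /enc
 example.txt.gpg
 # meanwhile in another shell:
-host$ ls /mnt/gpgfs
+host$ ls /mnt/rgpgfs
 example.txt.gpg
 ```
 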

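--- a/docker/rgpgfs_unattended.sh
+++ b/docker/rgpgfs_unattended.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+set -e
+
+if [ -z "$RECIPIENT" ]; then
+    echo missing \$RECIPIENT >&2
+    exit 1
+fi
+
+if [ ! -d "$SOURCE_DIR" ]; then
+    echo missing source dir "$SOURCE_DIR" >&2
+    echo add -v /somewhere:"$SOURCE_DIR":ro >&2
+    exit 1
+fi
+
+if [ ! -d "$CIPHER_DIR" ]; then
+    echo missing mount point "$CIPHER_DIR" >&2
+    echo add -v /somewhere:"$CIPHER_DIR":shared >&2
+    exit 1
+fi
+
+function key_available {
+    gpg --quiet --list-public-keys "$RECIPIENT" > /dev/null
+}
+recv_retries=0
+while [ $recv_retries -lt 3 ] && ! key_available; do
+    [ $recv_retries -ne 0 ] && sleep 1s
+    (set -x; gpg --receive-keys "$RECIPIENT") || true
+    recv_retries=$((recv_retries + 1))
+done
+if ! key_available; then
+    echo failed to fetch recipient\'s key >&2
+    exit 1
+fi
+
+set -x
+
+grep -q "^trust-model always$" ~/.gnupg/gpg.conf 2> /dev/null \
+    || echo trust-model always | tee ~/.gnupg/gpg.conf
+
+rgpgfs -f -o allow_other \
+    -o modules=subdir,subdir="$SOURCE_DIR" \
+    -o recipient="$RECIPIENT" \
+    "$CIPHER_DIR"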

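--- a/src/main.c
+++ b/src/main.c
@@ -233,6 +233,7 @@ int main(int argc, char *argv[]) {
   }
   printf("recipient fingerprint: %s\n", gpgme_recip_key->fpr);
   if (mkdtemp(cache_dir) == NULL) {
+    perror("Failed to create cache dir");
     return 1;
   }
   printf("cache: %s\n", cache_dir);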