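#!/bin/bash
#
# Install an SSH user-CA public key into the filesystem on a drive or image.
#
# Usage: <script> DRIVE PUBKEY
#   DRIVE   block device or filesystem image to mount
#   PUBKEY  CA *public* key that sshd in the image should trust
#
# Writes etc/ssh/sshd_config.d/userca.conf (TrustedUserCAKeys) and
# etc/ssh/user_ca_keys inside the mounted filesystem. Needs root, because it
# calls mount(8) and chown(1).
#
# Security notes:
#   * Anyone holding the matching CA private key can mint certificates that
#     sshd in this image will accept, so only a public key is ever copied.
#   * The mounted filesystem is treated as untrusted: paths inside it are
#     checked for symlinks before root writes through them.
set -eu -o pipefail

# State read by cleanup(); initialised before the trap is armed so the EXIT
# handler never trips over an unset variable under `set -u`.
mnt=""
mounted=0

# Print an error to stderr and abort.
die() {
  printf '%s\n' "ERROR: $*" 1>&2
  exit 1
}

# EXIT handler: undo only what this script did. Unmounting by mount point
# (and only after our own mount succeeded) avoids unmounting a filesystem
# that was already mounted before the script started.
cleanup() {
  if (( mounted )); then
    umount "$mnt" || true
  fi
  if [[ -n "$mnt" ]]; then
    rmdir "$mnt" || printf '%s\n' "WARNING: could not remove $mnt" 1>&2
  fi
}
trap cleanup EXIT

# Abort unless $1 is a directory that is not itself a symlink. An absolute
# symlink inside the image resolves against the host's root, so following it
# would modify the host instead of the image.
require_real_dir() {
  local dir=$1
  [[ -d "$dir" && ! -L "$dir" ]] || die "$dir is not a real directory"
}

# Abort if $1 exists as a symlink (a shell redirect would follow it).
require_not_symlink() {
  local path=$1
  [[ ! -L "$path" ]] || die "$path is a symlink; refusing to write through it"
}

[[ $# -eq 2 ]] || die "usage: ${0##*/} DRIVE PUBKEY"
drive="$1"
pubkey="$2"

[[ -e "$drive" ]] || die "$drive does not exist"
[[ -e "$pubkey" ]] || die "$pubkey does not exist"

# Catch the private/public mix-up before anything is mounted: the CA private
# key must never end up inside an image.
if [[ -f "$pubkey" ]] && grep -q -- 'PRIVATE KEY-----' "$pubkey"; then
  die "$pubkey looks like a private key; pass the CA public key instead"
fi

mnt="$(mktemp -d)"
# Nothing in the image needs to execute or act as a device on the host while
# it is being edited.
mount -o nosuid,nodev,noexec "$drive" "$mnt"
mounted=1

confdir="$mnt/etc/ssh/sshd_config.d"
include="$confdir/userca.conf"
cakeys="$mnt/etc/ssh/user_ca_keys"

require_real_dir "$mnt/etc"
require_real_dir "$mnt/etc/ssh"
require_real_dir "$confdir"
require_not_symlink "$include"
require_not_symlink "$cakeys"

# The path in the directive is relative to the image's own root, not $mnt.
printf '%s\n' "TrustedUserCAKeys /etc/ssh/user_ca_keys" >"$include"
chown root:root "$include"
chmod 0644 "$include"

install -m 0600 -o root -g root "$pubkey" "$cakeys"

# The drop-in is only read if the image's sshd_config pulls in
# sshd_config.d; warn (non-fatally) when no Include directive is visible.
if ! grep -Eiq '^[[:space:]]*Include[[:space:]]' \
    "$mnt/etc/ssh/sshd_config" 2>/dev/null; then
  printf '%s\n' \
    "WARNING: no Include directive found in etc/ssh/sshd_config; userca.conf may be ignored" 1>&2
fi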