automate/020_docker-credentials.sh


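# Migrate docker's stored registry logins out of the "auths" section of
# config.json and point docker at the system keystore instead
# (credsStore = secret-service).
#
# Usage: 020_docker-credentials.sh [DEST]
#   DEST - home directory to configure (default: /etc/skel, i.e. new users)
#
# NOTE: this script is intentionally disabled. It prints the explanation
# below and exits before touching anything, because adopting a keyring
# needs a policy decision on how password databases are structured and
# handled. Remove the 'exit 0' to enable it.
set -euo pipefail

cat <<EOF
Moving to a credentials store like gnome-keyring or keepassxc take some
understanding and policy on the structure and handling of password databases.
This will squash the existing auth section of the ~/.docker/config.json
(copied to config.json.bak) and force the use by docker of the system keystore.
EOF
exit 0

# ---- everything below is unreachable until the 'exit 0' above is removed ----

die() { printf '%s\n' "$*" >&2; exit 1; }

# When the tools needed for docker to use a keyring store are installed
# they bring in gnome-keyring as a dependency. So we put it here so that
# we can disable gnome-keyring in favour of a choice of our own.
# see 020_keepassxc.sh
# dockerpycreds will bring in gnome-keyring and golang-docker-credential-helpers
# which provides the executables needed for docker to use a keyring
# We need /usr/bin/docker-credential-pass
# /usr/bin/docker-credential-secretservice
sudo apt-get install -y golang-docker-credential-helpers
sudo apt-get install -y \
  python3-dockerpycreds \
  libsecret-tools

# prevent gnome-keyring from becoming active
# https://askubuntu.com/questions/545172/how-do-i-disable-gnome-keyring-ssh-integration
# https://devopstales.github.io/home/docker-credential-in-keepassxc/
# Rename the daemon executable
sudo dpkg-divert --local --rename /usr/bin/gnome-keyring-daemon
# which returns:
# Adding 'local diversion of /usr/bin/gnome-keyring-daemon to /usr/bin/gnome-keyring-daemon.distrib'
# re-enable with:
# sudo dpkg-divert --remove --rename /usr/bin/gnome-keyring-daemon

# Replace the auth section in ~/.docker/config.json with a credentials store.
DEST=${1:-/etc/skel}
CONFIG_PATH="${DEST}/.docker"
FILE="config.json"
# Full path of the file being edited; every step below uses this, so the
# jq rewrite operates on the same file that was created/backed up rather
# than on a config.json in the current working directory.
CONFIG="${CONFIG_PATH}/${FILE}"

command -v jq >/dev/null || die "jq is required but not installed"
# DEST defaults to /etc/skel, which is normally only writable by root.
[[ -d "$DEST" && -w "$DEST" ]] || die "destination is missing or not writable: $DEST"

mkdir -p -- "$CONFIG_PATH"

# Create the json file if it doesn't exist, otherwise keep a backup first.
if [[ ! -f "$CONFIG" ]]; then
  printf '%s\n' '{}' >"$CONFIG"
else
  cp -- "$CONFIG" "${CONFIG}.bak"
  # The "auths" entries being removed are only base64-encoded, not
  # encrypted, so the backup still contains usable registry logins:
  # keep it owner-only, and delete it once the keystore migration is done.
  chmod 600 "${CONFIG}.bak"
fi

# Rewrite the config through a temp file in the same directory (atomic
# rename, no dependency on moreutils' sponge): delete the auth section and
# add the credentials store in one jq pass. mktemp creates the file with
# mode 600, which the final config therefore inherits.
tmp=$(mktemp "${CONFIG}.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT
jq 'del(.auths) | . + {"credsStore": "secret-service"}' "$CONFIG" >"$tmp"
mv -- "$tmp" "$CONFIG"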