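#!/usr/bin/env bash
# USAGE: ./creds-decrypt.sh path/to/file.cred
#
# Walk up from the credential's directory until a `machine-id` file is found,
# decrypt the `credential.secret.gpg` in that same directory with gpg into a
# private file on /dev/shm, then run `systemd-creds decrypt` inside a private
# mount namespace where that secret and that machine-id are bind-mounted over
# the host's copies. The decrypted credential is written to stdout.
#
# Environment:
#   XTRACE  - if non-empty, enable `set -x` in this script and in the root shell
set -eu

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ $# -eq 1 ]] || die "usage: ${0##*/} path/to/file.cred"
cred=$(realpath -- "$1") || die "cannot resolve $1"
name=${cred##*/}
name=${name%.cred}

# Locate the directory holding machine-id: the credential's own directory or
# the nearest ancestor. The loop stops at / without testing it, so the explicit
# checks afterwards give a clear error instead of a confusing gpg failure.
cd "$(dirname -- "$cred")"
while [[ "$PWD" != / && ! -f machine-id ]]; do
  cd ..
done
[[ -f machine-id ]] || die "no machine-id found in any ancestor of $cred"
[[ -f credential.secret.gpg ]] || die "no credential.secret.gpg in $PWD"

# The decrypted host secret lives on tmpfs with owner-only permissions and is
# shredded on every exit path (normal, error, or signal).
umask 177
SECRET=$(mktemp /dev/shm/credential.secret.XXXXXXX) || die "mktemp failed"
readonly SECRET
cleanup() {
  # chmod first: the root shell below makes the file read-only (0400).
  chmod 600 -- "$SECRET"
  shred --remove=unlink -- "$SECRET"
}
trap cleanup EXIT
set -e${XTRACE:+x}

gpg --yes --output "$SECRET" --decrypt credential.secret.gpg

# Run systemd-creds in a private mount namespace so the bind mounts never
# change the host's /etc/machine-id or /var/lib/systemd/credential.secret.
# The paths are handed to the root shell as positional parameters rather than
# interpolated into its script text, so a credential name or path containing
# quotes or other shell metacharacters cannot alter what runs as root.
sudo unshare --mount sh -${XTRACE:+x}c '
  secret=$1 name=$2 cred=$3 machine_id=$4
  chmod 400 -- "$secret" &&
  mount --bind "$secret" /var/lib/systemd/credential.secret &&
  mount --bind "$machine_id" /etc/machine-id &&
  systemd-creds decrypt --with-key=host --name "$name" "$cred" -
' sh "$SECRET" "$name" "$cred" "$PWD/machine-id"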