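#!/usr/bin/env bash
# USAGE: ./creds-encrypt.sh path/to/file.gpg
# Find the machine-id and credential.secret.gpg files
# in an ancestor directory, to reencrypt path/to/file.gpg
# into path/to/file.cred
#
# The GPG-protected host secret is decrypted into a tmpfs-backed temp file
# and, together with the found machine-id, bind-mounted over the system
# paths inside a private mount namespace (unshare --mount), so the running
# host's own /etc/machine-id and /var/lib/systemd/credential.secret are
# never modified. The decrypted secret is shredded on every exit path.
# Set XTRACE to any non-empty value to trace both the outer and the
# privileged inner shell.
set -eu
set -o pipefail

# Print usage to stderr and exit 2 (bad invocation).
usage() {
  printf 'Usage: %s path/to/file.gpg\n' "${0##*/}" >&2
  exit 2
}

# Print an error to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[ "$#" -eq 1 ] || usage

gpg=$(realpath -- "$1")
base=${gpg%.gpg}
cd "$(dirname -- "$gpg")"

# Walk up from the input file's directory until the directory that holds
# machine-id is reached; credential.secret.gpg is expected alongside it.
while [ "$PWD" != / ]; do
  [ ! -f machine-id ] || break
  cd ..
done
[ -f machine-id ] || die "no machine-id found in any ancestor directory of $gpg"
[ -f credential.secret.gpg ] || die "no credential.secret.gpg next to $PWD/machine-id"

# 0600 on everything created from here on (the temp file in particular).
umask 177
SECRET=$(mktemp /dev/shm/credential.secret.XXXXXXX)
# Re-grant write permission first: the inner shell chmods the file to 400
# and shred needs to be able to overwrite it.
trap 'chmod 600 "$SECRET"; shred --remove=unlink "$SECRET"' EXIT
set -e${XTRACE:+x}
gpg --yes --output "$SECRET" --decrypt credential.secret.gpg

# The secret path, credential name, owner and output path are passed to the
# root shell as positional parameters instead of being spliced into the
# command string, so a file name containing quotes or other shell syntax
# cannot change what runs under sudo.
gpg --decrypt "$gpg" | sudo unshare --mount sh -${XTRACE:+x}c '
secret=$1 name=$2 owner=$3 out=$4
chmod 400 "$secret"
mount --bind "$secret" /var/lib/systemd/credential.secret &&
mount --bind machine-id /etc/machine-id &&
systemd-creds encrypt --with-key=host --name "$name" - - |
install -m 400 -o "$owner" -g users /dev/stdin "$out"
' sh "$SECRET" "${base##*/}" "$USER" "$base.cred"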