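#!/usr/bin/env bash
# Decrypt a systemd credential file (NAME.cred) using the host key and
# machine-id stored next to this script instead of the running system's own.
#
# The GPG-encrypted key (credential.secret.gpg) is decrypted to a temporary
# file, then it and the adjacent machine-id are bind-mounted over
# /var/lib/systemd/credential.secret and /etc/machine-id inside a new mount
# namespace, where `systemd-creds decrypt --with-key=host` is run.
#
# Usage:  <this script> path/to/NAME.cred
# Output: the decrypted credential on stdout.
# Needs:  gpg, sudo, unshare, systemd-creds, shred.
set -eu

# Directory holding this script. If $0 carries no slash (e.g. started as
# `bash script.sh`), ${0%/*} would return the script name, so use "." then.
case $0 in
  */*) dir=${0%/*} ;;
  *) dir=. ;;
esac

cred=${1:?usage: ${0##*/} path/to/NAME.cred}
# A path starting with '-' would be read as an option by systemd-creds.
case $cred in
  -*) cred=./$cred ;;
esac

# Credential name = file name without directory and without the .cred suffix.
name=${cred##*/}
name=${name%.cred}

# Files created from here on are owner read/write only.
umask 177
# Keep the plaintext host key under /dev/shm (normally RAM-backed tmpfs).
SECRET=$(mktemp /dev/shm/credential.secret.XXXXXXX)
# Always wipe the plaintext key on exit; it is read-only by then, so make it
# writable again for shred first.
trap 'chmod 600 "$SECRET"; shred --remove=unlink "$SECRET"' EXIT
gpg --yes --output "$SECRET" --decrypt "$dir/credential.secret.gpg"
chmod 400 "$SECRET"

# Hand the values to the root shell as positional parameters rather than
# splicing them into the command text: the text is parsed by a shell running
# as root, so a quote character in a path must never be able to change it.
# $1=key file  $2=script dir  $3=credential name  $4=credential file
sudo unshare --mount sh -xc '
  mount --bind "$1" /var/lib/systemd/credential.secret &&
  mount --bind "$2/machine-id" /etc/machine-id &&
  systemd-creds decrypt --with-key=host --name="$3" "$4" -
' sh "$SECRET" "$dir" "$name" "$cred"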