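#!/usr/bin/env bash
# Re-encrypt a GPG-encrypted secret as a systemd credential.
#
# Usage: [NAME=credential-name] <this-script> FILE.gpg
#
# FILE.gpg is decrypted locally and the plaintext is streamed over SSH to
# root@losurdo.wg, where `systemd-creds encrypt` seals it. The encrypted
# result is stored next to the input as FILE.cred. NAME defaults to the
# input's base name without the .gpg suffix.
#
# -x traces every command; the plaintext only flows through pipes and is
# never placed in argv, so it does not show up in the trace.
set -eux
set -o pipefail

if (( $# < 1 )); then
  printf 'Usage: [NAME=credential-name] %s FILE.gpg\n' "${0##*/}" >&2
  exit 2
fi

#dir=${0%/*}
gpg=$(realpath -e "$1")
base=${gpg%.gpg}
name=${NAME:-${base##*/}}

# ssh joins its arguments with spaces and the remote shell parses the result
# a second time. Single-quote the name for that second parse so whitespace or
# shell metacharacters in NAME (or in the file name) are passed to
# systemd-creds literally instead of being interpreted by the remote root shell.
sq="'"
remote_name="'${name//$sq/$sq\\$sq$sq}'"

# Files created from here on (the final .cred included) are owner read/write only.
umask 177

SECRET=$(mktemp /dev/shm/secret.XXXXXXX)
# Always overwrite and unlink the staging file, whatever the exit path.
trap 'chmod 600 "$SECRET"; shred --remove=unlink "$SECRET"' EXIT

# StrictHostKeyChecking=yes: never send the plaintext to a host whose key is
# not already known. The encrypted output is staged in the temp file first.
gpg --batch --decrypt "$gpg" \
  | ssh -o StrictHostKeyChecking=yes \
      -o ControlMaster=auto \
      -o ControlPersist=16s \
      root@losurdo.wg -- \
      systemd-creds encrypt --name "$remote_name" --with-key=auto - - \
  | install -D -m 640 /dev/stdin "$SECRET"

# Reached only if every pipeline stage succeeded (set -e + pipefail), so a
# failed or partial encryption never replaces an existing .cred file.
cp "$SECRET" "$base".cred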