#!/usr/bin/env bash
set -eux
set -o pipefail
-dir=${0%/*}
-gpg=$1
+#dir=${0%/*}
+gpg=$(realpath -e "$1")
base=${gpg%.gpg}
+name=${NAME:-${base##*/}}
umask 177
-SECRET=$(mktemp /dev/shm/credential.secret.XXXXXXX)
+SECRET=$(mktemp /dev/shm/secret.XXXXXXX)
trap 'chmod 600 $SECRET; shred --remove=unlink $SECRET' EXIT
-gpg --yes --output "$SECRET" --decrypt "$dir/credential.secret.gpg"
-
-gpg --decrypt "$gpg" |
-sudo unshare --mount sh -xc "
- mount --bind '$SECRET' /var/lib/systemd/credential.secret &&
- chmod 400 /var/lib/systemd/credential.secret &&
- mount --bind '$dir'/machine-id /etc/machine-id &&
- systemd-creds encrypt --with-key=host --name '${base##*/}' - - |
- install -m 400 -o '$USER' -g users /dev/stdin '$base.cred'
-"
+gpg --batch --decrypt "$gpg" |
+ssh -o StrictHostKeyChecking=yes -o ControlMaster=auto -o ControlPersist=16s root@losurdo.sp -- systemd-creds encrypt --name "$name" --with-key=auto - - |
+install -D -m 640 /dev/stdin "$SECRET"
+cp "$SECRET" "$base".cred