From 5dd03a947f9083d40a25813a6db6acb2a27c1ecb Mon Sep 17 00:00:00 2001
From: yukkop
Date: Fri, 12 Sep 2025 14:20:04 +0000
Subject: [PATCH] feat: appropriate sops dream wrapper
---
 package/default.nix | 1 +
 package/sops.nix | 45 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 package/sops.nix
diff --git a/package/default.nix b/package/default.nix
index fa9f58e..1417b59 100644
--- a/package/default.nix
+++ b/package/default.nix
@@ -275,4 +275,5 @@ in {
 nix-derivation-hash = pkgs.callPackage ./nix-derivation-hash {};
 server-health = pkgs.callPackage ./server-health {};
 shellplot = pkgs.callPackage ./shellplot {};
+ sops = pkgs.callPackage ./sops.nix {};
 }
diff --git a/package/sops.nix b/package/sops.nix
new file mode 100644
index 0000000..7ecee5d
--- /dev/null
+++ b/package/sops.nix
@@ -0,0 +1,45 @@
+{
+ sops,
+ pkgs,
+ lib,
+ ...
+}: let
+ scriptOverride = pkgs.writeShellScriptBin "sops" ''
+ set -uo pipefail
+
+ if [ -n "''${SOPS_AGE_KEY_COMMAND:-}" ]; then
+ dir="$(mktemp -d)"
+ chmod 700 "''${dir}"
+ export SOPS_AGE_KEY_FILE="$(mktemp --tmpdir="$dir")"
+ chmod 600 "''${SOPS_AGE_KEY_FILE}"
+ trap 'rm -f "''${SOPS_AGE_KEY_FILE}"' INT TERM EXIT
+ sh -c "''${SOPS_AGE_KEY_COMMAND}" > "''${SOPS_AGE_KEY_FILE}"
+ else
+ printf >&2 'sops (wrapper): ERROR: environment variable `SOPS_AGE_KEY_COMMAND` is empty or undefined\n'
+ printf >&2 'sops (wrapper): INFO: `SOPS_AGE_KEY_COMMAND` must contain a command that prints `age` private key\n'
+ printf >&2 'sops (wrapper): INFO: example: `pass show sops/myproject/key` (see https://www.passwordstore.org/)\n'
+ exit 1
+ fi
+ ${sops}/bin/sops "''${@}"
+ '';
+in pkgs.symlinkJoin {
+ name = "sops-wrapper";
+ paths = [ scriptOverride sops ];
+ buildInputs = [ pkgs.makeWrapper ];
+ postBuild = ''
+ set -x
+ for bin in $out/bin/*; do
+ wrapProgram "$bin" \
+ --prefix PATH : ${lib.makeBinPath (with pkgs; [
+ coreutils
+ ])} \
+ --suffix PATH : ${lib.makeBinPath (with pkgs; [
+ age # expected to be used by ${SOPS_AGE_KEY_COMMAND}
+ ])}
+ done
+ '';
+
+ meta = sops.meta // {
+ description = "${sops.meta.description} -- wrapper. Provides custom source for `age` master key.";
+ };
+}
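Review bot: The `sh -c "''${SOPS_AGE_KEY_COMMAND}" > "''${SOPS_AGE_KEY_FILE}"` line in the wrapper script never checks whether the key command succeeded; the script sets `-uo pipefail` but not `-e`, so a failing command (missing entry, wrong passphrase, typo in the variable) leaves an empty key file and sops is then run against it, surfacing a misleading decryption error instead of the real cause. The `trap` on the preceding line also removes only the key file, so the directory from `mktemp -d` is left behind under `TMPDIR` on every invocation; trapping `rm -rf "''${dir}"` cleans up both. Since the private key is materialised on disk for the duration of the run, a one-line comment saying so would help operators who need `TMPDIR` on tmpfs. Separately, and only inferred from the `else` branch, the wrapper refuses every invocation (including `sops --version` or non-age key backends) when `SOPS_AGE_KEY_COMMAND` is unset, which is worth stating in `meta.description` if that is the intended contract. The rewritten lines are below.
```nix
      chmod 600 "''${SOPS_AGE_KEY_FILE}"
      # NOTE: the age private key lives in a file under TMPDIR until this wrapper exits
      trap 'rm -rf "''${dir}"' INT TERM EXIT
      if ! sh -c "''${SOPS_AGE_KEY_COMMAND}" > "''${SOPS_AGE_KEY_FILE}"; then
        printf >&2 'sops (wrapper): ERROR: `SOPS_AGE_KEY_COMMAND` failed; no key was obtained\n'
        exit 1
      fi
      # … unchanged: else branch, fi, sops invocation …
```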