feat: appropriate sops dream wrapper
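--- /dev/null
+++ b/package/sops.nix
@@ -0,0 +1,45 @@
+{
+sops,
+pkgs,
+lib,
+...
+}: let
+scriptOverride = pkgs.writeShellScriptBin "sops" ''
+set -uo pipefail
+
+if [ -n "''${SOPS_AGE_KEY_COMMAND:-}" ]; then
+dir="$(mktemp -d)"
+chmod 700 "''${dir}"
+export SOPS_AGE_KEY_FILE="$(mktemp --tmpdir="$dir")"
+chmod 600 "''${SOPS_AGE_KEY_FILE}"
+trap 'rm -f "''${SOPS_AGE_KEY_FILE}"' INT TERM EXIT
+sh -c "''${SOPS_AGE_KEY_COMMAND}" > "''${SOPS_AGE_KEY_FILE}"
+else
+printf >&2 'sops (wrapper): ERROR: environment variable `SOPS_AGE_KEY_COMMAND` is empty or undefined\n'
+printf >&2 'sops (wrapper): INFO: `SOPS_AGE_KEY_COMMAND` must contain a command that prints `age` private key\n'
+printf >&2 'sops (wrapper): INFO: example: `pass show sops/myproject/key` (see https://www.passwordstore.org/)\n'
+exit 1
+fi
+${sops}/bin/sops "''${@}"
+'';
+in pkgs.symlinkJoin {
+name = "sops-wrapper";
+paths = [ scriptOverride sops ];
+buildInputs = [ pkgs.makeWrapper ];
+postBuild = ''
+set -x
+for bin in $out/bin/*; do
+wrapProgram "$bin" \
+--prefix PATH : ${lib.makeBinPath (with pkgs; [
+coreutils
+])} \
+--suffix PATH : ${lib.makeBinPath (with pkgs; [
+age # expected to be used by ${SOPS_AGE_KEY_COMMAND}
+])}
+done
+'';
+
+meta = sops.meta // {
+description = "${sops.meta.description} -- wrapper. Provides custom source for `age` master key.";
+};
+}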
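Review bot: The exit status of the key command on `sh -c "''${SOPS_AGE_KEY_COMMAND}" > "''${SOPS_AGE_KEY_FILE}"` is never checked and `set -uo pipefail` omits `-e`, so a failed `pass show` (wrong passphrase, missing entry, gpg-agent not running) leaves an empty key file and sops is still invoked, surfacing a misleading "no key could decrypt" error instead of the real cause. The EXIT trap also removes only the key file, never the 0700 directory created by `mktemp -d`, so one empty directory accumulates under `$TMPDIR` per invocation. I would enable `-e`, place the key file inside that directory so the trap can `rm -rf` the whole thing, and abort with a clear message when the key command fails; the rewritten head of the `if` branch is below. Writing the private key to `$TMPDIR` at all is a deliberate trade-off that deserves a comment in the script (plaintext on disk until the trap runs, and not at all if the process is SIGKILLed); if the pinned sops release is recent enough to honour `SOPS_AGE_KEY_CMD` natively, the temp-file step could be dropped entirely.
```nix
set -euo pipefail

if [ -n "''${SOPS_AGE_KEY_COMMAND:-}" ]; then
  dir="$(mktemp -d)"
  chmod 700 "''${dir}"
  # remove the whole directory, not just the key file, on any exit path
  trap 'rm -rf "''${dir}"' INT TERM EXIT
  # key stays inside the 0700 dir; umask makes the file 0600 from creation
  export SOPS_AGE_KEY_FILE="''${dir}/age.key"
  if ! (umask 077; sh -c "''${SOPS_AGE_KEY_COMMAND}" > "''${SOPS_AGE_KEY_FILE}"); then
    printf >&2 'sops (wrapper): ERROR: `SOPS_AGE_KEY_COMMAND` exited non-zero; refusing to run sops\n'
    exit 1
  fi
# … unchanged: else branch, fi, sops invocation …
```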