46 lines
1.4 KiB
Nix
46 lines
1.4 KiB
Nix
{
|
|
sops,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: let
|
|
scriptOverride = pkgs.writeShellScriptBin "sops" ''
|
|
set -uo pipefail
|
|
|
|
if [ -n "''${SOPS_AGE_KEY_COMMAND:-}" ]; then
|
|
dir="$(mktemp -d)"
|
|
chmod 700 "''${dir}"
|
|
export SOPS_AGE_KEY_FILE="$(mktemp --tmpdir="$dir")"
|
|
chmod 600 "''${SOPS_AGE_KEY_FILE}"
|
|
trap 'rm -f "''${SOPS_AGE_KEY_FILE}"' INT TERM EXIT
|
|
sh -c "''${SOPS_AGE_KEY_COMMAND}" > "''${SOPS_AGE_KEY_FILE}"
|
|
else
|
|
printf >&2 'sops (wrapper): ERROR: environment variable `SOPS_AGE_KEY_COMMAND` is empty or undefined\n'
|
|
printf >&2 'sops (wrapper): INFO: `SOPS_AGE_KEY_COMMAND` must contain a command that prints `age` private key\n'
|
|
printf >&2 'sops (wrapper): INFO: example: `pass show sops/myproject/key` (see https://www.passwordstore.org/)\n'
|
|
exit 1
|
|
fi
|
|
${sops}/bin/sops "''${@}"
|
|
'';
|
|
in pkgs.symlinkJoin {
|
|
name = "sops-wrapper";
|
|
paths = [ scriptOverride sops ];
|
|
buildInputs = [ pkgs.makeWrapper ];
|
|
postBuild = ''
|
|
set -x
|
|
for bin in $out/bin/*; do
|
|
wrapProgram "$bin" \
|
|
--prefix PATH : ${lib.makeBinPath (with pkgs; [
|
|
coreutils
|
|
])} \
|
|
--suffix PATH : ${lib.makeBinPath (with pkgs; [
|
|
age # expected to be used by ${SOPS_AGE_KEY_COMMAND}
|
|
])}
|
|
done
|
|
'';
|
|
|
|
meta = sops.meta // {
|
|
description = "${sops.meta.description} -- wrapper. Provides custom source for `age` master key.";
|
|
};
|
|
}
|