From 885e530454571477070384ef6fdb3ade6f711485 Mon Sep 17 00:00:00 2001
From: "v.karaychentsev" <105486287+vk-aterise@users.noreply.github.com>
Date: Fri, 13 Feb 2026 10:57:56 +0300
Subject: [PATCH] add option decrypt .env secrets as is to separate file for services that do not support docker secrets reading from file.
---
shared/sops-decrypt.sh | 41 ++++++++++++++++++++++++++++-------------
1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/shared/sops-decrypt.sh b/shared/sops-decrypt.sh
index 85d8e7d..5df7638 100644
--- a/shared/sops-decrypt.sh
+++ b/shared/sops-decrypt.sh
@@ -25,26 +25,41 @@ for service_dir in ./*/; do
 service_name="${service_dir#./}" # remove leading './': './service/' -> 'service/'
 service_name="${service_name%/}" # remove trailing '/': 'service/' -> 'service'
- secrets_file="./${service_name}/secrets.sops.yaml"
- [[ -f "$secrets_file" ]] || continue
+ yaml_secrets_file="./${service_name}/secrets.sops.yaml"
+ env_secrets_file="./${service_name}/secrets.sops.env"
+
+ [[ -f "$yaml_secrets_file" || -f "$env_secrets_file" ]] || continue
 out_dir="${OUT_ROOT}/${service_name}"
 install -d -m "$DIR_MODE" -o root -g "$SECRETS_GROUP" -- "$out_dir"
- sops -d "$secrets_file" \
- | yq -r -0 'to_entries[] | [.key, .value] | .[]' \
- | while IFS= read -r -d '' key && IFS= read -r -d '' value; do
- [[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
+ if [[ -f "$yaml_secrets_file" ]]; then
+ sops -d "$yaml_secrets_file" \
+ | yq -r -0 'to_entries[] | [.key, .value] | .[]' \
+ | while IFS= read -r -d '' key && IFS= read -r -d '' value; do
+ [[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
- tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
+ tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
- printf '%s' "$value" > "$tmp_val"
+ printf '%s' "$value" > "$tmp_val"
- chown root:"$SECRETS_GROUP" "$tmp_val"
- chmod "$FILE_MODE" "$tmp_val"
+ chown root:"$SECRETS_GROUP" "$tmp_val"
+ chmod "$FILE_MODE" "$tmp_val"
- mv -f -- "$tmp_val" "${out_dir}/${key}"
- done
+ mv -f -- "$tmp_val" "${out_dir}/${key}"
+ done
+ fi
+
+ if [[ -f "$env_secrets_file" ]]; then
+ tmp_env="$(mktemp "${out_dir}/.secrets.env.XXXXXX")"
+
+ sops -d "$env_secrets_file" > "$tmp_env"
+
+ chown root:"$SECRETS_GROUP" "$tmp_env"
+ chmod "$FILE_MODE" "$tmp_env"
+
+ mv -f -- "$tmp_env" "${out_dir}/secrets.env"
+ fi
 echo "sops ok: ${service_name}"
-done
\ No newline at end of file
+done
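Review bot: The new env branch never checks whether `sops -d "$env_secrets_file" > "$tmp_env"` succeeded; the redirection has already created the temp file, so when decryption fails (missing key, corrupt file) the chown/chmod/mv lines still run, an empty `secrets.env` replaces whatever was previously installed, and `sops ok` is printed. If the script enables `set -e` above this hunk (not visible here) the loop aborts instead, but the 0600 `.secrets.env.XXXXXX` temp file is then left behind in `$out_dir`. A guard such as `sops -d "$env_secrets_file" > "$tmp_env" || { rm -f -- "$tmp_env"; echo "sops failed: ${env_secrets_file}" >&2; continue; }` covers both cases and keeps the previous `secrets.env` intact on failure. The enclosing `for service_dir` loop begins above the hunk.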