add option decrypt .env secrets as is to separate file for services that do not support docker secrets reading from file.

shared/sops-decrypt.sh

@@ -25,13 +25,16 @@ for service_dir in ./*/; do
   service_name="${service_dir#./}"      # remove leading './': './service/' -> 'service/'
   service_name="${service_name%/}"      # remove trailing '/': 'service/' -> 'service'
 
-  secrets_file="./${service_name}/secrets.sops.yaml"
+  yaml_secrets_file="./${service_name}/secrets.sops.yaml"
-  [[ -f "$secrets_file" ]] || continue
+  env_secrets_file="./${service_name}/secrets.sops.env"
+
+  [[ -f "$yaml_secrets_file" || -f "$env_secrets_file" ]] || continue
 
   out_dir="${OUT_ROOT}/${service_name}"
   install -d -m "$DIR_MODE" -o root -g "$SECRETS_GROUP" -- "$out_dir"
 
-  sops -d "$secrets_file" \
+  if [[ -f "$yaml_secrets_file" ]]; then
+    sops -d "$yaml_secrets_file" \
     | yq -r -0 'to_entries[] | [.key, .value] | .[]' \
       | while IFS= read -r -d '' key && IFS= read -r -d '' value; do
           [[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
@@ -45,6 +48,18 @@ for service_dir in ./*/; do
 
           mv -f -- "$tmp_val" "${out_dir}/${key}"
         done
+  fi
+
+  if [[ -f "$env_secrets_file" ]]; then
+    tmp_env="$(mktemp "${out_dir}/.secrets.env.XXXXXX")"
+
+    sops -d "$env_secrets_file" > "$tmp_env"
+
+    chown root:"$SECRETS_GROUP" "$tmp_env"
+    chmod "$FILE_MODE" "$tmp_env"
+
+    mv -f -- "$tmp_env" "${out_dir}/secrets.env"
+  fi
 
   echo "sops ok: ${service_name}"
 done