me/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

add option decrypt .env secrets as is to separate file for services that do not support docker secrets reading from file.

Browse Source
This commit is contained in:
v.karaychentsev
2026-02-13 10:57:56 +03:00
parent ae4efa868f
commit 885e530454
1 changed files with 28 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
shared/sops-decrypt.sh
View File

@@ -25,26 +25,41 @@ for service_dir in ./*/; do
service_name="${service_dir#./}" # remove leading './': './service/' -> 'service/'
service_name="${service_name%/}" # remove trailing '/': 'service/' -> 'service'
secrets_file="./${service_name}/secrets.sops.yaml"
[[ -f "$secrets_file" ]] || continue
yaml_secrets_file="./${service_name}/secrets.sops.yaml"
env_secrets_file="./${service_name}/secrets.sops.env"
[[ -f "$yaml_secrets_file" || -f "$env_secrets_file" ]] || continue
out_dir="${OUT_ROOT}/${service_name}"
install -d -m "$DIR_MODE" -o root -g "$SECRETS_GROUP" -- "$out_dir"
sops -d "$secrets_file" \
| yq -r -0 'to_entries[] | [.key, .value] | .[]' \
| while IFS= read -r -d '' key && IFS= read -r -d '' value; do
[[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
if [[ -f "$yaml_secrets_file" ]]; then
sops -d "$yaml_secrets_file" \
| yq -r -0 'to_entries[] | [.key, .value] | .[]' \
| while IFS= read -r -d '' key && IFS= read -r -d '' value; do
[[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
printf '%s' "$value" > "$tmp_val"
printf '%s' "$value" > "$tmp_val"
chown root:"$SECRETS_GROUP" "$tmp_val"
chmod "$FILE_MODE" "$tmp_val"
chown root:"$SECRETS_GROUP" "$tmp_val"
chmod "$FILE_MODE" "$tmp_val"
mv -f -- "$tmp_val" "${out_dir}/${key}"
done
mv -f -- "$tmp_val" "${out_dir}/${key}"
done
fi
if [[ -f "$env_secrets_file" ]]; then
tmp_env="$(mktemp "${out_dir}/.secrets.env.XXXXXX")"
sops -d "$env_secrets_file" > "$tmp_env"
chown root:"$SECRETS_GROUP" "$tmp_env"
chmod "$FILE_MODE" "$tmp_env"
mv -f -- "$tmp_env" "${out_dir}/secrets.env"
fi
echo "sops ok: ${service_name}"
done