From c4ac3aa02c20e95ffb59a7dadec7c2d8d8d71e22 Mon Sep 17 00:00:00 2001
From: "v.karaychentsev" <105486287+vk-aterise@users.noreply.github.com>
Date: Tue, 10 Feb 2026 19:21:57 +0300
Subject: [PATCH] create secrets with ability to read by apps user
---
 shared/sops-decrypt.sh | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/shared/sops-decrypt.sh b/shared/sops-decrypt.sh
index 8e2252d..81ecb67 100644
--- a/shared/sops-decrypt.sh
+++ b/shared/sops-decrypt.sh
@@ -17,6 +17,9 @@ set -euo pipefail
 umask 077 # 0600 by default
 OUT_ROOT="/run/secrets"
+SECRETS_GROUP="apps" # docker container runs under apps user
+DIR_MODE="0750"
+FILE_MODE="0640"
 for service_dir in ./*/; do
 service_name="${service_dir#./}" # remove leading './': './service/' -> 'service/'
@@ -26,16 +29,22 @@ for service_dir in ./*/; do
 [[ -f "$secrets_file" ]] || continue
 out_dir="${OUT_ROOT}/${service_name}"
- mkdir -p -- "$out_dir"
+ install -d -m "$DIR_MODE" -o root -g "$SECRETS_GROUP" -- "$out_dir"
 sops -d "$secrets_file" \
 | yq -r -0 'to_entries[] | .key, .value' \
- | while IFS= read -r -d '' key && IFS= read -r -d '' value; do
- [[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
- tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
- printf '%s' "$value" > "$tmp_val"
- mv -f -- "$tmp_val" "${out_dir}/${key}"
- done
+ | while IFS= read -r -d '' key && IFS= read -r -d '' value; do
+ [[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
+
+ tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
+
+ printf '%s' "$value" > "$tmp_val"
+
+ chown root:"$SECRETS_GROUP" "$tmp_val"
+ chmod "$FILE_MODE" "$tmp_val"
+
+ mv -f -- "$tmp_val" "${out_dir}/${key}"
+ done
 echo "sops ok: ${service_name}"
-done
+done
\ No newline at end of file
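Review bot: The three new settings SECRETS_GROUP, DIR_MODE and FILE_MODE in the first hunk are plain assignments with no `readonly`, and the group name is hard-coded, so a deployment whose container runs under a different user has to edit the script; `SECRETS_GROUP="${SECRETS_GROUP:-apps}"` followed by `readonly SECRETS_GROUP DIR_MODE FILE_MODE` keeps the current default while allowing an override from the environment. The existing comment `# 0600 by default` on the umask line directly above now reads as the final file mode, which is no longer true once FILE_MODE is applied in the loop; rewording it to `# temp files start 0600; final modes come from DIR_MODE/FILE_MODE` would avoid the confusion. A short comment on DIR_MODE/FILE_MODE stating that group-read is deliberate and that world bits must stay clear would document the intent the commit title describes.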
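Review bot: The new `install -d` on the out_dir line in the second hunk applies 0750 root:apps only to the leaf directory; any missing parent (OUT_ROOT itself) is created with default attributes under the script's `umask 077`, so on a host where /run/secrets does not pre-exist it is likely root-only and the apps group still cannot traverse into the service directory. Ensure the root is created with a traversable mode once, before the loop (which starts outside this hunk), e.g. `install -d -m "$DIR_MODE" -o root -g "$SECRETS_GROUP" -- "$OUT_ROOT"`. For consistency with the surrounding `mkdir`/`mv` style, the new chown/chmod lines could take `--` as well: `chown -- root:"$SECRETS_GROUP" "$tmp_val"` and `chmod -- "$FILE_MODE" "$tmp_val"`. The final `+done` drops the file's trailing newline (`\ No newline at end of file`); it should be restored.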