create secrets with ability to read by apps user

2026-02-10 19:21:57 +03:00
parent ab495df606
commit c4ac3aa02c
1 changed files with 17 additions and 8 deletions
--- a/shared/sops-decrypt.sh
+++ b/shared/sops-decrypt.sh
@@ -17,6 +17,9 @@ set -euo pipefail
 umask 077   # 0600 by default

 OUT_ROOT="/run/secrets"
+SECRETS_GROUP="apps"   # docker container runs under apps user
+DIR_MODE="0750"
+FILE_MODE="0640"

 for service_dir in ./*/; do
  service_name="${service_dir#./}"      # remove leading './': './service/' -> 'service/'
@@ -26,16 +29,22 @@ for service_dir in ./*/; do
  [[ -f "$secrets_file" ]] || continue

  out_dir="${OUT_ROOT}/${service_name}"
-  mkdir -p -- "$out_dir"
+  install -d -m "$DIR_MODE" -o root -g "$SECRETS_GROUP" -- "$out_dir"

  sops -d "$secrets_file" \
  | yq -r -0 'to_entries[] | .key, .value' \
-  | while IFS= read -r -d '' key && IFS= read -r -d '' value; do
-      [[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
-      tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
-      printf '%s' "$value" > "$tmp_val"
-      mv -f -- "$tmp_val" "${out_dir}/${key}"
-    done
+    | while IFS= read -r -d '' key && IFS= read -r -d '' value; do
+        [[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
+
+        tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
+
+        printf '%s' "$value" > "$tmp_val"
+
+        chown root:"$SECRETS_GROUP" "$tmp_val"
+        chmod "$FILE_MODE" "$tmp_val"
+
+        mv -f -- "$tmp_val" "${out_dir}/${key}"
+      done

  echo "sops ok: ${service_name}"
-done
+done