create secrets with ability to read by apps user

shared/sops-decrypt.sh

@@ -17,6 +17,9 @@ set -euo pipefail
 umask 077   # 0600 by default
 
 OUT_ROOT="/run/secrets"
+SECRETS_GROUP="apps"   # docker container runs under apps user
+DIR_MODE="0750"
+FILE_MODE="0640"
 
 for service_dir in ./*/; do
   service_name="${service_dir#./}"      # remove leading './': './service/' -> 'service/'
@@ -26,16 +29,22 @@ for service_dir in ./*/; do
   [[ -f "$secrets_file" ]] || continue
 
   out_dir="${OUT_ROOT}/${service_name}"
-  mkdir -p -- "$out_dir"
+  install -d -m "$DIR_MODE" -o root -g "$SECRETS_GROUP" -- "$out_dir"
 
   sops -d "$secrets_file" \
   | yq -r -0 'to_entries[] | .key, .value' \
-  | while IFS= read -r -d '' key && IFS= read -r -d '' value; do
+    | while IFS= read -r -d '' key && IFS= read -r -d '' value; do
-      [[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
+        [[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
-      tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
+
-      printf '%s' "$value" > "$tmp_val"
+        tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
-      mv -f -- "$tmp_val" "${out_dir}/${key}"
+
-    done
+        printf '%s' "$value" > "$tmp_val"
+
+        chown root:"$SECRETS_GROUP" "$tmp_val"
+        chmod "$FILE_MODE" "$tmp_val"
+
+        mv -f -- "$tmp_val" "${out_dir}/${key}"
+      done
 
   echo "sops ok: ${service_name}"
-done
+done