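# This tool mimics a subset of the interface of 'pass', but uses
# Google Cloud KMS for encryption.
#
# It is intended to be compatible with how 'kontemplate' invokes
# 'pass'.
#
# Only the 'ls', 'show' and 'insert' commands are supported:
#   ls              - print the tree of the secrets directory
#   show <secret>   - decrypt <secrets dir>/<secret> and write the plaintext to stdout
#   insert <secret> - read plaintext from stdin and write the ciphertext to <secrets dir>/<secret>
#
# Arguments (Nix):
#   depot - the depot attribute set; only depot.third_party is used here
#   kms   - attribute set naming the KMS key: project, region, keyring, key
#
# NOTE(review): interpolating ./secrets below yields a Nix store path, which
# is read-only; how 'insert' is expected to succeed against it is not visible
# from this file — TODO confirm with the callers.

{ depot, kms, ... }:

let inherit (depot.third_party) google-cloud-sdk tree writeShellScriptBin;
in (writeShellScriptBin "pass" ''
  # -u turns any reference to an unset variable into an error; $1/$2 are
  # therefore read with a default so that 'pass' and 'pass ls' still work.
  set -euo pipefail

  CMD="''${1:-}"
  readonly SECRET="''${2:-}"
  readonly SECRETS_DIR=${./secrets}
  readonly SECRET_PATH="$SECRETS_DIR/$SECRET"

  # Validate the secret name. It is used as a path component under
  # SECRETS_DIR and as a file argument to gcloud, so refuse names that are
  # empty, that could escape the directory ('..' components, absolute paths)
  # or that would be parsed as an option ('-...'). Slashes are otherwise
  # allowed, matching pass' nested secret names.
  # Diagnostics go to stderr so a caller reading the secret from stdout
  # never mistakes them for secret material.
  function secret_check {
    if [[ -z $SECRET ]]; then
      echo 'Secret must be specified' >&2
      exit 1
    fi
    case "$SECRET" in
      ..|../*|*/../*|*/..|/*|-*)
        echo "Invalid secret name: '$SECRET'" >&2
        exit 1
        ;;
    esac
  }

  # Default to listing when invoked without a command.
  if [[ -z $CMD ]]; then
    CMD="ls"
  fi

  case "$CMD" in
    ls)
      ${tree}/bin/tree "$SECRETS_DIR"
      ;;
    show)
      secret_check
      # '--plaintext-file -' makes gcloud write the decrypted bytes to stdout.
      ${google-cloud-sdk}/bin/gcloud kms decrypt \
        --project ${kms.project} \
        --location ${kms.region} \
        --keyring ${kms.keyring} \
        --key ${kms.key} \
        --ciphertext-file "$SECRET_PATH" \
        --plaintext-file -
      ;;
    insert)
      secret_check
      # '--plaintext-file -' makes gcloud read the plaintext from stdin.
      ${google-cloud-sdk}/bin/gcloud kms encrypt \
        --project ${kms.project} \
        --location ${kms.region} \
        --keyring ${kms.keyring} \
        --key ${kms.key} \
        --ciphertext-file "$SECRET_PATH" \
        --plaintext-file -
      echo "Inserted secret '$SECRET'"
      ;;
    *)
      echo "Usage: pass [ls | show <secret> | insert <secret>]" >&2
      exit 1
      ;;
  esac
'') // { meta.enableCI = true; }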