diff options
| author | Vincent Ambo <tazjin@google.com> | 2019-12-20T20·18+0000 |
|---|---|---|
| committer | Vincent Ambo <tazjin@google.com> | 2019-12-20T20·18+0000 |
| commit | 03bfe08e1dd9faf48b06cb146bfa446575cde88a (patch) | |
| tree | 55317968922a9b2a01516f1b79527874df037517 /ops/kms_pass.nix | |
| parent | e52eed3cd4f73779c2e7c350537fb346835ba9f3 (diff) | |
chore: Significantly restructure folder layout r/237
This moves the various projects from "type-based" folders (such as "services" or "tools") into more appropriate semantic folders (such as "nix", "ops" or "web"). Deprecated projects (nixcon-demo & gotest) which only existed for testing/demonstration purposes have been removed. (Note: *all* builds are broken with this commit)
Diffstat (limited to 'ops/kms_pass.nix')
| -rw-r--r-- | ops/kms_pass.nix | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/ops/kms_pass.nix b/ops/kms_pass.nix new file mode 100644 index 000000000000..14989b392dd1 --- /dev/null +++ b/ops/kms_pass.nix @@ -0,0 +1,60 @@ +# This tool mimics a subset of the interface of 'pass', but uses +# Google Cloud KMS for encryption. +# +# It is intended to be compatible with how 'kontemplate' invokes +# 'pass.' +# +# Only the 'show' and 'insert' commands are supported. + +{ pkgs, kms, ... }: + +let inherit (pkgs.third_party) google-cloud-sdk tree writeShellScriptBin; +in (writeShellScriptBin "pass" '' + set -eo pipefail + + CMD="$1" + readonly SECRET=$2 + readonly SECRET_PATH="$SECRETS_DIR/$SECRET" + + function secret_check { + if [[ -z $SECRET ]]; then + echo 'Secret must be specified' + exit 1 + fi + } + + if [[ -z $CMD ]]; then + CMD="ls" + fi + + case "$CMD" in + ls) + ${tree}/bin/tree $SECRETS_DIR + ;; + show) + secret_check + ${google-cloud-sdk}/bin/gcloud kms decrypt \ + --project ${kms.project} \ + --location ${kms.region} \ + --keyring ${kms.keyring} \ + --key ${kms.key} \ + --ciphertext-file $SECRET_PATH \ + --plaintext-file - + ;; + insert) + secret_check + ${google-cloud-sdk}/bin/gcloud kms encrypt \ + --project ${kms.project} \ + --location ${kms.region} \ + --keyring ${kms.keyring} \ + --key ${kms.key} \ + --ciphertext-file $SECRET_PATH \ + --plaintext-file - + echo "Inserted secret '$SECRET'" + ;; + *) + echo "Usage: pass show/insert <secret>" + exit 1 + ;; + esac +'') // { meta.enableCI = true; } |