about summary refs log tree commit diff
path: root/tools/kms_pass.nix
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2019-11-15T23·46+0000
committerGitHub <noreply@github.com>2019-11-15T23·46+0000
commitae53bf30c3306eeb56731e6e7aefc2bab278c6e0 (patch)
treeed66073f8c7dc2f01814ae8cc786bdf32988f0bd /tools/kms_pass.nix
parent9ba4bbb60954c3fafb5e5f0aa5f8ff478c09a600 (diff)
parentecd54d58b1863ccd84e6a85b161fb1ef066e5efd (diff)
Merge pull request #9 from tazjin/feat/read-tree r/95
Configure automatic package layouts via repository structure
Diffstat (limited to 'tools/kms_pass.nix')
-rw-r--r--tools/kms_pass.nix60
1 files changed, 60 insertions, 0 deletions
diff --git a/tools/kms_pass.nix b/tools/kms_pass.nix
new file mode 100644
index 000000000000..7005697daaf8
--- /dev/null
+++ b/tools/kms_pass.nix
@@ -0,0 +1,60 @@
+# This tool mimics a subset of the interface of 'pass', but uses
+# Google Cloud KMS for encryption.
+#
+# It is intended to be compatible with how 'kontemplate' invokes
+# 'pass.'
+#
+# Only the 'show' and 'insert' commands are supported.
+
+{ pkgs, kms, ... }:
+
+let inherit (pkgs) google-cloud-sdk tree writeShellScriptBin;
+in (writeShellScriptBin "pass" ''
+  set -eo pipefail
+
+  CMD="$1"
+  readonly SECRET=$2
+  readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
+
+  function secret_check {
+    if [[ -z $SECRET ]]; then
+      echo 'Secret must be specified'
+      exit 1
+    fi
+  }
+
+  if [[ -z $CMD ]]; then
+    CMD="ls"
+  fi
+
+  case "$CMD" in
+    ls)
+       ${tree}/bin/tree $SECRETS_DIR
+       ;;
+    show)
+      secret_check
+      ${google-cloud-sdk}/bin/gcloud kms decrypt \
+        --project ${kms.project} \
+        --location ${kms.region} \
+        --keyring ${kms.keyring} \
+        --key ${kms.key} \
+        --ciphertext-file $SECRET_PATH \
+        --plaintext-file -
+      ;;
+    insert)
+      secret_check
+      ${google-cloud-sdk}/bin/gcloud kms encrypt \
+        --project ${kms.project} \
+        --location ${kms.region} \
+        --keyring ${kms.keyring} \
+        --key ${kms.key} \
+        --ciphertext-file $SECRET_PATH \
+        --plaintext-file -
+      echo "Inserted secret '$SECRET'"
+      ;;
+    *)
+      echo "Usage: pass show/insert <secret>"
+      exit 1
+      ;;
+  esac
+'') // { meta.enableCI = true; }