nix/kubernetes/keys/package/k8s-secret-encrypted/package.nix

# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
  pkgs,
  stdenv,
  kubectl,
  gnupg,
  source_file,
  output_filename,
  pgp_public_key,
  ...
}:
let
  pgp_key_id_command = pkgs.runCommand "pgp_key_id_command" { } ''
    mkdir keyring
    export GNUPGHOME=$(readlink -f keyring)
    ${gnupg}/bin/gpg --with-fingerprint --with-colons --keyid-format LONG "${pgp_public_key}" | grep '^pub' | cut -d ':' -f 5 > $out
  '';
  pgp_key_id = builtins.readFile pgp_key_id_command;
  sops_config = {
    creation_rules = [
      {
        "path_regex" = ".*.yaml";
        "encrypted_regex" = "^(data|stringData)$";
        "pgp" = pgp_key_id;
      }
    ];
  };
  settingsFormat = pkgs.formats.yaml { };
  yaml_body = settingsFormat.generate ".sops.yaml" sops_config;
  yaml_file = pkgs.writeTextFile {
    name = ".sops.yaml";
    text = (builtins.readFile yaml_body);
  };
in
stdenv.mkDerivation (finalAttrs: {
  name = "k8s-secret-encrypted-${output_filename}";
  nativeBuildInputs = [
    kubectl
    gnupg
  ];
  buildInputs = [ ];

  unpackPhase = "true";

  buildPhase = ''
    mkdir keyring
    export GNUPGHOME=$(readlink -f keyring)
    cat "${pgp_public_key}" | gpg --import
  '';

  installPhase = ''
    set -x
    export GNUPGHOME=$(readlink -f keyring)
    mkdir "$out"
    cat "${source_file}" | ${pkgs.sops}/bin/sops --config "${yaml_file}" encrypt --filename-override "${output_filename}" | tee "$out/${output_filename}"
  '';
})
Add generation for in-repo secrets. 2026-03-19 18:16:20 -04:00			`# unpackPhase`
			`# patchPhase`
			`# configurePhase`
			`# buildPhase`
			`# checkPhase`
			`# installPhase`
			`# fixupPhase`
			`# installCheckPhase`
			`# distPhase`
			`{`
			`pkgs,`
			`stdenv,`
			`kubectl,`
			`gnupg,`
			`source_file,`
			`output_filename,`
			`pgp_public_key,`
			`...`
			`}:`
			`let`
			`pgp_key_id_command = pkgs.runCommand "pgp_key_id_command" { } ''`
			`mkdir keyring`
			`export GNUPGHOME=$(readlink -f keyring)`
			`${gnupg}/bin/gpg --with-fingerprint --with-colons --keyid-format LONG "${pgp_public_key}" \| grep '^pub' \| cut -d ':' -f 5 > $out`
			`'';`
			`pgp_key_id = builtins.readFile pgp_key_id_command;`
			`sops_config = {`
			`creation_rules = [`
			`{`
			`"path_regex" = ".*.yaml";`
			`"encrypted_regex" = "^(data\|stringData)$";`
			`"pgp" = pgp_key_id;`
			`}`
			`];`
			`};`
			`settingsFormat = pkgs.formats.yaml { };`
			`yaml_body = settingsFormat.generate ".sops.yaml" sops_config;`
			`yaml_file = pkgs.writeTextFile {`
			`name = ".sops.yaml";`
			`text = (builtins.readFile yaml_body);`
			`};`
			`in`
			`stdenv.mkDerivation (finalAttrs: {`
			`name = "k8s-secret-encrypted-${output_filename}";`
			`nativeBuildInputs = [`
			`kubectl`
			`gnupg`
			`];`
			`buildInputs = [ ];`

			`unpackPhase = "true";`

			`buildPhase = ''`
			`mkdir keyring`
			`export GNUPGHOME=$(readlink -f keyring)`
			`cat "${pgp_public_key}" \| gpg --import`
			`'';`

			`installPhase = ''`
			`set -x`
			`export GNUPGHOME=$(readlink -f keyring)`
			`mkdir "$out"`
			`cat "${source_file}" \| ${pkgs.sops}/bin/sops --config "${yaml_file}" encrypt --filename-override "${output_filename}" \| tee "$out/${output_filename}"`
			`'';`
			`})`