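# unpackPhase # patchPhase # configurePhase # buildPhase # checkPhase # installPhase # fixupPhase # installCheckPhase # distPhase
#
# Derivation that encrypts a Kubernetes Secret manifest with sops (PGP backend)
# so the ciphertext can be committed or shipped alongside other manifests.
#
# Arguments:
#   pkgs, stdenv      - nixpkgs and the build environment
#   kubectl, gnupg    - put on PATH in the sandbox (kubectl is not used by the
#                       phases below; kept for callers that rely on it)
#   source_file       - plaintext manifest to encrypt (path or string)
#   output_filename   - name of the encrypted file written under $out; also
#                       used as the sops filename for path_regex matching
#   pgp_public_key    - ASCII-armored public key of the sole sops recipient
#
# NOTE(review): because `source_file` is interpolated into the derivation, the
# PLAINTEXT manifest is copied into /nix/store, which is readable by every
# user on the build host. Only feed this derivation secrets that are allowed
# to live in the store (e.g. already-sealed or test material).
{ pkgs, stdenv, kubectl, gnupg, source_file, output_filename, pgp_public_key, ... }:

let
  # Extract the full primary-key fingerprint from the armored key. In
  # `--with-colons` output the first `fpr` line belongs to the primary key and
  # field 10 holds the 40-hex fingerprint. sops' `pgp` field takes fingerprints;
  # a full fingerprint is unambiguous where a 64-bit long key ID is not.
  pgp_fingerprint_command = pkgs.runCommand "pgp_fingerprint_command" { } ''
    mkdir -m 700 keyring
    export GNUPGHOME=$(readlink -f keyring)
    ${gnupg}/bin/gpg --with-fingerprint --with-colons "${pgp_public_key}" \
      | grep -m1 '^fpr' | cut -d ':' -f 10 > "$out"
    # Fail here rather than emit an empty recipient into .sops.yaml.
    test -s "$out"
  '';

  # lib.fileContents strips the trailing newline that builtins.readFile keeps,
  # so the recipient string contains nothing but the fingerprint.
  pgp_fingerprint = pkgs.lib.fileContents pgp_fingerprint_command;

  # Only the Secret payload (`data` / `stringData`) is encrypted; metadata stays
  # readable so the manifest can still be diffed and reviewed.
  sops_config = {
    creation_rules = [
      {
        # Anchored, with the dot escaped: match "*.yaml" rather than any name
        # that happens to end in "yaml".
        "path_regex" = ".*\\.yaml$";
        "encrypted_regex" = "^(data|stringData)$";
        "pgp" = pgp_fingerprint;
      }
    ];
  };

  settingsFormat = pkgs.formats.yaml { };
  # generate already yields a store path containing the YAML; that path is
  # passed straight to `sops --config`.
  yaml_file = settingsFormat.generate ".sops.yaml" sops_config;
in
stdenv.mkDerivation {
  name = "k8s-secret-encrypted-${output_filename}";

  # sops is a build-time tool like gnupg, so it belongs here rather than being
  # referenced by absolute store path from the phase script.
  nativeBuildInputs = [ kubectl gnupg pkgs.sops ];

  # Nothing to unpack: the input is a single file referenced by path.
  unpackPhase = "true";

  # Import the recipient key into a throwaway keyring inside the sandbox.
  # 0700 avoids gpg's "unsafe permissions" warning on the home directory.
  buildPhase = ''
    mkdir -m 700 keyring
    export GNUPGHOME=$(readlink -f keyring)
    gpg --import "${pgp_public_key}"
  '';

  # Encrypt the manifest. --filename-override makes sops evaluate the
  # creation rule against $output_filename instead of the store path of the
  # plaintext input. Output is written directly rather than tee'd into the
  # build log.
  installPhase = ''
    export GNUPGHOME=$(readlink -f keyring)
    mkdir -p "$out"
    sops --config "${yaml_file}" encrypt \
      --filename-override "${output_filename}" \
      "${source_file}" > "$out/${output_filename}"
  '';

  # Sanity-check that what we produced is actually a sops document: every
  # sops-encrypted YAML file carries a top-level `sops:` metadata block.
  doInstallCheck = true;
  installCheckPhase = ''
    grep -q '^sops:' "$out/${output_filename}"
  '';
}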