epcim · June 29, 2022 11:59
diff --git a/Makefile b/Makefile
 seal-sops: ## SOPS Encrypt all secrets path matching [_sec|secret|config|*.secret*]
 	@find $(PTH) -path "*/_sec/*" -type f -o -path "*/secret/*" -type f -o -path "*/config/*" -name "*.secret*" -type f |\
 		egrep -v '(\.enc|\.asc|\.sealed|\.matrix)' |\
 		while read file; do \
 		 ./scripts/seal-sops $$file;\
 		done;

 unseal-sops: ## SOPS Decrypt all secrets (suffix: .enc and .enc.yaml)
 	@find $(PTH) -name "*.enc" -type f -o -name "*.enc.*" -type f |\
 		while read file; do \
 		 ./scripts/unseal-sops $$file;\
 		done;
diff --git a/seal-sops b/seal-sops
 #!/bin/bash -e

 # sops-seal, encrypt file if modified (adds .enc before(as) its suffix)
 sops-seal() {

  file=$1
  fullname="${file##*/}"
  dirname="${file%/*}"
  basename="${fullname%.*}"
  extension=".${fullname##*.}"

  # If the file is in the same directory with the script,
  # path likely will not include any directory seperator.
  [[ "$dirname" == "$path" ]] && dirname="."

  # If the file has no extension, correct the variable accordingly.
  [[ "$extension" == ".$basename" ]] && extension=""

  # Destination file
  dest="${dirname}/${basename}.enc${extension}";

  [[ ! -e "$dest" ]] && {
    sops -e --output "$dest" "$file";
  } || {
    # if changed
      diff $file <(sops --config ${SOPS_CONFIG:-.sops.yaml} -d "$dest") > /dev/null ||\
      { rm "$dest"; echo "  ${dest}"; sops -e --config ${SOPS_CONFIG:-.sops.yaml} --output "$dest" "$file";};
  }
  git add -f ${dest} 
 }

 sops-seal $@
diff --git a/unseal-sops b/unseal-sops
 #!/bin/bash

 # sops-unseal, decrypt files (while removing `.enc.` file.enc.suffix)
 sops-unseal() {
  for file in $(ls $@); do
  ex=".${file##*.}";
  fp="${file%.enc*}";
  #[[ "$ex" == ".$fp" ]] && ex="" # fix, no filename suffix
  dest="$fp${ex#.enc}";

  echo "  ${dest}";
 	sops -d --config ${SOPS_CONFIG:-.sops.yaml} --output "$dest" "$file"; \
  done
 }

 sops-unseal $@
	seal-sops: ## SOPS Encrypt all secrets path matching [_sec\|secret\|config\|.secret]
	@find $(PTH) -path "/_sec/" -type f -o -path "/secret/" -type f -o -path "/config/" -name ".secret" -type f \|\
	egrep -v '(\.enc\|\.asc\|\.sealed\|\.matrix)' \|\
	while read file; do \
	./scripts/seal-sops $$file;\
	done;

	unseal-sops: ## SOPS Decrypt all secrets (suffix: .enc and .enc.yaml)
	@find $(PTH) -name ".enc" -type f -o -name ".enc.*" -type f \|\
	while read file; do \
	./scripts/unseal-sops $$file;\
	done;
	#!/bin/bash -e

	# sops-seal, encrypt file if modified (adds .enc before(as) its suffix)
	sops-seal() {

	file=$1
	fullname="${file##*/}"
	dirname="${file%/*}"
	basename="${fullname%.*}"
	extension=".${fullname##*.}"

	# If the file is in the same directory with the script,
	# path likely will not include any directory seperator.
	[[ "$dirname" == "$path" ]] && dirname="."

	# If the file has no extension, correct the variable accordingly.
	[[ "$extension" == ".$basename" ]] && extension=""

	# Destination file
	dest="${dirname}/${basename}.enc${extension}";

	[[ ! -e "$dest" ]] && {
	sops -e --output "$dest" "$file";
	} \|\| {
	# if changed
	diff $file <(sops --config ${SOPS_CONFIG:-.sops.yaml} -d "$dest") > /dev/null \|\|\
	{ rm "$dest"; echo " ${dest}"; sops -e --config ${SOPS_CONFIG:-.sops.yaml} --output "$dest" "$file";};
	}
	git add -f ${dest}
	}

	sops-seal $@
	#!/bin/bash

	# sops-unseal, decrypt files (while removing `.enc.` file.enc.suffix)
	sops-unseal() {
	for file in $(ls $@); do
	ex=".${file##*.}";
	fp="${file%.enc*}";
	#[[ "$ex" == ".$fp" ]] && ex="" # fix, no filename suffix
	dest="$fp${ex#.enc}";

	echo " ${dest}";
	sops -d --config ${SOPS_CONFIG:-.sops.yaml} --output "$dest" "$file"; \
	done
	}

	sops-unseal $@