2023-05-02 15:08:36 +02:00
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
|
|
|
|
|
print_out_path=false
|
|
|
|
|
if [[ "$1" == "--print-out-path" ]]; then
|
|
|
|
|
print_out_path=true
|
|
|
|
|
shift
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
file="$1"
|
|
|
|
|
shift
|
|
|
|
|
identities=("$@")
|
|
|
|
|
|
|
|
|
|
# Strip .age suffix, and store path prefix or ./ if applicable
|
|
|
|
|
basename="${file%".age"}"
|
|
|
|
|
[[ "$file" == "/nix/store/"* ]] && basename="${basename#*"-"}"
|
|
|
|
|
[[ "$file" == "./"* ]] && basename="${basename#"./"}"
|
|
|
|
|
|
|
|
|
|
# Calculate a unique content-based identifier (relocations of
|
|
|
|
|
# the source file in the nix store should not affect caching)
|
|
|
|
|
new_name="$(sha512sum "$file")"
|
|
|
|
|
new_name="${new_name:0:32}-${basename//"/"/"%"}"
|
|
|
|
|
|
|
|
|
|
# Derive the path where the decrypted file will be stored
|
2024-04-12 12:19:47 +02:00
|
|
|
out="/var/tmp/nix-import-encrypted/$new_name"
|
2023-05-02 15:08:36 +02:00
|
|
|
mkdir -p "$(dirname "$out")"
|
|
|
|
|
|
|
|
|
|
# Decrypt only if necessary
|
|
|
|
|
if [[ ! -e "$out" ]]; then
|
|
|
|
|
args=()
|
|
|
|
|
for i in "${identities[@]}"; do
|
|
|
|
|
args+=("-i" "$i")
|
|
|
|
|
done
|
|
|
|
|
rage -d "${args[@]}" -o "$out" "$file"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Print out path or decrypted content
|
|
|
|
|
[[ "$print_out_path" == true ]] && echo "$out" || cat "$out"
|
