commit 536831f8d9866857efc8a60ec25a419f0dfe6f10
Author: Mark Kaulertz
Date: Fri Jun 20 09:59:23 2025 +0200
initial commit
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2d76021
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,15 @@
+# Use a minimal, secure base image
+FROM alpine:latest
+
+# Install only the tools we need: SOPS and GnuPG
+RUN apk add --no-cache sops gnupg
+
+# Set a working directory
+WORKDIR /app
+
+# Copy our decryption script into the container and make it executable
+COPY entrypoint.sh .
+RUN chmod +x ./entrypoint.sh
+
+# Set the script as the entrypoint
+ENTRYPOINT ["./entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..a058974
--- /dev/null
+++ b/entrypoint.sh
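Review bot: `FROM alpine:latest` together with the unpinned `RUN apk add --no-cache sops gnupg` makes this image non-reproducible: the base layer and the exact sops/gnupg builds that this init container trusts with a GPG private key will silently change between rebuilds. Pin the base to a release tag plus digest and pin the package versions, e.g. `FROM alpine:<release>@sha256:<digest>` and `RUN apk add --no-cache sops=<version> gnupg=<version>`, and bump them deliberately so a changed toolchain is a reviewed event. The image also declares no `USER`, so the entrypoint runs as root by default; if the key mount and the output volume can be made readable by an unprivileged UID, a `USER` line would reduce the blast radius of the decrypt step, but that depends on how `/run/secrets` and the output volume are provisioned, which this diff does not show.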
@@ -0,0 +1,54 @@
+#!/bin/sh
+# Exit immediately if any command fails
+set -e
+
+# --- Configuration (from Environment Variables) ---
+# Use ':-' to set a default value if the variable is unset or null.
+APP_NAME="${APP_NAME:-sops-init}"
+GPG_KEY_PATH="${GPG_KEY_PATH:-/run/secrets/gpg_key}"
+
+# The directory containing encrypted files.
+SOPS_INPUT_DIR="${SOPS_INPUT_DIR:-/config_in}"
+# The directory where decrypted files will be written.
+SOPS_OUTPUT_DIR="${SOPS_OUTPUT_DIR:-/config_out}"
+# The suffix of files to search for.
+SOPS_FILE_SUFFIX="${SOPS_FILE_SUFFIX:-.sops.yaml}"
+
+
+# --- Script Logic ---
+echo "✅ $APP_NAME: Decryption container started."
+echo "➡️ $APP_NAME: Input Dir: '$SOPS_INPUT_DIR', Output Dir: '$SOPS_OUTPUT_DIR', Suffix: '$SOPS_FILE_SUFFIX'"
+
+# Validate that the required files/directories exist
+if [ ! -f "$GPG_KEY_PATH" ]; then
+ echo "❌ $APP_NAME: ERROR: GPG secret key not found at '$GPG_KEY_PATH'"
+ exit 1
+fi
+
+if [ ! -d "$SOPS_INPUT_DIR" ]; then
+ echo "❌ $APP_NAME: ERROR: Input directory not found at '$SOPS_INPUT_DIR'"
+ exit 1
+fi
+
+# Ensure the output directory exists
+mkdir -p "$SOPS_OUTPUT_DIR"
+
+echo "🔐 $APP_NAME: Importing GPG private key..."
+gpg --batch --import "$GPG_KEY_PATH"
+
+echo "🔎 $APP_NAME: Searching for files ending in '$SOPS_FILE_SUFFIX'..."
+
+# Use 'find' to locate all target files and loop through them
+find "$SOPS_INPUT_DIR" -type f -name "*${SOPS_FILE_SUFFIX}" | while read -r encrypted_file; do
+ # Get the filename without the full path
+ base_filename_with_suffix=$(basename "$encrypted_file")
+ # Remove the suffix to get the clean output filename
+ output_filename=$(basename "$encrypted_file" "$SOPS_FILE_SUFFIX")
+ # Construct the full output path
+ decrypted_file="${SOPS_OUTPUT_DIR}/${output_filename}"
+
+ echo " - Decrypting '$base_filename_with_suffix' to '$decrypted_file'"
+ sops --decrypt "$encrypted_file" > "$decrypted_file"
+done
+
+echo "🎉 $APP_NAME: All files decrypted. Exiting."
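Review bot: The plaintext written by `sops --decrypt "$encrypted_file" > "$decrypted_file"` is created with the shell's default umask, so the decrypted secrets land in `$SOPS_OUTPUT_DIR` as group- and world-readable files unless the runtime happens to set a stricter umask. Set it explicitly near the top, `umask 077` right after `set -e`, or `chmod 0600` each output file; if the consuming container runs as a different UID the directory and file ownership then have to be set deliberately rather than left to defaults, and the script should say so in a comment. A second problem is that `output_filename=$(basename "$encrypted_file" "$SOPS_FILE_SUFFIX")` flattens the recursive `find` result, so two files with the same name in different subdirectories silently overwrite each other in the output directory — either preserve the relative path under `$SOPS_OUTPUT_DIR` or detect and refuse duplicates. Note too that the `>` redirection truncates the target before `sops` runs, so a failed decrypt leaves an empty or partial file behind even though `set -e` ends the run; decrypting into a temporary file and renaming it into place only on success avoids a half-written secret being picked up by the consumer.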