hscloud/tools/nixops.sh

#!/usr/bin/env bash

# A wrapper around real nixops to decrypt GCP secret.

if [ -z "$hscloud_root" ]; then
   echo 2>&1 "Please source env.sh"
   exit 1
fi

for f in sa.json sa.pem; do
    plain="$hscloud_root/gcp/secrets/plain/$f"
    cipher="$hscloud_root/gcp/secrets/cipher/$f"
    if [ ! -f "$plain" ]; then
        secretstore decrypt "$cipher" > "$plain"
    fi
done

export GCE_PROJECT="hscloud"
export GCE_SERVICE_ACCOUNT="nixops@hscloud.iam.gserviceaccount.com"
export ACCESS_KEYPATH="$hscloud_root/gcp/secrets/plain/sa.pem"

nixops.bin "$@"