#3 Set up sops at repo root

.gitattributes

@@ -0,0 +1 @@
+secrets.env filter=sops diff=sops

.sops.yaml

@@ -0,0 +1,11 @@
+creation_rules:
+  - path_regex: secrets.env
+    shamir_threshold: 2
+    key_groups:
+      - age: # Author keys
+        - 'age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00' # joey@dungeon-master
+      - age: # CICD runner keys
+        - 'age12xgfd2w8acy5c2mrg3xv7ndzx3zw2j4kxv2a6ull385vxe8lcq2qpkhnv5'
+      - age: # Deploy host key
+        - 'age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855' # fighter
+        - 'age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe' # druid

.sops/age-author-pubkeys

@@ -0,0 +1 @@
+age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00

.sops/decrypt-filter.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# Takes file path as first positional argument  
+# Takes encrypted file contents from /dev/stdin
+# Outputs to stdout
+
+SOPS_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
+REPO_ROOT=$(realpath "$SOPS_DIR/../../")
+
+if [[ -f $HOME/.age/key ]]; then
+    export SOPS_AGE_KEY_FILE=$HOME/.age/key
+else
+    echo "SOPS_AGE_KEY_FILE not found at $HOME/.age/key"
+    echo "Cannot decrypt secrets."
+fi
+
+# Set input/output type
+FILE_EXT="${1##*.}"
+
+case $FILE_EXT in
+    "env")
+        FILE_TYPE=dotenv ;;
+    "json")
+        FILE_TYPE=json ;;
+    "yaml")
+        FILE_TYPE=yaml ;;
+    "ini")
+        FILE_TYPE=ini ;;
+esac
+
+if [[ -z ${FILE_TYPE+x} ]]; then
+    sops --decrypt /dev/stdin
+else
+    sops --decrypt --input-type $FILE_TYPE --output-type $FILE_TYPE /dev/stdin
+fi

.sops/encrypt-filter.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Takes file path as $1
+# Takes file contents from stdin
+# Outputs to stdout
+
+# Set up directory variables and default age recipients
+SOPS_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
+SOPS_AGE_RECIPIENTS="$(<$SOPS_DIR/age-author-pubkeys)"
+HOST_AGE_PUBKEY_PATH="$(echo $1 | cut -d'/' -f -2)/.age-pubkey"
+if [[ -f "$HOST_AGE_PUBKEY_PATH" ]]; then
+    SOPS_AGE_RECIPIENTS="$SOPS_AGE_RECIPIENTS,$(<$HOST_AGE_PUBKEY_PATH)"
+fi
+
+if [[ -f $HOME/.age/key ]]; then
+    export SOPS_AGE_KEY_FILE=$HOME/.age/key
+else
+    echo "SOPS_AGE_KEY_FILE not found at $HOME/.age/key"
+    echo "Cannot encrypt secrets."
+fi
+
+# Set input/output type
+FILE_EXT="${1##*.}"
+
+case $FILE_EXT in
+    "env")
+        FILE_TYPE=dotenv ;;
+    "json")
+        FILE_TYPE=json ;;
+    "yaml")
+        FILE_TYPE=yaml ;;
+    "ini")
+        FILE_TYPE=ini ;;
+esac
+
+if [[ -z ${FILE_TYPE+x} ]]; then
+    sops --encrypt --age ${SOPS_AGE_RECIPIENTS} /dev/stdin
+else
+    sops --encrypt --input-type $FILE_TYPE --output-type $FILE_TYPE --age ${SOPS_AGE_RECIPIENTS} /dev/stdin
+fi

.sops/sops-setup.sh

@@ -0,0 +1,24 @@
+SOPS_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
+
+# Set up age keypair
+if [[ -f $HOME/.age/key ]]; then 
+    if ! cat ~/.bashrc | grep -q "export SOPS_AGE_KEY_FILE"; then
+        echo "Add this line to your shell profile (e.g. ~/.bashrc or ~/.zshrc):"
+        echo "export SOPS_AGE_KEY_FILE=$HOME/.age/key"
+    else
+        echo "SOPS_AGE_KEY_FILE: $SOPS_AGE_KEY_FILE"
+    fi
+else
+    mkdir -p $HOME/.age
+    HOST_CONFIG_DIR=$SOPS_DIR/../$HOSTNAME/
+    mkdir -p $HOST_CONFIG_DIR
+    age-keygen -o $HOME/.age/key > $HOST_CONFIG_DIR/.age-pubkey
+    echo "Pubkey added to $HOST_CONFIG_DIR/.age-pubkey"
+    echo "If any secrets have already been committed for this host, re-encrypt them with the new pubkey as a recipient."
+fi
+
+# Configure the git filters
+git config --local filter.sops.smudge $SOPS_DIR/decrypt-filter.sh %f
+git config --local filter.sops.clean $SOPS_DIR/encrypt-filter.sh %f
+git config --local filter.sops.required true
+git config --local diff.sops.textconv "sops decrypt"