dotfiles/scripts/nix-secret-wrapper/nix-secret-wrapper.sh


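# nix-secret-wrapper: front-end for the real nix binary (`.nix-unwrapped`).
#
# For invocations that target a local flake it injects
#   --reference-lock-file flake-secret.lock [--output-lock-file flake-secret.lock]
# so that nix reads and writes flake-secret.lock. Afterwards, if that file
# changed (or NIX_SECRET_FORCE=1), it is copied over flake.lock and flake.lock
# is re-locked with the `secret` input overridden to an empty repository
# (presumably so the committed flake.lock never pins the real secret input --
# confirm with the author).
#
# Environment:
#   NIX_SECRET_WRAPPER_DEBUG=1  trace every command (set -x)
#   NIX_GET_COMPLETIONS         non-empty: pass straight through to nix
#   NIX_WRAPPER_BYPASS=1        pass straight through to nix
#   NIX_SECRET_FORCE=1          always refresh flake.lock from flake-secret.lock
#
# NOTE(review): `.nix-unwrapped` is resolved through PATH and the lock files
# are resolved relative to the current directory; the wrapper runs whatever
# binary of that name PATH yields and assumes it is started from the flake
# root -- confirm that the packaging guarantees both.

if [[ "${NIX_SECRET_WRAPPER_DEBUG:-}" == 1 ]]; then
  # The trace echoes the full argument list to stderr; avoid in shared logs.
  set -x
fi

# Shell completion requests and explicit bypasses never touch the lock files.
if [[ -n "${NIX_GET_COMPLETIONS:-}" || "${NIX_WRAPPER_BYPASS:-}" == 1 ]]; then
  exec .nix-unwrapped "$@"
fi

# Hash before the run; empty when the file does not exist yet.
pre_lock_hash="$(sha256sum flake-secret.lock | cut -f1 -d' ')"

new_args=()
flake=0      # 1 while the argument after `flake` (its subcommand) is pending
immutable=0  # 1 when a git+file:// reference is present: no output lock file
is_local=0   # 1 when some argument refers to a local flake

# First pass: classify the invocation from its flake references.
for arg in "$@"; do
  if [[ "$arg" == git+file://* ]]; then
    immutable=1
    is_local=1
  fi
  # Literal ".#attr". The dot is escaped so that a one-character name such as
  # "x#attr" is not mistaken for a reference to the current directory.
  if [[ "$arg" =~ ^\.#.*$ ]]; then
    is_local=1
  fi
done

# Second pass: rebuild the argument list with the lock-file options inserted.
for arg in "$@"; do
  case "$arg" in
    build | eval | run | path-info)
      # Nothing local is involved: hand the untouched arguments to nix.
      if [[ "$is_local" == 0 ]]; then
        exec .nix-unwrapped "$@"
      fi
      new_args+=("$arg" --reference-lock-file flake-secret.lock)
      if [[ "$immutable" == 0 ]]; then
        new_args+=(--output-lock-file flake-secret.lock)
      fi
      ;;
    flake)
      new_args+=("$arg")
      flake=1
      ;;
    -*)
      new_args+=("$arg")
      ;;
    *)
      new_args+=("$arg")
      # First plain word after `flake` is its subcommand; the lock-file
      # options go directly behind it.
      if [[ "$flake" == 1 ]]; then
        new_args+=(
          --reference-lock-file flake-secret.lock
          --output-lock-file flake-secret.lock
        )
        flake=0
      fi
      ;;
  esac
done

# Run nix in a subshell so the wrapper survives the exec and can post-process.
# "$0" is quoted so a wrapper path containing spaces stays a single argv[0].
(exec -a "$0" .nix-unwrapped "${new_args[@]}")
ret_code=$?

post_lock_hash="$(sha256sum flake-secret.lock | cut -f1 -d' ')"
if [[ "$pre_lock_hash" != "$post_lock_hash" || "${NIX_SECRET_FORCE:-}" == 1 ]]; then
  cp flake-secret.lock flake.lock \
    || printf '%s\n' \
      "nix-secret-wrapper: could not copy flake-secret.lock to flake.lock" >&2
  # Until this re-lock succeeds, flake.lock is a verbatim copy of
  # flake-secret.lock and still pins the real `secret` input, so a failure
  # here must not pass silently.
  .nix-unwrapped flake lock --override-input secret sourcehut:~magic_rb/empty \
    || printf '%s\n' \
      "nix-secret-wrapper: re-lock failed; flake.lock may still pin the secret input, check it before committing" >&2
fi

# The wrapper's status is always that of the wrapped nix invocation.
exit "$ret_code"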