if [[ "$NIX_SECRET_WRAPPER_DEBUG" = 1 ]] ; then set -x fi if ! [ -z $NIX_GET_COMPLETIONS ] || [ "$NIX_WRAPPER_BYPASS" = 1 ] ; then exec .nix-unwrapped "$@" fi pre_lock_hash="$(sha256sum flake-secret.lock | cut -f1 -d' ')" new_args=() i="0" flake=0 immutable=0 local=0 for arg in "$@" ; do if [[ "$arg" =~ ^git\+file://.*$ ]] ; then immutable=1 local=1 fi if [[ "$arg" =~ ^.\#.*$ ]] ; then local=1 fi done for arg in "$@" ; do case "$arg" in build|eval|run) new_args[$i]="$arg" new_args[$(($i + 1))]="--reference-lock-file" new_args[$(($i + 2))]="flake-secret.lock" if [[ "$immutable" == 0 ]] ; then new_args[$(($i + 3))]="--output-lock-file" new_args[$(($i + 4))]="flake-secret.lock" i="$(($i + 2))" fi i="$(($i + 3))" if [[ "$local" = 0 ]] ; then exec .nix-unwrapped "$@" fi ;; flake) new_args[$i]="$arg" i="$(($i + 1))" flake=1 ;; --*|-*) new_args[$i]="$arg" i="$(($i + 1))" ;; *) if [[ "$flake" == "1" ]] ; then new_args[$i]="$arg" new_args[$(($i + 1))]="--reference-lock-file" new_args[$(($i + 2))]="flake-secret.lock" new_args[$(($i + 3))]="--output-lock-file" new_args[$(($i + 4))]="flake-secret.lock" flake=0 i="$(($i + 5))" else new_args[$i]="$arg" i="$(($i + 1))" fi ;; esac done ( exec -a $0 .nix-unwrapped "${new_args[@]}" ) ret_code=$? post_lock_hash="$(sha256sum flake-secret.lock | cut -f1 -d' ')" if ! [[ "$pre_lock_hash" == "$post_lock_hash" ]] || [ "$NIX_SECRET_FORCE" = "1" ] ; then cp flake-secret.lock flake.lock .nix-unwrapped flake lock --override-input secret sourcehut:~magic_rb/empty fi exit $ret_code