# ol.sops 0.1

An extremely tiny and simple wrapper around the awesome sops (previously known as mozilla/sops)

## ol.sops

## sops

```clojure
(sops cmd)
(sops cmd args-or-opts)
(sops cmd args & opts)
```

A simple wrapper around babashka.process for calling sops.

You can call `sops` like this:

```clojure
(sops :command ["args vector"] :opt "value" :opt2 "value2")
```

There are several special opts that are handled by ol.sops:

- `:in` - An input stream that can be passed to sops
- `:out` - `:string` if you want to get a string back; `nil` (the default) will return an output stream you can slurp
- `:dir` - The working directory. Defaults to the current working directory
- `:sops-path` - Path to the sops binary. Defaults to `sops`
- `:env` - A map of environment variables that are passed to the process

All other opts are passed to the `sops` CLI. Consult `sops CMD --help` to see available options. To pass flags like `--verbose` use `:verbose true`. Always use the full names of the options, not the short versions like `-v`.

Refer to `babashka.process/process` for the exact behavior of `:in`, `:out`, `:dir`, and the exact nature of the return value.

Returns a record with (among other things, see `babashka.process/process`):

- `:out` the output stream
- `:exit` the exit code of sops
- `:err` a string containing the stderr output from sops, if any

If you `clojure.core/deref` the record, then it will block until the process has exited. If you slurp from the out stream, it will also block until the process has exited.

### Usage examples

Decrypt file in place:

```clojure
@(sops :decrypt ["secrets.sops.yaml"] :in-place true)
```

Decrypt file to a string:

```clojure
(slurp (:out (sops :decrypt ["secrets.sops.yaml"])))
```

[source](https://github.com/outskirtslabs/sops/blob/v0.1.x/src/ol/sops.clj#L6-L46)

---

## decrypt-file-to-str

```clojure
(decrypt-file-to-str file opts)
```

Decrypts the path `file` and returns the output as a string. Sugar over [`sops`](#sops).
Options:

- `:input-type` - Override file type detection (yaml, json, env, ini, binary)
- `:output-type` - Override output format (yaml, json, env, ini, binary)
- Other SOPS options as documented in `sops decrypt --help`

Example:

```clojure
(decrypt-file-to-str "secrets.sops.yaml" {})
(decrypt-file-to-str "secrets.enc" {:input-type "yaml" :output-type "json"})
```

[source](https://github.com/outskirtslabs/sops/blob/v0.1.x/src/ol/sops.clj#L48-L62)

---

## encrypt-to-file

```clojure
(encrypt-to-file file plaintext opts)
```

Encrypts the `plaintext` string and writes the encrypted content to `file`. Sugar over [`sops`](#sops).

The `file` path is used to match creation rules in `.sops.yaml` and to determine the file format.

Options:

- `:age` - Age recipient(s) to encrypt for (can be a single string or vector of strings)
- `:pgp` - PGP fingerprint(s) to encrypt for (can be a single string or vector of strings)
- `:gcp-kms` - GCP KMS resource ID(s) to encrypt with (can be a single string or vector of strings)
- `:azure-kv` - Azure Key Vault URL(s) to encrypt with (can be a single string or vector of strings)
- `:kms` - AWS KMS ARN(s) to encrypt with (can be a single string or vector of strings)
- `:aws-profile` - The AWS profile to use for requests to AWS
- Other SOPS options as documented in `sops encrypt --help`

Example:

```clojure
(encrypt-to-file "secrets.sops.yaml" "foo: bar" {:age "age1..."})
```

[source](https://github.com/outskirtslabs/sops/blob/v0.1.x/src/ol/sops.clj#L64-L83)

---

## with-process-opts _macro_

```clojure
(with-process-opts env-map & body)
```

An escape hatch that executes body with additional babashka/process options merged into the process call.
Example:

```clojure
;; Override the environment
(with-process-opts {:extra-env {:SOPS_AGE_KEY_FILE "/some/path/to/keys.txt"}}
  (sops :decrypt ["secrets.yaml"]))
```

[source](https://github.com/outskirtslabs/sops/blob/v0.1.x/src/ol/sops.clj#L85-L96)

## Changelog

All notable changes to this project will be documented in this file.

This project uses [*Break Versioning*](https://www.taoensso.com/break-versioning).

## [UNRELEASED]

## `v0.1.0` (2025-10-03)

This is the first public release of this codebase under the `ol.sops` name.

Please report any problems and let me know if anything is unclear, inconvenient, etc. Thank you! 🙏

## `ol.sops`

> An extremely tiny and simple wrapper around the awesome sops (previously
> known as mozilla/sops)

![doc](https://img.shields.io/badge/doc-outskirtslabs-orange.svg)
![status: maturing](https://img.shields.io/badge/status-maturing-yellow.svg)
![built with garnix](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Fgarnix.io%2Fapi%2Fbadges%2Foutskirtslabs%2Fsops)
[![Clojars Project](https://img.shields.io/clojars/v/com.outskirtslabs/sops.svg)](https://clojars.org/com.outskirtslabs/sops)

This is intended for [babashka](https://babashka.org/) and JVM Clojure and provides an idiomatic and data-driven wrapper around the CLI tool.

Project status: **[Maturing](https://docs.outskirtslabs.com/open-source-vital-signs#maturing)**.
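An added example, not part of the ol.sops project: the API reference above says the returned record carries `:exit` and `:err`, so a caller can fail closed when sops exits non-zero instead of treating empty or partial output as a secret. The namespace and function names are hypothetical; the code assumes `sops` is on the PATH and an age key file exists, and it uses only calls documented on this page.

```clojure
(ns example.checked-sops
  ;; Added example; this namespace and its function names are hypothetical.
  (:require [ol.sops :as sops]))

(defn- check!
  "Derefs the process record returned by ol.sops (blocks until sops exits)
  and throws unless the exit code is 0. Only the exit code and stderr go
  into the exception, never stdout, so plaintext stays out of error logs."
  [action file proc]
  (let [{:keys [exit err] :as result} @proc]
    (when-not (zero? exit)
      (throw (ex-info (str "sops " action " failed for " file)
                      {:file file :exit exit :err err})))
    result))

(defn encrypt-checked!
  "Encrypts `plaintext` to `file` for one age recipient; returns `file`
  only if sops reported success."
  [file plaintext age-recipient]
  (check! "encrypt" file
          (sops/encrypt-to-file file plaintext {:age age-recipient}))
  file)

(defn decrypt-checked
  "Decrypts `file` to a string without writing plaintext to disk.
  `:out :string` asks for a string instead of a stream; the key file is
  passed through `:env`, as in the Quick Start."
  [file key-file]
  (:out (check! "decrypt" file
                (sops/sops :decrypt [file]
                           :out :string
                           :env {"SOPS_AGE_KEY_FILE" key-file}))))

(comment
  ;; "age1..." is the placeholder recipient from the API reference;
  ;; substitute a real age public key before running.
  (encrypt-checked! "output.sops.json" "{\"foo\": \"bar\"}" "age1...")
  (decrypt-checked "output.sops.json" "dev/keys.txt"))
```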
## Installation

```clojure
;; deps.edn
{:deps {com.outskirtslabs/sops {:mvn/version "0.1.0"}}}

;; Leiningen
[com.outskirtslabs/sops "0.1.0"]
```

## Quick Start

```clojure
(ns myapp.core
  (:require [ol.sops :as sops]))

;; decrypt a sops file to a string
(sops/decrypt-file-to-str "dev/test.sops.yml"
                          {:env {"SOPS_AGE_KEY_FILE" "dev/keys.txt"}})
;; => "hello: world\n"

;; encrypt a plaintext to a file
@(sops/encrypt-to-file "output.sops.json"
                       (edn->json {:foo "bar"})
                       {:age "age15905pjs5av9nyh8rdt4zrzn7x0mdud20eyf7tsvz63mygvsfhd9sclsh94"})
```

## Documentation

* [Docs](https://docs.outskirtslabs.com/ol.sops/0.1/)
* [API Reference](https://docs.outskirtslabs.com/ol.sops/0.1/api)
* [Support via GitHub Issues](https://github.com/outskirtslabs/sops/issues)

## Security

See [here](https://github.com/outskirtslabs/sops/security) for security advisories or to report a security vulnerability.

## License

Copyright © 2025 Casey Link casey@outskirtslabs.com

Distributed under the [MIT License](./LICENSE)

## Security policy

## Advisories

All security advisories will be posted [on GitHub](https://github.com/outskirtslabs/sops/security/advisories).

## Reporting a vulnerability

Please report possible security vulnerabilities [via GitHub](https://github.com/outskirtslabs/sops/security/advisories), or by emailing me at `casey@outskirtslabs.com`. You may encrypt emails with [my public PGP key](https://casey.link/pgp.asc).

For the organization-wide security policy, see [Outskirts Labs Security Policy](https://docs.outskirtslabs.com/security-policy).

Thank you!

— [Casey Link](https://casey.link)