# ol.sops ## sops ```clojure (sops cmd) (sops cmd args-or-opts) (sops cmd args & opts) ``` A simple wrapper around babashka.process for calling sops. You can call `sops` like this: (sops :command ["args vector"] :opt "value" :opt2 "value2") There are several special opts, that are handled by ol.sops: :in - An input stream than can be passed to sops :out - :string if you want to get a string back, nil (the default) will return an output stream you can slurp :dir - The working directory. Defaults to the current working directory :sops-path - Path to the sops binary. Defaults to `sops` :env - a map of environment variables that are passed to the process All other opts are passed to the `sops` CLI. Consult `sops CMD --help` to see available options. To pass flags like `--verbose` use `:verbose true`. Always use full names of the options, not the short versions like -v. Refer to `babashka.process/process` for the exact behavior of: :in, :out, :dir, and the exact nature of the return value. Returns a record with (among other things, see `babashka.process/process`): - `:out` the output stream - `:exit` the exit code of sops - `:err` a string containing the stderr output from sops, if any If you `clojure.core/deref` the record, then it will block until the process has exited. If you slurp from the out stream, it will also block until the process has exited. Usage examples -------------- Decrypt file in place @(sops :decrypt ["secrets.sops.yaml"] :in-place) Decrypt file to a string (slurp (:out (sops :decrypt ["secrets.sops.yaml"]))) [source,window=_blank](https://github.com/outskirtslabs/sops/blob/main/src/ol/sops.clj#L6-L46) --- ## decrypt-file-to-str ```clojure (decrypt-file-to-str file opts) ``` Decrypts the path `file` and returns the output as a string. Sugar over [`sops`](#sops). Options: - `:input-type` - Override file type detection (yaml, json, env, ini, binary) - `:output-type` - Override output format (yaml, json, env, ini, binary) - Other SOPS options as documented in `sops decrypt --help` Example: ```clojure (decrypt-file "secrets.sops.yaml" {}) (decrypt-file "secrets.enc" {:input-type "yaml" :output-type "json"}) ``` [source,window=_blank](https://github.com/outskirtslabs/sops/blob/main/src/ol/sops.clj#L48-L62) --- ## encrypt-to-file ```clojure (encrypt-to-file file plaintext opts) ``` Encrypts `plaintext` string and writes encrypted content to `file`. Sugar over [`sops`](#sops). The `file` path is used to match creation rules in `.sops.yaml` and determine the file format. Options: - `:age` - Age recipient(s) to encrypt for (can be a single string or vector of strings) - `:pgp` - PGP fingerprint(s) to encrypt for (can be a single string or vector of strings) - `:gcp-kms` - GCP KMS resource ID(s) to encrypt with (can be a single string or vector of strings) - `:azure-kv` - Azure Key Vault URL(s) to encrypt with (can be a single string or vector of strings) - `:kms` - AWS KMS ARN(s) to encrypt with (can be a single string or vector of strings) - `:aws-profile` - The AWS profile to use for requests to AWS - Other SOPS options as documented in `sops encrypt --help` Example: ```clojure (encrypt-to-file "secrets.sops.yaml" "foo: bar" {:age "age1..."}) ``` [source,window=_blank](https://github.com/outskirtslabs/sops/blob/main/src/ol/sops.clj#L64-L83) --- ## with-process-opts _macro_ ```clojure (with-process-opts env-map & body) ``` An escape hatch that executes body with additional babashka/process options merged into the process call. Example: ```clojure ;; Override the environemnt (with-process-opts {:extra-env {:SOPS_AGE_KEY_FILE "/some/path/to/keys.txt"}} (sops :decrypt ["secrets.yaml"])) ``` [source,window=_blank](https://github.com/outskirtslabs/sops/blob/main/src/ol/sops.clj#L85-L96)