provisioning/scripts/secrets-encrypt.nu

#!/usr/bin/env nu
# SOPS encryption with vault-service age keys
# Encrypts configuration files using Age public key from vault-service
# Usage: secrets-encrypt <file> [--environment dev|staging|prod] [--output <file>]

use std log

def get-vault-url [] {
    $env.VAULT_SERVICE_URL? // "http://localhost:9094"
}

def get-vault-token [] {
    $env.VAULT_SERVICE_TOKEN? // ""
}

def fetch-age-public-key [environment: string] {
    let url = $"(get-vault-url)/api/v1/age/get-public?env=($environment)"
    let token = (get-vault-token)

    let headers = if ($token | is-empty) {
        {}
    } else {
        {"X-Vault-Token": $token}
    }

    let response = (http get -H $headers $url | complete)

    if $response.exit_code != 0 {
        error make {
            msg: "Cannot connect to vault-service"
            label: {
                text: $"Check VAULT_SERVICE_URL (set to: (get-vault-url))"
                span: (metadata $environment).span
            }
        }
    }

    let json = ($response.stdout | from json)
    $json.public_key
}

def main [
    file: string
    --environment: string = "dev"
    --output: string = ""
] {
    let input_path = if ($file | path exists) {
        $file
    } else {
        error make {
            msg: "File not found"
            label: {
                text: $file
                span: (metadata $file).span
            }
        }
    }

    # Validate environment
    if $environment not-in ["dev", "staging", "prod"] {
        error make {
            msg: "Invalid environment"
            label: {
                text: "Must be: dev, staging, or prod"
                span: (metadata $file).span
            }
        }
    }

    let output_path = if ($output | is-empty) {
        $"($input_path).enc"
    } else {
        $output
    }

    print $"Fetching Age public key for ($environment)..."
    let pubkey = (fetch-age-public-key $environment)
    print $"✓ Age public key: ($pubkey | str substring 0..20)..."

    print $"Encrypting ($input_path) with SOPS..."
    let result = (
        ^sops --encrypt --age $pubkey --encrypted-regex '^(password|token|key|secret|api_key)$' --input-type "yaml" --output-type "yaml" --output $output_path $input_path
        | complete
    )

    if $result.exit_code != 0 {
        let stderr = $result.stderr
        error make {
            msg: "SOPS encryption failed"
            label: {
                text: $stderr
                span: (metadata $file).span
            }
        }
    }

    print $"✓ Encrypted file: ($output_path)"
    {
        success: true
        input: $input_path
        output: $output_path
        environment: $environment
        public_key: $pubkey
    }
}
docs: update README and CHANGELOG for nickel branch (2026-05-12) 2026-05-12 02:23:01 +01:00			`#!/usr/bin/env nu`
			`# SOPS encryption with vault-service age keys`
			`# Encrypts configuration files using Age public key from vault-service`
			`# Usage: secrets-encrypt <file> [--environment dev\|staging\|prod] [--output <file>]`

			`use std log`

			`def get-vault-url [] {`
			`$env.VAULT_SERVICE_URL? // "http://localhost:9094"`
			`}`

			`def get-vault-token [] {`
			`$env.VAULT_SERVICE_TOKEN? // ""`
			`}`

			`def fetch-age-public-key [environment: string] {`
			`let url = $"(get-vault-url)/api/v1/age/get-public?env=($environment)"`
			`let token = (get-vault-token)`

			`let headers = if ($token \| is-empty) {`
			`{}`
			`} else {`
			`{"X-Vault-Token": $token}`
			`}`

			`let response = (http get -H $headers $url \| complete)`

			`if $response.exit_code != 0 {`
			`error make {`
			`msg: "Cannot connect to vault-service"`
			`label: {`
			`text: $"Check VAULT_SERVICE_URL (set to: (get-vault-url))"`
			`span: (metadata $environment).span`
			`}`
			`}`
			`}`

			`let json = ($response.stdout \| from json)`
			`$json.public_key`
			`}`

			`def main [`
			`file: string`
			`--environment: string = "dev"`
			`--output: string = ""`
			`] {`
			`let input_path = if ($file \| path exists) {`
			`$file`
			`} else {`
			`error make {`
			`msg: "File not found"`
			`label: {`
			`text: $file`
			`span: (metadata $file).span`
			`}`
			`}`
			`}`

			`# Validate environment`
			`if $environment not-in ["dev", "staging", "prod"] {`
			`error make {`
			`msg: "Invalid environment"`
			`label: {`
			`text: "Must be: dev, staging, or prod"`
			`span: (metadata $file).span`
			`}`
			`}`
			`}`

			`let output_path = if ($output \| is-empty) {`
			`$"($input_path).enc"`
			`} else {`
			`$output`
			`}`

			`print $"Fetching Age public key for ($environment)..."`
			`let pubkey = (fetch-age-public-key $environment)`
			`print $"✓ Age public key: ($pubkey \| str substring 0..20)..."`

			`print $"Encrypting ($input_path) with SOPS..."`
			`let result = (`
			`^sops --encrypt --age $pubkey --encrypted-regex '^(password\|token\|key\|secret\|api_key)$' --input-type "yaml" --output-type "yaml" --output $output_path $input_path`
			`\| complete`
			`)`

			`if $result.exit_code != 0 {`
			`let stderr = $result.stderr`
			`error make {`
			`msg: "SOPS encryption failed"`
			`label: {`
			`text: $stderr`
			`span: (metadata $file).span`
			`}`
			`}`
			`}`

			`print $"✓ Encrypted file: ($output_path)"`
			`{`
			`success: true`
			`input: $input_path`
			`output: $output_path`
			`environment: $environment`
			`public_key: $pubkey`
			`}`
			`}`