vst
diff --git a/‎.gitignore
Lines changed: 1 addition & 0 deletions b/‎.gitignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎.hlint.yaml
Lines changed: 3 additions & 0 deletions b/‎.hlint.yaml
Lines changed: 3 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 293 additions & 20 deletions b/‎README.md
Lines changed: 293 additions & 20 deletions
diff --git a/‎app/Main.hs
Lines changed: 1 addition & 1 deletion b/‎app/Main.hs
Lines changed: 1 addition & 1 deletion
@@ -5,3 +5,4 @@
 /dist-newstyle
 /result
 /tmp
+spec.yaml
@@ -30,6 +30,9 @@
     - default: false # All extension are banned by default.
     - name:
         - OverloadedStrings
+        - QuasiQuotes
+        - RecordWildCards
+        - TupleSections
 
 ################
 # CUSTOM RULES #
 
@@ -1,40 +1,309 @@
-# Haskell Project Template
+# opsops: SOPS(-Nix) Goodies
 
-This is an opinionated template for creating Haskell projects. It uses
-[Nix], [hpack] and [cabal].
+![GitHub Release](https://img.shields.io/github/v/release/vst/opsops)
+![GitHub issues](https://img.shields.io/github/issues/vst/opsops)
+![GitHub last commit (branch)](https://img.shields.io/github/last-commit/vst/opsops/main)
+![GitHub License](https://img.shields.io/github/license/vst/opsops)
 
-> **TODO** Provide minimum viable documentation.
+`opsops` is a command-line application to generate clear [SOPS]
+secrets from a given specification and generate [sops-nix] snippets
+for it.
 
-## Quickstart
+The specification is a YAML/JSON file representing a tree-like
+structure where terminal nodes represent how the clear secrets will be
+generated, and internal nodes represent the "path" to the clear
+secret.
 
-Create your repository from this template, clone it on your computer
-and enter its directory.
+Currently, system processes, scripts and 1password field reference
+URIs are supported:
 
-Then, run following to configure your project:
+```yaml
+secrets:
+  zamazingo:
+    secret:
+      type: "process"
+      value:
+        command: "zamazingo"
+        arguments: ["--hip", "hop"]
+  github:
+    token:
+      type: "script"
+      value:
+        content: "printf \"%s\" \"$(gh auth token)\""
+  example.com:
+    password:
+      type: "script"
+      value:
+        interpreter: "python3"
+        content: |
+          import netrc
+          import sys
+
+          _login, _account, password = netrc.netrc().authenticators("example.com")
+
+          sys.stdout.write("password")
+  dockerhub:
+    password:
+      type: "op"
+      value:
+        account: "PAIT5BAHSH7DAPEING3EEDIE2E"
+        vault: "Cloud Accounts"
+        item: "yies1Ahl4ahqu1afao4nahshoo"
+        field: "password"
+  influxdb:
+    token:
+      type: "op-read"
+      value:
+        account: "IPAEPH0JI3REE8FICHOOVU4CHA"
+        uri: "op://Devops/OokahCuZ4fo8ahphie1aiFa0ei/API Tokens/write-only"
+```
+
+<!--toc:start-->
+- [opsops: SOPS(-Nix) Goodies](#opsops-sops-nix-goodies)
+  - [Installation](#installation)
+    - [Using `nix-env`](#using-nix-env)
+    - [Using `nix-profile`](#using-nix-profile)
+    - [Using `niv`](#using-niv)
+  - [Usage](#usage)
+    - [Specification](#specification)
+    - [See Canonical Specification](#see-canonical-specification)
+    - [Render Clear Secrets](#render-clear-secrets)
+    - [Create Snippet for `sops-nix`](#create-snippet-for-sops-nix)
+  - [Development](#development)
+  - [License](#license)
+<!--toc:end-->
+
+## Installation
+
+> [!WARNING]
+>
+> If 1Password is used, 1Password CLI application (`op`) must be on
+> `PATH` when running `opsops`.
+
+### Using `nix-env`
 
 ```sh
-bash ./run-template.sh
+nix-env --install --file https://github.com/vst/opsops/archive/main.tar.gz --attr app
 ```
 
-It will prompt some questions and configure your project according to
-your answers.
+### Using `nix-profile`
 
-Once it is configured, provision `direnv`:
+```sh
+nix profile install --file https://github.com/vst/opsops/archive/main.tar.gz app
+```
+
+### Using `niv`
 
 ```sh
-direnv allow
+niv add vst/opsops -n opsops
+```
+
+... and then:
+
+```sh
+sources = import ./nix/sources.nix;
+opsops = (import sources.opsops { }).app;
+```
+
+... and finally add `opsops` to your system packages, home packages or
+Nix shell build inputs.
+
+## Usage
+
+### Specification
+
+A specification is a YAML (or JSON) file. Here is an example:
+
+<details>
+  <summary>See Example</summary>
+
+```yaml
+## File: opsops.yaml
+secrets:
+  zamazingo:
+    secret:
+      type: "process"
+      value:
+        command: "zamazingo"
+        arguments: ["--hip", "hop"]
+  github:
+    token:
+      type: "script"
+      value:
+        content: "printf \"%s\" \"$(gh auth token)\""
+  example.com:
+    password:
+      type: "script"
+      value:
+        interpreter: "python3"
+        content: |
+          import netrc
+          import sys
+
+          _login, _account, password = netrc.netrc().authenticators("example.com")
+
+          sys.stdout.write("password")
+  dockerhub:
+    password:
+      type: "op"
+      value:
+        account: "PAIT5BAHSH7DAPEING3EEDIE2E"
+        vault: "Cloud Accounts"
+        item: "yies1Ahl4ahqu1afao4nahshoo"
+        field: "password"
+  influxdb:
+    token:
+      type: "op-read"
+      value:
+        account: "IPAEPH0JI3REE8FICHOOVU4CHA"
+        uri: "op://Devops/OokahCuZ4fo8ahphie1aiFa0ei/API Tokens/write-only"
+```
+</details>
+
+### See Canonical Specification
+
+To see canonical/normalized specification:
+
+```sh
+opsops normalize --input opsops.yaml
+```
+
+<details>
+  <summary>See Output</summary>
+
+```yaml
+secrets:
+  dockerhub:
+    password:
+      type: op
+      value:
+        account: PAIT5BAHSH7DAPEING3EEDIE2E
+        field: password
+        item: yies1Ahl4ahqu1afao4nahshoo
+        newline: false
+        section: null
+        vault: Cloud Accounts
+  example.com:
+    password:
+      type: script
+      value:
+        arguments: []
+        content: |
+          import netrc
+          import sys
+
+          _login, _account, password = netrc.netrc().authenticators("example.com")
+
+          sys.stdout.write("password")
+        interpreter: python3
+  github:
+    token:
+      type: script
+      value:
+        arguments: []
+        content: |
+          printf "%s" "$(gh auth token)"
+        interpreter: bash
+  influxdb:
+    token:
+      type: op-read
+      value:
+        account: IPAEPH0JI3REE8FICHOOVU4CHA
+        newline: false
+        uri: op://Devops/OokahCuZ4fo8ahphie1aiFa0ei/API Tokens/write-only
+  zamazingo:
+    secret:
+      type: process
+      value:
+        arguments:
+        - --hip
+        - hop
+        command: zamazingo
+        environment: {}
+```
+</details>
+
+### Render Clear Secrets
+
+> [!WARNING]
+>
+> If 1Password is used, 1Password CLI application (`op`) should be
+> authenticated first:
+>
+> ```sh
+> eval $(op signin -f [--account <ACCOUNT>])
+> ```
+
+To render clear secrets:
+
+```sh
+opsops render --input opsops.yaml
+```
+
+<details>
+  <summary>See Output</summary>
+
+```yaml
+example.com:
+  password: password
+github:
+  token: gho_meecubier5dinohSh3tohphaekuo5Phahpei
+zamazingo:
+  secret: hebelehubele
+dockerhub:
+  password: ohbauy5eing8pheSh6iigooweeZee6ch
+influxdb:
+  token: mu9aephabeadi7zi8goo9peYo8yae7ge
+```
+</details>
+
+### Create Snippet for `sops-nix`
+
+To create snippet for `sops-nix` that can be copied/pasted inside the
+`sops-nix` module configuration:
+
+```sh
+opsops snippet sops-nix --input opsops.yaml
 ```
 
-And run the big, long build command as given in the next section.
+<details>
+  <summary>See Output</summary>
+
+```nix
+"dockerhub/password" = {};
+"example.com/password" = {};
+"github/token" = {};
+"influxdb/token" = {};
+"zamazingo/secret" = {};
+```
+</details
 
-Finally, you can remove the `run-template.sh` script:
+... or with some prefix:
 
 ```sh
-rm run-template.sh
+opsops snippet sops-nix --input opsops.yaml --prefix my_namespace
+```
+
+<details>
+  <summary>See Output</summary>
+
+```nix
+"my_namespace/dockerhub/password" = { key = "dockerhub/password"; };
+"my_namespace/example.com/password" = { key = "example.com/password"; };
+"my_namespace/github/token" = { key = "github/token"; };
+"my_namespace/influxdb/token" = { key = "influxdb/token"; };
+"my_namespace/zamazingo/secret" = { key = "zamazingo/secret"; };
 ```
+</details>
 
 ## Development
 
+Provision `direnv`:
+
+```sh
+direnv allow
+```
+
 Big, long build command for the impatient:
 
 ```sh
@@ -45,13 +314,17 @@ hpack &&
     find . -iname "*.nix" -not -path "*/nix/sources.nix" -print0 | xargs --null nixpkgs-fmt &&
     hlint app/ src/ test/ &&
     cabal build -O0 &&
-    cabal run -O0 haskell-template-hebele -- --version &&
+    cabal run -O0 opsops -- --version &&
     cabal v1-test &&
     cabal haddock -O0
 ```
 
+## License
+
+See [LICENSE].
+
 <!-- REFERENCES -->
 
-[Nix]: https://nixos.org
-[hpack]: https://github.com/sol/hpack
-[cabal]: https://www.haskell.org/cabal
+[LICENSE]: ./LICENSE.md
+[SOPS]: https://github.com/getsops/sops
+[sops-nix]: https://github.com/Mic92/sops-nix
@@ -1,6 +1,6 @@
 module Main where
 
-import qualified Hebele.Cli as Cli
+import qualified Opsops.Cli as Cli
 import System.Exit (exitWith)