sops: remove the default examples

2025-06-06 21:56:45 +00:00
parent 503cc832d4
commit 0951725e36
3 changed files with 34 additions and 8 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -1096,14 +1096,6 @@ in
    # TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
    snapshot.sandbox.method = null;  #< TODO: sandbox

-    sops.sandbox.extraHomePaths = [
-      ".config/sops"
-      "nixos"
-      # TODO: sops should only need access to knowledge/secrets,
-      # except that i currently put its .sops.yaml config in the root of ~/knowledge
-      "knowledge"
-    ];
-
    sox.sandbox.autodetectCliPaths = "existingFileOrParent";
    sox.sandbox.whitelistAudio = true;

--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -189,6 +189,7 @@
    ./sm64coopdx.nix
    ./sm64ex-coop.nix
    ./smartmontools.nix
+    ./sops.nix
    ./soundconverter.nix
    ./splatmoji.nix
    ./spot.nix
--- a/hosts/common/programs/sops.nix
+++ b/hosts/common/programs/sops.nix
@@ -0,0 +1,33 @@
+{ pkgs, ... }: {
+  sane.programs.sops = {
+    packageUnwrapped = pkgs.sops.overrideAttrs (upstream: {
+      # sops default behavior is to pre-populate a file with a bunch of example text.
+      # deleting that text for _every_ new secret is annoying.
+      # not tunable by config, so patch out.
+      postPatch = (upstream.postPatch or "") + ''
+        substituteInPlace stores/dotenv/store.go --replace-fail \
+          'stores.ExampleFlatTree.Branches' \
+          'sops.TreeBranches{sops.TreeBranch{}}'
+        substituteInPlace stores/ini/store.go --replace-fail \
+          'stores.ExampleSimpleTree.Branches' \
+          'sops.TreeBranches{}'
+        substituteInPlace stores/json/store.go --replace-fail \
+          'stores.ExampleComplexTree.Branches' \
+          'sops.TreeBranches{sops.TreeBranch{}}'
+        substituteInPlace stores/yaml/store.go --replace-fail \
+          'stores.ExampleComplexTree.Branches' \
+          'sops.TreeBranches{}'
+
+        # substituteInPlace cmd/sops/edit.go \
+        #   --replace-fail 'opts.InputStore.EmitExample()'  '[]byte("")'
+      '';
+    });
+    sandbox.extraHomePaths = [
+      ".config/sops"
+      "nixos"
+      # TODO: sops should only need access to knowledge/secrets,
+      # except that i currently put its .sops.yaml config in the root of ~/knowledge
+      "knowledge"
+    ];
+  };
+}