Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: sops implementation

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2025-11-28 01:32:23 +01:00
parent 301e090251
commit 6935fbea8b
1 changed files with 41 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
hosts/nb/modules/development/nvim/config/sops.lua
View File

@@ -44,7 +44,7 @@ vim.api.nvim_create_autocmd("BufReadPre", {
pattern = secrets_patterns, pattern = secrets_patterns,
callback = function(args) callback = function(args)
-- Set filetype to yaml before the file is read so syntax highlighting works -- Set filetype to yaml before the file is read so syntax highlighting works
vim.bo.filetype = "yaml" vim.bo[args.buf].filetype = "yaml"
end, end,
}) })
@@ -98,26 +98,26 @@ vim.api.nvim_create_autocmd("BufReadPost", {
return return
end end
-- Detach LSP clients BEFORE replacing buffer to prevent sync errors
detach_lsp_clients(args.buf)
-- Replace buffer content with decrypted content -- Replace buffer content with decrypted content
vim.api.nvim_buf_set_lines(0, 0, -1, false, vim.split(result, "\n")) vim.api.nvim_buf_set_lines(args.buf, 0, -1, false, vim.split(result, "\n"))
-- Mark buffer as not modified (since we just loaded it) -- Mark buffer as not modified (since we just loaded it)
vim.bo.modified = false vim.bo[args.buf].modified = false
-- Restore cursor position -- Restore cursor position
pcall(vim.api.nvim_win_set_cursor, 0, cursor_pos) pcall(vim.api.nvim_win_set_cursor, 0, cursor_pos)
-- Disable swap, backup, and undo files for security -- Disable swap, backup, and undo files for security
vim.bo.swapfile = false vim.bo[args.buf].swapfile = false
vim.bo.backup = false vim.bo[args.buf].backup = false
vim.bo.writebackup = false vim.bo[args.buf].writebackup = false
vim.bo.undofile = false vim.bo[args.buf].undofile = false
-- Ensure filetype is set to yaml for syntax highlighting -- Ensure filetype is set to yaml for syntax highlighting
vim.bo.filetype = "yaml" vim.bo[args.buf].filetype = "yaml"
-- Detach LSP clients to prevent sync errors when buffer content is replaced
detach_lsp_clients(0)
vim.notify("SOPS: File decrypted successfully", vim.log.levels.INFO) vim.notify("SOPS: File decrypted successfully", vim.log.levels.INFO)
else else
@@ -132,17 +132,22 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
group = sops_group, group = sops_group,
pattern = secrets_patterns, pattern = secrets_patterns,
callback = function(args) callback = function(args)
local filepath = vim.fn.expand("%:p") local filepath = vim.api.nvim_buf_get_name(args.buf)
if not is_secrets_file(filepath) then
return
end
if is_secrets_file(filepath) then
-- Guard against double-execution -- Guard against double-execution
if currently_saving[filepath] then if currently_saving[filepath] then
return return
end end
currently_saving[filepath] = true currently_saving[filepath] = true
-- Use pcall to ensure guard is always cleared, even on unexpected errors
local ok, err = pcall(function()
-- Get current buffer content -- Get current buffer content
local lines = vim.api.nvim_buf_get_lines(0, 0, -1, false) local lines = vim.api.nvim_buf_get_lines(args.buf, 0, -1, false)
local content = table.concat(lines, "\n") local content = table.concat(lines, "\n")
-- Check buffer content size before encrypting -- Check buffer content size before encrypting
@@ -153,8 +158,6 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
string.format("SOPS: Buffer content too large (%sMB > %sMB limit). Cannot encrypt.", size_mb, limit_mb), string.format("SOPS: Buffer content too large (%sMB > %sMB limit). Cannot encrypt.", size_mb, limit_mb),
vim.log.levels.ERROR vim.log.levels.ERROR
) )
-- Don't write anything, leave buffer marked as modified
currently_saving[filepath] = nil
return return
end end
@@ -168,8 +171,6 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
local temp_f, temp_err = io.open(temp_file, "w") local temp_f, temp_err = io.open(temp_file, "w")
if not temp_f then if not temp_f then
vim.notify("SOPS: Failed to create temp file: " .. (temp_err or "unknown error"), vim.log.levels.ERROR) vim.notify("SOPS: Failed to create temp file: " .. (temp_err or "unknown error"), vim.log.levels.ERROR)
-- Don't write anything, leave buffer marked as modified
currently_saving[filepath] = nil
return return
end end
temp_f:write(content) temp_f:write(content)
@@ -188,14 +189,14 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
if sops_exit_code == 0 then if sops_exit_code == 0 then
-- Write encrypted content directly to file -- Write encrypted content directly to file
local file, err = io.open(filepath, "w") local file, file_err = io.open(filepath, "w")
if file then if file then
local success, write_err = file:write(encrypted) local success, write_err = file:write(encrypted)
file:close() file:close()
if success then if success then
-- Mark buffer as saved -- Mark buffer as saved
vim.bo.modified = false vim.bo[args.buf].modified = false
vim.notify("SOPS: File encrypted and saved successfully", vim.log.levels.INFO) vim.notify("SOPS: File encrypted and saved successfully", vim.log.levels.INFO)
-- Re-decrypt to show plaintext in buffer -- Re-decrypt to show plaintext in buffer
@@ -207,37 +208,37 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
-- Save cursor position -- Save cursor position
local cursor_pos = vim.api.nvim_win_get_cursor(0) local cursor_pos = vim.api.nvim_win_get_cursor(0)
-- Detach LSP clients BEFORE replacing buffer to prevent sync errors
detach_lsp_clients(args.buf)
-- Replace buffer with decrypted content -- Replace buffer with decrypted content
vim.api.nvim_buf_set_lines(0, 0, -1, false, vim.split(decrypted, "\n")) vim.api.nvim_buf_set_lines(args.buf, 0, -1, false, vim.split(decrypted, "\n"))
-- Mark as not modified since we just saved -- Mark as not modified since we just saved
vim.bo.modified = false vim.bo[args.buf].modified = false
-- Restore cursor position -- Restore cursor position
pcall(vim.api.nvim_win_set_cursor, 0, cursor_pos) pcall(vim.api.nvim_win_set_cursor, 0, cursor_pos)
-- Detach LSP clients to prevent sync errors when buffer content is replaced
detach_lsp_clients(0)
else else
vim.notify("SOPS: Could not re-decrypt after save. Buffer may show encrypted content.", vim.log.levels.WARN) vim.notify("SOPS: Could not re-decrypt after save. Buffer may show encrypted content.", vim.log.levels.WARN)
end end
-- Clear guard after successful save
currently_saving[filepath] = nil
else else
vim.notify("SOPS: Failed to write encrypted content: " .. (write_err or "unknown error"), vim.log.levels.ERROR) vim.notify("SOPS: Failed to write encrypted content: " .. (write_err or "unknown error"), vim.log.levels.ERROR)
-- Don't mark as saved, keep buffer marked as modified
currently_saving[filepath] = nil
end end
else else
vim.notify("SOPS: Failed to open file for writing: " .. (err or "unknown error"), vim.log.levels.ERROR) vim.notify("SOPS: Failed to open file for writing: " .. (file_err or "unknown error"), vim.log.levels.ERROR)
-- Don't mark as saved, keep buffer marked as modified
currently_saving[filepath] = nil
end end
else else
vim.notify("SOPS: Failed to encrypt file - NOT SAVED! Error: " .. encrypted, vim.log.levels.ERROR) vim.notify("SOPS: Failed to encrypt file - NOT SAVED! Error: " .. encrypted, vim.log.levels.ERROR)
-- Don't write anything, leave buffer marked as modified
currently_saving[filepath] = nil
end end
end)
-- Always clear guard, even if pcall caught an error
currently_saving[filepath] = nil
-- Re-throw unexpected errors so they're visible
if not ok then
vim.notify("SOPS: Unexpected error during save: " .. tostring(err), vim.log.levels.ERROR)
end end
end, end,
}) })
@@ -247,7 +248,7 @@ vim.api.nvim_create_autocmd("BufLeave", {
group = sops_group, group = sops_group,
pattern = secrets_patterns, pattern = secrets_patterns,
callback = function(args) callback = function(args)
if vim.bo.modified then if vim.bo[args.buf].modified then
vim.notify("Warning: Unsaved changes in secrets file!", vim.log.levels.WARN) vim.notify("Warning: Unsaved changes in secrets file!", vim.log.levels.WARN)
end end
end, end,