network/nix/lib/config/salt-support/yaml-gpg.rb

#!/usr/bin/env ruby

require 'yaml'

def expand_gpg yaml
  if yaml.is_a? Hash
    yaml.transform_values { |value| expand_gpg value }
  elsif yaml.is_a? Array
    yaml.map { |value| expand_gpg value }
  elsif yaml.is_a? String
    if yaml =~ /^-----BEGIN PGP MESSAGE-----.+-----END PGP MESSAGE-----$/m
      IO::popen("gpg --decrypt", "r+") do |gpg|
        gpg.puts yaml
        gpg.close_write
        gpg.readlines.join "\n"
      end
    else
      yaml
    end
  else
    yaml
  end
end

ARGV.each do |filename|
  yaml = YAML::load File::read(filename)
  yaml = expand_gpg yaml
  puts YAML::dump(yaml)
end