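# Expand a Jinja2-templated YAML file, decrypt its GPG-protected values and
# return the result as a Nix value.
#
# Arguments:
#   pkgs       - package set providing gnupg, j2cli, ruby and yaml2json.
#   gpgKeyFile - key imported into a throw-away keyring before decryption.
#   path       - second (curried) argument: the template to expand.
#
# Security notes:
#   * `${gpgKeyFile}` interpolates a path value, so Nix copies the key file
#     into /nix/store. Store paths are readable by every local user and are
#     sent to remote builders as build inputs. Presumably this is the private
#     key (the script's output is named decrypted.yaml) -- confirm, and if so
#     treat the key as exposed on every host that evaluates this expression.
#   * `$out` is the decrypted JSON and also lives in the world-readable store.
#     Any derivation that embeds the returned values carries the plaintext.
#   * `builtins.readFile json` is import-from-derivation: the decryption runs
#     during evaluation, not only at build time.
#   Decrypting on the target at activation or run time (for example with
#   sops-nix or agenix) keeps both the key and the plaintext out of the store.
{ pkgs ? import <nixpkgs> {}  # `import {}` cannot be evaluated; the lookup path was missing
, gpgKeyFile ? ../../salt-gpg.asc
}:

path:

let
  json = pkgs.runCommand "json-from-j2yaml" {
    nativeBuildInputs = with pkgs; [
      gnupg
      pythonPackages.j2cli
      ruby
      yaml2json
    ];
  } ''
    # Throw-away keyring so the import never touches an existing ~/.gnupg.
    export GNUPGHOME=$(mktemp -d)
    gpg --import ${gpgKeyFile}

    # Pipeline: template -> YAML -> decrypted YAML -> JSON
    j2 ${path} > expanded.yaml
    ruby ${./yaml-gpg.rb} expanded.yaml > decrypted.yaml
    yaml2json < decrypted.yaml > $out
  '';
in
  builtins.fromJSON (builtins.readFile json)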