From 7711514b8543891eea6ae84392c74a379c5010de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edward=20Tj=C3=B6rnhammar?= <ed@cflags.cc>
Date: Sat, 14 Oct 2023 16:53:21 +0200
Subject: [PATCH] don't substitute binaries

---
 modules/sops/templates/default.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/sops/templates/default.nix b/modules/sops/templates/default.nix
index 750a531..0a543fd 100644
--- a/modules/sops/templates/default.nix
+++ b/modules/sops/templates/default.nix
@@ -90,11 +90,12 @@ in {
                 tpl = config.sops.templates.${name};
                 substitute = pkgs.writers.writePython3 "substitute" { }
                   (readFile ./subs.py);
-                subst-pairs = pkgs.writeText "pairs" (concatMapStringsSep "\n"
+                subst-pairs = pkgs.writeText "pairs" (flip (concatMapStringsSep "\n")
+                  (attrNames (filterAttrs (n: v: v ? format && v.format != "binary") config.sops.secrets))
                   (name:
                     "${toString config.sops.placeholder.${name}} ${
                       config.sops.secrets.${name}.path
-                    }") (attrNames config.sops.secrets));
+                    }"));
               in ''
                 mkdir -p "${dirOf tpl.path}"
                 (umask 077; ${substitute} ${tpl.file} ${subst-pairs} > ${tpl.path})