feat(tools): Introduce pass-compatible wrapper using Cloud KMS

Adds a shell script that supports a subset of the 'pass' interface for
compatibility with kontemplate, and wraps kontemplate in a script that
places this version on the PATH.

This makes it possible to use Cloud KMS encrypted secrets with kontemplate.

default.nix

@@ -28,6 +28,13 @@ let
       blog = self.callPackage ./services/tazblog {};
       blog_cli = self.callPackage ./tools/blog_cli {};
       gemma = self.callPackage ./services/gemma {};
+
+      kms_pass = self.callPackage ./tools/kms_pass {
+        project = "tazjins-infrastructure";
+        region = "europe-north1";
+        keyring = "tazjins-keys";
+        key = "kontemplate-key";
+      };
     };
 
     # Third-party projects (either vendored or modified from nixpkgs) go here:
@@ -49,6 +56,12 @@ let
       sha256 = "1wn7nmb1cqfk2j91l3rwc6yhimfkzxprb8wknw5wi57yhq9m6lv1";
     }) {}).elmPackages;
 
+    # Wrap kontemplate to inject the Cloud KMS version of 'pass'
+    kontemplate = self.writeShellScriptBin "kontemplate" ''
+      export PATH="${self.tazjin.kms_pass}/bin:$PATH"
+      exec ${super.kontemplate}/bin/kontemplate $@
+    '';
+
     # One of Gemma's dependencies is missing in nixpkgs' Quicklisp
     # package set, it is overlaid locally here.
     lispPackages = import ./third_party/common_lisp/quicklisp.nix {