tvl-depot/ops/secrets/mkSecrets.nix

# Expose secrets as part of the tree, making it possible to validate
# their paths at eval time.
#
# Note that encrypted secrets end up in the Nix store, but this is
# fine since they're publicly available anyways.
{ depot, pkgs, ... }:
path: secrets:

let
  inherit (builtins) attrNames listToAttrs;

  # Import a secret to the Nix store
  declareSecret = name: pkgs.runCommandNoCC name {} ''
    cp ${path + "/${name}"} $out
  '';
in depot.nix.readTree.drvTargets (listToAttrs (
  map (name: { inherit name; value = declareSecret name; })
    (attrNames secrets)
))
refactor(ops/secrets): generalize out a mkSecrets function Generalize out a reusable mkSecrets function from the secrets-tree-building that's happening in //ops/secrets, so the same thing can happen in other places in the depot (I want to use it for my personal infrastructure). Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679 Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: zseri <zseri.devel@ytrizja.de> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI 2021-12-26 20:44:37 +01:00			`# Expose secrets as part of the tree, making it possible to validate`
			`# their paths at eval time.`
			`#`
			`# Note that encrypted secrets end up in the Nix store, but this is`
			`# fine since they're publicly available anyways.`
			`{ depot, pkgs, ... }:`
			`path: secrets:`

			`let`
			`inherit (builtins) attrNames listToAttrs;`

			`# Import a secret to the Nix store`
			`declareSecret = name: pkgs.runCommandNoCC name {} ''`
			`cp ${path + "/${name}"} $out`
			`'';`
			`in depot.nix.readTree.drvTargets (listToAttrs (`
			`map (name: { inherit name; value = declareSecret name; })`
			`(attrNames secrets)`
			`))`