# Expose secrets as part of the tree, making it possible to validate
# their paths at eval time.
#
# Note that encrypted secrets end up in the Nix store, but this is
# fine since they're publicly available anyways. This only holds for the
# age-encrypted files, though: the store is world-readable, so a plaintext
# secret placed in this directory would be exposed to every user of the
# machine. Never put unencrypted material here.
{ depot, lib, ... }:
let
inherit (depot.nix.yants)
attrs
any
defun
list
path
restrict
string
struct
;
ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
in
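# Given the directory that holds the age-encrypted files and the agenix rules
# attrset (secret name -> { publicKeys = [ ... ]; }), return an attrset mapping
# each secret name to the store path of its ciphertext, wrapped by
# readTree.drvTargets (presumably so each secret shows up as a tree target;
# see depot.nix.readTree).
#
# Interpolating `dir` in a string coerces the path and copies the directory
# into the Nix store; the per-secret string then points at the file inside
# that store path. Because the whole directory is copied, only ciphertext may
# ever live in it.
#
# Each declared secret must actually exist on disk: `dir + "/${name}"` stays
# a path value (no store copy), and `builtins.pathExists` on it turns a typo
# in the rules or a missing .age file into an eval-time error instead of a
# failure in whatever derivation later consumes the secret. The lambda
# parameter is named `dir` rather than `path` so it does not shadow the yants
# `path` type used in the signature.
defun [ path (attrs agenixSecret) (attrs any) ]
  (dir: secrets:
    depot.nix.readTree.drvTargets
      (builtins.mapAttrs
        (name: _:
          assert builtins.pathExists (dir + "/${name}");
          "${dir}/${name}")
        secrets))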