tvl-depot/ops/secrets/mkSecrets.nix

# Expose secrets as part of the tree, making it possible to validate
# their paths at eval time.
#
# Note that encrypted secrets end up in the Nix store, but this is
# fine since they're publicly available anyways.
{ depot, lib, ... }:

let
  inherit (depot.nix.yants)
    attrs
    any
    defun
    list
    path
    restrict
    string
    struct
    ;
  ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
  agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
in

defun [ path (attrs agenixSecret) (attrs any) ]
  (path: secrets:
  depot.nix.readTree.drvTargets
    # Import each secret into the Nix store
    (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
refactor(ops/secrets): generalize out a mkSecrets function Generalize out a reusable mkSecrets function from the secrets-tree-building that's happening in //ops/secrets, so the same thing can happen in other places in the depot (I want to use it for my personal infrastructure). Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679 Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: zseri <zseri.devel@ytrizja.de> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI 2021-12-26 20:44:37 +01:00			`# Expose secrets as part of the tree, making it possible to validate`
			`# their paths at eval time.`
			`#`
			`# Note that encrypted secrets end up in the Nix store, but this is`
			`# fine since they're publicly available anyways.`
refactor(ops/secrets): optimize + typecheck mkSecrets Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688 Reviewed-by: zseri <zseri.devel@ytrizja.de> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: zseri <zseri.devel@ytrizja.de> Tested-by: BuildkiteCI 2021-12-27 02:07:45 +01:00			`{ depot, lib, ... }:`
refactor(ops/secrets): generalize out a mkSecrets function Generalize out a reusable mkSecrets function from the secrets-tree-building that's happening in //ops/secrets, so the same thing can happen in other places in the depot (I want to use it for my personal infrastructure). Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679 Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: zseri <zseri.devel@ytrizja.de> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI 2021-12-26 20:44:37 +01:00
			`let`
refactor(ops/secrets): optimize + typecheck mkSecrets Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688 Reviewed-by: zseri <zseri.devel@ytrizja.de> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: zseri <zseri.devel@ytrizja.de> Tested-by: BuildkiteCI 2021-12-27 02:07:45 +01:00			`inherit (depot.nix.yants)`
			`attrs`
			`any`
			`defun`
			`list`
			`path`
			`restrict`
			`string`
			`struct`
			`;`
			`ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;`
			`agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };`
			`in`
refactor(ops/secrets): generalize out a mkSecrets function Generalize out a reusable mkSecrets function from the secrets-tree-building that's happening in //ops/secrets, so the same thing can happen in other places in the depot (I want to use it for my personal infrastructure). Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679 Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: zseri <zseri.devel@ytrizja.de> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI 2021-12-26 20:44:37 +01:00
refactor(ops/secrets): optimize + typecheck mkSecrets Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688 Reviewed-by: zseri <zseri.devel@ytrizja.de> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: zseri <zseri.devel@ytrizja.de> Tested-by: BuildkiteCI 2021-12-27 02:07:45 +01:00			`defun [ path (attrs agenixSecret) (attrs any) ]`
			`(path: secrets:`
			`depot.nix.readTree.drvTargets`
			`# Import each secret into the Nix store`
			`(builtins.mapAttrs (name: _: "${path}/${name}") secrets))`