feat(ops/secrets): Make (encrypted) secrets part of the tree
Currently in NixOS configuration using agenix secrets there is no build time validation of secret paths - things fail at runtime (system activation). To prevent that, this CL makes the secrets part of the tree based on the same configuration file used by agenix itself. This guards against: * agenix secrets.nix definition for a non-existent file * age.secrets value in a NixOS config for a non-existent secret Change-Id: I5b191dcbd5b2522566ff7c38f8a988bbf7679364
This commit is contained in:
parent
8cbb42006a
commit
3a410a78df
2 changed files with 22 additions and 1 deletions
|
@ -205,7 +205,7 @@ in {
|
|||
# Configure secrets for services that need them.
|
||||
age.secrets =
|
||||
let
|
||||
secretFile = name: "${depot.path.origSrc}/ops/secrets/${name}.age";
|
||||
secretFile = name: depot.ops.secrets."${name}.age";
|
||||
in {
|
||||
clbot.file = secretFile "clbot";
|
||||
gerrit-queue.file = secretFile "gerrit-queue";
|
||||
|
|
21
ops/secrets/default.nix
Normal file
21
ops/secrets/default.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
# Expose secrets as part of the tree, making it possible to validate
|
||||
# their paths at eval time.
|
||||
#
|
||||
# Note that encrypted secrets end up in the Nix store, but this is
|
||||
# fine since they're publicly available anyways.
|
||||
{ depot, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (builtins) attrNames listToAttrs;
|
||||
|
||||
# Import agenix configuration file, this itself is not a readTree
|
||||
# target but defines all valid secrets.
|
||||
secrets = import ./secrets.nix;
|
||||
|
||||
# Import a secret to the Nix store
|
||||
declareSecret = name: pkgs.runCommandNoCC name {} ''
|
||||
cp ${./. + "/${name}"} $out
|
||||
'';
|
||||
in depot.nix.readTree.drvTargets (listToAttrs (
|
||||
map (name: { inherit name; value = declareSecret name; }) (attrNames secrets)
|
||||
))
|
Loading…
Reference in a new issue