refactor(ops/secrets): optimize + typecheck mkSecrets

Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Autosubmit: zseri <zseri.devel@ytrizja.de>
Tested-by: BuildkiteCI
This commit is contained in:
zseri 2021-12-27 02:07:45 +01:00 committed by clbot
parent d8cdd629f4
commit 52369a11e3

View file

@ -3,17 +3,25 @@
#
# Note that encrypted secrets end up in the Nix store, but this is
# fine since they're publicly available anyways.
{ depot, pkgs, ... }:
path: secrets:
{ depot, lib, ... }:
let
inherit (builtins) attrNames listToAttrs;
inherit (depot.nix.yants)
attrs
any
defun
list
path
restrict
string
struct
;
ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
in
# Import a secret to the Nix store
declareSecret = name: pkgs.runCommandNoCC name {} ''
cp ${path + "/${name}"} $out
'';
in depot.nix.readTree.drvTargets (listToAttrs (
map (name: { inherit name; value = declareSecret name; })
(attrNames secrets)
))
defun [ path (attrs agenixSecret) (attrs any) ]
(path: secrets:
depot.nix.readTree.drvTargets
# Import each secret into the Nix store
(builtins.mapAttrs (name: _: "${path}/${name}") secrets))