refactor(ops/secrets): optimize + typecheck mkSecrets
Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688 Reviewed-by: zseri <zseri.devel@ytrizja.de> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: zseri <zseri.devel@ytrizja.de> Tested-by: BuildkiteCI
This commit is contained in:
parent
d8cdd629f4
commit
52369a11e3
1 changed files with 19 additions and 11 deletions
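--- a/ops/secrets/<path-not-shown>
+++ b/ops/secrets/<path-not-shown>
@@ -3,17 +3,25 @@
 #
 # Note that encrypted secrets end up in the Nix store, but this is
 # fine since they're publicly available anyways.
-{ depot, pkgs, ... }:
-path: secrets:
+{ depot, lib, ... }:
 
 let
-inherit (builtins) attrNames listToAttrs;
+inherit (depot.nix.yants)
+attrs
+any
+defun
+list
+path
+restrict
+string
+struct
+;
+ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
+agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
+in
 
-# Import a secret to the Nix store
-declareSecret = name: pkgs.runCommandNoCC name {} ''
-cp ${path + "/${name}"} $out
-'';
-in depot.nix.readTree.drvTargets (listToAttrs (
-map (name: { inherit name; value = declareSecret name; })
-(attrNames secrets)
-))
+defun [ path (attrs agenixSecret) (attrs any) ]
+(path: secrets:
+depot.nix.readTree.drvTargets
+# Import each secret into the Nix store
+(builtins.mapAttrs (name: _: "${path}/${name}") secrets))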
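Review bot: The new mapAttrs body `"${path}/${name}"` interpolates the directory value `path` into a string, which (if I read Nix's path-to-string coercion right) copies the whole secrets directory into the store and then appends the file name, whereas the removed `cp ${path + "/${name}"} $out` imported only the one file per entry. That widens what lands in the world-readable store from the declared `secrets` keys to every file under `path`, so the header comment's "encrypted secrets ... publicly available anyways" argument no longer bounds what is exposed, and the inline comment "Import each secret into the Nix store" no longer describes the mechanism. Keeping per-file import is a one-line change: `(builtins.mapAttrs (name: _: "${path + "/${name}"}") secrets))`. If the directory-level copy is intended, the comment should say so, e.g. `# Coerce the secrets directory into the store once; each value is <storePath>/<name>`. Separately, the values are now plain strings rather than derivations; the page does not show how `depot.nix.readTree.drvTargets` treats non-derivation attributes, so it may be worth confirming that is the intended target shape.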