refactor(ops/secrets): generalize out a mkSecrets function

Generalize out a reusable mkSecrets function from the
secrets-tree-building that's happening in //ops/secrets, so the same
thing can happen in other places in the depot (I want to use it for my
personal infrastructure).

Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI

ops/secrets/default.nix

@@ -1,21 +1,3 @@
-# Expose secrets as part of the tree, making it possible to validate
-# their paths at eval time.
-#
-# Note that encrypted secrets end up in the Nix store, but this is
-# fine since they're publicly available anyways.
-{ depot, pkgs, ... }:
-
-let
-  inherit (builtins) attrNames listToAttrs;
-
-  # Import agenix configuration file, this itself is not a readTree
-  # target but defines all valid secrets.
-  secrets = import ./secrets.nix;
-
-  # Import a secret to the Nix store
-  declareSecret = name: pkgs.runCommandNoCC name {} ''
-    cp ${./. + "/${name}"} $out
-  '';
-in depot.nix.readTree.drvTargets (listToAttrs (
-  map (name: { inherit name; value = declareSecret name; }) (attrNames secrets)
-))
+args:
+let mkSecrets = import ./mkSecrets.nix args; in
+mkSecrets ./. (import ./secrets.nix) // { inherit mkSecrets; }

ops/secrets/mkSecrets.nix

@@ -0,0 +1,19 @@
+# Expose secrets as part of the tree, making it possible to validate
+# their paths at eval time.
+#
+# Note that encrypted secrets end up in the Nix store, but this is
+# fine since they're publicly available anyways.
+{ depot, pkgs, ... }:
+path: secrets:
+
+let
+  inherit (builtins) attrNames listToAttrs;
+
+  # Import a secret to the Nix store
+  declareSecret = name: pkgs.runCommandNoCC name {} ''
+    cp ${path + "/${name}"} $out
+  '';
+in depot.nix.readTree.drvTargets (listToAttrs (
+  map (name: { inherit name; value = declareSecret name; })
+    (attrNames secrets)
+))