# Expose secrets as part of the tree, making it possible to validate
# their paths at eval time.
#
# Note that the encrypted secrets end up in the (world-readable) Nix store,
# but this is fine since the ciphertext is publicly available anyways. Only
# encrypted files belong under the directory handed to this function: a
# plaintext file placed there would be copied into the store just the same.
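{ depot, lib, ... }:

let
  inherit (depot.nix.yants)
    attrs
    any
    defun
    list
    path
    restrict
    string
    struct
    ;

  # A recipient key as written in the secrets declaration. The prefix filter
  # admits the key types age can encrypt to (ssh-ed25519, ssh-rsa) and
  # rejects ecdsa-sha2-* / sk-* keys, whose type names start differently.
  # It is a sanity check on the declaration, not a proof that the key parses.
  ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;

  # One declaration per encrypted file: the SSH public keys it is encrypted
  # to. Only the shape is checked here; the keys themselves are not used.
  agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };

  # Resolve one declared secret `name` inside directory `dir` to its store
  # path string. Fails evaluation if the declared file is missing on disk,
  # so a stale secrets.nix entry is caught at eval time rather than when a
  # machine tries to decrypt it.
  secretPath = dir: name:
    let
      file = dir + "/${name}";
    in
    assert lib.assertMsg (builtins.pathExists file)
      "mkSecrets: declared secret '${name}' does not exist at ${toString file}";
    # Interpolating `dir` copies the *whole* directory into the world-readable
    # store (not just this file) and yields /nix/store/<hash>-<dir>/<name>.
    # Keep nothing but ciphertext and its Nix metadata under that directory.
    "${dir}/${name}";
in

# mkSecrets <dir> <declarations>
#
# `dir` is the directory holding the encrypted files; `declarations` is the
# attribute set from its secrets.nix (file name -> { publicKeys = [ ... ]; }).
# Returns an attribute set, marked as readTree targets, that maps each
# declared file name to its path in the Nix store. Because only declared
# names are present, `secrets."foo.age"` fails at eval time when "foo.age"
# was never declared, and (via secretPath) when it is declared but absent.
defun [ path (attrs agenixSecret) (attrs any) ]
  (path: secrets:
  depot.nix.readTree.drvTargets
    (builtins.mapAttrs (name: _: secretPath path name) secrets))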