about summary refs log blame commit diff
path: root/ops/secrets/mkSecrets.nix
blob: 4e40112b961050d5d1834305333a51030ba6c42d (plain) (tree)
1
2
3
4
5
6
7
8




                                                                    
                    

   












                                                                         
 




                                                               
# Expose secrets as part of the tree, making it possible to validate
# their paths at eval time.
#
# Note that encrypted secrets end up in the Nix store, but this is
# fine since they're publicly available anyways.
{ depot, lib, ... }:

let
  inherit (depot.nix.yants)
    attrs
    any
    defun
    list
    path
    restrict
    string
    struct
    ;
  ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
  agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
in

defun [ path (attrs agenixSecret) (attrs any) ]
  (path: secrets:
    depot.nix.readTree.drvTargets
      # Import each secret into the Nix store
      (builtins.mapAttrs (name: _: "${path}/${name}") secrets))