author | zseri <zseri.devel@ytrizja.de> | 2021-12-27T01·07+0100 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2021-12-27T23·16+0000 |
commit | 52369a11e3dee035b575281c80e2bf9a65546435 (patch) | |
tree | f72aba410a76d7337da967f8b72fbab2ee9a16e8 /ops/secrets | |
parent | d8cdd629f496cf828ca175f27e7568eb57f3e568 (diff) |
refactor(ops/secrets): optimize + typecheck mkSecrets r/3482
Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688 Reviewed-by: zseri <zseri.devel@ytrizja.de> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: zseri <zseri.devel@ytrizja.de> Tested-by: BuildkiteCI
Diffstat (limited to 'ops/secrets')
-rw-r--r-- | ops/secrets/mkSecrets.nix | 30 |
1 files changed, 19 insertions, 11 deletions
diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix
index 7a39a418a884..4e40112b9610 100644
--- a/ops/secrets/mkSecrets.nix
+++ b/ops/secrets/mkSecrets.nix
@@ -3,17 +3,25 @@
 #
 # Note that encrypted secrets end up in the Nix store, but this is
 # fine since they're publicly available anyways.
-{ depot, pkgs, ... }:
-path: secrets:
+{ depot, lib, ... }:
 let
- inherit (builtins) attrNames listToAttrs;
+ inherit (depot.nix.yants)
+ attrs
+ any
+ defun
+ list
+ path
+ restrict
+ string
+ struct
+ ;
+ ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
+ agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
+in
- # Import a secret to the Nix store
- declareSecret = name: pkgs.runCommandNoCC name {} ''
- cp ${path + "/${name}"} $out
- '';
-in depot.nix.readTree.drvTargets (listToAttrs (
- map (name: { inherit name; value = declareSecret name; })
- (attrNames secrets)
-))
+defun [ path (attrs agenixSecret) (attrs any) ]
+ (path: secrets:
+ depot.nix.readTree.drvTargets
+ # Import each secret into the Nix store
+ (builtins.mapAttrs (name: _: "${path}/${name}") secrets)) |
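Review bot: The new per-secret value `"${path}/${name}"` interpolates the directory `path` itself into the string; if `path` is a Nix path value (which the `path` yants check in the `defun` signature suggests), that copies the entire directory into the store and points inside the copy, whereas the removed `declareSecret` imported exactly one file per declared name. Any file that happens to sit next to the encrypted files but is not declared in `secrets` would then also land in the world-readable store, which the comment's "publicly available anyways" reasoning does not cover; keeping the import file-granular avoids that, e.g. `(builtins.mapAttrs (name: _: "${path + "/${name}"}") secrets)`, and a comment such as `# Each declared file is imported individually; nothing else in the directory reaches the store` would document the intent. Separately, `restrict "SSH pubkey" (lib.hasPrefix "ssh-") string` rejects OpenSSH public keys whose type string does not start with `ssh-`, such as `ecdsa-sha2-nistp256` or the `sk-` FIDO variants, so a valid `publicKeys` entry of those kinds would fail the new typecheck — worth either widening the predicate or stating the restriction in the struct's comment. A minor style point: the `path` type inherited from yants is shadowed by the lambda parameter `path:`, which is harmless here but easy to misread.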