diff options
| author | Griffin Smith <grfn@gws.fyi> | 2021-12-26T19·44-0500 |
|---|---|---|
| committer | clbot <clbot@tvl.fyi> | 2021-12-27T03·46+0000 |
| commit | ef62e51b7bc390d3b046b2eb1af0b44a2e771cbe (patch) | |
| tree | f5ee7b1a9e51b334073ec8f66291223b6c4f949a /ops/secrets | |
| parent | 3a21b3c11f82e018c9b389380715d33b367b0e0f (diff) | |
refactor(ops/secrets): generalize out a mkSecrets function r/3453
Generalize out a reusable mkSecrets function from the secrets-tree-building that's happening in //ops/secrets, so the same thing can happen in other places in the depot (I want to use it for my personal infrastructure). Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679 Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: zseri <zseri.devel@ytrizja.de> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
Diffstat (limited to 'ops/secrets')
| -rw-r--r-- | ops/secrets/default.nix | 24 | ||||
| -rw-r--r-- | ops/secrets/mkSecrets.nix | 19 |
2 files changed, 22 insertions, 21 deletions
diff --git a/ops/secrets/default.nix b/ops/secrets/default.nix index cafd605a4e..43f2a738bb 100644 --- a/ops/secrets/default.nix +++ b/ops/secrets/default.nix @@ -1,21 +1,3 @@ -# Expose secrets as part of the tree, making it possible to validate -# their paths at eval time. -# -# Note that encrypted secrets end up in the Nix store, but this is -# fine since they're publicly available anyways. -{ depot, pkgs, ... }: - -let - inherit (builtins) attrNames listToAttrs; - - # Import agenix configuration file, this itself is not a readTree - # target but defines all valid secrets. - secrets = import ./secrets.nix; - - # Import a secret to the Nix store - declareSecret = name: pkgs.runCommandNoCC name {} '' - cp ${./. + "/${name}"} $out - ''; -in depot.nix.readTree.drvTargets (listToAttrs ( - map (name: { inherit name; value = declareSecret name; }) (attrNames secrets) -)) +args: +let mkSecrets = import ./mkSecrets.nix args; in +mkSecrets ./. (import ./secrets.nix) // { inherit mkSecrets; } diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix new file mode 100644 index 0000000000..7a39a418a8 --- /dev/null +++ b/ops/secrets/mkSecrets.nix @@ -0,0 +1,19 @@ +# Expose secrets as part of the tree, making it possible to validate +# their paths at eval time. +# +# Note that encrypted secrets end up in the Nix store, but this is +# fine since they're publicly available anyways. +{ depot, pkgs, ... }: +path: secrets: + +let + inherit (builtins) attrNames listToAttrs; + + # Import a secret to the Nix store + declareSecret = name: pkgs.runCommandNoCC name {} '' + cp ${path + "/${name}"} $out + ''; +in depot.nix.readTree.drvTargets (listToAttrs ( + map (name: { inherit name; value = declareSecret name; }) + (attrNames secrets) +)) |