Diffstat (limited to 'ops/secrets/mkSecrets.nix')
-rw-r--r-- | ops/secrets/mkSecrets.nix | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix
new file mode 100644
index 000000000000..c99130835f15
--- /dev/null
+++ b/ops/secrets/mkSecrets.nix
@@ -0,0 +1,27 @@
+# Expose secrets as part of the tree, making it possible to validate
+# their paths at eval time.
+#
+# Note that encrypted secrets end up in the Nix store, but this is
+# fine since they're publicly available anyways.
+{ depot, lib, ... }:
+
+let
+ inherit (depot.nix.yants)
+ attrs
+ any
+ defun
+ list
+ path
+ restrict
+ string
+ struct
+ ;
+ ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
+ agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
+in
+
+defun [ path (attrs agenixSecret) (attrs any) ]
+ (path: secrets:
+ depot.nix.readTree.drvTargets
+ # Import each secret into the Nix store
+ (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
|
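Review bot: The header comment promises that secret paths can be validated at eval time, but the `builtins.mapAttrs` call at the end of the hunk only builds the string `"${path}/${name}"` and never checks that the file exists, so a typo in a secret name surfaces at build or activation time instead. Prefixing the interpolated string with `assert builtins.pathExists (path + "/${name}");` makes the check happen at eval time as the comment states. Note also that interpolating `path` copies the whole directory into the store, not just the declared secrets, so the "fine since they're publicly available" assumption holds only while nothing unencrypted is ever placed there; the header comment should say so explicitly. The `lib.hasPrefix "ssh-"` restriction on `ssh-pubkey` would also reject ECDSA keys (whose type names begin with `ecdsa-sha2-`), which may or may not be intended.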