diff options
Diffstat (limited to 'ops/secrets')
| -rw-r--r-- | ops/secrets/mkSecrets.nix | 30 |
1 files changed, 19 insertions, 11 deletions
diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix index 7a39a418a884..4e40112b9610 100644 --- a/ops/secrets/mkSecrets.nix +++ b/ops/secrets/mkSecrets.nix @@ -3,17 +3,25 @@ # # Note that encrypted secrets end up in the Nix store, but this is # fine since they're publicly available anyways. -{ depot, pkgs, ... }: -path: secrets: +{ depot, lib, ... }: let - inherit (builtins) attrNames listToAttrs; + inherit (depot.nix.yants) + attrs + any + defun + list + path + restrict + string + struct + ; + ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string; + agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; }; +in - # Import a secret to the Nix store - declareSecret = name: pkgs.runCommandNoCC name {} '' - cp ${path + "/${name}"} $out - ''; -in depot.nix.readTree.drvTargets (listToAttrs ( - map (name: { inherit name; value = declareSecret name; }) - (attrNames secrets) -)) +defun [ path (attrs agenixSecret) (attrs any) ] + (path: secrets: + depot.nix.readTree.drvTargets + # Import each secret into the Nix store + (builtins.mapAttrs (name: _: "${path}/${name}") secrets)) |