From 3a410a78df98fbace3fb3d6c6a570058a2758811 Mon Sep 17 00:00:00 2001
From: Vincent Ambo <mail@tazj.in>
Date: Sun, 12 Dec 2021 11:14:50 +0300
Subject: feat(ops/secrets): Make (encrypted) secrets part of the tree

Currently in NixOS configuration using agenix secrets there is no
build time validation of secret paths - things fail at runtime (system
activation).

To prevent that, this CL makes the secrets part of the tree based on
the same configuration file used by agenix itself.

This guards against:

* agenix secrets.nix definition for a non-existent file
* age.secrets value in a NixOS config for a non-existent secret

Change-Id: I5b191dcbd5b2522566ff7c38f8a988bbf7679364
---
 ops/secrets/default.nix | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 ops/secrets/default.nix

(limited to 'ops/secrets')

diff --git a/ops/secrets/default.nix b/ops/secrets/default.nix
new file mode 100644
index 0000000000..cafd605a4e
--- /dev/null
+++ b/ops/secrets/default.nix
@@ -0,0 +1,21 @@
+# Expose secrets as part of the tree, making it possible to validate
+# their paths at eval time.
+#
+# Note that encrypted secrets end up in the Nix store, but this is
+# fine since they're publicly available anyways.
+{ depot, pkgs, ... }:
+
+let
+  inherit (builtins) attrNames listToAttrs;
+
+  # Import agenix configuration file, this itself is not a readTree
+  # target but defines all valid secrets.
+  secrets = import ./secrets.nix;
+
+  # Import a secret to the Nix store
+  declareSecret = name: pkgs.runCommandNoCC name {} ''
+    cp ${./. + "/${name}"} $out
+  '';
+in depot.nix.readTree.drvTargets (listToAttrs (
+  map (name: { inherit name; value = declareSecret name; }) (attrNames secrets)
+))
-- 
cgit 1.4.1