From 52369a11e3dee035b575281c80e2bf9a65546435 Mon Sep 17 00:00:00 2001
From: zseri
Date: Mon, 27 Dec 2021 02:07:45 +0100
Subject: refactor(ops/secrets): optimize + typecheck mkSecrets
Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688
Reviewed-by: zseri
Reviewed-by: tazjin
Reviewed-by: grfn
Reviewed-by: lukegb
Autosubmit: zseri
Tested-by: BuildkiteCI
---
 ops/secrets/mkSecrets.nix | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
(limited to 'ops/secrets')
diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix
index 7a39a418a8..4e40112b96 100644
--- a/ops/secrets/mkSecrets.nix
+++ b/ops/secrets/mkSecrets.nix
@@ -3,17 +3,25 @@
 #
 # Note that encrypted secrets end up in the Nix store, but this is
 # fine since they're publicly available anyways.
-{ depot, pkgs, ... }:
-path: secrets:
+{ depot, lib, ... }:
 let
-  inherit (builtins) attrNames listToAttrs;
+  inherit (depot.nix.yants)
+    attrs
+    any
+    defun
+    list
+    path
+    restrict
+    string
+    struct
+    ;
+  ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
+  agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
+in
 
-  # Import a secret to the Nix store
-  declareSecret = name: pkgs.runCommandNoCC name {} ''
-    cp ${path + "/${name}"} $out
-  '';
-in depot.nix.readTree.drvTargets (listToAttrs (
-  map (name: { inherit name; value = declareSecret name; })
-    (attrNames secrets)
-))
+defun [ path (attrs agenixSecret) (attrs any) ]
+  (path: secrets:
+    depot.nix.readTree.drvTargets
+      # Import each secret into the Nix store
+      (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
--
cgit 1.4.1
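Review bot: `"${path}/${name}"` in the new mapAttrs body interpolates the path value `path` into a string, which copies the entire directory into the Nix store and yields a store-path string per secret, whereas the removed `cp ${path + "/${name}"} $out` imported only each named secret file individually. If the directory the caller passes also holds files that are not keys of `secrets`, those now land in the store too, and the header's "publicly available anyways" reasoning only covers the encrypted secrets themselves; a comment on that line such as `# NOTE: interpolating the directory imports all of it into the store, not just the listed secrets` would make the widened scope explicit to the next maintainer. The lambda parameter `path` also shadows the yants `path` type inherited a few lines above, so `defun [ path (attrs agenixSecret) (attrs any) ] (path: secrets:` reads as if one binding were used in two roles; renaming the parameter, e.g. `(dir: secrets:` with `"${dir}/${name}"`, would remove the ambiguity. The inherit list is otherwise alphabetical except for `attrs` preceding `any`, which is a minor style nit.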