From b69cd940cfc005fda1e71cb64995f64ecbe6cd66 Mon Sep 17 00:00:00 2001 From: adisbladis Date: Tue, 18 Mar 2025 19:18:06 +0100 Subject: [PATCH] feat(ops/secrets): Use korora for type checking secrets Type checking of secrets was removed in cff65759485e7f4c6f1be423f2e8ddcd08536676 to get rid of yants. This adds back type checking using Korora. Fixes https://git.snix.dev/snix/snix/issues/71 Change-Id: I27cd47b7e1810be5c4cd5d86366e860ca217f9c4 Reviewed-on: https://cl.snix.dev/c/snix/+/30118 Tested-by: besadii Reviewed-by: Ryan Lahfa Reviewed-by: Florian Klink --- ops/secrets/mkSecrets.nix | 17 ++++++++++++++++- third_party/korora/default.nix | 3 +++ third_party/sources/sources.json | 12 ++++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 third_party/korora/default.nix diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix index dc0ce153f..03990ad1f 100644 --- a/ops/secrets/mkSecrets.nix +++ b/ops/secrets/mkSecrets.nix @@ -3,10 +3,25 @@ # Note that encrypted secrets end up in the Nix store, but this is # fine since they're publicly available anyways. { depot, lib, ... }: +let + types = depot.third_party.korora; + inherit (lib) hasPrefix isString; + sshPubkey = types.typedef "SSH pubkey" (s: isString s && hasPrefix "ssh-" s); + + agePubkey = types.typedef "age pubkey" (s: isString s && hasPrefix "age" s); + + agenixSecret = types.struct "agenixSecret" { + publicKeys = types.listOf (types.union [ + sshPubkey + agePubkey + ]); + }; + +in ( path: secrets: depot.nix.readTree.drvTargets # Import each secret into the Nix store - (builtins.mapAttrs (name: _: "${path}/${name}") secrets) + (builtins.mapAttrs (name: secret: agenixSecret.check secret "${path}/${name}") secrets) ) diff --git a/third_party/korora/default.nix b/third_party/korora/default.nix new file mode 100644 index 000000000..5a0413b84 --- /dev/null +++ b/third_party/korora/default.nix @@ -0,0 +1,3 @@ +{ depot, ... }: + +import depot.third_party.sources.korora { } 
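Review bot: The `agePubkey` predicate in the new `let` block, `agePubkey = types.typedef "age pubkey" (s: isString s && hasPrefix "age" s);`, is looser than it needs to be: age recipients are bech32 strings with the human-readable part `age`, so (as far as I know) every valid recipient starts with `age1`, and `hasPrefix "age1" s` would reject near-misses such as a pasted `age-keygen` comment line without excluding plugin recipients, whose strings also begin with `age1`. Likewise `hasPrefix "ssh-" s` in `sshPubkey` admits key types age cannot encrypt to (`ssh-dss`, for instance); if only `ssh-ed25519` and `ssh-rsa` recipients are supported, `(hasPrefix "ssh-ed25519 " s || hasPrefix "ssh-rsa " s)` would surface a wrong key type at eval time rather than when encryption fails. Whether `types.struct "agenixSecret"` rejects attributes other than `publicKeys` depends on korora's defaults, which are not visible here; that is worth confirming, since it decides whether a misspelled attribute in a secrets file fails evaluation or passes silently. The hunk covers the whole function expression, so nothing of the enclosing block is cut off.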
diff --git a/third_party/sources/sources.json b/third_party/sources/sources.json
index b3ec3d460..5d5be9acc 100644
--- a/third_party/sources/sources.json
+++ b/third_party/sources/sources.json
@@ -48,6 +48,18 @@
 "url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
+ "korora": {
+ "branch": "master",
+ "description": "A tiny & fast type system for Nix in Nix",
+ "homepage": "",
+ "owner": "adisbladis",
+ "repo": "korora",
+ "rev": "f7d8f17c4f20b69bc77189d4202c59c680400623",
+ "sha256": "15im7sm7z36n128g38fz3dcy26qml7vzj986x0nfpzwgyd7499pb",
+ "type": "tarball",
+ "url": "https://github.com/adisbladis/korora/archive/f7d8f17c4f20b69bc77189d4202c59c680400623.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
 "naersk": {
 "branch": "master",
 "description": "Build rust crates in Nix. No configuration, no code generation, no IFD. Sandbox friendly. [maintainer: @Patryk27]",