feat(ops/secrets): Use korora for type checking secrets

Type checking of secrets was removed in cff6575948 to get rid of yants. This adds back type checking using Korora. Fixes https://git.snix.dev/snix/snix/issues/71 Change-Id: I27cd47b7e1810be5c4cd5d86366e860ca217f9c4 Reviewed-on: https://cl.snix.dev/c/snix/+/30118 Tested-by: besadii Reviewed-by: Ryan Lahfa <masterancpp@gmail.com> Reviewed-by: Florian Klink <flokli@flokli.de>
2025-03-18 19:18:06 +01:00 · 2025-03-18 19:18:06 +01:00 · b69cd940cf
commit b69cd940cf
parent cfe842effa
3 changed files with 31 additions and 1 deletions
--- a/ops/secrets/mkSecrets.nix
+++ b/ops/secrets/mkSecrets.nix
@ -3,10 +3,25 @@
 # Note that encrypted secrets end up in the Nix store, but this is
 # fine since they're publicly available anyways.
 { depot, lib, ... }:
+let
+  types = depot.third_party.korora;
+  inherit (lib) hasPrefix isString;

+  sshPubkey = types.typedef "SSH pubkey" (s: isString s && hasPrefix "ssh-" s);
+
+  agePubkey = types.typedef "age pubkey" (s: isString s && hasPrefix "age" s);
+
+  agenixSecret = types.struct "agenixSecret" {
+    publicKeys = types.listOf (types.union [
+      sshPubkey
+      agePubkey
+    ]);
+  };
+
+in
 (
  path: secrets:
  depot.nix.readTree.drvTargets
    # Import each secret into the Nix store
-    (builtins.mapAttrs (name: _: "${path}/${name}") secrets)
+    (builtins.mapAttrs (name: secret: agenixSecret.check secret "${path}/${name}") secrets)
 )