maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(ops/secrets): Use korora for type checking secrets

Browse source 
Type checking of secrets was removed in cff6575948 to get rid of yants.
This adds back type checking using Korora.

Fixes https://git.snix.dev/snix/snix/issues/71
Change-Id: I27cd47b7e1810be5c4cd5d86366e860ca217f9c4
Reviewed-on: https://cl.snix.dev/c/snix/+/30118
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
This commit is contained in:
adisbladis 2025-03-18 19:18:06 +01:00 committed by adis bladis
parent cfe842effa
commit b69cd940cf
3 changed files with 31 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

17
ops/secrets/mkSecrets.nix
View file

@ -3,10 +3,25 @@
# Note that encrypted secrets end up in the Nix store, but this is # Note that encrypted secrets end up in the Nix store, but this is
# fine since they're publicly available anyways. # fine since they're publicly available anyways.
{ depot, lib, ... }: { depot, lib, ... }:
let
types = depot.third_party.korora;
inherit (lib) hasPrefix isString;
sshPubkey = types.typedef "SSH pubkey" (s: isString s && hasPrefix "ssh-" s);
agePubkey = types.typedef "age pubkey" (s: isString s && hasPrefix "age" s);
agenixSecret = types.struct "agenixSecret" {
publicKeys = types.listOf (types.union [
sshPubkey
agePubkey
]);
};
in
( (
path: secrets: path: secrets:
depot.nix.readTree.drvTargets depot.nix.readTree.drvTargets
# Import each secret into the Nix store # Import each secret into the Nix store
(builtins.mapAttrs (name: _: "${path}/${name}") secrets) (builtins.mapAttrs (name: secret: agenixSecret.check secret "${path}/${name}") secrets)
) )

3
third_party/korora/default.nix vendored Normal file
View file

@ -0,0 +1,3 @@
{ depot, ... }:
import depot.third_party.sources.korora { }

12
third_party/sources/sources.json vendored
View file

@ -48,6 +48,18 @@
"url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz", "url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"korora": {
"branch": "master",
"description": "A tiny & fast type system for Nix in Nix",
"homepage": "",
"owner": "adisbladis",
"repo": "korora",
"rev": "f7d8f17c4f20b69bc77189d4202c59c680400623",
"sha256": "15im7sm7z36n128g38fz3dcy26qml7vzj986x0nfpzwgyd7499pb",
"type": "tarball",
"url": "https://github.com/adisbladis/korora/archive/f7d8f17c4f20b69bc77189d4202c59c680400623.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"naersk": { "naersk": {
"branch": "master", "branch": "master",
"description": "Build rust crates in Nix. No configuration, no code generation, no IFD. Sandbox friendly. [maintainer: @Patryk27]", "description": "Build rust crates in Nix. No configuration, no code generation, no IFD. Sandbox friendly. [maintainer: @Patryk27]",