refactor(nix/*): drop yants and consumers, and some more

Change-Id: I96ab5890518c7bb0d4a676adbad20e4c49699b63

ops/secrets/mkSecrets.nix

@@ -1,29 +1,12 @@
-# Expose secrets as part of the tree, making it possible to validate
-# their paths at eval time.
+# Expose secrets as part of the tree, exposing their paths at eval time.
 #
 # Note that encrypted secrets end up in the Nix store, but this is
 # fine since they're publicly available anyways.
 { depot, lib, ... }:
 
-let
-  inherit (depot.nix.yants)
-    attrs
-    any
-    either
-    defun
-    list
-    path
-    restrict
-    string
-    struct
-    ;
-  ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
-  age-pubkey = restrict "age pubkey" (lib.hasPrefix "age") string;
-  agenixSecret = struct "agenixSecret" { publicKeys = list (either age-pubkey ssh-pubkey); };
-in
-
-defun [ path (attrs agenixSecret) (attrs any) ]
-  (path: secrets:
+(
+  path: secrets:
   depot.nix.readTree.drvTargets
     # Import each secret into the Nix store
-    (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
+    (builtins.mapAttrs (name: _: "${path}/${name}") secrets)
+)

ops/secrets/secrets.nix

@@ -1,3 +1,5 @@
+# This file is read by agenix standalone, to know which audiences to (re)encrypt secrets to.
+
 let
   raito = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp"