Most of the ecosystem has moved to this formatter, and many people have configured their editors to autoformat with it. Closes: https://git.snix.dev/snix/snix/issues/62 Change-Id: Icf39e7836c91fc2ae49fbe22a40a639105bfb0bd Reviewed-on: https://cl.snix.dev/c/snix/+/30671 Reviewed-by: Florian Klink <flokli@flokli.de> Tested-by: besadii Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com>
29 lines
798 B
Nix
# Expose secrets as part of the tree, exposing their paths at eval time.
|
|
#
|
|
# Note that encrypted secrets end up in the Nix store, but this is
|
|
# fine since they're publicly available anyways.
|
|
{ depot, lib, ... }:
|
|
let
|
|
types = depot.third_party.korora;
|
|
inherit (lib) hasPrefix isString;
|
|
|
|
sshPubkey = types.typedef "SSH pubkey" (s: isString s && hasPrefix "ssh-" s);
|
|
|
|
agePubkey = types.typedef "age pubkey" (s: isString s && hasPrefix "age" s);
|
|
|
|
agenixSecret = types.struct "agenixSecret" {
|
|
publicKeys = types.listOf (
|
|
types.union [
|
|
sshPubkey
|
|
agePubkey
|
|
]
|
|
);
|
|
};
|
|
|
|
in
|
|
(
|
|
path: secrets:
|
|
depot.nix.readTree.drvTargets
|
|
# Import each secret into the Nix store
|
|
(builtins.mapAttrs (name: secret: agenixSecret.check secret "${path}/${name}") secrets)
|
|
)
|