Generalize out a reusable mkSecrets function from the secrets-tree-building that's happening in //ops/secrets, so the same thing can happen in other places in the depot (I want to use it for my personal infrastructure). Change-Id: I059295c8c257d78ad7fa0802859f57c2c105f29b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4679 Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: zseri <zseri.devel@ytrizja.de> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
		
			
				
	
	
		
| # Expose secrets as part of the tree, making it possible to validate
 | |
| # their paths at eval time.
 | |
| #
 | |
| # Note that encrypted secrets end up in the Nix store, but this is
 | |
| # fine since they're publicly available anyways.
 | |
| { depot, pkgs, ... }:
 | |
| path: secrets:
 | |
| 
 | |
| let
 | |
|   inherit (builtins) attrNames listToAttrs;
 | |
| 
 | |
|   # Import a secret to the Nix store
 | |
|   declareSecret = name: pkgs.runCommandNoCC name {} ''
 | |
|     cp ${path + "/${name}"} $out
 | |
|   '';
 | |
| in depot.nix.readTree.drvTargets (listToAttrs (
 | |
|   map (name: { inherit name; value = declareSecret name; })
 | |
|     (attrNames secrets)
 | |
| ))
 |
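Review bot: Nothing in `declareSecret` verifies that the file under `path` is actually encrypted, so a plaintext secret accidentally listed in `secrets` is copied into the world-readable Nix store twice (once by the `${path + "/${name}"}` interpolation at eval time, once by `cp`); a short guard in the runCommand that checks for the armored header of whichever tool produces these files would turn that mistake into a build failure rather than a leak. The header comment should also state the contract of the two positional arguments, since `path` must be a Nix path value (a plain string would not be copied into the store and `cp` would then read it at build time) and only the attribute names of `secrets` are used, e.g. `# path: Nix path to the directory holding the encrypted files; secrets: attrset whose names are the files to expose (values are ignored).`. The existing callers in //ops/secrets that this generalizes are outside this view.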