Type checking of secrets was removed in cff6575948 to get rid of yants.
This adds back type checking using Korora.
Fixes https://git.snix.dev/snix/snix/issues/71
Change-Id: I27cd47b7e1810be5c4cd5d86366e860ca217f9c4
Reviewed-on: https://cl.snix.dev/c/snix/+/30118
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
# Expose secrets as part of the tree, exposing their paths at eval time.
|
|
#
|
|
# Note that encrypted secrets end up in the Nix store, but this is
|
|
# fine since they're publicly available anyways.
|
|
{ depot, lib, ... }:
|
|
let
|
|
types = depot.third_party.korora;
|
|
inherit (lib) hasPrefix isString;
|
|
|
|
sshPubkey = types.typedef "SSH pubkey" (s: isString s && hasPrefix "ssh-" s);
|
|
|
|
agePubkey = types.typedef "age pubkey" (s: isString s && hasPrefix "age" s);
|
|
|
|
agenixSecret = types.struct "agenixSecret" {
|
|
publicKeys = types.listOf (types.union [
|
|
sshPubkey
|
|
agePubkey
|
|
]);
|
|
};
|
|
|
|
in
|
|
(
|
|
path: secrets:
|
|
depot.nix.readTree.drvTargets
|
|
# Import each secret into the Nix store
|
|
(builtins.mapAttrs (name: secret: agenixSecret.check secret "${path}/${name}") secrets)
|
|
)
|
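Review bot: The two typedefs at lines 41 and 46 only test a string prefix, so the eval-time check accepts malformed recipients and rejects some valid ones: `hasPrefix "age"` passes any string starting with "age" (an `agenix` typo included), while `hasPrefix "ssh-"` rejects OpenSSH key types whose prefix is not `ssh-`, such as `ecdsa-sha2-*` and `sk-ssh-ed25519@openssh.com`. Native and plugin age recipients all begin with `age1`, so `agePubkey = types.typedef "age pubkey" (s: isString s && hasPrefix "age1" s);` is a safe tightening; for SSH, either extend the predicate to the other OpenSSH type prefixes or document that only `ssh-*` keys are supported. `publicKeys = types.listOf (...)` also accepts an empty list, so a secret with no recipients is not caught at eval time; a comment such as `# NOTE: an empty publicKeys list passes this check` would at least make that visible. I am assuming `agenixSecret.check secret "${path}/${name}"` returns its last argument on success, since the result is fed straight to `drvTargets` — worth confirming against Korora's API.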