Change-Id: I592c8f2f82cef8fe4509e90a8c48504a0c74d133 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4688 Reviewed-by: zseri <zseri.devel@ytrizja.de> Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: lukegb <lukegb@tvl.fyi> Autosubmit: zseri <zseri.devel@ytrizja.de> Tested-by: BuildkiteCI
		
			
				
	
	
		
# Expose secrets as part of the tree, making it possible to validate
# their paths at eval time.
#
# Note that encrypted secrets end up in the Nix store, but this is
# fine since they're publicly available anyways.
{ depot, lib, ... }:
let
  inherit (depot.nix.yants)
    attrs
    any
    defun
    list
    path
    restrict
    string
    struct
    ;
  ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
  agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
in
defun [ path (attrs agenixSecret) (attrs any) ]
  (path: secrets:
    depot.nix.readTree.drvTargets
      # Import each secret into the Nix store
      (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
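Review bot: `"${path}/${name}"` on the last line coerces `path` by itself into a store path, so the whole directory named by `path` is copied into the Nix store once and each attribute is merely a string pointing inside that copy, whereas the comment "Import each secret into the Nix store" reads as if each file were imported individually. As a consequence anything else that happens to sit in that directory (an unencrypted stray file, an editor backup) ends up in the world-readable store as well, which the header's "fine since they're publicly available anyways" does not cover, and a secret listed in `secrets` but absent on disk is not noticed at eval time because the resulting string is never checked against the filesystem. Interpolating a per-file path instead, `(builtins.mapAttrs (name: _: "${path + "/${name}"}") secrets))`, copies only the named file and, as far as I recall Nix's path-to-store coercion, fails evaluation when that file does not exist, which makes the header's "validate their paths at eval time" hold for the files themselves while still handing `drvTargets` plain strings.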