snix/ops/secrets/mkSecrets.nix
adisbladis b69cd940cf feat(ops/secrets): Use korora for type checking secrets
Type checking of secrets was removed in cff6575948 to get rid of yants.
This adds back type checking using Korora.

Fixes https://git.snix.dev/snix/snix/issues/71
Change-Id: I27cd47b7e1810be5c4cd5d86366e860ca217f9c4
Reviewed-on: https://cl.snix.dev/c/snix/+/30118
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-03-20 21:25:05 +00:00


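# Expose secrets as part of the tree, exposing their paths at eval time.
#
# Note that encrypted secrets end up in the Nix store, but this is
# fine since they're publicly available anyways.
{ depot, lib, ... }:
let
  types = depot.third_party.korora;
  inherit (lib) hasPrefix isString;

  # Recipient key types accepted in a secret's `publicKeys`. Both checks are
  # prefix-only: they tell the two key kinds apart and catch obvious mistakes
  # at eval time; they do not validate the key material itself.
  sshPubkey = types.typedef "SSH pubkey" (s: isString s && hasPrefix "ssh-" s);
  # age recipients are Bech32 strings with HRP "age" (or "age<plugin>" for
  # plugin recipients), so every valid one begins with "age1". Requiring the
  # Bech32 separator rejects unrelated strings that merely start with "age".
  agePubkey = types.typedef "age pubkey" (s: isString s && hasPrefix "age1" s);

  # Shape of one secret declaration: a list of recipient keys, each of which
  # must be either an SSH or an age public key.
  agenixSecret = types.struct "agenixSecret" {
    publicKeys = types.listOf (types.union [
      sshPubkey
      agePubkey
    ]);
  };
in
(
  # `path` is the directory holding the encrypted files; `secrets` maps each
  # file name to its declaration (`{ publicKeys = [ ... ]; }`).
  path: secrets:
  depot.nix.readTree.drvTargets
    # Import each secret into the Nix store. korora's `check` is expected to
    # fail evaluation on a malformed declaration and otherwise yield its
    # second argument, the secret's path — confirm against korora's API.
    (builtins.mapAttrs (name: secret: agenixSecret.check secret "${path}/${name}") secrets)
)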