feat: try rework

2026-04-04 11:42:19 +02:00 · 2026-04-04 11:42:19 +02:00 · ecf10628c3
commit ecf10628c3
parent 1ddbd3b8b6
51 changed files with 1941 additions and 445 deletions
--- a/validation/secrets.nix
+++ b/validation/secrets.nix
@ -0,0 +1,71 @@
+let
+  lib = import <nixpkgs/lib>;
+  helperNames = [ "getRuntimePath" "getSopsKey" ];
+
+  validateLeaf = context: leaf:
+    if builtins.isString leaf || builtins.isPath leaf then
+      # String or path: file path (binary or single-value secret)
+      leaf
+    else if builtins.isAttrs leaf then
+      # Object: must have 'file', may have 'keys' list and optional deployment metadata
+      let
+        _ =
+          if leaf ? file && (builtins.isPath leaf.file || builtins.isString leaf.file) then
+            null
+          else
+            throw "${context}.file must be a path or string.";
+        __ =
+          if !(leaf ? keys) || (builtins.isList leaf.keys && builtins.all builtins.isString leaf.keys) then
+            null
+          else
+            throw "${context}.keys must be a list of strings when provided.";
+        ___ =
+          if !(leaf ? path) || builtins.isString leaf.path then
+            null
+          else
+            throw "${context}.path must be a string when provided.";
+        ____ =
+          if !(leaf ? owner) || builtins.isString leaf.owner then
+            null
+          else
+            throw "${context}.owner must be a string when provided.";
+        _____ =
+          if !(leaf ? group) || builtins.isString leaf.group then
+            null
+          else
+            throw "${context}.group must be a string when provided.";
+        ______ =
+          if !(leaf ? mode) || builtins.isString leaf.mode then
+            null
+          else
+            throw "${context}.mode must be a string when provided.";
+      in
+        leaf
+    else
+      throw "${context} must be a string, path, or an attrset with 'file' key.";
+
+  validateTree = context: node:
+    if builtins.isAttrs node then
+      lib.mapAttrs (name: value:
+        if lib.elem name helperNames then
+          value
+        else
+          validateTree "${context}.${name}" value
+      ) node
+    else
+      throw "${context} must be an attrset at non-leaf level.";
+
+  getSecretsConfig = secretsConfig:
+    let
+      _ =
+        if builtins.isAttrs secretsConfig then
+          null
+        else
+          throw "config/secrets.nix must evaluate to an attrset.";
+      __ = validateTree "config/secrets.nix" secretsConfig;
+    in
+      secretsConfig;
+in
+rec {
+  inherit getSecretsConfig validateLeaf validateTree;
+}