feat: add initial config

2026-04-04 22:19:24 +02:00 · 2026-04-04 22:19:24 +02:00 · fb98563bb6
commit fb98563bb6
26 changed files with 576 additions and 0 deletions
--- a/intermediate/secrets.nix
+++ b/intermediate/secrets.nix
@ -0,0 +1,79 @@
+let
+  lib = import <nixpkgs/lib>;
+  secretsConfig = (import ../validation/secrets.nix).getSecretsConfig (import ../config/secrets.nix);
+
+  getRuntimePath = path:
+    "/run/secrets/${builtins.concatStringsSep "_" path}";
+
+  defaultMetadata = {
+    path = null;
+    owner = null;
+    group = null;
+    mode = null;
+  };
+
+  normalizeLeaf = path: node:
+    if builtins.isString node || builtins.isPath node then
+      {
+        file = node;
+        metadata = defaultMetadata;
+      }
+    else if builtins.isAttrs node && node ? file then
+      {
+        file = node.file;
+        metadata = {
+          path = node.path or null;
+          owner = node.owner or null;
+          group = node.group or null;
+          mode = node.mode or null;
+        };
+      }
+    else
+      throw "Invalid secret leaf at ${builtins.concatStringsSep "." path}: must be string, path, or attrset with 'file'";
+
+  flattenTree = path: node:
+    if builtins.isAttrs node && !(node ? file) then
+      lib.concatMap (name:
+        flattenTree (path ++ [ name ]) node.${name}
+      ) (builtins.attrNames node)
+    else
+      let
+        normalized = normalizeLeaf path node;
+      in
+        [ {
+          inherit path;
+          file = normalized.file;
+          metadata = normalized.metadata;
+        } ];
+
+  entries = flattenTree [] secretsConfig;
+
+  isReady = entry:
+    builtins.pathExists entry.file;
+
+  readyEntries = builtins.filter isReady entries;
+  missingEntries = builtins.filter (entry: !(isReady entry)) entries;
+
+  mkSopsSecrets = sourceEntries:
+    builtins.listToAttrs (map (entry:
+      let
+        secretName = builtins.concatStringsSep "_" entry.path;
+      in
+        {
+          name = secretName;
+          value = {
+            sopsFile = entry.file;
+            format = "binary";
+            path = if entry.metadata.path != null then entry.metadata.path else getRuntimePath entry.path;
+            owner = if entry.metadata.owner != null then entry.metadata.owner else "root";
+            group = if entry.metadata.group != null then entry.metadata.group else "root";
+            mode = if entry.metadata.mode != null then entry.metadata.mode else "0400";
+          };
+        }
+    ) sourceEntries);
+in
+{
+  source = secretsConfig;
+  byName = mkSopsSecrets readyEntries;
+  missing = missingEntries;
+}