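let
  # NOTE(review): the argument to `import` is missing in this copy of the file
  # (an angle-bracket search path is the likely casualty of extraction).
  # `<nixpkgs/lib>` is what the later `lib.concatMap` call implies — confirm
  # against the repository before relying on this line.
  lib = import <nixpkgs/lib>;

  # The validated secrets tree. Shape and validation live in
  # ../validation/secrets.nix; this file only flattens and maps it.
  secretsConfig =
    (import ../validation/secrets.nix).getSecretsConfig (import ../config/secrets.nix);

  # A secret addressed as [ "a" "b" ] is named "a_b": that string is both the
  # sops-nix attribute name and the default runtime path component. Because
  # "_" is also legal inside a single path component, two distinct trees can
  # collapse onto one name; mkSopsSecrets rejects that instead of letting
  # listToAttrs silently keep one of them.
  mkSecretName = path: builtins.concatStringsSep "_" path;

  # Decrypted location used when the leaf does not set `path` explicitly.
  getRuntimePath = path: "/run/secrets/${mkSecretName path}";

  # Null means "fall back to the default chosen in mkSopsSecrets".
  defaultMetadata = { path = null; owner = null; group = null; mode = null; };

  # Return `value` unless it is null, in which case `fallback`.
  orDefault = value: fallback: if value != null then value else fallback;

  # Turn one leaf of the tree into { file; metadata }.
  # A leaf is either a string/path (the encrypted file) or an attrset with
  # `file` plus optional path/owner/group/mode. Anything else is an
  # evaluation error that names the offending dotted path.
  normalizeLeaf = path: node:
    if builtins.isString node || builtins.isPath node then
      { file = node; metadata = defaultMetadata; }
    else if builtins.isAttrs node && node ? file then
      {
        file = node.file;
        metadata = {
          path = node.path or null;
          owner = node.owner or null;
          group = node.group or null;
          mode = node.mode or null;
        };
      }
    else
      throw "Invalid secret leaf at ${builtins.concatStringsSep "." path}: must be string, path, or attrset with 'file'";

  # Depth-first flatten of the nested tree into a list of
  # { path = [ ... ]; file; metadata }. An attrset without `file` is a
  # subtree; everything else is handed to normalizeLeaf.
  flattenTree = path: node:
    if builtins.isAttrs node && !(node ? file) then
      lib.concatMap
        (name: flattenTree (path ++ [ name ]) node.${name})
        (builtins.attrNames node)
    else
      let normalized = normalizeLeaf path node;
      in [ { inherit path; inherit (normalized) file metadata; } ];

  entries = flattenTree [ ] secretsConfig;

  # A secret is only wired up if its encrypted file exists at evaluation
  # time. A missing file is deliberately not an error here: the entry is
  # reported through `missing` so the caller decides whether that is
  # acceptable on the host being built.
  isReady = entry: builtins.pathExists entry.file;
  readyEntries = builtins.filter isReady entries;
  missingEntries = builtins.filter (entry: !(isReady entry)) entries;

  # Build the attrset consumed as `sops.secrets`.
  # Defaults are conservative: owner root, group root, mode 0400, decrypted
  # under /run/secrets. Evaluation fails if two entries resolve to the same
  # secret name, since listToAttrs would otherwise drop one of them without
  # any diagnostic (and they would also share a runtime path).
  mkSopsSecrets = sourceEntries:
    let
      names = map (entry: mkSecretName entry.path) sourceEntries;
      duplicates = builtins.filter (n: lib.count (m: m == n) names > 1) (lib.unique names);
      mkSecret = entry: {
        name = mkSecretName entry.path;
        value = {
          sopsFile = entry.file;
          format = "binary";
          path = orDefault entry.metadata.path (getRuntimePath entry.path);
          owner = orDefault entry.metadata.owner "root";
          group = orDefault entry.metadata.group "root";
          mode = orDefault entry.metadata.mode "0400";
        };
      };
    in
    assert lib.assertMsg (duplicates == [ ])
      "Duplicate secret names after flattening: ${builtins.concatStringsSep ", " duplicates}";
    builtins.listToAttrs (map mkSecret sourceEntries);
in
{
  source = secretsConfig;
  byName = mkSopsSecrets readyEntries;
  missing = missingEntries;
}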