Infra/tuserver
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tuserver/intermediate/secrets.nix
Katharina Heidenreich a28c2b5563 feat: initial commit
2026-04-08 20:53:49 +02:00

79 lines
2.2 KiB
Nix
Raw Blame History

let
lib = import <nixpkgs/lib>;
secretsConfig = (import ../validation/secrets.nix).getSecretsConfig (import ../config/secrets.nix);
getRuntimePath = path:
"/run/secrets/${builtins.concatStringsSep "_" path}";
defaultMetadata = {
path = null;
owner = null;
group = null;
mode = null;
};
normalizeLeaf = path: node:
if builtins.isString node || builtins.isPath node then
{
file = node;
metadata = defaultMetadata;
}
else if builtins.isAttrs node && node ? file then
{
file = node.file;
metadata = {
path = node.path or null;
owner = node.owner or null;
group = node.group or null;
mode = node.mode or null;
};
}
else
throw "Invalid secret leaf at ${builtins.concatStringsSep "." path}: must be string, path, or attrset with 'file'";
flattenTree = path: node:
if builtins.isAttrs node && !(node ? file) then
lib.concatMap (name:
flattenTree (path ++ [ name ]) node.${name}
) (builtins.attrNames node)
else
let
normalized = normalizeLeaf path node;
in
[ {
inherit path;
file = normalized.file;
metadata = normalized.metadata;
} ];
entries = flattenTree [] secretsConfig;
isReady = entry:
builtins.pathExists entry.file;
readyEntries = builtins.filter isReady entries;
missingEntries = builtins.filter (entry: !(isReady entry)) entries;
mkSopsSecrets = sourceEntries:
builtins.listToAttrs (map (entry:
let
secretName = builtins.concatStringsSep "_" entry.path;
in
{
name = secretName;
value = {
sopsFile = entry.file;
format = "binary";
path = if entry.metadata.path != null then entry.metadata.path else getRuntimePath entry.path;
owner = if entry.metadata.owner != null then entry.metadata.owner else "root";
group = if entry.metadata.group != null then entry.metadata.group else "root";
mode = if entry.metadata.mode != null then entry.metadata.mode else "0400";
};
}
) sourceEntries);
in
{
source = secretsConfig;
byName = mkSopsSecrets readyEntries;
missing = missingEntries;
}
Reference in a new issue View git blame Copy permalink