sivizius/nixfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixfiles/libs/secrets/lib/secret/default.nix
Sebastian Walz 860d31cee1
Tohu vaBohu
2023-04-21 00:22:52 +02:00

312 lines
9.9 KiB
Nix
Raw Permalink Blame History

{ core, ... }:
let
inherit(core) debug type;
cannotMerge
= { type, ... } @ secret:
{ ... } @ secret':
debug.panic [ "cannotMerge" type ]
{
text = "Cannot merge secrets:";
data = { inherit secret secret'; };
nice = true;
}
null;
decrypt
= {
toSecret
= { encryptedFile, group, owner, ... }:
{
inherit encryptedFile group owner;
inherit(decrypt) type;
};
merge = cannotMerge;
type = "decrypt";
__functor
= { toSecret, type, ... }:
{ encryptedFile, group ? null, owner ? null }:
Secret.instanciateAs type
{
inherit encryptedFile group owner;
__functor
= { encryptedFile, ... } @ args:
{ hash, vaultBasePath, ... }:
let
secret = hash encryptedFile;
in
{
secrets = { ${secret} = toSecret args; };
value = loadPath.toValue { inherit secret vaultBasePath; };
};
};
};
decryptGrafanaSecret
= { encryptedFile, group ? null, owner ? "grafana" }:
Secret.instanciateAs "decryptGrafanaSecret"
{
inherit encryptedFile group owner;
merge = cannotMerge;
__functor
= { encryptedFile, group, owner, ... } @ args:
{ hash, vaultBasePath, ... }:
let
secret = hash encryptedFile;
in
{
secrets = { ${secret} = decrypt.toSecret args; };
value = loadGrafanaSecret.toValue { inherit secret vaultBasePath; };
};
};
decryptVariable
= environment:
{ encryptedFile, group ? null, owner ? null }:
Secret.instanciateAs "decryptVariable"
{
inherit encryptedFile environment group owner;
merge = cannotMerge;
__functor
= { encryptedFile, environment, ... } @ args:
{ hash, vaultBasePath, ... }:
let
secret = hash encryptedFile;
secret' = hash environment;
in
{
secrets
= {
${secret} = decrypt.toSecret args;
${secret'} = generateEnvFile.toSecret { variables = [ secret ]; };
};
value = loadVariable.toValue { inherit secret vaultBasePath; };
};
};
generateEnvFile
= {
toSecret
= { group ? null, owner ? null, variables, ... }:
{
inherit group owner variables;
inherit(generateEnvFile) type;
};
type = "generateEnvFile";
merge
= { variables, ... } @ secret:
{ ... } @ secret':
if secret.type == generateEnvFile.type
&& secret'.type == generateEnvFile.type
then
secret
// {
variables
= variables
++ secret'.variables;
}
else
cannotMerge secret secret';
__functor
= { toSecret, type, merge, ... }:
environment:
{ group ? null, owner ? null, variables ? [] }:
Secret.instanciateAs type
{
inherit environment group owner merge variables;
__functor
= { environment, ... } @ args:
{ hash, vaultBasePath, ... }:
let
secret = hash environment;
in
{
secrets = { ${secret} = toSecret args; };
value = loadPath.toValue { inherit secret vaultBasePath; };
};
};
};
generateToken
= {
toSecret
= { generator ? null, group ? null, length ? null, owner ? null, ... } @ args:
debug.warn [ "generateToken" "toSecret" ]
{
text = "No owner set!";
when = owner == null;
data = args;
}
{
inherit generator group length owner;
inherit(generateToken) type;
};
type = "generateToken";
merge = cannotMerge;
__functor
= { toSecret, type, ... }:
identifier:
{ generator ? null, group ? null, length ? null, owner ? null }:
Secret.instanciateAs type
{
inherit generator group identifier length owner;
__functor
= { identifier, ... } @ args:
{ hash, vaultBasePath, ... }:
let
secret = hash identifier;
in
{
secrets = { ${secret} = toSecret (args // { inherit secret; }); };
value = loadPath.toValue { inherit secret vaultBasePath; };
};
};
};
loadGrafanaSecret
= {
toValue
= { secret, vaultBasePath, ... }:
"$__file{${vaultBasePath}/${secret}}";
type = "loadGrafanaSecret";
merge = cannotMerge;
__functor
= { toValue, type, ... }:
secret:
Secret.instanciateAs type
{
inherit secret;
__functor
= { secret, ... }:
{ vaultBasePath, ... }:
{
secrets = { ${secret} = null; };
value = toValue { inherit secret vaultBasePath; };
};
};
};
loadPath
= {
toValue
= { secret, vaultBasePath, ... }:
"${vaultBasePath}/${secret}";
type = "loadPath";
merge = cannotMerge;
__functor
= { toValue, type, ... }:
secret:
Secret.instanciateAs type
{
inherit secret;
__functor
= { secret, ... }:
{ vaultBasePath, ... }:
{
secrets = { ${secret} = null; };
value = toValue { inherit secret vaultBasePath; };
};
};
};
loadTokenPath
= identifier:
Secret.instanciateAs "loadTokenPath"
{
inherit identifier;
merge = cannotMerge;
__functor
= { identifier, ... }:
{ hash, vaultBasePath, ... }:
let
secret = hash identifier;
in
{
secrets = { ${secret} = null; };
value = loadPath.toValue { inherit secret vaultBasePath; };
};
};
loadVariable
= {
toValue
= { secret, vaultBasePath, ... }:
"@_${secret}_@";
type = "loadVariable";
merge = cannotMerge;
__functor
= { toValue, type, ... }:
secret:
Secret.instanciateAs type
{
inherit secret;
__functor
= { secret, ... }:
{ vaultBasePath, ... }:
{
secrets = { ${secret} = null; };
value = toValue { inherit secret vaultBasePath; };
};
};
};
Secret
= type "Secret"
{
inherit decrypt decryptGrafanaSecret decryptVariable
generateEnvFile generateToken
loadGrafanaSecret loadPath loadTokenPath loadVariable;
decrypt'
= encryptedFile:
Secret.decrypt { inherit encryptedFile; };
decryptGrafanaSecret'
= encryptedFile:
Secret.decryptGrafanaSecret { inherit encryptedFile; };
decryptVariable'
= environment:
encryptedFile:
Secret.decryptVariable environment { inherit encryptedFile; };
generateEnvFile'
= environment:
Secret.generateEnvFile environment {};
generateToken'
= identifier:
Secret.generateToken identifier {};
};
in
Secret // { inherit Secret; }
Reference in New Issue View Git Blame Copy Permalink