nixlets/lib/secretsModule.nix

{
  config,
  pkgs,
  lib,
  ...
}: let
  inherit (lib) mkOption types;
in {
  options.kubernetes = {
    secrets = mkOption {
      type = types.attrsOf types.path;
      description = "sops encrypted secrets";
      example = ''
        {
          "abc" = ./some-secret.sops.yaml;
        }
      '';
    };
    secretsCombined = mkOption {
      internal = true;
      type = types.package;
      description = "All sops encrypted secret files in a directory";
    };
  };
  config.kubernetes.secretsCombined = let
    commands = builtins.concatStringsSep "\n" (
      map (
        secret: "ln -s ${builtins.getAttr secret config.kubernetes.secrets} $out/${secret}.yaml"
      )
      (builtins.attrNames config.kubernetes.secrets)
    );
  in
    pkgs.runCommand "nixlets-secrets-combined" {} ''
      mkdir -p $out
      ${commands}
    '';
}
feat: add secrets module idea: have sops encrypted secret yamls, specify them in Nix, get all secret yamls in a single directory to push into oci repo for flux to use 2025-04-04 16:18:31 +02:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
			`}: let`
			`inherit (lib) mkOption types;`
			`in {`
			`options.kubernetes = {`
			`secrets = mkOption {`
			`type = types.attrsOf types.path;`
			`description = "sops encrypted secrets";`
			`example = ''`
			`{`
			`"abc" = ./some-secret.sops.yaml;`
			`}`
			`'';`
			`};`
			`secretsCombined = mkOption {`
			`internal = true;`
			`type = types.package;`
			`description = "All sops encrypted secret files in a directory";`
			`};`
			`};`
			`config.kubernetes.secretsCombined = let`
			`commands = builtins.concatStringsSep "\n" (`
			`map (`
			`secret: "ln -s ${builtins.getAttr secret config.kubernetes.secrets} $out/${secret}.yaml"`
			`)`
			`(builtins.attrNames config.kubernetes.secrets)`
			`);`
			`in`
			`pkgs.runCommand "nixlets-secrets-combined" {} ''`
			`mkdir -p $out`
			`${commands}`
			`'';`
			`}`