From b0c8d8b38e48976dca20a514ae63b9cb15ab037d Mon Sep 17 00:00:00 2001
From: technofab
Date: Fri, 4 Apr 2025 16:18:31 +0200
Subject: [PATCH] feat: add secrets module

idea: have sops encrypted secret yamls, specify them in Nix, get all secret yamls in a single directory to push into oci repo for flux to use
---
 lib/default.nix | 3 +++
 lib/secretsModule.nix | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 lib/secretsModule.nix

diff --git a/lib/default.nix b/lib/default.nix
index 56cad40..0243448 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -64,6 +64,7 @@ with lib; rec {
 helm
 docker
 files
+ ./secretsModule.nix
 ({...}: let
 finalValues = mkValues "${path}/values.nix" {
 rawValues = values;
@@ -94,6 +95,8 @@ with lib; rec {
 .config
 .kubernetes
 .resultYAML;
+ # combines all secrets files in a single directory
+ secrets = args: (eval args).config.kubernetes.secretsCombined;
 };
 fetchNixlet = url: sha256: mkNixlet (builtins.fetchTarball {inherit url sha256;});
diff --git a/lib/secretsModule.nix b/lib/secretsModule.nix
new file mode 100644
index 0000000..e2c04f2
--- /dev/null
+++ b/lib/secretsModule.nix
@@ -0,0 +1,37 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ inherit (lib) mkOption types;
+in {
+ options.kubernetes = {
+ secrets = mkOption {
+ type = types.attrsOf types.path;
+ description = "sops encrypted secrets";
+ example = ''
+ {
+ "abc" = ./some-secret.sops.yaml;
+ }
+ '';
+ };
+ secretsCombined = mkOption {
+ internal = true;
+ type = types.package;
+ description = "All sops encrypted secret files in a directory";
+ };
+ };
+ config.kubernetes.secretsCombined = let
+ commands = builtins.concatStringsSep "\n" (
+ map (
+ secret: "ln -s ${builtins.getAttr secret config.kubernetes.secrets} $out/${secret}.yaml"
+ )
+ (builtins.attrNames config.kubernetes.secrets)
+ );
+ in
+ pkgs.runCommand "nixlets-secrets-combined" {} ''
+ mkdir -p $out
+ ${commands}
+ '';
+}
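Review bot: The new public entry point `secrets` is documented only by `# combines all secrets files in a single directory`, which tells a caller neither what it returns nor what input it expects; a comment along the lines of `# secrets: evaluate a nixlet with args and return a derivation whose output directory holds one <name>.yaml link per entry of kubernetes.secrets (see secretsModule.nix)` would close that gap. It is also worth stating there that the result is a Nix store path, so callers must only ever feed sops-encrypted files through `kubernetes.secrets`. The attribute set this hunk extends begins outside the hunk.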
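Review bot: In `commands`, both the attribute name and the secret path are spliced unescaped into a shell line, so a name containing whitespace, quotes or a `/` either breaks the `ln -s` or places the link outside `$out`; the rewrite below escapes both with `lib.escapeShellArg` and rejects names outside `[A-Za-z0-9_.-]` with an assertion. `secrets` also lacks `default = {};`, so evaluating `secretsCombined` (now exposed from lib/default.nix as `secrets`) fails with an undefined-option error for any nixlet that declares no secrets. Interpolating a `types.path` value into the string copies the file into the world-readable Nix store and from there into the pushed artifact, while the option description merely promises sops-encrypted input and nothing verifies it; a per-file `grep -q '^sops:' "$f"` failing the build, or at least a sentence in `description` stating that plaintext files must never be passed, would make that contract explicit. Whether the flux OCI push follows symlinks or needs real files (`cp` rather than `ln -s`) depends on tooling not visible here.
```nix
    secrets = mkOption {
      type = types.attrsOf types.path;
      default = {};
      # … unchanged: description, example …
    };
    # … unchanged: secretsCombined option …
  config.kubernetes.secretsCombined = let
    # Names become file names under $out: refuse "/" and whitespace so a
    # link can never land outside the output directory.
    checkName = name:
      lib.assertMsg (builtins.match "[A-Za-z0-9_.-]+" name != null)
      "kubernetes.secrets: invalid secret name \"${name}\"";
    # Interpolating the path copies the (encrypted) file into the Nix store.
    linkCmd = name: path:
      assert checkName name;
      "ln -s ${lib.escapeShellArg "${path}"} \"$out\"/${lib.escapeShellArg "${name}.yaml"}";
    commands = lib.concatStringsSep "\n" (lib.mapAttrsToList linkCmd config.kubernetes.secrets);
  in
    # … unchanged: pkgs.runCommand "nixlets-secrets-combined" … …
```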