nixfiles/lib/secrets-unsafe.nix

{ 
  age, 
  writeShellScript, 
  system,
  ...
}: 

{
  readUnsafe = name: let 
    identityPath = ../secrets/unsafe.key;

    path = ../secrets + "/UNSAFE.${name}.age";
    drv = builtins.derivation { 
      system = system;
      name = name;
      src = path;
      builder = writeShellScript "read-${name}.sh" ''
        ${age}/bin/age --decrypt --identity ${identityPath} $src > $out
      '';
    };
  in builtins.readFile drv;
}
feat(teidesu): nix-managed ssh config 2024-05-01 05:48:50 +03:00			`{`
			`age,`
			`writeShellScript,`
			`system,`
			`...`
			`}:`
feat: improved secrets management, support for build-time "unsafe" secrets 2024-05-01 04:59:31 +03:00
			`{`
			`readUnsafe = name: let`
chore: better unsafe secret handling turned out my previous scheme didn't work properly under linux xd 2024-05-12 12:43:51 +03:00			`identityPath = ../secrets/unsafe.key;`
feat(teidesu): nix-managed ssh config 2024-05-01 05:48:50 +03:00
			`path = ../secrets + "/UNSAFE.${name}.age";`
feat: improved secrets management, support for build-time "unsafe" secrets 2024-05-01 04:59:31 +03:00			`drv = builtins.derivation {`
feat(teidesu): nix-managed ssh config 2024-05-01 05:48:50 +03:00			`system = system;`
feat: improved secrets management, support for build-time "unsafe" secrets 2024-05-01 04:59:31 +03:00			`name = name;`
			`src = path;`
feat(teidesu): nix-managed ssh config 2024-05-01 05:48:50 +03:00			`builder = writeShellScript "read-${name}.sh" ''`
			`${age}/bin/age --decrypt --identity ${identityPath} $src > $out`
feat: improved secrets management, support for build-time "unsafe" secrets 2024-05-01 04:59:31 +03:00			`'';`
			`};`
			`in builtins.readFile drv;`
			`}`