nixfiles/lib/secrets-unsafe.nix

{ 
  age, 
  writeShellScript, 
  system,
  stdenv,
  ...
}: 

{
  readUnsafe = name: let 
    isDarwin = stdenv.isDarwin;
    identityPath = if isDarwin then "/Users/Shared/agenix-key-unsafe" else "/etc/ssh/agenix-key-unsafe";

    path = ../secrets + "/UNSAFE.${name}.age";
    drv = builtins.derivation { 
      system = system;
      name = name;
      src = path;
      builder = writeShellScript "read-${name}.sh" ''
        ${age}/bin/age --decrypt --identity ${identityPath} $src > $out
      '';
    };
  in builtins.readFile drv;
}
feat(teidesu): nix-managed ssh config 2024-05-01 05:48:50 +03:00			`{`
			`age,`
			`writeShellScript,`
			`system,`
			`stdenv,`
			`...`
			`}:`
feat: improved secrets management, support for build-time "unsafe" secrets 2024-05-01 04:59:31 +03:00
			`{`
			`readUnsafe = name: let`
feat(teidesu): nix-managed ssh config 2024-05-01 05:48:50 +03:00			`isDarwin = stdenv.isDarwin;`
			`identityPath = if isDarwin then "/Users/Shared/agenix-key-unsafe" else "/etc/ssh/agenix-key-unsafe";`

			`path = ../secrets + "/UNSAFE.${name}.age";`
feat: improved secrets management, support for build-time "unsafe" secrets 2024-05-01 04:59:31 +03:00			`drv = builtins.derivation {`
feat(teidesu): nix-managed ssh config 2024-05-01 05:48:50 +03:00			`system = system;`
feat: improved secrets management, support for build-time "unsafe" secrets 2024-05-01 04:59:31 +03:00			`name = name;`
			`src = path;`
feat(teidesu): nix-managed ssh config 2024-05-01 05:48:50 +03:00			`builder = writeShellScript "read-${name}.sh" ''`
			`${age}/bin/age --decrypt --identity ${identityPath} $src > $out`
feat: improved secrets management, support for build-time "unsafe" secrets 2024-05-01 04:59:31 +03:00			`'';`
			`};`
			`in builtins.readFile drv;`
			`}`