device-templates.nix: futile decryption attempts

nix/lib/config/salt-support/salt-pillar.nix

@@ -3,7 +3,47 @@
 with pkgs.lib;
 let
   loadYaml = import ./load-yaml.nix { inherit pkgs; };
+
+  # Swap with the real one if you don't have the key:
+  decryptMessage = _: "encrypted";
+
+  _decryptMessage = x:
+    let
+      keyFile = requireFile {
+        name = "salt-gpg.asc";
+        sha256 = "";
+        message = ''
+          GPG private key not found.
+
+          If you still want to build the scripts, search "#decryptMessage" in salt-pillar.nix.
+        '';
+      };
+      cleartextFile = pkgs.runCommandLocal "decrypted-salt-value" {
+        nativeBuildInputs = [ pkgs.gpg ];
+      } ''
+        export GNUPGHOME=$(mktemp -d)
+        gpg --import ${keyFile}
+        gpg -d > $out << EOF
+        ${x}
+        EOF
+      '';
+    in
+      builtins.readFile cleartextFile;
+
+  decrypt = x:
+    if builtins.isString x
+    then if builtins.substring 0 27 x == "-----BEGIN PGP MESSAGE-----"
+         then decryptMessage x
+         else x
+    else if builtins.isList x
+    then map decrypt x
+    else if builtins.isAttrs x
+    then builtins.mapAttrs (_: decrypt) x
+    else x;
+
 in
-builtins.foldl' (result: filename:
-  recursiveUpdate result (loadYaml filename)
-) {} (filesystem.listFilesRecursive ../../../../salt-pillar)
+decrypt (
+  builtins.foldl' (result: filename:
+    recursiveUpdate result (loadYaml filename)
+  ) {} (filesystem.listFilesRecursive ../../../../salt-pillar)
+)

nix/pkgs/device-templates.nix

@@ -40,8 +40,8 @@ let
       '' +
       builtins.concatStringsSep "\n" (
         map (hostname:
-          "ln -s ${config.site.device-scripts.${hostname}} $out/bin/${hostname}.sh"
-        ) (builtins.attrNames config.site.device-scripts)
+          "ln -s ${device-scripts.${hostname}} $out/bin/${hostname}.sh"
+        ) (builtins.attrNames device-scripts)
       )
     );
 in