diff --git a/nix/lib/config/salt-support/salt-pillar.nix b/nix/lib/config/salt-support/salt-pillar.nix
index 0452b12..29cb560 100644
--- a/nix/lib/config/salt-support/salt-pillar.nix
+++ b/nix/lib/config/salt-support/salt-pillar.nix
@@ -3,7 +3,47 @@ with pkgs.lib;
 let
 loadYaml = import ./load-yaml.nix { inherit pkgs; };
+
+ # Swap with the real one if you don't have the key:
+ decryptMessage = _: "encrypted";
+
+ _decryptMessage = x:
+ let
+ keyFile = requireFile {
+ name = "salt-gpg.asc";
+ sha256 = "";
+ message = ''
+ GPG private key not found.
+
+ If you still want to build the scripts, search "#decryptMessage" in salt-pillar.nix.
+ '';
+ };
+ cleartextFile = pkgs.runCommandLocal "decrypted-salt-value" {
+ nativeBuildInputs = [ pkgs.gpg ];
+ } ''
+ export GNUPGHOME=$(mktemp -d)
+ gpg --import ${keyFile}
+ gpg -d > $out << EOF
+ ${x}
+ EOF
+ '';
+ in
+ builtins.readFile cleartextFile;
+
+ decrypt = x:
+ if builtins.isString x
+ then if builtins.substring 0 27 x == "-----BEGIN PGP MESSAGE-----"
+ then decryptMessage x
+ else x
+ else if builtins.isList x
+ then map decrypt x
+ else if builtins.isAttrs x
+ then builtins.mapAttrs (_: decrypt) x
+ else x;
+
 in
-builtins.foldl' (result: filename:
- recursiveUpdate result (loadYaml filename)
-) {} (filesystem.listFilesRecursive ../../../../salt-pillar)
+decrypt (
+ builtins.foldl' (result: filename:
+ recursiveUpdate result (loadYaml filename)
+ ) {} (filesystem.listFilesRecursive ../../../../salt-pillar)
+)
diff --git a/nix/pkgs/device-templates.nix b/nix/pkgs/device-templates.nix
index 3ae25cf..d41b2e0 100644
--- a/nix/pkgs/device-templates.nix
+++ b/nix/pkgs/device-templates.nix
@@ -40,8 +40,8 @@ let
 '' + builtins.concatStringsSep "\n" (
 map (hostname:
- "ln -s ${config.site.device-scripts.${hostname}} $out/bin/${hostname}.sh"
- ) (builtins.attrNames config.site.device-scripts)
+ "ln -s ${device-scripts.${hostname}} $out/bin/${hostname}.sh"
+ ) (builtins.attrNames device-scripts)
 )
 );
 in
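Review bot: Both the GPG private key and every decrypted pillar value end up in the world-readable Nix store in `_decryptMessage`: `requireFile` copies `salt-gpg.asc` into the store, `runCommandLocal` writes the cleartext to `$out`, and `builtins.readFile` then embeds it in the evaluation result and in whatever derivation consumes the pillar, so encrypting the pillar no longer protects it on the build host or in any binary cache those outputs reach. This should at least be stated above `_decryptMessage`, e.g. `# NOTE: the key and all decrypted values are copied into /nix/store (world-readable) and into the derivations that use the pillar; only run on a trusted builder and never push the outputs to a shared cache.` The heredoc is unquoted, so a `$`, backtick or backslash inside the armored message is expanded by the shell before `gpg -d` sees it; `gpg -d > $out << 'EOF'` avoids that. Two smaller points: `sha256 = ""` most likely makes `requireFile` fail at evaluation before its message is ever shown (a placeholder such as `lib.fakeSha256` is the usual way to defer the hash), and the message tells the reader to search for `#decryptMessage`, which does not match the `# Swap with the real one ...` comment this hunk actually adds.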