device-templates.nix: futile decryption attempts
This commit is contained in:
parent
1e0201b429
commit
d2a3d8a3c6
|
@ -3,7 +3,47 @@
|
||||||
with pkgs.lib;
|
with pkgs.lib;
|
||||||
let
|
let
|
||||||
loadYaml = import ./load-yaml.nix { inherit pkgs; };
|
loadYaml = import ./load-yaml.nix { inherit pkgs; };
|
||||||
|
|
||||||
|
# Swap with the real one if you don't have the key:
|
||||||
|
decryptMessage = _: "encrypted";
|
||||||
|
|
||||||
|
_decryptMessage = x:
|
||||||
|
let
|
||||||
|
keyFile = requireFile {
|
||||||
|
name = "salt-gpg.asc";
|
||||||
|
sha256 = "";
|
||||||
|
message = ''
|
||||||
|
GPG private key not found.
|
||||||
|
|
||||||
|
If you still want to build the scripts, search "#decryptMessage" in salt-pillar.nix.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
cleartextFile = pkgs.runCommandLocal "decrypted-salt-value" {
|
||||||
|
nativeBuildInputs = [ pkgs.gpg ];
|
||||||
|
} ''
|
||||||
|
export GNUPGHOME=$(mktemp -d)
|
||||||
|
gpg --import ${keyFile}
|
||||||
|
gpg -d > $out << EOF
|
||||||
|
${x}
|
||||||
|
EOF
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
builtins.readFile cleartextFile;
|
||||||
|
|
||||||
|
decrypt = x:
|
||||||
|
if builtins.isString x
|
||||||
|
then if builtins.substring 0 27 x == "-----BEGIN PGP MESSAGE-----"
|
||||||
|
then decryptMessage x
|
||||||
|
else x
|
||||||
|
else if builtins.isList x
|
||||||
|
then map decrypt x
|
||||||
|
else if builtins.isAttrs x
|
||||||
|
then builtins.mapAttrs (_: decrypt) x
|
||||||
|
else x;
|
||||||
|
|
||||||
in
|
in
|
||||||
builtins.foldl' (result: filename:
|
decrypt (
|
||||||
recursiveUpdate result (loadYaml filename)
|
builtins.foldl' (result: filename:
|
||||||
) {} (filesystem.listFilesRecursive ../../../../salt-pillar)
|
recursiveUpdate result (loadYaml filename)
|
||||||
|
) {} (filesystem.listFilesRecursive ../../../../salt-pillar)
|
||||||
|
)
|
||||||
|
|
|
@ -40,8 +40,8 @@ let
|
||||||
'' +
|
'' +
|
||||||
builtins.concatStringsSep "\n" (
|
builtins.concatStringsSep "\n" (
|
||||||
map (hostname:
|
map (hostname:
|
||||||
"ln -s ${config.site.device-scripts.${hostname}} $out/bin/${hostname}.sh"
|
"ln -s ${device-scripts.${hostname}} $out/bin/${hostname}.sh"
|
||||||
) (builtins.attrNames config.site.device-scripts)
|
) (builtins.attrNames device-scripts)
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
in
|
in
|
||||||
|
|
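Review bot: Both the GPG private key and the decrypted values end up in the world-readable Nix store: `requireFile` copies `salt-gpg.asc` into the store, and `cleartextFile` writes the plaintext to `$out` of the `decrypted-salt-value` derivation, which `builtins.readFile` then pulls into the evaluation, so anyone with local access to the store (or to a binary cache it is pushed to) can read the secrets once the stub is swapped out. The `sha256 = ""` in the `requireFile` call is a placeholder that will not match any file, so `_decryptMessage` cannot be used as committed; a comment such as `# TODO: fill in the sha256 of salt-gpg.asc before swapping this in` would make that explicit. The heredoc delimiter should be quoted, `gpg -d > $out << 'EOF'`, so the shell does not expand `$` or backquotes that may appear in the armored text fed through `${x}`. The `message` text points readers at `salt-pillar.nix` while the commit title names `device-templates.nix`; if that is a stale reference it should be updated in the same change.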