42 lines
947 B
Nix
42 lines
947 B
Nix
{ pkgs ? import <nixpkgs> {}
|
|
, gpgKey
|
|
}:
|
|
|
|
with pkgs.lib;
|
|
let
|
|
loadYaml = import ./load-yaml.nix { inherit pkgs; };
|
|
|
|
decryptMessage = x:
|
|
if gpgKey == null
|
|
then "encrypted"
|
|
else
|
|
builtins.readFile (
|
|
pkgs.runCommandLocal "decrypted-salt-value" {
|
|
nativeBuildInputs = [ pkgs.gnupg ];
|
|
} ''
|
|
export GNUPGHOME=$(mktemp -d)
|
|
gpg --import ${gpgKey}
|
|
gpg -d > $out << EOF
|
|
${x}
|
|
EOF
|
|
''
|
|
);
|
|
|
|
decrypt = x:
|
|
if builtins.isString x
|
|
then if builtins.substring 0 27 x == "-----BEGIN PGP MESSAGE-----"
|
|
then decryptMessage x
|
|
else x
|
|
else if builtins.isList x
|
|
then map decrypt x
|
|
else if builtins.isAttrs x
|
|
then builtins.mapAttrs (_: decrypt) x
|
|
else x;
|
|
|
|
in
|
|
decrypt (
|
|
builtins.foldl' (result: filename:
|
|
recursiveUpdate result (loadYaml filename)
|
|
) {} (filesystem.listFilesRecursive ../../../../salt-pillar)
|
|
)
|