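{ pkgs ? import <nixpkgs> {} }:

# Loads every file under salt-pillar, deep-merges them into one attribute set
# (later files win) and replaces every PGP-armored string value in the result
# with its decrypted form.
#
# NOTE(review): when the real `_decryptMessage` is wired in, both the private
# key (added through requireFile) and each decrypted value (the runCommandLocal
# output read back via readFile) end up as paths in the Nix store, which is
# readable by every user of the machine. Reading the derivation output at
# evaluation time also forces a build during evaluation (import-from-derivation).

with pkgs.lib;

let
  # Parses one pillar file into a Nix value; defined in ./load-yaml.nix.
  loadYaml = import ./load-yaml.nix { inherit pkgs; };

  # Placeholder used by default so the expression evaluates without the key.
  # Swap with the real one (`_decryptMessage` below) if you have it; search
  # "#decryptMessage" in salt-pillar.nix.
  decryptMessage = _: "encrypted";

  # Real implementation: decrypts one ASCII-armored PGP message with the
  # private key from salt-gpg.asc, which the user has to add to the store by
  # hand (requireFile prints `message` when it is missing).
  _decryptMessage = x:
    let
      # requireFile lives in pkgs, not in lib, so it is not reachable through
      # `with pkgs.lib;` alone.
      keyFile = pkgs.requireFile {
        name = "salt-gpg.asc";
        # TODO: fill in the sha256 of the key file (<SHA256-OF-SALT-GPG-ASC>);
        # requireFile cannot match a file against an empty hash.
        sha256 = "";
        message = ''
          GPG private key not found.

          If you still want to build the scripts, search "#decryptMessage" in salt-pillar.nix.
        '';
      };

      # Runs gpg in an ephemeral keyring inside the build sandbox and writes
      # the cleartext to $out.
      cleartextFile = pkgs.runCommandLocal "decrypted-salt-value" {
        # NOTE(review): confirm that `pkgs.gpg` resolves; the canonical
        # attribute is `pkgs.gnupg`.
        nativeBuildInputs = [ pkgs.gpg ];
      } ''
        export GNUPGHOME=$(mktemp -d)
        gpg --import ${keyFile}
        # Quoted delimiter: the armored message is fed to gpg verbatim, without
        # the shell expanding $, backticks or backslashes inside it.
        gpg -d > $out << 'EOF'
        ${x}
        EOF
      '';
    in
      builtins.readFile cleartextFile;

  # Walks an arbitrary value: PGP-armored strings are decrypted, lists and
  # attribute sets are traversed recursively, everything else passes through.
  decrypt = x:
    if builtins.isString x then
      (if hasPrefix "-----BEGIN PGP MESSAGE-----" x then decryptMessage x else x)
    else if builtins.isList x then
      map decrypt x
    else if builtins.isAttrs x then
      builtins.mapAttrs (_: decrypt) x
    else
      x;
in
decrypt (
  # NOTE(review): listFilesRecursive yields every file under the directory;
  # this assumes all of them are parseable by load-yaml.nix — confirm.
  builtins.foldl' (result: filename:
    recursiveUpdate result (loadYaml filename)
  ) {} (filesystem.listFilesRecursive ../../../../salt-pillar)
)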