infra/common/secrets.nix

## This is a simple secret abstraction with multi-tenancy awareness.
{ config, lib, ... }:
let
  cfg = config.bagel.secrets;
  inherit (lib) mkOption types genAttrs;
in
{
  options.bagel.secrets = {
    tenant = mkOption {
      type = types.enum [ "lix" "floral" ];
    };

    files = mkOption {
      type = types.listOf types.str;
      default = [ ];
    };
  };

  config.age.secrets = genAttrs cfg.files (secretFile: {
      file = ../secrets/${cfg.tenant}/${secretFile}.age;
    });
}
feat: multi-tenant secrets Lix may have its own secrets and we want to maintain a certain generalization level on the NixOS modules, so we can decorrelate which secret we select dynamically by having a simple tenancy hierarchy system. This unfortunately requires to rewrite all call sites with a floral prefix until we migrate them to the simple internal secret module which is aware of this. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-05 16:03:41 +00:00			`## This is a simple secret abstraction with multi-tenancy awareness.`
			`{ config, lib, ... }:`
			`let`
			`cfg = config.bagel.secrets;`
			`inherit (lib) mkOption types genAttrs;`
			`in`
			`{`
			`options.bagel.secrets = {`
			`tenant = mkOption {`
			`type = types.enum [ "lix" "floral" ];`
			`};`

			`files = mkOption {`
			`type = types.listOf types.str;`
			`default = [ ];`
			`};`
			`};`

			`config.age.secrets = genAttrs cfg.files (secretFile: {`
			`file = ../secrets/${cfg.tenant}/${secretFile}.age;`
			`});`
			`}`