feat: new deploy system, allows for in-repo pii

nix/extra-builtins.nix

@@ -0,0 +1,26 @@
+{ exec, ... }:
+let
+  assertMsg = pred: msg: pred || builtins.throw msg;
+  hasSuffix =
+    suffix: content:
+    let
+      lenContent = builtins.stringLength content;
+      lenSuffix = builtins.stringLength suffix;
+    in
+    lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
+in
+{
+  # Instead of calling sops directly here, we call a wrapper script that will cache the output
+  # in a predictable path in /tmp, which allows us to only require the password for each encrypted
+  # file once.
+  sopsImportEncrypted =
+    nixFile:
+      assert assertMsg (builtins.isPath nixFile)
+        "The file to decrypt must be given as a path to prevent impurity.";
+      assert assertMsg (hasSuffix ".nix.age" nixFile)
+        "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
+      exec [
+        ./sops-decrypt-and-cache.sh
+        nixFile
+      ];
+}

nix/nix-plugins.patch

@@ -0,0 +1,21 @@
+diff --git a/extra-builtins.cc b/extra-builtins.cc
+index 3a0f90e..bb10f8b 100644
+--- a/extra-builtins.cc
++++ b/extra-builtins.cc
+@@ -1,9 +1,9 @@
+-#include <config.h>
+-#include <primops.hh>
+-#include <globals.hh>
+-#include <config-global.hh>
+-#include <eval-settings.hh>
+-#include <common-eval-args.hh>
+-#include <filtering-source-accessor.hh>
++#include <nix/cmd/common-eval-args.hh>
++#include <nix/expr/eval-settings.hh>
++#include <nix/expr/primops.hh>
++#include <nix/fetchers/filtering-source-accessor.hh>
++#include <nix/store/globals.hh>
++#include <nix/util/configuration.hh>
++#include <nix/util/config-global.hh>
+
+ #include "nix-plugins-config.h"

nix/sops-decrypt-and-cache.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+print_out_path=false
+if [[ $1 == "--print-out-path" ]]; then
+    print_out_path=true
+    shift
+fi
+
+file="$1"
+shift
+
+basename="$file"
+# store path prefix or ./ if applicable
+[[ $file == "/nix/store/"* ]] && basename="${basename#*"-"}"
+[[ $file == "./"* ]] && basename="${basename#"./"}"
+
+# Calculate a unique content-based identifier (relocations of
+# the source file in the nix store should not affect caching)
+new_name="$(sha512sum "$file")"
+new_name="${new_name:0:32}-${basename//"/"/"%"}"
+
+# Derive the path where the decrypted file will be stored
+out="/var/tmp/nix-import-encrypted/$UID/$new_name"
+umask 077
+mkdir -p "$(dirname "$out")"
+
+# Decrypt only if necessary
+if [[ ! -e $out ]]; then
+    agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key)
+    SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file"
+fi
+
+# Print out path or decrypted content
+if [[ $print_out_path == true ]]; then
+    echo "$out"
+else
+    cat "$out"
+fi