feat: new deploy system, allows for in-repo pii

2025-12-06 09:07:21 +01:00 · 2025-06-11 02:25:34 +02:00 · 2025-06-11 02:25:34 +02:00 · a11c7854d1
commit a11c7854d1
parent 7e11641fe7
19 changed files with 1251 additions and 412 deletions
--- a/nix/extra-builtins.nix
+++ b/nix/extra-builtins.nix
@ -0,0 +1,26 @@
+{ exec, ... }:
+let
+  assertMsg = pred: msg: pred || builtins.throw msg;
+  hasSuffix =
+    suffix: content:
+    let
+      lenContent = builtins.stringLength content;
+      lenSuffix = builtins.stringLength suffix;
+    in
+    lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
+in
+{
+  # Instead of calling sops directly here, we call a wrapper script that will cache the output
+  # in a predictable path in /tmp, which allows us to only require the password for each encrypted
+  # file once.
+  sopsImportEncrypted =
+    nixFile:
+      assert assertMsg (builtins.isPath nixFile)
+        "The file to decrypt must be given as a path to prevent impurity.";
+      assert assertMsg (hasSuffix ".nix.age" nixFile)
+        "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
+      exec [
+        ./sops-decrypt-and-cache.sh
+        nixFile
+      ];
+}