authorseth <[email protected]>2024-07-09 15:25:57 -0400
committerseth <[email protected]>2024-07-09 15:38:51 -0400
commit0353d7506a87b5f8b161c93dd7159b567eaea7ef (patch)
tree433848a31792ff0f8fcbeba8d62d8a91c163eff7 /secrets
parent681c9e1bf3382bb8c00c05440d6282ffa95d14e8 (diff)
secrets: refactor & document toSecrets
Diffstat (limited to 'secrets')
-rw-r--r--secrets/toSecrets.nix38
1 files changed, 27 insertions, 11 deletions
diff --git a/secrets/toSecrets.nix b/secrets/toSecrets.nix
index fff6936..3ae33f1 100644
--- a/secrets/toSecrets.nix
+++ b/secrets/toSecrets.nix
@@ -1,19 +1,35 @@
hosts:
let
- optional = attrset: val: if attrset ? ${val} then [ attrset.${val} ] else [ ];
+ # Find any public keys from a given system's attributes
+ findPubkeysIn =
+ host:
+ builtins.filter (item: item != null) [
+ (host.pubkey or null)
+ (host.owner or null)
+ ];
- mkPubkeys = host: optional host "pubkey" ++ optional host "owner";
+ # Memorize them for later
+ publicKeysFor = builtins.mapAttrs (_: findPubkeysIn) hosts;
- op =
- acc: host:
- acc
- // (builtins.listToAttrs (
+ # Map secret files meant for `hostname` to an attribute set containing
+ # their relative path and public keys
+ #
+ # See https://github.com/ryantm/agenix/blob/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6/README.md#tutorial
+ # as a reference to what this outputs
+ secretsFrom =
+ hostname: host:
+ builtins.listToAttrs (
map (file: {
- name = "${host}/${file}";
+ name = "${hostname}/${file}";
value = {
- publicKeys = mkPubkeys hosts.${host};
+ publicKeys = publicKeysFor.${hostname};
};
- }) hosts.${host}.files
- ));
+
+ }) host.files
+ );
+
+ # Memorize them all
+ secretsFor = builtins.mapAttrs secretsFrom hosts;
in
-builtins.foldl' op { } (builtins.attrNames hosts)
+# Now merge them all into one attribute set
+builtins.foldl' (acc: secrets: acc // secrets) { } (builtins.attrValues secretsFor)
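Review bot: A host that defines neither `pubkey` nor `owner` now gets `publicKeys = [ ]` for every file it lists, because `findPubkeysIn` filters the nulls and nothing checks the result — `secretsFrom` then emits agenix entries with no recipients, which is only noticed when someone tries to encrypt the secret. The old `optional` helper had the same gap, but since the refactor now has the hostname in scope the check is cheap; in `secretsFrom` I would write `hostname: host:` / `assert publicKeysFor.${hostname} != [ ] || builtins.throw "toSecrets: host ${hostname} defines neither pubkey nor owner";` / `builtins.listToAttrs (`, which fires when the host's set is forced by the final `//` merge. Two smaller points of style: the comments "Memorize them for later" and "Memorize them all" presumably mean "Memoize", and the blank `+` line inside the `map` body (between `};` and `}) host.files`) looks accidental.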