secrets-bao: inline configchanges, remove file, make configChanges attrs

2026-01-05 22:43:44 -06:00 · 2026-01-05 22:43:44 -06:00 · bd8cff90ed
commit bd8cff90ed
parent c1f5677520
4 changed files with 269 additions and 257 deletions
--- a/flakes/secrets-bao/flake.nix
+++ b/flakes/secrets-bao/flake.nix
@ -5,13 +5,32 @@

  outputs = { ... }:
    {
+      lib = {
+        applyConfigChanges = secrets:
+          let
+            substitute = secretPath: value:
+              if builtins.isAttrs value then
+                builtins.mapAttrs (_: v: substitute secretPath v) value
+              else if builtins.isList value then
+                map (v: substitute secretPath v) value
+              else if builtins.isString value then
+                builtins.replaceStrings [ "$SECRET_PATH" ] [ secretPath ] value
+              else
+                value;
+
+            fragments = builtins.attrValues (builtins.mapAttrs (
+              name: s:
+              let
+                secretPath = s.path or ("/run/secrets/" + name);
+              in
+              substitute secretPath (s.configChanges or { })
+            ) secrets);
+          in
+          builtins.foldl' (acc: v: acc // v) { } fragments;
+      };
+
      nixosModules = {
-        default = {
-          imports = [
-            (import ./nixos-module.nix)
-            (import ./nixos-configchanges.nix)
-          ];
-        };
+        default = import ./nixos-module.nix;
      };
    };
 }