allow to run ./deploy --build-only event if git-crypt is locked

This will allow to test deployments in CI and also for contributors that are not part of the core infrastructure team.
nix-community · Apr 17, 2020 · 69cf40d · 69cf40d
1 parent 1fdf33a
commit 69cf40d
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 3 deletions.
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
@@ -13,3 +13,4 @@ jobs:
         signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
         # Only needed for private caches
         authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - run: ./deploy --build-only
diff --git a/deployment.nix b/deployment.nix
@@ -1,7 +1,5 @@
 let
-
-  secrets = import ./secrets;
-
+  secrets = import ./secrets.nix;
 in
 {
 

diff --git a/secrets.nix b/secrets.nix
@@ -0,0 +1,23 @@
+with builtins;
+let
+  # Copied from <nixpkgs/lib>
+  removeSuffix = suffix: str:
+    let
+      sufLen = stringLength suffix;
+      sLen = stringLength str;
+    in
+    if
+      sufLen <= sLen && suffix == substring (sLen - sufLen) sufLen str
+    then
+      substring 0 (sLen - sufLen) str
+    else
+      str;
+
+  # Copied from <nixpkgs/lib>
+  fileContents = file: removeSuffix "\n" (builtins.readFile file);
+
+  readSecret = name: fileContents (./secrets + "/${name}");
+in
+mapAttrs
+  (name: type: if type != "directory" then readSecret name else null)
+  (readDir ./secrets)