# Helpers for building encrypted secret derivations and for enumerating hosts.
#
# Arguments:
#   nixpkgs - path (or flake input) of the nixpkgs tree; imported below and
#             also used for its `lib`.
#   hosts   - attribute set keyed by host name; only the names are used here.
#
# Evaluation is impure: `builtins.currentSystem` and `builtins.getEnv` are
# both used, and `getEnv` yields "" when the variable is unset or when
# evaluation is pure, so none of this can be used from a pure flake evaluation.
{ nixpkgs, hosts }:
with nixpkgs.lib;
rec {
  # mkSecret f
  #
  # `f` receives `{ pkgs, encryptCmd }` and must return an attribute set with:
  #   script - text of the bash script that the derivation runs as its builder
  #   utils  - list of packages whose `bin` directories are appended to PATH
  #
  # Returns a derivation named "secret".
  mkSecret =
    let
      system = builtins.currentSystem;
      pkgs = import nixpkgs { inherit system; };

      # Read from the evaluating user's environment and spliced unquoted into
      # the command line below.
      # NOTE(review): presumably this carries rage recipient flags, which would
      # explain the lack of quoting - confirm. Whoever controls RAGE_KEYS at
      # evaluation time decides who can decrypt, so treat it as trusted input
      # and consider failing evaluation when it is empty.
      keys = builtins.getEnv "RAGE_KEYS";
      encryptCmd = "rage ${keys} -a";

      # NOTE(review): looks like a knob that changes the script's store name,
      # and therefore the derivation hash, to force a rebuild - confirm.
      impuritySource = builtins.getEnv "IMPURITY_SOURCE";
    in
    f:
    let
      data = f { inherit pkgs encryptCmd; };

      # The script text is written to the Nix store, which is world-readable
      # by default. Anything `f` embeds in `data.script`, including the
      # expanded `encryptCmd`, is visible to every local user, so plaintext
      # secret material must never be interpolated into the script.
      # NOTE(review): the name starts with "./" and embeds a raw environment
      # value; store names accept a restricted character set - confirm this
      # evaluates on the Nix version in use.
      buildScript = pkgs.writeTextFile {
        name = "./build-${impuritySource}.sh";
        text = data.script;
        executable = true;
      };

      # coreutils and rage come first, then each extra utility in order.
      binDirs =
        [ "${pkgs.coreutils}/bin" "${pkgs.rage}/bin" ]
        ++ map (n: "${n}/bin") data.utils;
    in
    builtins.derivation {
      inherit system;
      name = "secret";

      builder = "${pkgs.bash}/bin/bash";
      args = [ buildScript ];

      PATH = concatStringsSep ":" binDirs;
    };

  # Names of every host in `hosts`.
  hostNames = attrNames hosts;

  # hostsToAttrs f -> { <hostName> = f <hostName>; ... } for every host.
  hostsToAttrs = f:
    listToAttrs (map (name: nameValuePair name (f name)) hostNames);

  # Every unordered pair of distinct hosts, each as `{ a, b }` with a < b.
  # A host paired with itself maps to null and is dropped; `unique` collapses
  # the (x, y) / (y, x) duplicates, which `hostsPair` makes identical.
  hostsCartesian =
    let
      pairOrNull = a: b: if a != b then hostsPair a b else null;
      everyCombination = crossLists pairOrNull [ hostNames hostNames ];
    in
    remove null (unique everyCombination);

  # hostsPair this other -> { a, b } holding the two names in ascending order,
  # so the result does not depend on argument order.
  hostsPair = this: other:
    let
      ordered = sort lessThan [ this other ];
    in
    {
      a = head ordered;
      b = elemAt ordered 1;
    };
}