# Builds the "in-repo-secrets" output: one PGP-encrypted Kubernetes Secret
# manifest per (namespace, secret name), laid out as
# $out/<namespace>/<secret name>.yaml.
#
# Pipeline, per secret:
#   1. read the raw values from ./secrets/<namespace>/<secret>/<KEY>
#   2. hand them to k8s-secret-generic, which yields <secret>.yaml
#   3. hand that file to k8s-secret-encrypted together with the Flux public key
#   4. copy every encrypted manifest into a single output tree
#
# NOTE(review): the unencrypted values pass through the Nix store on the way.
# Interpolating a path into a string ("${./secrets/...}") copies that file
# into the store, and the store is world-readable by default. The values are
# also passed as an argument to k8s-secret-generic, whose output is the
# pre-encryption <secret>.yaml (presumably plaintext; confirm in that
# package). Any user or binary cache that can read this machine's store can
# therefore read the secrets. If that is not acceptable, encrypt outside of
# Nix evaluation and commit only the ciphertext.
{
  lib,
  k8s,
  callPackage,
  runCommand,
  symlinkJoin,
  ...
}:
let
  # Reads one secret value from disk. The string interpolation is what copies
  # the plaintext file into the store (see the note at the top of the file).
  # NOTE(review): builtins.readFile returns the file verbatim, so a trailing
  # newline in the file becomes part of the secret value; confirm the files
  # are written without one, or that consumers tolerate it.
  read_secret = file: builtins.readFile "${file}";

  # Applies `f namespace name value` to every leaf of a two-level attribute
  # set shaped as namespace -> secret name -> value.
  map_secrets =
    f:
    builtins.mapAttrs (
      secret_namespace: builtins.mapAttrs (secret_name: f secret_namespace secret_name)
    );

  # namespace -> secret name -> { KEY = plaintext value; }
  secret_sources = {
    "external-dns" = {
      "rfc2136" = {
        "EXTERNAL_DNS_RFC2136_TSIG_SECRET" = read_secret ./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET;
      };
    };
    "cert-manager" = {
      "rfc2136" = {
        "TSIG_SECRET" = read_secret ./secrets/cert-manager/rfc2136/TSIG_SECRET;
      };
    };
    "gitea" = {
      "gitea-env" = {
        "GITEA_ADMIN_USERNAME" = read_secret ./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME;
        "GITEA_ADMIN_PASSWORD" = read_secret ./secrets/gitea/gitea-env/GITEA_ADMIN_PASSWORD;
      };
    };
  };

  # namespace -> secret name -> derivation holding the pre-encryption
  # <secret name>.yaml manifest.
  plaintext_manifests = map_secrets (
    secret_namespace: secret_name: secret_values:
    callPackage ../../package/k8s-secret-generic/package.nix {
      inherit secret_name secret_namespace secret_values;
    }
  ) secret_sources;

  # namespace -> secret name -> derivation holding the encrypted
  # <secret name>.yaml, encrypted to the public key shipped in
  # k8s.pgp-keys.flux_gpg.
  encrypted_manifests = map_secrets (
    secret_namespace: secret_name: plaintext_manifest:
    callPackage ../../package/k8s-secret-encrypted/package.nix {
      source_file = "${plaintext_manifest}/${secret_name}.yaml";
      output_filename = "${secret_name}.yaml";
      pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";
    }
  ) plaintext_manifests;

  # Shell script that creates one directory per namespace and copies each
  # encrypted manifest into it. Only encrypted derivations are referenced
  # here, so the final output tree does not depend on the plaintext ones
  # directly.
  copy_script = lib.concatStringsSep "\n" (
    lib.mapAttrsToList (
      secret_namespace: namespace_secrets:
      ''
        mkdir -p $out/${secret_namespace}
      ''
      + lib.concatStringsSep "\n" (
        lib.mapAttrsToList (secret_name: encrypted_manifest: ''
          cat ${encrypted_manifest}/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml
        '') namespace_secrets
      )
    ) encrypted_manifests
  );

  collected = runCommand "gen_in_repo_secrets" { } copy_script;
in
symlinkJoin {
  name = "in-repo-secrets";
  paths = [ collected ];
}