Fix secrets closure

[perso/Immae/Config/Nix.git] / flakes / secrets / flake.nix

diff --git a/flakes/secrets/flake.nix b/flakes/secrets/flake.nix
index f2ebefb4c86a6ae3f2e2bc33a5da8b5299a9b613..4ba63d9e1783299b1d47bffca1516c96e824b80b 100644 (file)
--- a/flakes/secrets/flake.nix
+++ b/flakes/secrets/flake.nix
@@ -101,6 +101,11 @@
             ${v.user} ${v.group} ${v.permissions} ${fpath v}
             EOF
             '';
+        toOutputs = n: v: if v.path or false then n else pkgs.lib.flatten (map (v': (import n)."${v'}") v.outputs);
+        inputs = pkgs.lib.unique (pkgs.lib.flatten (map (v:
+          if v.isDir then []
+          else pkgs.lib.mapAttrsToList toOutputs (builtins.getContext v.text)
+        ) keys));
         secrets = pkgs.runCommand "secrets.tar.enc" {
           buildInputs = [ pkgs.gnupg pkgs.sops ];
           } ''
@@ -118,6 +123,7 @@
           done
 
           sops --age ${builtins.concatStringsSep "," config.secrets.ageKeys} --pgp ''${fingerprints#,} --input-type binary -i -e $out 2>/dev/null
+          cat $out | ${pkgs.jq}/bin/jq --argjson inputs '${builtins.toJSON inputs}' '.sops.nixInputs = $inputs' | ${pkgs.moreutils}/bin/sponge $out
           '';
         pathChmodExcl =
           let