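{ runCommand, haskellPackages }:
/*
Given one or more XML files, produces a Nix file holding the list of files they
pull in through the XInclude mechanism (`xi:include href="..."`). The produced
file can be imported into other Nix files; importing a build result this way
(import-from-derivation) requires read-write mode of evaluation.

Use case: XML config files whose sensitive portions (secrets, keys) live in
separate files that are merged at runtime by XInclude. With this package,
deployment tools like NixOps can be taught to extract the key paths and deploy
the keys automatically.

Security note: the build script below echoes the invocation and the produced
file to the build log (stderr). Those are file *paths* (the XInclude hrefs),
not the contents of the included files. The XML files handed to this function
are inputs of the build and are therefore read at build time -- and, if given
as store paths, live in the world-readable Nix store -- so they must not
contain the secrets themselves; keep secrets in the xi:include'd files (e.g.
under /run/keys). Whether the helper ever opens the included files is decided
by xinclude2nix.hs, not by this wrapper.

Example of input file (for Jenkins):
<?xml version="1.0" encoding="UTF-8"?>
<hudson xmlns:xi="http://www.w3.org/2001/XInclude">
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
<permission>hudson.model.Hudson.Read:ip1981</permission>
<permission>hudson.model.Item.Build:ip1981</permission>
<permission>hudson.model.Item.Cancel:ip1981</permission>
<permission>hudson.model.Item.Read:ip1981</permission>
<permission>hudson.model.Hudson.Administer:ip1981</permission>
</authorizationStrategy>
<securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
<clientID>XXXXXXXXXXXXXXXXXXX</clientID>
<xi:include href="/run/keys/github-oauth-XXXXXXXXXXXXXXXXXXX.xml"/>
<oauthScopes>read:org,user:email</oauthScopes>
</securityRealm>
</hudson>
Corresponding output file (/nix/store/abc...xyz-xinclude.nix):
["/run/keys/github-oauth-XXXXXXXXXXXXXXXXXXX.xml"]
*/
# `xmlFiles` is either a single file (string or path) or a list of files.
# Every entry becomes exactly one argument of the xinclude2nix invocation.
xmlFiles:
let
  inherit (builtins) concatStringsSep isList map replaceStrings toString;

  # Normalise to a list so a single file and a list of files are handled
  # the same way.
  files = if isList xmlFiles then xmlFiles else [ xmlFiles ];

  # Single-quote one argument for the shell so a path containing whitespace
  # or shell metacharacters is still passed as one intact argument (the
  # previous unquoted word-splitting broke such paths). `toString` keeps the
  # original treatment of path values (absolute path string, no store copy).
  quote = f: "'${replaceStrings [ "'" ] [ "'\\''" ] (toString f)}'";

  args = concatStringsSep " " (map quote files);

  # Statically linked helper binary compiled from xinclude2nix.hs; it needs
  # the hxt package from haskellPackages.
  xinclude2nix =
    let
      deps = hpkgs: with hpkgs; [ hxt ];
      ghc = "${haskellPackages.ghcWithPackages deps}/bin/ghc -Wall -static";
    in runCommand "xinclude2nix" {} ''
      ${ghc} -o $out ${./xinclude2nix.hs}
    '';
in runCommand "xinclude.nix" {} ''
  # Log the exact invocation and its result for debugging. Only paths end
  # up here, never the contents of the xi:include'd files.
  echo ${xinclude2nix} ${args} >&2
  ${xinclude2nix} ${args} > $out
  echo -n "$out: " >&2
  cat "$out" >&2
''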