provisioning/schemas/security/sops/main.ncl

# SOPS Integration Module - Manage encrypted secrets with Age keys

let contracts = import "contracts.ncl" in
let defaults = import "defaults.ncl" in
let generator = import "generator.ncl" in

{
  # Type exports
  SopsRule = contracts.SopsRule,
  SopsConfig = contracts.SopsConfig,
  SopsEnvironmentConfig = contracts.SopsEnvironmentConfig,

  # Configuration exports
  defaults = defaults,

  # Generator exports
  generate_creation_rules = generator.generate_creation_rules,
  generate_sops_yaml = generator.generate_sops_yaml,
  generate_all_environments = generator.generate_all_environments,
  serialize_to_yaml = generator.serialize_to_yaml,

  # Initialize SOPS configuration for an environment with Age keys
  init_environment = fun environment age_public_key =>
    let config = generator.generate_sops_yaml environment in
    let update_rules = fun rules =>
      std.array.map (fun rule => rule & { age = age_public_key }) rules in
    config & { creation_rules = update_rules config.creation_rules },

  # Merge user SOPS rules with defaults (user rules take precedence)
  merge_with_defaults = fun environment user_config =>
    let default_config = generator.generate_sops_yaml environment in
    {
      creation_rules = (user_config.creation_rules or default_config.creation_rules),
    },

  # Validate SOPS configuration has required fields
  validate_config = fun config =>
    let has_rules = std.array.length config.creation_rules > 0 in
    let all_rules_valid = std.array.all (fun rule =>
      not (std.string.is_empty rule.age) &&
      std.string.length rule.age > 10  # Basic Age key format check
    ) config.creation_rules in
    has_rules && all_rules_valid,

  # Generate complete .sops.yaml file content
  generate_file = fun environment age_public_key =>
    let config = init_environment environment age_public_key in
    generator.serialize_to_yaml config,
}
docs: update README and CHANGELOG for nickel branch (2026-05-12) 2026-05-12 02:23:01 +01:00			`# SOPS Integration Module - Manage encrypted secrets with Age keys`

			`let contracts = import "contracts.ncl" in`
			`let defaults = import "defaults.ncl" in`
			`let generator = import "generator.ncl" in`

			`{`
			`# Type exports`
			`SopsRule = contracts.SopsRule,`
			`SopsConfig = contracts.SopsConfig,`
			`SopsEnvironmentConfig = contracts.SopsEnvironmentConfig,`

			`# Configuration exports`
			`defaults = defaults,`

			`# Generator exports`
			`generate_creation_rules = generator.generate_creation_rules,`
			`generate_sops_yaml = generator.generate_sops_yaml,`
			`generate_all_environments = generator.generate_all_environments,`
			`serialize_to_yaml = generator.serialize_to_yaml,`

			`# Initialize SOPS configuration for an environment with Age keys`
			`init_environment = fun environment age_public_key =>`
			`let config = generator.generate_sops_yaml environment in`
			`let update_rules = fun rules =>`
			`std.array.map (fun rule => rule & { age = age_public_key }) rules in`
			`config & { creation_rules = update_rules config.creation_rules },`

			`# Merge user SOPS rules with defaults (user rules take precedence)`
			`merge_with_defaults = fun environment user_config =>`
			`let default_config = generator.generate_sops_yaml environment in`
			`{`
			`creation_rules = (user_config.creation_rules or default_config.creation_rules),`
			`},`

			`# Validate SOPS configuration has required fields`
			`validate_config = fun config =>`
			`let has_rules = std.array.length config.creation_rules > 0 in`
			`let all_rules_valid = std.array.all (fun rule =>`
			`not (std.string.is_empty rule.age) &&`
			`std.string.length rule.age > 10 # Basic Age key format check`
			`) config.creation_rules in`
			`has_rules && all_rules_valid,`

			`# Generate complete .sops.yaml file content`
			`generate_file = fun environment age_public_key =>`
			`let config = init_environment environment age_public_key in`
			`generator.serialize_to_yaml config,`
			`}`