From 0871be7cf399ce4f55aad93aade514d347301b83 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Wed, 20 Dec 2023 17:18:27 +0200
Subject: [PATCH] hosts/jenkins-controller: inline get_secret.py

Prevent the repo and nixpkgs linter from fighting each other about formatting.

Signed-off-by: Florian Klink
---
 hosts/jenkins-controller/configuration.nix | 42 ++++++++++++++++------
 hosts/jenkins-controller/get_secret.py | 24 -------------
 2 files changed, 32 insertions(+), 34 deletions(-)
 delete mode 100644 hosts/jenkins-controller/get_secret.py

diff --git a/hosts/jenkins-controller/configuration.nix b/hosts/jenkins-controller/configuration.nix
index 3db8c7f3..a1f70455 100644
--- a/hosts/jenkins-controller/configuration.nix
+++ b/hosts/jenkins-controller/configuration.nix
@@ -20,6 +20,36 @@
 echo "Uploading paths" $OUT_PATHS
 exec nix --extra-experimental-features nix-command copy --to 'http://localhost:8080?secret-key=/etc/secrets/nix-signing-key&compression=zstd' $OUT_PATHS
 '';
+
+ get-secret =
+ pkgs.writers.writePython3 "get-secret" {
+ libraries = with pkgs.python3.pkgs; [azure-keyvault-secrets azure-identity];
+ } ''
+ """
+ This script retrieves a secret specified in $SECRET_NAME
+ from an Azure Key Vault in $KEY_VAULT_NAME
+ and prints it to stdout.
+
+ It uses the default Azure credential client.
+ """
+
+ from azure.keyvault.secrets import SecretClient
+ from azure.identity import DefaultAzureCredential
+
+ import os
+
+ key_vault_name = os.environ["KEY_VAULT_NAME"]
+ secret_name = os.environ["SECRET_NAME"]
+
+ credential = DefaultAzureCredential()
+ client = SecretClient(
+ vault_url=f"https://{key_vault_name}.vault.azure.net",
+ credential=credential
+ )
+
+ s = client.get_secret(secret_name)
+ print(s.value)
+ '';
 in {
 imports = [
 ../azure-common-2.nix
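Review bot: `print(s.value)` at the end of the inlined script emits the literal `None` (plus a trailing newline) when the fetched secret carries no value, since `KeyVaultSecret.value` is optional in the SDK, and the units in this file redirect that stdout straight into `/etc/secrets/...`, so a misconfigured secret becomes an unusable key file with a zero exit status. Guard it before printing: `if s.value is None: raise SystemExit(f"secret {secret_name!r} has no value")`. `KEY_VAULT_NAME` is likewise dropped into the vault URL unvalidated; it is operator-supplied via the unit's EnvironmentFile rather than untrusted, but a `re.fullmatch(r"[A-Za-z0-9-]+", key_vault_name)` check (with `import re`) would stop a typo from turning into a request to some other host. The `let` that binds `get-secret` opens before this hunk.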
@@ -71,11 +101,7 @@ in {
 EnvironmentFile = "/var/lib/fetch-build-ssh-key/env";
 Restart = "on-failure";
 };
- script = let
- get-secret = pkgs.writers.writePython3 "get-secret" {
- libraries = with pkgs.python3.pkgs; [azure-keyvault-secrets azure-identity];
- } (builtins.readFile ./get_secret.py);
- in ''
+ script = ''
 umask 077
 mkdir -p /etc/secrets/
 ${get-secret} > /etc/secrets/remote-build-ssh-key
@@ -127,11 +153,7 @@ in {
 EnvironmentFile = "/var/lib/fetch-binary-cache-signing-key/env";
 Restart = "on-failure";
 };
- script = let
- get-secret = pkgs.writers.writePython3 "get-secret" {
- libraries = with pkgs.python3.pkgs; [azure-keyvault-secrets azure-identity];
- } (builtins.readFile ./get_secret.py);
- in ''
+ script = ''
 umask 077
 mkdir -p /etc/secrets/
 ${get-secret} > /etc/secrets/nix-signing-key
diff --git a/hosts/jenkins-controller/get_secret.py b/hosts/jenkins-controller/get_secret.py
deleted file mode 100644
index ba59ea60..00000000
--- a/hosts/jenkins-controller/get_secret.py
+++ /dev/null
@@ -1,24 +0,0 @@
-"""
-This script retrieves a secret specified in $SECRET_NAME
-from an Azure Key Vault in $KEY_VAULT_NAME
-and prints it to stdout.
-
-It uses the default Azure credential client.
-"""
-
-from azure.keyvault.secrets import SecretClient
-from azure.identity import DefaultAzureCredential
-
-import os
-
-key_vault_name = os.environ["KEY_VAULT_NAME"]
-secret_name = os.environ["SECRET_NAME"]
-
-credential = DefaultAzureCredential()
-client = SecretClient(
-vault_url=f"https://{key_vault_name}.vault.azure.net",
-credential=credential
-)
-
-s = client.get_secret(secret_name)
-print(s.value)
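Review bot: The rewritten `script` bodies here and in the `@@ -127` hunk redirect `${get-secret}` straight onto the final path, so `/etc/secrets/remote-build-ssh-key` and `/etc/secrets/nix-signing-key` are truncated by the shell before the Key Vault call has succeeded; a transient auth or network failure leaves an empty key file in place until `Restart = "on-failure"` gets a retry through. Writing to a temporary file and renaming keeps the previous key intact, e.g. `tmp=$(mktemp /etc/secrets/.remote-build-ssh-key.XXXXXX)`, `${get-secret} > "$tmp"`, `mv "$tmp" /etc/secrets/remote-build-ssh-key` (mktemp honours the `umask 077` already set). The enclosing service definitions start and end outside both hunks.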