2026-03-19 18:16:20 -04:00
|
|
|
{
|
|
|
|
|
lib,
|
2026-04-18 16:22:47 -04:00
|
|
|
pkgs,
|
2026-03-19 18:16:20 -04:00
|
|
|
k8s,
|
|
|
|
|
callPackage,
|
|
|
|
|
runCommand,
|
|
|
|
|
symlinkJoin,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
let
|
|
|
|
|
pre_encryption_secrets =
|
|
|
|
|
builtins.mapAttrs
|
|
|
|
|
(
|
|
|
|
|
secret_namespace: secrets:
|
|
|
|
|
(builtins.mapAttrs (
|
|
|
|
|
secret_name: secret_values:
|
|
|
|
|
(callPackage ../../package/k8s-secret-generic/package.nix {
|
|
|
|
|
inherit secret_name secret_namespace secret_values;
|
|
|
|
|
})
|
|
|
|
|
) secrets)
|
|
|
|
|
)
|
|
|
|
|
{
|
2026-04-18 16:22:47 -04:00
|
|
|
"cert-manager" = {
|
|
|
|
|
"rfc2136" = {
|
|
|
|
|
"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
"dex" = {
|
|
|
|
|
"files" = {
|
|
|
|
|
"config.yaml" = dex_config_yaml;
|
|
|
|
|
};
|
|
|
|
|
};
|
2026-03-19 18:16:20 -04:00
|
|
|
"external-dns" = {
|
|
|
|
|
"rfc2136" = {
|
|
|
|
|
"EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (
|
|
|
|
|
builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"
|
|
|
|
|
);
|
|
|
|
|
};
|
|
|
|
|
};
|
2026-04-16 20:33:54 -04:00
|
|
|
"gitea" = {
|
|
|
|
|
"gitea-env" = {
|
|
|
|
|
"GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
|
|
|
|
|
"GITEA_ADMIN_PASSWORD" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_PASSWORD}");
|
|
|
|
|
};
|
2026-04-18 17:45:47 -04:00
|
|
|
"oauth2-env" = oauth2_env { dex_id = "gitea"; };
|
2026-04-16 20:33:54 -04:00
|
|
|
};
|
2026-04-26 09:11:35 -04:00
|
|
|
"harbor" = {
|
|
|
|
|
"harbor-config" = {
|
|
|
|
|
"config.json" = helm_json_escape harbor_config_json;
|
|
|
|
|
};
|
|
|
|
|
"dockerhub-auth-config" = {
|
|
|
|
|
"basic_auth.include" = (
|
|
|
|
|
builtins.readFile "${./secrets/harbor/dockerhub-auth-config/basic_auth.include}"
|
|
|
|
|
);
|
|
|
|
|
};
|
|
|
|
|
"harbor-admin-password" = {
|
|
|
|
|
"HARBOR_ADMIN_PASSWORD" = (
|
|
|
|
|
builtins.readFile "${./secrets/harbor/harbor-admin-password/HARBOR_ADMIN_PASSWORD}"
|
|
|
|
|
);
|
|
|
|
|
};
|
|
|
|
|
};
|
2026-03-19 18:16:20 -04:00
|
|
|
};
|
|
|
|
|
encrypted_secrets = (
|
|
|
|
|
builtins.mapAttrs (
|
|
|
|
|
secret_namespace: secrets:
|
|
|
|
|
(builtins.mapAttrs (
|
|
|
|
|
secret_name: secret_package:
|
|
|
|
|
(callPackage ../../package/k8s-secret-encrypted/package.nix {
|
|
|
|
|
source_file = "${
|
|
|
|
|
pre_encryption_secrets."${secret_namespace}"."${secret_name}"
|
|
|
|
|
}/${secret_name}.yaml";
|
|
|
|
|
output_filename = "${secret_name}.yaml";
|
|
|
|
|
pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";
|
|
|
|
|
})
|
|
|
|
|
) secrets)
|
|
|
|
|
) pre_encryption_secrets
|
|
|
|
|
);
|
|
|
|
|
combined_script = (
|
|
|
|
|
lib.concatMapStringsSep "\n" (
|
|
|
|
|
secret_namespace:
|
|
|
|
|
''
|
|
|
|
|
mkdir -p $out/${secret_namespace}
|
|
|
|
|
''
|
|
|
|
|
+ (lib.concatMapStringsSep "\n" (secret_name: ''
|
|
|
|
|
cat ${
|
|
|
|
|
encrypted_secrets."${secret_namespace}"."${secret_name}"
|
|
|
|
|
}/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml
|
|
|
|
|
'') (builtins.attrNames encrypted_secrets."${secret_namespace}"))
|
|
|
|
|
) (builtins.attrNames encrypted_secrets)
|
|
|
|
|
);
|
|
|
|
|
gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;
|
2026-04-18 16:22:47 -04:00
|
|
|
|
|
|
|
|
## Utilities
|
|
|
|
|
inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
|
2026-04-18 17:45:47 -04:00
|
|
|
generate_key =
|
|
|
|
|
len: name:
|
|
|
|
|
builtins.readFile (
|
|
|
|
|
runCommand "generate_key" { } ''
|
|
|
|
|
set +o pipefail
|
|
|
|
|
# ${name}
|
|
|
|
|
dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
|
|
|
|
|
''
|
|
|
|
|
);
|
2026-04-26 09:11:35 -04:00
|
|
|
helm_json_escape = json: builtins.toJSON json;
|
2026-04-18 16:22:47 -04:00
|
|
|
|
|
|
|
|
## dex
|
2026-04-26 09:11:35 -04:00
|
|
|
get_dex_config =
|
|
|
|
|
client_id:
|
|
|
|
|
(builtins.head (
|
|
|
|
|
builtins.filter (static_client: static_client.id == client_id) dex_config.staticClients
|
|
|
|
|
));
|
2026-04-18 16:22:47 -04:00
|
|
|
dex_static_client =
|
|
|
|
|
{
|
|
|
|
|
id,
|
|
|
|
|
name,
|
|
|
|
|
redirectURIs,
|
|
|
|
|
}:
|
|
|
|
|
{
|
|
|
|
|
inherit id name redirectURIs;
|
2026-04-18 17:45:47 -04:00
|
|
|
secret = generate_key 32 "dex_static_client ${id}";
|
2026-04-18 16:22:47 -04:00
|
|
|
};
|
|
|
|
|
dex_config = {
|
|
|
|
|
issuer = "https://dex.fizz.buzz";
|
|
|
|
|
storage = {
|
|
|
|
|
config = {
|
|
|
|
|
inCluster = true;
|
|
|
|
|
};
|
|
|
|
|
type = "kubernetes";
|
|
|
|
|
};
|
|
|
|
|
logger = {
|
|
|
|
|
level = "debug";
|
|
|
|
|
};
|
|
|
|
|
web = {
|
|
|
|
|
http = "0.0.0.0:5556";
|
|
|
|
|
};
|
|
|
|
|
oauth2 = {
|
|
|
|
|
alwaysShowLoginScreen = false;
|
|
|
|
|
skipApprovalScreen = true;
|
|
|
|
|
};
|
|
|
|
|
staticClients = map dex_static_client [
|
|
|
|
|
{
|
|
|
|
|
id = "prometheus";
|
|
|
|
|
name = "Prometheus";
|
|
|
|
|
redirectURIs = [ "https://prometheus.fizz.buzz/oauth2/callback" ];
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
id = "harbor";
|
|
|
|
|
name = "Harbor";
|
|
|
|
|
redirectURIs = [ "https://harbor.fizz.buzz/c/oidc/callback" ];
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
id = "tekton";
|
|
|
|
|
name = "Tekton";
|
|
|
|
|
redirectURIs = [ "https://tekton.fizz.buzz/oauth2/callback" ];
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
id = "homepage-staging";
|
|
|
|
|
name = "Homepage staging";
|
|
|
|
|
redirectURIs = [ "https://staging.fizz.buzz/oauth2/callback" ];
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
id = "gitea";
|
|
|
|
|
name = "gitea";
|
|
|
|
|
redirectURIs = [ "https://code.fizz.buzz/oauth2/callback" ];
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
enablePasswordDB = true;
|
|
|
|
|
staticPasswords = (import ./secrets/dex/static_passwords.nix);
|
|
|
|
|
expiry = {
|
|
|
|
|
idTokens = "1h";
|
|
|
|
|
signingKeys = "4h";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
dex_config_yaml = to_yaml "config.yml" dex_config;
|
2026-04-18 17:45:47 -04:00
|
|
|
|
|
|
|
|
## oauth2-proxy
|
|
|
|
|
oauth2_env =
|
|
|
|
|
{ dex_id }:
|
|
|
|
|
{
|
2026-04-26 09:11:35 -04:00
|
|
|
"OAUTH2_PROXY_CLIENT_SECRET" = (get_dex_config dex_id).secret;
|
2026-04-18 17:45:47 -04:00
|
|
|
"OAUTH2_PROXY_COOKIE_SECRET" = generate_key 32 "OAUTH2_PROXY_COOKIE_SECRET ${dex_id}";
|
|
|
|
|
};
|
2026-04-26 09:11:35 -04:00
|
|
|
|
|
|
|
|
## harbor
|
|
|
|
|
harbor_dex_config = get_dex_config "harbor";
|
|
|
|
|
harbor_config = {
|
|
|
|
|
"auth_mode" = "oidc_auth";
|
|
|
|
|
"self_registration" = "false";
|
|
|
|
|
"oidc_name" = "harbor";
|
|
|
|
|
"oidc_endpoint" = "https://dex.fizz.buzz";
|
|
|
|
|
"oidc_client_id" = harbor_dex_config.id;
|
|
|
|
|
"oidc_client_secret" = harbor_dex_config.secret;
|
|
|
|
|
"oidc_admin_group" = "TODO";
|
|
|
|
|
"oidc_scope" = "openid,profile,email,offline_access,groups";
|
|
|
|
|
};
|
|
|
|
|
# harbor_config_json = pkgs.writeText "config.json" (builtins.toJSON harbor_config);
|
|
|
|
|
harbor_config_json = builtins.toJSON harbor_config;
|
2026-03-19 18:16:20 -04:00
|
|
|
in
|
|
|
|
|
symlinkJoin {
|
|
|
|
|
name = "in-repo-secrets";
|
|
|
|
|
paths = [
|
|
|
|
|
gen_in_repo_secrets
|
|
|
|
|
];
|
|
|
|
|
}
|
