machine_setup/nix/kubernetes/keys/package/bootstrap-script/package.nix

# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
  lib,
  stdenv,
  writeShellScript,
  k8s,
  ...
}:
let
  bootstrap_script = (writeShellScript "bootstrap-script" bootstrap_script_body);
  bootstrap_script_body = (''
    set -euo pipefail
    IFS=$'\n\t'
    DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"

    ${apply_manifests}
    echo "Bootstrap finished"
  '');
  manifests = (
    lib.concatMapStringsSep "," lib.escapeShellArg (
      [
        ./files/manifests/initial_clusterrole.yaml
      ]
      ++ gateway_crds
      ++ [
        "${k8s.cilium-manifest}/cilium.yaml"
        "${k8s.coredns-manifest}/coredns.yaml"
        ./files/manifests/flux_namespace.yaml
        ./files/manifests/flux.yaml
        ./files/manifests/flux_instance.yaml
      ]
      ++ (lib.attrsets.mapAttrsToList (
        secret_name: secret_value: "${secret_value}/${secret_name}.yaml"
      ) k8s.k8s-secrets-generic)
      ++ [
        ./files/manifests/flux_apply_git.yaml
      ]
    )
  );
  apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";
  gateway_crds = [
    (builtins.fetchurl {
      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml";
      sha256 = "0vf8c3kzlf7p6bf92gmdrzjc22fr2dwkrzvvbnxlsb43knv1nbzl";
    })
    (builtins.fetchurl {
      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gateways.yaml";
      sha256 = "1dqwlsypcb5f37y7x48rrv27yfgkizcx2alqd2nngijl1qzir3wa";
    })
    (builtins.fetchurl {
      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml";
      sha256 = "05llfw6y66438r8kqy7krhyymyalkzxsaxjpa2zxzjk6z5mggbzq";
    })
    (builtins.fetchurl {
      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml";
      sha256 = "0a9q0vhqcazfrni3ajcq8vm2b254vcjbgmkchsdq9l6cbpvx79jd";
    })
    (builtins.fetchurl {
      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml";
      sha256 = "19hwvdwdj0sc5fihdskw492g52ail3kjjzm6vpflvp2vlqam629p";
    })
    (builtins.fetchurl {
      url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml";
      sha256 = "0b5pjihyzyyi4inz3avlkzvvccsynj9wsmx6znld04jmmvwpgxc9";
    })
  ];
in
stdenv.mkDerivation (finalAttrs: {
  name = "bootstrap-script";
  nativeBuildInputs = [ ];
  buildInputs = [ ];

  unpackPhase = "true";

  installPhase = ''
    cp ${bootstrap_script} "$out"
  '';
})
Move the cluster bootstrap into the keys flake. Bootstrapping the cluster needs access to secrets, so I am moving it into the keys flake. 2025-12-20 23:13:51 -05:00			`# unpackPhase`
			`# patchPhase`
			`# configurePhase`
			`# buildPhase`
			`# checkPhase`
			`# installPhase`
			`# fixupPhase`
			`# installCheckPhase`
			`# distPhase`
			`{`
			`lib,`
			`stdenv,`
			`writeShellScript,`
			`k8s,`
			`...`
			`}:`
			`let`
			`bootstrap_script = (writeShellScript "bootstrap-script" bootstrap_script_body);`
			`bootstrap_script_body = (''`
			`set -euo pipefail`
			`IFS=$'\n\t'`
			`DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"`

			`${apply_manifests}`
			`echo "Bootstrap finished"`
			`'');`
			`manifests = (`
Generic secrets for ssh keys. 2025-12-21 22:41:21 -05:00			`lib.concatMapStringsSep "," lib.escapeShellArg (`
			`[`
			`./files/manifests/initial_clusterrole.yaml`
Enable gateway support. 2026-01-04 22:27:00 -05:00			`]`
			`++ gateway_crds`
			`++ [`
Build the cilium manifest automatically in nix. 2025-12-29 19:11:55 -05:00			`"${k8s.cilium-manifest}/cilium.yaml"`
Switch to generating the coredns manifests via nix. 2025-12-29 21:19:50 -05:00			`"${k8s.coredns-manifest}/coredns.yaml"`
Generic secrets for ssh keys. 2025-12-21 22:41:21 -05:00			`./files/manifests/flux_namespace.yaml`
			`./files/manifests/flux.yaml`
			`./files/manifests/flux_instance.yaml`
			`]`
			`++ (lib.attrsets.mapAttrsToList (`
			`secret_name: secret_value: "${secret_value}/${secret_name}.yaml"`
			`) k8s.k8s-secrets-generic)`
Trust flux's ssh key in the yaml git repo. 2025-12-21 23:26:15 -05:00			`++ [`
			`./files/manifests/flux_apply_git.yaml`
			`]`
Generic secrets for ssh keys. 2025-12-21 22:41:21 -05:00			`)`
Move the cluster bootstrap into the keys flake. Bootstrapping the cluster needs access to secrets, so I am moving it into the keys flake. 2025-12-20 23:13:51 -05:00			`);`
			`apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";`
Enable gateway support. 2026-01-04 22:27:00 -05:00			`gateway_crds = [`
			`(builtins.fetchurl {`
			`url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml";`
			`sha256 = "0vf8c3kzlf7p6bf92gmdrzjc22fr2dwkrzvvbnxlsb43knv1nbzl";`
			`})`
			`(builtins.fetchurl {`
			`url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gateways.yaml";`
			`sha256 = "1dqwlsypcb5f37y7x48rrv27yfgkizcx2alqd2nngijl1qzir3wa";`
			`})`
			`(builtins.fetchurl {`
			`url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml";`
			`sha256 = "05llfw6y66438r8kqy7krhyymyalkzxsaxjpa2zxzjk6z5mggbzq";`
			`})`
			`(builtins.fetchurl {`
			`url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml";`
			`sha256 = "0a9q0vhqcazfrni3ajcq8vm2b254vcjbgmkchsdq9l6cbpvx79jd";`
			`})`
			`(builtins.fetchurl {`
			`url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml";`
			`sha256 = "19hwvdwdj0sc5fihdskw492g52ail3kjjzm6vpflvp2vlqam629p";`
			`})`
			`(builtins.fetchurl {`
			`url = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml";`
			`sha256 = "0b5pjihyzyyi4inz3avlkzvvccsynj9wsmx6znld04jmmvwpgxc9";`
			`})`
			`];`
Move the cluster bootstrap into the keys flake. Bootstrapping the cluster needs access to secrets, so I am moving it into the keys flake. 2025-12-20 23:13:51 -05:00			`in`
			`stdenv.mkDerivation (finalAttrs: {`
			`name = "bootstrap-script";`
			`nativeBuildInputs = [ ];`
			`buildInputs = [ ];`

			`unpackPhase = "true";`

			`installPhase = ''`
			`cp ${bootstrap_script} "$out"`
			`'';`
			`})`