machine_setup/nix/kubernetes/keys/package/cilium-manifest/package.nix

# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
  stdenv,
  openssl,
  fetchFromGitHub,
  kubernetes-helm,
  ...
}:
stdenv.mkDerivation (
  finalAttrs:
  let
    version = "1.18.5";
  in
  {
    name = "cilium-manifest";
    nativeBuildInputs = [
      openssl
      kubernetes-helm
    ];
    buildInputs = [ ];

    src = fetchFromGitHub {
      owner = "cilium";
      repo = "cilium";
      tag = "v${version}";
      hash = "sha256-348inOOQ/fgwTYnaSHrQ363xGYnx2UPts3D4ycDRsWE=";
    };

    buildPhase = ''
      helm template --dry-run=client cilium $src/install/kubernetes/cilium --version 1.18.5 --namespace kube-system \
           --set kubeProxyReplacement=true \
           --set ipam.mode=kubernetes \
           --set k8sServiceHost="2620:11f:7001:7:ffff:ffff:ad7:1dd" \
           --set k8sServicePort=6443 \
           --set ipv6.enabled=true \
           --set ipv4.enabled=true \
           --set enableIPv6Masquerade=false \
           --set enableIPv4BIGTCP=false \
           --set enableIPv6BIGTCP=false \
           --set routingMode=native \
           --set ipv4NativeRoutingCIDR=10.0.0.0/8 \
           --set ipv6NativeRoutingCIDR=2620:11f:7001:7:ffff::/96 \
           | tee $NIX_BUILD_TOP/cilium.yaml
    '';

    # --set hostFirewall.enabled=true
    # --set routingMode=native

    # --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \
    # --set 'ipam.operator.clusterPoolIPv6PodCIDRList=["fd00::/100"]' \

    # --set encryption.enabled=true \
    # --set encryption.type=wireguard
    # --set encryption.nodeEncryption=true

    installPhase = ''
      mkdir -p "$out"
      cp $NIX_BUILD_TOP/cilium.yaml $out/
    '';
  }
)
Build the cilium manifest automatically in nix. 2025-12-29 19:11:55 -05:00			`# unpackPhase`
			`# patchPhase`
			`# configurePhase`
			`# buildPhase`
			`# checkPhase`
			`# installPhase`
			`# fixupPhase`
			`# installCheckPhase`
			`# distPhase`
			`{`
			`stdenv,`
			`openssl,`
			`fetchFromGitHub,`
			`kubernetes-helm,`
			`...`
			`}:`
			`stdenv.mkDerivation (`
			`finalAttrs:`
			`let`
			`version = "1.18.5";`
			`in`
			`{`
			`name = "cilium-manifest";`
			`nativeBuildInputs = [`
			`openssl`
			`kubernetes-helm`
			`];`
			`buildInputs = [ ];`

			`src = fetchFromGitHub {`
			`owner = "cilium";`
			`repo = "cilium";`
			`tag = "v${version}";`
			`hash = "sha256-348inOOQ/fgwTYnaSHrQ363xGYnx2UPts3D4ycDRsWE=";`
			`};`

			`buildPhase = ''`
			`helm template --dry-run=client cilium $src/install/kubernetes/cilium --version 1.18.5 --namespace kube-system \`
			`--set kubeProxyReplacement=true \`
			`--set ipam.mode=kubernetes \`
			`--set k8sServiceHost="2620:11f:7001:7:ffff:ffff:ad7:1dd" \`
			`--set k8sServicePort=6443 \`
			`--set ipv6.enabled=true \`
			`--set ipv4.enabled=true \`
			`--set enableIPv6Masquerade=false \`
Enable native routing. 2025-12-29 20:45:01 -05:00			`--set enableIPv4BIGTCP=false \`
			`--set enableIPv6BIGTCP=false \`
			`--set routingMode=native \`
			`--set ipv4NativeRoutingCIDR=10.0.0.0/8 \`
			`--set ipv6NativeRoutingCIDR=2620:11f:7001:7:ffff::/96 \`
Build the cilium manifest automatically in nix. 2025-12-29 19:11:55 -05:00			`\| tee $NIX_BUILD_TOP/cilium.yaml`
			`'';`

			`# --set hostFirewall.enabled=true`
			`# --set routingMode=native`

			`# --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \`
			`# --set 'ipam.operator.clusterPoolIPv6PodCIDRList=["fd00::/100"]' \`

			`# --set encryption.enabled=true \`
			`# --set encryption.type=wireguard`
			`# --set encryption.nodeEncryption=true`

			`installPhase = ''`
			`mkdir -p "$out"`
			`cp $NIX_BUILD_TOP/cilium.yaml $out/`
			`'';`
			`}`
			`)`