nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix

{
  lib,
  k8s,
  callPackage,
  runCommand,
  symlinkJoin,
  ...
}:
let
  pre_encryption_secrets =
    builtins.mapAttrs
      (
        secret_namespace: secrets:
        (builtins.mapAttrs (
          secret_name: secret_values:
          (callPackage ../../package/k8s-secret-generic/package.nix {
            inherit secret_name secret_namespace secret_values;
          })
        ) secrets)
      )
      {
        "external-dns" = {
          "rfc2136" = {
            "EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (
              builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"
            );
          };
        };
        "cert-manager" = {
          "rfc2136" = {
            "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
          };
        };
      };
  encrypted_secrets = (
    builtins.mapAttrs (
      secret_namespace: secrets:
      (builtins.mapAttrs (
        secret_name: secret_package:
        (callPackage ../../package/k8s-secret-encrypted/package.nix {
          source_file = "${
            pre_encryption_secrets."${secret_namespace}"."${secret_name}"
          }/${secret_name}.yaml";
          output_filename = "${secret_name}.yaml";
          pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";
        })
      ) secrets)
    ) pre_encryption_secrets
  );
  combined_script = (
    lib.concatMapStringsSep "\n" (
      secret_namespace:
      ''
        mkdir -p $out/${secret_namespace}
      ''
      + (lib.concatMapStringsSep "\n" (secret_name: ''
        cat ${
          encrypted_secrets."${secret_namespace}"."${secret_name}"
        }/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml
      '') (builtins.attrNames encrypted_secrets."${secret_namespace}"))
    ) (builtins.attrNames encrypted_secrets)
  );
  gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;
in
symlinkJoin {
  name = "in-repo-secrets";
  paths = [
    gen_in_repo_secrets
  ];
}
Add generation for in-repo secrets. 2026-03-19 18:16:20 -04:00			`{`
			`lib,`
			`k8s,`
			`callPackage,`
			`runCommand,`
			`symlinkJoin,`
			`...`
			`}:`
			`let`
			`pre_encryption_secrets =`
			`builtins.mapAttrs`
			`(`
			`secret_namespace: secrets:`
			`(builtins.mapAttrs (`
			`secret_name: secret_values:`
			`(callPackage ../../package/k8s-secret-generic/package.nix {`
			`inherit secret_name secret_namespace secret_values;`
			`})`
			`) secrets)`
			`)`
			`{`
			`"external-dns" = {`
			`"rfc2136" = {`
			`"EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (`
			`builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"`
			`);`
			`};`
			`};`
			`"cert-manager" = {`
			`"rfc2136" = {`
			`"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");`
			`};`
			`};`
			`};`
			`encrypted_secrets = (`
			`builtins.mapAttrs (`
			`secret_namespace: secrets:`
			`(builtins.mapAttrs (`
			`secret_name: secret_package:`
			`(callPackage ../../package/k8s-secret-encrypted/package.nix {`
			`source_file = "${`
			`pre_encryption_secrets."${secret_namespace}"."${secret_name}"`
			`}/${secret_name}.yaml";`
			`output_filename = "${secret_name}.yaml";`
			`pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";`
			`})`
			`) secrets)`
			`) pre_encryption_secrets`
			`);`
			`combined_script = (`
			`lib.concatMapStringsSep "\n" (`
			`secret_namespace:`
			`''`
			`mkdir -p $out/${secret_namespace}`
			`''`
			`+ (lib.concatMapStringsSep "\n" (secret_name: ''`
			`cat ${`
			`encrypted_secrets."${secret_namespace}"."${secret_name}"`
			`}/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml`
			`'') (builtins.attrNames encrypted_secrets."${secret_namespace}"))`
			`) (builtins.attrNames encrypted_secrets)`
			`);`
			`gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;`
			`in`
			`symlinkJoin {`
			`name = "in-repo-secrets";`
			`paths = [`
			`gen_in_repo_secrets`
			`];`
			`}`