machine_setup/nix/kubernetes/keys/package/k8s-encryption-key/package.nix

# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
  pkgs,
  stdenv,
  runCommand,
  ...
}:
let
  to_yaml_file = ((import ../../../functions/to_yaml.nix) {inherit pkgs;}).to_yaml_file;
  kube_encryption_key = runCommand "kube_encryption_key" { } ''
    head -c 32 /dev/urandom | base64 | tee $out
  '';
  kube_encryption_config = {
    kind = "EncryptionConfig";
    apiVersion = "v1";
    resources = [
      {
        resources = [ "secrets" ];
        providers = [
          {
            aescbc = {
              keys = [
                {
                  name = "key1";
                  secret = (builtins.readFile "${kube_encryption_key}");
                }
              ];
            };
          }
          { identity = { }; }
        ];
      }
    ];
  };
  kube_encryption_config_yaml = (to_yaml_file "encryption-config.yaml" kube_encryption_config);
in
stdenv.mkDerivation (finalAttrs: {
  name = "k8s-encryption-key";
  nativeBuildInputs = [ ];
  buildInputs = [ ];

  unpackPhase = "true";

  installPhase = ''
    mkdir "$out"
    cp "${kube_encryption_config_yaml}" $out/encryption-config.yaml
  '';
})
Move the encryption config into a package. 2025-12-14 20:28:48 -05:00			`# unpackPhase`
			`# patchPhase`
			`# configurePhase`
			`# buildPhase`
			`# checkPhase`
			`# installPhase`
			`# fixupPhase`
			`# installCheckPhase`
			`# distPhase`
			`{`
Introduce functions to generate yaml. The toYAML function is just an alias to toJSON which is technically fine since YAML is a superset of JSON, but these new functions will generate actual YAML. 2025-12-27 21:03:25 -05:00			`pkgs,`
Move the encryption config into a package. 2025-12-14 20:28:48 -05:00			`stdenv,`
			`runCommand,`
			`...`
			`}:`
			`let`
Move the yaml functions to their own file. 2025-12-27 21:15:00 -05:00			`to_yaml_file = ((import ../../../functions/to_yaml.nix) {inherit pkgs;}).to_yaml_file;`
Move the encryption config into a package. 2025-12-14 20:28:48 -05:00			`kube_encryption_key = runCommand "kube_encryption_key" { } ''`
			`head -c 32 /dev/urandom \| base64 \| tee $out`
			`'';`
			`kube_encryption_config = {`
			`kind = "EncryptionConfig";`
			`apiVersion = "v1";`
			`resources = [`
			`{`
			`resources = [ "secrets" ];`
			`providers = [`
			`{`
			`aescbc = {`
			`keys = [`
			`{`
			`name = "key1";`
			`secret = (builtins.readFile "${kube_encryption_key}");`
			`}`
			`];`
			`};`
			`}`
			`{ identity = { }; }`
			`];`
			`}`
			`];`
			`};`
Introduce functions to generate yaml. The toYAML function is just an alias to toJSON which is technically fine since YAML is a superset of JSON, but these new functions will generate actual YAML. 2025-12-27 21:03:25 -05:00			`kube_encryption_config_yaml = (to_yaml_file "encryption-config.yaml" kube_encryption_config);`
Move the encryption config into a package. 2025-12-14 20:28:48 -05:00			`in`
			`stdenv.mkDerivation (finalAttrs: {`
			`name = "k8s-encryption-key";`
			`nativeBuildInputs = [ ];`
			`buildInputs = [ ];`

			`unpackPhase = "true";`

			`installPhase = ''`
			`mkdir "$out"`
			`cp "${kube_encryption_config_yaml}" $out/encryption-config.yaml`
			`'';`
			`})`