machine_setup/nix/kubernetes/keys/package/deploy-script/package.nix

# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
  lib,
  stdenv,
  writeShellScript,
  k8s,
  openssh,
  ...
}:
let
  deploy_script_body = (
    ''
      set -euo pipefail
      IFS=$'\n\t'
      DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
    ''
    + (lib.concatMapStringsSep "\n" deploy_machine [
      "nc0"
      "nc1"
      "nc2"
    ])
  );
  deploy_script = (writeShellScript "deploy-script" deploy_script_body);
  deploy_file = (
    {
      dest_dir,
      file,
      name ? (builtins.baseNameOf file),
      owner,
      group,
      mode,
    }:
    ''
      ##
      ## deploy ${name} to ${dest_dir}
      ##
      ${openssh}/bin/ssh mrmanager doas rm -f ${dest_dir}/${name} ~/${name}
      ${openssh}/bin/scp ${file} mrmanager:~/${name}
      ${openssh}/bin/ssh mrmanager doas install -o ${toString owner} -g ${toString group} -m ${mode} ~/${name} ${dest_dir}/${name}
      ${openssh}/bin/ssh mrmanager doas rm -f ~/${name}


    ''
  );
  deploy_machine = (
    vm_name:
    (
      ''
        ##
        ## Create directories on ${vm_name}
        ##
        ${openssh}/bin/ssh mrmanager doas install -d -o 11235 -g 11235 -m 0755 /vm/${vm_name}/persist/keys
        ${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
        ${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube


      ''
      + (lib.concatMapStringsSep "\n" deploy_file [
        {
          dest_dir = "/vm/${vm_name}/persist/keys/etcd";
          file = "${k8s.keys.kube-api-server}/kube-api-server.crt";
          owner = 10016;
          group = 10016;
          mode = "0640";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/etcd";
          file = "${k8s.keys.kube-api-server}/kube-api-server.key";
          owner = 10016;
          group = 10016;
          mode = "0600";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/etcd";
          file = "${k8s.ca}/ca.crt";
          owner = 10016;
          group = 10016;
          mode = "0640";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/kube";
          file = "${k8s.ca}/ca.crt";
          owner = 10024;
          group = 10024;
          mode = "0640";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/kube";
          file = "${k8s.ca}/ca.key";
          owner = 10024;
          group = 10024;
          mode = "0600";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/kube";
          file = "${k8s.keys.kube-api-server}/kube-api-server.crt";
          owner = 10024;
          group = 10024;
          mode = "0640";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/kube";
          file = "${k8s.keys.kube-api-server}/kube-api-server.key";
          owner = 10024;
          group = 10024;
          mode = "0600";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/kube";
          file = "${k8s.encryption_config}/encryption-config.yaml";
          name = "encryption-config.yaml";
          owner = 10024;
          group = 10024;
          mode = "0600";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/kube";
          file = "${k8s.keys.service-accounts}/service-accounts.crt";
          owner = 10024;
          group = 10024;
          mode = "0640";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/kube";
          file = "${k8s.keys.service-accounts}/service-accounts.key";
          owner = 10024;
          group = 10024;
          mode = "0600";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/kube";
          file = "${k8s.client-configs.kube-controller-manager}/kube-controller-manager.kubeconfig";
          owner = 10024;
          group = 10024;
          mode = "0600";
        }
        {
          dest_dir = "/vm/${vm_name}/persist/keys/kube";
          file = "${k8s.client-configs.kube-scheduler}/kube-scheduler.kubeconfig";
          owner = 10024;
          group = 10024;
          mode = "0600";
        }
      ])
    )
  );
in
stdenv.mkDerivation (finalAttrs: {
  name = "deploy-script";
  nativeBuildInputs = [ ];
  buildInputs = [ ];

  unpackPhase = "true";

  installPhase = ''
    cp ${deploy_script} "$out"
  '';
})
Add requestheader-client-ca. 2025-12-14 13:44:56 -05:00			`# unpackPhase`
			`# patchPhase`
			`# configurePhase`
			`# buildPhase`
			`# checkPhase`
			`# installPhase`
			`# fixupPhase`
			`# installCheckPhase`
			`# distPhase`
			`{`
Move the encryption config into a package. 2025-12-14 20:28:48 -05:00			`lib,`
Add requestheader-client-ca. 2025-12-14 13:44:56 -05:00			`stdenv,`
Switch to generating certs with openssl. 2025-12-14 18:24:24 -05:00			`writeShellScript,`
Add requestheader-client-ca. 2025-12-14 13:44:56 -05:00			`k8s,`
Move the encryption config into a package. 2025-12-14 20:28:48 -05:00			`openssh,`
Add requestheader-client-ca. 2025-12-14 13:44:56 -05:00			`...`
			`}:`
Switch to generating certs with openssl. 2025-12-14 18:24:24 -05:00			`let`
Move the encryption config into a package. 2025-12-14 20:28:48 -05:00			`deploy_script_body = (`
			`''`
			`set -euo pipefail`
			`IFS=$'\n\t'`
			`DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"`
			`''`
			`+ (lib.concatMapStringsSep "\n" deploy_machine [`
			`"nc0"`
			`"nc1"`
			`"nc2"`
			`])`
			`);`
Switch to generating certs with openssl. 2025-12-14 18:24:24 -05:00			`deploy_script = (writeShellScript "deploy-script" deploy_script_body);`
Move the encryption config into a package. 2025-12-14 20:28:48 -05:00			`deploy_file = (`
			`{`
			`dest_dir,`
			`file,`
			`name ? (builtins.baseNameOf file),`
			`owner,`
			`group,`
			`mode,`
			`}:`
			`''`
			`##`
			`## deploy ${name} to ${dest_dir}`
			`##`
			`${openssh}/bin/ssh mrmanager doas rm -f ${dest_dir}/${name} ~/${name}`
			`${openssh}/bin/scp ${file} mrmanager:~/${name}`
			`${openssh}/bin/ssh mrmanager doas install -o ${toString owner} -g ${toString group} -m ${mode} ~/${name} ${dest_dir}/${name}`
			`${openssh}/bin/ssh mrmanager doas rm -f ~/${name}`


			`''`
			`);`
			`deploy_machine = (`
			`vm_name:`
			`(`
			`''`
			`##`
			`## Create directories on ${vm_name}`
			`##`
			`${openssh}/bin/ssh mrmanager doas install -d -o 11235 -g 11235 -m 0755 /vm/${vm_name}/persist/keys`
			`${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd`
			`${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube`


			`''`
			`+ (lib.concatMapStringsSep "\n" deploy_file [`
			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/etcd";`
			`file = "${k8s.keys.kube-api-server}/kube-api-server.crt";`
			`owner = 10016;`
			`group = 10016;`
			`mode = "0640";`
			`}`
			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/etcd";`
			`file = "${k8s.keys.kube-api-server}/kube-api-server.key";`
			`owner = 10016;`
			`group = 10016;`
			`mode = "0600";`
			`}`
			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/etcd";`
			`file = "${k8s.ca}/ca.crt";`
			`owner = 10016;`
			`group = 10016;`
			`mode = "0640";`
			`}`
Fix launching kube-apiserver. 2025-12-14 23:24:23 -05:00			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/kube";`
			`file = "${k8s.ca}/ca.crt";`
			`owner = 10024;`
			`group = 10024;`
			`mode = "0640";`
			`}`
Add kube-controller-manager. 2025-12-15 19:47:35 -05:00			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/kube";`
			`file = "${k8s.ca}/ca.key";`
			`owner = 10024;`
			`group = 10024;`
			`mode = "0600";`
			`}`
Fix launching kube-apiserver. 2025-12-14 23:24:23 -05:00			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/kube";`
			`file = "${k8s.keys.kube-api-server}/kube-api-server.crt";`
			`owner = 10024;`
			`group = 10024;`
			`mode = "0640";`
			`}`
			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/kube";`
			`file = "${k8s.keys.kube-api-server}/kube-api-server.key";`
			`owner = 10024;`
			`group = 10024;`
			`mode = "0600";`
			`}`
			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/kube";`
			`file = "${k8s.encryption_config}/encryption-config.yaml";`
			`name = "encryption-config.yaml";`
			`owner = 10024;`
			`group = 10024;`
			`mode = "0600";`
			`}`
			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/kube";`
			`file = "${k8s.keys.service-accounts}/service-accounts.crt";`
			`owner = 10024;`
			`group = 10024;`
			`mode = "0640";`
			`}`
			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/kube";`
			`file = "${k8s.keys.service-accounts}/service-accounts.key";`
			`owner = 10024;`
			`group = 10024;`
			`mode = "0600";`
			`}`
Add kube-controller-manager. 2025-12-15 19:47:35 -05:00			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/kube";`
			`file = "${k8s.client-configs.kube-controller-manager}/kube-controller-manager.kubeconfig";`
			`owner = 10024;`
			`group = 10024;`
			`mode = "0600";`
			`}`
Add kube-scheduler. 2025-12-15 20:09:46 -05:00			`{`
			`dest_dir = "/vm/${vm_name}/persist/keys/kube";`
			`file = "${k8s.client-configs.kube-scheduler}/kube-scheduler.kubeconfig";`
			`owner = 10024;`
			`group = 10024;`
			`mode = "0600";`
			`}`
Move the encryption config into a package. 2025-12-14 20:28:48 -05:00			`])`
			`)`
			`);`
Switch to generating certs with openssl. 2025-12-14 18:24:24 -05:00			`in`
Add requestheader-client-ca. 2025-12-14 13:44:56 -05:00			`stdenv.mkDerivation (finalAttrs: {`
Switch to generating certs with openssl. 2025-12-14 18:24:24 -05:00			`name = "deploy-script";`
			`nativeBuildInputs = [ ];`
Add requestheader-client-ca. 2025-12-14 13:44:56 -05:00			`buildInputs = [ ];`

			`unpackPhase = "true";`

			`installPhase = ''`
Switch to generating certs with openssl. 2025-12-14 18:24:24 -05:00			`cp ${deploy_script} "$out"`
Add requestheader-client-ca. 2025-12-14 13:44:56 -05:00			`'';`
			`})`