From 144b39dfdd11acd94a37a27bff2f9301054c0625 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 21 Dec 2025 00:01:57 -0500
Subject: [PATCH] Generate ssh keys for flux bootstrap.
---
 .../keys/package/k8s-keys/package.nix | 3 +-
 .../keys/package/ssh-key/package.nix | 33 +++++++++++++++++++
 nix/kubernetes/keys/scope.nix | 5 +++
 3 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 nix/kubernetes/keys/package/ssh-key/package.nix
diff --git a/nix/kubernetes/keys/package/k8s-keys/package.nix b/nix/kubernetes/keys/package/k8s-keys/package.nix
index 05bc44e7..f6e5efb6 100644
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@@ -10,5 +10,6 @@ symlinkJoin {
 k8s.encryption_config
 ]
 ++ (builtins.attrValues k8s.keys)
- ++ (builtins.attrValues k8s.client-configs);
+ ++ (builtins.attrValues k8s.client-configs)
+ ++ (builtins.attrValues k8s.ssh-keys);
 }
diff --git a/nix/kubernetes/keys/package/ssh-key/package.nix b/nix/kubernetes/keys/package/ssh-key/package.nix
new file mode 100644
index 00000000..01a23669
--- /dev/null
+++ b/nix/kubernetes/keys/package/ssh-key/package.nix
@@ -0,0 +1,33 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+ lib,
+ stdenv,
+ k8s,
+ openssh,
+ key_name,
+ ...
+}:
+stdenv.mkDerivation (finalAttrs: {
+ name = "ssh-key-${key_name}";
+ nativeBuildInputs = [ openssh ];
+ buildInputs = [ ];
+
+ unpackPhase = "true";
+
+ buildPhase = ''
+ ssh-keygen -t ed25519 -f ${key_name} -N ""
+ '';
+
+ installPhase = ''
+ mkdir "$out"
+ cp "${key_name}" "${key_name}.pub" $out/
+ '';
+})
diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index e36cde16..ae62bd26 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
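Review bot: Appending `k8s.ssh-keys` to the list joined in nix/kubernetes/keys/package/k8s-keys/package.nix puts the Flux private key `flux_ssh_key` in the same flat output as the TLS keys and client configs, so anything that copies the joined output wholesale now also receives the deploy key. If only the Flux bootstrap step needs the private half, which seems likely but is not visible here, keep the ssh keys out of this join and reference `k8s.ssh-keys.flux_ssh_key` directly where Flux is bootstrapped. At minimum add a comment above the new line, for example `# includes the Flux SSH private key; do not distribute this output wholesale`. The `symlinkJoin` call starts outside the hunk.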
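Review bot: The `installPhase` in nix/kubernetes/keys/package/ssh-key/package.nix copies the unencrypted private key (generated with `-N ""`) into `$out`, and Nix store paths are readable by every local user and by anyone who can fetch the path if the closure is ever pushed to a binary cache. The key is also created with fresh randomness on every rebuild, so the deploy key registered for Flux changes whenever the output is garbage-collected or built on another machine. If keeping the key in the store is intended, state that in a comment at the top of the file and add `preferLocalBuild = true;` and `allowSubstitutes = false;` so the build stays on the local machine; otherwise generate the key outside the store and pass only the `.pub` file through Nix. Passing `-C "${key_name}"` to `ssh-keygen` would give the public key a stable comment instead of the build user and host. `lib`, `k8s` and `finalAttrs` are unused in this file.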
@@ -96,6 +96,11 @@ makeScope newScope (
 "service-accounts"
 ] (key_name: (callPackage ./package/tls-key/package.nix (additional_vars // { inherit key_name; })))
 );
+ ssh-keys = (
+ lib.genAttrs [
+ "flux_ssh_key"
+ ] (key_name: (callPackage ./package/ssh-key/package.nix (additional_vars // { inherit key_name; })))
+ );
 client-configs = (
 builtins.mapAttrs (