From 1c2adb54ac7ff3cb1683a91482e9a8d3c05be786 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 26 Apr 2026 09:11:35 -0400
Subject: [PATCH] Add harbor secrets.

---
 .../keys/package/deploy-script/package.nix | 6 +++
 .../mrmanager-repo-secrets/package.nix | 41 +++++++++++++++++--
 2 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/nix/kubernetes/keys/package/deploy-script/package.nix b/nix/kubernetes/keys/package/deploy-script/package.nix
index 11db1500..f3d84ce2 100644
--- a/nix/kubernetes/keys/package/deploy-script/package.nix
+++ b/nix/kubernetes/keys/package/deploy-script/package.nix
@@ -60,6 +60,12 @@ let
 group = "26";
 mode = "0777";
 }
+ {
+ path = "manual-pv/harbor-psql";
+ owner = "26";
+ group = "26";
+ mode = "0755";
+ }
 # {
 # path = "manual-pv/gitea";
 # owner = "1000";
diff --git a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
index 5824a1ca..a97fcb50 100644
--- a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
+++ b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
@@ -44,6 +44,21 @@ let
 };
 "oauth2-env" = oauth2_env { dex_id = "gitea"; };
 };
+ "harbor" = {
+ "harbor-config" = {
+ "config.json" = helm_json_escape harbor_config_json;
+ };
+ "dockerhub-auth-config" = {
+ "basic_auth.include" = (
+ builtins.readFile "${./secrets/harbor/dockerhub-auth-config/basic_auth.include}"
+ );
+ };
+ "harbor-admin-password" = {
+ "HARBOR_ADMIN_PASSWORD" = (
+ builtins.readFile "${./secrets/harbor/harbor-admin-password/HARBOR_ADMIN_PASSWORD}"
+ );
+ };
+ };
 };
 encrypted_secrets = (
 builtins.mapAttrs (
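Review bot: `mode = "0755"` on the new `manual-pv/harbor-psql` entry leaves the database directory readable and traversable by every other uid on the node, and if this path is handed to PostgreSQL as its data directory the server itself refuses to start on anything looser than `0700` or `0750` (the neighbouring `0777` entry is pre-existing and not part of this change). With owner and group already pinned to `26`, `mode = "0700";` is the safe default, and `0750` is the most permissive value postgres accepts should a sidecar in the same group need to read it. The list of directory entries this is inserted into starts and ends outside the hunk, so I cannot see whether a comment at its head documents the expected mode per volume; one would help here, e.g. `# PGDATA volume: postgres requires 0700/0750, anything wider is rejected at startup`.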
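Review bot: The two `builtins.readFile "${./secrets/harbor/...}"` calls interpolate a path into a string, which in Nix copies the plaintext secret file into the world-readable Nix store before it is read; pass the path directly instead, `builtins.readFile ./secrets/harbor/harbor-admin-password/HARBOR_ADMIN_PASSWORD` and `builtins.readFile ./secrets/harbor/dockerhub-auth-config/basic_auth.include`, so only the evaluator sees the bytes (if this repository is evaluated as a flake the checkout is already in the store, but the explicit copy is still unnecessary). `config.json` is `helm_json_escape harbor_config_json`, and since `harbor_config_json` is already `builtins.toJSON harbor_config` further down this file, the secret ends up holding a JSON string literal that contains the document rather than the document; confirm that the consumer really wants a quoted string under a key named `config.json`. A one-line comment on the `"harbor"` attrset naming the Kubernetes secrets these become, matching the existing entries, would help too. The enclosing attrset begins before this hunk.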
@@ -86,8 +101,14 @@ let
 dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
 ''
 );
+ helm_json_escape = json: builtins.toJSON json;
 ## dex
+ get_dex_config =
+ client_id:
+ (builtins.head (
+ builtins.filter (static_client: static_client.id == client_id) dex_config.staticClients
+ ));
 dex_static_client =
 {
 id,
@@ -156,12 +177,24 @@ let
 oauth2_env =
 { dex_id }:
 {
- "OAUTH2_PROXY_CLIENT_SECRET" =
- (builtins.head (
- builtins.filter (static_client: static_client.id == dex_id) dex_config.staticClients
- )).secret;
+ "OAUTH2_PROXY_CLIENT_SECRET" = (get_dex_config dex_id).secret;
 "OAUTH2_PROXY_COOKIE_SECRET" = generate_key 32 "OAUTH2_PROXY_COOKIE_SECRET ${dex_id}";
 };
+
+ ## harbor
+ harbor_dex_config = get_dex_config "harbor";
+ harbor_config = {
+ "auth_mode" = "oidc_auth";
+ "self_registration" = "false";
+ "oidc_name" = "harbor";
+ "oidc_endpoint" = "https://dex.fizz.buzz";
+ "oidc_client_id" = harbor_dex_config.id;
+ "oidc_client_secret" = harbor_dex_config.secret;
+ "oidc_admin_group" = "TODO";
+ "oidc_scope" = "openid,profile,email,offline_access,groups";
+ };
+ # harbor_config_json = pkgs.writeText "config.json" (builtins.toJSON harbor_config);
+ harbor_config_json = builtins.toJSON harbor_config;
 in
 symlinkJoin {
 name = "in-repo-secrets";
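Review bot: `helm_json_escape` is plain `builtins.toJSON` under a name that promises Helm-specific escaping, and its only caller feeds it a value that is already a JSON string, so it serialises a document into a quoted string literal; if that wrapping is the point, say so where it is defined, e.g. `# Quote an already-serialized value as a JSON string literal for embedding in a Helm values field`, and if it is not, one of the two `toJSON` calls should go. `get_dex_config` also dies with an opaque `builtins.head` error when no static client has the requested id, which is the failure mode a typo in `get_dex_config "harbor"` will hit; a named error is cheap, e.g. `let matches = builtins.filter (c: c.id == client_id) dex_config.staticClients; in if matches == [ ] then throw "no dex static client with id ${client_id}" else builtins.head matches`.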
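Review bot: `"oidc_admin_group" = "TODO"` is a live placeholder, not an inert one: with `auth_mode = "oidc_auth"` and `groups` requested in `oidc_scope`, any identity whose groups claim contains the literal string `TODO` is granted Harbor system administrator, so until the real group is chosen set `"oidc_admin_group" = "";` (no group maps to admin) rather than a name that could be matched by accident. The boolean-valued settings are written as strings (`"self_registration" = "false"`), which Harbor's overwrite config appears to accept but is worth confirming against the deployed version. The commented-out `pkgs.writeText` line is dead code and should be dropped rather than shipped alongside the live definition.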