Add harbor secrets.

Tom Alexander
2026-04-26 09:11:35 -04:00
parent 5e0ac767a6
commit 26b885c557
2 changed files with 43 additions and 4 deletions


@@ -60,6 +60,12 @@ let
group = "26"; group = "26";
mode = "0777"; mode = "0777";
} }
{
path = "manual-pv/harbor-psql";
owner = "26";
group = "26";
mode = "0755";
}
# { # {
# path = "manual-pv/gitea"; # path = "manual-pv/gitea";
# owner = "1000"; # owner = "1000";


@@ -44,6 +44,21 @@ let
}; };
"oauth2-env" = oauth2_env { dex_id = "gitea"; }; "oauth2-env" = oauth2_env { dex_id = "gitea"; };
}; };
"harbor" = {
"harbor-config" = {
"config.json" = helm_json_escape harbor_config_json;
};
"dockerhub-auth-config" = {
"basic_auth.include" = (
builtins.readFile "${./secrets/harbor/dockerhub-auth-config/basic_auth.include}"
);
};
"harbor-admin-password" = {
"HARBOR_ADMIN_PASSWORD" = (
builtins.readFile "${./secrets/harbor/harbor-admin-password/HARBOR_ADMIN_PASSWORD}"
);
};
};
}; };
encrypted_secrets = ( encrypted_secrets = (
builtins.mapAttrs ( builtins.mapAttrs (
@@ -86,8 +101,14 @@ let
dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out" dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
'' ''
); );
helm_json_escape = json: builtins.toJSON json;
## dex ## dex
get_dex_config =
client_id:
(builtins.head (
builtins.filter (static_client: static_client.id == client_id) dex_config.staticClients
));
dex_static_client = dex_static_client =
{ {
id, id,
@@ -156,12 +177,24 @@ let
oauth2_env = oauth2_env =
{ dex_id }: { dex_id }:
{ {
"OAUTH2_PROXY_CLIENT_SECRET" = "OAUTH2_PROXY_CLIENT_SECRET" = (get_dex_config dex_id).secret;
(builtins.head (
builtins.filter (static_client: static_client.id == dex_id) dex_config.staticClients
)).secret;
"OAUTH2_PROXY_COOKIE_SECRET" = generate_key 32 "OAUTH2_PROXY_COOKIE_SECRET ${dex_id}"; "OAUTH2_PROXY_COOKIE_SECRET" = generate_key 32 "OAUTH2_PROXY_COOKIE_SECRET ${dex_id}";
}; };
## harbor
harbor_dex_config = get_dex_config "harbor";
harbor_config = {
"auth_mode" = "oidc_auth";
"self_registration" = "false";
"oidc_name" = "harbor";
"oidc_endpoint" = "https://dex.fizz.buzz";
"oidc_client_id" = harbor_dex_config.id;
"oidc_client_secret" = harbor_dex_config.secret;
"oidc_admin_group" = "TODO";
"oidc_scope" = "openid,profile,email,offline_access,groups";
};
# harbor_config_json = pkgs.writeText "config.json" (builtins.toJSON harbor_config);
harbor_config_json = builtins.toJSON harbor_config;
in in
symlinkJoin { symlinkJoin {
name = "in-repo-secrets"; name = "in-repo-secrets";
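Review bot: The two `builtins.readFile "${./secrets/harbor/...}"` calls interpolate a path into a string, which in Nix copies the raw, unencrypted secret file into the Nix store before it is read, so the plaintext ends up under a world-readable store path even if `encrypted_secrets` later encrypts the value; `builtins.readFile ./secrets/harbor/harbor-admin-password/HARBOR_ADMIN_PASSWORD` (no interpolation) reads the file without that copy, though on a flake-based evaluation the source tree is in the store regardless. Separately, `"oidc_admin_group" = "TODO";` is a live value rather than a disabled one: with `auth_mode = "oidc_auth"` any Dex identity carrying a group literally named `TODO` would be granted Harbor system-admin, so it is safer to leave it as `""` until the real group is chosen and to mark it with a comment such as `# TODO(harbor): set the Dex group that should receive Harbor admin`. Note also that `readFile` keeps a trailing newline, so if the `HARBOR_ADMIN_PASSWORD` file ends with one the password injected via the env secret will contain it — strip it at read time, e.g. with `lib.fileContents` if `lib` is in scope here.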