diff --git a/nix/kubernetes/keys/package/k8s-keys/package.nix b/nix/kubernetes/keys/package/k8s-keys/package.nix
index f6e5efb6..13def7e7 100644
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@@ -11,5 +11,6 @@ symlinkJoin {
   ] ++ (builtins.attrValues k8s.keys)
   ++ (builtins.attrValues k8s.client-configs)
-  ++ (builtins.attrValues k8s.ssh-keys);
+  ++ (builtins.attrValues k8s.ssh-keys)
+  ++ (builtins.attrValues k8s.pgp-keys);
 }
diff --git a/nix/kubernetes/keys/package/pgp-key/package.nix b/nix/kubernetes/keys/package/pgp-key/package.nix
new file mode 100644
index 00000000..fa69f128
--- /dev/null
+++ b/nix/kubernetes/keys/package/pgp-key/package.nix
@@ -0,0 +1,50 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  stdenv,
+  gnupg,
+  key_name,
+  expire_date ? "0",
+  pgp_comment ? "${key_name}",
+  pgp_name ? "${key_name}",
+  ...
+}:
+stdenv.mkDerivation (finalAttrs: {
+  name = "pgp-key-${key_name}";
+  nativeBuildInputs = [ gnupg ];
+  buildInputs = [ ];
+
+  unpackPhase = "true";
+
+  buildPhase = ''
+    mkdir keyring
+    export GNUPGHOME=$(readlink -f keyring)
+
+    gpg --batch --full-generate-key < "$out/${key_name}_private_key.asc"
+    gpg --export --armor "${pgp_name}" > "$out/${key_name}_public_key.asc"
+  '';
+})
diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index ae62bd26..5f331528 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
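Review bot: The private key exported to `$out/${key_name}_private_key.asc` in buildPhase ends up in the Nix store, which is readable by every local user and, if this host pushes to a binary cache or serves as a substituter, is distributed along with the rest of the closure, so that file cannot be treated as a secret once it is a store path. Key generation also runs inside an ordinary (non-fixed-output) derivation, so any change to the inputs rebuilds it and silently yields a different key pair; the derivation is inherently non-reproducible and should say so in a header comment. The heredoc between `--full-generate-key <` and the redirect appears garbled in this view, so whether `expire_date`, `pgp_comment` and a passphrase/`%no-protection` setting are actually applied cannot be confirmed from the hunk. Consider generating the key pair outside the store (on the target host, or through the secrets tooling the "flux sops" key in scope.nix suggests the repo already uses) and keeping only `${key_name}_public_key.asc` as a store artifact, with a comment such as `# NOTE: everything written to $out is public; never emit private key material here`. Separately, `pgp_name` and `pgp_comment` are spliced into the shell script unescaped; `"flux sops"` is harmless, but a value containing a double quote would break the gpg invocation, so wrapping them with `lib.escapeShellArg` (adding `lib` to the argument set) would be safer.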
@@ -101,6 +101,19 @@ makeScope newScope (
         "flux_ssh_key"
       ]
       (key_name: (callPackage ./package/ssh-key/package.nix (additional_vars // { inherit key_name; })))
   );
+  pgp-keys = (
+    builtins.mapAttrs
+      (
+        key_name: key_config:
+        (callPackage ./package/pgp-key/package.nix (additional_vars // { inherit key_name; } // key_config))
+      )
+      {
+        "flux_gpg" = {
+          pgp_comment = "flux secrets";
+          pgp_name = "flux sops";
+        };
+      }
+  );
   client-configs = (
     builtins.mapAttrs
       (