Generate pgp keys for sops.

2025-12-21 14:17:31 -05:00 · 2025-12-21 14:17:31 -05:00 · 3affee9007
commit 3affee9007
parent 144b39dfdd
3 changed files with 65 additions and 1 deletions
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@ -11,5 +11,6 @@ symlinkJoin {
  ]
  ++ (builtins.attrValues k8s.keys)
  ++ (builtins.attrValues k8s.client-configs)
-  ++ (builtins.attrValues k8s.ssh-keys);
+  ++ (builtins.attrValues k8s.ssh-keys)
  ++ (builtins.attrValues k8s.pgp-keys);
 }
--- a/nix/kubernetes/keys/package/pgp-key/package.nix
+++ b/nix/kubernetes/keys/package/pgp-key/package.nix
@ -0,0 +1,50 @@
 # unpackPhase
 # patchPhase
 # configurePhase
 # buildPhase
 # checkPhase
 # installPhase
 # fixupPhase
 # installCheckPhase
 # distPhase
 {
  stdenv,
  gnupg,
  key_name,
  expire_date ? "0",
  pgp_comment ? "${key_name}",
  pgp_name ? "${key_name}",
  ...
 }:
 stdenv.mkDerivation (finalAttrs: {
  name = "pgp-key-${key_name}";
  nativeBuildInputs = [ gnupg ];
  buildInputs = [ ];
  unpackPhase = "true";
  buildPhase = ''
    mkdir keyring
    export GNUPGHOME=$(readlink -f keyring)
    gpg --batch --full-generate-key <<EOF
    %no-protection
    Key-Type: 1
    Key-Length: 4096
    Subkey-Type: 1
    Subkey-Length: 4096
    Expire-Date: ${expire_date}
    Name-Comment: ${pgp_comment}
    Name-Real: ${pgp_name}
    EOF
  '';
  installPhase = ''
    export GNUPGHOME=$(readlink -f keyring)
    mkdir "$out"
    gpg --export-secret-keys --armor "${pgp_name}" > "$out/${key_name}_private_key.asc"
    gpg --export --armor "${pgp_name}" > "$out/${key_name}_public_key.asc"
  '';
 })
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@ -101,6 +101,19 @@ makeScope newScope (
        "flux_ssh_key"
      ] (key_name: (callPackage ./package/ssh-key/package.nix (additional_vars // { inherit key_name; })))
    );
    pgp-keys = (
      builtins.mapAttrs
        (
          key_name: key_config:
          (callPackage ./package/pgp-key/package.nix (additional_vars // { inherit key_name; } // key_config))
        )
        {
          "flux_gpg" = {
            pgp_comment = "flux secrets";
            pgp_name = "flux sops";
          };
        }
    );
    client-configs = (
      builtins.mapAttrs
        (