Generate pgp keys for sops.

2025-12-21 14:17:31 -05:00 · 2025-12-21 14:17:31 -05:00 · 3affee9007
commit 3affee9007
parent 144b39dfdd
3 changed files with 65 additions and 1 deletions
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@ -11,5 +11,6 @@ symlinkJoin {
  ]
  ++ (builtins.attrValues k8s.keys)
  ++ (builtins.attrValues k8s.client-configs)
-  ++ (builtins.attrValues k8s.ssh-keys);
+  ++ (builtins.attrValues k8s.ssh-keys)
+  ++ (builtins.attrValues k8s.pgp-keys);
 }
--- a/nix/kubernetes/keys/package/pgp-key/package.nix
+++ b/nix/kubernetes/keys/package/pgp-key/package.nix
@ -0,0 +1,50 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  stdenv,
+  gnupg,
+  key_name,
+  expire_date ? "0",
+  pgp_comment ? "${key_name}",
+  pgp_name ? "${key_name}",
+  ...
+}:
+stdenv.mkDerivation (finalAttrs: {
+  name = "pgp-key-${key_name}";
+  nativeBuildInputs = [ gnupg ];
+  buildInputs = [ ];
+
+  unpackPhase = "true";
+
+  buildPhase = ''
+    mkdir keyring
+    export GNUPGHOME=$(readlink -f keyring)
+
+    gpg --batch --full-generate-key <<EOF
+    %no-protection
+    Key-Type: 1
+    Key-Length: 4096
+    Subkey-Type: 1
+    Subkey-Length: 4096
+    Expire-Date: ${expire_date}
+    Name-Comment: ${pgp_comment}
+    Name-Real: ${pgp_name}
+    EOF
+
+
+  '';
+
+  installPhase = ''
+    export GNUPGHOME=$(readlink -f keyring)
+    mkdir "$out"
+    gpg --export-secret-keys --armor "${pgp_name}" > "$out/${key_name}_private_key.asc"
+    gpg --export --armor "${pgp_name}" > "$out/${key_name}_public_key.asc"
+  '';
+})
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@ -101,6 +101,19 @@ makeScope newScope (
        "flux_ssh_key"
      ] (key_name: (callPackage ./package/ssh-key/package.nix (additional_vars // { inherit key_name; })))
    );
+    pgp-keys = (
+      builtins.mapAttrs
+        (
+          key_name: key_config:
+          (callPackage ./package/pgp-key/package.nix (additional_vars // { inherit key_name; } // key_config))
+        )
+        {
+          "flux_gpg" = {
+            pgp_comment = "flux secrets";
+            pgp_name = "flux sops";
+          };
+        }
+    );
    client-configs = (
      builtins.mapAttrs
        (