From 4bcb9d5f4740a7ba9f6c67ce1bd522b67a8a8d37 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sat, 18 Apr 2026 16:22:47 -0400
Subject: [PATCH] Add dex secrets.

---
 .../mrmanager-repo-secrets/package.nix | 90 +++++++++++++++++--
 1 file changed, 85 insertions(+), 5 deletions(-)

diff --git a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
index f42fe550..1691b46f 100644
--- a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
+++ b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
@@ -1,5 +1,6 @@
 {
   lib,
+  pkgs,
   k8s,
   callPackage,
   runCommand,
@@ -19,6 +20,16 @@ let
     ) secrets)
   )
   {
+    "cert-manager" = {
+      "rfc2136" = {
+        "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
+      };
+    };
+    "dex" = {
+      "files" = {
+        "config.yaml" = dex_config_yaml;
+      };
+    };
     "external-dns" = {
       "rfc2136" = {
         "EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (
@@ -26,11 +37,6 @@ let
         );
       };
     };
-    "cert-manager" = {
-      "rfc2136" = {
-        "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
-      };
-    };
     "gitea" = {
       "gitea-env" = {
         "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
@@ -67,6 +73,80 @@ let
     ) (builtins.attrNames encrypted_secrets)
   );
   gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;
+
+  ## Utilities
+  inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
+
+  ## dex
+  dex_static_client =
+    {
+      id,
+      name,
+      redirectURIs,
+    }:
+    let
+      generate_key = runCommand "generate_key" { } ''
+        set +o pipefail
+        dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=32 count=1 of="$out"
+      '';
+    in
+    {
+      inherit id name redirectURIs;
+      secret = builtins.readFile generate_key;
+    };
+  dex_config = {
+    issuer = "https://dex.fizz.buzz";
+    storage = {
+      config = {
+        inCluster = true;
+      };
+      type = "kubernetes";
+    };
+    logger = {
+      level = "debug";
+    };
+    web = {
+      http = "0.0.0.0:5556";
+    };
+    oauth2 = {
+      alwaysShowLoginScreen = false;
+      skipApprovalScreen = true;
+    };
+    staticClients = map dex_static_client [
+      {
+        id = "prometheus";
+        name = "Prometheus";
+        redirectURIs = [ "https://prometheus.fizz.buzz/oauth2/callback" ];
+      }
+      {
+        id = "harbor";
+        name = "Harbor";
+        redirectURIs = [ "https://harbor.fizz.buzz/c/oidc/callback" ];
+      }
+      {
+        id = "tekton";
+        name = "Tekton";
+        redirectURIs = [ "https://tekton.fizz.buzz/oauth2/callback" ];
+      }
+      {
+        id = "homepage-staging";
+        name = "Homepage staging";
+        redirectURIs = [ "https://staging.fizz.buzz/oauth2/callback" ];
+      }
+      {
+        id = "gitea";
+        name = "gitea";
+        redirectURIs = [ "https://code.fizz.buzz/oauth2/callback" ];
+      }
+    ];
+    enablePasswordDB = true;
+    staticPasswords = (import ./secrets/dex/static_passwords.nix);
+    expiry = {
+      idTokens = "1h";
+      signingKeys = "4h";
+    };
+  };
+  dex_config_yaml = to_yaml "config.yml" dex_config;
 in
 symlinkJoin {
   name = "in-repo-secrets";
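Review bot: Every static client ends up with the same secret, because the `generate_key` derivation inside `dex_static_client` has identical inputs on every call (same name, same empty attrset, same script, nothing derived from `id`), so Nix resolves it to a single store path and `builtins.readFile generate_key` returns the same bytes for prometheus, harbor, tekton, homepage-staging and gitea. Making the derivation depend on the client, e.g. `generate_key = runCommand "generate_key-${id}" { } ''`, gives each client its own output; note that the output still changes whenever the derivation is rebuilt (it reads /dev/urandom, so Nix cannot reproduce it), which silently desynchronises clients already configured with the previous value. The `dd bs=32 count=1` reading from a pipe is not guaranteed a full block and can emit fewer than 32 characters; `dd bs=32 count=1 iflag=fullblock of="$out"` makes the length deterministic. Separately, the generated key and presumably the rendered config from `to_yaml` (its implementation is outside this diff) land in the world-readable Nix store, which deserves a comment next to `dex_static_client` if that is accepted for this deployment; the `to_yaml "config.yml"` name also differs from the `"config.yaml"` key used in the earlier hunk.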