Add secrets for archive-box, webhook-bridge, and tekton.

Tom Alexander
2026-04-28 17:45:02 -04:00
parent 9de8c853e3
commit 70f180f3c8
4 changed files with 98 additions and 16 deletions


@@ -16,19 +16,29 @@
secret_name,
secret_namespace,
secret_values ? { },
secret_type ? null,
secret_annotations ? null,
...
}:
let
toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64;
metadata = {
name = "${secret_name}";
namespace = "${secret_namespace}";
}
// lib.optionalAttrs (secret_annotations != null) {
"annotations" = secret_annotations;
};
secret_yaml = {
apiVersion = "v1";
kind = "Secret";
metadata = {
name = "${secret_name}";
namespace = "${secret_namespace}";
};
metadata = metadata;
data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values);
}
// lib.optionalAttrs (secret_type != null) {
"type" = secret_type;
};
settingsFormat = pkgs.formats.yaml { };
yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml;
yaml_file = pkgs.writeTextFile {
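Review bot: The new `secret_type ? null` and `secret_annotations ? null` parameters are accepted without documentation or any check: `secret_annotations` is merged verbatim into `metadata.annotations`, and `secret_type` is emitted as the Secret `type` with no check that `secret_values` carries the keys Kubernetes requires for that type (for example `kubernetes.io/ssh-auth` requires `ssh-privatekey`), so a misnamed key in a caller only surfaces when the manifest is applied rather than at evaluation time. A guard such as `assert secret_type != "kubernetes.io/ssh-auth" || secret_values ? "ssh-privatekey";` before `secret_yaml`, together with a header comment like `# secret_type: optional Secret .type (e.g. kubernetes.io/ssh-auth); secret_annotations: attrset merged verbatim into metadata.annotations`, would make the contract visible where it is consumed. As a point of style, `metadata = metadata;` can be written `inherit metadata;`, and the `"${secret_name}"` / `"${secret_namespace}"` interpolations in the new `metadata` binding are redundant since both values are already strings. The enclosing function continues past the hunk (`yaml_file = pkgs.writeTextFile {` is cut off).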


@@ -13,13 +13,33 @@ let
(
secret_namespace: secrets:
(builtins.mapAttrs (
secret_name: secret_values:
secret_name: original_secret_values:
let
secret_type = original_secret_values."__type" or null;
secret_annotations = original_secret_values."__annotations" or null;
secret_values = removeAttrs original_secret_values [
"__type"
"__annotations"
];
in
(callPackage ../../package/k8s-secret-generic/package.nix {
inherit secret_name secret_namespace secret_values;
inherit
secret_name
secret_namespace
secret_values
secret_type
secret_annotations
;
})
) secrets)
)
{
"archive-box" = {
"archive-box-auth" = {
"username" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/username}");
"password" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/password}");
};
};
"cert-manager" = {
"rfc2136" = {
"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
@@ -37,6 +57,11 @@ let
);
};
};
"flux-system" = {
"webhook-token" = {
"token" = generate_key 64 "flux-system.webhook-token.token";
};
};
"gitea" = {
"gitea-env" = {
"GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
@@ -59,6 +84,29 @@ let
);
};
};
"tekton-gateway" = {
"oauth2-env" = oauth2_env { dex_id = "tekton"; };
};
"webhook-bridge" = {
"webhook-bridge" = {
"HMAC_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN}");
"OAUTH_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN}");
};
"deployer-key" = {
"__annotations" = {
"tekton.dev/git-0" = "code.fizz.buzz";
};
"__type" = "kubernetes.io/ssh-auth";
"ssh-privatekey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-privatekey}");
"ssh-publickey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-publickey}");
};
"gitea" = {
"token" = (builtins.readFile "${./secrets/webhook-bridge/gitea/token}");
};
"harbor-plain" = {
"config.json" = (builtins.readFile "${./secrets/webhook-bridge/harbor-plain/config.json}");
};
};
};
encrypted_secrets = (
builtins.mapAttrs (
@@ -101,8 +149,31 @@ let
dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
''
);
helm_json_escape = json: builtins.toJSON json;
# helm_json_escape = json: builtins.toJSON json;
helm_json_escape =
json:
builtins.replaceStrings
[
"="
"["
"]"
","
"."
"\""
"{"
"}"
]
[
"\\="
"\\["
"\\]"
"\\,"
"\\."
"\\\""
"\\{"
"\\}"
]
json;
## dex
get_dex_config =
client_id: