Add secrets for archive-box, webhook-bridge, and tekton.

This commit is contained in:
Tom Alexander
2026-04-28 17:45:02 -04:00
parent 9de8c853e3
commit 70f180f3c8
4 changed files with 98 additions and 16 deletions


@@ -12,11 +12,12 @@
#+end_src #+end_src
* IP Ranges * IP Ranges
| | IPv4 | IPv6 | | | IPv4 | IPv6 |
|------------------------------+-----------------------------+-----------------------------------------| |--------------------------------+-----------------------------+-----------------------------------------|
| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 | | Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 | | Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 | | Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 | | Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
| Load Balancer Private (unused) | 10.198.0.0/16 | fd9c:0bd5:22a4::/112 |
| PowerDNS from inside cluster | 10.215.1.211 | | | PowerDNS from inside cluster | 10.215.1.211 | |
* Healthcheck * Healthcheck
** Check cilium status ** Check cilium status


@@ -16,19 +16,29 @@
secret_name, secret_name,
secret_namespace, secret_namespace,
secret_values ? { }, secret_values ? { },
secret_type ? null,
secret_annotations ? null,
... ...
}: }:
let let
toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64; toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64;
secret_yaml = {
apiVersion = "v1";
kind = "Secret";
metadata = { metadata = {
name = "${secret_name}"; name = "${secret_name}";
namespace = "${secret_namespace}"; namespace = "${secret_namespace}";
}
// lib.optionalAttrs (secret_annotations != null) {
"annotations" = secret_annotations;
}; };
secret_yaml = {
apiVersion = "v1";
kind = "Secret";
metadata = metadata;
data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values); data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values);
}
// lib.optionalAttrs (secret_type != null) {
"type" = secret_type;
}; };
settingsFormat = pkgs.formats.yaml { }; settingsFormat = pkgs.formats.yaml { };
yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml; yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml;
yaml_file = pkgs.writeTextFile { yaml_file = pkgs.writeTextFile {
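Review bot: The two new parameters `secret_type` and `secret_annotations` (L32–L33) carry no documentation, and the attribute names `"annotations"` and `"type"` are quoted while `apiVersion`, `kind` and `metadata` in the same sets are bare. I'd add `# Kubernetes Secret type (e.g. kubernetes.io/ssh-auth); when null the field is omitted and the API server defaults it to Opaque.` above `secret_type ? null,` and `# Attribute set merged into metadata.annotations; omitted when null.` above `secret_annotations ? null,`. For consistency the merged keys could be written as `annotations = secret_annotations;` and `type = secret_type;`. The function's parameter list begins before the hunk and its body continues past it.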


@@ -13,13 +13,33 @@ let
( (
secret_namespace: secrets: secret_namespace: secrets:
(builtins.mapAttrs ( (builtins.mapAttrs (
secret_name: secret_values: secret_name: original_secret_values:
let
secret_type = original_secret_values."__type" or null;
secret_annotations = original_secret_values."__annotations" or null;
secret_values = removeAttrs original_secret_values [
"__type"
"__annotations"
];
in
(callPackage ../../package/k8s-secret-generic/package.nix { (callPackage ../../package/k8s-secret-generic/package.nix {
inherit secret_name secret_namespace secret_values; inherit
secret_name
secret_namespace
secret_values
secret_type
secret_annotations
;
}) })
) secrets) ) secrets)
) )
{ {
"archive-box" = {
"archive-box-auth" = {
"username" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/username}");
"password" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/password}");
};
};
"cert-manager" = { "cert-manager" = {
"rfc2136" = { "rfc2136" = {
"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}"); "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
@@ -37,6 +57,11 @@ let
); );
}; };
}; };
"flux-system" = {
"webhook-token" = {
"token" = generate_key 64 "flux-system.webhook-token.token";
};
};
"gitea" = { "gitea" = {
"gitea-env" = { "gitea-env" = {
"GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}"); "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
@@ -59,6 +84,29 @@ let
); );
}; };
}; };
"tekton-gateway" = {
"oauth2-env" = oauth2_env { dex_id = "tekton"; };
};
"webhook-bridge" = {
"webhook-bridge" = {
"HMAC_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN}");
"OAUTH_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN}");
};
"deployer-key" = {
"__annotations" = {
"tekton.dev/git-0" = "code.fizz.buzz";
};
"__type" = "kubernetes.io/ssh-auth";
"ssh-privatekey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-privatekey}");
"ssh-publickey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-publickey}");
};
"gitea" = {
"token" = (builtins.readFile "${./secrets/webhook-bridge/gitea/token}");
};
"harbor-plain" = {
"config.json" = (builtins.readFile "${./secrets/webhook-bridge/harbor-plain/config.json}");
};
};
}; };
encrypted_secrets = ( encrypted_secrets = (
builtins.mapAttrs ( builtins.mapAttrs (
@@ -101,8 +149,31 @@ let
dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out" dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
'' ''
); );
helm_json_escape = json: builtins.toJSON json; # helm_json_escape = json: builtins.toJSON json;
helm_json_escape =
json:
builtins.replaceStrings
[
"="
"["
"]"
","
"."
"\""
"{"
"}"
]
[
"\\="
"\\["
"\\]"
"\\,"
"\\."
"\\\""
"\\{"
"\\}"
]
json;
## dex ## dex
get_dex_config = get_dex_config =
client_id: client_id:
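Review bot: The new `helm_json_escape` (L144–L167) escapes separators but never the backslash itself, so input that already contains `\` is not round-trip safe: `\.` becomes `\\.`, which a backslash-escaping parser reads as a literal backslash followed by an unescaped dot. Because `builtins.replaceStrings` does a single pass and does not rescan its replacements, prepending `"\\"` to the first list and `"\\\\"` to the second fixes this without double-escaping anything else. The function also no longer calls `builtins.toJSON`, so every caller must now pass a string rather than an attribute set; the callers are outside this hunk, so that contract change is worth confirming. The commented-out previous definition at L143 should be deleted rather than left as dead code.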


@@ -32,7 +32,7 @@ let
containerRuntimeEndpoint = "unix:///var/run/containerd/containerd.sock"; containerRuntimeEndpoint = "unix:///var/run/containerd/containerd.sock";
enableServer = true; enableServer = true;
failSwapOn = false; failSwapOn = false;
maxPods = 16; maxPods = 110;
memorySwap = { memorySwap = {
swapBehavior = "NoSwap"; swapBehavior = "NoSwap";
}; };
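Review bot: The kubelet `maxPods` change from 16 to 110 (L178) is unrelated to the commit's stated purpose and has no comment, so a reader cannot tell whether 110 was chosen deliberately or because it is the kubelet default. I'd add `# 110 is the kubelet default; the per-node pod subnet must have capacity for this many pods` above the line. The per-node pod subnet allocated by the CNI is not visible in this hunk, so it is worth confirming it holds at least 110 addresses before raising the limit. The enclosing `let` block starts outside the hunk.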