Add secrets for archive-box, webhook-bridge, and tekton.

nix/kubernetes/README.org

@@ -11,13 +11,14 @@
   ];
 #+end_src
 * IP Ranges
-|                              | IPv4                        | IPv6                                    |
+|                                | IPv4                        | IPv6                                    |
-|------------------------------+-----------------------------+-----------------------------------------|
+|--------------------------------+-----------------------------+-----------------------------------------|
-| Pod                          | 10.200.0.0/16               | 2620:11f:7001:7:ffff:eeee::/96          |
+| Pod                            | 10.200.0.0/16               | 2620:11f:7001:7:ffff:eeee::/96          |
-| Service                      | 10.197.0.0/16               | fd00:3e42:e349::/112                    |
+| Service                        | 10.197.0.0/16               | fd00:3e42:e349::/112                    |
-| Node                         | 10.215.1.0/24               | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
+| Node                           | 10.215.1.0/24               | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
-| Load Balancer                | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96          |
+| Load Balancer                  | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96          |
-| PowerDNS from inside cluster | 10.215.1.211                |                                         |
+| Load Balancer Private (unused) | 10.198.0.0/16               | fd9c:0bd5:22a4::/112                    |
+| PowerDNS from inside cluster   | 10.215.1.211                |                                         |
 * Healthcheck
 ** Check cilium status
 #+begin_src bash

nix/kubernetes/keys/package/k8s-secret-generic/package.nix

@@ -16,19 +16,29 @@
   secret_name,
   secret_namespace,
   secret_values ? { },
+  secret_type ? null,
+  secret_annotations ? null,
   ...
 }:
 let
   toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64;
+  metadata = {
+    name = "${secret_name}";
+    namespace = "${secret_namespace}";
+  }
+  // lib.optionalAttrs (secret_annotations != null) {
+    "annotations" = secret_annotations;
+  };
   secret_yaml = {
     apiVersion = "v1";
     kind = "Secret";
-    metadata = {
+    metadata = metadata;
-      name = "${secret_name}";
-      namespace = "${secret_namespace}";
-    };
     data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values);
+  }
+  // lib.optionalAttrs (secret_type != null) {
+    "type" = secret_type;
   };
+
   settingsFormat = pkgs.formats.yaml { };
   yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml;
   yaml_file = pkgs.writeTextFile {

nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix

@@ -13,13 +13,33 @@ let
       (
         secret_namespace: secrets:
         (builtins.mapAttrs (
-          secret_name: secret_values:
+          secret_name: original_secret_values:
+          let
+            secret_type = original_secret_values."__type" or null;
+            secret_annotations = original_secret_values."__annotations" or null;
+            secret_values = removeAttrs original_secret_values [
+              "__type"
+              "__annotations"
+            ];
+          in
           (callPackage ../../package/k8s-secret-generic/package.nix {
-            inherit secret_name secret_namespace secret_values;
+            inherit
+              secret_name
+              secret_namespace
+              secret_values
+              secret_type
+              secret_annotations
+              ;
           })
         ) secrets)
       )
       {
+        "archive-box" = {
+          "archive-box-auth" = {
+            "username" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/username}");
+            "password" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/password}");
+          };
+        };
         "cert-manager" = {
           "rfc2136" = {
             "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
@@ -37,6 +57,11 @@ let
             );
           };
         };
+        "flux-system" = {
+          "webhook-token" = {
+            "token" = generate_key 64 "flux-system.webhook-token.token";
+          };
+        };
         "gitea" = {
           "gitea-env" = {
             "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
@@ -59,6 +84,29 @@ let
             );
           };
         };
+        "tekton-gateway" = {
+          "oauth2-env" = oauth2_env { dex_id = "tekton"; };
+        };
+        "webhook-bridge" = {
+          "webhook-bridge" = {
+            "HMAC_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN}");
+            "OAUTH_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN}");
+          };
+          "deployer-key" = {
+            "__annotations" = {
+              "tekton.dev/git-0" = "code.fizz.buzz";
+            };
+            "__type" = "kubernetes.io/ssh-auth";
+            "ssh-privatekey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-privatekey}");
+            "ssh-publickey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-publickey}");
+          };
+          "gitea" = {
+            "token" = (builtins.readFile "${./secrets/webhook-bridge/gitea/token}");
+          };
+          "harbor-plain" = {
+            "config.json" = (builtins.readFile "${./secrets/webhook-bridge/harbor-plain/config.json}");
+          };
+        };
       };
   encrypted_secrets = (
     builtins.mapAttrs (
@@ -101,8 +149,31 @@ let
         dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
       ''
     );
-  helm_json_escape = json: builtins.toJSON json;
+  # helm_json_escape = json: builtins.toJSON json;
-
+  helm_json_escape =
+    json:
+    builtins.replaceStrings
+      [
+        "="
+        "["
+        "]"
+        ","
+        "."
+        "\""
+        "{"
+        "}"
+      ]
+      [
+        "\\="
+        "\\["
+        "\\]"
+        "\\,"
+        "\\."
+        "\\\""
+        "\\{"
+        "\\}"
+      ]
+      json;
   ## dex
   get_dex_config =
     client_id:

nix/kubernetes/roles/kubelet/default.nix

@@ -32,7 +32,7 @@ let
     containerRuntimeEndpoint = "unix:///var/run/containerd/containerd.sock";
     enableServer = true;
     failSwapOn = false;
-    maxPods = 16;
+    maxPods = 110;
     memorySwap = {
       swapBehavior = "NoSwap";
     };