From 8c70d4e829cebceecb5740cd9688be8967df59c7 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 21 Dec 2025 22:41:21 -0500
Subject: [PATCH] Generic secrets for ssh keys.
---
 .../keys/package/bootstrap-script/package.nix | 22 ++++++-----
 .../keys/package/k8s-keys/package.nix | 1 -
 .../package/k8s-secret-generic/package.nix | 2 -
 .../keys/package/k8s-secret-ssh/package.nix | 39 -------------------
 nix/kubernetes/keys/scope.nix | 22 ++++-------
 5 files changed, 20 insertions(+), 66 deletions(-)
 delete mode 100644 nix/kubernetes/keys/package/k8s-secret-ssh/package.nix
diff --git a/nix/kubernetes/keys/package/bootstrap-script/package.nix b/nix/kubernetes/keys/package/bootstrap-script/package.nix
index 5ebacb21..31a7df00 100644
--- a/nix/kubernetes/keys/package/bootstrap-script/package.nix
+++ b/nix/kubernetes/keys/package/bootstrap-script/package.nix
@@ -27,15 +27,19 @@ let
 echo "Bootstrap finished"
 '');
 manifests = (
- lib.concatMapStringsSep "," lib.escapeShellArg [
- ./files/manifests/initial_clusterrole.yaml
- ./files/manifests/cilium.yaml
- ./files/manifests/coredns.yaml
- ./files/manifests/flux_namespace.yaml
- ./files/manifests/flux.yaml
- ./files/manifests/flux_instance.yaml
- "${k8s.k8s-ssh-secrets.kubernetes-deploy-key}/kubernetes-deploy-key.yaml"
- ]
+ lib.concatMapStringsSep "," lib.escapeShellArg (
+ [
+ ./files/manifests/initial_clusterrole.yaml
+ ./files/manifests/cilium.yaml
+ ./files/manifests/coredns.yaml
+ ./files/manifests/flux_namespace.yaml
+ ./files/manifests/flux.yaml
+ ./files/manifests/flux_instance.yaml
+ ]
+ ++ (lib.attrsets.mapAttrsToList (
+ secret_name: secret_value: "${secret_value}/${secret_name}.yaml"
+ ) k8s.k8s-secrets-generic)
+ )
 );
 apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";
 in
diff --git a/nix/kubernetes/keys/package/k8s-keys/package.nix b/nix/kubernetes/keys/package/k8s-keys/package.nix
index 5f3ac7ae..587749a4 100644
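Review bot: The rebuilt `manifests` list applies every entry of `k8s.k8s-secrets-generic` at bootstrap, not only the deploy key that the removed line named, so the existing generic entry carrying `sops.asc` (a PGP private key, visible in the scope.nix hunk) now appears to be pushed by this `kubectl apply` as well; if that widening is intended it deserves a comment such as `# every generic secret is applied at bootstrap; add or remove entries in scope.nix, not here`, and if not, the mapping should select the deploy-key attribute explicitly. The `"${secret_value}/${secret_name}.yaml"` path depends on k8s-secret-generic's installPhase writing `$out/${secret_name}.yaml`, which the next hunk shows but nothing here states; a one-line comment naming that coupling would keep the two in step. `mapAttrsToList` emits entries in attribute-name order and they are appended after `flux_instance.yaml`, so `flux_namespace.yaml` still precedes the `flux-system` secrets. The enclosing `let` block starts outside the hunk.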
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@@ -13,6 +13,5 @@ symlinkJoin {
 ++ (builtins.attrValues k8s.client-configs)
 ++ (builtins.attrValues k8s.ssh-keys)
 ++ (builtins.attrValues k8s.pgp-keys)
- ++ (builtins.attrValues k8s.k8s-ssh-secrets)
 ++ (builtins.attrValues k8s.k8s-secrets-generic);
 }
diff --git a/nix/kubernetes/keys/package/k8s-secret-generic/package.nix b/nix/kubernetes/keys/package/k8s-secret-generic/package.nix
index 7d4249b6..6aea5e01 100644
--- a/nix/kubernetes/keys/package/k8s-secret-generic/package.nix
+++ b/nix/kubernetes/keys/package/k8s-secret-generic/package.nix
@@ -43,8 +43,6 @@ stdenv.mkDerivation (finalAttrs: {
 unpackPhase = "true";
- # lib.attrsets.mapAttrsToList
-
 installPhase = ''
 mkdir "$out"
 cp "${yaml_file}" "$out/${secret_name}.yaml"
diff --git a/nix/kubernetes/keys/package/k8s-secret-ssh/package.nix b/nix/kubernetes/keys/package/k8s-secret-ssh/package.nix
deleted file mode 100644
index 88411ddc..00000000
--- a/nix/kubernetes/keys/package/k8s-secret-ssh/package.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-# unpackPhase
-# patchPhase
-# configurePhase
-# buildPhase
-# checkPhase
-# installPhase
-# fixupPhase
-# installCheckPhase
-# distPhase
-{
- stdenv,
- k8s,
- kubectl,
- secret_name,
- secret_namespace,
- ssh_key_name,
- ...
-}:
-stdenv.mkDerivation (finalAttrs: {
- name = "k8s-secret-ssh-${secret_name}";
- nativeBuildInputs = [ kubectl ];
- buildInputs = [ ];
-
- unpackPhase = "true";
-
- buildPhase = ''
- kubectl create secret generic ${secret_name} \
- --namespace ${secret_namespace} \
- --from-file=identity=${k8s.ssh-keys."${ssh_key_name}"}/${ssh_key_name} \
- --from-file=identity.pub=${k8s.ssh-keys."${ssh_key_name}"}/${ssh_key_name}.pub \
- --dry-run=client -o yaml > ${secret_name}.yaml
- '';
- # --from-file=known_hosts=$(OUT)/known_hosts \
-
- installPhase = ''
- mkdir "$out"
- cp "${secret_name}.yaml" $out/
-})
diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index abc7b777..93dff6f6 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@@ -114,21 +114,6 @@ makeScope newScope (
 };
 }
 );
- k8s-ssh-secrets = (
- builtins.mapAttrs
- (
- secret_name: secret_config:
- (callPackage ./package/k8s-secret-ssh/package.nix (
- additional_vars // { inherit secret_name; } // secret_config
- ))
- )
- {
- "kubernetes-deploy-key" = {
- secret_namespace = "flux-system";
- ssh_key_name = "flux_ssh_key";
- };
- }
- );
 k8s-secrets-generic = (
 builtins.mapAttrs
 (
@@ -144,6 +129,13 @@ makeScope newScope (
 "sops.asc" = (builtins.readFile "${self.pgp-keys.flux_gpg}/flux_gpg_private_key.asc");
 };
 };
+ "kubernetes-deploy-key" = {
+ secret_namespace = "flux-system";
+ secret_values = {
+ "identity" = builtins.readFile "${self.ssh-keys.flux_ssh_key}/flux_ssh_key";
+ "identity.pub" = builtins.readFile "${self.ssh-keys.flux_ssh_key}/flux_ssh_key.pub";
+ };
+ };
 }
 );
 client-configs = (
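Review bot: The two `builtins.readFile` calls on the `"identity"` and `"identity.pub"` lines pull the SSH private key's plaintext into the evaluated attribute set, so it becomes an evaluation-time string handed to k8s-secret-generic rather than a store path the build phase copied from, as the deleted k8s-secret-ssh package did; depending on how that package turns `secret_values` into `yaml_file` (not visible here), the key can then also sit in the `.drv` inputs and in evaluation output, adding places where the material is stored beyond the built YAML. This mirrors how `sops.asc` is already handled two lines up, but the entry deserves a comment making the choice explicit, e.g. `# private key is read at eval time and embedded in the derivation, not only in $out`. As a point of style, the `sops.asc` value wraps its `builtins.readFile` in parentheses while the two new values do not; one form should be used across the block. The `k8s-secrets-generic` attribute set begins in the previous hunk.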