Add dex secrets.

2026-04-18 16:22:47 -04:00
parent a5e70c5d4e
commit aacf5c65e5
1 changed files with 85 additions and 5 deletions
--- a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
+++ b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
@@ -1,5 +1,6 @@
 {
  lib,
+  pkgs,
  k8s,
  callPackage,
  runCommand,
@@ -19,6 +20,16 @@ let
        ) secrets)
      )
      {
+        "cert-manager" = {
+          "rfc2136" = {
+            "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
+          };
+        };
+        "dex" = {
+          "files" = {
+            "config.yaml" = dex_config_yaml;
+          };
+        };
        "external-dns" = {
          "rfc2136" = {
            "EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (
@@ -26,11 +37,6 @@ let
            );
          };
        };
-        "cert-manager" = {
-          "rfc2136" = {
-            "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
-          };
-        };
        "gitea" = {
          "gitea-env" = {
            "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
@@ -67,6 +73,80 @@ let
    ) (builtins.attrNames encrypted_secrets)
  );
  gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;
+
+  ## Utilities
+  inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
+
+  ## dex
+  dex_static_client =
+    {
+      id,
+      name,
+      redirectURIs,
+    }:
+    let
+      generate_key = runCommand "generate_key" { } ''
+        set +o pipefail
+        dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=32 count=1 of="$out"
+      '';
+    in
+    {
+      inherit id name redirectURIs;
+      secret = builtins.readFile generate_key;
+    };
+  dex_config = {
+    issuer = "https://dex.fizz.buzz";
+    storage = {
+      config = {
+        inCluster = true;
+      };
+      type = "kubernetes";
+    };
+    logger = {
+      level = "debug";
+    };
+    web = {
+      http = "0.0.0.0:5556";
+    };
+    oauth2 = {
+      alwaysShowLoginScreen = false;
+      skipApprovalScreen = true;
+    };
+    staticClients = map dex_static_client [
+      {
+        id = "prometheus";
+        name = "Prometheus";
+        redirectURIs = [ "https://prometheus.fizz.buzz/oauth2/callback" ];
+      }
+      {
+        id = "harbor";
+        name = "Harbor";
+        redirectURIs = [ "https://harbor.fizz.buzz/c/oidc/callback" ];
+      }
+      {
+        id = "tekton";
+        name = "Tekton";
+        redirectURIs = [ "https://tekton.fizz.buzz/oauth2/callback" ];
+      }
+      {
+        id = "homepage-staging";
+        name = "Homepage staging";
+        redirectURIs = [ "https://staging.fizz.buzz/oauth2/callback" ];
+      }
+      {
+        id = "gitea";
+        name = "gitea";
+        redirectURIs = [ "https://code.fizz.buzz/oauth2/callback" ];
+      }
+    ];
+    enablePasswordDB = true;
+    staticPasswords = (import ./secrets/dex/static_passwords.nix);
+    expiry = {
+      idTokens = "1h";
+      signingKeys = "4h";
+    };
+  };
+  dex_config_yaml = to_yaml "config.yml" dex_config;
 in
 symlinkJoin {
  name = "in-repo-secrets";