diff --git a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
index 1691b46f..5824a1ca 100644
--- a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
+++ b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
@@ -42,6 +42,7 @@ let
 "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
 "GITEA_ADMIN_PASSWORD" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_PASSWORD}");
 };
+ "oauth2-env" = oauth2_env { dex_id = "gitea"; };
 };
 };
 encrypted_secrets = (
@@ -76,6 +77,15 @@ let
 ## Utilities
 inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
+ generate_key =
+ len: name:
+ builtins.readFile (
+ runCommand "generate_key" { } ''
+ set +o pipefail
+ # ${name}
+ dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
+ ''
+ );
 ## dex
 dex_static_client =
@@ -84,15 +94,9 @@ let
 name,
 redirectURIs,
 }:
- let
- generate_key = runCommand "generate_key" { } ''
- set +o pipefail
- dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=32 count=1 of="$out"
- '';
- in
 {
 inherit id name redirectURIs;
- secret = builtins.readFile generate_key;
+ secret = generate_key 32 "dex_static_client ${id}";
 };
 dex_config = {
 issuer = "https://dex.fizz.buzz";
@@ -147,6 +151,17 @@ let
 };
 };
 dex_config_yaml = to_yaml "config.yml" dex_config;
+
+ ## oauth2-proxy
+ oauth2_env =
+ { dex_id }:
+ {
+ "OAUTH2_PROXY_CLIENT_SECRET" =
+ (builtins.head (
+ builtins.filter (static_client: static_client.id == dex_id) dex_config.staticClients
+ )).secret;
+ "OAUTH2_PROXY_COOKIE_SECRET" = generate_key 32 "OAUTH2_PROXY_COOKIE_SECRET ${dex_id}";
+ };
 in
 symlinkJoin {
 name = "in-repo-secrets";
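Review bot: `dd bs=${toString len} count=1` reading from a pipe in the new `generate_key` helper can return fewer than `len` bytes, because without `iflag=fullblock` GNU dd does a single read() per block and a pipe may hand back a short block; with `set +o pipefail` in force the short key still lands in `$out` and `builtins.readFile` accepts it silently. Use `dd bs=${toString len} count=1 iflag=fullblock of="$out"` (or `head -c ${toString len} > "$out"`) so the key length is actually guaranteed. The `# ${name}` line exists only to give each call a distinct derivation hash, and it splices `name` into a shell script to do so; passing it as an attribute instead, `runCommand "generate_key" { inherit name; } ''…''`, perturbs the hash the same way without putting the string into the script, and a comment such as `# name is unused by the script; it only makes each key its own derivation` would make the intent explicit. Note also that the key is an ordinary derivation output: it is written into /nix/store, which is world-readable on the build host, and a rebuild on a host without the cached path yields a fresh value, so the generated secret is neither private to the evaluation nor reproducible across machines — presumably acceptable for this in-repo-secrets package, but worth stating in a comment next to the helper.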
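Review bot: `builtins.head (builtins.filter …)` in the new `oauth2_env` fails with an unhelpful Nix error when `dex_id` matches no entry of `dex_config.staticClients`, which is the easiest misconfiguration to make from the single call site `oauth2_env { dex_id = "gitea"; }`. A guard before the attrset gives a readable failure: `assert builtins.any (c: c.id == dex_id) dex_config.staticClients || throw "oauth2_env: no dex staticClient with id ${dex_id}";`. Because the client secret is taken from the same evaluation of `dex_config` that `dex_config_yaml` serialises, dex and oauth2-proxy agree within one build, which is the right design; a comment such as `# Must come from dex_config (not a fresh generate_key) so dex and oauth2-proxy share one client secret` would stop someone from "simplifying" it later. `OAUTH2_PROXY_COOKIE_SECRET` is 32 alphanumeric characters, which per oauth2-proxy's documentation is one of its accepted raw cookie-secret lengths (16, 24 or 32 bytes) — a comment saying so would keep the `32` from being tuned to a value the proxy rejects.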