Add oauth2 proxy secrets.

nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix

@@ -42,6 +42,7 @@ let
             "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
             "GITEA_ADMIN_PASSWORD" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_PASSWORD}");
           };
+          "oauth2-env" = oauth2_env { dex_id = "gitea"; };
         };
       };
   encrypted_secrets = (
@@ -76,6 +77,15 @@ let
 
   ## Utilities
   inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
+  generate_key =
+    len: name:
+    builtins.readFile (
+      runCommand "generate_key" { } ''
+        set +o pipefail
+        # ${name}
+        dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
+      ''
+    );
 
   ## dex
   dex_static_client =
@@ -84,15 +94,9 @@ let
       name,
       redirectURIs,
     }:
-    let
-      generate_key = runCommand "generate_key" { } ''
-        set +o pipefail
-        dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=32 count=1 of="$out"
-      '';
-    in
     {
       inherit id name redirectURIs;
-      secret = builtins.readFile generate_key;
+      secret = generate_key 32 "dex_static_client ${id}";
     };
   dex_config = {
     issuer = "https://dex.fizz.buzz";
@@ -147,6 +151,17 @@ let
     };
   };
   dex_config_yaml = to_yaml "config.yml" dex_config;
+
+  ## oauth2-proxy
+  oauth2_env =
+    { dex_id }:
+    {
+      "OAUTH2_PROXY_CLIENT_SECRET" =
+        (builtins.head (
+          builtins.filter (static_client: static_client.id == dex_id) dex_config.staticClients
+        )).secret;
+      "OAUTH2_PROXY_COOKIE_SECRET" = generate_key 32 "OAUTH2_PROXY_COOKIE_SECRET ${dex_id}";
+    };
 in
 symlinkJoin {
   name = "in-repo-secrets";