Build the cilium manifest automatically in nix.

nix/kubernetes/keys/package/cilium-manifest/package.nix

@@ -0,0 +1,70 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  stdenv,
+  openssl,
+  fetchFromGitHub,
+  kubernetes-helm,
+  ...
+}:
+stdenv.mkDerivation (
+  finalAttrs:
+  let
+    version = "1.18.5";
+  in
+  {
+    name = "cilium-manifest";
+    nativeBuildInputs = [
+      openssl
+      kubernetes-helm
+    ];
+    buildInputs = [ ];
+
+    src = fetchFromGitHub {
+      owner = "cilium";
+      repo = "cilium";
+      tag = "v${version}";
+      hash = "sha256-348inOOQ/fgwTYnaSHrQ363xGYnx2UPts3D4ycDRsWE=";
+    };
+
+    buildPhase = ''
+      helm template --dry-run=client cilium $src/install/kubernetes/cilium --version 1.18.5 --namespace kube-system \
+           --set kubeProxyReplacement=true \
+           --set ipam.mode=kubernetes \
+           --set k8sServiceHost="2620:11f:7001:7:ffff:ffff:ad7:1dd" \
+           --set k8sServicePort=6443 \
+           --set ipv6.enabled=true \
+           --set ipv4.enabled=true \
+           --set enableIPv6Masquerade=false \
+           | tee $NIX_BUILD_TOP/cilium.yaml
+    '';
+
+    # --set enableIPv4BIGTCP=false \
+    # --set enableIPv6BIGTCP=false \
+    # --set routingMode=native \
+    # --set ipv4NativeRoutingCIDR=10.0.0.0/8 \
+    # --set ipv6NativeRoutingCIDR=2620:11f:7001:7:ffff::/96 \
+
+    # --set hostFirewall.enabled=true
+    # --set routingMode=native
+
+    # --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \
+    # --set 'ipam.operator.clusterPoolIPv6PodCIDRList=["fd00::/100"]' \
+
+    # --set encryption.enabled=true \
+    # --set encryption.type=wireguard
+    # --set encryption.nodeEncryption=true
+
+    installPhase = ''
+      mkdir -p "$out"
+      cp $NIX_BUILD_TOP/cilium.yaml $out/
+    '';
+  }
+)