Generic secrets for pgp keys.

Tom Alexander 2025-12-21 19:43:43 -05:00 committed by Tom Alexander
parent 32fda29efe
commit df4260a35a
Signed by: talexander
GPG Key ID: 36C99E8B3C39D85F
4 changed files with 133 additions and 1 deletions


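--- /dev/null
+++ b/contrib/base64/package.nix
@@ -0,0 +1,62 @@
+# From: https://gist.github.com/manveru/74eb41d850bc146b7e78c4cb059507e2
+# From: https://discourse.nixos.org/t/string-to-base-64/32624/3
+{ lib, ... }:
+{
+toBase64 =
+text:
+let
+inherit (lib)
+sublist
+mod
+stringToCharacters
+concatMapStrings
+;
+inherit (lib.strings) charToInt;
+inherit (builtins)
+substring
+foldl'
+genList
+elemAt
+length
+concatStringsSep
+stringLength
+;
+lookup = stringToCharacters "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+sliceN =
+size: list: n:
+sublist (n * size) size list;
+pows = [
+(64 * 64 * 64)
+(64 * 64)
+64
+1
+];
+intSextets = i: map (j: mod (i / j) 64) pows;
+compose =
+f: g: x:
+f (g x);
+intToChar = elemAt lookup;
+convertTripletInt = sliceInt: concatMapStrings intToChar (intSextets sliceInt);
+sliceToInt = foldl' (acc: val: acc * 256 + val) 0;
+convertTriplet = compose convertTripletInt sliceToInt;
+join = concatStringsSep "";
+convertLastSlice =
+slice:
+let
+len = length slice;
+in
+if len == 1 then
+(substring 0 2 (convertTripletInt ((sliceToInt slice) * 256 * 256))) + "=="
+else if len == 2 then
+(substring 0 3 (convertTripletInt ((sliceToInt slice) * 256))) + "="
+else
+"";
+len = stringLength text;
+nFullSlices = len / 3;
+bytes = map charToInt (stringToCharacters text);
+tripletAt = sliceN 3 bytes;
+head = genList (compose convertTriplet tripletAt) nFullSlices;
+tail = convertLastSlice (tripletAt nFullSlices);
+in
+join (head ++ [ tail ]);
+}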
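Review bot: `bytes = map charToInt (stringToCharacters text)` restricts this encoder to ASCII input: as far as I recall `lib.strings.charToInt` is a lookup in nixpkgs' ASCII table, so a byte outside that table (a UTF-8 multibyte character, NUL, or a control byte other than tab/CR/LF) aborts evaluation with a missing-attribute error rather than a clear message. That is fine for ASCII-armored PGP keys, but this helper is now the encoder behind a generic secret package, so the limitation belongs in the header comment, e.g. `# Base64-encodes an ASCII string; each character must be in nixpkgs' ASCII table (lib.strings.charToInt), any other byte fails evaluation.`. The inner `len = length slice` in `convertLastSlice` also shadows the outer `len = stringLength text` bound a few lines below it; renaming the inner one (`sliceLen`) would make the padding logic easier to follow.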


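--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -13,5 +13,6 @@ symlinkJoin {
 ++ (builtins.attrValues k8s.client-configs)
 ++ (builtins.attrValues k8s.ssh-keys)
 ++ (builtins.attrValues k8s.pgp-keys)
-++ (builtins.attrValues k8s.k8s-ssh-secrets);
+++ (builtins.attrValues k8s.k8s-ssh-secrets)
+++ (builtins.attrValues k8s.k8s-secrets-generic);
 }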


@ -0,0 +1,52 @@
# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
lib,
pkgs,
stdenv,
k8s,
kubectl,
secret_name,
secret_namespace,
secret_values ? { },
...
}:
let
toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64;
secret_yaml = {
apiVersion = "v1";
kind = "Secret";
metadata = {
name = "${secret_name}";
namespace = "${secret_namespace}";
};
data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values);
};
settingsFormat = pkgs.formats.yaml { };
yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml;
yaml_file = pkgs.writeTextFile {
name = "${secret_name}.yaml";
text = (builtins.readFile yaml_body);
};
in
stdenv.mkDerivation (finalAttrs: {
name = "k8s-secret-generic-${secret_name}";
nativeBuildInputs = [ kubectl ];
buildInputs = [ ];
unpackPhase = "true";
# lib.attrsets.mapAttrsToList
installPhase = ''
mkdir "$out"
cp "${yaml_file}" "$out/${secret_name}.yaml"
'';
})
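Review bot: Every value in `secret_values` — including the PGP private key the scope file feeds in via `builtins.readFile` — lands in the world-readable Nix store three times over: once as the output of `settingsFormat.generate`, again via `pkgs.writeTextFile`, and finally through the `cp` into `$out`; the base64 in `data` is an encoding, not a protection, so the package header should say so, e.g. `# Builds a k8s Secret manifest as a store path; secret_values end up in it base64-encoded, readable by anyone with access to the Nix store.`. `text = (builtins.readFile yaml_body)` additionally forces the `yaml_body` derivation to be built during evaluation (import-from-derivation) only to copy one store file into another; `cp "${yaml_body}" "$out/${secret_name}.yaml"` in installPhase would make `yaml_file` unnecessary. If these manifests are applied through the API server, `stringData = secret_values;` in place of the `data = ... toBase64 ...` line would let Kubernetes do the encoding and drop the dependency on the hand-rolled, ASCII-limited `toBase64`. `kubectl` in `nativeBuildInputs`, the empty `buildInputs`, and the `finalAttrs` argument are unused in this derivation.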


@ -129,6 +129,23 @@ makeScope newScope (
}; };
} }
); );
k8s-secrets-generic = (
builtins.mapAttrs
(
secret_name: secret_config:
(callPackage ./package/k8s-secret-generic/package.nix (
additional_vars // { inherit secret_name; } // secret_config
))
)
{
"sops-gpg" = {
secret_namespace = "flux-system";
secret_values = {
"sops.asc" = (builtins.readFile "${self.pgp-keys.flux_gpg}/flux_gpg_private_key.asc");
};
};
}
);
client-configs = ( client-configs = (
builtins.mapAttrs builtins.mapAttrs
( (