Generic secrets for pgp keys.

2025-12-21 19:43:43 -05:00 · 2025-12-21 19:43:43 -05:00 · df4260a35a
commit df4260a35a
parent 32fda29efe
4 changed files with 133 additions and 1 deletions
--- a/nix/kubernetes/keys/contrib/base64/package.nix
+++ b/nix/kubernetes/keys/contrib/base64/package.nix
@ -0,0 +1,62 @@
+# From: https://gist.github.com/manveru/74eb41d850bc146b7e78c4cb059507e2
+# From: https://discourse.nixos.org/t/string-to-base-64/32624/3
+{ lib, ... }:
+{
+  toBase64 =
+    text:
+    let
+      inherit (lib)
+        sublist
+        mod
+        stringToCharacters
+        concatMapStrings
+        ;
+      inherit (lib.strings) charToInt;
+      inherit (builtins)
+        substring
+        foldl'
+        genList
+        elemAt
+        length
+        concatStringsSep
+        stringLength
+        ;
+      lookup = stringToCharacters "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+      sliceN =
+        size: list: n:
+        sublist (n * size) size list;
+      pows = [
+        (64 * 64 * 64)
+        (64 * 64)
+        64
+        1
+      ];
+      intSextets = i: map (j: mod (i / j) 64) pows;
+      compose =
+        f: g: x:
+        f (g x);
+      intToChar = elemAt lookup;
+      convertTripletInt = sliceInt: concatMapStrings intToChar (intSextets sliceInt);
+      sliceToInt = foldl' (acc: val: acc * 256 + val) 0;
+      convertTriplet = compose convertTripletInt sliceToInt;
+      join = concatStringsSep "";
+      convertLastSlice =
+        slice:
+        let
+          len = length slice;
+        in
+        if len == 1 then
+          (substring 0 2 (convertTripletInt ((sliceToInt slice) * 256 * 256))) + "=="
+        else if len == 2 then
+          (substring 0 3 (convertTripletInt ((sliceToInt slice) * 256))) + "="
+        else
+          "";
+      len = stringLength text;
+      nFullSlices = len / 3;
+      bytes = map charToInt (stringToCharacters text);
+      tripletAt = sliceN 3 bytes;
+      head = genList (compose convertTriplet tripletAt) nFullSlices;
+      tail = convertLastSlice (tripletAt nFullSlices);
+    in
+    join (head ++ [ tail ]);
+}
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@ -13,5 +13,6 @@ symlinkJoin {
  ++ (builtins.attrValues k8s.client-configs)
  ++ (builtins.attrValues k8s.ssh-keys)
  ++ (builtins.attrValues k8s.pgp-keys)
-  ++ (builtins.attrValues k8s.k8s-ssh-secrets);
+  ++ (builtins.attrValues k8s.k8s-ssh-secrets)
+  ++ (builtins.attrValues k8s.k8s-secrets-generic);
 }
--- a/nix/kubernetes/keys/package/k8s-secret-generic/package.nix
+++ b/nix/kubernetes/keys/package/k8s-secret-generic/package.nix
@ -0,0 +1,52 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  lib,
+  pkgs,
+  stdenv,
+  k8s,
+  kubectl,
+  secret_name,
+  secret_namespace,
+  secret_values ? { },
+  ...
+}:
+let
+  toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64;
+  secret_yaml = {
+    apiVersion = "v1";
+    kind = "Secret";
+    metadata = {
+      name = "${secret_name}";
+      namespace = "${secret_namespace}";
+    };
+    data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values);
+  };
+  settingsFormat = pkgs.formats.yaml { };
+  yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml;
+  yaml_file = pkgs.writeTextFile {
+    name = "${secret_name}.yaml";
+    text = (builtins.readFile yaml_body);
+  };
+in
+stdenv.mkDerivation (finalAttrs: {
+  name = "k8s-secret-generic-${secret_name}";
+  nativeBuildInputs = [ kubectl ];
+  buildInputs = [ ];
+
+  unpackPhase = "true";
+
+  # lib.attrsets.mapAttrsToList
+
+  installPhase = ''
+    mkdir "$out"
+    cp "${yaml_file}" "$out/${secret_name}.yaml"
+  '';
+})
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@ -129,6 +129,23 @@ makeScope newScope (
          };
        }
    );
+    k8s-secrets-generic = (
+      builtins.mapAttrs
+        (
+          secret_name: secret_config:
+          (callPackage ./package/k8s-secret-generic/package.nix (
+            additional_vars // { inherit secret_name; } // secret_config
+          ))
+        )
+        {
+          "sops-gpg" = {
+            secret_namespace = "flux-system";
+            secret_values = {
+              "sops.asc" = (builtins.readFile "${self.pgp-keys.flux_gpg}/flux_gpg_private_key.asc");
+            };
+          };
+        }
+    );
    client-configs = (
      builtins.mapAttrs
        (