Add generation for in-repo secrets.

2026-03-19 18:16:20 -04:00
parent 4abd80ac98
commit eaf0c16c17
7 changed files with 149 additions and 7 deletions
--- a/nix/kubernetes/keys/package/k8s-secret-encrypted/package.nix
+++ b/nix/kubernetes/keys/package/k8s-secret-encrypted/package.nix
@@ -0,0 +1,65 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  pkgs,
+  stdenv,
+  kubectl,
+  gnupg,
+  source_file,
+  output_filename,
+  pgp_public_key,
+  ...
+}:
+let
+  pgp_key_id_command = pkgs.runCommand "pgp_key_id_command" { } ''
+    mkdir keyring
+    export GNUPGHOME=$(readlink -f keyring)
+    ${gnupg}/bin/gpg --with-fingerprint --with-colons --keyid-format LONG "${pgp_public_key}" | grep '^pub' | cut -d ':' -f 5 > $out
+  '';
+  pgp_key_id = builtins.readFile pgp_key_id_command;
+  sops_config = {
+    creation_rules = [
+      {
+        "path_regex" = ".*.yaml";
+        "encrypted_regex" = "^(data|stringData)$";
+        "pgp" = pgp_key_id;
+      }
+    ];
+  };
+  settingsFormat = pkgs.formats.yaml { };
+  yaml_body = settingsFormat.generate ".sops.yaml" sops_config;
+  yaml_file = pkgs.writeTextFile {
+    name = ".sops.yaml";
+    text = (builtins.readFile yaml_body);
+  };
+in
+stdenv.mkDerivation (finalAttrs: {
+  name = "k8s-secret-encrypted-${output_filename}";
+  nativeBuildInputs = [
+    kubectl
+    gnupg
+  ];
+  buildInputs = [ ];
+
+  unpackPhase = "true";
+
+  buildPhase = ''
+    mkdir keyring
+    export GNUPGHOME=$(readlink -f keyring)
+    cat "${pgp_public_key}" | gpg --import
+  '';
+
+  installPhase = ''
+    set -x
+    export GNUPGHOME=$(readlink -f keyring)
+    mkdir "$out"
+    cat "${source_file}" | ${pkgs.sops}/bin/sops --config "${yaml_file}" encrypt --filename-override "${output_filename}" | tee "$out/${output_filename}"
+  '';
+})