Add generation for in-repo secrets.

This commit is contained in:
Tom Alexander
2026-03-19 18:16:20 -04:00
parent 4abd80ac98
commit eaf0c16c17
7 changed files with 149 additions and 7 deletions


@@ -12,11 +12,12 @@
#+end_src
* IP Ranges
| | IPv4 | IPv6 |
|---------------+-----------------------------+-----------------------------------------|
|------------------------------+-----------------------------+-----------------------------------------|
| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
| PowerDNS from inside cluster | 10.215.1.211 | |
* Healthcheck
** Check cilium status
#+begin_src bash


@@ -23,6 +23,7 @@
deploy_script = pkgs.k8s.deploy_script;
default = pkgs.k8s.all_keys;
bootstrap_script = pkgs.k8s.bootstrap_script;
mrmanager_repo_secrets = pkgs.k8s.mrmanager_repo_secrets;
}
);
overlays.default = (


@@ -14,7 +14,6 @@ spec:
ignore: |
bootstrap
.sops.yaml
secrets/
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization


@@ -10,12 +10,17 @@ let
cp ${k8s.deploy_script} $out/deploy_script
cp ${k8s.bootstrap_script} $out/bootstrap_script
'';
mrmanager_repo_secrets = runCommand "mrmanager_repo_secrets" { } ''
mkdir $out
cp -r ${k8s.mrmanager_repo_secrets} $out/mrmanager_repo_secrets
'';
in
symlinkJoin {
name = "k8s-keys";
paths = [
scripts
k8s.encryption_config
mrmanager_repo_secrets
]
++ (builtins.attrValues k8s.ca)
++ (builtins.attrValues k8s.keys)


@@ -0,0 +1,65 @@
# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
pkgs,
stdenv,
kubectl,
gnupg,
source_file,
output_filename,
pgp_public_key,
...
}:
let
pgp_key_id_command = pkgs.runCommand "pgp_key_id_command" { } ''
mkdir keyring
export GNUPGHOME=$(readlink -f keyring)
${gnupg}/bin/gpg --with-fingerprint --with-colons --keyid-format LONG "${pgp_public_key}" | grep '^pub' | cut -d ':' -f 5 > $out
'';
pgp_key_id = builtins.readFile pgp_key_id_command;
sops_config = {
creation_rules = [
{
"path_regex" = ".*.yaml";
"encrypted_regex" = "^(data|stringData)$";
"pgp" = pgp_key_id;
}
];
};
settingsFormat = pkgs.formats.yaml { };
yaml_body = settingsFormat.generate ".sops.yaml" sops_config;
yaml_file = pkgs.writeTextFile {
name = ".sops.yaml";
text = (builtins.readFile yaml_body);
};
in
stdenv.mkDerivation (finalAttrs: {
name = "k8s-secret-encrypted-${output_filename}";
nativeBuildInputs = [
kubectl
gnupg
];
buildInputs = [ ];
unpackPhase = "true";
buildPhase = ''
mkdir keyring
export GNUPGHOME=$(readlink -f keyring)
cat "${pgp_public_key}" | gpg --import
'';
installPhase = ''
set -x
export GNUPGHOME=$(readlink -f keyring)
mkdir "$out"
cat "${source_file}" | ${pkgs.sops}/bin/sops --config "${yaml_file}" encrypt --filename-override "${output_filename}" | tee "$out/${output_filename}"
'';
})
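Review bot: `pgp_key_id = builtins.readFile pgp_key_id_command;` keeps the trailing newline that the `grep '^pub' | cut -d ':' -f 5` pipeline writes (and one line per key if the public-key file holds more than one), so the generated `.sops.yaml` carries that newline inside the `pgp` value; unless sops trims it, the key lookup fails. `pgp_key_id = pkgs.lib.fileContents pgp_key_id_command;` strips the trailing newline. Two smaller things in the same derivation: `kubectl` sits in `nativeBuildInputs` but neither phase calls it, and `set -x` in `installPhase` is debugging left in (it traces only the store paths on the command line, not the piped plaintext, so it is noise rather than a leak). The header lines listing the phase names describe nothing; a comment such as `# Encrypts the Secret manifest at source_file with sops for the key in pgp_public_key, writing $out/<output_filename>.` would say what the package is for.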


@@ -0,0 +1,70 @@
{
lib,
k8s,
callPackage,
runCommand,
symlinkJoin,
...
}:
let
pre_encryption_secrets =
builtins.mapAttrs
(
secret_namespace: secrets:
(builtins.mapAttrs (
secret_name: secret_values:
(callPackage ../../package/k8s-secret-generic/package.nix {
inherit secret_name secret_namespace secret_values;
})
) secrets)
)
{
"external-dns" = {
"rfc2136" = {
"EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (
builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"
);
};
};
"cert-manager" = {
"rfc2136" = {
"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
};
};
};
encrypted_secrets = (
builtins.mapAttrs (
secret_namespace: secrets:
(builtins.mapAttrs (
secret_name: secret_package:
(callPackage ../../package/k8s-secret-encrypted/package.nix {
source_file = "${
pre_encryption_secrets."${secret_namespace}"."${secret_name}"
}/${secret_name}.yaml";
output_filename = "${secret_name}.yaml";
pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";
})
) secrets)
) pre_encryption_secrets
);
combined_script = (
lib.concatMapStringsSep "\n" (
secret_namespace:
''
mkdir -p $out/${secret_namespace}
''
+ (lib.concatMapStringsSep "\n" (secret_name: ''
cat ${
encrypted_secrets."${secret_namespace}"."${secret_name}"
}/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml
'') (builtins.attrNames encrypted_secrets."${secret_namespace}"))
) (builtins.attrNames encrypted_secrets)
);
gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;
in
symlinkJoin {
name = "in-repo-secrets";
paths = [
gen_in_repo_secrets
];
}
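Review bot: The interpolation in `builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"` (and the `TSIG_SECRET` line) coerces the path to a string, which copies the raw secret file into the Nix store before `readFile` even runs, and the values then become `secret_values` of a derivation, so the unencrypted manifest that `source_file` points at and the `.drv` embedding the strings are in the store as well, readable by every local user and by any cache the builds are pushed to; sops protects only the copy that ends up in the repo. Dropping the interpolation, `builtins.readFile ./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET`, avoids the extra store copy, and if the remaining store exposure is accepted on this host a comment at the top of `pre_encryption_secrets` should say so. Whether the `secrets/` directory this commit stops Flux from ignoring is the one holding these plaintext inputs cannot be told from here; it should contain only the encrypted outputs. A style point in `encrypted_secrets`: the lambda binds `secret_package` and then re-looks-up `pre_encryption_secrets."${secret_namespace}"."${secret_name}"`, which is the same value, so `source_file = "${secret_package}/${secret_name}.yaml";` reads simpler. The file has no header comment; one sentence stating that it emits sops-encrypted Secret manifests per namespace under `$out/<namespace>/<name>.yaml` would help.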


@@ -373,5 +373,6 @@ makeScope newScope (
all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars);
bootstrap_script = (callPackage ./package/bootstrap-script/package.nix additional_vars);
mrmanager_repo_secrets = (callPackage ./package/mrmanager-repo-secrets/package.nix additional_vars);
}
)