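# Builds the "in-repo secrets" tree that Flux consumes.
#
# Pipeline (all stages are Nix derivations):
#   1. plaintext values (files under ./secrets, plus generated keys / rendered
#      configs) are turned into Kubernetes Secret manifests by
#      k8s-secret-generic;
#   2. each manifest is PGP-encrypted for Flux by k8s-secret-encrypted;
#   3. the encrypted manifests are copied into one <namespace>/<name>.yaml tree.
#
# Security notes for maintainers:
#   * Stage 1 derivations contain PLAINTEXT secrets and therefore end up in
#     /nix/store, which is world-readable on a shared builder. Only the stage 3
#     output is safe to commit. Treat the store on any machine that evaluates
#     this file as sensitive.
#   * Secret files are read with `builtins.readFile <path>` (a path argument, not
#     an interpolated "${./path}" string) so that Nix does not additionally copy
#     each plaintext file into the store just to read it.
#   * `builtins.readFile` does not strip a trailing newline; the files under
#     ./secrets are assumed to have none — TODO confirm, or the newline becomes
#     part of the password/TSIG key.
{ lib, pkgs, k8s, callPackage, runCommand, symlinkJoin, ... }:
let
  # Plaintext secret material, keyed namespace -> secret name -> { key = value }.
  # Every leaf attrset is wrapped in a k8s-secret-generic derivation that renders
  # <secret_name>.yaml.
  secret_sources = {
    "cert-manager" = {
      "rfc2136" = {
        "TSIG_SECRET" = builtins.readFile ./secrets/cert-manager/rfc2136/TSIG_SECRET;
      };
    };
    "dex" = {
      "files" = {
        "config.yaml" = dex_config_yaml;
      };
    };
    "external-dns" = {
      "rfc2136" = {
        "EXTERNAL_DNS_RFC2136_TSIG_SECRET" =
          builtins.readFile ./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET;
      };
    };
    "gitea" = {
      "gitea-env" = {
        "GITEA_ADMIN_USERNAME" = builtins.readFile ./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME;
        "GITEA_ADMIN_PASSWORD" = builtins.readFile ./secrets/gitea/gitea-env/GITEA_ADMIN_PASSWORD;
      };
      "oauth2-env" = oauth2_env { dex_id = "gitea"; };
    };
    "harbor" = {
      "harbor-config" = {
        "config.json" = helm_json_escape harbor_config_json;
      };
      "dockerhub-auth-config" = {
        "basic_auth.include" =
          builtins.readFile ./secrets/harbor/dockerhub-auth-config/basic_auth.include;
      };
      "harbor-admin-password" = {
        "HARBOR_ADMIN_PASSWORD" =
          builtins.readFile ./secrets/harbor/harbor-admin-password/HARBOR_ADMIN_PASSWORD;
      };
    };
  };

  # namespace -> secret name -> derivation producing <secret_name>.yaml (plaintext).
  pre_encryption_secrets = builtins.mapAttrs (
    secret_namespace: secrets:
    builtins.mapAttrs (
      secret_name: secret_values:
      callPackage ../../package/k8s-secret-generic/package.nix {
        inherit secret_name secret_namespace secret_values;
      }
    ) secrets
  ) secret_sources;

  # Same shape as pre_encryption_secrets, but each derivation holds the manifest
  # encrypted to the Flux PGP public key.
  encrypted_secrets = builtins.mapAttrs (
    secret_namespace: secrets:
    builtins.mapAttrs (
      secret_name: secret_package:
      callPackage ../../package/k8s-secret-encrypted/package.nix {
        source_file = "${secret_package}/${secret_name}.yaml";
        output_filename = "${secret_name}.yaml";
        pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";
      }
    ) secrets
  ) pre_encryption_secrets;

  # Shell script assembling $out/<namespace>/<secret_name>.yaml from the
  # encrypted derivations. Attribute iteration order is sorted by name, so the
  # script text (and hence the derivation hash) is stable.
  combined_script = lib.concatStringsSep "\n" (lib.mapAttrsToList (
    secret_namespace: secrets:
    ''
      mkdir -p $out/${secret_namespace}
    ''
    + lib.concatStringsSep "\n" (lib.mapAttrsToList (secret_name: encrypted: ''
      cat ${encrypted}/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml
    '') secrets)
  ) encrypted_secrets);

  gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;

  ## Utilities
  inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;

  # Generates a random alphanumeric string of exactly `len` characters.
  #
  # `name` is only embedded as a comment so that each caller gets a distinct
  # derivation (and thus a distinct key). Because the result is a derivation
  # output it is cached: the key is generated once per (len, name, script text)
  # and lives in /nix/store in plaintext. Rotate it by changing `name`.
  #
  # `head -c` is used for the cut instead of `dd bs=N count=1`: on a pipe `dd`
  # performs a single read() that may return fewer than N bytes, yielding a
  # silently shorter key. The length is verified before the build succeeds.
  generate_key = len: name: builtins.readFile (
    runCommand "generate_key" { } ''
      # ${name}
      # tr is killed by SIGPIPE once head has its bytes; that is expected, so
      # the pipeline's exit status must not be taken from tr.
      set +o pipefail
      tr --complement --delete '[:alnum:]' < /dev/urandom | head -c ${toString len} > "$out"
      actual=$(wc -c < "$out")
      if [ "$actual" -ne ${toString len} ]; then
        echo "generate_key: expected ${toString len} bytes, got $actual" >&2
        exit 1
      fi
    ''
  );

  # Encodes an already-serialised JSON document as a JSON string literal, which
  # is how the Harbor chart expects config.json to be passed in.
  helm_json_escape = json: builtins.toJSON json;

  ## dex

  # Looks up a static OIDC client by id; fails with a readable message instead
  # of builtins.head's "list index out of bounds" when the id is unknown.
  get_dex_config = client_id:
    let
      matches = builtins.filter (static_client: static_client.id == client_id) dex_config.staticClients;
    in
    if matches == [ ] then
      throw "get_dex_config: no dex static client with id '${client_id}'"
    else
      builtins.head matches;

  # A dex static client whose client secret is generated once per id and shared
  # with the relying party (oauth2-proxy env or Harbor config) below.
  dex_static_client =
    { id, name, redirectURIs }:
    {
      inherit id name redirectURIs;
      secret = generate_key 32 "dex_static_client ${id}";
    };

  dex_config = {
    issuer = "https://dex.fizz.buzz";
    storage = {
      config = { inCluster = true; };
      type = "kubernetes";
    };
    # NOTE(review): debug logging is verbose; confirm dex does not log token
    # material at this level before relying on it in production.
    logger = { level = "debug"; };
    # Plain HTTP listener; TLS is presumably terminated by the ingress in front
    # of it — confirm, since the issuer above is https.
    web = { http = "0.0.0.0:5556"; };
    oauth2 = {
      alwaysShowLoginScreen = false;
      # Users are never asked to approve scopes for these first-party clients.
      skipApprovalScreen = true;
    };
    staticClients = map dex_static_client [
      { id = "prometheus"; name = "Prometheus"; redirectURIs = [ "https://prometheus.fizz.buzz/oauth2/callback" ]; }
      { id = "harbor"; name = "Harbor"; redirectURIs = [ "https://harbor.fizz.buzz/c/oidc/callback" ]; }
      { id = "tekton"; name = "Tekton"; redirectURIs = [ "https://tekton.fizz.buzz/oauth2/callback" ]; }
      { id = "homepage-staging"; name = "Homepage staging"; redirectURIs = [ "https://staging.fizz.buzz/oauth2/callback" ]; }
      { id = "gitea"; name = "gitea"; redirectURIs = [ "https://code.fizz.buzz/oauth2/callback" ]; }
    ];
    enablePasswordDB = true;
    # Local password users; the file is expected to hold bcrypt hashes in dex's
    # staticPasswords format — not verified here.
    staticPasswords = import ./secrets/dex/static_passwords.nix;
    expiry = {
      idTokens = "1h";
      signingKeys = "4h";
    };
  };

  dex_config_yaml = to_yaml "config.yml" dex_config;

  ## oauth2-proxy

  # Environment for an oauth2-proxy fronting the dex client `dex_id`.
  # The cookie secret is generated per dex_id, so two proxies never share one.
  oauth2_env =
    { dex_id }:
    {
      "OAUTH2_PROXY_CLIENT_SECRET" = (get_dex_config dex_id).secret;
      "OAUTH2_PROXY_COOKIE_SECRET" = generate_key 32 "OAUTH2_PROXY_COOKIE_SECRET ${dex_id}";
    };

  ## harbor
  harbor_dex_config = get_dex_config "harbor";

  harbor_config = {
    "auth_mode" = "oidc_auth";
    "self_registration" = "false";
    "oidc_name" = "harbor";
    "oidc_endpoint" = "https://dex.fizz.buzz";
    "oidc_client_id" = harbor_dex_config.id;
    "oidc_client_secret" = harbor_dex_config.secret;
    # Open item: no group is mapped to Harbor admin yet, so no OIDC user becomes
    # an administrator through this setting.
    "oidc_admin_group" = "TODO";
    "oidc_scope" = "openid,profile,email,offline_access,groups";
  };

  harbor_config_json = builtins.toJSON harbor_config;
in
symlinkJoin {
  name = "in-repo-secrets";
  paths = [ gen_in_repo_secrets ];
}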