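# Builds the set of PGP-encrypted Kubernetes Secret manifests that are committed
# to the repository (one `<namespace>/<secret_name>.yaml` per secret) and
# exposes them as a single `in-repo-secrets` store path.
#
# Pipeline: plaintext values -> k8s-secret-generic (plain Secret manifest)
#        -> k8s-secret-encrypted (encrypted with the flux PGP public key)
#        -> gen_in_repo_secrets (copies every encrypted file into $out)
#        -> symlinkJoin.
#
# NOTE: every value passed through `builtins.readFile`, every `${./secrets/...}`
# path interpolation and every k8s-secret-generic output is a plaintext copy of
# the secret that lives in the Nix store, which is world-readable on the build
# host and is uploaded verbatim if this host pushes to a binary cache. Only the
# encrypted output of this file is intended to leave the build host.
{ lib, pkgs, k8s, callPackage, runCommand, symlinkJoin, ... }:
let
  # namespace -> secret name -> plaintext Secret manifest derivation.
  pre_encryption_secrets = builtins.mapAttrs
    (secret_namespace: secrets:
      (builtins.mapAttrs
        (secret_name: secret_values:
          (callPackage ../../package/k8s-secret-generic/package.nix {
            inherit secret_name secret_namespace secret_values;
          }))
        secrets))
    {
      "cert-manager" = {
        "rfc2136" = {
          "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
        };
      };
      "dex" = {
        "files" = {
          "config.yaml" = dex_config_yaml;
        };
      };
      "external-dns" = {
        "rfc2136" = {
          "EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (
            builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"
          );
        };
      };
      "gitea" = {
        "gitea-env" = {
          "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
          "GITEA_ADMIN_PASSWORD" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_PASSWORD}");
        };
      };
    };

  # namespace -> secret name -> encrypted manifest derivation.
  # `secret_package` is the plaintext manifest derivation produced above for
  # this (namespace, name); it is used directly instead of re-looking it up.
  encrypted_secrets = builtins.mapAttrs
    (secret_namespace: secrets:
      (builtins.mapAttrs
        (secret_name: secret_package:
          (callPackage ../../package/k8s-secret-encrypted/package.nix {
            source_file = "${secret_package}/${secret_name}.yaml";
            output_filename = "${secret_name}.yaml";
            # Only the *public* key is referenced here; decryption happens in-cluster.
            pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";
          }))
        secrets))
    pre_encryption_secrets;

  # Shell script that lays out $out/<namespace>/<secret_name>.yaml for every
  # encrypted secret. Store paths contain no whitespace, so the unquoted
  # interpolations are safe here.
  combined_script = lib.concatMapStringsSep "\n"
    (secret_namespace:
      ''
        mkdir -p $out/${secret_namespace}
      '' + (lib.concatMapStringsSep "\n"
        (secret_name: ''
          cat ${encrypted_secrets."${secret_namespace}"."${secret_name}"}/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml
        '')
        (builtins.attrNames encrypted_secrets."${secret_namespace}")))
    (builtins.attrNames encrypted_secrets);

  gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;

  ## Utilities
  inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;

  ## dex
  # Builds one dex `staticClients` entry with a freshly generated client secret.
  #
  # The key derivation is keyed on `id` (both in the derivation name and as an
  # environment variable). Previously the derivation had no dependency on the
  # client at all, so every static client resolved to the *same* store path and
  # therefore shared one client secret.
  #
  # The secret is produced from /dev/urandom inside the sandbox: the output is
  # not reproducible, so if the store path is garbage-collected and rebuilt the
  # client secret changes and the relying party must be reconfigured.
  dex_static_client = { id, name, redirectURIs, }:
    let
      generate_key = runCommand "generate_key-${lib.strings.sanitizeDerivationName id}" { inherit id; } ''
        # `[:alnum:]` must mean ASCII letters/digits regardless of the builder's locale.
        export LC_ALL=C
        # The upstream dd/tr get SIGPIPE once 32 bytes are taken; that is expected.
        set +o pipefail
        # `head -c` reads until exactly 32 bytes are collected; `dd bs=32 count=1`
        # on a pipe could return a short read and yield a shorter secret.
        dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | head -c 32 > "$out"
        # Fail the build rather than ship a truncated secret.
        test "$(wc -c < "$out")" -eq 32
      '';
    in {
      inherit id name redirectURIs;
      # The generated secret is read into the evaluator and ends up in config.yaml.
      secret = builtins.readFile generate_key;
    };

  dex_config = {
    issuer = "https://dex.fizz.buzz";
    storage = {
      config = { inCluster = true; };
      type = "kubernetes";
    };
    # NOTE(review): debug logging on a production OIDC issuer is verbose; confirm
    # the log volume/content is acceptable for this deployment.
    logger = { level = "debug"; };
    web = { http = "0.0.0.0:5556"; };
    oauth2 = {
      alwaysShowLoginScreen = false;
      skipApprovalScreen = true;
    };
    staticClients = map dex_static_client [
      {
        id = "prometheus";
        name = "Prometheus";
        redirectURIs = [ "https://prometheus.fizz.buzz/oauth2/callback" ];
      }
      {
        id = "harbor";
        name = "Harbor";
        redirectURIs = [ "https://harbor.fizz.buzz/c/oidc/callback" ];
      }
      {
        id = "tekton";
        name = "Tekton";
        redirectURIs = [ "https://tekton.fizz.buzz/oauth2/callback" ];
      }
      {
        id = "homepage-staging";
        name = "Homepage staging";
        redirectURIs = [ "https://staging.fizz.buzz/oauth2/callback" ];
      }
      {
        id = "gitea";
        name = "gitea";
        redirectURIs = [ "https://code.fizz.buzz/oauth2/callback" ];
      }
    ];
    enablePasswordDB = true;
    # Password hashes live in a separate, untracked-by-this-file Nix expression.
    staticPasswords = (import ./secrets/dex/static_passwords.nix);
    expiry = {
      idTokens = "1h";
      signingKeys = "4h";
    };
  };

  # NOTE(review): the rendered file is named "config.yml" here but is stored
  # under the "config.yaml" key of the dex/files secret above; presumably only
  # the secret key matters to the consumer — confirm.
  dex_config_yaml = to_yaml "config.yml" dex_config;
in symlinkJoin {
  name = "in-repo-secrets";
  paths = [ gen_in_repo_secrets ];
}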