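# Builds a Kubernetes encryption-at-rest configuration file as a store path:
#   $out/encryption-config.yaml
#
# Phase order reference:
#   unpackPhase patchPhase configurePhase buildPhase checkPhase
#   installPhase fixupPhase installCheckPhase distPhase
#
# SECURITY NOTE(review): the AES key is produced inside a derivation, so it
# lives in the Nix store twice: once as the `kube_encryption_key` output and
# once embedded in `encryption-config.yaml`. Store paths are readable by every
# local user and are copied verbatim to binary caches and remote builders.
# Treat this package as suitable for throw-away/lab clusters only; for anything
# else, provision the key outside the store (a runtime secret file or an
# external KMS provider) and point kube-apiserver at that file instead.
#
# OPERATIONAL NOTE(review): the key derivation is impure (reads /dev/urandom).
# Any change to its script or inputs (for example a nixpkgs bump that changes
# stdenv) produces a new store path and therefore a *new* random key. Only one
# key is listed below, so secrets written under the previous key would
# presumably no longer be decryptable; confirm a rotation procedure exists.
{
  lib,
  stdenv,
  runCommand,
  writeText,
  ...
}:
let
  # 32 random bytes, base64-encoded, written straight to $out.
  # A plain redirect is used rather than `tee`, so the key material is not
  # also echoed to stdout and captured in the derivation's build log.
  kube_encryption_key = runCommand "kube_encryption_key" { } ''
    head -c 32 /dev/urandom | base64 > "$out"
  '';

  # Reading a derivation output at evaluation time is import-from-derivation:
  # the key is built during evaluation and its text becomes part of the
  # evaluated config (and of the resulting .drv / store file).
  # `base64` terminates its output with a newline; strip it so the YAML value
  # is exactly the encoded key.
  kube_encryption_secret = lib.removeSuffix "\n" (builtins.readFile "${kube_encryption_key}");

  # NOTE(review): current Kubernetes documentation uses
  #   kind: EncryptionConfiguration, apiVersion: apiserver.config.k8s.io/v1
  # Confirm that the targeted kube-apiserver version still accepts this
  # legacy `EncryptionConfig` / `v1` form before relying on it.
  kube_encryption_config = {
    kind = "EncryptionConfig";
    apiVersion = "v1";
    resources = [
      {
        resources = [ "secrets" ];
        providers = [
          # First provider is the one used for writes.
          {
            aescbc = {
              keys = [
                {
                  name = "key1";
                  secret = kube_encryption_secret;
                }
              ];
            };
          }
          # `identity` as a later provider lets the API server still read
          # secrets that were stored unencrypted before this config applied.
          { identity = { }; }
        ];
      }
    ];
  };

  kube_encryption_config_yaml = writeText "encryption-config.yaml" (
    lib.generators.toYAML { } kube_encryption_config
  );
in
stdenv.mkDerivation (finalAttrs: {
  name = "k8s-encryption-key";

  nativeBuildInputs = [ ];
  buildInputs = [ ];

  # There is no source to unpack; the only input is the generated YAML.
  unpackPhase = "true";

  installPhase = ''
    mkdir "$out"
    cp "${kube_encryption_config_yaml}" "$out/encryption-config.yaml"
  '';
})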