talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity
Files
aacf5c65e5e03284d159c36cfcf5271ed94f675a
machine_setup/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
Tom Alexander aacf5c65e5 Add dex secrets.
2026-04-26 12:45:07 -04:00

157 lines
4.1 KiB
Nix
Raw Blame History

{
lib,
pkgs,
k8s,
callPackage,
runCommand,
symlinkJoin,
...
}:
let
pre_encryption_secrets =
builtins.mapAttrs
(
secret_namespace: secrets:
(builtins.mapAttrs (
secret_name: secret_values:
(callPackage ../../package/k8s-secret-generic/package.nix {
inherit secret_name secret_namespace secret_values;
})
) secrets)
)
{
"cert-manager" = {
"rfc2136" = {
"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
};
};
"dex" = {
"files" = {
"config.yaml" = dex_config_yaml;
};
};
"external-dns" = {
"rfc2136" = {
"EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (
builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"
);
};
};
"gitea" = {
"gitea-env" = {
"GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
"GITEA_ADMIN_PASSWORD" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_PASSWORD}");
};
};
};
encrypted_secrets = (
builtins.mapAttrs (
secret_namespace: secrets:
(builtins.mapAttrs (
secret_name: secret_package:
(callPackage ../../package/k8s-secret-encrypted/package.nix {
source_file = "${
pre_encryption_secrets."${secret_namespace}"."${secret_name}"
}/${secret_name}.yaml";
output_filename = "${secret_name}.yaml";
pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";
})
) secrets)
) pre_encryption_secrets
);
combined_script = (
lib.concatMapStringsSep "\n" (
secret_namespace:
''
mkdir -p $out/${secret_namespace}
''
+ (lib.concatMapStringsSep "\n" (secret_name: ''
cat ${
encrypted_secrets."${secret_namespace}"."${secret_name}"
}/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml
'') (builtins.attrNames encrypted_secrets."${secret_namespace}"))
) (builtins.attrNames encrypted_secrets)
);
gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;
## Utilities
inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
## dex
dex_static_client =
{
id,
name,
redirectURIs,
}:
let
generate_key = runCommand "generate_key" { } ''
set +o pipefail
dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=32 count=1 of="$out"
'';
in
{
inherit id name redirectURIs;
secret = builtins.readFile generate_key;
};
dex_config = {
issuer = "https://dex.fizz.buzz";
storage = {
config = {
inCluster = true;
};
type = "kubernetes";
};
logger = {
level = "debug";
};
web = {
http = "0.0.0.0:5556";
};
oauth2 = {
alwaysShowLoginScreen = false;
skipApprovalScreen = true;
};
staticClients = map dex_static_client [
{
id = "prometheus";
name = "Prometheus";
redirectURIs = [ "https://prometheus.fizz.buzz/oauth2/callback" ];
}
{
id = "harbor";
name = "Harbor";
redirectURIs = [ "https://harbor.fizz.buzz/c/oidc/callback" ];
}
{
id = "tekton";
name = "Tekton";
redirectURIs = [ "https://tekton.fizz.buzz/oauth2/callback" ];
}
{
id = "homepage-staging";
name = "Homepage staging";
redirectURIs = [ "https://staging.fizz.buzz/oauth2/callback" ];
}
{
id = "gitea";
name = "gitea";
redirectURIs = [ "https://code.fizz.buzz/oauth2/callback" ];
}
];
enablePasswordDB = true;
staticPasswords = (import ./secrets/dex/static_passwords.nix);
expiry = {
idTokens = "1h";
signingKeys = "4h";
};
};
dex_config_yaml = to_yaml "config.yml" dex_config;
in
symlinkJoin {
name = "in-repo-secrets";
paths = [
gen_in_repo_secrets
];
}
Reference in New Issue View Git Blame Copy Permalink