From 6f64ae87768790f516cc8e0e9e84ea648cfe5c88 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 14 Dec 2023 21:39:56 +0100 Subject: [PATCH] add secret for k3s admin private key manage kubeconfig with home manager for k8s cluster access --- home-manager/default.nix | 13 +++++++++++++ home-manager/kubeconfig.yml | 19 +++++++++++++++++++ secrets/k3s-pim-privkey.age | Bin 0 -> 504 bytes secrets/secrets.nix | 4 +++- 4 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 home-manager/kubeconfig.yml create mode 100644 secrets/k3s-pim-privkey.age diff --git a/home-manager/default.nix b/home-manager/default.nix index ff75810..7a060b7 100644 --- a/home-manager/default.nix +++ b/home-manager/default.nix @@ -31,7 +31,15 @@ (pkgs.nerdfonts.override { fonts = [ "Hack" ]; }) virt-manager gnome.gnome-tweaks + impression + poppler_utils # For pdfunite + silicon ]; + + file.k3s-pim-privkey = { + target = ".kube/config"; + source = ./kubeconfig.yml; + }; }; programs = { @@ -105,6 +113,11 @@ source = ../secrets/postgresql_client.key.age; symlinks = [ "${config.xdg.configHome}/home/postgresql_client.key" ]; }; + + file."k3s-pim-privkey" = { + source = ../secrets/k3s-pim-privkey.age; + symlinks = [ "${config.home.homeDirectory}/.kube/k3s-pim-privkey" ]; + }; }; fonts.fontconfig.enable = true; diff --git a/home-manager/kubeconfig.yml b/home-manager/kubeconfig.yml new file mode 100644 index 0000000..80f242e --- /dev/null +++ b/home-manager/kubeconfig.yml 
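Review bot: The new `file.k3s-pim-privkey` entry in the first default.nix hunk installs `./kubeconfig.yml` at `.kube/config`, so its attribute name describes the wrong file. It also repeats the name that the second hunk gives to the encrypted key entry. Naming it after what it places, for example `file.kubeconfig = {`, keeps the plaintext config and the secret easy to tell apart when someone audits which entries carry key material. The enclosing attribute set opens outside the hunk, so this assumes the entry sits under home-manager's `home.file`. The three unrelated packages added in the same hunk (`impression`, `poppler_utils`, `silicon`) would be easier to review in a separate commit from the credential change.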
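Review bot: The symlink path in the second default.nix hunk, `${config.home.homeDirectory}/.kube/k3s-pim-privkey`, has to stay in the same directory as the kubeconfig, and nothing here records that dependency. The reason is that `kubeconfig.yml` refers to the key by the relative path `client-key: k3s-pim-privkey`. A comment above the entry, such as `# must sit next to ~/.kube/config: kubeconfig.yml references it by relative path`, would stop a later move from breaking cluster access. The entry sets no file mode or owner for the decrypted key, the same as the neighbouring postgresql entry. Whether the secrets module applies a restrictive default is not visible here and is worth confirming for an admin credential; the enclosing attribute set begins and ends outside the hunk.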
@@ -0,0 +1,19 @@ +apiVersion: v1 +clusters: +- cluster: + certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTURJMU56UXlOVGt3SGhjTk1qTXhNakUwTVRjeE56TTVXaGNOTXpNeE1qRXhNVGN4TnpNNQpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTURJMU56UXlOVGt3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFUMzdYdlBzUG9DeTk3Nm1zWm9qTHBlUklieVB5NWFPV0NJWXpyZVpUcVYKUlo4cDVyME1RdVViV0crNTJqQ1ZjNCtrZGN3WVkwRXRDaUpkZ21LSU5RcTRvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWx1ZGcvZWd0bUMvWkNiaTZMRkNnClhIaXFtL2t3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUlTbHJ2TmVTc3RtVlFLVWp2STF3UlZPb0RMWEJjWDEKelpZOURUNW9WM214QWlBT2JKRThOaldOSUdSZE1FcWpXZXhUd1M5RUlGbGs2eUEwOXNjS0FmRUNXUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + server: https://jefke.hyp:6443 + name: default +contexts: +- context: + cluster: default + user: pim + name: default +current-context: default +kind: Config +preferences: {} +users: +- name: pim + user: + client-certificate-data: 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 + client-key: k3s-pim-privkey diff --git a/secrets/k3s-pim-privkey.age b/secrets/k3s-pim-privkey.age new file mode 100644 index 0000000000000000000000000000000000000000..4ff8ffcec22d62e34a75f2830e187c6f8c761174 GIT binary patch literal 504 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlaSRA8FIPxO_3$nU zbx$iQ@%1q^$V*O6w)Aw=Pf9j4)-Eq84lFG)4k@&>bjl9M_TH6mQU zysFT^ugtNy)G#L~%hR#gw7|#5$2`X%ey(p~L7H1;rBhg*TUJ0>rdK*wg`$ha
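Review bot: `kubeconfig.yml` carries no comment saying it must hold only public material, although it is committed in plaintext. If it is installed through home-manager's `home.file`, as the default.nix hunk suggests, it is also copied into the world-readable Nix store. A header such as `# Public material only (CA and client certificate); never add client-key-data or a token here` would state that constraint where a later editor will see it. The relative `client-key: k3s-pim-privkey` on the last line also deserves a short comment naming where the key comes from, for example `# decrypted from secrets/k3s-pim-privkey.age into ~/.kube/`.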