
{ pkgs, ... }:
let
# Pinned checkout of the upstream Omni repository; the Helm chart is taken
# from this tree instead of being pulled from a chart repo at deploy time.
omniSrc = pkgs.fetchFromGitHub {
  owner = "siderolabs";
  repo = "omni";
  # `rev` is a tag name, which upstream can move. The `hash` below is what
  # actually pins the content: the fetch fails if the tree no longer matches.
  # Bump both together when upgrading.
  hash = "sha256-FV0aPZaEejNBY/ajjdo3dURwDFu+8RInKOmeV5SVMXw=";
  rev = "v1.6.5";
};
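# Packs the `omni` chart directory from the pinned checkout into a gzip'd
# tarball. The tarball is later embedded into the HelmChart manifest.
#
# Archive metadata is normalised (sorted entries, fixed owner/group/mtime,
# no gzip timestamp) so the output bytes depend only on the chart content
# and not on the builder's uid or clock. A plain `tar czf` can otherwise
# produce differing archives for the same input.
omniChartTarball = pkgs.runCommand "omni-chart.tgz" {
  nativeBuildInputs = [ pkgs.gnutar pkgs.gzip ];
} ''
  tar --sort=name --owner=0 --group=0 --numeric-owner --mtime=@1 \
    --use-compress-program="gzip -n" \
    -cf "$out" -C "${omniSrc}/deploy/helm" omni
'';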
# Renders the HelmChart manifest (helm.cattle.io/v1) for Omni. The chart
# tarball is base64-encoded into `spec.chartContent`, so the chart that gets
# installed is the one built from the pinned source above.
#
# Security notes for maintainers:
#  - The output is a Nix store path and store paths are world-readable, so
#    never inline credentials in `valuesContent`. This manifest only refers to
#    secrets by name (`omni-etcd-key`, `cert-dubyatp-xyz`); presumably they
#    are provisioned out of band in the target namespace -- confirm.
#  - The heredoc delimiter is unquoted on purpose so the shell expands the
#    base64 variable. Any `$` or backtick added to the values would be
#    expanded by the shell too.
#  - Auth0 is disabled and SAML is enabled. `initialUsers` presumably seeds
#    the bootstrap account(s); confirm which privileges they receive.
#  - `advertisedEndpoint` is a fixed IP:port while the wireguard Service is
#    of type LoadBalancer; verify the load balancer really hands out that
#    address.
#  - NOTE(review): the YAML nesting below was restored from a listing that
#    had lost its indentation -- check it against the chart's values.yaml.
omniManifest = pkgs.runCommand "omni-manifest.yaml" {
  nativeBuildInputs = [ pkgs.coreutils ];
} ''
  chart_b64=$(base64 -w 0 < "${omniChartTarball}")
  cat > "$out" <<EOF
  apiVersion: helm.cattle.io/v1
  kind: HelmChart
  metadata:
    name: omni
    namespace: kube-system
  spec:
    targetNamespace: omni
    createNamespace: true
    chartContent: $chart_b64
    valuesContent: |-
      etcdEncryptionKey:
        existingSecret: omni-etcd-key
      ingress:
        main:
          enabled: true
          host: weyma-omni.infra.dubyatp.xyz
          tls:
            - hosts:
                - weyma-omni.infra.dubyatp.xyz
              secretName: cert-dubyatp-xyz
        kubernetesProxy:
          enabled: true
          host: weyma-omni-k8s.infra.dubyatp.xyz
          tls:
            - hosts:
                - weyma-omni-k8s.infra.dubyatp.xyz
              secretName: cert-dubyatp-xyz
        siderolinkApi:
          enabled: true
          host: weyma-omni-siderolink.infra.dubyatp.xyz
          tls:
            - hosts:
                - weyma-omni-siderolink.infra.dubyatp.xyz
              secretName: cert-dubyatp-xyz
      service:
        wireguard:
          type: LoadBalancer
      config:
        account:
          name: weyma-omni
          id: a0a43f2a-d838-4fe0-96fb-ab9e60695e0b
        auth:
          auth0:
            enabled: false
          saml:
            enabled: true
            url: https://auth.dubyatp.xyz/application/saml/omni/metadata/
          initialUsers:
            - me@williamtpeebles.com
        services:
          api:
            advertisedURL: https://weyma-omni.infra.dubyatp.xyz
          kubernetesProxy:
            advertisedURL: https://weyma-omni-k8s.infra.dubyatp.xyz
          machineAPI:
            advertisedURL: https://weyma-omni-siderolink.infra.dubyatp.xyz
          siderolink:
            wireGuard:
              advertisedEndpoint: 10.105.6.198:50180
  EOF
'';
in
{
  # Registers the rendered manifest with k3s under the name "omni-chart.yaml".
  # Presumably k3s auto-applies it from its server manifests directory, so
  # whoever can change this file effectively controls what gets deployed.
  services.k3s.manifests."omni-chart.yaml" = {
    source = omniManifest;
  };
}