dotfiles/terranix/main/kubernetes/default.nix

{
  inputs,
  pkgs,
  lib,
  elib,
  tflib,
  ...
}: let
  inherit
    (tflib)
    tf
    ;

  inherit
    (lib)
    filterAttrs
    optionalAttrs
    ;
in {
  imports = [
    ./website.nix
    ./jellyfin.nix
    ./gitea.nix
    (elib.terraformModule {
      name = "generated";
      source = {...}: {
        imports = [
          (inputs.uk3s-nix.legacyPackages.${pkgs.stdenv.system}.helm2nix2terraform {
            predicate = chart: name: manifest:
              manifest.kind != "CustomResourceDefinition";
            path = ./generated;
            mapper = resource: {
              manifest = inputs.uk3s-nix.lib.sanitizeKubernetesManifest resource.manifest;
            };
          })
        ];

        resource."kubernetes_manifest"."default_ValidatingWebhookConfiguration_istiod-default-validator" = {
          computed_fields = [
            "webhooks[0].failurePolicy"
          ];
        };

        resource."kubernetes_manifest"."default_ValidatingWebhookConfiguration_istio-validator-1-22-0-istio-system" = {
          computed_fields = [
            "webhooks[0].failurePolicy"
          ];
        };

        resource."kubernetes_manifest"."default_DaemonSet_metallb-speaker" = {
          computed_fields = [
            "metadata.annotations[\"deprecated.daemonset.template.generation\"]"
          ];
        };
      };
    })
  ];

  resource."kubernetes_manifest"."istio_authorization_policy_deny_by_default" = {
    for_each = (list: tf "toset(${builtins.toJSON list})") [
      "default"
      "kube-system"
      "kube-public"
      "kube-node-lease"
      "istio-system"
      "metallb-system"
      "website"
      "ingress"
    ];

    manifest = {
      apiVersion = "security.istio.io/v1";
      kind = "AuthorizationPolicy";
      metadata = {
        name = "deny-by-default";
        namespace = tf "each.key";
      };
      spec = {};
    };
  };

  resource."kubernetes_manifest"."istio_peer_authentication" = {
    manifest = {
      apiVersion = "security.istio.io/v1beta1";
      kind = "PeerAuthentication";
      metadata = {
        name = "default";
        namespace = "istio-system";
      };
      spec = {
        mtls = {
          mode = "STRICT";
        };
      };
    };
  };
}