sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add agenix to deploy darwin secrets

Browse source
This commit is contained in:
zowoq 2024-05-05 15:01:47 +10:00
parent 4b682d296c
commit 03fb7492bb
11 changed files with 113 additions and 69 deletions

8
.sops.yaml
View file

@ -72,14 +72,6 @@ creation_rules:
- *zimbatm
- *zowoq
- *adisbladis
- path_regex: modules/darwin/.+\.yaml$
key_groups:
- age:
- *mic92
- *ryantm
- *zimbatm
- *zowoq
- *adisbladis
- path_regex: modules/nixos/hercules-ci/.+\.yaml$
key_groups:
- age:

3
dev/shell.nix
View file

@ -1,8 +1,9 @@
{ pkgs, ... }:
{ inputs', pkgs, ... }:
{
devShells = {
default = with pkgs; mkShellNoCC {
packages = [
inputs'.agenix.packages.default
jq
python3.pkgs.deploykit
python3.pkgs.invoke

1
dev/treefmt.nix
View file

@ -30,6 +30,7 @@
editorconfig-checker = {
command = pkgs.editorconfig-checker;
includes = [ "*" ];
excludes = [ "*.age" ];
};
nix = {

42
flake.lock generated
View file

@ -1,5 +1,31 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": [
"nix-darwin"
],
"home-manager": [],
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1714879853,
"narHash": "sha256-URv/JEimxdhCEgokhY9xdMF09iGX8UE96GXFs3RXiJg=",
"owner": "qowoz",
"repo": "agenix",
"rev": "0248db39f453e47c04f39922d170e11b78fa026a",
"type": "github"
},
"original": {
"owner": "qowoz",
"ref": "darwin",
"repo": "agenix",
"type": "github"
}
},
"buildbot-nix": {
"inputs": {
"flake-parts": [
@ -197,6 +223,7 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"buildbot-nix": "buildbot-nix",
"comin": "comin",
"disko": "disko",
@ -268,6 +295,21 @@
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [

6
flake.nix
View file

@ -21,6 +21,12 @@
# actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
srvos.inputs.nixpkgs.follows = "nixpkgs";
# rebased patch from https://github.com/ryantm/agenix/pull/241
agenix.url = "github:qowoz/agenix/darwin";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.home-manager.follows = "";
agenix.inputs.darwin.follows = "nix-darwin";
nixpkgs-update.url = "github:nix-community/nixpkgs-update";
nixpkgs-update.inputs.mmdoc.follows = "";
nixpkgs-update.inputs.treefmt-nix.follows = "treefmt-nix";

1
modules/darwin/common/default.nix
View file

@ -15,6 +15,7 @@ in
./upgrade-diff.nix
../../shared/known-hosts.nix
../../shared/nix-daemon.nix
inputs.agenix.darwinModules.age
];
# TODO: refactor this to share /users with nixos

21
modules/darwin/hercules-ci/default.nix
View file

@ -5,10 +5,27 @@ let
'';
in
{
# hercules secrets are installed manually from ./secrets.yaml
# https://docs.hercules-ci.com/hercules-ci/getting-started/deploy/nix-darwin
age.secrets.binary-caches = {
file = ../../../secrets/binary-caches.age;
mode = "600";
owner = "_hercules-ci-agent";
group = "_hercules-ci-agent";
};
age.secrets.cluster-join-token = {
file = ../../../secrets/cluster-join-token.age;
mode = "600";
owner = "_hercules-ci-agent";
group = "_hercules-ci-agent";
};
services.hercules-ci-agent.enable = true;
services.hercules-ci-agent.settings = {
binaryCachesPath = config.age.secrets.binary-caches.path;
clusterJoinTokenPath = config.age.secrets.cluster-join-token.path;
};
# hercules-ci-agent: security: createProcess: posix_spawnp: does not exist
# https://github.com/LnL7/nix-darwin/blob/36524adc31566655f2f4d55ad6b875fb5c1a4083/modules/services/hercules-ci-agent/default.nix#L28
launchd.daemons.hercules-ci-agent.path = pkgs.lib.mkForce [ config.nix.package securityWrapper ];

58
modules/darwin/hercules-ci/secrets.yaml
View file

@ -1,58 +0,0 @@
cluster-join-token.key: ENC[AES256_GCM,data:23z3EpVexVRC5Tlv9Spo0zxqA2dDI7SnVWjpXuqfFsLvFjgbMbv1rw8svHvlL3h3ROV6GQNqa2LtzsiGO4rCDKDui6CpV5pnIH7VnkvS7kqt9OHgkFOJ/dPqgJ6sB4kubEBhvSXqxehbGS+V8y/djhmOM8/faHC8dqryXE30K0LUZ1adI9vE+5r3lmSq6ICeDyq8QgEHVyygaOdP7YvY2ZKZd9aedG35aohAn1XEuJniNXkqpA/W7psCzQtQoKomrjTouuHF6LYDiCSxMLc4SLcfsQO28M+hsovN7Xiugq5OfpQ53FqCsKHXcXw=,iv:bOnyxOYGQyhK4zL9dMcCjVgCdUNtL8Sy1iuWL+OqYgM=,tag:ORqKCRFmN+C16j/Ksamt3g==,type:str]
binary-caches.json: ENC[AES256_GCM,data:b+YoC3vomkFFZGhix04yvLPFe1h9FW5g561IAY6uBCjiHmCWBJRs5tWHXiTb7tdSR3c37Xkkz8oagLKJv8Fg2+rQgTfPOvsFjsalc54f5QhRFx+/nG+DQ/xE9HMWyT7DsJhERuFmh/ZnfmddB/ESfjOZvSMqluOiB9iT4ypUMTvSU2LH8NGr6bZXFNAkbU/JJFtxxk4p9Deo5+9QbF/jRSVgrg33up/m2zjcW5DQEgL4mLAQSfggaH0R/6wqztErX2uhffVvgKZTt5UPErXe9FpdfU9ndQSrGXrtBKE2NYQEIyI3t55RSNlqdjoFZT5jAc3tD/RIP0uf+qIjfF0i3B8xbRhj8odalwQ7bANjr9TXSWu5wBY8L9Uk4Tp4aFguVdwT7YCGsLYRIME1VKYl5xvvnqYdUbzk7+Azxc1W1Zc=,iv:7tN1ZaJDV+rhNbuQJM11i/GgpkZUmHnflHiZ4DIFIQY=,tag:zOZMTucFA4WAwXAT+bQm0w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1VW4vSnA3S0taNGtNMERC
Yzlwa3FFTXZKTzZ3cnlDRFhVRnFEZ3d6eEdjClFIbHYzR0RYZ1ZuQ0tmZTdXaEFF
TkRROThkdlV6Y1FxV0NBZmVPaWRNamcKLS0tIDdyOGMyak5yUWhoUUxUWTlZalRl
WTYrc0xHcklQd1c0VkZpZDVVWTQ3WlkK7clbIbcIKxb9XJFg7Crf90Xz2iOG7qsg
xNr1iv7lqrWQIO0mb1b8EC/PN8BpP24NmKXurD5BYJUHVoZQnq5tFA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SUtGN2R6K0VQeUd1MjBI
dGdUN3VrWGl2aUQ0VCtidnZhVXNJQnRvQ2c0CjQwT25RR1NMdmdUZ0JqcXJlaUdS
TFFwelltdWtQbkVBVVZYUEloNlAxVEEKLS0tIERZZ0tHUURSaXVWZmZtekJtRjlo
WEI3dVE5QVJXMmJQNGxjSm1GMWJ2bUUKciFofJsB2vLgWbJiozL4Dc3XJRNyYfr5
uhN29RDVGA0WjRsExPc/9TyCVFynE6NKIYr6bNFgq/MTuU/Oc7uUig==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlM1RpdWlsQXYxd3gyUTJO
MUl1Z0RSMDBCSmlLM1E0V0ZxcjByMG4rSVFjCjNXd1lsMldEMDZ2cWNQK1hzQlFh
b2dJRUtPTkdNOTBRUlYxYlBkVTVBQVEKLS0tIHdxTDI2WnMvR2RlaUtTek4vdGJO
MmtSQnZqaVJHTG1pbDg5MmgxSnVxQUkKqAuztZ/LNVzCn03nQxbN6rJlngijvPbo
RI45pv5o6BKR3Ty1sI/Gmr/WTp1mQPjgP7Am8CTxjVXzcQzvgnlSQA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1djhWYWZXVmh2ellhSlNU
QkZ6SEwzNFhib3dSdXNqOTBCN0Zld3VMYlFZClAvcWY3VlVjYlJjLzdlbG05QTlH
M0UrVURwU3hkZ2tUdS9USlBxY3AwVzQKLS0tICtCNGtPd2RIWFJvRmgrVnR5OXl3
QW1ZQ2Rab1hsbTRFb3Z3dCt3UzV0ekEK2sn0tU7lM09mjsys5WZhhn+WVJ+uCy70
lNK30Wu50f2wv0JjdwcANXY1tWOJyZJAcp75p8Rgy+JS+xIoJb1QqQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNGt3dVdvdUptY1VOdEVQ
NFA3dG81SVkzRm1IWmN4MkZrNWZ3SU5hT0c0CkdldDJFODVGNnJENlRmRnVrNGJ4
OVo3d0M2L3lYczVVenRRRVkrTnBtemcKLS0tIGI3K3ViZ0swdE1yWmI3TGpqQ0hG
U3hITzJvWUthY1hkd1hod09LbUhXaE0KSS10Ocvu5bRgLAZCQv+A8dptHNQxsAfz
8xU6aSgMMI1rxP4DcuEe/+ysTAyAQUnXwAmeYWGdfIxUpVG/84xsOw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-17T03:50:09Z"
mac: ENC[AES256_GCM,data:8HpTYCODhaPNU9blJuIO6uDnYHwQGNpnZYUuiiP3oH4a870R8+/aj5qziRgL/kXkufZnjKBo6IbEXj9qfMVi+/+SxV+cFQHaQy8mPpD9QpzVeWEHRVypuBx4wY3T08fcKSZVCRYsumEMnF5cHZfse6vB5Fe/gclTE22OaYlHEXA=,iv:WJJqyLZ97kRr44iJOo7q2Rzu4W4yvZyuH8TdJYmmCTQ=,tag:omyuDAEkR7w8+XOE1EGDvQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

BIN
secrets/binary-caches.age Normal file
View file

Binary file not shown.

24
secrets/cluster-join-token.age Normal file
View file

@ -0,0 +1,24 @@
age-encryption.org/v1
-> ssh-rsa ALNSWw
k14GuxixIuiA4WhYtWW5PaevHx5QZc2HF9HM7Ia2ji4mNg2Pc1+cXFZG/QLROTVo
EL0c3/MzZBGAdFYkkm8hlA+S9JLdgiP8ROIT8hjhOE55uWWaH8uDQGODQX42nBe0
w1wN9iBDKJJ0s4kSak9K8GqS0afVvppLPZTcqoaHbh2YapXSYu7LK8BBgz4+nBUP
0axc3TIVgUzEDls7VGU1c+aavDvBb8c/fg5w5pJZy379bzU5TWpppmi7U7hEboCA
IMeAH5iffaksmyPIHlK/iwpHdkchLKX+2YHAu8DxywHeowm4rbxKv3oHfH+/3uM3
28VUeqYY/SCqwLSe84ZnSg
-> ssh-ed25519 Qi7vNw W23Q9s5rainiPnp67oLEcLKpEfmvqxUUWL5u+yvN+0o
/Tiyf6QaTM1NIKPPdrK9e8K43Ee0cNAV5uS5fiab3p8
-> ssh-ed25519 MW0fCg 2AXjCOaTHC6kJ+m5OnVwyuy6DEI2+6E//fZ7PkZsfFo
gEvzFrYhSCCvBaOjPb1aI49kCJBK5mpDGShJuVpbSn4
-> ssh-ed25519 92bXiA xv18v2ncQRE9MWJbpNsGUkwhho/NNZ465zcOl1qi3HQ
OKP7B3ecWEeBF7GA0Vx72BMRbM6iE6/fQ4mkCaGx4R0
-> ssh-ed25519 h1lenA tBhqzlU6IKkHKkTb9p8p2R/OOyLtOhLyAIujO+1oyEg
8ORTR81GImpbXu4rJ0HTSOwbFb3Zw+JmfYSGFoQXLHg
-> ssh-ed25519 7tFeRw BpJpUC2tTiDfGnO5JvYwW/JiTU2RSfeKzDOCMfLBUxY
u0mDqrcX/vKNJvqu9Bjl6qUrf1CAkGm5cBRhg984lXk
-> ssh-ed25519 /B167A t3O6wWHJ1GAxe/e7XwiUzl+uWVBG5F7vc088zFYoFm0
T954lFCHmJTuOnMy5N1OizGzySbd5/ow1eBbcpJl/F4
--- BHVcjNVuUaft0wyxOjncdhbpiC9UtUgWSk8sUr6lBCw
•Ù'À¡Æyá"ÌTm;ö)wªVõĬ»÷ÑœwtÖ½,ùžÛø}-ã1Œ|ÌÊ…©ù¸’¿ b¤Š t%†‚¶+l0ë`à<>Wˆ« Îvw­6¯>"7Øi3í&LêòY*“P(Sƒà <ò Žœ„³÷°´ëm™Ë TqdK $(×æy 7¢PG(y*¢¤7p¾ÀEÅ/gTÆ?3AqϪ¶16µ#±ÈæT'y˜öG¢e%.øۀʭ¡Opâý:Å
¹”Ò¨ 3Hvµ¦E%(¥ô õ¤s󳸧²lÁä¿%Š<>×øÄ…¨¹„Ïû
`Õw©æ£FLX

18
secrets/secrets.nix Normal file
View file

@ -0,0 +1,18 @@
let
adisbladis = builtins.readFile ../users/keys/adisbladis;
mic92 = builtins.readFile ../users/keys/mic92;
ryantm = builtins.readFile ../users/keys/ryantm;
zimbatm = builtins.readFile ../users/keys/zimbatm;
zowoq = builtins.readFile ../users/keys/zowoq;
users = [ adisbladis mic92 ryantm zimbatm zowoq ];
inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
darwin02 = knownHosts.darwin02.publicKey;
darwin03 = knownHosts.darwin03.publicKey;
in
{
"binary-caches.age".publicKeys = users ++ [ darwin02 darwin03 ];
"cluster-join-token.age".publicKeys = users ++ [ darwin02 darwin03 ];
}