sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

migrate to sops-nix

Browse source
This commit is contained in:
Jörg Thalheim 2021-09-25 22:35:51 +02:00
parent e156052695
commit 0c07216370
18 changed files with 281 additions and 162 deletions

37
.sops.yaml Normal file
View file

@ -0,0 +1,37 @@
keys:
- &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
- &build01 age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
- &build02 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
- &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
- &build04 age1vr4suv4lhtt8f59s25eukdfk67j7av72gvj7sk7ux6thusct3utqmn3pmf
# scan new hosts like this:
# $ nix-shell -p ssh-to-age --run 'ssh-keyscan buildXX.nix-community.org | ssh-to-age'
creation_rules:
- path_regex: build01/[^/]+\.yaml$
key_groups:
- age:
- *mic92
- *build01
- path_regex: build02/[^/]+\.yaml$
key_groups:
- age:
- *mic92
- *build02
- path_regex: build03/[^/]+\.yaml$
key_groups:
- age:
- *mic92
- *build03
- path_regex: build04/[^/]+\.yaml$
key_groups:
- age:
- *mic92
- *build04
- path_regex: roles/[^/]+\.yaml$
key_groups:
- age:
- *mic92
- *build01
- *build02
- *build03
- *build04

23
build02/nixpkgs-update.nix
View file

@ -54,6 +54,29 @@ let
in
{
sops.secrets.github-r-ryantm-key = {
path = "/home/r-ryantm/.ssh/id_rsa";
owner = "r-ryantm";
group = "r-ryantm";
};
sops.secrets.github-r-ryantm-token = {
path = "/var/lib/nixpkgs-update/github_token.txt";
owner = "r-ryantm";
group = "r-ryantm";
};
sops.secrets.github-token-with-username = {
path = "/var/lib/nixpkgs-update/github_token_with_username.txt";
owner = "r-ryantm";
group = "r-ryantm";
};
sops.secrets.cachix-dhall = {
path = "/var/lib/nixpkgs-update/cachix/cachix.dhall";
owner = "r-ryantm";
group = "r-ryantm";
};
users.groups.r-ryantm = { };
users.users.r-ryantm = {

33
build02/secrets.yaml Normal file
View file

@ -0,0 +1,33 @@
github-r-ryantm-key: ENC[AES256_GCM,data:Z6kGGGGLClFWxBu4RpPw3F/QrkLVIgkvLzi5ALUAjD/xUvrKvgylRoJVTBWEK6bVoZePxzXbdzNo7JzDvheRnDx4x/qQNiLjCixObzIqsIAEIqj2orJmNVRks2gLmFOCR3MS++tOV/tb3iRmjRSnzzSCdZE4Fzo/iUXVRZpTcO5ONxwTXd0i9Hlk9D6An0mbJD7cR93eBtWpyZM0LwYN5aEukUW/HYfsHKtqj43OlaaaBylIX3cMQzOT9Gup0uYb3yWVsvfqKC0WekAgakn6V1JM0wUJiO/dPQe6Su7nP5gEAxLXd6J8Y6lRT6KnWsQDf5GaIs5FoCJb3QXu1Pkv61fx5X8rdmKCbggp9cbtIcpGFhKM9vyLZnILdpCGGYLJGhNh/7XQvQLeaLuyi456m/fCm2j1vQ9uhON5caQMeFwNuvnaDErrZtNyTKUDcxgY6gtXIqmd7s2c+o1AQqC+dJf0jy/z2tYFwJrXety80CA4yc/yyvlfRLO+tPfhfsQPTbSMIof8oZhcHZNjPj6IjPpn5NbhWbFvtYbER5fSRhyvvwG5jPNtUnAK+k9OIOHo68tjbm7t8B55nm7Kd7gv3eajNl8V2M7jEidIhaIAW7SWhL0/FiRJWosHAq4p/G+URB1Ll9Ay/hKZ/78+hh4M2UQKT8HnoFleevxWFeMmmZDmk3YTGW5WWogrAQ3bA361/ggQwhs+07Bbl2e0VIMdY/gMvY1ppOuGHvoXhvfIQHLdOlgOMQW5MYBMwleMffrPJpsxGBMgwmXP0CmEwTE3Zg7G7cuNFxhR0z6W27ck06tLbn68P9z9GKh9TLnrbRsQHZVYr1eFt9ewr71vAs5t4iqGr5yzVT7fJRO1BZaifwybEDKRFScCJXEeEEu6l3/eqaq/tTHvJ/0TSl2udMuxzgtpUxx26RPvSJFWB7ACyFpMMJncUVKTxyr2vzP3WNLbqvAjEL1AmGVucHxi7zUfvDPw1gCeAgit8u0xuDH2T6Ws4kF6AuXqo5qC1MmIA8d8T3aw9q9iWj58/PMWC85uYwf3Od8WAD9BK3nb74v4TsthgxaY5JVOspnG1vKDZQKfjzHQk3kvT08sGgs438KFj+58Fe+9vqKNLH2DBizEKF4aJ8drbTBOItn/RFpoDtAdGKByeWjd3+0UDCJ1bI+6JB2PZo1CvpEz7GkjcK7y3vaEOnMyqGOzjnfVmfLQhVX3Vnx6mC1Z54slNlKTKTaeqoWrpqCT78NnC44c/Jqt7r6wuH/jqZt/uBXvENNyEn8kf8qbMcCjEtHZkzMoDuaoPbdlDCzOJbCiTEmyI/zvPC1qMxI2GfjNUSRNZIbKU5d47sgMqHJ40KN9paJZRt6hxLduk0BouzSF3DK1eV1x96Mi+lydOyLt34k/TlZzpVG3P3K/BIjlGQipNw7iRKxxF7QRvJJl6GjiHNIw3krHTvR5PPxBWL2BtQY6kemlenwVvpOfXSKVwTcMzq6V5gDrf2ks9DrzG8TD0zoPu3xw5SMoEq8DjE4MSvriw3jlgkAp9uxfqlksUXCayEqbuJpwa9O43LwwVVJbUFKlA/iWPU0zc4ejIBSyufnePcEZv7yYoPQEZIphPHKumqySND5p0WbmToNqYZgF7sdrxaIc2zh/jucE0TTI3jwn5i1D2RUpxvGOCjtPw29n7j8clRlrRQHK22628eKV1WpO4BI+jDZbNrkjDr43hhOKmJ0HTTkDkRP8CGjBV2qdnBWDKL98ksqfs2aXprtB9B4TrS0unUzHz1WH1R9BrAEOF/WoTKo/TXNc7AiwPxCm+FdGLgWsoMLuzwdq66QmdGAMIbtrzRHq/J1lHubt9ht9xYYJP/JwNuFjFoFOUubw/1ZkdFUrLaN7pN0Ll0ImoU/CudU8ehcwIyXx1dSYT8pcKNXp55Kw7MlydpcZvRVO7PJ0/HWMD+sLfm6OPTIPX/lFLo9NQwe/3xgfM0EJopQi7KFn2xoU0BGqsaSoO1UyOJr6NCDsXih58bPSbv2ho8ffIQxU289h1SjSQbxmVbH3R6sCN0YIJM7YmJ5oaZMJOCFX/Qg2RrtzN0dOp47GZQA+AXRwiccPaiJf+AlBODl0TUJHhqsCNbfp9mSz40wrrtxlXzbpelyzRNqyed8x5vFzEnLXUWGiQX6kh43anHpPO7rJOliWIudUo5R2Mi5sajZv04Og1V4BBcchjoW7ApnpsHOoIYeMtb7TsKxvAakAXrXwG0f1jr2/Wvi3k1/nLb9jv77IIlMqSejmPnkAjDmmDiFXwhu6WWw0tXCa4jQRu6PanpgTCOgt/UhdUpRC+CDM0EnLpkS2+TCspE/X75emx3VRaDo/aFKuF05FVS0U1nnH495ityljx141ztYnRlrzJyGS/Ps9v9NWR6CdTJBw1gOLCb2EwhBgJL6KZutkHir3uQfzRcBdw4O5QZ0VUPeUhMlUwtay6O/33RqAMpQIiLe0f/cRil/Ib3Xa05Gfdm2hLUgBsIl8ceScduMvl7bFnk18SFcWVWYU5CFaDuhsgD9vZE3BYjcCmAyKTqHhFyMZMZEnWE3vu/8u+0VgoUe0B2n4F8/vWSW7AEQ27hTpePNiUpTpI9ZtWUae/ZrBnbRV09SIfceZCrgCce7EtrHiILC5k6/HGsaoYFWT0B/cpBDJ5XnNNkbH8oOFd/yaNDHxcDhERje6Y5H9bRgPaZPt/H0xKBXxIYb6V9JZ4rc4qWaXWlZwyuNpjvwcm4GRTDyIp2Hdof6nBdn7AQrP5O0AXH3P1qqqIxEhx7uy4CNesFkbvt9zCtJQ9Od7kAWXWNp3YTRqKmmHQ00Tq5MYPwO3yybNRl2DiiBaA0a+l0CFNfGIgUwUvioZZ5p9yk+/CkqWuymkgbb+ChvXEZMskkkTJveZNhgNR4iFEHdMjaZhdMNPnfaFKf2rvu8pfAh7BFoWJOYNwkRXqI2eJNkXCVLbOuyez6Rcs0rDeCz5tgEGO5zPTTZg/VFD3p8dV5PyDSz+mIpe9M54I/FX0He4ws++u5AyDnN0CL//1rdZjyaEL2ZAD7l1yhH1WPttjikb9XS+SQ0kyxEnx/HMD0aNcIpVLbubRY/ll4JvkPG1KBKZfrm+cs8iaVTmyHcsfIPwnDOVTiVoHPoBH4Z35ULxVfNGzdw1S/qLuNLHCph+UNIrk/Ck8L27eobVetjzxqtBcdewVAZT7pOm34BKpukUvhe/zzUStUDZoMWdV005eLC76FH0JJyz8TCVrW1y1eHQzX8rMeBZEdoBseQqbU5LlptamZ7rUOJhkC/QLnZW0lSDOj17awQDxAFS5R7cewFo55Pe8XVu0fGZVdXO59biBuFOgtYiMrKoxGondhuiOTggjSQt1HLA7eAgRRrPG6npubPUAgpdwMsqRT6BS47WVL75vRu4TliPVKjElqWN3iQSze4ZwF71zNS775PqjaDXLRPKYMszpNgX7OMPbSb6EAiCQyT6R7gvPOgIVOrERCEF/0Vm7HjNHqTLOfW1M8um7e8gntYokVZtdGew/x2Dmb2PTj58gnYowH00ZrWbOw7DwW3nq0vpcAwB4Yo+H618dThdk3HDd+zOKHBJmoDP70QvNDyD5wDX+GkMTAL8/kfvZs98yvn3T7kw+qIm/pPfNJaigqutEmRFE7CRCewoohzQ0z/Glt0D1kh+OOnULIPrT2Pfq3nDhivJXC3HQZ1PFn9cKNwR/hl0Cslphm2sOwK3gpbba0vNvqXjh3w7TkJ3gTYQa81qiJbRwKvCOlAi3pt+KZalQ/DdG6/DBqVyYKqsJmAj/Y6NVQGpDBBn9uqlZ3G/nRZWaVEDKTdTXh4lPFMKU+o6b3fKsco4Bln4LfqB8BJU8xawTXx1sb6lHAcVZjEoWDU+u9VaGNNtI47jjxev0oeT+oID63xqz19ZY8pkJGSXtTbo/6jEkvSTx/l9v1mfSCytxMV6gney0Cx+QHAta7VHzKymgXcq0N1pt6XVoExLQTOIkPjIg2KUF9JPUg99WCsXZfLtqoinEYUZ/Alq7HOYKOdpjH+huID7Y2vda5Ivk8UuZpIeseQ4yhSoqA45QO+RQxX09xSUBjzLa8f6CJTfci5M0gY5P4QhmEdkYdMq14XG1dE3gK3Qw7FcpOB11GEamki5VT6+f512QH0h2V4dIf8sJFTHCYxHt16mXWv5HkmZAgv2QxchXq40aheKXwtMGmo/Ofi9iyX0qae6/t0XpRaXZiz0EJALZ8LXXfV0B8KUKe2o6RthDrhNXYzB2BZydWjf7yF1GWEc9a4TSTl1AUPAx5ExhayNATF0NMKRvanJVjJXRSZaN8QZnP0EKQycDwTmbHTXNg44oPx1cxGnBTfdSoB4n3XbDjOn8sSfMyllPe3k6dSGtJx3vHnVIjafdWcsRdUnSxu8rGg0HEIEwBkp6MsLbT9OTVYpqO4XoYe6KMaGJeWfAiaPSQTyZZkisblAGzAx5NnM51Rudo8hysu9BXlJtSvxHqXKdIGuF3/3gyZmxqezeHskbi0=,iv:Qg8SdZVOeOA1rHt/CCo1Fj9sqUvq5zhaetboYUIe2co=,tag:UNGFeWqBY46lK6/cEr4/Kg==,type:str]
github-r-ryantm-token: ENC[AES256_GCM,data:X77cQQQDFcUe9VcHZwbhZdyg6wFsAEwRMDaDojWYyHJf4RxWwRm8Vg==,iv:/PxtdHM1eTbRZb0KrjuSSutxBVwmFaSejp62qb+/D10=,tag:K/EH8Rl6CeZcigftKO3hNw==,type:str]
github-token-with-username: ENC[AES256_GCM,data:9k+TaxVIQ6BUASckGTAAdDsSS1OQ7WfF6oUdY8t/24VU5bK3M2Uozbfh6qUtmZFLcA==,iv:4AE/eoXHm1/gd3SdRYY+LyI56YFod8YD7ZKZ6uG840k=,tag:fboN3lX6vKVZHEtaZ+C8Gw==,type:str]
cachix-dhall: ENC[AES256_GCM,data:SxJ85dw01kRMXc2+Geza6NF4T1Ibidyyd4+ZoJxf78A1GanvmFuiyuHREbF5S/3EGxRvkbFqHDdf2GK6CtH3LRVygKEeGBT6wJtbgP8e8WsCx8WYKTDZq1WoDUBCpNwHw7zCmDIRIPNQkrW7Rj8cs0VMR1IDCpp6ThRC0PLWRkhKgVz+yITspk4U4mUJTRPaga+eVbZV7o6c8BSagHcu8kfjfeTWfYWata5yznxJfzFv2hxmOBIHRpJDZGKC3YHV7oeOv6zYJfrdA4TEcR7GrCOpXhpSv++SyyBlkrY2h5nar7MaJj8X3CpTFRNYyEqCu0gf3t1Pow2/N4C69Bl29xUvMJTnkakaM/KDtqc0vn/IPeb2mZSoeUy3FGvHA+Y5EZbwivguOw7EOWTXbQdG3BHHGM/+yWeOROb4XkgwY+yYXaRxwn1t,iv:NQ8P5R7lk2M5u/e3/T0J6oG8LGjaFs4jei7cZ4qRqBI=,tag:aDZf73Vgpn7tWFUhxXNh/g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTeW8vMm9MUkI5RzFCWGhQ
eVcydUdyTUlEMEtGRkRnUU8yRXFQSUNhRFIwCi9ZNFN0c1E0blNqSzdiSnlaR0JT
UWJnQ3BpcW54SmhNTkFxZDNZdHBIeDQKLS0tIGZmOWpaZ1ExZ1ZvekRPUlZGRUNX
UjN5a0xHcmpFL094bVNGK09XVEMwWjAKUSTf+NqjcXdfSsGE9z+Pj/AyzOfylOSE
ZC5QPpyjE2Srg6gNR7p2yDgPAGhyhOoKzPenFEwd9ZfqLKwMKvL7dg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cDRJakQ0QlRkY1RudEVP
OGtaYkZnUkdCaTNjTm5yY2RmNDZxQjV1TFFvCjFMc3BDRG45OXZ1RW0zM3p3bThC
c1VqSDVCMlN0OUtEbWt0SUQreWxNb1kKLS0tIHVTa1JCN0U0ZExBSWNLR3VScHRG
aUJ4dDZKcWNmbmt6eEQvdWpGTVIwV1EK0jCKgJQBg9uiT0YJPD4ITU14su8vQaFy
4c5fbjL5i+N60VWF7aj0CZW0/TIYtw3GcM4YM1Ar4gsLz19Igip0tw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-09-25T19:30:13Z"
mac: ENC[AES256_GCM,data:AaHBjy++1hd3KjIuNqqsWJDgpIdp+VXa5lFstuKLeXr342I9x7J/D4mI6H9ijKNUnADg0zIiWZ5ebybJgPVWtx8A3ZEYeoQJNGGrkM8YaVSu35USTo/FDAKydawIgMaJZSG5KkYV5Z8m/XTBn3ziG0dM4VDGu3yvw48NTnmaDIc=,iv:e0f576ONwt59APTVIidszKRs9/dN8MhpjmQnfbX9Dy8=,tag:6Qb95Y9pkG03YebD7vALFg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.1

39
build03/secrets.yaml Normal file
View file

@ -0,0 +1,39 @@
buildkite-token: ENC[AES256_GCM,data:ckvzbyXHuW3N4tgZMYd+dPre+YOEnJj3T627wER3+7L9CMrZtYQlj6qU+HyeplMGqig=,iv:OmXO+85jtY6nGNm62+sF8QJF4q93mx06jNKherySD+o=,tag:mCj29oJTwEmjMN+QpmzUmQ==,type:str]
buildkite-agent-key: ENC[AES256_GCM,data:WSVCUQ393JkN3Dq14UYo5jYm0b0J0Edqe6k/z5FRohmuQvQCZfAOYPil7cQSoP36xUxdd9kWVgsWnD2jXUumX9bbUm8t1uxf8CwDWqV3iHfDOvjfWyW7ifp7SLAo0JGI+xD1Zjy5ftzHQcjbX9VOQHJ5aBzVQUBdwfxUSSkNTBSp05iWkOIsEJKaJEUhXbZiQ81yxW0uyVq7vRVAskEPz3FxY+DmcZeu4O+kStiygGUaXSTKrzG2iE1ESnHBkd0LyajNbVq1CjohV5SpBVoP9Kf0tOi47xvirNDUlk93uTCTTk9h2KDJ/qHlwM1Cx3d30VUFsIh9eIRFP5q9qePxqdSlZcZGp0Llp1IeMZACQLEfZYA4ZlHEkOQqt8fy36PXuAY/37bM3urARjStXZIEJq3rA+d4js9zTD/16iOJqw7Sv51HrMSUQA+za/HgK13UnV69p9hvPKvAd9Xwg/SBm4TG294Ez0K/0qBckQ2z7HgmX9EY0ZjGQdqWPzLmHjYI9YzcfiT+2HuIblF/uMGJm9ZD+d/tAfUMSCVc9yhsKU5fp9c=,iv:l3rVZA9QigI96ibMu9WRlA4UbVRzFt8CwF7+dCZ6tX0=,tag:B6EhsV97IVwaji8IgJHgPQ==,type:str]
buildkite-agent-key-pub: ENC[AES256_GCM,data:dqARMa5gzgO3qgMh7BXUJIcqcNusxW0tladrUVb9MTew92K2IHKMYAlKRGENKIHPnPAYaW9yISmXs4cD3rPCosrHoZsgtVvCGS83atqthnR7StmuEKWdxQ35573BOEXqt71v+yRk0CJQJIMEUbI=,iv:2fCB8h/vI2DEL/XSWJLhUjZgjzFYDtr7ncMpE6x8Wg4=,tag:lIq7abSvadAc9CnRa6EJkg==,type:str]
github-nixpkgs-swh-key: ENC[AES256_GCM,data:HiZCCt1gQoq4EWZGttv0XDLXOf/lLy53+Cf2sFhaMam5Ygoohm4Ra+qT5O1HG+y4x46ZySy863flZWBxy+Ui0iFIlfO0bIG0loUcLN4g6SjdlTFz8HuZr177rPnOyc6G9hts/MNRTdOMoKgPvcT9GMIKpoKAd4CNPM2RkZYRpQ+R3dRRnxzQ9xI+9q21//+LzU9GxbOIE5Qln6DCOqZx4cyyNv3q57fjRjcIFpLQ13/zcrqLqNTK3ifYHFLJSnjj8t0lsbWibYgXqZOHpdnCaO8SQgE3R2V1P6Ig+DrCy/PeuGVflG69V4UANtu8Ju5FfmEHpHEFjEzIDWv9wV73RlvrSeKS8ZeBws3CDJX7jtwcfh8SDW0sq9iLoHBuvMw7F8uU+c0tHvqvp4EiQG57+z01eboijHOnisQfpnSd/jphPTXjjd3gftXOW4XC3VASMf8mceBHPSurMNI/QY0gREwww+VPRW8pnaIheAA1zwf1hIjsiiqEDgMgAxLwVTqGeMUqKdX1iunrzf52XTfR88mEEgf7TcXbdtSq0nijTybONnlt0rpQX+bu2hUD8EZ3D/jt56ZpMELgOvptI/2ieLWxHdqKUaOrhEFajwzn6s9fjQpTqaJig4fXjFrh80I6b4LOhobAYVoOxY21eQ5f07Nnk21orFnhZwxnr9KVECo6CwVwpwgDUASs9tQHPm8PsQDyFDFZsC+G81zAJ+BVj1rt/aO7ugblAdsRLPfinAHWRtAzniPzuXlZa/uaooZyq+0g935Mtix3GQZPAtogGpXaqp8PKCgG5GZrACECFIDuuu0ElVPCwLU6+nDjY1/SThYcPD8aiwBeOe7pEWbW/mp0Qu4dzI0d/tHQ2RfqOh9io6qhvwvIuky7R8rTAyg0kWqFSHiBcN40VMkVgMZ3IxTbbxGTK0gYpzTrQPv0U2rboxjQLfX9t53QgHHmbZQS3tliw4IQjph7spNOzfAahKG8Q5YDWBYZNG5F0cF8W4KTdjNqyOYkSo1gqhmnId6HEXzFGXSRJKr+QywPBI6jmGzbnyEC31otpaq21IFoPln3R9b9JssImM8j/rG5G9UFCGN2w6TpOOEGK8QJjW04kaG42UqTDv78EdHG1I8PnnyTv097nqAj8ktzD0fl5kMQP0bkpEVKIF3BFy6CHYSoJ7ds+Xoyqs76GEMFwHeFOpMeiV6Gz29A6DuC1y6Im2aAevRONWgcBYxsLo2PbqgWUSF4SNdx1TBIAfzI4M9CTjki6nmhq/CvMTkh0Ut2l+RVo/Y+dJQZ+bERCrjfe5FQhEWftHnUgDo/01ajKS1w2t6FhQN3+hd0Z8dazYyW8rb07eW6aAA429ao2v4SR2n8/5CgEuhnMjERPfSQNb0lEjIQQtrMs9etfwyNh4wb0o0dQ1JkGKz8YCi/ufasGhCNZMSjmabld84Jux1gdQa7k54OAsvsLaPkohXOY1/cVpn3uxMnHYLoIrrje/p+O1obEnKGJvq4MeVj63KjIK8+Rc+0NfWsWizkvDW+crRcSkHuRADUNoz8CoXrVDlC5np/m59LuzR/HlhqSXRvmTZrB9avP70+pbHJvOxab5UqxMNHfKI83DzhwRQ68qOm88oivEqG5lioCq0mktqDUqMKA1IwNKLm++hoZc8iNjOOmzdPZHHT+izGVEAsHBP1KwagE0uxVgylC4Wet68RI8ImGQ1ppNczy/i/EJlUGtM52QOBOQ9qL069QaOqNHT9ZS+Vy+WojrNqtGjiHR8Qn5tQg5R4Axr5z0u2god1MQ5JUkHNCZurd2r06Mj5a8/lNWT8xr6/9KxatFa06Pe+ggRgO1xKB1ft0HQqxF7wqYsdSO9jvKkFsQSBHzoHehYJWDAqXj/NSqkPpzL0k8VWZON8PbGsbLvE9XzC1EGQfhcag7/5AcxIsuHlTrrU6mABtiveZiutyEv3R0uAKhq6NFvjUvabVe764bRd7jESH6LHpU+POz7Yva1IuR9MBvmLFVWXuj1tnuEeP2tlPYi7bSgkB7+tyjWX69KAcRCM+0k3cetaJvCFbD/f2vTJms9kbJagW9f08pw4Is/5Igz5IvXJ8gKR7z+Eo4AWwUkrUtOQBSToaiQrB4Pamr36rOL+FR2N63UdTVt7h1LnsiAziGErRk3dUU7+Dsvp7P5lvUAn+uPxQXeiTl8zsNsvgAbiFFWGHIMGhneABwBjNYvhkyxBLsZKUOcDBku42C3gNHVzK09tnDk7exjltLH5G6Lxg3cv0pu2FqvecSNsoNQ1+2i5+FeDzdqSoljhrN2Zlr/2dlz/pobI6slhWpqbR8rCQAPT/EJp8l4aKL3i8GWFCgczm8p6p1XdiRRV2AeCaO4jh0FIE2jJQINgIoNb9MXa3gGJLCCmGSbOBVxQzO6yp/QeHzFTFRk=,iv:FbelgOuVwv2VkmBEXt/PHceSm6dFzptSUtYGpeolgk0=,tag:FBu7MnrfFqqxj1NkMgDdtQ==,type:str]
matterbridge: ENC[AES256_GCM,data:zLrVbfUSebZX69y4tvDXigpoEQziMbzXaO0EKQLrSBR1WaRJDb2U00Ifisucv7kfiJIuGf7xSKl+QthemgUyhfJiBWUtfFwbR2F526wA4uBUGvy5eYmM5eu5HeEfYN+Yrd7BMR5kSE4laUwjwd1/Dps6rFHwx/JtKmfGiKtE3nmqErypdm9kJrxqsPd9Ytn4r5UbM46rRu80AyN46shCL8MlRXmxLRxN4ihahY/QirAZ4TCfTJDu59IQQnmR9totBAMKmdfnDTgjUoxEXRY4WeLF+8tmcM/hPjYIgh/q+LMZtSoNWo8VYMccu71Tl6dwRjbo2evlVuqDB/uRwj5vwj8Ayf4QXePDblo5sX+AaC2/jCZ9l7cUBoB4gpgPkvdIgarPw0dZO35RLcKvLTpJo+8px0TjDmkSC4AdnPYTZeXRWfwse9DClmJqEQdHcVtrCSJ2g0wVZ5CuBX1jTrzOQIAkFBUf+M1SMARss6BAQJQzCYYDLRLu95v/FXhop7J/83OO/XAwVSofK1pM2bYwgwpZeYLGRN0b9hBniqneudA0zlbC8nNcwgiz/qnT9/99+Vuwc/6niqfmZr1qIZfL0TxUf2SOvSK5t54cFPO209Gsuc8F19/ukrxkqauwCI+ZtNV64L29knUGYy0yud5IzDnuyKC+oDHz4/x1JXKn0+Cfbmp5RUWtB3AxU4QjGYU9zv9aS0De1BHfGaKPJZCiCRv8ac04WyiH7o2hpt49N4a2Gg==,iv:cJ1F7TxrlrD1LHUMUTICPr0WW/gp2pbSVSTHBPPfFRw=,tag:Q/6BNz87Y1ifukdCVPTJqA==,type:str]
hydra-admin-password: ENC[AES256_GCM,data:t0vmchbXXIAzvM2nxm4j16N9W67yWRb439M=,iv:qr/OfyMvTzi6Znw446KtxE2erh3XWi2VTJvVL2Ot2UI=,tag:mS6HlE6nojkemjp4F59+wQ==,type:str]
hydra-users: ENC[AES256_GCM,data:0NVgtjaiQ2ytn2Z3EqjsphMsXMVq1KRjaHA9R11aFC1qoSnLP1GWu/Y8bkrA/fAcfn90Nmx6kY8N37PclYWNYPVzHL5Nf/zZgD+gUXF/5yFgvX73v/qmE39tp9zqVjmW02GJTug9FkYWUt8tTaMSq71jfW2B3w6SHz20jUn41Ak+VWexJjjxxj/4iq5bdx6f/9lu5VtM90Lyx5D2+8lWWKiRnMtjIqXPdzRSPi8X4zvJm4aGId1kKPE0Ba6RMuBKwDW4qqRoJixc1ddZoDQe4ycO12gszj1bTGB7cHm7iDU5B5KnZScJUrjzmE8F1hG0oLaP5SyR9+Ehe5uMZojTQZlDC57/zV10dj16H7mNaRBWFilshmhlmVuKcLA=,iv:vQ+dRNr6EplY8/+ZIgxg7f6lqqoMzXGoItx73imzfSY=,tag:sF7cq+986sy5a3N9HkUqPw==,type:str]
marvin-mk2-key: ENC[AES256_GCM,data:7gDG0Sq0vIf1DooKmPrWXyUJvpyk4r4Le9LCQstsCWGa2yb30qGAp6mkTLwACjhl8gmNOVpAFrkNqRdbqb7wtba256ebsolsEULk5Mnyezytt+Ye2oCuo3Iu6DLwEtIh8ERIJN+Bg1FlLM48bN+8RhviR60oBrV+54oGmqwWP1QaDquCK4YZ0w+3CY/yMM4y3KOFa7MvZJ+sprCrvSiuv2Go9QBsYkM9EvVAgRjyQrT2egCjdxJWrazyUobN3dhMAdUxwpUb7sthqOES4TwEX0YWybRTM2gAnpIYt20nRGOcnLZjmsCg+62aQJlIvYk74e7ViIcc4AJ3vvqMor9bovRX0IW0IGuuX/qPRastdlCEAgDHrwONQI1xFgd7V6zpUiFKF/AeqMN4lzBgvAHXJv2Tx+qp53jat0q9m856/dSRplVYvo/nxDYx31eiv1YdBoDOm0ASwvVmfL7ZLoqxH63/phzhMLmB7j7LIGRcwEhyDTLlIwmTbe2A0s1Zikv6FOLiGOrpv5pDp8NIyfy7ltOp6dAOnW+p7Z508wdOHdX8er0fD5Oirw1ZRnyO4rqqO/wqUDllxEyqUoLVyCl1Nu+fyYTfQDiMwliWMH9kHtADaWobihFE+Qh6rl/vhoJaMwWdSbVwHO03uFqcZ5HtfwG5sadDM/Bb+olucdONLtQVMmBEylzhtszvFbhZbwe+FNWikxM7FQTa3iHfT5y7T9t2gA6HdPRqEJ9AFgcf9//IwHjdSItuDxpJOY1SGV0pxpBNo04V07wk5YIHKy6++zHYkAfizUFiXtX9Iml3imBEmWSo15JjFf+GXgB4lfXK5X3OZG0dZryV2hxiRrI10nJG7X144fQF14Ej3kYxPyIs5JRpdQbjX2hiYfNNV5BrlKesfq8Q+IRDN+E179X6vbhiCJbnCXiAJ7/1ZDrGi4mTCmmerVhgGDH2cjffr6cSfh7zdwyAwbr4KQ8nN2rXJ/u9CNi5xgvzqt6u8JXJTnyI8Zw1KHX0RL9u98GaDfnLKGf7E4APjCP7MIUukh/hS9zd88GgpkVaqI2pwEIjqgUvSrp45ud8V5dZQi+Nwo3ckrUj1u2J2I7BkQYPhZiC41GRR2uDb7m1xZDT0TFfcf+8WNrAZ5ft3tlWktNZ9qPzdxdJwUPryA3wAc1kN77VGmlOAkNpCuqoOvHbrrBruLgisIVPPK343o2+FHy0xYTs/SALnL+vx1AgzfcIeiyWx5Nsmo7IPuyLjW+fUtaboXmDphM+R/xfSwzBgngdW7WCYiEYbH+8Tx3GJHOtrTdh/JVfeuKHpNGegdRXhYOsHcioMnBksy1FJHFcfd1RudbCnBasaQ3qUdCcdcYoeGrIzTsRC7XBC/cLxVZ90JjhnF4RXXkQzeKdeaWxjUR3S64xE5S6USFftqAh2eVY86Gc98SeJlQX1grhWP3PlALF7g6eXLJyDgDsoNZJzX2LFpEoJ+p+dPOt+j1+N4gg1UlmuEH4Xg6fyoTECG2JdNJV4reboK9lM91NfKxF3bAB3t5KtJylFuqc8uIkW935K33O4X/JOA8m2579ycy9POxRIYBkdH3yHdgHluJYgygkA0xhU4eZcsSRzYrimnceK/M3b/1MtFWR5IpmDDNgH95YVK8+ZEk8RGT8Bl1pD62k+Iivzb7fZIG6ig+tc7FsOnp8NmLDVOfb4m3ApAaF3ccqbbiQRfikHH7swMRcWAP2Qtvj9Opag5Fw1PUJA5SsmSmLRQELNaXjQ2tCnjRuAkY2I9Ui3qbmlw+faar4Hf4u+/7mi61gPmEoYSHtGNl3kdgiagz660fhxSwQEz5uA2VGo+cyDkoMukEkukv9VRRKXkVSeFNby2c9pYWl+mMTl56DZzTpTCv/eiAf9838XVECJY555q9/lHzp5RLI4+KfyXn9rLBUo7TCYRAGf3mEj4CQLV+YmVfo81YiqLu0n1f36PJDqBhTsRHS5geMBQVkrR1Arsp48Qcr3QF92hemB63Y4xN3nhK3v9RQsyK3k6LCZGJis+IBuXZfBbAcuW4jCG6stYhREPECHbfMGNgufRnf13Y2nFC5erhFTB8lT+OnR/pIN5BAx7jd9ZF1Qz9D/oAzgt7TPr9W2MDyhUkvkt6QQiuAI3xCzVD6GehpaxzlbBoEZ3/wxdyA6L5j7aNNAD12pkt6nspv3SouUqgRFunvtVa4dOuHQElWi0s+PAOWxAlzqsCcqRkYTaDapQ==,iv:ZwZCATHmV5LlD1KuOZxQR/QCWoDr4QgvZFYYl9H45gA=,tag:JJe+2rLOIuRT8X9EXfv1Sg==,type:str]
marvin_mk2_id: ENC[AES256_GCM,data:iIkSiz4=,iv:h7zZDgCmhNzVoa4gmaL9E+ngDXDJm99xSfuWM/pBbc4=,tag:cM7G2luQahyzoqZ3Hi9S/w==,type:int]
marvin-mk2-webhook-secret: ENC[AES256_GCM,data:5uhSE/xIj2iGM3+v2d7XtGNI1AQAbeUvZDFj/5QM,iv:XAixOFSLFZSFnpWumqVHpQEeeMzIEl/8qrTiinayqDM=,tag:CSR6Htf+sK9RtbssRvJddg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ1NLVmJyOTM3emNYQ0Nn
eUJqSWZTUlIydWFSQVltY3FCeDZDRnZHWjBVCllLL1ljTUlSSmxsbWVXMXVMclpj
N1RUeXZmb2Y5c1pYSVgxSVBsSTJFVmsKLS0tIGhrY2cwTElSaGkzM21QRkE3UWpa
QnNJTkRiUTA2L05xZnc2U3hpaDZ1K28KG/HqTCqBW0chJ93N1s0gRFLC/2Yz1dqI
25e40+9I1CpZ3Ys+jsMXrw3i74ajKBLQNhW+m24iH8a4kz2GxvwM+w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQK0d4dnZ1c2gzVXY3YWFF
cUJUNmdFdDJDK0R5MzRiZTFYOHJJTEtuMnc4CjNFcEJqWmYrU2NweUpxV3lac0Vs
QjNVYlJkTmxERndSNG5XK2VWK3FWbHMKLS0tIDFIRDZ3bXJjS2I0UDM5RGo0TURp
V3VRQ2ZHSEFLejI1UE1rTXd6UEtFS1EK/eVWfKlCD4q3QIr4RIDX+Wpw7ieVuP/c
Bu2qxJOpIc4AKkA2AlJD/z6FFCLji1Q7dp3nO4sEROT/xlQOXZBe7Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-09-25T20:26:06Z"
mac: ENC[AES256_GCM,data:Q//lq4YyjL8GmK7MACjT82v3GCAOVJnORiNwaFvT0dX+ZQ5a8GBXgqxgb+DtcOfYPMF4iulFSJiXBqeyDuAnRqYITE7ZAjZ1x3/E5Dl0uKA5hrrixOLka/lJHfrCUOAypFD27RHszJgU7jUbGPRQWQi6OViBKW1pRcX1juVT+Qw=,iv:Y0M45KXatLCigR6Kdya/07e7QZBTg0vOhE9YmJMi+TQ=,tag:gELLCgGq5pWT1LcogyJXcw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.1

171
deployment.nix
View file

@ -17,159 +17,36 @@ let
in
{
network.description = "nix-community infra";
build01 =
{ resources, ... }:
{
imports = [
./build01/configuration.nix
];
build01 = { ... }: {
imports = [
./build01/configuration.nix
];
deployment.targetHost = "94.130.143.84";
};
deployment.targetHost = "94.130.143.84";
};
build02 =
{ resources, ... }:
{
imports = [
./build02/configuration.nix
];
build02 = { ... }: {
imports = [
./build02/configuration.nix
];
deployment.targetHost = "95.217.109.189";
deployment.targetHost = "95.217.109.189";
};
deployment.keys."id_rsa" = {
text = secrets.github-r-ryantm-key;
destDir = "/home/r-ryantm/.ssh";
user = "r-ryantm";
group = "r-ryantm";
permissions = "0600";
};
build03 = { ... }: {
imports = [
./build03/configuration.nix
];
deployment.keys."github_token.txt" = {
text = secrets.github-r-ryantm-token;
destDir = "/var/lib/nixpkgs-update";
user = "r-ryantm";
group = "r-ryantm";
permissions = "0600";
};
deployment.targetHost = "build03.nix-community.org";
};
deployment.keys."github_token_with_username.txt" = {
text = "r-ryantm:${secrets.github-r-ryantm-token}";
destDir = "/var/lib/nixpkgs-update";
user = "r-ryantm";
group = "r-ryantm";
permissions = "0600";
};
deployment.keys."cachix.dhall" = {
text = secrets."cachix.dhall";
destDir = "/var/lib/nixpkgs-update/cachix";
user = "r-ryantm";
group = "r-ryantm";
permissions = "0600";
};
deployment.keys."nix-community-cachix.dhall" = {
text = secrets."nix-community-cachix.dhall";
destDir = "/var/lib/post-build-hook";
user = "root";
permissions = "0400";
};
};
build03 =
{ resources, ... }:
{
imports = [
./build03/configuration.nix
];
deployment.targetHost = "build03.nix-community.org";
deployment.keys.buildkite-token = {
text = removeSuffix "\n" secrets.buildkite-token;
user = "buildkite-agent-ci";
permissions = "0600";
};
deployment.keys.buildkite-agent-key = {
text = secrets.buildkite-agent-key;
user = "buildkite-agent-ci";
permissions = "0600";
};
deployment.keys."buildkite-agent-key.pub" = {
text = secrets."buildkite-agent-key.pub";
user = "buildkite-agent-ci";
permissions = "0600";
};
deployment.keys.github-nixpkgs-swh-key = {
text = secrets.github-nixpkgs-swh-key;
user = "buildkite-agent-ci";
permissions = "0400";
};
deployment.keys."nix-community-cachix.dhall" = {
text = secrets."nix-community-cachix.dhall";
destDir = "/var/lib/post-build-hook";
user = "root";
permissions = "0400";
};
deployment.keys."matterbridge.toml" = {
text = secrets."matterbridge.toml";
user = "matterbridge";
group = "matterbridge";
permissions = "0400";
};
deployment.keys.hydra-admin-password = {
text = secrets.hydra-admin-password;
user = "hydra";
permissions = "0400";
};
deployment.keys.hydra-users = {
text = secrets.hydra-users;
user = "hydra";
permissions = "0400";
};
deployment.keys."marvin-mk2-key.pem" = {
text = secrets."marvin-mk2-key.pem";
destDir = "/var/lib/marvin-mk2";
user = "marvin-mk2";
group = "marvin-mk2";
permissions = "0600";
};
deployment.keys."marvin_mk2_id.txt" = {
text = secrets."marvin_mk2_id.txt";
destDir = "/var/lib/marvin-mk2";
user = "marvin-mk2";
group = "marvin-mk2";
permissions = "0600";
};
deployment.keys."marvin-mk2-webhook-secret.txt" = {
text = secrets."marvin-mk2-webhook-secret.txt";
destDir = "/var/lib/marvin-mk2";
user = "marvin-mk2";
group = "marvin-mk2";
permissions = "0600";
};
};
build04 =
{ resources, ... }:
{
imports = [
./build04/configuration.nix
];
deployment.targetHost = "158.101.223.107";
};
build04 = { ... }: {
imports = [
./build04/configuration.nix
];
deployment.targetHost = "158.101.223.107";
};
}

1
nix/overlays.nix
View file

@ -3,6 +3,7 @@ let
inherit (pkgs)
git-crypt
niv
sops
sources;
nixopsUnstable =
let nixopsPkgs = import sources.nixops-nixpkgs {};

18
nix/sources.json
View file

@ -41,10 +41,10 @@
"homepage": "https://github.com/NixOS/nixpkgs",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ed332b0bc7440cc25de85a09fdb0491d3ad3343d",
"sha256": "1n8wcgm0wcng1mcgk1q6yfi1y951j2fc3n2dxgcrns9v9h7c552c",
"rev": "e9540c5f121d77c68de0f2156cb6f9869d95a6f8",
"sha256": "0s0i6x78nxjyc0a885hzvwh5bylccixiam6c5h1q6pa64aqx50pc",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/ed332b0bc7440cc25de85a09fdb0491d3ad3343d.tar.gz",
"url": "https://github.com/NixOS/nixpkgs/archive/e9540c5f121d77c68de0f2156cb6f9869d95a6f8.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs-update": {
@ -94,5 +94,17 @@
"type": "tarball",
"url": "https://github.com/ElvishJerricco/simple-hydra/archive/0d28b0b66136082d0cbfd90ede4436a580e3e8d0.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"sops-nix": {
"branch": "master",
"description": "Atomic secret provisioning for NixOS based on sops",
"homepage": "",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "64235a958b9ceedf98a3212c13b0dea3a504598f",
"sha256": "0672hz2ap0ljani5vm1yq9h92596ad7smmkl5rixmi878m6x1agr",
"type": "tarball",
"url": "https://github.com/Mic92/sops-nix/archive/64235a958b9ceedf98a3212c13b0dea3a504598f.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}
}

10
roles/buildkite.nix
View file

@ -1,9 +1,13 @@
{ pkgs, ... }:
{ pkgs, config, ... }:
{
sops.secrets.buildkite-token.user = "buildkite-agent-ci";
sops.secrets.buildkite-agent-key.user = "buildkite-agent-ci";
sops.secrets.github-nixpkgs-swh-key.user = "buildkite-agent-ci";
services.buildkite-agents.ci = {
enable = true;
tokenPath = "/run/keys/buildkite-token";
privateSshKeyPath = builtins.toPath "/run/keys/buildkite-agent-key";
tokenPath = config.secrets.buildkite-token.path;
privateSshKeyPath = config.secrets.buildkite-agent-key.path;
};
}

1
roles/common.nix
View file

@ -9,6 +9,7 @@
./telegraf
./users.nix
./zfs.nix
./sops-nix.nix
];
environment.systemPackages = [

14
roles/gitlab-runner.nix
View file

@ -1,10 +1,5 @@
{ pkgs, ... }:
{ pkgs, config, ... }:
## requires this secret in deployment.nix
#deployment.keys.gitlab-runner-registration = {
# text = secrets.gitlab-runner-registration;
# user = "gitlab-runner";
# permissions = "0600";
#};
let
gitlabModule = builtins.fetchTarball {
url = "https://gitlab.com/arianvp/nixos-gitlab-runner/-/archive/9126927c701aa399bd1734e7e5230c3a0010c1b7/nixos-gitlab-runner-9126927c701aa399bd1734e7e5230c3a0010c1b7.tar.gz";
@ -16,10 +11,15 @@ in
"${gitlabModule}/gitlab-runner.nix"
];
sops.keys.gitlab-runner-registration = {
user = "gitlab-runner";
sopsFile = ./gitlab-runner.yaml;
};
services.gitlab-runner2.enable = true;
# The module depends on gitlab-runner to have a "bin" output.
services.gitlab-runner2.package = pkgs.gitlab-runner // {
bin = pkgs.gitlab-runner;
};
services.gitlab-runner2.registrationConfigFile = "/run/keys/gitlab-runner-registration";
services.gitlab-runner2.registrationConfigFile = config.sops.keys.gitlab-runner-registration.path;
}

3
roles/gitlab-runner.yaml Normal file
View file

@ -0,0 +1,3 @@
gitlab-runner-registration: |
CI_SERVER_URL=https://gitlab.com/
REGISTRATION_TOKEN=ynWzkuM4vNEZkxrUtJFs

5
roles/nix-community-cache.nix
View file

@ -4,6 +4,11 @@ let
sources = import ../nix/sources.nix {};
in
{
sops.secrets.nix-community-cachix = {
path = "/var/lib/post-build-hook/nix-community-cachix.dhall";
sopsFile = ./nix-community-cache.yaml;
};
systemd.services.cachix-watch-store = {
description = "Cachix store watcher service";
wantedBy = [ "multi-user.target" ];

57
roles/nix-community-cache.yaml Normal file
View file

@ -0,0 +1,57 @@
nix-community-cachix: ENC[AES256_GCM,data:tGMaYSBnhZ9idMV7DGzUfR1Zzk70syR8f4DSkrO65XcYUvoS4tcaVXr4l6PzDAFetkgU92a/kkIrEMZ9tZZZGHMvmCteGObH2BgF6k57NdozNnkXsI4ZhltATu5tpwzI+DUFgtpAXPEVYY6DRDlUATrt8SKJ2JuI4JtpIHpPi0noS/WpBfsphOUQ/7epTtABLpyDb0EOXisvkPLjDIKwfNDE+dOHO61aN8zS14QhelRIfJUSj7BwVFWbaseLKmq5ZIDAFK5s/FSgToi4Bj/YYVrTo23RH8wvhYOelSNcAWW/wotMZ5u/pklTytytLC41DhyFXU54k/UEorfVMHMnLAlujDoBs/9oV+M18Jcs0qV7c1utzjwoGlYhxV7zV/QvJ2zuMyDtszK0twcL8BjUSpsy+W/sR3kpGBKzjt1oNteTlz0YvIXlxg/Yn63qGr2/HzZlNd9rygMnLhTf7VO4Su2AB4GLXI7ljgQdqM7AREuAgE5J0hHE82fRalBsZcK34QGEFVKN4mzybcK4HO70yUQY4o5cOc7R5DHvEJmukjjJclm/,iv:N/yKtyd56YpdpNEe92g9Eml8gYR9x5pBT66U5p20Rzw=,tag:HCAJSqQ3Wq5SnZDwdryN1Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UE1CMW5mVTFHdW01T0Qr
SFJBcXZXRm4rbXQ4WnU3OVlhZk9EWEswbUdzCm8zR2tBdEh6Tk9PS1BEUHJmb3k3
T3hmcUt2dnZER0tIMlhIeENuUFR4S1kKLS0tIFhXaUU1SlJQLy93T2I3SXB3VXUy
bmdob3B6R3ByNjBvdEtkWTlTSi9vbnMKIBY6+fzvy/4dQ7EAhI4nU2ViSSlZ3KmG
bZv63cddNEGFq9JAQUIqfkaF0FjcOm9c+GPuKa08bQLOJ74gXF8dzg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZk5vOXJwSC9tRmprdjdS
MGRrTmx4dGJudVFsZFZtaHBjbEtOa0xnQ0I4CjcrTnNNdm1EQnl2VDkrVi9FcjVV
RHNFOGhqTXRzMkEwb3JwdlRGVFR0V28KLS0tIERKU2JHSHI5M3FLejJLRVJ3QVd1
a2NpZndjN1ZSSjJqYkpuSUluU1k5UFEKDmBFgAkjb3k9x8QetqYbYw4m7KyDQbXz
JwOKDu3pkL5LnJ4rOIZGABNUsb8yXCk2MIzT791tokbyEj2LWUAcTw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NWt5UGdFK2NhUUFoTkdy
b2IvVEdkd0t3akM5bktFdGYrd3B5WFhZZ2s4CnpxalBCUmt4c2xMaUV4cFFZOVIr
Z080SloyaXhKUGNrVmZJbnZjVDJYNW8KLS0tIEtJQWlURFlTQWF4MC9ZS3p1L3A0
dXM2VTZKWFBCUXFUMFNpQkJFTS9MaHcK86b9xh17pQOauZLUhfnwdBk2CDXo07Bk
8nrAinC8kJS7Nok4gvu+ps07O26DDPGTIY07vJrV52NagI/trl0caA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyeVNNWm0rdnJmd1JCQXhw
bzh6ZVRzZHZiSHRXcFFmU3Zua2pRaC9kUFZNCkdZcWcxU2VWSWNON2lzQXFVYVVJ
Tk15Qm1ZUzRrb0h3eTY0MU9iQS80TG8KLS0tIExPRVRRNWs4MlhseW5lNllFalQr
ZlliV2Q2dmVJK05WcUlmcENRM3hxT1EKXKH2F6ImIowlmhg8W7j5cVxVaP3tIfkv
JEOCVPBUPoGSEndNYsg0gcJfnkZbfeSwrmmEXyY8y2C5gqlm/sp4FQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vr4suv4lhtt8f59s25eukdfk67j7av72gvj7sk7ux6thusct3utqmn3pmf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWFBhNUtzdTBSc3JrYnZs
ZTNKa0lNVG8vUVhDM0lyZzVIV29UTWNvU2s0CjV2S0ZXYTUrZnVjQXI4THovWTEw
UytYV2dxTUNUamFZRHNiWHNPREJaQmsKLS0tIHJWQk9qQWtySmFVZWZwZHdXV0dh
NmZYQm5iYkhkek9Pa1J6MFlQZEtPZTgKXYaKq7feFWHZttEU7zNTzI+Am/02qv9S
mN0jh+IW55kYKh+Fo3yXirqOqeRKImt3jHYU1j0HKZqHIaQkNd4iCg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-09-25T19:43:46Z"
mac: ENC[AES256_GCM,data:ZQibKAevbsldaAIjzoZ4/zzWdCLaGHKMzBU7zre6DnE+9UF3vpa+VWfTPCs7ovqKkWJUsTiyyg8JxMeF3ivFnXRzrbzeX5EZRAqlKQJHXAp5ruWDJL5Zaw3dWMVM70MGJDOsZdws5tJUu8jbZN5nYX+yjw1zDIfb1Gho7sfYg48=,iv:VDP2iWxiFy+4vTQd5DKMNpMFAWrfwKKaGfZos+Y5l3U=,tag:wo8a27b6hWkL85e+IIm58Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.1

10
roles/sops-nix.nix Normal file
View file

@ -0,0 +1,10 @@
{ config, lib, pkgs, ... }:
let
sources = import ../nix/sources.nix;
hostDir = lib.head (builtins.match "nix-community-(.*)" config.networking.hostName);
defaultSopsPath = ../. + "/${hostDir}/secrets.yaml";
in
{
imports = [ "${sources.sops-nix}/modules/sops" ];
sops.defaultSopsFile = lib.mkIf (builtins.pathExists defaultSopsPath) defaultSopsPath;
}

7
services/hydra/default.nix
View file

@ -6,8 +6,8 @@ let
hydraPort = 3000;
hydraAdmin = "admin";
hydraAdminPasswordFile = "/run/keys/hydra-admin-password";
hydraUsersFile = "/run/keys/hydra-users";
hydraAdminPasswordFile = config.sops.secrets.hydra-admin-password.path;
hydraUsersFile = config.sops.secrets.hydra-users.path;
createDeclarativeProjectScript = pkgs.stdenv.mkDerivation {
name = "create-declarative-project";
@ -78,6 +78,9 @@ in
};
};
config = {
sops.secrets.hydra-admin-password.user = "hydra";
sops.secrets.hydra-users.user = "hydra";
nixpkgs.config = {
whitelistedLicenses = with lib.licenses; [
unfreeRedistributable

12
services/marvin-mk2.nix
View file

@ -28,6 +28,18 @@ in
# FIXME: use the above host instead
networking.firewall.allowedTCPPorts = [ 3001 ];
sops.secrets.marvin-mk2-key.user = "marvin-mk2";
sops.secrets.marvin_mk2_id = {
path = "/var/lib/marvin-mk2/marvin_mk2_id.txt";
user = "marvin-mk2";
};
sops.secrets.marvin-mk2-webhook-secret = {
path = "/var/lib/marvin-mk2/marvin-mk2-webhook-secret.txt";
user = "marvin-mk2";
};
users.groups.marvin-mk2 = { };
users.users.marvin-mk2 = {
useDefaultShell = true;

1
services/matterbridge.nix
View file

@ -1,5 +1,6 @@
# A single instance of matterbridge
{ ... }: {
sops.secrets.matterbridge.user = "matterbridge";
services.matterbridge.enable = true;
services.matterbridge.configPath = "/run/keys/matterbridge.toml";
# Allow to access /run/keys

1
shell.nix
View file

@ -14,6 +14,7 @@ pkgs.mkShell {
niv
nixopsUnstable
terraform
sops
];
# terraform cloud without the remote execution part