From 0c07216370ee96155e776b60f52008bc15c9653b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io> Date: Sat, 25 Sep 2021 22:35:51 +0200 Subject: [PATCH] migrate to sops-nix --- .sops.yaml | 37 +++++++ build02/nixpkgs-update.nix | 23 +++++ build02/secrets.yaml | 33 +++++++ build03/secrets.yaml | 39 ++++++++ deployment.nix | 171 +++++---------------------------- nix/overlays.nix | 1 + nix/sources.json | 18 +++- roles/buildkite.nix | 10 +- roles/common.nix | 1 + roles/gitlab-runner.nix | 14 +-- roles/gitlab-runner.yaml | 3 + roles/nix-community-cache.nix | 5 + roles/nix-community-cache.yaml | 57 +++++++++++ roles/sops-nix.nix | 10 ++ services/hydra/default.nix | 7 +- services/marvin-mk2.nix | 12 +++ services/matterbridge.nix | 1 + shell.nix | 1 + 18 files changed, 281 insertions(+), 162 deletions(-) create mode 100644 .sops.yaml create mode 100644 build02/secrets.yaml create mode 100644 build03/secrets.yaml create mode 100644 roles/gitlab-runner.yaml create mode 100644 roles/nix-community-cache.yaml create mode 100644 roles/sops-nix.nix diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..b6751c0 --- /dev/null +++ b/.sops.yaml 
@@ -0,0 +1,37 @@
+keys:
+ - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ - &build01 age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
+ - &build02 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ - &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+ - &build04 age1vr4suv4lhtt8f59s25eukdfk67j7av72gvj7sk7ux6thusct3utqmn3pmf
+# scan new hosts like this:
+# $ nix-shell -p ssh-to-age --run 'ssh-keyscan buildXX.nix-community.org | ssh-to-age'
+creation_rules:
+ - path_regex: build01/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *mic92
+ - *build01
+ - path_regex: build02/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *mic92
+ - *build02
+ - path_regex: build03/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *mic92
+ - *build03
+ - path_regex: build04/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *mic92
+ - *build04
+ - path_regex: roles/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *mic92
+ - *build01
+ - *build02
+ - *build03
+ - *build04
diff --git a/build02/nixpkgs-update.nix b/build02/nixpkgs-update.nix
index 89a9bb1..fd3e2e1 100644
--- a/build02/nixpkgs-update.nix
+++ b/build02/nixpkgs-update.nix
@@ -54,6 +54,29 @@ let in {
+ sops.secrets.github-r-ryantm-key = {
+ path = "/home/r-ryantm/.ssh/id_rsa";
+ owner = "r-ryantm";
+ group = "r-ryantm";
+ };
+
+ sops.secrets.github-r-ryantm-token = {
+ path = "/var/lib/nixpkgs-update/github_token.txt";
+ owner = "r-ryantm";
+ group = "r-ryantm";
+ };
+
+ sops.secrets.github-token-with-username = {
+ path = "/var/lib/nixpkgs-update/github_token_with_username.txt";
+ owner = "r-ryantm";
+ group = "r-ryantm";
+ };
+
+ sops.secrets.cachix-dhall = {
+ path = "/var/lib/nixpkgs-update/cachix/cachix.dhall";
+ owner = "r-ryantm";
+ group = "r-ryantm";
+ };
users.groups.r-ryantm = { }; users.users.r-ryantm = {
diff --git a/build02/secrets.yaml b/build02/secrets.yaml new file mode 100644
index 0000000..e3f20a2
--- /dev/null
+++ b/build02/secrets.yaml
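Review bot: The `&build02` anchor holds the same age recipient as `&mic92` (`age17n64ahe…juvkxz`), so the `build02/` rule encrypts to the admin key twice and to no host key; build02/secrets.yaml in this commit accordingly lists that recipient twice, which means the build02 host cannot decrypt its secrets at activation unless its host key really is the admin key. Re-run the keyscan from the comment for build02, replace the anchor value, and re-encrypt the affected files (`sops updatekeys build02/secrets.yaml`, and roles/nix-community-cache.yaml, which shows the same duplicated recipient). The keyscan itself trusts whatever key the network returns; comparing the scanned key with the host's known fingerprint before committing it keeps the trust anchor honest.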
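Review bot: `sops.secrets.github-token-with-username` stores a second copy of the r-ryantm token: the removed deployment.nix key built this file at deploy time as `"r-ryantm:${secrets.github-r-ryantm-token}"`, whereas now two independent entries in build02/secrets.yaml have to be rotated together or they silently diverge. Record that coupling where the secret is declared, e.g. `# same token as github-r-ryantm-token with the "r-ryantm:" prefix — rotate both entries together`. None of the four secrets sets `mode`, so they take sops-nix's default (0400 at this pin, to be confirmed), which is stricter than the 0600 the nixops keys had and fine for read-only consumers.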
@@ -0,0 +1,33 @@ +github-r-ryantm-key: ENC[AES256_GCM,data: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,iv:Qg8SdZVOeOA1rHt/CCo1Fj9sqUvq5zhaetboYUIe2co=,tag:UNGFeWqBY46lK6/cEr4/Kg==,type:str] +github-r-ryantm-token: ENC[AES256_GCM,data:X77cQQQDFcUe9VcHZwbhZdyg6wFsAEwRMDaDojWYyHJf4RxWwRm8Vg==,iv:/PxtdHM1eTbRZb0KrjuSSutxBVwmFaSejp62qb+/D10=,tag:K/EH8Rl6CeZcigftKO3hNw==,type:str] +github-token-with-username: ENC[AES256_GCM,data:9k+TaxVIQ6BUASckGTAAdDsSS1OQ7WfF6oUdY8t/24VU5bK3M2Uozbfh6qUtmZFLcA==,iv:4AE/eoXHm1/gd3SdRYY+LyI56YFod8YD7ZKZ6uG840k=,tag:fboN3lX6vKVZHEtaZ+C8Gw==,type:str] +cachix-dhall: ENC[AES256_GCM,data:SxJ85dw01kRMXc2+Geza6NF4T1Ibidyyd4+ZoJxf78A1GanvmFuiyuHREbF5S/3EGxRvkbFqHDdf2GK6CtH3LRVygKEeGBT6wJtbgP8e8WsCx8WYKTDZq1WoDUBCpNwHw7zCmDIRIPNQkrW7Rj8cs0VMR1IDCpp6ThRC0PLWRkhKgVz+yITspk4U4mUJTRPaga+eVbZV7o6c8BSagHcu8kfjfeTWfYWata5yznxJfzFv2hxmOBIHRpJDZGKC3YHV7oeOv6zYJfrdA4TEcR7GrCOpXhpSv++SyyBlkrY2h5nar7MaJj8X3CpTFRNYyEqCu0gf3t1Pow2/N4C69Bl29xUvMJTnkakaM/KDtqc0vn/IPeb2mZSoeUy3FGvHA+Y5EZbwivguOw7EOWTXbQdG3BHHGM/+yWeOROb4XkgwY+yYXaRxwn1t,iv:NQ8P5R7lk2M5u/e3/T0J6oG8LGjaFs4jei7cZ4qRqBI=,tag:aDZf73Vgpn7tWFUhxXNh/g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTeW8vMm9MUkI5RzFCWGhQ + eVcydUdyTUlEMEtGRkRnUU8yRXFQSUNhRFIwCi9ZNFN0c1E0blNqSzdiSnlaR0JT + UWJnQ3BpcW54SmhNTkFxZDNZdHBIeDQKLS0tIGZmOWpaZ1ExZ1ZvekRPUlZGRUNX + UjN5a0xHcmpFL094bVNGK09XVEMwWjAKUSTf+NqjcXdfSsGE9z+Pj/AyzOfylOSE + ZC5QPpyjE2Srg6gNR7p2yDgPAGhyhOoKzPenFEwd9ZfqLKwMKvL7dg== + -----END AGE ENCRYPTED FILE----- + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cDRJakQ0QlRkY1RudEVP + OGtaYkZnUkdCaTNjTm5yY2RmNDZxQjV1TFFvCjFMc3BDRG45OXZ1RW0zM3p3bThC + 
c1VqSDVCMlN0OUtEbWt0SUQreWxNb1kKLS0tIHVTa1JCN0U0ZExBSWNLR3VScHRG + aUJ4dDZKcWNmbmt6eEQvdWpGTVIwV1EK0jCKgJQBg9uiT0YJPD4ITU14su8vQaFy + 4c5fbjL5i+N60VWF7aj0CZW0/TIYtw3GcM4YM1Ar4gsLz19Igip0tw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-09-25T19:30:13Z" + mac: ENC[AES256_GCM,data:AaHBjy++1hd3KjIuNqqsWJDgpIdp+VXa5lFstuKLeXr342I9x7J/D4mI6H9ijKNUnADg0zIiWZ5ebybJgPVWtx8A3ZEYeoQJNGGrkM8YaVSu35USTo/FDAKydawIgMaJZSG5KkYV5Z8m/XTBn3ziG0dM4VDGu3yvw48NTnmaDIc=,iv:e0f576ONwt59APTVIidszKRs9/dN8MhpjmQnfbX9Dy8=,tag:6Qb95Y9pkG03YebD7vALFg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/build03/secrets.yaml b/build03/secrets.yaml new file mode 100644 index 0000000..ace8f98 --- /dev/null +++ b/build03/secrets.yaml 
@@ -0,0 +1,39 @@ +buildkite-token: ENC[AES256_GCM,data:ckvzbyXHuW3N4tgZMYd+dPre+YOEnJj3T627wER3+7L9CMrZtYQlj6qU+HyeplMGqig=,iv:OmXO+85jtY6nGNm62+sF8QJF4q93mx06jNKherySD+o=,tag:mCj29oJTwEmjMN+QpmzUmQ==,type:str] +buildkite-agent-key: ENC[AES256_GCM,data:WSVCUQ393JkN3Dq14UYo5jYm0b0J0Edqe6k/z5FRohmuQvQCZfAOYPil7cQSoP36xUxdd9kWVgsWnD2jXUumX9bbUm8t1uxf8CwDWqV3iHfDOvjfWyW7ifp7SLAo0JGI+xD1Zjy5ftzHQcjbX9VOQHJ5aBzVQUBdwfxUSSkNTBSp05iWkOIsEJKaJEUhXbZiQ81yxW0uyVq7vRVAskEPz3FxY+DmcZeu4O+kStiygGUaXSTKrzG2iE1ESnHBkd0LyajNbVq1CjohV5SpBVoP9Kf0tOi47xvirNDUlk93uTCTTk9h2KDJ/qHlwM1Cx3d30VUFsIh9eIRFP5q9qePxqdSlZcZGp0Llp1IeMZACQLEfZYA4ZlHEkOQqt8fy36PXuAY/37bM3urARjStXZIEJq3rA+d4js9zTD/16iOJqw7Sv51HrMSUQA+za/HgK13UnV69p9hvPKvAd9Xwg/SBm4TG294Ez0K/0qBckQ2z7HgmX9EY0ZjGQdqWPzLmHjYI9YzcfiT+2HuIblF/uMGJm9ZD+d/tAfUMSCVc9yhsKU5fp9c=,iv:l3rVZA9QigI96ibMu9WRlA4UbVRzFt8CwF7+dCZ6tX0=,tag:B6EhsV97IVwaji8IgJHgPQ==,type:str] +buildkite-agent-key-pub: ENC[AES256_GCM,data:dqARMa5gzgO3qgMh7BXUJIcqcNusxW0tladrUVb9MTew92K2IHKMYAlKRGENKIHPnPAYaW9yISmXs4cD3rPCosrHoZsgtVvCGS83atqthnR7StmuEKWdxQ35573BOEXqt71v+yRk0CJQJIMEUbI=,iv:2fCB8h/vI2DEL/XSWJLhUjZgjzFYDtr7ncMpE6x8Wg4=,tag:lIq7abSvadAc9CnRa6EJkg==,type:str] +github-nixpkgs-swh-key: 
ENC[AES256_GCM,data:HiZCCt1gQoq4EWZGttv0XDLXOf/lLy53+Cf2sFhaMam5Ygoohm4Ra+qT5O1HG+y4x46ZySy863flZWBxy+Ui0iFIlfO0bIG0loUcLN4g6SjdlTFz8HuZr177rPnOyc6G9hts/MNRTdOMoKgPvcT9GMIKpoKAd4CNPM2RkZYRpQ+R3dRRnxzQ9xI+9q21//+LzU9GxbOIE5Qln6DCOqZx4cyyNv3q57fjRjcIFpLQ13/zcrqLqNTK3ifYHFLJSnjj8t0lsbWibYgXqZOHpdnCaO8SQgE3R2V1P6Ig+DrCy/PeuGVflG69V4UANtu8Ju5FfmEHpHEFjEzIDWv9wV73RlvrSeKS8ZeBws3CDJX7jtwcfh8SDW0sq9iLoHBuvMw7F8uU+c0tHvqvp4EiQG57+z01eboijHOnisQfpnSd/jphPTXjjd3gftXOW4XC3VASMf8mceBHPSurMNI/QY0gREwww+VPRW8pnaIheAA1zwf1hIjsiiqEDgMgAxLwVTqGeMUqKdX1iunrzf52XTfR88mEEgf7TcXbdtSq0nijTybONnlt0rpQX+bu2hUD8EZ3D/jt56ZpMELgOvptI/2ieLWxHdqKUaOrhEFajwzn6s9fjQpTqaJig4fXjFrh80I6b4LOhobAYVoOxY21eQ5f07Nnk21orFnhZwxnr9KVECo6CwVwpwgDUASs9tQHPm8PsQDyFDFZsC+G81zAJ+BVj1rt/aO7ugblAdsRLPfinAHWRtAzniPzuXlZa/uaooZyq+0g935Mtix3GQZPAtogGpXaqp8PKCgG5GZrACECFIDuuu0ElVPCwLU6+nDjY1/SThYcPD8aiwBeOe7pEWbW/mp0Qu4dzI0d/tHQ2RfqOh9io6qhvwvIuky7R8rTAyg0kWqFSHiBcN40VMkVgMZ3IxTbbxGTK0gYpzTrQPv0U2rboxjQLfX9t53QgHHmbZQS3tliw4IQjph7spNOzfAahKG8Q5YDWBYZNG5F0cF8W4KTdjNqyOYkSo1gqhmnId6HEXzFGXSRJKr+QywPBI6jmGzbnyEC31otpaq21IFoPln3R9b9JssImM8j/rG5G9UFCGN2w6TpOOEGK8QJjW04kaG42UqTDv78EdHG1I8PnnyTv097nqAj8ktzD0fl5kMQP0bkpEVKIF3BFy6CHYSoJ7ds+Xoyqs76GEMFwHeFOpMeiV6Gz29A6DuC1y6Im2aAevRONWgcBYxsLo2PbqgWUSF4SNdx1TBIAfzI4M9CTjki6nmhq/CvMTkh0Ut2l+RVo/Y+dJQZ+bERCrjfe5FQhEWftHnUgDo/01ajKS1w2t6FhQN3+hd0Z8dazYyW8rb07eW6aAA429ao2v4SR2n8/5CgEuhnMjERPfSQNb0lEjIQQtrMs9etfwyNh4wb0o0dQ1JkGKz8YCi/ufasGhCNZMSjmabld84Jux1gdQa7k54OAsvsLaPkohXOY1/cVpn3uxMnHYLoIrrje/p+O1obEnKGJvq4MeVj63KjIK8+Rc+0NfWsWizkvDW+crRcSkHuRADUNoz8CoXrVDlC5np/m59LuzR/HlhqSXRvmTZrB9avP70+pbHJvOxab5UqxMNHfKI83DzhwRQ68qOm88oivEqG5lioCq0mktqDUqMKA1IwNKLm++hoZc8iNjOOmzdPZHHT+izGVEAsHBP1KwagE0uxVgylC4Wet68RI8ImGQ1ppNczy/i/EJlUGtM52QOBOQ9qL069QaOqNHT9ZS+Vy+WojrNqtGjiHR8Qn5tQg5R4Axr5z0u2god1MQ5JUkHNCZurd2r06Mj5a8/lNWT8xr6/9KxatFa06Pe+ggRgO1xKB1ft0HQqxF7wqYsdSO9jvKkFsQSBHzoHehYJWDAqXj/NSqkPpzL0k8VWZON8PbGsbLvE9XzC1EGQfhcag7/5AcxIsuHlTrrU6mABtiveZiutyEv3R0uAKhq6NFvjUvabVe764bRd7jESH6LH
pU+POz7Yva1IuR9MBvmLFVWXuj1tnuEeP2tlPYi7bSgkB7+tyjWX69KAcRCM+0k3cetaJvCFbD/f2vTJms9kbJagW9f08pw4Is/5Igz5IvXJ8gKR7z+Eo4AWwUkrUtOQBSToaiQrB4Pamr36rOL+FR2N63UdTVt7h1LnsiAziGErRk3dUU7+Dsvp7P5lvUAn+uPxQXeiTl8zsNsvgAbiFFWGHIMGhneABwBjNYvhkyxBLsZKUOcDBku42C3gNHVzK09tnDk7exjltLH5G6Lxg3cv0pu2FqvecSNsoNQ1+2i5+FeDzdqSoljhrN2Zlr/2dlz/pobI6slhWpqbR8rCQAPT/EJp8l4aKL3i8GWFCgczm8p6p1XdiRRV2AeCaO4jh0FIE2jJQINgIoNb9MXa3gGJLCCmGSbOBVxQzO6yp/QeHzFTFRk=,iv:FbelgOuVwv2VkmBEXt/PHceSm6dFzptSUtYGpeolgk0=,tag:FBu7MnrfFqqxj1NkMgDdtQ==,type:str] +matterbridge: ENC[AES256_GCM,data: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,iv:cJ1F7TxrlrD1LHUMUTICPr0WW/gp2pbSVSTHBPPfFRw=,tag:Q/6BNz87Y1ifukdCVPTJqA==,type:str] +hydra-admin-password: ENC[AES256_GCM,data:t0vmchbXXIAzvM2nxm4j16N9W67yWRb439M=,iv:qr/OfyMvTzi6Znw446KtxE2erh3XWi2VTJvVL2Ot2UI=,tag:mS6HlE6nojkemjp4F59+wQ==,type:str] +hydra-users: ENC[AES256_GCM,data:0NVgtjaiQ2ytn2Z3EqjsphMsXMVq1KRjaHA9R11aFC1qoSnLP1GWu/Y8bkrA/fAcfn90Nmx6kY8N37PclYWNYPVzHL5Nf/zZgD+gUXF/5yFgvX73v/qmE39tp9zqVjmW02GJTug9FkYWUt8tTaMSq71jfW2B3w6SHz20jUn41Ak+VWexJjjxxj/4iq5bdx6f/9lu5VtM90Lyx5D2+8lWWKiRnMtjIqXPdzRSPi8X4zvJm4aGId1kKPE0Ba6RMuBKwDW4qqRoJixc1ddZoDQe4ycO12gszj1bTGB7cHm7iDU5B5KnZScJUrjzmE8F1hG0oLaP5SyR9+Ehe5uMZojTQZlDC57/zV10dj16H7mNaRBWFilshmhlmVuKcLA=,iv:vQ+dRNr6EplY8/+ZIgxg7f6lqqoMzXGoItx73imzfSY=,tag:sF7cq+986sy5a3N9HkUqPw==,type:str] +marvin-mk2-key: ENC[AES256_GCM,data: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,iv:ZwZCATHmV5LlD1KuOZxQR/QCWoDr4QgvZFYYl9H45gA=,tag:JJe+2rLOIuRT8X9EXfv1Sg==,type:str] +marvin_mk2_id: ENC[AES256_GCM,data:iIkSiz4=,iv:h7zZDgCmhNzVoa4gmaL9E+ngDXDJm99xSfuWM/pBbc4=,tag:cM7G2luQahyzoqZ3Hi9S/w==,type:int] +marvin-mk2-webhook-secret: ENC[AES256_GCM,data:5uhSE/xIj2iGM3+v2d7XtGNI1AQAbeUvZDFj/5QM,iv:XAixOFSLFZSFnpWumqVHpQEeeMzIEl/8qrTiinayqDM=,tag:CSR6Htf+sK9RtbssRvJddg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: 
age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ1NLVmJyOTM3emNYQ0Nn + eUJqSWZTUlIydWFSQVltY3FCeDZDRnZHWjBVCllLL1ljTUlSSmxsbWVXMXVMclpj + N1RUeXZmb2Y5c1pYSVgxSVBsSTJFVmsKLS0tIGhrY2cwTElSaGkzM21QRkE3UWpa + QnNJTkRiUTA2L05xZnc2U3hpaDZ1K28KG/HqTCqBW0chJ93N1s0gRFLC/2Yz1dqI + 25e40+9I1CpZ3Ys+jsMXrw3i74ajKBLQNhW+m24iH8a4kz2GxvwM+w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQK0d4dnZ1c2gzVXY3YWFF + cUJUNmdFdDJDK0R5MzRiZTFYOHJJTEtuMnc4CjNFcEJqWmYrU2NweUpxV3lac0Vs + QjNVYlJkTmxERndSNG5XK2VWK3FWbHMKLS0tIDFIRDZ3bXJjS2I0UDM5RGo0TURp + V3VRQ2ZHSEFLejI1UE1rTXd6UEtFS1EK/eVWfKlCD4q3QIr4RIDX+Wpw7ieVuP/c + Bu2qxJOpIc4AKkA2AlJD/z6FFCLji1Q7dp3nO4sEROT/xlQOXZBe7Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-09-25T20:26:06Z" + mac: ENC[AES256_GCM,data:Q//lq4YyjL8GmK7MACjT82v3GCAOVJnORiNwaFvT0dX+ZQ5a8GBXgqxgb+DtcOfYPMF4iulFSJiXBqeyDuAnRqYITE7ZAjZ1x3/E5Dl0uKA5hrrixOLka/lJHfrCUOAypFD27RHszJgU7jUbGPRQWQi6OViBKW1pRcX1juVT+Qw=,iv:Y0M45KXatLCigR6Kdya/07e7QZBTg0vOhE9YmJMi+TQ=,tag:gELLCgGq5pWT1LcogyJXcw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/deployment.nix b/deployment.nix index b3727f8..5f3a2ff 100644 --- a/deployment.nix +++ b/deployment.nix 
@@ -17,159 +17,36 @@ let in { - network.description = "nix-community infra"; - build01 = - { resources, ... }: - { - imports = [ - ./build01/configuration.nix - ]; + build01 = { ... }: { + imports = [ + ./build01/configuration.nix + ]; - deployment.targetHost = "94.130.143.84"; - }; + deployment.targetHost = "94.130.143.84"; + }; - build02 = - { resources, ... }: - { - imports = [ - ./build02/configuration.nix - ]; + build02 = { ... }: { + imports = [ + ./build02/configuration.nix + ]; - deployment.targetHost = "95.217.109.189"; + deployment.targetHost = "95.217.109.189"; + }; - deployment.keys."id_rsa" = { - text = secrets.github-r-ryantm-key; - destDir = "/home/r-ryantm/.ssh"; - user = "r-ryantm"; - group = "r-ryantm"; - permissions = "0600"; - }; + build03 = { ... }: { + imports = [ + ./build03/configuration.nix + ]; - deployment.keys."github_token.txt" = { - text = secrets.github-r-ryantm-token; - destDir = "/var/lib/nixpkgs-update"; - user = "r-ryantm"; - group = "r-ryantm"; - permissions = "0600"; - }; + deployment.targetHost = "build03.nix-community.org"; + }; - deployment.keys."github_token_with_username.txt" = { - text = "r-ryantm:${secrets.github-r-ryantm-token}"; - destDir = "/var/lib/nixpkgs-update"; - user = "r-ryantm"; - group = "r-ryantm"; - permissions = "0600"; - }; - - deployment.keys."cachix.dhall" = { - text = secrets."cachix.dhall"; - destDir = "/var/lib/nixpkgs-update/cachix"; - user = "r-ryantm"; - group = "r-ryantm"; - permissions = "0600"; - }; - - deployment.keys."nix-community-cachix.dhall" = { - text = secrets."nix-community-cachix.dhall"; - destDir = "/var/lib/post-build-hook"; - user = "root"; - permissions = "0400"; - }; - - }; - - build03 = - { resources, ... 
}: - { - imports = [ - ./build03/configuration.nix - ]; - - deployment.targetHost = "build03.nix-community.org"; - - deployment.keys.buildkite-token = { - text = removeSuffix "\n" secrets.buildkite-token; - user = "buildkite-agent-ci"; - permissions = "0600"; - }; - - deployment.keys.buildkite-agent-key = { - text = secrets.buildkite-agent-key; - user = "buildkite-agent-ci"; - permissions = "0600"; - }; - - deployment.keys."buildkite-agent-key.pub" = { - text = secrets."buildkite-agent-key.pub"; - user = "buildkite-agent-ci"; - permissions = "0600"; - }; - - deployment.keys.github-nixpkgs-swh-key = { - text = secrets.github-nixpkgs-swh-key; - user = "buildkite-agent-ci"; - permissions = "0400"; - }; - - deployment.keys."nix-community-cachix.dhall" = { - text = secrets."nix-community-cachix.dhall"; - destDir = "/var/lib/post-build-hook"; - user = "root"; - permissions = "0400"; - }; - - deployment.keys."matterbridge.toml" = { - text = secrets."matterbridge.toml"; - user = "matterbridge"; - group = "matterbridge"; - permissions = "0400"; - }; - - deployment.keys.hydra-admin-password = { - text = secrets.hydra-admin-password; - user = "hydra"; - permissions = "0400"; - }; - - deployment.keys.hydra-users = { - text = secrets.hydra-users; - user = "hydra"; - permissions = "0400"; - }; - - deployment.keys."marvin-mk2-key.pem" = { - text = secrets."marvin-mk2-key.pem"; - destDir = "/var/lib/marvin-mk2"; - user = "marvin-mk2"; - group = "marvin-mk2"; - permissions = "0600"; - }; - - deployment.keys."marvin_mk2_id.txt" = { - text = secrets."marvin_mk2_id.txt"; - destDir = "/var/lib/marvin-mk2"; - user = "marvin-mk2"; - group = "marvin-mk2"; - permissions = "0600"; - }; - - deployment.keys."marvin-mk2-webhook-secret.txt" = { - text = secrets."marvin-mk2-webhook-secret.txt"; - destDir = "/var/lib/marvin-mk2"; - user = "marvin-mk2"; - group = "marvin-mk2"; - permissions = "0600"; - }; - }; - - build04 = - { resources, ... 
}: - { - imports = [ - ./build04/configuration.nix - ]; - deployment.targetHost = "158.101.223.107"; - }; + build04 = { ... }: { + imports = [ + ./build04/configuration.nix + ]; + deployment.targetHost = "158.101.223.107"; + }; } diff --git a/nix/overlays.nix b/nix/overlays.nix index e25ef0a..b7ce2a6 100644 --- a/nix/overlays.nix +++ b/nix/overlays.nix @@ -3,6 +3,7 @@ let inherit (pkgs) git-crypt niv + sops sources; nixopsUnstable = let nixopsPkgs = import sources.nixops-nixpkgs {}; diff --git a/nix/sources.json b/nix/sources.json index 671d883..60d289b 100644 --- a/nix/sources.json +++ b/nix/sources.json @@ -41,10 +41,10 @@ "homepage": "https://github.com/NixOS/nixpkgs", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ed332b0bc7440cc25de85a09fdb0491d3ad3343d", - "sha256": "1n8wcgm0wcng1mcgk1q6yfi1y951j2fc3n2dxgcrns9v9h7c552c", + "rev": "e9540c5f121d77c68de0f2156cb6f9869d95a6f8", + "sha256": "0s0i6x78nxjyc0a885hzvwh5bylccixiam6c5h1q6pa64aqx50pc", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/ed332b0bc7440cc25de85a09fdb0491d3ad3343d.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/e9540c5f121d77c68de0f2156cb6f9869d95a6f8.tar.gz", "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" }, "nixpkgs-update": { @@ -94,5 +94,17 @@ "type": "tarball", "url": "https://github.com/ElvishJerricco/simple-hydra/archive/0d28b0b66136082d0cbfd90ede4436a580e3e8d0.tar.gz", "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" + }, + "sops-nix": { + "branch": "master", + "description": "Atomic secret provisioning for NixOS based on sops", + "homepage": "", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "64235a958b9ceedf98a3212c13b0dea3a504598f", + "sha256": "0672hz2ap0ljani5vm1yq9h92596ad7smmkl5rixmi878m6x1agr", + "type": "tarball", + "url": "https://github.com/Mic92/sops-nix/archive/64235a958b9ceedf98a3212c13b0dea3a504598f.tar.gz", + "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" } } 
diff --git a/roles/buildkite.nix b/roles/buildkite.nix
index fb65acb..a373df9 100644
--- a/roles/buildkite.nix
+++ b/roles/buildkite.nix
@@ -1,9 +1,13 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
{
+ sops.secrets.buildkite-token.user = "buildkite-agent-ci";
+ sops.secrets.buildkite-agent-key.user = "buildkite-agent-ci";
+ sops.secrets.github-nixpkgs-swh-key.user = "buildkite-agent-ci";
+
services.buildkite-agents.ci = { enable = true;
- tokenPath = "/run/keys/buildkite-token";
- privateSshKeyPath = builtins.toPath "/run/keys/buildkite-agent-key";
+ tokenPath = config.secrets.buildkite-token.path;
+ privateSshKeyPath = config.secrets.buildkite-agent-key.path;
}; }
diff --git a/roles/common.nix b/roles/common.nix
index 95f3ef3..d49d13e 100644
--- a/roles/common.nix
+++ b/roles/common.nix
@@ -9,6 +9,7 @@ ./telegraf ./users.nix ./zfs.nix
+ ./sops-nix.nix
]; environment.systemPackages = [
diff --git a/roles/gitlab-runner.nix b/roles/gitlab-runner.nix
index 7fdd31d..5cfc5e7 100644
--- a/roles/gitlab-runner.nix
+++ b/roles/gitlab-runner.nix
@@ -1,10 +1,5 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
## requires this secret in deployment.nix
-#deployment.keys.gitlab-runner-registration = {
-# text = secrets.gitlab-runner-registration;
-# user = "gitlab-runner";
-# permissions = "0600";
-#};
let gitlabModule = builtins.fetchTarball { url = "https://gitlab.com/arianvp/nixos-gitlab-runner/-/archive/9126927c701aa399bd1734e7e5230c3a0010c1b7/nixos-gitlab-runner-9126927c701aa399bd1734e7e5230c3a0010c1b7.tar.gz";
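Review bot: `tokenPath = config.secrets.buildkite-token.path;` and the `privateSshKeyPath` line below it read `config.secrets`, an option path that nothing defines; the declarations three lines up are under `sops.secrets`, and services/hydra/default.nix in this same commit reads them as `config.sops.secrets.<name>.path`. Evaluation will fail on this module; the lines should be `tokenPath = config.sops.secrets.buildkite-token.path;` and `privateSshKeyPath = config.sops.secrets.buildkite-agent-key.path;`. `github-nixpkgs-swh-key` gets a `user` here but no consumer in the hunk reads its path, so whatever used `/run/keys/github-nixpkgs-swh-key` before presumably still points at the old location and is worth checking.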
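Review bot: The context line `## requires this secret in deployment.nix` is now stale: the commented-out `deployment.keys` example under it is deleted and, per the second hunk of this file, the registration secret is read from `./gitlab-runner.yaml` through sops. Replace it with `## registration secret: roles/gitlab-runner.yaml (sops), see below` or drop it, so the next reader does not look for a deployment.nix entry that no longer exists.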
@@ -16,10 +11,15 @@ in "${gitlabModule}/gitlab-runner.nix" ];
+ sops.keys.gitlab-runner-registration = {
+ user = "gitlab-runner";
+ sopsFile = ./gitlab-runner.yaml;
+ };
+
services.gitlab-runner2.enable = true; # The module depends on gitlab-runner to have a "bin" output. services.gitlab-runner2.package = pkgs.gitlab-runner // { bin = pkgs.gitlab-runner; };
- services.gitlab-runner2.registrationConfigFile = "/run/keys/gitlab-runner-registration";
+ services.gitlab-runner2.registrationConfigFile = config.sops.keys.gitlab-runner-registration.path;
}
diff --git a/roles/gitlab-runner.yaml b/roles/gitlab-runner.yaml new file mode 100644
index 0000000..820c208
--- /dev/null
+++ b/roles/gitlab-runner.yaml
@@ -0,0 +1,3 @@
+gitlab-runner-registration: |
+ CI_SERVER_URL=https://gitlab.com/
+ REGISTRATION_TOKEN=ynWzkuM4vNEZkxrUtJFs
diff --git a/roles/nix-community-cache.nix b/roles/nix-community-cache.nix
index fd889e4..5881618 100644
--- a/roles/nix-community-cache.nix
+++ b/roles/nix-community-cache.nix
@@ -4,6 +4,11 @@ let sources = import ../nix/sources.nix {}; in {
+ sops.secrets.nix-community-cachix = {
+ path = "/var/lib/post-build-hook/nix-community-cachix.dhall";
+ sopsFile = ./nix-community-cache.yaml;
+ };
+
systemd.services.cachix-watch-store = { description = "Cachix store watcher service"; wantedBy = [ "multi-user.target" ];
diff --git a/roles/nix-community-cache.yaml b/roles/nix-community-cache.yaml new file mode 100644
index 0000000..08caa70
--- /dev/null
+++ b/roles/nix-community-cache.yaml
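Review bot: `sops.keys.gitlab-runner-registration = { … }` and `config.sops.keys.gitlab-runner-registration.path` use `sops.keys`, while every other declaration in this commit (roles/buildkite.nix, roles/nix-community-cache.nix, services/hydra/default.nix, services/marvin-mk2.nix) is under `sops.secrets`. Unless the sops-nix revision pinned in nix/sources.json defines a `sops.keys` option, this module fails to evaluate; change both occurrences to `sops.secrets.gitlab-runner-registration` and `config.sops.secrets.gitlab-runner-registration.path`. The enclosing module body starts before this hunk.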
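Review bot: This file is committed in cleartext: the `REGISTRATION_TOKEN=` value is a literal, with no `ENC[...]` wrapper and no trailing `sops:` metadata block, unlike build02/secrets.yaml, build03/secrets.yaml and roles/nix-community-cache.yaml in the same commit. The `roles/[^/]+\.yaml$` rule in .sops.yaml already covers this path, so the file should have been created or encrypted with `sops` before committing; sops-nix presumably also fails to decrypt a file without metadata, so the role likely does not deploy as is. Because the plaintext is now in git history, the GitLab registration token should be treated as exposed: revoke it, issue a new one, and commit the replacement only in encrypted form.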
@@ -0,0 +1,57 @@ +nix-community-cachix: ENC[AES256_GCM,data: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,iv:N/yKtyd56YpdpNEe92g9Eml8gYR9x5pBT66U5p20Rzw=,tag:HCAJSqQ3Wq5SnZDwdryN1Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UE1CMW5mVTFHdW01T0Qr + SFJBcXZXRm4rbXQ4WnU3OVlhZk9EWEswbUdzCm8zR2tBdEh6Tk9PS1BEUHJmb3k3 + T3hmcUt2dnZER0tIMlhIeENuUFR4S1kKLS0tIFhXaUU1SlJQLy93T2I3SXB3VXUy + bmdob3B6R3ByNjBvdEtkWTlTSi9vbnMKIBY6+fzvy/4dQ7EAhI4nU2ViSSlZ3KmG + bZv63cddNEGFq9JAQUIqfkaF0FjcOm9c+GPuKa08bQLOJ74gXF8dzg== + -----END AGE ENCRYPTED FILE----- + - recipient: age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZk5vOXJwSC9tRmprdjdS + MGRrTmx4dGJudVFsZFZtaHBjbEtOa0xnQ0I4CjcrTnNNdm1EQnl2VDkrVi9FcjVV + RHNFOGhqTXRzMkEwb3JwdlRGVFR0V28KLS0tIERKU2JHSHI5M3FLejJLRVJ3QVd1 + a2NpZndjN1ZSSjJqYkpuSUluU1k5UFEKDmBFgAkjb3k9x8QetqYbYw4m7KyDQbXz + JwOKDu3pkL5LnJ4rOIZGABNUsb8yXCk2MIzT791tokbyEj2LWUAcTw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NWt5UGdFK2NhUUFoTkdy + b2IvVEdkd0t3akM5bktFdGYrd3B5WFhZZ2s4CnpxalBCUmt4c2xMaUV4cFFZOVIr + Z080SloyaXhKUGNrVmZJbnZjVDJYNW8KLS0tIEtJQWlURFlTQWF4MC9ZS3p1L3A0 + dXM2VTZKWFBCUXFUMFNpQkJFTS9MaHcK86b9xh17pQOauZLUhfnwdBk2CDXo07Bk + 8nrAinC8kJS7Nok4gvu+ps07O26DDPGTIY07vJrV52NagI/trl0caA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyeVNNWm0rdnJmd1JCQXhw + bzh6ZVRzZHZiSHRXcFFmU3Zua2pRaC9kUFZNCkdZcWcxU2VWSWNON2lzQXFVYVVJ + 
Tk15Qm1ZUzRrb0h3eTY0MU9iQS80TG8KLS0tIExPRVRRNWs4MlhseW5lNllFalQr + ZlliV2Q2dmVJK05WcUlmcENRM3hxT1EKXKH2F6ImIowlmhg8W7j5cVxVaP3tIfkv + JEOCVPBUPoGSEndNYsg0gcJfnkZbfeSwrmmEXyY8y2C5gqlm/sp4FQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vr4suv4lhtt8f59s25eukdfk67j7av72gvj7sk7ux6thusct3utqmn3pmf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWFBhNUtzdTBSc3JrYnZs + ZTNKa0lNVG8vUVhDM0lyZzVIV29UTWNvU2s0CjV2S0ZXYTUrZnVjQXI4THovWTEw + UytYV2dxTUNUamFZRHNiWHNPREJaQmsKLS0tIHJWQk9qQWtySmFVZWZwZHdXV0dh + NmZYQm5iYkhkek9Pa1J6MFlQZEtPZTgKXYaKq7feFWHZttEU7zNTzI+Am/02qv9S + mN0jh+IW55kYKh+Fo3yXirqOqeRKImt3jHYU1j0HKZqHIaQkNd4iCg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-09-25T19:43:46Z" + mac: ENC[AES256_GCM,data:ZQibKAevbsldaAIjzoZ4/zzWdCLaGHKMzBU7zre6DnE+9UF3vpa+VWfTPCs7ovqKkWJUsTiyyg8JxMeF3ivFnXRzrbzeX5EZRAqlKQJHXAp5ruWDJL5Zaw3dWMVM70MGJDOsZdws5tJUu8jbZN5nYX+yjw1zDIfb1Gho7sfYg48=,iv:VDP2iWxiFy+4vTQd5DKMNpMFAWrfwKKaGfZos+Y5l3U=,tag:wo8a27b6hWkL85e+IIm58Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/roles/sops-nix.nix b/roles/sops-nix.nix new file mode 100644 index 0000000..54c9bf6 --- /dev/null +++ b/roles/sops-nix.nix @@ -0,0 +1,10 @@ +{ config, lib, pkgs, ... }: +let + sources = import ../nix/sources.nix; + hostDir = lib.head (builtins.match "nix-community-(.*)" config.networking.hostName); + defaultSopsPath = ../. + "/${hostDir}/secrets.yaml"; +in +{ + imports = [ "${sources.sops-nix}/modules/sops" ]; + sops.defaultSopsFile = lib.mkIf (builtins.pathExists defaultSopsPath) defaultSopsPath; +} diff --git a/services/hydra/default.nix b/services/hydra/default.nix index 41fd35f..edbdb6a 100644 --- a/services/hydra/default.nix +++ b/services/hydra/default.nix 
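Review bot: `hostDir = lib.head (builtins.match "nix-community-(.*)" config.networking.hostName);` throws an unhelpful error from `lib.head` on any host whose name lacks the `nix-community-` prefix, because `builtins.match` then returns `null`; the condition should be checked and reported explicitly, as in the rewrite below. `sources = import ../nix/sources.nix;` also differs from the `import ../nix/sources.nix {}` form used in roles/nix-community-cache.nix; niv's sources.nix presumably accepts both, but one spelling keeps the roles consistent. A header comment would help the next reader, e.g. `# Per-host secrets live in <hostDir>/secrets.yaml; hosts decrypt with the age identity derived from their SSH host key (see .sops.yaml).`
```nix
  hostMatch = builtins.match "nix-community-(.*)" config.networking.hostName;
  hostDir =
    if hostMatch == null
    then throw "roles/sops-nix.nix: hostname '${config.networking.hostName}' does not start with nix-community-"
    else lib.head hostMatch;
  # … unchanged: defaultSopsPath, imports, sops.defaultSopsFile …
```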
@@ -6,8 +6,8 @@ let hydraPort = 3000; hydraAdmin = "admin";
- hydraAdminPasswordFile = "/run/keys/hydra-admin-password";
- hydraUsersFile = "/run/keys/hydra-users";
+ hydraAdminPasswordFile = config.sops.secrets.hydra-admin-password.path;
+ hydraUsersFile = config.sops.secrets.hydra-users.path;
createDeclarativeProjectScript = pkgs.stdenv.mkDerivation { name = "create-declarative-project";
@@ -78,6 +78,9 @@ in }; }; config = {
+ sops.secrets.hydra-admin-password.user = "hydra";
+ sops.secrets.hydra-users.user = "hydra";
+
nixpkgs.config = { whitelistedLicenses = with lib.licenses; [ unfreeRedistributable
diff --git a/services/marvin-mk2.nix b/services/marvin-mk2.nix
index 560f3d7..3eb5a7e 100644
--- a/services/marvin-mk2.nix
+++ b/services/marvin-mk2.nix
@@ -28,6 +28,18 @@ in # FIXME: use the above host instead networking.firewall.allowedTCPPorts = [ 3001 ];
+ sops.secrets.marvin-mk2-key.user = "marvin-mk2";
+
+ sops.secrets.marvin_mk2_id = {
+ path = "/var/lib/marvin-mk2/marvin_mk2_id.txt";
+ user = "marvin-mk2";
+ };
+
+ sops.secrets.marvin-mk2-webhook-secret = {
+ path = "/var/lib/marvin-mk2/marvin-mk2-webhook-secret.txt";
+ user = "marvin-mk2";
+ };
+
users.groups.marvin-mk2 = { }; users.users.marvin-mk2 = { useDefaultShell = true;
diff --git a/services/matterbridge.nix b/services/matterbridge.nix
index a01b478..ec9b951 100644
--- a/services/matterbridge.nix
+++ b/services/matterbridge.nix
@@ -1,5 +1,6 @@ # A single instance of matterbridge { ... }: {
+ sops.secrets.matterbridge.user = "matterbridge";
services.matterbridge.enable = true; services.matterbridge.configPath = "/run/keys/matterbridge.toml"; # Allow to access /run/keys
diff --git a/shell.nix b/shell.nix
index 761a7c3..9f95e0d 100644
--- a/shell.nix
+++ b/shell.nix
@@ -14,6 +14,7 @@ pkgs.mkShell { niv nixopsUnstable terraform
+ sops
]; # terraform cloud without the remote execution part
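Review bot: `sops.secrets.marvin-mk2-key.user = "marvin-mk2";` declares no `path`, unlike the two secrets below it and unlike the removed deployment.nix key, which placed this file at `/var/lib/marvin-mk2/marvin-mk2-key.pem`; the key will now materialise under sops-nix's default secrets directory instead. If the service definition (outside this hunk) still reads the old location it breaks; either add `path = "/var/lib/marvin-mk2/marvin-mk2-key.pem";` to this secret or point the consumer at `config.sops.secrets.marvin-mk2-key.path`. The old keys also set `group = "marvin-mk2"`, which the new declarations drop.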
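Review bot: The context line `services.matterbridge.configPath = "/run/keys/matterbridge.toml";` still names the nixops key directory, but this commit removes the `matterbridge.toml` deployment key from deployment.nix and provides the config as the sops secret `matterbridge` (build03/secrets.yaml), so nothing writes that path any more and the service starts without its config. Change the module header to `{ config, ... }:` and the line to `services.matterbridge.configPath = config.sops.secrets.matterbridge.path;`. The `# Allow to access /run/keys` block that follows is presumably obsolete for the same reason but lies outside the hunk.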