move hercules CI secrets to sops

2024-12-16 08:34:56 +10:00 · 2024-12-16 08:34:56 +10:00 · 36a9be1663
commit 36a9be1663
parent b260b29a85
11 changed files with 131 additions and 91 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -63,6 +63,17 @@ creation_rules:
          - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
          - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
    path_regex: ^hosts/web02/secrets.yaml$
+  - key_groups:
+      - age:
+          - age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+          - age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
+          - age1xpzexnaulzdjtnwstvgvtq2ar7nkk2lj46u96ewjvtgt7g47jsxs0mhag3
+          - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          - age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          - age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+    path_regex: ^modules/secrets/hercules-ci.yaml$
  - key_groups:
      - age:
          - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
--- a/dev/treefmt.nix
+++ b/dev/treefmt.nix
@ -65,6 +65,7 @@
      excludes = [
        "config.yaml"
        "*secrets.yaml"
+        "modules/secrets/*.yaml"
      ];
    };
  };
--- a/modules/darwin/hercules-ci.nix
+++ b/modules/darwin/hercules-ci.nix
@ -1,24 +1,24 @@
 { config, inputs, ... }:
-{
-  age.secrets.hercules-binary-caches = {
-    file = "${inputs.self}/secrets/hercules-binary-caches.age";
-    mode = "600";
-    owner = "_hercules-ci-agent";
-    group = "_hercules-ci-agent";
-  };

-  age.secrets.hercules-cluster-join-token = {
-    file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
+let
+  secret = {
    mode = "600";
    owner = "_hercules-ci-agent";
    group = "_hercules-ci-agent";
+    sopsFile = "${inputs.self}/modules/secrets/hercules-ci.yaml";
  };
+in
+{
+  sops.secrets.hercules-binary-caches = secret;
+
+  sops.secrets.hercules-cluster-join-token = secret;

  services.hercules-ci-agent = {
    enable = true;
    settings = {
-      binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
-      clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+      binaryCachesPath = config.sops.secrets.hercules-binary-caches.path;
+      clusterJoinTokenPath = config.sops.secrets.hercules-cluster-join-token.path;
+      # secretsJsonPath / hercules-secrets isn't needed on darwin
    };
  };
 }
--- a/modules/nixos/hercules-ci.nix
+++ b/modules/nixos/hercules-ci.nix
@ -1,27 +1,24 @@
 { config, inputs, ... }:
+let
+  secret = {
+    owner = "hercules-ci-agent";
+    sopsFile = "${inputs.self}/modules/secrets/hercules-ci.yaml";
+  };
+in
 {
-  age.secrets.hercules-binary-caches = {
-    file = "${inputs.self}/secrets/hercules-binary-caches.age";
-    owner = "hercules-ci-agent";
-  };
+  sops.secrets.hercules-binary-caches = secret;

-  age.secrets.hercules-cluster-join-token = {
-    file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
-    owner = "hercules-ci-agent";
-  };
+  sops.secrets.hercules-cluster-join-token = secret;

-  age.secrets.hercules-secrets = {
-    file = "${inputs.self}/secrets/hercules-secrets.age";
-    owner = "hercules-ci-agent";
-  };
+  sops.secrets.hercules-secrets = secret;

  services.hercules-ci-agent = {
    enable = true;
    settings = {
-      binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
-      clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+      binaryCachesPath = config.sops.secrets.hercules-binary-caches.path;
+      clusterJoinTokenPath = config.sops.secrets.hercules-cluster-join-token.path;
      # secrets file is needed for effects
-      secretsJsonPath = config.age.secrets.hercules-secrets.path;
+      secretsJsonPath = config.sops.secrets.hercules-secrets.path;
    };
  };
 }
--- a/modules/secrets/hercules-ci.yaml
+++ b/modules/secrets/hercules-ci.yaml
@ -0,0 +1,86 @@
+hercules-binary-caches: ENC[AES256_GCM,data:kj6AvRCx36dkJFi01Q8YIXuQ1RPDaGoBXKUoK8Um5KV/gAmJxh1pha+EVjRIX2qeREE76Xq6oWXwWl4pAkPU6M4dqAG3yhaGn5aaX5sHJnspT+N38JpOJurI6mMFLa7ktJxtQj1kpkU13RIpb9G81SPPZF5URR7QUD+A1JQIhwT93DVdnQxi6PRuuaqetwQrt15GSSjcvr3U72wN3deMrJH2DVkJiO3OnC7vJs/UyrT8cjIrWxOzjXTpywY9+drA3SYnMSmlu/4JmIwpGUHTe2E09pkkyusZsae8WyFB91UuatTuaLA2ZprOl0k9vxICUSzFjKwecgB1fzd6Gf1EDN0SZ5ZTPq29I6PAVPsFw9q3YKNaIT3+9YJSQKSb8EIwS2bmguUMdexLLOs6xQHvN0otJYoRNDJhfBC3f5H3sf0=,iv:vaYMdJcrEsbJfamBIS+eldlFUaIKQUlhsavNs5yUxbU=,tag:qkcahfMiNN+SPK96xPVGIg==,type:str]
+hercules-cluster-join-token: ENC[AES256_GCM,data:cwMtoJck16BDx4adMr8543gQoeYml8EI+XsTVk6rlT9qv1FMMo/CrrlOVNV5qd2TGXAmnlFawymKaRZZkU/6B618m3Q8fTTzwaoAFhEsuHh9G2+Cghp8dBEot2H+PbnNauq8Bor3oEU62gG0tbtVTVmy1rtGWG98S/KKyLu6HFZEAbail+ApXr8T1pe5HO6lwZZiSz4OosOW/hZWYqZCIahdSX8RxjufW0c4J0HTFrv8Zckc6YgCeJA3Mt0c7Vkjet4MQOueVEOHTRyZFIf1cVreKWNxuINgu365+UbrI39KqWN2GNXaTnOkZr4=,iv:zm7blCtNejdvVjVCIH+QTqtAiEYp7LC6/rTrMoqUrGk=,tag:oTb1iSUq713/k6G3o2axEw==,type:str]
+hercules-secrets: ENC[AES256_GCM,data:xYvP,iv:Ak5dxiwSVX9Si443kY43oXklOrUg0A0Pw00vrLQqzX4=,tag:v4CpvgDtGUd97OtG2KGmrg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1d2FOd0Z0MEdPbmMweWVv
+            dm5JbjNJdGRUOGtmN2F2dlhlNDRrVGtzamhzClFmUlpJSHN4YmI2dEZmcUxaSUV2
+            YlZFdURKc05KdzRJTGxUb2UwZ2E0RnMKLS0tIGdFNUxZU0NPMkZpK2hwN0QxWThU
+            M3g0MUgrNUZBTjlwMVM0OFg1WVZWVHcKTBMdpK9TPNS37NfnW1hZFhszssHJ7j90
+            tpyAbCOupBVPZIxcvG5iQfetW6IlBPP8X6fLnD55QAE3BcZXNXKT/Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0R2cxM0tlanU0MkU0WS9k
+            SklLN21YUWIxRlhVci80ZVlQS1c3WGlWaTBJCkNBOWE4VkpqUlNGOGtab01XRGkw
+            RUJJZm5VeU1JU2hnMzM5NjBWUjdBN3cKLS0tIC9tandNM0ZBeXFnUmtuTVRvR0RQ
+            dHFtcVE3b2FqYlNGT1NoWmh2YkFVTGMKEdQO/Llwm+90EUDPPhgNtVF+1W6SMiwi
+            aOCQxyXzTL18w5Y9jYyP7nGV3pU4/nc0VzmV0WPT//YjSe1e6pVy1A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xpzexnaulzdjtnwstvgvtq2ar7nkk2lj46u96ewjvtgt7g47jsxs0mhag3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTWNvWUw4TVNoTVd6LzdD
+            dUY0S084TEl6SUdEYUpHdlJod1Z6MzlKdUFJCk94Q1pmM0UvUVIrUWNScG9TeWNy
+            K2g2cGxRUWlSVEtLTmtjcHNWSURXR2MKLS0tIFVOYWpONFhTVHNrR1kwSmVQUUty
+            RHlyVjNZSC9CR2orODMyT0V6M3FrekEKajFVMiODpTOXU862VePw/L1L0xNNAeBH
+            BR3rOD7/MKNFGsjuQ94hD9sx4JTlJgyloBWNaCy3v36gRIohRcb6Vg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidHZOcGh3Ymg3UVg0MHM4
+            S0xQZWVCMHZEZmJyb0FxWWs3dE0vUzgwRlJvCnhXT3hGbWxNczRXUnJTNTFyVTdF
+            ZnZ0Tkpsc003bC9sQ21NakwxNHNjbUkKLS0tIHRrUVQ0SU54L1NXZktRc2ZyWmRs
+            K3RWa0ovYkpUc20wVE4yRUMxMEY5MkkKpxmOMbbk/cJ/jdQ2Ts6p7fTHv1QJjHU1
+            oGQmSL3Gn5/iGB/ioGhtq0ClNch9r8cmcVh5eA7ATRgWVmGtvmVRuQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Ykd1MU9LYUw5b0ZZV1U2
+            dXV3eXg2REZnR21YRmlGT0NWRmdUYklJRkZFCkRQUkxqNm9abVQ2K2E0TlFDNUU0
+            a0I5MXg2dUplODloWWYyRXQ4MVAvWHMKLS0tIFJjNDFTd083WE12ZmdQcldIbndC
+            TWlpd2R6SFQrZ2Y4QWJSSnNZMTlUK00K5x9w6ZvUltGksdbGmVu9RKUIQQ7ER69c
+            V4o3cpyH7TTc3SnuXyYs99XJLrxVq529DGzdhHs2M9S83I3GvFPAUQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcmxOY0NVSG4vclcxSHVi
+            a24xZTRNeGJ1SmZPMGlndWluTFVnVWhweXlvCjBIdWcyampDYXNPMGdLY2tNSEoy
+            M0YzdzZEdUNTTlRVZTZpNG4ybEtDVU0KLS0tIFNNdDhLSlpXV1dSbTFmcG84V1B6
+            MXJXaHRxNlRoM0FiZUlGSjN6ZSttcnMKX5Jbu0UCCTVgwMqHquQiMdfYz8hUejMH
+            ZDdNrPZLXNkOt87N/anJiwNhdbMxYJDPdn3ieEMca2HBAitVT8qIlQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcE9WM0IyVjZ2amJ6R1Zr
+            OVRpQWtTMks1QnVrb0Fjb21KQ1hiZ0huNlNrCnpud1lIT3dkc0pOOXgwWnZuaGcy
+            TXVJZStTeURTdUpFc1ZIRjBBTHBOUVkKLS0tIEJ1dG0vbUNQWnc1UyttNU9YSFlG
+            ek91Y1lDVVRrZldrSHI5Y2Ira05pNm8K3fEJaKEXX2oV+QkLiKaCl2gvGtR6lJBy
+            TqzfrnENZ1wSxxHOxQUp+1UG5q3O8BQyX4iTG6jPAKFCD1c7w1zUjQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvU0k0WFI5aC9Mc3ZuVWN0
+            QmV5Mnk0dXBLWU1mcHp0aHZIdUROKzEzV1Y4Ck14RWdLdlJIaHRDWG5vTmVYdmdo
+            K3BzVUViQ1NyVXZuVXBtVit6eS9GS1UKLS0tIEo5clgwcm9uSTk3Z2Y2cjdRZ1RC
+            WFI4TERDVHFpdGNKdTlpbGRVV1JCVVUKpRpq0WhqK53tsEfIUwhW6wgO+D3XylS4
+            YtN/X3WT3+J7PS5L21cvbUoEEcb7oE1ZHvro0L6SN/fJ6+SYgGGyCQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-16T22:50:20Z"
+    mac: ENC[AES256_GCM,data:GHNWoNFq7Ij7palmTpSnRYUmj2EjxLfJ6+dRPtIzdpZqWiagVs42QaO0y7lTYOcpWfQdQ4vIes7fSYhniPyor3qhyZxPZypOYkKSpaBLo+UvQQoNiNYI1CJSWfDBqTLpw+VakM3enAAg7/rYP1KnHJDRA9H1Ue1Ekq+12Ii7jB4=,iv:rAGOvRMjKAo6tQLqIFfn8CMVQIO6wwVhbDStBBddn5A=,tag:gX2nHsqrTldMgkoTgxzOZw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/secrets/hercules-binary-caches.age
+++ b/secrets/hercules-binary-caches.age
--- a/secrets/hercules-cluster-join-token.age
+++ b/secrets/hercules-cluster-join-token.age
@ -1,24 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 w3WLfA x/YAHTSiimsim42u9TANr2sQAME5vxERtRYmytjGdjo
-S+XenvJjOIYQrj5ZveVZpULcm6bt/FrWy4uH+UZSiQE
-> ssh-ed25519 Iw1MCQ MYjn2q/EMnLez6wb6DEh+ix36WRsmRzo9qLOXGxVMHo
-h2WPCfInagKRCIV1bNzCMWMRTS3SHQNV14BNKuspE2I
-> ssh-ed25519 T9HyUg 7ur+zCdrqTHXGwB3Il1QWHDUD9PhM3tblVi6au7q2lc
-CuqzUS1Oz2L40jXDB6QXEVXy5u9C/G2zvfCHrVUq2Rw
-> ssh-rsa ALNSWw
-FS4RHiHh1/8Hmv95mql4YKsEaVTfZBgZP8v6GWI15iGXap6Y5RGUYyRJFSxDCBax
-z+CIqEFVBDU27IOLcEE1d4Vu28TTZ58WZNKdJEUNFiV7bJti2sRjhNdDcyLYnqoO
-1R8fa++Ka45uC1aitrtnYlqw9H/ZHG2YKqm5mm08HpQOvXqivGn5sVtcPSSH0Csr
-Xu6a+mXQsrEtP2qDkR7W+ZUYVLxYrfuQczJ82OKfzUK+3G+myDpr/lYI0i97INEU
-rOSFs0SFC4oVwk6wugguCGGt/EaVbe5lBQBUlBMLeGkHGsSRgSHtBcS2ZW8NXYHk
-4OmXPu3e+qRf2iBXIZ1Q4w
-> ssh-ed25519 Qi7vNw 9r6k1MAP2NOjy7K7zKmE//DLVCOYEGeLnD/HEGBLvjY
-TwEWyOQNqV+xU5MaQtYIf0VeWBL9lNLCrHSBlkxOprA
-> ssh-ed25519 MW0fCg hyLX8herf6zasDRbYPnBIDKhHdmshpQpugzbjeMRkQk
-0cDaTwxrtaDLKlcMRYbjSXrAqbgFrCeZI9cEBA5HOdQ
-> ssh-ed25519 92bXiA e6UBcl0RrKgags/0VZVT3bE8re+C9TY15RQrtZRKi1E
-rGhaV4Z2SdsmZ8Vor0/yv13XcOR2J7hYiT0u1g0V68s
-> ssh-ed25519 h1lenA KEidSVfCZNOlPhFVePBaN6LHyPa95Nx3twjUXHsNzFM
-L0VG+NiujqusrEUoBz6ZaQgWEkyRPaXA8I6o02AIccc
--- tHo6R3b+X52chttfjIV6SCssiWbZ2ZUAarYOQSfj18U
-“DœTî”1¥	Ö_Î¸*©³¶`›¢‡ Â#Ÿ^Óêòì(k,ÈÔièªM¸«\SÀÙÍŒ{À*ÍŽ—‰¦TY<?*˜œ#¤šü¬s8$Ú–1¢†x]à®eF$©˜ò«¢Ö1pì±
‰GBXØøúBšÞM×Hãd6Çq©N¢à/m€Wžðh˜Üvu•¿jŽuºJ©'ð<18>ÆS_?y“âs„½Z‚‡×o 6µ]‡Q—§ÖH¯œ`‹[DpN<70>r?l„2Ktèí0‚š±¸Ï’“òxìƒ¼sÃ¤”jñ\t#i40`™§0šÍíñ9»<39>hzø=: Ü4K}‰U‰û¡¶
--- a/secrets/hercules-secrets.age
+++ b/secrets/hercules-secrets.age
@ -1,22 +0,0 @@
-age-encryption.org/v1
-> ssh-rsa ALNSWw
-JPVTTEpszi2gGu1rOhd0dRV4ebmQe9Hk2h8bBQI/pq5JYV+H0Bh4oTN/CZ3Py9pS
-sg9n3TPFmZs3Mg/7sr9o/rHtRB1Eyq0mVGFkDqDiDKu7w9Cyz5GsvX8H0FActa0w
-BLFzZb0mpjXk7yqZMrXBejacU9EAWH+qRtReAmyMv9SSs4hEwSNNDPMqBHa8VapV
-lEC3s9zPNTCR5SuMb4D8EBMBcZ8i4C1lCiUFOBCr3YRTkH2430PG3uX/543vwKn7
-amHSRxoNk8GxDK2Z3azJfBGa2ESUEBef3g76P/Y0SDEOkg0u09g9/6vnKJ+fGrf8
-Zq/Ydx5N8QinAqiDZhirkA
-> ssh-ed25519 Qi7vNw Nn4EMk/FmRVrOpWEqaLFyKd2P+udGQeJxn7mrEA89Rk
-rpUu5ZvxoHReKK/XKFp5zElKyvO/ZkZgbxwxqg9Hbhc
-> ssh-ed25519 MW0fCg cT/e5vLkD/oRVa23QP/0ZzACU4gbajC3UOOHHMCpOlg
-a4GEBlXXvcAkM8f7jHS03Fn+Y9AZEmSw57nCc+UULUc
-> ssh-ed25519 92bXiA pwmOz0U2J734URSKYgzmwjU8G64mHc0zXUwx26wW6Rk
-uJRltNEU1Xmin9cVFToetPdw+Q1jBO/e5kGooRWDUWM
-> ssh-ed25519 h1lenA NiXmtP+u6lzOmwS1qBE+Aa1LTaCNrN2PelySn6h8jj8
-NUZorwmpdChGzKSJ/OwBACy+1cvkxSynh/PLg5BXHcI
-> ssh-ed25519 w3WLfA 1mpwXgXsSCnu6P8oknOJOmQN2nfkXR4cuk3V4Z8hA2w
-yQRB7JHQoJFiePv9qF1x+saTag9nWVGE5fbp4dKHD2k
-> ssh-ed25519 Iw1MCQ BhSpFVwgbZEOauhacPj9MPzYZ+742/p6Vfals7V2KnM
-iLSmAz6WSwQJfrEq1jyUxNyA3VssWAJ9U3Bv8ouu1Sw
--- 0taNGRQsutIEP95MVdq2I3kyuold6r85MqKdz3G5li0
-rIždR[ˇ?ýöţtÎúÜyüIěťr6‡¬î5zż‚F2
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -14,9 +14,7 @@ let
  build01 = knownHosts.build01.publicKey;
  build02 = knownHosts.build02.publicKey;
  build03 = knownHosts.build03.publicKey;
-  build04 = knownHosts.build04.publicKey;
  darwin01 = knownHosts.darwin01.publicKey;
-  darwin02 = knownHosts.darwin02.publicKey;
  web02 = knownHosts.web02.publicKey;

  secrets = {
@ -27,21 +25,6 @@ let
      darwin01
    ];
    grafana-client-secret = [ web02 ];
-    hercules-binary-caches = [
-      build03
-      build04
-      darwin02
-    ];
-    hercules-cluster-join-token = [
-      build03
-      build04
-      darwin02
-    ];
-    # hercules-secrets are only needed on linux
-    hercules-secrets = [
-      build03
-      build04
-    ];
    hetzner-borgbackup-ssh = [
      build02
      build03
--- a/sops.nix
+++ b/sops.nix
@ -22,7 +22,13 @@ let
      "secrets.yaml" = [ ];
      "terraform/secrets.yaml" = [ ];
    }
-    // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) { }
+    // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) {
+      "modules/secrets/hercules-ci.yaml" = [
+        "build03"
+        "build04"
+        "darwin02"
+      ];
+    }
    // builtins.listToAttrs (
      mapAttrsToList (hostname: key: {
        name = "hosts/${hostname}/secrets.yaml";
--- a/tasks.py
+++ b/tasks.py
@ -71,7 +71,9 @@ def update_sops_files(c: Any) -> None:
        print("# AUTOMATICALLY GENERATED WITH: $ inv update-sops-files", file=f)

    c.run(f"nix eval --json -f {ROOT}/sops.nix | yq e -P - >> {ROOT}/.sops.yaml")
-    c.run("shopt -s globstar && sops updatekeys --yes **/secrets.yaml")
+    c.run(
+        "shopt -s globstar && sops updatekeys --yes **/secrets.yaml modules/secrets/*.yaml"
+    )


@task