diff --git a/.sops.yaml b/.sops.yaml
index 487a40c..5ed46f9 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -63,6 +63,17 @@ creation_rules:
           - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
           - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
     path_regex: ^hosts/web02/secrets.yaml$
+  - key_groups:
+      - age:
+          - age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+          - age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
+          - age1xpzexnaulzdjtnwstvgvtq2ar7nkk2lj46u96ewjvtgt7g47jsxs0mhag3
+          - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          - age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          - age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+    path_regex: ^modules/secrets/hercules-ci.yaml$
   - key_groups:
       - age:
           - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
diff --git a/dev/treefmt.nix b/dev/treefmt.nix
index 70f9875..7011fdd 100644
--- a/dev/treefmt.nix
+++ b/dev/treefmt.nix
@@ -65,6 +65,7 @@
       excludes = [
         "config.yaml"
         "*secrets.yaml"
+        "modules/secrets/*.yaml"
       ];
     };
   };
diff --git a/modules/darwin/hercules-ci.nix b/modules/darwin/hercules-ci.nix
index a68140b..501691a 100644
--- a/modules/darwin/hercules-ci.nix
+++ b/modules/darwin/hercules-ci.nix
@@ -1,24 +1,24 @@
 { config, inputs, ... }:
-{
-  age.secrets.hercules-binary-caches = {
-    file = "${inputs.self}/secrets/hercules-binary-caches.age";
-    mode = "600";
-    owner = "_hercules-ci-agent";
-    group = "_hercules-ci-agent";
-  };
 
-  age.secrets.hercules-cluster-join-token = {
-    file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
+let
+  secret = {
     mode = "600";
     owner = "_hercules-ci-agent";
     group = "_hercules-ci-agent";
+    sopsFile = "${inputs.self}/modules/secrets/hercules-ci.yaml";
   };
+in
+{
+  sops.secrets.hercules-binary-caches = secret;
+
+  sops.secrets.hercules-cluster-join-token = secret;
 
   services.hercules-ci-agent = {
     enable = true;
     settings = {
-      binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
-      clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+      binaryCachesPath = config.sops.secrets.hercules-binary-caches.path;
+      clusterJoinTokenPath = config.sops.secrets.hercules-cluster-join-token.path;
+      # secretsJsonPath / hercules-secrets isn't needed on darwin
     };
   };
 }
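Review bot: `mode = "600"` on the shared `secret` attrset grants the agent write access to both decrypted files, whereas the NixOS module in this same commit sets no mode and so presumably gets sops-nix's owner-read-only default; unless the darwin agent actually rewrites these files, `mode = "0400";` (or dropping the line) is the tighter choice. Since `key` is not set, each `sops.secrets.<name>` entry presumably falls back to sops-nix's default of using the attribute name as the YAML key, which is the only reason one attrset can serve two different secrets; that deserves a comment on the `let` binding, e.g. `# key defaults to the attribute name, so each entry selects its own YAML value`.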
diff --git a/modules/nixos/hercules-ci.nix b/modules/nixos/hercules-ci.nix
index 5d5d006..29e3512 100644
--- a/modules/nixos/hercules-ci.nix
+++ b/modules/nixos/hercules-ci.nix
@@ -1,27 +1,24 @@
 { config, inputs, ... }:
+let
+  secret = {
+    owner = "hercules-ci-agent";
+    sopsFile = "${inputs.self}/modules/secrets/hercules-ci.yaml";
+  };
+in
 {
-  age.secrets.hercules-binary-caches = {
-    file = "${inputs.self}/secrets/hercules-binary-caches.age";
-    owner = "hercules-ci-agent";
-  };
+  sops.secrets.hercules-binary-caches = secret;
 
-  age.secrets.hercules-cluster-join-token = {
-    file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
-    owner = "hercules-ci-agent";
-  };
+  sops.secrets.hercules-cluster-join-token = secret;
 
-  age.secrets.hercules-secrets = {
-    file = "${inputs.self}/secrets/hercules-secrets.age";
-    owner = "hercules-ci-agent";
-  };
+  sops.secrets.hercules-secrets = secret;
 
   services.hercules-ci-agent = {
     enable = true;
     settings = {
-      binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
-      clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+      binaryCachesPath = config.sops.secrets.hercules-binary-caches.path;
+      clusterJoinTokenPath = config.sops.secrets.hercules-cluster-join-token.path;
       # secrets file is needed for effects
-      secretsJsonPath = config.age.secrets.hercules-secrets.path;
+      secretsJsonPath = config.sops.secrets.hercules-secrets.path;
     };
   };
 }
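Review bot: The `hercules-secrets` entry in the new `modules/secrets/hercules-ci.yaml` carries only a few bytes of ciphertext (`data:xYvP`), so the JSON handed to `secretsJsonPath` here is presumably an empty object; if that is intentional, a comment would save the next reader a decrypt, e.g. `# currently an empty JSON object; populate when effects need credentials`. The shared `secret` attrset sets no `mode`, so all three files presumably get sops-nix's owner-read-only default, which matches the agent's read-only use and is worth keeping as-is.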
diff --git a/modules/secrets/hercules-ci.yaml b/modules/secrets/hercules-ci.yaml
new file mode 100644
index 0000000..8dba4c3
--- /dev/null
+++ b/modules/secrets/hercules-ci.yaml
@@ -0,0 +1,86 @@
+hercules-binary-caches: ENC[AES256_GCM,data:kj6AvRCx36dkJFi01Q8YIXuQ1RPDaGoBXKUoK8Um5KV/gAmJxh1pha+EVjRIX2qeREE76Xq6oWXwWl4pAkPU6M4dqAG3yhaGn5aaX5sHJnspT+N38JpOJurI6mMFLa7ktJxtQj1kpkU13RIpb9G81SPPZF5URR7QUD+A1JQIhwT93DVdnQxi6PRuuaqetwQrt15GSSjcvr3U72wN3deMrJH2DVkJiO3OnC7vJs/UyrT8cjIrWxOzjXTpywY9+drA3SYnMSmlu/4JmIwpGUHTe2E09pkkyusZsae8WyFB91UuatTuaLA2ZprOl0k9vxICUSzFjKwecgB1fzd6Gf1EDN0SZ5ZTPq29I6PAVPsFw9q3YKNaIT3+9YJSQKSb8EIwS2bmguUMdexLLOs6xQHvN0otJYoRNDJhfBC3f5H3sf0=,iv:vaYMdJcrEsbJfamBIS+eldlFUaIKQUlhsavNs5yUxbU=,tag:qkcahfMiNN+SPK96xPVGIg==,type:str]
+hercules-cluster-join-token: ENC[AES256_GCM,data:cwMtoJck16BDx4adMr8543gQoeYml8EI+XsTVk6rlT9qv1FMMo/CrrlOVNV5qd2TGXAmnlFawymKaRZZkU/6B618m3Q8fTTzwaoAFhEsuHh9G2+Cghp8dBEot2H+PbnNauq8Bor3oEU62gG0tbtVTVmy1rtGWG98S/KKyLu6HFZEAbail+ApXr8T1pe5HO6lwZZiSz4OosOW/hZWYqZCIahdSX8RxjufW0c4J0HTFrv8Zckc6YgCeJA3Mt0c7Vkjet4MQOueVEOHTRyZFIf1cVreKWNxuINgu365+UbrI39KqWN2GNXaTnOkZr4=,iv:zm7blCtNejdvVjVCIH+QTqtAiEYp7LC6/rTrMoqUrGk=,tag:oTb1iSUq713/k6G3o2axEw==,type:str]
+hercules-secrets: ENC[AES256_GCM,data:xYvP,iv:Ak5dxiwSVX9Si443kY43oXklOrUg0A0Pw00vrLQqzX4=,tag:v4CpvgDtGUd97OtG2KGmrg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1d2FOd0Z0MEdPbmMweWVv
+            dm5JbjNJdGRUOGtmN2F2dlhlNDRrVGtzamhzClFmUlpJSHN4YmI2dEZmcUxaSUV2
+            YlZFdURKc05KdzRJTGxUb2UwZ2E0RnMKLS0tIGdFNUxZU0NPMkZpK2hwN0QxWThU
+            M3g0MUgrNUZBTjlwMVM0OFg1WVZWVHcKTBMdpK9TPNS37NfnW1hZFhszssHJ7j90
+            tpyAbCOupBVPZIxcvG5iQfetW6IlBPP8X6fLnD55QAE3BcZXNXKT/Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0R2cxM0tlanU0MkU0WS9k
+            SklLN21YUWIxRlhVci80ZVlQS1c3WGlWaTBJCkNBOWE4VkpqUlNGOGtab01XRGkw
+            RUJJZm5VeU1JU2hnMzM5NjBWUjdBN3cKLS0tIC9tandNM0ZBeXFnUmtuTVRvR0RQ
+            dHFtcVE3b2FqYlNGT1NoWmh2YkFVTGMKEdQO/Llwm+90EUDPPhgNtVF+1W6SMiwi
+            aOCQxyXzTL18w5Y9jYyP7nGV3pU4/nc0VzmV0WPT//YjSe1e6pVy1A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xpzexnaulzdjtnwstvgvtq2ar7nkk2lj46u96ewjvtgt7g47jsxs0mhag3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTWNvWUw4TVNoTVd6LzdD
+            dUY0S084TEl6SUdEYUpHdlJod1Z6MzlKdUFJCk94Q1pmM0UvUVIrUWNScG9TeWNy
+            K2g2cGxRUWlSVEtLTmtjcHNWSURXR2MKLS0tIFVOYWpONFhTVHNrR1kwSmVQUUty
+            RHlyVjNZSC9CR2orODMyT0V6M3FrekEKajFVMiODpTOXU862VePw/L1L0xNNAeBH
+            BR3rOD7/MKNFGsjuQ94hD9sx4JTlJgyloBWNaCy3v36gRIohRcb6Vg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidHZOcGh3Ymg3UVg0MHM4
+            S0xQZWVCMHZEZmJyb0FxWWs3dE0vUzgwRlJvCnhXT3hGbWxNczRXUnJTNTFyVTdF
+            ZnZ0Tkpsc003bC9sQ21NakwxNHNjbUkKLS0tIHRrUVQ0SU54L1NXZktRc2ZyWmRs
+            K3RWa0ovYkpUc20wVE4yRUMxMEY5MkkKpxmOMbbk/cJ/jdQ2Ts6p7fTHv1QJjHU1
+            oGQmSL3Gn5/iGB/ioGhtq0ClNch9r8cmcVh5eA7ATRgWVmGtvmVRuQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Ykd1MU9LYUw5b0ZZV1U2
+            dXV3eXg2REZnR21YRmlGT0NWRmdUYklJRkZFCkRQUkxqNm9abVQ2K2E0TlFDNUU0
+            a0I5MXg2dUplODloWWYyRXQ4MVAvWHMKLS0tIFJjNDFTd083WE12ZmdQcldIbndC
+            TWlpd2R6SFQrZ2Y4QWJSSnNZMTlUK00K5x9w6ZvUltGksdbGmVu9RKUIQQ7ER69c
+            V4o3cpyH7TTc3SnuXyYs99XJLrxVq529DGzdhHs2M9S83I3GvFPAUQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcmxOY0NVSG4vclcxSHVi
+            a24xZTRNeGJ1SmZPMGlndWluTFVnVWhweXlvCjBIdWcyampDYXNPMGdLY2tNSEoy
+            M0YzdzZEdUNTTlRVZTZpNG4ybEtDVU0KLS0tIFNNdDhLSlpXV1dSbTFmcG84V1B6
+            MXJXaHRxNlRoM0FiZUlGSjN6ZSttcnMKX5Jbu0UCCTVgwMqHquQiMdfYz8hUejMH
+            ZDdNrPZLXNkOt87N/anJiwNhdbMxYJDPdn3ieEMca2HBAitVT8qIlQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcE9WM0IyVjZ2amJ6R1Zr
+            OVRpQWtTMks1QnVrb0Fjb21KQ1hiZ0huNlNrCnpud1lIT3dkc0pOOXgwWnZuaGcy
+            TXVJZStTeURTdUpFc1ZIRjBBTHBOUVkKLS0tIEJ1dG0vbUNQWnc1UyttNU9YSFlG
+            ek91Y1lDVVRrZldrSHI5Y2Ira05pNm8K3fEJaKEXX2oV+QkLiKaCl2gvGtR6lJBy
+            TqzfrnENZ1wSxxHOxQUp+1UG5q3O8BQyX4iTG6jPAKFCD1c7w1zUjQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvU0k0WFI5aC9Mc3ZuVWN0
+            QmV5Mnk0dXBLWU1mcHp0aHZIdUROKzEzV1Y4Ck14RWdLdlJIaHRDWG5vTmVYdmdo
+            K3BzVUViQ1NyVXZuVXBtVit6eS9GS1UKLS0tIEo5clgwcm9uSTk3Z2Y2cjdRZ1RC
+            WFI4TERDVHFpdGNKdTlpbGRVV1JCVVUKpRpq0WhqK53tsEfIUwhW6wgO+D3XylS4
+            YtN/X3WT3+J7PS5L21cvbUoEEcb7oE1ZHvro0L6SN/fJ6+SYgGGyCQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-16T22:50:20Z"
+    mac: ENC[AES256_GCM,data:GHNWoNFq7Ij7palmTpSnRYUmj2EjxLfJ6+dRPtIzdpZqWiagVs42QaO0y7lTYOcpWfQdQ4vIes7fSYhniPyor3qhyZxPZypOYkKSpaBLo+UvQQoNiNYI1CJSWfDBqTLpw+VakM3enAAg7/rYP1KnHJDRA9H1Ue1Ekq+12Ii7jB4=,iv:rAGOvRMjKAo6tQLqIFfn8CMVQIO6wwVhbDStBBddn5A=,tag:gX2nHsqrTldMgkoTgxzOZw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
diff --git a/secrets/hercules-binary-caches.age b/secrets/hercules-binary-caches.age
deleted file mode 100644
index 766b7b7..0000000
Binary files a/secrets/hercules-binary-caches.age and /dev/null differ
diff --git a/secrets/hercules-cluster-join-token.age b/secrets/hercules-cluster-join-token.age
deleted file mode 100644
index e148b98..0000000
--- a/secrets/hercules-cluster-join-token.age
+++ /dev/null
@@ -1,24 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 w3WLfA x/YAHTSiimsim42u9TANr2sQAME5vxERtRYmytjGdjo
-S+XenvJjOIYQrj5ZveVZpULcm6bt/FrWy4uH+UZSiQE
--> ssh-ed25519 Iw1MCQ MYjn2q/EMnLez6wb6DEh+ix36WRsmRzo9qLOXGxVMHo
-h2WPCfInagKRCIV1bNzCMWMRTS3SHQNV14BNKuspE2I
--> ssh-ed25519 T9HyUg 7ur+zCdrqTHXGwB3Il1QWHDUD9PhM3tblVi6au7q2lc
-CuqzUS1Oz2L40jXDB6QXEVXy5u9C/G2zvfCHrVUq2Rw
--> ssh-rsa ALNSWw
-FS4RHiHh1/8Hmv95mql4YKsEaVTfZBgZP8v6GWI15iGXap6Y5RGUYyRJFSxDCBax
-z+CIqEFVBDU27IOLcEE1d4Vu28TTZ58WZNKdJEUNFiV7bJti2sRjhNdDcyLYnqoO
-1R8fa++Ka45uC1aitrtnYlqw9H/ZHG2YKqm5mm08HpQOvXqivGn5sVtcPSSH0Csr
-Xu6a+mXQsrEtP2qDkR7W+ZUYVLxYrfuQczJ82OKfzUK+3G+myDpr/lYI0i97INEU
-rOSFs0SFC4oVwk6wugguCGGt/EaVbe5lBQBUlBMLeGkHGsSRgSHtBcS2ZW8NXYHk
-4OmXPu3e+qRf2iBXIZ1Q4w
--> ssh-ed25519 Qi7vNw 9r6k1MAP2NOjy7K7zKmE//DLVCOYEGeLnD/HEGBLvjY
-TwEWyOQNqV+xU5MaQtYIf0VeWBL9lNLCrHSBlkxOprA
--> ssh-ed25519 MW0fCg hyLX8herf6zasDRbYPnBIDKhHdmshpQpugzbjeMRkQk
-0cDaTwxrtaDLKlcMRYbjSXrAqbgFrCeZI9cEBA5HOdQ
--> ssh-ed25519 92bXiA e6UBcl0RrKgags/0VZVT3bE8re+C9TY15RQrtZRKi1E
-rGhaV4Z2SdsmZ8Vor0/yv13XcOR2J7hYiT0u1g0V68s
--> ssh-ed25519 h1lenA KEidSVfCZNOlPhFVePBaN6LHyPa95Nx3twjUXHsNzFM
-L0VG+NiujqusrEUoBz6ZaQgWEkyRPaXA8I6o02AIccc
---- tHo6R3b+X52chttfjIV6SCssiWbZ2ZUAarYOQSfj18U
-�D�T�1�	�_έ�*���`��� �#�^����(k,��i�M��\S��͌{�*͎���TY<?*��#����s8$ږ1��x]�eF$����1p�
�GBX���B��M�H�d6�q�N��/m�W��h��vu��j�u�J�'���S_?y��s��Z���o�6�]�Q���H��`�[DpN�r?l�2Kt��0����ϒ��x샼sä�j�\t#i40`��0����9��hz��=:��4K}�U����
\ No newline at end of file
diff --git a/secrets/hercules-secrets.age b/secrets/hercules-secrets.age
deleted file mode 100644
index f5c4e6d..0000000
--- a/secrets/hercules-secrets.age
+++ /dev/null
@@ -1,22 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa ALNSWw
-JPVTTEpszi2gGu1rOhd0dRV4ebmQe9Hk2h8bBQI/pq5JYV+H0Bh4oTN/CZ3Py9pS
-sg9n3TPFmZs3Mg/7sr9o/rHtRB1Eyq0mVGFkDqDiDKu7w9Cyz5GsvX8H0FActa0w
-BLFzZb0mpjXk7yqZMrXBejacU9EAWH+qRtReAmyMv9SSs4hEwSNNDPMqBHa8VapV
-lEC3s9zPNTCR5SuMb4D8EBMBcZ8i4C1lCiUFOBCr3YRTkH2430PG3uX/543vwKn7
-amHSRxoNk8GxDK2Z3azJfBGa2ESUEBef3g76P/Y0SDEOkg0u09g9/6vnKJ+fGrf8
-Zq/Ydx5N8QinAqiDZhirkA
--> ssh-ed25519 Qi7vNw Nn4EMk/FmRVrOpWEqaLFyKd2P+udGQeJxn7mrEA89Rk
-rpUu5ZvxoHReKK/XKFp5zElKyvO/ZkZgbxwxqg9Hbhc
--> ssh-ed25519 MW0fCg cT/e5vLkD/oRVa23QP/0ZzACU4gbajC3UOOHHMCpOlg
-a4GEBlXXvcAkM8f7jHS03Fn+Y9AZEmSw57nCc+UULUc
--> ssh-ed25519 92bXiA pwmOz0U2J734URSKYgzmwjU8G64mHc0zXUwx26wW6Rk
-uJRltNEU1Xmin9cVFToetPdw+Q1jBO/e5kGooRWDUWM
--> ssh-ed25519 h1lenA NiXmtP+u6lzOmwS1qBE+Aa1LTaCNrN2PelySn6h8jj8
-NUZorwmpdChGzKSJ/OwBACy+1cvkxSynh/PLg5BXHcI
--> ssh-ed25519 w3WLfA 1mpwXgXsSCnu6P8oknOJOmQN2nfkXR4cuk3V4Z8hA2w
-yQRB7JHQoJFiePv9qF1x+saTag9nWVGE5fbp4dKHD2k
--> ssh-ed25519 Iw1MCQ BhSpFVwgbZEOauhacPj9MPzYZ+742/p6Vfals7V2KnM
-iLSmAz6WSwQJfrEq1jyUxNyA3VssWAJ9U3Bv8ouu1Sw
---- 0taNGRQsutIEP95MVdq2I3kyuold6r85MqKdz3G5li0
-rI�dR[�?���t���y�I�r6���5z��F2
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6d8ef00..19c5034 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -14,9 +14,7 @@ let
   build01 = knownHosts.build01.publicKey;
   build02 = knownHosts.build02.publicKey;
   build03 = knownHosts.build03.publicKey;
-  build04 = knownHosts.build04.publicKey;
   darwin01 = knownHosts.darwin01.publicKey;
-  darwin02 = knownHosts.darwin02.publicKey;
   web02 = knownHosts.web02.publicKey;
 
   secrets = {
@@ -27,21 +25,6 @@ let
       darwin01
     ];
     grafana-client-secret = [ web02 ];
-    hercules-binary-caches = [
-      build03
-      build04
-      darwin02
-    ];
-    hercules-cluster-join-token = [
-      build03
-      build04
-      darwin02
-    ];
-    # hercules-secrets are only needed on linux
-    hercules-secrets = [
-      build03
-      build04
-    ];
     hetzner-borgbackup-ssh = [
       build02
       build03
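Review bot: Dropping these recipient lists (together with the deleted `.age` files) revokes nothing: the previous ciphertexts of the join token, binary-cache keys and effects secrets stay in git history, decryptable by every recipient they were encrypted to, including the `ssh-rsa` key. If the migration is also meant to narrow who can read these values, the cluster join token and cache keys should be rotated after this lands rather than only re-encrypted; if the recipient set is intentionally unchanged, a one-line note in the commit message saying so would prevent a later reader from assuming rotation happened. The `secrets` attrset continues past the end of this hunk.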
diff --git a/sops.nix b/sops.nix
index 27487ea..d7ce470 100644
--- a/sops.nix
+++ b/sops.nix
@@ -22,7 +22,13 @@ let
       "secrets.yaml" = [ ];
       "terraform/secrets.yaml" = [ ];
     }
-    // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) { }
+    // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) {
+      "modules/secrets/hercules-ci.yaml" = [
+        "build03"
+        "build04"
+        "darwin02"
+      ];
+    }
     // builtins.listToAttrs (
       mapAttrsToList (hostname: key: {
         name = "hosts/${hostname}/secrets.yaml";
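Review bot: Putting all three Hercules values into one sops file widens access to `hercules-secrets`: the removed `secrets.nix` entry limited it to build03 and build04 (`# hercules-secrets are only needed on linux`), but sops encrypts a file's data key to every recipient, so darwin02 can now decrypt the effects secrets even though the darwin module never reads them. If that restriction mattered, split the file, e.g. keep `"modules/secrets/hercules-ci.yaml" = [ "build03" "build04" "darwin02" ];` and add `"modules/secrets/hercules-effects.yaml" = [ "build03" "build04" ];`, pointing `sops.secrets.hercules-secrets.sopsFile` at the second; otherwise record the decision in a comment next to this entry. The enclosing `let` binding extends outside the hunk.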
diff --git a/tasks.py b/tasks.py
index f9cd766..cdfe1be 100644
--- a/tasks.py
+++ b/tasks.py
@@ -71,7 +71,9 @@ def update_sops_files(c: Any) -> None:
         print("# AUTOMATICALLY GENERATED WITH: $ inv update-sops-files", file=f)
 
     c.run(f"nix eval --json -f {ROOT}/sops.nix | yq e -P - >> {ROOT}/.sops.yaml")
-    c.run("shopt -s globstar && sops updatekeys --yes **/secrets.yaml")
+    c.run(
+        "shopt -s globstar && sops updatekeys --yes **/secrets.yaml modules/secrets/*.yaml"
+    )
 
 
 @task
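Review bot: The hard-coded `modules/secrets/*.yaml` glob in the `sops updatekeys` call duplicates the path list that `sops.nix` already owns; a file added to that mapping under any other directory would be emitted into `.sops.yaml` but skipped by `updatekeys`, leaving its recipients stale until someone notices. Deriving the argument list from the same `nix eval` output, or at minimum adding `nullglob` so an unmatched pattern is not passed to sops as a literal path, keeps the two in step. `update_sops_files` begins before this hunk.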