From 36a9be16630feceb21e329c7c6eac750dca6e3f0 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Mon, 16 Dec 2024 08:34:56 +1000
Subject: [PATCH] move hercules CI secrets to sops

---
 .sops.yaml                              |  11 +++
 dev/treefmt.nix                         |   1 +
 modules/darwin/hercules-ci.nix          |  22 +++---
 modules/nixos/hercules-ci.nix           |  27 ++++----
 modules/secrets/hercules-ci.yaml        |  86 ++++++++++++++++++++++++
 secrets/hercules-binary-caches.age      | Bin 1558 -> 0 bytes
 secrets/hercules-cluster-join-token.age |  24 -------
 secrets/hercules-secrets.age            |  22 ------
 secrets/secrets.nix                     |  17 -----
 sops.nix                                |   8 ++-
 tasks.py                                |   4 +-
 11 files changed, 131 insertions(+), 91 deletions(-)
 create mode 100644 modules/secrets/hercules-ci.yaml
 delete mode 100644 secrets/hercules-binary-caches.age
 delete mode 100644 secrets/hercules-cluster-join-token.age
 delete mode 100644 secrets/hercules-secrets.age

diff --git a/.sops.yaml b/.sops.yaml
index 487a40c..5ed46f9 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -63,6 +63,17 @@ creation_rules:
           - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
           - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
     path_regex: ^hosts/web02/secrets.yaml$
+  - key_groups:
+      - age:
+          - age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+          - age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
+          - age1xpzexnaulzdjtnwstvgvtq2ar7nkk2lj46u96ewjvtgt7g47jsxs0mhag3
+          - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          - age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          - age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+    path_regex: ^modules/secrets/hercules-ci.yaml$
   - key_groups:
       - age:
           - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
diff --git a/dev/treefmt.nix b/dev/treefmt.nix
index 70f9875..7011fdd 100644
--- a/dev/treefmt.nix
+++ b/dev/treefmt.nix
@@ -65,6 +65,7 @@
       excludes = [
         "config.yaml"
         "*secrets.yaml"
+        "modules/secrets/*.yaml"
       ];
     };
   };
diff --git a/modules/darwin/hercules-ci.nix b/modules/darwin/hercules-ci.nix
index a68140b..501691a 100644
--- a/modules/darwin/hercules-ci.nix
+++ b/modules/darwin/hercules-ci.nix
@@ -1,24 +1,24 @@
 { config, inputs, ... }:
-{
-  age.secrets.hercules-binary-caches = {
-    file = "${inputs.self}/secrets/hercules-binary-caches.age";
-    mode = "600";
-    owner = "_hercules-ci-agent";
-    group = "_hercules-ci-agent";
-  };
 
-  age.secrets.hercules-cluster-join-token = {
-    file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
+let
+  secret = {
     mode = "600";
     owner = "_hercules-ci-agent";
     group = "_hercules-ci-agent";
+    sopsFile = "${inputs.self}/modules/secrets/hercules-ci.yaml";
   };
+in
+{
+  sops.secrets.hercules-binary-caches = secret;
+
+  sops.secrets.hercules-cluster-join-token = secret;
 
   services.hercules-ci-agent = {
     enable = true;
     settings = {
-      binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
-      clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+      binaryCachesPath = config.sops.secrets.hercules-binary-caches.path;
+      clusterJoinTokenPath = config.sops.secrets.hercules-cluster-join-token.path;
+      # secretsJsonPath / hercules-secrets isn't needed on darwin
     };
   };
 }
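Review bot: `mode = "600"` in the shared `secret` attrset carries the agenix setting over unchanged, but the agent only reads `binaryCachesPath` and `clusterJoinTokenPath`, so the write bit is unnecessary; dropping the `mode` line (sops-nix's default is, as far as I recall, `0400`) or writing `mode = "0400";` keeps the provisioned files read-only for `_hercules-ci-agent`. Because the same attrset is assigned to both secrets, one change covers both. The NixOS counterpart in this commit sets only `owner` and `sopsFile`, so removing `mode` here also makes the two modules consistent.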
diff --git a/modules/nixos/hercules-ci.nix b/modules/nixos/hercules-ci.nix
index 5d5d006..29e3512 100644
--- a/modules/nixos/hercules-ci.nix
+++ b/modules/nixos/hercules-ci.nix
@@ -1,27 +1,24 @@
 { config, inputs, ... }:
+let
+  secret = {
+    owner = "hercules-ci-agent";
+    sopsFile = "${inputs.self}/modules/secrets/hercules-ci.yaml";
+  };
+in
 {
-  age.secrets.hercules-binary-caches = {
-    file = "${inputs.self}/secrets/hercules-binary-caches.age";
-    owner = "hercules-ci-agent";
-  };
+  sops.secrets.hercules-binary-caches = secret;
 
-  age.secrets.hercules-cluster-join-token = {
-    file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
-    owner = "hercules-ci-agent";
-  };
+  sops.secrets.hercules-cluster-join-token = secret;
 
-  age.secrets.hercules-secrets = {
-    file = "${inputs.self}/secrets/hercules-secrets.age";
-    owner = "hercules-ci-agent";
-  };
+  sops.secrets.hercules-secrets = secret;
 
   services.hercules-ci-agent = {
     enable = true;
     settings = {
-      binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
-      clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+      binaryCachesPath = config.sops.secrets.hercules-binary-caches.path;
+      clusterJoinTokenPath = config.sops.secrets.hercules-cluster-join-token.path;
       # secrets file is needed for effects
-      secretsJsonPath = config.age.secrets.hercules-secrets.path;
+      secretsJsonPath = config.sops.secrets.hercules-secrets.path;
     };
   };
 }
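Review bot: The three `sops.secrets.* = secret;` assignments on the new side repeat the same binding for every key in the file, so adding a fourth secret means editing both this module and the YAML; `sops.secrets = lib.genAttrs [ "hercules-binary-caches" "hercules-cluster-join-token" "hercules-secrets" ] (_: secret);` expresses it once (`lib` would have to be added to the module's argument set, which currently takes only `config` and `inputs`). This is a style point — the evaluated configuration is the same either way.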
diff --git a/modules/secrets/hercules-ci.yaml b/modules/secrets/hercules-ci.yaml
new file mode 100644
index 0000000..8dba4c3
--- /dev/null
+++ b/modules/secrets/hercules-ci.yaml
@@ -0,0 +1,86 @@
+hercules-binary-caches: ENC[AES256_GCM,data:kj6AvRCx36dkJFi01Q8YIXuQ1RPDaGoBXKUoK8Um5KV/gAmJxh1pha+EVjRIX2qeREE76Xq6oWXwWl4pAkPU6M4dqAG3yhaGn5aaX5sHJnspT+N38JpOJurI6mMFLa7ktJxtQj1kpkU13RIpb9G81SPPZF5URR7QUD+A1JQIhwT93DVdnQxi6PRuuaqetwQrt15GSSjcvr3U72wN3deMrJH2DVkJiO3OnC7vJs/UyrT8cjIrWxOzjXTpywY9+drA3SYnMSmlu/4JmIwpGUHTe2E09pkkyusZsae8WyFB91UuatTuaLA2ZprOl0k9vxICUSzFjKwecgB1fzd6Gf1EDN0SZ5ZTPq29I6PAVPsFw9q3YKNaIT3+9YJSQKSb8EIwS2bmguUMdexLLOs6xQHvN0otJYoRNDJhfBC3f5H3sf0=,iv:vaYMdJcrEsbJfamBIS+eldlFUaIKQUlhsavNs5yUxbU=,tag:qkcahfMiNN+SPK96xPVGIg==,type:str]
+hercules-cluster-join-token: ENC[AES256_GCM,data:cwMtoJck16BDx4adMr8543gQoeYml8EI+XsTVk6rlT9qv1FMMo/CrrlOVNV5qd2TGXAmnlFawymKaRZZkU/6B618m3Q8fTTzwaoAFhEsuHh9G2+Cghp8dBEot2H+PbnNauq8Bor3oEU62gG0tbtVTVmy1rtGWG98S/KKyLu6HFZEAbail+ApXr8T1pe5HO6lwZZiSz4OosOW/hZWYqZCIahdSX8RxjufW0c4J0HTFrv8Zckc6YgCeJA3Mt0c7Vkjet4MQOueVEOHTRyZFIf1cVreKWNxuINgu365+UbrI39KqWN2GNXaTnOkZr4=,iv:zm7blCtNejdvVjVCIH+QTqtAiEYp7LC6/rTrMoqUrGk=,tag:oTb1iSUq713/k6G3o2axEw==,type:str]
+hercules-secrets: ENC[AES256_GCM,data:xYvP,iv:Ak5dxiwSVX9Si443kY43oXklOrUg0A0Pw00vrLQqzX4=,tag:v4CpvgDtGUd97OtG2KGmrg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1d2FOd0Z0MEdPbmMweWVv
+            dm5JbjNJdGRUOGtmN2F2dlhlNDRrVGtzamhzClFmUlpJSHN4YmI2dEZmcUxaSUV2
+            YlZFdURKc05KdzRJTGxUb2UwZ2E0RnMKLS0tIGdFNUxZU0NPMkZpK2hwN0QxWThU
+            M3g0MUgrNUZBTjlwMVM0OFg1WVZWVHcKTBMdpK9TPNS37NfnW1hZFhszssHJ7j90
+            tpyAbCOupBVPZIxcvG5iQfetW6IlBPP8X6fLnD55QAE3BcZXNXKT/Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0R2cxM0tlanU0MkU0WS9k
+            SklLN21YUWIxRlhVci80ZVlQS1c3WGlWaTBJCkNBOWE4VkpqUlNGOGtab01XRGkw
+            RUJJZm5VeU1JU2hnMzM5NjBWUjdBN3cKLS0tIC9tandNM0ZBeXFnUmtuTVRvR0RQ
+            dHFtcVE3b2FqYlNGT1NoWmh2YkFVTGMKEdQO/Llwm+90EUDPPhgNtVF+1W6SMiwi
+            aOCQxyXzTL18w5Y9jYyP7nGV3pU4/nc0VzmV0WPT//YjSe1e6pVy1A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xpzexnaulzdjtnwstvgvtq2ar7nkk2lj46u96ewjvtgt7g47jsxs0mhag3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTWNvWUw4TVNoTVd6LzdD
+            dUY0S084TEl6SUdEYUpHdlJod1Z6MzlKdUFJCk94Q1pmM0UvUVIrUWNScG9TeWNy
+            K2g2cGxRUWlSVEtLTmtjcHNWSURXR2MKLS0tIFVOYWpONFhTVHNrR1kwSmVQUUty
+            RHlyVjNZSC9CR2orODMyT0V6M3FrekEKajFVMiODpTOXU862VePw/L1L0xNNAeBH
+            BR3rOD7/MKNFGsjuQ94hD9sx4JTlJgyloBWNaCy3v36gRIohRcb6Vg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidHZOcGh3Ymg3UVg0MHM4
+            S0xQZWVCMHZEZmJyb0FxWWs3dE0vUzgwRlJvCnhXT3hGbWxNczRXUnJTNTFyVTdF
+            ZnZ0Tkpsc003bC9sQ21NakwxNHNjbUkKLS0tIHRrUVQ0SU54L1NXZktRc2ZyWmRs
+            K3RWa0ovYkpUc20wVE4yRUMxMEY5MkkKpxmOMbbk/cJ/jdQ2Ts6p7fTHv1QJjHU1
+            oGQmSL3Gn5/iGB/ioGhtq0ClNch9r8cmcVh5eA7ATRgWVmGtvmVRuQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Ykd1MU9LYUw5b0ZZV1U2
+            dXV3eXg2REZnR21YRmlGT0NWRmdUYklJRkZFCkRQUkxqNm9abVQ2K2E0TlFDNUU0
+            a0I5MXg2dUplODloWWYyRXQ4MVAvWHMKLS0tIFJjNDFTd083WE12ZmdQcldIbndC
+            TWlpd2R6SFQrZ2Y4QWJSSnNZMTlUK00K5x9w6ZvUltGksdbGmVu9RKUIQQ7ER69c
+            V4o3cpyH7TTc3SnuXyYs99XJLrxVq529DGzdhHs2M9S83I3GvFPAUQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcmxOY0NVSG4vclcxSHVi
+            a24xZTRNeGJ1SmZPMGlndWluTFVnVWhweXlvCjBIdWcyampDYXNPMGdLY2tNSEoy
+            M0YzdzZEdUNTTlRVZTZpNG4ybEtDVU0KLS0tIFNNdDhLSlpXV1dSbTFmcG84V1B6
+            MXJXaHRxNlRoM0FiZUlGSjN6ZSttcnMKX5Jbu0UCCTVgwMqHquQiMdfYz8hUejMH
+            ZDdNrPZLXNkOt87N/anJiwNhdbMxYJDPdn3ieEMca2HBAitVT8qIlQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcE9WM0IyVjZ2amJ6R1Zr
+            OVRpQWtTMks1QnVrb0Fjb21KQ1hiZ0huNlNrCnpud1lIT3dkc0pOOXgwWnZuaGcy
+            TXVJZStTeURTdUpFc1ZIRjBBTHBOUVkKLS0tIEJ1dG0vbUNQWnc1UyttNU9YSFlG
+            ek91Y1lDVVRrZldrSHI5Y2Ira05pNm8K3fEJaKEXX2oV+QkLiKaCl2gvGtR6lJBy
+            TqzfrnENZ1wSxxHOxQUp+1UG5q3O8BQyX4iTG6jPAKFCD1c7w1zUjQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvU0k0WFI5aC9Mc3ZuVWN0
+            QmV5Mnk0dXBLWU1mcHp0aHZIdUROKzEzV1Y4Ck14RWdLdlJIaHRDWG5vTmVYdmdo
+            K3BzVUViQ1NyVXZuVXBtVit6eS9GS1UKLS0tIEo5clgwcm9uSTk3Z2Y2cjdRZ1RC
+            WFI4TERDVHFpdGNKdTlpbGRVV1JCVVUKpRpq0WhqK53tsEfIUwhW6wgO+D3XylS4
+            YtN/X3WT3+J7PS5L21cvbUoEEcb7oE1ZHvro0L6SN/fJ6+SYgGGyCQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-16T22:50:20Z"
+    mac: ENC[AES256_GCM,data:GHNWoNFq7Ij7palmTpSnRYUmj2EjxLfJ6+dRPtIzdpZqWiagVs42QaO0y7lTYOcpWfQdQ4vIes7fSYhniPyor3qhyZxPZypOYkKSpaBLo+UvQQoNiNYI1CJSWfDBqTLpw+VakM3enAAg7/rYP1KnHJDRA9H1Ue1Ekq+12Ii7jB4=,iv:rAGOvRMjKAo6tQLqIFfn8CMVQIO6wwVhbDStBBddn5A=,tag:gX2nHsqrTldMgkoTgxzOZw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
diff --git a/secrets/hercules-binary-caches.age b/secrets/hercules-binary-caches.age
deleted file mode 100644
index 766b7b7682e19ba427aa15ca6d4cb918316fe35e..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1558
zcmZY7{qNia0mpINKthKEMwZAD<TPr4=1Z@4*M~E1*oW)2y<V^FT_5h|fIeM&?X|t@
z-L=;P0y+&$AehYYFcSv>nQUVTBm*P3VF)40!(7y`geL(PAsRwPrt%QyPy1#51+Tn6
z`Iw%&=EinfOy;8`zAi~UD1(8ut)<z_Uvr%bg244sUe$#mQ5ujEp_Zq8l_2ZmWaw8q
zowi4#V%jMXtlNuqd+8!8t}j(*0E9a%Xfh^mY9o5sW9=!&D=z2gx>JXlP$`;CQX>Xb
zIqsjUaXH+k<kG<I;l3Rj2?en$d+Kn#IlmADV%{@#Q=}$d7)X)K#9qV!9YlxuV5;G5
z1(U)6)xe(F>>Hz`KN5AOGVU*hDD4-kIia4b_3CV)dL^+Y5M>;<WMwE-!yH^zY$g(C
zSk$rmLccrp_-b|4i(0LM18f1SfnE?&R<)}uIYtjF9tE}YXr4gJ1<^22dqzS7xZc9g
zYU#`@5rWv&bHHaXkWYhp3z-zWrN@&TF|z@edKA+iDJCKqB3I*Ep;}CqSfFEa*z(z#
zkI%$Ls)S7i03(^#O%1O&36+TENR+2#+OH#YBy~v5!HM3gKk6$Ym|I=cMdo7`9hBv~
zfG0NOl8^-GNf9`B;#ZN3@TPg0(}{T$&<Ti1Z40tF1qpa0mHi4BL3*wvzL7Hv-E4ae
zO~%Ux0q}TOm=!n|2m@X$y9pVSRHI547UqC>wnEq`nGpp66&)`2D|F(u92%<xSW1DN
z7>{*eE@w5S$D&kC_0y3#C6;sADVzAjYok)tv>_|U>B&Nf69cQlhBWj8dD-=cY1cv9
z4m<)#Bb-gm(2ZNDwm{;1taYp7{OsCie=Co$Ow3D=xKbJ37bt~f#*2pLs%dShwDDX+
z=M5A$vW1|xW)0kr8^9vA6Bh5~E}3#O%L+2GvJBdZZBbYu59rLLU0O<7rVnxFYHhtd
zq`XqC64`2ofRf54GU1hzCT%30sLiXfr~AD~vdnajp<Y=gfDuEpqXvSzsk~${#&RsT
zs4`_H7{(DX=xSUD#u(mEAnO0x>J`fv5v7Q;=Jp)7Lrn-&#+dr4rWC}uiq+lNDGCH<
zkwP&-d*Km)8$?TVLV^ekDFz8n;xuEkF*_ZRB;<^$tX>NOMH@?s<DJ{)!(%rlN(CCg
zL6V_VbIPo=o;^@ID_fw-Wi3l3xw@dcWE42!*i&+VOE{6Xd}tspL?JF~D&O+Gu%;-2
znuo=r(VR*~zYn)1R0h`8)=DE<u-H6?TSLcR^0ijV`E}5RW?XmNa~aI25FL<L*kpyO
z05bph(=FtYI}TUgU2B@_UdX<Avia(vY`uEf&kkPkx4VpE=fA%p`{BA9TbmBOvv08X
z!Z-iB+!$z&NOx~KLtl3j_12XyeX-=<+``=Om~{EEo5<46^G*owaq%|u^<QlG)nnQ1
z!r&mg`8PL&7r&jO+8Zxo|3LC5zOm)xsegWJ&*n?KUw>)ScaEI;N%xBl|Jt$bl?x;B
zg@0fC;I2om%th-X=AAtcJ-Yjdef9e7yZ(Cpp7uT2ejB)D+v3Zw?R@X`^7l^t<^9Wc
zKX-b0$%zX#hbImwpMUM?ji-M6*^c;=!O5S0d|=nxkN@DR-yhnm|L(3|?qx2RUbEl-
z_EYJdTkibe*89#Jy>|T{9{SO}FW>*<!}r~N>)yl9^AF^oexC}qUVrnt*Umif^=q!$
z4I)=xwCCVgj_-RmK7HGtUb6q3f5e{t>3Q3CZQZ}Kp04)ohrjyarHdWw)^0nz{a&N~
h%zuvmz47iR_aDXX*m(PIpRZrqn4iyl*FE^h{{hmOFLVF^

diff --git a/secrets/hercules-cluster-join-token.age b/secrets/hercules-cluster-join-token.age
deleted file mode 100644
index e148b98..0000000
--- a/secrets/hercules-cluster-join-token.age
+++ /dev/null
@@ -1,24 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 w3WLfA x/YAHTSiimsim42u9TANr2sQAME5vxERtRYmytjGdjo
-S+XenvJjOIYQrj5ZveVZpULcm6bt/FrWy4uH+UZSiQE
--> ssh-ed25519 Iw1MCQ MYjn2q/EMnLez6wb6DEh+ix36WRsmRzo9qLOXGxVMHo
-h2WPCfInagKRCIV1bNzCMWMRTS3SHQNV14BNKuspE2I
--> ssh-ed25519 T9HyUg 7ur+zCdrqTHXGwB3Il1QWHDUD9PhM3tblVi6au7q2lc
-CuqzUS1Oz2L40jXDB6QXEVXy5u9C/G2zvfCHrVUq2Rw
--> ssh-rsa ALNSWw
-FS4RHiHh1/8Hmv95mql4YKsEaVTfZBgZP8v6GWI15iGXap6Y5RGUYyRJFSxDCBax
-z+CIqEFVBDU27IOLcEE1d4Vu28TTZ58WZNKdJEUNFiV7bJti2sRjhNdDcyLYnqoO
-1R8fa++Ka45uC1aitrtnYlqw9H/ZHG2YKqm5mm08HpQOvXqivGn5sVtcPSSH0Csr
-Xu6a+mXQsrEtP2qDkR7W+ZUYVLxYrfuQczJ82OKfzUK+3G+myDpr/lYI0i97INEU
-rOSFs0SFC4oVwk6wugguCGGt/EaVbe5lBQBUlBMLeGkHGsSRgSHtBcS2ZW8NXYHk
-4OmXPu3e+qRf2iBXIZ1Q4w
--> ssh-ed25519 Qi7vNw 9r6k1MAP2NOjy7K7zKmE//DLVCOYEGeLnD/HEGBLvjY
-TwEWyOQNqV+xU5MaQtYIf0VeWBL9lNLCrHSBlkxOprA
--> ssh-ed25519 MW0fCg hyLX8herf6zasDRbYPnBIDKhHdmshpQpugzbjeMRkQk
-0cDaTwxrtaDLKlcMRYbjSXrAqbgFrCeZI9cEBA5HOdQ
--> ssh-ed25519 92bXiA e6UBcl0RrKgags/0VZVT3bE8re+C9TY15RQrtZRKi1E
-rGhaV4Z2SdsmZ8Vor0/yv13XcOR2J7hYiT0u1g0V68s
--> ssh-ed25519 h1lenA KEidSVfCZNOlPhFVePBaN6LHyPa95Nx3twjUXHsNzFM
-L0VG+NiujqusrEUoBz6ZaQgWEkyRPaXA8I6o02AIccc
---- tHo6R3b+X52chttfjIV6SCssiWbZ2ZUAarYOQSfj18U
-�D�T�1�	�_έ�*���`��� �#�^����(k,��i�M��\S��͌{�*͎���TY<?*��#����s8$ږ1��x]�eF$����1p�
�GBX���B��M�H�d6�q�N��/m�W��h��vu��j�u�J�'���S_?y��s��Z���o�6�]�Q���H��`�[DpN�r?l�2Kt��0����ϒ��x샼sä�j�\t#i40`��0����9��hz��=:��4K}�U����
\ No newline at end of file
diff --git a/secrets/hercules-secrets.age b/secrets/hercules-secrets.age
deleted file mode 100644
index f5c4e6d..0000000
--- a/secrets/hercules-secrets.age
+++ /dev/null
@@ -1,22 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa ALNSWw
-JPVTTEpszi2gGu1rOhd0dRV4ebmQe9Hk2h8bBQI/pq5JYV+H0Bh4oTN/CZ3Py9pS
-sg9n3TPFmZs3Mg/7sr9o/rHtRB1Eyq0mVGFkDqDiDKu7w9Cyz5GsvX8H0FActa0w
-BLFzZb0mpjXk7yqZMrXBejacU9EAWH+qRtReAmyMv9SSs4hEwSNNDPMqBHa8VapV
-lEC3s9zPNTCR5SuMb4D8EBMBcZ8i4C1lCiUFOBCr3YRTkH2430PG3uX/543vwKn7
-amHSRxoNk8GxDK2Z3azJfBGa2ESUEBef3g76P/Y0SDEOkg0u09g9/6vnKJ+fGrf8
-Zq/Ydx5N8QinAqiDZhirkA
--> ssh-ed25519 Qi7vNw Nn4EMk/FmRVrOpWEqaLFyKd2P+udGQeJxn7mrEA89Rk
-rpUu5ZvxoHReKK/XKFp5zElKyvO/ZkZgbxwxqg9Hbhc
--> ssh-ed25519 MW0fCg cT/e5vLkD/oRVa23QP/0ZzACU4gbajC3UOOHHMCpOlg
-a4GEBlXXvcAkM8f7jHS03Fn+Y9AZEmSw57nCc+UULUc
--> ssh-ed25519 92bXiA pwmOz0U2J734URSKYgzmwjU8G64mHc0zXUwx26wW6Rk
-uJRltNEU1Xmin9cVFToetPdw+Q1jBO/e5kGooRWDUWM
--> ssh-ed25519 h1lenA NiXmtP+u6lzOmwS1qBE+Aa1LTaCNrN2PelySn6h8jj8
-NUZorwmpdChGzKSJ/OwBACy+1cvkxSynh/PLg5BXHcI
--> ssh-ed25519 w3WLfA 1mpwXgXsSCnu6P8oknOJOmQN2nfkXR4cuk3V4Z8hA2w
-yQRB7JHQoJFiePv9qF1x+saTag9nWVGE5fbp4dKHD2k
--> ssh-ed25519 Iw1MCQ BhSpFVwgbZEOauhacPj9MPzYZ+742/p6Vfals7V2KnM
-iLSmAz6WSwQJfrEq1jyUxNyA3VssWAJ9U3Bv8ouu1Sw
---- 0taNGRQsutIEP95MVdq2I3kyuold6r85MqKdz3G5li0
-rI�dR[�?���t���y�I�r6���5z��F2
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6d8ef00..19c5034 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -14,9 +14,7 @@ let
   build01 = knownHosts.build01.publicKey;
   build02 = knownHosts.build02.publicKey;
   build03 = knownHosts.build03.publicKey;
-  build04 = knownHosts.build04.publicKey;
   darwin01 = knownHosts.darwin01.publicKey;
-  darwin02 = knownHosts.darwin02.publicKey;
   web02 = knownHosts.web02.publicKey;
 
   secrets = {
@@ -27,21 +25,6 @@ let
       darwin01
     ];
     grafana-client-secret = [ web02 ];
-    hercules-binary-caches = [
-      build03
-      build04
-      darwin02
-    ];
-    hercules-cluster-join-token = [
-      build03
-      build04
-      darwin02
-    ];
-    # hercules-secrets are only needed on linux
-    hercules-secrets = [
-      build03
-      build04
-    ];
     hetzner-borgbackup-ssh = [
       build02
       build03
diff --git a/sops.nix b/sops.nix
index 27487ea..d7ce470 100644
--- a/sops.nix
+++ b/sops.nix
@@ -22,7 +22,13 @@ let
       "secrets.yaml" = [ ];
       "terraform/secrets.yaml" = [ ];
     }
-    // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) { }
+    // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) {
+      "modules/secrets/hercules-ci.yaml" = [
+        "build03"
+        "build04"
+        "darwin02"
+      ];
+    }
     // builtins.listToAttrs (
       mapAttrsToList (hostname: key: {
         name = "hosts/${hostname}/secrets.yaml";
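Review bot: Putting all three hercules values into one sops file means every recipient of `modules/secrets/hercules-ci.yaml` — including `darwin02` listed here — can decrypt `hercules-secrets`, whereas the agenix recipient list this commit removes granted that secret to `build03` and `build04` only ("hercules-secrets are only needed on linux", and the darwin module's new comment says it is not used there). If the narrower grant was deliberate, keep it by moving `hercules-secrets` into its own sops file with a rule covering only the Linux hosts; otherwise a comment on this entry noting that darwin02 intentionally receives the unused value would record the decision. The generated `.sops.yaml` rule for this path lists eight age recipients while this entry names three hosts; presumably the other five come from user keys merged elsewhere in sops.nix, outside the hunk.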
diff --git a/tasks.py b/tasks.py
index f9cd766..cdfe1be 100644
--- a/tasks.py
+++ b/tasks.py
@@ -71,7 +71,9 @@ def update_sops_files(c: Any) -> None:
         print("# AUTOMATICALLY GENERATED WITH: $ inv update-sops-files", file=f)
 
     c.run(f"nix eval --json -f {ROOT}/sops.nix | yq e -P - >> {ROOT}/.sops.yaml")
-    c.run("shopt -s globstar && sops updatekeys --yes **/secrets.yaml")
+    c.run(
+        "shopt -s globstar && sops updatekeys --yes **/secrets.yaml modules/secrets/*.yaml"
+    )
 
 
 @task
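Review bot: The `modules/secrets/*.yaml` glob added to the `sops updatekeys` call is the third place this path convention is spelled out (the `.sops.yaml` rule and the treefmt exclude are the others), and nothing in the function says the directory is sops-only; a comment such as `# modules/secrets/ holds only sops-encrypted files; updatekeys rewrites every *.yaml in it` above the `c.run(` would make that contract explicit. With bash's default globbing an unmatched pattern is passed to sops literally and the command fails, which matches the behaviour the existing `**/secrets.yaml` glob already has. `update_sops_files` begins before the hunk.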