sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

move hercules CI secrets to sops

Browse source
This commit is contained in:
zowoq 2024-12-16 08:34:56 +10:00
parent b260b29a85
commit 36a9be1663
11 changed files with 131 additions and 91 deletions

11
.sops.yaml
View file

@ -63,6 +63,17 @@ creation_rules:
- age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
- age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
path_regex: ^hosts/web02/secrets.yaml$ path_regex: ^hosts/web02/secrets.yaml$
- key_groups:
- age:
- age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
- age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
- age1xpzexnaulzdjtnwstvgvtq2ar7nkk2lj46u96ewjvtgt7g47jsxs0mhag3
- age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
- age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
- age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
- age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
- age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
path_regex: ^modules/secrets/hercules-ci.yaml$
- key_groups: - key_groups:
- age: - age:
- age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy

1
dev/treefmt.nix
View file

@ -65,6 +65,7 @@
excludes = [ excludes = [
"config.yaml" "config.yaml"
"*secrets.yaml" "*secrets.yaml"
"modules/secrets/*.yaml"
]; ];
}; };
}; };

22
modules/darwin/hercules-ci.nix
View file

@ -1,24 +1,24 @@
{ config, inputs, ... }: { config, inputs, ... }:
{
age.secrets.hercules-binary-caches = {
file = "${inputs.self}/secrets/hercules-binary-caches.age";
mode = "600";
owner = "_hercules-ci-agent";
group = "_hercules-ci-agent";
};
age.secrets.hercules-cluster-join-token = { let
file = "${inputs.self}/secrets/hercules-cluster-join-token.age"; secret = {
mode = "600"; mode = "600";
owner = "_hercules-ci-agent"; owner = "_hercules-ci-agent";
group = "_hercules-ci-agent"; group = "_hercules-ci-agent";
sopsFile = "${inputs.self}/modules/secrets/hercules-ci.yaml";
}; };
in
{
sops.secrets.hercules-binary-caches = secret;
sops.secrets.hercules-cluster-join-token = secret;
services.hercules-ci-agent = { services.hercules-ci-agent = {
enable = true; enable = true;
settings = { settings = {
binaryCachesPath = config.age.secrets.hercules-binary-caches.path; binaryCachesPath = config.sops.secrets.hercules-binary-caches.path;
clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path; clusterJoinTokenPath = config.sops.secrets.hercules-cluster-join-token.path;
# secretsJsonPath / hercules-secrets isn't needed on darwin
}; };
}; };
} }

27
modules/nixos/hercules-ci.nix
View file

@ -1,27 +1,24 @@
{ config, inputs, ... }: { config, inputs, ... }:
let
secret = {
owner = "hercules-ci-agent";
sopsFile = "${inputs.self}/modules/secrets/hercules-ci.yaml";
};
in
{ {
age.secrets.hercules-binary-caches = { sops.secrets.hercules-binary-caches = secret;
file = "${inputs.self}/secrets/hercules-binary-caches.age";
owner = "hercules-ci-agent";
};
age.secrets.hercules-cluster-join-token = { sops.secrets.hercules-cluster-join-token = secret;
file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
owner = "hercules-ci-agent";
};
age.secrets.hercules-secrets = { sops.secrets.hercules-secrets = secret;
file = "${inputs.self}/secrets/hercules-secrets.age";
owner = "hercules-ci-agent";
};
services.hercules-ci-agent = { services.hercules-ci-agent = {
enable = true; enable = true;
settings = { settings = {
binaryCachesPath = config.age.secrets.hercules-binary-caches.path; binaryCachesPath = config.sops.secrets.hercules-binary-caches.path;
clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path; clusterJoinTokenPath = config.sops.secrets.hercules-cluster-join-token.path;
# secrets file is needed for effects # secrets file is needed for effects
secretsJsonPath = config.age.secrets.hercules-secrets.path; secretsJsonPath = config.sops.secrets.hercules-secrets.path;
}; };
}; };
} }

86
modules/secrets/hercules-ci.yaml Normal file
View file

@ -0,0 +1,86 @@
hercules-binary-caches: ENC[AES256_GCM,data:kj6AvRCx36dkJFi01Q8YIXuQ1RPDaGoBXKUoK8Um5KV/gAmJxh1pha+EVjRIX2qeREE76Xq6oWXwWl4pAkPU6M4dqAG3yhaGn5aaX5sHJnspT+N38JpOJurI6mMFLa7ktJxtQj1kpkU13RIpb9G81SPPZF5URR7QUD+A1JQIhwT93DVdnQxi6PRuuaqetwQrt15GSSjcvr3U72wN3deMrJH2DVkJiO3OnC7vJs/UyrT8cjIrWxOzjXTpywY9+drA3SYnMSmlu/4JmIwpGUHTe2E09pkkyusZsae8WyFB91UuatTuaLA2ZprOl0k9vxICUSzFjKwecgB1fzd6Gf1EDN0SZ5ZTPq29I6PAVPsFw9q3YKNaIT3+9YJSQKSb8EIwS2bmguUMdexLLOs6xQHvN0otJYoRNDJhfBC3f5H3sf0=,iv:vaYMdJcrEsbJfamBIS+eldlFUaIKQUlhsavNs5yUxbU=,tag:qkcahfMiNN+SPK96xPVGIg==,type:str]
hercules-cluster-join-token: ENC[AES256_GCM,data:cwMtoJck16BDx4adMr8543gQoeYml8EI+XsTVk6rlT9qv1FMMo/CrrlOVNV5qd2TGXAmnlFawymKaRZZkU/6B618m3Q8fTTzwaoAFhEsuHh9G2+Cghp8dBEot2H+PbnNauq8Bor3oEU62gG0tbtVTVmy1rtGWG98S/KKyLu6HFZEAbail+ApXr8T1pe5HO6lwZZiSz4OosOW/hZWYqZCIahdSX8RxjufW0c4J0HTFrv8Zckc6YgCeJA3Mt0c7Vkjet4MQOueVEOHTRyZFIf1cVreKWNxuINgu365+UbrI39KqWN2GNXaTnOkZr4=,iv:zm7blCtNejdvVjVCIH+QTqtAiEYp7LC6/rTrMoqUrGk=,tag:oTb1iSUq713/k6G3o2axEw==,type:str]
hercules-secrets: ENC[AES256_GCM,data:xYvP,iv:Ak5dxiwSVX9Si443kY43oXklOrUg0A0Pw00vrLQqzX4=,tag:v4CpvgDtGUd97OtG2KGmrg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1d2FOd0Z0MEdPbmMweWVv
dm5JbjNJdGRUOGtmN2F2dlhlNDRrVGtzamhzClFmUlpJSHN4YmI2dEZmcUxaSUV2
YlZFdURKc05KdzRJTGxUb2UwZ2E0RnMKLS0tIGdFNUxZU0NPMkZpK2hwN0QxWThU
M3g0MUgrNUZBTjlwMVM0OFg1WVZWVHcKTBMdpK9TPNS37NfnW1hZFhszssHJ7j90
tpyAbCOupBVPZIxcvG5iQfetW6IlBPP8X6fLnD55QAE3BcZXNXKT/Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0R2cxM0tlanU0MkU0WS9k
SklLN21YUWIxRlhVci80ZVlQS1c3WGlWaTBJCkNBOWE4VkpqUlNGOGtab01XRGkw
RUJJZm5VeU1JU2hnMzM5NjBWUjdBN3cKLS0tIC9tandNM0ZBeXFnUmtuTVRvR0RQ
dHFtcVE3b2FqYlNGT1NoWmh2YkFVTGMKEdQO/Llwm+90EUDPPhgNtVF+1W6SMiwi
aOCQxyXzTL18w5Y9jYyP7nGV3pU4/nc0VzmV0WPT//YjSe1e6pVy1A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xpzexnaulzdjtnwstvgvtq2ar7nkk2lj46u96ewjvtgt7g47jsxs0mhag3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTWNvWUw4TVNoTVd6LzdD
dUY0S084TEl6SUdEYUpHdlJod1Z6MzlKdUFJCk94Q1pmM0UvUVIrUWNScG9TeWNy
K2g2cGxRUWlSVEtLTmtjcHNWSURXR2MKLS0tIFVOYWpONFhTVHNrR1kwSmVQUUty
RHlyVjNZSC9CR2orODMyT0V6M3FrekEKajFVMiODpTOXU862VePw/L1L0xNNAeBH
BR3rOD7/MKNFGsjuQ94hD9sx4JTlJgyloBWNaCy3v36gRIohRcb6Vg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidHZOcGh3Ymg3UVg0MHM4
S0xQZWVCMHZEZmJyb0FxWWs3dE0vUzgwRlJvCnhXT3hGbWxNczRXUnJTNTFyVTdF
ZnZ0Tkpsc003bC9sQ21NakwxNHNjbUkKLS0tIHRrUVQ0SU54L1NXZktRc2ZyWmRs
K3RWa0ovYkpUc20wVE4yRUMxMEY5MkkKpxmOMbbk/cJ/jdQ2Ts6p7fTHv1QJjHU1
oGQmSL3Gn5/iGB/ioGhtq0ClNch9r8cmcVh5eA7ATRgWVmGtvmVRuQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Ykd1MU9LYUw5b0ZZV1U2
dXV3eXg2REZnR21YRmlGT0NWRmdUYklJRkZFCkRQUkxqNm9abVQ2K2E0TlFDNUU0
a0I5MXg2dUplODloWWYyRXQ4MVAvWHMKLS0tIFJjNDFTd083WE12ZmdQcldIbndC
TWlpd2R6SFQrZ2Y4QWJSSnNZMTlUK00K5x9w6ZvUltGksdbGmVu9RKUIQQ7ER69c
V4o3cpyH7TTc3SnuXyYs99XJLrxVq529DGzdhHs2M9S83I3GvFPAUQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcmxOY0NVSG4vclcxSHVi
a24xZTRNeGJ1SmZPMGlndWluTFVnVWhweXlvCjBIdWcyampDYXNPMGdLY2tNSEoy
M0YzdzZEdUNTTlRVZTZpNG4ybEtDVU0KLS0tIFNNdDhLSlpXV1dSbTFmcG84V1B6
MXJXaHRxNlRoM0FiZUlGSjN6ZSttcnMKX5Jbu0UCCTVgwMqHquQiMdfYz8hUejMH
ZDdNrPZLXNkOt87N/anJiwNhdbMxYJDPdn3ieEMca2HBAitVT8qIlQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcE9WM0IyVjZ2amJ6R1Zr
OVRpQWtTMks1QnVrb0Fjb21KQ1hiZ0huNlNrCnpud1lIT3dkc0pOOXgwWnZuaGcy
TXVJZStTeURTdUpFc1ZIRjBBTHBOUVkKLS0tIEJ1dG0vbUNQWnc1UyttNU9YSFlG
ek91Y1lDVVRrZldrSHI5Y2Ira05pNm8K3fEJaKEXX2oV+QkLiKaCl2gvGtR6lJBy
TqzfrnENZ1wSxxHOxQUp+1UG5q3O8BQyX4iTG6jPAKFCD1c7w1zUjQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvU0k0WFI5aC9Mc3ZuVWN0
QmV5Mnk0dXBLWU1mcHp0aHZIdUROKzEzV1Y4Ck14RWdLdlJIaHRDWG5vTmVYdmdo
K3BzVUViQ1NyVXZuVXBtVit6eS9GS1UKLS0tIEo5clgwcm9uSTk3Z2Y2cjdRZ1RC
WFI4TERDVHFpdGNKdTlpbGRVV1JCVVUKpRpq0WhqK53tsEfIUwhW6wgO+D3XylS4
YtN/X3WT3+J7PS5L21cvbUoEEcb7oE1ZHvro0L6SN/fJ6+SYgGGyCQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-16T22:50:20Z"
mac: ENC[AES256_GCM,data:GHNWoNFq7Ij7palmTpSnRYUmj2EjxLfJ6+dRPtIzdpZqWiagVs42QaO0y7lTYOcpWfQdQ4vIes7fSYhniPyor3qhyZxPZypOYkKSpaBLo+UvQQoNiNYI1CJSWfDBqTLpw+VakM3enAAg7/rYP1KnHJDRA9H1Ue1Ekq+12Ii7jB4=,iv:rAGOvRMjKAo6tQLqIFfn8CMVQIO6wwVhbDStBBddn5A=,tag:gX2nHsqrTldMgkoTgxzOZw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2

BIN
secrets/hercules-binary-caches.age
View file

Binary file not shown.

24
secrets/hercules-cluster-join-token.age
View file

@ -1,24 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 w3WLfA x/YAHTSiimsim42u9TANr2sQAME5vxERtRYmytjGdjo
S+XenvJjOIYQrj5ZveVZpULcm6bt/FrWy4uH+UZSiQE
-> ssh-ed25519 Iw1MCQ MYjn2q/EMnLez6wb6DEh+ix36WRsmRzo9qLOXGxVMHo
h2WPCfInagKRCIV1bNzCMWMRTS3SHQNV14BNKuspE2I
-> ssh-ed25519 T9HyUg 7ur+zCdrqTHXGwB3Il1QWHDUD9PhM3tblVi6au7q2lc
CuqzUS1Oz2L40jXDB6QXEVXy5u9C/G2zvfCHrVUq2Rw
-> ssh-rsa ALNSWw
FS4RHiHh1/8Hmv95mql4YKsEaVTfZBgZP8v6GWI15iGXap6Y5RGUYyRJFSxDCBax
z+CIqEFVBDU27IOLcEE1d4Vu28TTZ58WZNKdJEUNFiV7bJti2sRjhNdDcyLYnqoO
1R8fa++Ka45uC1aitrtnYlqw9H/ZHG2YKqm5mm08HpQOvXqivGn5sVtcPSSH0Csr
Xu6a+mXQsrEtP2qDkR7W+ZUYVLxYrfuQczJ82OKfzUK+3G+myDpr/lYI0i97INEU
rOSFs0SFC4oVwk6wugguCGGt/EaVbe5lBQBUlBMLeGkHGsSRgSHtBcS2ZW8NXYHk
4OmXPu3e+qRf2iBXIZ1Q4w
-> ssh-ed25519 Qi7vNw 9r6k1MAP2NOjy7K7zKmE//DLVCOYEGeLnD/HEGBLvjY
TwEWyOQNqV+xU5MaQtYIf0VeWBL9lNLCrHSBlkxOprA
-> ssh-ed25519 MW0fCg hyLX8herf6zasDRbYPnBIDKhHdmshpQpugzbjeMRkQk
0cDaTwxrtaDLKlcMRYbjSXrAqbgFrCeZI9cEBA5HOdQ
-> ssh-ed25519 92bXiA e6UBcl0RrKgags/0VZVT3bE8re+C9TY15RQrtZRKi1E
rGhaV4Z2SdsmZ8Vor0/yv13XcOR2J7hYiT0u1g0V68s
-> ssh-ed25519 h1lenA KEidSVfCZNOlPhFVePBaN6LHyPa95Nx3twjUXHsNzFM
L0VG+NiujqusrEUoBz6ZaQgWEkyRPaXA8I6o02AIccc
--- tHo6R3b+X52chttfjIV6SCssiWbZ2ZUAarYOQSfj18U
“DœTî”1¥ Ö_έ¸*©³¶` ¢‡ Â#Ÿ^Óêòì(k,ÈÔièªM¸«\SÀÙÍŒ{À*ÍŽ—‰¦TY<?*˜œ#¤šü¬s8$Ú– 1¢†x]à®eF$©˜ò«¢Ö1pì± ‰GBXØøúBšÞM×Hãd6Çq©N¢à/m€Wžðh˜Üvu•¿jŽuºJ©'ð<18>ÆS_?y“âs„½Z×o 6µ]‡Q—§ÖH¯œ`[DpN<70>r?l„2Kí0š±¸Ï’“òx샼sä”jñ\t#i40`™§0šÍíñ9»<39>h­=: Ü 4K}‰U‰û¡¶

22
secrets/hercules-secrets.age
View file

@ -1,22 +0,0 @@
age-encryption.org/v1
-> ssh-rsa ALNSWw
JPVTTEpszi2gGu1rOhd0dRV4ebmQe9Hk2h8bBQI/pq5JYV+H0Bh4oTN/CZ3Py9pS
sg9n3TPFmZs3Mg/7sr9o/rHtRB1Eyq0mVGFkDqDiDKu7w9Cyz5GsvX8H0FActa0w
BLFzZb0mpjXk7yqZMrXBejacU9EAWH+qRtReAmyMv9SSs4hEwSNNDPMqBHa8VapV
lEC3s9zPNTCR5SuMb4D8EBMBcZ8i4C1lCiUFOBCr3YRTkH2430PG3uX/543vwKn7
amHSRxoNk8GxDK2Z3azJfBGa2ESUEBef3g76P/Y0SDEOkg0u09g9/6vnKJ+fGrf8
Zq/Ydx5N8QinAqiDZhirkA
-> ssh-ed25519 Qi7vNw Nn4EMk/FmRVrOpWEqaLFyKd2P+udGQeJxn7mrEA89Rk
rpUu5ZvxoHReKK/XKFp5zElKyvO/ZkZgbxwxqg9Hbhc
-> ssh-ed25519 MW0fCg cT/e5vLkD/oRVa23QP/0ZzACU4gbajC3UOOHHMCpOlg
a4GEBlXXvcAkM8f7jHS03Fn+Y9AZEmSw57nCc+UULUc
-> ssh-ed25519 92bXiA pwmOz0U2J734URSKYgzmwjU8G64mHc0zXUwx26wW6Rk
uJRltNEU1Xmin9cVFToetPdw+Q1jBO/e5kGooRWDUWM
-> ssh-ed25519 h1lenA NiXmtP+u6lzOmwS1qBE+Aa1LTaCNrN2PelySn6h8jj8
NUZorwmpdChGzKSJ/OwBACy+1cvkxSynh/PLg5BXHcI
-> ssh-ed25519 w3WLfA 1mpwXgXsSCnu6P8oknOJOmQN2nfkXR4cuk3V4Z8hA2w
yQRB7JHQoJFiePv9qF1x+saTag9nWVGE5fbp4dKHD2k
-> ssh-ed25519 Iw1MCQ BhSpFVwgbZEOauhacPj9MPzYZ+742/p6Vfals7V2KnM
iLSmAz6WSwQJfrEq1jyUxNyA3VssWAJ9U3Bv8ouu1Sw
--- 0taNGRQsutIEP95MVdq2I3kyuold6r85MqKdz3G5li0
rIždR[ˇ?ýöţtÎúÜyüIěťr6‡¬î5zżF2

17
secrets/secrets.nix
View file

@ -14,9 +14,7 @@ let
build01 = knownHosts.build01.publicKey; build01 = knownHosts.build01.publicKey;
build02 = knownHosts.build02.publicKey; build02 = knownHosts.build02.publicKey;
build03 = knownHosts.build03.publicKey; build03 = knownHosts.build03.publicKey;
build04 = knownHosts.build04.publicKey;
darwin01 = knownHosts.darwin01.publicKey; darwin01 = knownHosts.darwin01.publicKey;
darwin02 = knownHosts.darwin02.publicKey;
web02 = knownHosts.web02.publicKey; web02 = knownHosts.web02.publicKey;
secrets = { secrets = {
@ -27,21 +25,6 @@ let
darwin01 darwin01
]; ];
grafana-client-secret = [ web02 ]; grafana-client-secret = [ web02 ];
hercules-binary-caches = [
build03
build04
darwin02
];
hercules-cluster-join-token = [
build03
build04
darwin02
];
# hercules-secrets are only needed on linux
hercules-secrets = [
build03
build04
];
hetzner-borgbackup-ssh = [ hetzner-borgbackup-ssh = [
build02 build02
build03 build03

8
sops.nix
View file

@ -22,7 +22,13 @@ let
"secrets.yaml" = [ ]; "secrets.yaml" = [ ];
"terraform/secrets.yaml" = [ ]; "terraform/secrets.yaml" = [ ];
} }
// builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) { } // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) {
"modules/secrets/hercules-ci.yaml" = [
"build03"
"build04"
"darwin02"
];
}
// builtins.listToAttrs ( // builtins.listToAttrs (
mapAttrsToList (hostname: key: { mapAttrsToList (hostname: key: {
name = "hosts/${hostname}/secrets.yaml"; name = "hosts/${hostname}/secrets.yaml";

4
tasks.py
View file

@ -71,7 +71,9 @@ def update_sops_files(c: Any) -> None:
print("# AUTOMATICALLY GENERATED WITH: $ inv update-sops-files", file=f) print("# AUTOMATICALLY GENERATED WITH: $ inv update-sops-files", file=f)
c.run(f"nix eval --json -f {ROOT}/sops.nix | yq e -P - >> {ROOT}/.sops.yaml") c.run(f"nix eval --json -f {ROOT}/sops.nix | yq e -P - >> {ROOT}/.sops.yaml")
c.run("shopt -s globstar && sops updatekeys --yes **/secrets.yaml") c.run(
"shopt -s globstar && sops updatekeys --yes **/secrets.yaml modules/secrets/*.yaml"
)
@task @task