diff --git a/.sops.yaml b/.sops.yaml
index bbf9aba..24628eb 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -54,26 +54,3 @@ creation_rules:
 - *zimbatm
 - *zowoq
 - *adisbladis
- - path_regex: modules/nixos/hercules-ci/.+\.yaml$
- key_groups:
- - age:
- - *build03
- - *build04
- - *mic92
- - *ryantm
- - *zimbatm
- - *zowoq
- - *adisbladis
- - path_regex: modules/nixos/.+\.yaml$
- key_groups:
- - age:
- - *build01
- - *build02
- - *build03
- - *build04
- - *web02
- - *mic92
- - *ryantm
- - *zimbatm
- - *zowoq
- - *adisbladis
diff --git a/flake.nix b/flake.nix
index a0e0bae..6da572b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -147,7 +147,7 @@
 builder = ./modules/darwin/builder.nix;
 community-builder = ./modules/darwin/community-builder;
- hercules-ci = ./modules/darwin/hercules-ci;
+ hercules-ci = ./modules/darwin/hercules-ci.nix;
 remote-builder = ./modules/darwin/remote-builder.nix;
 };
@@ -159,7 +159,7 @@
 community-builder = ./modules/nixos/community-builder;
 disko-zfs = ./modules/nixos/disko-zfs.nix;
 github-org-backup = ./modules/nixos/github-org-backup.nix;
- hercules-ci = ./modules/nixos/hercules-ci;
+ hercules-ci = ./modules/nixos/hercules-ci.nix;
 hydra = ./modules/nixos/hydra.nix;
 monitoring = ./modules/nixos/monitoring;
 nur-update = ./modules/nixos/nur-update.nix;
diff --git a/modules/darwin/hercules-ci.nix b/modules/darwin/hercules-ci.nix
new file mode 100644
index 0000000..ede2ddf
--- /dev/null
+++ b/modules/darwin/hercules-ci.nix
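Review bot: The second removed rule, `path_regex: modules/nixos/.+\.yaml$`, is broader than the hercules-ci migration needs: it matched every sops file under modules/nixos, not only the deleted modules/nixos/hercules-ci/secrets.yaml. If any other sops-encrypted yaml remains under that tree (none is visible in this diff, but the hunk only shows what was removed), it will no longer match a creation rule, so `sops updatekeys` or encrypting a new file there will fail or fall through to a different rule; please confirm that before merging, or drop only the hercules-ci-specific rule and keep the general one. The flake.nix hunks on this line are a pure path rename and need nothing further.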
@@ -0,0 +1,24 @@
+{ config, inputs, ... }:
+{
+ age.secrets.hercules-binary-caches = {
+ file = "${toString inputs.self}/secrets/hercules-binary-caches.age";
+ mode = "600";
+ owner = "_hercules-ci-agent";
+ group = "_hercules-ci-agent";
+ };
+
+ age.secrets.hercules-cluster-join-token = {
+ file = "${toString inputs.self}/secrets/hercules-cluster-join-token.age";
+ mode = "600";
+ owner = "_hercules-ci-agent";
+ group = "_hercules-ci-agent";
+ };
+
+ services.hercules-ci-agent = {
+ enable = true;
+ settings = {
+ binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
+ clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+ };
+ };
+}
diff --git a/modules/darwin/hercules-ci/default.nix b/modules/darwin/hercules-ci/default.nix
deleted file mode 100644
index b776f85..0000000
--- a/modules/darwin/hercules-ci/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, ... }:
-{
- age.secrets.binary-caches = {
- file = ../../../secrets/binary-caches.age;
- mode = "600";
- owner = "_hercules-ci-agent";
- group = "_hercules-ci-agent";
- };
-
- age.secrets.cluster-join-token = {
- file = ../../../secrets/cluster-join-token.age;
- mode = "600";
- owner = "_hercules-ci-agent";
- group = "_hercules-ci-agent";
- };
-
- services.hercules-ci-agent.enable = true;
-
- services.hercules-ci-agent.settings = {
- binaryCachesPath = config.age.secrets.binary-caches.path;
- clusterJoinTokenPath = config.age.secrets.cluster-join-token.path;
- };
-}
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index 91a03b2..a43fa5c 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -10,6 +10,7 @@
 ./telegraf.nix
 ./users.nix
 inputs.sops-nix.nixosModules.sops
+ inputs.agenix.nixosModules.age
 inputs.srvos.nixosModules.server
 ];
diff --git a/modules/nixos/hercules-ci.nix b/modules/nixos/hercules-ci.nix
new file mode 100644
index 0000000..6f7a88a
--- /dev/null
+++ b/modules/nixos/hercules-ci.nix
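Review bot: `mode = "600"` on both `age.secrets.*` entries in modules/darwin/hercules-ci.nix gives the agent write access to files it only reads; `mode = "400";` is the least-privilege setting and, as far as I recall agenix's defaults, matches what the sibling NixOS module in this commit gets by leaving `mode` unset. Unless the agent is expected to rewrite the binary-cache config or the join token, this is a one-word change per entry. The hunk is a new file, so the whole module is visible here; a one-line comment above the first `file =`, such as `# inputs.self is the flake's store copy, so the .age files must be git-tracked to be found`, would spare the next reader a surprise when an untracked secret silently fails to resolve.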
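Review bot: `inputs.agenix.nixosModules.age` is now imported on every NixOS host next to `inputs.sops-nix.nixosModules.sops`, so modules/nixos/common/default.nix carries two secret backends while, within this commit, only modules/nixos/hercules-ci.nix declares `age.secrets`. A comment on the added line would make the split explicit, e.g. `inputs.agenix.nixosModules.age # hercules-ci secrets (see secrets/secrets.nix); sops-nix stays for everything else`. This also assumes `agenix` is already a declared flake input; the flake.nix hunks in this diff do not show the inputs block, though the deleted darwin module already used `age.secrets`, so it most likely exists. The imports list starts above this hunk.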
@@ -0,0 +1,27 @@
+{ config, inputs, ... }:
+{
+ age.secrets.hercules-binary-caches = {
+ file = "${toString inputs.self}/secrets/hercules-binary-caches.age";
+ owner = "hercules-ci-agent";
+ };
+
+ age.secrets.hercules-cluster-join-token = {
+ file = "${toString inputs.self}/secrets/hercules-cluster-join-token.age";
+ owner = "hercules-ci-agent";
+ };
+
+ age.secrets.hercules-secrets = {
+ file = "${toString inputs.self}/secrets/hercules-secrets.age";
+ owner = "hercules-ci-agent";
+ };
+
+ services.hercules-ci-agent = {
+ enable = true;
+ settings = {
+ binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
+ clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+ # secrets file is needed for effects
+ secretsJsonPath = config.age.secrets.hercules-secrets.path;
+ };
+ };
+}
diff --git a/modules/nixos/hercules-ci/default.nix b/modules/nixos/hercules-ci/default.nix
deleted file mode 100644
index 5f0b8c8..0000000
--- a/modules/nixos/hercules-ci/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, ... }:
-let
- herculesSecret = {
- owner = "hercules-ci-agent";
- sopsFile = ./secrets.yaml;
- };
- inherit (config.sops) secrets;
-in
-{
- sops.secrets."binary-caches.json" = herculesSecret;
- sops.secrets."cluster-join-token.key" = herculesSecret;
- sops.secrets."hercules-secrets" = herculesSecret;
-
- services.hercules-ci-agent = {
- enable = true;
- settings = {
- binaryCachesPath = secrets."binary-caches.json".path;
- clusterJoinTokenPath = secrets."cluster-join-token.key".path;
- # secrets file is needed for effects
- secretsJsonPath = secrets."hercules-secrets".path;
- };
- };
-}
diff --git a/modules/nixos/hercules-ci/secrets.yaml b/modules/nixos/hercules-ci/secrets.yaml
deleted file mode 100644
index dee8321..0000000
--- a/modules/nixos/hercules-ci/secrets.yaml
+++ /dev/null
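Review bot: The three `age.secrets.*` entries in modules/nixos/hercules-ci.nix are the same attrset repeated with only the file name varying, and each sets `owner` while leaving `mode` and `group` to agenix's defaults (0400 and root, if I remember the module right), whereas the darwin module in this commit spells mode and group out. The module that this file replaces factored the shared settings into a single `herculesSecret` binding; doing the same here, and stating `mode = "400"` explicitly, keeps the three secrets in lock-step and means a future change to the agenix default cannot silently widen access. The sketch below rewrites only the `let` and the `age.secrets` declarations; the `services.hercules-ci-agent` block is unchanged.
```nix
{ config, inputs, ... }:
let
  # every hercules-ci secret is read-only for the agent user; mode is stated
  # explicitly rather than relying on the agenix default
  herculesSecret = name: {
    file = "${toString inputs.self}/secrets/${name}.age";
    owner = "hercules-ci-agent";
    mode = "400";
  };
in
{
  age.secrets.hercules-binary-caches = herculesSecret "hercules-binary-caches";
  age.secrets.hercules-cluster-join-token = herculesSecret "hercules-cluster-join-token";
  age.secrets.hercules-secrets = herculesSecret "hercules-secrets";

  # … unchanged: services.hercules-ci-agent block …
```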
@@ -1,77 +0,0 @@ -cluster-join-token.key: ENC[AES256_GCM,data:Ba8S5Cx3NJR/FoKkSVc5pX1bwKkYHAhTid3dlWcGRXPCmVtrMgBKLjDZ5b3AajZio+IvS7XNajsVqPUB/rsBUPL+mz/DPbnI4bibLkB0KZl5v6FnMf6RbGr7RWbEsGXWlJh77l/AmGRWJTj7Dh3LaQ53dguhNIDuXGvNhTLs690/93Xnc+x+d5tzl2hNz/A4/IQxpsRoJJKygqGndbc0bTUPo0QZMLtf8kHQtCiozfm1SeW49ITnM+4VCOJB8NkSkwUfy5Rs574fFijYSOGT8LSSH0ly2oxHEY+UaJudRhjr5uzrcZPI/WrrtkI=,iv:87JRtvlkkExu37uYRaHojsk1vjhO1ocw2L9yE+7shpI=,tag:0de71eZjy8F/w0LQzOVAyg==,type:str] -binary-caches.json: ENC[AES256_GCM,data:o5H3jtSn4yV8qgdBy8FEMNHx4azLzcv2aVqdG343FLvyokbTijn5KnHfVeLaxwMe4ugmfXUkQbx5fPP9VWMIoWUecagS39nkVz1D2XA9a1KAvpJdLqUIvqI9grtPv10cdh99zPQ/epBz/qat8tcXGC/ggKH7e7rJSYcd6WWQxdu7Z/dIFdbuuwzENHiIEKwVUyyNp/Qe5SBKA1ysA4uTx0HKKgZj4Ytcfao1eoDOp9pV9KruaXC7EiGTYujk8M3PwUBdLsX4Tgjh3Qoku+PTRMbdesE52QEHDgYw3jZNwZuyvg4tHhs7qm/3gILRZJUZxlVw8BotYGVsjMUyEGuHcwUspeqQVYOgewPbYIcRV9TC/z23CBecsGHrjE7b21Wf5uQJcGt+x+mDuiP2socrLr6Jd1lFgMbxSiKcTEHR5gA=,iv:BZ5QGtGiR++dAxPQHdtSu4+mLE18rM7nt70urViFET8=,tag:tNQiKaLrOB/ZmSsRKHgWLQ==,type:str] -hercules-secrets: ENC[AES256_GCM,data:XG68,iv:OjgSr4yI6pznAep0ChxSS8H3Iv85M4gyPNmlhMfOUK8=,tag:WHowGftwk7viIqMPmWM08Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTelo3ajQzOTgzRi80elRu - Rk9raUlRdUloRGxLL3ZyRGtWTHZtcC80S1g0Cll2MjhVcW44RGtLems1RmJ3RFVK - T0F6MFcrdGlhSUNvMzJzKzBQQTQ4dnMKLS0tIG0vNWRRdDVLNDUrUHpCTEVQYVFY - MnF6bWJKcTJKY0hsbmx3c1B5WmZPaWMKR34ZzjR2aDObxGi2P4Ak1sSvdWT6VoQE - UfW64J1INE0PVJYgF6lDh5kFojIenTCvHM2AKR6KnIVn0DAE/eJhTg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQUR2bWNIOWFTNG5GTVQ1 - TWNUOFNCU3B2cWQyOXpjeG5YeFlQdUdYMm5rCnJ1MUNDT3BaS0hhbmNnbTcxcUVQ - 
Y0llMUd2aHpkZ3FJRXZkQjNXSGMxNHcKLS0tIFlyNVRpZjV5MitYK2dHQm1OYkJq - UGVlOVdweWJvQ1FNUnNsNzgyYkk2SzAKl3uOuDRY/INd/ahtpG37kdPp+aT86iuV - a0Lg1QqTAnCaAgh3BNGqUzSVx580s88fefn19y3Iay6w/nGRYs3LTA== - -----END AGE ENCRYPTED FILE----- - - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1b2x6eHYrQ0VwOFhmYWJG - anRhMk5OUzFleElkcEtoR3VkTWlvSFMvV3lvCkx2UUJBaUR1N3JHTG1DQnVuZ1g3 - YWVyTWlsT2dnZVRFQmoybitralVBcFkKLS0tIHhaS0FYYm5raFNlallFbEsrV29N - dHlpUVlVL1RHTnplZHNzcnVWMmlVU2MKkTvDT3ghsEk2GKKTWAs9u/VRHAlTcIfV - 4F60cGCutbXrLHGyye99tqSuHdJKcvc7C/DRWqYCQ+k/ONLBiC8a7g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZXBHYklkeVdOMktIb3JI - MzhOVXVoOWg3b3BOV3dqdjI3K1BmUlZXaW5VCmwxakZFMnRpbnpTbTZxRkFzY21D - ODFFSjYxWkE3ZGZRZWxhRjFKQXpVVDgKLS0tIC84a1l2elZuVGgybVppcGN6WTNR - dzBsU1VZZUFNVElMZXV2UUI0VW9OM3MKQWK5vznCUz07HDUzGYdYG06UUBhF9XtJ - XS82nTT96DzgxcUSD/10eMc/AbZQC1iUCUTDEycXG9TvQkQGy6XWUA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZUUwdUg0eDEzTkhDK1NX - QVVPV0w0MjE2akphWVhFTER5MFo4aTZzeWlzCldwTXRxMWVjbGx2ZkVRdVh1anp2 - OGc4aVR2RDZDUjZaaWo5WEh4RzZUemMKLS0tIHE5Sm44aVZrRndqS0sxOC82M2ZQ - clZyT213MDZrOTNKZW9Ld2VFRVFZTmsKTtwuuORDqeO2f0sixAE+N/ffi/hanW30 - 2zZHR0F9yLNQV0qHQv27mfmpkb6ikP3bc9FMYJVs98hfuxU0wK1ZUw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYWNLZHIvOGZLbTFrMmQ5 - Z0ZZREpRRWtrcVBnVzc3b2M5cU44cFE5dkdNCjQydEh0QXdSVitNMkhaSVpjRDF3 - 
Mlk0SFphWVdzcW1HQ0RENktaQ084dDQKLS0tIEZnWXFaSEN1S0ttYmZIV21xaDVv - dkdvbEhHV0dPYVJZSXZ5M2RzSEV3bmsKMR2JDRjVHIouEyD02i574mnwClf4yQdr - ge6FFMGi2sLvDULXOyRnEgCu9dyeCp1qKKmJlz2Se0BtH4PWaRKIfQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzelcxZDVodzVwWm1WWGRU - UGl5eHNlYVQ4SUNGNkhVR1BDVXFsd1NPSkU4CkVYREhqc0hDTEdyTkUySmN3czRp - bk4yNzJEMFQ3RmxmcnJpNkxsaGdiSlEKLS0tIFcyY055S3ViVG5lbSs2VzNpanI0 - aWtHdldjTUE3MVhzM2lvVDZkYVJtdTgKoZn+URDEUn2ABex6dGsN7eKYvle1JqEZ - 9ltCSlGIJ9m+r9TA4ATUthlhLJtV3ClYqIJ92yhlNH3+MIpnuxsnZA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-09T03:55:30Z" - mac: ENC[AES256_GCM,data:NP6HyJiX097tDhbgMcDD8IBQKpug0JMLbRjRWs9QUPLqitq/HNoIfD3OuY1hLGhML/YY+TQ/fyFvAxFJG/8qyIZYOu2JwFnCHzmBbE02KRyB90iAB/zlw3em+jKzBuUIDknaYbOn5fucJHOci4OjZfkd4/UmWodlulnRGsljx+c=,iv:lRRZDAAGnnI5KNtBH6qQWBzUo7GDIlUPbcZL147Tgh4=,tag:CWOerIPjpzndXq6j7zjy2A==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/binary-caches.age b/secrets/binary-caches.age deleted file mode 100644 index de5ff58..0000000 Binary files a/secrets/binary-caches.age and /dev/null differ diff --git a/secrets/cluster-join-token.age b/secrets/cluster-join-token.age deleted file mode 100644 index d1e9547..0000000 --- a/secrets/cluster-join-token.age +++ /dev/null 
@@ -1,24 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa ALNSWw -k14GuxixIuiA4WhYtWW5PaevHx5QZc2HF9HM7Ia2ji4mNg2Pc1+cXFZG/QLROTVo -EL0c3/MzZBGAdFYkkm8hlA+S9JLdgiP8ROIT8hjhOE55uWWaH8uDQGODQX42nBe0 -w1wN9iBDKJJ0s4kSak9K8GqS0afVvppLPZTcqoaHbh2YapXSYu7LK8BBgz4+nBUP -0axc3TIVgUzEDls7VGU1c+aavDvBb8c/fg5w5pJZy379bzU5TWpppmi7U7hEboCA -IMeAH5iffaksmyPIHlK/iwpHdkchLKX+2YHAu8DxywHeowm4rbxKv3oHfH+/3uM3 -28VUeqYY/SCqwLSe84ZnSg --> ssh-ed25519 Qi7vNw W23Q9s5rainiPnp67oLEcLKpEfmvqxUUWL5u+yvN+0o -/Tiyf6QaTM1NIKPPdrK9e8K43Ee0cNAV5uS5fiab3p8 --> ssh-ed25519 MW0fCg 2AXjCOaTHC6kJ+m5OnVwyuy6DEI2+6E//fZ7PkZsfFo -gEvzFrYhSCCvBaOjPb1aI49kCJBK5mpDGShJuVpbSn4 --> ssh-ed25519 92bXiA xv18v2ncQRE9MWJbpNsGUkwhho/NNZ465zcOl1qi3HQ -OKP7B3ecWEeBF7GA0Vx72BMRbM6iE6/fQ4mkCaGx4R0 --> ssh-ed25519 h1lenA tBhqzlU6IKkHKkTb9p8p2R/OOyLtOhLyAIujO+1oyEg -8ORTR81GImpbXu4rJ0HTSOwbFb3Zw+JmfYSGFoQXLHg --> ssh-ed25519 7tFeRw BpJpUC2tTiDfGnO5JvYwW/JiTU2RSfeKzDOCMfLBUxY -u0mDqrcX/vKNJvqu9Bjl6qUrf1CAkGm5cBRhg984lXk --> ssh-ed25519 /B167A t3O6wWHJ1GAxe/e7XwiUzl+uWVBG5F7vc088zFYoFm0 -T954lFCHmJTuOnMy5N1OizGzySbd5/ow1eBbcpJl/F4 ---- BHVcjNVuUaft0wyxOjncdhbpiC9UtUgWSk8sUr6lBCw -��'���y�"�N��Tm;�)w�V�Ĭ���ќwtֽ,����}-�1�|�ʅ����� b�� t%���+l0�`��W�� �vw�6�>"7�i3�&L��Y*�P(S�� <������m��ˠTqdK$(��y7�PG(y�*��7p��E�/gT�?3Aq���16�#�ȋ�T'y��G�e%.�ۀʭ�Op��:� -��Ҩ3Hv��E%(�����s�����l��%������������ -`�w��FLX \ No newline at end of file diff --git a/secrets/hercules-binary-caches.age b/secrets/hercules-binary-caches.age new file mode 100644 index 0000000..497c4af Binary files /dev/null and b/secrets/hercules-binary-caches.age differ diff --git a/secrets/hercules-cluster-join-token.age b/secrets/hercules-cluster-join-token.age new file mode 100644 index 0000000..e33caa9 Binary files /dev/null and b/secrets/hercules-cluster-join-token.age differ diff --git a/secrets/hercules-secrets.age b/secrets/hercules-secrets.age new file mode 100644 index 0000000..556b8c9 --- /dev/null +++ b/secrets/hercules-secrets.age 
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-rsa ALNSWw +p191juUB3M1ugsq9G0JSxd8py62YvADEpHGBUrH2g9AVW5tPlsg8DfVMB303OpGf +W3uLnkzFToMkVYRwogZ2fFjRrgL3TzYP/7YtNvSOCK5ISgr/O7gzvN2bef/SmaU5 +hbT55479Fll47swpOyLCmb8MPBpejt7rUIwrWwVYe7H7Iiy0/c2BqnoFH01izCte +JKeNl9zv3W/xC8E+9NBhNy9JzxyE1TTK6lBynf1fm3c1lFzgLuhIyRyw2bfN1Xe7 +zqxGoEwHI2HliMyfWVoqAPIuamMjol5nXftXOdk+iynNoUOC5CYCOvb2izgAMlux +mRi9Isw5+URm9i1ftnne9A +-> ssh-ed25519 Qi7vNw UqDd9zpwUG+Zz6GBM/ihh+SSmvlyftVLQ3vGbs8bmig +UtIHBx1seQYsprHUy+gCtHEHHW6DLoLOC8nB0IW5gnE +-> ssh-ed25519 MW0fCg fsE5TkypLmOW34SLIjundvPQKvge7om9gxhjTWqBIEg +/N4XYNuD91v30anQ6wvvaF0ed4p4S2qCivpjQjc6Zzk +-> ssh-ed25519 92bXiA agh7/NO92cdr6Ks9l++5zmUxDMOG7/kpAuLa2+krrjk +Dw5ZcYsTNLEtISZjbryO6SG9hkxQyvvaqZ23Q9Cg+yQ +-> ssh-ed25519 h1lenA UlcCE/LSI99G1JHrMBb30QD1FqW3AGFIWK2pScH7XFg +huP7kMFoCzH28A2F0csofXvAwQ/XL+zUhEmWKzCaaVM +-> ssh-ed25519 w3WLfA a8a6jxPciyKv97TlZeFzTPPCTkHkSAtAo3E7zdi3g2E +ZB3//50/GnoPOrBZW2LO3Ro+ufOY5PLrlp4BEEqOSJk +-> ssh-ed25519 Iw1MCQ vb99twMuWFPT9hSdu+PNChC8ckCEKugaNA1AmoIO/gw +g51+sN/q/cc/rleg3xda8w1CybnF5gn5hXB97kjtXi8 +--- w6C7jupmvs4mp5Dpwm2Ff2SMs1cPB+kxweTI95HpnI0 +�Y�c����ZA=�Q��+�kg�e����yx�U \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 507deb3..ad16601 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -9,10 +9,13 @@ let
 inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
+ build03 = knownHosts.build03.publicKey;
+ build04 = knownHosts.build04.publicKey;
 darwin02 = knownHosts.darwin02.publicKey;
 darwin03 = knownHosts.darwin03.publicKey;
 in
 {
- "binary-caches.age".publicKeys = users ++ [ darwin02 darwin03 ];
- "cluster-join-token.age".publicKeys = users ++ [ darwin02 darwin03 ];
+ "hercules-binary-caches.age".publicKeys = users ++ [ build03 build04 darwin02 darwin03 ];
+ "hercules-cluster-join-token.age".publicKeys = users ++ [ build03 build04 darwin02 darwin03 ];
+ "hercules-secrets.age".publicKeys = users ++ [ build03 build04 ]; # hercules-secrets are only needed on linux
 }
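Review bot: Re-encrypting the join token and binary-cache keys under new names does not by itself change who can read them: the previous ciphertexts (the deleted modules/nixos/hercules-ci/secrets.yaml and the deleted secrets/*.age files) stay in git history and remain decryptable by every key that was a recipient at the time. If the values were carried over rather than re-issued, any recipient key that is no longer meant to have access, or was ever exposed, can still recover the live token from history, so either rotate the token and cache keys as part of this migration or note in the commit message that they were regenerated. The `users` list referenced here is defined above the hunk, so which personal keys are included cannot be checked from this diff. As a style point, the trailing comment on the `hercules-secrets.age` line would read better on its own line above it, e.g. `# hercules-secrets (effects) are only needed on the linux builders`.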