From 3c554a18f84b6c8458f99b6fdbff11e636fcf62c Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Tue, 9 Jul 2024 11:41:05 +1000
Subject: [PATCH] move hercules to agenix

---
 .sops.yaml                              |  23 -------
 flake.nix                               |   4 +-
 modules/darwin/hercules-ci.nix          |  24 ++++++++
 modules/darwin/hercules-ci/default.nix  |  23 -------
 modules/nixos/common/default.nix        |   1 +
 modules/nixos/hercules-ci.nix           |  27 +++++++++
 modules/nixos/hercules-ci/default.nix   |  23 -------
 modules/nixos/hercules-ci/secrets.yaml  |  77 ------------------------
 secrets/binary-caches.age               | Bin 1448 -> 0 bytes
 secrets/cluster-join-token.age          |  24 --------
 secrets/hercules-binary-caches.age      | Bin 0 -> 1668 bytes
 secrets/hercules-cluster-join-token.age | Bin 0 -> 1584 bytes
 secrets/hercules-secrets.age            |  22 +++++++
 secrets/secrets.nix                     |   7 ++-
 14 files changed, 81 insertions(+), 174 deletions(-)
 create mode 100644 modules/darwin/hercules-ci.nix
 delete mode 100644 modules/darwin/hercules-ci/default.nix
 create mode 100644 modules/nixos/hercules-ci.nix
 delete mode 100644 modules/nixos/hercules-ci/default.nix
 delete mode 100644 modules/nixos/hercules-ci/secrets.yaml
 delete mode 100644 secrets/binary-caches.age
 delete mode 100644 secrets/cluster-join-token.age
 create mode 100644 secrets/hercules-binary-caches.age
 create mode 100644 secrets/hercules-cluster-join-token.age
 create mode 100644 secrets/hercules-secrets.age

diff --git a/.sops.yaml b/.sops.yaml
index bbf9aba..24628eb 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -54,26 +54,3 @@ creation_rules:
           - *zimbatm
           - *zowoq
           - *adisbladis
-  - path_regex: modules/nixos/hercules-ci/.+\.yaml$
-    key_groups:
-      - age:
-          - *build03
-          - *build04
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
-          - *adisbladis
-  - path_regex: modules/nixos/.+\.yaml$
-    key_groups:
-      - age:
-          - *build01
-          - *build02
-          - *build03
-          - *build04
-          - *web02
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
-          - *adisbladis
diff --git a/flake.nix b/flake.nix
index a0e0bae..6da572b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -147,7 +147,7 @@
 
           builder = ./modules/darwin/builder.nix;
           community-builder = ./modules/darwin/community-builder;
-          hercules-ci = ./modules/darwin/hercules-ci;
+          hercules-ci = ./modules/darwin/hercules-ci.nix;
           remote-builder = ./modules/darwin/remote-builder.nix;
         };
 
@@ -159,7 +159,7 @@
           community-builder = ./modules/nixos/community-builder;
           disko-zfs = ./modules/nixos/disko-zfs.nix;
           github-org-backup = ./modules/nixos/github-org-backup.nix;
-          hercules-ci = ./modules/nixos/hercules-ci;
+          hercules-ci = ./modules/nixos/hercules-ci.nix;
           hydra = ./modules/nixos/hydra.nix;
           monitoring = ./modules/nixos/monitoring;
           nur-update = ./modules/nixos/nur-update.nix;
diff --git a/modules/darwin/hercules-ci.nix b/modules/darwin/hercules-ci.nix
new file mode 100644
index 0000000..ede2ddf
--- /dev/null
+++ b/modules/darwin/hercules-ci.nix
@@ -0,0 +1,24 @@
+{ config, inputs, ... }:
+{
+  age.secrets.hercules-binary-caches = {
+    file = "${toString inputs.self}/secrets/hercules-binary-caches.age";
+    mode = "600";
+    owner = "_hercules-ci-agent";
+    group = "_hercules-ci-agent";
+  };
+
+  age.secrets.hercules-cluster-join-token = {
+    file = "${toString inputs.self}/secrets/hercules-cluster-join-token.age";
+    mode = "600";
+    owner = "_hercules-ci-agent";
+    group = "_hercules-ci-agent";
+  };
+
+  services.hercules-ci-agent = {
+    enable = true;
+    settings = {
+      binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
+      clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+    };
+  };
+}
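Review bot: `mode = "600"` on both `age.secrets` entries leaves the decrypted binary-cache credentials and the cluster join token writable by `_hercules-ci-agent`, although this module only passes their paths to the agent via `binaryCachesPath` and `clusterJoinTokenPath`. The value is carried over from the deleted `modules/darwin/hercules-ci/default.nix`, while the new `modules/nixos/hercules-ci.nix` sets no mode and so takes the agenix default of `0400`. Unless the agent is known to rewrite these files, use `mode = "0400";` here (or drop the line) so that both platforms materialise the secrets read-only for their owner.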
diff --git a/modules/darwin/hercules-ci/default.nix b/modules/darwin/hercules-ci/default.nix
deleted file mode 100644
index b776f85..0000000
--- a/modules/darwin/hercules-ci/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, ... }:
-{
-  age.secrets.binary-caches = {
-    file = ../../../secrets/binary-caches.age;
-    mode = "600";
-    owner = "_hercules-ci-agent";
-    group = "_hercules-ci-agent";
-  };
-
-  age.secrets.cluster-join-token = {
-    file = ../../../secrets/cluster-join-token.age;
-    mode = "600";
-    owner = "_hercules-ci-agent";
-    group = "_hercules-ci-agent";
-  };
-
-  services.hercules-ci-agent.enable = true;
-
-  services.hercules-ci-agent.settings = {
-    binaryCachesPath = config.age.secrets.binary-caches.path;
-    clusterJoinTokenPath = config.age.secrets.cluster-join-token.path;
-  };
-}
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index 91a03b2..a43fa5c 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -10,6 +10,7 @@
     ./telegraf.nix
     ./users.nix
     inputs.sops-nix.nixosModules.sops
+    inputs.agenix.nixosModules.age
     inputs.srvos.nixosModules.server
   ];
 
diff --git a/modules/nixos/hercules-ci.nix b/modules/nixos/hercules-ci.nix
new file mode 100644
index 0000000..6f7a88a
--- /dev/null
+++ b/modules/nixos/hercules-ci.nix
@@ -0,0 +1,27 @@
+{ config, inputs, ... }:
+{
+  age.secrets.hercules-binary-caches = {
+    file = "${toString inputs.self}/secrets/hercules-binary-caches.age";
+    owner = "hercules-ci-agent";
+  };
+
+  age.secrets.hercules-cluster-join-token = {
+    file = "${toString inputs.self}/secrets/hercules-cluster-join-token.age";
+    owner = "hercules-ci-agent";
+  };
+
+  age.secrets.hercules-secrets = {
+    file = "${toString inputs.self}/secrets/hercules-secrets.age";
+    owner = "hercules-ci-agent";
+  };
+
+  services.hercules-ci-agent = {
+    enable = true;
+    settings = {
+      binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
+      clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+      # secrets file is needed for effects
+      secretsJsonPath = config.age.secrets.hercules-secrets.path;
+    };
+  };
+}
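Review bot: This module declares `age.secrets.*` but does not bring in agenix itself, so it appears to evaluate only because the same patch adds `inputs.agenix.nixosModules.age` to `modules/nixos/common/default.nix`. flake.nix lists `hercules-ci` as its own module entry, so a host that loads it without the common module would presumably fail on an undefined `age` option. A single comment at the top of the attribute set would record the dependency, for example `# requires the agenix module, imported in modules/nixos/common`.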
diff --git a/modules/nixos/hercules-ci/default.nix b/modules/nixos/hercules-ci/default.nix
deleted file mode 100644
index 5f0b8c8..0000000
--- a/modules/nixos/hercules-ci/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, ... }:
-let
-  herculesSecret = {
-    owner = "hercules-ci-agent";
-    sopsFile = ./secrets.yaml;
-  };
-  inherit (config.sops) secrets;
-in
-{
-  sops.secrets."binary-caches.json" = herculesSecret;
-  sops.secrets."cluster-join-token.key" = herculesSecret;
-  sops.secrets."hercules-secrets" = herculesSecret;
-
-  services.hercules-ci-agent = {
-    enable = true;
-    settings = {
-      binaryCachesPath = secrets."binary-caches.json".path;
-      clusterJoinTokenPath = secrets."cluster-join-token.key".path;
-      # secrets file is needed for effects
-      secretsJsonPath = secrets."hercules-secrets".path;
-    };
-  };
-}
diff --git a/modules/nixos/hercules-ci/secrets.yaml b/modules/nixos/hercules-ci/secrets.yaml
deleted file mode 100644
index dee8321..0000000
--- a/modules/nixos/hercules-ci/secrets.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-cluster-join-token.key: ENC[AES256_GCM,data:Ba8S5Cx3NJR/FoKkSVc5pX1bwKkYHAhTid3dlWcGRXPCmVtrMgBKLjDZ5b3AajZio+IvS7XNajsVqPUB/rsBUPL+mz/DPbnI4bibLkB0KZl5v6FnMf6RbGr7RWbEsGXWlJh77l/AmGRWJTj7Dh3LaQ53dguhNIDuXGvNhTLs690/93Xnc+x+d5tzl2hNz/A4/IQxpsRoJJKygqGndbc0bTUPo0QZMLtf8kHQtCiozfm1SeW49ITnM+4VCOJB8NkSkwUfy5Rs574fFijYSOGT8LSSH0ly2oxHEY+UaJudRhjr5uzrcZPI/WrrtkI=,iv:87JRtvlkkExu37uYRaHojsk1vjhO1ocw2L9yE+7shpI=,tag:0de71eZjy8F/w0LQzOVAyg==,type:str]
-binary-caches.json: ENC[AES256_GCM,data:o5H3jtSn4yV8qgdBy8FEMNHx4azLzcv2aVqdG343FLvyokbTijn5KnHfVeLaxwMe4ugmfXUkQbx5fPP9VWMIoWUecagS39nkVz1D2XA9a1KAvpJdLqUIvqI9grtPv10cdh99zPQ/epBz/qat8tcXGC/ggKH7e7rJSYcd6WWQxdu7Z/dIFdbuuwzENHiIEKwVUyyNp/Qe5SBKA1ysA4uTx0HKKgZj4Ytcfao1eoDOp9pV9KruaXC7EiGTYujk8M3PwUBdLsX4Tgjh3Qoku+PTRMbdesE52QEHDgYw3jZNwZuyvg4tHhs7qm/3gILRZJUZxlVw8BotYGVsjMUyEGuHcwUspeqQVYOgewPbYIcRV9TC/z23CBecsGHrjE7b21Wf5uQJcGt+x+mDuiP2socrLr6Jd1lFgMbxSiKcTEHR5gA=,iv:BZ5QGtGiR++dAxPQHdtSu4+mLE18rM7nt70urViFET8=,tag:tNQiKaLrOB/ZmSsRKHgWLQ==,type:str]
-hercules-secrets: ENC[AES256_GCM,data:XG68,iv:OjgSr4yI6pznAep0ChxSS8H3Iv85M4gyPNmlhMfOUK8=,tag:WHowGftwk7viIqMPmWM08Q==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTelo3ajQzOTgzRi80elRu
-            Rk9raUlRdUloRGxLL3ZyRGtWTHZtcC80S1g0Cll2MjhVcW44RGtLems1RmJ3RFVK
-            T0F6MFcrdGlhSUNvMzJzKzBQQTQ4dnMKLS0tIG0vNWRRdDVLNDUrUHpCTEVQYVFY
-            MnF6bWJKcTJKY0hsbmx3c1B5WmZPaWMKR34ZzjR2aDObxGi2P4Ak1sSvdWT6VoQE
-            UfW64J1INE0PVJYgF6lDh5kFojIenTCvHM2AKR6KnIVn0DAE/eJhTg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQUR2bWNIOWFTNG5GTVQ1
-            TWNUOFNCU3B2cWQyOXpjeG5YeFlQdUdYMm5rCnJ1MUNDT3BaS0hhbmNnbTcxcUVQ
-            Y0llMUd2aHpkZ3FJRXZkQjNXSGMxNHcKLS0tIFlyNVRpZjV5MitYK2dHQm1OYkJq
-            UGVlOVdweWJvQ1FNUnNsNzgyYkk2SzAKl3uOuDRY/INd/ahtpG37kdPp+aT86iuV
-            a0Lg1QqTAnCaAgh3BNGqUzSVx580s88fefn19y3Iay6w/nGRYs3LTA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1b2x6eHYrQ0VwOFhmYWJG
-            anRhMk5OUzFleElkcEtoR3VkTWlvSFMvV3lvCkx2UUJBaUR1N3JHTG1DQnVuZ1g3
-            YWVyTWlsT2dnZVRFQmoybitralVBcFkKLS0tIHhaS0FYYm5raFNlallFbEsrV29N
-            dHlpUVlVL1RHTnplZHNzcnVWMmlVU2MKkTvDT3ghsEk2GKKTWAs9u/VRHAlTcIfV
-            4F60cGCutbXrLHGyye99tqSuHdJKcvc7C/DRWqYCQ+k/ONLBiC8a7g==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZXBHYklkeVdOMktIb3JI
-            MzhOVXVoOWg3b3BOV3dqdjI3K1BmUlZXaW5VCmwxakZFMnRpbnpTbTZxRkFzY21D
-            ODFFSjYxWkE3ZGZRZWxhRjFKQXpVVDgKLS0tIC84a1l2elZuVGgybVppcGN6WTNR
-            dzBsU1VZZUFNVElMZXV2UUI0VW9OM3MKQWK5vznCUz07HDUzGYdYG06UUBhF9XtJ
-            XS82nTT96DzgxcUSD/10eMc/AbZQC1iUCUTDEycXG9TvQkQGy6XWUA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZUUwdUg0eDEzTkhDK1NX
-            QVVPV0w0MjE2akphWVhFTER5MFo4aTZzeWlzCldwTXRxMWVjbGx2ZkVRdVh1anp2
-            OGc4aVR2RDZDUjZaaWo5WEh4RzZUemMKLS0tIHE5Sm44aVZrRndqS0sxOC82M2ZQ
-            clZyT213MDZrOTNKZW9Ld2VFRVFZTmsKTtwuuORDqeO2f0sixAE+N/ffi/hanW30
-            2zZHR0F9yLNQV0qHQv27mfmpkb6ikP3bc9FMYJVs98hfuxU0wK1ZUw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYWNLZHIvOGZLbTFrMmQ5
-            Z0ZZREpRRWtrcVBnVzc3b2M5cU44cFE5dkdNCjQydEh0QXdSVitNMkhaSVpjRDF3
-            Mlk0SFphWVdzcW1HQ0RENktaQ084dDQKLS0tIEZnWXFaSEN1S0ttYmZIV21xaDVv
-            dkdvbEhHV0dPYVJZSXZ5M2RzSEV3bmsKMR2JDRjVHIouEyD02i574mnwClf4yQdr
-            ge6FFMGi2sLvDULXOyRnEgCu9dyeCp1qKKmJlz2Se0BtH4PWaRKIfQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzelcxZDVodzVwWm1WWGRU
-            UGl5eHNlYVQ4SUNGNkhVR1BDVXFsd1NPSkU4CkVYREhqc0hDTEdyTkUySmN3czRp
-            bk4yNzJEMFQ3RmxmcnJpNkxsaGdiSlEKLS0tIFcyY055S3ViVG5lbSs2VzNpanI0
-            aWtHdldjTUE3MVhzM2lvVDZkYVJtdTgKoZn+URDEUn2ABex6dGsN7eKYvle1JqEZ
-            9ltCSlGIJ9m+r9TA4ATUthlhLJtV3ClYqIJ92yhlNH3+MIpnuxsnZA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-09T03:55:30Z"
-    mac: ENC[AES256_GCM,data:NP6HyJiX097tDhbgMcDD8IBQKpug0JMLbRjRWs9QUPLqitq/HNoIfD3OuY1hLGhML/YY+TQ/fyFvAxFJG/8qyIZYOu2JwFnCHzmBbE02KRyB90iAB/zlw3em+jKzBuUIDknaYbOn5fucJHOci4OjZfkd4/UmWodlulnRGsljx+c=,iv:lRRZDAAGnnI5KNtBH6qQWBzUo7GDIlUPbcZL147Tgh4=,tag:CWOerIPjpzndXq6j7zjy2A==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
diff --git a/secrets/binary-caches.age b/secrets/binary-caches.age
deleted file mode 100644
index de5ff583b7ce7ea7743dc328be869829dd971743..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1448
zcmZY7?T^z00LO75#9&{LcoG9dVTr~_cE{R1b_O-w)^6RpcI~!yTL{p#T_4tUUAwJa
z6M+}zPyz@T5;y@hMuYJZBcK6I)Qe&Oj|U@aR4@?*!gG{(5D`w^_~!fzKKcIg<7H_?
zG6ZX2cGb4AtZm7GJ_L+B=d*2P#IkuGLXbty0Z`A#2w5Vn;dH*HS%%fKO7&Kqx3f}(
zh?)%$2Sw8LK-1tvCqacB28@eofvwyA2JVD4fb|M#Pj<U@qZFgcd@)DkT2>WRrK0qr
zr7+>IC$gb<4;E^SM!-;-Yt>r8Vv%HUx)*|aD8PvUzM87WqDDRfm8zsomzwQ%Ug<<y
z!7jyjyZ$l`kwnw-!Y#Vj)5GbaM^rOJjTB)PW_TdW>CsrOo(iD_GZu<8vYCeBG(gZ~
zMLv-T2~alQwlqxB?lV>=2!n9ntZEkAF{907%8CKmh-HC_M#=(?;CUm_?gcn{kQ6Wn
zjDwC<^mJKQ#k!qqXyPCcPcW{mnQ&FYK$aIu0S3ql?OdP)Vr(LV+k~5l<UlHl{I|9w
z1|tzD?xWRMpLBd#*N?QCIjUO8qpHXR`D~d9qDfwra}a|kOQ9;93i7SEOCvxqRU$Jz
ztk!XRSW@Rjdr+{QelejSZn+-}R|mQ#DvU&=1$d^G=fFl%_H_y!w?HN{4I=KbDFl%^
zf?Kj6wMgOZ&VY5JVziMVT#sZ>Ku(tex|wVi`eIo{VG#z)Nq>%M(nT+gAa1CPN22|@
zD`b-ROf4R)S5(C3c%d+zGEK~Hg0%$9cIqvEAw`3XnKC(lUT|2JkHEP?#lV5GmcU?*
zg6le3_WD|nSAu!U(?rQ~xwe6)<H4}Tn7uk!2+!0MNS6%6*Kesv%FA=I%c81Ttyn5Q
z;2;{V$QVPDMMKhE#|)~9*OCE^w5tO+jDc|uZ6_UpRv0v-8jVabiE;xWq1k#&aMh^R
z{9jwFi%E>*lQAgXfk6t=(*Ze`Fd?BPd2lSs#9C^up&M`&bNUt8AJjmA$#!#GS6~s4
zfi*3bg<334)^cG=#+pe=EH%4frVwzN$y#$}TOa{NV~CF);Hb_PWJxu<c$~Fcy1!`H
zJQ?CbA=wVQEw3<WH&O<wpa5H~6Wuza!ckkTrChHYU@3n@sgoTWacVUPbuoWBMp!}k
z{!2zid>#~SDriS1ny#0mG(#KUy1`Pp7SfGSUb@keOrACce+NT>=BrDmR#m?KedNZb
z@^N<O^CuQw+`B{C;#Ze#yK-&at$u!!4!G#*M}9v2`Q+#mbMiuO%=cZPK6O0*z?DNQ
zxAq)i-r~u_7qnB!jl+)*&Dp$1n>U(SjJ<Pkl_zbfzJ2@BWc<a2f2|+>bvtxn^M{|l
zd&^vL?E1mkKR!8j`lB_+mQHW~;ZEkQhhHE6Y}D<&G;80v{OUzleP>AJ=(8`JBo;ig
z_p9#y<<LJ{AIr{}f7n=g=I;D&7mbde`s4CMcYbI6_NR_aoqKdGc0%tcHy^x&p4_u*
zY{4wb-aRxub#*rX#-V$&SA6`%*q1+z?K+hmKDX_}hTWI%&D9M3_8R=IHT~xY!@$^`
zc9~Nrb^_-oW}iP>c5l3QhO=K;_wt36uN`<guy*-Fti2>K>@B(X{t<0aX{kFIG57s)
y_RZ<*=Fq&kM{jNz`t90|RfoU%`;I<+;No=7E`G9hdkp-3eB-r=t0UU@{(k{5wH=56

diff --git a/secrets/cluster-join-token.age b/secrets/cluster-join-token.age
deleted file mode 100644
index d1e9547..0000000
--- a/secrets/cluster-join-token.age
+++ /dev/null
@@ -1,24 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa ALNSWw
-k14GuxixIuiA4WhYtWW5PaevHx5QZc2HF9HM7Ia2ji4mNg2Pc1+cXFZG/QLROTVo
-EL0c3/MzZBGAdFYkkm8hlA+S9JLdgiP8ROIT8hjhOE55uWWaH8uDQGODQX42nBe0
-w1wN9iBDKJJ0s4kSak9K8GqS0afVvppLPZTcqoaHbh2YapXSYu7LK8BBgz4+nBUP
-0axc3TIVgUzEDls7VGU1c+aavDvBb8c/fg5w5pJZy379bzU5TWpppmi7U7hEboCA
-IMeAH5iffaksmyPIHlK/iwpHdkchLKX+2YHAu8DxywHeowm4rbxKv3oHfH+/3uM3
-28VUeqYY/SCqwLSe84ZnSg
--> ssh-ed25519 Qi7vNw W23Q9s5rainiPnp67oLEcLKpEfmvqxUUWL5u+yvN+0o
-/Tiyf6QaTM1NIKPPdrK9e8K43Ee0cNAV5uS5fiab3p8
--> ssh-ed25519 MW0fCg 2AXjCOaTHC6kJ+m5OnVwyuy6DEI2+6E//fZ7PkZsfFo
-gEvzFrYhSCCvBaOjPb1aI49kCJBK5mpDGShJuVpbSn4
--> ssh-ed25519 92bXiA xv18v2ncQRE9MWJbpNsGUkwhho/NNZ465zcOl1qi3HQ
-OKP7B3ecWEeBF7GA0Vx72BMRbM6iE6/fQ4mkCaGx4R0
--> ssh-ed25519 h1lenA tBhqzlU6IKkHKkTb9p8p2R/OOyLtOhLyAIujO+1oyEg
-8ORTR81GImpbXu4rJ0HTSOwbFb3Zw+JmfYSGFoQXLHg
--> ssh-ed25519 7tFeRw BpJpUC2tTiDfGnO5JvYwW/JiTU2RSfeKzDOCMfLBUxY
-u0mDqrcX/vKNJvqu9Bjl6qUrf1CAkGm5cBRhg984lXk
--> ssh-ed25519 /B167A t3O6wWHJ1GAxe/e7XwiUzl+uWVBG5F7vc088zFYoFm0
-T954lFCHmJTuOnMy5N1OizGzySbd5/ow1eBbcpJl/F4
---- BHVcjNVuUaft0wyxOjncdhbpiC9UtUgWSk8sUr6lBCw
-��'���y�"�N��Tm;�)w�V�Ĭ���ќwtֽ,����}-�1�|�ʅ�����
b��	t%���+l0�`��W�� �vw�6�>"7�i3�&L��Y*�P(S��	<򠎜������m��ˠTqdK$(��y7�PG(y�*��7p��E�/gT�?3Aq���16�#�ȋ�T'y��G�e%.�ۀʭ�Op��:�
-��Ҩ3Hv��E%(�����s�����l��%������������
-`�w��FLX
\ No newline at end of file
diff --git a/secrets/hercules-binary-caches.age b/secrets/hercules-binary-caches.age
new file mode 100644
index 0000000000000000000000000000000000000000..497c4af66483a2c90b882a644ff476532c56ed8b
GIT binary patch
literal 1668
zcmZXS?eE+K0mn7MOo~QD0%j)coT$j<w_dMzeNf}*^?KLq)AjM%s}I=r`gGT8d)Mpr
z+QkGN5EYmxa~es25N8-<Bru&uGM}A;5cLJ}LKbvvL*>PcirX**<c)8B`~{zUzMrq<
zyIXGTEX#BiCh?wR>4R$s*!pxW%Yv<CX4MEzQ1k-m46#|?GoehH2JIe6_gOOxOQ|x$
z#6sPXYFct#py>@M32i@{&ZtqTEwq^&Es%Mab3DNIii#-~kuO&%4%1PF(mH8vTDnl_
zPzOZ{zbvIro7|{&g25`DOctifXt1UG)>>2@U@&KKl9#RZ((i^mp-j=NMXvH$tUxH1
z<wZjS@dZ+*lP(nw85|6_jz64gt7u{3D@hsw6Kk&31BD6uxIgBkk&*C(oSQr)$_p4o
zWVbU4T`TE2c!gLq0YummP6UA(R)(3&m<dE39twoOu2&#D^U8&kqoFrrblKlDjBY1s
z=P?IG@hIC^G%aYEu%Y3wqT1Cm>#x;n2~6abTNYDdhKVhK@*6~vH8;}#*LEk(b{oQL
zQi!gFq9$97B-T=&tPr!mnTg7946-3?ghe8%!jypps?-dLHJf8VbH`LN4tfUc@oXIt
zJ!-m4rj(B;Lmca-#6l(|Sd><D&Tpsjdc!0AnnJ*MdnC`}Qi?|s%&%Gotp)XdYCH2T
z<<A<Gj)j8&PACen*NcW4=~6Zw=+g|xOL!eRzG0LwQ*Lmb^I2qV;67-&<LxxOX&WI?
zQ*}tlMW*AKZf<pRgP?<4Gz}MnZ5Udhr8^lQy66}ni2-qUAc-8CbCf>jv{e8WMT?6&
z(lU;O0p+3@DvEq77-Q?VxCKz;#zbxNW(uha`TkJ!?FJZQ*rFcgQ@Q61dgBdPAtZ&)
z-M-t9DPTQ@sVHBOe#nlf6!C{;nyQhX!VH>5dX8D}iiKfG?CQ>Tw*uBVkEpFVl@rw^
zG4D4w`38^c{aHN8yVFi?#X&D^xjnd0Hl)S%B>+u536^bB%6SSKHrqTip&&>gIf|-x
z*qDYjs8>feLwk*Frws~-C#71aKL)3vE=x_WwJ36X)KsLLHO8u&$$Fz*2=z%JH##ah
zlYq4HsEij~Z#~k>S>dQsgCK*_wAc`7Li0^1P6v@O6dmO)-OyFfm5W-GI|{=!=Ruoj
zw(xPHP+8hk0tpkW6nDbroD^9JC0lYh0}{oR5GPv4E`$-wsp!yadJ_9{hQcZvlq;^C
ztU%DOSSH!-26i9>C2C&MwMxeo+RI)`E15BxckHe)X&8K2FX=cpy+{+2p}CAH0CzXG
ztrPQD1e1VV;gCUt0x~Bux|mJ4H&5KhF(vIe(L@8bwzg^sV=u`nEZJ;8+1-#<>>MR!
zo#{9OQws;8#_?V~T6Y(83;590ANbwgi$A!gI`a&#HZFYTO#c`szvuMZBJ{7d(|0Vt
z@chw>zu*7MKXq?^>A|nq|K;D&hu*iBz4KjLJ6^hSm$>`UKmXxxo#$S|&+WYZw<o;2
zld~Uu_Q|i_wC}x#jQno${A>H}JNMwOe+3Vn_#_~F_67PkuY=8l*J3|CwfpDK{NvJ>
z_gEi3u=o$~YIi4k%PWVM^!@`k&o1nE_Qa2O?|kS`>xp|VpMK(?c<;I1Bgyg4pE~(*
z?yjqUed^`&_ZLq;{POY3=D`Dlvlw^Rk;XM=A9(v&@l5L*^*!|0&hHgozv+$hPafIZ
zzQXx;GW`3=Td#OZ`{@13(f!9ivh~6nN51vl$CeK_zW>y7e_^H<?ogNu$6oo_e(ciw
ziQc<^as7++FA>-6IDFk>$A}-k^S0>Fr@nLY+M~l)Z@%@0i==Vo^~A4UoL~Bh^!N?m
z`(pjh`nk^?e!BXEQ@e-VWk=8NlWzRBn%?qt@A5bQ30RNZR=fPMtNu8=>PP<ri(^=n

literal 0
HcmV?d00001

diff --git a/secrets/hercules-cluster-join-token.age b/secrets/hercules-cluster-join-token.age
new file mode 100644
index 0000000000000000000000000000000000000000..e33caa96f81c949999a53e319781570ada1bd812
GIT binary patch
literal 1584
zcmZY5+3Vy60l@K9q?MEkt@zZ^on7m;Zv2^JGC8DFGnpj6nH-a2a#EB`?#VSX$t0N(
zM7y{}5p1<@c5N#yYEkTi%a)}m9)(uH6%|wpqH8_62&EzxYDInV<=4O9!}sgO;Za!n
z+x@yptMbFuHilXRIJ$pO*U8bg_6D>l>sALyD9*Hn<XJl@L@c2)Av2EP?L65^O#upE
zY=xF>(pZ3O_8CP&t8tRxLRZ)uL@>lM0B~V7!(9Z2_tZYMF^yJ`u(u$+huO7isjC7d
zO=E7*Yri^f9oUQTAcw}xe8{a-sN3y<xLDYXJSpG=+7wFO;nU@0UbN7hkF~Ly!i;Wq
z3cM$<Ae(C(7(raePsDr~XYEQ;MF;RUEvXFG<(O{b4X@{DpEZ*tketH=_d6@fXG@4}
z6~@?)R1TfVvxz57@|9C<mtcl=8emAVENL#(LpJU7XzP*fj)<Y9g0Z&fY%<C;!lEBX
z$H#8KPPu&7cf)i`9f+N`>BnvYsGRDJ2x6;dVPXe$Oqq^m#Q(n?2Iy#nPy;n3TDcq4
z5sbU|)URrP!HN#=x~(}9QM`xUrT4$Hj5tKr8r8!q2UrwcI#uL7i8WejT6|Te;M&35
z67#FVT&xZv+aTyT9r^G{O|syKi3cVO>dI^yMTCU1j5v`pYs}4@0AdSqA#>rn;px<&
zgNlxUy(W*T{YY`-P2{YaZ8_gbjnHHaT}1)3CHBIOHbVw)(zmry=+aK<f#B`vW3gLI
zc73+P`LR6I+|rkZ2T9gSvOesm(_}4T{mQ}s-hiqAI*=feJ8=_02%dA(Oz&luX&oJ|
zMGr;Uo|5{vpG=TEEa|~8o^dcVnj&^{Oe$*QlZ*9iKMb%&mjl0usCffVhGa$?6;P;M
zz1Ey%+jN<sOz8AD*+D)`i93m1Afh--$3X*gM$57%Pj*8~jOf8WLJd=3YOCRN)I>Ce
z6#bbw$GEa;&|@e%EbQ7=mf0qDfR4c;Bd<3H-a|bwbo-^B2Mk6kn~*Sby_m1r-dxNX
z$*WFk(+-gsbx;p2&rZsbmB5j?4y277GT|N-in+j7y1ZOCi7zL~#^M~Hg!70dJXix$
zkk>)cQ4p6>^K!T<xm{CZ)CjD$xwX(D<D^D3T&Q(}f+AATN-;17<%y%K2aR{>(%x$F
z7Ob_r;5#fMd<QCE2hg|DbWg$1LNtZUHscMwHezDrk-~~)S=aN)EjipVZd0fyHE4|B
z1U+a}Z3ii_K=WuxhsCTB77^vtnAs19stVR9M}h{er$Pz?o}+n!ux;(>rXdYlUE}Mp
zsYSjsC@!ML3FL~ih@b^Glz^k7qk(W}1JX5NE68Ll=wq{>Ji*CL-uI`HSRWW$6-||?
zh$#y^`|qE?|1#cs{%jlGc-NKhmJi>~$}s%;^1d6dy)rxZy-z&#5b?;B$H=!nd-YSF
z)4%e%%iehMTKM>12dD0Q=7IF$WAC^H{^a0KACKQW_v)V?gn`LVwY#ra_??fQ29AF9
zgIktg)xYt?U!pI*{F_JQQ%}CeG1(izKQCOcuikar@2_3|$On}7)DQgf*MBS@dghK$
zvp)UK2hlIz_wH}E=k=E_Uw(r;|CtxAUwk3_*1c!G;QsLMzjeG{K-b?Jp8eU9zx1K^
z{o_CPT)h3IO#c4<)|;>W{HB{8JwN%{*Ylh2H{XBtp1W_o6u)>bd*alOXzUM{o;`in
wm(-^pe(sffh1)J)IQy!O55Duk&%gP%=bk_PF?n|8cV~V~M<4y>9jJKuzefZixBvhE

literal 0
HcmV?d00001

diff --git a/secrets/hercules-secrets.age b/secrets/hercules-secrets.age
new file mode 100644
index 0000000..556b8c9
--- /dev/null
+++ b/secrets/hercules-secrets.age
@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-rsa ALNSWw
+p191juUB3M1ugsq9G0JSxd8py62YvADEpHGBUrH2g9AVW5tPlsg8DfVMB303OpGf
+W3uLnkzFToMkVYRwogZ2fFjRrgL3TzYP/7YtNvSOCK5ISgr/O7gzvN2bef/SmaU5
+hbT55479Fll47swpOyLCmb8MPBpejt7rUIwrWwVYe7H7Iiy0/c2BqnoFH01izCte
+JKeNl9zv3W/xC8E+9NBhNy9JzxyE1TTK6lBynf1fm3c1lFzgLuhIyRyw2bfN1Xe7
+zqxGoEwHI2HliMyfWVoqAPIuamMjol5nXftXOdk+iynNoUOC5CYCOvb2izgAMlux
+mRi9Isw5+URm9i1ftnne9A
+-> ssh-ed25519 Qi7vNw UqDd9zpwUG+Zz6GBM/ihh+SSmvlyftVLQ3vGbs8bmig
+UtIHBx1seQYsprHUy+gCtHEHHW6DLoLOC8nB0IW5gnE
+-> ssh-ed25519 MW0fCg fsE5TkypLmOW34SLIjundvPQKvge7om9gxhjTWqBIEg
+/N4XYNuD91v30anQ6wvvaF0ed4p4S2qCivpjQjc6Zzk
+-> ssh-ed25519 92bXiA agh7/NO92cdr6Ks9l++5zmUxDMOG7/kpAuLa2+krrjk
+Dw5ZcYsTNLEtISZjbryO6SG9hkxQyvvaqZ23Q9Cg+yQ
+-> ssh-ed25519 h1lenA UlcCE/LSI99G1JHrMBb30QD1FqW3AGFIWK2pScH7XFg
+huP7kMFoCzH28A2F0csofXvAwQ/XL+zUhEmWKzCaaVM
+-> ssh-ed25519 w3WLfA a8a6jxPciyKv97TlZeFzTPPCTkHkSAtAo3E7zdi3g2E
+ZB3//50/GnoPOrBZW2LO3Ro+ufOY5PLrlp4BEEqOSJk
+-> ssh-ed25519 Iw1MCQ vb99twMuWFPT9hSdu+PNChC8ckCEKugaNA1AmoIO/gw
+g51+sN/q/cc/rleg3xda8w1CybnF5gn5hXB97kjtXi8
+--- w6C7jupmvs4mp5Dpwm2Ff2SMs1cPB+kxweTI95HpnI0
+�Y�c����ZA=�Q��+�kg�e����yx�U
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 507deb3..ad16601 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -9,10 +9,13 @@ let
 
   inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
 
+  build03 = knownHosts.build03.publicKey;
+  build04 = knownHosts.build04.publicKey;
   darwin02 = knownHosts.darwin02.publicKey;
   darwin03 = knownHosts.darwin03.publicKey;
 in
 {
-  "binary-caches.age".publicKeys = users ++ [ darwin02 darwin03 ];
-  "cluster-join-token.age".publicKeys = users ++ [ darwin02 darwin03 ];
+  "hercules-binary-caches.age".publicKeys = users ++ [ build03 build04 darwin02 darwin03 ];
+  "hercules-cluster-join-token.age".publicKeys = users ++ [ build03 build04 darwin02 darwin03 ];
+  "hercules-secrets.age".publicKeys = users ++ [ build03 build04 ]; # hercules-secrets are only needed on linux
 }
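Review bot: The recipient list is now spelled out three times, and the only record of why `hercules-secrets.age` omits the darwin hosts is a trailing comment. Naming the groups once in the `let` block (which starts above this hunk), `linux = [ build03 build04 ];` and `darwin = [ darwin02 darwin03 ];`, lets each entry read `users ++ linux ++ darwin` or `users ++ linux`. That makes the narrower scope of the effects secret visible in the expression itself. It also means a host added later goes into one list rather than several lines, which lowers the chance of a secret being encrypted to a machine that does not need it.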