move hercules to agenix

modules/nixos/common/default.nix

@@ -10,6 +10,7 @@
     ./telegraf.nix
     ./users.nix
     inputs.sops-nix.nixosModules.sops
+    inputs.agenix.nixosModules.age
     inputs.srvos.nixosModules.server
   ];
 

modules/nixos/hercules-ci.nix

@@ -0,0 +1,27 @@
+{ config, inputs, ... }:
+{
+  age.secrets.hercules-binary-caches = {
+    file = "${toString inputs.self}/secrets/hercules-binary-caches.age";
+    owner = "hercules-ci-agent";
+  };
+
+  age.secrets.hercules-cluster-join-token = {
+    file = "${toString inputs.self}/secrets/hercules-cluster-join-token.age";
+    owner = "hercules-ci-agent";
+  };
+
+  age.secrets.hercules-secrets = {
+    file = "${toString inputs.self}/secrets/hercules-secrets.age";
+    owner = "hercules-ci-agent";
+  };
+
+  services.hercules-ci-agent = {
+    enable = true;
+    settings = {
+      binaryCachesPath = config.age.secrets.hercules-binary-caches.path;
+      clusterJoinTokenPath = config.age.secrets.hercules-cluster-join-token.path;
+      # secrets file is needed for effects
+      secretsJsonPath = config.age.secrets.hercules-secrets.path;
+    };
+  };
+}

modules/nixos/hercules-ci/default.nix

@@ -1,23 +0,0 @@
-{ config, ... }:
-let
-  herculesSecret = {
-    owner = "hercules-ci-agent";
-    sopsFile = ./secrets.yaml;
-  };
-  inherit (config.sops) secrets;
-in
-{
-  sops.secrets."binary-caches.json" = herculesSecret;
-  sops.secrets."cluster-join-token.key" = herculesSecret;
-  sops.secrets."hercules-secrets" = herculesSecret;
-
-  services.hercules-ci-agent = {
-    enable = true;
-    settings = {
-      binaryCachesPath = secrets."binary-caches.json".path;
-      clusterJoinTokenPath = secrets."cluster-join-token.key".path;
-      # secrets file is needed for effects
-      secretsJsonPath = secrets."hercules-secrets".path;
-    };
-  };
-}

modules/nixos/hercules-ci/secrets.yaml

@@ -1,77 +0,0 @@
-cluster-join-token.key: ENC[AES256_GCM,data:Ba8S5Cx3NJR/FoKkSVc5pX1bwKkYHAhTid3dlWcGRXPCmVtrMgBKLjDZ5b3AajZio+IvS7XNajsVqPUB/rsBUPL+mz/DPbnI4bibLkB0KZl5v6FnMf6RbGr7RWbEsGXWlJh77l/AmGRWJTj7Dh3LaQ53dguhNIDuXGvNhTLs690/93Xnc+x+d5tzl2hNz/A4/IQxpsRoJJKygqGndbc0bTUPo0QZMLtf8kHQtCiozfm1SeW49ITnM+4VCOJB8NkSkwUfy5Rs574fFijYSOGT8LSSH0ly2oxHEY+UaJudRhjr5uzrcZPI/WrrtkI=,iv:87JRtvlkkExu37uYRaHojsk1vjhO1ocw2L9yE+7shpI=,tag:0de71eZjy8F/w0LQzOVAyg==,type:str]
-binary-caches.json: ENC[AES256_GCM,data:o5H3jtSn4yV8qgdBy8FEMNHx4azLzcv2aVqdG343FLvyokbTijn5KnHfVeLaxwMe4ugmfXUkQbx5fPP9VWMIoWUecagS39nkVz1D2XA9a1KAvpJdLqUIvqI9grtPv10cdh99zPQ/epBz/qat8tcXGC/ggKH7e7rJSYcd6WWQxdu7Z/dIFdbuuwzENHiIEKwVUyyNp/Qe5SBKA1ysA4uTx0HKKgZj4Ytcfao1eoDOp9pV9KruaXC7EiGTYujk8M3PwUBdLsX4Tgjh3Qoku+PTRMbdesE52QEHDgYw3jZNwZuyvg4tHhs7qm/3gILRZJUZxlVw8BotYGVsjMUyEGuHcwUspeqQVYOgewPbYIcRV9TC/z23CBecsGHrjE7b21Wf5uQJcGt+x+mDuiP2socrLr6Jd1lFgMbxSiKcTEHR5gA=,iv:BZ5QGtGiR++dAxPQHdtSu4+mLE18rM7nt70urViFET8=,tag:tNQiKaLrOB/ZmSsRKHgWLQ==,type:str]
-hercules-secrets: ENC[AES256_GCM,data:XG68,iv:OjgSr4yI6pznAep0ChxSS8H3Iv85M4gyPNmlhMfOUK8=,tag:WHowGftwk7viIqMPmWM08Q==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTelo3ajQzOTgzRi80elRu
-            Rk9raUlRdUloRGxLL3ZyRGtWTHZtcC80S1g0Cll2MjhVcW44RGtLems1RmJ3RFVK
-            T0F6MFcrdGlhSUNvMzJzKzBQQTQ4dnMKLS0tIG0vNWRRdDVLNDUrUHpCTEVQYVFY
-            MnF6bWJKcTJKY0hsbmx3c1B5WmZPaWMKR34ZzjR2aDObxGi2P4Ak1sSvdWT6VoQE
-            UfW64J1INE0PVJYgF6lDh5kFojIenTCvHM2AKR6KnIVn0DAE/eJhTg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQUR2bWNIOWFTNG5GTVQ1
-            TWNUOFNCU3B2cWQyOXpjeG5YeFlQdUdYMm5rCnJ1MUNDT3BaS0hhbmNnbTcxcUVQ
-            Y0llMUd2aHpkZ3FJRXZkQjNXSGMxNHcKLS0tIFlyNVRpZjV5MitYK2dHQm1OYkJq
-            UGVlOVdweWJvQ1FNUnNsNzgyYkk2SzAKl3uOuDRY/INd/ahtpG37kdPp+aT86iuV
-            a0Lg1QqTAnCaAgh3BNGqUzSVx580s88fefn19y3Iay6w/nGRYs3LTA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1b2x6eHYrQ0VwOFhmYWJG
-            anRhMk5OUzFleElkcEtoR3VkTWlvSFMvV3lvCkx2UUJBaUR1N3JHTG1DQnVuZ1g3
-            YWVyTWlsT2dnZVRFQmoybitralVBcFkKLS0tIHhaS0FYYm5raFNlallFbEsrV29N
-            dHlpUVlVL1RHTnplZHNzcnVWMmlVU2MKkTvDT3ghsEk2GKKTWAs9u/VRHAlTcIfV
-            4F60cGCutbXrLHGyye99tqSuHdJKcvc7C/DRWqYCQ+k/ONLBiC8a7g==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZXBHYklkeVdOMktIb3JI
-            MzhOVXVoOWg3b3BOV3dqdjI3K1BmUlZXaW5VCmwxakZFMnRpbnpTbTZxRkFzY21D
-            ODFFSjYxWkE3ZGZRZWxhRjFKQXpVVDgKLS0tIC84a1l2elZuVGgybVppcGN6WTNR
-            dzBsU1VZZUFNVElMZXV2UUI0VW9OM3MKQWK5vznCUz07HDUzGYdYG06UUBhF9XtJ
-            XS82nTT96DzgxcUSD/10eMc/AbZQC1iUCUTDEycXG9TvQkQGy6XWUA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZUUwdUg0eDEzTkhDK1NX
-            QVVPV0w0MjE2akphWVhFTER5MFo4aTZzeWlzCldwTXRxMWVjbGx2ZkVRdVh1anp2
-            OGc4aVR2RDZDUjZaaWo5WEh4RzZUemMKLS0tIHE5Sm44aVZrRndqS0sxOC82M2ZQ
-            clZyT213MDZrOTNKZW9Ld2VFRVFZTmsKTtwuuORDqeO2f0sixAE+N/ffi/hanW30
-            2zZHR0F9yLNQV0qHQv27mfmpkb6ikP3bc9FMYJVs98hfuxU0wK1ZUw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYWNLZHIvOGZLbTFrMmQ5
-            Z0ZZREpRRWtrcVBnVzc3b2M5cU44cFE5dkdNCjQydEh0QXdSVitNMkhaSVpjRDF3
-            Mlk0SFphWVdzcW1HQ0RENktaQ084dDQKLS0tIEZnWXFaSEN1S0ttYmZIV21xaDVv
-            dkdvbEhHV0dPYVJZSXZ5M2RzSEV3bmsKMR2JDRjVHIouEyD02i574mnwClf4yQdr
-            ge6FFMGi2sLvDULXOyRnEgCu9dyeCp1qKKmJlz2Se0BtH4PWaRKIfQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzelcxZDVodzVwWm1WWGRU
-            UGl5eHNlYVQ4SUNGNkhVR1BDVXFsd1NPSkU4CkVYREhqc0hDTEdyTkUySmN3czRp
-            bk4yNzJEMFQ3RmxmcnJpNkxsaGdiSlEKLS0tIFcyY055S3ViVG5lbSs2VzNpanI0
-            aWtHdldjTUE3MVhzM2lvVDZkYVJtdTgKoZn+URDEUn2ABex6dGsN7eKYvle1JqEZ
-            9ltCSlGIJ9m+r9TA4ATUthlhLJtV3ClYqIJ92yhlNH3+MIpnuxsnZA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-09T03:55:30Z"
-    mac: ENC[AES256_GCM,data:NP6HyJiX097tDhbgMcDD8IBQKpug0JMLbRjRWs9QUPLqitq/HNoIfD3OuY1hLGhML/YY+TQ/fyFvAxFJG/8qyIZYOu2JwFnCHzmBbE02KRyB90iAB/zlw3em+jKzBuUIDknaYbOn5fucJHOci4OjZfkd4/UmWodlulnRGsljx+c=,iv:lRRZDAAGnnI5KNtBH6qQWBzUo7GDIlUPbcZL147Tgh4=,tag:CWOerIPjpzndXq6j7zjy2A==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1