modules/shared/community-builder: move secrets to sops

2024-12-19 10:24:55 +10:00 · 2024-12-19 10:24:55 +10:00 · 518f527936
commit 518f527936
parent 6528e6f959
6 changed files with 94 additions and 33 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -63,6 +63,16 @@ creation_rules:
          - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
          - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
    path_regex: ^hosts/web02/secrets.yaml$
+  - key_groups:
+      - age:
+          - age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
+          - age1tc0yavxcq9hnf8rl5akv4twzaqkz5p9g80r2kf8cdv4urxgm4qnszccsy3
+          - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          - age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          - age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+    path_regex: ^modules/secrets/community-builder.yaml$
  - key_groups:
      - age:
          - age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
--- a/modules/secrets/community-builder.yaml
+++ b/modules/secrets/community-builder.yaml
@ -0,0 +1,75 @@
+community-builder-nix-access-tokens: ENC[AES256_GCM,data:AIMsjuuJ9hG2tDGyY+GjaOh654moBwgNkc/m+GYIm5+YPkyujQ7H/pIlgyTTqgDZniysE1QUm9xJBwwmbUdwghICPsje829sLjUGcZ+xqq7iNoP9/123+XD099pTU1eNKQhhWLpjvnHCRJxv7nbhFuE10OQdJ3SQLA==,iv:ARs8xyXXLFp7KAvHI7y70DINzdVtEtGW0k7DQTFb5EU=,tag:PROuSQIXPKod3ul+QCW5ww==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncEk5Z24zWERTMkxPcFhu
+            elVBcC9ibEJpcXJySHkyYVNJczhsZG1HcjA4ClI4WDIydVVmTzY1Q0FIcFlSdWk4
+            RE42VCtrT2NTN0xZUGs4czhPei95TUEKLS0tIGovQ0M5clpnNmNaK254MnVpUFRE
+            cjZkOVNTQVhHQTdLVm9IbWd0QjJMNzgKdO4ceB3p617WxnKC8Y4KS3ymVBs9Tc+z
+            nMQ1L8tdjib83AR4v637qG59eWmDUZ1ACwARrSFM2KrNaJhhuHwjRw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tc0yavxcq9hnf8rl5akv4twzaqkz5p9g80r2kf8cdv4urxgm4qnszccsy3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MG1vNjJxK0MxL2tZREx4
+            am5HcmpnbGZ2Zk9PdU1IdzBySEZuMnJHcTNvCmtuWlNHWE5LRGtVa3pIeTcwbmRE
+            VHJaN2VmZDFoWnlkYkc4WVVqWkVyWTQKLS0tIDMzUm9NT3FhTjE2ajJmbDBFU0RZ
+            MEJ4T2xsRkI4QTZQWlNRYWhCQXo4ZU0KQJGmC8wAYI09M8kpT6ID2EIYVj55RK6g
+            4WRRCxVQZ900fXYVqslMOR+kr9T9lM5tVSNwXUFaJYktB1VuwcXewQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReDREbmZVVGF1L0ZVc2JF
+            SXpVcGhjalNHc0hmVHl4Q2s3RnY2MkhqMlR3Ck5RaUxCN0xzcW0vYjZia1ZYUGJR
+            Vk1NandDRzVZSUx1dVVTa1N0UC9iLzgKLS0tIGJOR29MSW8zQ29YMUl5OStqck0w
+            MGMwbVN4WDNLanJlQTBDVExkdWh1REkKJ7IItvPrcoad6TpDm0/Ctg52lqDUJjRm
+            w2OyUFBaDddpb5wBt/7G16gSQJOvO36r3Vg4rWHxrJUp1Yr58UpCbg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWHRJMFhTS0RUNVFwZ1RO
+            NlBXU0JFYzIrWkRVWE1RUHVtZ2NQd1ZzRlJnClZ0OFNLVmJPTDlwZVU0K1p1SVEx
+            aGJMYUo2MG9mZ1g1WmcwSm94blpSaU0KLS0tIGY0QVBEaWdTcFVSSytIZUJDaDY5
+            SU8zTHBMMWFjZHJPa0YrNlBoOEg3R28KwUeRyXAjx6S4vHsF3iEtvYGwRJUd1gDm
+            olxKzPti2kHsnQJ3Sz7sKx0dFSFYIbusPUPX8OLZy2AFXM2U6JYFkA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbmdhZGtpb1p3Misrdjh4
+            aWhDRGRNc3BHZ1BVSjJrTUZHT2ZWdzh0WWlVCis2anZqc3BWbjNBT2RyRVlpZWc5
+            ZHZlWGdmenhpeHBUOFhGV0xPTnNBaWMKLS0tIHhrQytZUlV2d2ZySHFESXZabnVV
+            dUgrZzdxZVdZTjArMDJQS3VzMUNWZTQKN0+wEGUEXfvnIvBP3Pj+isNYogWNcJOZ
+            5hZdAa/j+qSFcqTodREllOJPWNz8Rm3NDa3z/vZxfZs1jkl5mW4ESg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnaVQ3R2VtRXFRTXBJR2da
+            VUpBRkJsMGl5YWFldE85UEVwR2FnSDVxSWlFCjlFOGpTNGVTYzhSMFZLUGl0cTJn
+            d1ZCQ04yeVdXNU1jYlBrbGNiaUQyb3cKLS0tIFZmbndDNXM3ZnZXT2JpMWFXUE5t
+            UWV5T2NURnpxYzFhaVNUWU5qcll4V3cKJXb7PpLodu/dYHJt7eol/B+OTmrnpqDL
+            RMJTfmAWHuJk7VHoTinJV2MmYyU6KU6sq2rYxKv1+uc2S/UTQCR3Rw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiazdENTdRcDVzRmVhVHdn
+            Q1E2NGxIVnBuN2RCZmVwSnhnamVmMjhTOFJrCkFrVGdobEYvSGVIN2Y3NDVEd0tE
+            b0lCYTQ1TEhYMlJML212ZmxiR1hieFkKLS0tICt3RVBLRVd1UWpzQm1ib1BZRUd3
+            OCtmdlhZRU1ZdkRJZVdKMm1mQjFwdFEKrErnw+YwpfG8ywSSaufWbq71Q3Kc+lz3
+            Tmvpi4UcEUGJTj8ZHrixvxgvUvjCcgsYKcrbbPeKynFERk6HFDZPVg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-19T00:27:32Z"
+    mac: ENC[AES256_GCM,data:hKJQ1ef7CyPOD8xd/PCqOpGSBYpSpdW37P9nOXeKQEHE58vCaiQyy5RziUIGKUI7KIcxHwa1agn/yBdaWigSWihImH2WlRMQnQJAQoSV2Tc8sDhDFFckJEDqh0Pm0g+HcjL/59J4G4QJuRgVdxNBeRT472gQN/u/Lw1CE2s6ONQ=,iv:IU2cLIfCT6DuViUTFH8EnvaWA4ok96CzXs86DRsonqM=,tag:T/+HmZLWvYNkR3u2jSWM9Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/modules/shared/community-builder.nix
+++ b/modules/shared/community-builder.nix
@ -26,13 +26,15 @@

    '';

-    age.secrets.community-builder-nix-access-tokens = {
-      file = "${inputs.self}/secrets/community-builder-nix-access-tokens.age";
+    sops.secrets.community-builder-nix-access-tokens = {
+      sopsFile = "${inputs.self}/modules/secrets/community-builder.yaml";
      mode = "444";
    };

+    # fine-grained, no permissions github token, expires 2025-10-29
+    # from `nix-community-buildbot` (user account, not the github app)
    nix.extraOptions = ''
-      !include ${config.age.secrets.community-builder-nix-access-tokens.path}
+      !include ${config.sops.secrets.community-builder-nix-access-tokens.path}
    '';

    # useful for people that want to test stuff
--- a/secrets/community-builder-nix-access-tokens.age
+++ b/secrets/community-builder-nix-access-tokens.age
@ -1,22 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 INdbQA z8wMt6lT52YyEqoOhhmbAhzfip08LXa49qGS7aqC4HQ
-pHnLGs/xCdk7VmHb6o1YHc2haTp65Rs6LfCYtz1Tmww
-> ssh-ed25519 YMHjXw 61B5Zlry7Y5qH4c9bx/vd/Nw8xONK0fbaUyKdAdFk3M
-Zz7aWM4chDnKdnbdjOqeHmVBYpIcpELqvNS89SJMMWw
-> ssh-rsa ALNSWw
-q0prQ4k9lYSwq3wRmPkAMtphvSQSGM9lJfsX6k7I8TOITr3j9LsNuoJJ5IhBl6ut
-e9vfCBQ1e7AYMMpVs0t5YnLMUpQaEf52PoCJr7Ng4Gwz7k6w2K4B21G7u5VcCRmG
-panXfLCqkfESX0BaiyYtB2OUYfSIhb/s1coUJYZ6c2fO8fcNnatiXcHou+TAJDp6
-BgRng1FcrItIer5f6S/zj8et4Jf1nY/EhsRIoczXvDI37vOO16mLcp/vJuVTxLBO
-cwrwRgP38w5Ksnr0gMbSAcmj3TxOpzdnD51imkusjc5p5dveKSb5oLfIVic2dqA2
-bDQkhoud9u6aM6EJe1bR0g
-> ssh-ed25519 Qi7vNw hWe3ZZm4XqaT03sVhid+NF7GlSojve0c39Nex818ahc
-1hbSiV3Bo0eLe4e4/da30erp1N/LraLOR5y1XB5AvYk
-> ssh-ed25519 MW0fCg uNHGu14NYPUnQO4dCf4jjqcsphkn8fOvdTHQZ3wSKSU
-FgTrf/DnJVkGF8sdNCYGEWhoXPkWwsCYzbY3cvlD/0w
-> ssh-ed25519 92bXiA LSz/4wSP6EbQV3JayNpXVDAnk/xkW6q+9VWSayjOhW8
-C4RJvkOgQUMAVdXCa1kPpD50/A0Wh3514AUJw3rRU9s
-> ssh-ed25519 h1lenA rhww2s2rzG8pomRw5n94LL1O2CLht04pwd9aPxZZ53M
-ZBrCDvix3CUdTHxXsg1T05TFnFM36Tng7Pr+4DYX8Ls
--- nL7sh66aBHKa44yvUwTSLfHEdS6rLA6EBZYYvS4a82A
-9Ô“Le!<01>Z™òwû›³¿¥×ß%›»<></·Ü|Âx*½o$µ-îKÊv‘ºoAá4´æÊ·<¹þº¬5Ð99Ñi‹\ ‹ÚŸ·Ãen&Ì<>Võ…±‚›é¯+_<>/¤MA‹¨KáÆ#8dø<64>ˆvÆ}³½—~W¬4‡–Êz‚ÝHÂ —ÝÀ³lòÔÄŽ~©¦#¹€o
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -11,19 +11,11 @@ let

  inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;

-  build01 = knownHosts.build01.publicKey;
  build02 = knownHosts.build02.publicKey;
  build03 = knownHosts.build03.publicKey;
-  darwin01 = knownHosts.darwin01.publicKey;
  web02 = knownHosts.web02.publicKey;

  secrets = {
-    # fine-grained, no permissions github token, expires 2025-10-29
-    # from `nix-community-buildbot` (user account, not the github app)
-    community-builder-nix-access-tokens = [
-      build01
-      darwin01
-    ];
    grafana-client-secret = [ web02 ];
    hetzner-borgbackup-ssh = [
      build02
--- a/sops.nix
+++ b/sops.nix
@ -23,6 +23,10 @@ let
      "terraform/secrets.yaml" = [ ];
    }
    // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) {
+      "modules/secrets/community-builder.yaml" = [
+        "build01"
+        "darwin01"
+      ];
      "modules/secrets/hercules-ci.yaml" = [
        "build03"
        "build04"