From 518f527936b18c1ad27a4bfe43dbd7e10b7890c8 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Thu, 19 Dec 2024 10:24:55 +1000
Subject: [PATCH] modules/shared/community-builder: move secrets to sops

---
 .sops.yaml | 10 +++
 modules/secrets/community-builder.yaml | 75 +++++++++++++++++++
 modules/shared/community-builder.nix | 8 +-
 .../community-builder-nix-access-tokens.age | 22 ------
 secrets/secrets.nix | 8 --
 sops.nix | 4 +
 6 files changed, 94 insertions(+), 33 deletions(-)
 create mode 100644 modules/secrets/community-builder.yaml
 delete mode 100644 secrets/community-builder-nix-access-tokens.age

diff --git a/.sops.yaml b/.sops.yaml
index 5ed46f9..9551646 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -63,6 +63,16 @@ creation_rules:
           - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
           - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
     path_regex: ^hosts/web02/secrets.yaml$
+  - key_groups:
+      - age:
+          - age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
+          - age1tc0yavxcq9hnf8rl5akv4twzaqkz5p9g80r2kf8cdv4urxgm4qnszccsy3
+          - age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          - age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          - age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          - age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+    path_regex: ^modules/secrets/community-builder.yaml$
   - key_groups:
       - age:
           - age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
diff --git a/modules/secrets/community-builder.yaml b/modules/secrets/community-builder.yaml
new file mode 100644
index 0000000..63f5bf9
--- /dev/null
+++ b/modules/secrets/community-builder.yaml
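Review bot: The new creation rule lists seven age recipients, while the `sops.nix` hunk at the end of the patch maps `modules/secrets/community-builder.yaml` to the `build01` and `darwin01` host keys; unless both hosts' age keys are among those seven, sops-nix on those machines cannot decrypt the file at activation. `.sops.yaml` looks like it is derived from `sops.nix` (the `keys.hosts` lookup there), so if a generator exists this rule should come from it rather than be edited by hand, which keeps the two in sync. Only the last two recipients of the preceding `hosts/web02` rule are visible here, so whether the lists are meant to be shared cannot be judged from the hunk.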
@@ -0,0 +1,75 @@ +community-builder-nix-access-tokens: ENC[AES256_GCM,data:AIMsjuuJ9hG2tDGyY+GjaOh654moBwgNkc/m+GYIm5+YPkyujQ7H/pIlgyTTqgDZniysE1QUm9xJBwwmbUdwghICPsje829sLjUGcZ+xqq7iNoP9/123+XD099pTU1eNKQhhWLpjvnHCRJxv7nbhFuE10OQdJ3SQLA==,iv:ARs8xyXXLFp7KAvHI7y70DINzdVtEtGW0k7DQTFb5EU=,tag:PROuSQIXPKod3ul+QCW5ww==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncEk5Z24zWERTMkxPcFhu + elVBcC9ibEJpcXJySHkyYVNJczhsZG1HcjA4ClI4WDIydVVmTzY1Q0FIcFlSdWk4 + RE42VCtrT2NTN0xZUGs4czhPei95TUEKLS0tIGovQ0M5clpnNmNaK254MnVpUFRE + cjZkOVNTQVhHQTdLVm9IbWd0QjJMNzgKdO4ceB3p617WxnKC8Y4KS3ymVBs9Tc+z + nMQ1L8tdjib83AR4v637qG59eWmDUZ1ACwARrSFM2KrNaJhhuHwjRw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tc0yavxcq9hnf8rl5akv4twzaqkz5p9g80r2kf8cdv4urxgm4qnszccsy3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MG1vNjJxK0MxL2tZREx4 + am5HcmpnbGZ2Zk9PdU1IdzBySEZuMnJHcTNvCmtuWlNHWE5LRGtVa3pIeTcwbmRE + VHJaN2VmZDFoWnlkYkc4WVVqWkVyWTQKLS0tIDMzUm9NT3FhTjE2ajJmbDBFU0RZ + MEJ4T2xsRkI4QTZQWlNRYWhCQXo4ZU0KQJGmC8wAYI09M8kpT6ID2EIYVj55RK6g + 4WRRCxVQZ900fXYVqslMOR+kr9T9lM5tVSNwXUFaJYktB1VuwcXewQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReDREbmZVVGF1L0ZVc2JF + SXpVcGhjalNHc0hmVHl4Q2s3RnY2MkhqMlR3Ck5RaUxCN0xzcW0vYjZia1ZYUGJR + Vk1NandDRzVZSUx1dVVTa1N0UC9iLzgKLS0tIGJOR29MSW8zQ29YMUl5OStqck0w + MGMwbVN4WDNLanJlQTBDVExkdWh1REkKJ7IItvPrcoad6TpDm0/Ctg52lqDUJjRm + w2OyUFBaDddpb5wBt/7G16gSQJOvO36r3Vg4rWHxrJUp1Yr58UpCbg== + -----END AGE ENCRYPTED FILE----- + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWHRJMFhTS0RUNVFwZ1RO + NlBXU0JFYzIrWkRVWE1RUHVtZ2NQd1ZzRlJnClZ0OFNLVmJPTDlwZVU0K1p1SVEx + aGJMYUo2MG9mZ1g1WmcwSm94blpSaU0KLS0tIGY0QVBEaWdTcFVSSytIZUJDaDY5 + SU8zTHBMMWFjZHJPa0YrNlBoOEg3R28KwUeRyXAjx6S4vHsF3iEtvYGwRJUd1gDm + olxKzPti2kHsnQJ3Sz7sKx0dFSFYIbusPUPX8OLZy2AFXM2U6JYFkA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbmdhZGtpb1p3Misrdjh4 + aWhDRGRNc3BHZ1BVSjJrTUZHT2ZWdzh0WWlVCis2anZqc3BWbjNBT2RyRVlpZWc5 + ZHZlWGdmenhpeHBUOFhGV0xPTnNBaWMKLS0tIHhrQytZUlV2d2ZySHFESXZabnVV + dUgrZzdxZVdZTjArMDJQS3VzMUNWZTQKN0+wEGUEXfvnIvBP3Pj+isNYogWNcJOZ + 5hZdAa/j+qSFcqTodREllOJPWNz8Rm3NDa3z/vZxfZs1jkl5mW4ESg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnaVQ3R2VtRXFRTXBJR2da + VUpBRkJsMGl5YWFldE85UEVwR2FnSDVxSWlFCjlFOGpTNGVTYzhSMFZLUGl0cTJn + d1ZCQ04yeVdXNU1jYlBrbGNiaUQyb3cKLS0tIFZmbndDNXM3ZnZXT2JpMWFXUE5t + UWV5T2NURnpxYzFhaVNUWU5qcll4V3cKJXb7PpLodu/dYHJt7eol/B+OTmrnpqDL + RMJTfmAWHuJk7VHoTinJV2MmYyU6KU6sq2rYxKv1+uc2S/UTQCR3Rw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiazdENTdRcDVzRmVhVHdn + Q1E2NGxIVnBuN2RCZmVwSnhnamVmMjhTOFJrCkFrVGdobEYvSGVIN2Y3NDVEd0tE + b0lCYTQ1TEhYMlJML212ZmxiR1hieFkKLS0tICt3RVBLRVd1UWpzQm1ib1BZRUd3 + OCtmdlhZRU1ZdkRJZVdKMm1mQjFwdFEKrErnw+YwpfG8ywSSaufWbq71Q3Kc+lz3 + Tmvpi4UcEUGJTj8ZHrixvxgvUvjCcgsYKcrbbPeKynFERk6HFDZPVg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-19T00:27:32Z" + mac: 
ENC[AES256_GCM,data:hKJQ1ef7CyPOD8xd/PCqOpGSBYpSpdW37P9nOXeKQEHE58vCaiQyy5RziUIGKUI7KIcxHwa1agn/yBdaWigSWihImH2WlRMQnQJAQoSV2Tc8sDhDFFckJEDqh0Pm0g+HcjL/59J4G4QJuRgVdxNBeRT472gQN/u/Lw1CE2s6ONQ=,iv:IU2cLIfCT6DuViUTFH8EnvaWA4ok96CzXs86DRsonqM=,tag:T/+HmZLWvYNkR3u2jSWM9Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
diff --git a/modules/shared/community-builder.nix b/modules/shared/community-builder.nix
index d75925c..b6de41a 100644
--- a/modules/shared/community-builder.nix
+++ b/modules/shared/community-builder.nix
@@ -26,13 +26,15 @@
   '';
-  age.secrets.community-builder-nix-access-tokens = {
-    file = "${inputs.self}/secrets/community-builder-nix-access-tokens.age";
+  sops.secrets.community-builder-nix-access-tokens = {
+    sopsFile = "${inputs.self}/modules/secrets/community-builder.yaml";
     mode = "444";
   };
+  # fine-grained, no permissions github token, expires 2025-10-29
+  # from `nix-community-buildbot` (user account, not the github app)
   nix.extraOptions = ''
-    !include ${config.age.secrets.community-builder-nix-access-tokens.path}
+    !include ${config.sops.secrets.community-builder-nix-access-tokens.path}
   '';
   # useful for people that want to test stuff
diff --git a/secrets/community-builder-nix-access-tokens.age b/secrets/community-builder-nix-access-tokens.age
deleted file mode 100644
index 3c4e392..0000000
--- a/secrets/community-builder-nix-access-tokens.age
+++ /dev/null
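Review bot: `mode = "444"` keeps the token file world-readable after the move to sops, on a host that, per the `# useful for people that want to test stuff` context line, is shared with other users; the mode is carried over from the age version rather than introduced here, but nothing next to it says why. If the reason is that every user's nix client parses nix.conf and so must be able to read the `!include`d file, record it beside the option: `# 444 on purpose: unprivileged users' nix clients parse nix.conf, so the !include target must be readable by them`. If only the daemon needs it, sops-nix's `owner`/`group` options let the file be narrowed instead. The enclosing module attribute set starts and ends outside the hunk.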
@@ -1,22 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 INdbQA z8wMt6lT52YyEqoOhhmbAhzfip08LXa49qGS7aqC4HQ -pHnLGs/xCdk7VmHb6o1YHc2haTp65Rs6LfCYtz1Tmww --> ssh-ed25519 YMHjXw 61B5Zlry7Y5qH4c9bx/vd/Nw8xONK0fbaUyKdAdFk3M -Zz7aWM4chDnKdnbdjOqeHmVBYpIcpELqvNS89SJMMWw --> ssh-rsa ALNSWw -q0prQ4k9lYSwq3wRmPkAMtphvSQSGM9lJfsX6k7I8TOITr3j9LsNuoJJ5IhBl6ut -e9vfCBQ1e7AYMMpVs0t5YnLMUpQaEf52PoCJr7Ng4Gwz7k6w2K4B21G7u5VcCRmG -panXfLCqkfESX0BaiyYtB2OUYfSIhb/s1coUJYZ6c2fO8fcNnatiXcHou+TAJDp6 -BgRng1FcrItIer5f6S/zj8et4Jf1nY/EhsRIoczXvDI37vOO16mLcp/vJuVTxLBO -cwrwRgP38w5Ksnr0gMbSAcmj3TxOpzdnD51imkusjc5p5dveKSb5oLfIVic2dqA2 -bDQkhoud9u6aM6EJe1bR0g --> ssh-ed25519 Qi7vNw hWe3ZZm4XqaT03sVhid+NF7GlSojve0c39Nex818ahc -1hbSiV3Bo0eLe4e4/da30erp1N/LraLOR5y1XB5AvYk --> ssh-ed25519 MW0fCg uNHGu14NYPUnQO4dCf4jjqcsphkn8fOvdTHQZ3wSKSU -FgTrf/DnJVkGF8sdNCYGEWhoXPkWwsCYzbY3cvlD/0w --> ssh-ed25519 92bXiA LSz/4wSP6EbQV3JayNpXVDAnk/xkW6q+9VWSayjOhW8 -C4RJvkOgQUMAVdXCa1kPpD50/A0Wh3514AUJw3rRU9s --> ssh-ed25519 h1lenA rhww2s2rzG8pomRw5n94LL1O2CLht04pwd9aPxZZ53M -ZBrCDvix3CUdTHxXsg1T05TFnFM36Tng7Pr+4DYX8Ls ---- nL7sh66aBHKa44yvUwTSLfHEdS6rLA6EBZYYvS4a82A -9ԓLe!�Z���w�������%���</��|�x*�o$�-�K�v��oA�4��ʷ<����5�99�i�\ �ڟ��en&́V������+_�/�MA��K��#8d���v�}���~W�4���z��H� ����l��Ď~��#��o \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 19c5034..b39c7fc 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -11,19 +11,11 @@ let
   inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
-  build01 = knownHosts.build01.publicKey;
   build02 = knownHosts.build02.publicKey;
   build03 = knownHosts.build03.publicKey;
-  darwin01 = knownHosts.darwin01.publicKey;
   web02 = knownHosts.web02.publicKey;
   secrets = {
-    # fine-grained, no permissions github token, expires 2025-10-29
-    # from `nix-community-buildbot` (user account, not the github app)
-    community-builder-nix-access-tokens = [
-      build01
-      darwin01
-    ];
     grafana-client-secret = [ web02 ];
     hetzner-borgbackup-ssh = [
       build02
diff --git a/sops.nix b/sops.nix
index d7ce470..4732db9 100644
--- a/sops.nix
+++ b/sops.nix
@@ -23,6 +23,10 @@ let
       "terraform/secrets.yaml" = [ ];
     }
     // builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) {
+      "modules/secrets/community-builder.yaml" = [
+        "build01"
+        "darwin01"
+      ];
       "modules/secrets/hercules-ci.yaml" = [
         "build03"
         "build04"