enable cachix deploy agent on all hosts

2023-09-13 16:34:24 +10:00 · 2023-09-13 16:34:24 +10:00 · 5c7481a3aa
commit 5c7481a3aa
parent cebf6d9cd5
7 changed files with 64 additions and 3 deletions
--- a/flake.nix
+++ b/flake.nix
@ -153,7 +153,6 @@
          common = ./modules/nixos/common;

          builder = ./modules/nixos/builder.nix;
-          cachix-deploy = ./modules/nixos/cachix-deploy;
          community-builder = ./modules/nixos/community-builder;
          github-org-backup = ./modules/nixos/github-org-backup.nix;
          hercules-ci = ./modules/nixos/hercules-ci;
--- a/modules/darwin/common/default.nix
+++ b/modules/darwin/common/default.nix
@ -1,6 +1,7 @@
 { pkgs, ... }:
 {
  imports = [
+    ./deploy.nix
    ./flake-inputs.nix
    ./reboot.nix
    ./telegraf.nix
--- a/modules/darwin/common/deploy.nix
+++ b/modules/darwin/common/deploy.nix
@ -0,0 +1,5 @@
+{
+  # cachix deploy secrets are installed manually from ./secrets.yaml
+  # https://github.com/LnL7/nix-darwin/blob/master/modules/services/cachix-agent.nix
+  services.cachix-agent.enable = true;
+}
--- a/modules/darwin/common/secrets.yaml
+++ b/modules/darwin/common/secrets.yaml
@ -0,0 +1,57 @@
+cachix-agent.token: ENC[AES256_GCM,data:BiRRAIw5A76oBdO+YWR0icFS4s3AbXuHWj1R9LTCJ7N4CF7qaH89NKwXEchfwEShJNay1vG3K/jtpaigwoYaEDmgj1YrEUBq3Tne17S8d4AzBr+s2FiOA0iv7T6/szcMm5ShspKl1xYu70mZDxcEuuEI0So8IBq1x2brB5Edw4tN39XrsXKUVIyvODJHQjSyEn0yJOuLw+0FbLZJvt27FQiXoMXoyW0jLh+1NbXY8C1CIg==,iv:8GIZzHaF7mbXOKfSq3vBc4wGa7NUZKbeLNIVxWqiBhg=,tag:HkeJmqVe+Yzf5C+EuF9m2A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFYkhMNFh6Ky9LKzJ0Sjkz
+            MmtncDZYK1RuNm01WERsK1BORHIxR3l2SlhjCmx1NXBZYyt5aU1MaFBpOE1IK2tz
+            OG4xMmpiOERTYlBybjNDOHRoU3UxUmsKLS0tIGhtYmFDcG02VERSeE52WFkycnVr
+            VEgwM3V4RGFvRU1waWlpT3luUGNnT28KXrZysBm8UPHdP0Qd6xamxbqN4tCiulXd
+            DzIsO14Ja/JDNTYkqbes1HWpQ/v+PKfHtCHCeOTMUDQw69Fu+Jrhyw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3T1dia1VyUTlqQW0vbEZS
+            YVdLTXRGVmUwNnRta1piSlZ1ckdrNjR3cmpJCkF4QVpiNExuS3pUK2t0NVVKR1Vs
+            U0E4TnhLT0h2aGNFMmxvWlNRZ2x2M0UKLS0tIEtlTGFLRUhXNmdYdlNyRFlGdVhV
+            Z2lDOUFGSDR4RC9QRTVXNi96SHI5L3MKM/u+pySklXbqVmKwL3ban0mqSoPitzmY
+            2TIGxpywadh4sMlxA9vmvDoRsY3tB30FcccuSnzqnDqHeZCNlzCmhw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGM0xVQlpQOEZlUEZGV1h2
+            K2szK0lWY0xuSFRKQjNRSFB1a1gyZENiV25RCnBoUERjOHhNQmhzdm9ubSszUnFM
+            SGRrYmdDMllIdXBQenZaYkkxaXlBS0UKLS0tIHlkN3BOaFNPTm1wWjNTeVdibmxn
+            R3g3dDhGdzgzS3JnOU1xdVVXUXQyVTgKNLMW9Y7T53E2xYUkA3n2NsjKa4aMn7Fy
+            LIrKxMxQy/JeCyIq4rXWZar0aFMvWR32sMpjKevMv17qJuC2sCa7Zw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYSHhjZVA5dG84VU1QTE9n
+            LzhBN0tEL3hnSlRNbXVTSVc0MkNFdDAzT2d3Ck1DekpQSDJ1bmEzY2x5MWNLQzNh
+            RHRGWUMrSUV2ZE1PS205UFNUVW1oVGsKLS0tIGJrQTFEb1VRM3VPR3p3eW94dXNN
+            MXd3M3JOcll3S05waHErbk9ObHdyREEKibLrTGfvDD1evKrF/a9FLRRPz1qoMXp4
+            ztSeVoVpro0qjsNYidhX5RE84tQ4AQxD8H45qhCsVXoG7x+qYqEw6w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZFc1WFNHWFNNOEtOMUl1
+            YXBJQ3gxbzBacDVSRTRXMWZucDhYY0UvMjBzCnN2dEJ1S2pHTXlFSFA1aW9ZR015
+            TS8rbTUvRzIyWHVlSDNmNXNrb0tmOVUKLS0tIHF2V3N6MWZEZGtYd0Fub2Z4Wmlu
+            ZFpjSjBhSXF6UTNXMkp1OGhTSi9mR3cKebKGaLAI+BP2U/9cALge82zm5F6saQY6
+            +mHtwJi4zeb+yTTU44KxLFEZynCt5FBJMOPXiNSHvmGEiq9QpbuxXg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-08-02T00:36:19Z"
+    mac: ENC[AES256_GCM,data:0s32EDKAglInEOnnMy9RLQT2wApOdD4zjRSF31//bCVAlp2VZaCjnELLnWAGrovl2E2/Lmbsdkr4ZnZCVeZ5B0JRZVZj+ecuZdxkzE9GXwCzk//YgsqF+UWSazMmSemHKNoy2pJvzoYGvXdKNUqqcU8p1CvQoc1xuIgRvUcvJro=,iv:KmVMR1qVMnzf9ywm+18wMd8Pm/yjZKsKXnE2/PjfOy4=,tag:O3ReRELuy8MNgZVgP0i3aQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@ -2,6 +2,7 @@
 {
  imports = [
    ./auto-upgrade.nix
+    ./deploy.nix
    ../../shared/nix-daemon.nix
    ./reboot.nix
    ./security.nix
--- a/modules/nixos/cachix-deploy/default.nix
+++ b/modules/nixos/cachix-deploy/default.nix
@ -6,6 +6,4 @@
    enable = true;
    credentialsFile = config.sops.secrets.cachix-agent-token.path;
  };
-
-  system.autoUpgrade.enable = false;
 }
--- a/modules/nixos/cachix-deploy/secrets.yaml
+++ b/modules/nixos/cachix-deploy/secrets.yaml