diff --git a/flake.nix b/flake.nix
index 76b531a..9969262 100644
--- a/flake.nix
+++ b/flake.nix
@@ -153,7 +153,6 @@
 common = ./modules/nixos/common;
 builder = ./modules/nixos/builder.nix;
- cachix-deploy = ./modules/nixos/cachix-deploy;
 community-builder = ./modules/nixos/community-builder;
 github-org-backup = ./modules/nixos/github-org-backup.nix;
 hercules-ci = ./modules/nixos/hercules-ci;
diff --git a/modules/darwin/common/default.nix b/modules/darwin/common/default.nix
index e5e1bd9..4420033 100644
--- a/modules/darwin/common/default.nix
+++ b/modules/darwin/common/default.nix
@@ -1,6 +1,7 @@
 { pkgs, ... }: {
 imports = [
+ ./deploy.nix
 ./flake-inputs.nix
 ./reboot.nix
 ./telegraf.nix
diff --git a/modules/darwin/common/deploy.nix b/modules/darwin/common/deploy.nix
new file mode 100644
index 0000000..e6780bb
--- /dev/null
+++ b/modules/darwin/common/deploy.nix
@@ -0,0 +1,5 @@
+{
+ # cachix deploy secrets are installed manually from ./secrets.yaml
+ # https://github.com/LnL7/nix-darwin/blob/master/modules/services/cachix-agent.nix
+ services.cachix-agent.enable = true;
+}
diff --git a/modules/darwin/common/secrets.yaml b/modules/darwin/common/secrets.yaml
new file mode 100644
index 0000000..ea7b6d5
--- /dev/null
+++ b/modules/darwin/common/secrets.yaml
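Review bot: `services.cachix-agent.enable = true;` in modules/darwin/common/deploy.nix switches the deploy agent on for every darwin host that imports common, yet the module never states where the manually installed token has to live, so a host where the manual step was skipped ends up with a launchd agent that cannot authenticate and nothing in the configuration points at the cause. The comment should spell out the prerequisite rather than only naming the file, e.g. `# prerequisite: decrypt cachix-agent.token from ./secrets.yaml with sops and install it at the path the cachix-agent module reads (its credentialsFile option, if exposed as on NixOS) before switching; the agent does not start without it`, and it is worth noting that the token file should be readable only by the account running the agent since it authorises remote deploys. The key in the new darwin secrets.yaml is `cachix-agent.token`, while the NixOS deploy.nix in this same commit references a sops secret named `cachix-agent-token`; aligning the two names would make the manual step less error-prone.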
@@ -0,0 +1,57 @@ +cachix-agent.token: ENC[AES256_GCM,data:BiRRAIw5A76oBdO+YWR0icFS4s3AbXuHWj1R9LTCJ7N4CF7qaH89NKwXEchfwEShJNay1vG3K/jtpaigwoYaEDmgj1YrEUBq3Tne17S8d4AzBr+s2FiOA0iv7T6/szcMm5ShspKl1xYu70mZDxcEuuEI0So8IBq1x2brB5Edw4tN39XrsXKUVIyvODJHQjSyEn0yJOuLw+0FbLZJvt27FQiXoMXoyW0jLh+1NbXY8C1CIg==,iv:8GIZzHaF7mbXOKfSq3vBc4wGa7NUZKbeLNIVxWqiBhg=,tag:HkeJmqVe+Yzf5C+EuF9m2A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFYkhMNFh6Ky9LKzJ0Sjkz + MmtncDZYK1RuNm01WERsK1BORHIxR3l2SlhjCmx1NXBZYyt5aU1MaFBpOE1IK2tz + OG4xMmpiOERTYlBybjNDOHRoU3UxUmsKLS0tIGhtYmFDcG02VERSeE52WFkycnVr + VEgwM3V4RGFvRU1waWlpT3luUGNnT28KXrZysBm8UPHdP0Qd6xamxbqN4tCiulXd + DzIsO14Ja/JDNTYkqbes1HWpQ/v+PKfHtCHCeOTMUDQw69Fu+Jrhyw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3T1dia1VyUTlqQW0vbEZS + YVdLTXRGVmUwNnRta1piSlZ1ckdrNjR3cmpJCkF4QVpiNExuS3pUK2t0NVVKR1Vs + U0E4TnhLT0h2aGNFMmxvWlNRZ2x2M0UKLS0tIEtlTGFLRUhXNmdYdlNyRFlGdVhV + Z2lDOUFGSDR4RC9QRTVXNi96SHI5L3MKM/u+pySklXbqVmKwL3ban0mqSoPitzmY + 2TIGxpywadh4sMlxA9vmvDoRsY3tB30FcccuSnzqnDqHeZCNlzCmhw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGM0xVQlpQOEZlUEZGV1h2 + K2szK0lWY0xuSFRKQjNRSFB1a1gyZENiV25RCnBoUERjOHhNQmhzdm9ubSszUnFM + SGRrYmdDMllIdXBQenZaYkkxaXlBS0UKLS0tIHlkN3BOaFNPTm1wWjNTeVdibmxn + R3g3dDhGdzgzS3JnOU1xdVVXUXQyVTgKNLMW9Y7T53E2xYUkA3n2NsjKa4aMn7Fy + LIrKxMxQy/JeCyIq4rXWZar0aFMvWR32sMpjKevMv17qJuC2sCa7Zw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n + enc: | 
+ -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYSHhjZVA5dG84VU1QTE9n + LzhBN0tEL3hnSlRNbXVTSVc0MkNFdDAzT2d3Ck1DekpQSDJ1bmEzY2x5MWNLQzNh + RHRGWUMrSUV2ZE1PS205UFNUVW1oVGsKLS0tIGJrQTFEb1VRM3VPR3p3eW94dXNN + MXd3M3JOcll3S05waHErbk9ObHdyREEKibLrTGfvDD1evKrF/a9FLRRPz1qoMXp4 + ztSeVoVpro0qjsNYidhX5RE84tQ4AQxD8H45qhCsVXoG7x+qYqEw6w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZFc1WFNHWFNNOEtOMUl1 + YXBJQ3gxbzBacDVSRTRXMWZucDhYY0UvMjBzCnN2dEJ1S2pHTXlFSFA1aW9ZR015 + TS8rbTUvRzIyWHVlSDNmNXNrb0tmOVUKLS0tIHF2V3N6MWZEZGtYd0Fub2Z4Wmlu + ZFpjSjBhSXF6UTNXMkp1OGhTSi9mR3cKebKGaLAI+BP2U/9cALge82zm5F6saQY6 + +mHtwJi4zeb+yTTU44KxLFEZynCt5FBJMOPXiNSHvmGEiq9QpbuxXg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-02T00:36:19Z" + mac: ENC[AES256_GCM,data:0s32EDKAglInEOnnMy9RLQT2wApOdD4zjRSF31//bCVAlp2VZaCjnELLnWAGrovl2E2/Lmbsdkr4ZnZCVeZ5B0JRZVZj+ecuZdxkzE9GXwCzk//YgsqF+UWSazMmSemHKNoy2pJvzoYGvXdKNUqqcU8p1CvQoc1xuIgRvUcvJro=,iv:KmVMR1qVMnzf9ywm+18wMd8Pm/yjZKsKXnE2/PjfOy4=,tag:O3ReRELuy8MNgZVgP0i3aQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix index db6f35d..4e4167a 100644 --- a/modules/nixos/common/default.nix +++ b/modules/nixos/common/default.nix @@ -2,6 +2,7 @@ { imports = [ ./auto-upgrade.nix + ./deploy.nix ../../shared/nix-daemon.nix ./reboot.nix ./security.nix diff --git a/modules/nixos/cachix-deploy/default.nix b/modules/nixos/common/deploy.nix similarity index 84% rename from modules/nixos/cachix-deploy/default.nix rename to modules/nixos/common/deploy.nix index cf44d72..b04e65a 100644 --- a/modules/nixos/cachix-deploy/default.nix +++ b/modules/nixos/common/deploy.nix 
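Review bot: Adding `./deploy.nix` to the imports of modules/nixos/common/default.nix directly after `./auto-upgrade.nix` enables the cachix deploy agent on every NixOS host that uses common, and the renamed modules/nixos/common/deploy.nix hunk in the same commit drops `system.autoUpgrade.enable = false;`. If auto-upgrade.nix turns system.autoUpgrade on (its contents are not visible here), each host now has two mechanisms switching the system, and an unattended rebuild could undo or race a cachix deploy, which is presumably what the removed line guarded against. Either keep `system.autoUpgrade.enable = false;` in deploy.nix or add a comment there stating why the two can coexist on the same host. The deploy.nix hunk's enclosing attribute set opens before that hunk starts.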
@@ -6,6 +6,4 @@
 enable = true;
 credentialsFile = config.sops.secrets.cachix-agent-token.path;
 };
-
- system.autoUpgrade.enable = false;
 }
diff --git a/modules/nixos/cachix-deploy/secrets.yaml b/modules/nixos/common/secrets.yaml
similarity index 100%
rename from modules/nixos/cachix-deploy/secrets.yaml
rename to modules/nixos/common/secrets.yaml