diff --git a/flake.nix b/flake.nix
index 76b531a..9969262 100644
--- a/flake.nix
+++ b/flake.nix
@@ -153,7 +153,6 @@
common = ./modules/nixos/common;
builder = ./modules/nixos/builder.nix;
- cachix-deploy = ./modules/nixos/cachix-deploy;
community-builder = ./modules/nixos/community-builder;
github-org-backup = ./modules/nixos/github-org-backup.nix;
hercules-ci = ./modules/nixos/hercules-ci;
diff --git a/modules/darwin/common/default.nix b/modules/darwin/common/default.nix
index e5e1bd9..4420033 100644
--- a/modules/darwin/common/default.nix
+++ b/modules/darwin/common/default.nix
@@ -1,6 +1,7 @@
{ pkgs, ... }:
{
imports = [
+ ./deploy.nix
./flake-inputs.nix
./reboot.nix
./telegraf.nix
diff --git a/modules/darwin/common/deploy.nix b/modules/darwin/common/deploy.nix
new file mode 100644
index 0000000..e6780bb
--- /dev/null
+++ b/modules/darwin/common/deploy.nix
@@ -0,0 +1,5 @@
+{
+ # cachix deploy secrets are installed manually from ./secrets.yaml
+ # https://github.com/LnL7/nix-darwin/blob/master/modules/services/cachix-agent.nix
+ services.cachix-agent.enable = true;
+}
diff --git a/modules/darwin/common/secrets.yaml b/modules/darwin/common/secrets.yaml
new file mode 100644
index 0000000..ea7b6d5
--- /dev/null
+++ b/modules/darwin/common/secrets.yaml
@@ -0,0 +1,57 @@
+cachix-agent.token: ENC[AES256_GCM,data:BiRRAIw5A76oBdO+YWR0icFS4s3AbXuHWj1R9LTCJ7N4CF7qaH89NKwXEchfwEShJNay1vG3K/jtpaigwoYaEDmgj1YrEUBq3Tne17S8d4AzBr+s2FiOA0iv7T6/szcMm5ShspKl1xYu70mZDxcEuuEI0So8IBq1x2brB5Edw4tN39XrsXKUVIyvODJHQjSyEn0yJOuLw+0FbLZJvt27FQiXoMXoyW0jLh+1NbXY8C1CIg==,iv:8GIZzHaF7mbXOKfSq3vBc4wGa7NUZKbeLNIVxWqiBhg=,tag:HkeJmqVe+Yzf5C+EuF9m2A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFYkhMNFh6Ky9LKzJ0Sjkz
+ MmtncDZYK1RuNm01WERsK1BORHIxR3l2SlhjCmx1NXBZYyt5aU1MaFBpOE1IK2tz
+ OG4xMmpiOERTYlBybjNDOHRoU3UxUmsKLS0tIGhtYmFDcG02VERSeE52WFkycnVr
+ VEgwM3V4RGFvRU1waWlpT3luUGNnT28KXrZysBm8UPHdP0Qd6xamxbqN4tCiulXd
+ DzIsO14Ja/JDNTYkqbes1HWpQ/v+PKfHtCHCeOTMUDQw69Fu+Jrhyw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3T1dia1VyUTlqQW0vbEZS
+ YVdLTXRGVmUwNnRta1piSlZ1ckdrNjR3cmpJCkF4QVpiNExuS3pUK2t0NVVKR1Vs
+ U0E4TnhLT0h2aGNFMmxvWlNRZ2x2M0UKLS0tIEtlTGFLRUhXNmdYdlNyRFlGdVhV
+ Z2lDOUFGSDR4RC9QRTVXNi96SHI5L3MKM/u+pySklXbqVmKwL3ban0mqSoPitzmY
+ 2TIGxpywadh4sMlxA9vmvDoRsY3tB30FcccuSnzqnDqHeZCNlzCmhw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGM0xVQlpQOEZlUEZGV1h2
+ K2szK0lWY0xuSFRKQjNRSFB1a1gyZENiV25RCnBoUERjOHhNQmhzdm9ubSszUnFM
+ SGRrYmdDMllIdXBQenZaYkkxaXlBS0UKLS0tIHlkN3BOaFNPTm1wWjNTeVdibmxn
+ R3g3dDhGdzgzS3JnOU1xdVVXUXQyVTgKNLMW9Y7T53E2xYUkA3n2NsjKa4aMn7Fy
+ LIrKxMxQy/JeCyIq4rXWZar0aFMvWR32sMpjKevMv17qJuC2sCa7Zw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYSHhjZVA5dG84VU1QTE9n
+ LzhBN0tEL3hnSlRNbXVTSVc0MkNFdDAzT2d3Ck1DekpQSDJ1bmEzY2x5MWNLQzNh
+ RHRGWUMrSUV2ZE1PS205UFNUVW1oVGsKLS0tIGJrQTFEb1VRM3VPR3p3eW94dXNN
+ MXd3M3JOcll3S05waHErbk9ObHdyREEKibLrTGfvDD1evKrF/a9FLRRPz1qoMXp4
+ ztSeVoVpro0qjsNYidhX5RE84tQ4AQxD8H45qhCsVXoG7x+qYqEw6w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZFc1WFNHWFNNOEtOMUl1
+ YXBJQ3gxbzBacDVSRTRXMWZucDhYY0UvMjBzCnN2dEJ1S2pHTXlFSFA1aW9ZR015
+ TS8rbTUvRzIyWHVlSDNmNXNrb0tmOVUKLS0tIHF2V3N6MWZEZGtYd0Fub2Z4Wmlu
+ ZFpjSjBhSXF6UTNXMkp1OGhTSi9mR3cKebKGaLAI+BP2U/9cALge82zm5F6saQY6
+ +mHtwJi4zeb+yTTU44KxLFEZynCt5FBJMOPXiNSHvmGEiq9QpbuxXg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-08-02T00:36:19Z"
+ mac: ENC[AES256_GCM,data:0s32EDKAglInEOnnMy9RLQT2wApOdD4zjRSF31//bCVAlp2VZaCjnELLnWAGrovl2E2/Lmbsdkr4ZnZCVeZ5B0JRZVZj+ecuZdxkzE9GXwCzk//YgsqF+UWSazMmSemHKNoy2pJvzoYGvXdKNUqqcU8p1CvQoc1xuIgRvUcvJro=,iv:KmVMR1qVMnzf9ywm+18wMd8Pm/yjZKsKXnE2/PjfOy4=,tag:O3ReRELuy8MNgZVgP0i3aQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index db6f35d..4e4167a 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -2,6 +2,7 @@
{
imports = [
./auto-upgrade.nix
+ ./deploy.nix
../../shared/nix-daemon.nix
./reboot.nix
./security.nix
diff --git a/modules/nixos/cachix-deploy/default.nix b/modules/nixos/common/deploy.nix
similarity index 84%
rename from modules/nixos/cachix-deploy/default.nix
rename to modules/nixos/common/deploy.nix
index cf44d72..b04e65a 100644
--- a/modules/nixos/cachix-deploy/default.nix
+++ b/modules/nixos/common/deploy.nix
@@ -6,6 +6,4 @@
enable = true;
credentialsFile = config.sops.secrets.cachix-agent-token.path;
};
-
- system.autoUpgrade.enable = false;
}
diff --git a/modules/nixos/cachix-deploy/secrets.yaml b/modules/nixos/common/secrets.yaml
similarity index 100%
rename from modules/nixos/cachix-deploy/secrets.yaml
rename to modules/nixos/common/secrets.yaml