diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..541e200
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,54 @@
+keys:
+  - &zimbatm 260353B993F8CE16752EF48C71BAF6D40C1D63D7
+  - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+  - &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+  - &build01 age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
+  - &build02 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+  - &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+  - &build04 age1vr4suv4lhtt8f59s25eukdfk67j7av72gvj7sk7ux6thusct3utqmn3pmf
+# scan new hosts like this:
+# $ nix-shell -p ssh-to-age --run 'ssh-keyscan buildXX.nix-community.org | ssh-to-age'
+creation_rules:
+  - path_regex: build01/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *mic92
+      - *ryantm
+      - *build01
+      pgp:
+      - *zimbatm
+  - path_regex: build02/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *mic92
+      - *ryantm
+      - *build02
+      pgp:
+      - *zimbatm
+  - path_regex: build03/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *mic92
+      - *ryantm
+      - *build03
+      pgp:
+      - *zimbatm
+  - path_regex: build04/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *mic92
+      - *ryantm
+      - *build04
+      pgp:
+      - *zimbatm
+  - path_regex: roles/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *mic92
+      - *ryantm
+      - *build01
+      - *build02
+      - *build03
+      - *build04
+      pgp:
+      - *zimbatm
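Review bot: The `&build02` anchor on L12 is byte-identical to the `&mic92` key on L9, so the build02 rules encrypt to mic92's personal key twice and never to build02's own host key; the resulting files (see build02/secrets.yaml, which lists the same recipient at two positions) cannot be decrypted by build02 at activation time. Re-scan the host with the command in the comment above (`ssh-keyscan build02.nix-community.org | ssh-to-age`), replace the `&build02` value, and re-run `sops updatekeys` on `build02/secrets.yaml` and every file under `roles/` that the last rule covers. A one-line comment such as `# one age recipient per host: derived from its ssh_host_ed25519_key, never a person's key` next to the host anchors would make this class of copy-paste error easier to spot in review.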
diff --git a/build02/nixpkgs-update.nix b/build02/nixpkgs-update.nix
index 89a9bb1..fd3e2e1 100644
--- a/build02/nixpkgs-update.nix
+++ b/build02/nixpkgs-update.nix
@@ -54,6 +54,29 @@ let
 
 in
 {
+  sops.secrets.github-r-ryantm-key = {
+    path = "/home/r-ryantm/.ssh/id_rsa";
+    owner = "r-ryantm";
+    group = "r-ryantm";
+  };
+
+  sops.secrets.github-r-ryantm-token = {
+    path = "/var/lib/nixpkgs-update/github_token.txt";
+    owner = "r-ryantm";
+    group = "r-ryantm";
+  };
+
+  sops.secrets.github-token-with-username = {
+    path = "/var/lib/nixpkgs-update/github_token_with_username.txt";
+    owner = "r-ryantm";
+    group = "r-ryantm";
+  };
+
+  sops.secrets.cachix-dhall = {
+    path = "/var/lib/nixpkgs-update/cachix/cachix.dhall";
+    owner = "r-ryantm";
+    group = "r-ryantm";
+  };
 
   users.groups.r-ryantm = { };
   users.users.r-ryantm = {
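Review bot: `github-token-with-username` is now an independent secret, whereas the removed deployment.nix entry derived it as `"r-ryantm:${token}"` from the same value; nothing in this file records that the two must stay in sync, so a future token rotation will likely update one and leave the other stale. Add a comment above the `sops.secrets.github-token-with-username` block, e.g. `# same PAT as github-r-ryantm-token, prefixed "r-ryantm:" — rotate both together`. The `path` under `/home/r-ryantm/.ssh` also presumes that directory exists with a mode ssh accepts; sops-nix only places the symlink, so confirm the home/.ssh creation happens elsewhere (the user definition continues below this hunk).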
diff --git a/build02/secrets.yaml b/build02/secrets.yaml
new file mode 100644
index 0000000..7cd9b0e
--- /dev/null
+++ b/build02/secrets.yaml
@@ -0,0 +1,57 @@
+github-r-ryantm-key: ENC[AES256_GCM,data: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,iv:Qg8SdZVOeOA1rHt/CCo1Fj9sqUvq5zhaetboYUIe2co=,tag:UNGFeWqBY46lK6/cEr4/Kg==,type:str]
+github-r-ryantm-token: ENC[AES256_GCM,data:X77cQQQDFcUe9VcHZwbhZdyg6wFsAEwRMDaDojWYyHJf4RxWwRm8Vg==,iv:/PxtdHM1eTbRZb0KrjuSSutxBVwmFaSejp62qb+/D10=,tag:K/EH8Rl6CeZcigftKO3hNw==,type:str]
+github-token-with-username: ENC[AES256_GCM,data:9k+TaxVIQ6BUASckGTAAdDsSS1OQ7WfF6oUdY8t/24VU5bK3M2Uozbfh6qUtmZFLcA==,iv:4AE/eoXHm1/gd3SdRYY+LyI56YFod8YD7ZKZ6uG840k=,tag:fboN3lX6vKVZHEtaZ+C8Gw==,type:str]
+cachix-dhall: ENC[AES256_GCM,data:SxJ85dw01kRMXc2+Geza6NF4T1Ibidyyd4+ZoJxf78A1GanvmFuiyuHREbF5S/3EGxRvkbFqHDdf2GK6CtH3LRVygKEeGBT6wJtbgP8e8WsCx8WYKTDZq1WoDUBCpNwHw7zCmDIRIPNQkrW7Rj8cs0VMR1IDCpp6ThRC0PLWRkhKgVz+yITspk4U4mUJTRPaga+eVbZV7o6c8BSagHcu8kfjfeTWfYWata5yznxJfzFv2hxmOBIHRpJDZGKC3YHV7oeOv6zYJfrdA4TEcR7GrCOpXhpSv++SyyBlkrY2h5nar7MaJj8X3CpTFRNYyEqCu0gf3t1Pow2/N4C69Bl29xUvMJTnkakaM/KDtqc0vn/IPeb2mZSoeUy3FGvHA+Y5EZbwivguOw7EOWTXbQdG3BHHGM/+yWeOROb4XkgwY+yYXaRxwn1t,iv:NQ8P5R7lk2M5u/e3/T0J6oG8LGjaFs4jei7cZ4qRqBI=,tag:aDZf73Vgpn7tWFUhxXNh/g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTjZXS0FHOUlYMmJqK3o0
+            MXY4MGlyb0hsaDNUaW41VUJmQkZGSDB4bTNrCkIyclMxQVdJc244ZnBhRjdvbVJp
+            MTg4TkgrZTBCbUl2cElvU0h0dWg1UDAKLS0tIHBDNk5KQUIxQkFhaGg0WEJpT1Fy
+            MFF2WEllYjJOb3o1Y3BaQXNIWlVzNU0K70CzTOO+lWSpxBZ762KGgbITFkkp3zto
+            w2ks4Npnha5HE2gFvW+3LqVnBU6ltBQIZulSp5iw8wk1D5Y1N1VWKw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtSlNKUldxQlpGZzB1NU5K
+            Zzl3UDgxdUxjUEtxOU4yR1Y2WGFkQ1NqdUZvCm1lakM2R1VoM2hJeTdPZ2ZZU0Vl
+            eDJwUFdyV0NMRHNWYUtsRkFVWWtiaU0KLS0tIDROdFFzOW9UYjlKNStmZ0psd3Ny
+            TDUyT3huMGx2a2EvNmR6aDdOdFQ3MEEKtCQeWR5puxRS81wfdxkffumXyxYr/qvu
+            gZHnUyRjZFh3demGeOMPZIat/3hgYtq5vr6cPApIvhiI9NLW4eT5tg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQnJDTnBFeFZySlBQdU5l
+            WlFKYkt6Ymx5R0w1aHBWTzNUQlNJTTJ6LzJ3CndVUW5VZ0lnY1dwajdpWDRHeUpq
+            bTQzMHhpdHNqUWQ4Z25xSjN5SUlQNnMKLS0tIHlHMkpjYTBnVkJlRnM5VzdiK3hL
+            TVdqNkxlS1U5T3JYOWlSMG40S0ptSlkKHIRI77LjrziCExYYw0By9ncK1A+8YycY
+            5O8b5K6rt5VZ2YAyX5O5BG3XdVIIa/81XzMQx6TsFbisIVMrI6sfzg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2021-09-25T19:30:13Z"
+    mac: ENC[AES256_GCM,data:AaHBjy++1hd3KjIuNqqsWJDgpIdp+VXa5lFstuKLeXr342I9x7J/D4mI6H9ijKNUnADg0zIiWZ5ebybJgPVWtx8A3ZEYeoQJNGGrkM8YaVSu35USTo/FDAKydawIgMaJZSG5KkYV5Z8m/XTBn3ziG0dM4VDGu3yvw48NTnmaDIc=,iv:e0f576ONwt59APTVIidszKRs9/dN8MhpjmQnfbX9Dy8=,tag:6Qb95Y9pkG03YebD7vALFg==,type:str]
+    pgp:
+        - created_at: "2021-09-29T16:58:58Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA3tEuTsG48KkAQf/eR/gO1Lal6br33V/qgWqCZF7mvCRMz2DZxGPK8rQriAH
+            3yeJgA3TAdAtDVHZWwoqTuB81NTNpG6Ykuy3oYBPPo76Ll3QzBLXn+I9RVmQ3kQB
+            skCXXl4CA6GBUOTVhRr5/OHdjZ0q/1s9qD/nrYaX4Yuip9y39yZRod7oshMCmCIm
+            n4fxAp4x2AvtPeYEN5TQ9QQel6i3yJ1dpnDTUPd29zEf5u+ZdCT84KaiRRIglqEY
+            F3X4dJ96wimcEYbzXePDaX9V7W5WuK+xBO+zaZNk6UMoJtqM+aAvKBhSJVe9DAdB
+            HGg4z+Agx5jHfwi8AHV7+2r5mH1jyv6dwjTJHWMUv9JeAQ1gmoHZbdO1vzPK0H29
+            mitSSzSlO7Z9o9s9KPSKjfDccJ3ubcg4lJ58NifPvhYhWFEqUsPtq3QKoJZxVhPe
+            F0pvlWmnatIJj/5835/uvyywL+MxvGkU/Oo/juK8Ng==
+            =lrHq
+            -----END PGP MESSAGE-----
+          fp: 260353B993F8CE16752EF48C71BAF6D40C1D63D7
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
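Review bot: The age recipient list contains `age17n64ahe…sjuvkxz` twice (the entries at the first and third position) and no distinct host key for build02, which is what `.sops.yaml` produces when `&build02` is set to mic92's key. As committed, the host cannot decrypt this file, so every `sops.secrets.*` declared in build02/nixpkgs-update.nix will fail at activation. Fix the anchor in `.sops.yaml` and then run `sops updatekeys build02/secrets.yaml` so a third, host-specific recipient replaces the duplicate.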
diff --git a/build03/secrets.yaml b/build03/secrets.yaml
new file mode 100644
index 0000000..60da0cf
--- /dev/null
+++ b/build03/secrets.yaml
@@ -0,0 +1,63 @@
+buildkite-token: ENC[AES256_GCM,data:ckvzbyXHuW3N4tgZMYd+dPre+YOEnJj3T627wER3+7L9CMrZtYQlj6qU+HyeplMGqig=,iv:OmXO+85jtY6nGNm62+sF8QJF4q93mx06jNKherySD+o=,tag:mCj29oJTwEmjMN+QpmzUmQ==,type:str]
+buildkite-agent-key: ENC[AES256_GCM,data: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,iv:l3rVZA9QigI96ibMu9WRlA4UbVRzFt8CwF7+dCZ6tX0=,tag:B6EhsV97IVwaji8IgJHgPQ==,type:str]
+buildkite-agent-key-pub: ENC[AES256_GCM,data:dqARMa5gzgO3qgMh7BXUJIcqcNusxW0tladrUVb9MTew92K2IHKMYAlKRGENKIHPnPAYaW9yISmXs4cD3rPCosrHoZsgtVvCGS83atqthnR7StmuEKWdxQ35573BOEXqt71v+yRk0CJQJIMEUbI=,iv:2fCB8h/vI2DEL/XSWJLhUjZgjzFYDtr7ncMpE6x8Wg4=,tag:lIq7abSvadAc9CnRa6EJkg==,type:str]
+github-nixpkgs-swh-key: ENC[AES256_GCM,data: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,iv:FbelgOuVwv2VkmBEXt/PHceSm6dFzptSUtYGpeolgk0=,tag:FBu7MnrfFqqxj1NkMgDdtQ==,type:str]
+matterbridge: ENC[AES256_GCM,data:zLrVbfUSebZX69y4tvDXigpoEQziMbzXaO0EKQLrSBR1WaRJDb2U00Ifisucv7kfiJIuGf7xSKl+QthemgUyhfJiBWUtfFwbR2F526wA4uBUGvy5eYmM5eu5HeEfYN+Yrd7BMR5kSE4laUwjwd1/Dps6rFHwx/JtKmfGiKtE3nmqErypdm9kJrxqsPd9Ytn4r5UbM46rRu80AyN46shCL8MlRXmxLRxN4ihahY/QirAZ4TCfTJDu59IQQnmR9totBAMKmdfnDTgjUoxEXRY4WeLF+8tmcM/hPjYIgh/q+LMZtSoNWo8VYMccu71Tl6dwRjbo2evlVuqDB/uRwj5vwj8Ayf4QXePDblo5sX+AaC2/jCZ9l7cUBoB4gpgPkvdIgarPw0dZO35RLcKvLTpJo+8px0TjDmkSC4AdnPYTZeXRWfwse9DClmJqEQdHcVtrCSJ2g0wVZ5CuBX1jTrzOQIAkFBUf+M1SMARss6BAQJQzCYYDLRLu95v/FXhop7J/83OO/XAwVSofK1pM2bYwgwpZeYLGRN0b9hBniqneudA0zlbC8nNcwgiz/qnT9/99+Vuwc/6niqfmZr1qIZfL0TxUf2SOvSK5t54cFPO209Gsuc8F19/ukrxkqauwCI+ZtNV64L29knUGYy0yud5IzDnuyKC+oDHz4/x1JXKn0+Cfbmp5RUWtB3AxU4QjGYU9zv9aS0De1BHfGaKPJZCiCRv8ac04WyiH7o2hpt49N4a2Gg==,iv:cJ1F7TxrlrD1LHUMUTICPr0WW/gp2pbSVSTHBPPfFRw=,tag:Q/6BNz87Y1ifukdCVPTJqA==,type:str]
+hydra-admin-password: ENC[AES256_GCM,data:t0vmchbXXIAzvM2nxm4j16N9W67yWRb439M=,iv:qr/OfyMvTzi6Znw446KtxE2erh3XWi2VTJvVL2Ot2UI=,tag:mS6HlE6nojkemjp4F59+wQ==,type:str]
+hydra-users: ENC[AES256_GCM,data:0NVgtjaiQ2ytn2Z3EqjsphMsXMVq1KRjaHA9R11aFC1qoSnLP1GWu/Y8bkrA/fAcfn90Nmx6kY8N37PclYWNYPVzHL5Nf/zZgD+gUXF/5yFgvX73v/qmE39tp9zqVjmW02GJTug9FkYWUt8tTaMSq71jfW2B3w6SHz20jUn41Ak+VWexJjjxxj/4iq5bdx6f/9lu5VtM90Lyx5D2+8lWWKiRnMtjIqXPdzRSPi8X4zvJm4aGId1kKPE0Ba6RMuBKwDW4qqRoJixc1ddZoDQe4ycO12gszj1bTGB7cHm7iDU5B5KnZScJUrjzmE8F1hG0oLaP5SyR9+Ehe5uMZojTQZlDC57/zV10dj16H7mNaRBWFilshmhlmVuKcLA=,iv:vQ+dRNr6EplY8/+ZIgxg7f6lqqoMzXGoItx73imzfSY=,tag:sF7cq+986sy5a3N9HkUqPw==,type:str]
+marvin-mk2-key: ENC[AES256_GCM,data:7gDG0Sq0vIf1DooKmPrWXyUJvpyk4r4Le9LCQstsCWGa2yb30qGAp6mkTLwACjhl8gmNOVpAFrkNqRdbqb7wtba256ebsolsEULk5Mnyezytt+Ye2oCuo3Iu6DLwEtIh8ERIJN+Bg1FlLM48bN+8RhviR60oBrV+54oGmqwWP1QaDquCK4YZ0w+3CY/yMM4y3KOFa7MvZJ+sprCrvSiuv2Go9QBsYkM9EvVAgRjyQrT2egCjdxJWrazyUobN3dhMAdUxwpUb7sthqOES4TwEX0YWybRTM2gAnpIYt20nRGOcnLZjmsCg+62aQJlIvYk74e7ViIcc4AJ3vvqMor9bovRX0IW0IGuuX/qPRastdlCEAgDHrwONQI1xFgd7V6zpUiFKF/AeqMN4lzBgvAHXJv2Tx+qp53jat0q9m856/dSRplVYvo/nxDYx31eiv1YdBoDOm0ASwvVmfL7ZLoqxH63/phzhMLmB7j7LIGRcwEhyDTLlIwmTbe2A0s1Zikv6FOLiGOrpv5pDp8NIyfy7ltOp6dAOnW+p7Z508wdOHdX8er0fD5Oirw1ZRnyO4rqqO/wqUDllxEyqUoLVyCl1Nu+fyYTfQDiMwliWMH9kHtADaWobihFE+Qh6rl/vhoJaMwWdSbVwHO03uFqcZ5HtfwG5sadDM/Bb+olucdONLtQVMmBEylzhtszvFbhZbwe+FNWikxM7FQTa3iHfT5y7T9t2gA6HdPRqEJ9AFgcf9//IwHjdSItuDxpJOY1SGV0pxpBNo04V07wk5YIHKy6++zHYkAfizUFiXtX9Iml3imBEmWSo15JjFf+GXgB4lfXK5X3OZG0dZryV2hxiRrI10nJG7X144fQF14Ej3kYxPyIs5JRpdQbjX2hiYfNNV5BrlKesfq8Q+IRDN+E179X6vbhiCJbnCXiAJ7/1ZDrGi4mTCmmerVhgGDH2cjffr6cSfh7zdwyAwbr4KQ8nN2rXJ/u9CNi5xgvzqt6u8JXJTnyI8Zw1KHX0RL9u98GaDfnLKGf7E4APjCP7MIUukh/hS9zd88GgpkVaqI2pwEIjqgUvSrp45ud8V5dZQi+Nwo3ckrUj1u2J2I7BkQYPhZiC41GRR2uDb7m1xZDT0TFfcf+8WNrAZ5ft3tlWktNZ9qPzdxdJwUPryA3wAc1kN77VGmlOAkNpCuqoOvHbrrBruLgisIVPPK343o2+FHy0xYTs/SALnL+vx1AgzfcIeiyWx5Nsmo7IPuyLjW+fUtaboXmDphM+R/xfSwzBgngdW7WCYiEYbH+8Tx3GJHOtrTdh/JVfeuKHpNGegdRXhYOsHcioMnBksy1FJHFcfd1RudbCnBasaQ3qUdCcdcYoeGrIzTsRC7XBC/cLxVZ90JjhnF4RXXkQzeKdeaWxjUR3S64xE5S6USFftqAh2eVY86Gc98SeJlQX1grhWP3PlALF7g6eXLJyDgDsoNZJzX2LFpEoJ+p+dPOt+j1+N4gg1UlmuEH4Xg6fyoTECG2JdNJV4reboK9lM91NfKxF3bAB3t5KtJylFuqc8uIkW935K33O4X/JOA8m2579ycy9POxRIYBkdH3yHdgHluJYgygkA0xhU4eZcsSRzYrimnceK/M3b/1MtFWR5IpmDDNgH95YVK8+ZEk8RGT8Bl1pD62k+Iivzb7fZIG6ig+tc7FsOnp8NmLDVOfb4m3ApAaF3ccqbbiQRfikHH7swMRcWAP2Qtvj9Opag5Fw1PUJA5SsmSmLRQELNaXjQ2tCnjRuAkY2I9Ui3qbmlw+faar4Hf4u+/7mi61gPmEoYSHtGNl3kdgiagz660fhxSwQEz5uA2VGo+cyDkoMukEkukv9VRRKXkVSeFNby2c9pYWl+mMTl56DZzTpTCv/eiAf9838XVECJY555q9/lHzp5RLI4+KfyXn9rLBUo7TCYRAGf3mEj4CQLV+YmVfo81YiqLu0n1f36PJ
DqBhTsRHS5geMBQVkrR1Arsp48Qcr3QF92hemB63Y4xN3nhK3v9RQsyK3k6LCZGJis+IBuXZfBbAcuW4jCG6stYhREPECHbfMGNgufRnf13Y2nFC5erhFTB8lT+OnR/pIN5BAx7jd9ZF1Qz9D/oAzgt7TPr9W2MDyhUkvkt6QQiuAI3xCzVD6GehpaxzlbBoEZ3/wxdyA6L5j7aNNAD12pkt6nspv3SouUqgRFunvtVa4dOuHQElWi0s+PAOWxAlzqsCcqRkYTaDapQ==,iv:ZwZCATHmV5LlD1KuOZxQR/QCWoDr4QgvZFYYl9H45gA=,tag:JJe+2rLOIuRT8X9EXfv1Sg==,type:str]
+marvin_mk2_id: ENC[AES256_GCM,data:iIkSiz4=,iv:h7zZDgCmhNzVoa4gmaL9E+ngDXDJm99xSfuWM/pBbc4=,tag:cM7G2luQahyzoqZ3Hi9S/w==,type:int]
+marvin-mk2-webhook-secret: ENC[AES256_GCM,data:5uhSE/xIj2iGM3+v2d7XtGNI1AQAbeUvZDFj/5QM,iv:XAixOFSLFZSFnpWumqVHpQEeeMzIEl/8qrTiinayqDM=,tag:CSR6Htf+sK9RtbssRvJddg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNXlQNGZPZ2IrV0RHOUJK
+            amRlcitSWnJ4d0lmOFl6OEdvMWNFV1hXVjJjClpQUUtJeVB2UFNyV0I5aURFUkpS
+            cElQdzd0QVFhS2JLQ1A0YUx2cmQ2bkUKLS0tIFlNYlpDTHFkeGN4UnFkdDVZd2FQ
+            Syt0L014QzcvR3NzSDBxUDdDa2N6Z0EKXnZJmrqewi54dMr54R3x0QVuiFdDS4vW
+            uDiT9rp3FXiZ/RAF3twv/T4Vb0POdImy1asvQANrvitC5i6L0LpgCg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eXhDeGxaUjUwblZidlVN
+            Zk0xYmdzOFBtWWhxb0ZkS0NycUtqSm5ETm1BCnRtd25qalJ2cnIySHlLUlRtbEZ6
+            RVZnSWgwN2NpV2VTNDc2ZTBQdWVlN2cKLS0tIEk4MzB4QnYwNHdEZHFlK1NaOTh1
+            RzRlT3dIbzlPYXFzZ20yMlFzQmIvZ3cKzb/9lV6kuJE2HRn4WfQgj+fx3jdFeIId
+            agnMl7jAya9WOHpQVnjutNXytVEI5yB9c/AtmvwWwiABAn6GvDgArg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcStZVzc2MjVZS2RFS0ZB
+            YS9JZFJ0QVJPZElSeTg2WmJKbitCb0syV0ZzClpNWWlramdyZEtZaFNpSmZaQmJV
+            aC9MUnU0WmlxcUxLRC9zTHMyU2NiMTAKLS0tIGVBaVhxNzR3a0lVNGU5YmFEUCtj
+            dkdxUGVnYms5SXF1QUtqRlBUSkxpSlkKtUELjyaXUHhRcUTElgLBPvppSjldWAh+
+            pjDzatq8F7NDPLpvHOAymYwu0G0B+LueWo3rO/coqONPxS9MMJQuvA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2021-09-25T20:26:06Z"
+    mac: ENC[AES256_GCM,data:Q//lq4YyjL8GmK7MACjT82v3GCAOVJnORiNwaFvT0dX+ZQ5a8GBXgqxgb+DtcOfYPMF4iulFSJiXBqeyDuAnRqYITE7ZAjZ1x3/E5Dl0uKA5hrrixOLka/lJHfrCUOAypFD27RHszJgU7jUbGPRQWQi6OViBKW1pRcX1juVT+Qw=,iv:Y0M45KXatLCigR6Kdya/07e7QZBTg0vOhE9YmJMi+TQ=,tag:gELLCgGq5pWT1LcogyJXcw==,type:str]
+    pgp:
+        - created_at: "2021-09-29T17:02:42Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA3tEuTsG48KkAQf/UVAiwNWKRxKwqw++IxoKn1oUnb9vFGyrHEdgIEs9wvhD
+            u+gMMZQoM0CsHn0RHHGr0WG3k2hG0G5q91UD0lmiv0fvpx8ZbLDGUbPwD4Q3SUT+
+            bWOMocAAlUqBuGl8R7U+XmPNkkZyKj20YK3cnrE8s4LSJQIvWWYQAPZpUqslDFyT
+            ypGZAtR9LDHMiBK6v0zbKsFW68+rcLtt+f30jor+nRveuRyhnDcMUUE6E4jdF9UI
+            EsxU/+xUyw7LE0FN/u/IkyQUTwNCFPS/XEO+erXFccQ8UekmjDm7xRhhSX5pKSdJ
+            1AfaeLu/9J6qx4b1SbICRFRt+Vh/DKttCfLaSZ+TRNJcAXjMsqtZUzi+2qSt1D3B
+            mG7LhdntGGnMFdKUYrEZ0y8y2B+nY6P+ix/AKcsF4ajFCq0L2IYTJ2+37+OtKEDA
+            3/5j4I2ujkgQGMSY3aEovX5jU/O9SngBe/h/xHU=
+            =D3oS
+            -----END PGP MESSAGE-----
+          fp: 260353B993F8CE16752EF48C71BAF6D40C1D63D7
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
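Review bot: The removed deployment.nix entry stripped a trailing newline from `buildkite-token` (`removeSuffix "\n" secrets.buildkite-token`), but sops-nix writes the decrypted value verbatim, so if the plaintext stored here still ends in a newline the agent will read a token with a trailing `\n`. Check the value with `sops -d --extract '["buildkite-token"]' build03/secrets.yaml | od -c` and re-enter it without the newline if needed. The same applies to `hydra-admin-password`, which is consumed as a raw file by the declarative project script; a comment `# values are written verbatim — no trailing newline on tokens/passwords` at the top of the file would be a useful reminder.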
diff --git a/deployment.nix b/deployment.nix
index b3727f8..5f3a2ff 100644
--- a/deployment.nix
+++ b/deployment.nix
@@ -17,159 +17,36 @@ let
 
 in
 {
-
   network.description = "nix-community infra";
 
-  build01 =
-    { resources, ... }:
-    {
-      imports = [
-        ./build01/configuration.nix
-      ];
+  build01 = { ... }: {
+    imports = [
+      ./build01/configuration.nix
+    ];
 
-      deployment.targetHost = "94.130.143.84";
-    };
+    deployment.targetHost = "94.130.143.84";
+  };
 
-  build02 =
-    { resources, ... }:
-    {
-      imports = [
-        ./build02/configuration.nix
-      ];
+  build02 = { ... }: {
+    imports = [
+      ./build02/configuration.nix
+    ];
 
-      deployment.targetHost = "95.217.109.189";
+    deployment.targetHost = "95.217.109.189";
+  };
 
-      deployment.keys."id_rsa" = {
-        text = secrets.github-r-ryantm-key;
-        destDir = "/home/r-ryantm/.ssh";
-        user = "r-ryantm";
-        group = "r-ryantm";
-        permissions = "0600";
-      };
+  build03 = { ... }: {
+    imports = [
+      ./build03/configuration.nix
+    ];
 
-      deployment.keys."github_token.txt" = {
-        text = secrets.github-r-ryantm-token;
-        destDir = "/var/lib/nixpkgs-update";
-        user = "r-ryantm";
-        group = "r-ryantm";
-        permissions = "0600";
-      };
+    deployment.targetHost = "build03.nix-community.org";
+  };
 
-      deployment.keys."github_token_with_username.txt" = {
-        text = "r-ryantm:${secrets.github-r-ryantm-token}";
-        destDir = "/var/lib/nixpkgs-update";
-        user = "r-ryantm";
-        group = "r-ryantm";
-        permissions = "0600";
-      };
-
-      deployment.keys."cachix.dhall" = {
-        text = secrets."cachix.dhall";
-        destDir = "/var/lib/nixpkgs-update/cachix";
-        user = "r-ryantm";
-        group = "r-ryantm";
-        permissions = "0600";
-      };
-
-      deployment.keys."nix-community-cachix.dhall" = {
-        text = secrets."nix-community-cachix.dhall";
-        destDir = "/var/lib/post-build-hook";
-        user = "root";
-        permissions = "0400";
-      };
-
-    };
-
-  build03 =
-    { resources, ... }:
-    {
-      imports = [
-        ./build03/configuration.nix
-      ];
-
-      deployment.targetHost = "build03.nix-community.org";
-
-      deployment.keys.buildkite-token = {
-        text = removeSuffix "\n" secrets.buildkite-token;
-        user = "buildkite-agent-ci";
-        permissions = "0600";
-      };
-
-      deployment.keys.buildkite-agent-key = {
-        text = secrets.buildkite-agent-key;
-        user = "buildkite-agent-ci";
-        permissions = "0600";
-      };
-
-      deployment.keys."buildkite-agent-key.pub" = {
-        text = secrets."buildkite-agent-key.pub";
-        user = "buildkite-agent-ci";
-        permissions = "0600";
-      };
-
-      deployment.keys.github-nixpkgs-swh-key = {
-        text = secrets.github-nixpkgs-swh-key;
-        user = "buildkite-agent-ci";
-        permissions = "0400";
-      };
-
-      deployment.keys."nix-community-cachix.dhall" = {
-        text = secrets."nix-community-cachix.dhall";
-        destDir = "/var/lib/post-build-hook";
-        user = "root";
-        permissions = "0400";
-      };
-
-      deployment.keys."matterbridge.toml" = {
-        text = secrets."matterbridge.toml";
-        user = "matterbridge";
-        group = "matterbridge";
-        permissions = "0400";
-      };
-
-      deployment.keys.hydra-admin-password = {
-        text = secrets.hydra-admin-password;
-        user = "hydra";
-        permissions = "0400";
-      };
-
-      deployment.keys.hydra-users = {
-        text = secrets.hydra-users;
-        user = "hydra";
-        permissions = "0400";
-      };
-
-      deployment.keys."marvin-mk2-key.pem" = {
-        text = secrets."marvin-mk2-key.pem";
-        destDir = "/var/lib/marvin-mk2";
-        user = "marvin-mk2";
-        group = "marvin-mk2";
-        permissions = "0600";
-      };
-
-      deployment.keys."marvin_mk2_id.txt" = {
-        text = secrets."marvin_mk2_id.txt";
-        destDir = "/var/lib/marvin-mk2";
-        user = "marvin-mk2";
-        group = "marvin-mk2";
-        permissions = "0600";
-      };
-
-      deployment.keys."marvin-mk2-webhook-secret.txt" = {
-        text = secrets."marvin-mk2-webhook-secret.txt";
-        destDir = "/var/lib/marvin-mk2";
-        user = "marvin-mk2";
-        group = "marvin-mk2";
-        permissions = "0600";
-      };
-    };
-
-  build04 =
-    { resources, ... }:
-    {
-      imports = [
-        ./build04/configuration.nix
-      ];
-      deployment.targetHost = "158.101.223.107";
-    };
+  build04 = { ... }: {
+    imports = [
+      ./build04/configuration.nix
+    ];
+    deployment.targetHost = "158.101.223.107";
+  };
 }
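Review bot: Every use of `secrets.*` is gone from this hunk, so the `let` binding that imported the git-crypt secrets file (it starts above this hunk, as the `@@ … let` header shows) and any `removeSuffix` import are now presumably dead; leaving the binding in place keeps the plaintext secrets file in the repository with no consumer. Drop the binding, delete or `git-crypt`-retire the old secrets file, and consider rotating the credentials that were in it, since the migration is the natural point to do so. The `{ resources, ... }:` to `{ ... }:` change is fine, but a short comment such as `# host secrets now come from <host>/secrets.yaml via roles/sops-nix.nix` above the first host would tell the next reader where the keys went.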
diff --git a/keys/zimbatm.asc b/keys/zimbatm.asc
new file mode 100644
index 0000000..b9525fe
--- /dev/null
+++ b/keys/zimbatm.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFc+BfYBCACtWxj0q16ScUA+ebozKq36MSKAeAMf6RcNyINtC3Z5fzh3kZ3b
+g7VS8gEuMXm1/Kx9BksjUfC8/F+ZzoQoUdel5XaBA/8YCwabj9yNT/W+gQuVGB3Z
+MpmhSs08YnEmVjQy2pUEBUWq7q1k8W04q/fyOsAWTWNwGh3UU25twROomX2RYATB
+dRYJgnH02FVMxMBx9qpIVkskmUBKlLRkZ+XGL8ctlfsTSjFj2Q9UNdcqnLwKodDy
+kZFfyX7OQaYnCeor/6HlGIBAmNW5GiLCBYR5wYFCb77EYcuo9eildyfwoHHBG9Tz
+GH60a5KjIP4Mo7PBLlLP35irBffZDui1rRiZABEBAAG0HXppbWJhdG0gPHppbWJh
+dG1AemltYmF0bS5jb20+iQE3BBMBCgAhBQJXPgX2AhsDBQsJCAcDBRUKCQgLBRYC
+AwEAAh4BAheAAAoJEHG69tQMHWPX1P4H/3HBMc+vuseIx0mt2wIuu4Ccvj8UdfyL
+rFMmEMBL0BDRXJPPUL0+GsalCKwTeVjNY5ZxJ0upKGeODUgE8N7tBHGwJ7PJK0XM
+OXNDa41Q7Ev7Pb41ZZrt/vE0fsRLvUupJip4GeFSV18VqFpTjev/y9tREiugpmSR
+JyFVI5Q5awO1zEnZyGro1wuzQ3DJ7lOaflu3xG4Qryv4gzoAN1YoMcQtJXdZBWTo
+tTIxSa07P4FbNI+B9nRvQNq1BzTQPc3uTN+/2Q49GrXoSe3FsV2BhkLPCbgRds4v
+zoXdCCDKNbspJEYOfPH6QobupO5S45WnIDGBjgx0GeQ4My9DBCoSzcS5AQ0EVz4F
+9gEIAMoE30ESB0hV+v/V5MOdlOWXQf6W/O/z2R0zJh/WLqzhYGy8C6Nqb4d2PYYd
+3qyUCHj2GgqxBgNRjGlJbO1ctlSueYBqpiFzFNVr5WlyFxNSg8LRZ2vPIYwsUQ/G
+IXns3TJnLypxXl+v2vnzNa6RqB0zXv4RleRNYW2Z/CD8die8jd+XH19Pf2gR3s4I
+Y2rV81YWi2hvyERP694aK89BVTQRCutm4gHtpBc3mX0FB2+lq1HwZ5jVZ5ZRwL28
+Ty1MnHkyxmIjQv67mv07fXEUQ08Fp1jFQfamvVzF2GLCg5e7SUqGUVUD4quVAqQX
+KkwsqwP/viA9eYOASo0waUbYuJUAEQEAAYkBHwQYAQoACQUCVz4F9gIbDAAKCRBx
+uvbUDB1j1yduB/9RzZpAWGdqqmQyDLH7fxUt+RnYMmSWswRvrP1O8WMA3dDO65xP
+m2wCweZyOmQJ4BNMVh8JA0JWrkVYBbuRiHZKNaKQygmRISR5379h+y1Zc4BctHZ7
+6OyjNnLwt4bQMwncr8/wLB+JwTrMB6Q9GMFieTJiak3QKbVkcaNpy2Q718CeCwUs
+ZVgmMWZENii0mHVzACLyM0GEsY/ZGeLT73en2QDCEYN32ad/3BGBqjmETBy26bg8
+LIRiLEAWFYJdDxFBUoIAZHdlxqkI0+yaqxTupgOK0brSO0sYldGd6lmMIr1t461y
+20wJIM3Im6Ozov71dec221hD5XLPNYde/uFK
+=zyun
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/nix/overlays.nix b/nix/overlays.nix
index e25ef0a..b7ce2a6 100644
--- a/nix/overlays.nix
+++ b/nix/overlays.nix
@@ -3,6 +3,7 @@ let
     inherit (pkgs)
       git-crypt
       niv
+      sops
       sources;
     nixopsUnstable =
       let nixopsPkgs = import sources.nixops-nixpkgs {};
diff --git a/nix/sources.json b/nix/sources.json
index 671d883..8da1dfa 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -41,10 +41,10 @@
         "homepage": "https://github.com/NixOS/nixpkgs",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ed332b0bc7440cc25de85a09fdb0491d3ad3343d",
-        "sha256": "1n8wcgm0wcng1mcgk1q6yfi1y951j2fc3n2dxgcrns9v9h7c552c",
+        "rev": "96606addcedb821d311c701788062b8864346838",
+        "sha256": "1pja0yrwcj13nbbqakyfsfb90szi0m9lfz4wygm9c7s8gagqxd29",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/ed332b0bc7440cc25de85a09fdb0491d3ad3343d.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/96606addcedb821d311c701788062b8864346838.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs-update": {
@@ -94,5 +94,17 @@
         "type": "tarball",
         "url": "https://github.com/ElvishJerricco/simple-hydra/archive/0d28b0b66136082d0cbfd90ede4436a580e3e8d0.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "sops-nix": {
+        "branch": "master",
+        "description": "Atomic secret provisioning for NixOS based on sops",
+        "homepage": "",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "ae84c313c5250a832d61dae9e1e659b27542c47b",
+        "sha256": "1p4qfbb108syycszjyncwx4wiqgw6qn53cp4b21afff7pmbp02bs",
+        "type": "tarball",
+        "url": "https://github.com/Mic92/sops-nix/archive/ae84c313c5250a832d61dae9e1e659b27542c47b.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }
diff --git a/roles/buildkite.nix b/roles/buildkite.nix
index fb65acb..a373df9 100644
--- a/roles/buildkite.nix
+++ b/roles/buildkite.nix
@@ -1,9 +1,13 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 
 {
+  sops.secrets.buildkite-token.user = "buildkite-agent-ci";
+  sops.secrets.buildkite-agent-key.user = "buildkite-agent-ci";
+  sops.secrets.github-nixpkgs-swh-key.user = "buildkite-agent-ci";
+
   services.buildkite-agents.ci = {
     enable = true;
-    tokenPath = "/run/keys/buildkite-token";
-    privateSshKeyPath = builtins.toPath "/run/keys/buildkite-agent-key";
+    tokenPath = config.secrets.buildkite-token.path;
+    privateSshKeyPath = config.secrets.buildkite-agent-key.path;
   };
 }
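Review bot: `config.secrets.buildkite-token.path` and `config.secrets.buildkite-agent-key.path` on the two changed lines reference a `config.secrets` attribute that does not exist; the rest of this commit (services/hydra/default.nix) uses `config.sops.secrets.<name>.path`, so these should read `tokenPath = config.sops.secrets.buildkite-token.path;` and `privateSshKeyPath = config.sops.secrets.buildkite-agent-key.path;`. The three `sops.secrets.<name>.user = …` lines are also inconsistent with build02/nixpkgs-update.nix, which sets `owner`; `owner` is the option name I recall from sops-nix, and if `user` is not a declared option the module evaluation fails, so please check against the pinned sops-nix rev. `github-nixpkgs-swh-key` is given an owner here but is not referenced by this module; a comment naming the consumer would help.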
diff --git a/roles/common.nix b/roles/common.nix
index 95f3ef3..d49d13e 100644
--- a/roles/common.nix
+++ b/roles/common.nix
@@ -9,6 +9,7 @@
     ./telegraf
     ./users.nix
     ./zfs.nix
+    ./sops-nix.nix
   ];
 
   environment.systemPackages = [
diff --git a/roles/gitlab-runner.nix b/roles/gitlab-runner.nix
index 7fdd31d..5cfc5e7 100644
--- a/roles/gitlab-runner.nix
+++ b/roles/gitlab-runner.nix
@@ -1,10 +1,5 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 ## requires this secret in deployment.nix
-#deployment.keys.gitlab-runner-registration = {
-#  text = secrets.gitlab-runner-registration;
-#  user = "gitlab-runner";
-#  permissions = "0600";
-#};
 let
   gitlabModule = builtins.fetchTarball {
     url = "https://gitlab.com/arianvp/nixos-gitlab-runner/-/archive/9126927c701aa399bd1734e7e5230c3a0010c1b7/nixos-gitlab-runner-9126927c701aa399bd1734e7e5230c3a0010c1b7.tar.gz";
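Review bot: The surviving comment `## requires this secret in deployment.nix` is now stale, since the secret is declared in this file and read from `./gitlab-runner.yaml` (see the hunk below), and the example it introduced has been deleted. Replace it with something like `## registration config comes from ./gitlab-runner.yaml (sops-encrypted, see .sops.yaml roles/ rule)`. The `let` binding fetching the gitlab module continues past this hunk, so I cannot see whether the tarball is hash-pinned.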
@@ -16,10 +11,15 @@ in
     "${gitlabModule}/gitlab-runner.nix"
   ];
 
+  sops.keys.gitlab-runner-registration = {
+    user = "gitlab-runner";
+    sopsFile = ./gitlab-runner.yaml;
+  };
+
   services.gitlab-runner2.enable = true;
   # The module depends on gitlab-runner to have a "bin" output.
   services.gitlab-runner2.package = pkgs.gitlab-runner // {
     bin = pkgs.gitlab-runner;
   };
-  services.gitlab-runner2.registrationConfigFile = "/run/keys/gitlab-runner-registration";
+  services.gitlab-runner2.registrationConfigFile = config.sops.keys.gitlab-runner-registration.path;
 }
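Review bot: `sops.keys.gitlab-runner-registration` and `config.sops.keys.gitlab-runner-registration.path` use a `sops.keys` namespace that appears nowhere else in this commit; every other module declares secrets under `sops.secrets`, so this should be `sops.secrets.gitlab-runner-registration = { owner = "gitlab-runner"; sopsFile = ./gitlab-runner.yaml; };` and `registrationConfigFile = config.sops.secrets.gitlab-runner-registration.path;`. Note too that the referenced `./gitlab-runner.yaml` added in this commit is not sops-encrypted (no `ENC[...]` values, no `sops:` metadata), so even with the option name fixed sops-nix cannot decrypt it at activation.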
diff --git a/roles/gitlab-runner.yaml b/roles/gitlab-runner.yaml
new file mode 100644
index 0000000..820c208
--- /dev/null
+++ b/roles/gitlab-runner.yaml
@@ -0,0 +1,3 @@
+gitlab-runner-registration: |
+  CI_SERVER_URL=https://gitlab.com/
+  REGISTRATION_TOKEN=ynWzkuM4vNEZkxrUtJFs
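Review bot: This file is committed in plaintext: it has no `ENC[AES256_GCM,…]` values and no `sops:` metadata block, so the GitLab runner `REGISTRATION_TOKEN` on the last line is exposed to anyone with repository access and to git history from now on. Treat the token as compromised: revoke/rotate it in GitLab, then store the new value with `sops --encrypt --in-place roles/gitlab-runner.yaml` (the `roles/[^/]+\.yaml$` rule in `.sops.yaml` already selects the recipients) before re-committing. Removing the plaintext from history with a rewrite is worth doing but is not a substitute for rotation. A pre-commit check that rejects `*.yaml` under `roles/` and `build*/` without a `sops:` key would prevent a repeat.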
diff --git a/roles/nix-community-cache.nix b/roles/nix-community-cache.nix
index fd889e4..5881618 100644
--- a/roles/nix-community-cache.nix
+++ b/roles/nix-community-cache.nix
@@ -4,6 +4,11 @@ let
   sources = import ../nix/sources.nix {};
 in
 {
+  sops.secrets.nix-community-cachix = {
+    path = "/var/lib/post-build-hook/nix-community-cachix.dhall";
+    sopsFile = ./nix-community-cache.yaml;
+  };
+
   systemd.services.cachix-watch-store = {
     description = "Cachix store watcher service";
     wantedBy = [ "multi-user.target" ];
diff --git a/roles/nix-community-cache.yaml b/roles/nix-community-cache.yaml
new file mode 100644
index 0000000..dc5aa4c
--- /dev/null
+++ b/roles/nix-community-cache.yaml
@@ -0,0 +1,81 @@
+nix-community-cachix: ENC[AES256_GCM,data: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,iv:N/yKtyd56YpdpNEe92g9Eml8gYR9x5pBT66U5p20Rzw=,tag:HCAJSqQ3Wq5SnZDwdryN1Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYkk1bEdDN0FnZ0tYSEJS
+            d3NPV0QrWmdMMWt0WmVNbkY2MXF4UUQzeG1rCkcyZnJ4YTMydjlESFZoa29tSnEv
+            TVhZblphbGpRWVpab1VEZVBpaGM0a2sKLS0tIHlyRmo5Z21GREpHQkNGK1BYcXdP
+            WFdwWnpsSnFGZkZhbzFjUE9EdjZmVDAKMkl6SxRIIVsfjYr9GhZEMJJBHn9D6esU
+            NbM1hKVLqvl08Xrl0b3glxoTs3Seirbj9qj1jl65WwgqlZJyw93ZeA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVmg5b1ZXRmhwM25naE56
+            NGV5RFExYmZXbThxbmdVZC95R1NJcmw1VnhNCmhPQWM0YWxTL3NJbjFsekpkclND
+            M1hLNWZ4Wk95SXZDYmlFb1hNUUk2R28KLS0tIHk5SUpRUnA3WjB4YS9FQm1sOHU5
+            U3Y5eXZhenFna0tIbjErVXZtRmFtbTQKjTh3xkEelFwjpBPxcf7o25pOTvAaz3mr
+            NGACvPbDy2lqivzkLnGclv905/O3b2E29Np2N8Pj+/sVFJPRH8fPYQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM1hNQkJHcDUxbkQwM0NE
+            Y0pQRGE5QUdGQW5Bak5icE5jbjhlczQrU3o4CmdvVVlvNkVWQ3ZoU1JvOXkxekRr
+            enZTN2M0aVhwQzRDaTREaDI1OTR3RlUKLS0tIFR6WnB5Mzh6QkxaWnlFVFF1N1lO
+            d0svWEdVdnhxM3RxdGNOVm1qYkt3UjQKj/a8b8cnIekk+nIuqFxld38uWf9wl5G1
+            p5vTB4hv93l5VCFL3ipHYV1kA+nXUvAMleg8k12MgLs5FWQvfKbuGw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNW1UL09rems5K2RWdWRR
+            VktyU1lKdDRRbEIzVmFMRXAxU2hFU25KVEJ3CjhOcDY5NEdyak1LQTFzeTkyTzdY
+            Nk1XbURVR1RiMkNQYnBpMFlidDBHd00KLS0tIGZ3djBacUorOFZxUjQ1alJicFlX
+            THFjSEI1SndHSDEwRng4MldmZTFST3MKw0T4QkxAiBib9Xozc9QYA/4AdRT3oPIf
+            uKpPs4ADI7RFAvrdmwDzJlTwf77e4VA+ZWT6TaxLfk6LcsHXycT1HA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3czZ2QUU1cTU4YnhBK0tG
+            Vkc4VHJnS0V5eUJWcGQ4QkljOFpvMkxpRDNzCjEzQW5UZ0RseWkwTXJ2THJ0dUti
+            RUJua1M2dXpPd1ZHQ1FWV1hjdklEcXMKLS0tIElkVnZsMVR4cU5IOU4zdTNlRzcr
+            aGhzWUtaY3NVbnBtSkh6bUxRYlBHZU0KVQgEX1tBiE5Yiipzo7CFnLb0YO4BCqWa
+            ZIttlq2lW1oxivpk6KPUg+aLCOIgyLEPkOuYIw9XNeT/t47m0GJIYA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vr4suv4lhtt8f59s25eukdfk67j7av72gvj7sk7ux6thusct3utqmn3pmf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEL3FadFlhVExKemlsVWxv
+            Q2J1eVArbW9OZzlMcTNRQitvc2lQRkNWb0ZjCjdoZkFhaWxFUElIeVFaUWRpQmlT
+            QnRJWW5icGxKZlhJZmp0SVU5dHpTSmMKLS0tIE12dERYVGpwTzhMRFkwNytZQkVS
+            MFlJekswK2pkV3lzVGhqRitpMDY0SmcKRaW/wm6SIJBX514g4zZD2k4k0kSzQ4qA
+            baNRlr1fqj3LjIzWBlwolmM+W3cTyhVV8VSjN8fZ+xQcVPjSFazB6g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2021-09-25T19:43:46Z"
+    mac: ENC[AES256_GCM,data:ZQibKAevbsldaAIjzoZ4/zzWdCLaGHKMzBU7zre6DnE+9UF3vpa+VWfTPCs7ovqKkWJUsTiyyg8JxMeF3ivFnXRzrbzeX5EZRAqlKQJHXAp5ruWDJL5Zaw3dWMVM70MGJDOsZdws5tJUu8jbZN5nYX+yjw1zDIfb1Gho7sfYg48=,iv:VDP2iWxiFy+4vTQd5DKMNpMFAWrfwKKaGfZos+Y5l3U=,tag:wo8a27b6hWkL85e+IIm58Q==,type:str]
+    pgp:
+        - created_at: "2021-09-29T17:02:43Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA3tEuTsG48KkAQgAl3H+gXJ1Q4sRM6keLtiAO8Irf2ZHqLq1/CyzkJXymfXf
+            rme3cssXfuxfn2mPDPUb7eLOVtrv8vWuMkAripHJvzKNSyxf6fEbFZlN2zT48AZA
+            E8UYV5/pHSXQ5tmVhOMUuWJBThvOoogBHNEzZVCqdd28ZK7utqU3ynSe08KQWAHO
+            /VEa//so3sr21vLg32LZzTPqdzjFQjLPnvvqQ0ItghbzsIiTsjy40jAF5+jSwX49
+            BND9+tI3GJgg/bppiSLhAk6NVW6TRu5UoJQ/CxMsj79FPyUoyU9cb8ub74CvNaJy
+            Hjz5JEArIo8qRj+peQ7OqsNJfuqyM/+tgzJOc9Li4NJeAdVuVTrYeqHt44B5TEO+
+            S3zEb0BeDra8Ol2qIPLlWvuTH7s45xHDni9cB95usC6QIvLenO7tbBT8QjpKIguw
+            qJS6ei6uVaeTdz3T2FNlqEEDh3avD5558mAK8iz3NQ==
+            =V6ae
+            -----END PGP MESSAGE-----
+          fp: 260353B993F8CE16752EF48C71BAF6D40C1D63D7
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
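Review bot: The age recipient `age17n64ahe…sjuvkxz` appears twice in this file (first and fourth position) while the `roles/` rule in `.sops.yaml` should have produced six distinct recipients — mic92, ryantm and the four hosts; the duplicate is the `&build02` anchor being a copy of `&mic92`. Consequently build02 cannot decrypt this file and the post-build-hook cachix config it provides will be missing on that host. Fix `.sops.yaml` and run `sops updatekeys roles/nix-community-cache.yaml`.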
diff --git a/roles/sops-nix.nix b/roles/sops-nix.nix
new file mode 100644
index 0000000..54c9bf6
--- /dev/null
+++ b/roles/sops-nix.nix
@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+let
+  sources = import ../nix/sources.nix;
+  hostDir = lib.head (builtins.match "nix-community-(.*)" config.networking.hostName);
+  defaultSopsPath = ../. + "/${hostDir}/secrets.yaml";
+in
+{
+  imports = [ "${sources.sops-nix}/modules/sops" ];
+  sops.defaultSopsFile = lib.mkIf (builtins.pathExists defaultSopsPath) defaultSopsPath;
+}
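Review bot: `lib.head (builtins.match "nix-community-(.*)" config.networking.hostName)` throws a type error rather than skipping when the hostname does not match the pattern, because `builtins.match` returns `null` and `lib.head null` fails; the `pathExists` guard on the last line never gets a chance to run. Bind the match first and make both lines null-safe: `hostMatch = builtins.match "nix-community-(.*)" config.networking.hostName;`, `defaultSopsPath = if hostMatch == null then null else ../. + "/${lib.head hostMatch}/secrets.yaml";`, and `sops.defaultSopsFile = lib.mkIf (defaultSopsPath != null && builtins.pathExists defaultSopsPath) defaultSopsPath;`. Also note that `import ../nix/sources.nix` is called without arguments here and with `{}` in roles/nix-community-cache.nix; both work with niv's generated file, but one form should be picked for consistency. A header comment stating that the module relies on sops-nix's default of deriving the age identity from the host's `ssh_host_ed25519_key` (which is what the ssh-to-age scan in `.sops.yaml` assumes) would document the trust anchor.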
diff --git a/services/hydra/default.nix b/services/hydra/default.nix
index 41fd35f..edbdb6a 100644
--- a/services/hydra/default.nix
+++ b/services/hydra/default.nix
@@ -6,8 +6,8 @@ let
 
   hydraPort = 3000;
   hydraAdmin = "admin";
-  hydraAdminPasswordFile = "/run/keys/hydra-admin-password";
-  hydraUsersFile = "/run/keys/hydra-users";
+  hydraAdminPasswordFile = config.sops.secrets.hydra-admin-password.path;
+  hydraUsersFile = config.sops.secrets.hydra-users.path;
 
   createDeclarativeProjectScript = pkgs.stdenv.mkDerivation {
     name = "create-declarative-project";
@@ -78,6 +78,9 @@ in
     };
   };
   config = {
+    sops.secrets.hydra-admin-password.user = "hydra";
+    sops.secrets.hydra-users.user = "hydra";
+
     nixpkgs.config = {
       whitelistedLicenses = with lib.licenses; [
         unfreeRedistributable
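Review bot: `sops.secrets.hydra-admin-password.user` and `sops.secrets.hydra-users.user` use `user` where build02/nixpkgs-update.nix uses `owner`; as far as I recall sops-nix declares `owner`/`group`, so if `user` is undeclared this module will not evaluate, and at minimum the two spellings should be unified. The previous hunk references `config.sops.secrets.*.path` inside a `let` whose head is outside this view, so please confirm `config` is in that module's argument set (the buildkite and gitlab-runner roles had to add it). Since both secrets only exist in build03/secrets.yaml, a comment `# provided by build03/secrets.yaml; the hydra service is build03-only` above these lines would explain why no `sopsFile` is given.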
diff --git a/services/marvin-mk2.nix b/services/marvin-mk2.nix
index 560f3d7..3eb5a7e 100644
--- a/services/marvin-mk2.nix
+++ b/services/marvin-mk2.nix
@@ -28,6 +28,18 @@ in
   # FIXME: use the above host instead
   networking.firewall.allowedTCPPorts = [ 3001 ];
 
+  sops.secrets.marvin-mk2-key.user = "marvin-mk2";
+
+  sops.secrets.marvin_mk2_id = {
+    path = "/var/lib/marvin-mk2/marvin_mk2_id.txt";
+    user = "marvin-mk2";
+  };
+
+  sops.secrets.marvin-mk2-webhook-secret = {
+    path = "/var/lib/marvin-mk2/marvin-mk2-webhook-secret.txt";
+    user = "marvin-mk2";
+  };
+
   users.groups.marvin-mk2 = { };
   users.users.marvin-mk2 = {
     useDefaultShell = true;
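Review bot: `sops.secrets.marvin-mk2-key` is declared without a `path`, so it will be placed at sops-nix's default location under `/run/secrets/`, whereas the removed deployment.nix entry wrote it to `/var/lib/marvin-mk2/marvin-mk2-key.pem`; the other two secrets in this hunk do set their old `/var/lib/marvin-mk2/...` paths, so the inconsistency looks unintended. If the service definition (outside this hunk) still reads the `.pem` path, either add `path = "/var/lib/marvin-mk2/marvin-mk2-key.pem";` here or point the service at `config.sops.secrets.marvin-mk2-key.path`. The three `user = "marvin-mk2"` assignments should also use `owner` to match build02/nixpkgs-update.nix (and, I believe, the option sops-nix actually declares).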
diff --git a/services/matterbridge.nix b/services/matterbridge.nix
index a01b478..ec9b951 100644
--- a/services/matterbridge.nix
+++ b/services/matterbridge.nix
@@ -1,5 +1,6 @@
 # A single instance of matterbridge
 { ... }: {
+  sops.secrets.matterbridge.user = "matterbridge";
   services.matterbridge.enable = true;
   services.matterbridge.configPath = "/run/keys/matterbridge.toml";
   # Allow to access /run/keys
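Review bot: `services.matterbridge.configPath` is left at `/run/keys/matterbridge.toml`, but the deployment key that populated that path was deleted in deployment.nix and the new `sops.secrets.matterbridge` will be written elsewhere, so the service will start without its config. Change the module to `{ config, ... }: {`, set `sops.secrets.matterbridge.owner = "matterbridge";` (matching build02's `owner`), and use `services.matterbridge.configPath = config.sops.secrets.matterbridge.path;`. The `# Allow to access /run/keys` comment and whatever group membership follows it are then obsolete too and should be removed or reworded.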
diff --git a/shell.nix b/shell.nix
index 761a7c3..0e3956d 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,19 +1,26 @@
 { system ? builtins.currentSystem }:
 let
+  sources = import ./nix/sources.nix;
   pkgs = import ./nix { inherit system; };
 in
 pkgs.mkShell {
-
   NIX_PATH = "nixpkgs=${toString pkgs.path}";
 
   NIXOPS_DEPLOYMENT = "nix-community-infra";
   NIXOPS_STATE = toString ./state/deployment-state.nixops;
 
+  sopsPGPKeyDirs = [
+    "./keys"
+  ];
+
   buildInputs = with pkgs.nix-community-infra; [
     git-crypt
     niv
     nixopsUnstable
     terraform
+    sops
+
+    (pkgs.callPackage sources.sops-nix {}).sops-import-keys-hook
   ];
 
   # terraform cloud without the remote execution part
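Review bot: `git-crypt` remains in `buildInputs` even though this commit moves every deployed secret to sops; if the git-crypt'ed secrets file is being retired it should be removed here and from the repo in the same change, otherwise the plaintext secrets keep living in two places with two different key sets. The `sopsPGPKeyDirs = [ "./keys" ]` hook imports public keys only, so add a comment reminding that the fingerprint of `keys/zimbatm.asc` must be checked against the `&zimbatm` anchor in `.sops.yaml` before trusting it, e.g. `# PGP pubkeys imported here must match the fingerprints pinned in .sops.yaml`. The shell now pulls in `sources.sops-nix` both here and via roles/sops-nix.nix; that is fine but worth a one-line note so the pin is bumped in one place.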