refactor buildbot, watch-store

2023-11-21 09:33:18 +10:00 · 2023-11-21 09:33:18 +10:00 · 7deb90df67
commit 7deb90df67
parent 78a1f03f2e
9 changed files with 31 additions and 190 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -80,24 +80,6 @@ creation_rules:
          - *zimbatm
          - *zowoq
          - *adisbladis
-  - path_regex: modules/nixos/buildbot-master/.+\.yaml$
-    key_groups:
-      - age:
-          - *build03
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
-          - *adisbladis
-  - path_regex: modules/nixos/buildbot-worker/.+\.yaml$
-    key_groups:
-      - age:
-          - *build03
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
-          - *adisbladis
  - path_regex: modules/nixos/hercules-ci/.+\.yaml$
    key_groups:
      - age:
--- a/flake.nix
+++ b/flake.nix
@ -154,8 +154,7 @@
        flake.nixosModules = {
          common = ./modules/nixos/common;

-          buildbot-master = ./modules/nixos/buildbot-master;
-          buildbot-worker = ./modules/nixos/buildbot-worker;
+          buildbot = ./modules/nixos/buildbot.nix;
          builder = ./modules/nixos/builder.nix;
          community-builder = ./modules/nixos/community-builder;
          github-org-backup = ./modules/nixos/github-org-backup.nix;
--- a/hosts/build03/configuration.nix
+++ b/hosts/build03/configuration.nix
@ -13,8 +13,7 @@
    inputs.srvos.nixosModules.mixins-nginx
    inputs.srvos.nixosModules.hardware-hetzner-online-amd
    inputs.self.nixosModules.common
-    inputs.self.nixosModules.buildbot-master
-    inputs.self.nixosModules.buildbot-worker
+    inputs.self.nixosModules.buildbot
    inputs.self.nixosModules.builder
    inputs.self.nixosModules.hercules-ci
    inputs.self.nixosModules.watch-store
--- a/hosts/build03/secrets.yaml
+++ b/hosts/build03/secrets.yaml
@ -4,7 +4,13 @@ hydra-admin-password: ENC[AES256_GCM,data:t0vmchbXXIAzvM2nxm4j16N9W67yWRb439M=,i
 nur-update-github-token: ENC[AES256_GCM,data:KIZCx9IeuBHZei2V13iiyHzCedhkkGEd08mVJEc6F0DWQn1wtzC7+w==,iv:pNVRj/RR7wj64g640F7Vo4H10ijsxnrfFQnt6YHBug4=,tag:UlvOMNB5JZbuJaD9TcJ2UQ==,type:str]
 hydra-users: ENC[AES256_GCM,data:askAB+a3bsFvue/j9i6sYSwgOQl+rL+uh+1+z+xizzBOWdTZcvRh5uFHTkg7MV/E7tG7eRByQ7b+v/onJ4+l3rGJJ6qsWtLLLizC1rusngsAXyI9jt66eqpsyacN5kw8cKILjGearptrhUZDWdKpbaHII6fwUbWbjyV5fpoQzNmI4VELWEQMZ50yECfAfCLHx9iTdoMJHPXzhqwvAZ+TbX6TsyqbDrrNauYWNUBhCK7E2tDYAQqOGhxnQWI+gQs=,iv:Baqyd/WfloMuXTiICD2dlvENst8G6YU9rSHdRkTECkU=,tag:z4j5dYcba3aZTyWu5wvkzw==,type:str]
 hetzner-borgbackup-ssh: ENC[AES256_GCM,data:ZNrQp36c3EuERlAYez6SHTLbHK7ZmLNqDpAffTTQARL2zpnjpw1wJQJdm6d6Un1wTjYmHMJ/f1jCKgn389FGiZJwxSLUL4Ko2n5HffBTjZwTeqE1y4XFe6qvAY/LYBmD728ZWOsSWPvoVZOm1dG7LsxxwUZWk2VyDtvODuJBInn19Dn7Tw5VqPjJMJAp5CfAaW8ilEPpdeG0JQfkJkBQj0+pMlpI1EIVDvdZai5fesweUWeaajrPnIjrBbqdFvd8eG9qrTehLM7FvpnT2qllfsCOeQf/KTPEw16I6eGFFm22iPblJgHFPzpu1a2Lvwn+8HcwqSMlGI9poOeV5RwXqBhFX9vozlN8G82csAnehiZmLktyYin1kYF3nfOXFqH9fKxbvXn/1hxQP//GDeoaNlepa/K/w51pj1mgbIXIb5g/PKsHaC7Rv3iDMcYW977+lobA4WnxfWhjA6k/iBb1unkSKbrZs+iHglpOKueAq9g6HO5fJ299eY2+GcmsPU3QKm4W,iv:550mzEValpqVruLQBMMJeJHVyYfaxNHwCvXkvz66qI0=,tag:k48T+9AtJs8GTVchyEP8Jw==,type:str]
-watch-store-token: ENC[AES256_GCM,data:VBEj9g5R/aa3hTDcKl8HRxJOOgl4B+0uyPMRhnrPth6LD7r5tpq4ckPHXqo87kekXMGoMIVeGYaM+E1iOLhnqOUOeOoSs+6NnnrUg2+nHR2gC2xAGZpxc/ntZ5g5DVDi0iw7jzxdd3X5OAru5mi/mDRXOAdeT+jtwLwqBEZ5dHMBRI/gGs2wRVIY0XUG5EQW/M1AYpanRat/jfmWJjuZvlT3MEA=,iv:AP66pQJiP8wl10F3vhwpdRcVKm8PP6U8T0POXa1fFio=,tag:WdI6TgV5D1ZJolOazFV1Ew==,type:str]
+cachix-auth-token: ENC[AES256_GCM,data:LJwxCrkiiHX5iKfxJ3yFQIaBCevFqQnkJpfs5fe7ntmie185liz2Tp+b9IcC091YDbAa/fV8ZBzC8I6T5Kf57fk1ZxaRcqRkZ0a+BXTYUUteLQkC9ECxbkk4CCsZK6vVvdx4509lezQ1TrJnoQ+7YRuH0mI2J5WTxJO9s/1rs43rMTD0AOuXRDbTblu5r5pILxWVBwT6xCVGv5k4V3kiEoQSvg==,iv:8CWE6WIs7s+eTQ+OUbSsUScO4bjzKpyMdHUxUwVUYIw=,tag:jhyDfHxfzMhVb8fPdD41rw==,type:str]
+cachix-name: ENC[AES256_GCM,data:DhzIMyT+B9wvMoK9Iw==,iv:5pnXyQosbF/HFmbDFmfSaz4XWkfiA0/ccfe/yw4LvbM=,tag:E7+u/+aEK83cYygk88ZYOw==,type:str]
+buildbot-github-oauth-secret: ENC[AES256_GCM,data:XDEbK5ahb5qiDdmq2gOyIch/NDFK/qjA6gX3rQ0XZthshiO3OfpAng==,iv:ze2R9Laji2FR1qp3LkeRPfKC0ebH0fF4ZTQ4mLVliUs=,tag:eT0jpnj2v7q3L6vyVLAeeQ==,type:str]
+buildbot-github-token: ENC[AES256_GCM,data:t62X1d2Uw62YwmJnENSS629OrVRT9D2zpkZeF9UR144KZNZ01TxSWA==,iv:Lv3ryF1U5zUQreH9LZa60LZ4sgxVFIR0jd4+VELSkMg=,tag:EyKdmC9goF4UZeUKBDeAzA==,type:str]
+buildbot-github-webhook-secret: ENC[AES256_GCM,data:AtUFcOjLivJt8np5451Wfol5s48R4vW5gJPisT+hMD7dFAvucKriQEY+mcAMqL1X6w==,iv:oBKj9XXu/4mkeH+3KkMlWSx8GnMoXwBugNuG8Uu3XtU=,tag:8cBZVE7TOJf3QEqxfsuF8g==,type:str]
+buildbot-nix-workers: ENC[AES256_GCM,data:taoOzkDugI8zilAAkYjIUPEpE4BK7zQulImKblwDmygGRMYw9y3N6gwxcVOeAu1BusGkFStnMa+6DQz555H00rS8YPKwS16ov0XN1ZmrcrbWS12z2/9NUvq/iI+HpLmVoHTTasM=,iv:0brO1MqB19AQZCXubiTvCwX0jN+Arn7YKg6CQ6Urf9g=,tag:FlHif4EBsjeBaSqveBrPTA==,type:str]
+buildbot-nix-worker-password: ENC[AES256_GCM,data:TaMHVzlzuAHfTBAyqG5JJFwpG2We+wlXva3YJnNkO9KSX9PIhnRHVES72jO63AkhvfBVEg==,iv:rTpaiCYcedcsy115BEDep68Mehb6knes7OxvBrEOrUQ=,tag:dD4Hg4oR3SfpYdP1e8V2jA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -65,8 +71,8 @@ sops:
            WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag
            FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-16T06:27:48Z"
-    mac: ENC[AES256_GCM,data:rObEhY3ArAQJjoYkejy3g9AOMHz0ophqG7nfOfZgUnejLmsNqxVlq9tIZCTEOXHT9QbDi34jTEobQLVdqCPX2wL7A4dx/cfDKNEtei8vKm1xAOeGl6gnyCyONQwP7Nqd1rtZCy6lS8ePa8Lyrc6wRL/giDM2yOcV+XR/aH4Jch4=,iv:Y2zYk9K1EGM7cwHNSOdY+OoooWjNfUiUWHKRJ+h8QHA=,tag:Oyjs1hEG4HzI76z2GA73Mg==,type:str]
+    lastmodified: "2023-11-20T23:33:43Z"
+    mac: ENC[AES256_GCM,data:zTFyPd6ev6JgUnjLM1xLbuxodoKlvUPgf68byRkY8Z6jfdETjJXMzvLYdwOxXvU282iAZYzLiQjdoIeUE0nc3UvakaVUqEP0e91MNmBfHyFyvjjeDGX5n3WSbPJOX1BzuQIOsagqY8fewJAY90dCSRTiWrtnnJ/SkVoQJVyCxEw=,iv:VUMfGZ9ihMkd6R6SFJ1ECLJezTyKgb+DL8eN9DnSs8w=,tag:YsDp2l3K0g/ZdL7t9XvNJQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/modules/nixos/buildbot-master/secrets.yaml
+++ b/modules/nixos/buildbot-master/secrets.yaml
@ -1,71 +0,0 @@
-github-oauth-secret: ENC[AES256_GCM,data:/yz5IXVGItgBrJ0ISA9hfWojXo/GlW16hmGiWFxY7fnzIYL3q47Raw==,iv:B8u0ezCiquMqnO1V5Z9hz/MGZRtXF6mRa/24ffFBzAI=,tag:soVcm+N5tu00gHm9nCGnvw==,type:str]
-github-token: ENC[AES256_GCM,data:vzHJ31K+/JkfSMe+SJ1dq74CQNSZYPOFe7rf8nuhupGIFGSwhvtOYA==,iv:viPK9T6MMUcnRDDi7PiJ1oYQJ3S3qmVv6b2m6Tsz9H4=,tag:B6dYki6Qz29eGQ84WZHFcQ==,type:str]
-github-webhook-secret: ENC[AES256_GCM,data:KXJurFMX0cG1UDYb+ecvmEnHoN9ojWd4QToZAqwGW080LMZlq89Z221Pk+MYK5h61w==,iv:b7JJi8tqmwdnB8c4iepzGH51iBnj0WRbjYTsPNpt5F4=,tag:/9f7RL+dW7JJjs6CXqqcQw==,type:str]
-nix-workers: ENC[AES256_GCM,data:3lkpS+zOOAvdotdVnC4xwgcbqMST/zRuaiDYd4Q3+LK6j/XUAbCJhrAM+0GcrZhrmKWpioIEfWD7YMQQfyXRZ/5Voyo9Q9uSRbazCOSRD88yCTaTKt6zLytYJm+Y6hBgfCBDWyM=,iv:Jwg0QwojQbxiN5bycq1xvEr+3dSijP5zvy9UtLsDyqw=,tag:j3qG+sV97zQKwdTiJ2ZUKw==,type:str]
-cachix-auth-token: ENC[AES256_GCM,data:I7AmKu+19oOuos7VvmfmMpOJR8pP/E046Ndy4l30oIJRprH75Zs41h/7k2MTPj41IAdKqPtwUR+cc40eb3z5auoOEPKJZjUWjXYAKOPR7Mn5wampEQ7WR20m7+iLD0DB445hyaPQHd5sYh7OWjl6C7RtqveM5nT9UujJuF7oL4FBQvvw7Ojm78e4zqvo9y1z0s1ewd832+lImPCTR8byrSUIrA==,iv:YwvVELf4/xFsDsrISrDzPaAb9Ogm/0KTV87i6P4YUts=,tag:5s8AqPNcoyTzSW4xvmJslg==,type:str]
-cachix-name: ENC[AES256_GCM,data:2AJ6BLlxOVGLTalrMw==,iv:n9PhB6yHcDoHQt0Zk/UeY9gpTqhDTQOHWq/TS3GaalY=,tag:DXu+BvGjMPO3pcMNp8XVwQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxY3g4YVJsdVU1TWtrQlpG
-            VVhjWVptcGJaZHVoV05xQkVOaVdmU3FNTGlBCjZRWXp4NjNncW9FcE5vcnVrVHZm
-            Q2xmRlJ4RDFBejdDWWsySkpub1ZGQmsKLS0tIG0yMmRtTFhMblpmUVVzaWtWMjRj
-            ZnBjRStKbnlzQUgwbkpadjVPS1RqNjAKoV+zf1GNzr8K3+849KHZulrWvZKTd1xi
-            PymU5Yxo7W8H6L6EtlmRvpFhbfGk0oBlWvFdY06jreE5ganofsougw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Q2VqM2tGa3BjSjUvd2xh
-            WGpHZFFiT3llZ2orVHVxUTFPaURuWEtXL0hZCjNwanl5RFB2dTJXUjR3Ylordkwz
-            SVlHRDI5V1hnaE90ZUxFb3NmMlhlcDQKLS0tIDVFUldoNC94K25IM0YweE5qQTZG
-            UERPempUcDQ3R256K2dvdzlaQjFXcDgKB1rd8yZZCtBq+wzOFxn0HRoGHb3bn8Q4
-            vDeZTW2iqnMq7A4Cnxjh2q3JdqRtbx3hsy1yT6bup/NAV0ijCJagDA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5bjBrRW03Y25ZNllnYmxH
-            ZlUySUt0d0d0K0VWL29DWGtrRnQ4bFlxZDFJClZ3QUxyVGgxLy8rWklHUGwwZ29L
-            QytzYitLU2FiMnRmU0tNS2R4WUJlTUEKLS0tIGtaK3dJenZPYWhwN2JqNFJxM0x6
-            cGs4QzdtY0NUekJpemVIbksvZWhhN00K1HM2TnDA4MmM7fWEkH3ZTsT18ijctmx8
-            zmmDddgPeh7ykFZZte1NZRrdwOrFDQoNWX3J5/NMh6r+JFvcsmfphQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmM3orSC9oUllLMjkxV0hV
-            cDhQc3BDUHZFWkw0UVpuNEFHRUQ5TVBBd2hrCmJqU3dNam5QYkJyR0ZaWStKQkZJ
-            RUIwVzVVb0gxWjhncmRZR1Q2WGZ6eXcKLS0tIDBrWitacnY3L3R6dmJDU3M4L0tS
-            Y1BhaEFEYnorY3hvbXlSVHQ0Y1VvUG8KF/aAnJcFVQpc3AsUC+liR4kCyA21nKLr
-            6lhfFn63Y6wVNyvL7tWlL47FrYlC9A2XQ+/EesbEU/N6aL4f08wUDQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSFR5U044WE0xNEtmeUt2
-            M2hlV2prRjY4Z3JydVhIVWNxTWxrSWlTUFNJCjc2SjF6dU9lK24xNUcxZzhrbjBB
-            VDBFdlowY0JNZmVHd2JGb2hDdXI2b1kKLS0tIFdvdlZHUXcyaHQ5OXBxN1NLYlJo
-            ZnFnenRIUVFzbmpIYm9uQmhTbVQxZXcK+75G1gYVywrfnP4HaiQZTf+/wpFyG9dk
-            YQ3Dbv3nDs8QPheae1OiDpBr9HpwpirtcHiApUnxUQ5Sp4a1jKkn0Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0d1V3Rnd5bVRTWC9tcHpV
-            STRtd2NiWFV5YWhscFhWNW11QS9LTnA1RmhNCkR5eGFRVmVoTFJCRG1TN3FRTEZQ
-            T0pnZFg2WGN0cVQ3UHhqd014WUtCRE0KLS0tIDVOcGF4ODNrNmdzelRsdm5McnRx
-            eFVkODlCM2c5bjY2aGE3ZDF4cXNQZFUKY0lMEJvwSnzLAbBk1vi9IurCCil+7Sxm
-            cNdk6vKJloBX7SwjoThrE6Yx+NrTVpFenzCSqU1b8/DZfjZBU9Disw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-03T13:43:29Z"
-    mac: ENC[AES256_GCM,data:Gp1yE0nP1ynDC5ZmdD7/hGbGtpyz7NKV4nO5uWsL74n5165o0Yn1U5oMlLs6ua2DrQGQXkQip/0uXIbF4lGfqQEgnjqvRf6VF7WjaRY+U0bP5uF7w6KgyS9U7Cd5rxmNzfbq2/gAqvLvo7bd2waGX/lbGiOEXSavA0UNUCukhgU=,iv:G9YYOBo3cdJqawDqxR4qnjjq3YIfyvOb3q85hnZ/57Q=,tag:8UXmHk3kTVZ1j9h2OwSqLw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/modules/nixos/buildbot-worker/default.nix
+++ b/modules/nixos/buildbot-worker/default.nix
@ -1,13 +0,0 @@
-{ config, inputs, ... }:
-{
-  imports = [
-    inputs.buildbot-nix.nixosModules.buildbot-worker
-  ];
-
-  sops.secrets.nix-worker-password.sopsFile = ./secrets.yaml;
-
-  services.buildbot-nix.worker = {
-    enable = true;
-    workerPasswordFile = config.sops.secrets.nix-worker-password.path;
-  };
-}
--- a/modules/nixos/buildbot-worker/secrets.yaml
+++ b/modules/nixos/buildbot-worker/secrets.yaml
@ -1,66 +0,0 @@
-nix-worker-password: ENC[AES256_GCM,data:xyhJOiM8n6QeXkVX0AVbINwomkrbWQo/o/frsS1YDzO8LuWFJklcML7h6cvQ2TP0veioSQ==,iv:ncjF03HGejeeWVdi0WYcmyvfQqhBvg9POWKA0VYKChM=,tag:hO40gcVi9OTAsrzQqjQz2Q==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSQi9ScWJFRkZheWtoRW1y
-            VjJibmVuWWpmS3loS0M1dE9uZjBuQnZTa1NjCmx4ME9WUCtsL0Z3bTEvNEVVSlho
-            UjJ1YnFDTlRiOVVzWEw5L2ovYWxIM2sKLS0tIDhKcVRnaFl5ZUU0UWZ5VEhYNS9R
-            ZmxWbm5wUUk2d2wvN2ZlZkVhUXVoKzgKho7Dfk0PyOCkKaDV2O7rNZpDhEd/KhfB
-            n/mGfIcfAPacSA3GitipaNvZvmwgZ/02hec8zvrKNCH7zA5O9SHAGg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRTUrWVF4S3REWFhWalBz
-            R21GazlTRk93NnA3QVdDUVd2L3RsK0lSU3pzCm54Q0NtZG0zdzhXZ0tZU2JFQnd5
-            VExpQUg0aGZXKytZMzJHVkc3N0trclEKLS0tIHRvbWkzTWRrVzVUUFNUT3UxT0ox
-            MjFTdDFMdEo3Qk1CcnhSN1JKZjNqNVEKCuat4qnUemUijV6i3abvFWRfw44JjoUe
-            4tUmQoPxNVah/mUlZYk6Ny8gg21YCq6BONo0JLHkoxiQ5UCRSxyVHw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZzdQcnNkekJMaW0xb1Vl
-            bml2SGE3aVg4OW51U2xCM3h2UnBzdlFZdVNNCkdVVCtTL0Z4MGo2V09pQUlUZ3lh
-            T3B5TkU5WTlyeDJ0aVYveUFiOTU4Z0kKLS0tIFZpc0JRQ2Myc2hzVEs1QWlNaFNB
-            RS9EL0d0WTQ3bEM0b01PQ1VhWXpKc1EKhP2NSIIdJDvVMT+0E1yVGc5OMxPDaorx
-            H/JHNI4/FCmdjuVLf8IrFXz8J9c7Uzl9tBz78rsfFXqJdNFYRr57gQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZFMzUEZZaFh5WlBTZjhR
-            L0RNWFJNUUoyZFVuNFc3VFZXVDZWQmhQdlZJCk1QVHhSdXlwSktZOWNKQjd2OStG
-            NVlMdzBNbVRpN2V4TDl0RGpnbDNvc1UKLS0tIHd2MC9qYVFYT2RyMHk1WkRiSVdm
-            a0o3Z1lUbXpmNVNSckg0NlQzdk5sUncKTMVSmlGSKIj1Sbjbai2QTy/ps2eyDWR8
-            sFroWeQyxIVuhCADYhFvMMk2m1tPfqYGhqpNLHTLD5FzW6nhcAKMbg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYVU1zMzR5bWt1OTUzejlG
-            MmtXZ0ZNWElHOEVYeDdWQzFNcERrRHhMN0R3CjJoSlozaWNrMG1sUlJvSWhMN3lC
-            WGpqNGZpcHNxZmpwM3puZVloblVzOXcKLS0tIHg2QmxpeDk3OE9HK0lWQ1BiOEx6
-            U1BaZVFXZGhZSkJnZFB2OUs0VStWOW8KoVLv73qIeTyt2Xq+rkHpQ9APgNENaaYX
-            AdnJmCSLQyituj01/sGZxI5L69J9BP8C+Kxse/53mqwOCJ6YnYYmgA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdTByOStOVmVubXZjZ3RM
-            MjJQdVU3b2tWRVNFL09uSzhnL3RnZTlJalN3CmR1Z0VXcmZwZW9RUzBTT0hReEtR
-            TkJ3ZGVEVjhpN1lMWE85MktGUWI5bUEKLS0tIDlqUTVwQlJqQkNmWlBFVXdDT09r
-            dmgzbk1sUExITU5nM3E3Sy9SbmxSclUKf06KTNpWl9kPkGFwPqSEPcUbRcCUVGd9
-            9aQZhqzi4s13Mn1UjDMvBkjfL9o1bQSFEbQKjQpVcUkdsMzurlAtZw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-29T03:08:31Z"
-    mac: ENC[AES256_GCM,data:1/1rNQVAu7+sP4I4LbTwFOcBo2p0yKexd+1qz6YtPMtIgmIr61DPCMUSPchnQsP9vzj3qqbdAgqBw9xtDzEDDHdicxFZM9qrNJ+aqUuHVF3KzkyR+qPiC9Bzzb9j/CqSc1zvT4UNZSmGl5xymvO+q+2Sb5rRcC1B3EEC1e1+Klc=,iv:KZdDuTqeY6V5Fjxp8glYRz/iFd5soj5fYCRMTOY/U/c=,tag:PW02PH6PSux8rdNpL31ObA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/modules/nixos/buildbot-master/default.nix
+++ b/modules/nixos/buildbot-master/default.nix
@ -1,10 +1,8 @@
 { config, inputs, ... }:
-let
-  buildbotSecrets.sopsFile = ./secrets.yaml;
-in
 {
  imports = [
    inputs.buildbot-nix.nixosModules.buildbot-master
+    inputs.buildbot-nix.nixosModules.buildbot-worker
  ];

  services.nginx.virtualHosts."buildbot.nix-community.org" = {
@ -16,10 +14,10 @@ in
    "http://localhost:8011/metrics"
  ];

-  sops.secrets.github-oauth-secret = buildbotSecrets;
-  sops.secrets.github-token = buildbotSecrets;
-  sops.secrets.github-webhook-secret = buildbotSecrets;
-  sops.secrets.nix-workers = buildbotSecrets;
+  sops.secrets.buildbot-github-oauth-secret = { };
+  sops.secrets.buildbot-github-token = { };
+  sops.secrets.buildbot-github-webhook-secret = { };
+  sops.secrets.buildbot-nix-workers = { };

  services.buildbot-nix.master = {
    enable = true;
@ -28,11 +26,11 @@ in
    prometheusExporterPort = 8011;
    evalMaxMemorySize = "4096";
    evalWorkerCount = 8;
-    workersFile = config.sops.secrets.nix-workers.path;
+    workersFile = config.sops.secrets.buildbot-nix-workers.path;
    github = {
-      tokenFile = config.sops.secrets.github-token.path;
-      webhookSecretFile = config.sops.secrets.github-webhook-secret.path;
-      oauthSecretFile = config.sops.secrets.github-oauth-secret.path;
+      tokenFile = config.sops.secrets.buildbot-github-token.path;
+      webhookSecretFile = config.sops.secrets.buildbot-github-webhook-secret.path;
+      oauthSecretFile = config.sops.secrets.buildbot-github-oauth-secret.path;
      oauthId = "9bbd3e8bbfebb197d2ca";
      user = "nix-community-buildbot";
      admins = [ "adisbladis" "Mic92" "ryantm" "zimbatm" "zowoq" ];
@ -40,11 +38,18 @@ in
    };
  };

-  sops.secrets.cachix-auth-token = buildbotSecrets;
-  sops.secrets.cachix-name = buildbotSecrets;
+  sops.secrets.cachix-auth-token = { };
+  sops.secrets.cachix-name = { };

  systemd.services.buildbot-master.serviceConfig.LoadCredential = [
    "cachix-auth-token:${config.sops.secrets.cachix-auth-token.path}"
    "cachix-name:${config.sops.secrets.cachix-name.path}"
  ];
+
+  sops.secrets.buildbot-nix-worker-password = { };
+
+  services.buildbot-nix.worker = {
+    enable = true;
+    workerPasswordFile = config.sops.secrets.buildbot-nix-worker-password.path;
+  };
 }
--- a/modules/nixos/watch-store.nix
+++ b/modules/nixos/watch-store.nix
@ -1,11 +1,11 @@
 { config, ... }:

 {
-  sops.secrets.watch-store-token = { };
+  sops.secrets.cachix-auth-token = { };

  services.cachix-watch-store = {
    enable = true;
    cacheName = "nix-community";
-    cachixTokenFile = config.sops.secrets.watch-store-token.path;
+    cachixTokenFile = config.sops.secrets.cachix-auth-token.path;
  };
 }