add cachix deploy

Jörg Thalheim 2021-12-23 20:39:49 +01:00
parent 1a16cd0d28
commit bc1339587a
5 changed files with 108 additions and 1 deletions


@ -41,7 +41,7 @@ creation_rules:
- *build04
pgp:
- *zimbatm
- path_regex: roles/[^/]+\.yaml$
- path_regex: roles/.+\.yaml$
key_groups:
- age:
- *mic92
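Review bot: The `roles/.+\.yaml$` pattern (taken to be the new side, since this commit adds a secrets file one directory below `roles/`) lets `.+` span directory separators, so any `.yaml` at any depth under a `roles/` path component now falls under this rule's key group instead of only files directly in `roles/`. If the intent is just to cover per-role directories such as the new cachix-deploy one, `roles/[^/]+(/[^/]+)?\.yaml$` limits the match to one extra level. The new secrets file lists six age recipients and one PGP fingerprint, so each of those key holders can decrypt the agent token; a comment above the rule such as `# also matches secrets.yaml inside role subdirectories` would make that scope explicit. The rule's key list continues beyond the hunk.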


@ -1,4 +1,16 @@
{
"cachix": {
"branch": "master",
"description": "Command line client for Nix binary cache hosting:",
"homepage": "https://cachix.org",
"owner": "cachix",
"repo": "cachix",
"rev": "f5cd1b44c2b3dffd6cc31c56a35c55a8775acf75",
"sha256": "0ngjc40a6a17z1lhka78w4nqaqsnm2mgimz0s3666ykd072qcbif",
"type": "tarball",
"url": "https://github.com/cachix/cachix/archive/f5cd1b44c2b3dffd6cc31c56a35c55a8775acf75.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"marvin-mk2": {
"branch": "master",
"description": "Helpful nixpkgs PR bot with an improved Genuine People Personality",


@ -0,0 +1,13 @@
{ config, ... }: {
sops.secrets.cachix-agent-token.sopsFile = ./secrets.yaml;
systemd.services.cachix-deploy-agent = let
sources = import ../../nix/sources.nix {};
in {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
EnvironmentFile = config.sops.secrets.cachix-agent-token.path;
ExecStart = "${import sources.cachix {}}/bin/cachix deploy agent ${config.networking.hostName}";
};
};
}
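Review bot: The `cachix-deploy-agent` unit sets only `wantedBy`, `EnvironmentFile` and `ExecStart`, so it runs with systemd defaults: as root, with no `Restart=` policy and no ordering after the network. Since the agent presumably activates whatever deployment the Cachix service sends it, the value in `cachix-agent-token` is effectively root-equivalent on the host and deserves a comment saying so, e.g. `# token grants deploy (root) access to this host; rotate it if any host holding it is compromised`. Adding `Restart = "on-failure";` inside `serviceConfig` and `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` next to `wantedBy` would keep the agent from staying down silently after a transient failure. The secret also has to decrypt to `KEY=value` lines for `EnvironmentFile` to load it, which is worth a short comment beside the `sops.secrets` line.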


@ -0,0 +1,81 @@
cachix-agent-token: ENC[AES256_GCM,data:TvKkumq7NouTEUK8mDIWdUmdyAhNreGaGJEHGnGiRxrfwltN7zIRNMDu5HMiIJEEedsBI1ZXhBwaKbKMP+nk23tUhaIIaS+n9tfggwLzyaK0YPzIt/GjtBE6SIALtKoVgw7pS5o3cpjcpqL/Himx4hJF08Wz22jQYpOq8Ra0PyxxZ11qSxis4LgGNTSrOTVYs2ThF9ij07izn+LPDA4ap1rV5+2b7p1hZw==,iv:Inp7ehEAE5APECiq0b5hVAuBo3ykPCFMrIV0Ib3dcq4=,tag:W8qaxORUKaqwGEcdDsIvEA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dStmZ3hTeG5JT2xkMGRX
dW5Jc3Z1TlRxOVVMUmpJSkZibFJjTmhrbW1FClczbGQrMFRHNGhNZDgvdUpTOEY2
NENIcmhvekRHaEcvd2FPV2I1NjJwdmMKLS0tIFVJcHdOWitYam5GQTMyMG5KaWZ0
a2oxM2c3T1JSQXV6b0p4Unh5N3NMV3MKkdn122OuglxWWBgvkWhYQHxy81omm3R6
F0HTBJ4CNcBa0lxn09LWl3VsT5S6e1gl4iuKgoUEl6Fk8RRleEkbFw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZmN4dmszSFE0bkNQSkhN
ajUyZTM2bWd1LytKVzRuZHowU0NhSzZuK0hzClNUZjBKQVNUSVFEVG50eVJlUGJV
aW9ZZEIyT0ZuZy9vRzZVczFLOWp4NzAKLS0tIFdJT1BsbndPb200eDFyZ3FnTW9k
MDg3OFFRS3FQRjhibHVMWkZiYlJTSTAKVA4ivg+C97Ht+c3P5hDiPNo9w2l3//eI
+OSn224LJ36zSpb8H0Vl5S7yXVU3CAASzJFG7siXdPt9Ees5X303VQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNXFIdGtNY281djEvcnRn
QzN6em5IOGVVTkk2Z1BMb0xydmprSm8za1ZjCkg3bERaZmVLV0NhamF6SU43aWlt
MFFLbHZucUNWc3BXd0lFYXVOcHBIYWsKLS0tIHVtNHJvTEdNSVRaZ3F5enBXd3Zs
T2N1M2htTm9uVWtXK3hNRGZOQjk4QlUKDmmuImUYT5FAXzi2LqIBcrJUh97FOXo9
a9cOaYF5Rg/Fq7cnGwyVlftjHHC+1z2wmwPT6Xz8C1fSdkSRrhybLQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTGVVWTdIZEFhREJoaExW
RThRLzNMcWFVYTlIYzlQS2RJLy9walk0WVFFCktwRmZ4WTBqUUFkaHozS0ViUnFs
bDlISDc4RndFWGZtcVpCVm9IZU04OHcKLS0tIE4vVkRXNmlNR2hudm5iOGpMcGdt
RTY3b0ZKU0M3bG9NSll5NFRxbVZUSTgKN3cGnpK+R1UQRyEHMYXu82edwaR9aZrm
OP6l+K42S40pjrWSixV+2Guh8HubseiK4IPlPp8XNKgAqwfO7kGRkA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQkZscTlUUXp4VWpYS1Za
Qk0zTzFZcHF3cVl0ZFBxN21FbXc4YkwyTkhnCkJiSTVBa2h0OVdhVGgxVWpEQjdv
cjh3QUZKWFgxTFYyOXZvY2M4eER2MlkKLS0tIEx3aEdVOE9JRmRpd1pwczRYVkJp
NHY0d0l4dnFvc0dqTHRkN3REdzRqVlEKVSzQkccHPX4NJrpmTGOdWgb0XYnxVLIH
bKK4+jizUWiCrjHLyB6mhMdsQZ6QtFcoXOeKFOR61xtb0x0Y+tzagw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vr4suv4lhtt8f59s25eukdfk67j7av72gvj7sk7ux6thusct3utqmn3pmf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNHVaUCtyQWVqK29TZVBp
RnY5N21FVHkzb2lPSm5pcWxjdm90K0VuWlMwCjh0T21FME5jcityR3Z6VE5TTDFG
UEwxN1lQb01EYm9TUHY2UHhkaXorSHMKLS0tIEFjbnc0QUFHQmYreXYwcWg4Qnc0
TFlTWWxDSmEycnVHSVhyWkhSOVhRdHMKBoo7g8ZMPbaIuHioBdj6uRWx/hi4NZUz
gm8XAFeBQN4wMxZk1r7CjebYbQ6mxHyhlNKae42ihjW8H1fDltRiUQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-12-23T19:36:55Z"
mac: ENC[AES256_GCM,data:fK5XKf51j4FNtRs5l/R7Iph13LNbcmVxdnIpcBWs/fC+avWecihLGN5MQKKf1I8o4dUCkcoC4B8Lc2WvffhTF2ScCUZydx64t+xZQmtdvrFd8ueyPXEh/A2x3H2C9rdrmvWz3LCCTiXvUt+ERnoluVnySRhs/Ovuo/Lm+HS/Twk=,iv:1dKCi3th1ssVEFNzOdN3dNa8IbktndDm/fPpyrTP3qc=,tag:2C8K1B8FWr33NrYpRUqXpw==,type:str]
pgp:
- created_at: "2021-12-23T18:32:10Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA3tEuTsG48KkAQgAkelKKuMXnprFcl4MEqVQgfZO+73ZqjaLgvsjvtDkAPHL
MjeZINYbNE05fbLzoXFAoAhNHdjVuzevBjcBP60hvG8vuUizGHwPvKZDYVt+pAGc
RALgwaKQwg528C+VxEYzz5WT+aV9DwCs0cRUZwW2P2R0dRQMcWDbzvOHs1YcsV3a
w5lIw88SU5Z3UVub6wV9Qe9kHE+6UHIkeECDOPtmMNu/2R19J6GXQezgbvg5dlMb
yDs/71XxbtGDDXGqSvR/TEzeHqW26GyZOP88NKb04xM+yzpLDP13tn5M6pG+1eyw
YNJZp54V5AjUthbqDLMFtYh1YjQ/J93iO+/8l7CQ5NJeARIwVL9SnasxLlEX9dOk
g+Agungmu/pHSBEq59tZIS/yWDY/27n4AHL6GO0Y2OK2RvFnCOQ4iGbuMFsaP9QC
fmWx1kp11fBOhHHVnjWpj1FJKNy6GiipQgFGyLLEpw==
=quZl
-----END PGP MESSAGE-----
fp: 260353B993F8CE16752EF48C71BAF6D40C1D63D7
unencrypted_suffix: _unencrypted
version: 3.7.1


@ -3,6 +3,7 @@
{
imports = [
./cachix-deploy
./nix-daemon.nix
./security.nix
./sshd.nix