From bc1339587a8bf1bd69fcca3bfc5d655f016c7700 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Thu, 23 Dec 2021 20:39:49 +0100
Subject: [PATCH] add cachix deploy

---
 .sops.yaml | 2 +-
 nix/sources.json | 12 +++++
 roles/cachix-deploy/default.nix | 13 +++++
 roles/cachix-deploy/secrets.yaml | 81 ++++++++++++++++++++++++++++++++
 roles/common.nix | 1 +
 5 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 roles/cachix-deploy/default.nix
 create mode 100644 roles/cachix-deploy/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 6b31998..68c22d7 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -41,7 +41,7 @@ creation_rules:
 - *build04
 pgp:
 - *zimbatm
- - path_regex: roles/[^/]+\.yaml$
+ - path_regex: roles/.+\.yaml$
 key_groups:
 - age:
 - *mic92
diff --git a/nix/sources.json b/nix/sources.json
index 5f8fa3f..a6091bd 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -1,4 +1,16 @@
 {
+ "cachix": {
+ "branch": "master",
+ "description": "Command line client for Nix binary cache hosting:",
+ "homepage": "https://cachix.org",
+ "owner": "cachix",
+ "repo": "cachix",
+ "rev": "f5cd1b44c2b3dffd6cc31c56a35c55a8775acf75",
+ "sha256": "0ngjc40a6a17z1lhka78w4nqaqsnm2mgimz0s3666ykd072qcbif",
+ "type": "tarball",
+ "url": "https://github.com/cachix/cachix/archive/f5cd1b44c2b3dffd6cc31c56a35c55a8775acf75.tar.gz",
+ "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+ },
 "marvin-mk2": {
 "branch": "master",
 "description": "Helpful nixpkgs PR bot with an improved Genuine People Personality",
diff --git a/roles/cachix-deploy/default.nix b/roles/cachix-deploy/default.nix
new file mode 100644
index 0000000..0e37356
--- /dev/null
+++ b/roles/cachix-deploy/default.nix
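Review bot: The widened `path_regex: roles/.+\.yaml$` in the .sops.yaml hunk matches every YAML file at any depth below roles/, so any later creation_rule for a more specific roles/ sub-path (none is visible in this hunk) would become unreachable, because sops applies the first rule whose regex matches. If such rules exist, keep this general rule below them, or narrow it to the intended nesting, e.g. `path_regex: roles/([^/]+/)?[^/]+\.yaml$` for exactly one optional subdirectory. The rule's key_groups list runs past the end of the hunk, so which recipients beyond `*mic92` receive the new cachix token cannot be checked from here.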
@@ -0,0 +1,13 @@
+{ config, ... }: {
+ sops.secrets.cachix-agent-token.sopsFile = ./secrets.yaml;
+
+ systemd.services.cachix-deploy-agent = let
+ sources = import ../../nix/sources.nix {};
+ in {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ EnvironmentFile = config.sops.secrets.cachix-agent-token.path;
+ ExecStart = "${import sources.cachix {}}/bin/cachix deploy agent ${config.networking.hostName}";
+ };
+ };
+}
diff --git a/roles/cachix-deploy/secrets.yaml b/roles/cachix-deploy/secrets.yaml
new file mode 100644
index 0000000..9c24a0f
--- /dev/null
+++ b/roles/cachix-deploy/secrets.yaml
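Review bot: The new `cachix-deploy-agent` unit sets neither `Restart=` nor any ordering after the network, so if the agent process exits — for example because it starts before the network is usable at boot, or drops its connection later — nothing brings it back and the host quietly stops receiving deployments until someone restarts it by hand. Add `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` next to `wantedBy`, and `Restart = "on-failure"; RestartSec = 10;` inside `serviceConfig`. With no `User=` the unit runs as root, which matches the root-owned secret path sops-nix provides and the agent's need to switch system profiles, but it also means anyone who can trigger a deploy with this token can push an arbitrary system closure to the host, so the recipients of `secrets.yaml` deserve the same scrutiny as root SSH keys. The decrypted `EnvironmentFile` contents cannot be checked here; since systemd parses it as `KEY=value` lines, the encrypted value presumably has to be a full `CACHIX_AGENT_TOKEN=<token>` line rather than the bare token, which is worth a comment such as `# secrets.yaml must hold a KEY=value line (EnvironmentFile format), not the bare token`.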
@@ -0,0 +1,81 @@ +cachix-agent-token: ENC[AES256_GCM,data:TvKkumq7NouTEUK8mDIWdUmdyAhNreGaGJEHGnGiRxrfwltN7zIRNMDu5HMiIJEEedsBI1ZXhBwaKbKMP+nk23tUhaIIaS+n9tfggwLzyaK0YPzIt/GjtBE6SIALtKoVgw7pS5o3cpjcpqL/Himx4hJF08Wz22jQYpOq8Ra0PyxxZ11qSxis4LgGNTSrOTVYs2ThF9ij07izn+LPDA4ap1rV5+2b7p1hZw==,iv:Inp7ehEAE5APECiq0b5hVAuBo3ykPCFMrIV0Ib3dcq4=,tag:W8qaxORUKaqwGEcdDsIvEA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dStmZ3hTeG5JT2xkMGRX + dW5Jc3Z1TlRxOVVMUmpJSkZibFJjTmhrbW1FClczbGQrMFRHNGhNZDgvdUpTOEY2 + NENIcmhvekRHaEcvd2FPV2I1NjJwdmMKLS0tIFVJcHdOWitYam5GQTMyMG5KaWZ0 + a2oxM2c3T1JSQXV6b0p4Unh5N3NMV3MKkdn122OuglxWWBgvkWhYQHxy81omm3R6 + F0HTBJ4CNcBa0lxn09LWl3VsT5S6e1gl4iuKgoUEl6Fk8RRleEkbFw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZmN4dmszSFE0bkNQSkhN + ajUyZTM2bWd1LytKVzRuZHowU0NhSzZuK0hzClNUZjBKQVNUSVFEVG50eVJlUGJV + aW9ZZEIyT0ZuZy9vRzZVczFLOWp4NzAKLS0tIFdJT1BsbndPb200eDFyZ3FnTW9k + MDg3OFFRS3FQRjhibHVMWkZiYlJTSTAKVA4ivg+C97Ht+c3P5hDiPNo9w2l3//eI + +OSn224LJ36zSpb8H0Vl5S7yXVU3CAASzJFG7siXdPt9Ees5X303VQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNXFIdGtNY281djEvcnRn + QzN6em5IOGVVTkk2Z1BMb0xydmprSm8za1ZjCkg3bERaZmVLV0NhamF6SU43aWlt + MFFLbHZucUNWc3BXd0lFYXVOcHBIYWsKLS0tIHVtNHJvTEdNSVRaZ3F5enBXd3Zs + T2N1M2htTm9uVWtXK3hNRGZOQjk4QlUKDmmuImUYT5FAXzi2LqIBcrJUh97FOXo9 + a9cOaYF5Rg/Fq7cnGwyVlftjHHC+1z2wmwPT6Xz8C1fSdkSRrhybLQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d + enc: | + -----BEGIN 
AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTGVVWTdIZEFhREJoaExW + RThRLzNMcWFVYTlIYzlQS2RJLy9walk0WVFFCktwRmZ4WTBqUUFkaHozS0ViUnFs + bDlISDc4RndFWGZtcVpCVm9IZU04OHcKLS0tIE4vVkRXNmlNR2hudm5iOGpMcGdt + RTY3b0ZKU0M3bG9NSll5NFRxbVZUSTgKN3cGnpK+R1UQRyEHMYXu82edwaR9aZrm + OP6l+K42S40pjrWSixV+2Guh8HubseiK4IPlPp8XNKgAqwfO7kGRkA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQkZscTlUUXp4VWpYS1Za + Qk0zTzFZcHF3cVl0ZFBxN21FbXc4YkwyTkhnCkJiSTVBa2h0OVdhVGgxVWpEQjdv + cjh3QUZKWFgxTFYyOXZvY2M4eER2MlkKLS0tIEx3aEdVOE9JRmRpd1pwczRYVkJp + NHY0d0l4dnFvc0dqTHRkN3REdzRqVlEKVSzQkccHPX4NJrpmTGOdWgb0XYnxVLIH + bKK4+jizUWiCrjHLyB6mhMdsQZ6QtFcoXOeKFOR61xtb0x0Y+tzagw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vr4suv4lhtt8f59s25eukdfk67j7av72gvj7sk7ux6thusct3utqmn3pmf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNHVaUCtyQWVqK29TZVBp + RnY5N21FVHkzb2lPSm5pcWxjdm90K0VuWlMwCjh0T21FME5jcityR3Z6VE5TTDFG + UEwxN1lQb01EYm9TUHY2UHhkaXorSHMKLS0tIEFjbnc0QUFHQmYreXYwcWg4Qnc0 + TFlTWWxDSmEycnVHSVhyWkhSOVhRdHMKBoo7g8ZMPbaIuHioBdj6uRWx/hi4NZUz + gm8XAFeBQN4wMxZk1r7CjebYbQ6mxHyhlNKae42ihjW8H1fDltRiUQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-12-23T19:36:55Z" + mac: ENC[AES256_GCM,data:fK5XKf51j4FNtRs5l/R7Iph13LNbcmVxdnIpcBWs/fC+avWecihLGN5MQKKf1I8o4dUCkcoC4B8Lc2WvffhTF2ScCUZydx64t+xZQmtdvrFd8ueyPXEh/A2x3H2C9rdrmvWz3LCCTiXvUt+ERnoluVnySRhs/Ovuo/Lm+HS/Twk=,iv:1dKCi3th1ssVEFNzOdN3dNa8IbktndDm/fPpyrTP3qc=,tag:2C8K1B8FWr33NrYpRUqXpw==,type:str] + pgp: + - created_at: "2021-12-23T18:32:10Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA3tEuTsG48KkAQgAkelKKuMXnprFcl4MEqVQgfZO+73ZqjaLgvsjvtDkAPHL + MjeZINYbNE05fbLzoXFAoAhNHdjVuzevBjcBP60hvG8vuUizGHwPvKZDYVt+pAGc + RALgwaKQwg528C+VxEYzz5WT+aV9DwCs0cRUZwW2P2R0dRQMcWDbzvOHs1YcsV3a + 
w5lIw88SU5Z3UVub6wV9Qe9kHE+6UHIkeECDOPtmMNu/2R19J6GXQezgbvg5dlMb + yDs/71XxbtGDDXGqSvR/TEzeHqW26GyZOP88NKb04xM+yzpLDP13tn5M6pG+1eyw + YNJZp54V5AjUthbqDLMFtYh1YjQ/J93iO+/8l7CQ5NJeARIwVL9SnasxLlEX9dOk + g+Agungmu/pHSBEq59tZIS/yWDY/27n4AHL6GO0Y2OK2RvFnCOQ4iGbuMFsaP9QC + fmWx1kp11fBOhHHVnjWpj1FJKNy6GiipQgFGyLLEpw== + =quZl + -----END PGP MESSAGE----- + fp: 260353B993F8CE16752EF48C71BAF6D40C1D63D7 + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/roles/common.nix b/roles/common.nix index d49d13e..244651d 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -3,6 +3,7 @@ { imports = [ + ./cachix-deploy ./nix-daemon.nix ./security.nix ./sshd.nix