add agenix to deploy darwin secrets

dev/shell.nix

@@ -1,8 +1,9 @@
-{ pkgs, ... }:
+{ inputs', pkgs, ... }:
 {
   devShells = {
     default = with pkgs; mkShellNoCC {
       packages = [
+        inputs'.agenix.packages.default
         jq
         python3.pkgs.deploykit
         python3.pkgs.invoke

flake.nix

@@ -21,6 +21,12 @@
     # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
     srvos.inputs.nixpkgs.follows = "nixpkgs";
 
+    # rebased patch from https://github.com/ryantm/agenix/pull/241
+    agenix.url = "github:qowoz/agenix/darwin";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.home-manager.follows = "";
+    agenix.inputs.darwin.follows = "nix-darwin";
+
     nixpkgs-update.url = "github:nix-community/nixpkgs-update";
     nixpkgs-update.inputs.mmdoc.follows = "";
     nixpkgs-update.inputs.treefmt-nix.follows = "treefmt-nix";

hosts/darwin01/builders.nix

@@ -1,14 +1,16 @@
-{ inputs, ... }:
+{ config, inputs, ... }:
 {
-  # builder ssh key is installed manually from ./secrets.yaml
+  age.secrets.darwin-community-builder = {
+    file = ../../secrets/darwin-community-builder.age;
+  };
 
   nix.distributedBuilds = true;
   nix.buildMachines = [
     {
       hostName = "darwin03.nix-community.org";
       maxJobs = 8;
       protocol = "ssh-ng";
-      sshKey = "/etc/nix/darwin-community-builder.key";
+      sshKey = config.age.secrets.darwin-community-builder.path;
       sshUser = "nix";
       systems = [ "aarch64-darwin" "x86_64-darwin" ];
       supportedFeatures = inputs.self.outputs.darwinConfigurations.darwin03.config.nix.settings.system-features;

modules/darwin/common/default.nix

@@ -8,6 +8,7 @@
     ./upgrade-diff.nix
     ../../shared/known-hosts.nix
     ../../shared/nix-daemon.nix
+    inputs.agenix.darwinModules.age
   ];
 
   # TODO: refactor this to share /users with nixos

modules/darwin/hercules-ci/default.nix

@@ -5,10 +5,27 @@ let
   '';
 in
 {
-  # hercules secrets are installed manually from ./secrets.yaml
-  # https://docs.hercules-ci.com/hercules-ci/getting-started/deploy/nix-darwin
+  age.secrets.binary-caches = {
+    file = ../../../secrets/binary-caches.age;
+    mode = "600";
+    owner = "_hercules-ci-agent";
+    group = "_hercules-ci-agent";
+  };
+
+  age.secrets.cluster-join-token = {
+    file = ../../../secrets/cluster-join-token.age;
+    mode = "600";
+    owner = "_hercules-ci-agent";
+    group = "_hercules-ci-agent";
+  };
+
   services.hercules-ci-agent.enable = true;
 
+  services.hercules-ci-agent.settings = {
+    binaryCachesPath = config.age.secrets.binary-caches.path;
+    clusterJoinTokenPath = config.age.secrets.cluster-join-token.path;
+  };
+
   # hercules-ci-agent: security: createProcess: posix_spawnp: does not exist
   # https://github.com/LnL7/nix-darwin/blob/36524adc31566655f2f4d55ad6b875fb5c1a4083/modules/services/hercules-ci-agent/default.nix#L28
   launchd.daemons.hercules-ci-agent.path = pkgs.lib.mkForce [ config.nix.package securityWrapper ];

secrets/darwin-community-builder.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-rsa ALNSWw
+p6vqecx4RLOlSrGCl5Y78QXba+GXr5gz3xFSfGc/LTGIICfwL5rOuDw2WluKqgiY
+m6Aa2qAlBYA8qKmd5WDu/D8LhWANruV+TzU/Bxpmt/yBLmbJnYhW8PaaITYOTcDV
+hiV3XGJl+jvrQpYZ7HOqlkbMUfSYVxRrSMx14vdOfB+/GTjyU03z4cKYZNrb92Jy
+j+LQD0n46PPp3frg8M1a89bnqZN+zesOCGdGyzysOWZv7vDYgRM/Z66BhsZZbyID
+v0nh2ys0AeLiVb7xY4mZb94s7LcIoCalOqImdDqSi3rlKb1nhkTOQlFreRCQ2BLR
+w5tPSy17vgBYl+spCOmc+Q
+-> ssh-ed25519 Qi7vNw RMlGQ+GhCi2yHLdput/iUTrsqs1YaHiY5zJUaVtSNGI
+hPm/PxJJNffw4GwkGvAEPKp/EwkAUw9+VpS7hVjqfKM
+-> ssh-ed25519 MW0fCg AmcdeGFLzizC9PaCZdnhP8ZMZ3UUAKhanM20ijU13gg
+IZGJxl+OGtoxpXbHuwJts8lkoDdJsOTQ0f24uZgSZfk
+-> ssh-ed25519 92bXiA duEFDFRipvR053nkaHetHVknozgviC7CjhxRkzrtzxo
+0yuWAD7LiiPXLYnU5xOc/sZj72TAzssZM0gC/c5oZ/w
+-> ssh-ed25519 h1lenA jrsdwRqRdLkmtueB50G/8ql8GuO9k/EmjD7S4JNv51Y
+eexwhglJISW0nAojdHqtq0/QKjbCErU/tnsXCqorWKA
+-> ssh-ed25519 tekucg 0xTjECMy8HLDUsFi4rB6VlB3v84qblD73iHor/ZdZjk
+Vh5aG7obB6K/XbY6tX7M0gBRAZrNnmV3Oj9MiR/11gw
+--- OIbLlawLtzPFPi+Fgkp9nwmWM+8EgFXbvL4ph9hRPig
+y�@K�Q;>�1���
�EA�,��Gu���k�yE&�9?@V���j(@���nrs�XS�����s��[���GpU>\ʃ"b�_��jl�㊕ˆ��f'�ʓx��-�<�w.�����m�;��Q�,��$�d"��1PJ�P��S�d��1b�l{�H���i��UF�s�������t|U��曦+�Ȫ���R���)�Eu�<C�qw�^?s�ݫ�(>�$��[�gDdim[be�:��D���-�-lE�4M����ǟb��X�_��fC�ɽ�Bw�C�CP+1��]떱 �W��!�m�U�]G:����)j~׀ʧ\�Ă������1�; ��^v���y�8n?i7	��m\�P�˝����nB�f������ݱ���3����v�D������"e��W�
�����'�-�׏��6�C���+���

secrets/secrets.nix

@@ -0,0 +1,19 @@
+let
+  adisbladis = builtins.readFile ../users/keys/adisbladis;
+  mic92 = builtins.readFile ../users/keys/mic92;
+  ryantm = builtins.readFile ../users/keys/ryantm;
+  zimbatm = builtins.readFile ../users/keys/zimbatm;
+  zowoq = builtins.readFile ../users/keys/zowoq;
+
+  users = [ adisbladis mic92 ryantm zimbatm zowoq ];
+
+  knownHosts = (import ../modules/shared/known-hosts.nix).programs.ssh.knownHosts;
+
+  darwin01 = knownHosts.darwin01.publicKey;
+  darwin02 = knownHosts.darwin02.publicKey;
+in
+{
+  "darwin-community-builder.age".publicKeys = users ++ [ darwin01 ];
+  "binary-caches.age".publicKeys = users ++ [ darwin02 ];
+  "cluster-join-token.age".publicKeys = users ++ [ darwin02 ];
+}