From 7fc1a717658506d918fd1547b0799d6f04c25443 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Sun, 5 May 2024 15:01:47 +1000
Subject: [PATCH] add agenix to deploy darwin secrets

---
 dev/shell.nix | 3 +-
 flake.lock | 42 +++++++++++++++++++++++++
 flake.nix | 6 ++++
 hosts/darwin01/builders.nix | 8 +++--
 modules/darwin/common/default.nix | 1 +
 modules/darwin/hercules-ci/default.nix | 21 +++++++++++--
 secrets/binary-caches.age | Bin 0 -> 1338 bytes
 secrets/cluster-join-token.age | Bin 0 -> 1254 bytes
 secrets/darwin-community-builder.age | 20 ++++++++++++
 secrets/secrets.nix | 19 +++++++++++
 10 files changed, 114 insertions(+), 6 deletions(-)
 create mode 100644 secrets/binary-caches.age
 create mode 100644 secrets/cluster-join-token.age
 create mode 100644 secrets/darwin-community-builder.age
 create mode 100644 secrets/secrets.nix

diff --git a/dev/shell.nix b/dev/shell.nix
index 15608dc19..a02bd8971 100644
--- a/dev/shell.nix
+++ b/dev/shell.nix
@@ -1,8 +1,9 @@
-{ pkgs, ... }:
+{ inputs', pkgs, ... }:
 {
 devShells = {
 default = with pkgs; mkShellNoCC {
 packages = [
+ inputs'.agenix.packages.default
 jq
 python3.pkgs.deploykit
 python3.pkgs.invoke
diff --git a/flake.lock b/flake.lock
index 3966ed847..64657d1fb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,31 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": [
+ "nix-darwin"
+ ],
+ "home-manager": [],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1714879853,
+ "narHash": "sha256-URv/JEimxdhCEgokhY9xdMF09iGX8UE96GXFs3RXiJg=",
+ "owner": "qowoz",
+ "repo": "agenix",
+ "rev": "0248db39f453e47c04f39922d170e11b78fa026a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "qowoz",
+ "ref": "darwin",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "buildbot-nix": {
 "inputs": {
 "flake-parts": [
@@ -213,6 +239,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "buildbot-nix": "buildbot-nix",
 "comin": "comin",
 "disko": "disko",
@@ -285,6 +312,21 @@
 "type": "github"
 }
 },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "treefmt-nix": {
 "inputs": {
 "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 23fcdb037..c6ecb52f7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,12 @@
 # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
 srvos.inputs.nixpkgs.follows = "nixpkgs";

+ # rebased patch from https://github.com/ryantm/agenix/pull/241
+ agenix.url = "github:qowoz/agenix/darwin";
+ agenix.inputs.nixpkgs.follows = "nixpkgs";
+ agenix.inputs.home-manager.follows = "";
+ agenix.inputs.darwin.follows = "nix-darwin";
+
 nixpkgs-update.url = "github:nix-community/nixpkgs-update";
 nixpkgs-update.inputs.mmdoc.follows = "";
 nixpkgs-update.inputs.treefmt-nix.follows = "treefmt-nix";
diff --git a/hosts/darwin01/builders.nix b/hosts/darwin01/builders.nix
index f9d64d3fa..edf368215 100644
--- a/hosts/darwin01/builders.nix
+++ b/hosts/darwin01/builders.nix
@@ -1,6 +1,8 @@
-{ inputs, ... }:
+{ config, inputs, ... }:
 {
- # builder ssh key is installed manually from ./secrets.yaml
+ age.secrets.darwin-community-builder = {
+ file = ../../secrets/darwin-community-builder.age;
+ };

 nix.distributedBuilds = true;
 nix.buildMachines = [
@@ -8,7 +10,7 @@
 hostName = "darwin03.nix-community.org";
 maxJobs = 8;
 protocol = "ssh-ng";
- sshKey = "/etc/nix/darwin-community-builder.key";
+ sshKey = config.age.secrets.darwin-community-builder.path;
 sshUser = "nix";
 systems = [ "aarch64-darwin" "x86_64-darwin" ];
 supportedFeatures = inputs.self.outputs.darwinConfigurations.darwin03.config.nix.settings.system-features;
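Review bot: The `agenix.url = "github:qowoz/agenix/darwin"` line pins what appears to be the author's own fork branch instead of the upstream project, and the comment above it only records where the patch came from, not when the input is meant to move back. flake.lock fixes the fork to one revision, so the build itself is reproducible, but a fork branch is a mutable ref that will silently drift on the next `nix flake update` without anyone comparing it against upstream. Suggest extending the comment to `# TODO: switch back to github:ryantm/agenix once https://github.com/ryantm/agenix/pull/241 is merged` so the temporary pin is tracked rather than forgotten.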
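Review bot: The removed `sshKey = "/etc/nix/darwin-community-builder.key"` line and the dropped "installed manually" comment show the builder key was previously placed by hand at that path, and nothing in this commit removes that copy, so the unmanaged plaintext file presumably remains on darwin01 after the switch to `config.age.secrets.darwin-community-builder.path`. A one-off cleanup (or an activation step) deleting the stale file would avoid keeping two copies of the same private key, one of them outside configuration management. The new `age.secrets.darwin-community-builder` entry relies on agenix's default owner and mode, which is presumably appropriate for a key read by the root-run nix-daemon, but since the hercules-ci module in this same patch sets `mode`/`owner`/`group` explicitly, a comment such as `# defaults (root-owned, read-only) are intended: the key is read by nix-daemon for distributed builds` would make the asymmetry deliberate rather than accidental.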
diff --git a/modules/darwin/common/default.nix b/modules/darwin/common/default.nix
index 025a6aead..5c3634bc4 100644
--- a/modules/darwin/common/default.nix
+++ b/modules/darwin/common/default.nix
@@ -8,6 +8,7 @@
 ./upgrade-diff.nix
 ../../shared/known-hosts.nix
 ../../shared/nix-daemon.nix
+ inputs.agenix.darwinModules.age
 ];

 # TODO: refactor this to share /users with nixos
diff --git a/modules/darwin/hercules-ci/default.nix b/modules/darwin/hercules-ci/default.nix
index 83089a6ec..5eebb30f1 100644
--- a/modules/darwin/hercules-ci/default.nix
+++ b/modules/darwin/hercules-ci/default.nix
@@ -5,10 +5,27 @@ let
 '';
 in
 {
- # hercules secrets are installed manually from ./secrets.yaml
- # https://docs.hercules-ci.com/hercules-ci/getting-started/deploy/nix-darwin
+ age.secrets.binary-caches = {
+ file = ../../../secrets/binary-caches.age;
+ mode = "600";
+ owner = "_hercules-ci-agent";
+ group = "_hercules-ci-agent";
+ };
+
+ age.secrets.cluster-join-token = {
+ file = ../../../secrets/cluster-join-token.age;
+ mode = "600";
+ owner = "_hercules-ci-agent";
+ group = "_hercules-ci-agent";
+ };
+
 services.hercules-ci-agent.enable = true;

+ services.hercules-ci-agent.settings = {
+ binaryCachesPath = config.age.secrets.binary-caches.path;
+ clusterJoinTokenPath = config.age.secrets.cluster-join-token.path;
+ };
+
 # hercules-ci-agent: security: createProcess: posix_spawnp: does not exist
 # https://github.com/LnL7/nix-darwin/blob/36524adc31566655f2f4d55ad6b875fb5c1a4083/modules/services/hercules-ci-agent/default.nix#L28
 launchd.daemons.hercules-ci-agent.path = pkgs.lib.mkForce [ config.nix.package securityWrapper ];
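Review bot: The two `age.secrets` definitions added at the top of the hercules-ci hunk can only be decrypted on darwin02 — secrets/secrets.nix in this same patch encrypts binary-caches.age and cluster-join-token.age to `users ++ [ darwin02 ]` — yet the module lives under modules/darwin/ and reads as reusable, so importing it on any other darwin host would fail at activation when agenix cannot decrypt the files. A comment above the first definition, `# encrypted to darwin02's host key only (see secrets/secrets.nix); add the host there before enabling this module elsewhere`, would make that coupling visible. The two definitions also repeat the same `mode`/`owner`/`group` triple; a shared attrset or `lib.genAttrs` over the two names would leave one place to change the permissions. The removed comment says these secrets used to be installed by hand, so the old plaintext copies presumably remain on the host until deleted — the previous paths are not visible in the hunk, so this is worth confirming on darwin02 after deploy.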
diff --git a/secrets/binary-caches.age b/secrets/binary-caches.age new file mode 100644 index 0000000000000000000000000000000000000000..922643be4e2575c9fca8573fbdeb0834bc5868f5 GIT binary patch literal 1338 zcmZY5{mT;t0KoAc38Mu`8H(tWGo`fidA8kN?v`TQZMWCkZFk$vU~4oECQP<&5};<>P%k&22-2a0(Z z#TzuMz!FbT2-xJZmJ8I4l!yW_0p%=*h@pf}D#LNNK-;2_2Ouh6EaZS5WXTL&XS@gi z7E_f za8?hfT79&I)3F@H@CaYEycok*cpafSgEDVte3(p%o{Xp}peOpWG6?*;CqVvpyHN+D z(NNq^s!)$`{duYo1Jp1q4$M9)X4E#q;LS7=rovjf#ZbBo2W#D8pU7#n5A+BMiY7!h z24=lZt!VZMH=_V`NuY`*sIdr?#Jr^C286loteRE&16EzpcD z>n*-rc4J9a;GA&F%y3Ajjx%_KC$til5se4ilu)aoBmQ2&>5yK`;kzx`E?OqzRib(# zQnz#t%j(H?1}-vChXA}P<_kd{3($R7m%%D1FsfBfFyU&TjWtC|YS#FYn37~CQP#2U zgBoO~8kFnT5Sa*6)ClTm4HS*28Ajrqatuti>wqX0W8EZQD5VJoO>w@kl7rxAg(VyX zZr1w{Sa7YjfEXqjf=OJACli5UcaT9k9_AYv8SxjToL18+Rl&09I0G3+SYZ4zGwElx#Puydx!7L8ecMrKDqSX zckk}NXU>_L&X?!j*K$MGhfk8bge~x5@Z|oXOA|r#Dzs9a60S%~=Cf-yY}kC^(*;kR zi*&6ylVd>V!q?39+dD^h-#aq@#+J{YeQ9d$-LbbmIa;~?%V5O}yLNi=+QTQ$h8A7C z|Mq?|^^kn}kKj$ixPI!(SJkEV!s+zz#S@FpZ`=MAyG&ix-n@|?llVh!`0SnCpJ5-2 zPj5ed>-DYX`t0NcOFrS9xiP-+@!iA2w~p=m^|{x`Q+J!U&wunMY~H&y{bP3dsyoY1 ztbA{aCA={7!-^~KAPZKU5--e=Cq~ykJ@4}2M^_WIBW!l&rmcscUp)kFleP`^jjg+} zZ1tIMKYZlpT}Kb^*-0G#;`F6+d;UJL$XOhGW7ads>|MU!#;@(2_{QE)du;8(SALqY ZVD9|CF0a3O?PdM_;P3M`9XNJi>K}7t??V6p literal 0 HcmV?d00001 
diff --git a/secrets/cluster-join-token.age b/secrets/cluster-join-token.age new file mode 100644 index 0000000000000000000000000000000000000000..4e872e1ffe4cdc270176c63cf59188b3020158c0 GIT binary patch literal 1254 zcmZ9~?duZ-0KjqIXmSJ!5!wr7Wnekh?ryv7RwCSP4|luUZoAuVw`IcJ?rGcYo}YF_ z8D;oOQY3mdG>o#02!i_c04j+uB%>dSgn#!O>cgG!3Vy4MNP>l=E$Af z{@5}fv0N=1LO^Cm%JcM$>xn6hZgKqxpncK_bRnM<2Q<|eYjKoTCOyZlMMl+h=+=N_ zYk5)V6{<9rZN;@<-ZkPe4y6aMBn-wlFs-#h$f$aDm$g}?<}g9jQd*SZRQ&$LLR8;v z<7x+i1E@bB0>p*t^#N9Ej1okr3WgB^Fy!>3CgasQgya}pDZQ;heEe#o-kUXrLCF2Ch55R0?h~Xm+CTOP)>#$T(<2oKBdO4fJQ9=w_ zWDqoCQ${G#n{;CYQz2Y&>_{zE8WI4GdtOJL6M@o-e2FupQURsFeB_JuxIJTns!7|{ zuvqCBvG4aWrJB<{P2oC_0ir`*>jLS-8YfcP8A4RMYD!>ZPQz&D|JsTSBM4MVb;iZ8 z6{UKGP)!$Q5^Z^mt0jmi#sX{OLQpH~LKjxqYQ&UEln+86pwgv6NfySv^e7zQk=2lC zC2{C-7|s+3sqnSADQcZ=P=@j=wPqhwaV=G#Clu?(bEu>@8WJstuvW2AzDYL{O(T0k zm94_aShdt70=Urh&?!+jjNGUV=6#XGIa$tV*OBAmchYNh{f7-Ok9 z6vt?%i^g1F_k=W4X%K`q8c~QGQFb*y9HJA8NE&d0SwI70lN@8)u0+!HYM2zJTNgD>WT56cbAkaG5DiL4M$aA*XwYJe3r!LIrFku!F*+k0>3j z3pNLxBoDZbp7l_!7sXNNSF5P*HDz2G<#W(9as`>Rw0he>$MOUQS87GSrm#_}QQ<0n zNfX?09z7_ z!tXyrm#>^S9euI&f%E?y*}MJKS9UJm*>%^Qg>yOQ*2(mz)WWeR(!)!evA^gOtq+eL z*tw>D@Zjvl=l9&Zd}`ax{Y-dIdGC*z_1k>R>@B?ZhrR6-{KN9YXP2&T{rdg4konqc zH*ejq&bBOX-nH+ymp>xE*}z?TX5WSzE^9WkA8)#PdJl7>{q}0=-IIsbft#ia8}-}D zQ)iT`w^twk_5At=n{Px{e!B2Izi#8j4}Q7)=8@J5&xUueTHLa?d;XJm)}Hxx`LXZb dGp+~==a}eGbocH{i-p~rFFu{W?r!;e?Y}#<$MgUI literal 0 HcmV?d00001 diff --git a/secrets/darwin-community-builder.age b/secrets/darwin-community-builder.age new file mode 100644 index 000000000..4553cd857 --- /dev/null +++ b/secrets/darwin-community-builder.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-rsa ALNSWw +p6vqecx4RLOlSrGCl5Y78QXba+GXr5gz3xFSfGc/LTGIICfwL5rOuDw2WluKqgiY +m6Aa2qAlBYA8qKmd5WDu/D8LhWANruV+TzU/Bxpmt/yBLmbJnYhW8PaaITYOTcDV +hiV3XGJl+jvrQpYZ7HOqlkbMUfSYVxRrSMx14vdOfB+/GTjyU03z4cKYZNrb92Jy +j+LQD0n46PPp3frg8M1a89bnqZN+zesOCGdGyzysOWZv7vDYgRM/Z66BhsZZbyID +v0nh2ys0AeLiVb7xY4mZb94s7LcIoCalOqImdDqSi3rlKb1nhkTOQlFreRCQ2BLR +w5tPSy17vgBYl+spCOmc+Q +-> ssh-ed25519 Qi7vNw RMlGQ+GhCi2yHLdput/iUTrsqs1YaHiY5zJUaVtSNGI +hPm/PxJJNffw4GwkGvAEPKp/EwkAUw9+VpS7hVjqfKM +-> ssh-ed25519 MW0fCg AmcdeGFLzizC9PaCZdnhP8ZMZ3UUAKhanM20ijU13gg +IZGJxl+OGtoxpXbHuwJts8lkoDdJsOTQ0f24uZgSZfk +-> ssh-ed25519 92bXiA duEFDFRipvR053nkaHetHVknozgviC7CjhxRkzrtzxo +0yuWAD7LiiPXLYnU5xOc/sZj72TAzssZM0gC/c5oZ/w +-> ssh-ed25519 h1lenA jrsdwRqRdLkmtueB50G/8ql8GuO9k/EmjD7S4JNv51Y +eexwhglJISW0nAojdHqtq0/QKjbCErU/tnsXCqorWKA +-> ssh-ed25519 tekucg 0xTjECMy8HLDUsFi4rB6VlB3v84qblD73iHor/ZdZjk +Vh5aG7obB6K/XbY6tX7M0gBRAZrNnmV3Oj9MiR/11gw +--- OIbLlawLtzPFPi+Fgkp9nwmWM+8EgFXbvL4ph9hRPig +y@KQ;>1EA,GukyE&9?@Vj(@nrsXSs[GpU>\ʃ"b_jl㊕ˆf'ʓx -$[gDdim[be:D--l E4MǟbX_fCɽBwCCP+1]떱 W!mU]G:)j~׀ʧ\Ă1; ^vy 8n?i7 m\P˝nBf ݱ3vD"eW'-׏ 6C+ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 000000000..43431f726 --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,19 @@
+let
+ adisbladis = builtins.readFile ../users/keys/adisbladis;
+ mic92 = builtins.readFile ../users/keys/mic92;
+ ryantm = builtins.readFile ../users/keys/ryantm;
+ zimbatm = builtins.readFile ../users/keys/zimbatm;
+ zowoq = builtins.readFile ../users/keys/zowoq;
+
+ users = [ adisbladis mic92 ryantm zimbatm zowoq ];
+
+ knownHosts = (import ../modules/shared/known-hosts.nix).programs.ssh.knownHosts;
+
+ darwin01 = knownHosts.darwin01.publicKey;
+ darwin02 = knownHosts.darwin02.publicKey;
+in
+{
+ "darwin-community-builder.age".publicKeys = users ++ [ darwin01 ];
+ "binary-caches.age".publicKeys = users ++ [ darwin02 ];
+ "cluster-join-token.age".publicKeys = users ++ [ darwin02 ];
+}
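Review bot: The new rules file does not say that recipient changes are not retroactive: dropping a user from `users` or rotating a host key in known-hosts.nix leaves the three .age files committed here decryptable by the old recipients until they are re-encrypted with `agenix -r`, so offboarding a key needs a rekey commit, not just an edit to this list. A comment above the attrset, `# recipients are fixed at encryption time; run 'agenix -r' after changing any key here, and rotate the underlying secret if a recipient was removed involuntarily`, would make that explicit. It would also help to note that `darwin01` and `darwin02` are the hosts' SSH host keys, which is presumably why each secret lists only the host that consumes it, so a reader does not add every host out of caution.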