add agenix to deploy darwin secrets

nix-community · May 16, 2024 · b90145d · b90145d
1 parent 4b682d2
commit b90145d
Show file tree

Hide file tree

Showing 11 changed files with 113 additions and 69 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -72,14 +72,6 @@ creation_rules:
           - *zimbatm
           - *zowoq
           - *adisbladis
-  - path_regex: modules/darwin/.+\.yaml$
-    key_groups:
-      - age:
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
-          - *adisbladis
   - path_regex: modules/nixos/hercules-ci/.+\.yaml$
     key_groups:
       - age:

diff --git a/dev/shell.nix b/dev/shell.nix
@@ -1,8 +1,9 @@
-{ pkgs, ... }:
+{ inputs', pkgs, ... }:
 {
   devShells = {
     default = with pkgs; mkShellNoCC {
       packages = [
+        inputs'.agenix.packages.default
         jq
         python3.pkgs.deploykit
         python3.pkgs.invoke

diff --git a/dev/treefmt.nix b/dev/treefmt.nix
@@ -30,6 +30,7 @@
     editorconfig-checker = {
       command = pkgs.editorconfig-checker;
       includes = [ "*" ];
+      excludes = [ "*.age" ];
     };
 
     nix = {

diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -21,6 +21,12 @@
     # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
     srvos.inputs.nixpkgs.follows = "nixpkgs";
 
+    # rebased patch from https://github.com/ryantm/agenix/pull/241
+    agenix.url = "github:qowoz/agenix/darwin";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.home-manager.follows = "";
+    agenix.inputs.darwin.follows = "nix-darwin";
+
     nixpkgs-update.url = "github:nix-community/nixpkgs-update";
     nixpkgs-update.inputs.mmdoc.follows = "";
     nixpkgs-update.inputs.treefmt-nix.follows = "treefmt-nix";

diff --git a/modules/darwin/common/default.nix b/modules/darwin/common/default.nix
@@ -15,6 +15,7 @@ in
     ./upgrade-diff.nix
     ../../shared/known-hosts.nix
     ../../shared/nix-daemon.nix
+    inputs.agenix.darwinModules.age
   ];
 
   # TODO: refactor this to share /users with nixos

diff --git a/modules/darwin/hercules-ci/default.nix b/modules/darwin/hercules-ci/default.nix
@@ -5,10 +5,27 @@ let
   '';
 in
 {
-  # hercules secrets are installed manually from ./secrets.yaml
-  # https://docs.hercules-ci.com/hercules-ci/getting-started/deploy/nix-darwin
+  age.secrets.binary-caches = {
+    file = ../../../secrets/binary-caches.age;
+    mode = "600";
+    owner = "_hercules-ci-agent";
+    group = "_hercules-ci-agent";
+  };
+
+  age.secrets.cluster-join-token = {
+    file = ../../../secrets/cluster-join-token.age;
+    mode = "600";
+    owner = "_hercules-ci-agent";
+    group = "_hercules-ci-agent";
+  };
+
   services.hercules-ci-agent.enable = true;
 
+  services.hercules-ci-agent.settings = {
+    binaryCachesPath = config.age.secrets.binary-caches.path;
+    clusterJoinTokenPath = config.age.secrets.cluster-join-token.path;
+  };
+
   # hercules-ci-agent: security: createProcess: posix_spawnp: does not exist
   # https://github.com/LnL7/nix-darwin/blob/36524adc31566655f2f4d55ad6b875fb5c1a4083/modules/services/hercules-ci-agent/default.nix#L28
   launchd.daemons.hercules-ci-agent.path = pkgs.lib.mkForce [ config.nix.package securityWrapper ];

diff --git a/modules/darwin/hercules-ci/secrets.yaml b/modules/darwin/hercules-ci/secrets.yaml
diff --git a/secrets/binary-caches.age b/secrets/binary-caches.age
diff --git a/secrets/cluster-join-token.age b/secrets/cluster-join-token.age
@@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-rsa ALNSWw
+k14GuxixIuiA4WhYtWW5PaevHx5QZc2HF9HM7Ia2ji4mNg2Pc1+cXFZG/QLROTVo
+EL0c3/MzZBGAdFYkkm8hlA+S9JLdgiP8ROIT8hjhOE55uWWaH8uDQGODQX42nBe0
+w1wN9iBDKJJ0s4kSak9K8GqS0afVvppLPZTcqoaHbh2YapXSYu7LK8BBgz4+nBUP
+0axc3TIVgUzEDls7VGU1c+aavDvBb8c/fg5w5pJZy379bzU5TWpppmi7U7hEboCA
+IMeAH5iffaksmyPIHlK/iwpHdkchLKX+2YHAu8DxywHeowm4rbxKv3oHfH+/3uM3
+28VUeqYY/SCqwLSe84ZnSg
+-> ssh-ed25519 Qi7vNw W23Q9s5rainiPnp67oLEcLKpEfmvqxUUWL5u+yvN+0o
+/Tiyf6QaTM1NIKPPdrK9e8K43Ee0cNAV5uS5fiab3p8
+-> ssh-ed25519 MW0fCg 2AXjCOaTHC6kJ+m5OnVwyuy6DEI2+6E//fZ7PkZsfFo
+gEvzFrYhSCCvBaOjPb1aI49kCJBK5mpDGShJuVpbSn4
+-> ssh-ed25519 92bXiA xv18v2ncQRE9MWJbpNsGUkwhho/NNZ465zcOl1qi3HQ
+OKP7B3ecWEeBF7GA0Vx72BMRbM6iE6/fQ4mkCaGx4R0
+-> ssh-ed25519 h1lenA tBhqzlU6IKkHKkTb9p8p2R/OOyLtOhLyAIujO+1oyEg
+8ORTR81GImpbXu4rJ0HTSOwbFb3Zw+JmfYSGFoQXLHg
+-> ssh-ed25519 7tFeRw BpJpUC2tTiDfGnO5JvYwW/JiTU2RSfeKzDOCMfLBUxY
+u0mDqrcX/vKNJvqu9Bjl6qUrf1CAkGm5cBRhg984lXk
+-> ssh-ed25519 /B167A t3O6wWHJ1GAxe/e7XwiUzl+uWVBG5F7vc088zFYoFm0
+T954lFCHmJTuOnMy5N1OizGzySbd5/ow1eBbcpJl/F4
+--- BHVcjNVuUaft0wyxOjncdhbpiC9UtUgWSk8sUr6lBCw
+��'���y�"�N��Tm;�)w�V�Ĭ���ќwtֽ,����}-�1�|�ʅ�����b��	t%���+l0�`��W�� �vw�6�>"7�i3�&L��Y*�P(S��	<򠎜������m��ˠTqdK$(��y7�PG(y�*��7p��E�/gT�?3Aq���16�#�ȋ�T'y��G�e%.�ۀʭ�Op��:�
+��Ҩ3Hv��E%(�����s�����l��%������������
+`�w��FLX

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -0,0 +1,18 @@
+let
+  adisbladis = builtins.readFile ../users/keys/adisbladis;
+  mic92 = builtins.readFile ../users/keys/mic92;
+  ryantm = builtins.readFile ../users/keys/ryantm;
+  zimbatm = builtins.readFile ../users/keys/zimbatm;
+  zowoq = builtins.readFile ../users/keys/zowoq;
+
+  users = [ adisbladis mic92 ryantm zimbatm zowoq ];
+
+  inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
+
+  darwin02 = knownHosts.darwin02.publicKey;
+  darwin03 = knownHosts.darwin03.publicKey;
+in
+{
+  "binary-caches.age".publicKeys = users ++ [ darwin02 darwin03 ];
+  "cluster-join-token.age".publicKeys = users ++ [ darwin02 darwin03 ];
+}