diff --git a/.sops.yaml b/.sops.yaml
index 699e3c1..20a8640 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -12,7 +12,17 @@ creation_rules:
age:
- *lelgenio-ssh
- *monolith-ssh
+ - path_regex: secrets/monolith/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - pgp:
+ - *lelgenio-gpg
+ age:
+ - *lelgenio-ssh
+ - *monolith-ssh
- path_regex: secrets/phantom/[^/]+\.(yaml|json|env|ini)$
key_groups:
- - age:
+ - pgp:
+ - *lelgenio-gpg
+ age:
+ - *lelgenio-ssh
- *phantom-ssh
diff --git a/secrets/monolith/default.yaml b/secrets/monolith/default.yaml
new file mode 100644
index 0000000..857bc5d
--- /dev/null
+++ b/secrets/monolith/default.yaml
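Review bot: Both the new monolith rule and the reworked phantom rule place `*lelgenio-gpg`, `*lelgenio-ssh` and the host key inside a single key group, and sops treats keys within one group as alternatives, so any one of those keys alone can decrypt the matching files. That is a deliberate choice if the goal is to let the admin edit from the workstation, but note that the phantom rule previously admitted only `*phantom-ssh`, so this commit widens who can decrypt `secrets/phantom/default.yaml` (the matching rekey of that file appears later in this commit). If decryption is meant to require an admin key together with the host key, make them separate entries under `key_groups`; sops then Shamir-splits the data key across the groups, with `shamir_threshold` defaulting to the number of groups. A short comment above `key_groups:` stating which of the two models is intended would save the next reader from re-deriving it.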
@@ -0,0 +1,56 @@ +gitlab-runners: + docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: ssh-rsa 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 lelgenio@i15 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2EgQnd3eEhnCldST3lPZXBV + cTVNK3R3RjlFcDQ4UldRT0tsSVJ2N2FkN0hiOVllT2Rrc2NjVWtMbnMrWHVMN1k5 + dExsVHFhMHMKRVVzR1pzeG01Y2FidWNrQ0xjK1FUZktnWTZaWWlWalM5cWhZWE9U + TFU3ZXV3aGp6QkRIZkl4MDFJN2RRQVkrdwpqQlE5ajFTVW15MVVyTkNaS3JiOFph + cGthWWZ4R3Rldjh0a2lnd1dSbUcvSVpDdHJKVk5GVy8vR05WbmhUWFhuCkZsaWk5 + L2dnNE4rNTV6VWpIZlNIMENzZVlKS2NEOFdmSFhsYkFNSHRlTENYeGNtekpDaUN4 + V3l2VWtta3hSVFIKblVDZ1hOdzZQbWswTDB5MXd3dXpXQW44MFhFR0hGZkxjbzlU + WkR5dFhhbVpTUGZwQVR3WXNCUjJWYlAyTU1VeQpkWEdXQjVUemlRdXVxZVE4SGVU + TFlPS0FEV1dRRWU0K1d1ZTRrZGU1MHVKQ0lCemJmcUhOaWtON3ZDbUtad2lXCklt + aFREN3BmdEo1TUw2V2NtQ0QvbE1EQ25OeW5ZaldOY04zQjFQbWRnWjhJaWZKWXJn + UlBTTjV0VkpEY0FhZjQKTURjT004dHEvS24rNGVBSE1KK0ZabTBKb0Z4QTJvS2Fi + czdnWEpUTXJsRVMvdWFzVlJLT281a3JwQi9PMGVDcQoKLS0tIFgvSE14blgvVkxQ + b3N5WWlzdG5hajZaVFVkWVlhOXNZKytmZEZrZVprRHMKXqPgDpKG42KsfKfIAflT + 1meea416Af+WeFhWnw8fBBhApKrMMmYMMjDi1lIOGDz57ydNqtlFqdFtkiQsUC0f + wA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTWVYNXNQcHhHSzVBQmhU + ejlOQzJMZ0xEVFVkbzNPQ0hMVHBQWEgzQTFJCkF6ZDNaZ29UM29vWGZqVW10dmlQ + YjNFNXJVMlcxT1ZsMU55cE8vc3VjaXMKLS0tIDZYQTRjMWp5a3hKc2N4alZKZHFt + TGNwNUQxN0VQMHErMGVZbG5CZW9kSGMK9TRcgSJQT73dYoQxrrqFW/FkKExLGT4T + Xagi6Eq4rhT7pvaL4h3vglwbqkLPsHrWRSyhh0sAEIJ1WpvD+cFEMA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-07T14:47:44Z" + mac: 
ENC[AES256_GCM,data:k0yhfVhDmtU8wOZIylaxmmd+8TIXCzCbGhlaQnyeLplH2BDHVnpzAxBJVizS/VtVpAkjMAESndXqW7N6pnGnRWdZPtCxE8KNtz/nUxCZA44cn+mjC+ghKgsgaLuxe4smu0f4u4TK2uFsJqw5J0VGFgMtyKe4AaHujoXWL80zTR0=,iv:xiDrOtto246oPjMw5+ny0qB8HjdMpkzZyPNi3csgMVE=,tag:2xioMXxERDSePdIwPpP7hg==,type:str] + pgp: + - created_at: "2025-03-07T14:42:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMAzy6JxafzLr5AQf/Y0QIIBN0uY3RUj88u5L0tJqypnKOAlfLOMYPkZ0oomAd + ZowogLWJgWyFC6NTdZRj84GoF2EAMDZqDAwh7shrZSpuhr0rwT7bGMQ4/VSx/Sxs + uCgkzXGMT0DsGjDOw6h17dDLNAnnvViamL1Br3ZXG7gZJXmUhPavL1YXeQciPqjh + FyJLAKeb9sQAFUp0Aexo4fKZSJh//O8jTiz7vl5klpQnDHWzpkcuxqIajIoYFdcL + ioP1GnrsUDfyXh2zfLcggxs/WHU24/C8DZqWai9WqRA08kJpw+aj1835vmUIWM0W + E5TF9h/tOEGw+PGhvwNiEvONhv/tpyLpjoXylbisjtJeAY6Fntxcrssw2cKMimFV + UjBuf2vSmQlNBqU+LE0JOICmRsmnLZTEPXnPqpqBTRV4gj4kTLCJYcaEIFP7uSEd + WlCyyX28ACGThorQEoQ/W2bFfNT/Mi7CNQ8EOckmKg== + =6Qin + -----END PGP MESSAGE----- + fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B + unencrypted_suffix: _unencrypted + version: 3.9.4-unstable diff --git a/secrets/phantom/default.yaml b/secrets/phantom/default.yaml index a299b34..2d744c9 100644 --- a/secrets/phantom/default.yaml +++ b/secrets/phantom/default.yaml 
@@ -14,17 +14,51 @@ sops: azure_kv: [] hc_vault: [] age: + - recipient: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2EgQnd3eEhnCm9xWXdTQjZU + Znpiak1xdE1kTm56NWI3bUNlQXBFcjhNNFlwbDVUcGhrS2J4Y1M3aXFydjVGYmVI + UmNKVmkrb3cKWHNsa2FZaE4zbnJWYVo1SDhTOEZxM0JMRWJ0ckpySk11V09LMkd5 + bjhQRkpSZG0xYko3aTFqQmVFU3JhSWo1Ugo2Nk0rNzJBNzJvbVJkU0VhSmRRWE5B + RUt4S3h1cFZkZHkxOU5VUTcxN1JBNFlaYTkyZTNSM3JVUjhCUStNODRMCjdJRWlv + d0g4bnlQMzhWSGUxY04vRnUvbTlyWVQ0eWsvbnk4UmxxOHVZblM3bVFETXJiVjRE + b2s1ZFVHaEFNc3EKSDJTYUVSNWtKQS81bUdOcDA0SnZGeE4vQkt6bFZWY1dxNm9S + YVhRdjVCb3RGaC94djZZeFhXaTZSVVYzaUJ6KwoxQXNKcU9Dbk8xYWRvaGJwSXdu + Zzk4Y09zbW54elJHdjJ6OTNyeURwZ3JJL0gvaFVRUmgyRnNBbXFJU1l5U2FwCm56 + bzc0TkVWdnNoWnBMMjlKbnZicmRxdXIwd2hCZGp5dEQ2TnBtdTZCdnJRbzIyZFhV + L1ZpVW9nZmNqQW45c0cKYnIxQTc2aEowTUprZ1pYVCt3L2NsVHJ5SWF1aHZUR1E5 + eGVrcUphWk1vVURBL2J4UlZLQXluNC82YnNhQUFOQgoKLS0tICtOTXVyUzZldUJO + QkN0eUVRSDlDWmthU0VrRUZDb0VBTVFhL24raHJDcGsKcspICwz+f6y21yogiXO3 + Qp7evIuOzfWe6pMtge5BjxWTlzIdi2btFTzuTjgZaOiQd8FIB3iTqBkepUVD49jN + RQ== + -----END AGE ENCRYPTED FILE----- - recipient: age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQkRWWmYweUNpcDRNbzRW - NnQ4R3JPK0oydm9iL0owS0d6Nm92eTFJZldFCnZpUVUvWi9FYTBDSGNvUUJRZHNz - QStPT0hCc08xUmh4dEdJdmVPRm01V2cKLS0tIEZPMmNKdGUvNnVWYXZNTHA3SkE3 - 
ZTNJbW9EWktPb2M5TVBNekUrZXVoUFkKLEsQVYVp7fTBRDA7RO8Kjpc5MUPb5U7I - WKZtNhsMZsP+SLgZWBF1PpvcjlDlNA2Z+Hqsrw6vsq6DYpnxToxfZQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TklEaUl2QkVtVVN5UXlC + cW9RaHNoSnRkV0lKTmtYS0VZQnhyM0o0cUFNCmZWemJuOFVyK1ZFbkR1RUZOTEVB + WmJFemRrd0xIUW43cElkdVJOM052N2cKLS0tIFJpRTNtQ1hjWGJwSFJLRDNRSm4z + WW9MbmZoTllLalpWcFdOa3JpaThPMjQKa5vVGp+L1V2/ScyUe0EaOVw4TB8paS2w + 79VgplKN6HL+f6bL/0rIUOwJ6PDW944bOioKDYvbUCpBnSRYIHnYoQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-03-05T22:27:18Z" mac: ENC[AES256_GCM,data:WSopSnWZ+uOllywd7difaZtJcfxkL7eIf9Kr3GajZKO0+rP6pEHIS+5AbXZy6oKRlCLUPecY/WXFvk3//akpvvXHbf6Jp4fQ/YSuTcYKRQupbDBpOXSlc33QyRl6oEyiMOjxMxa2N2tmq8dmA0NbF9wSDMa5a4eNDoiL5T/sUZ8=,iv:QqbVRApzFF6q24rk8KfKuthj656nEczD9Si4INj+N9A=,tag:tMRNYo+u/jIQ6iX3KqKJdA==,type:str] - pgp: [] + pgp: + - created_at: "2025-03-07T16:05:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMAzy6JxafzLr5AQf/djnT5hse11QoFPbmuu5rmc/0vpOQ79G6MYZtHlXL/HbP + hx0r25yTI6ICayFiO7luovz58saN0BY5K1dCbGB7+nZ8lrKoGE4GhX4k5Cc/KJIO + BTEbTqMJLezkb34FsuXgD9o2udNysC3Bpi/3NbPCYsJkVeCmx1wyEWzWhz51RO4M + WEyKkE0DyJfOpTuY2fofGhaA866firFDrS2SeiU4Dox4au3iR4VYqt6IITmgZdDE + M9LRp3AzOPOUZzpeRcer4ksh8WVDIWPEEL+w+OGo8QpUL3kqHIMVPgXY0kBOR+5s + tVTCLVe7yoimK/oSYkEx9Z3TYRwKV6ggJWahX7VHaNJeAVxIon8Qs8W2L+f1gclK + tPbaE+jCg6AH3apD3ICisxCj0Vvm+NsWMo2skeN2YGyWBCOoeGcG5OhgJtD0cQiw + QxCzywMXujxYYAXJEvhk4YRhaCOMkTTMGNoloWMugg== + =CHH0 + -----END PGP MESSAGE----- + fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B unencrypted_suffix: _unencrypted version: 3.9.4-unstable diff --git a/system/configuration.nix b/system/configuration.nix index 11f327e..f515e43 100644 --- a/system/configuration.nix +++ b/system/configuration.nix @@ -29,14 +29,6 @@ zramSwap.enable = true; - sops = { - secrets.hello = { }; - }; - - environment.etc."teste-sops" = { - text = config.sops.secrets.hello.path; - }; - # Enable touchpad support (enabled default in most desktopManager). services.libinput.enable = true; 
diff --git a/system/monolith-gitlab-runner.nix b/system/monolith-gitlab-runner.nix
index 3e63d98..ce0dc6f 100644
--- a/system/monolith-gitlab-runner.nix
+++ b/system/monolith-gitlab-runner.nix
@@ -18,7 +18,21 @@ in
# nix store will be readable in runner, might be insecure
thoreb-telemetria-nix = mkNixRunner config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path;
thoreb-itinerario-nix = mkNixRunner config.age.secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.path;
+
+ default = {
+ # File should contain at least these two variables:
+ # `CI_SERVER_URL`
+ # `CI_SERVER_TOKEN`
+ authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/docker-images-token".path;
+ dockerImage = "debian:stable";
+ };
};
};
systemd.services.gitlab-runner.serviceConfig.Nice = 10;
+
+ sops.secrets = {
+ "gitlab-runners/docker-images-token" = {
+ sopsFile = ../secrets/monolith/default.yaml;
+ };
+ };
}
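Review bot: The comment on `default` says the file must supply `CI_SERVER_URL` and `CI_SERVER_TOKEN`, but as far as I can tell sops-nix writes the decrypted value of `gitlab-runners/docker-images-token` to that path verbatim, so the secret's plaintext has to be the whole env-file body (`CI_SERVER_URL=...` and `CI_SERVER_TOKEN=...` on separate lines) rather than the bare token its name suggests; worth confirming, since a bare token would only show up as a registration failure at runtime. Extending the comment to say so, e.g. `# The sops value itself is the env-file body, not just the token`, would make the contract explicit. The same attrset now mixes agenix-style `config.age.secrets` paths for the two thoreb runners with a `config.sops.secrets` path for `default`; a line noting which secret store is authoritative going forward, or migrating the other two, would keep the file consistent. `dockerImage = "debian:stable"` is a floating tag, so pinning it to a digest would make CI runs reproducible. The enclosing `services.gitlab-runner` attrset opens before this hunk.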