monolith: migrate ci secrets to sops
parent
0bc125c944
commit
b52a886806
|
@ -1,4 +1,8 @@
|
|||
forgejo-runners:
|
||||
git.lelgenio.com-default: ENC[AES256_GCM,data:sEfpBZvgQUkyXPWY4RI0RPJWUbsYK/RGqiYJ5wDSVY9a0EYenyt96QYq6815evq2iQ==,iv:rSWnCOdhfKH4TM9R0/IParYd9laYhWxR+iUhgkVvqfc=,tag:mBcSH/oGDMBgBScvCdn3Zg==,type:str]
|
||||
gitlab-runners:
|
||||
thoreb-telemetria-nix: ENC[AES256_GCM,data:zrZvG4be08ulpo7itbrprKK5csCMLvzZjrszfMw1XiJP0FyRTUd9nHgHpbAzbjj2KyT7kKngoZAyengvaTEhkT9sUi1pdGnvajAH8BDDOD0g4LJIHFl4,iv:3bSsTzU7gHx+MchuPg9kmb5xEDugmGPje8Jw74NpRJI=,tag:zffRr77lWbyLt7o/mywb5A==,type:str]
|
||||
thoreb-itinerario-nix: ENC[AES256_GCM,data:UdAAD0V895sFoEYR56sCG2LlpZugJ0K/nwkTygzWOnbTSmBRAcIQ8qVFPZGw+K+XMSLiCyio6Jp7k8AYP0K1VYm+6aEP3OkqR9FCLQTJgXo=,iv:UGUby50BYkn13OzItk6zZmxc5+SnbZZa4bebQHIow2A=,tag:LjDg3deWwdH2T71EtPo6jA==,type:str]
|
||||
docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
|
@ -34,8 +38,8 @@ sops:
|
|||
TGNwNUQxN0VQMHErMGVZbG5CZW9kSGMK9TRcgSJQT73dYoQxrrqFW/FkKExLGT4T
|
||||
Xagi6Eq4rhT7pvaL4h3vglwbqkLPsHrWRSyhh0sAEIJ1WpvD+cFEMA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-03-07T14:47:44Z"
|
||||
mac: ENC[AES256_GCM,data:k0yhfVhDmtU8wOZIylaxmmd+8TIXCzCbGhlaQnyeLplH2BDHVnpzAxBJVizS/VtVpAkjMAESndXqW7N6pnGnRWdZPtCxE8KNtz/nUxCZA44cn+mjC+ghKgsgaLuxe4smu0f4u4TK2uFsJqw5J0VGFgMtyKe4AaHujoXWL80zTR0=,iv:xiDrOtto246oPjMw5+ny0qB8HjdMpkzZyPNi3csgMVE=,tag:2xioMXxERDSePdIwPpP7hg==,type:str]
|
||||
lastmodified: "2025-03-07T16:48:32Z"
|
||||
mac: ENC[AES256_GCM,data:vyO1MMSRCoc8CK1wqXdgvvAiNP4NUXxpF1MPNsz2z9ioeu15ue2AYV+kWH3I94qUOZ93UM+Nbfx1sqN+JKpkbQ7iS8vY1NNwovEYtrp4FInr6esYOIJXSvvf/3wlWoquSaNACQnbjKJKgV05m24+hu/meIXMYs9sn2SxlnetTmg=,iv:W1jokO9Shhle0cWZpR5bonVdLPZAOo76h8sClMUYZbE=,tag:1Pg5f6q6TmBrAmYWuhKaKQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2025-03-07T14:42:24Z"
|
||||
enc: |-
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
|
@ -16,8 +15,8 @@ in
|
|||
services = {
|
||||
# runner for building in docker via host's nix-daemon
|
||||
# nix store will be readable in runner, might be insecure
|
||||
thoreb-telemetria-nix = mkNixRunner config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path;
|
||||
thoreb-itinerario-nix = mkNixRunner config.age.secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.path;
|
||||
thoreb-telemetria-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-telemetria-nix".path;
|
||||
thoreb-itinerario-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-itinerario-nix".path;
|
||||
|
||||
default = {
|
||||
# File should contain at least these two variables:
|
||||
|
@ -31,6 +30,12 @@ in
|
|||
systemd.services.gitlab-runner.serviceConfig.Nice = 10;
|
||||
|
||||
sops.secrets = {
|
||||
"gitlab-runners/thoreb-telemetria-nix" = {
|
||||
sopsFile = ../secrets/monolith/default.yaml;
|
||||
};
|
||||
"gitlab-runners/thoreb-itinerario-nix" = {
|
||||
sopsFile = ../secrets/monolith/default.yaml;
|
||||
};
|
||||
"gitlab-runners/docker-images-token" = {
|
||||
sopsFile = ../secrets/monolith/default.yaml;
|
||||
};
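Review bot: The `sops.secrets` entries in the last hunk set only `sopsFile`, so a rotated runner token in `../secrets/monolith/default.yaml` is not tied to the service that reads it. If rotation should take effect on deploy, add `restartUnits = [ "gitlab-runner.service" ];` to the two `gitlab-runners/*-nix` entries; the unit name is taken from the `systemd.services.gitlab-runner` line in the same hunk. Owner and mode are left at the sops-nix defaults (root, 0400), which presumably suits the runner's registration step but deserves a short comment saying so. The `sops.secrets` set closes outside the hunk, so any options set after these entries are not visible here.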
|
||||
|
|