monolith: migrate ci secrets to sops

This commit is contained in:
Leonardo Eugênio 2025-03-07 14:56:02 -03:00
parent 0bc125c944
commit b52a886806
2 changed files with 14 additions and 5 deletions

View file

@ -1,4 +1,8 @@
forgejo-runners:
git.lelgenio.com-default: ENC[AES256_GCM,data:sEfpBZvgQUkyXPWY4RI0RPJWUbsYK/RGqiYJ5wDSVY9a0EYenyt96QYq6815evq2iQ==,iv:rSWnCOdhfKH4TM9R0/IParYd9laYhWxR+iUhgkVvqfc=,tag:mBcSH/oGDMBgBScvCdn3Zg==,type:str]
gitlab-runners:
thoreb-telemetria-nix: ENC[AES256_GCM,data:zrZvG4be08ulpo7itbrprKK5csCMLvzZjrszfMw1XiJP0FyRTUd9nHgHpbAzbjj2KyT7kKngoZAyengvaTEhkT9sUi1pdGnvajAH8BDDOD0g4LJIHFl4,iv:3bSsTzU7gHx+MchuPg9kmb5xEDugmGPje8Jw74NpRJI=,tag:zffRr77lWbyLt7o/mywb5A==,type:str]
thoreb-itinerario-nix: ENC[AES256_GCM,data:UdAAD0V895sFoEYR56sCG2LlpZugJ0K/nwkTygzWOnbTSmBRAcIQ8qVFPZGw+K+XMSLiCyio6Jp7k8AYP0K1VYm+6aEP3OkqR9FCLQTJgXo=,iv:UGUby50BYkn13OzItk6zZmxc5+SnbZZa4bebQHIow2A=,tag:LjDg3deWwdH2T71EtPo6jA==,type:str]
docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str]
sops:
kms: []
@ -34,8 +38,8 @@ sops:
TGNwNUQxN0VQMHErMGVZbG5CZW9kSGMK9TRcgSJQT73dYoQxrrqFW/FkKExLGT4T
Xagi6Eq4rhT7pvaL4h3vglwbqkLPsHrWRSyhh0sAEIJ1WpvD+cFEMA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-07T14:47:44Z"
mac: ENC[AES256_GCM,data:k0yhfVhDmtU8wOZIylaxmmd+8TIXCzCbGhlaQnyeLplH2BDHVnpzAxBJVizS/VtVpAkjMAESndXqW7N6pnGnRWdZPtCxE8KNtz/nUxCZA44cn+mjC+ghKgsgaLuxe4smu0f4u4TK2uFsJqw5J0VGFgMtyKe4AaHujoXWL80zTR0=,iv:xiDrOtto246oPjMw5+ny0qB8HjdMpkzZyPNi3csgMVE=,tag:2xioMXxERDSePdIwPpP7hg==,type:str]
lastmodified: "2025-03-07T16:48:32Z"
mac: ENC[AES256_GCM,data:vyO1MMSRCoc8CK1wqXdgvvAiNP4NUXxpF1MPNsz2z9ioeu15ue2AYV+kWH3I94qUOZ93UM+Nbfx1sqN+JKpkbQ7iS8vY1NNwovEYtrp4FInr6esYOIJXSvvf/3wlWoquSaNACQnbjKJKgV05m24+hu/meIXMYs9sn2SxlnetTmg=,iv:W1jokO9Shhle0cWZpR5bonVdLPZAOo76h8sClMUYZbE=,tag:1Pg5f6q6TmBrAmYWuhKaKQ==,type:str]
pgp:
- created_at: "2025-03-07T14:42:24Z"
enc: |-

View file

@ -1,7 +1,6 @@
{
config,
pkgs,
lib,
...
}:
let
@ -16,8 +15,8 @@ in
services = {
# runner for building in docker via host's nix-daemon
# nix store will be readable in runner, might be insecure
thoreb-telemetria-nix = mkNixRunner config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path;
thoreb-itinerario-nix = mkNixRunner config.age.secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.path;
thoreb-telemetria-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-telemetria-nix".path;
thoreb-itinerario-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-itinerario-nix".path;
default = {
# File should contain at least these two variables:
@ -31,6 +30,12 @@ in
systemd.services.gitlab-runner.serviceConfig.Nice = 10;
sops.secrets = {
"gitlab-runners/thoreb-telemetria-nix" = {
sopsFile = ../secrets/monolith/default.yaml;
};
"gitlab-runners/thoreb-itinerario-nix" = {
sopsFile = ../secrets/monolith/default.yaml;
};
"gitlab-runners/docker-images-token" = {
sopsFile = ../secrets/monolith/default.yaml;
};