monolith: migrate ci secrets to sops

2025-03-07 14:56:02 -03:00 · 2025-03-07 14:56:02 -03:00 · b52a886806
commit b52a886806
parent 0bc125c944
2 changed files with 14 additions and 5 deletions
--- a/secrets/monolith/default.yaml
+++ b/secrets/monolith/default.yaml
@ -1,4 +1,8 @@
 forgejo-runners:
    git.lelgenio.com-default: ENC[AES256_GCM,data:sEfpBZvgQUkyXPWY4RI0RPJWUbsYK/RGqiYJ5wDSVY9a0EYenyt96QYq6815evq2iQ==,iv:rSWnCOdhfKH4TM9R0/IParYd9laYhWxR+iUhgkVvqfc=,tag:mBcSH/oGDMBgBScvCdn3Zg==,type:str]
 gitlab-runners:
    thoreb-telemetria-nix: ENC[AES256_GCM,data:zrZvG4be08ulpo7itbrprKK5csCMLvzZjrszfMw1XiJP0FyRTUd9nHgHpbAzbjj2KyT7kKngoZAyengvaTEhkT9sUi1pdGnvajAH8BDDOD0g4LJIHFl4,iv:3bSsTzU7gHx+MchuPg9kmb5xEDugmGPje8Jw74NpRJI=,tag:zffRr77lWbyLt7o/mywb5A==,type:str]
    thoreb-itinerario-nix: ENC[AES256_GCM,data:UdAAD0V895sFoEYR56sCG2LlpZugJ0K/nwkTygzWOnbTSmBRAcIQ8qVFPZGw+K+XMSLiCyio6Jp7k8AYP0K1VYm+6aEP3OkqR9FCLQTJgXo=,iv:UGUby50BYkn13OzItk6zZmxc5+SnbZZa4bebQHIow2A=,tag:LjDg3deWwdH2T71EtPo6jA==,type:str]
    docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str]
 sops:
    kms: []
@ -34,8 +38,8 @@ sops:
            TGNwNUQxN0VQMHErMGVZbG5CZW9kSGMK9TRcgSJQT73dYoQxrrqFW/FkKExLGT4T
            Xagi6Eq4rhT7pvaL4h3vglwbqkLPsHrWRSyhh0sAEIJ1WpvD+cFEMA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-07T14:47:44Z"
+    lastmodified: "2025-03-07T16:48:32Z"
-    mac: ENC[AES256_GCM,data:k0yhfVhDmtU8wOZIylaxmmd+8TIXCzCbGhlaQnyeLplH2BDHVnpzAxBJVizS/VtVpAkjMAESndXqW7N6pnGnRWdZPtCxE8KNtz/nUxCZA44cn+mjC+ghKgsgaLuxe4smu0f4u4TK2uFsJqw5J0VGFgMtyKe4AaHujoXWL80zTR0=,iv:xiDrOtto246oPjMw5+ny0qB8HjdMpkzZyPNi3csgMVE=,tag:2xioMXxERDSePdIwPpP7hg==,type:str]
+    mac: ENC[AES256_GCM,data:vyO1MMSRCoc8CK1wqXdgvvAiNP4NUXxpF1MPNsz2z9ioeu15ue2AYV+kWH3I94qUOZ93UM+Nbfx1sqN+JKpkbQ7iS8vY1NNwovEYtrp4FInr6esYOIJXSvvf/3wlWoquSaNACQnbjKJKgV05m24+hu/meIXMYs9sn2SxlnetTmg=,iv:W1jokO9Shhle0cWZpR5bonVdLPZAOo76h8sClMUYZbE=,tag:1Pg5f6q6TmBrAmYWuhKaKQ==,type:str]
    pgp:
        - created_at: "2025-03-07T14:42:24Z"
          enc: |-
--- a/system/monolith-gitlab-runner.nix
+++ b/system/monolith-gitlab-runner.nix
@ -1,7 +1,6 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
@ -16,8 +15,8 @@ in
    services = {
      # runner for building in docker via host's nix-daemon
      # nix store will be readable in runner, might be insecure
-      thoreb-telemetria-nix = mkNixRunner config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path;
+      thoreb-telemetria-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-telemetria-nix".path;
-      thoreb-itinerario-nix = mkNixRunner config.age.secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.path;
+      thoreb-itinerario-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-itinerario-nix".path;
      default = {
        # File should contain at least these two variables:
@ -31,6 +30,12 @@ in
  systemd.services.gitlab-runner.serviceConfig.Nice = 10;
  sops.secrets = {
    "gitlab-runners/thoreb-telemetria-nix" = {
      sopsFile = ../secrets/monolith/default.yaml;
    };
    "gitlab-runners/thoreb-itinerario-nix" = {
      sopsFile = ../secrets/monolith/default.yaml;
    };
    "gitlab-runners/docker-images-token" = {
      sopsFile = ../secrets/monolith/default.yaml;
    };