diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index 7aa3d88..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,28 +0,0 @@ -keys: - - &lelgenio-gpg 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B - - &lelgenio-ssh age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h - - &monolith-ssh age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw - - &phantom-ssh age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y - -creation_rules: - - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *lelgenio-gpg - age: - - *lelgenio-ssh - - *monolith-ssh - - path_regex: secrets/monolith/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *lelgenio-gpg - age: - - *lelgenio-ssh - - *monolith-ssh - - path_regex: secrets/phantom/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *lelgenio-gpg - age: - - *lelgenio-ssh - - *phantom-ssh diff --git a/flake.lock b/flake.lock index cabf4cf..573ab5e 100644 --- a/flake.lock +++ b/flake.lock @@ -722,7 +722,6 @@ "nixpkgs-unstable": "nixpkgs-unstable", "plymouth-themes": "plymouth-themes", "ranger-icons": "ranger-icons", - "sops-nix": "sops-nix", "tlauncher": "tlauncher", "tomater": "tomater", "treefmt-nix": "treefmt-nix", @@ -776,26 +775,6 @@ "type": "github" } }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741043164, - "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "3f2412536eeece783f0d0ad3861417f347219f4d", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index fd1bac2..636724e 100644 --- a/flake.nix +++ b/flake.nix @@ -26,11 +26,6 @@ inputs.home-manager.follows = "home-manager"; }; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; inputs.nixpkgs.follows = "nixpkgs"; @@ -101,12 +96,10 @@ { nixpkgs.pkgs = pkgs; } ./system/configuration.nix ./system/secrets.nix - ./system/sops.nix ./system/greetd.nix { login-manager.greetd.enable = desktop == "sway"; } inputs.agenix.nixosModules.default - inputs.sops-nix.nixosModules.default inputs.home-manager.nixosModules.home-manager inputs.disko.nixosModules.disko ( @@ -146,7 +139,6 @@ modules = [ ./hosts/monolith ./system/monolith-gitlab-runner.nix - ./system/monolith-bitbucket-runner.nix ./system/monolith-forgejo-runner.nix ./system/nix-serve.nix ] ++ common_modules; diff --git a/hosts/phantom/default.nix b/hosts/phantom/default.nix index 9111434..45c27d7 100644 --- a/hosts/phantom/default.nix +++ b/hosts/phantom/default.nix @@ -2,16 +2,12 @@ config, pkgs, inputs, - lib, ... }: { imports = [ inputs.vpsadminos.nixosConfigurations.container inputs.agenix.nixosModules.default - inputs.sops-nix.nixosModules.default - - ../../system/sops.nix ../../system/nix.nix ./hardware-config.nix ./mastodon.nix @@ -61,15 +57,6 @@ identityPaths = [ "/root/.ssh/id_rsa" ]; }; - sops = { - secrets.hello = { }; - defaultSopsFile = lib.mkForce ../../secrets/phantom/default.yaml; - }; - - environment.etc."teste-sops" = { - text = config.sops.secrets.hello.path; - }; - virtualisation.docker = { enable = true; daemon.settings = { diff --git a/secrets/monolith/default.yaml b/secrets/monolith/default.yaml deleted file mode 100644 index 8bd8e12..0000000 --- a/secrets/monolith/default.yaml +++ /dev/null @@ -1,55 +0,0 @@ -forgejo-runners: - git.lelgenio.com-default: ENC[AES256_GCM,data:sEfpBZvgQUkyXPWY4RI0RPJWUbsYK/RGqiYJ5wDSVY9a0EYenyt96QYq6815evq2iQ==,iv:rSWnCOdhfKH4TM9R0/IParYd9laYhWxR+iUhgkVvqfc=,tag:mBcSH/oGDMBgBScvCdn3Zg==,type:str] -gitlab-runners: - thoreb-telemetria-nix: ENC[AES256_GCM,data:zrZvG4be08ulpo7itbrprKK5csCMLvzZjrszfMw1XiJP0FyRTUd9nHgHpbAzbjj2KyT7kKngoZAyengvaTEhkT9sUi1pdGnvajAH8BDDOD0g4LJIHFl4,iv:3bSsTzU7gHx+MchuPg9kmb5xEDugmGPje8Jw74NpRJI=,tag:zffRr77lWbyLt7o/mywb5A==,type:str] - thoreb-itinerario-nix: ENC[AES256_GCM,data:UdAAD0V895sFoEYR56sCG2LlpZugJ0K/nwkTygzWOnbTSmBRAcIQ8qVFPZGw+K+XMSLiCyio6Jp7k8AYP0K1VYm+6aEP3OkqR9FCLQTJgXo=,iv:UGUby50BYkn13OzItk6zZmxc5+SnbZZa4bebQHIow2A=,tag:LjDg3deWwdH2T71EtPo6jA==,type:str] - docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str] -bitbucket-runners: - wopus-runner-1: ENC[AES256_GCM,data:gtH0T5n8qMYpvSv5ciN8+ScGlFDf9xE0FTxNP97vT/qsOCcaItTE+5P+DFcWw46onLED+1c+u0sArFbEsT3f8lyco9b+0l99uOQAxLZQzAXYH8zGye1UnwUtytkci2PHu5c8kTpIWHXyZ1IOYNGWkermeab57ANzOkM1LbkHyAjS6VTh0I60LfAOdHOw5FDFL8d1d9oWxLloOe9USLPqHjC023EpCUT2YuyHoPCTpBu8Kb/2HfV0wkAKaB3dvVrKwXCj+bfP6+bjQ3uMzVO/7jxPmnSGBfvyZ+Hlg5goJ6bSAqQWmnPPnQ96FgQfe8su5ML9qNIp9/7eNiL6Rv6Vhxe0hHbE5wsZ/58grcg/LrugeWJvUJ9THhwcTwO8Pkvwlq0XM9seUY2NV+LCK3bLQ4IWDjWkU1IHg6+nihTcvl1iD6UIGMgqGoB/v05WVzHb+GcE2fFuSuhVHfa5RMyboELOJoFrqZiXGhY=,iv:ZakLafxYQCDd1Zw8T83Xfj+YwAQKna9LC6ognJqtifA=,tag:bwBObfdMIvJfRrOG04NtxA==,type:str] - wopus-runner-2: ENC[AES256_GCM,data:gg8merZMFbf396hdJY7zmKQndT3GzB7NeGZAs3C0au8Zd7OFAg9vcQcFcxNA3kZGJZqmFTR/ycWJwhYr9fhlfFuPhDynVvgJAqoYtvC2MUDiOMD/d3DlfwFjQ6cOGTrvFuY1kkgSFb4OFdrVC1eiTDrGygFmYnYcqTKn/t5Ttqi+cHZNzFzVzdVLvaLCYxltM5g45zn+fXYxYwCfqyb32/M1XTnnwIGiataGxEX5oWhVV4zqeLO4ZIYPSby5AVvIMJ/zqvqaeVVY52GLDcTKrj3thbZxMQLWN3/lOA0uYhi3L/WM8Gx+JMEIbSICcuT7QXu4w4PA+opcx9GnsMCK2/egzS+cNPJ4vGZCdVD/jh6A9zVEJAgXdsHXNXFHmMPt7DcgrCQiub62og4kBY4G/Rcg4UN7sb3v3qyBpGbCGHGRjCFc+wdHpom0yDOG2cwcqfN49pC2R7Ag2BisFQ/5A+DPmKnvGG3kt9s=,iv:5g5XiDecYqi4JNRkZubgPJECBQdZ6rBeojgFe6Etebk=,tag:HRy5bFSbfxKTb5e13lGtgg==,type:str] - wopus-runner-3: ENC[AES256_GCM,data:f9pLYR8t51HtPpLyXysIVaDAhxDrmktJH93E7rb7imtKwK7hRhR8usnvHTcknLfD7BMvStAIYefdGt19u7PrQu6vqc19bEcNbnK5OH4KBP6+X47oMgBYtbIGXH+t3dSDt22fSIoppTwdX7/Kf4vqesfN8K7EunETvFR86oyyKdy15mvXr0XUO4us4HZjnIOBEnOm1P/V8hk5JcCpRuo+8ZYmBe5gzq5pTnqnYlPE1EovM7eDMg72J7ev07h50qvySrAqmNiqDcXfTPQ2TzuHx3XxAYqFybf1L6P9OnLB6RDAlpoFJ0h8dSg2tzC2+amYsBP0UIBK/ZhWvvAjpX+MZrTASjenh/tefDcNdbsXDOr7A4i/261z4rC0r+97INglCN1N/SZg51iBHiRAVV1zibDLfioR5+eBIykWAtjILMoYU+zOcr0E8K0I9jQGMtpnYmvHJqV0DVcdfZpJptrPUUy+lQ/iZVcPpLs=,iv:grzvVsfpUzywjNE4jvTxXKG3TYajrvSsQgfOgtafvIo=,tag:K1B6crN0ckLk0EYBtGHDkw==,type:str] - wopus-runner-4: ENC[AES256_GCM,data:D1Zq0BtPuACnutAbUcj3gYSMLuIZcMuqc/1mEFmitEG0tBFMWhkabS+8lXcp8sb1DM0LTDMEwgMB9FVyFb670MKQNEncqQtaNJtY1BxS3SolovDAM/I+i6YGvd4X8jX99d+7ZNR6xGBWJ/dW8rz4QnIM8Eh3FDOqaFa/ltfyPKP9IZ2uZi67C/n8Q/OSdgMQkt+QxhgJfSghE1iruPwxyGlqv+E4SZNI/fQQMjX0Lh7z02ms58yyMtjO71YbukV/JXFRsdJrqY2wfH/6NlZbsKideoSxluBRVqmbW6KQd7dUT819KbOSu9CFdgThtVCU8qiv3jbAbn8D5xRy4AAOEfSqRLXJoj7otCqr47R/8+0BdS3aztFBjL3lDmprMWZ4+LD55fvczfpxUF9ox1mhcjIvCvZJJL06XsST1XRXa7i2fr4/a/XhCmQgIzar5IYxSC9OjuHp6jLsTaY3ZUgid5W1L1n8uWSmA98=,iv:O9caRG//brERiIhuMrsFdTz6TnPY0rdQnvHEu0P42yM=,tag:hrmwLX/CRhZfammJ2nfTPw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaFFtOHRBNjZqOXJOV1Bk - SXRhZTdNWklKaTZST2JhU3VFLzBGSWY0QlMwCldwS1hhMDEyZDAxWUlRRXZtTWts - Ti9IOUR2OFdGYkJ4cFRsV0lkbWJvb1EKLS0tIEJUS1ZCZ1M4ZUs5cDhiam5JaEk1 - U1VjNFprNHZWeDhwU3owRXh0MlBFYkUKHPgxz9/w3+JEtOljfyWBPSshfFlVWVys - f15yxlAeWIZVEGqoau7DegVdZiYYIJR2dFBXV1RkKbAwLrbUxAQidg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OWk0cTJ4d25Qd0hrdkFD - a2Fzd1lrMDREclkvRmxUSjFpYXZvRGs2Rm13Cm5aRVZDWE5ZUVR1K2hkZkdKWjYw - K3lKNndBNGFveGVGVWplaHA0MVlYUG8KLS0tIFlVeXhCTGJGUm1HK2RCSFg1RnI3 - aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h - jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-07T21:28:04Z" - mac: ENC[AES256_GCM,data:4lOafZQ6PP38CByulzA/J86sw+TpQhj40s1lTRXqUtpt72yH8nQK8dXpw0dNYvDBtDpKRvNTHZubzalEua6n2lCQL7rsZ2+fo6FJ4ht2Kb70dddDcWEyrfyZQ2FaKC5L/QjqM0SbIfPszNvyQ8wIaOoMfNJBis5QOjRSGDAcJm8=,iv:LLT0oJW+3KNe1nKphCK0c5FPIuh8GfnDrvNDCFhP4NM=,tag:rPbVY7L1qxNc3aCfv77FAg==,type:str] - pgp: - - created_at: "2025-03-07T22:49:16Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMAzy6JxafzLr5AQgAjwQqdeESOfrOuCjfjALdoy3AnNYC+slusdlra58CoRu6 - YFDAivwPHJBRiuVy43Lo7SWnKXMKvLOry589GBY3JGjNV5U1cPWBhMlTubYZmZWl - iel8Bvw4IF5JksMIvLFdDgexLN7wETzzZP9S8750BCgpSrncrw1k/dUedhv5HUjo - N10x6BPjPSmgolA8uxsISHLAUrKcQoeaWvcZFU1ofKywq08HgIySphy6z3Gmv3Qs - 86saZp1rFm5+qHkrDRgL6Oe3Xx30jVkzn9MHPWzZCDPCEvYGJgXX34NGzbX+/nd3 - JB9XkT2YTFi4BLhdHY3EE7e9//PJc5G9RVDZyAF1e9JeAXH2yR5blXbogoy+VMnS - Yn74Uvs+fnYFTDOiuequro5i0uAyxtrCx8fdfwjuh+9SC5p3N2cBv2eT7zLQwQHi - czHlwxmpi/dMB/u83fR4FzuCUt98VXiezIC4yGn25g== - =Yqqx - -----END PGP MESSAGE----- - fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B - unencrypted_suffix: _unencrypted - version: 3.9.4-unstable diff --git a/secrets/phantom/default.yaml b/secrets/phantom/default.yaml deleted file mode 100644 index 962c6ba..0000000 --- a/secrets/phantom/default.yaml +++ /dev/null @@ -1,54 +0,0 @@ -hello: ENC[AES256_GCM,data:UJAAdOL7wzQ1LduTyW+XK2NtXyw/u/Yz28Bmd7OoBe41FVLKwVfvdI1nAwYuNQ==,iv:7kPT2HF5T498bUJ9hUlz5Ez/jn1g7YIUVbJOTW/CHhQ=,tag:KJhJPg8AStyW4roEbEUJ2g==,type:str] -example_key: ENC[AES256_GCM,data:DcLN+C1BQ6WZg5fRiA==,iv:JC3GTWn4a4RekAHdOQB3YV5+eGa4cUK1JjyTPe8eNHY=,tag:W9CV4rsgHuXyqpWpUxlIQg==,type:str] -#ENC[AES256_GCM,data:RjdYJNz6qGfbsU/AiBeLlQ==,iv:LjRzSjBXp44cGSqUUfRDNLC9cW4Vd7lfsqDWINt31VA=,tag:NzVm1h9CVKE2XXt300aR/g==,type:comment] -example_array: - - ENC[AES256_GCM,data:K9j/t8MDibYO8Frhu1M=,iv:YnrxRnJJwTH6DJC6Bv/d1NUnX2ZPFwsjoji7L1Z+d7s=,tag:Dm7xCUlnjKdXHCuk8lwY8w==,type:str] - - ENC[AES256_GCM,data:0g6ACJzEHBtukwQYYTY=,iv:xLBJWfOYkX7Y28N01CX2+d5QOr9VGAhInH6pa1hNSGE=,tag:tCkCigo4yhi6YKVMe3Z3lQ==,type:str] -example_number: ENC[AES256_GCM,data:R+/m/QVBH9/3DA==,iv:FumBUj97ICrRQmyh5fg8Gu9Lba9oITD1pdsr1I/PCf0=,tag:hguw1gpPI3w64fG1WLnJqA==,type:float] -example_booleans: - - ENC[AES256_GCM,data:VvI5ag==,iv:koMzyWcua75sK19vuk65oywCD61lMyH3xUwue8LTqy4=,tag:2ym1M0FTwevLm7wefTUWAw==,type:bool] - - ENC[AES256_GCM,data:lFEC/S8=,iv:cJWbnmseP/AqJzyORM+VI5y7rK8axVeh7EXoLP7mT/Q=,tag:BaS5HyecokdLCq+LzQxGkg==,type:bool] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSXhsMHQvb0NyUXRkRDE3 - TjVjb2orQktDMGs4U2JUS3hWdmtMdnhuYnhBCi9VU1RVblZPaW14VGxMcjM0N20z - R1pOdUJZc1ZGcjBsTnNaZGhleVR6L1kKLS0tIE5vQkFhVXd0R3ZQSzZkNmVqN1Vj - NERXdlJhVHF0NWpNT29CNlRid2NYMVUKxg7kbP6dOZDUz0uxdC45DZCAa6GQTQ1x - nIb7lvPW4xFIb0bOZuvc7cAbHjf4So+8zvA0MM4mkTmIDpnwGD5Clg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcTJGVmZUenNwYVNjRFlU - VXNBeDdpVFVtSTN5TG9VN0Q1WjRFbjlHd0Z3CjFsU1BsNkZ1a1ZkY2lva3lBUWZ3 - YUpqeEo0Tys1bDk0TEpwQTJ2U29kbjgKLS0tIFJDYWpNemY4NXZ0MkM0YWNldDBE - RU1HSUhldHpzeURaUWQvcjBCQ3pMY2cKYL87Njs4e68zu5AXKNF/hxiB3HduS8wz - o0kmGI58DZx17+Cdipw0ab9a9wiu9C9Fn+LaiCcdM/ESXtS79RzdbQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-05T22:27:18Z" - mac: ENC[AES256_GCM,data:WSopSnWZ+uOllywd7difaZtJcfxkL7eIf9Kr3GajZKO0+rP6pEHIS+5AbXZy6oKRlCLUPecY/WXFvk3//akpvvXHbf6Jp4fQ/YSuTcYKRQupbDBpOXSlc33QyRl6oEyiMOjxMxa2N2tmq8dmA0NbF9wSDMa5a4eNDoiL5T/sUZ8=,iv:QqbVRApzFF6q24rk8KfKuthj656nEczD9Si4INj+N9A=,tag:tMRNYo+u/jIQ6iX3KqKJdA==,type:str] - pgp: - - created_at: "2025-03-07T22:49:19Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMAzy6JxafzLr5AQf/Zw+EB0lFpbul4KmHL3ndbhQCHzhkMgG6vEyj7EpjHQxE - nwf9kRrTcRh9YdrgR+5PFRnFJ8+L+gZhk+V/GaEPcEUyskOX/YGTSp1u6pXKGEem - TGojrIx0WwcmeCZUn+qCehbC7ZU64NDDmb7VeWnRkMbboU6UVooHUub88VsbnYw2 - XXtXh4G8isrbyAKzUyypnJnEVbKlVqPOL67BYczjyBqMYc1JVLmBy6nP+sv6q/yo - QyDzlunmZtu52dwAL0L6wJF+novLr4W9cso4K5UVv2sp5M8gucuiY2obiB3vNfgO - q9GZTlMWnyDGflM1w+tzpZ/Ke+sM4dSy3cXpZd+MFNJeAaBJ1owjolb4tPUXlt+W - cJ+SFLWxzH8MsPb+Hfxrt8PPCcv67uch/k50PLYs/V/EM59+mgEJe5LY4rMbUSFw - REGL3LA6Cnkl2bUeHlfG7XlztHd/ehmZM2RPKof+Qw== - =htZl - -----END PGP MESSAGE----- - fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B - unencrypted_suffix: _unencrypted - version: 3.9.4-unstable diff --git a/secrets/test.yaml b/secrets/test.yaml deleted file mode 100644 index 0f9b6e7..0000000 --- a/secrets/test.yaml +++ /dev/null @@ -1,55 +0,0 @@ -hello: ENC[AES256_GCM,data:ADXdQUkrnh9lDrsHyInYsPBo21u/mIAH47KhGQsxuz5OshT6CoK+89CILEi9tQ==,iv:b/rnM77z69+pVO3kxQZxI2YzTCRiBwwO5fhcwCB2/CI=,tag:A0FOXIfgIkJawV3QhlJPWQ==,type:str] -example_key: ENC[AES256_GCM,data:gXXl6hhdYNLC1Grmyw==,iv:miSL7Wdewd5zs4A86/r8OW6gK+PGZJ+gaqZRHHxvZos=,tag:Ty+IaoXdMSEThNPRjwhqTA==,type:str] -#ENC[AES256_GCM,data:FLhydTaiOqLRFk+ZrgGx9Q==,iv:TqhX2ylJKFQjdOpmwCER1+gRe4iR+I0hkVkNnYH4ESo=,tag:1BSk9TKqTma4MVUMswwmog==,type:comment] -example_array: - - ENC[AES256_GCM,data:1sIEL3xGDAygUKoodBA=,iv:1DumVv8vDvhT/K0jXM1vHdrFTE7dIxqqjS8CIpWdnc8=,tag:WSs+3a816zVOaGCTElxgFQ==,type:str] - - ENC[AES256_GCM,data:tFi1czQnVgX/nlWrJrs=,iv:isH65ldilVe3EjsKNP/dOKgtWZtHQPw364fPHBI+LEw=,tag:Ka5ywriFptKg3+lIHPEIyA==,type:str] -example_number: ENC[AES256_GCM,data:sxSM8a9oAp+u6g==,iv:KRLfIxZuBsnK+QE4mqm3pyhJmE7Fsd4ykJA++KrOnEQ=,tag:F5EkVUzw06ulr5jZvlTJdg==,type:float] -example_booleans: - - ENC[AES256_GCM,data:PDts2Q==,iv:qtfKg5gmUw2aERJe3gfT15Pk7mWocXwKdJhAzSic1o0=,tag:gn1sWsgt9ihYF8bHAkAQwQ==,type:bool] - - ENC[AES256_GCM,data:o9as7T0=,iv:YXyTB2X9PmTsOd37+BAp2xnT/+Yzyajcn5y1GE1O5rE=,tag:hyXA43jpyAbgH2hg1ivloQ==,type:bool] -sops: - shamir_threshold: 1 - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUURIQmZvSVp3aXlFT0RR - VHVBR0drN2JyV1hNUk5sakxGRXl6SEJuOUUwClQ1Q1lRZTR5R3Z4dlZyb29OaTNW - UVcwV3h6UlhtZkg2aFhrUUtIT0tQRmsKLS0tIDlnckhHWXRKcmRwTGUzdHZxWEVh - a3ZSWk0wNm1raXdMYXdKY1hDd2dZWUEK+IFU/9vsHu70XbSJ7sKqFncrZO3NAH8/ - X/XF1VUmIuDfQZYJsDa4HaXe52xvDWTw3/4frG9HutEI2NcvvRpxlw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRGxFWXJVcDZOdzVxaFJG - LzdhN3JKaFhPOVBlblRPNWpDdERPaWhDNkM0CmcvUGxNQ09tNTJndWZTdjFia2pl - RnNWQ0ZKSFhEN0FNbVZlKzlFUlh5QTgKLS0tIFkwc1pJajlyOGNHSTdaM3FQZWFK - NUJpRDlLNXlGOTNBbVRTU0ZMVkhqdUUK1koXmGDGTKoNx1wp4c9EknY9LQ5a7dQP - Zx6OzvtpsxL6KGjH7BeNNcm2zOR4YqnklLq09UsPHElz2upJQzECAQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-07T22:49:01Z" - mac: ENC[AES256_GCM,data:yma+7wtzVjCzlLOVpqiicjQ9YN1ttzoh8CpcAtjdtVl6gu7/3FXUKYyAWJd+1NUUpK7vN435gOq9/nsig0FRrn0Hgq0+cjFUGS6+6+SPmL97eFvti89gCOeIFhPvBnJQYJLiyVkUcBek4xW+vnt6UgrTy+sD9AT3KHdBlfu3pzY=,iv:ioswFO5KDAL3Bv7MI8V0aWXXxZZIz1M1PyMUbIMnCRI=,tag:5fUBtqz9J2qvY4fUT2ueoQ==,type:str] - pgp: - - created_at: "2025-03-07T22:49:20Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMAzy6JxafzLr5AQf/Xok7aBMNT6W3LV2Ekx/ccxEZaZ0aVNKHE9aFTz5kBSpu - cXVohu5mEgeXr++HbrsCI821/gfchQ1yzVSLJsSrmZdJ586c3a7pWx2Eo4pcngmy - vb5UWtTBNogABnLz4iTjVQYLjZeNcNhkzW6s3m9PiaX3AvJP9irPcmwIyYpzd9pt - hngnBsdTis52fmvZ6+wOuMyTZU0Iksknom1De8xqgR5ZuO0Vitt19RGbpVhx96AC - t1CUkb5WMFTdpbCFORa/ta9Z7UcKxXTAPsfPkPVG9DnHQ1jSmsJWPDQZxoIJLHuH - SVV+qfRGndOo9fjExCInX6I5wBlrHrdpGtL7VLczV9JeAXYlMJwH63eOyi8hxxtr - KfTJEIALC25uFhoK8bmr30yVZe7thUPMXfht+R5dlHne7+FcBb4k7YLpeN/M40me - CSKk+9YaG7gQIdrfvEXlHSPCPppcKev6ZUspHewhmQ== - =IMON - -----END PGP MESSAGE----- - fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B - unencrypted_suffix: _unencrypted - version: 3.9.4 diff --git a/system/configuration.nix b/system/configuration.nix index f515e43..a227e36 100644 --- a/system/configuration.nix +++ b/system/configuration.nix @@ -1,7 +1,7 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ pkgs, config, ... }: +{ pkgs, ... }: { imports = [ ./android.nix diff --git a/system/monolith-bitbucket-runner.nix b/system/monolith-bitbucket-runner.nix deleted file mode 100644 index 17d462b..0000000 --- a/system/monolith-bitbucket-runner.nix +++ /dev/null @@ -1,50 +0,0 @@ -{ - config, - pkgs, - ... -}: - -let - mkRunner = secret: { - image = "docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner:latest"; - volumes = [ - "/tmp:/tmp" - "/var/run/docker.sock:/var/run/docker.sock" - "/var/lib/docker/containers:/var/lib/docker/containers:ro" - ]; - environmentFiles = [ secret ]; - }; - - secretConf = { - sopsFile = ../secrets/monolith/default.yaml; - }; -in -{ - virtualisation.docker = { - enable = true; - daemon.settings = { - # needed by bitbucket runner ??? - log-driver = "json-file"; - log-opts = { - max-size = "10m"; - max-file = "3"; - }; - }; - }; - - virtualisation.oci-containers.backend = "docker"; - - virtualisation.oci-containers.containers = { - bitbucket-runner-1 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-1".path; - bitbucket-runner-2 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-2".path; - bitbucket-runner-3 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-3".path; - bitbucket-runner-4 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-4".path; - }; - - sops.secrets = { - "bitbucket-runners/wopus-runner-1" = secretConf; - "bitbucket-runners/wopus-runner-2" = secretConf; - "bitbucket-runners/wopus-runner-3" = secretConf; - "bitbucket-runners/wopus-runner-4" = secretConf; - }; -} diff --git a/system/monolith-gitlab-runner.nix b/system/monolith-gitlab-runner.nix index 28a0ecd..3e63d98 100644 --- a/system/monolith-gitlab-runner.nix +++ b/system/monolith-gitlab-runner.nix @@ -1,6 +1,7 @@ { config, pkgs, + lib, ... }: let @@ -15,29 +16,9 @@ in services = { # runner for building in docker via host's nix-daemon # nix store will be readable in runner, might be insecure - thoreb-telemetria-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-telemetria-nix".path; - thoreb-itinerario-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-itinerario-nix".path; - - default = { - # File should contain at least these two variables: - # `CI_SERVER_URL` - # `CI_SERVER_TOKEN` - authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/docker-images-token".path; - dockerImage = "debian:stable"; - }; + thoreb-telemetria-nix = mkNixRunner config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path; + thoreb-itinerario-nix = mkNixRunner config.age.secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.path; }; }; systemd.services.gitlab-runner.serviceConfig.Nice = 10; - - sops.secrets = { - "gitlab-runners/thoreb-telemetria-nix" = { - sopsFile = ../secrets/monolith/default.yaml; - }; - "gitlab-runners/thoreb-itinerario-nix" = { - sopsFile = ../secrets/monolith/default.yaml; - }; - "gitlab-runners/docker-images-token" = { - sopsFile = ../secrets/monolith/default.yaml; - }; - }; } diff --git a/system/secrets.nix b/system/secrets.nix index 588dfe4..fdf14e8 100644 --- a/system/secrets.nix +++ b/system/secrets.nix @@ -1,4 +1,4 @@ -{ pkgs, config, ... }: +{ pkgs, ... }: { age = { identityPaths = [ "/root/.ssh/id_rsa" ]; diff --git a/system/sops.nix b/system/sops.nix deleted file mode 100644 index d868153..0000000 --- a/system/sops.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - sops - gnupg - ]; - - sops = { - defaultSopsFile = ../secrets/test.yaml; - age.sshKeyPaths = [ - "/etc/ssh/ssh_host_ed25519_key" - "/home/lelgenio/.ssh/id_ed25519" - ]; - }; -}