diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..7aa3d88 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,28 @@ +keys: + - &lelgenio-gpg 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B + - &lelgenio-ssh age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h + - &monolith-ssh age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw + - &phantom-ssh age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y + +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *lelgenio-gpg + age: + - *lelgenio-ssh + - *monolith-ssh + - path_regex: secrets/monolith/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *lelgenio-gpg + age: + - *lelgenio-ssh + - *monolith-ssh + - path_regex: secrets/phantom/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *lelgenio-gpg + age: + - *lelgenio-ssh + - *phantom-ssh diff --git a/flake.lock b/flake.lock index 573ab5e..cabf4cf 100644 --- a/flake.lock +++ b/flake.lock @@ -722,6 +722,7 @@ "nixpkgs-unstable": "nixpkgs-unstable", "plymouth-themes": "plymouth-themes", "ranger-icons": "ranger-icons", + "sops-nix": "sops-nix", "tlauncher": "tlauncher", "tomater": "tomater", "treefmt-nix": "treefmt-nix", @@ -775,6 +776,26 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1741043164, + "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "3f2412536eeece783f0d0ad3861417f347219f4d", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 636724e..fd1bac2 100644 --- a/flake.nix +++ b/flake.nix @@ -26,6 +26,11 @@ inputs.home-manager.follows = "home-manager"; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; inputs.nixpkgs.follows = "nixpkgs"; @@ -96,10 +101,12 @@ { nixpkgs.pkgs = pkgs; } ./system/configuration.nix ./system/secrets.nix + ./system/sops.nix ./system/greetd.nix { login-manager.greetd.enable = desktop == "sway"; } inputs.agenix.nixosModules.default + inputs.sops-nix.nixosModules.default inputs.home-manager.nixosModules.home-manager inputs.disko.nixosModules.disko ( @@ -139,6 +146,7 @@ modules = [ ./hosts/monolith ./system/monolith-gitlab-runner.nix + ./system/monolith-bitbucket-runner.nix ./system/monolith-forgejo-runner.nix ./system/nix-serve.nix ] ++ common_modules; diff --git a/hosts/phantom/default.nix b/hosts/phantom/default.nix index 45c27d7..9111434 100644 --- a/hosts/phantom/default.nix +++ b/hosts/phantom/default.nix @@ -2,12 +2,16 @@ config, pkgs, inputs, + lib, ... }: { imports = [ inputs.vpsadminos.nixosConfigurations.container inputs.agenix.nixosModules.default + inputs.sops-nix.nixosModules.default + + ../../system/sops.nix ../../system/nix.nix ./hardware-config.nix ./mastodon.nix @@ -57,6 +61,15 @@ identityPaths = [ "/root/.ssh/id_rsa" ]; }; + sops = { + secrets.hello = { }; + defaultSopsFile = lib.mkForce ../../secrets/phantom/default.yaml; + }; + + environment.etc."teste-sops" = { + text = config.sops.secrets.hello.path; + }; + virtualisation.docker = { enable = true; daemon.settings = { diff --git a/secrets/monolith/default.yaml b/secrets/monolith/default.yaml new file mode 100644 index 0000000..8bd8e12 --- /dev/null +++ b/secrets/monolith/default.yaml @@ -0,0 +1,55 @@ +forgejo-runners: + git.lelgenio.com-default: ENC[AES256_GCM,data:sEfpBZvgQUkyXPWY4RI0RPJWUbsYK/RGqiYJ5wDSVY9a0EYenyt96QYq6815evq2iQ==,iv:rSWnCOdhfKH4TM9R0/IParYd9laYhWxR+iUhgkVvqfc=,tag:mBcSH/oGDMBgBScvCdn3Zg==,type:str] +gitlab-runners: + thoreb-telemetria-nix: ENC[AES256_GCM,data:zrZvG4be08ulpo7itbrprKK5csCMLvzZjrszfMw1XiJP0FyRTUd9nHgHpbAzbjj2KyT7kKngoZAyengvaTEhkT9sUi1pdGnvajAH8BDDOD0g4LJIHFl4,iv:3bSsTzU7gHx+MchuPg9kmb5xEDugmGPje8Jw74NpRJI=,tag:zffRr77lWbyLt7o/mywb5A==,type:str] + thoreb-itinerario-nix: ENC[AES256_GCM,data:UdAAD0V895sFoEYR56sCG2LlpZugJ0K/nwkTygzWOnbTSmBRAcIQ8qVFPZGw+K+XMSLiCyio6Jp7k8AYP0K1VYm+6aEP3OkqR9FCLQTJgXo=,iv:UGUby50BYkn13OzItk6zZmxc5+SnbZZa4bebQHIow2A=,tag:LjDg3deWwdH2T71EtPo6jA==,type:str] + docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str] +bitbucket-runners: + wopus-runner-1: ENC[AES256_GCM,data:gtH0T5n8qMYpvSv5ciN8+ScGlFDf9xE0FTxNP97vT/qsOCcaItTE+5P+DFcWw46onLED+1c+u0sArFbEsT3f8lyco9b+0l99uOQAxLZQzAXYH8zGye1UnwUtytkci2PHu5c8kTpIWHXyZ1IOYNGWkermeab57ANzOkM1LbkHyAjS6VTh0I60LfAOdHOw5FDFL8d1d9oWxLloOe9USLPqHjC023EpCUT2YuyHoPCTpBu8Kb/2HfV0wkAKaB3dvVrKwXCj+bfP6+bjQ3uMzVO/7jxPmnSGBfvyZ+Hlg5goJ6bSAqQWmnPPnQ96FgQfe8su5ML9qNIp9/7eNiL6Rv6Vhxe0hHbE5wsZ/58grcg/LrugeWJvUJ9THhwcTwO8Pkvwlq0XM9seUY2NV+LCK3bLQ4IWDjWkU1IHg6+nihTcvl1iD6UIGMgqGoB/v05WVzHb+GcE2fFuSuhVHfa5RMyboELOJoFrqZiXGhY=,iv:ZakLafxYQCDd1Zw8T83Xfj+YwAQKna9LC6ognJqtifA=,tag:bwBObfdMIvJfRrOG04NtxA==,type:str] + wopus-runner-2: ENC[AES256_GCM,data:gg8merZMFbf396hdJY7zmKQndT3GzB7NeGZAs3C0au8Zd7OFAg9vcQcFcxNA3kZGJZqmFTR/ycWJwhYr9fhlfFuPhDynVvgJAqoYtvC2MUDiOMD/d3DlfwFjQ6cOGTrvFuY1kkgSFb4OFdrVC1eiTDrGygFmYnYcqTKn/t5Ttqi+cHZNzFzVzdVLvaLCYxltM5g45zn+fXYxYwCfqyb32/M1XTnnwIGiataGxEX5oWhVV4zqeLO4ZIYPSby5AVvIMJ/zqvqaeVVY52GLDcTKrj3thbZxMQLWN3/lOA0uYhi3L/WM8Gx+JMEIbSICcuT7QXu4w4PA+opcx9GnsMCK2/egzS+cNPJ4vGZCdVD/jh6A9zVEJAgXdsHXNXFHmMPt7DcgrCQiub62og4kBY4G/Rcg4UN7sb3v3qyBpGbCGHGRjCFc+wdHpom0yDOG2cwcqfN49pC2R7Ag2BisFQ/5A+DPmKnvGG3kt9s=,iv:5g5XiDecYqi4JNRkZubgPJECBQdZ6rBeojgFe6Etebk=,tag:HRy5bFSbfxKTb5e13lGtgg==,type:str] + wopus-runner-3: ENC[AES256_GCM,data:f9pLYR8t51HtPpLyXysIVaDAhxDrmktJH93E7rb7imtKwK7hRhR8usnvHTcknLfD7BMvStAIYefdGt19u7PrQu6vqc19bEcNbnK5OH4KBP6+X47oMgBYtbIGXH+t3dSDt22fSIoppTwdX7/Kf4vqesfN8K7EunETvFR86oyyKdy15mvXr0XUO4us4HZjnIOBEnOm1P/V8hk5JcCpRuo+8ZYmBe5gzq5pTnqnYlPE1EovM7eDMg72J7ev07h50qvySrAqmNiqDcXfTPQ2TzuHx3XxAYqFybf1L6P9OnLB6RDAlpoFJ0h8dSg2tzC2+amYsBP0UIBK/ZhWvvAjpX+MZrTASjenh/tefDcNdbsXDOr7A4i/261z4rC0r+97INglCN1N/SZg51iBHiRAVV1zibDLfioR5+eBIykWAtjILMoYU+zOcr0E8K0I9jQGMtpnYmvHJqV0DVcdfZpJptrPUUy+lQ/iZVcPpLs=,iv:grzvVsfpUzywjNE4jvTxXKG3TYajrvSsQgfOgtafvIo=,tag:K1B6crN0ckLk0EYBtGHDkw==,type:str] + wopus-runner-4: ENC[AES256_GCM,data:D1Zq0BtPuACnutAbUcj3gYSMLuIZcMuqc/1mEFmitEG0tBFMWhkabS+8lXcp8sb1DM0LTDMEwgMB9FVyFb670MKQNEncqQtaNJtY1BxS3SolovDAM/I+i6YGvd4X8jX99d+7ZNR6xGBWJ/dW8rz4QnIM8Eh3FDOqaFa/ltfyPKP9IZ2uZi67C/n8Q/OSdgMQkt+QxhgJfSghE1iruPwxyGlqv+E4SZNI/fQQMjX0Lh7z02ms58yyMtjO71YbukV/JXFRsdJrqY2wfH/6NlZbsKideoSxluBRVqmbW6KQd7dUT819KbOSu9CFdgThtVCU8qiv3jbAbn8D5xRy4AAOEfSqRLXJoj7otCqr47R/8+0BdS3aztFBjL3lDmprMWZ4+LD55fvczfpxUF9ox1mhcjIvCvZJJL06XsST1XRXa7i2fr4/a/XhCmQgIzar5IYxSC9OjuHp6jLsTaY3ZUgid5W1L1n8uWSmA98=,iv:O9caRG//brERiIhuMrsFdTz6TnPY0rdQnvHEu0P42yM=,tag:hrmwLX/CRhZfammJ2nfTPw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaFFtOHRBNjZqOXJOV1Bk + SXRhZTdNWklKaTZST2JhU3VFLzBGSWY0QlMwCldwS1hhMDEyZDAxWUlRRXZtTWts + Ti9IOUR2OFdGYkJ4cFRsV0lkbWJvb1EKLS0tIEJUS1ZCZ1M4ZUs5cDhiam5JaEk1 + U1VjNFprNHZWeDhwU3owRXh0MlBFYkUKHPgxz9/w3+JEtOljfyWBPSshfFlVWVys + f15yxlAeWIZVEGqoau7DegVdZiYYIJR2dFBXV1RkKbAwLrbUxAQidg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OWk0cTJ4d25Qd0hrdkFD + a2Fzd1lrMDREclkvRmxUSjFpYXZvRGs2Rm13Cm5aRVZDWE5ZUVR1K2hkZkdKWjYw + K3lKNndBNGFveGVGVWplaHA0MVlYUG8KLS0tIFlVeXhCTGJGUm1HK2RCSFg1RnI3 + aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h + jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-07T21:28:04Z" + mac: ENC[AES256_GCM,data:4lOafZQ6PP38CByulzA/J86sw+TpQhj40s1lTRXqUtpt72yH8nQK8dXpw0dNYvDBtDpKRvNTHZubzalEua6n2lCQL7rsZ2+fo6FJ4ht2Kb70dddDcWEyrfyZQ2FaKC5L/QjqM0SbIfPszNvyQ8wIaOoMfNJBis5QOjRSGDAcJm8=,iv:LLT0oJW+3KNe1nKphCK0c5FPIuh8GfnDrvNDCFhP4NM=,tag:rPbVY7L1qxNc3aCfv77FAg==,type:str] + pgp: + - created_at: "2025-03-07T22:49:16Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMAzy6JxafzLr5AQgAjwQqdeESOfrOuCjfjALdoy3AnNYC+slusdlra58CoRu6 + YFDAivwPHJBRiuVy43Lo7SWnKXMKvLOry589GBY3JGjNV5U1cPWBhMlTubYZmZWl + iel8Bvw4IF5JksMIvLFdDgexLN7wETzzZP9S8750BCgpSrncrw1k/dUedhv5HUjo + N10x6BPjPSmgolA8uxsISHLAUrKcQoeaWvcZFU1ofKywq08HgIySphy6z3Gmv3Qs + 86saZp1rFm5+qHkrDRgL6Oe3Xx30jVkzn9MHPWzZCDPCEvYGJgXX34NGzbX+/nd3 + JB9XkT2YTFi4BLhdHY3EE7e9//PJc5G9RVDZyAF1e9JeAXH2yR5blXbogoy+VMnS + Yn74Uvs+fnYFTDOiuequro5i0uAyxtrCx8fdfwjuh+9SC5p3N2cBv2eT7zLQwQHi + czHlwxmpi/dMB/u83fR4FzuCUt98VXiezIC4yGn25g== + =Yqqx + -----END PGP MESSAGE----- + fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B + unencrypted_suffix: _unencrypted + version: 3.9.4-unstable diff --git a/secrets/phantom/default.yaml b/secrets/phantom/default.yaml new file mode 100644 index 0000000..962c6ba --- /dev/null +++ b/secrets/phantom/default.yaml @@ -0,0 +1,54 @@ +hello: ENC[AES256_GCM,data:UJAAdOL7wzQ1LduTyW+XK2NtXyw/u/Yz28Bmd7OoBe41FVLKwVfvdI1nAwYuNQ==,iv:7kPT2HF5T498bUJ9hUlz5Ez/jn1g7YIUVbJOTW/CHhQ=,tag:KJhJPg8AStyW4roEbEUJ2g==,type:str] +example_key: ENC[AES256_GCM,data:DcLN+C1BQ6WZg5fRiA==,iv:JC3GTWn4a4RekAHdOQB3YV5+eGa4cUK1JjyTPe8eNHY=,tag:W9CV4rsgHuXyqpWpUxlIQg==,type:str] +#ENC[AES256_GCM,data:RjdYJNz6qGfbsU/AiBeLlQ==,iv:LjRzSjBXp44cGSqUUfRDNLC9cW4Vd7lfsqDWINt31VA=,tag:NzVm1h9CVKE2XXt300aR/g==,type:comment] +example_array: + - ENC[AES256_GCM,data:K9j/t8MDibYO8Frhu1M=,iv:YnrxRnJJwTH6DJC6Bv/d1NUnX2ZPFwsjoji7L1Z+d7s=,tag:Dm7xCUlnjKdXHCuk8lwY8w==,type:str] + - ENC[AES256_GCM,data:0g6ACJzEHBtukwQYYTY=,iv:xLBJWfOYkX7Y28N01CX2+d5QOr9VGAhInH6pa1hNSGE=,tag:tCkCigo4yhi6YKVMe3Z3lQ==,type:str] +example_number: ENC[AES256_GCM,data:R+/m/QVBH9/3DA==,iv:FumBUj97ICrRQmyh5fg8Gu9Lba9oITD1pdsr1I/PCf0=,tag:hguw1gpPI3w64fG1WLnJqA==,type:float] +example_booleans: + - ENC[AES256_GCM,data:VvI5ag==,iv:koMzyWcua75sK19vuk65oywCD61lMyH3xUwue8LTqy4=,tag:2ym1M0FTwevLm7wefTUWAw==,type:bool] + - ENC[AES256_GCM,data:lFEC/S8=,iv:cJWbnmseP/AqJzyORM+VI5y7rK8axVeh7EXoLP7mT/Q=,tag:BaS5HyecokdLCq+LzQxGkg==,type:bool] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSXhsMHQvb0NyUXRkRDE3 + TjVjb2orQktDMGs4U2JUS3hWdmtMdnhuYnhBCi9VU1RVblZPaW14VGxMcjM0N20z + R1pOdUJZc1ZGcjBsTnNaZGhleVR6L1kKLS0tIE5vQkFhVXd0R3ZQSzZkNmVqN1Vj + NERXdlJhVHF0NWpNT29CNlRid2NYMVUKxg7kbP6dOZDUz0uxdC45DZCAa6GQTQ1x + nIb7lvPW4xFIb0bOZuvc7cAbHjf4So+8zvA0MM4mkTmIDpnwGD5Clg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcTJGVmZUenNwYVNjRFlU + VXNBeDdpVFVtSTN5TG9VN0Q1WjRFbjlHd0Z3CjFsU1BsNkZ1a1ZkY2lva3lBUWZ3 + YUpqeEo0Tys1bDk0TEpwQTJ2U29kbjgKLS0tIFJDYWpNemY4NXZ0MkM0YWNldDBE + RU1HSUhldHpzeURaUWQvcjBCQ3pMY2cKYL87Njs4e68zu5AXKNF/hxiB3HduS8wz + o0kmGI58DZx17+Cdipw0ab9a9wiu9C9Fn+LaiCcdM/ESXtS79RzdbQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-05T22:27:18Z" + mac: ENC[AES256_GCM,data:WSopSnWZ+uOllywd7difaZtJcfxkL7eIf9Kr3GajZKO0+rP6pEHIS+5AbXZy6oKRlCLUPecY/WXFvk3//akpvvXHbf6Jp4fQ/YSuTcYKRQupbDBpOXSlc33QyRl6oEyiMOjxMxa2N2tmq8dmA0NbF9wSDMa5a4eNDoiL5T/sUZ8=,iv:QqbVRApzFF6q24rk8KfKuthj656nEczD9Si4INj+N9A=,tag:tMRNYo+u/jIQ6iX3KqKJdA==,type:str] + pgp: + - created_at: "2025-03-07T22:49:19Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMAzy6JxafzLr5AQf/Zw+EB0lFpbul4KmHL3ndbhQCHzhkMgG6vEyj7EpjHQxE + nwf9kRrTcRh9YdrgR+5PFRnFJ8+L+gZhk+V/GaEPcEUyskOX/YGTSp1u6pXKGEem + TGojrIx0WwcmeCZUn+qCehbC7ZU64NDDmb7VeWnRkMbboU6UVooHUub88VsbnYw2 + XXtXh4G8isrbyAKzUyypnJnEVbKlVqPOL67BYczjyBqMYc1JVLmBy6nP+sv6q/yo + QyDzlunmZtu52dwAL0L6wJF+novLr4W9cso4K5UVv2sp5M8gucuiY2obiB3vNfgO + q9GZTlMWnyDGflM1w+tzpZ/Ke+sM4dSy3cXpZd+MFNJeAaBJ1owjolb4tPUXlt+W + cJ+SFLWxzH8MsPb+Hfxrt8PPCcv67uch/k50PLYs/V/EM59+mgEJe5LY4rMbUSFw + REGL3LA6Cnkl2bUeHlfG7XlztHd/ehmZM2RPKof+Qw== + =htZl + -----END PGP MESSAGE----- + fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B + unencrypted_suffix: _unencrypted + version: 3.9.4-unstable diff --git a/secrets/test.yaml b/secrets/test.yaml new file mode 100644 index 0000000..0f9b6e7 --- /dev/null +++ b/secrets/test.yaml @@ -0,0 +1,55 @@ +hello: ENC[AES256_GCM,data:ADXdQUkrnh9lDrsHyInYsPBo21u/mIAH47KhGQsxuz5OshT6CoK+89CILEi9tQ==,iv:b/rnM77z69+pVO3kxQZxI2YzTCRiBwwO5fhcwCB2/CI=,tag:A0FOXIfgIkJawV3QhlJPWQ==,type:str] +example_key: ENC[AES256_GCM,data:gXXl6hhdYNLC1Grmyw==,iv:miSL7Wdewd5zs4A86/r8OW6gK+PGZJ+gaqZRHHxvZos=,tag:Ty+IaoXdMSEThNPRjwhqTA==,type:str] +#ENC[AES256_GCM,data:FLhydTaiOqLRFk+ZrgGx9Q==,iv:TqhX2ylJKFQjdOpmwCER1+gRe4iR+I0hkVkNnYH4ESo=,tag:1BSk9TKqTma4MVUMswwmog==,type:comment] +example_array: + - ENC[AES256_GCM,data:1sIEL3xGDAygUKoodBA=,iv:1DumVv8vDvhT/K0jXM1vHdrFTE7dIxqqjS8CIpWdnc8=,tag:WSs+3a816zVOaGCTElxgFQ==,type:str] + - ENC[AES256_GCM,data:tFi1czQnVgX/nlWrJrs=,iv:isH65ldilVe3EjsKNP/dOKgtWZtHQPw364fPHBI+LEw=,tag:Ka5ywriFptKg3+lIHPEIyA==,type:str] +example_number: ENC[AES256_GCM,data:sxSM8a9oAp+u6g==,iv:KRLfIxZuBsnK+QE4mqm3pyhJmE7Fsd4ykJA++KrOnEQ=,tag:F5EkVUzw06ulr5jZvlTJdg==,type:float] +example_booleans: + - ENC[AES256_GCM,data:PDts2Q==,iv:qtfKg5gmUw2aERJe3gfT15Pk7mWocXwKdJhAzSic1o0=,tag:gn1sWsgt9ihYF8bHAkAQwQ==,type:bool] + - ENC[AES256_GCM,data:o9as7T0=,iv:YXyTB2X9PmTsOd37+BAp2xnT/+Yzyajcn5y1GE1O5rE=,tag:hyXA43jpyAbgH2hg1ivloQ==,type:bool] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUURIQmZvSVp3aXlFT0RR + VHVBR0drN2JyV1hNUk5sakxGRXl6SEJuOUUwClQ1Q1lRZTR5R3Z4dlZyb29OaTNW + UVcwV3h6UlhtZkg2aFhrUUtIT0tQRmsKLS0tIDlnckhHWXRKcmRwTGUzdHZxWEVh + a3ZSWk0wNm1raXdMYXdKY1hDd2dZWUEK+IFU/9vsHu70XbSJ7sKqFncrZO3NAH8/ + X/XF1VUmIuDfQZYJsDa4HaXe52xvDWTw3/4frG9HutEI2NcvvRpxlw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRGxFWXJVcDZOdzVxaFJG + LzdhN3JKaFhPOVBlblRPNWpDdERPaWhDNkM0CmcvUGxNQ09tNTJndWZTdjFia2pl + RnNWQ0ZKSFhEN0FNbVZlKzlFUlh5QTgKLS0tIFkwc1pJajlyOGNHSTdaM3FQZWFK + NUJpRDlLNXlGOTNBbVRTU0ZMVkhqdUUK1koXmGDGTKoNx1wp4c9EknY9LQ5a7dQP + Zx6OzvtpsxL6KGjH7BeNNcm2zOR4YqnklLq09UsPHElz2upJQzECAQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-07T22:49:01Z" + mac: ENC[AES256_GCM,data:yma+7wtzVjCzlLOVpqiicjQ9YN1ttzoh8CpcAtjdtVl6gu7/3FXUKYyAWJd+1NUUpK7vN435gOq9/nsig0FRrn0Hgq0+cjFUGS6+6+SPmL97eFvti89gCOeIFhPvBnJQYJLiyVkUcBek4xW+vnt6UgrTy+sD9AT3KHdBlfu3pzY=,iv:ioswFO5KDAL3Bv7MI8V0aWXXxZZIz1M1PyMUbIMnCRI=,tag:5fUBtqz9J2qvY4fUT2ueoQ==,type:str] + pgp: + - created_at: "2025-03-07T22:49:20Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMAzy6JxafzLr5AQf/Xok7aBMNT6W3LV2Ekx/ccxEZaZ0aVNKHE9aFTz5kBSpu + cXVohu5mEgeXr++HbrsCI821/gfchQ1yzVSLJsSrmZdJ586c3a7pWx2Eo4pcngmy + vb5UWtTBNogABnLz4iTjVQYLjZeNcNhkzW6s3m9PiaX3AvJP9irPcmwIyYpzd9pt + hngnBsdTis52fmvZ6+wOuMyTZU0Iksknom1De8xqgR5ZuO0Vitt19RGbpVhx96AC + t1CUkb5WMFTdpbCFORa/ta9Z7UcKxXTAPsfPkPVG9DnHQ1jSmsJWPDQZxoIJLHuH + SVV+qfRGndOo9fjExCInX6I5wBlrHrdpGtL7VLczV9JeAXYlMJwH63eOyi8hxxtr + KfTJEIALC25uFhoK8bmr30yVZe7thUPMXfht+R5dlHne7+FcBb4k7YLpeN/M40me + CSKk+9YaG7gQIdrfvEXlHSPCPppcKev6ZUspHewhmQ== + =IMON + -----END PGP MESSAGE----- + fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/system/configuration.nix b/system/configuration.nix index a227e36..f515e43 100644 --- a/system/configuration.nix +++ b/system/configuration.nix @@ -1,7 +1,7 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ pkgs, ... }: +{ pkgs, config, ... }: { imports = [ ./android.nix diff --git a/system/monolith-bitbucket-runner.nix b/system/monolith-bitbucket-runner.nix new file mode 100644 index 0000000..17d462b --- /dev/null +++ b/system/monolith-bitbucket-runner.nix @@ -0,0 +1,50 @@ +{ + config, + pkgs, + ... +}: + +let + mkRunner = secret: { + image = "docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner:latest"; + volumes = [ + "/tmp:/tmp" + "/var/run/docker.sock:/var/run/docker.sock" + "/var/lib/docker/containers:/var/lib/docker/containers:ro" + ]; + environmentFiles = [ secret ]; + }; + + secretConf = { + sopsFile = ../secrets/monolith/default.yaml; + }; +in +{ + virtualisation.docker = { + enable = true; + daemon.settings = { + # needed by bitbucket runner ??? + log-driver = "json-file"; + log-opts = { + max-size = "10m"; + max-file = "3"; + }; + }; + }; + + virtualisation.oci-containers.backend = "docker"; + + virtualisation.oci-containers.containers = { + bitbucket-runner-1 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-1".path; + bitbucket-runner-2 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-2".path; + bitbucket-runner-3 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-3".path; + bitbucket-runner-4 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-4".path; + }; + + sops.secrets = { + "bitbucket-runners/wopus-runner-1" = secretConf; + "bitbucket-runners/wopus-runner-2" = secretConf; + "bitbucket-runners/wopus-runner-3" = secretConf; + "bitbucket-runners/wopus-runner-4" = secretConf; + }; +} diff --git a/system/monolith-gitlab-runner.nix b/system/monolith-gitlab-runner.nix index 3e63d98..28a0ecd 100644 --- a/system/monolith-gitlab-runner.nix +++ b/system/monolith-gitlab-runner.nix @@ -1,7 +1,6 @@ { config, pkgs, - lib, ... }: let @@ -16,9 +15,29 @@ in services = { # runner for building in docker via host's nix-daemon # nix store will be readable in runner, might be insecure - thoreb-telemetria-nix = mkNixRunner config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path; - thoreb-itinerario-nix = mkNixRunner config.age.secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.path; + thoreb-telemetria-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-telemetria-nix".path; + thoreb-itinerario-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-itinerario-nix".path; + + default = { + # File should contain at least these two variables: + # `CI_SERVER_URL` + # `CI_SERVER_TOKEN` + authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/docker-images-token".path; + dockerImage = "debian:stable"; + }; }; }; systemd.services.gitlab-runner.serviceConfig.Nice = 10; + + sops.secrets = { + "gitlab-runners/thoreb-telemetria-nix" = { + sopsFile = ../secrets/monolith/default.yaml; + }; + "gitlab-runners/thoreb-itinerario-nix" = { + sopsFile = ../secrets/monolith/default.yaml; + }; + "gitlab-runners/docker-images-token" = { + sopsFile = ../secrets/monolith/default.yaml; + }; + }; } diff --git a/system/secrets.nix b/system/secrets.nix index fdf14e8..588dfe4 100644 --- a/system/secrets.nix +++ b/system/secrets.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: { age = { identityPaths = [ "/root/.ssh/id_rsa" ]; diff --git a/system/sops.nix b/system/sops.nix new file mode 100644 index 0000000..d868153 --- /dev/null +++ b/system/sops.nix @@ -0,0 +1,15 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + sops + gnupg + ]; + + sops = { + defaultSopsFile = ../secrets/test.yaml; + age.sshKeyPaths = [ + "/etc/ssh/ssh_host_ed25519_key" + "/home/lelgenio/.ssh/id_ed25519" + ]; + }; +}