diff --git a/.sops.yaml b/.sops.yaml index e8bb936..4f6a408 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,7 +7,7 @@ creation_rules: - age: - *hydra - *universedesk - - path_regex: secrets/[^/]+\.sh$ + - path_regex: secrets/[^/]+\.(sh|nix)$ key_groups: - age: - *hydra diff --git a/deploy/flake.nix b/deploy/flake.nix index 41b86d7..bda8057 100644 --- a/deploy/flake.nix +++ b/deploy/flake.nix @@ -1,6 +1,6 @@ { inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - inputs.newalan.url = "https://git.syzygial.cc/Syzygial/New-Alan/archive/main.tar.gz"; + inputs.newalan.url = "../"; outputs = { self, nixpkgs, newalan }: let new_alan_overlay = (final: prev: { @@ -10,6 +10,7 @@ nixosConfigurations."staging" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ + ../secrets/config.nix ({ config, pkgs, ... }: { nixpkgs.overlays = [ new_alan_overlay diff --git a/flake.nix b/flake.nix index 0d74b35..b2efe86 100644 --- a/flake.nix +++ b/flake.nix 
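Review bot: In the first deploy/flake.nix hunk, `inputs.newalan.url = "../";` drops the pin that the old hook provided when it substituted `main.tar.gz` with `${self.rev}.tar.gz`. The input now resolves to whatever tree sits beside `deploy/` at evaluation time, so which source gets deployed depends entirely on how the checkout was produced. Relative path inputs that point at a parent directory have also behaved differently across Nix versions, so this is worth verifying against the Nix version used on Hydra. I would add a comment above the line such as `# resolved against the checkout prepared by the deploy hook in ../flake.nix; not pinned here`.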
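Review bot: In the second deploy/flake.nix hunk, adding `../secrets/config.nix` to `modules` evaluates the secret as ordinary Nix source. Once `sops -i -d` has decrypted it in the tree (as the flake.nix hook in this commit does), the plaintext is copied into the world-readable `/nix/store` with the flake source. Any value it sets is likely to be embedded in the system closure too, and would travel with it to a binary cache. The committed file is a sops JSON envelope rather than a Nix expression, so `nixosConfigurations."staging"` also cannot evaluate from an undecrypted checkout. Consider keeping the module free of secret values and decrypting on the target at activation time (for example with sops-nix), referencing the secret by file path. The `modules` list continues outside the hunk.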
@@ -115,24 +115,28 @@ hydraJobs = checks // lib.optionalAttrs (system == "x86_64-linux" ) { - runCommandHook = let - deployFlake = pkgs.runCommand "New Alan Deploy" {} '' - mkdir $out - substitute ${./deploy/flake.nix} $out/flake.nix \ - --replace "main.tar.gz" "${self.rev}.tar.gz" - ''; - in { + runCommandHook = { newalan = pkgs.runCommand "New Alan Deployscript" { - nativeBuildInputs = [ - newalan - checks.newalan-nextest - ]; + nativeBuildInputs = builtins.attrValues checks; } '' - echo '#!${pkgs.runtimeShell}' >> $out - echo 'export flake=${deployFlake}' >> $out - echo Deploying ${deployFlake} - echo '# ${pkgs.runtimeShell} ./secrets/deploy.sh' >> $out + export tmp=$(mktemp -d) + pushd $tmp + ${pkgs.wget}/bin/wget \ + https://git.syzygial.cc/Syzygial/New-Alan/archive/${self.rev}.bundle + git clone * src + ${pkgs.tree}/bin/tree + cd src + sops -i -d secrets/config.nix + echo << 'DOC' + #!${pkgs.runtimeShell} + export flake="$tmp/src/deploy" + # ${pkgs.runtimeShell} ./secrets/deploy.sh + DOC >> $out chmod +x $out + popd + rm -rf $tmp + echo Listing $tmp + ls $tmp ''; }; }; diff --git a/secrets/config.nix b/secrets/config.nix new file mode 100644 index 0000000..7f137a2 --- /dev/null +++ b/secrets/config.nix 
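Review bot: The here-document meant to write the deploy script never reaches `$out`: `echo` does not read stdin, and `DOC >> $out` is not a bare terminator line, so the shell treats everything after `echo << 'DOC'` as here-document text and `chmod`, `popd` and `rm -rf $tmp` never run, the last of which would leave the decrypted `secrets/config.nix` behind in `$tmp`. Use `cat > $out << 'DOC'` with `DOC` alone on its closing line. Even then the quoted delimiter keeps `$tmp` literal in the generated script, and the directory it names is deleted before the build ends, so `flake=` points at nothing. Separately, the bundle is fetched with `wget` and cloned with no hash or signature check, `git` and `sops` are invoked by bare name without appearing in the visible `nativeBuildInputs`, and a sandboxed builder would presumably refuse the network access. The enclosing `hydraJobs` attribute set starts outside this hunk.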
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:fL7Q4zqOXIi2WC9Z5P9UasMy6v4afBdUSyKKt8jCe7384Q+pU6BVUsrcKw516bJg0i29Grx7kr/2hBEQ3a5dFt5t5+90gJzjDumseLNMSTO72zFu/uZVJXl3bt0esh16EJ0u9EC9Tsf7okIni3iE8B9xDnfYYSojcF0TPM19Yk8fHBF2BKYsUDHzTIZ0t0rYPTAqpFfYEtMGac87NPauYyWN7YqciTUFK/3euMBHoXLX6/9Iw1mYJzsmrQFE,iv:02nj6TLHoAg7YOGVJyPkJVWAKqWwttB//jzSmpDq0Ow=,tag:H5BGi6KnxByUgcq/T2Ge+g==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age18c3v89md4yjc9exjgfmk42csn8yqr9fvumsqjm8rnku5ac3q6gqs6s5un9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLU1hFOXpaN0wvWVk1N0t2\nQlBJZDFtOGdSOHZHZnJ3SGJsRnFtMHdQS2hnClcwdXFOWlliYjcrYVlxMHFrUU9O\nbTFsZ3BhRnFHbG05bXYzY2U3S3hKNmcKLS0tIGFRSm42Um04ZnZXTkpXYW1LVGVZ\nd21VREFGUGljbncyU04ra3JGek4wMWMKvpjyN1kijCpkcDPwpkrYkGZ9+DQrqKaC\nssh3OkuNoZ26FZv/2FWIC4+v9RJaHogDDbqqH1hFYqGZula3uPS1KQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1apajqje4zvah0n2dzds3kstlsakqr2ntk64xl7xc4erzedsuy9jqqk7cd7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRDNqeW0rVU9LNGdVYWZB\nTVkxdDVIOGtiNlZ1UHI2SjZpZ2J0d1psM3owClhVbWNMTzZMWFpUMGpiMzJvOXVi\ndlQzZFZkOTJQd3J0ZVAzVmRnSExjSFEKLS0tIFFrYWNVMzlITC85a2E2QUR4d2s0\nY1JZazEzdVg1K2JaUW5BTGNSai9COU0KWNkWId02IHLp8Kih9lkkV4HOd69GVT2v\nq4PnDevZeofV9qOFIpvi3UkFNeU21pjORg8d6pJPBgzyCcCFbQN2cA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-03-10T03:42:36Z", + "mac": "ENC[AES256_GCM,data:wttw2chEQeG/3eQdH9KPbqSveJTt5V83orPa6mnXlVWAkm/WTe4w3EwJOKl+UyOQq/lRSpplGWmq+z8SZt4OOfEVNfh3MBIX2bL+8PDPzJYS41Z4TYMs+FIUjHZCtHMWISKeO1ULmxvGEHN+/VHynnH9pTDdhE0LHTPd8iEdq3w=,iv:LGaD7+3Ao0QAf5c5RZCD0wqGeC0cCP3AMwRJOH37v2o=,tag:YPN2LxY8POY469F7E9qSTQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file 
diff --git a/secrets/deploy.sh b/secrets/deploy.sh index 5ce4d15..f9a02c6 100644 --- a/secrets/deploy.sh +++ b/secrets/deploy.sh @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:Mbg6Z1FK4vd7SLLh22C5CJXUb94js2Urrhp6JAfxkMhOqokMUuQOJgfhBE4MbV2Lwwh9ccmLyI3kFsPpHL0S/0s5BE4GM9zMdwRT0qbWi9bwJlyv0DLEK8at8+YPqCADBQowmbk=,iv:BwmSF1aB3JZ40v6dRKmFHM9WsH1N2lLxND51rewe0b8=,tag:7UZdHN9QaJNiXJgyUBH9ww==,type:str]", + "data": "ENC[AES256_GCM,data:Ls8bv2Oyq3ZUN5Xvjei2BA8PoHOjdXAZGrl69ek3pbe2mXnOWv8PH8y2tU2dFSaWCl/RJWxWqdlWfv7h56asE0BeHoV/LiL9mXAugK5iQgputWeGTkQDx0XmJJ2p,iv:/gjsHYY1UVcDn6b0dlyiC1Bdvj12yJTUBEYJI+o6OQ4=,tag:7rPht2t8FW7qhNis1k7gVA==,type:str]", "sops": { "kms": null, "gcp_kms": null, @@ -15,8 +15,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdUtHMERreXlZTGRGMWlM\nbldjMHFWWWRQZHRvZWx5QmhmVno0VmZQNmljCnFRUnZxT29iZkNxaExQbCtUNFFy\nMkttVkkrQkh0Ky91bnRxRmJ4VDk0N2MKLS0tIHhYREFwRUZ6a1BDM1FWZjlpcTJR\nVW5YSkwvZWQyMXNuaUdBTWpwa2Y1VWcKawzPRiMB/ruOBCylNssB/k+hITJDYX+6\nKpwHk9Avh6Pzhptm21yeY1zmVQkqEx6YU24aJiqs1RRmrQAvnWr3WQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2023-03-10T03:06:35Z", - "mac": "ENC[AES256_GCM,data:FeBfJbqcjF6gXS64UjsgZCN9Sx8Qiqe6HXfgxedk0kyoiLV0ucSmsvd4XUiB1tKhy3cJtGElXNzNP+p3er3QLCgpLdBu2kQ4HMs3eexOboaD/c+ZoDMT0rCdi0DgENEaWBRnXD2P0Jlo7ispOueJXykHFxd4pc3aIhJjlXw/ed8=,iv:4QWgPAiOROIj+J3lVH1ifGuKwYOEVx5uKaEfmDg/eQQ=,tag:iTDr5uRL/Aekp+cEZtfGgw==,type:str]", + "lastmodified": "2023-03-10T03:20:18Z", + "mac": "ENC[AES256_GCM,data:Eg6+ibTbUwOiK8XsYWQY+QJFg0W1erJn+efzN0HsE3+e2UuLHdSyL1M+b6BnVYc3XE54wbTUl4G0UstWDYWn+DXmEJdDUtB4WoTr80iY3fgz0Q3A1q46Z+SCDN+8/0cCJaEdEEqA6SptdopEmHFq3lgwttRIaotu/+x0nrIJMUA=,iv:YP4w4sR8gwdksVgHnNNoBy6Po0CiI0m+9gbgCAKXmkY=,tag:ReXepR+Tjr2OupHFO8KRnQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.7.3" diff --git a/secrets/deploy.yaml b/secrets/deploy.yaml index c2be17d..e69de29 100644 --- a/secrets/deploy.yaml +++ b/secrets/deploy.yaml 
@@ -1,30 +0,0 @@ -DISCORD_TOKEN: ENC[AES256_GCM,data:IA1ZKRjahzR/hyi9DeZPYJSmCwkWhJ1BQhD/RgADm7mAj4La5Svad7swNFltimMJSuSOX8bz1onPOBiPeqBF4ZfuFS8LKw==,iv:3DYPxVlyDahUCztVjSvBfkXbkLM3J0lp8oZPbOjXI/g=,tag:esTAmPTewAU9zlO1JNn25A==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age12qq2fn4nxx9g99vp5knndtn0xa0p6g9ztn48gv9ap8054am39c3qsezz90 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMREpSMmI4K1J4LzlnNGdH - S0k0dWdZUHo2YkNxeWR2eG5HYXpmQndxRmo0CmFZY2RrRUpIT0NsdkNKQTl3L3N3 - d2loNlZBajFyNmRPQzdIWUdMbUFzbEkKLS0tIGVGbEF1cDFneHl2ZUdpaTFjZGNq - dVNwdUNxcnhhd0dxcXhvRlRuR2IwR2cKCDFj6ubhGwcy6EFx0EaCcB/bE3k2PDeA - g8RhyS+k+XLpErkU2cd+Rz2Cwj2w4QORvJddwDhdnm/sqYCCLQlG3g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1apajqje4zvah0n2dzds3kstlsakqr2ntk64xl7xc4erzedsuy9jqqk7cd7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5RklkWE9VMFNQbkNIU0Z6 - WXBPTWthWG1oVzRsb3JWMUR1dE1zdEhMUkM4Clk0clA0d3A5SFdmem9lblhUVzRo - djJ3SlFDS0p4NEpxSHhoMnlnN2h3OVEKLS0tIGx1eVdaYXVtZER1KzB2ZkZickFs - TDd0dG1RYVFhWkkrWmlPVmt0aVJhclEK991J72XkQy2+1jQpY4rZSFkRFE8v/nqb - Vt3dG7GfnCjpf/F0BZscLsQdo1fcZcwgumlG3omyBTylFXTGnWT4VA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-03-09T23:19:57Z" - mac: ENC[AES256_GCM,data:le2wHQqrAVNYyPbJqhtmqb3teV+LVP7yQ9nPngBlC546vYh/rwY8NtOb8uiFpUiDAhw8P50QLsUVF/lL/i2D1DBd1MyWV3xOPH4uJ3W1EpB+gKZdDEV/XSEtvSkUFB9Lqp5OVCwOl41kA1PafD2qIrVlX8obGe9837+mFLb+Ys0=,iv:0yEZZPO+co1t5AgKAm2nHku+BvGJJ/j04Td6JtMMIcI=,tag:VA0jGJNDyPj7GbAxUcwP8g==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3