Migrate Secrets into Nix Module
@@ -7,7 +7,7 @@ creation_rules:
|
||||
- age:
|
||||
- *hydra
|
||||
- *universedesk
|
||||
- path_regex: secrets/[^/]+\.sh$
|
||||
- path_regex: secrets/[^/]+\.(sh|nix)$
|
||||
key_groups:
|
||||
- age:
|
||||
- *hydra
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
inputs.newalan.url = "https://git.syzygial.cc/Syzygial/New-Alan/archive/main.tar.gz";
|
||||
inputs.newalan.url = "../";
|
||||
|
||||
outputs = { self, nixpkgs, newalan }: let
|
||||
new_alan_overlay = (final: prev: {
|
||||
@@ -10,6 +10,7 @@
|
||||
nixosConfigurations."staging" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
../secrets/config.nix
|
||||
({ config, pkgs, ... }: {
|
||||
nixpkgs.overlays = [
|
||||
new_alan_overlay
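Review bot: Adding `../secrets/config.nix` to `modules` means the staging system only evaluates after that file has been decrypted in place, and a flake's source tree, decrypted file included, is copied into `/nix/store`, which every local user can read. The `secrets/config.nix` added elsewhere in this commit is a sops JSON envelope rather than a Nix expression, so evaluation from a clean checkout presumably fails. Consider keeping the file encrypted in the repository and decrypting on the target at activation time (sops-nix and agenix work this way), so the module only refers to a runtime path. The `"../"` input, apparently the new value, also ties this flake to a full repository checkout; a comment such as `# resolved relative to deploy/ inside a full checkout of the repository` would make that explicit. The module list continues past the end of this hunk.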
|
||||
|
||||
34
flake.nix
34
flake.nix
@@ -115,24 +115,28 @@
|
||||
|
||||
hydraJobs = checks // lib.optionalAttrs
|
||||
(system == "x86_64-linux" ) {
|
||||
runCommandHook = let
|
||||
deployFlake = pkgs.runCommand "New Alan Deploy" {} ''
|
||||
mkdir $out
|
||||
substitute ${./deploy/flake.nix} $out/flake.nix \
|
||||
--replace "main.tar.gz" "${self.rev}.tar.gz"
|
||||
'';
|
||||
in {
|
||||
runCommandHook = {
|
||||
newalan = pkgs.runCommand "New Alan Deployscript" {
|
||||
nativeBuildInputs = [
|
||||
newalan
|
||||
checks.newalan-nextest
|
||||
];
|
||||
nativeBuildInputs = builtins.attrValues checks;
|
||||
} ''
|
||||
echo '#!${pkgs.runtimeShell}' >> $out
|
||||
echo 'export flake=${deployFlake}' >> $out
|
||||
echo Deploying ${deployFlake}
|
||||
echo '# ${pkgs.runtimeShell} ./secrets/deploy.sh' >> $out
|
||||
export tmp=$(mktemp -d)
|
||||
pushd $tmp
|
||||
${pkgs.wget}/bin/wget \
|
||||
https://git.syzygial.cc/Syzygial/New-Alan/archive/${self.rev}.bundle
|
||||
git clone * src
|
||||
${pkgs.tree}/bin/tree
|
||||
cd src
|
||||
sops -i -d secrets/config.nix
|
||||
echo << 'DOC'
|
||||
#!${pkgs.runtimeShell}
|
||||
export flake="$tmp/src/deploy"
|
||||
# ${pkgs.runtimeShell} ./secrets/deploy.sh
|
||||
DOC >> $out
|
||||
chmod +x $out
|
||||
popd
|
||||
rm -rf $tmp
|
||||
echo Listing $tmp
|
||||
ls $tmp
|
||||
'';
|
||||
};
|
||||
};
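Review bot: The new builder body downloads the bundle and runs `sops -i -d secrets/config.nix` during the derivation build, where a sandboxed build normally has neither network access nor the age key, and where anything that reaches `$out` is world-readable in the store. The hook script is also never written: `echo << 'DOC'` ignores its stdin, `DOC >> $out` is not a valid heredoc terminator, and `rm -rf $tmp` runs before the path exported as `flake` could be used. Emitting the whole fetch-and-decrypt sequence into the hook script, as sketched below, keeps plaintext out of the build; whether the hook environment provides `git`, `sops` and the key is not visible here.

```nix
newalan = pkgs.runCommand "New Alan Deployscript" {
  nativeBuildInputs = builtins.attrValues checks;
} ''
  # The build only writes the hook script; fetching and decrypting happen when the hook runs.
  cat > $out << 'DOC'
  #!${pkgs.runtimeShell}
  set -eu
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  cd "$tmp"
  ${pkgs.wget}/bin/wget \
    https://git.syzygial.cc/Syzygial/New-Alan/archive/${self.rev}.bundle
  git clone ./*.bundle src
  cd src
  sops -i -d secrets/config.nix
  export flake="$tmp/src/deploy"
  # ${pkgs.runtimeShell} ./secrets/deploy.sh
  DOC
  chmod +x $out
'';
```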
|
||||
|
||||
24
secrets/config.nix
Normal file
24
secrets/config.nix
Normal file
@@ -0,0 +1,24 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:fL7Q4zqOXIi2WC9Z5P9UasMy6v4afBdUSyKKt8jCe7384Q+pU6BVUsrcKw516bJg0i29Grx7kr/2hBEQ3a5dFt5t5+90gJzjDumseLNMSTO72zFu/uZVJXl3bt0esh16EJ0u9EC9Tsf7okIni3iE8B9xDnfYYSojcF0TPM19Yk8fHBF2BKYsUDHzTIZ0t0rYPTAqpFfYEtMGac87NPauYyWN7YqciTUFK/3euMBHoXLX6/9Iw1mYJzsmrQFE,iv:02nj6TLHoAg7YOGVJyPkJVWAKqWwttB//jzSmpDq0Ow=,tag:H5BGi6KnxByUgcq/T2Ge+g==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age18c3v89md4yjc9exjgfmk42csn8yqr9fvumsqjm8rnku5ac3q6gqs6s5un9",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLU1hFOXpaN0wvWVk1N0t2\nQlBJZDFtOGdSOHZHZnJ3SGJsRnFtMHdQS2hnClcwdXFOWlliYjcrYVlxMHFrUU9O\nbTFsZ3BhRnFHbG05bXYzY2U3S3hKNmcKLS0tIGFRSm42Um04ZnZXTkpXYW1LVGVZ\nd21VREFGUGljbncyU04ra3JGek4wMWMKvpjyN1kijCpkcDPwpkrYkGZ9+DQrqKaC\nssh3OkuNoZ26FZv/2FWIC4+v9RJaHogDDbqqH1hFYqGZula3uPS1KQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1apajqje4zvah0n2dzds3kstlsakqr2ntk64xl7xc4erzedsuy9jqqk7cd7",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRDNqeW0rVU9LNGdVYWZB\nTVkxdDVIOGtiNlZ1UHI2SjZpZ2J0d1psM3owClhVbWNMTzZMWFpUMGpiMzJvOXVi\ndlQzZFZkOTJQd3J0ZVAzVmRnSExjSFEKLS0tIFFrYWNVMzlITC85a2E2QUR4d2s0\nY1JZazEzdVg1K2JaUW5BTGNSai9COU0KWNkWId02IHLp8Kih9lkkV4HOd69GVT2v\nq4PnDevZeofV9qOFIpvi3UkFNeU21pjORg8d6pJPBgzyCcCFbQN2cA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2023-03-10T03:42:36Z",
|
||||
"mac": "ENC[AES256_GCM,data:wttw2chEQeG/3eQdH9KPbqSveJTt5V83orPa6mnXlVWAkm/WTe4w3EwJOKl+UyOQq/lRSpplGWmq+z8SZt4OOfEVNfh3MBIX2bL+8PDPzJYS41Z4TYMs+FIUjHZCtHMWISKeO1ULmxvGEHN+/VHynnH9pTDdhE0LHTPd8iEdq3w=,iv:LGaD7+3Ao0QAf5c5RZCD0wqGeC0cCP3AMwRJOH37v2o=,tag:YPN2LxY8POY469F7E9qSTQ==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.7.3"
|
||||
}
|
||||
}
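Review bot: The recipient list here (`age18c3v…` and `age1apajq…`) differs from the one in the YAML secrets file this commit deletes, which was encrypted to `age12qq2…` and `age1apajq…`. If the same token moved into this file and the `age12qq2…` key was dropped because it is no longer trusted, the old ciphertext stays in git history and remains decryptable with that key, so the token should be rotated rather than only re-encrypted. Because the whole file is one opaque `data` blob, a short note next to the creation rule in `.sops.yaml` would help reviewers, for example `# secrets/config.nix: NixOS module holding deploy secrets, sops-encrypted as a whole file`.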
|
||||
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:Mbg6Z1FK4vd7SLLh22C5CJXUb94js2Urrhp6JAfxkMhOqokMUuQOJgfhBE4MbV2Lwwh9ccmLyI3kFsPpHL0S/0s5BE4GM9zMdwRT0qbWi9bwJlyv0DLEK8at8+YPqCADBQowmbk=,iv:BwmSF1aB3JZ40v6dRKmFHM9WsH1N2lLxND51rewe0b8=,tag:7UZdHN9QaJNiXJgyUBH9ww==,type:str]",
|
||||
"data": "ENC[AES256_GCM,data:Ls8bv2Oyq3ZUN5Xvjei2BA8PoHOjdXAZGrl69ek3pbe2mXnOWv8PH8y2tU2dFSaWCl/RJWxWqdlWfv7h56asE0BeHoV/LiL9mXAugK5iQgputWeGTkQDx0XmJJ2p,iv:/gjsHYY1UVcDn6b0dlyiC1Bdvj12yJTUBEYJI+o6OQ4=,tag:7rPht2t8FW7qhNis1k7gVA==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
@@ -15,8 +15,8 @@
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdUtHMERreXlZTGRGMWlM\nbldjMHFWWWRQZHRvZWx5QmhmVno0VmZQNmljCnFRUnZxT29iZkNxaExQbCtUNFFy\nMkttVkkrQkh0Ky91bnRxRmJ4VDk0N2MKLS0tIHhYREFwRUZ6a1BDM1FWZjlpcTJR\nVW5YSkwvZWQyMXNuaUdBTWpwa2Y1VWcKawzPRiMB/ruOBCylNssB/k+hITJDYX+6\nKpwHk9Avh6Pzhptm21yeY1zmVQkqEx6YU24aJiqs1RRmrQAvnWr3WQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2023-03-10T03:06:35Z",
|
||||
"mac": "ENC[AES256_GCM,data:FeBfJbqcjF6gXS64UjsgZCN9Sx8Qiqe6HXfgxedk0kyoiLV0ucSmsvd4XUiB1tKhy3cJtGElXNzNP+p3er3QLCgpLdBu2kQ4HMs3eexOboaD/c+ZoDMT0rCdi0DgENEaWBRnXD2P0Jlo7ispOueJXykHFxd4pc3aIhJjlXw/ed8=,iv:4QWgPAiOROIj+J3lVH1ifGuKwYOEVx5uKaEfmDg/eQQ=,tag:iTDr5uRL/Aekp+cEZtfGgw==,type:str]",
|
||||
"lastmodified": "2023-03-10T03:20:18Z",
|
||||
"mac": "ENC[AES256_GCM,data:Eg6+ibTbUwOiK8XsYWQY+QJFg0W1erJn+efzN0HsE3+e2UuLHdSyL1M+b6BnVYc3XE54wbTUl4G0UstWDYWn+DXmEJdDUtB4WoTr80iY3fgz0Q3A1q46Z+SCDN+8/0cCJaEdEEqA6SptdopEmHFq3lgwttRIaotu/+x0nrIJMUA=,iv:YP4w4sR8gwdksVgHnNNoBy6Po0CiI0m+9gbgCAKXmkY=,tag:ReXepR+Tjr2OupHFO8KRnQ==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.7.3"
|
||||
|
||||
@@ -1,30 +0,0 @@
|
||||
DISCORD_TOKEN: ENC[AES256_GCM,data:IA1ZKRjahzR/hyi9DeZPYJSmCwkWhJ1BQhD/RgADm7mAj4La5Svad7swNFltimMJSuSOX8bz1onPOBiPeqBF4ZfuFS8LKw==,iv:3DYPxVlyDahUCztVjSvBfkXbkLM3J0lp8oZPbOjXI/g=,tag:esTAmPTewAU9zlO1JNn25A==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age12qq2fn4nxx9g99vp5knndtn0xa0p6g9ztn48gv9ap8054am39c3qsezz90
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMREpSMmI4K1J4LzlnNGdH
|
||||
S0k0dWdZUHo2YkNxeWR2eG5HYXpmQndxRmo0CmFZY2RrRUpIT0NsdkNKQTl3L3N3
|
||||
d2loNlZBajFyNmRPQzdIWUdMbUFzbEkKLS0tIGVGbEF1cDFneHl2ZUdpaTFjZGNq
|
||||
dVNwdUNxcnhhd0dxcXhvRlRuR2IwR2cKCDFj6ubhGwcy6EFx0EaCcB/bE3k2PDeA
|
||||
g8RhyS+k+XLpErkU2cd+Rz2Cwj2w4QORvJddwDhdnm/sqYCCLQlG3g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1apajqje4zvah0n2dzds3kstlsakqr2ntk64xl7xc4erzedsuy9jqqk7cd7
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5RklkWE9VMFNQbkNIU0Z6
|
||||
WXBPTWthWG1oVzRsb3JWMUR1dE1zdEhMUkM4Clk0clA0d3A5SFdmem9lblhUVzRo
|
||||
djJ3SlFDS0p4NEpxSHhoMnlnN2h3OVEKLS0tIGx1eVdaYXVtZER1KzB2ZkZickFs
|
||||
TDd0dG1RYVFhWkkrWmlPVmt0aVJhclEK991J72XkQy2+1jQpY4rZSFkRFE8v/nqb
|
||||
Vt3dG7GfnCjpf/F0BZscLsQdo1fcZcwgumlG3omyBTylFXTGnWT4VA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-03-09T23:19:57Z"
|
||||
mac: ENC[AES256_GCM,data:le2wHQqrAVNYyPbJqhtmqb3teV+LVP7yQ9nPngBlC546vYh/rwY8NtOb8uiFpUiDAhw8P50QLsUVF/lL/i2D1DBd1MyWV3xOPH4uJ3W1EpB+gKZdDEV/XSEtvSkUFB9Lqp5OVCwOl41kA1PafD2qIrVlX8obGe9837+mFLb+Ys0=,iv:0yEZZPO+co1t5AgKAm2nHku+BvGJJ/j04Td6JtMMIcI=,tag:VA0jGJNDyPj7GbAxUcwP8g==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
||||