here: setup sops and 1 github runner

2025-12-26 15:04:59 +08:00 · 2024-02-20 17:20:44 -05:00 · 2024-02-20 17:20:44 -05:00 · 46f455907b
commit 46f455907b
parent 157f07026e
3 changed files with 20 additions and 7 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,6 +3,7 @@ keys:
  - &server_pce age1k2efalw74pce98ff2qa45hadkgew5q43gluefr7l4y4cqg6ul5ms8rlcep
  - &server_actual age1jd7cj3jj9g8qkch5k62gqm6fy62ufpx7q6hx06lwuvug4z8ya4uqu6u2ft
  - &server_immediacy age1cng52vahpnm8g3gcqf2n8w3jp74pvly3hjyn2zzrhjhaar6epa6szs9dqu
+  - &server_here age1fxllmnxnqke34c26y8pcz49tc5ur5qfagxjdryp2km8m0s0ev4mqz09gs6
 creation_rules:
  - path_regex: secrets.json$
    key_groups:
@ -11,3 +12,4 @@ creation_rules:
        - *server_pce
        - *server_actual
        - *server_immediacy
+        - *server_here
--- a/flake.nix
+++ b/flake.nix
@ -76,10 +76,17 @@
          here = self.nixos-flake.lib.mkLinuxSystem {
            imports = [
              self.nixosModules.common # Defined in nixos/default.nix
+              inputs.sops-nix.nixosModules.sops
              ./systems/here.nix
              ./nixos/server/harden.nix
+              ./nixos/easy-github-runners.nix
            ];
+            sops.defaultSopsFile = ./secrets.json;
+            sops.defaultSopsFormat = "json";
            services.tailscale.enable = true;
+            services.easy-github-runners = {
+              "srid/emanote" = { };
+            };
          };

          immediacy = self.nixos-flake.lib.mkLinuxSystem {
@ -93,8 +100,8 @@
            sops.defaultSopsFile = ./secrets.json;
            sops.defaultSopsFormat = "json";
            services.tailscale.enable = true;
+            # TODO: Move these to 'here' VM.
            services.easy-github-runners = {
-              "srid/emanote" = { };
              "srid/haskell-flake" = { };
              "srid/nixos-config" = { };
              "srid/nixos-flake" = { };
--- a/secrets.json
+++ b/secrets.json
@ -34,23 +34,27 @@
 		"age": [
 			{
 				"recipient": "age1zdwstn787x2a7hllksjk0zpdx3wdvy3fju8hk33a583jtv3d8q9qsvzfan",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZnppR0RDNUQvTktkWVcr\nNzFaayt5TDNwajcvMUl0bUNWdWwwSldkR2h3CmhvM0FYRGZjYWxhRFRsUnp2U1Vt\nbU1GUWtrWWFKclVhNmxpT09vMXcrNUUKLS0tIGVHVk9xQ1RsY0pTVVNxY3YwR0d2\nRmYrL1h1bUtmbTlSTVpReE1DRENNaVkKcUlybJ76q0qKBFc26G6EyusDTXUHLIah\ndf6Nnkw4t2DdQcOFh/EFsqHSTVoBx1SIAy8ThkDPGsZ0Ov9wsTs3PQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRldZTVhWSktEV1h5QkVa\naUdyY3dybGRyRTJHb2c5aURIbHB4Njk4OFNrCnhZb293enlnSzZqRWt4WElQT29v\nTlNXSTVSVFJDSmtaZG5veUdLRkdpMFUKLS0tIEt3YlRKK2NpdFJCSWJCK0JQWElT\nUlNLajJQaGlUMG85YjJnVHhtSGF5SkEKmrnDtZ0ED/DQaWQy63Sww/5HtK1hS3PV\nkWcTIZJJGmZrLiDyk0DUcNQNWKM1G88w3hdnEGo2b+/utmm/E7U8uA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1k2efalw74pce98ff2qa45hadkgew5q43gluefr7l4y4cqg6ul5ms8rlcep",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdG5wMU0zZlpQblUvaGJj\nZm45eDNaR1V5dTV6R0krUW82MXVURzVBR3hnCktHdmI0MmlHSkVBa1JMczFYVVFp\nZ29hNmxnQnU4MTAveXI3RjNVZEpBckkKLS0tIGFhSnVobk9oY1VzRjJaYmtpS210\nUEpncXBzbmlYaStSazFSdGxYWlhrNlUK8FvAVOnkQEM6fyTGwvmKvgURADXcnvEh\nC92FbcTMbVjwjx51SSznfwVn5U3iQhWiU7a5ArpTl1wej2/qjjhLCQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSzhYUTh5NmEyckgvdTZv\nWVY1M3NMRjgxdm9iK0tBNG9uRElVb0xiWXh3CmZhMURsMm1qM1N5NXVyM1l5aGl2\nZThDZnBhM0h4VTdGbnhpbEFlUWJhZ2MKLS0tIEpQVXFDa29zbzdNOG1EbG5SN0pU\nYTkvU0xEV3hFYlllS2JQUllHK1NRS00KQ366Ym3HHEpmnjJjiukRYv70D3kVdiCa\noR+MGl87Ny7OEQT5qb+Ku6+zMgyoGUBsRBz9xk5uWGUM7+T3KZrC7A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1jd7cj3jj9g8qkch5k62gqm6fy62ufpx7q6hx06lwuvug4z8ya4uqu6u2ft",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cVNHbkFGOUxTUkhXR0pC\nZzZhTVJSc3hhaHdra0E2ZG0yblM0NTJnQUJBCkRvM1pyV3pEQkNOT0pqbnBXM2ow\naDR0ZE04Y1FUZEVCek9JbUJFUzVqcXMKLS0tIEUrdUZsc1U4aTFGVVk0ZndWalhE\nSnNnL05sKytNWCtmSm84WGxRc28rMkEK3Orv4ti4CXgpq97FZ8ftY51n0Ees6qZk\n62E3ma7OHBq3E1DSLFFbydIwJxmBV1ym3jiRg9aW7yW3EZJagGXafw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaa0V4SThUVmRJRWxwUERD\neDNxR1ZVUEtpRXFpWm9yTGkreVlVd1JIMVVVCm81RFVWM0l1S2tqTGNlbUZkVHBw\neTZyTk9uOFhCK2VnWWZYM0txOWlGMmMKLS0tIGNmL0thUkxjL2YvY0FEUFQ0bWhM\nOFB0alFTWStOb2xtQmllZE9aVVdObHcKov+HAFAeSkDA1fkry7u1/BGeyIZKkorJ\nfs+tggJwptpn+eNB1rcRVRhlUIf24LeyUi9ro27AslSZKINokEFHsA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1cng52vahpnm8g3gcqf2n8w3jp74pvly3hjyn2zzrhjhaar6epa6szs9dqu",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM2Q4MjJiTHZ6dTB5M3Rm\nU0VEQVowUVN4cmFkbzkxTStZdTh1V00xM2hnCjNVVW5hUURMTkhuU2FvS0lkQ1Zm\nQXp6SVhuOTZwQXFTcFZ3WjZhbG81Q1UKLS0tIHFKUzAwZkJPTGUrcFMvMFF2bmxZ\nQ2l0RVVBcGJ0bGtWRXJSTk9lL3J6WWsKd3DWiedz0Jos02vJhxb24vZ6hz81IpGp\n2Gy7neDz1PooQ9ydoDXWFxrY9TOFg0Ax1jNCWlowg/TlVWJtw2vHZQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydC9hcUpPUnpiblQveE5H\ndTUxdm9WNmpNcXBNd0pEcjFOSVlua01ZQlhJCm4zYlE3YWptemtMaFQ3NW1tb3JS\nUXlHMWs2V1daUGtod3BsRGRqVmtjQWsKLS0tIDVCVzA5bjVla0R5MXFVMFFDM1Ax\nMUdvUDdIVENyMTB1aGNOaDFRMzFwWU0KI+o26mFXGmJWRJbFgAgmBtV4TGH1xH4k\nboDoBPbYgNkFSxDm6iPC7oqBohW0XFWQ2JE1HPWJ3ZT5PRRK+OMgYw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1fxllmnxnqke34c26y8pcz49tc5ur5qfagxjdryp2km8m0s0ev4mqz09gs6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZDJnaU9ISlFKYlBrVDUz\nTWtzN21reUlQSzVubG5LM0hsRjJaa09tTlRNCktVQU5YejBpK1hHTldZTFFPbElJ\nK3ZBZ2k2c3BJbDNoVnpmWE56N2l1bU0KLS0tIEVpS3VQT1dvNFNjRGptY3dmdW5l\nQnJOaXlIeFNrVk1yMWdmbHZCN0FycjQKT3h9/0WdjUdmawRTLopXk6VK73AT4BF8\noMvrRF9lKWrpPnAEXxzfLNNjUtiWLV0KJ7h8ekaJZIsTN8rmZhhL5A==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-02-13T18:59:51Z",
-		"mac": "ENC[AES256_GCM,data:5zBCL6OH4wqOSYbB+ReIpL6xxssC8yibGLs2cvmhd54d9MJDvluYi4j7Hxrhfq+VHG4JoCoBm/IoTxw4h1c5CZ/96rxbxSxwe1NZfBNWo3EhenPR7KGdtq5rXbWZf+rmG/GS5CcCFW7VV2JlShKUEXpNGUvjCX2YiLkBxRDPl7Y=,iv:gDNWZ2o7XUUG+zp7+Un23eGNF3GJfzGGx2s1/BPIlxg=,tag:MvBSJQhmuiGJyyNz1m6TAQ==,type:str]",
+		"lastmodified": "2024-02-20T21:52:53Z",
+		"mac": "ENC[AES256_GCM,data:ue6wtadXQbeY0kyoBg4bBjvdhsFzEhcqsEAhQHvHS39/f4Ke1kWb8KwMhb9ZDColPS3xTj6LCgV6GgJKRwif0cTKIZZ7+Ng8KcXmIT6zPdILA1HDagUV7gMDjxkCXO/rJDV3kWsZj/0v789Pb86jL78u6IL7ECoWJ4M/mHBOA9g=,iv:vOn4W+Mjo6r/HYR06nKsM5U7hLl7BLG1o7cqzTrYEJE=,tag:9nT8YWmKl1KPMTrH0l5HVg==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"