From 46f455907b57c234c06ff338da89cd9855c8ec7f Mon Sep 17 00:00:00 2001
From: Sridhar Ratnakumar
Date: Tue, 20 Feb 2024 17:20:44 -0500
Subject: [PATCH] here: setup sops and 1 github runner

---
 .sops.yaml | 2 ++
 flake.nix | 9 ++++++++-
 secrets.json | 16 ++++++++++------
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 9ea6b8c..7dc23e4 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
 - &server_pce age1k2efalw74pce98ff2qa45hadkgew5q43gluefr7l4y4cqg6ul5ms8rlcep
 - &server_actual age1jd7cj3jj9g8qkch5k62gqm6fy62ufpx7q6hx06lwuvug4z8ya4uqu6u2ft
 - &server_immediacy age1cng52vahpnm8g3gcqf2n8w3jp74pvly3hjyn2zzrhjhaar6epa6szs9dqu
+ - &server_here age1fxllmnxnqke34c26y8pcz49tc5ur5qfagxjdryp2km8m0s0ev4mqz09gs6
 creation_rules:
 - path_regex: secrets.json$
 key_groups:
@@ -11,3 +12,4 @@ creation_rules:
 - *server_pce
 - *server_actual
 - *server_immediacy
+ - *server_here
diff --git a/flake.nix b/flake.nix
index ea844ff..5661124 100644
--- a/flake.nix
+++ b/flake.nix
@@ -76,10 +76,17 @@
 here = self.nixos-flake.lib.mkLinuxSystem {
 imports = [
 self.nixosModules.common # Defined in nixos/default.nix
+ inputs.sops-nix.nixosModules.sops
 ./systems/here.nix
 ./nixos/server/harden.nix
+ ./nixos/easy-github-runners.nix
 ];
+ sops.defaultSopsFile = ./secrets.json;
+ sops.defaultSopsFormat = "json";
 services.tailscale.enable = true;
+ services.easy-github-runners = {
+ "srid/emanote" = { };
+ };
 };
 
 immediacy = self.nixos-flake.lib.mkLinuxSystem {
@@ -93,8 +100,8 @@
 sops.defaultSopsFile = ./secrets.json;
 sops.defaultSopsFormat = "json";
 services.tailscale.enable = true;
+ # TODO: Move these to 'here' VM.
 services.easy-github-runners = {
- "srid/emanote" = { };
 "srid/haskell-flake" = { };
 "srid/nixos-config" = { };
 "srid/nixos-flake" = { };
diff --git a/secrets.json b/secrets.json
index 64b94c8..1a2bb04 100644
--- a/secrets.json
+++ b/secrets.json
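Review bot: Adding `*server_here` to the single `secrets.json$` key group lets the new runner host decrypt every value in that file rather than only what its GitHub runner needs, because a sops file has one data key that every listed recipient can unwrap (the second hunk at `@@ -11,3 +12,4 @@` is the same addition). Since `here` is the host that will execute CI jobs, it is the one I would least want holding the other servers' secrets; a separate creation rule such as `- path_regex: secrets/here\.json$` with its own key group (`*server_here` plus whoever edits that file) would limit a compromise of the runner host to its own material. The secrets.json diffstat (+10/−6) covers only the age stanzas, `lastmodified` and `mac`, which is consistent with the existing data key being re-wrapped for the new recipient rather than rotated — normal when adding a host, but worth stating in the commit message so nobody assumes the contents were re-keyed.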
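Review bot: `sops.defaultSopsFile = ./secrets.json;` and `sops.defaultSopsFormat = "json";` are now repeated verbatim for `here` and `immediacy` (the latter pair is context in the second hunk at `@@ -93,8 +100,8 @@`), as is the `inputs.sops-nix.nixosModules.sops` import; if every host uses sops, those three lines belong in `self.nixosModules.common` or a small `./nixos/sops.nix` imported alongside `harden.nix`, so the two hosts cannot drift when the secrets file is split or renamed. The new `services.easy-github-runners` block for `here` does not say where the runner's credential comes from; a comment like `# runner token is provided via sops-nix from secrets.json` above it would make the dependency on the `sops.*` lines explicit, assuming `./nixos/easy-github-runners.nix` does read it that way (not visible in this hunk). The `# TODO: Move these to 'here' VM.` added in the second hunk would be more actionable if it said what blocks the move, since this commit already moves `srid/emanote` and leaves the other three runners behind. The `immediacy` attribute set in the second hunk starts and ends outside that hunk.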
@@ -34,23 +34,27 @@ "age": [ { "recipient": "age1zdwstn787x2a7hllksjk0zpdx3wdvy3fju8hk33a583jtv3d8q9qsvzfan", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZnppR0RDNUQvTktkWVcr\nNzFaayt5TDNwajcvMUl0bUNWdWwwSldkR2h3CmhvM0FYRGZjYWxhRFRsUnp2U1Vt\nbU1GUWtrWWFKclVhNmxpT09vMXcrNUUKLS0tIGVHVk9xQ1RsY0pTVVNxY3YwR0d2\nRmYrL1h1bUtmbTlSTVpReE1DRENNaVkKcUlybJ76q0qKBFc26G6EyusDTXUHLIah\ndf6Nnkw4t2DdQcOFh/EFsqHSTVoBx1SIAy8ThkDPGsZ0Ov9wsTs3PQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRldZTVhWSktEV1h5QkVa\naUdyY3dybGRyRTJHb2c5aURIbHB4Njk4OFNrCnhZb293enlnSzZqRWt4WElQT29v\nTlNXSTVSVFJDSmtaZG5veUdLRkdpMFUKLS0tIEt3YlRKK2NpdFJCSWJCK0JQWElT\nUlNLajJQaGlUMG85YjJnVHhtSGF5SkEKmrnDtZ0ED/DQaWQy63Sww/5HtK1hS3PV\nkWcTIZJJGmZrLiDyk0DUcNQNWKM1G88w3hdnEGo2b+/utmm/E7U8uA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1k2efalw74pce98ff2qa45hadkgew5q43gluefr7l4y4cqg6ul5ms8rlcep", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdG5wMU0zZlpQblUvaGJj\nZm45eDNaR1V5dTV6R0krUW82MXVURzVBR3hnCktHdmI0MmlHSkVBa1JMczFYVVFp\nZ29hNmxnQnU4MTAveXI3RjNVZEpBckkKLS0tIGFhSnVobk9oY1VzRjJaYmtpS210\nUEpncXBzbmlYaStSazFSdGxYWlhrNlUK8FvAVOnkQEM6fyTGwvmKvgURADXcnvEh\nC92FbcTMbVjwjx51SSznfwVn5U3iQhWiU7a5ArpTl1wej2/qjjhLCQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSzhYUTh5NmEyckgvdTZv\nWVY1M3NMRjgxdm9iK0tBNG9uRElVb0xiWXh3CmZhMURsMm1qM1N5NXVyM1l5aGl2\nZThDZnBhM0h4VTdGbnhpbEFlUWJhZ2MKLS0tIEpQVXFDa29zbzdNOG1EbG5SN0pU\nYTkvU0xEV3hFYlllS2JQUllHK1NRS00KQ366Ym3HHEpmnjJjiukRYv70D3kVdiCa\noR+MGl87Ny7OEQT5qb+Ku6+zMgyoGUBsRBz9xk5uWGUM7+T3KZrC7A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1jd7cj3jj9g8qkch5k62gqm6fy62ufpx7q6hx06lwuvug4z8ya4uqu6u2ft", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cVNHbkFGOUxTUkhXR0pC\nZzZhTVJSc3hhaHdra0E2ZG0yblM0NTJnQUJBCkRvM1pyV3pEQkNOT0pqbnBXM2ow\naDR0ZE04Y1FUZEVCek9JbUJFUzVqcXMKLS0tIEUrdUZsc1U4aTFGVVk0ZndWalhE\nSnNnL05sKytNWCtmSm84WGxRc28rMkEK3Orv4ti4CXgpq97FZ8ftY51n0Ees6qZk\n62E3ma7OHBq3E1DSLFFbydIwJxmBV1ym3jiRg9aW7yW3EZJagGXafw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaa0V4SThUVmRJRWxwUERD\neDNxR1ZVUEtpRXFpWm9yTGkreVlVd1JIMVVVCm81RFVWM0l1S2tqTGNlbUZkVHBw\neTZyTk9uOFhCK2VnWWZYM0txOWlGMmMKLS0tIGNmL0thUkxjL2YvY0FEUFQ0bWhM\nOFB0alFTWStOb2xtQmllZE9aVVdObHcKov+HAFAeSkDA1fkry7u1/BGeyIZKkorJ\nfs+tggJwptpn+eNB1rcRVRhlUIf24LeyUi9ro27AslSZKINokEFHsA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1cng52vahpnm8g3gcqf2n8w3jp74pvly3hjyn2zzrhjhaar6epa6szs9dqu", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM2Q4MjJiTHZ6dTB5M3Rm\nU0VEQVowUVN4cmFkbzkxTStZdTh1V00xM2hnCjNVVW5hUURMTkhuU2FvS0lkQ1Zm\nQXp6SVhuOTZwQXFTcFZ3WjZhbG81Q1UKLS0tIHFKUzAwZkJPTGUrcFMvMFF2bmxZ\nQ2l0RVVBcGJ0bGtWRXJSTk9lL3J6WWsKd3DWiedz0Jos02vJhxb24vZ6hz81IpGp\n2Gy7neDz1PooQ9ydoDXWFxrY9TOFg0Ax1jNCWlowg/TlVWJtw2vHZQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydC9hcUpPUnpiblQveE5H\ndTUxdm9WNmpNcXBNd0pEcjFOSVlua01ZQlhJCm4zYlE3YWptemtMaFQ3NW1tb3JS\nUXlHMWs2V1daUGtod3BsRGRqVmtjQWsKLS0tIDVCVzA5bjVla0R5MXFVMFFDM1Ax\nMUdvUDdIVENyMTB1aGNOaDFRMzFwWU0KI+o26mFXGmJWRJbFgAgmBtV4TGH1xH4k\nboDoBPbYgNkFSxDm6iPC7oqBohW0XFWQ2JE1HPWJ3ZT5PRRK+OMgYw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1fxllmnxnqke34c26y8pcz49tc5ur5qfagxjdryp2km8m0s0ev4mqz09gs6", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZDJnaU9ISlFKYlBrVDUz\nTWtzN21reUlQSzVubG5LM0hsRjJaa09tTlRNCktVQU5YejBpK1hHTldZTFFPbElJ\nK3ZBZ2k2c3BJbDNoVnpmWE56N2l1bU0KLS0tIEVpS3VQT1dvNFNjRGptY3dmdW5l\nQnJOaXlIeFNrVk1yMWdmbHZCN0FycjQKT3h9/0WdjUdmawRTLopXk6VK73AT4BF8\noMvrRF9lKWrpPnAEXxzfLNNjUtiWLV0KJ7h8ekaJZIsTN8rmZhhL5A==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-02-13T18:59:51Z", - "mac": "ENC[AES256_GCM,data:5zBCL6OH4wqOSYbB+ReIpL6xxssC8yibGLs2cvmhd54d9MJDvluYi4j7Hxrhfq+VHG4JoCoBm/IoTxw4h1c5CZ/96rxbxSxwe1NZfBNWo3EhenPR7KGdtq5rXbWZf+rmG/GS5CcCFW7VV2JlShKUEXpNGUvjCX2YiLkBxRDPl7Y=,iv:gDNWZ2o7XUUG+zp7+Un23eGNF3GJfzGGx2s1/BPIlxg=,tag:MvBSJQhmuiGJyyNz1m6TAQ==,type:str]", + "lastmodified": "2024-02-20T21:52:53Z", + "mac": "ENC[AES256_GCM,data:ue6wtadXQbeY0kyoBg4bBjvdhsFzEhcqsEAhQHvHS39/f4Ke1kWb8KwMhb9ZDColPS3xTj6LCgV6GgJKRwif0cTKIZZ7+Ng8KcXmIT6zPdILA1HDagUV7gMDjxkCXO/rJDV3kWsZj/0v789Pb86jL78u6IL7ECoWJ4M/mHBOA9g=,iv:vOn4W+Mjo6r/HYR06nKsM5U7hLl7BLG1o7cqzTrYEJE=,tag:9nT8YWmKl1KPMTrH0l5HVg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.8.1"