sops-nix -> agenix

.sops.yaml

@@ -1,56 +1,23 @@
 keys:
-  - &build01 age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
-  - &build02 age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
-  - &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
-  - &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
-  - &web02 age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
+  - &adisbladis age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
   - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
   - &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
   - &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
   - &zowoq age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
-  - &adisbladis age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
-# scan new hosts with `scan-age-keys` task
 creation_rules:
   - path_regex: ^secrets.yaml$
     key_groups:
       - age:
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
           - *adisbladis
-  - path_regex: terraform/secrets.yaml$
-    key_groups:
-      - age:
           - *mic92
           - *ryantm
           - *zimbatm
           - *zowoq
-          - *adisbladis
-  - path_regex: hosts/build02/[^/]+\.yaml$
-    key_groups:
-      - age:
-          - *build02
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
-          - *adisbladis
-  - path_regex: hosts/build03/[^/]+\.yaml$
+  - path_regex: terraform/secrets.yaml$
     key_groups:
       - age:
-          - *build03
-          - *mic92
-          - *ryantm
-          - *zimbatm
-          - *zowoq
           - *adisbladis
-  - path_regex: hosts/web02/[^/]+\.yaml$
-    key_groups:
-      - age:
-          - *web02
           - *mic92
           - *ryantm
           - *zimbatm
           - *zowoq
-          - *adisbladis

flake.nix

@@ -44,9 +44,6 @@
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
     nur-update.inputs.nixpkgs.follows = "nixpkgs";
     nur-update.url = "github:nix-community/nur-update";
-    sops-nix.inputs.nixpkgs-stable.follows = "empty";
-    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    sops-nix.url = "github:Mic92/sops-nix";
     srvos.inputs.nixpkgs.follows = "nixpkgs";
     srvos.url = "github:nix-community/srvos";
     systems.url = "github:nix-systems/default";

hosts/build02/nixpkgs-update.nix

@@ -129,7 +129,7 @@ let
     ];
     # API_TOKEN is used by nixpkgs-update-github-releases
     # using a token from another account so the rate limit doesn't block opening PRs
-    environment.API_TOKEN_FILE = "${config.sops.secrets.github-token-with-username.path}";
+    environment.API_TOKEN_FILE = "${config.age.secrets.github-token-with-username.path}";
     environment.XDG_CACHE_HOME = "/var/cache/nixpkgs-update/fetcher/";
 
     serviceConfig = {
@@ -264,24 +264,28 @@ in
     }/bin/nixpkgs-update"
   ];
 
-  sops.secrets.github-r-ryantm-key = {
+  age.secrets.github-r-ryantm-key = {
+    file = "${inputs.self}/secrets/github-r-ryantm-key.age";
     path = "/home/r-ryantm/.ssh/id_rsa";
     owner = "r-ryantm";
     group = "r-ryantm";
   };
 
-  sops.secrets.github-r-ryantm-token = {
+  age.secrets.github-r-ryantm-token = {
+    file = "${inputs.self}/secrets/github-r-ryantm-token.age";
     path = "/var/lib/nixpkgs-update/worker/github_token.txt";
     owner = "r-ryantm";
     group = "r-ryantm";
   };
 
-  sops.secrets.github-token-with-username = {
+  age.secrets.github-token-with-username = {
+    file = "${inputs.self}/secrets/github-token-with-username.age";
     owner = "r-ryantm";
     group = "r-ryantm";
   };
 
-  sops.secrets.nix-community-cachix = {
+  age.secrets.nix-community-cachix = {
+    file = "${inputs.self}/secrets/nix-community-cachix.age";
     path = "/var/lib/nixpkgs-update/worker/cachix/cachix.dhall";
     owner = "r-ryantm";
     group = "r-ryantm";

hosts/build03/builders.nix

@@ -1,14 +1,16 @@
 { config, inputs, ... }:
 {
-  sops.secrets.id_buildfarm = { };
+  age.secrets.id_buildfarm = {
+    file = "${inputs.self}/secrets/id_buildfarm.age";
+  };
 
   nix.distributedBuilds = true;
   nix.buildMachines = [
     {
       hostName = "build04.nix-community.org";
       maxJobs = 80;
       protocol = "ssh-ng";
-      sshKey = config.sops.secrets.id_buildfarm.path;
+      sshKey = config.age.secrets.id_buildfarm.path;
       sshUser = "nix";
       systems = [ "aarch64-linux" ];
       supportedFeatures =
@@ -18,7 +20,7 @@
       hostName = "darwin02.nix-community.org";
       maxJobs = 8;
       protocol = "ssh-ng";
-      sshKey = config.sops.secrets.id_buildfarm.path;
+      sshKey = config.age.secrets.id_buildfarm.path;
       sshUser = "nix";
       systems = [
         "aarch64-darwin"

modules/nixos/buildbot.nix

@@ -11,11 +11,21 @@
 
   services.nginx.virtualHosts."buildbot.nix-community.org" = { };
 
-  sops.secrets.buildbot-github-oauth-secret = { };
-  sops.secrets.buildbot-github-app-secret-key = { };
-  sops.secrets.buildbot-github-webhook-secret = { };
-  sops.secrets.buildbot-nix-workers = { };
-  sops.secrets.cachix-auth-token = { };
+  age.secrets.buildbot-github-oauth-secret = {
+    file = "${inputs.self}/secrets/buildbot-github-oauth-secret.age";
+  };
+  age.secrets.buildbot-github-app-secret-key = {
+    file = "${inputs.self}/secrets/buildbot-github-app-secret-key.age";
+  };
+  age.secrets.buildbot-github-webhook-secret = {
+    file = "${inputs.self}/secrets/buildbot-github-webhook-secret.age";
+  };
+  age.secrets.buildbot-nix-workers = {
+    file = "${inputs.self}/secrets/buildbot-nix-workers.age";
+  };
+  age.secrets.cachix-auth-token = {
+    file = "${inputs.self}/secrets/cachix-auth-token.age";
+  };
 
   services.buildbot-nix.master = {
     enable = true;
@@ -36,19 +46,19 @@
     evalMaxMemorySize = 4096;
     evalWorkerCount = 32;
     jobReportLimit = 0;
-    workersFile = config.sops.secrets.buildbot-nix-workers.path;
+    workersFile = config.age.secrets.buildbot-nix-workers.path;
     cachix = {
       enable = true;
       name = "nix-community";
-      auth.authToken.file = config.sops.secrets.cachix-auth-token.path;
+      auth.authToken.file = config.age.secrets.cachix-auth-token.path;
     };
     github = {
       authType.app = {
         id = 920387;
-        secretKeyFile = config.sops.secrets.buildbot-github-app-secret-key.path;
+        secretKeyFile = config.age.secrets.buildbot-github-app-secret-key.path;
       };
-      webhookSecretFile = config.sops.secrets.buildbot-github-webhook-secret.path;
-      oauthSecretFile = config.sops.secrets.buildbot-github-oauth-secret.path;
+      webhookSecretFile = config.age.secrets.buildbot-github-webhook-secret.path;
+      oauthSecretFile = config.age.secrets.buildbot-github-oauth-secret.path;
       oauthId = "Iv23liN9rjd1Bm3bvYKZ";
       topic = "nix-community-buildbot";
     };
@@ -59,10 +69,12 @@
     titleUrl = "https://nix-community.org/";
   };
 
-  sops.secrets.buildbot-nix-worker-password = { };
+  age.secrets.buildbot-nix-worker-password = {
+    file = "${inputs.self}/secrets/buildbot-nix-worker-password.age";
+  };
 
   services.buildbot-nix.worker = {
     enable = true;
-    workerPasswordFile = config.sops.secrets.buildbot-nix-worker-password.path;
+    workerPasswordFile = config.age.secrets.buildbot-nix-worker-password.path;
   };
 }

modules/nixos/common/default.nix

@@ -10,7 +10,6 @@
     ../../shared/nix-daemon.nix
     ./agenix.nix
     ./security.nix
-    ./sops-nix.nix
     ./telegraf.nix
     ./update.nix
     ./users.nix

modules/nixos/hydra.nix

@@ -1,10 +1,24 @@
-{ pkgs, config, ... }:
 {
-  sops.secrets.hydra-admin-password.owner = "hydra";
-  sops.secrets.hydra-users.owner = "hydra";
+  pkgs,
+  config,
+  inputs,
+  ...
+}:
+{
+  age.secrets.hydra-admin-password = {
+    file = "${inputs.self}/secrets/hydra-admin-password.age";
+    owner = "hydra";
+  };
+  age.secrets.hydra-users = {
+    file = "${inputs.self}/secrets/hydra-users.age";
+    owner = "hydra";
+  };
 
   # hydra-queue-runner needs to read this key for remote building
-  sops.secrets.id_buildfarm.owner = "hydra-queue-runner";
+  age.secrets.id_buildfarm = {
+    file = "${inputs.self}/secrets/id_buildfarm.age";
+    owner = "hydra-queue-runner";
+  };
 
   nix.settings.keep-outputs = pkgs.lib.mkForce false;
 
@@ -16,7 +30,7 @@
     "sourcehut:"
   ];
 
-  sops.secrets.id_buildfarm = { };
+  age.secrets.id_buildfarm = { };
 
   # delete build logs older than 30 days
   systemd.services.hydra-delete-old-logs = {
@@ -83,13 +97,13 @@
           opts+=("--full-name" "$fullname")
         fi
         hydra-create-user "''${opts[@]}"
-      done < ${config.sops.secrets.hydra-users.path}
+      done < ${config.age.secrets.hydra-users.path}
 
       while ! nc -z localhost ${toString config.services.hydra.port}; do
         sleep 1
       done
 
-      export HYDRA_ADMIN_PASSWORD=$(cat ${config.sops.secrets.hydra-admin-password.path})
+      export HYDRA_ADMIN_PASSWORD=$(cat ${config.age.secrets.hydra-admin-password.path})
       export URL=http://localhost:${toString config.services.hydra.port}
     '';
   };

modules/nixos/nur-update.nix

@@ -10,7 +10,9 @@
     locations."/".proxyPass = "http://unix:/run/nur-update/gunicorn.sock";
   };
 
-  sops.secrets.nur-update-github-token = { };
+  age.secrets.nur-update-github-token = {
+    file = "${inputs.self}/secrets/nur-update-github-token.age";
+  };
 
   systemd.services.nur-update =
     let
@@ -33,7 +35,7 @@
       '';
       serviceConfig = {
         DynamicUser = true;
-        LoadCredential = [ "github-token:${config.sops.secrets.nur-update-github-token.path}" ];
+        LoadCredential = [ "github-token:${config.age.secrets.nur-update-github-token.path}" ];
         Restart = "always";
         RuntimeDirectory = "nur-update";
       };

modules/nixos/watch-store.nix

@@ -1,11 +1,13 @@
-{ config, ... }:
+{ config, inputs, ... }:
 
 {
-  sops.secrets.cachix-auth-token = { };
+  age.secrets.cachix-auth-token = {
+    file = "${inputs.self}/secrets/cachix-auth-token.age";
+  };
 
   services.cachix-watch-store = {
     enable = true;
     cacheName = "nix-community";
-    cachixTokenFile = config.sops.secrets.cachix-auth-token.path;
+    cachixTokenFile = config.age.secrets.cachix-auth-token.path;
   };
 }

secrets/secrets.nix

@@ -18,6 +18,11 @@ let
   web02 = knownHosts.web02.publicKey;
 
   secrets = {
+    buildbot-github-oauth-secret = [ build03 ];
+    buildbot-github-webhook-secret = [ build03 ];
+    buildbot-nix-worker-password = [ build03 ];
+    buildbot-nix-workers = [ build03 ];
+    cachix-auth-token = [ build03 ];
     grafana-client-secret = [ web02 ];
     hercules-binary-caches = [
       build03
@@ -38,8 +43,16 @@ let
       build02
       build03
     ];
+    hydra-admin-password = [ build03 ];
+    hydra-users = [ build03 ];
+    id_buildfarm = [ build03 ];
     nginx-basic-auth-file = [ web02 ];
     nix-community-matrix-bot-token = [ web02 ];
+    nixpkgs-update-github-r-ryantm-key = [ build02 ];
+    nixpkgs-update-github-r-ryantm-token = [ build02 ];
+    nixpkgs-update-github-token-with-username = [ build02 ];
+    nixpkgs-update-nix-community-cachix = [ build02 ];
+    nur-update-github-token = [ build03 ];
   };
 in
 builtins.listToAttrs (

tasks.py

@@ -86,13 +86,6 @@ def print_keys(c: Any, flake_attr: str) -> None:
         )
         print("###### Public keys ######")
         print(pubkey.stdout)
-        print("###### Age keys ######")
-        subprocess.run(
-            ["ssh-to-age"],
-            input=pubkey.stdout,
-            check=True,
-            text=True,
-        )
 
 
 @task