modules/nixos/monitoring: move to agenix

hosts/build02/nixpkgs-update-backup.nix

@@ -3,7 +3,7 @@
   # 100GB storagebox is attached to the build02 server
 
   age.secrets.hetzner-borgbackup-ssh = {
-    file = "${toString inputs.self}/secrets/hetzner-borgbackup-ssh.age";
+    file = "${inputs.self}/secrets/hetzner-borgbackup-ssh.age";
   };
 
   systemd.services.borgbackup-job-nixpkgs-update = {

hosts/build02/nixpkgs-update.nix

@@ -6,7 +6,7 @@
   ...
 }:
 let
-  userLib = import "${toString inputs.self}/users/lib.nix" { inherit lib; };
+  userLib = import "${inputs.self}/users/lib.nix" { inherit lib; };
 
   nixpkgs-update-bin = "/var/lib/nixpkgs-update/bin/nixpkgs-update";
 

modules/darwin/hercules-ci.nix

@@ -1,14 +1,14 @@
 { config, inputs, ... }:
 {
   age.secrets.hercules-binary-caches = {
-    file = "${toString inputs.self}/secrets/hercules-binary-caches.age";
+    file = "${inputs.self}/secrets/hercules-binary-caches.age";
     mode = "600";
     owner = "_hercules-ci-agent";
     group = "_hercules-ci-agent";
   };
 
   age.secrets.hercules-cluster-join-token = {
-    file = "${toString inputs.self}/secrets/hercules-cluster-join-token.age";
+    file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
     mode = "600";
     owner = "_hercules-ci-agent";
     group = "_hercules-ci-agent";

modules/nixos/common/sops-nix.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  defaultSopsPath = "${toString inputs.self}/hosts/${config.networking.hostName}/secrets.yaml";
+  defaultSopsPath = "${inputs.self}/hosts/${config.networking.hostName}/secrets.yaml";
 in
 {
   imports = [

modules/nixos/common/users.nix

@@ -1,7 +1,7 @@
 { inputs, lib, ... }:
 
 let
-  usersDir = "${toString inputs.self}/users";
+  usersDir = "${inputs.self}/users";
   userImports =
     let
       toUserPath = f: usersDir + "/${f}";

modules/nixos/github-org-backup.nix

@@ -32,7 +32,7 @@
   };
 
   age.secrets.hetzner-borgbackup-ssh = {
-    file = "${toString inputs.self}/secrets/hetzner-borgbackup-ssh.age";
+    file = "${inputs.self}/secrets/hetzner-borgbackup-ssh.age";
   };
 
   systemd.services.borgbackup-job-github-org = {

modules/nixos/hercules-ci.nix

@@ -1,17 +1,17 @@
 { config, inputs, ... }:
 {
   age.secrets.hercules-binary-caches = {
-    file = "${toString inputs.self}/secrets/hercules-binary-caches.age";
+    file = "${inputs.self}/secrets/hercules-binary-caches.age";
     owner = "hercules-ci-agent";
   };
 
   age.secrets.hercules-cluster-join-token = {
-    file = "${toString inputs.self}/secrets/hercules-cluster-join-token.age";
+    file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
     owner = "hercules-ci-agent";
   };
 
   age.secrets.hercules-secrets = {
-    file = "${toString inputs.self}/secrets/hercules-secrets.age";
+    file = "${inputs.self}/secrets/hercules-secrets.age";
     owner = "hercules-ci-agent";
   };
 

modules/nixos/monitoring/default.nix

@@ -8,12 +8,15 @@
     ./telegraf.nix
   ];
 
-  sops.secrets.nginx-basic-auth-file.owner = "nginx";
+  age.secrets.nginx-basic-auth-file = {
+    file = "${inputs.self}/secrets/nginx-basic-auth-file.age";
+    owner = "nginx";
+  };
 
   services.nginx.virtualHosts."monitoring.nix-community.org" = {
     locations."/".return = "302 https://nix-community.org/monitoring";
     locations."/alertmanager/" = {
-      basicAuthFile = config.sops.secrets.nginx-basic-auth-file.path;
+      basicAuthFile = config.age.secrets.nginx-basic-auth-file.path;
       proxyPass = "http://localhost:9093/";
     };
     locations."/prometheus/".proxyPass = "http://localhost:9090/";

modules/nixos/monitoring/matrix-hook.nix

@@ -1,9 +1,16 @@
-{ config, pkgs, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
 let
   matrixHook = pkgs.matrix-hook;
 in
 {
-  sops.secrets.nix-community-matrix-bot-token = { };
+  age.secrets.nix-community-matrix-bot-token = {
+    file = "${inputs.self}/secrets/nix-community-matrix-bot-token.age";
+  };
 
   users.users.matrix-hook = {
     isSystemUser = true;
@@ -27,7 +34,7 @@ in
     serviceConfig = {
       Type = "simple";
       ExecStart = "${matrixHook}/bin/matrix-hook";
-      EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ];
+      EnvironmentFile = [ config.age.secrets.nix-community-matrix-bot-token.path ];
       Restart = "always";
       RestartSec = "10";
       User = "matrix-hook";

secrets.yaml

@@ -8,6 +8,7 @@ accounts:
     - name: ENC[AES256_GCM,data:BGA/HMgie64=,iv:c+utmChiZA73GRS4uzZDyfdU+DZaDpB3WljC2uye8o0=,tag:lr1w5TWr05lpfBNLK0Swxw==,type:str]
       totpsecret: ENC[AES256_GCM,data:Q5aJq9sLmW/0oMIgy4FErA==,iv:cFhVj/QV4tMjvB/Y8ExOSSLArvjxCV8+39YtMaADK04=,tag:aPJFH7WhaBYAW7eYsGzGYg==,type:str]
 emergency_access_password: ENC[AES256_GCM,data:ELpkrEQjFQwDicz3WeJoivrZBAWeAKkfFg==,iv:rzbKvnS5IBjUCCT2NAHINZs60F0jrRPJvZ1wnBa6xkI=,tag:hWax9+gTRhuhtIikP/jO/Q==,type:str]
+nginx-basic-auth-password: ENC[AES256_GCM,data:THXCfzuXXEsEARk1Hz4eEtzqqzzbf/IF0hHy,iv:mvOu8CSomzUYzpt1PkhSeBMgwHluUtTQZHozi6Am+RM=,tag:itQJu7Dp/N48BJMYTleuqw==,type:str]
 ssh_host_ed25519_key:
     build01: ENC[AES256_GCM,data:5rG0+Iw8uVKXTrT5A/uvbz9MJZHPyTBPKIxSbMIgvwEVHDsCENDihxL5C00PisZ4dgMIW1WQIvD3zLtJ5RxedY832K9dwO36lWH2uHZW96qlObnTqMpi0vtsZQ1FQVUtNWPj146uz7QyasisFu6CFFMBBbx6y5ZAipfJ+bsth7YliCMPL+1bM84b8a40m3k9gI4xpYH9txrq1+yvTLau25rNsmAq4oHDGKEZqRoN2WflBZLP0DL3zQ/8uPODUjOmyFpKnbDeKsDQ3RuFcPaLZOGEBruayYldxiv215pdFgw72TbvtLXc726y7bUTOvsOiLfVMdfiXZCRPzVbjGB+NLtiyz9hlCa5WdJrQmLceqC/v5zy1TbV0azlZCDNopw1yznLn8fPA8KIYJUGw+PkdKPDFKRn+F78+5QG4wpYFK9qZ/vaukvpuZrUdboFIU/qFdjplrGhniYfbh7enIGhnd2Y+qLC92IG0SQPVpI2fQNx7h3MD2V9w2spk8hZ4QGWsA4JU0fJ9mKY4w6eElGLggzT15vuCrrJx4zbThSfyVYHmlE=,iv:ksSPKFNHdy646BU2x0fr6ey+kif1jpPhlsQ5Kmxjqd4=,tag:2SL/1x4/9LoNqfHPMk8H8Q==,type:str]
     build02: ENC[AES256_GCM,data:kwc1rs7xbKod7+vV9yDNqAZMmTqencDe6LTMqxihNLuvGny1atjJ/4cf2vnWEyPar4AvqLtawbIexowbpgyzIiJBKskw0voUgUan0TMH7dsjeZtcdnBSsGWDlcBSjq8bK+yfNMWxwaq7FB9eTJkhN41UhQwqXIVpitEJg0LQcz7+BeQnYhCMnMOc+AG78zIZK+lbzAikejFJUV1A0/kmEl9VirBTpGqxhsiPUSCpAq9c3mE16f31YF9bUn9Dr/4gLW42xxbt/+6psDstKlKgfldzC+izCCCfL1qKcKz7RtyLX37O1MkQqLWvC5I5XRt81tKPOgmtjtGSM0iYmx9zy6FKGJlWqHGNb5K+g1NugWuKMzkBQNoWIypS/yHUY9R3eLa6JJM+tfE/Hvw4Q6/4HGBePMauULd/sgTC8D6o+6023a9ZdC6vdwAWzgWzhbG8uN8vjRR9JKy8/tzgzWJsR4PvPFw9ka0HbRMjigmMxZ817Z6iB2BcO2xmJvD5hP2YpPKCNLQzUznq0vh1s91C,iv:cQERNZJUQ0TJW0pbEzJF6O+1Idkt2e+I06+Kjygr4lk=,tag:2X4KhuEd/0153sCT7qeyqQ==,type:str]
@@ -111,8 +112,8 @@ sops:
             MkcvL1JyVFBJV0Y5RFFCMGN1OUFXdU0Kdx1wy6ZOOTg1a6VKaq52SMBvC26lMsW/
             oMP+hmXc2WtoqZp+jZ9rrXz6cZW6/dO7CPqxl3aUEKg6BkXIwgyKeg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-16T07:30:20Z"
-    mac: ENC[AES256_GCM,data:nzK1E2M4gnsY/z6KG8uMsOau+Q96u/gRmXue9jA0BKEErEWA2AYg5p9Ig+pRWwhq1BdEN9PbjKBmuEmSTWdfFijbM7NaRSHelpUIccfoiMMW51/MHFiEMt7euCLE2i9O7q1Vx7br+NaHu+fqctrx1ikOXaWNhM6Q6NJ1NY0Z5dU=,iv:1S1NsVtILala9zBFMfEqxpokscpPW+Frq+T1qyrmVYI=,tag:87SYZkvSdqYldcVJnnw2/A==,type:str]
+    lastmodified: "2024-10-26T00:28:59Z"
+    mac: ENC[AES256_GCM,data:Ds3v0YTPxlpV+QTtRs1Lq3LyvnVXVU4Hp37mGOwrAgD76ek19dyMPVeJu1Q9QZwYcoSrq7GccQvo/GfTM+WVxW48B3aH+qeUye9RcdV6SYLmtQANhUyyBQurzyN7sJt2qyOWsE/VpF3NViUMkVYhLqwd/wYIiaEVmCaEpkjHp38=,iv:Vhoj+Vm8n8VcQZhmGOZU9OVZ0S+VxrZEZ178yx8aezk=,tag:D4p7Az+LqC7eQkI2QIyVfA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1

secrets/nginx-basic-auth-file.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 meza2g tOhoYzkG+lCD2ONeWe32iOT+qCOvFFM2MOSTMw86ck4
+N4xw2JWB0BvQy12lIb1CS4QifkiFCHHHYBep9XzhpFI
+-> ssh-rsa ALNSWw
+lzYsNzDw+FQRwcgk2ezjfw4fr5PundiR+As4Xa/OCsHFZa94QVhBVlFzgtB5nO8s
+wnoENRSQIkYqzJtGxAF8VGOvGpOsuIxNLNy/AvN4YeXYVvhPlpZjRmkCKpWG2r1w
+gprc+2VdUVjeUJiWYYhCZdn62yMXS0HI+aC8eLghtovl4dhWKh4sq8SMlNtzHLKZ
+D1nLY2rDNM+u00NEMMTOr879zfp4LHAsaol0HJrc3BnC1KmyYFd4dTivwVEU1X/r
+jw+mv8duQrbXJHckf8si7GuwQxsA0eDxKQb0y8F2hIMAkmAUMsvrJF0kyPS3UGyp
+qkby51wMLIOzzvcrgJ9KJQ
+-> ssh-ed25519 Qi7vNw hiomOFHJB1MuK7rf6x6lDr6CvTMo3CN9x4/rYov6lD4
+ILX7g5TugewxzJuHF3Og06135rohMLs+vhnrcGlTO6s
+-> ssh-ed25519 MW0fCg 5gofg/CnnH3aI7WnAMqHd5P7Gvyb9XV8M7v1FF8TdXU
+wwLUGvVGngz1rMZa0eIVSwf0TmUqQHTPjZDgubtoMgk
+-> ssh-ed25519 92bXiA OcbjXruCXI43g/mJC/I65m7I/p04OHNWUXZuFa2vUEM
+5+NimqArjB+cbSNMh53LUmmBlXiecjdjcilS9zYVE2w
+-> ssh-ed25519 h1lenA mtoPhHkVeGkSwirRAvcfHgwdZrmWalB8KEwBFfix2xE
+FyCMnN2MzQmuCjYF+cElRl1wAPumz8mAgJFzMcUXfk0
+--- u5BHJScdFfK3/JdJs5dLFGTGUmX0wPAo5jra3cmYI1c
+`�����2Λ�	κ�w���̐b3f��6y�:���1q�iA��9G�w�W�eS�鯙��
m��~�ף�,f����%=��Q�O6

secrets/secrets.nix

@@ -1,16 +1,12 @@
 let
-  adisbladis = builtins.readFile ../users/keys/adisbladis;
-  mic92 = builtins.readFile ../users/keys/mic92;
-  ryantm = builtins.readFile ../users/keys/ryantm;
-  zimbatm = builtins.readFile ../users/keys/zimbatm;
-  zowoq = builtins.readFile ../users/keys/zowoq;
+  users = map (name: builtins.readFile ../users/keys/${name}) userNames;
 
-  users = [
-    adisbladis
-    mic92
-    ryantm
-    zimbatm
-    zowoq
+  userNames = [
+    "adisbladis"
+    "mic92"
+    "ryantm"
+    "zimbatm"
+    "zowoq"
   ];
 
   inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
@@ -19,24 +15,35 @@ let
   build03 = knownHosts.build03.publicKey;
   build04 = knownHosts.build04.publicKey;
   darwin02 = knownHosts.darwin02.publicKey;
+  web02 = knownHosts.web02.publicKey;
+
+  secrets = {
+    hercules-binary-caches = [
+      build03
+      build04
+      darwin02
+    ];
+    hercules-cluster-join-token = [
+      build03
+      build04
+      darwin02
+    ];
+    # hercules-secrets are only needed on linux
+    hercules-secrets = [
+      build03
+      build04
+    ];
+    hetzner-borgbackup-ssh = [
+      build02
+      build03
+    ];
+    nginx-basic-auth-file = [ web02 ];
+    nix-community-matrix-bot-token = [ web02 ];
+  };
 in
-{
-  "hercules-binary-caches.age".publicKeys = users ++ [
-    build03
-    build04
-    darwin02
-  ];
-  "hercules-cluster-join-token.age".publicKeys = users ++ [
-    build03
-    build04
-    darwin02
-  ];
-  "hercules-secrets.age".publicKeys = users ++ [
-    build03
-    build04
-  ]; # hercules-secrets are only needed on linux
-  "hetzner-borgbackup-ssh.age".publicKeys = users ++ [
-    build02
-    build03
-  ];
-}
+builtins.listToAttrs (
+  map (secretName: {
+    name = "${secretName}.age";
+    value.publicKeys = secrets."${secretName}" ++ users;
+  }) (builtins.attrNames secrets)
+)