feat: test sops and hercules-ci

kid · kid · commit 3f91a1a56bc4 · 2025-03-06T19:24:17.000+01:00
diff --git a/.sops.yaml b/.sops.yaml
@@ -0,0 +1,15 @@
+keys:
+  - &nixos_kid age1dghfu7sxwlkf4626eywmgr63y2g7m4x8zs8a6xt2zay3x7dclpnsw776dd
+  - &pve0 age1p2vm095mfftw3uywqkhwmkseusl0l95dpsx9dtd6zu84m0zspa4sjndx3c
+
+creation_rules:
+  - key_groups:
+      - age:
+          - *nixos_kid
+          - *pve0
+
+stores:
+  json:
+    indent: 2
+  yaml:
+    indent: 2
diff --git a/checks/pre-commit-hooks/default.nix b/checks/pre-commit-hooks/default.nix
@@ -12,7 +12,7 @@ git-hooks-nix.lib.${pkgs.system}.run {
   src = ./.;
   hooks = {
     treefmt = {
-      enable = true;
+      # enable = true;
       package = treefmt.config.build.wrapper;
     };
   };
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -70,6 +70,10 @@
 
     deploy-rs.url = "github:serokell/deploy-rs";
     deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
+
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+
   };
 
   outputs =
@@ -99,21 +103,28 @@
 
       homes.modules = with inputs; [
         plasma-manager.homeManagerModules.plasma-manager
+        sops-nix.homeManagerModules.sops
       ];
 
       # home.users."kid@nixos".modules = with inputs; [
       #   # Default to enabled and require a config
       #   xremap.homeManagerModules.default
       # ];
 
-      systems.modules.nixos = with inputs; [
-        nixos-facter-modules.nixosModules.facter
-        disko.nixosModules.disko
-        impermanence.nixosModules.impermanence
-        stylix.nixosModules.stylix
-        ucodenix.nixosModules.default
-        # xremap.nixosModules.default
-      ];
+      systems.modules = {
+        darwin = with inputs; [
+          sops-nix.darwinModules.sops
+        ];
+        nixos = with inputs; [
+          nixos-facter-modules.nixosModules.facter
+          disko.nixosModules.disko
+          impermanence.nixosModules.impermanence
+          stylix.nixosModules.stylix
+          ucodenix.nixosModules.default
+          sops-nix.nixosModules.sops
+          # xremap.nixosModules.default
+        ];
+      };
 
       deploy = lib.mkDeploy {
         inherit self;
@@ -139,5 +150,8 @@
       githubActions = inputs.nix-github-actions.lib.mkGithubMatrix {
         checks = inputs.nixpkgs.lib.getAttrs [ "x86_64-linux" "x86_64-darwin" ] self.checks;
       };
+      herculesCI = {
+        ciSystems = [ "x86_64-linux" ];
+      };
     };
 }
diff --git a/modules/nixos/roles/hercules-ci/default.nix b/modules/nixos/roles/hercules-ci/default.nix
@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.${namespace}) mkModule;
+in
+mkModule ./. false config { } (_cfg: {
+  services.hercules-ci-agent = {
+    enable = true;
+    settings = {
+      clusterJoinTokenPath = config.sops.secrets."hercules_ci/token".path;
+      binaryCachesPath = config.sops.secrets."hercules_ci/caches".path;
+    };
+  };
+  sops = {
+    defaultSopsFormat = "yaml";
+    secrets = {
+      "hercules_ci/token" = {
+        owner = config.services.hercules-ci-agent.user;
+      };
+      "hercules_ci/caches" = {
+        owner = config.services.hercules-ci-agent.user;
+      };
+    };
+  };
+})
diff --git a/modules/nixos/security/sops/default.nix b/modules/nixos/security/sops/default.nix
@@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+let
+  inherit (lib.types) listOf path;
+  inherit (lib.${namespace}) mkModule mkOpt;
+in
+mkModule ./. false config
+  {
+    defaultSopsFile = mkOpt path null "Default sops file.";
+    sshKeyPaths = mkOpt (listOf path) [
+      "/etc/ssh/ssh_host_ed25519_key"
+    ] "SSH key paths to use.";
+  }
+  (cfg: {
+    sops = {
+      inherit (cfg) defaultSopsFile;
+
+      age = {
+        inherit (cfg) sshKeyPaths;
+
+        # keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
+      };
+    };
+  })
diff --git a/modules/nixos/suites/common/default.nix b/modules/nixos/suites/common/default.nix
@@ -17,6 +17,7 @@ mkModule ./. false config { } (_cfg: {
       firmware = mkDefault enabled;
       power = mkDefault enabled;
     };
+    security.sops = mkDefault enabled;
   };
 
   environment = {
diff --git a/secrets/pve0/default.sops.yaml b/secrets/pve0/default.sops.yaml
@@ -0,0 +1,32 @@
+hercules_ci:
+  token: ENC[AES256_GCM,data:Odvge3VVOvxJFwzifIjDXIWzM1nqZvCBJ0x8udtX7kwboPJL8k2WJ5K+iZ9DUC54z8DEzU1CpHiFLEWTejp9XQ0XcA4JC1FUlG+omD589sD4k2fOYqMGILacLr6t9BSfiFMSwXkaHPpW43dFuif1kjbKwI2dFjBAgboQCVQPcyXr3dXX3HHjK6kGpiAUmAQzWP1XPDH++OHcfuIoHLO+qOFze8YZfXD2CktkBF/XZgp/RLRnmToFjj6HZgySecK/olQv16c7Qp2GPxbTMS3WP0qQ/b9f+T5W6IWWtJaUFIsBGwRR6o16KN0OAA==,iv:QoSh+GnWOzm5XZPecqHGqsjb0ck8/c8QRC7rr+iNK1w=,tag:xnfV6UuvCinetZANc6OITw==,type:str]
+  caches: ENC[AES256_GCM,data:5anLYG/zyZsotWoMfsy02Nr9dXA2BvdqxgRb8K/x9WthHQZ3eOV5e5JilBA9wwfPjnSrozciYfPkaHZ91S/2CgMLdiKM2iGikrDRr2TN6YVNTM1IhH03ZP/RMEZJc0QK7T8skPU8uw0yD9oCdclJB4hN+tP7I1K3hnOpDn+m7YcCm9i6vUzQhLTV0wYrG1PDv5rJrMz4Eiyd5QRV3oHIYw27Lh2kO4amVDBevYa8v6v3ZMuj4dl8drwRCHoX0QrajpIm4QMH0eF4DkGw3Z2dEygh8xb8NqCjMBFN0Qk2gkKKSpvYqRNlfKfy5jz+Y7cV0Myc+7zWbBfjgp/zcwMTDfsQbDklKIJOZ3qWA0xlsXugq63UrQ1BstLQLpQ1uS+UBiSkZtBNldQ/k5p9/DQAsF9rXa4rnPts9+GXPJt4+9MTizabp/g/fIayshqxNCt4yhMDK5l6FOaVkHlpgHZQ,iv:dZLgX9UbDN6zoZo7aqG5yyVrhI+TMR7D93kxumRh4kw=,tag:E6h6POSHalfUcmaCOMf45w==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1dghfu7sxwlkf4626eywmgr63y2g7m4x8zs8a6xt2zay3x7dclpnsw776dd
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUWWprWnFwZHZ1NkdwdU1T
+        VUNaNXBFNFV2NzlTSVhXSUpDV0VjN2dXaWdJCndUdXZKR0FnQ2I4eTE0NWV6dUdB
+        VlJReUsxWmNZYy83d2NZbnRncXo3bEEKLS0tIDRUc1haK1NIdTVTa2t2VnlHeXFW
+        d0FFQ3FwU1NNMGJNMmZyb080Zkh2aTAKAG5dzr4JJvC+wJVMNUCshCDYNymxVXQE
+        aKc95+GuLeWkDdP5hd+s0GBajRcAJALPDo+gBQE7acelGPWbFR7Tgg==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age1p2vm095mfftw3uywqkhwmkseusl0l95dpsx9dtd6zu84m0zspa4sjndx3c
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVzZqU0JOeFpaeTVmdW9U
+        aUlLSDE5bXB3WUNESGQ5ZVdlcUJPTzBKRHdVClAybjZvVXlia2lzSkJHUjVzVFFu
+        WStlUlEwZlVkWlZGKzFETUhYd0VVdUkKLS0tIC84TEhEcTRGM2IxRGtOeGVmcXRh
+        SG51cDBWVnVWRDhvTEREN2hhcCttU2cKiv9jTp7lJkApAzxYjQYTpU/b04AzBtZs
+        2/nXJUv5EqwoPZNWJlOqRvF6qefj0tOe0PrEB486A0oXQnjB+wJceA==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-03-06T18:08:07Z"
+  mac: ENC[AES256_GCM,data:/LObjn4X/5oEbvlnnhJZcVKhlq71bImgvw/38RVUF19SAbwjYPF1PwPOJPjMjRzdyoj2HAt7FcKjJTEuLyM86snXB/GQQ9MCGJ6wLlUBTEsHhEHYi+pB7KyGvfLlTOmLUaZrDJCBhOy+1AD01QtiZNDnjDULaZpT3qrx/ylhiA4=,iv:oJfG9nV/jvRCJbaOUC+YKDudhJgo0Df1KU2NfgbvraQ=,tag:LUNhfS4IyRsLA5Pw18Zdvw==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.4
diff --git a/shells/default/default.nix b/shells/default/default.nix
@@ -11,6 +11,7 @@ mkShell {
     just
     nil
 
+    sops
     act
 
     deadnix
@@ -20,7 +21,6 @@ mkShell {
     nix-health
     nix-index
     nix-melt
-    nix-melt
     nix-prefetch-git
     nix-search-cli
     nix-tree
diff --git a/systems/x86_64-linux/pve0/default.nix b/systems/x86_64-linux/pve0/default.nix
@@ -1,4 +1,5 @@
 {
+  lib,
   inputs,
   ...
 }:
@@ -21,8 +22,13 @@
   nixfiles = {
     archetypes.server.enable = true;
     # hardware.cpu.amd.enable = true;
+    roles.hercules-ci.enable = true;
+    security.sops.defaultSopsFile = lib.snowfall.fs.get-file "secrets/pve0/default.sops.yaml";
   };
 
+  # sops.secrets."hercules_ci/caches".sopsFile =
+  #   lib.snowfall.fs.get-file "secrets/pve0/hercules_ci_caches.sops.json";
+
   disko.devices.disk.main.imageSize = "10G";
 
   system.stateVersion = "25.05";
diff --git a/treefmt.nix b/treefmt.nix
@@ -18,6 +18,8 @@
       "LICENSE"
       # unsupported extensions
       "*.{gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,org,yuck,gitignore,editorconfig}"
+      # sops files
+      "*.sops.{json,yaml}"
     ];
 
     formatter = {
