jungle/secrets/secrets.nix

let
  keys = import ../keys.nix;
  adminsKeys = builtins.attrValues keys.admins;
  hut = [ keys.hosts.hut ] ++ adminsKeys;
  # Only expose ceph keys to safe nodes and admins
  safe = keys.hostGroup.safe ++ adminsKeys;
in
{
  "gitea-runner-token.age".publicKeys = hut;
  "gitlab-runner-docker-token.age".publicKeys = hut;
  "gitlab-runner-shell-token.age".publicKeys = hut;
  "nix-serve.age".publicKeys = hut;
  "jungle-robot-password.age".publicKeys = hut;

  "ceph-user.age".publicKeys = safe;
  "munge-key.age".publicKeys = safe;
}
Reorganize secrets and ssh keys The agenix tools needs to read the secrets from a standalone file, but we also need the same information for the SSH keys. 2023-09-04 21:36:31 +02:00			`let`
			`keys = import ../keys.nix;`
			`adminsKeys = builtins.attrValues keys.admins;`
			`hut = [ keys.hosts.hut ] ++ adminsKeys;`
			`# Only expose ceph keys to safe nodes and admins`
Add encrypted munge key with agenix 2023-09-08 19:01:57 +02:00			`safe = keys.hostGroup.safe ++ adminsKeys;`
Reorganize secrets and ssh keys The agenix tools needs to read the secrets from a standalone file, but we also need the same information for the SSH keys. 2023-09-04 21:36:31 +02:00			`in`
			`{`
Add Gitea service Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es> 2024-04-26 16:52:52 +02:00			`"gitea-runner-token.age".publicKeys = hut;`
Use authentication tokens for PM GitLab runner Starting with GitLab 16, there is a new mechanism to authenticate the runners via authentication tokens, so use it instead. Older tokens and runners are also removed, as they are no longer used. With the new way of managing tokens, both the tags and the locked state are managed from the GitLab web page. See: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html Reviewed-by: Aleix Boné <abonerib@bsc.es> 2024-07-16 14:58:58 +02:00			`"gitlab-runner-docker-token.age".publicKeys = hut;`
			`"gitlab-runner-shell-token.age".publicKeys = hut;`
Serve the nix store from hut 2023-09-12 12:19:43 +02:00			`"nix-serve.age".publicKeys = hut;`
Add msmtp to send notifications via email Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es> 2024-05-02 17:54:09 +02:00			`"jungle-robot-password.age".publicKeys = hut;`
Reorganize secrets and ssh keys The agenix tools needs to read the secrets from a standalone file, but we also need the same information for the SSH keys. 2023-09-04 21:36:31 +02:00
Add encrypted munge key with agenix 2023-09-08 19:01:57 +02:00			`"ceph-user.age".publicKeys = safe;`
			`"munge-key.age".publicKeys = safe;`
Reorganize secrets and ssh keys The agenix tools needs to read the secrets from a standalone file, but we also need the same information for the SSH keys. 2023-09-04 21:36:31 +02:00			`}`