diff --git a/README.md b/README.md index c19cf66..8d2419c 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ A [NixOS module][nixos-mod] to run [Jenkins][jenkins], optimized specifically fo - Fully nixified - [x] Jenkins configuration declared in Nix (via [configuration-as-code](https://github.com/jenkinsci/configuration-as-code-plugin) plugin) - - [x] [sops-nix] for secrets management, for use in Jenkins credentials/ + - [x] [sops-nix] for secrets management, for use in Jenkins credentials. Known limitation: only JSON format is supported. - [x] Jenkins plugins are managed by [jenkinsPlugins2nix](https://github.com/Fuuzetsu/jenkinsPlugins2nix) - CI features as NixOS modules, encapsulated along with their associated groovy library for referencing in `Jenkinsfile` - [x] [cachix](https://www.cachix.org/): provides `cachixPush` and `cachixUse` pipeline steps diff --git a/example/nammayatri/.sops.yaml b/example/nammayatri/.sops.yaml index 6a9a126..8d18d4b 100644 --- a/example/nammayatri/.sops.yaml +++ b/example/nammayatri/.sops.yaml @@ -2,7 +2,7 @@ keys: - &admin_srid age1zdwstn787x2a7hllksjk0zpdx3wdvy3fju8hk33a583jtv3d8q9qsvzfan - &server_nammayatri age1t46w429zmn9zjm76434g449eqw5ya4yj9np6m5qqqflhnu2sdvxqnn7kud creation_rules: - - path_regex: secrets.yaml$ + - path_regex: secrets.json$ key_groups: - age: - *admin_srid diff --git a/example/nammayatri/flake.lock b/example/nammayatri/flake.lock index 8103c97..c7291d2 100644 --- a/example/nammayatri/flake.lock +++ b/example/nammayatri/flake.lock @@ -302,7 +302,7 @@ }, "locked": { "lastModified": 0, - "narHash": "sha256-qBzq/EswD54vNMCizgfU3p1UZKzXqM9BU9nCdPWjX8E=", + "narHash": "sha256-e2A34eGTdJPbom4hHjxDW/JCB2ML6AAmjhFPGIEtugs=", "path": "../..", "type": "path" }, 
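Review bot: The new `path_regex: secrets.json$` in example/nammayatri/.sops.yaml has no left anchor and leaves the dot unescaped, so it also matches paths such as `other-secrets.json` or `secretsXjson`. Any file matching it is encrypted to the two age recipients listed under `keys`, which may not be the intended recipient set for those files. `path_regex: (^|/)secrets\.json$` restricts the creation rule to the file the example means.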
@@ -712,15 +712,16 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1679799335, - "narHash": "sha256-YrnDyftm0Mk4JLuw3sDBPNfSjk054N0dqQx8FW4JqDM=", - "owner": "Mic92", + "lastModified": 1683576450, + "narHash": "sha256-seuxApVNHAjbDV2OkRVQ1vzuaOBQcJ/WEyzIlAA+3oU=", + "owner": "juspay", "repo": "sops-nix", - "rev": "4740f80ca6e756915aaaa0a9c5fbb61ba09cc145", + "rev": "f4b1471b239dcc55cd8e8a8f3fc410c73511e62b", "type": "github" }, "original": { - "owner": "Mic92", + "owner": "juspay", + "ref": "json-nested", "repo": "sops-nix", "type": "github" } diff --git a/example/nammayatri/flake.nix b/example/nammayatri/flake.nix index 42dfac2..9f3c402 100644 --- a/example/nammayatri/flake.nix +++ b/example/nammayatri/flake.nix @@ -3,7 +3,7 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; flake-parts.url = "github:hercules-ci/flake-parts"; nixos-flake.url = "github:srid/nixos-flake"; - sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.url = "github:juspay/sops-nix/json-nested"; # https://github.com/Mic92/sops-nix/pull/328 deploy-rs.url = "github:serokell/deploy-rs"; @@ -97,7 +97,8 @@ ./nix/nixos/configuration.nix ./nix/tailscale.nix ]; - sops.defaultSopsFile = ./secrets.yaml; + sops.defaultSopsFile = ./secrets.json; + sops.defaultSopsFormat = "json"; }); perSystem = { self', inputs', system, lib, config, pkgs, ... }: { diff --git a/example/nammayatri/secrets.json b/example/nammayatri/secrets.json new file mode 100644 index 0000000..bd20288 --- /dev/null +++ b/example/nammayatri/secrets.json 
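Review bot: The `sops-nix.url` line in example/nammayatri/flake.nix now follows the mutable branch `json-nested` on a fork, and this input is the code that handles every secret on the host. flake.lock pins the revision for now, but the next `nix flake update` takes whatever the branch points to at that time. Pinning the commit in the URL keeps the reviewed code fixed until the upstream PR named in the comment lands: `sops-nix.url = "github:juspay/sops-nix/f4b1471b239dcc55cd8e8a8f3fc410c73511e62b";`. A `# TODO: return to Mic92/sops-nix once PR 328 is merged` beside it would record the exit condition.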
@@ -0,0 +1,46 @@ +{ + "ngrok-tokens": { + "shivaraj": "ENC[AES256_GCM,data:P9ABLjk+dYbmwDMMJIIcr9FwuWsQTfvDjyxSjeNU4RynGMCA7ugSTl+3nyOvtAPuwg==,iv:B2/1e49kSQRzH2FDa2W/7CQW9DONS81jc166Lx2Llug=,tag:6ViYCuxYH9iwxxe0F4PK9g==,type:str]" + }, + "jenkins-nix-ci": { + "ssh-key": { + "public_unencrypted": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBt2Kt9EMYoddreTugOFg1NPL638qqA8rLVA/C1QO7l6\n", + "private": "ENC[AES256_GCM,data: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,iv:Aa8pgacxsmKJUZu9jPJyo5tnt7h4oBHW6IIE0Y1W050=,tag:cPGHaWmdsyvrCgEvXoDOdw==,type:str]" + }, + "cachix-auth-token": { + "description": "ENC[AES256_GCM,data:01MZlRCeRmfAojEDLkmw6SQ2K1d3JJ7Oxze+PnkD0+Q=,iv:HzH3C+/iXNRvFjaeTBZjpRkeWX2s3DTvCIPa39b5ceo=,tag:vVy+uV6O2fZSR2HRRbLqJA==,type:str]", + "secret": "ENC[AES256_GCM,data:tIjhKofKqu7tkgrG8SMbNM62FrFaIhrOBjxilwTruMyO+ekFJBWysZ7TWuf52UxfAsIlgYZaMPyGxG/z60jG0I6d6W72x/W0KobHPy6lyza4Fv74ypoLY0I1NfpIavEMMdzjk9mFQL1Jg3xF4dOmCr56FXAajHF0nhqE4cfTujkaS1QnWWxKBiT679Chjs4yC53mtUc=,iv:BGFwudxOUoIWJxr9QznGl5URK3D2vi4XpC6vdbsvaSo=,tag:1Jth0FqRQdZbhqcAr6V1Fw==,type:str]" + }, + "docker-login": { + "description": "ENC[AES256_GCM,data:IDYyLlIpKv75X2sysd6NuuL5tXn9/LlVuZMdoWggoFTszg==,iv:kne1JCoydjw3rNg4olaYvQxd+9go7Cko4kop7Xg8/E4=,tag:3RaLEWWIL7BBsbYkyuftUQ==,type:str]", + "user": "ENC[AES256_GCM,data:/S0OtEKdqq4=,iv:KmDf5TMS6Onisq/7j6/RHudKf/fVdOcKiUwU5QWnq7o=,tag:gGBKT5A1350ApWN9IVBYsg==,type:str]", + "pass": "ENC[AES256_GCM,data:ghPJ2t2dBr84MLZIswsezBE3PEi97ZHysJHugjKfaV1svSJSU4Ywuw==,iv:97sqP0/6kSDLpNs+YmfMIvDRRiT8DAmP/chbtgQDynw=,tag:YHjNe9AJogdNTMB/TfyKmw==,type:str]" + }, + "github-app": { + "appID": "ENC[AES256_GCM,data:vPnedYQr,iv:F/PjsOK3UjrpUJxl4wR2CJFUd0cfJbHwrIyUk4mIoyQ=,tag:gT1sKqF3XjW9ChfZV+XnGQ==,type:str]", + "description": "ENC[AES256_GCM,data:adwjabsxQcDeaL2QSo+13+6v/0BX58aZi78Hg6cgwg==,iv:TUN0wegepohlaznia6PYw+/DFLYu24DBojqnwotezHg=,tag:ntH/uUrkUefCGun+uEZ7NQ==,type:str]", + "privateKey": 
"ENC[AES256_GCM,data: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,iv:S4n68JwXT1wQorxzPwYiM3abTx7iutjE66WQeHyODBs=,tag:S/510pbk7E95AKeEQPMukg==,type:str]" + } + }, + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1zdwstn787x2a7hllksjk0zpdx3wdvy3fju8hk33a583jtv3d8q9qsvzfan", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuWVJ5MlNiVXk2RTdnVU5n\nejg0NENIUDNrUFhNYUxseXJicXVVYlhMZVFzCnJaT2FYa3pzS1ltQkNMNXZIVWtB\nZURiVnF0RzVKYjgwdnc5VTVLZ3ZEMzgKLS0tIGJyT1ZiY2puQ2JWa1dLMmJjK0pG\nR3ZQMk00TVY3emkwcVhKejlBTmd6RWcK38ck2ttpgfO763AFEIVGy8i1qs1lFqNP\njdR7EAuLt687aRW4w2eQmOQ/ycTv6q2TJaSsX/qlduU7W6DImg5o9w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1t46w429zmn9zjm76434g449eqw5ya4yj9np6m5qqqflhnu2sdvxqnn7kud", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bC9UUjV0RXRCdkRrcVJU\ncU96aVlKWFFkbmxZbEN1d0RHZHZsdXlmQVVJCjl2bVlOU05YUkhvOTJna2R6bVRJ\neFRkMFVGU2xxdjg0OFQrNkJNODIvODAKLS0tIEVLVTZnbTBHdmNwZzVWQXI3aWNV\nQWhjNUZ3VlA5ZGUyaHpnUmJBRVlUMU0KlZ8TASztnCk95Yu3IJ+haThdUoeGHM7O\nr3dFsncxmtMNqXK8ErJsKwZbc/5ZJQP2sIlT2lWECx8INimP5WdAMA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-05-08T20:20:12Z", + "mac": "ENC[AES256_GCM,data:MUmn9obQeSrZr3986oXH+t2tOaJb+xqsEaRf94hY8nuITH1iXK7yyPGD9gmXAd24RAB0e9gu8lm4xPS5oxUxfFdn8Aoj6ikIAst37EoDNjbXNHAjZqy0mrRcEuikiVTzGPDSAS/mX2XSeC+FBbZq6WdSm6CgFfx5C+mDicBy5bk=,iv:xW//4QxVqu/K1d+tiIPR10fT9HpCNOZpavilJ/iAxwI=,tag:kq/HhvxeADTiOtntVKKXNQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/example/nammayatri/secrets.yaml b/example/nammayatri/secrets.yaml deleted file mode 100644 index 0e6e872..0000000 --- a/example/nammayatri/secrets.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -ngrok-tokens: - shivaraj: ENC[AES256_GCM,data:P9ABLjk+dYbmwDMMJIIcr9FwuWsQTfvDjyxSjeNU4RynGMCA7ugSTl+3nyOvtAPuwg==,iv:B2/1e49kSQRzH2FDa2W/7CQW9DONS81jc166Lx2Llug=,tag:6ViYCuxYH9iwxxe0F4PK9g==,type:str] -jenkins-nix-ci: - ssh-key: - public_unencrypted: | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBt2Kt9EMYoddreTugOFg1NPL638qqA8rLVA/C1QO7l6 - private: ENC[AES256_GCM,data:HoZmUOC3XMJHiY4KD/U3hx/DfXW/LFYjabqm5nFnBV6wiWBfNfMSuq8LY27tQsmk+ARfpuOQx4HQoDSJyxNUv32URxyw2KN80nMs4L/X12HpWEWWANuYUh6d0IRl2D+Mez7KUmlGrrcr9oXBrZPgPRKBDN2W9s1a30sp3LN3b3Nu5lFr/zKfzIBGUHXxW6VtvmNaMfWFMj5TrNEb+oMdEr4SRsYn6YQmtQ/FX5N/MtHEiwoEnrqWGoV2QaCxjdt3FPmrfdi9yZomduJu9CD8ebTcsmF0m0X2C5HHJvIBhpsLDZZ8p4T9b0PcaKP7fZkXRmVq9tn5Rn+1hLuoCNI6ngXgSXKrbq332Jso7i9vhQoKkysRB78P5EWEmP+IfflEmS9Goy7lgc2rnxfwS/RxetVloB/4DFIeyoUW7yKCkxMGxmta4OiYhBIk/T0ukzT2layh7F1v27BTxk6F5bFnHBKNTCnNIdKq4CobR9sQg/2z2U8xoFj/nlFuyW5eMLjc/CEF,iv:Aa8pgacxsmKJUZu9jPJyo5tnt7h4oBHW6IIE0Y1W050=,tag:cPGHaWmdsyvrCgEvXoDOdw==,type:str] - cachix-auth-token: - description: ENC[AES256_GCM,data:01MZlRCeRmfAojEDLkmw6SQ2K1d3JJ7Oxze+PnkD0+Q=,iv:HzH3C+/iXNRvFjaeTBZjpRkeWX2s3DTvCIPa39b5ceo=,tag:vVy+uV6O2fZSR2HRRbLqJA==,type:str] - secret: ENC[AES256_GCM,data:tIjhKofKqu7tkgrG8SMbNM62FrFaIhrOBjxilwTruMyO+ekFJBWysZ7TWuf52UxfAsIlgYZaMPyGxG/z60jG0I6d6W72x/W0KobHPy6lyza4Fv74ypoLY0I1NfpIavEMMdzjk9mFQL1Jg3xF4dOmCr56FXAajHF0nhqE4cfTujkaS1QnWWxKBiT679Chjs4yC53mtUc=,iv:BGFwudxOUoIWJxr9QznGl5URK3D2vi4XpC6vdbsvaSo=,tag:1Jth0FqRQdZbhqcAr6V1Fw==,type:str] - docker-login: - description: ENC[AES256_GCM,data:IDYyLlIpKv75X2sysd6NuuL5tXn9/LlVuZMdoWggoFTszg==,iv:kne1JCoydjw3rNg4olaYvQxd+9go7Cko4kop7Xg8/E4=,tag:3RaLEWWIL7BBsbYkyuftUQ==,type:str] - user: ENC[AES256_GCM,data:/S0OtEKdqq4=,iv:KmDf5TMS6Onisq/7j6/RHudKf/fVdOcKiUwU5QWnq7o=,tag:gGBKT5A1350ApWN9IVBYsg==,type:str] - pass: ENC[AES256_GCM,data:ghPJ2t2dBr84MLZIswsezBE3PEi97ZHysJHugjKfaV1svSJSU4Ywuw==,iv:97sqP0/6kSDLpNs+YmfMIvDRRiT8DAmP/chbtgQDynw=,tag:YHjNe9AJogdNTMB/TfyKmw==,type:str] - github-app: - 
appID: ENC[AES256_GCM,data:vPnedYQr,iv:F/PjsOK3UjrpUJxl4wR2CJFUd0cfJbHwrIyUk4mIoyQ=,tag:gT1sKqF3XjW9ChfZV+XnGQ==,type:str] - description: ENC[AES256_GCM,data:adwjabsxQcDeaL2QSo+13+6v/0BX58aZi78Hg6cgwg==,iv:TUN0wegepohlaznia6PYw+/DFLYu24DBojqnwotezHg=,tag:ntH/uUrkUefCGun+uEZ7NQ==,type:str] - privateKey: ENC[AES256_GCM,data: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,iv:S4n68JwXT1wQorxzPwYiM3abTx7iutjE66WQeHyODBs=,tag:S/510pbk7E95AKeEQPMukg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zdwstn787x2a7hllksjk0zpdx3wdvy3fju8hk33a583jtv3d8q9qsvzfan - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuWVJ5MlNiVXk2RTdnVU5n - ejg0NENIUDNrUFhNYUxseXJicXVVYlhMZVFzCnJaT2FYa3pzS1ltQkNMNXZIVWtB - ZURiVnF0RzVKYjgwdnc5VTVLZ3ZEMzgKLS0tIGJyT1ZiY2puQ2JWa1dLMmJjK0pG - R3ZQMk00TVY3emkwcVhKejlBTmd6RWcK38ck2ttpgfO763AFEIVGy8i1qs1lFqNP - jdR7EAuLt687aRW4w2eQmOQ/ycTv6q2TJaSsX/qlduU7W6DImg5o9w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1t46w429zmn9zjm76434g449eqw5ya4yj9np6m5qqqflhnu2sdvxqnn7kud - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bC9UUjV0RXRCdkRrcVJU - cU96aVlKWFFkbmxZbEN1d0RHZHZsdXlmQVVJCjl2bVlOU05YUkhvOTJna2R6bVRJ - eFRkMFVGU2xxdjg0OFQrNkJNODIvODAKLS0tIEVLVTZnbTBHdmNwZzVWQXI3aWNV - QWhjNUZ3VlA5ZGUyaHpnUmJBRVlUMU0KlZ8TASztnCk95Yu3IJ+haThdUoeGHM7O - r3dFsncxmtMNqXK8ErJsKwZbc/5ZJQP2sIlT2lWECx8INimP5WdAMA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-18T17:46:20Z" - mac: ENC[AES256_GCM,data:B1qdL+GNinaT7+swMXy7TqE2JP8UZPppebTsvrJBcDRhLYHo/g50+A8q4vDWq1h344xRHfPpt5dMsFWFVv7DLT8UxPMvhlQQHlrg8qzcVHTMHI8jxKqf7e6z6f4DTERWjYhbx8d9OjiU0ewpWvB+/U08iBgA8r+Sq/x0KXK0fvc=,iv:DPwYJjB8TCj1KtpLKJxv/iDGNWLwIAp/mKu98JA5oV4=,tag:pkdfW+ZQ6irWofvLuZsszg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/nix/from-yaml.nix b/nix/from-yaml.nix deleted file mode 100644 index f1422b6..0000000 
--- a/nix/from-yaml.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ yaml2json, stdenv }: -# Parse text containing YAML content into a nix expression. -yaml: -builtins.fromJSON (builtins.readFile (stdenv.mkDerivation { - preferLocalBuild = true; - allowSubstitutes = false; - name = "fromYAML"; - phases = [ "buildPhase" ]; - buildPhase = "echo '${yaml}' | ${yaml2json}/bin/yaml2json > $out"; -})) diff --git a/nix/jenkins/features/ssh-key/default.nix b/nix/jenkins/features/ssh-key/default.nix index 83ba6cc..4f28deb 100644 --- a/nix/jenkins/features/ssh-key/default.nix +++ b/nix/jenkins/features/ssh-key/default.nix @@ -51,14 +51,10 @@ in default = { pkgs, ... }: let authorizedKey = - # In lieu of https://github.com/Mic92/sops-nix/issues/317 let - # TODO: Switch to https://github.com/NixOS/nix/issues/1491#issuecomment-1284348948 - # Because we can't use IFD when evaluating cross-system config (macos) - fromYAML = pkgs.callPackage ../../../from-yaml.nix { }; - sopsJson = fromYAML (builtins.readFile sops.defaultSopsFile); + secretsRaw = assert (sops.defaultSopsFormat == "json"); builtins.fromJSON (builtins.readFile sops.defaultSopsFile); in - sopsJson.jenkins-nix-ci.ssh-key.public_unencrypted; + secretsRaw.jenkins-nix-ci.ssh-key.public_unencrypted; in { users.users.${jenkins.user}.openssh.authorizedKeys.keys = [ authorizedKey ];
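Review bot: The `authorizedKey` binding in nix/jenkins/features/ssh-key/default.nix takes the key that ends up in the Jenkins user's `authorizedKeys` from a plaintext field, parsed with `builtins.fromJSON` at evaluation time. Nothing on this path checks the sops MAC, so an edit to `public_unencrypted` in the secrets file evaluates cleanly. A comment on `secretsRaw` should say so, for example `# public_unencrypted is read as plain JSON without sops integrity checking; review edits to it like any authorized_keys change`. Separately, the bare `assert` fails with a generic message; `if sops.defaultSopsFormat != "json" then throw "ssh-key: sops.defaultSopsFormat must be \"json\"" else builtins.fromJSON (builtins.readFile sops.defaultSopsFile)` tells the user what to fix. The enclosing module body starts and ends outside the hunk.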