From 66b8b64e2b3f247a950dc08ffd40fea36309dcbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Sat, 21 Jun 2025 16:17:12 +0300
Subject: [PATCH] Move ci to sops-nix

---
 .sops.yaml                 |  6 ++++++
 secrets/ci.yaml            | 26 ++++++++++++++++++++++++++
 servers/forgejo-runner.nix |  9 +++++++--
 servers/hydra.nix          |  6 ++++--
 4 files changed, 43 insertions(+), 4 deletions(-)
 create mode 100644 secrets/ci.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 0831305..9761882 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,7 @@
 keys:
   - &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
   - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
+  - &ci age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4
   - &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
   - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
 creation_rules:
@@ -14,6 +15,11 @@ creation_rules:
       - age:
           - *vili-bw
           - *helium
+  - path_regex: ^secrets/ci.yaml$
+    key_groups:
+      - age:
+          - *vili-bw
+          - *ci
   - path_regex: ^secrets/forgejo.yaml$
     key_groups:
       - age:
diff --git a/secrets/ci.yaml b/secrets/ci.yaml
new file mode 100644
index 0000000..1e39dca
--- /dev/null
+++ b/secrets/ci.yaml
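Review bot: The new `secrets/ci.yaml` rule places the Forgejo runner registration token and the binary-cache signing key (`priv-cache-key`, consumed by `secretKeyFile` in servers/hydra.nix) behind a single recipient set, `vili-bw` and `ci`, so whichever host holds the `ci` age key can decrypt both. The same patch gives the runner Docker labels that execute CI jobs, so if that host also runs the runner, a job that escapes its container is one sops-nix decryption away from the key that signs everything served from `cache.sinerva.eu`; whether both services share a host is not visible here, but the shared recipient list suggests it. Consider a separate rule and file for the cache signing key, scoped to the host that actually serves the cache, or at least a comment recording the decision next to the key, e.g. `# ci: host key of the CI box; it can decrypt BOTH the runner token and the cache signing key`. Minor: `^secrets/ci.yaml$` leaves the `.` unescaped, so `^secrets/ci\.yaml$` is the exact match, though the existing rules use the same loose form.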
@@ -0,0 +1,26 @@
+forgejo-token: ENC[AES256_GCM,data:g/JB9n2zIt42rrBf5XEwH0A4zzNQO6T8YqyOJE72Ffr8LJM+R4fc1xkIG5Hqlw==,iv:5aAhMQa/6chXodKQBOMiesusvNdwwKsOhXyidnN+hpM=,tag:BJih7G9xEDcLEMB0kByIbQ==,type:str]
+priv-cache-key: ENC[AES256_GCM,data:pNjWmbHypAsUtrktAXDWK67yseSKHAT+Nan0cHO8XFT3ADr5VbFwTZbqIQDGzSsU0P0y5BzhcxzorbK6624esuFzcawn0fKfzLaQWm4CCES4MXC4V1Rt41+7IJOY8nuq4e1Rwn917oyb,iv:7WLtQ1t7ZhQFdmeA3YDwZepq646hPhF9l465Su3WWMc=,tag:Y2k7hXYGMmjZ6g7Dy6Hd8w==,type:str]
+sops:
+    age:
+        - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Qi82M2JNeEZHSGJHME1w
+            Q2FFUnB0d1lMajcvdEJZSVNLdEJkalgxVXhrCk4zRnE5Q3dpVVNJNjNEMmlmZUM4
+            TjdCckxwSzdRMUg1Nk5DaDFJNjQ0OGcKLS0tIEdZZEJlSEJ0cm5Qb0g0UHpza2Za
+            K08wNDJJSGN2M21Yb2ZERHMvMmJDNjQKEwzdP8D1wTiKX0VHapxE8IODHuyH9laU
+            NIz32fJWl1A5w0xE3e1YXVJpjcvQ8nHX5CceSuOorq7IPYbDpaJhDQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YUNQdkd2bzJmM1l2WEJs
+            cGd3RTFDbkpLQmxWRFNMRUxLZmdPWmczNzFFCkhJMVY2L3c1VEZpSEFMeHhZZXNQ
+            V0txcUZZK2NaRHJIcVBqWHB1R3NDN1kKLS0tIDF5amxqa3JQSS93YzErK0ttdEpu
+            ZDdzTEFPUXJlYnJpUndSWEkwNWNMRkkKFl3ebl0NB3c7rmLwuCSUeRKftlljj36u
+            WTTHu6QlXkr48ASt9/kvN+09deXu+cX7aXBHsDo7O6cmt9OJFBlwGw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-21T13:12:37Z"
+    mac: ENC[AES256_GCM,data:ndDoQvRTVZL+xtjkoXathY0Q90kxeN0b9BIDKXVaFkoqdb+jKG3Rv8CcfWXJLBn7P7aUxsLSkyDhxdme9wBqSSWv6BRHu3v1x0ryn0NEhVp+/UYq+05iL+QTmGjJXcFlx1BJP/wSHO4uGSbOg9y6dfzToDqhZsRqRt7Du3fvdxk=,iv:rnf0Dcyo5Pq/42rD3U6vD2Ke2XddrKyG1ah0su8QFFM=,tag:IrsW3rFfMxK1ae5a2yyugg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
diff --git a/servers/forgejo-runner.nix b/servers/forgejo-runner.nix
index 7c739e6..169ece8 100644
--- a/servers/forgejo-runner.nix
+++ b/servers/forgejo-runner.nix
@@ -1,5 +1,10 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
+  sops.secrets.forgejo-token = {
+    sopsFile = ../secrets/ci.yaml;
+    restartUnits = [ "gitea-runner-forgejo.sinerva.eu.service" ];
+  };
+
   networking.firewall.trustedInterfaces = [ "br-+" ];

   services.gitea-actions-runner = {
@@ -8,7 +13,7 @@
       enable = true;
       name = "ci.sinerva.eu";
       url = "https://forgejo.sinerva.eu";
-      tokenFile = "/persist/secrets/forgejo_token";
+      tokenFile = config.sops.secrets.forgejo-token.path;
       labels = [
         "ubuntu-24.04-lts:docker://ubuntu:24.04"
         "ubuntu-22.04:docker://node:24-bullseye"
diff --git a/servers/hydra.nix b/servers/hydra.nix
index 940bd47..fe9ca5c 100644
--- a/servers/hydra.nix
+++ b/servers/hydra.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 let
   hydra_domain = "ci.sinerva.eu";
   cache_domain = "cache.sinerva.eu";
@@ -9,6 +11,8 @@ in
     ./utils/acme-http-client.nix
   ];

+  sops.secrets.priv-cache-key.sopsFile = ../secrets/ci.yaml;
+
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

   services = {
@@ -30,7 +32,7 @@ in
       enable = true;
       bindAddress = "127.0.0.2";
       port = 8081;
-      secretKeyFile = "/persist/secrets/priv_cache_key";
+      secretKeyFile = config.sops.secrets.priv-cache-key.path;
     };

     nginx.virtualHosts = {
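Review bot: `restartUnits` in the new `sops.secrets.forgejo-token` block hard-codes `gitea-runner-forgejo.sinerva.eu.service`, while the runner's visible `name` is `ci.sinerva.eu` and the instance attribute that actually determines the unit name lies outside the hunk; confirm the unit exists, because a wrong name fails silently and sops-nix simply restarts nothing when the token changes. The secret is also left at sops-nix's defaults (root-owned, mode 0400), which is fine only if the module hands `tokenFile` to systemd (EnvironmentFile/LoadCredential) rather than having the runner process open it as its own service user, so verify that against the module and add `owner`/`mode` if needed. A one-line comment next to `sopsFile` naming what the value is, e.g. `# runner registration token for https://forgejo.sinerva.eu`, would help whoever rotates it next. The enclosing attribute set continues outside the hunk.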
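Review bot: `sops.secrets.priv-cache-key` is declared with only `sopsFile` and no `restartUnits`, unlike the forgejo-token secret in servers/forgejo-runner.nix from the same commit, so a rotated cache signing key is decrypted on activation but the service reading `secretKeyFile` keeps the old key in memory until someone restarts it by hand. The consumer looks like `services.nix-serve` (its `bindAddress`/`port`/`secretKeyFile` options appear in the last hunk, though the attribute name is outside it); if so, `sops.secrets.priv-cache-key = { sopsFile = ../secrets/ci.yaml; restartUnits = [ "nix-serve.service" ]; };` keeps the two secrets consistent. This key presumably signs every path served under `cache_domain`, and rotating it invalidates the public key clients have pinned, so a comment is worth adding: `# private signing key for the binary cache; clients pin the matching public key, rotate with care`. The enclosing module body continues outside the hunk.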