From 8b71caf26b64f8143e724684b0103a81c05162e3 Mon Sep 17 00:00:00 2001
From: Noa Aarts <noa@voorwaarts.nl>
Date: Mon, 21 Oct 2024 12:43:41 +0200
Subject: [PATCH] feat: add agenix secrets for github runners

---
 hosts/nuos/configuration.nix |  11 ++++++++---
 secrets/github/flurry.age    |   7 +++++++
 secrets/github/nixconf.age   | Bin 0 -> 352 bytes
 secrets/secrets.nix          |   3 +++
 4 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 secrets/github/flurry.age
 create mode 100644 secrets/github/nixconf.age

diff --git a/hosts/nuos/configuration.nix b/hosts/nuos/configuration.nix
index 81ee105..1747073 100644
--- a/hosts/nuos/configuration.nix
+++ b/hosts/nuos/configuration.nix
@@ -2,7 +2,7 @@
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
-{ modulesPath, pkgs, inputs, lib, nix-colors, ... }:
+{ modulesPath, pkgs, inputs, lib, nix-colors, config, ... }:
 {
   imports =
     [
@@ -143,6 +143,11 @@
     };
   };
 
+  age.secrets = {
+    "secrets/token-flurry".file = ../../secrets/github/flurry.age;
+    "secrets/token-nixconf".file = ../../secrets/github/nixconf.age;
+  };
+
   services = {
     nix-serve = {
       enable = true;
@@ -158,7 +163,7 @@
           curl
         ];
         name = "flurry-runner";
-        tokenFile = "/secrets/token-flurry";
+        tokenFile = config.age.secrets."secrets/token-flurry".path;
         url = "https://github.com/itepastra/flurry";
       };
       nixconf-runner = {
@@ -167,7 +172,7 @@
           nixos-rebuild
         ];
         name = "nixconf-runner";
-        tokenFile = "/secrets/token-nixconf";
+        tokenFile = config.age.secrets."secrets/token-nixconf".path;
         url = "https://github.com/itepastra/nixconf";
       };
     };
diff --git a/secrets/github/flurry.age b/secrets/github/flurry.age
new file mode 100644
index 0000000..39be8df
--- /dev/null
+++ b/secrets/github/flurry.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 tcnWbQ JAhI/dqMejqQiwZFA6nNMBG4M6HRGuoVZZ0u5Tz6mD4
+i4Zmj5Uz7bBaztDRtbfXobXpBc7IivtvP9yM/2fL0KQ
+-> ssh-ed25519 ropO2g aJL3w72KCeL7DLQZc6l2zH1zSr0qQUdH9t5MNgLvonE
+IQ82mUzK2Qh7nllM/AMhSajX4lQszao9CZ2IUA6BDeI
+--- dNAB2ZaXFs5iC8zMMH+sazvOl3jeQCF5cZi5vlz9yQY
+múUJF3ò ‰´í	ÒV¬æ’YfÄR8Gn!kr¦k) j^­M|Ó6˜sø‹È.1˜`‘sê<Í§
\ No newline at end of file
diff --git a/secrets/github/nixconf.age b/secrets/github/nixconf.age
new file mode 100644
index 0000000000000000000000000000000000000000..c353346ebb17cad045ea2ac6ea4a6659e33afdef
GIT binary patch
literal 352
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHNzMyT3RFnR3&?UR
z4-XA9F46Y%D+u&*^9}PWP7IDr4XKEzu*~qwD)P-J%y7-B%H}f7sxYezH_h@(%d#}_
z(Kaj(&CBvgHgiw*cJ=Zub}P;{^UUyc3(5`7FhIAhD8InpC|#jAB;PyDAS~Fq)X3Q|
z-OHdT$34;9CBUm9$s#|=ztqVs#iT65E8ID`s+h~jIVsc8)Xm((tT55by|m2G#Gt6y
zH`_4C)Fm)YKcLdhB+}WlP}?9NC!b4KS69I~JG(g2wXia|AYI$9(jqH2BqYxxsI)ZP
zrywmWt2{qcKfvEDB{Rz}#Fguso|H)CZ!h<!+e#wuKKTBR(__jN6G@%~y?vG*5o-l%
k)ZhPjwd_ixq@;nS;99SUaOb^}<+Iy&+-F#$Rl}kN08d+a<NyEw

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 1b0e2a6..0ae3732 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,9 +1,12 @@
 let
   noa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOiz4Dsp4fgtwgOvARzOO9kZI4fSwJ4QJCf34dGVB6Z";
+  nuOS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM79/rtDi2KIN75Rr6ae+A8lPTSCQfCkhbx1tGmQ3Qed";
 in
 {
   "restic/env.age".publicKeys = [ noa ];
   "restic/repo.age".publicKeys = [ noa ];
   "restic/password.age".publicKeys = [ noa ];
+  "github/flurry.age".publicKeys = [ noa nuOS ];
+  "github/nixconf.age".publicKeys = [ noa nuOS ];
 }