From 919b3c4e73a7574de619dd3b40524f820ab70644 Mon Sep 17 00:00:00 2001 From: Skyler Grey Date: Tue, 2 Jul 2024 22:46:30 +0000 Subject: [PATCH 1/3] feat: Add agenix-rekey Agenix-rekey is a project which uses rage to encrypt secrets for hosts where they're needed. We'll need it for a future commit with buildbot --- .reuse/dep5 | 10 -------- REUSE.toml | 24 +++++++++++++++++++ flake.nix | 22 +++++++++++++++-- .../auxolotl/security/secrets/default.nix | 18 ++++++++++++++ secrets/keys/minion/collabora-yubikey.pub | 7 ++++++ .../keys/minion/collabora-yubikey.pub.license | 3 +++ secrets/keys/minion/iyubikey.pub | 7 ++++++ secrets/keys/minion/iyubikey.pub.license | 3 +++ secrets/keys/minion/tiny-yubikey.pub | 7 ++++++ secrets/keys/minion/tiny-yubikey.pub.license | 3 +++ shells/default/default.nix | 2 ++ systems/x86_64-linux/baxter/default.nix | 3 +++ 12 files changed, 97 insertions(+), 12 deletions(-) delete mode 100644 .reuse/dep5 create mode 100644 REUSE.toml create mode 100644 modules/nixos/auxolotl/security/secrets/default.nix create mode 100644 secrets/keys/minion/collabora-yubikey.pub create mode 100644 secrets/keys/minion/collabora-yubikey.pub.license create mode 100644 secrets/keys/minion/iyubikey.pub create mode 100644 secrets/keys/minion/iyubikey.pub.license create mode 100644 secrets/keys/minion/tiny-yubikey.pub create mode 100644 secrets/keys/minion/tiny-yubikey.pub.license
diff --git a/.reuse/dep5 b/.reuse/dep5
deleted file mode 100644
index e9a0867..0000000
--- a/.reuse/dep5
+++ /dev/null
@@ -1,10 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: Auxolotl Infrastructure
-Upstream-Contact: Auxolotl Infrastructure Committee
-Source: https://auxolotl.org
-
-# Sample paragraph, commented out:
-#
-# Files: src/*
-# Copyright: $YEAR $NAME <$CONTACT>
-# License: ...
diff --git a/REUSE.toml b/REUSE.toml
new file mode 100644
index 0000000..62db0fb
--- /dev/null
+++ b/REUSE.toml
@@ -0,0 +1,24 @@ +# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors +# +# SPDX-License-Identifier: CC0-1.0 + +version = 1 + +SPDX-PackageName = "Auxolotl Infrastructure" +SPDX-PackageSupplier = "Auxolotl Infrastructure Committee " +SPDX-PackageDownloadLocation = "https://auxolotl.org" + +[[annotations]] +path = "secrets/generated/**" +SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors" +SPDX-License-Identifier = "CC0-1.0" + +[[annotations]] +path = "secrets/rekeyed/**" +SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors" +SPDX-License-Identifier = "CC0-1.0" + +[[annotations]] +path = "**/*.age" +SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors" +SPDX-License-Identifier = "CC0-1.0" diff --git a/flake.nix b/flake.nix index 2e69ce7..4e23335 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,13 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + agenix.url = "github:ryantm/agenix"; + + agenix-rekey = { + url = "github:oddlama/agenix-rekey"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + auxolotl-website = { url = "git+https://git.auxolotl.org/auxolotl/website"; inputs.nixpkgs.follows = "nixpkgs"; @@ -37,8 +44,14 @@ }; in lib.mkFlake { - overlays = with inputs; [ - auxolotl-website.overlays.default + overlays = [ + inputs.auxolotl-website.overlays.default + inputs.agenix-rekey.overlays.default + ]; + + systems.modules.nixos = [ + inputs.agenix.nixosModules.default + inputs.agenix-rekey.nixosModules.default ]; deploy = lib.mkDeploy { @@ -49,6 +62,11 @@ }; }; + agenix-rekey = inputs.agenix-rekey.configure { + userFlake = inputs.self; + nodes = inputs.self.nixosConfigurations; + }; + checks = builtins.mapAttrs (system: deploy-lib: deploy-lib.deployChecks inputs.self.deploy) diff --git a/modules/nixos/auxolotl/security/secrets/default.nix b/modules/nixos/auxolotl/security/secrets/default.nix new file mode 100644 index 0000000..ecea233 --- /dev/null +++ b/modules/nixos/auxolotl/security/secrets/default.nix 
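Review bot: The new `agenix` input in the first flake.nix hunk is declared without `inputs.nixpkgs.follows = "nixpkgs"`, unlike the `agenix-rekey` input added directly below it, so the flake locks a second nixpkgs revision plus agenix's other transitive inputs (the flake.lock in patch 3/3 shows `darwin`, `home-manager` and an extra `nixpkgs` node under `agenix`). Unless that is intentional, write it as `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };` so there is a single nixpkgs revision to audit and update. If the divergence is deliberate, a one-line comment stating the reason would help the next reader. The `inputs` attribute set opens above the hunk.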
@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{ config, lib, pkgs, inputs, ... }:
+
+{
+ age.rekey = {
+ masterIdentities = [
+ "${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
+ "${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
+ "${inputs.self}/secrets/keys/minion/iyubikey.pub"
+ ];
+ storageMode = "local";
+ generatedSecretsDir = "${inputs.self}/secrets/generated/${config.networking.hostName}";
+ localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}";
+ };
+}
diff --git a/secrets/keys/minion/collabora-yubikey.pub b/secrets/keys/minion/collabora-yubikey.pub
new file mode 100644
index 0000000..a3061c2
--- /dev/null
+++ b/secrets/keys/minion/collabora-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 20652804, Slot: 1
+# Name: MINION_COLLABORA_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:55:44 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
+AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ
diff --git a/secrets/keys/minion/collabora-yubikey.pub.license b/secrets/keys/minion/collabora-yubikey.pub.license
new file mode 100644
index 0000000..7f85994
--- /dev/null
+++ b/secrets/keys/minion/collabora-yubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only
diff --git a/secrets/keys/minion/iyubikey.pub b/secrets/keys/minion/iyubikey.pub
new file mode 100644
index 0000000..ec49feb
--- /dev/null
+++ b/secrets/keys/minion/iyubikey.pub
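Review bot: All three `masterIdentities` sit under `secrets/keys/minion/`, which suggests one maintainer holds every key that can decrypt or rekey the repository's secrets; if so, losing access to that person means every secret has to be recreated, and a second maintainer's hardware key or an offline recovery identity would remove that single point of failure. The module also has no header comment, so I would add something like `# Master identities are YubiKey identity stubs, not private keys; generated and rekeyed secrets are committed per host under secrets/.` above the attribute set. `lib` and `pkgs` are accepted but unused in this file and can be dropped from the argument list.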
@@ -0,0 +1,7 @@
+# Serial: 24039462, Slot: 1
+# Name: MINION_iYUBIKEY
+# Created: Sun, 21 Jul 2024 12:57:17 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qfczekkv6thu32q5fv272pmzca86rqf4pn4083h9qvfgytrmycquqz23c3d
+AGE-PLUGIN-YUBIKEY-1YMGXUQVZEHAJFXGQ57UKA
diff --git a/secrets/keys/minion/iyubikey.pub.license b/secrets/keys/minion/iyubikey.pub.license
new file mode 100644
index 0000000..7f85994
--- /dev/null
+++ b/secrets/keys/minion/iyubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only
diff --git a/secrets/keys/minion/tiny-yubikey.pub b/secrets/keys/minion/tiny-yubikey.pub
new file mode 100644
index 0000000..0838d68
--- /dev/null
+++ b/secrets/keys/minion/tiny-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 23751432, Slot: 1
+# Name: MINION_TINY_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:49:01 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qf92p7gj5k8pavnzrzg644plfqcpkc8laj2l4avdfnem2re08tuqsu7ynnf
+AGE-PLUGIN-YUBIKEY-1PP4K5QVZR6DHL7G8RVVJ0
diff --git a/secrets/keys/minion/tiny-yubikey.pub.license b/secrets/keys/minion/tiny-yubikey.pub.license
new file mode 100644
index 0000000..7f85994
--- /dev/null
+++ b/secrets/keys/minion/tiny-yubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only
diff --git a/shells/default/default.nix b/shells/default/default.nix
index 8223b7f..d773c20 100644
--- a/shells/default/default.nix
+++ b/shells/default/default.nix
@@ -6,10 +6,12 @@ mkShell, reuse, deploy-rs, + agenix-rekey, }: mkShell { packages = [ reuse # Used to provide licenses & copyright attribution deploy-rs # Used to deploy to our servers + agenix-rekey # Used to manage secrets ]; } diff --git a/systems/x86_64-linux/baxter/default.nix b/systems/x86_64-linux/baxter/default.nix index 25c5f92..3841c2a 100644 --- a/systems/x86_64-linux/baxter/default.nix +++ b/systems/x86_64-linux/baxter/default.nix @@ -7,12 +7,15 @@ { pkgs, modulesPath, + config, ... }: { imports = [ (modulesPath + "/virtualisation/digital-ocean-config.nix") ]; + age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4rfWCoqby2qIcq/KVEWCKZVvIxr6h4GxJcsCQYffj+"; + boot.loader.grub.enable = true; virtualisation.digitalOcean.rebuildFromUserData = false; -- 2.45.2 From e8e8b544657533084b538b34d5a7c535368ffd20 Mon Sep 17 00:00:00 2001 From: Skyler Grey Date: Tue, 2 Jul 2024 22:46:30 +0000 Subject: [PATCH 2/3] chore(reuse): Remove unused license --- LICENSES/MIT.txt | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 LICENSES/MIT.txt diff --git a/LICENSES/MIT.txt b/LICENSES/MIT.txt deleted file mode 100644 index 2071b23..0000000 --- a/LICENSES/MIT.txt +++ /dev/null 
@@ -1,9 +0,0 @@ -MIT License - -Copyright (c) - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -- 2.45.2 From 198b4dff207893bd366a4b22b6658a7cc6a4c47b Mon Sep 17 00:00:00 2001 
From: Skyler Grey Date: Tue, 2 Jul 2024 22:46:30 +0000 Subject: [PATCH 3/3] feat(baxter): Add buildbot CI For a while we've been lacking a CI, which has led to problems such as an inability to enforce REUSE, as well as an inability to build and deploy docs-site automatically Buildbot is commonly used (nix-community, lix, etc.), and very extensible, which we hope will benefit us over something like Hydra or Typhon The buildbot instance is available at https://builds.auxolotl.org --- flake.lock | 498 +++++++++++++++--- flake.nix | 6 +- .../auxolotl/services/ci/master/default.nix | 112 ++++ .../auxolotl/services/ci/worker/default.nix | 40 ++ .../services.ci.master.webhookSecretFile.age | 12 + .../services.ci.worker.workerPasswordFile.age | Bin 0 -> 615 bytes ...cee6517c6-services.ci.master.tokenFile.age | 7 + ...vices.ci.master.oauth.clientSecretFile.age | Bin 0 -> 433 bytes ...f-services.ci.master.webhookSecretFile.age | 7 + ...75-services.ci.master.workersFile.json.age | Bin 0 -> 351 bytes ...-services.ci.worker.workerPasswordFile.age | 7 + systems/x86_64-linux/baxter/default.nix | 41 ++ ...vices.ci.master.oauth.clientSecretFile.age | 12 + .../baxter/services.ci.master.tokenFile.age | 11 + .../services.ci.master.workersFile.json.age | Bin 0 -> 658 bytes 15 files changed, 679 insertions(+), 74 deletions(-) create mode 100644 modules/nixos/auxolotl/services/ci/master/default.nix create mode 100644 modules/nixos/auxolotl/services/ci/worker/default.nix create mode 100644 secrets/generated/baxter/services.ci.master.webhookSecretFile.age create mode 100644 secrets/generated/baxter/services.ci.worker.workerPasswordFile.age create mode 100644 secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age create mode 100644 secrets/rekeyed/baxter/58a73a00f6ce9881f5206f8ab350466b-services.ci.master.oauth.clientSecretFile.age create mode 100644 secrets/rekeyed/baxter/611a4946b7c2a4de9aa8f6175cf92d7f-services.ci.master.webhookSecretFile.age create mode 
100644 secrets/rekeyed/baxter/9ffbe2a747e0bcdc4d670cf7d47d3575-services.ci.master.workersFile.json.age create mode 100644 secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age create mode 100644 systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age create mode 100644 systems/x86_64-linux/baxter/services.ci.master.tokenFile.age create mode 100644 systems/x86_64-linux/baxter/services.ci.master.workersFile.json.age diff --git a/flake.lock b/flake.lock index 5125259..07cb3e0 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,49 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1720546205, + "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=", + "owner": "ryantm", + "repo": "agenix", + "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "agenix-rekey": { + "inputs": { + "devshell": "devshell", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks": "pre-commit-hooks" + }, + "locked": { + "lastModified": 1721402988, + "narHash": "sha256-O5j5y5gpssVF5FNsSF7joTyrlW//LpwyLk6yBWgQ0VE=", + "owner": "oddlama", + "repo": "agenix-rekey", + "rev": "3f1c787e2092d9c13142ae7572cc1c52b68f1c4c", + "type": "github" + }, + "original": { + "owner": "oddlama", + "repo": "agenix-rekey", + "type": "github" + } + }, "auxolotl-website": { "inputs": { "nixpkgs": [ 
@@ -21,20 +65,62 @@ "url": "https://git.auxolotl.org/auxolotl/website" } }, + "buildbot-nix": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs_2", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1722025605, + "narHash": "sha256-WKgvUD1V5w3GQ/uycqHMmYXhYvbB0T0EnKFeQ8hb6j8=", + "owner": "nix-community", + "repo": "buildbot-nix", + "rev": "225d286fa78389329168befc5d26888e317d0d0d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "buildbot-nix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "deploy-rs": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "nixpkgs": [ "nixpkgs" ], "utils": "utils" }, "locked": { - "lastModified": 1711973905, - "narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=", + "lastModified": 1718194053, + "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=", "owner": "serokell", "repo": "deploy-rs", - "rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b", + "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a", "type": "github" }, "original": { 
@@ -43,7 +129,45 @@ "type": "github" } }, + "devshell": { + "inputs": { + "nixpkgs": [ + "agenix-rekey", + "nixpkgs" + ], + "systems": "systems_2" + }, + "locked": { + "lastModified": 1695195896, + "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=", + "owner": "numtide", + "repo": "devshell", + "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1650374568, @@ -59,7 +183,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1696426674, @@ -75,7 +199,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1650374568, 
@@ -91,61 +215,28 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "buildbot-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719994518, + "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils-plus": { - "inputs": { - "flake-utils": "flake-utils" - }, - "locked": { - "lastModified": 1696331477, - "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", - "type": "github" - }, - "original": { - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "type": "github" - } - }, - "flake-utils-plus_2": { - "inputs": { - "flake-utils": "flake-utils_2" - }, - "locked": { - "lastModified": 1696331477, - "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", - "type": "github" - }, - "original": { - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "type": "github" - } - }, - "flake-utils_2": { "inputs": { "systems": "systems_3" }, 
@@ -163,13 +254,177 @@ "type": "github" } }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils_2" + }, + "locked": { + "lastModified": 1696331477, + "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } + }, + "flake-utils-plus_2": { + "inputs": { + "flake-utils": "flake-utils_3" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_6" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "agenix-rekey", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", 
+ "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1721838734, + "narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=", + "owner": "Nixos", + "repo": "nixpkgs", + "rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431", + "type": "github" + }, + "original": { + "owner": "Nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1721743106, + "narHash": "sha256-adRZhFpBTnHiK3XIELA3IBaApz70HwCYfv7xNrHjebA=", "owner": "nixos", "repo": "nixpkgs", - "rev": 
"00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "rev": "dc14ed91132ee3a26255d01d8fd0c1f5bff27b2f", "type": "github" }, "original": { @@ -179,18 +434,49 @@ "type": "github" } }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "agenix-rekey", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "agenix-rekey", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1694364351, + "narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { + "agenix": "agenix", + "agenix-rekey": "agenix-rekey", "auxolotl-website": "auxolotl-website", + "buildbot-nix": "buildbot-nix", "deploy-rs": "deploy-rs", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "snowfall-lib": "snowfall-lib_2", "unstable": "unstable" } }, "snowfall-lib": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils-plus": "flake-utils-plus", "nixpkgs": [ "auxolotl-website", @@ -213,18 +499,18 @@ }, "snowfall-lib_2": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "flake-utils-plus": "flake-utils-plus_2", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1713814392, - "narHash": "sha256-IanrgtpgDqxGfzNczstspPljAHKaY0e4DGvYgdAwC1Y=", + "lastModified": 1717625599, + "narHash": "sha256-qX9VJizFEoiRWDEiVs5+2w4FclQNQVVPvGPESsZ1F8k=", "owner": "snowfallorg", "repo": "lib", - "rev": "91ab40c2e01cc1bade8092604370964ee86e9317", + "rev": "5a10d2e37b6c6223763fa7c00b974875e49f93cc", "type": "github" }, "original": { 
@@ -279,13 +565,79 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "buildbot-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1721769617, + "narHash": "sha256-6Pqa0bi5nV74IZcENKYRToRNM5obo1EQ+3ihtunJ014=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "8db8970be1fb8be9c845af7ebec53b699fe7e009", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "unstable": { "locked": { - "lastModified": 1714906307, - "narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=", + "lastModified": 1721743106, + "narHash": "sha256-adRZhFpBTnHiK3XIELA3IBaApz70HwCYfv7xNrHjebA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588", + "rev": "dc14ed91132ee3a26255d01d8fd0c1f5bff27b2f", "type": "github" }, "original": { 
@@ -297,7 +649,7 @@ }, "utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_5" }, "locked": { "lastModified": 1701680307, diff --git a/flake.nix b/flake.nix index 4e23335..e89fee2 100644 --- a/flake.nix +++ b/flake.nix @@ -8,7 +8,6 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - snowfall-lib = { url = "github:snowfallorg/lib/dev"; inputs.nixpkgs.follows = "nixpkgs"; @@ -26,6 +25,9 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + buildbot-nix.url = "github:nix-community/buildbot-nix"; + # Do not override nixpkgs in buildbot-nix (see https://github.com/nix-community/buildbot-nix) + deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; @@ -52,6 +54,8 @@ systems.modules.nixos = [ inputs.agenix.nixosModules.default inputs.agenix-rekey.nixosModules.default + inputs.buildbot-nix.nixosModules.buildbot-master + inputs.buildbot-nix.nixosModules.buildbot-worker ]; deploy = lib.mkDeploy { diff --git a/modules/nixos/auxolotl/services/ci/master/default.nix b/modules/nixos/auxolotl/services/ci/master/default.nix new file mode 100644 index 0000000..754df30 --- /dev/null +++ b/modules/nixos/auxolotl/services/ci/master/default.nix 
@@ -0,0 +1,112 @@ +# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors +# +# SPDX-License-Identifier: GPL-3.0-only + +{ + lib, + pkgs, + config, + inputs, + ... +}: let + cfg = config.auxolotl.services.ci.master; +in { + options.auxolotl.services.ci.master = { + enable = lib.mkEnableOption "Enable the buildbot-nix master on this server"; + + forgeUrl = lib.mkOption { + type = lib.types.str; + default = "https://${config.auxolotl.services.forge.subdomain}.${config.auxolotl.services.forge.domain}"; + description = "The url your gitea/forgejo forge is hosted at"; + }; + + domain = lib.mkOption { + type = lib.types.str; + default = "auxolotl.org"; + description = "The domain name for the website."; + }; + + subdomain = lib.mkOption { + type = lib.types.str; + default = "builds"; + description = "The subdomain for the website."; + }; + + oauth = { + clientId = lib.mkOption { + type = lib.types.str; + description = "The client ID for your gitea/forgejo app"; + }; + clientSecretFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the client secret for your gitea/forgejo app, readable by the 'buildbot' user"; + }; + }; + + tokenFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the personal access token for your gitea/forgejo user. You should probably make a new 'ci' user for this purpose, although this is not strictly required"; + }; + + webhookSecretFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the secret for your gitea/forgejo triggering webhooks"; + }; + + databasePasswordFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the password for the buildbot postgres user"; + }; + + workersFile = lib.mkOption { + type = lib.types.str; + description = "A file containing a list of workers, passwords, etc. as JSON. 
See https://github.com/nix-community/buildbot-nix/blob/5bdbb7609689989a79f7d6e6e59c4b7985634230/examples/master.nix#L13 for an example"; + }; + }; + + config = lib.mkIf cfg.enable { + services.buildbot-nix.master = { + enable = true; + + authBackend = "gitea"; # Forgejo and gitea are similar enough to ... + + gitea = { + inherit (cfg) tokenFile webhookSecretFile; + + instanceUrl = cfg.forgeUrl; + + oauthId = cfg.oauth.clientId; + oauthSecretFile = cfg.oauth.clientSecretFile; + + topic = null; + }; + + admins = [ + "jakehamilton" + "isabelroses" + "minion" + + "AxelSilverdew" + "coded" + "srd424" + ]; + # Admins is currently Steering+Infrastructure committees + # We should consider how best to proceed with this... + + workersFile = cfg.workersFile; + buildSystems = [ pkgs.hostPlatform.system ]; + + domain = "${cfg.subdomain}.${cfg.domain}"; + useHTTPS = true; + + buildbotNixpkgs = pkgs; + + outputsPath = "/var/lib/buildbot/outputs"; + }; + + services.nginx.virtualHosts."${cfg.subdomain}.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + }; + }; +} diff --git a/modules/nixos/auxolotl/services/ci/worker/default.nix b/modules/nixos/auxolotl/services/ci/worker/default.nix new file mode 100644 index 0000000..c135bd4 --- /dev/null +++ b/modules/nixos/auxolotl/services/ci/worker/default.nix 
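Review bot: `databasePasswordFile` is declared without a default, yet nothing in the `config` block reads it, so the module advertises a secret that is never passed to `services.buildbot-nix.master`; either wire it through or delete the option. `gitea.topic = null` also needs a comment: if buildbot-nix treats null as "no topic filter", every repository the token's user can reach is built on this host, which decides whose pull requests get to run builds here. I would add `# null = build every repo the CI user can access; keep that account's access minimal` above it, or set an opt-in topic. The hard-coded `admins` list would be easier to audit as an option set per host, as the comment under it already suggests.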
@@ -0,0 +1,40 @@ +# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors +# +# SPDX-License-Identifier: GPL-3.0-only + +{ + lib, + pkgs, + config, + inputs, + ... +}: let + cfg = config.auxolotl.services.ci.worker; +in { + options.auxolotl.services.ci.worker = { + enable = lib.mkEnableOption "Enable a buildbot-nix worker on this server"; + + masterUrl = lib.mkOption { + type = lib.types.str; + description = "The master url for the buildbot worker"; + default = if config.auxolotl.services.ci.master.enable + then "tcp:host=localhost:port=9989" + else throw "auxolotl.services.ci.worker: You must either set a master URL or run a master on this server"; + }; + + workerPasswordFile = lib.mkOption { + type = lib.types.str; + description = "A file containing the password for this worker"; + }; + }; + + config = lib.mkIf cfg.enable { + services.buildbot-nix.worker = { + enable = true; + + buildbotNixpkgs = pkgs; + + inherit (cfg) masterUrl workerPasswordFile; + }; + }; +} diff --git a/secrets/generated/baxter/services.ci.master.webhookSecretFile.age b/secrets/generated/baxter/services.ci.master.webhookSecretFile.age new file mode 100644 index 0000000..810d4b1 --- /dev/null +++ b/secrets/generated/baxter/services.ci.master.webhookSecretFile.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> piv-p256 xE4ypg A70wMCisOjVzR3ug4BLjnWaiySAkBRDLS80G5F+HgP90 +5eo4VyKyOpO3s1ab5tYWrPJLp2NDoNfOLssPJz1X6sM +-> piv-p256 Hpt/+Q Ap55RMoW+ydJ/CWdY4f+dT3m+e6iKe+OJlE3ORgH5jl/ +XjwSs/jqumcvnOsfKM97NbjuKelP7bxz87fXqDajmto +-> piv-p256 zfskmQ A6uIgMEgAQONVDgcpqh935TcbNVHPdGR+a8y2fsY0dw4 +0eByad5OHK5Gap5Eq+jA5j1cWHS8q6cKvR9VKD5gXg4 +-> LOt-grease %/=M +fgFp1gevlSUjaT26jP0yiRZNh3H9IlhZtJDt61WublxpuNhISVSNSqXat86tXjOZ +iEd+ +--- 8HghOj3gAYLyGa2/z7ep5TbdSmrzhi7Bv333id6/XRY +O:&-3sQsDF<̅ fDXb.TxdR 3YBqs"Nlٚ \ No newline at end of file 
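Review bot: The `masterUrl` default evaluates to `throw` whenever no local master is enabled, so anything that renders option defaults (manual or option-list generation) can abort on this module even when the worker is disabled. Adding `defaultText = lib.literalExpression ''"tcp:host=localhost:port=9989"'';` keeps the documentation path from forcing the default, and an `assertions` entry in the `config` block would give a proper module error in place of the raw throw. The description could also mention that a `tcp:` endpoint is not encrypted, so a worker on another host should reach the master through a tunnel or a TLS endpoint.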
diff --git a/secrets/generated/baxter/services.ci.worker.workerPasswordFile.age b/secrets/generated/baxter/services.ci.worker.workerPasswordFile.age new file mode 100644 index 0000000000000000000000000000000000000000..cc74ebfbbd0ea1c8522f99003ba6b27997d9c803 GIT binary patch literal 615 zcmY+t_?BN}4Jxsik<=tM@p z>yQ?ewoP4`E{OpabVJWw1tHvCP`PY~=d5m;qwui7F$3Elaa4)1e!I$NqPn}6?qvjs zLuID1eUQ<;#OrX)$dMpsAq%n71Y}O@Va4#cKTUcIOqfbK=X8jenV6Kh6l2Qq&sp_s z9WDP^L8q(H#Mo6gnSz`4qEuG#hy6RXs9q-eC|w^X#?PkX(;~G-s%?7{|6W8OWK*G!=49 zl#?9-u6-C*t8OJ`u4)*R80Mk4R|rDj7iCJ!@m1((bQc1tY01MCI_DJ0)$~rK8(AyH zs_Aa6jjc9_HxqUv*RjI4VA_^cnwr-Tf*=jWkb2CR&MhoK)iQEtxyweZBXpb!@T>=D zK@P|PK1%EaLjSzG`sL%R=chN$9(?_cZeM<~eEFtMvF9N q&xiQ^w^yR~*VMzuzwUjYUHs?(y!i3#()G{z*0=pz`zNo>gVVq9+|!x> literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age b/secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age new file mode 100644 index 0000000..c65bcee --- /dev/null +++ b/secrets/rekeyed/baxter/24951ab2dd459b4cbdfa83ecee6517c6-services.ci.master.tokenFile.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Z9MeFA 5MtkO2R8f6CVXX4c2n3BOiAMzExUSwfm4u+TQIHamEg +i3SUH1s0UYAUhfZmCkrBw7BN5NTTtQIwGl0ITQht0XM +-> [[E3wgE-grease xW^ t/4SAoK@ +8dSbS93buyIBRyWFPg +--- 4ySt+P89sGFFAdDieoRwozA/Hsq+FqA2wWNcMwQ3a74 +TTUV+E{YDLM_.P$y^mO͚S(S;TgN(N aT Q \ No newline at end of file 
diff --git a/secrets/rekeyed/baxter/58a73a00f6ce9881f5206f8ab350466b-services.ci.master.oauth.clientSecretFile.age b/secrets/rekeyed/baxter/58a73a00f6ce9881f5206f8ab350466b-services.ci.master.oauth.clientSecretFile.age new file mode 100644 index 0000000000000000000000000000000000000000..1422b169d59237e3149a2a2965f0183f1fa0a73f GIT binary patch literal 433 zcmV;i0Z#s5XJsvAZewzJaCB*JZZ23)QcVSC5V>NYiW@c_vVKPH%YG_SEQE_;0Gj9rVH*+{KS1@R7 zdP-4KQ*>fSNK{i}aZ^iUQg=6DZdNiuO?gdHQ8HpkMokJWJ|IwYFl-c`sINVOnNqLO5z!QhHBCO>PQVYcvWiEiE8ucr|i3 zVn#(XYHV|NMR;sWQgTE$WMp<|WHxGbN_k01RC0AqFmi1+N^=T>Q2>BS#)qCJzTG!{ zVu#ypVLR*gvpv^w34lQZrg8~;t3#-sso=xT-6ND2>rO&4yuz9NkZwIr2p(0{@F&N3 b{ ssh-ed25519 Z9MeFA 3AdBBzRTHv35vrflVzH1z/8YV5SJykizTzOtKOgucRI +eU/l9cWEF9ix2fK8YqqlHuBdJdISERVVZAdRnAXfKFA +-> Cf*79d-grease +Mft5A1hDcFzr+nA1uE6kNLlN26I +--- HkABm597GfKIRwYRHvYV6tCoFeiNN3tAEEgnctlGCo8 +x^qc73^јNZHh?8GӔTw]y,Q8H xVG+O$y \ No newline at end of file diff --git a/secrets/rekeyed/baxter/9ffbe2a747e0bcdc4d670cf7d47d3575-services.ci.master.workersFile.json.age b/secrets/rekeyed/baxter/9ffbe2a747e0bcdc4d670cf7d47d3575-services.ci.master.workersFile.json.age new file mode 100644 index 0000000000000000000000000000000000000000..02eb3a862a2caffc36004a79ffb6c113d738e46f GIT binary patch literal 351 zcmV-l0igb2XJsvAZewzJaCB*JZZ2cyl#+Z&yTFa&|IHcSU1$Pee5_S}{>8Woc(CQ+ID-F-KxrcQ6V>X)i-HQ&mt* zRxv_DOm9bNHfb_uXLU|daY0owS8G{oZDdbaWKB16FG&h5J|IPXVSXgE^Y-&?xPhodE>N^ff~ zP(yNaRxe>sSSvX(R&ZlM3f%zy-IJ)~q1X^-U#)~8Y5+(Hp!LNK!ti)TDM({-E6EG0 z*DY_<65Kr7|6k>6H&aAKBbs xb5U`_f|S4K@VMRQlxg3qJbpLp2Anoff&xL%nmgpYanw;7zvkyN}EiID&R literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age b/secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age new file mode 100644 index 0000000..df80bfa --- /dev/null +++ b/secrets/rekeyed/baxter/be4852d28a22f490934108662e4718f4-services.ci.worker.workerPasswordFile.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Z9MeFA EOHfjGuxu4lGCf1BVX4yI6GEULyMjqgijUjozsNxCnk +9cT0bTKNP73guNnwSmDVn+gSZwnF4Wweq4DlvHdWUkA +-> )|AUL?-grease +&*1J$ uR@9HO ,nfE ULx2MW"l +7Z3ZhFGj/dlmd6s1W2AESyALUeslyMrLiVN6X+Uo8w +--- 2i6p/11kcpcMhZUItUPfqCUp+9ykJq+T4mGg1oYw7gE +$w4؎r}(1hue&f>40G\D.%<&dK\ \ No newline at end of file diff --git a/systems/x86_64-linux/baxter/default.nix b/systems/x86_64-linux/baxter/default.nix index 3841c2a..5f754c8 100644 --- a/systems/x86_64-linux/baxter/default.nix +++ b/systems/x86_64-linux/baxter/default.nix @@ -46,8 +46,49 @@ services = { ssh.enable = true; forge.enable = true; + + ci = { + master = { + enable = true; + + tokenFile = config.age.secrets."services.ci.master.tokenFile".path; + webhookSecretFile = config.age.secrets."services.ci.master.webhookSecretFile".path; + oauth = { + clientId = "76e70591-79a6-4a2f-8319-317f46800519"; + clientSecretFile = config.age.secrets."services.ci.master.oauth.clientSecretFile".path; + }; + + workersFile = config.age.secrets."services.ci.master.workersFile.json".path; + }; + worker = { + enable = true; + workerPasswordFile = config.age.secrets."services.ci.worker.workerPasswordFile".path; + }; + }; }; }; + age.secrets."services.ci.master.tokenFile" = { + rekeyFile = ./services.ci.master.tokenFile.age; + group = "buildbot"; + }; + age.secrets."services.ci.master.webhookSecretFile" = { + generator.script = "alnum"; + group = "buildbot"; + }; + age.secrets."services.ci.master.oauth.clientSecretFile" = { + rekeyFile = ./services.ci.master.oauth.clientSecretFile.age; + group = "buildbot"; + }; + age.secrets."services.ci.master.workersFile.json" = { + rekeyFile = ./services.ci.master.workersFile.json.age; + group = "buildbot"; + }; + + age.secrets."services.ci.worker.workerPasswordFile" = { + generator.script = "alnum"; + group = "buildbot"; + }; + system.stateVersion = "23.11"; } 
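Review bot: Each of the five `age.secrets.*` declarations at the end of the `default.nix` hunk sets `group = "buildbot"` but leaves `mode` unset, and agenix defaults to mode `0400` with owner root, so the group gets no read access unless a default is overridden elsewhere (for example in the secrets module this commit adds, which is outside this hunk). If the buildbot services are meant to read these paths directly, add `mode = "0440";` to each declaration; if the `services.ci` module instead loads them as root or through systemd credentials, drop `group` so the declarations do not imply access that is not granted. Separately, `services.ci.worker.workerPasswordFile` comes from `generator.script = "alnum"` while `services.ci.master.workersFile.json` is a hand-encrypted `rekeyFile` that presumably has to carry the same password, so a comment such as `# keep in sync with services.ci.master.workersFile.json when regenerated` on the worker secret would help. The enclosing module begins before the hunk, so this is judged from the visible lines only.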
diff --git a/systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age b/systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age new file mode 100644 index 0000000..1c09e17 --- /dev/null +++ b/systems/x86_64-linux/baxter/services.ci.master.oauth.clientSecretFile.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> piv-p256 xE4ypg A+D0j6/XAOWgbzbOKKNX3IaA0RCZSYG1lWXNL7ErYKjh +p3kgqbWj5T0D1pbStNRjHpKPbv4sMvrHXDpBk5Ym8LE +-> piv-p256 Hpt/+Q AgIoOHkn/1EJRoaMHTVR2nO2ub1F2UoRjYaJIpmvXzty +tGfVG9kUG94wZSwwkFEcJK6ehvaHHUVa1eJBXjyQnW4 +-> piv-p256 zfskmQ AhG7AZlLuJ2JwfojMJIZKAjGlgUgssK2JlsBjcAkdehP +Yr8a6Cx7S08KBYkbTYoPHAROllXvGsMkS1lKv+3cP4I +-> D^7VNXi7-grease C !pw j +nIH+2iyF2LotQqzFroxVIgeFVnvMjYhsO27Egb7UU/zavBgrY2Grc30v3AptjT2j +I4q23DfwVcU5OYXq4HYHnC4zwKI +--- XOlDFARRpwZ/ew4vOTsDt5dkAfTNNfmVKfVB+2fGwHE +.a-.= c9:P7d96 1 b;24f!nCFjJm׫rwt%F{QI  \ No newline at end of file diff --git a/systems/x86_64-linux/baxter/services.ci.master.tokenFile.age b/systems/x86_64-linux/baxter/services.ci.master.tokenFile.age new file mode 100644 index 0000000..e8c3dd7 --- /dev/null +++ b/systems/x86_64-linux/baxter/services.ci.master.tokenFile.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 xE4ypg Ags6YIwJfw361Tg6pfdxGUZDDegofZk+xIPWpEbSps02 +oSq4ycmqQjeYrnBDAb1PyK8KnWySOyukcvhS8OXW82A +-> piv-p256 Hpt/+Q AgvQ2nuF4CELPs7L9OJEeoXk2TpPLNWkQ8TYrZIyJiZ3 +KFkj1om15tbZVCM1zmG7/zjhJSGwRDSP5wfB+9HuBP4 +-> piv-p256 zfskmQ A551KXlyYGw0E4X3VUSnyPEdXdEIcQBoLFbf4yoc2pEF +JEheQDNOFweKrO8AfKyS2acuzpN77g/qwdHJzWXzUew +-> 6U;sLGZs-grease 6 +Ug2KSn6pQ5KWyTb7A3l/dN3G8C9v3QlJp4PXzw +--- 8jZf5hxeOQO2fk9vafkEkpAlHEXKO/EZIrP0YkLkI+4 +(Kwk`ލ.Qv{q <|rDIoϮnZQlj#46lZ"UF2Y! \ No newline at end of file 
diff --git a/systems/x86_64-linux/baxter/services.ci.master.workersFile.json.age b/systems/x86_64-linux/baxter/services.ci.master.workersFile.json.age new file mode 100644 index 0000000000000000000000000000000000000000..682cd66ef342037db52552fb23cc065571570e80 GIT binary patch literal 658 zcmY+;%WKnc003YG4;s+J#NrNOrVfNqo8Q``EvS(6m85yBk2LK>FiF#_&Dy-$qzN({ zf)_=-$n@k6D(Jz3O!VYIyr`QBJLnLn7e&OAg0F*f9`_e~pR8+9t*1JH)o+`HIH`)CtyYp6#>x_p@j{Iwhn`WcsUcv>Wf2uSiL@#z z9EAC7p7fa@SN0^-k)>uaEZS8L2?s1w;S+`4pc&wqDxQ7FK*A&9oxDUd22(I3y6o$CCD6e%lBKi>oWMw)H-s3?lN!Wg z?PObV2a`BkMr(*Y0C5 zCQzm+1`RfD^#-_H?@Z`O3=gOnT}rWnO8X5&9cFT9N{6D+C@fP6%qICx#sgGWZe*Bh zCYh5;UYLkyZAG`^O%_y#LLgWT=)8+9V zL$A+1nIC^Tf8g1^yRrAD)~;R~jjYTq?Tsk2M~QmDwO7$M_l`X{`DgCNHYIqs>r&*( F!+&CE>~8=7 literal 0 HcmV?d00001 -- 2.45.2