infra/secrets.nix

let
  keys = import common/ssh-keys.nix;

  commonKeys = keys.users.delroth ++ keys.users.raito;

  secrets = with keys; {
    hydra-postgres-key = [ machines.build-coord ];
    hydra-s3-credentials = [ machines.build-coord ];
    hydra-signing-priv = [ machines.build-coord ];
    hydra-ssh-key-priv = [ machines.build-coord ];

    netbox-environment = [ machines.meta01 ];
    mimir-environment = [ machines.meta01 ];
    mimir-webhook-url = [ machines.meta01 ];
    grafana-oauth-secret = [ machines.meta01 ];
    loki-environment = [ machines.meta01 ];
    gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
    pyroscope-secrets = [ machines.meta01 ];
    tempo-environment = [ machines.meta01 ];

    buildbot-worker-password = [ machines.buildbot ];
    buildbot-oauth-secret = [ machines.buildbot ];
    buildbot-workers = [ machines.buildbot ];
    # Private SSH key to Gerrit
    # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
    buildbot-service-key = [ machines.buildbot ];
    # Signing key for Buildbot's specific cache
    buildbot-signing-key = [ machines.buildbot ];
    buildbot-remote-builder-key = [ machines.buildbot ];

    # These are the same password, but nginx wants it in htpasswd format
    metrics-push-htpasswd = [ machines.meta01 ];
    metrics-push-password = builtins.attrValues machines;

    ows-deploy-key = [ machines.gerrit01 ];
    s3-channel-staging-keys = [ machines.gerrit01 ];
    s3-channel-keys = [ machines.gerrit01 ];

    postgres-ca-priv = [ machines.bagel-box ];
    postgres-tls-priv = [ machines.bagel-box ];

    newsletter-secrets = [ machines.public01 ];
    s3-revproxy-api-keys = [ machines.public01 ];
  };
in
  builtins.listToAttrs (
    map (secretName: {
      name = "secrets/${secretName}.age";
      value.publicKeys = secrets."${secretName}" ++ commonKeys;
    }) (builtins.attrNames secrets)
  )
-												infra: add agenix, add s3 credentials

											
										
										
											2024-06-24 16:03:07 +00:00
+								let
 								  keys = import common/ssh-keys.nix;
-												ssh-keys: add raito to secrets set

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-07-09 22:59:17 +00:00
+								  commonKeys = keys.users.delroth ++ keys.users.raito;
-												infra: add agenix, add s3 credentials

											
										
										
											2024-06-24 16:03:07 +00:00
 								  secrets = with keys; {
-												hydra: move from bagel-box to build-coord

											
										
										
											2024-08-16 06:52:56 +00:00
+								    hydra-postgres-key = [ machines.build-coord ];
 								    hydra-s3-credentials = [ machines.build-coord ];
 								    hydra-signing-priv = [ machines.build-coord ];
 								    hydra-ssh-key-priv = [ machines.build-coord ];
-												postgres: add mTLS support

New client certs can be minted via the provided script, which is meant
to be run on the postgres server (where the CA private key is
conveniently deployed).

											
										
										
											2024-08-16 05:59:12 +00:00
-												hotfix: hot bagel on secrets (netbox)

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-07-04 11:51:14 +00:00
+								    netbox-environment = [ machines.meta01 ];
-												Add Grafana/Prometheus/Mimir minimal setup

More later, Loki also later.

											
										
										
											2024-07-05 11:25:27 +00:00
+								    mimir-environment = [ machines.meta01 ];
-												Set up alertmanager-hookshot-adapter

											
										
										
											2024-07-09 09:10:28 +00:00
+								    mimir-webhook-url = [ machines.meta01 ];
-												Add Grafana/Prometheus/Mimir minimal setup

More later, Loki also later.

											
										
										
											2024-07-05 11:25:27 +00:00
+								    grafana-oauth-secret = [ machines.meta01 ];
-												Add Loki + Promtail setup

											
										
										
											2024-07-05 14:20:22 +00:00
+								    loki-environment = [ machines.meta01 ];
-												secrets: add gerrit-prometheus-bearer-token

											
										
										
											2024-07-13 18:10:29 +00:00
+								    gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
-												feat(pyroscope): add secrets and storage

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-08-23 18:19:55 +00:00
+								    pyroscope-secrets = [ machines.meta01 ];
-												Set up tempo

											
										
										
											2024-08-31 12:05:30 +00:00
+								    tempo-environment = [ machines.meta01 ];
-												feat(pyroscope): add secrets and storage

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-08-23 18:19:55 +00:00
-												services/buildbot: init

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-07-17 13:43:29 +00:00
+								    buildbot-worker-password = [ machines.buildbot ];
 								    buildbot-oauth-secret = [ machines.buildbot ];
 								    buildbot-workers = [ machines.buildbot ];
 								    # Private SSH key to Gerrit
 								    # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
 								    buildbot-service-key = [ machines.buildbot ];
 								    # Signing key for Buildbot's specific cache
 								    buildbot-signing-key = [ machines.buildbot ];
-												buildbot: add support for remote builders via baremetal machines

For now, only builder-3 is used.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-07-17 16:18:59 +00:00
+								    buildbot-remote-builder-key = [ machines.buildbot ];
-												services/buildbot: init

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-07-17 13:43:29 +00:00
-												Add Loki + Promtail setup

											
										
										
											2024-07-05 14:20:22 +00:00
+								    # These are the same password, but nginx wants it in htpasswd format
-												Metrics fixups

- fix grafana-agent config format
- rekey metrics-push-password for fodwatch

											
										
										
											2024-07-08 07:01:25 +00:00
+								    metrics-push-htpasswd = [ machines.meta01 ];
 								    metrics-push-password = builtins.attrValues machines;
-												gerrit01: add a one-way-sync service

It's basic and does not handle conflicts which needs to be manually
managed.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-07-04 13:18:21 +00:00
 								    ows-deploy-key = [ machines.gerrit01 ];
-												feat(nixpkgs): run oxidized channel scripts

We don't need weird Perl scripts where we are going. Here's a streaming
channel-scripts deployment with plenty of bells, including OTLP.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-08-01 22:33:42 +00:00
+								    s3-channel-staging-keys = [ machines.gerrit01 ];
 								    s3-channel-keys = [ machines.gerrit01 ];
-												postgres: add mTLS support

New client certs can be minted via the provided script, which is meant
to be run on the postgres server (where the CA private key is
conveniently deployed).

											
										
										
											2024-08-16 05:59:12 +00:00
 								    postgres-ca-priv = [ machines.bagel-box ];
 								    postgres-tls-priv = [ machines.bagel-box ];
-												feat(public): add listmonk instance on news.forkos.org

To prepare for public communications and updates.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-08-21 14:27:00 +00:00
 								    newsletter-secrets = [ machines.public01 ];
-												feat(secrets): add s3 reverse proxy API keys

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

											
										
										
											2024-08-30 22:19:49 +00:00
+								    s3-revproxy-api-keys = [ machines.public01 ];
-												infra: add agenix, add s3 credentials

											
										
										
											2024-06-24 16:03:07 +00:00
+								  };
 								in
 								  builtins.listToAttrs (
 								    map (secretName: {
 								      name = "secrets/${secretName}.age";
 								      value.publicKeys = secrets."${secretName}" ++ commonKeys;
 								    }) (builtins.attrNames secrets)
 								  )