From 04bd33e32cb4cff570b106920bd7df1a2ca3ee2e Mon Sep 17 00:00:00 2001
From: Pierre Bourdon
Date: Mon, 24 Jun 2024 18:03:07 +0200
Subject: [PATCH] infra: add agenix, add s3 credentials
---
common/ssh-keys.nix | 5 ++
flake.lock | 82 ++++++++++++++++++++++++++++++++
flake.nix | 4 ++
secrets.nix | 15 ++++++
secrets/hydra-s3-credentials.age | 8 ++++
services/hydra/default.nix | 6 ++-
6 files changed, 119 insertions(+), 1 deletion(-)
create mode 100644 common/ssh-keys.nix
create mode 100644 secrets.nix
create mode 100644 secrets/hydra-s3-credentials.age
diff --git a/common/ssh-keys.nix b/common/ssh-keys.nix
new file mode 100644
index 0000000..9310d4d
--- /dev/null
+++ b/common/ssh-keys.nix
@@ -0,0 +1,5 @@
+{
+ machines.bagel-box = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7jmkJ73tx9lsrz9UhqJIJdoqZGuhsHti55xny5/yp";
+
+ users.delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
+}
diff --git a/flake.lock b/flake.lock
index 937c1ac..6a5cc60 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,28 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1718371084, + "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=", + "owner": "ryantm", + "repo": "agenix", + "rev": "3a56735779db467538fb2e577eda28a9daacaca6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat",
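Review bot: common/ssh-keys.nix gives no hint that its two attribute sets serve different purposes, so a reader could add a personal key under `machines` or a host key under `users` without anything flagging it. From the way secrets.nix consumes them, `machines.bagel-box` is presumably the host's SSH public key (the recipient agenix decrypts with on that machine at activation) and `users.delroth` holds admin keys used for editing and rekeying — confirm before writing it down. A two-line header such as `# machines.<host>: SSH host public key, the age recipient for secrets deployed to that host` and `# users.<name>: admin SSH public keys, added as recipients of every secret (see secrets.nix)` would settle it.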
@@ -23,6 +46,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": {
@@ -70,6 +115,27 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "hydra": { "inputs": { "nix": "nix",
@@ -182,6 +248,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "colmena": "colmena", "hydra": "hydra", "nixpkgs": "nixpkgs"
@@ -202,6 +269,21 @@ "repo": "nixpkgs", "type": "github" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index a80cea6..6a20c8d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,9 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ agenix.url = "github:ryantm/agenix";
+ agenix.inputs.nixpkgs.follows = "nixpkgs";
+
 colmena.url = "github:zhaofengli/colmena";
 colmena.inputs.nixpkgs.follows = "nixpkgs";
@@ -20,6 +23,7 @@
 bagel-box = {
 imports = [
+ inputs.agenix.nixosModules.default
 inputs.hydra.nixosModules.hydra
 ./services
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..f42454c
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,15 @@
+let
+ keys = import common/ssh-keys.nix;
+
+ commonKeys = keys.users.delroth;
+
+ secrets = with keys; {
+ hydra-s3-credentials = [ machines.bagel-box ];
+ };
+in
+ builtins.listToAttrs (
+ map (secretName: {
+ name = "secrets/${secretName}.age";
+ value.publicKeys = secrets."${secretName}" ++ commonKeys;
+ }) (builtins.attrNames secrets)
+ )
diff --git a/secrets/hydra-s3-credentials.age b/secrets/hydra-s3-credentials.age
new file mode 100644
index 0000000..ccd038a
--- /dev/null
+++ b/secrets/hydra-s3-credentials.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 zI09CQ IfOmA+uPS3mNQHx/8XG6Hh+GLsfUUXQPA9x6+9Aw7jg
+5iNgA/ImRbbEYgMysQtj4sYpJfZMtj79Yj+41bckrj4
+-> ssh-ed25519 K3b7BA wtps2j28He4oR5d/rCTNy7INSq0xlm27YO6h5ANf7Xs
+YdiMBtKw6G+NiqwaN3jAugDT1Q0zo6Cvjiph6zkIUMg
+--- xAU32CtSvaWLKOKwh9dv97ZWCot4eeMO1+0RsQo8hIA
+sCw +LYڹѩjС&NhN > kNO_Ja4IttK ?RWX4I&)^2 NvGvFbDMĘ(k(A\V&kaF':a%k7!9QoȮkD \ No newline at end of file
diff --git a/services/hydra/default.nix b/services/hydra/default.nix
index e98f6cc..63b25b1 100644
--- a/services/hydra/default.nix
+++ b/services/hydra/default.nix
@@ -47,7 +47,7 @@ in {
 endpoint = "s3.delroth.net";
 region = "garage";
- secret-key = "TODO";
+ #secret-key = "TODO";
 compression = "zstd";
 log-compression = "br";
@@ -73,6 +73,10 @@ in {
 '';
 };
+ age.secrets."hydra-s3-credentials".file = ../../secrets/hydra-s3-credentials.age;
+ systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile =
+ config.age.secrets."hydra-s3-credentials".path;
+
 services.nginx = {
 enable = true;
 enableReload = true;
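Review bot: The `++ commonKeys` on the `value.publicKeys` line makes every key in `keys.users.delroth` a recipient of every secret, which is a deliberate policy but one secrets.nix never states; a comment above `secrets` should say so, e.g. `# Every secret is encrypted to the listed machine host keys plus all admin user keys (commonKeys), so admins can edit/rekey any secret without a host.` The attribute name is also load-bearing: `secrets/${secretName}.age` must match the path that services/hydra/default.nix references, so the same comment could note that the attribute key doubles as the file name under secrets/. Lastly, `with keys;` pulls `machines` into scope implicitly; writing `keys.machines.bagel-box` would keep the lookup explicit at no cost.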
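Review bot: `#secret-key = "TODO";` leaves dead, commented-out configuration in the store settings rather than explaining where the credential went; either delete the line or replace it with a comment pointing at the new source, e.g. `# S3 credentials are injected via EnvironmentFile from age.secrets.hydra-s3-credentials, not set here`. The enclosing attribute set begins before this hunk, so it is not visible whether an `access-key` entry remains inline and should move into the same secret.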
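Review bot: The new `age.secrets."hydra-s3-credentials"` line does not document what the encrypted file has to contain, and since the .age blob is opaque in the repo nothing else tells a maintainer that it must be in systemd EnvironmentFile syntax (`KEY=value` per line) or which S3 credential variable names the queue runner's store expects. A comment such as `# EnvironmentFile-format (KEY=value); must define the S3 access/secret key variables used by the queue runner's store config` on that line would fix it. Relying on agenix's default ownership (root, mode 0400) is correct here because systemd reads EnvironmentFile as root before the unit drops to the hydra user, which is worth stating too so nobody later loosens the mode for the hydra user. Note that only hydra-queue-runner receives the credentials; if other Hydra units also talk to this store they get nothing from this change — presumably intended, but worth a word.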