From 73aecaef414f15f7b6bd924192913925c5fe846f Mon Sep 17 00:00:00 2001 From: Pierre Bourdon Date: Mon, 24 Jun 2024 20:59:19 +0200 Subject: [PATCH] hydra: provide S3 and SSH credentials (via agenix) --- secrets.nix | 1 + secrets/hydra-ssh-key-priv.age | Bin 0 -> 733 bytes services/hydra/default.nix | 14 ++++++++++++-- 3 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 secrets/hydra-ssh-key-priv.age diff --git a/secrets.nix b/secrets.nix index f42454c..d2977b6 100644 --- a/secrets.nix +++ b/secrets.nix @@ -5,6 +5,7 @@ let secrets = with keys; { hydra-s3-credentials = [ machines.bagel-box ]; + hydra-ssh-key-priv = [ machines.bagel-box ]; }; in builtins.listToAttrs ( diff --git a/secrets/hydra-ssh-key-priv.age b/secrets/hydra-ssh-key-priv.age new file mode 100644 index 0000000000000000000000000000000000000000..298c9ff3b2ac25a1fa9d26e963b23b0f1471c840 GIT binary patch literal 733 zcmV<30wVokXJsvAZewzJaCB*JZZ2L-IFkvx9GEQ1FR$@X|GC65+X;^eIZg_Wfc42gSWkCupJ|J^*Xf0)AGBq_ZIUq|j zVmCrTAaFu(SWi?#R82x!Zc{+*7-8Tt*?@!PjM9w8vDM$IW@T*QUGrD?QEv6bdb>Bqy!5k;pC1}F3 z&jvK^cF=Gm=eLRR_W5w?1w_;~S*8}Gdd`~d^19EJd+So?9MV%7b)f&yj9cc5q^Ml* zw3q3m;gecWgT-FX5#54-spO`|ZniaQl+3HR4(07J%uq!rHPJEo=(?-Cnl-S9$&YGR z@b%k4J0(L%?p{W{Z8vJNb7)c~z1lYitJ~@aSzNexF#H8pkj~ZM3(ih$;dwj% zm|*PK_!XXPQhI57MK24zh8TQU>{vJiPg9YLr?c?>H74`0aqJH4&1Q@L*}2?fx6z;P z)LxIW*R-n*fL@=60NuaPMetnz}u$l9t>6r$m)sH>rs1McsSI6mM zh9_E{KWbE4$=Dz*Z=fm)RoX4~8VU~7hUnO*Oy)VB?RO~SI6XL@?vRac@%1(r>8`-4 PD>T|7S0sNavo?L+d<;r1 literal 0 HcmV?d00001 diff --git a/services/hydra/default.nix b/services/hydra/default.nix index 63b25b1..7e69c4a 100644 --- a/services/hydra/default.nix +++ b/services/hydra/default.nix 
@@ -20,6 +20,11 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
+
+    age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
+    age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
+
     systemd.tmpfiles.rules = [
       "d /var/cache/hydra 0755 hydra hydra - -"
       "d ${narCacheDir} 0755 hydra hydra 1d -"
@@ -42,6 +47,12 @@ in {
 
       notificationSender = "bagel@delroth.net";
 
+      buildMachinesFiles = [
+        (pkgs.writeText "hydra-builders.conf" ''
+          ssh://bagel-builder@epyc.infra.newtype.fr x86_64-linux ${config.age.secrets.hydra-ssh-key-priv.path} 8 1 big-parallel,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUJwcFBwKzhsdDFSTDNodW5aaGlXRUUvY1laaHJXYjFzaVhKVWpiU2l6Rzggcm9vdEBlcHljCg==
+        '')
+      ];
+
       extraConfig = ''
         store_uri = s3://bagel-cache?${mkCacheSettings {
           endpoint = "s3.delroth.net";
@@ -73,9 +84,8 @@ in {
       '';
     };
 
-    age.secrets."hydra-s3-credentials".file = ../../secrets/hydra-s3-credentials.age;
     systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile =
-      config.age.secrets."hydra-s3-credentials".path;
+      config.age.secrets.hydra-s3-credentials.path;
 
     services.nginx = {
       enable = true;
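Review bot: The two `age.secrets.hydra-ssh-key-priv.*` lines at the top of the first hunk would read better as a single attribute set, `age.secrets.hydra-ssh-key-priv = { owner = "hydra-queue-runner"; file = ../../secrets/hydra-ssh-key-priv.age; };`, which keeps owner and file together if a `group` or `mode` is added later. Leaving `mode` unset looks correct here, since agenix defaults secrets to owner-read-only (0400), so only the queue-runner user can read the private key; a one-line comment such as `# 0400 by default: readable only by hydra-queue-runner` would record that this is intentional. The `hydra-s3-credentials` secret keeping the root owner matches its use as a systemd `EnvironmentFile` in the last hunk, which is read by the service manager rather than the service user. The enclosing `config = lib.mkIf cfg.enable {` set continues past the end of the hunk.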
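Review bot: The build-machine line written into `hydra-builders.conf` in the second hunk is a run of undocumented positional fields (`8 1 big-parallel,kvm,nixos-test - <base64>`), so a reader cannot tell which number is the job limit and what the trailing blob is. I would add, above `buildMachinesFiles`, the comments `# Nix machines format: uri system sshKeyPath maxJobs speedFactor supportedFeatures mandatoryFeatures base64(host pubkey)` and `# Only the agenix runtime *path* of the private key goes into the store file; the key itself never enters the Nix store`, the second because `pkgs.writeText` otherwise looks like it is baking a secret into a world-readable store path. The trailing field pins the builder's public host key, which as I understand it is what lets the queue runner reject a spoofed builder; a comment naming the host it belongs to (`# pinned host key of epyc.infra.newtype.fr; update this line if that host key is rotated`) turns a future rotation into a deliberate edit rather than an unexplained connection failure. The `services.hydra` attribute set this hunk edits starts and ends outside the hunk.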