the-distro/infra
9
0
Fork 5
Code Issues 39 Pull requests 8 Packages Projects 1 Releases Wiki Activity

infra: add agenix, add s3 credentials

Browse source
This commit is contained in:
Pierre Bourdon 2024-06-24 18:03:07 +02:00
parent 78293ae532
commit 04bd33e32c
Signed by: delroth
GPG key ID: 6FB80DCD84DA0F1C
6 changed files with 119 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
common/ssh-keys.nix Normal file
View file

@ -0,0 +1,5 @@
{
machines.bagel-box = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7jmkJ73tx9lsrz9UhqJIJdoqZGuhsHti55xny5/yp";
users.delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
}

82
flake.lock
View file

@ -1,5 +1,28 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1718371084,
"narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "3a56735779db467538fb2e577eda28a9daacaca6",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"colmena": { "colmena": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
@ -23,6 +46,28 @@
"type": "github" "type": "github"
} }
}, },
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -70,6 +115,27 @@
"type": "github" "type": "github"
} }
}, },
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"hydra": { "hydra": {
"inputs": { "inputs": {
"nix": "nix", "nix": "nix",
@ -182,6 +248,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"colmena": "colmena", "colmena": "colmena",
"hydra": "hydra", "hydra": "hydra",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
@ -202,6 +269,21 @@
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

4
flake.nix
View file

@ -4,6 +4,9 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
colmena.url = "github:zhaofengli/colmena"; colmena.url = "github:zhaofengli/colmena";
colmena.inputs.nixpkgs.follows = "nixpkgs"; colmena.inputs.nixpkgs.follows = "nixpkgs";
@ -20,6 +23,7 @@
bagel-box = { bagel-box = {
imports = [ imports = [
inputs.agenix.nixosModules.default
inputs.hydra.nixosModules.hydra inputs.hydra.nixosModules.hydra
./services ./services

15
secrets.nix Normal file
View file

@ -0,0 +1,15 @@
let
keys = import common/ssh-keys.nix;
commonKeys = keys.users.delroth;
secrets = with keys; {
hydra-s3-credentials = [ machines.bagel-box ];
};
in
builtins.listToAttrs (
map (secretName: {
name = "secrets/${secretName}.age";
value.publicKeys = secrets."${secretName}" ++ commonKeys;
}) (builtins.attrNames secrets)
)

8
secrets/hydra-s3-credentials.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 zI09CQ IfOmA+uPS3mNQHx/8XG6Hh+GLsfUUXQPA9x6+9Aw7jg
5iNgA/ImRbbEYgMysQtj4sYpJfZMtj79Yj+41bckrj4
-> ssh-ed25519 K3b7BA wtps2j28He4oR5d/rCTNy7INSq0xlm27YO6h5ANf7Xs
YdiMBtKw6G+NiqwaN3jAugDT1Q0zo6Cvjiph6zkIUMg
--- xAU32CtSvaWLKOKwh9dv97ZWCot4eeMO1+0RsQo8hIA
ˆsÁ°¬Cw
LYڹѩjС&‰õÙNøhÿÛNê”  Ã>àÎ kßâNÊÛO_ÿJòþ»Œªå<1E>aˆ¢àÜ4IÑûºìtÓtÐÙK ?RÚÆWX¾4Iþ&)“<>Á^2Þ NÚüvGvFÀŒÐbDMªÄ˜(k(Aèº\V&kaF•'<27>´‰:a%Œk7Êíí!…9Q¾oÈ®k·Dïíñ

6
services/hydra/default.nix
View file

@ -47,7 +47,7 @@ in {
endpoint = "s3.delroth.net"; endpoint = "s3.delroth.net";
region = "garage"; region = "garage";
secret-key = "TODO"; #secret-key = "TODO";
compression = "zstd"; compression = "zstd";
log-compression = "br"; log-compression = "br";
@ -73,6 +73,10 @@ in {
''; '';
}; };
age.secrets."hydra-s3-credentials".file = ../../secrets/hydra-s3-credentials.age;
systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile =
config.age.secrets."hydra-s3-credentials".path;
services.nginx = { services.nginx = {
enable = true; enable = true;
enableReload = true; enableReload = true;