hydra: provide S3 and SSH credentials (via agenix)

This commit is contained in:
Pierre Bourdon 2024-06-24 20:59:19 +02:00
parent 04bd33e32c
commit 73aecaef41
Signed by: delroth
GPG key ID: 6FB80DCD84DA0F1C
3 changed files with 13 additions and 2 deletions


@ -5,6 +5,7 @@ let
secrets = with keys; { secrets = with keys; {
hydra-s3-credentials = [ machines.bagel-box ]; hydra-s3-credentials = [ machines.bagel-box ];
hydra-ssh-key-priv = [ machines.bagel-box ];
}; };
in in
builtins.listToAttrs ( builtins.listToAttrs (

Binary file not shown.


@ -20,6 +20,11 @@ in {
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/cache/hydra 0755 hydra hydra - -" "d /var/cache/hydra 0755 hydra hydra - -"
"d ${narCacheDir} 0755 hydra hydra 1d -" "d ${narCacheDir} 0755 hydra hydra 1d -"
@ -42,6 +47,12 @@ in {
notificationSender = "bagel@delroth.net"; notificationSender = "bagel@delroth.net";
buildMachinesFiles = [
(pkgs.writeText "hydra-builders.conf" ''
ssh://bagel-builder@epyc.infra.newtype.fr x86_64-linux ${config.age.secrets.hydra-ssh-key-priv.path} 8 1 big-parallel,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUJwcFBwKzhsdDFSTDNodW5aaGlXRUUvY1laaHJXYjFzaVhKVWpiU2l6Rzggcm9vdEBlcHljCg==
'')
];
extraConfig = '' extraConfig = ''
store_uri = s3://bagel-cache?${mkCacheSettings { store_uri = s3://bagel-cache?${mkCacheSettings {
endpoint = "s3.delroth.net"; endpoint = "s3.delroth.net";
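Review bot: The builder record on the added `ssh://bagel-builder@epyc…` line is a positional Hydra machines-file entry whose columns and trailing base64 blob are not explained anywhere in the module, so a maintainer cannot tell that the last field pins the builder's SSH host key. I would put two comment lines above `(pkgs.writeText "hydra-builders.conf" ''`: `# Columns: uri systems ssh-key max-jobs speed-factor supported-features mandatory-features base64(public host key)` and `# The host key pins epyc's SSH identity; update it if that host's key is rotated.` Separately, and hedged because the module default is not visible here, setting `buildMachinesFiles` explicitly appears to replace the NixOS default that points at `/etc/nix/machines`, so any builders declared through `nix.buildMachines` would no longer be used by Hydra — worth a one-line comment if that is intended. The enclosing `config = lib.mkIf cfg.enable { … }` set starts in the first hunk of this file and continues past this one.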
@ -73,9 +84,8 @@ in {
''; '';
}; };
age.secrets."hydra-s3-credentials".file = ../../secrets/hydra-s3-credentials.age;
systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile = systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile =
config.age.secrets."hydra-s3-credentials".path; config.age.secrets.hydra-s3-credentials.path;
services.nginx = { services.nginx = {
enable = true; enable = true;