From c33326f836d2785fab3376f982edef994a5e7611 Mon Sep 17 00:00:00 2001
From: Pierre Bourdon
Date: Fri, 16 Aug 2024 08:19:18 +0200
Subject: [PATCH] hydra: switch to using mTLS instead of local peer auth
---
 hosts/bagel-box/default.nix | 1 -
 secrets.nix | 1 +
 secrets/hydra-postgres-key.age | 20 ++++++++++++++++++++
 services/hydra/default.nix | 26 +++++++++++++++++++-------
 services/hydra/postgres.crt | 12 ++++++++++++
 5 files changed, 52 insertions(+), 8 deletions(-)
 create mode 100644 secrets/hydra-postgres-key.age
 create mode 100644 services/hydra/postgres.crt
diff --git a/hosts/bagel-box/default.nix b/hosts/bagel-box/default.nix
index 07f4057..c7189f9 100644
--- a/hosts/bagel-box/default.nix
+++ b/hosts/bagel-box/default.nix
@@ -39,7 +39,6 @@
   postgres.enable = true;
   hydra.enable = true;
-  hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
   # Takes 10 builders (0 → 9).
   hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;
diff --git a/secrets.nix b/secrets.nix
index a76bb79..fb35cad 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -4,6 +4,7 @@ let
   commonKeys = keys.users.delroth ++ keys.users.raito;
   secrets = with keys; {
+    hydra-postgres-key = [ machines.bagel-box ];
     hydra-s3-credentials = [ machines.bagel-box ];
     hydra-signing-priv = [ machines.bagel-box ];
     hydra-ssh-key-priv = [ machines.bagel-box ];
diff --git a/secrets/hydra-postgres-key.age b/secrets/hydra-postgres-key.age
new file mode 100644
index 0000000..c8c98ab
--- /dev/null
+++ b/secrets/hydra-postgres-key.age
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 +HUDfA PrYITxe8VIsLOsP3oP7jMtammV3emIQBvI4fid5CoxE +rBD0meQCiOc/WBHtfWws24Byequp9vAZqzKQLXE6HsQ +-> ssh-ed25519 K3b7BA LK7uLle6TYr2MAmOkGflQDAkO1vcbk+Fr61QbOEAvRU +Nb8JX7v/kCIF64ItKYiACHefHRrJM583X8jRcF2jdjI +-> ssh-ed25519 +qVung DiA/3kVlwDqmU++K13kV5lWhWofJHQyuPoc7UTBGTEI +k9zuwi7WvZxxuX4SWMp/41xK4EcepJvk3iPCNplCSzY +-> ssh-rsa krWCLQ +WMNLx1M3XAQ4yVyudEU4GQg6nBUPvDbv+U8Br+D46KeI/FcYZPsdseieT/QVrNRB +fkPnrNNgCWDcNaT6bgri8kGGzG3ytRJrUFPTCDlobKWKNZMGWSfEQB8xKb7GBwa1 +LwE237DiuSHiYcxNzwfza0ygi7RnIhGq42IPJkiNUtZvYyzs+d/eJ5KU4Z9/us1k +kqi2Wku69y4QBsZRgZQaH1gkCaQbVfjhq10eTnxuWXLyvtX3E+1YRWSmLKKSNU1/ +wEMPuEEXyf9MYFa+oNDtDO0VgqAebepTjIOedEyyX+QVhPt3/VoLPPfTdFtPkAtd +MeVQcLmlpRzgn+KENtS/Rg +-> ssh-ed25519 /vwQcQ vI3LkaJKygKzAeacTOxQV12kqpBphZxd5t0Iz5tTb1U ++TR67BdaqzmUL0P23KvYR/zqbszup6yBw2WO13nwx80 +-> ssh-ed25519 0R97PA Hq35zNwe2YXd7BQL9rt8u9wPo8eCPUmPfgMjaE2OpjE +b5X5G182EJ6sGCZlAa96GY2sRSF8YH3WGJjFekIqpFA +--- 9kwuc/FdoWYejJjN2OqUL+BUll4yaChv8s2zv0Kclcw +mf,M5`wV\T[^'b5W z?_1)b'YsQr]\nWE`y,7:H[ZM)@EĐL=D.&mKEQfÊ'V ̊plq \ No newline at end of file diff --git a/services/hydra/default.nix b/services/hydra/default.nix index 608fb2c..1510def 100644 --- a/services/hydra/default.nix +++ b/services/hydra/default.nix @@ -9,7 +9,11 @@ let mkCacheSettings = settings: builtins.concatStringsSep "&" ( lib.mapAttrsToList (k: v: "${k}=${v}") settings - ); + ); + + mkPgConnString = options: builtins.concatStringsSep ";" ( + lib.mapAttrsToList (k: v: "${k}=${v}") options + ); # XXX: to support Nix's dumb public host key syntax (base64'd), this outputs # a string with shell-style command interpolations: $(...). 
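Review bot: mkPgConnString inserts attribute values verbatim with no escaping, so a value containing `;` or `=` would corrupt the DBI:Pg DSN, and nothing documents that constraint; the only caller in this patch passes fixed words and store paths, so it is safe today, but the helper reads as general-purpose. A one-line comment above it would make the contract explicit, e.g. `# Builds the DBI:Pg DSN tail from an attrset; values are not escaped, so they must not contain ';' or '='.` The `-  );`/`+  );` pair at the top of the hunk appears to be a whitespace-only change.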
@@ -50,11 +54,6 @@ in {
   options.bagel.services.hydra = with lib; {
     enable = mkEnableOption "Hydra coordinator";
-    dbi = mkOption {
-      type = types.str;
-      description = "DBI connection string for the Hydra postgres database";
-    };
-
     builders = mkOption {
       type = types.listOf types.str;
       description = "List of builders to configure for Hydra";
@@ -69,6 +68,10 @@ in {
     age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
+    age.secrets.hydra-postgres-key.group = "hydra";
+    age.secrets.hydra-postgres-key.mode = "0440";
+    age.secrets.hydra-postgres-key.file = ../../secrets/hydra-postgres-key.age;
+
     age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
     age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
@@ -99,7 +102,16 @@ in {
       listenHost = "localhost";
       port = port;
-      dbi = cfg.dbi;
+
+      dbi = "dbi:Pg:${mkPgConnString {
+        host = "postgres.forkos.org";
+        dbname = "hydra";
+        user = "hydra";
+        sslmode = "verify-full";
+        sslcert = "${./postgres.crt}";
+        sslkey = config.age.secrets.hydra-postgres-key.path;
+        sslrootcert = "${../postgres/ca.crt}";
+      }}";
       hydraURL = "https://hydra.forkos.org";
       useSubstitutes = false;
diff --git a/services/hydra/postgres.crt b/services/hydra/postgres.crt
new file mode 100644
index 0000000..10b0b0e
--- /dev/null
+++ b/services/hydra/postgres.crt
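Review bot: The client key is made readable by the whole `hydra` group at `0440` without a comment saying why, whereas the neighbouring `hydra-signing-priv` is scoped to a single owner; since this key authenticates as the database role `hydra`, every process in that group can log in as that role. If the intent is that hydra-server, hydra-queue-runner and hydra-evaluator all need it (they presumably share the group), say so, and also record that leaving the agenix default owner (root, if unchanged) is load-bearing: libpq refuses a group-readable private key unless the file is root-owned, so `owner = "hydra"` with this mode would fail at connect time. Suggested comment above the three lines: `# Root-owned and group-readable: libpq only accepts a group-readable client key when it is owned by root (0640 or less); all Hydra daemons in group "hydra" need it.`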
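Review bot: The new `dbi` string pins the server with `sslmode=verify-full` but depends on two things this patch does not show: `../postgres/ca.crt` must already exist in the repo (only `postgres.crt` is added here), and the server's `pg_hba.conf` must actually require and verify the client certificate (`cert` auth or `clientcert=verify-full`) with CN `hydra` mapped to the `hydra` role, otherwise the key is sent but never checked and the commit's "mTLS" claim only holds half-way. A short comment above `dbi` would record that coupling, e.g. `# mTLS to postgres.forkos.org: verify-full checks the server name against ca.crt; the client cert (CN=hydra) is only enforced if pg_hba requires it.` Putting `sslcert` in the Nix store is fine since the certificate is public, and `sslkey` correctly stays out of the store via agenix.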
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtDCCAVugAwIBAgIQTU55o4gtG8EFZArwsuj4NjAKBggqhkjOPQQDAjAiMSAw
+HgYDVQQDExdGb3JrT1MgUG9zdGdyZXMgUm9vdCBDQTAeFw0yNDA4MTYwNTU0MTda
+Fw0zNDA4MTYxNzU0MTdaMBAxDjAMBgNVBAMTBWh5ZHJhMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEnTgiFZOXBrcPlWDxJPXUFgxIi7/T7LmwLtpGPK/G6R8KA9cS
+4UXF5Ifz2dCgozTlhqLROKb81yhNsSy1tOcFyKOBhDCBgTAOBgNVHQ8BAf8EBAMC
+B4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQGh6HM
+jl41qw/F0vpBdmOWQ2IfGzAfBgNVHSMEGDAWgBQy4WX/hUExQ/i1h7MvF6Ow2irN
+izAQBgNVHREECTAHggVoeWRyYTAKBggqhkjOPQQDAgNHADBEAiAEypqfyMOGbEJv
+dKI1tyj890uq5Osr5+9wxGBvJDMJNwIgefyOdFcvJTzbfHgLmORpBOVtnpbkwj5y
+rMnjT8gYjEA=
+-----END CERTIFICATE-----
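Review bot: The committed client certificate carries an extendedKeyUsage of both serverAuth and clientAuth and a ten-year validity (notBefore 2024-08-16, notAfter 2034-08-16), which is more capability and lifetime than a Postgres client credential needs. Decoding the DER also shows subject CN=hydra, SAN dNSName `hydra`, an EC P-256 key with keyUsage digitalSignature only, and issuance directly by `ForkOS Postgres Root CA` with no intermediate. Dropping serverAuth would stop this key pair from doubling as a TLS server certificate for a host named `hydra` to anything trusting that CA, and a shorter lifetime with a rotation note would bound the exposure if the group-readable key leaks. A one-line note in the commit message or next to the `sslcert` reference stating how the certificate was issued and when it is due for renewal would make that tractable later.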