hydra: switch to using mTLS instead of local peer auth
This commit is contained in:
parent
0dd333c573
commit
c33326f836
@ -39,7 +39,6 @@
postgres.enable = true;
postgres.enable = true;
hydra.enable = true;
hydra.enable = true;
hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
# Takes 10 builders (0 → 9).
# Takes 10 builders (0 → 9).
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;
@ -4,6 +4,7 @@ let
commonKeys = keys.users.delroth ++ keys.users.raito;
commonKeys = keys.users.delroth ++ keys.users.raito;
secrets = with keys; {
secrets = with keys; {
hydra-postgres-key = [ machines.bagel-box ];
hydra-s3-credentials = [ machines.bagel-box ];
hydra-s3-credentials = [ machines.bagel-box ];
hydra-signing-priv = [ machines.bagel-box ];
hydra-signing-priv = [ machines.bagel-box ];
hydra-ssh-key-priv = [ machines.bagel-box ];
hydra-ssh-key-priv = [ machines.bagel-box ];
20
secrets/hydra-postgres-key.age
Normal file
20
secrets/hydra-postgres-key.age
Normal file
@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 +HUDfA PrYITxe8VIsLOsP3oP7jMtammV3emIQBvI4fid5CoxE
rBD0meQCiOc/WBHtfWws24Byequp9vAZqzKQLXE6HsQ
-> ssh-ed25519 K3b7BA LK7uLle6TYr2MAmOkGflQDAkO1vcbk+Fr61QbOEAvRU
Nb8JX7v/kCIF64ItKYiACHefHRrJM583X8jRcF2jdjI
-> ssh-ed25519 +qVung DiA/3kVlwDqmU++K13kV5lWhWofJHQyuPoc7UTBGTEI
k9zuwi7WvZxxuX4SWMp/41xK4EcepJvk3iPCNplCSzY
-> ssh-rsa krWCLQ
WMNLx1M3XAQ4yVyudEU4GQg6nBUPvDbv+U8Br+D46KeI/FcYZPsdseieT/QVrNRB
fkPnrNNgCWDcNaT6bgri8kGGzG3ytRJrUFPTCDlobKWKNZMGWSfEQB8xKb7GBwa1
LwE237DiuSHiYcxNzwfza0ygi7RnIhGq42IPJkiNUtZvYyzs+d/eJ5KU4Z9/us1k
kqi2Wku69y4QBsZRgZQaH1gkCaQbVfjhq10eTnxuWXLyvtX3E+1YRWSmLKKSNU1/
wEMPuEEXyf9MYFa+oNDtDO0VgqAebepTjIOedEyyX+QVhPt3/VoLPPfTdFtPkAtd
MeVQcLmlpRzgn+KENtS/Rg
-> ssh-ed25519 /vwQcQ vI3LkaJKygKzAeacTOxQV12kqpBphZxd5t0Iz5tTb1U
+TR67BdaqzmUL0P23KvYR/zqbszup6yBw2WO13nwx80
-> ssh-ed25519 0R97PA Hq35zNwe2YXd7BQL9rt8u9wPo8eCPUmPfgMjaE2OpjE
b5X5G182EJ6sGCZlAa96GY2sRSF8YH3WGJjFekIqpFA
--- 9kwuc/FdoWYejJjN2OqUL+BUll4yaChv8s2zv0Kclcw
µòm¤fŒ‚,ýM¥ÌóÕ5`…•ÊwVÄ\Šž¶TÓ[ŸÿÕ^'b5ÙWþà€ z?ñ<>å_1ú)<29>®b²î'Ys¥äÙëQr<51>ƒ]\nWE³`y³™¦î,Øý7:ÖêHŠ[ÉZM—µá—<A Ò¿ÞKbÄTâLúÜ¢^üehÜØ,u#ñÏ´úšÍõ
¡Mxȼá~@ªo|—ÍJÖ[dx]3¡/ièSÔ!¼ÆZ‘D™½GoÿBXXZÃq—(!ÞÁ0!˜šûWï2É‚Àf<œÙOØ*ˆãÄ;>)Ï@˜–E¯Ä<C2AF>õL=DÛÄ·.ë&½ÜmKEQÎfÊ'V ›ÌŠ‰p«lqƒ™
@ -11,6 +11,10 @@ let
lib.mapAttrsToList (k: v: "${k}=${v}") settings
lib.mapAttrsToList (k: v: "${k}=${v}") settings
);
);
mkPgConnString = options: builtins.concatStringsSep ";" (
lib.mapAttrsToList (k: v: "${k}=${v}") options
);
# XXX: to support Nix's dumb public host key syntax (base64'd), this outputs
# XXX: to support Nix's dumb public host key syntax (base64'd), this outputs
# a string with shell-style command interpolations: $(...).
# a string with shell-style command interpolations: $(...).
mkBaremetalBuilder = {
mkBaremetalBuilder = {
@ -50,11 +54,6 @@ in {
options.bagel.services.hydra = with lib; {
options.bagel.services.hydra = with lib; {
enable = mkEnableOption "Hydra coordinator";
enable = mkEnableOption "Hydra coordinator";
dbi = mkOption {
type = types.str;
description = "DBI connection string for the Hydra postgres database";
};
builders = mkOption {
builders = mkOption {
type = types.listOf types.str;
type = types.listOf types.str;
description = "List of builders to configure for Hydra";
description = "List of builders to configure for Hydra";
@ -69,6 +68,10 @@ in {
age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
age.secrets.hydra-postgres-key.group = "hydra";
age.secrets.hydra-postgres-key.mode = "0440";
age.secrets.hydra-postgres-key.file = ../../secrets/hydra-postgres-key.age;
age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
@ -99,7 +102,16 @@ in {
listenHost = "localhost";
listenHost = "localhost";
port = port;
port = port;
dbi = cfg.dbi;
dbi = "dbi:Pg:${mkPgConnString {
host = "postgres.forkos.org";
dbname = "hydra";
user = "hydra";
sslmode = "verify-full";
sslcert = "${./postgres.crt}";
sslkey = config.age.secrets.hydra-postgres-key.path;
sslrootcert = "${../postgres/ca.crt}";
}}";
hydraURL = "https://hydra.forkos.org";
hydraURL = "https://hydra.forkos.org";
useSubstitutes = false;
useSubstitutes = false;
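Review bot: The client key referenced at `sslkey = config.age.secrets.hydra-postgres-key.path` is published with `mode = "0440"` and `group = "hydra"` but no `owner`, so it presumably stays root-owned (the agenix default), and that is the only reason libpq accepts it: libpq rejects a group-readable private key unless the file is owned by root, otherwise it insists on 0600, so copying the `owner = ...` pattern used for `hydra-signing-priv` just above would make every Hydra daemon fail to connect with a permissions error. Record that constraint next to the mode line, e.g. `# Root-owned + 0440 on purpose: libpq only tolerates a group-readable key when root owns it; the hydra daemons share it via the hydra group.` Note also that every Hydra process then presents the same client identity (CN=hydra) to Postgres, so a compromise of the web frontend carries the same database privileges as the queue runner, which is acceptable today but worth a sentence so nobody assumes per-daemon separation. `mkPgConnString` emits `key=value` pairs unquoted, which is fine for these store paths but will silently produce a broken DSN for a value containing `;` or whitespace, so a one-line comment on the helper stating that limitation would help. The enclosing module body starts and ends outside the hunks.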
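--- /dev/null
+++ b/services/hydra/postgres.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtDCCAVugAwIBAgIQTU55o4gtG8EFZArwsuj4NjAKBggqhkjOPQQDAjAiMSAw
+HgYDVQQDExdGb3JrT1MgUG9zdGdyZXMgUm9vdCBDQTAeFw0yNDA4MTYwNTU0MTda
+Fw0zNDA4MTYxNzU0MTdaMBAxDjAMBgNVBAMTBWh5ZHJhMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEnTgiFZOXBrcPlWDxJPXUFgxIi7/T7LmwLtpGPK/G6R8KA9cS
+4UXF5Ifz2dCgozTlhqLROKb81yhNsSy1tOcFyKOBhDCBgTAOBgNVHQ8BAf8EBAMC
+B4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQGh6HM
+jl41qw/F0vpBdmOWQ2IfGzAfBgNVHSMEGDAWgBQy4WX/hUExQ/i1h7MvF6Ow2irN
+izAQBgNVHREECTAHggVoeWRyYTAKBggqhkjOPQQDAgNHADBEAiAEypqfyMOGbEJv
+dKI1tyj890uq5Osr5+9wxGBvJDMJNwIgefyOdFcvJTzbfHgLmORpBOVtnpbkwj5y
+rMnjT8gYjEA=
+-----END CERTIFICATE-----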