hydra: switch to using mTLS instead of local peer auth

This commit is contained in:
Pierre Bourdon 2024-08-16 08:19:18 +02:00
parent 0dd333c573
commit c33326f836
Signed by: delroth
GPG key ID: 6FB80DCD84DA0F1C
5 changed files with 52 additions and 8 deletions


@ -39,7 +39,6 @@
postgres.enable = true;
hydra.enable = true;
hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
# Takes 10 builders (0 → 9).
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;


@ -4,6 +4,7 @@ let
commonKeys = keys.users.delroth ++ keys.users.raito;
secrets = with keys; {
hydra-postgres-key = [ machines.bagel-box ];
hydra-s3-credentials = [ machines.bagel-box ];
hydra-signing-priv = [ machines.bagel-box ];
hydra-ssh-key-priv = [ machines.bagel-box ];


@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 +HUDfA PrYITxe8VIsLOsP3oP7jMtammV3emIQBvI4fid5CoxE
rBD0meQCiOc/WBHtfWws24Byequp9vAZqzKQLXE6HsQ
-> ssh-ed25519 K3b7BA LK7uLle6TYr2MAmOkGflQDAkO1vcbk+Fr61QbOEAvRU
Nb8JX7v/kCIF64ItKYiACHefHRrJM583X8jRcF2jdjI
-> ssh-ed25519 +qVung DiA/3kVlwDqmU++K13kV5lWhWofJHQyuPoc7UTBGTEI
k9zuwi7WvZxxuX4SWMp/41xK4EcepJvk3iPCNplCSzY
-> ssh-rsa krWCLQ
WMNLx1M3XAQ4yVyudEU4GQg6nBUPvDbv+U8Br+D46KeI/FcYZPsdseieT/QVrNRB
fkPnrNNgCWDcNaT6bgri8kGGzG3ytRJrUFPTCDlobKWKNZMGWSfEQB8xKb7GBwa1
LwE237DiuSHiYcxNzwfza0ygi7RnIhGq42IPJkiNUtZvYyzs+d/eJ5KU4Z9/us1k
kqi2Wku69y4QBsZRgZQaH1gkCaQbVfjhq10eTnxuWXLyvtX3E+1YRWSmLKKSNU1/
wEMPuEEXyf9MYFa+oNDtDO0VgqAebepTjIOedEyyX+QVhPt3/VoLPPfTdFtPkAtd
MeVQcLmlpRzgn+KENtS/Rg
-> ssh-ed25519 /vwQcQ vI3LkaJKygKzAeacTOxQV12kqpBphZxd5t0Iz5tTb1U
+TR67BdaqzmUL0P23KvYR/zqbszup6yBw2WO13nwx80
-> ssh-ed25519 0R97PA Hq35zNwe2YXd7BQL9rt8u9wPo8eCPUmPfgMjaE2OpjE
b5X5G182EJ6sGCZlAa96GY2sRSF8YH3WGJjFekIqpFA
--- 9kwuc/FdoWYejJjN2OqUL+BUll4yaChv8s2zv0Kclcw
µòm¤fŒ,ýM¥ÌóÕ5`…•ÊwVÄ\Šž¶TÓ[ŸÿÕ^'b5ÙWþà€ z?ñ<>å_1ú)<29>®b²î'Ys¥äÙëQr<51>ƒ]\nWE³`y³™¦î,Øý7:ÖêHŠ[ÉZM—µá—<A Ò¿ÞKbÄTâLúÜ¢^üehÜØ,u#­ñÏ´úšÍõ ¡Mxȼá~@ªo|—ÍJÖ[dx]3¡/ièSÔ!¼ÆZD™½GoÿBXXZÃq—(!ÞÁ0!˜šûWï2ÉÀf<œÙOØ*ˆãÄ;>)Ï@˜E¯Ä<C2AF>õL=DÛÄ·.ë&½ÜmKEQÎfÊ'V ›ÌŠ‰p«lqƒ™


@ -11,6 +11,10 @@ let
lib.mapAttrsToList (k: v: "${k}=${v}") settings
);
mkPgConnString = options: builtins.concatStringsSep ";" (
lib.mapAttrsToList (k: v: "${k}=${v}") options
);
# XXX: to support Nix's dumb public host key syntax (base64'd), this outputs
# a string with shell-style command interpolations: $(...).
mkBaremetalBuilder = {
@ -50,11 +54,6 @@ in {
options.bagel.services.hydra = with lib; {
enable = mkEnableOption "Hydra coordinator";
dbi = mkOption {
type = types.str;
description = "DBI connection string for the Hydra postgres database";
};
builders = mkOption {
type = types.listOf types.str;
description = "List of builders to configure for Hydra";
@ -69,6 +68,10 @@ in {
age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
age.secrets.hydra-postgres-key.group = "hydra";
age.secrets.hydra-postgres-key.mode = "0440";
age.secrets.hydra-postgres-key.file = ../../secrets/hydra-postgres-key.age;
age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
@ -99,7 +102,16 @@ in {
listenHost = "localhost";
port = port;
dbi = cfg.dbi;
dbi = "dbi:Pg:${mkPgConnString {
host = "postgres.forkos.org";
dbname = "hydra";
user = "hydra";
sslmode = "verify-full";
sslcert = "${./postgres.crt}";
sslkey = config.age.secrets.hydra-postgres-key.path;
sslrootcert = "${../postgres/ca.crt}";
}}";
hydraURL = "https://hydra.forkos.org";
useSubstitutes = false;
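Review bot: The `sslkey` line in the new `dbi` string points at an agenix secret that this same commit installs as `0440` with group `hydra`, and the connection will only come up if that layout satisfies libpq's key-permission rule (if I recall it correctly, a non-owner key is accepted only when it is root-owned and no looser than 0640) and if every Hydra daemon user is in group `hydra`; neither assumption is recorded next to the connection string. A comment such as `# libpq refuses group-readable keys unless root-owned and <= 0640; the agenix secret is root:hydra 0440 so every Hydra daemon can read it` would keep a later owner or mode change from silently breaking the mTLS handshake. `sslmode = "verify-full"` is the right choice here, since it verifies both the CA chain and the server hostname rather than only encrypting the connection. Note also that `mkPgConnString` in the first hunk does no quoting, so a value containing `;` or whitespace would corrupt the DBI string — harmless for the literal values used here, but worth a one-line comment on the helper. The `services.hydra` attribute set this hunk edits starts and ends outside the hunk.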


@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----