hydra: switch to using mTLS instead of local peer auth

hosts/bagel-box/default.nix

@@ -39,7 +39,6 @@
     postgres.enable = true;
 
     hydra.enable = true;
-    hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
     # Takes 10 builders (0 → 9).
     hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;
 

secrets.nix

@@ -4,6 +4,7 @@ let
   commonKeys = keys.users.delroth ++ keys.users.raito;
 
   secrets = with keys; {
+    hydra-postgres-key = [ machines.bagel-box ];
     hydra-s3-credentials = [ machines.bagel-box ];
     hydra-signing-priv = [ machines.bagel-box ];
     hydra-ssh-key-priv = [ machines.bagel-box ];

secrets/hydra-postgres-key.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 +HUDfA PrYITxe8VIsLOsP3oP7jMtammV3emIQBvI4fid5CoxE
+rBD0meQCiOc/WBHtfWws24Byequp9vAZqzKQLXE6HsQ
+-> ssh-ed25519 K3b7BA LK7uLle6TYr2MAmOkGflQDAkO1vcbk+Fr61QbOEAvRU
+Nb8JX7v/kCIF64ItKYiACHefHRrJM583X8jRcF2jdjI
+-> ssh-ed25519 +qVung DiA/3kVlwDqmU++K13kV5lWhWofJHQyuPoc7UTBGTEI
+k9zuwi7WvZxxuX4SWMp/41xK4EcepJvk3iPCNplCSzY
+-> ssh-rsa krWCLQ
+WMNLx1M3XAQ4yVyudEU4GQg6nBUPvDbv+U8Br+D46KeI/FcYZPsdseieT/QVrNRB
+fkPnrNNgCWDcNaT6bgri8kGGzG3ytRJrUFPTCDlobKWKNZMGWSfEQB8xKb7GBwa1
+LwE237DiuSHiYcxNzwfza0ygi7RnIhGq42IPJkiNUtZvYyzs+d/eJ5KU4Z9/us1k
+kqi2Wku69y4QBsZRgZQaH1gkCaQbVfjhq10eTnxuWXLyvtX3E+1YRWSmLKKSNU1/
+wEMPuEEXyf9MYFa+oNDtDO0VgqAebepTjIOedEyyX+QVhPt3/VoLPPfTdFtPkAtd
+MeVQcLmlpRzgn+KENtS/Rg
+-> ssh-ed25519 /vwQcQ vI3LkaJKygKzAeacTOxQV12kqpBphZxd5t0Iz5tTb1U
++TR67BdaqzmUL0P23KvYR/zqbszup6yBw2WO13nwx80
+-> ssh-ed25519 0R97PA Hq35zNwe2YXd7BQL9rt8u9wPo8eCPUmPfgMjaE2OpjE
+b5X5G182EJ6sGCZlAa96GY2sRSF8YH3WGJjFekIqpFA
+--- 9kwuc/FdoWYejJjN2OqUL+BUll4yaChv8s2zv0Kclcw
+µòm¤fŒ‚,ýM¥ÌóÕ5`…•ÊwVÄ\Šž¶TÓ[ŸÿÕ^'b5ÙWþà€	z?ñ<>å_1ú)<29>®b²î'Ys¥äÙëQr<51>ƒ]\nWE³`y³™¦î,Øý7:ÖêHŠ[ÉZM—µá—<A Ò¿ÞKbÄTâLúÜ¢^üehÜØ,u#­ñÏ´úšÍõ
¡Mxȼá~@ªo|—ÍJÖ[dx]3¡/ièSÔ!¼ÆZ‘D™½GoÿBXXZÃq—(!ÞÁ0!˜šûWï2É‚Àf<œÙOØ*ˆãÄ;>)Ï@˜–E¯Ä<C2AF>õL=DÛÄ·.ë&½ÜmKEQÎfÊ'V ›ÌŠ‰p«lqƒ™

services/hydra/default.nix

@@ -9,7 +9,11 @@ let
 
   mkCacheSettings = settings: builtins.concatStringsSep "&" (
     lib.mapAttrsToList (k: v: "${k}=${v}") settings
-    );
+  );
+
+  mkPgConnString = options: builtins.concatStringsSep ";" (
+    lib.mapAttrsToList (k: v: "${k}=${v}") options
+  );
 
   # XXX: to support Nix's dumb public host key syntax (base64'd), this outputs
   # a string with shell-style command interpolations: $(...).
@@ -50,11 +54,6 @@ in {
   options.bagel.services.hydra = with lib; {
     enable = mkEnableOption "Hydra coordinator";
 
-    dbi = mkOption {
-      type = types.str;
-      description = "DBI connection string for the Hydra postgres database";
-    };
-
     builders = mkOption {
       type = types.listOf types.str;
       description = "List of builders to configure for Hydra";
@@ -69,6 +68,10 @@ in {
 
     age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
 
+    age.secrets.hydra-postgres-key.group = "hydra";
+    age.secrets.hydra-postgres-key.mode = "0440";
+    age.secrets.hydra-postgres-key.file = ../../secrets/hydra-postgres-key.age;
+
     age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
     age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
 
@@ -99,7 +102,16 @@ in {
 
       listenHost = "localhost";
       port = port;
-      dbi = cfg.dbi;
+
+      dbi = "dbi:Pg:${mkPgConnString {
+        host = "postgres.forkos.org";
+        dbname = "hydra";
+        user = "hydra";
+        sslmode = "verify-full";
+        sslcert = "${./postgres.crt}";
+        sslkey = config.age.secrets.hydra-postgres-key.path;
+        sslrootcert = "${../postgres/ca.crt}";
+      }}";
 
       hydraURL = "https://hydra.forkos.org";
       useSubstitutes = false;

services/hydra/postgres.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtDCCAVugAwIBAgIQTU55o4gtG8EFZArwsuj4NjAKBggqhkjOPQQDAjAiMSAw
+HgYDVQQDExdGb3JrT1MgUG9zdGdyZXMgUm9vdCBDQTAeFw0yNDA4MTYwNTU0MTda
+Fw0zNDA4MTYxNzU0MTdaMBAxDjAMBgNVBAMTBWh5ZHJhMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEnTgiFZOXBrcPlWDxJPXUFgxIi7/T7LmwLtpGPK/G6R8KA9cS
+4UXF5Ifz2dCgozTlhqLROKb81yhNsSy1tOcFyKOBhDCBgTAOBgNVHQ8BAf8EBAMC
+B4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQGh6HM
+jl41qw/F0vpBdmOWQ2IfGzAfBgNVHSMEGDAWgBQy4WX/hUExQ/i1h7MvF6Ow2irN
+izAQBgNVHREECTAHggVoeWRyYTAKBggqhkjOPQQDAgNHADBEAiAEypqfyMOGbEJv
+dKI1tyj890uq5Osr5+9wxGBvJDMJNwIgefyOdFcvJTzbfHgLmORpBOVtnpbkwj5y
+rMnjT8gYjEA=
+-----END CERTIFICATE-----