From f74d1ca0f66d9231e558053d499b382ad7ad33b6 Mon Sep 17 00:00:00 2001
From: Pierre Bourdon
Date: Wed, 10 Jul 2024 17:34:57 +0200
Subject: [PATCH] hydra: start signing paths
---
 secrets.nix | 1 +
 secrets/hydra-signing-priv.age | Bin 0 -> 1124 bytes
 services/hydra/default.nix | 5 ++++-
 3 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 secrets/hydra-signing-priv.age
diff --git a/secrets.nix b/secrets.nix
index 7bfd8a7..24c992a 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,6 +5,7 @@ let
 secrets = with keys; {
 hydra-s3-credentials = [ machines.bagel-box ];
+ hydra-signing-priv = [ machines.bagel-box ];
 hydra-ssh-key-priv = [ machines.bagel-box ];
 netbox-environment = [ machines.meta01 ];
 mimir-environment = [ machines.meta01 ];
diff --git a/secrets/hydra-signing-priv.age b/secrets/hydra-signing-priv.age
new file mode 100644
index 0000000000000000000000000000000000000000..23cd618cf5e693566f066bff527ff9229ca504b2
GIT binary patch literal 1124 zcmZ9~&FkBA00wX`!VKy~1W&VvA!7acZId)dd!9WTi@x@MT>})yB51-73adwcV(5s4)%JVq;NSESM?BY{hk%8(d(KF{f2w zt=KRf*=3O@<@lu5-5F&PbZCb&s36G216mKUVC$^h!GdIR8ZIluG%HE+vMiNx5I97~emGTJQXS z(S665>j#vZ!$Iz1Lp`x;K4sjIOxRn*S;#wKk*BUm+SnSdW}0pep}Z@j4o3I3IIQyx z?eANV$+G14c574hOm7lSy8e)-GS{Vr@qs+pIp0n*ln`eAW-;L)BQ?8>LuCt@>WN#H ztpt!{pp9fzc1wOE5}@ZrD+YLsx@#4;G>H)okWF3i{as7g3AFZ>QtHduDv6!pu`e!* zff#P_319==nNka?so-jlG)glm8M&eR8tFE?QU+m812cvesm-LV-roS(#J6_hgDAq% z0B$(~sENF1v)I*_g*&e2=<%Aclrdzc#Y=&nF-?#p(C+vHq#dJy7M6`M>?xcYdBOd) z@BbE5wc;urR%vV=Z_~gC$}qGu^`O)U;mww`uZUZ0=i<4b_l!1c6sW9ir(h3r*oy&7 zRw=d;NAMV(6?@P0(>4%=)SkKFvYc5bwVpb{XGF(wrO@2KZnsMjJ333#h*9;BtW-+n zX?C|QOii0Gz8M(`Bv)>!*}hrtr_p2$yTYM~{BcFIdomp%pv6-Ko8k!Oo5$UbjykF@ z0jn5Ns6oQBG8=?&AgzbQ*c+ojCnCgB1W6e7=V~;D{yG1$b@`KD@X!BjpS<+aneM;e ze)iEFA^WMk^2p6=?>&3>$9umj(3dXw{f!5%e)DSgySJ}ifX+UD>a|zSo_p-w+uY^f zZr`|g>(=>e|NX#R1oz%QRo(sTg|9uLbLY)jdgf;R;2+no8>hejp!@pY=brlcnLc#m g!V@2!zQSDj;%VsNyKjBUKlJfem#lXl)gO2M2ZV5hBLDyZ literal 0 HcmV?d00001
diff --git a/services/hydra/default.nix b/services/hydra/default.nix
index 6c9a37d..29e5508 100644
--- a/services/hydra/default.nix
+++ b/services/hydra/default.nix
@@ -48,6 +48,9 @@ in {
 age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
+ age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
+ age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
+ age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
 age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
@@ -90,7 +93,7 @@ in {
 endpoint = "s3.delroth.net";
 region = "garage";
- #secret-key = "TODO";
+ secret-key = config.age.secrets.hydra-signing-priv.path;
 compression = "zstd";
 log-compression = "br";
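Review bot: The `age.secrets.hydra-signing-priv` entry sets `owner` and `file` but leaves the file mode and group to agenix's defaults, so a reader has to know those defaults to be sure the decrypted signing key is not group- or world-readable. Anyone who can read that file can produce signatures that clients trusting this cache key will accept, so I would spell it out with `age.secrets.hydra-signing-priv.mode = "0400";` and a comment such as `# Binary-cache signing key: readable only by the queue runner.` The surrounding attribute set begins and ends outside the hunk, so an override elsewhere cannot be ruled out from here.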
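Review bot: `secret-key = config.age.secrets.hydra-signing-priv.path;` has no comment saying that the value is a file path rather than key material, and nothing in the patch records which public key pairs with `hydra-signing-priv`. Passing the path keeps the private key out of the world-readable Nix store, which is worth stating so that nobody later inlines the key; a comment like `# Path to the agenix-decrypted signing key; the matching public key is <PUBLIC_KEY_PLACEHOLDER>` would cover both. Paths uploaded before this change presumably stay unsigned, so clients that require signatures may need them re-signed; that is an inference, since the attribute set and its consumer lie outside the hunk.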