From 2fe8d724d7cbc86c68c62ed6233e7b982566ad4d Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 10 Dec 2021 21:23:05 +0300
Subject: refactor(ops): Move Nix cache secret to agenix

... and also the public key, just to keep the distribution mechanism the same.

Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
---
 ops/machines/whitby/default.nix | 11 +++++++++--
 ops/modules/www/cache.tvl.su.nix | 2 +-
 ops/secrets/nix-cache-priv.age | 11 +++++++++++
 ops/secrets/nix-cache-pub.age | 12 ++++++++++++
 ops/secrets/secrets.nix | 2 ++
 5 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 ops/secrets/nix-cache-priv.age
 create mode 100644 ops/secrets/nix-cache-pub.age

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 572417fea6..129a1a7667 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -173,7 +173,7 @@ in {
  nrBuildUsers = 256;
  maxJobs = lib.mkDefault 64;
  extraOptions = ''
- secret-key-files = /etc/secrets/nix-cache-privkey
+ secret-key-files = /run/agenix/nix-cache-priv
  '';
 
  trustedUsers = [
@@ -212,6 +212,7 @@ in {
  grafana.file = secretFile "grafana";
  irccat.file = secretFile "irccat";
  owothia.file = secretFile "owothia";
+ nix-cache-priv.file = secretFile "nix-cache-priv";
 
  buildkite-agent-token = {
  file = secretFile "buildkite-agent-token";
@@ -240,6 +241,12 @@ in {
  file = secretFile "clbot-ssh";
  owner = "clbot";
  };
+
+ # Not actually a secret
+ nix-cache-pub = {
+ file = secretFile "nix-cache-pub";
+ mode = "0444";
+ };
  };
 
  # Automatically collect garbage from the Nix store.
@@ -419,7 +426,7 @@ in {
  services.nix-serve = {
  enable = true;
  port = 6443;
- secretKeyFile = "/etc/secrets/nix-cache-key.sec";
+ secretKeyFile = "/run/agenix/nix-cache-priv";
  bindAddress = "localhost";
  };
 
diff --git a/ops/modules/www/cache.tvl.su.nix b/ops/modules/www/cache.tvl.su.nix
index 182306bebf..633178b5cc 100644
--- a/ops/modules/www/cache.tvl.su.nix
+++ b/ops/modules/www/cache.tvl.su.nix
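Review bot: The `nix-cache-priv` entry added in the @@ -212 hunk declares only `file`, so the decrypted key gets agenix's default owner and mode (root-only, if this deployment uses the upstream defaults), while the @@ -419 hunk points `services.nix-serve.secretKeyFile` at that same `/run/agenix/nix-cache-priv`; unless nix-serve runs as root on this host (the upstream NixOS module runs it under its own service user), it will be unable to open the key and signing of served paths will fail. Consider giving the secret an explicit `owner`/`group` (or a group plus `mode = "0440"`) the way `clbot-ssh` above sets `owner`, and verify by fetching a narinfo from the cache after deployment. Separately, the two removed paths differ (`/etc/secrets/nix-cache-privkey` in `nix.extraOptions`, `/etc/secrets/nix-cache-key.sec` in nix-serve) but now collapse into a single file, so it is worth confirming both previously held the same key, because the key published at `/cache-key.pub` must match whatever clients already have in `trusted-public-keys`. The old files under `/etc/secrets` are presumably still on disk after this change and can be removed once the agenix path is confirmed working.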
@@ -14,7 +14,7 @@ extraConfig = '' location = /cache-key.pub { - alias /etc/secrets/nix-cache-key.pub; + alias /run/agenix/nix-cache-pub; } location / { diff --git a/ops/secrets/nix-cache-priv.age b/ops/secrets/nix-cache-priv.age new file mode 100644 index 0000000000..3be14bcf0c --- /dev/null +++ b/ops/secrets/nix-cache-priv.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw GSjmDlPaOHw2uNxaGgQ/Jvt1xyL6pqnAGOhW/PXq0g0 +Lw27V3JPG6iBGiHpnHEm1B07skTYkYZHkCtDbRVXj/4 +-> ssh-ed25519 CpJBgQ Y52Trw6EsiR5xfVMB7bh8vLPnNlNj9RKu2WYVKOd9SQ +51egTYyWQj+HUVytA1Te0kcJCeKQn3GkW0ZODGPylOI +-> ssh-ed25519 OkGqLg rU7V7ekAJ/7IxnbP5mbXT9fCH3zYlzDajkbzStACfmM +l0CIZ2kIod05a2mWeFTM5BAcfXp3VNqsfLzjknXv6d0 +-> C#9J-grease 6 +uBB/nrNzeiZBynmHdla48aU6JC45+8T2WLQ +--- MG+HoZ+OIMOSBp0IZqamiW4ShQZF9o8XDRIRUBYXY3E + WG ,Pj'f ?v3Y1C-+_e1JA6]4aB+Ͼϼ9ɪXs2pZ!tM)j\ ssh-ed25519 dcsaLw TL5QToF0mDivu98x9gXaSl69LUZL5iKBRqabHAdVWzM +UajZlNzYwlyol2mgUFMieb2u/9B+0guhU/lAadDdwZI +-> ssh-ed25519 CpJBgQ 7S+W2LgW2ZqUVb3c7Yk0LevWX3sWMm57yLC5Xqoxowo +jjN6v+kZ22Y1QZF92JXkonPTa/AwlVGK5Tfx6t6O02k +-> ssh-ed25519 OkGqLg hr9WfRaMD8ItNpy5MUse6h1XWvsfTVGlKhy9EfJenjE +hKcAGPH2F+tjirBZLn2UfoOkFzBj0jAz11MuBmR+Ruc +-> _IV%wdMT-grease sj}ltN 2j: , ` +32ynfXOvS7JtSNvxhEDJq9UntSBcmh7VLIBSGmzNlv9QrcjtLluFy0ig2jYuYVUh +bT1LncUASkgCxW6GPqd21oYOn4ygDvZqTgi+FB6O +--- fUjoaFfrtbi4tV6zqH3t9wlY+8TDwcLbV6WWlzQqnJY +sI;!tUtUKiQ a]|ɎN@ydՌu%zfJ0F!ȽXjs5F!Ó \ No newline at end of file diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 9dae76d15b..dc68e22380 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -20,5 +20,7 @@ in { "gerrit-queue.age" = default; "grafana.age" = default; "irccat.age" = default; + "nix-cache-priv.age" = default; + "nix-cache-pub.age" = default; "owothia.age" = default; } -- cgit 1.4.1
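Review bot: `"nix-cache-priv.age" = default;` in the secrets.nix hunk gives the cache signing key the same recipient set as every other secret; `default` is defined above the hunk so I cannot see it, but if it covers more than the host that actually uses the key, a narrower recipient list for this one entry would limit who can produce valid signatures for the cache. A signing key differs from the other secrets in that a compromise cannot be contained by rotation alone, since every client's `trusted-public-keys` has to change as well, so keeping its recipients minimal is worth the extra line. The public key in `nix-cache-pub.age` can reasonably keep `default`, as the commit message notes it is not a secret.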