author | Vincent Ambo <mail@tazj.in> | 2021-12-10T18·23+0300 |
---|---|---|
committer | tazjin <mail@tazj.in> | 2021-12-10T19·48+0000 |
commit | 2fe8d724d7cbc86c68c62ed6233e7b982566ad4d (patch) | |
tree | 9e2384047122267f4896002d4d8bfdbd206ed009 | |
parent | 82a885a750cfe3bdf282a19a37f91842f374b24c (diff) |
refactor(ops): Move Nix cache secret to agenix r/3199
... and also the public key, just to keep the distribution mechanism the same. Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
-rw-r--r-- | ops/machines/whitby/default.nix | 11 | ||||
-rw-r--r-- | ops/modules/www/cache.tvl.su.nix | 2 | ||||
-rw-r--r-- | ops/secrets/nix-cache-priv.age | 11 | ||||
-rw-r--r-- | ops/secrets/nix-cache-pub.age | 12 | ||||
-rw-r--r-- | ops/secrets/secrets.nix | 2 |
5 files changed, 35 insertions, 3 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 572417fea695..129a1a766772 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -173,7 +173,7 @@ in {
 nrBuildUsers = 256;
 maxJobs = lib.mkDefault 64;
 extraOptions = ''
- secret-key-files = /etc/secrets/nix-cache-privkey
+ secret-key-files = /run/agenix/nix-cache-priv
 '';
 trustedUsers = [
@@ -212,6 +212,7 @@ in {
 grafana.file = secretFile "grafana";
 irccat.file = secretFile "irccat";
 owothia.file = secretFile "owothia";
+ nix-cache-priv.file = secretFile "nix-cache-priv";
 buildkite-agent-token = {
 file = secretFile "buildkite-agent-token";
@@ -240,6 +241,12 @@ in {
 file = secretFile "clbot-ssh";
 owner = "clbot";
 };
+
+ # Not actually a secret
+ nix-cache-pub = {
+ file = secretFile "nix-cache-pub";
+ mode = "0444";
+ };
 };
 # Automatically collect garbage from the Nix store.
@@ -419,7 +426,7 @@ in {
 services.nix-serve = {
 enable = true;
 port = 6443;
- secretKeyFile = "/etc/secrets/nix-cache-key.sec";
+ secretKeyFile = "/run/agenix/nix-cache-priv";
 bindAddress = "localhost";
 };
diff --git a/ops/modules/www/cache.tvl.su.nix b/ops/modules/www/cache.tvl.su.nix
index 182306bebff1..633178b5ccec 100644
--- a/ops/modules/www/cache.tvl.su.nix
+++ b/ops/modules/www/cache.tvl.su.nix
@@ -14,7 +14,7 @@
 extraConfig = ''
 location = /cache-key.pub {
- alias /etc/secrets/nix-cache-key.pub;
+ alias /run/agenix/nix-cache-pub;
 }
 location / {
diff --git a/ops/secrets/nix-cache-priv.age b/ops/secrets/nix-cache-priv.age
new file mode 100644
index 000000000000..3be14bcf0ceb
--- /dev/null
+++ b/ops/secrets/nix-cache-priv.age
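Review bot: The new `secret-key-files = /run/agenix/nix-cache-priv` line hard-codes the agenix output path, and the same literal is repeated in the `services.nix-serve.secretKeyFile` hunk further down, so a renamed secret or a changed agenix mount point has to be fixed in two places. Inside this `''` string the path can be taken from the option that owns it, `secret-key-files = ${config.age.secrets.nix-cache-priv.path}`, and the nix-serve line can use the same expression; this presumes `config` is among the module's arguments, which is not visible in the hunk. The enclosing `nix` attribute set starts and ends outside the hunk.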
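Review bot: The added `nix-cache-priv.file = secretFile "nix-cache-priv";` sets only `file`, so the decrypted key gets agenix's defaults (owned by root, mode 0400, as far as I recall), and while that is fine for the nix-daemon reading `secret-key-files`, the same file is now also handed to `services.nix-serve` in a later hunk of this file. If nix-serve runs as its own unprivileged user, as the NixOS module does by default, it will no longer be able to open the key, whereas the old `/etc/secrets/nix-cache-key.sec` may have had looser permissions; confirm on the host. If that is the case, grant read access to that service's group instead of widening the mode, e.g. `nix-cache-priv = { file = secretFile "nix-cache-priv"; group = "nix-serve"; mode = "0440"; };`. The enclosing `age.secrets` attribute set starts outside the hunk.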
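Review bot: The comment `# Not actually a secret` on the new `nix-cache-pub` entry says what it is not but not why it lives in agenix or why `mode = "0444"` is needed; the commit message has the reason, and the nginx hunk in this change shows the consumer, so both belong next to the code. I would write `# Not actually a secret: the cache's public signing key. Kept in agenix so it is distributed together with the private key, and world-readable because nginx serves it as /cache-key.pub (see ops/modules/www/cache.tvl.su.nix).` The enclosing `age.secrets` attribute set starts outside the hunk.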
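Review bot: The new `alias /run/agenix/nix-cache-pub;` makes nginx read the key out of the agenix runtime directory, which means the nginx worker user must be able to traverse `/run/agenix` (a symlink into a generation directory managed by agenix, if I remember its layout correctly) as well as read the file; the file mode is set to 0444 in the whitby config, but the directory permissions are agenix's, so verify that `curl https://cache.tvl.su/cache-key.pub` still returns the key after deploy rather than a 403. Since this is the same path literal used on the whitby side, consider `alias ${config.age.secrets.nix-cache-pub.path};` if `config` is available to this module, so the two cannot drift apart. The enclosing `extraConfig` string starts outside the hunk.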
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw GSjmDlPaOHw2uNxaGgQ/Jvt1xyL6pqnAGOhW/PXq0g0 +Lw27V3JPG6iBGiHpnHEm1B07skTYkYZHkCtDbRVXj/4 +-> ssh-ed25519 CpJBgQ Y52Trw6EsiR5xfVMB7bh8vLPnNlNj9RKu2WYVKOd9SQ +51egTYyWQj+HUVytA1Te0kcJCeKQn3GkW0ZODGPylOI +-> ssh-ed25519 OkGqLg rU7V7ekAJ/7IxnbP5mbXT9fCH3zYlzDajkbzStACfmM +l0CIZ2kIod05a2mWeFTM5BAcfXp3VNqsfLzjknXv6d0 +-> C#9J-grease 6 +uBB/nrNzeiZBynmHdla48aU6JC45+8T2WLQ +--- MG+HoZ+OIMOSBp0IZqamiW4ShQZF9o8XDRIRUBYXY3E + WG,Pj'f?v3Y1C-+_e1JA6]4aB+Ͼϼ9ɪXs2pZ!tM)j\<!gA9*WjD6+k \ No newline at end of file diff --git a/ops/secrets/nix-cache-pub.age b/ops/secrets/nix-cache-pub.age new file mode 100644 index 000000000000..cf91568ed7ee --- /dev/null +++ b/ops/secrets/nix-cache-pub.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw TL5QToF0mDivu98x9gXaSl69LUZL5iKBRqabHAdVWzM +UajZlNzYwlyol2mgUFMieb2u/9B+0guhU/lAadDdwZI +-> ssh-ed25519 CpJBgQ 7S+W2LgW2ZqUVb3c7Yk0LevWX3sWMm57yLC5Xqoxowo +jjN6v+kZ22Y1QZF92JXkonPTa/AwlVGK5Tfx6t6O02k +-> ssh-ed25519 OkGqLg hr9WfRaMD8ItNpy5MUse6h1XWvsfTVGlKhy9EfJenjE +hKcAGPH2F+tjirBZLn2UfoOkFzBj0jAz11MuBmR+Ruc +-> _IV%wdMT-grease sj}ltN 2j: , ` +32ynfXOvS7JtSNvxhEDJq9UntSBcmh7VLIBSGmzNlv9QrcjtLluFy0ig2jYuYVUh +bT1LncUASkgCxW6GPqd21oYOn4ygDvZqTgi+FB6O +--- fUjoaFfrtbi4tV6zqH3t9wlY+8TDwcLbV6WWlzQqnJY +sI;!tUtUKiQ a]|ɎN@ydՌu%zfJ0F!ȽXjs5F!Ó \ No newline at end of file diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 9dae76d15ba5..dc68e22380be 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -20,5 +20,7 @@ in { "gerrit-queue.age" = default; "grafana.age" = default; "irccat.age" = default; + "nix-cache-priv.age" = default; + "nix-cache-pub.age" = default; "owothia.age" = default; } |