about summary refs log tree commit diff
diff options
context:
space:
mode:
authorVincent Ambo <tazjin@google.com>2019-10-27T12·42+0100
committerVincent Ambo <github@tazj.in>2019-10-27T12·58+0100
commit7b7d21205fb5288f1772d6ea4baff080565ebd9e (patch)
treece86c496b5202d7380ec3cedd566eda0eb6cafa1
parent3a5db4f9f184d38799cda1ca83039d11ff457c04 (diff)
docs: Update GCS signing key documentation
This key is now taken straight from the configured service account
key.
-rw-r--r--tools/nixery/README.md18
-rw-r--r--tools/nixery/docs/src/run-your-own.md8
2 files changed, 14 insertions, 12 deletions
diff --git a/tools/nixery/README.md b/tools/nixery/README.md
index 3026451c74e0..1574d5950a22 100644
--- a/tools/nixery/README.md
+++ b/tools/nixery/README.md
@@ -79,15 +79,17 @@ variables:
 * `NIXERY_CHANNEL`: The name of a Nix/NixOS channel to use for building
 * `NIXERY_PKGS_REPO`: URL of a git repository containing a package set (uses
   locally configured SSH/git credentials)
-* `NIXERY_PKGS_PATH`: A local filesystem path containing a Nix package set to use
-  for building
+* `NIXERY_PKGS_PATH`: A local filesystem path containing a Nix package set to
+  use for building
 * `NIX_TIMEOUT`: Number of seconds that any Nix builder is allowed to run
-  (defaults to 60
-* `NIX_POPULARITY_URL`: URL to a file containing popularity data for the package set (see `popcount/`)
-* `GCS_SIGNING_KEY`: A Google service account key (in PEM format) that can be
-  used to sign Cloud Storage URLs
-* `GCS_SIGNING_ACCOUNT`: Google service account ID that the signing key belongs
-  to
+  (defaults to 60)
+* `NIX_POPULARITY_URL`: URL to a file containing popularity data for
+  the package set (see `popcount/`)
+
+If the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is set to a service
+account key, Nixery will also use this key to create [signed URLs][] for layers
+in the storage bucket. This makes it possible to serve layers from a bucket
+without having to make them publicly available.
 
 ## Roadmap
 
diff --git a/tools/nixery/docs/src/run-your-own.md b/tools/nixery/docs/src/run-your-own.md
index 7a294f56055e..ffddec32db5f 100644
--- a/tools/nixery/docs/src/run-your-own.md
+++ b/tools/nixery/docs/src/run-your-own.md
@@ -85,15 +85,15 @@ You may set *all* of these:
 
 * `NIX_TIMEOUT`: Number of seconds that any Nix builder is allowed to run
   (defaults to 60)
-* `GCS_SIGNING_KEY`: A Google service account key (in PEM format) that can be
-  used to [sign Cloud Storage URLs][signed-urls]
-* `GCS_SIGNING_ACCOUNT`: Google service account ID that the signing key belongs
-  to
 
 To authenticate to the configured GCS bucket, Nixery uses Google's [Application
 Default Credentials][ADC]. Depending on your environment this may require
 additional configuration.
 
+If the `GOOGLE_APPLICATION_CREDENTIALS` environment is configured, the service
+account's private key will be used to create [signed URLs for
+layers][signed-urls].
+
 ## 4. Deploy Nixery
 
 With the above environment variables configured, you can run the image that was