authorVincent Ambo <mail@tazj.in>2021-12-10T18·23+0300
committertazjin <mail@tazj.in>2021-12-10T19·48+0000
commit2fe8d724d7cbc86c68c62ed6233e7b982566ad4d (patch)
tree9e2384047122267f4896002d4d8bfdbd206ed009
parent82a885a750cfe3bdf282a19a37f91842f374b24c (diff)
refactor(ops): Move Nix cache secret to agenix r/3199
... and also the public key, just to keep the distribution mechanism
the same.

Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
-rw-r--r--ops/machines/whitby/default.nix11
-rw-r--r--ops/modules/www/cache.tvl.su.nix2
-rw-r--r--ops/secrets/nix-cache-priv.age11
-rw-r--r--ops/secrets/nix-cache-pub.age12
-rw-r--r--ops/secrets/secrets.nix2
5 files changed, 35 insertions, 3 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 572417fea695..129a1a766772 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -173,7 +173,7 @@ in {
     nrBuildUsers = 256;
     maxJobs = lib.mkDefault 64;
     extraOptions = ''
-      secret-key-files = /etc/secrets/nix-cache-privkey
+      secret-key-files = /run/agenix/nix-cache-priv
     '';
 
     trustedUsers = [
@@ -212,6 +212,7 @@ in {
       grafana.file = secretFile "grafana";
       irccat.file = secretFile "irccat";
       owothia.file = secretFile "owothia";
+      nix-cache-priv.file = secretFile "nix-cache-priv";
 
       buildkite-agent-token = {
         file = secretFile "buildkite-agent-token";
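Review bot: `nix-cache-priv.file = secretFile "nix-cache-priv";` declares the signing key with no `owner` or `mode`, so it is decrypted with whatever defaults `secretFile` and agenix apply (root-owned and unreadable to other users, unless the helper outside this hunk overrides that). That is fine for the daemon's `secret-key-files` in the first hunk, which is read as root, but the fourth hunk of this file points `services.nix-serve.secretKeyFile` at the same `/run/agenix/nix-cache-priv`, and the upstream nix-serve unit runs as its own unprivileged user, which would then be unable to open the key. The `clbot-ssh` entry in the next hunk shows the pattern to follow: `nix-cache-priv = { file = secretFile "nix-cache-priv"; owner = "nix-serve"; };`, with the owner matched to the user the nix-serve unit actually runs as on this host. The enclosing `age.secrets` attribute set opens before this hunk.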
@@ -240,6 +241,12 @@ in {
         file = secretFile "clbot-ssh";
         owner = "clbot";
       };
+
+      # Not actually a secret
+      nix-cache-pub = {
+        file = secretFile "nix-cache-pub";
+        mode = "0444";
+      };
     };
 
   # Automatically collect garbage from the Nix store.
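Review bot: The comment `# Not actually a secret` on the new `nix-cache-pub` entry says what the file is not, but not why a public key is routed through agenix or why it needs `mode = "0444"`; someone auditing the secrets list later will look here, not at the commit message. Suggested wording: `# Not actually a secret: kept in agenix so it ships with the private key; world-readable so the web server can serve it.` The `age.secrets` set that contains this entry opens before the hunk and closes at the `};` shown here.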
@@ -419,7 +426,7 @@ in {
   services.nix-serve = {
     enable = true;
     port = 6443;
-    secretKeyFile = "/etc/secrets/nix-cache-key.sec";
+    secretKeyFile = "/run/agenix/nix-cache-priv";
     bindAddress = "localhost";
   };
 
diff --git a/ops/modules/www/cache.tvl.su.nix b/ops/modules/www/cache.tvl.su.nix
index 182306bebff1..633178b5ccec 100644
--- a/ops/modules/www/cache.tvl.su.nix
+++ b/ops/modules/www/cache.tvl.su.nix
@@ -14,7 +14,7 @@
 
       extraConfig = ''
         location = /cache-key.pub {
-          alias /etc/secrets/nix-cache-key.pub;
+          alias /run/agenix/nix-cache-pub;
         }
 
         location / {
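Review bot: `alias /run/agenix/nix-cache-pub;` only works because the secret is declared elsewhere with `mode = "0444"`; nothing in this file records that coupling, so a later change to the secret's mode or name in the machine config would break this location without any hint here. A one-line comment above the `location` would keep the dependency visible, e.g. `# Served from the agenix-managed file; nix-cache-pub must stay world-readable (see whitby/default.nix).` The surrounding `extraConfig` string continues past this hunk.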
diff --git a/ops/secrets/nix-cache-priv.age b/ops/secrets/nix-cache-priv.age
new file mode 100644
index 000000000000..3be14bcf0ceb
--- /dev/null
+++ b/ops/secrets/nix-cache-priv.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw GSjmDlPaOHw2uNxaGgQ/Jvt1xyL6pqnAGOhW/PXq0g0
+Lw27V3JPG6iBGiHpnHEm1B07skTYkYZHkCtDbRVXj/4
+-> ssh-ed25519 CpJBgQ Y52Trw6EsiR5xfVMB7bh8vLPnNlNj9RKu2WYVKOd9SQ
+51egTYyWQj+HUVytA1Te0kcJCeKQn3GkW0ZODGPylOI
+-> ssh-ed25519 OkGqLg rU7V7ekAJ/7IxnbP5mbXT9fCH3zYlzDajkbzStACfmM
+l0CIZ2kIod05a2mWeFTM5BAcfXp3VNqsfLzjknXv6d0
+-> C#9J-grease 6
+uBB/nrNzeiZBynmHdla48aU6JC45+8T2WLQ
+--- MG+HoZ+OIMOSBp0IZqamiW4ShQZF9o8XDRIRUBYXY3E
+	WG,Pj'f?v3Y1C-+_e1JA6]4aB+Ͼϼ9ɪXs2pZ!tM)j\<!gA9*WjD6+k
\ No newline at end of file
diff --git a/ops/secrets/nix-cache-pub.age b/ops/secrets/nix-cache-pub.age
new file mode 100644
index 000000000000..cf91568ed7ee
--- /dev/null
+++ b/ops/secrets/nix-cache-pub.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw TL5QToF0mDivu98x9gXaSl69LUZL5iKBRqabHAdVWzM
+UajZlNzYwlyol2mgUFMieb2u/9B+0guhU/lAadDdwZI
+-> ssh-ed25519 CpJBgQ 7S+W2LgW2ZqUVb3c7Yk0LevWX3sWMm57yLC5Xqoxowo
+jjN6v+kZ22Y1QZF92JXkonPTa/AwlVGK5Tfx6t6O02k
+-> ssh-ed25519 OkGqLg hr9WfRaMD8ItNpy5MUse6h1XWvsfTVGlKhy9EfJenjE
+hKcAGPH2F+tjirBZLn2UfoOkFzBj0jAz11MuBmR+Ruc
+-> _IV%wdMT-grease sj}ltN 2j: , `
+32ynfXOvS7JtSNvxhEDJq9UntSBcmh7VLIBSGmzNlv9QrcjtLluFy0ig2jYuYVUh
+bT1LncUASkgCxW6GPqd21oYOn4ygDvZqTgi+FB6O
+--- fUjoaFfrtbi4tV6zqH3t9wlY+8TDwcLbV6WWlzQqnJY
+sI;!tUtUKiQ
a]|ɎN@ydՌu%zfJ0F!ȽXjs5F!Ó
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 9dae76d15ba5..dc68e22380be 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -20,5 +20,7 @@ in {
   "gerrit-queue.age" = default;
   "grafana.age" = default;
   "irccat.age" = default;
+  "nix-cache-priv.age" = default;
+  "nix-cache-pub.age" = default;
   "owothia.age" = default;
 }