From 75d866774cbeb36640a758d8dfd7c64d7434cb09 Mon Sep 17 00:00:00 2001
From: emily
Date: Wed, 24 Jul 2024 00:11:04 +0200
Subject: [PATCH] Fix hydra sshkey permissions
---
 config/services/hydra/default.nix | 9 ++++++---
 secrets/services/hydra.yaml | 5 +++--
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/config/services/hydra/default.nix b/config/services/hydra/default.nix
index 229d15c..d16f0f5 100644
--- a/config/services/hydra/default.nix
+++ b/config/services/hydra/default.nix
@@ -6,11 +6,14 @@
 owner = "hydra-queue-runner";
 sopsFile = ../../../secrets/services/hydra.yaml;
 };
- sops.secrets."services/hydra/id_ed25519_hydra" = {
+ sops.secrets."services/hydra/id_ed25519_hydra-eval" = {
 path = "/var/lib/hydra/.ssh/id_ed25519";
+ owner = "hydra";
+ mode = "0400";
+ sopsFile = ../../../secrets/services/hydra.yaml;
+ };
+ sops.secrets."services/hydra/id_ed25519_hydra" = {
 owner = "hydra-queue-runner";
- group = "hydra";
- mode = "0440";
 sopsFile = ../../../secrets/services/hydra.yaml;
 };
 kyouma.deployment.auto-upgrade.cache = "daemon";
diff --git a/secrets/services/hydra.yaml b/secrets/services/hydra.yaml
index 008d490..eeccbf7 100644
--- a/secrets/services/hydra.yaml
+++ b/secrets/services/hydra.yaml
@@ -2,6 +2,7 @@ services:
 hydra:
 signKey: ENC[AES256_GCM,data:WbGyQtlko04eCXP5duAVbgbMHSQ8wNrCHuS0+M29l/9LJjm8E7wps2ogy5S5jH+5etkwIj2m7d+xFci1IE9a2ERVs4qrFmfx8mikuF/+iIewJuaOOJcHcrUtYto5RxiFjYb9ooG7ktfy,iv:FvNRBY/aZnJ8z/wSYhsZLiq8h25WYvXB/zL9+4qQR7o=,tag:hU6i64XZH/1JDJzDHbiuXQ==,type:str]
 id_ed25519_hydra: ENC[AES256_GCM,data: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,iv:Ftw3hBUcvY/nW9LiBFUbhHOpv7KIbkdEcIp3Si4oM1Q=,tag:QqUDYFcJ6bq2l2Q09klXdQ==,type:str]
+ id_ed25519_hydra-eval: ENC[AES256_GCM,data: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,iv:r0ejnmyxNFabwzJn5gJL0tId/jP0FTrL0utFWd/DiRA=,tag:RsObDcDIkbr3tg2863b19Q==,type:str]
 sops:
 kms: []
 gcp_kms: []
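Review bot: The re-added `sops.secrets."services/hydra/id_ed25519_hydra"` entry at the end of the nix hunk sets neither `mode` nor `path`, so it depends on sops-nix defaults, while the `-eval` entry directly above it spells out `mode = "0400";`; adding the same line to the queue-runner entry would keep both private keys visibly owner-only. Because `/var/lib/hydra/.ssh/id_ed25519` now belongs to the `-eval` secret, whatever gives the key to `hydra-queue-runner` has to read `config.sops.secrets."services/hydra/id_ed25519_hydra".path`; that consumer is not in the hunk and should be checked. A short comment above the two entries would record why the key is split, e.g. `# one owner-only (0400) copy of the ssh key per hydra user` (presumably the reason, given the commit title). The enclosing attribute set starts and ends outside the hunk.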
@@ -17,8 +18,8 @@ sops:
 enBjbHhJS1hqRGF2QUF1azNJdk9yUDAKJ1TY0Pybp54zh6KQ1kJQrcJeT91F4QKQ
 YpeRMwHR+QIuXF37MXuWKtIsRmcPAC+dCi4LZFmXUjX0yUwA0K8juQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-14T12:01:05Z"
- mac: ENC[AES256_GCM,data:CvaqYz0wwU0i9tQ6DoLJwAfX5+IuPtnoc0tRtYAe1dLhszDqSv+VXRYtjwoM5jAIpYcHTN6w90pZkDXNEtluHDSmy1WlDEGhRo/rMuVi12le7iTPZ6G380/bUrE4PqKxYo6Kg2esAXZTXFdM0Om1oqcBfOywrCOPpx1ioIOxEQ8=,iv:l++0F1jTIjcqXUAKF5N63PJtNZgUeRQT7H3FV87/nZA=,tag:icTc376kY2+CPLtnvlaUUA==,type:str]
+ lastmodified: "2024-07-23T22:18:12Z"
+ mac: ENC[AES256_GCM,data:80Dul9VV/MpL/IgWilpne4szz28rQPV0fgdjTfX33c6hO1OiARDFrY6hRTAk38AKakkIFwmneBlmTfFpgN6pstqX9f4YNtHLdi6KXoJzBL9v6+gyY5ypJwKftpXcKUuJUo/A03HA8Grq4vhOqsUEO7HXofj96GxKcMtHONgcTbI=,iv:v140qo5vnEsJhObV5GgLgBbU2/AoROfSSvEiAXl+Kgg=,tag:vitC7J3pSGA9WkNzfFVmXw==,type:str]
 pgp:
 - created_at: "2024-05-10T18:05:16Z"
 enc: |-