From e3ec78b937eb143b26ffeb7d67bc28c5361ebf3a Mon Sep 17 00:00:00 2001
From: emily
Date: Tue, 14 May 2024 14:17:53 +0200
Subject: [PATCH] added hydra sshkey to sops

---
 config/services/hydra/default.nix | 6 +++++-
 config/services/hydra/nix-config.nix | 10 +++++++---
 secrets/services/hydra.yaml | 5 +++--
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/config/services/hydra/default.nix b/config/services/hydra/default.nix
index 5d7536d..c89858a 100644
--- a/config/services/hydra/default.nix
+++ b/config/services/hydra/default.nix
@@ -1,4 +1,4 @@
-{ config, inputs, ... }: {
+{ config, ... }: {
 imports = [
 ./nix-config.nix
 ];
@@ -6,6 +6,10 @@
 owner = "hydra-queue-runner";
 sopsFile = ../../../secrets/services/hydra.yaml;
 };
+ sops.secrets."services/hydra/id_ed25519_hydra" = {
+ owner = "hydra-queue-runner";
+ sopsFile = ../../../secrets/services/hydra.yaml;
+ };

 services.hydra = {
 enable = true;
diff --git a/config/services/hydra/nix-config.nix b/config/services/hydra/nix-config.nix
index c7aa778..351d4bf 100644
--- a/config/services/hydra/nix-config.nix
+++ b/config/services/hydra/nix-config.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{ config, ... }: {
 nix.buildMachines = [
 {
 hostName = "localhost";
@@ -7,7 +7,7 @@
 speedFactor = 40;
 systems = [ "x86_64-linux" ];
 supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
- sshKey = "/var/lib/hydra/id_ed25519";
+ sshKey = config.sops.secrets."services/hydra/id_ed25519_hydra".path;
 }
 {
 hostName = "integra.kyouma.net";
@@ -16,7 +16,7 @@
 speedFactor = 8;
 systems = [ "aarch64-linux" ];
 supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
- sshKey = "/var/lib/hydra/id_ed25519";
+ sshKey = config.sops.secrets."services/hydra/id_ed25519_hydra".path;
 }
 ];
 nix.settings = {
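Review bot: The new `sops.secrets."services/hydra/id_ed25519_hydra"` entry repeats `owner` and `sopsFile` verbatim from the `signKey` entry just above it, whose opening line is outside this hunk; a single `let hydraSecret = { owner = "hydra-queue-runner"; sopsFile = ../../../secrets/services/hydra.yaml; }; in` binding reused by both entries, or `sops.defaultSopsFile`, would keep the two from drifting if the secrets file moves. The entry relies on sops-nix's default file mode (0400 unless overridden), which is appropriate for a private key, but nothing says why the key belongs to `hydra-queue-runner` rather than the default owner; a comment such as `# SSH key used by nix.buildMachines in ./nix-config.nix; read by the queue runner, hence the owner` would make that explicit.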
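Review bot: Both `sshKey` lines (this hunk and the `integra.kyouma.net` entry in the next hunk) now resolve to the sops-managed path, but nothing in the patch retires the previously referenced `/var/lib/hydra/id_ed25519`; if that file still exists on the host it remains a second, unmanaged copy of whatever key it held, and if the same material was simply imported into sops the old copy should be deleted or the key rotated. The commit message does not say whether the key was regenerated, so a sentence noting that, or a comment next to the first entry such as `# key is sops-managed; the unmanaged /var/lib/hydra/id_ed25519 has been removed/rotated`, would record the decision. The `nix.buildMachines` list this hunk edits begins above the hunk.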
@@ -27,7 +27,11 @@
 "https://"
 ];
 };
+ users.users.hydra-queue-runner.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras"
+ ];
 programs.ssh = {
 knownHosts."integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
+ knownHosts."localhost".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";
 };
 }
diff --git a/secrets/services/hydra.yaml b/secrets/services/hydra.yaml
index 5336c1b..008d490 100644
--- a/secrets/services/hydra.yaml
+++ b/secrets/services/hydra.yaml
@@ -1,6 +1,7 @@
 services:
 hydra:
 signKey: ENC[AES256_GCM,data:WbGyQtlko04eCXP5duAVbgbMHSQ8wNrCHuS0+M29l/9LJjm8E7wps2ogy5S5jH+5etkwIj2m7d+xFci1IE9a2ERVs4qrFmfx8mikuF/+iIewJuaOOJcHcrUtYto5RxiFjYb9ooG7ktfy,iv:FvNRBY/aZnJ8z/wSYhsZLiq8h25WYvXB/zL9+4qQR7o=,tag:hU6i64XZH/1JDJzDHbiuXQ==,type:str]
+ id_ed25519_hydra: ENC[AES256_GCM,data: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,iv:Ftw3hBUcvY/nW9LiBFUbhHOpv7KIbkdEcIp3Si4oM1Q=,tag:QqUDYFcJ6bq2l2Q09klXdQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
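Review bot: The authorized key added for `hydra-queue-runner` exists only so the `localhost` build machine can ssh back into its own host, yet as written the entry accepts that key from any source address; prefixing it with an origin restriction, `"from=\"127.0.0.1,::1\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras"`, limits the key to the loopback use the build-machine entry actually makes, so a leaked private key cannot be used against this host from elsewhere. Pinning `knownHosts."localhost"` alongside it is the right complement, since it stops the localhost connection from relying on an unverified host key. The `nix.settings` attrset closed at the top of this hunk starts outside it.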
@@ -16,8 +17,8 @@ sops:
 enBjbHhJS1hqRGF2QUF1azNJdk9yUDAKJ1TY0Pybp54zh6KQ1kJQrcJeT91F4QKQ
 YpeRMwHR+QIuXF37MXuWKtIsRmcPAC+dCi4LZFmXUjX0yUwA0K8juQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-11T09:08:54Z"
- mac: ENC[AES256_GCM,data:0bz8sifK6lwpLI7GYsLneXPw7f+bnskHdtzECKz9p7x+lMBz/LP+dSz9VOnULKI8b+Xk9YCWAqZuJyjeahsZji0QGLB/BSxo7FLjiWPpjwas0zBNqNwP10M9ZPtTEDTazzwT/MF7LZtypL6u66RORgSkLK47FcZoVKJjZDKBP4c=,iv:G9lAoE5vjSlWTHTd74/LIgLO85HdExCIDZz8giJr4ho=,tag:67ZHrw+SS/Nwrc+xRVfySw==,type:str]
+ lastmodified: "2024-05-14T12:01:05Z"
+ mac: ENC[AES256_GCM,data:CvaqYz0wwU0i9tQ6DoLJwAfX5+IuPtnoc0tRtYAe1dLhszDqSv+VXRYtjwoM5jAIpYcHTN6w90pZkDXNEtluHDSmy1WlDEGhRo/rMuVi12le7iTPZ6G380/bUrE4PqKxYo6Kg2esAXZTXFdM0Om1oqcBfOywrCOPpx1ioIOxEQ8=,iv:l++0F1jTIjcqXUAKF5N63PJtNZgUeRQT7H3FV87/nZA=,tag:icTc376kY2+CPLtnvlaUUA==,type:str]
 pgp:
 - created_at: "2024-05-10T18:05:16Z"
 enc: |-