refactor(ops): Move Nix cache secret to agenix
... and also the public key, just to keep the distribution mechanism the same. Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
parent
82a885a750
commit
2fe8d724d7
5 changed files with 35 additions and 3 deletions
|
@ -173,7 +173,7 @@ in {
|
||||||
nrBuildUsers = 256;
|
nrBuildUsers = 256;
|
||||||
maxJobs = lib.mkDefault 64;
|
maxJobs = lib.mkDefault 64;
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
secret-key-files = /etc/secrets/nix-cache-privkey
|
secret-key-files = /run/agenix/nix-cache-priv
|
||||||
'';
|
'';
|
||||||
|
|
||||||
trustedUsers = [
|
trustedUsers = [
|
||||||
|
@ -212,6 +212,7 @@ in {
|
||||||
grafana.file = secretFile "grafana";
|
grafana.file = secretFile "grafana";
|
||||||
irccat.file = secretFile "irccat";
|
irccat.file = secretFile "irccat";
|
||||||
owothia.file = secretFile "owothia";
|
owothia.file = secretFile "owothia";
|
||||||
|
nix-cache-priv.file = secretFile "nix-cache-priv";
|
||||||
|
|
||||||
buildkite-agent-token = {
|
buildkite-agent-token = {
|
||||||
file = secretFile "buildkite-agent-token";
|
file = secretFile "buildkite-agent-token";
|
||||||
|
@ -240,6 +241,12 @@ in {
|
||||||
file = secretFile "clbot-ssh";
|
file = secretFile "clbot-ssh";
|
||||||
owner = "clbot";
|
owner = "clbot";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Not actually a secret
|
||||||
|
nix-cache-pub = {
|
||||||
|
file = secretFile "nix-cache-pub";
|
||||||
|
mode = "0444";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Automatically collect garbage from the Nix store.
|
# Automatically collect garbage from the Nix store.
|
||||||
|
@ -419,7 +426,7 @@ in {
|
||||||
services.nix-serve = {
|
services.nix-serve = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = 6443;
|
port = 6443;
|
||||||
secretKeyFile = "/etc/secrets/nix-cache-key.sec";
|
secretKeyFile = "/run/agenix/nix-cache-priv";
|
||||||
bindAddress = "localhost";
|
bindAddress = "localhost";
|
||||||
};
|
};
|
||||||
|
|
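Review bot: `nix-cache-priv.file = secretFile "nix-cache-priv";` sets no `owner` or `mode`, so the decrypted key gets agenix's defaults, which as far as I know are root-owned and `0400`. That suits the `secret-key-files` line read by the root Nix daemon, but `services.nix-serve.secretKeyFile` now points at the same file, and if the nix-serve unit runs as an unprivileged account and opens the path itself, signing would fail after this change. If so, declare the secret in the attrset form already used for `clbot-ssh`, with `owner` set to the account nix-serve runs as, rather than widening `mode`. The two old paths also differed (`/etc/secrets/nix-cache-privkey` and `/etc/secrets/nix-cache-key.sec`), so it is worth confirming they held the same key that clients already trust. The enclosing `age.secrets` block and the nix-serve module are outside the hunks shown.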
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
location = /cache-key.pub {
|
location = /cache-key.pub {
|
||||||
alias /etc/secrets/nix-cache-key.pub;
|
alias /run/agenix/nix-cache-pub;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
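Review bot: The alias `/run/agenix/nix-cache-pub` hard-codes agenix's output directory, and the same literal prefix is repeated for the private key in the `secret-key-files` line and in `services.nix-serve.secretKeyFile` in the other file. agenix exposes each secret's decrypted location as `config.age.secrets.<name>.path`, so, assuming `config` is in scope in this module, `alias ${config.age.secrets.nix-cache-pub.path};` would keep the nginx location tied to the declaration. The alias also relies on the `mode = "0444"` set there, since nginx workers normally do not run as root. A short comment next to it, such as `# world-readable via age.secrets.nix-cache-pub.mode`, would record that dependency. The surrounding virtual host definition is outside the hunk.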
||||||
|
|
11
ops/secrets/nix-cache-priv.age
Normal file
11
ops/secrets/nix-cache-priv.age
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 dcsaLw GSjmDlPaOHw2uNxaGgQ/Jvt1xyL6pqnAGOhW/PXq0g0
|
||||||
|
Lw27V3JPG6iBGiHpnHEm1B07skTYkYZHkCtDbRVXj/4
|
||||||
|
-> ssh-ed25519 CpJBgQ Y52Trw6EsiR5xfVMB7bh8vLPnNlNj9RKu2WYVKOd9SQ
|
||||||
|
51egTYyWQj+HUVytA1Te0kcJCeKQn3GkW0ZODGPylOI
|
||||||
|
-> ssh-ed25519 OkGqLg rU7V7ekAJ/7IxnbP5mbXT9fCH3zYlzDajkbzStACfmM
|
||||||
|
l0CIZ2kIod05a2mWeFTM5BAcfXp3VNqsfLzjknXv6d0
|
||||||
|
-> C#9J-grease 6
|
||||||
|
uBB/nrNzeiZBynmHdla48aU6JC45+8T2WLQ
|
||||||
|
--- MG+HoZ+OIMOSBp0IZqamiW4ShQZF9o8XDRIRUBYXY3E
|
||||||
|
§ùÝàWG,PÂjžã 'f<14>â¯?vÁÎÀ3Y´1ÏC-¥‚´+“³‰_eõѸý1JA«6ô]4µÞÒaB‘ž+ϾšÏ¼Ð9ɪ…ƒÓXòs2ép›àZ!<21>ÈtMÏ)j\<!§gïØA9ì*Wj€†®Ž×D6ò+kÞ
|
12
ops/secrets/nix-cache-pub.age
Normal file
12
ops/secrets/nix-cache-pub.age
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 dcsaLw TL5QToF0mDivu98x9gXaSl69LUZL5iKBRqabHAdVWzM
|
||||||
|
UajZlNzYwlyol2mgUFMieb2u/9B+0guhU/lAadDdwZI
|
||||||
|
-> ssh-ed25519 CpJBgQ 7S+W2LgW2ZqUVb3c7Yk0LevWX3sWMm57yLC5Xqoxowo
|
||||||
|
jjN6v+kZ22Y1QZF92JXkonPTa/AwlVGK5Tfx6t6O02k
|
||||||
|
-> ssh-ed25519 OkGqLg hr9WfRaMD8ItNpy5MUse6h1XWvsfTVGlKhy9EfJenjE
|
||||||
|
hKcAGPH2F+tjirBZLn2UfoOkFzBj0jAz11MuBmR+Ruc
|
||||||
|
-> _IV%wdMT-grease sj}ltN 2j: , `
|
||||||
|
32ynfXOvS7JtSNvxhEDJq9UntSBcmh7VLIBSGmzNlv9QrcjtLluFy0ig2jYuYVUh
|
||||||
|
bT1LncUASkgCxW6GPqd21oYOn4ygDvZqTgi+FB6O
|
||||||
|
--- fUjoaFfrtbi4tV6zqH3t9wlY+8TDwcLbV6WWlzQqnJY
|
||||||
|
sI»ó;!Öït¨UÁÙtUKiƒQ<C692>õ¤ë
êÒaµ]…|ã×ÉŽìýN@<40>yŠ‚dÙçžÕŒu%zµçfJÝ0F!ã÷ȽXjs¹5Få!ðOÛõÌ<C3B5>û‰³ ŠŽ
|
|
@ -20,5 +20,7 @@ in {
|
||||||
"gerrit-queue.age" = default;
|
"gerrit-queue.age" = default;
|
||||||
"grafana.age" = default;
|
"grafana.age" = default;
|
||||||
"irccat.age" = default;
|
"irccat.age" = default;
|
||||||
|
"nix-cache-priv.age" = default;
|
||||||
|
"nix-cache-pub.age" = default;
|
||||||
"owothia.age" = default;
|
"owothia.age" = default;
|
||||||
}
|
}
|
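Review bot: `"nix-cache-priv.age" = default;` encrypts the cache signing key to the same `default` recipient list as the `grafana`, `irccat` and `owothia` entries around it. Anyone who can decrypt it can sign store paths that clients trusting this cache's public key will accept. It is therefore worth checking that every key in `default` (defined outside this hunk) needs that capability, and giving the entry a narrower recipient list if not. A comment such as `# binary cache signing key: recipients can sign store paths` above the entry would record why it deserves separate treatment. `"nix-cache-pub.age"` holds public material and is fine under `default`.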
||||||
|
|