refactor(ops): Move Nix cache secret to agenix
... and also the public key, just to keep the distribution mechanism the same. Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
parent
82a885a750
commit
2fe8d724d7
5 changed files with 35 additions and 3 deletions
|
@ -173,7 +173,7 @@ in {
|
|||
nrBuildUsers = 256;
|
||||
maxJobs = lib.mkDefault 64;
|
||||
extraOptions = ''
|
||||
secret-key-files = /etc/secrets/nix-cache-privkey
|
||||
secret-key-files = /run/agenix/nix-cache-priv
|
||||
'';
|
||||
|
||||
trustedUsers = [
|
||||
|
@ -212,6 +212,7 @@ in {
|
|||
grafana.file = secretFile "grafana";
|
||||
irccat.file = secretFile "irccat";
|
||||
owothia.file = secretFile "owothia";
|
||||
nix-cache-priv.file = secretFile "nix-cache-priv";
|
||||
|
||||
buildkite-agent-token = {
|
||||
file = secretFile "buildkite-agent-token";
|
||||
|
@ -240,6 +241,12 @@ in {
|
|||
file = secretFile "clbot-ssh";
|
||||
owner = "clbot";
|
||||
};
|
||||
|
||||
# Not actually a secret
|
||||
nix-cache-pub = {
|
||||
file = secretFile "nix-cache-pub";
|
||||
mode = "0444";
|
||||
};
|
||||
};
|
||||
|
||||
# Automatically collect garbage from the Nix store.
|
||||
|
@ -419,7 +426,7 @@ in {
|
|||
services.nix-serve = {
|
||||
enable = true;
|
||||
port = 6443;
|
||||
secretKeyFile = "/etc/secrets/nix-cache-key.sec";
|
||||
secretKeyFile = "/run/agenix/nix-cache-priv";
|
||||
bindAddress = "localhost";
|
||||
};
|
||||
|
||||
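Review bot: `nix-cache-priv.file = secretFile "nix-cache-priv";` declares the cache signing key without an `owner`, while `services.nix-serve.secretKeyFile` now points at `/run/agenix/nix-cache-priv`. agenix decrypts secrets as root-owned with mode 0400 unless told otherwise, so if the nix-serve unit on this host runs as a dedicated unprivileged user (not visible here; it depends on the nixpkgs revision), it will not be able to read the key. The `clbot-ssh` entry in the same attribute set already shows the pattern: something like `nix-cache-priv = { file = secretFile "nix-cache-priv"; owner = "nix-serve"; };` keeps the key readable by that one service only, which is preferable to loosening `mode`. The attribute set and the `secretFile` helper start outside the visible hunks, so the user name needs checking against the actual unit.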
|
|
|
@ -14,7 +14,7 @@
|
|||
|
||||
extraConfig = ''
|
||||
location = /cache-key.pub {
|
||||
alias /etc/secrets/nix-cache-key.pub;
|
||||
alias /run/agenix/nix-cache-pub;
|
||||
}
|
||||
|
||||
location / {
|
||||
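Review bot: The `alias /run/agenix/nix-cache-pub;` line hard-codes the decrypted path, so it silently depends on the secret's name and on the `mode = "0444"` set where the secret is declared in another file. A rename or a changed agenix mount point would turn `/cache-key.pub` into a 404 or 403 at runtime rather than an evaluation error. If `config` is in scope in this module (its argument list is outside the hunk), interpolating `alias ${config.age.secrets.nix-cache-pub.path};` ties the two together; the two `/run/agenix/nix-cache-priv` literals in the host configuration have the same coupling. A short comment next to the alias, e.g. `# world-readable by design: public half of the cache signing key`, would also make clear that serving a file from the agenix directory is intended.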
|
|
11
ops/secrets/nix-cache-priv.age
Normal file
11
ops/secrets/nix-cache-priv.age
Normal file
|
@ -0,0 +1,11 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dcsaLw GSjmDlPaOHw2uNxaGgQ/Jvt1xyL6pqnAGOhW/PXq0g0
|
||||
Lw27V3JPG6iBGiHpnHEm1B07skTYkYZHkCtDbRVXj/4
|
||||
-> ssh-ed25519 CpJBgQ Y52Trw6EsiR5xfVMB7bh8vLPnNlNj9RKu2WYVKOd9SQ
|
||||
51egTYyWQj+HUVytA1Te0kcJCeKQn3GkW0ZODGPylOI
|
||||
-> ssh-ed25519 OkGqLg rU7V7ekAJ/7IxnbP5mbXT9fCH3zYlzDajkbzStACfmM
|
||||
l0CIZ2kIod05a2mWeFTM5BAcfXp3VNqsfLzjknXv6d0
|
||||
-> C#9J-grease 6
|
||||
uBB/nrNzeiZBynmHdla48aU6JC45+8T2WLQ
|
||||
--- MG+HoZ+OIMOSBp0IZqamiW4ShQZF9o8XDRIRUBYXY3E
|
||||
§ùÝàWG,PÂjžã 'f<14>â¯?vÁÎÀ3Y´1ÏC-¥‚´+“³‰_eõѸý1JA«6ô]4µÞÒaB‘ž+ϾšÏ¼Ð9ɪ…ƒÓXòs2ép›àZ!<21>ÈtMÏ)j\<!§gïØA9ì*Wj€†®Ž×D6ò+kÞ
|
12
ops/secrets/nix-cache-pub.age
Normal file
12
ops/secrets/nix-cache-pub.age
Normal file
|
@ -0,0 +1,12 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dcsaLw TL5QToF0mDivu98x9gXaSl69LUZL5iKBRqabHAdVWzM
|
||||
UajZlNzYwlyol2mgUFMieb2u/9B+0guhU/lAadDdwZI
|
||||
-> ssh-ed25519 CpJBgQ 7S+W2LgW2ZqUVb3c7Yk0LevWX3sWMm57yLC5Xqoxowo
|
||||
jjN6v+kZ22Y1QZF92JXkonPTa/AwlVGK5Tfx6t6O02k
|
||||
-> ssh-ed25519 OkGqLg hr9WfRaMD8ItNpy5MUse6h1XWvsfTVGlKhy9EfJenjE
|
||||
hKcAGPH2F+tjirBZLn2UfoOkFzBj0jAz11MuBmR+Ruc
|
||||
-> _IV%wdMT-grease sj}ltN 2j: , `
|
||||
32ynfXOvS7JtSNvxhEDJq9UntSBcmh7VLIBSGmzNlv9QrcjtLluFy0ig2jYuYVUh
|
||||
bT1LncUASkgCxW6GPqd21oYOn4ygDvZqTgi+FB6O
|
||||
--- fUjoaFfrtbi4tV6zqH3t9wlY+8TDwcLbV6WWlzQqnJY
|
||||
sI»ó;!Öït¨UÁÙtUKiƒQ<C692>õ¤ë
êÒaµ]…|ã×ÉŽìýN@<40>yŠ‚dÙçžÕŒu%zµçfJÝ0F!ã÷ȽXjs¹5Få!ðOÛõÌ<C3B5>û‰³ ŠŽ
|
|
@ -20,5 +20,7 @@ in {
|
|||
"gerrit-queue.age" = default;
|
||||
"grafana.age" = default;
|
||||
"irccat.age" = default;
|
||||
"nix-cache-priv.age" = default;
|
||||
"nix-cache-pub.age" = default;
|
||||
"owothia.age" = default;
|
||||
}
|
||||
|
|