ops/nixos: move nix cache tokens into vault
This commit is contained in:
parent
4100b021aa
commit
0187120a24
4 changed files with 23 additions and 12 deletions
@ -113,6 +113,12 @@ in {
|
|||
|
||||
containers.deployer = {
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/var/lib/secrets/nix-daemon" = {
|
||||
hostPath = "/var/lib/secrets/nix-daemon";
|
||||
isReadOnly = true;
|
||||
};
|
||||
};
|
||||
config = { config, pkgs, ... }: {
|
||||
imports = [
|
||||
../lib/low-space.nix
|
||||
|
@ -123,11 +129,8 @@ in {
|
|||
substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
||||
trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
||||
};
|
||||
envVars = {
|
||||
AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
|
||||
AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
|
||||
};
|
||||
};
|
||||
systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret";
|
||||
environment.etc."secrets/gitlab-runner-registration" = {
|
||||
text = ''
|
||||
CI_SERVER_URL=https://hg.lukegb.com
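Review bot: The container's nix-daemon reads the rendered secret from a hard-coded path, `/var/lib/secrets/nix-daemon/secret`, while the host side of this commit derives the same file from `config.my.vault.secrets.nix-daemon.path`, so the two can drift silently if the vault module ever changes where it writes; lifting the host path into one `let` binding used for both `hostPath` and `EnvironmentFile=` would remove the duplication. `EnvironmentFile=` is only read when the unit starts, and nothing in the container config restarts its nix-daemon when Vault re-renders the file, so a key rotation on the host presumably leaves the container's daemon on stale credentials until it next restarts. The bind mount also exposes the whole `/var/lib/secrets/nix-daemon` directory rather than the single file the daemon needs; mounting the file alone narrows what the container can see. A one-line comment above the bind mount, e.g. `# Must match the path rendered by my.vault.secrets.nix-daemon on the host.`, would make the cross-dependency visible to the next reader.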
|
||||
|
@ -110,10 +110,6 @@ in
|
|||
substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
||||
trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
||||
};
|
||||
envVars = {
|
||||
AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
|
||||
AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
|
||||
};
|
||||
};
|
||||
nixpkgs.config = depot.third_party.nixpkgsConfig;
|
||||
|
@ -275,6 +271,18 @@ in
|
|||
recommendedProxySettings = true;
|
||||
};
|
||||
|
||||
my.vault.secrets.nix-daemon = {
|
||||
template = ''
|
||||
{{ with secret "kv/apps/nix-daemon" }}
|
||||
AWS_ACCESS_KEY_ID={{ .Data.data.cacheAccessKeyID }}
|
||||
AWS_SECRET_ACCESS_KEY={{ .Data.data.cacheSecretAccessKey }}
|
||||
{{ end }}
|
||||
'';
|
||||
group = "root";
|
||||
reloadOrRestartUnits = [ "nix-daemon.service" ];
|
||||
};
|
||||
systemd.services.nix-daemon.serviceConfig.EnvironmentFile = config.my.vault.secrets.nix-daemon.path;
|
||||
|
||||
services.fwupd.enable = true;
|
||||
|
||||
# This is enabled independently of my.scrapeJournal.enable.
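Review bot: The removed `envVars` lines show the cache keys were previously interpolated from `depot.ops.secrets.nixCache` straight into Nix configuration, which appears to have placed them in world-readable /nix/store paths that persist in every older system generation (and in any cache those closures were pushed to); if the values now in `kv/apps/nix-daemon` are the same key pair, moving them is not enough and they should be rotated once this is deployed. Separately, the template writes `{{ .Data.data.cacheAccessKeyID }}` and the secret key unquoted into a systemd `EnvironmentFile=`; that is fine for typical AWS-style keys, but quoting them (`AWS_SECRET_ACCESS_KEY="{{ .Data.data.cacheSecretAccessKey }}"`) keeps the file valid if a future rotation produces a value containing whitespace or `#`. A comment above `my.vault.secrets.nix-daemon` noting that the deployer container bind-mounts this rendered file would document why its path must stay stable.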
|
||||
|
|
|
@ -11,8 +11,8 @@ pkgs.writeShellScriptBin "rebuilder" ''
|
|||
|
||||
DEPOT_PATH="''${1:-<depot>}"
|
||||
|
||||
export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}"
|
||||
export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}"
|
||||
export AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"
|
||||
export AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheSecretAccessKey kv/apps/nix-daemon)"
|
||||
|
||||
current_specialisation="$(cat /run/current-system/specialisation-name 2>/dev/null)"
|
||||
specialisation_path=""
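Review bot: `export AWS_ACCESS_KEY_ID="$(vault kv get …)"` discards the exit status of `vault kv get` (the line's status is `export`'s, which is always 0), so a sealed Vault, a missing token, or a misspelled field name leaves the variable empty and the script carries on with no credentials; whether this script sets `-e` is outside the hunk, but even with it the failure would be masked. Assign first and export second — `AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get … -field=cacheAccessKeyID kv/apps/nix-daemon)"` then `export AWS_ACCESS_KEY_ID` — or check `[[ -n "$AWS_ACCESS_KEY_ID" ]]` before continuing. The Vault address is also hard-coded as `http://127.0.0.1:8200` here and in switch-prebuilt; `--address="''${VAULT_ADDR:-http://127.0.0.1:8200}"` keeps the loopback default while letting the caller override it. The script body starts before this hunk.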
|
||||
|
|
|
@ -6,8 +6,8 @@
|
|||
pkgs.writeShellScriptBin "switch-prebuilt" ''
|
||||
set -ue
|
||||
|
||||
export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}"
|
||||
export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}"
|
||||
export AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"
|
||||
export AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheSecretAccessKey kv/apps/nix-daemon)"
|
||||
system="''${1}"
|
||||
|
||||
if [[ "$system" == "latest" ]]; then
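Review bot: The `set -ue` on the second line of the script does not catch a failing `vault kv get` in the two new `export` lines, because in `export NAME="$(cmd)"` the status that `-e` tests is `export`'s (always 0), not the command substitution's; the script then presumably proceeds toward the system switch with empty AWS credentials, which surfaces later as an opaque fetch failure rather than at the point of the error. Assign first and export second — `AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"` followed by `export AWS_ACCESS_KEY_ID` — so `-e` applies to the substitution. The remainder of the script continues past this hunk.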
|
||||
|
|
Loading…
Reference in a new issue