From 0187120a24377ccba941036df1212db2167f68a2 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Fri, 11 Mar 2022 16:46:50 +0000
Subject: [PATCH] ops/nixos: move nix cache tokens into vault
---
 ops/nixos/bvm-heptapod/default.nix | 11 +++++++----
 ops/nixos/lib/common.nix | 16 ++++++++++++----
 ops/nixos/lib/rebuilder.nix | 4 ++--
 ops/nixos/lib/switch-prebuilt.nix | 4 ++--
 4 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/ops/nixos/bvm-heptapod/default.nix b/ops/nixos/bvm-heptapod/default.nix
index 56d3bc1459..6242979830 100644
--- a/ops/nixos/bvm-heptapod/default.nix
+++ b/ops/nixos/bvm-heptapod/default.nix
@@ -113,6 +113,12 @@ in {
 containers.deployer = {
 autoStart = true;
+ bindMounts = {
+ "/var/lib/secrets/nix-daemon" = {
+ hostPath = "/var/lib/secrets/nix-daemon";
+ isReadOnly = true;
+ };
+ };
 config = { config, pkgs, ... }: {
 imports = [
 ../lib/low-space.nix
@@ -123,11 +129,8 @@ in {
 substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
 trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
 };
- envVars = {
- AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
- AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
- };
 };
+ systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret";
 environment.etc."secrets/gitlab-runner-registration" = {
 text = ''
 CI_SERVER_URL=https://hg.lukegb.com
diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index 40afd3275f..606e2b17d2 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
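Review bot: The container's nix-daemon has no restart trigger when the credential rotates: the added `EnvironmentFile = "/var/lib/secrets/nix-daemon/secret"` is read once at unit start, and the host-side `reloadOrRestartUnits = [ "nix-daemon.service" ]` in common.nix restarts the host daemon, not the one inside `containers.deployer`, so after vault-agent re-renders the file the container presumably keeps pushing with the old key until something else restarts it. The path is also spelled by hand here and in the `bindMounts` hunk above, while the host derives it from `config.my.vault.secrets.nix-daemon.path`; a comment such as `# Must match my.vault.secrets.nix-daemon.path on the host; rendered by vault-agent there, bind-mounted read-only here` would tie the two together, and deriving the string from the outer module's config (if it is reachable under another binding, since `config` is shadowed by the container function) would be better still. Whether root inside the container can read a file created with `group = "root"` depends on the file mode and on whether the container maps user namespaces, neither of which this diff shows. The container's `config` attribute set continues outside the hunk.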
@@ -110,10 +110,6 @@ in
 substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
 trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
 };
- envVars = {
- AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
- AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
- };
 };
 nixpkgs.config = depot.third_party.nixpkgsConfig;
@@ -275,6 +271,18 @@ in
 recommendedProxySettings = true;
 };
+ my.vault.secrets.nix-daemon = {
+ template = ''
+ {{ with secret "kv/apps/nix-daemon" }}
+ AWS_ACCESS_KEY_ID={{ .Data.data.cacheAccessKeyID }}
+ AWS_SECRET_ACCESS_KEY={{ .Data.data.cacheSecretAccessKey }}
+ {{ end }}
+ '';
+ group = "root";
+ reloadOrRestartUnits = [ "nix-daemon.service" ];
+ };
+ systemd.services.nix-daemon.serviceConfig.EnvironmentFile = config.my.vault.secrets.nix-daemon.path;
 services.fwupd.enable = true;
 # This is enabled independently of my.scrapeJournal.enable.
diff --git a/ops/nixos/lib/rebuilder.nix b/ops/nixos/lib/rebuilder.nix
index 2fae18129d..bbf18448b5 100644
--- a/ops/nixos/lib/rebuilder.nix
+++ b/ops/nixos/lib/rebuilder.nix
@@ -11,8 +11,8 @@ pkgs.writeShellScriptBin "rebuilder" ''
 DEPOT_PATH="''${1:-}"
- export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}"
- export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}"
+ export AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"
+ export AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheSecretAccessKey kv/apps/nix-daemon)"
 current_specialisation="$(cat /run/current-system/specialisation-name 2>/dev/null)"
 specialisation_path=""
diff --git a/ops/nixos/lib/switch-prebuilt.nix b/ops/nixos/lib/switch-prebuilt.nix
index 4b27382c06..1dd424895c 100644
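Review bot: `EnvironmentFile = config.my.vault.secrets.nix-daemon.path` carries no `-` prefix, so nix-daemon.service refuses to start whenever the file is absent, which on a first boot or fresh deployment means before vault-agent has rendered it; nothing in this hunk orders nix-daemon.service after the rendering, so unless `my.vault.secrets` adds that dependency itself (not visible here) either add the ordering or document the deliberate hard failure with a comment like `# nix-daemon will not start until vault-agent has rendered this file; no fallback to the store-embedded keys`. The template writes both values raw, which suits the character set of AWS keys but would truncate silently on a value containing whitespace or quotes under EnvironmentFile parsing; a one-line comment noting that assumption is cheap. `reloadOrRestartUnits` restarts nix-daemon on every re-render, which presumably interrupts any build running at that moment, so that trade-off is worth a comment too. The enclosing module attribute set continues outside the hunk.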
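Review bot: A failed Vault lookup silently becomes an empty credential in both rewritten `export` lines: `export VAR="$(cmd)"` yields export's exit status, not the substitution's, so neither the `set -ue` in switch-prebuilt.nix (`-u` is satisfied because the variable is set, just empty) nor anything in rebuilder.nix aborts when `vault kv get` errors (no token, sealed vault, agent down), and the later S3 push proceeds with empty keys or whatever other credential source the SDK finds. Separate the assignment from the export so the status propagates, `AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)" || exit 1`, likewise for `cacheSecretAccessKey`, then `export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY`; the same applies to the two lines in the switch-prebuilt.nix hunk. The address `http://127.0.0.1:8200` and the KV path are now spelled in four places across this patch (both scripts and the common.nix template); reading them from `VAULT_ADDR` or a shared Nix binding would keep them from drifting. Both shell scripts continue outside the hunk.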
--- a/ops/nixos/lib/switch-prebuilt.nix
+++ b/ops/nixos/lib/switch-prebuilt.nix
@@ -6,8 +6,8 @@ pkgs.writeShellScriptBin "switch-prebuilt" ''
 set -ue
- export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}"
- export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}"
+ export AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"
+ export AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheSecretAccessKey kv/apps/nix-daemon)"
 system="''${1}"
 if [[ "$system" == "latest" ]]; then