ops/nixos: move nix cache tokens into vault
This commit is contained in:
parent
4100b021aa
commit
0187120a24
4 changed files with 23 additions and 12 deletions
|
@ -113,6 +113,12 @@ in {
|
||||||
|
|
||||||
containers.deployer = {
|
containers.deployer = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
|
bindMounts = {
|
||||||
|
"/var/lib/secrets/nix-daemon" = {
|
||||||
|
hostPath = "/var/lib/secrets/nix-daemon";
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
config = { config, pkgs, ... }: {
|
config = { config, pkgs, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
../lib/low-space.nix
|
../lib/low-space.nix
|
||||||
|
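Review bot: The bind mount's `hostPath = "/var/lib/secrets/nix-daemon"` and the container-side `EnvironmentFile = "/var/lib/secrets/nix-daemon/secret"` added in the second hunk are hard-coded strings, whereas the host's own nix-daemon in the fourth hunk reads `config.my.vault.secrets.nix-daemon.path`. If the vault module ever changes where it renders the secret, the host keeps working while the container's nix-daemon silently starts without cache credentials. If the outer module has `config` in scope, derive the mount from the module instead, `hostPath = builtins.dirOf config.my.vault.secrets.nix-daemon.path;`, or at least leave a comment next to the mount: `# Must match my.vault.secrets.nix-daemon.path (rendered by the host vault agent); the container's nix-daemon reads it via EnvironmentFile.` Presumably the rendered file is readable by the uid the container's nix-daemon runs as, but that cannot be confirmed from this hunk; the enclosing module continues outside it.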
@ -123,11 +129,8 @@ in {
|
||||||
substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
||||||
trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
||||||
};
|
};
|
||||||
envVars = {
|
|
||||||
AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
|
|
||||||
AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret";
|
||||||
environment.etc."secrets/gitlab-runner-registration" = {
|
environment.etc."secrets/gitlab-runner-registration" = {
|
||||||
text = ''
|
text = ''
|
||||||
CI_SERVER_URL=https://hg.lukegb.com
|
CI_SERVER_URL=https://hg.lukegb.com
|
||||||
|
|
|
@ -110,10 +110,6 @@ in
|
||||||
substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
||||||
trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
|
||||||
};
|
};
|
||||||
envVars = {
|
|
||||||
AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
|
|
||||||
AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
nixpkgs.config = depot.third_party.nixpkgsConfig;
|
nixpkgs.config = depot.third_party.nixpkgsConfig;
|
||||||
|
|
||||||
|
@ -275,6 +271,18 @@ in
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
my.vault.secrets.nix-daemon = {
|
||||||
|
template = ''
|
||||||
|
{{ with secret "kv/apps/nix-daemon" }}
|
||||||
|
AWS_ACCESS_KEY_ID={{ .Data.data.cacheAccessKeyID }}
|
||||||
|
AWS_SECRET_ACCESS_KEY={{ .Data.data.cacheSecretAccessKey }}
|
||||||
|
{{ end }}
|
||||||
|
'';
|
||||||
|
group = "root";
|
||||||
|
reloadOrRestartUnits = [ "nix-daemon.service" ];
|
||||||
|
};
|
||||||
|
systemd.services.nix-daemon.serviceConfig.EnvironmentFile = config.my.vault.secrets.nix-daemon.path;
|
||||||
|
|
||||||
services.fwupd.enable = true;
|
services.fwupd.enable = true;
|
||||||
|
|
||||||
# This is enabled independently of my.scrapeJournal.enable.
|
# This is enabled independently of my.scrapeJournal.enable.
|
||||||
|
|
|
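Review bot: Nothing records that the field names `cacheAccessKeyID` and `cacheSecretAccessKey` under `kv/apps/nix-daemon` are also read directly by the `rebuilder` and `switch-prebuilt` scripts in the last two hunks, so renaming a key in one place only shows up as a runtime failure in the others. A comment above `my.vault.secrets.nix-daemon` would help: `# The field names in kv/apps/nix-daemon are also read by the rebuilder and switch-prebuilt scripts; keep them in sync.` Only `group = "root"` is set, so the rendered file's owner and mode come from the my.vault module defaults; because the same file is bind-mounted into the deployer container (first hunk), it is worth confirming those defaults are not world-readable — I cannot tell from here. The enclosing attribute set starts and ends outside the hunk.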
@ -11,8 +11,8 @@ pkgs.writeShellScriptBin "rebuilder" ''
|
||||||
|
|
||||||
DEPOT_PATH="''${1:-<depot>}"
|
DEPOT_PATH="''${1:-<depot>}"
|
||||||
|
|
||||||
export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}"
|
export AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"
|
||||||
export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}"
|
export AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheSecretAccessKey kv/apps/nix-daemon)"
|
||||||
|
|
||||||
current_specialisation="$(cat /run/current-system/specialisation-name 2>/dev/null)"
|
current_specialisation="$(cat /run/current-system/specialisation-name 2>/dev/null)"
|
||||||
specialisation_path=""
|
specialisation_path=""
|
||||||
|
|
|
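Review bot: `export AWS_ACCESS_KEY_ID="$(... vault kv get ...)"` masks a failed lookup: the line's exit status is that of the `export` builtin, not of the command substitution, so if the vault agent is down or the token lacks access the script continues with an empty credential and fails later with an opaque S3 error instead of at the source. The `set -ue` in switch-prebuilt (next hunk) does not catch this for the same reason, and rebuilder's preamble is outside this hunk, so I cannot tell whether it has `set -e` at all. Split the assignment from the export and check the values before exporting; the same change applies to the two lines in the last hunk. The vault address `http://127.0.0.1:8200` is also duplicated across both scripts, which a single shared `VAULT_ADDR` would avoid.
```nix
  # … unchanged: DEPOT_PATH …
  AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"
  AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheSecretAccessKey kv/apps/nix-daemon)"
  if [[ -z "$AWS_ACCESS_KEY_ID" || -z "$AWS_SECRET_ACCESS_KEY" ]]; then
    echo "rebuilder: could not read nix cache credentials from vault" >&2
    exit 1
  fi
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
  # … unchanged: current_specialisation handling …
```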
@ -6,8 +6,8 @@
|
||||||
pkgs.writeShellScriptBin "switch-prebuilt" ''
|
pkgs.writeShellScriptBin "switch-prebuilt" ''
|
||||||
set -ue
|
set -ue
|
||||||
|
|
||||||
export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}"
|
export AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"
|
||||||
export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}"
|
export AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheSecretAccessKey kv/apps/nix-daemon)"
|
||||||
system="''${1}"
|
system="''${1}"
|
||||||
|
|
||||||
if [[ "$system" == "latest" ]]; then
|
if [[ "$system" == "latest" ]]; then
|
||||||
|
|