ops/nixos: move nix cache tokens into vault

Luke Granger-Brown 2022-03-11 16:46:50 +00:00
parent 4100b021aa
commit 0187120a24
4 changed files with 23 additions and 12 deletions


@ -113,6 +113,12 @@ in {
containers.deployer = {
autoStart = true;
bindMounts = {
"/var/lib/secrets/nix-daemon" = {
hostPath = "/var/lib/secrets/nix-daemon";
isReadOnly = true;
};
};
config = { config, pkgs, ... }: {
imports = [
../lib/low-space.nix
@ -123,11 +129,8 @@ in {
substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
};
envVars = {
AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
};
};
systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret";
environment.etc."secrets/gitlab-runner-registration" = {
text = ''
CI_SERVER_URL=https://hg.lukegb.com
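Review bot: The container's `EnvironmentFile = "/var/lib/secrets/nix-daemon/secret"` hard-codes the rendered secret path, while the host side elsewhere in this commit consumes `config.my.vault.secrets.nix-daemon.path`; if the vault module ever renders to a different location, the bind mount still succeeds but the in-container nix-daemon unit either fails to start (an EnvironmentFile without a leading `-` is mandatory) or keeps reading a stale file. Consider capturing the host's `config.my.vault.secrets.nix-daemon.path` outside the container `config` function (the inner `config` argument shadows it) and deriving both the `hostPath` and the in-container path from it, or at least add `# must match config.my.vault.secrets.nix-daemon.path on the host` on the bindMounts entry. The host secret's `reloadOrRestartUnits` presumably only restarts the host nix-daemon, so after a key rotation in vault the container's daemon would keep the credentials it loaded at start until the container itself is restarted — worth confirming. The `containers.deployer` attribute set starts before the first hunk and continues past the second.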


@ -110,10 +110,6 @@ in
substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
};
envVars = {
AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
};
};
nixpkgs.config = depot.third_party.nixpkgsConfig;
@ -275,6 +271,18 @@ in
recommendedProxySettings = true;
};
my.vault.secrets.nix-daemon = {
template = ''
{{ with secret "kv/apps/nix-daemon" }}
AWS_ACCESS_KEY_ID={{ .Data.data.cacheAccessKeyID }}
AWS_SECRET_ACCESS_KEY={{ .Data.data.cacheSecretAccessKey }}
{{ end }}
'';
group = "root";
reloadOrRestartUnits = [ "nix-daemon.service" ];
};
systemd.services.nix-daemon.serviceConfig.EnvironmentFile = config.my.vault.secrets.nix-daemon.path;
services.fwupd.enable = true;
# This is enabled independently of my.scrapeJournal.enable.
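Review bot: The new `my.vault.secrets.nix-daemon` block sets `group = "root"` but nothing visible constrains the rendered file's mode, so whether a file holding a live AWS secret access key ends up readable only by root depends on the `my.vault` module's defaults, which are outside this diff — worth confirming and, if the module supports it, stating explicitly alongside `group`. A comment on the block would also help the next reader, since the same rendered file is bind-mounted into the deployer container in another file of this commit: `# Also bind-mounted read-only into containers.deployer; keep the path stable.`. The enclosing attribute set starts before and ends after the hunk.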


@ -11,8 +11,8 @@ pkgs.writeShellScriptBin "rebuilder" ''
DEPOT_PATH="''${1:-<depot>}"
export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}"
export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}"
export AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"
export AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheSecretAccessKey kv/apps/nix-daemon)"
current_specialisation="$(cat /run/current-system/specialisation-name 2>/dev/null)"
specialisation_path=""
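Review bot: `export AWS_ACCESS_KEY_ID="$(… vault kv get …)"` masks a failed lookup: `export` returns 0 regardless of the command substitution's exit status, so even under `set -e` an unreachable or sealed vault, or a missing vault token for the invoking user, leaves the variable empty and the script carries on without credentials, with the failure (if any) only surfacing later from the S3 substituter. Assign first and export separately so errexit sees the substitution's status: `AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"` followed by `export AWS_ACCESS_KEY_ID`, and likewise for `AWS_SECRET_ACCESS_KEY`. Whether rebuilder runs with `set -e` is not visible here, as the script header is outside the hunk; the switch-prebuilt hunk in this commit does show `set -ue` with the same `export … "$(…)"` pattern, so the fix applies there too.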


@ -6,8 +6,8 @@
pkgs.writeShellScriptBin "switch-prebuilt" ''
set -ue
export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}"
export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}"
export AWS_ACCESS_KEY_ID="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheAccessKeyID kv/apps/nix-daemon)"
export AWS_SECRET_ACCESS_KEY="$(${pkgs.vault}/bin/vault kv get --address=http://127.0.0.1:8200 -field=cacheSecretAccessKey kv/apps/nix-daemon)"
system="''${1}"
if [[ "$system" == "latest" ]]; then