From 22d238c29e35f8a0a378b3500cfb92c16b4cdc1f Mon Sep 17 00:00:00 2001
From: zack
Date: Sat, 19 Oct 2024 02:11:34 -0400
Subject: [PATCH] fix(signing): add signing to hydra

---
 flake.nix                                   |  4 +-
 modules/nixos/sites/hydra/default.nix       | 52 +++++++++++++-------
 modules/nixos/sites/hydra/sec/hydra_key.age | Bin 0 -> 941 bytes
 3 files changed, 37 insertions(+), 19 deletions(-)
 create mode 100644 modules/nixos/sites/hydra/sec/hydra_key.age

diff --git a/flake.nix b/flake.nix
index 5d66806..961895f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,10 +3,10 @@
 
   nixConfig = {
     extra-substituters = [
-      "https://zackartz.cachix.org"
+      "https://hydra.zoeys.computer"
     ];
     extra-trusted-public-keys = [
-      "zackartz.cachix.org-1:nrEfVZF8MVX0Lnt73KwYzH2kwDzFuAoR5VPjuUd4R30="
+      "hydra.zoeys.computer-1:ssh-ed25519:0000000b7373682d65643235353139000000205f061b28bd7b23ff28347b79ac7719587c471904487cebc19172a682240256cc"
     ];
   };
 
diff --git a/modules/nixos/sites/hydra/default.nix b/modules/nixos/sites/hydra/default.nix
index 79bacb3..79dc704 100644
--- a/modules/nixos/sites/hydra/default.nix
+++ b/modules/nixos/sites/hydra/default.nix
@@ -7,17 +7,31 @@
 with lib;
 with lib.custom; let
   cfg = config.sites.hydra;
+
+  sec = config.age.secrets;
 in {
   options.sites.hydra = with types; {
     enable = mkBoolOpt false "Enable Hydra";
   };
 
   config = mkIf cfg.enable {
+    age.secrets = {
+      hydra_key = {
+        owner = "hydra";
+        group = "hydra";
+        file = ./sec/hydra_key.age;
+      };
+    };
+
     services.hydra = {
       enable = true;
       hydraURL = "https://hydra.zoeys.computer";
       useSubstitutes = true;
       notificationSender = "hydra@localhost"; # e-mail of hydra service
+
+      extraConfig = ''
+        binary_cache_secret_key_file = ${sec.hydra_key.path}
+      '';
     };
 
     services.nginx.virtualHosts."hydra.zoeys.computer" = {
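Review bot: The new `extra-trusted-public-keys` entry does not appear to be a Nix binary-cache key: Nix parses each entry as `name:base64` where the base64 part must decode to a 32-byte Ed25519 public key, but this value is `hydra.zoeys.computer-1:ssh-ed25519:<hex>`, and the hex prefix `0000000b 7373682d6564323535313139 00000020` is the SSH wire encoding of the string `ssh-ed25519` followed by a 32-byte length, i.e. it looks like an SSH key rather than a cache signing key. If so, Nix will reject the entry or never match a NAR signature against it, and substitutions from `https://hydra.zoeys.computer` will be refused as unsigned. The pair should come from `nix-store --generate-binary-cache-key hydra.zoeys.computer-1 <secret-path> <public-path>`, with the `.pub` contents placed here and the secret half encrypted into `sec/hydra_key.age`. Since this key is trusted by every consumer of the flake's `nixConfig`, the private half deserves signing-key handling (restricted readers, rotation plan).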
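Review bot: `age.secrets.hydra_key` sets `owner = "hydra"; group = "hydra";` but no `mode`, so with agenix's default of `0400` only the `hydra` user can open it, while the NixOS Hydra module runs the queue runner, which is the component that signs built paths, as a separate `hydra-queue-runner` user in group `hydra` — if that process is the one that reads `binary_cache_secret_key_file`, the key is unreadable and signing likely fails at runtime (verify which daemon opens the file). Either add `mode = "0440";` so the group can read it, or set `owner = "hydra-queue-runner";`. It would also help to state in a comment what `sec/hydra_key.age` holds, e.g. `# Ed25519 binary-cache secret key from nix-store --generate-binary-cache-key; public half is in flake.nix nixConfig`, since the pairing with the key added to flake.nix is otherwise implicit.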
@@ -28,23 +42,27 @@ in {
       };
     };
 
-    nix.settings.allowed-uris = [
-      "github:"
-      "https://github.com"
-      "git+https://github.com/"
-      "git+ssh://github.com/"
-      "git+https://git.zoeys.computer/"
-      "git+ssh://git.zoeys.computer/"
-    ];
+    users.users.hydra.extraGroups = ["keys"];
 
-    nix.buildMachines = [
-      {
-        hostName = "localhost";
-        protocol = null;
-        system = "x86_64-linux";
-        supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
-        maxJobs = 8;
-      }
-    ];
+    nix = {
+      settings.allowed-uris = [
+        "github:"
+        "https://github.com"
+        "git+https://github.com/"
+        "git+ssh://github.com/"
+        "git+https://git.zoeys.computer/"
+        "git+ssh://git.zoeys.computer/"
+      ];
+      trustedUsers = ["hydra"]; # Ensure hydra user is trusted for nix
+      buildMachines = [
+        {
+          hostName = "localhost";
+          protocol = null;
+          system = "x86_64-linux";
+          supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
+          maxJobs = 8;
+        }
+      ];
+    };
   };
 }
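Review bot: `trustedUsers = ["hydra"];` uses the pre-22.05 option name, which is only a renamed alias of `nix.settings.trusted-users` and emits a deprecation warning, and it sits directly beside `settings.allowed-uris`, so write it as `settings.trusted-users = ["hydra"];` inside the same `nix` attrset. A trusted user can override substituters and disable signature checks on the daemon, so confirm that something actually runs as `hydra` and needs this; as far as I recall the NixOS Hydra module already trusts the queue-runner user, and the signing key added in this commit is read from a file rather than granted through daemon trust. `users.users.hydra.extraGroups = ["keys"];` likewise does not affect access to the agenix secret, whose readers are fixed by the `owner`/`group` on `age.secrets.hydra_key`, so unless a `keys` group exists for another reason it can probably be dropped.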
diff --git a/modules/nixos/sites/hydra/sec/hydra_key.age b/modules/nixos/sites/hydra/sec/hydra_key.age new file mode 100644 index 0000000000000000000000000000000000000000..e60964a07a16a09bf2b08c205b91bcb210a6e20e GIT binary patch literal 941 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7aj!}@PFKhaFi7&% z)_2ZJPt7$ft1=6U$jQpH)Go_SkIGB(NeQn^O>+q`2+cHgG2u$~&2cyItujwBE>15@ z33kj3&#ZDzG%-vpDsl8m&ho7=Ps%fJ_Xu;gFhIAhSlch6Do`Q6$lKSrsI(}>GuPYH zJ;KP$F~~SAPd~THGh9Ez#KqLhHQg{EEZM>=G?FXQzrw33&^Oh*JhUu5Q9n1xFv%$| z(lWy}E7`@u+rPxiAgwsbuiPgrzZ~7RO4pLAq(FrN7i~Y2WMfOO@`%KYO8?AM^Rgl% z{ZNxagAz+0lgMNPBj?8Dm_y|Ofyr>41LP{ zGJUJ^gA&U!4J$%(LnFC-lP!I#N=!Wc!z_!VvV(KNs)AF}a}3HX{VW4rbCTRj3yiC> za$WTeiY>Twb#)aY10&P34GT*$yi(G9j7-Z-y@GrUGcyx2Jc}#Cw0+Gp%n~gv@~Tow zob$OpxQW?UFq~L=N0G_ule19v-v`b=SG821%a3;0Th)|nm@;+qyt^LjP6*w}D}1rm z_m|vRHSxXM*iwtWhkVydn&Wd-;F7t|{B=&-t^2+`Ik{rZR{<}Mli&M=>Pkwd|Nr># z$9=Kv-|Va*m#nAu?|vZirS93snVQ>b6LQvL?5@rR{&HV8WGIO>()@%4yY_GCjL%iMf&;u9VASEve z)}7zolP6lfSkhSk`6}Oir|d~T7WBF^4k7HEZ{=x?SeyDb|RY+?%wPvHWCD ze|kdHg!bvB+$Ag5vnm-+Z9ddy(dA~dI4|qgoyI5cC)WJbIet&3e}`6u t`lV9QIZLjWY-NfRjnVW8iff!PQ?4w>zPu-K-JDO(N&7Aa-2Xr4KLFXScYFW< literal 0 HcmV?d00001