diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix
index 183c8480..cdd0a56b 100644
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@@ -35,6 +35,7 @@ in
 supportedFeatures = [ "kvm" "nixos-test" ];
 maxJobs = 1;
 }];
+ checkConfig = config.nix.extraOptions == "";
 daemonCPUSchedPolicy = "idle";
 daemonIOSchedClass = "idle";
 daemonIOSchedPriority = 7;
@@ -51,6 +52,9 @@ in
 "nixos-test" "benchmark" ];
 };
+ extraOptions = ''
+ include ${config.sops.secrets."nix/access-tokens".path}
+ '';
 };
 nixpkgs.config.allowUnfree = true;
@@ -131,7 +135,7 @@ in
 useSubstitutes = true;
 extraConfig = let
- key = config.sops.secrets."nix-serve/secretKey".path;
+ key = config.sops.secrets."nix/signing-key/secretKey".path;
 in ''
 binary_cache_secret_key_file = ${key}
@@ -205,7 +209,7 @@ in
 workers = 20;
 max_connection_rate = 1024;
 priority = 50;
- sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
+ sign_key_path = config.sops.secrets."nix/signing-key/secretKey".path;
 };
 };
@@ -264,7 +268,10 @@ in
 mode = "444";
 path = "/etc/machine-id";
 };
- "nix-serve/secretKey" = {
+ "nix/access-tokens" = {
+ mode = "444";
+ };
+ "nix/signing-key/secretKey" = {
 mode = "440";
 owner = config.users.users.hydra-queue-runner.name;
 inherit (config.users.users.hydra-queue-runner) group;
diff --git a/hosts/hydra/secrets.yaml b/hosts/hydra/secrets.yaml
index 29d5f24c..7ffb1efd 100644
--- a/hosts/hydra/secrets.yaml
+++ b/hosts/hydra/secrets.yaml
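Review bot: `checkConfig = config.nix.extraOptions == "";` in the first hunk is a roundabout way of writing `checkConfig = false`, because the second hunk of the same file sets `extraOptions` to a non-empty `include ${config.sops.secrets."nix/access-tokens".path}`, so a reader has to cross-reference both hunks to see that the build-time nix.conf syntax check is now disabled for this host. Presumably the check is turned off because the sops-nix path only exists at runtime and the checker cannot resolve the include; if so, a comment on that line should say it, e.g. `# the include points at a sops-nix runtime path, so the build-time nix.conf check cannot follow it`. In the second hunk, consider `!include` rather than `include`, since with `include` a missing secret file (for example after a failed sops decryption at boot) makes every nix invocation on the host fail on config parsing; confirm the deployed Nix version supports it. The enclosing `nix` attribute set starts and ends outside these hunks.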
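Review bot: In the last hunk the new `"nix/access-tokens"` secret is declared with `mode = "444"`, which makes the decrypted token file readable by every local account on the host, in contrast to the signing key directly below it, which is restricted to the hydra-queue-runner user and group. Presumably world-readable was chosen because nix.conf, and therefore this include, is parsed by per-user nix invocations and not only by the daemon, and an unreadable include would break them; if that is the reason, record it next to the line, e.g. `# readable by all users: nix.conf includes are parsed client-side as well as by the daemon`. A narrower alternative worth checking is `mode = "440";` with a group that covers the daemon and the accounts that actually run evaluations on this host, so that the tokens are not exposed to every local user. The surrounding `sops.secrets` attribute set starts and ends outside the hunk.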
@@ -1,7 +1,9 @@
 machine-id: ENC[AES256_GCM,data:/DmTA1InXn2MWnqmhkHYWaI504qnT0dFoQj2gganMqA=,iv:bBDMsChgDqVk47MHlP3ZeGq8pxurTwMxHDhXTWOXNB0=,tag:mlAljtHyp6LsK/xtnpBfYQ==,type:str]
-nix-serve:
- publicKey: ENC[AES256_GCM,data:sR5wk7yvH5+lLpSIP0zNqCLvDRRvR8ws4Q8rVcVJx8YkrywwPcvIsJ1h6mVEu3nc6SLoZlQsuxOGCyNGD98CBNY=,iv:fFV2D27hWoxGtqVt3EnS4hMlrqW5LnIZ3LB5k4xmFWs=,tag:g7R1ossy2On6B2nVfKC9iA==,type:str]
- secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str]
+nix:
+ access-tokens: ENC[AES256_GCM,data:6qYsInpdUwkWCFroA9AMUIHfu2/XoKfHPtwLRyaIffrcAa9KaHfgO7fKAvsySkaQ7mc9yImZxC5/AurN6zDMTOe1YQ4tVxcsDcBOtjEF+EBJjY2gS5LmxkreIr5+I8TYHSO0Bj7CZQAZOdtQW7mZ6CQ=,iv:NW4moujf3yCEbmLIW5lp+Zc0IMAy1W8xsVXgaCIpNUY=,tag:GkQNy8IarFWPkCTIxbn1gw==,type:str]
+ signing-key:
+ publicKey: ENC[AES256_GCM,data:OV549m0+BA0BkYHQu0wx0d4XYkxwq9aNU7k6lLZ82blI5tf90UlKlCbVmA0wK5aVoGEBvQtBdntBMgubsH1GHJc=,iv:H/upNu0xCDKHPivYTYySKZ6a+XVJWV1vvRwfwKomJLU=,tag:xkFTTGyNS/UCQ5fmlLnnDA==,type:str]
+ secretKey: ENC[AES256_GCM,data:CMEER5Pcv2T0dYrgcrEH10uC6BM1pUOdAaQWA95lNQ3giuHdXzslFq3FTsk8hYODngNdNt/0ZOe67iWdJMjqSPKO2oTDofGtUL9GVordjnRpEtSgFkLbEjJ8kZff/IbXJzScdHEM676UhIdC3g==,iv:yVqWLuXFCCGjaiVHIKQbaagCxasqpVhS+4JnQWdecPk=,tag:F7zPgTzOxUiAJggmZAnaIg==,type:str]
 ldap:
 search-user-pw: ENC[AES256_GCM,data:tSWin/QPIow2P5Aps/XaT42J+MXb8+a24SEri1QjF1O3bDlCxcR8RHqSX8d4Vg==,iv:P5qMaE2cdKxTaXuKO2nh+LDhKkY3psSlWf+JckmUYt4=,tag:eq8XW7P6FNlkviY5PydkZg==,type:str]
 ssh-keys:
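Review bot: Moving `publicKey` and `secretKey` from `nix-serve` to `nix/signing-key` yields new ciphertext for both values, and as far as I can tell sops re-encrypts on a key-path rename as well as on a value change, so the diff alone cannot show whether the binary-cache signing key was rotated or merely relocated. The commit message should state which, because a rotated key means the previous public key has to be removed from every consumer's `trusted-public-keys` and the old key treated as retired, whereas a pure move changes nothing for consumers. The new `access-tokens` value is a credential that is now also included into nix.conf by the accompanying default.nix change, so its on-disk permissions there deserve the same attention as the signing key's.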
@@ -38,8 +40,8 @@ sops:
 WkRmWkpEYVMrZ0tKQVgrRk5YU0grTFEK3cX9v11MK9LIw4w51hr2zyLP3biGxkdf
 dl77D0IS9m2u0HipmzUs95m+z5j47hiX4Qo1Uza/sshwDBYyia4upg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-01-06T21:53:26Z"
- mac: ENC[AES256_GCM,data:9DZDaGv7GDp0AqsxZ4AWYgUFa13nBisTk24Ftk6Fiwk/hSQo7zvYE1P4Nw9GzLtiwPzu8h0JznK1OdPoQyMaRW+i3cuCeWJsEJiJlJzYSDBRmONy/NdzCAgZ9X1KWkxKhq41FoEvsReEE0ftcxBobaCpCc8EuHDPoapKm9VDdg4=,iv:z+pp0EdOByM0pLLtFnI7QApnNYSqELGDQO8jHFH/9Uk=,tag:AuiqZ/e11tq+6nFn0FjPrw==,type:str]
+ lastmodified: "2023-01-06T23:28:11Z"
+ mac: ENC[AES256_GCM,data:2+jeXXMS5ZwEXULBHHpFosXW9Z5CAC165QQ7iJ0uY7JRoeAgBYgrYX3LDU56BMY10eiiYoUyqGh5XdLy3dJud3qTQosMo4fgO1THgBa2xtxUNHgVnH8yqJl3ncNiIgPbusa4f3KVaar30Zs31nbuomLDBfbrI6k63QpTz3Kp2xE=,iv:MUt+G1/HRps6GokWAUalA5LbC9tnfN3PpzwBqZ69m30=,tag:HbvuMLTvEbEIDk8t/63O9w==,type:str]
 pgp:
 - created_at: "2022-12-26T19:10:03Z"
 enc: |