1
0

hosts/hydra-1: Sign nix cache entries with multiple keys

This commit is contained in:
clerie 2024-05-22 17:17:14 +02:00
parent d55dc35882
commit 37685080b9
Signed by: clerie
GPG Key ID: BD9F56480870BAD2
5 changed files with 90 additions and 5 deletions

View File

@ -79,6 +79,27 @@
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"harmonia",
"nixpkgs"
]
},
"locked": {
"lastModified": 1712014858,
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"ssh-to-age",
@ -117,6 +138,29 @@
"type": "github"
}
},
"harmonia": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1716301230,
"narHash": "sha256-olEXRstmP0lf0H11ht6j3co7mNwcDEXTm+eGfwdEJzM=",
"owner": "clerie",
"repo": "harmonia",
"rev": "e99509779ce6d6ed46062ac556b71f6ca1eb59ad",
"type": "github"
},
"original": {
"owner": "clerie",
"ref": "clerie/multiple-signing-keys",
"repo": "harmonia",
"type": "github"
}
},
"mitel-ommclient2": {
"inputs": {
"nixpkgs": [
@ -244,6 +288,7 @@
"chaosevents": "chaosevents",
"fernglas": "fernglas",
"fieldpoc": "fieldpoc",
"harmonia": "harmonia",
"nixos-exporter": "nixos-exporter",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3",
@ -295,7 +340,7 @@
},
"ssh-to-age": {
"inputs": {
"flake-parts": "flake-parts",
"flake-parts": "flake-parts_2",
"nixpkgs": [
"nixpkgs"
]
@ -328,6 +373,27 @@
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"harmonia",
"nixpkgs"
]
},
"locked": {
"lastModified": 1711963903,
"narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",

View File

@ -14,6 +14,10 @@
url = "github:wobcom/fernglas";
inputs.nixpkgs.follows = "nixpkgs";
};
harmonia = {
url = "github:clerie/harmonia/clerie/multiple-signing-keys";
inputs.nixpkgs.follows = "nixpkgs";
};
fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
nixos-exporter = {
url = "git+https://git.clerie.de/clerie/nixos-exporter.git";

View File

@ -1,6 +1,7 @@
{ self
, bij
, chaosevents
, harmonia
, ssh-to-age
, ...
}@inputs:
@ -9,6 +10,8 @@ final: prev: {
bij;
inherit (chaosevents.packages.${final.system})
chaosevents;
inherit (harmonia.packages.${final.system})
harmonia;
inherit (ssh-to-age.packages.${final.system})
ssh-to-age;
}

View File

@ -5,7 +5,18 @@
services.harmonia = {
enable = true;
settings.bind = "[::1]:5005";
signKeyPath = config.sops.secrets.nix-cache-key.path;
};
systemd.services.harmonia = {
environment = {
SIGN_KEY_PATHS = "%d/key1 %d/key2";
};
serviceConfig = {
LoadCredential = [
"key1:${config.sops.secrets."sign-key-nix-cache.clerie.de".path}"
"key2:${config.sops.secrets."sign-key-cache.nix.clerie.de".path}"
];
};
};
services.nginx.virtualHosts = {

View File

@ -1,5 +1,6 @@
{
"nix-cache-key": "ENC[AES256_GCM,data:AFDvfikObYvlwqRd0Wz3jfZdrKp6vu5ga6mFKRSPhh/BPFS1mBNyz3DQTL914bO7Pn47QHQVxufFVYlYmIq9sIK5snudZmRNDC21D95CvnJMWkO4d+nO8sMbjTMocEBmBEPMC18WHrkVmWOJ,iv:sD1qpX4sgAqb0c4Vmr7cRAELwiQhORKleGggKnOtmB4=,tag:q9D/f/+n9J2+ZtyuLXuk6w==,type:str]",
"sign-key-nix-cache.clerie.de": "ENC[AES256_GCM,data:V6PHF1p8I43uErwNdixWeU5dw6liI/8LtFL61bZ7vldvv/7RbqJ/e5gvLYhrsK5hzLYbBqKEpt2v7007Jh/A16fX0VZ+M1d5OqTClAzRdW6FC/A/JAaJfcDphYK2MXeXdNtN9WlRS6hBK9T6,iv:Y0eiMTFu34/Oy6hRHHPJ+wWOJsJ9S7mUFKwfJiRwjus=,tag:sYsjS3LVGDPUy2ZrDlXw8g==,type:str]",
"sign-key-cache.nix.clerie.de": "ENC[AES256_GCM,data:vuc21vilquxcasVXv7dsMSDxq1i0pUENmuoehFZHQd2vJqpkT8IFjwRBdVScxBgcz2/qv1iA3Ou4yBVPAfUKmOM6S1hzJGPxOfQySUTrQE6LgJZFAe/nKxNdiE0cBksMF7UtfJt4AmRv93BN,iv:s1N0U1X6sY/0HM7OMAGjrqFRRpiwHpedQn11/U3C944=,tag:nDrmDhB4D2OCu1ZLfoflag==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:C5C1s8GgEhu0QrIYiToJu/6Be7njwwNzdj5oMDGihT0m4lCtkwDI9NPxdBQ=,iv:icgVuwsJjl9+6pank/0MenY3Sm9eZiJ4KqQHASz+GXE=,tag:ANKZxndDHXAakUFr0euvkQ==,type:str]",
"sops": {
"kms": null,
@ -12,8 +13,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiS01SZzVxOGVjeDNuMEY2\nMjd3VjJHRTgyckZxbitFYTg5cUNZNHk5TTM0CkM3QnZyaFFmTUp2T2phZ3FuR3lR\nd1E3TlpsRnBQVXM4WlNIKzdTelJIbkUKLS0tIG5xR1VlK25LR3JucDIwakMzNVp6\nYkI1ZmorajhDUHdHZHQ0QlkxMkE5dHMKTaffSqKMM7Z6pDmMLvRr6MEsNPvJ9ycF\ny5Wilaie7qdFPEWJDNXOmmKwJgF/wPIsYYouL+YlKaOalL4X0i4xgA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-04-21T16:30:03Z",
"mac": "ENC[AES256_GCM,data:aEIs0bTuMJJsjCLtwQ/3ApO8iVCdlfPhBY97veU518R+Z2aywEh9R7h89skuVjrRcrbzeZthaubD3fqK+0mWkIgk9cYWzcHAA8OYNX8inZAnWuhN4kcc9pAy6abdqYtlqtTBY33m4BITEsIsUROW+VP7V87Kyp3THnn2S0QqAag=,iv:1wqiyugRLFXT3uXfo053E6mGH/wFGjUO/AkXz915GrA=,tag:8Vil1vZRkKUN4HwcFNJsXQ==,type:str]",
"lastmodified": "2024-05-22T15:14:09Z",
"mac": "ENC[AES256_GCM,data:kOC/GOhtq00jcHQoLSaCeI9ACUDv4aoMH8+Zn3tCEpK2k71/mdzV0ces5Aojxu7CIsZh+0GpStCPVgA68Ke96PKt5yYv4G0PaN0dlFs8luvl29OcvEWIvM3Hzb3KVmp5/rYsch4l1YrxCO9PqNVN6aIwe0mdJlLLpwTshZ2bgu8=,iv:0YkBoKBqi7S3ioXbo8p1yr5jVRjjBAI/y8cy9VJhIDU=,tag:3VQKXWhoK+nFZ4WKz3Y3AA==,type:str]",
"pgp": [
{
"created_at": "2024-04-21T16:29:22Z",