hosts/hydra-1: Sign nix cache entries with multiple keys
This commit is contained in:
parent
d55dc35882
commit
37685080b9
68
flake.lock
68
flake.lock
@ -79,6 +79,27 @@
|
||||
}
|
||||
},
|
||||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"harmonia",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712014858,
|
||||
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts_2": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"ssh-to-age",
|
||||
@ -117,6 +138,29 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"harmonia": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716301230,
|
||||
"narHash": "sha256-olEXRstmP0lf0H11ht6j3co7mNwcDEXTm+eGfwdEJzM=",
|
||||
"owner": "clerie",
|
||||
"repo": "harmonia",
|
||||
"rev": "e99509779ce6d6ed46062ac556b71f6ca1eb59ad",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "clerie",
|
||||
"ref": "clerie/multiple-signing-keys",
|
||||
"repo": "harmonia",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"mitel-ommclient2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
@ -244,6 +288,7 @@
|
||||
"chaosevents": "chaosevents",
|
||||
"fernglas": "fernglas",
|
||||
"fieldpoc": "fieldpoc",
|
||||
"harmonia": "harmonia",
|
||||
"nixos-exporter": "nixos-exporter",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
@ -295,7 +340,7 @@
|
||||
},
|
||||
"ssh-to-age": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts",
|
||||
"flake-parts": "flake-parts_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
@ -328,6 +373,27 @@
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"treefmt-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"harmonia",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1711963903,
|
||||
"narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
@ -14,6 +14,10 @@
|
||||
url = "github:wobcom/fernglas";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
harmonia = {
|
||||
url = "github:clerie/harmonia/clerie/multiple-signing-keys";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
|
||||
nixos-exporter = {
|
||||
url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
|
||||
|
@ -1,6 +1,7 @@
|
||||
{ self
|
||||
, bij
|
||||
, chaosevents
|
||||
, harmonia
|
||||
, ssh-to-age
|
||||
, ...
|
||||
}@inputs:
|
||||
@ -9,6 +10,8 @@ final: prev: {
|
||||
bij;
|
||||
inherit (chaosevents.packages.${final.system})
|
||||
chaosevents;
|
||||
inherit (harmonia.packages.${final.system})
|
||||
harmonia;
|
||||
inherit (ssh-to-age.packages.${final.system})
|
||||
ssh-to-age;
|
||||
}
|
||||
|
@ -5,7 +5,18 @@
|
||||
services.harmonia = {
|
||||
enable = true;
|
||||
settings.bind = "[::1]:5005";
|
||||
signKeyPath = config.sops.secrets.nix-cache-key.path;
|
||||
};
|
||||
|
||||
systemd.services.harmonia = {
|
||||
environment = {
|
||||
SIGN_KEY_PATHS = "%d/key1 %d/key2";
|
||||
};
|
||||
serviceConfig = {
|
||||
LoadCredential = [
|
||||
"key1:${config.sops.secrets."sign-key-nix-cache.clerie.de".path}"
|
||||
"key2:${config.sops.secrets."sign-key-cache.nix.clerie.de".path}"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
|
@ -1,5 +1,6 @@
|
||||
{
|
||||
"nix-cache-key": "ENC[AES256_GCM,data:AFDvfikObYvlwqRd0Wz3jfZdrKp6vu5ga6mFKRSPhh/BPFS1mBNyz3DQTL914bO7Pn47QHQVxufFVYlYmIq9sIK5snudZmRNDC21D95CvnJMWkO4d+nO8sMbjTMocEBmBEPMC18WHrkVmWOJ,iv:sD1qpX4sgAqb0c4Vmr7cRAELwiQhORKleGggKnOtmB4=,tag:q9D/f/+n9J2+ZtyuLXuk6w==,type:str]",
|
||||
"sign-key-nix-cache.clerie.de": "ENC[AES256_GCM,data:V6PHF1p8I43uErwNdixWeU5dw6liI/8LtFL61bZ7vldvv/7RbqJ/e5gvLYhrsK5hzLYbBqKEpt2v7007Jh/A16fX0VZ+M1d5OqTClAzRdW6FC/A/JAaJfcDphYK2MXeXdNtN9WlRS6hBK9T6,iv:Y0eiMTFu34/Oy6hRHHPJ+wWOJsJ9S7mUFKwfJiRwjus=,tag:sYsjS3LVGDPUy2ZrDlXw8g==,type:str]",
|
||||
"sign-key-cache.nix.clerie.de": "ENC[AES256_GCM,data:vuc21vilquxcasVXv7dsMSDxq1i0pUENmuoehFZHQd2vJqpkT8IFjwRBdVScxBgcz2/qv1iA3Ou4yBVPAfUKmOM6S1hzJGPxOfQySUTrQE6LgJZFAe/nKxNdiE0cBksMF7UtfJt4AmRv93BN,iv:s1N0U1X6sY/0HM7OMAGjrqFRRpiwHpedQn11/U3C944=,tag:nDrmDhB4D2OCu1ZLfoflag==,type:str]",
|
||||
"wg-monitoring": "ENC[AES256_GCM,data:C5C1s8GgEhu0QrIYiToJu/6Be7njwwNzdj5oMDGihT0m4lCtkwDI9NPxdBQ=,iv:icgVuwsJjl9+6pank/0MenY3Sm9eZiJ4KqQHASz+GXE=,tag:ANKZxndDHXAakUFr0euvkQ==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
@ -12,8 +13,8 @@
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiS01SZzVxOGVjeDNuMEY2\nMjd3VjJHRTgyckZxbitFYTg5cUNZNHk5TTM0CkM3QnZyaFFmTUp2T2phZ3FuR3lR\nd1E3TlpsRnBQVXM4WlNIKzdTelJIbkUKLS0tIG5xR1VlK25LR3JucDIwakMzNVp6\nYkI1ZmorajhDUHdHZHQ0QlkxMkE5dHMKTaffSqKMM7Z6pDmMLvRr6MEsNPvJ9ycF\ny5Wilaie7qdFPEWJDNXOmmKwJgF/wPIsYYouL+YlKaOalL4X0i4xgA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-04-21T16:30:03Z",
|
||||
"mac": "ENC[AES256_GCM,data:aEIs0bTuMJJsjCLtwQ/3ApO8iVCdlfPhBY97veU518R+Z2aywEh9R7h89skuVjrRcrbzeZthaubD3fqK+0mWkIgk9cYWzcHAA8OYNX8inZAnWuhN4kcc9pAy6abdqYtlqtTBY33m4BITEsIsUROW+VP7V87Kyp3THnn2S0QqAag=,iv:1wqiyugRLFXT3uXfo053E6mGH/wFGjUO/AkXz915GrA=,tag:8Vil1vZRkKUN4HwcFNJsXQ==,type:str]",
|
||||
"lastmodified": "2024-05-22T15:14:09Z",
|
||||
"mac": "ENC[AES256_GCM,data:kOC/GOhtq00jcHQoLSaCeI9ACUDv4aoMH8+Zn3tCEpK2k71/mdzV0ces5Aojxu7CIsZh+0GpStCPVgA68Ke96PKt5yYv4G0PaN0dlFs8luvl29OcvEWIvM3Hzb3KVmp5/rYsch4l1YrxCO9PqNVN6aIwe0mdJlLLpwTshZ2bgu8=,iv:0YkBoKBqi7S3ioXbo8p1yr5jVRjjBAI/y8cy9VJhIDU=,tag:3VQKXWhoK+nFZ4WKz3Y3AA==,type:str]",
|
||||
"pgp": [
|
||||
{
|
||||
"created_at": "2024-04-21T16:29:22Z",
|
||||
|
Loading…
Reference in New Issue
Block a user