From 37685080b9ff89bbf1070872393954cbfba4ff5b Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 22 May 2024 17:17:14 +0200 Subject: [PATCH] hosts/hydra-1: Sign nix cache entries with multiple keys --- flake.lock | 68 ++++++++++++++++++++++++++++++++++++- flake.nix | 4 +++ flake/overlay.nix | 3 ++ hosts/hydra-1/nix-cache.nix | 13 ++++++- hosts/hydra-1/secrets.json | 7 ++-- 5 files changed, 90 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index f06f8e4..9a89aec 100644 --- a/flake.lock +++ b/flake.lock @@ -79,6 +79,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "harmonia", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "ssh-to-age", @@ -117,6 +138,29 @@ "type": "github" } }, + "harmonia": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1716301230, + "narHash": "sha256-olEXRstmP0lf0H11ht6j3co7mNwcDEXTm+eGfwdEJzM=", + "owner": "clerie", + "repo": "harmonia", + "rev": "e99509779ce6d6ed46062ac556b71f6ca1eb59ad", + "type": "github" + }, + "original": { + "owner": "clerie", + "ref": "clerie/multiple-signing-keys", + "repo": "harmonia", + "type": "github" + } + }, "mitel-ommclient2": { "inputs": { "nixpkgs": [ @@ -244,6 +288,7 @@ "chaosevents": "chaosevents", "fernglas": "fernglas", "fieldpoc": "fieldpoc", + "harmonia": "harmonia", "nixos-exporter": "nixos-exporter", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_3", @@ -295,7 +340,7 @@ }, "ssh-to-age": { "inputs": { - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "nixpkgs": [ "nixpkgs" ] 
@@ -328,6 +373,27 @@ "repo": "default", "type": "github" } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "harmonia", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1711963903, + "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 573bd9f..c3ef0ba 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,10 @@ url = "github:wobcom/fernglas"; inputs.nixpkgs.follows = "nixpkgs"; }; + harmonia = { + url = "github:clerie/harmonia/clerie/multiple-signing-keys"; + inputs.nixpkgs.follows = "nixpkgs"; + }; fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git"; nixos-exporter = { url = "git+https://git.clerie.de/clerie/nixos-exporter.git"; diff --git a/flake/overlay.nix b/flake/overlay.nix index 6b0e364..22ae40f 100644 --- a/flake/overlay.nix +++ b/flake/overlay.nix @@ -1,6 +1,7 @@ { self , bij , chaosevents +, harmonia , ssh-to-age , ... }@inputs: @@ -9,6 +10,8 @@ final: prev: { bij; inherit (chaosevents.packages.${final.system}) chaosevents; + inherit (harmonia.packages.${final.system}) + harmonia; inherit (ssh-to-age.packages.${final.system}) ssh-to-age; } diff --git a/hosts/hydra-1/nix-cache.nix b/hosts/hydra-1/nix-cache.nix index c85c237..17a8b96 100644 --- a/hosts/hydra-1/nix-cache.nix +++ b/hosts/hydra-1/nix-cache.nix 
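Review bot: The new `harmonia` input pins a personal fork on a feature branch (`github:clerie/harmonia/clerie/multiple-signing-keys`) rather than the upstream project, and nothing in the hunk records why or when it should be switched back; a comment such as `# fork: multiple signing keys (SIGN_KEY_PATHS); switch back to upstream once merged` above the attribute would keep that intent from being lost. The lock file pins the fork to a single rev, so builds stay reproducible, but the branch ref itself is mutable and `nix flake update` will follow whatever it points at. The attribute is also inserted between `fernglas` and `fieldpoc`, breaking the otherwise alphabetical order of the inputs visible in the hunk; placing it after `fieldpoc` keeps the list sorted.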
@@ -5,7 +5,18 @@ services.harmonia = { enable = true; settings.bind = "[::1]:5005"; - signKeyPath = config.sops.secrets.nix-cache-key.path; + }; + + systemd.services.harmonia = { + environment = { + SIGN_KEY_PATHS = "%d/key1 %d/key2"; + }; + serviceConfig = { + LoadCredential = [ + "key1:${config.sops.secrets."sign-key-nix-cache.clerie.de".path}" + "key2:${config.sops.secrets."sign-key-cache.nix.clerie.de".path}" + ]; + }; }; services.nginx.virtualHosts = { diff --git a/hosts/hydra-1/secrets.json b/hosts/hydra-1/secrets.json index 189e9e8..b131b0b 100644 --- a/hosts/hydra-1/secrets.json +++ b/hosts/hydra-1/secrets.json @@ -1,5 +1,6 @@ { - "nix-cache-key": "ENC[AES256_GCM,data:AFDvfikObYvlwqRd0Wz3jfZdrKp6vu5ga6mFKRSPhh/BPFS1mBNyz3DQTL914bO7Pn47QHQVxufFVYlYmIq9sIK5snudZmRNDC21D95CvnJMWkO4d+nO8sMbjTMocEBmBEPMC18WHrkVmWOJ,iv:sD1qpX4sgAqb0c4Vmr7cRAELwiQhORKleGggKnOtmB4=,tag:q9D/f/+n9J2+ZtyuLXuk6w==,type:str]", + "sign-key-nix-cache.clerie.de": "ENC[AES256_GCM,data:V6PHF1p8I43uErwNdixWeU5dw6liI/8LtFL61bZ7vldvv/7RbqJ/e5gvLYhrsK5hzLYbBqKEpt2v7007Jh/A16fX0VZ+M1d5OqTClAzRdW6FC/A/JAaJfcDphYK2MXeXdNtN9WlRS6hBK9T6,iv:Y0eiMTFu34/Oy6hRHHPJ+wWOJsJ9S7mUFKwfJiRwjus=,tag:sYsjS3LVGDPUy2ZrDlXw8g==,type:str]", + "sign-key-cache.nix.clerie.de": "ENC[AES256_GCM,data:vuc21vilquxcasVXv7dsMSDxq1i0pUENmuoehFZHQd2vJqpkT8IFjwRBdVScxBgcz2/qv1iA3Ou4yBVPAfUKmOM6S1hzJGPxOfQySUTrQE6LgJZFAe/nKxNdiE0cBksMF7UtfJt4AmRv93BN,iv:s1N0U1X6sY/0HM7OMAGjrqFRRpiwHpedQn11/U3C944=,tag:nDrmDhB4D2OCu1ZLfoflag==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:C5C1s8GgEhu0QrIYiToJu/6Be7njwwNzdj5oMDGihT0m4lCtkwDI9NPxdBQ=,iv:icgVuwsJjl9+6pank/0MenY3Sm9eZiJ4KqQHASz+GXE=,tag:ANKZxndDHXAakUFr0euvkQ==,type:str]", "sops": { "kms": null, 
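Review bot: The credentials are named `key1`/`key2` in both `SIGN_KEY_PATHS` and `LoadCredential`, which hides which cache hostname each key signs for and makes it easy for the two lists to drift; naming them after the secrets, e.g. `"nix-cache.clerie.de:${config.sops.secrets."sign-key-nix-cache.clerie.de".path}"` with `SIGN_KEY_PATHS = "%d/nix-cache.clerie.de %d/cache.nix.clerie.de"`, keeps them in sync by inspection. The `sops.secrets."sign-key-…"` declarations that the new `LoadCredential` entries reference are not part of this diff; presumably they are generated from secrets.json elsewhere, which is worth confirming because a missing declaration only surfaces at evaluation time, as would any other module still reading the removed `nix-cache-key` secret. A short comment stating that the key files are handed to harmonia as systemd credentials, so the service user needs no read access to the sops-managed paths, and that cache clients must trust the public key matching each name, would document the security intent of the change. The surrounding `services.harmonia` attribute set starts above the hunk.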
@@ -12,8 +13,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiS01SZzVxOGVjeDNuMEY2\nMjd3VjJHRTgyckZxbitFYTg5cUNZNHk5TTM0CkM3QnZyaFFmTUp2T2phZ3FuR3lR\nd1E3TlpsRnBQVXM4WlNIKzdTelJIbkUKLS0tIG5xR1VlK25LR3JucDIwakMzNVp6\nYkI1ZmorajhDUHdHZHQ0QlkxMkE5dHMKTaffSqKMM7Z6pDmMLvRr6MEsNPvJ9ycF\ny5Wilaie7qdFPEWJDNXOmmKwJgF/wPIsYYouL+YlKaOalL4X0i4xgA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-04-21T16:30:03Z", - "mac": "ENC[AES256_GCM,data:aEIs0bTuMJJsjCLtwQ/3ApO8iVCdlfPhBY97veU518R+Z2aywEh9R7h89skuVjrRcrbzeZthaubD3fqK+0mWkIgk9cYWzcHAA8OYNX8inZAnWuhN4kcc9pAy6abdqYtlqtTBY33m4BITEsIsUROW+VP7V87Kyp3THnn2S0QqAag=,iv:1wqiyugRLFXT3uXfo053E6mGH/wFGjUO/AkXz915GrA=,tag:8Vil1vZRkKUN4HwcFNJsXQ==,type:str]", + "lastmodified": "2024-05-22T15:14:09Z", + "mac": "ENC[AES256_GCM,data:kOC/GOhtq00jcHQoLSaCeI9ACUDv4aoMH8+Zn3tCEpK2k71/mdzV0ces5Aojxu7CIsZh+0GpStCPVgA68Ke96PKt5yYv4G0PaN0dlFs8luvl29OcvEWIvM3Hzb3KVmp5/rYsch4l1YrxCO9PqNVN6aIwe0mdJlLLpwTshZ2bgu8=,iv:0YkBoKBqi7S3ioXbo8p1yr5jVRjjBAI/y8cy9VJhIDU=,tag:3VQKXWhoK+nFZ4WKz3Y3AA==,type:str]", "pgp": [ { "created_at": "2024-04-21T16:29:22Z",