Add nix signing key to hydra

Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-11-21 23:54:22 +01:00 · 2023-11-18 14:09:40 +01:00 · 2023-11-18 14:09:40 +01:00 · 3fc53def4d
parent a62e03f81b
commit 3fc53def4d
2 changed files with 122 additions and 109 deletions
--- a/nixng/containers/hydra/hydra.nix
+++ b/nixng/containers/hydra/hydra.nix
@ -1,13 +1,19 @@
-{ makeSystem
-, nixpkgs
-, hydra
+{
+  makeSystem,
+  nixpkgs,
+  hydra,
 }:
 makeSystem {
  system = "x86_64-linux";
  name = "nixng-hydra";
  inherit nixpkgs;
-  config = { pkgs, config, lib, nglib, ... }:
-    {
+  config = {
+    pkgs,
+    config,
+    lib,
+    nglib,
+    ...
+  }: {
    config = {
      dumb-init = {
        enable = true;
@ -35,6 +41,7 @@ makeSystem {

          builders-use-substitutes = true;
          builders = "@/etc/nix/machines";
+          secret-key-files = "/secrets/nix-key.private";
          extra-platforms = ["i686-linux" "aarch64-linux"];
        };
      };
@ -72,19 +79,19 @@ makeSystem {
      };

      services.crond.crontabs.autogc = {
-          jobs =
-            let
-              storegc = pkgs.writeShellScript "storegc"
+        jobs = let
+          storegc =
+            pkgs.writeShellScript "storegc"
            ''
              nix-collect-garbage -d
            '';
-            in
-              [
+        in [
          "0 4 * * * ${storegc}"
        ];
      };

-        init.services.nix-daemon.environment.PATH = with pkgs;  lib.makeBinPath [
+      init.services.nix-daemon.environment.PATH = with pkgs;
+        lib.makeBinPath [
          utillinux
          runit
          busybox
@ -92,8 +99,7 @@ makeSystem {
          gzip
        ];

-        system.activation =
-          let
+      system.activation = let
        machines = pkgs.writeText "machines" ''
          eu.nixbuild.net x86_64-linux,aarch64-linux,i686-linux - 100 5 benchmark,big-parallel
          localhost x86_64-linux - 2 1 benchmark,big-parallel,kvm,nixos-test,local
@ -128,8 +134,7 @@ makeSystem {
          chmod 600 /ssh-key
          chown hydra-queue-runner:root /ssh-key
        '';
-          in
-            {
+      in {
        inherit ssh-key ssh nix-machines;
      };
    };
--- a/terranix/containers/hydra/job.hcl
+++ b/terranix/containers/hydra/job.hcl
@ -158,6 +158,14 @@ EOF
        destination = "secrets/pgpass-queue-runner"
        perms = "400"
      }
+
+      template {
+        data = <<EOF
+{{ with secret "kv/data/cluster/hydra" }}{{ .Data.data.nix_signing_key }}{{ end }}
+EOF
+        destination = "secrets/nix-key.private"
+        perms = "400"
+      }
    }

    task "postgresql" {