Add nix signing key to hydra

Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-11-21 23:54:22 +01:00 · 2023-11-18 14:09:40 +01:00 · 2023-11-18 14:09:40 +01:00 · 3fc53def4d
parent a62e03f81b
commit 3fc53def4d
2 changed files with 122 additions and 109 deletions
--- a/nixng/containers/hydra/hydra.nix
+++ b/nixng/containers/hydra/hydra.nix
@ -1,13 +1,19 @@
-{ makeSystem
-, nixpkgs
-, hydra
+{
+  makeSystem,
+  nixpkgs,
+  hydra,
 }:
 makeSystem {
  system = "x86_64-linux";
  name = "nixng-hydra";
  inherit nixpkgs;
-  config = { pkgs, config, lib, nglib, ... }:
-    {
+  config = {
+    pkgs,
+    config,
+    lib,
+    nglib,
+    ...
+  }: {
    config = {
      dumb-init = {
        enable = true;
@ -18,11 +24,11 @@ makeSystem {
        loadNixDb = true;
        persistNix = "/nix-persist";
        config = {
-            experimental-features = [ "nix-command" "flakes" ];
+          experimental-features = ["nix-command" "flakes"];
          sandbox = true;
-            trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
-            substituters = [ "https://cache.nixos.org/" ];
-            ignored-acls = [ "system.nfs4_acl" ];
+          trusted-public-keys = ["cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="];
+          substituters = ["https://cache.nixos.org/"];
+          ignored-acls = ["system.nfs4_acl"];
          allowed-uris = [
            "https://gitea.redalder.org"
            "https://github.com"
@ -35,7 +41,8 @@ makeSystem {

          builders-use-substitutes = true;
          builders = "@/etc/nix/machines";
-            extra-platforms = [ "i686-linux" "aarch64-linux" ];
+          secret-key-files = "/secrets/nix-key.private";
+          extra-platforms = ["i686-linux" "aarch64-linux"];
        };
      };
      services.hydra = {
@ -72,19 +79,19 @@ makeSystem {
      };

      services.crond.crontabs.autogc = {
-          jobs =
-            let
-              storegc = pkgs.writeShellScript "storegc"
+        jobs = let
+          storegc =
+            pkgs.writeShellScript "storegc"
            ''
              nix-collect-garbage -d
            '';
-            in
-              [
+        in [
          "0 4 * * * ${storegc}"
        ];
      };

-        init.services.nix-daemon.environment.PATH = with pkgs;  lib.makeBinPath [
+      init.services.nix-daemon.environment.PATH = with pkgs;
+        lib.makeBinPath [
          utillinux
          runit
          busybox
@ -92,8 +99,7 @@ makeSystem {
          gzip
        ];

-        system.activation =
-          let
+      system.activation = let
        machines = pkgs.writeText "machines" ''
          eu.nixbuild.net x86_64-linux,aarch64-linux,i686-linux - 100 5 benchmark,big-parallel
          localhost x86_64-linux - 2 1 benchmark,big-parallel,kvm,nixos-test,local
@ -128,8 +134,7 @@ makeSystem {
          chmod 600 /ssh-key
          chown hydra-queue-runner:root /ssh-key
        '';
-          in
-            {
+      in {
        inherit ssh-key ssh nix-machines;
      };
    };
--- a/terranix/containers/hydra/job.hcl
+++ b/terranix/containers/hydra/job.hcl
@ -158,6 +158,14 @@ EOF
        destination = "secrets/pgpass-queue-runner"
        perms = "400"
      }
+
+      template {
+        data = <<EOF
+{{ with secret "kv/data/cluster/hydra" }}{{ .Data.data.nix_signing_key }}{{ end }}
+EOF
+        destination = "secrets/nix-key.private"
+        perms = "400"
+      }
    }

    task "postgresql" {