From bedd15ad43c4364a4da39138e496d0ab07a1193b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Thu, 3 Jul 2025 00:11:29 +0300
Subject: [PATCH] Minimize state in hydra and cert-store

---
 secrets/cert.yaml | 8 ++++----
 servers/acme-cert-store.nix | 20 +++++++++-----------
 servers/hydra.nix | 31 ++++++++++++++++---------------
 3 files changed, 29 insertions(+), 30 deletions(-)

diff --git a/secrets/cert.yaml b/secrets/cert.yaml
index 3bea4e4..c46fb9f 100644
--- a/secrets/cert.yaml
+++ b/secrets/cert.yaml
@@ -1,5 +1,5 @@ -cert-fullchain: ENC[AES256_GCM,data:eWEofNOCmwBHiByfu/lOWTg6CTavBt3jhLPIbMpO+Gy6y2oYJRaExJNC9VRtBiUppruSumZ0jHAqkTwgUrWyKEiqYO/JiRUsn2imRJjiPHlnQ5YUrkYoNAvLcmVitm81XccyJQSqUhQITCQCHnlPZnI9Bxz0CT3btqxGiHAAjcQmVm6Icj8hd9jURuIV9YvJAEDUhVj10erpz0Tp43jYDtJ7xy/FASW1yVrP0lDawjky3Tk1BQ31Je/DdUP1ah6em+ddVyDNRobVU7i7+q38VVjOtgeYf4xPIpinhUTp+ixubghLXz1PbvuXS5mbwXmKOTC/yDVV22hP3kTCynoWvmiqIIHL7+zdczNEiuVK112DeHKtlNF6kv11kQypunVu7C27Vq3zR/Ztjm/ILpDSgLTsXEyayTXHvxq7Mb+74kmaJguuxxeVFtIN5FSn3/mSwLf2LSW9xphJF/cxzUK5V9Jq7wJfc/eYkdZ9HWfb8idX3nnIHok5Dgs/vRnXD0JLIyBi+kKYcdqpb6Z5qvBc/uO0vSVpmSNw170hyIa1t9OFO3PRCZeb4BOyj8FJDR7wWLhU6mHKld+bpfAXDIoSrZhnJ7nzEZEjmjcOONBsExFi2Qz0XxfbU44I4iVK+6BMhoa6/d2aMl9TRLiKuqgD1Af+XovWsXvhVpQ1gwpLKj6/Jzj50kQrn3Xr4VCr9h4vFUL0r3kI6JezjbnmRn6PkmoOzMntmCH7isausejaPjJhatJAy8GBoLQyoXETIJ6t5otQe9fv+qvXHErGCZSZCCqKFLp0V3U9i/AWu9ACp6vXPn6WLGWD4tLstOEe3WW0Jo2AFnAkSioKJFswes3iauscxKkfPGI097RzGvjDt7RYj0qD/ADdHYrN1agY5zaf/qu07h+wSHiEnFDxNXjr/yiO9lUqW9OyYmEzXtQXV44b1DfQq9IsbRM+AW+TjMEwKGIzgO8iVE5eBjmtbhxr/iWK9p+TDohdQ8heQtvtwE3wYcLxzB6r2rp12t+44C1g+LdAntJ1yvAB8FRpIwMP6v3QUNz5qDKZp1B90JBzoEYs03cmk0wXtZoh7akbY1D2DftzfBEzClASzflR/rTKrGVMdZLHSsi6VQ9dKZnAg2w/QzsVPJGSPNUe7ucRGZCeAJ2ABVuFoMI00+zqsRcJ3pytaia5dq3uvEA5JlVJ3G4gA4Wez8p3BjkvMMCwuzONddDb9AC/1M2DiwgkHztq+F2cy7Cai/npwkjwPkVqHW08XJWxIYNQcg9uu074ZGI7HJX5Hx+65Cw7XOU4nGFu2js/JI/urT9Q9j9+3OtuOeMcpUTnEhbLr94d9FsvHhbkyT5d8CfpltRGmenRP1lIsH38055wvpl96QhAKGgpQcXwC9Iwc55cn1XZ1xxhAANorqulwdq4fqijxhnYpptRNcYw1G9bHR5HU0++Qmi94dyA++zGlTdU9eIVlc18iNtafvELWwua+H8uus+reAJGBMwkuo9uCl/OwjXQt3U4blbdw+yuvRU7NPG96bvigJOUXi+wXf8bDilY6Mxy4kDDoMUgPM2S/Eu6A0KuN7CAncRvty2tPsUEv7Pe63PkroBguNyEmhuojfz9O5AQdzOlZ17N6FtTwbdG0ZclojbERg0Usr9JeWeImZ5itt7y+bEH+tIK2M6kB0q728Ot+hO5chlAB/N6GRFLZHatzuxw+RHkjYEfKTMgKiS8tD/dPQE99JQ5iOQ7rSjOOV8pxIzv1zcuYVAaZE/b9+ObQ4nVcPzI+Pb4kMBPX3fTtcs1ubsFXNN4Yc2LCWVseMNZqnrYevoGZsxDSFqK8zCqqkGxwvXXG7TUyTI/LuO6GUIWzq+6WwJx5QJ7J6gF6GbWHiRcbw4qJRFaSXHIsOdEP1ZlTp3hpveOyCRJ+espGPdKjGnnMYkV77xf+kfkZSH8pFoGNG6GAg3
5iSZwFwZEm9IFbsa0bO4H/MqF234w+9RR7xD9EF/4IBdT+tJGBi5oJ5E10wVAHqwp2FrCka6sCBYM7uCK47cDfh8lilXHITSkwXG/wvhyvNKBCI42CUiaG0S70K5VHa4JUZjlWcXUmqwa6mDVeEjycPee8uPp/R8RQFi/cDdoritIE6ZXam2Xarbm8aqG3I6ylrS6X1SNpkHWQYNVOsdYmHC2FOosH6XsYbKYF6aiXn7fKQHzPknl2JTXybrHb0uIvFjGFhLPTudW6UfWJFsW8MC6yqByfgbn09cSOtvErMHhOdGUEcX232dD+5i4ggs/59Wg1OG2LP0G1NPBBYGZPnJTZBjuA/F0cMbY3qiDjmmJh3218dU0OZs37MMRtaOhWeGc4/kxkT4bS2aed+PNliHXqd4UGJfE+aisHKz3hMXjkltb9YZSFQaupQl0WHIsS6BrSQ8QcvyC+Os3qOO3KzxPjwxg067Pv39eNyidLFqzYdpHm38xPFF2i+N+760yxBgREDQdSJrsV9x0XYdLxHhavKHF1gFUYdW5qq4VHOJMVpLTtwz5tVBji0HBr0fvVhaFcqff7cjeKoXH0MCjMj7IP2NiXZDwHz6w6KABxR7NvIVkLYtLDA/W8PbAR1WUJtrUd9EtJKUhlgDwRI5SOhB0ndf89KEDROVdIfq9gyCjWPobKZgCct4VgR2J8587u3JXbHBsPGdvvE7ofhR70b1Le+315ubDIGzcwTU51HNTAxi9aRRFZN25PvuPbfGcNm9NtfP8FMr88G3rXw23lKCVTjgYKabVmNKzO/8c4sbl1De2RpuijQ2fejwaRVnbp94UVoysx9LefdSFoHxRMAfYE4e7FmNDG4x2aQZsCtsgX32kGf4pX5/9jDWtn6v5iF4XYaghWDXlmfxnS8D2AY1QVtCrIMJhPxc/NRl3djO3TiFsYONDoQLtHog+QrlBbVrAXi6uJ+XWn9HnGN7nG9eC8Zxljg4YwjHMdrNHKSqq5kUPikamVI/zoHBFnrjflVSKSK2tAfce0MAr5CFP3KdZoSZL65v6hflhck+O+7sCMdtw7gqte6zg6LXVwgvgLyToyzbOMDhrgKgLdtHebZjSegqSacDSoZOWgmfumLWdG49iSi9YpCM9IJTX3vH572y595PIYNa0LQOKvitzGdudJ0orXEHif/y7AqFavIAvjM5OAUSodNlX4/DUF/Pe+SzmpzFzTFEoaRaptOC8CTNLcZqS60Bu9wOtnM2IVJz1nv3CwYut4p/YPkb9TanvYIIHkqrNN4ujjaSkZF0i872uy0xWrc5fUqpYTs8Y2YAQx5oa946KLfMYz5kSuXUSJ6cOtKoLms0myIwkd2xjGY93zc8IUCCGcIWt8fWbHejXPSxK8fK1W/wTVUG5uzQ0i2Qokk4N+8zJyZY6EgHwTDTxuLSrkrcUIjZGdinTYHuDSMrtKCO8JH0K7QmLOglGg321o0Qy0EpPflDkC/rr7CWLHd3tu4PTI8W0aY9QDDiGs0KuYx6GoHdSIJnzlKQq6gJRWKSTG+ocGS4qWCE3hJkEyXDNyH+FNmEOKIMmShAfu4h+uz259hqizrGNzk9bCA5BHVpfD9B+vYyKCldcCYdzd3OmnxvHiHxKKct+J8JA+wU3Vxz4aoOpqbTgj1rncTpe+69HozRX9oel51oB418CRtv5GsSfUUBGldc+OZLj4IvBkWTcnpyyrL10QrYcPfENEvW3hVG1czZ0+Sbqvi8aXrHoVUivl9tjBP6MYfsuzF7FLwoG50vQ642pGFolJNoXdnpzvlneJTTemBKZMB+kIgf+hX5vB4tvJrilLMSWuszDZqU5oMIlZUX4/003wVm/UF1wQ/m57ljWv63DZQfK78iI6olDJgPamhBhQhF+Zm9NL7j45zgg8Pxmys9FcVVJ4MHKyg==,iv:fnmPdGxOfaIN44jRuj+wzpUqJys3yOIz1ql2xB7xeP0=,tag:EG0BchDp1puA5c
zz110Zdw==,type:str] -cert-key: ENC[AES256_GCM,data:GTd78p+vnXV4KicTMvywFAaRmLtnTExyy43sjTY9g9L8oAuTcqtTeKf8sBnjgmAehMTKS1pOSUui+BHAMWkZ8zu7M434jz08QARtaa/nzlz9Nl1mQGUDwnxBXf4zy6TpeagS3MfQz4a3Hu1fk8k4UFBCWhEgN5YGQY0vRU0y1AsrU+Wby6N9oDt6BdzldgEMnSCnYzuTdRrncdHdEwSpU20YR0dp7MQGffgu2AiFqapeDve37FH3BL+/LOcxdCu4BR6QlzZxOVpMJUayF31LfV/7xD33NUwHrlp+hW0sHrdSSm2fixHKal/6f8OolI6OOonDTOxiPG+wo4EgiNq6AQspFht1k//ldMjJ/ja549fPEHyoCRAyw9WWKb1S8Sti,iv:i6Wai/qgIXQyXayHaZpuKAnG7hkIwjEcxblugDpZ0zA=,tag:BvRlFIAvK+nuJzwRj9h+dg==,type:str] +cert-fullchain: ENC[AES256_GCM,data:AA9Wng==,iv:6sqRgeZCGcwXFiVZT4x3ll0wyPziEbo3gOr/8H8j+/g=,tag:6H9zExWGMUUYlEogYkPq5A==,type:str] +cert-key: ENC[AES256_GCM,data:PB37JA==,iv:ao9vpYjpNDcJ44RllRazlOsJUEor39ZEj8mC49AJ7TM=,tag:dt3hwlC3mbMgztiLfgNUGA==,type:str] sops: age: - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp @@ -47,7 +47,7 @@ sops: NmFpWVNKRENSYkNWcVk2M3RIYmtpSmMKBfzyOjjoCRsvTUX34PiGEIJ0ETJjq5ZR qsxGOTOrG9FMv9slfvWPOaMnDeJCQc2CZS0b0EqfNg/eFzFxG/jOuw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-22T22:15:42Z" - mac: ENC[AES256_GCM,data:BK0dsImd1ClVYdR7xHksz4FzfXcRpN5uSME0TCX9rvA0R59sGzdRjab02xVOfPkkHbAxj7WN6LRxB/nzTVNS6rk8xe004tVnbYjbc21gqqGW3sH5rdX/VqvsB2JJo5CfxXbTHRccjnzWAOzTxylfG4ILxNZvOJRX/rKFzUJKsxE=,iv:Uc8tAAhFLeXetMbgpjvmYCUftlQrU+D8fwEYtBN1KEM=,tag:v+ld334czS0hYVW7YWwB6A==,type:str] + lastmodified: "2025-07-02T21:11:04Z" + mac: ENC[AES256_GCM,data:hSpz3Yv/RHME/0+4sRMPwHZXmoLa6siP12CKNYVAakM9FrZATpecVxIxVNHcmQuIlOWdRfIFcUgfiBrhlszPzxXE7yY3r79zh+LbNjxSNGpMstGZMPF+Ee7qSPpVhfUoVY3+7MamW2DCaLxWPJlDC2jrnt0QSuersKv5fyFk4Yc=,iv:nmkaotestaKutwqnwciLLoXro3n6VxvFs6/y4THHiEs=,tag:7zpqTSHRBUSLsfkmYZcbzQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/servers/acme-cert-store.nix b/servers/acme-cert-store.nix index bb771e4..1f70e26 100644 --- a/servers/acme-cert-store.nix +++ b/servers/acme-cert-store.nix 
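Review bot: Both `cert-fullchain` and `cert-key` are replaced by four-byte ciphertexts (`data:AA9Wng==`, `data:PB37JA==`), so any module that still declares these two secrets now gets a placeholder rather than a certificate, and nothing in the patch says where the certificate is produced instead — presumably by the update-cert script on the cert-store host. The commit title does not mention this; one sentence in the description naming the new source of the certificate would let a reader verify the consumers were switched over. The previous encrypted key also remains in git history and stays readable to every age recipient listed in this file, so it should be treated as still shared with that set of holders rather than as removed.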
@@ -1,6 +1,9 @@
 { config, pkgs, ... }:
 let
 update-cert = pkgs.writeScriptBin "update-cert" ''
+ export SOPS_AGE_KEY_FILE='${config.sops.secrets.cert-age-key.path}'
+ export GIT_SSH_COMMAND='ssh -i ${config.sops.secrets.forgejo-deploy-key.path} -o IdentitiesOnly=yes'
+ cd ${config.users.users."cert-store".home}
 git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git
 cd nixos-conf
@@ -34,25 +37,20 @@ in
 secrets = {
 forgejo-deploy-key = {
 sopsFile = ../secrets/cert-store.yaml;
- path = "${config.users.users."cert-store".home}/.ssh/id_ed25519";
 owner = config.users.users."cert-store".name;
 };
 cert-age-key = {
 sopsFile = ../secrets/cert-store.yaml;
- path = "${config.users.users."cert-store".home}/.config/sops/age/keys.txt";
 owner = config.users.users."cert-store".name;
 };
 };
 };
- environment.persistence."/persist".directories = [
- {
- directory = "/home/cert-store";
- user = "cert-store";
- group = "users";
- mode = "u=rwx,g=,o=";
- }
- ];
+ systemd.tmpfiles.settings."cert-store-home"."/home/cert-store".d = {
+ user = "cert-store";
+ group = "users";
+ mode = "0700";
+ };
 users.users."cert-store" = {
 isNormalUser = true;
 openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
@@ -61,7 +59,7 @@ in
 };
 services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiJZWlmiEkVzlf5/KV/jKkCGlgp8mnEeCnwk/dhdctJ";
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
 environment.systemPackages = [ update-cert ];
diff --git a/servers/hydra.nix b/servers/hydra.nix
index d103ce1..8cd588c 100644
--- a/servers/hydra.nix
+++ b/servers/hydra.nix
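Review bot: The new `GIT_SSH_COMMAND` pins the identity but leaves host-key checking at ssh's default, and the `export` lines that now open the script body have nothing before them — the hunk starts at file line 1, `pkgs.writeScriptBin` adds no interpreter line, and no `set -e` is visible (the rest of the script is outside the hunk). A clone that fails, for instance because `nixos-conf` already exists in the home directory from an earlier run in the same boot, would then fall through to `cd nixos-conf` and continue in a stale checkout. I would make both failure modes explicit: `export GIT_SSH_COMMAND='ssh -i ${config.sops.secrets.forgejo-deploy-key.path} -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes'`, and `pkgs.writeShellScriptBin` with `set -euo pipefail` as the first line of the body.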
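Review bot: The pinned host key for `forgejo.sinerva.eu` is replaced in the third hunk, but neither the commit title nor anything else in the patch says why; a rotation of a pinned SSH host key is the one change a reviewer must be able to tie to a known event (presumably a rebuild of the Forgejo host), otherwise it is indistinguishable from a silently accepted wrong key. I would record the reason in place, e.g. `# host key regenerated on <DATE, REASON> — verified against the server's own host key out of band` above the `publicKey` line, and check the new value against the Forgejo host's `ssh_host_ed25519_key.pub` rather than against what a client is offered on first connect.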
@@ -9,21 +9,22 @@ in
 ./utils/acme-http-client.nix
 ];
- environment.persistence."/persist".directories = [
- {
- directory = "/var/lib/hydra";
- user = "hydra";
- group = "hydra";
- mode = "u=rwx,g=rx,o=";
- }
- {
- directory = "/var/lib/postgresql";
- user = "postgresql";
- group = "postgresql";
- mode = "u=rwx,g=rx,o=";
- }
- ];
-
+ systemd.tmpfiles.settings."hydra-home"."/var/lib/hydra".d = {
+ user = "hydra";
+ group = "hydra";
+ mode = "0750";
+ };
+ environment.persistence."/persist" = {
+ directories = [
+ {
+ directory = "/var/lib/postgresql";
+ user = "postgresql";
+ group = "postgresql";
+ mode = "u=rwx,g=rx,o=";
+ }
+ ];
+ files = [ "/var/lib/hydra/.db-created" ];
+ };
 sops.secrets.priv-cache-key.sopsFile = ../secrets/ci.yaml;
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
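Review bot: Persisting only `/var/lib/hydra/.db-created` assumes nothing else under `/var/lib/hydra` has to survive a reboot; as far as I recall the NixOS Hydra module also keeps the `queue-runner` home there, which is where SSH keys for remote build machines would live if any are configured, so that should be confirmed before this lands. The marker also has to stay in lockstep with the persisted PostgreSQL directory in the same hunk: `hydra-init` creates the `hydra` role and database only when the marker is absent, so a `/persist` that still has `.db-created` but a fresh `/var/lib/postgresql` would leave Hydra without its database. A comment on the `files` line would capture that: `# hydra-init creates the role/db only when this marker is absent; keep it in lockstep with /var/lib/postgresql above`. The `hydra-home` tmpfiles rule may duplicate the module's own creation of its base directory, which is harmless but worth a note if it is intentional.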