Minimize state in hydra and cert-store
This commit is contained in:
parent
29d942293e
commit
bedd15ad43
SSH key fingerprint:
SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
3 changed files with 29 additions and 30 deletions
|
|
@ -1,5 +1,5 @@
|
|||
cert-fullchain: ENC[AES256_GCM,data:eWEofNOCmwBHiByfu/lOWTg6CTavBt3jhLPIbMpO+Gy6y2oYJRaExJNC9VRtBiUppruSumZ0jHAqkTwgUrWyKEiqYO/JiRUsn2imRJjiPHlnQ5YUrkYoNAvLcmVitm81XccyJQSqUhQITCQCHnlPZnI9Bxz0CT3btqxGiHAAjcQmVm6Icj8hd9jURuIV9YvJAEDUhVj10erpz0Tp43jYDtJ7xy/FASW1yVrP0lDawjky3Tk1BQ31Je/DdUP1ah6em+ddVyDNRobVU7i7+q38VVjOtgeYf4xPIpinhUTp+ixubghLXz1PbvuXS5mbwXmKOTC/yDVV22hP3kTCynoWvmiqIIHL7+zdczNEiuVK112DeHKtlNF6kv11kQypunVu7C27Vq3zR/Ztjm/ILpDSgLTsXEyayTXHvxq7Mb+74kmaJguuxxeVFtIN5FSn3/mSwLf2LSW9xphJF/cxzUK5V9Jq7wJfc/eYkdZ9HWfb8idX3nnIHok5Dgs/vRnXD0JLIyBi+kKYcdqpb6Z5qvBc/uO0vSVpmSNw170hyIa1t9OFO3PRCZeb4BOyj8FJDR7wWLhU6mHKld+bpfAXDIoSrZhnJ7nzEZEjmjcOONBsExFi2Qz0XxfbU44I4iVK+6BMhoa6/d2aMl9TRLiKuqgD1Af+XovWsXvhVpQ1gwpLKj6/Jzj50kQrn3Xr4VCr9h4vFUL0r3kI6JezjbnmRn6PkmoOzMntmCH7isausejaPjJhatJAy8GBoLQyoXETIJ6t5otQe9fv+qvXHErGCZSZCCqKFLp0V3U9i/AWu9ACp6vXPn6WLGWD4tLstOEe3WW0Jo2AFnAkSioKJFswes3iauscxKkfPGI097RzGvjDt7RYj0qD/ADdHYrN1agY5zaf/qu07h+wSHiEnFDxNXjr/yiO9lUqW9OyYmEzXtQXV44b1DfQq9IsbRM+AW+TjMEwKGIzgO8iVE5eBjmtbhxr/iWK9p+TDohdQ8heQtvtwE3wYcLxzB6r2rp12t+44C1g+LdAntJ1yvAB8FRpIwMP6v3QUNz5qDKZp1B90JBzoEYs03cmk0wXtZoh7akbY1D2DftzfBEzClASzflR/rTKrGVMdZLHSsi6VQ9dKZnAg2w/QzsVPJGSPNUe7ucRGZCeAJ2ABVuFoMI00+zqsRcJ3pytaia5dq3uvEA5JlVJ3G4gA4Wez8p3BjkvMMCwuzONddDb9AC/1M2DiwgkHztq+F2cy7Cai/npwkjwPkVqHW08XJWxIYNQcg9uu074ZGI7HJX5Hx+65Cw7XOU4nGFu2js/JI/urT9Q9j9+3OtuOeMcpUTnEhbLr94d9FsvHhbkyT5d8CfpltRGmenRP1lIsH38055wvpl96QhAKGgpQcXwC9Iwc55cn1XZ1xxhAANorqulwdq4fqijxhnYpptRNcYw1G9bHR5HU0++Qmi94dyA++zGlTdU9eIVlc18iNtafvELWwua+H8uus+reAJGBMwkuo9uCl/OwjXQt3U4blbdw+yuvRU7NPG96bvigJOUXi+wXf8bDilY6Mxy4kDDoMUgPM2S/Eu6A0KuN7CAncRvty2tPsUEv7Pe63PkroBguNyEmhuojfz9O5AQdzOlZ17N6FtTwbdG0ZclojbERg0Usr9JeWeImZ5itt7y+bEH+tIK2M6kB0q728Ot+hO5chlAB/N6GRFLZHatzuxw+RHkjYEfKTMgKiS8tD/dPQE99JQ5iOQ7rSjOOV8pxIzv1zcuYVAaZE/b9+ObQ4nVcPzI+Pb4kMBPX3fTtcs1ubsFXNN4Yc2LCWVseMNZqnrYevoGZsxDSFqK8zCqqkGxwvXXG7TUyTI/LuO6GUIWzq+6WwJx5QJ7J6gF6GbWHiRcbw4qJRFaSXHIsOdEP1ZlTp3hpveOyCRJ+espGPdKjGnnMYkV77xf+kfkZSH8pFoGNG6GAg35iSZwFwZEm9IFbsa0bO4H/MqF234w+9RR7xD9EF/4IBdT+tJGBi5oJ5E10wVAHqwp2FrCka6sCBYM7uCK47cDfh8lilXHITSkwXG/wvhyvNKBCI42CUiaG0S70K5VHa4JUZjlWcXUmqwa6mDVeEjycPee8uPp/R8RQFi/cDdoritIE6ZXam2Xarbm8aqG3I6ylrS6X1SNpkHWQYNVOsdYmHC2FOosH6XsYbKYF6aiXn7fKQHzPknl2JTXybrHb0uIvFjGFhLPTudW6UfWJFsW8MC6yqByfgbn09cSOtvErMHhOdGUEcX232dD+5i4ggs/59Wg1OG2LP0G1NPBBYGZPnJTZBjuA/F0cMbY3qiDjmmJh3218dU0OZs37MMRtaOhWeGc4/kxkT4bS2aed+PNliHXqd4UGJfE+aisHKz3hMXjkltb9YZSFQaupQl0WHIsS6BrSQ8QcvyC+Os3qOO3KzxPjwxg067Pv39eNyidLFqzYdpHm38xPFF2i+N+760yxBgREDQdSJrsV9x0XYdLxHhavKHF1gFUYdW5qq4VHOJMVpLTtwz5tVBji0HBr0fvVhaFcqff7cjeKoXH0MCjMj7IP2NiXZDwHz6w6KABxR7NvIVkLYtLDA/W8PbAR1WUJtrUd9EtJKUhlgDwRI5SOhB0ndf89KEDROVdIfq9gyCjWPobKZgCct4VgR2J8587u3JXbHBsPGdvvE7ofhR70b1Le+315ubDIGzcwTU51HNTAxi9aRRFZN25PvuPbfGcNm9NtfP8FMr88G3rXw23lKCVTjgYKabVmNKzO/8c4sbl1De2RpuijQ2fejwaRVnbp94UVoysx9LefdSFoHxRMAfYE4e7FmNDG4x2aQZsCtsgX32kGf4pX5/9jDWtn6v5iF4XYaghWDXlmfxnS8D2AY1QVtCrIMJhPxc/NRl3djO3TiFsYONDoQLtHog+QrlBbVrAXi6uJ+XWn9HnGN7nG9eC8Zxljg4YwjHMdrNHKSqq5kUPikamVI/zoHBFnrjflVSKSK2tAfce0MAr5CFP3KdZoSZL65v6hflhck+O+7sCMdtw7gqte6zg6LXVwgvgLyToyzbOMDhrgKgLdtHebZjSegqSacDSoZOWgmfumLWdG49iSi9YpCM9IJTX3vH572y595PIYNa0LQOKvitzGdudJ0orXEHif/y7AqFavIAvjM5OAUSodNlX4/DUF/Pe+SzmpzFzTFEoaRaptOC8CTNLcZqS60Bu9wOtnM2IVJz1nv3CwYut4p/YPkb9TanvYIIHkqrNN4ujjaSkZF0i872uy0xWrc5fUqpYTs8Y2YAQx5oa946KLfMYz5kSuXUSJ6cOtKoLms0myIwkd2xjGY93zc8IUCCGcIWt8fWbHejXPSxK8fK1W/wTVUG5uzQ0i2Qokk4N+8zJyZY6EgHwTDTxuLSrkrcUIjZGdinTYHuDSMrtKCO8JH0K7QmLOglGg321o0Qy0EpPflDkC/rr7CWLHd3tu4PTI8W0aY9QDDiGs0KuYx6GoHdSIJnzlKQq6gJRWKSTG+ocGS4qWCE3hJkEyXDNyH+FNmEOKIMmShAfu4h+uz259hqizrGNzk9bCA5BHVpfD9B+vYyKCldcCYdzd3OmnxvHiHxKKct+J8JA+wU3Vxz4aoOpqbTgj1rncTpe+69HozRX9oel51oB418CRtv5GsSfUUBGldc+OZLj4IvBkWTcnpyyrL10QrYcPfENEvW3hVG1czZ0+Sbqvi8aXrHoVUivl9tjBP6MYfsuzF7FLwoG50vQ642pGFolJNoXdnpzvlneJTTemBKZMB+kIgf+hX5vB4tvJrilLMSWuszDZqU5oMIlZUX4/003wVm/UF1wQ/m57ljWv63DZQfK78iI6olDJgPamhBhQhF+Zm9NL7j45zgg8Pxmys9FcVVJ4MHKyg==,iv:fnmPdGxOfaIN44jRuj+wzpUqJys3yOIz1ql2xB7xeP0=,tag:EG0BchDp1puA5czz110Zdw==,type:str]
|
||||
cert-key: ENC[AES256_GCM,data:GTd78p+vnXV4KicTMvywFAaRmLtnTExyy43sjTY9g9L8oAuTcqtTeKf8sBnjgmAehMTKS1pOSUui+BHAMWkZ8zu7M434jz08QARtaa/nzlz9Nl1mQGUDwnxBXf4zy6TpeagS3MfQz4a3Hu1fk8k4UFBCWhEgN5YGQY0vRU0y1AsrU+Wby6N9oDt6BdzldgEMnSCnYzuTdRrncdHdEwSpU20YR0dp7MQGffgu2AiFqapeDve37FH3BL+/LOcxdCu4BR6QlzZxOVpMJUayF31LfV/7xD33NUwHrlp+hW0sHrdSSm2fixHKal/6f8OolI6OOonDTOxiPG+wo4EgiNq6AQspFht1k//ldMjJ/ja549fPEHyoCRAyw9WWKb1S8Sti,iv:i6Wai/qgIXQyXayHaZpuKAnG7hkIwjEcxblugDpZ0zA=,tag:BvRlFIAvK+nuJzwRj9h+dg==,type:str]
|
||||
cert-fullchain: ENC[AES256_GCM,data:AA9Wng==,iv:6sqRgeZCGcwXFiVZT4x3ll0wyPziEbo3gOr/8H8j+/g=,tag:6H9zExWGMUUYlEogYkPq5A==,type:str]
|
||||
cert-key: ENC[AES256_GCM,data:PB37JA==,iv:ao9vpYjpNDcJ44RllRazlOsJUEor39ZEj8mC49AJ7TM=,tag:dt3hwlC3mbMgztiLfgNUGA==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
|
||||
|
|
@ -47,7 +47,7 @@ sops:
|
|||
NmFpWVNKRENSYkNWcVk2M3RIYmtpSmMKBfzyOjjoCRsvTUX34PiGEIJ0ETJjq5ZR
|
||||
qsxGOTOrG9FMv9slfvWPOaMnDeJCQc2CZS0b0EqfNg/eFzFxG/jOuw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-22T22:15:42Z"
|
||||
mac: ENC[AES256_GCM,data:BK0dsImd1ClVYdR7xHksz4FzfXcRpN5uSME0TCX9rvA0R59sGzdRjab02xVOfPkkHbAxj7WN6LRxB/nzTVNS6rk8xe004tVnbYjbc21gqqGW3sH5rdX/VqvsB2JJo5CfxXbTHRccjnzWAOzTxylfG4ILxNZvOJRX/rKFzUJKsxE=,iv:Uc8tAAhFLeXetMbgpjvmYCUftlQrU+D8fwEYtBN1KEM=,tag:v+ld334czS0hYVW7YWwB6A==,type:str]
|
||||
lastmodified: "2025-07-02T21:11:04Z"
|
||||
mac: ENC[AES256_GCM,data:hSpz3Yv/RHME/0+4sRMPwHZXmoLa6siP12CKNYVAakM9FrZATpecVxIxVNHcmQuIlOWdRfIFcUgfiBrhlszPzxXE7yY3r79zh+LbNjxSNGpMstGZMPF+Ee7qSPpVhfUoVY3+7MamW2DCaLxWPJlDC2jrnt0QSuersKv5fyFk4Yc=,iv:nmkaotestaKutwqnwciLLoXro3n6VxvFs6/y4THHiEs=,tag:7zpqTSHRBUSLsfkmYZcbzQ==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
update-cert = pkgs.writeScriptBin "update-cert" ''
|
||||
export SOPS_AGE_KEY_FILE='${config.sops.secrets.cert-age-key.path}'
|
||||
export GIT_SSH_COMMAND='ssh -i ${config.sops.secrets.forgejo-deploy-key.path} -o IdentitiesOnly=yes'
|
||||
|
||||
cd ${config.users.users."cert-store".home}
|
||||
git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git
|
||||
cd nixos-conf
|
||||
|
|
@ -34,25 +37,20 @@ in
|
|||
secrets = {
|
||||
forgejo-deploy-key = {
|
||||
sopsFile = ../secrets/cert-store.yaml;
|
||||
path = "${config.users.users."cert-store".home}/.ssh/id_ed25519";
|
||||
owner = config.users.users."cert-store".name;
|
||||
};
|
||||
cert-age-key = {
|
||||
sopsFile = ../secrets/cert-store.yaml;
|
||||
path = "${config.users.users."cert-store".home}/.config/sops/age/keys.txt";
|
||||
owner = config.users.users."cert-store".name;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/home/cert-store";
|
||||
systemd.tmpfiles.settings."cert-store-home"."/home/cert-store".d = {
|
||||
user = "cert-store";
|
||||
group = "users";
|
||||
mode = "u=rwx,g=,o=";
|
||||
}
|
||||
];
|
||||
mode = "0700";
|
||||
};
|
||||
users.users."cert-store" = {
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
|
||||
|
|
@ -61,7 +59,7 @@ in
|
|||
};
|
||||
|
||||
services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiJZWlmiEkVzlf5/KV/jKkCGlgp8mnEeCnwk/dhdctJ";
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
|
||||
|
||||
environment.systemPackages = [ update-cert ];
|
||||
|
||||
|
|
|
|||
|
|
@ -9,13 +9,13 @@ in
|
|||
./utils/acme-http-client.nix
|
||||
];
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/lib/hydra";
|
||||
systemd.tmpfiles.settings."hydra-home"."/var/lib/hydra".d = {
|
||||
user = "hydra";
|
||||
group = "hydra";
|
||||
mode = "u=rwx,g=rx,o=";
|
||||
}
|
||||
mode = "0750";
|
||||
};
|
||||
environment.persistence."/persist" = {
|
||||
directories = [
|
||||
{
|
||||
directory = "/var/lib/postgresql";
|
||||
user = "postgresql";
|
||||
|
|
@ -23,7 +23,8 @@ in
|
|||
mode = "u=rwx,g=rx,o=";
|
||||
}
|
||||
];
|
||||
|
||||
files = [ "/var/lib/hydra/.db-created" ];
|
||||
};
|
||||
sops.secrets.priv-cache-key.sopsFile = ../secrets/ci.yaml;
|
||||
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue