From b3e0af1da6e7a1f49916246b7060038b7217cb8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?=
Date: Sat, 19 Jul 2025 16:53:59 -0300
Subject: [PATCH] gitlab-runner: get nix ssh cache as pub key
---
 secrets/monolith/default.yaml | 5 +++--
 system/gitlab-runner.nix | 10 +++++++---
 system/gitlab-runner/nix-cache-start | 2 +-
 system/monolith-gitlab-runner.nix | 4 ++++
 4 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/secrets/monolith/default.yaml b/secrets/monolith/default.yaml
index f2e12a9..0e1bd4d 100644
--- a/secrets/monolith/default.yaml
+++ b/secrets/monolith/default.yaml
@@ -6,6 +6,7 @@ gitlab-runners:
 docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str]
 wopus-gitlab-nix: ENC[AES256_GCM,data:asE7J0d58x9VfQFWc07f5T4s5NZ+/VqMQo66EX93J0LbJ4iI5YjvrrIE4pSI1e4Nz/SRQhltaJ0DfSH0+qgjD4wnAONPRi3UlFbSdGWS2bwwRtWe+Nci2krrUFxV2i/ZVE3CwCkNe4mqtII=,iv:gKrD/LhzI+jnDnX6CdxoHfjpiRdrsuRYJF9rTc8SffM=,tag:TczDGSU3gdKmERjBJ7tP/A==,type:str]
 wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:MtYDK6P7nwBzr6p+lRX/dkosBfeDUAj/slf/a5SgVXNIbQlkEk7gvfW5iL+C2HgMwowqWx4F+3q2W+kGweqEYzEYAoZ9pR08a7Jci3Szyy49hkamxJXF+Qwhb5VQKxDppESne7DARCF0iYeUjgeXxCYyuWlGpisnkN3HCWrIYCqbk0LS+yqgkNhDxtxMaThGYztfPnLMEV/P5vuge9sRKu3Xi3iX2uDKtx4FTBsX30Lmd8kngOVnP/GaEHDa5ECO+/yW6ZRg3fIaqJ4RV+Vz79ovFUuZV/VE8eY3JOdK5tKIBWb31YUOjP7ccBes7mMhFLO3ceNeh+a6KAJbQ4pCojJwf/cLz663FKr5f/uWDicOBbL64l3+zV5zvSDzFls0ImXMNL6Fe3SaKP7ZcC5rVrRD8P+UN/OSFmbN5LM7uYY8nNsLxTH7MYsRHgTBUmTsFEhLGJIUjtf6J3/NWIlxjBq1MmpgxN0bD6gwVAxDPP489v918tsZtKdG8SJhLUPE4LWKsU7LHpgUBroKlbGE,iv:1jnF2TTlyTR59xM8Bgaz6bubDOwFexHBJipNVa0VPXY=,tag:VsDb6C6wYa9p4Yey3iG4eA==,type:str]
+ wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:F+QHv9wwgyQYobKwyG13tS2OKCZuBPKLe7RLkhxsqYmVEtkCnli9jG+unMp7MC5L0i3puNqfoXP2IC6g4ESHq1yE0ksUpUCHzps4oMZBQK9b5JcqXQs+c//hskTQ/sFmTfGPpdnQ7wAifnQf5Mx2E4RwiRznMgJGQ3RDDjg9xfWUyvw6PlslZH65aGrq3P/iURvj,iv:u34+rXKLcZjBlVJmdbf60I82Fb621lUjOBmR4CTJWGk=,tag:ToPtBIz3bgzAUKc6hh4Oxg==,type:str]
 sops:
 age:
 - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
@@ -26,8 +27,8 @@ sops:
 aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h
 jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-16T15:08:21Z"
- mac: ENC[AES256_GCM,data:jGS7FqZqEeACNIoeSLokZFa8NdD4ItagH0MXDK/71VODxAHXyYx1YC1rjQoHtJ94wBJV+PAJBvsVXFLRpp9OrmSmHdEAxDAfk0/yQsbqpTyruYRC+bkf5V+Ul8DhtXLFlCQ0LVL+Ku9jTUGCUbV0MHLAN5OBfPglk2vICOoV8Qk=,iv:1HAG5eAoAscctpkYQ1BNUFfQAodb0KbMqgQMw9W6G3o=,tag:rpxbvG5l7eMvCTKYQeRtEw==,type:str]
+ lastmodified: "2025-07-16T15:17:16Z"
+ mac: ENC[AES256_GCM,data:UKIJFzABE0vr7vSYL85iZdTvd0y3dN/MaBUoKf6OpcDtRphM8/yY5J0Xq6XM5f28WFN1GlSKUekQz+DkA6aR6aCI2SICVOJpFb/eXKQ3Y7Td+PGcBr07hFOGCSu2vAzgYB1ZnajfI659FcWmdOoJSYgHUz3G7iRTHHCRVcoaVVk=,iv:jmKwn9bkqvPa0dGge4FFW2uT4Oa1LlFpFMUlnqUgkAA=,tag:CL+0+frQMt2TmgYv9yZeuw==,type:str]
 pgp:
 - created_at: "2025-03-07T22:49:16Z"
 enc: |-
diff --git a/system/gitlab-runner.nix b/system/gitlab-runner.nix
index 543071b..2a715ab 100644
--- a/system/gitlab-runner.nix
+++ b/system/gitlab-runner.nix
@@ -4,6 +4,7 @@ let
 {
 authenticationTokenConfigFile,
 nixCacheSshPrivateKeyPath ? null,
+ nixCacheSshPublicKeyPath ? null,
 ...
 }:
 pkgs.writeScriptBin "install-nix" ''
@@ -32,10 +33,9 @@ let
 )
 }
- ${lib.optionalString (nixCacheSshPrivateKeyPath != null) ''
+ ${lib.optionalString (nixCacheSshPrivateKeyPath != null && nixCacheSshPublicKeyPath != null) ''
 NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}"
- NIX_CACHE_SSH_PUBLIC_KEY="# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0
- nix-cache.wopus.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI"
+ NIX_CACHE_SSH_PUBLIC_KEY_PATH="${nixCacheSshPublicKeyPath}"
 . ${./gitlab-runner/nix-cache-start}
 ''}
 '';
@@ -45,6 +45,7 @@ rec {
 {
 authenticationTokenConfigFile,
 nixCacheSshPrivateKeyPath ? null,
+ nixCacheSshPublicKeyPath ? null,
 ...
 }@args:
 {
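Review bot: The new `nixCacheSshPublicKeyPath` parameter (here in the `&&` guard, and in the argument lists at `@@ -4` and `@@ -45`) carries no documentation of what the file must contain, while the script consumes it as `base64-ssh-public-host-key`, i.e. the cache server's host key in known_hosts form, not the runner's own public key as the `-pub` secret name and the commit title suggest. The removed inline value shows the expected shape (a keyscan comment line, then `nix-cache.wopus.dev ssh-ed25519 …`); a bare key without the hostname would decode fine but never match the host, so a comment above the parameter such as `# known_hosts-format host key(s) for nix-cache.wopus.dev, passed as base64-ssh-public-host-key; not the runner's own public key` would prevent that mistake. A host public key is not secret, so holding it only as sops ciphertext gives up the review visibility the inline pin had over this trust anchor; if it stays in sops, the comment should say where the plaintext is checked against the server. With the `&&` guard, supplying only one of the two paths now silently disables the cache instead of failing; an `assert` or `lib.warn` would surface the misconfiguration. The enclosing `let` binding begins before this hunk and the `writeScriptBin` string ends after it.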
@@ -67,6 +68,9 @@ rec {
 ]
 ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [
 "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"
+ ]
+ ++ lib.optionals (nixCacheSshPublicKeyPath != null) [
+ "${nixCacheSshPublicKeyPath}:${nixCacheSshPublicKeyPath}"
 ];
 # dockerDisableCache = true;
 preBuildScript = "\". ${lib.getExe (installNixScript args)}\"";
diff --git a/system/gitlab-runner/nix-cache-start b/system/gitlab-runner/nix-cache-start
index 0fe9d4f..7cd1734 100755
--- a/system/gitlab-runner/nix-cache-start
+++ b/system/gitlab-runner/nix-cache-start
@@ -1,7 +1,7 @@
 #!/bin/sh
 echo "nix-cache: Setting up ssh key and host" >&2
-STORE_HOST_PUB_KEY="$(echo "$NIX_CACHE_SSH_PUBLIC_KEY" | base64 | tr -d '\n')"
+STORE_HOST_PUB_KEY="$(cat "$NIX_CACHE_SSH_PUBLIC_KEY_PATH" | base64 | tr -d '\n')"
 STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY"
 echo STORE_URL="$STORE_URL" >&2
diff --git a/system/monolith-gitlab-runner.nix b/system/monolith-gitlab-runner.nix
index db493fb..85a5ffe 100644
--- a/system/monolith-gitlab-runner.nix
+++ b/system/monolith-gitlab-runner.nix
@@ -21,6 +21,7 @@ in
 wopus-gitlab-nix = mkNixRunnerFull {
 authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
 nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
+ nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
 };
 default = {
@@ -51,5 +52,8 @@ in
 "gitlab-runners/wopus-ssh-nix-cache-pk" = {
 sopsFile = ../secrets/monolith/default.yaml;
 };
+ "gitlab-runners/wopus-ssh-nix-cache-pub" = {
+ sopsFile = ../secrets/monolith/default.yaml;
+ };
 };
 }
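Review bot: The new `cat "$NIX_CACHE_SSH_PUBLIC_KEY_PATH"` in nix-cache-start has no failure handling: if the variable is unset, the file is not mounted into the container, or it is unreadable, the substitution yields an empty `STORE_HOST_PUB_KEY` and `STORE_URL` is built with `base64-ssh-public-host-key=` empty, so the host-key pin is dropped silently instead of failing the job (what Nix does with an empty value is not visible here, but the pin is gone either way). Since `gitlab-runner.nix` sources this file with `.`, a guard using `return` keeps the job's shell intact: `[ -r "$NIX_CACHE_SSH_PUBLIC_KEY_PATH" ] || { echo "nix-cache: host key file unreadable: $NIX_CACHE_SSH_PUBLIC_KEY_PATH" >&2; return 1; }`. The `cat | base64` can also become a redirection, `STORE_HOST_PUB_KEY="$(base64 < "$NIX_CACHE_SSH_PUBLIC_KEY_PATH" | tr -d '\n')"`. The same silent-empty behaviour applies to `NIX_CACHE_SSH_PRIVATE_KEY_PATH` on the `STORE_URL` line, which predates this change and could take the same guard.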