gitlab-runner: get nix ssh cache as pub key

2025-07-19 16:53:59 -03:00 · 2025-07-19 16:53:59 -03:00 · b3e0af1da6
commit b3e0af1da6
parent 734a94fa8d
4 changed files with 15 additions and 6 deletions
--- a/system/gitlab-runner.nix
+++ b/system/gitlab-runner.nix
@ -4,6 +4,7 @@ let
    {
      authenticationTokenConfigFile,
      nixCacheSshPrivateKeyPath ? null,
+      nixCacheSshPublicKeyPath ? null,
      ...
    }:
    pkgs.writeScriptBin "install-nix" ''
@ -32,10 +33,9 @@ let
        )
      }

-      ${lib.optionalString (nixCacheSshPrivateKeyPath != null) ''
+      ${lib.optionalString (nixCacheSshPrivateKeyPath != null && nixCacheSshPublicKeyPath != null) ''
        NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}"
-        NIX_CACHE_SSH_PUBLIC_KEY="# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0
-        nix-cache.wopus.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI"
+        NIX_CACHE_SSH_PUBLIC_KEY_PATH="${nixCacheSshPublicKeyPath}"
        . ${./gitlab-runner/nix-cache-start}
      ''}
    '';
@ -45,6 +45,7 @@ rec {
    {
      authenticationTokenConfigFile,
      nixCacheSshPrivateKeyPath ? null,
+      nixCacheSshPublicKeyPath ? null,
      ...
    }@args:
    {
@ -67,6 +68,9 @@ rec {
        ]
        ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [
          "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"
+        ]
+        ++ lib.optionals (nixCacheSshPublicKeyPath != null) [
+          "${nixCacheSshPublicKeyPath}:${nixCacheSshPublicKeyPath}"
        ];
      # dockerDisableCache = true;
      preBuildScript = "\". ${lib.getExe (installNixScript args)}\"";
--- a/system/gitlab-runner/nix-cache-start
+++ b/system/gitlab-runner/nix-cache-start
@ -1,7 +1,7 @@
 #!/bin/sh

 echo "nix-cache: Setting up ssh key and host" >&2
-STORE_HOST_PUB_KEY="$(echo "$NIX_CACHE_SSH_PUBLIC_KEY" | base64 | tr -d '\n')"
+STORE_HOST_PUB_KEY="$(cat "$NIX_CACHE_SSH_PUBLIC_KEY_PATH" | base64 | tr -d '\n')"
 STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY"
 echo STORE_URL="$STORE_URL" >&2

--- a/system/monolith-gitlab-runner.nix
+++ b/system/monolith-gitlab-runner.nix
@ -21,6 +21,7 @@ in
      wopus-gitlab-nix = mkNixRunnerFull {
        authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
        nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
+        nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
      };

      default = {
@ -51,5 +52,8 @@ in
    "gitlab-runners/wopus-ssh-nix-cache-pk" = {
      sopsFile = ../secrets/monolith/default.yaml;
    };
+    "gitlab-runners/wopus-ssh-nix-cache-pub" = {
+      sopsFile = ../secrets/monolith/default.yaml;
+    };
  };
 }