lelgenio/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 2 Releases Packages Wiki Activity Actions

gitlab-runner: get nix ssh cache as pub key

Browse source
This commit is contained in:
Leonardo Eugênio 2025-07-19 16:53:59 -03:00
parent 734a94fa8d
commit b3e0af1da6
No known key found for this signature in database
GPG key ID: 2F8F21CE8721456B
4 changed files with 15 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

5
secrets/monolith/default.yaml
View file

@ -6,6 +6,7 @@ gitlab-runners:
docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str] docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str]
wopus-gitlab-nix: ENC[AES256_GCM,data:asE7J0d58x9VfQFWc07f5T4s5NZ+/VqMQo66EX93J0LbJ4iI5YjvrrIE4pSI1e4Nz/SRQhltaJ0DfSH0+qgjD4wnAONPRi3UlFbSdGWS2bwwRtWe+Nci2krrUFxV2i/ZVE3CwCkNe4mqtII=,iv:gKrD/LhzI+jnDnX6CdxoHfjpiRdrsuRYJF9rTc8SffM=,tag:TczDGSU3gdKmERjBJ7tP/A==,type:str] wopus-gitlab-nix: ENC[AES256_GCM,data:asE7J0d58x9VfQFWc07f5T4s5NZ+/VqMQo66EX93J0LbJ4iI5YjvrrIE4pSI1e4Nz/SRQhltaJ0DfSH0+qgjD4wnAONPRi3UlFbSdGWS2bwwRtWe+Nci2krrUFxV2i/ZVE3CwCkNe4mqtII=,iv:gKrD/LhzI+jnDnX6CdxoHfjpiRdrsuRYJF9rTc8SffM=,tag:TczDGSU3gdKmERjBJ7tP/A==,type:str]
wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:MtYDK6P7nwBzr6p+lRX/dkosBfeDUAj/slf/a5SgVXNIbQlkEk7gvfW5iL+C2HgMwowqWx4F+3q2W+kGweqEYzEYAoZ9pR08a7Jci3Szyy49hkamxJXF+Qwhb5VQKxDppESne7DARCF0iYeUjgeXxCYyuWlGpisnkN3HCWrIYCqbk0LS+yqgkNhDxtxMaThGYztfPnLMEV/P5vuge9sRKu3Xi3iX2uDKtx4FTBsX30Lmd8kngOVnP/GaEHDa5ECO+/yW6ZRg3fIaqJ4RV+Vz79ovFUuZV/VE8eY3JOdK5tKIBWb31YUOjP7ccBes7mMhFLO3ceNeh+a6KAJbQ4pCojJwf/cLz663FKr5f/uWDicOBbL64l3+zV5zvSDzFls0ImXMNL6Fe3SaKP7ZcC5rVrRD8P+UN/OSFmbN5LM7uYY8nNsLxTH7MYsRHgTBUmTsFEhLGJIUjtf6J3/NWIlxjBq1MmpgxN0bD6gwVAxDPP489v918tsZtKdG8SJhLUPE4LWKsU7LHpgUBroKlbGE,iv:1jnF2TTlyTR59xM8Bgaz6bubDOwFexHBJipNVa0VPXY=,tag:VsDb6C6wYa9p4Yey3iG4eA==,type:str] wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:MtYDK6P7nwBzr6p+lRX/dkosBfeDUAj/slf/a5SgVXNIbQlkEk7gvfW5iL+C2HgMwowqWx4F+3q2W+kGweqEYzEYAoZ9pR08a7Jci3Szyy49hkamxJXF+Qwhb5VQKxDppESne7DARCF0iYeUjgeXxCYyuWlGpisnkN3HCWrIYCqbk0LS+yqgkNhDxtxMaThGYztfPnLMEV/P5vuge9sRKu3Xi3iX2uDKtx4FTBsX30Lmd8kngOVnP/GaEHDa5ECO+/yW6ZRg3fIaqJ4RV+Vz79ovFUuZV/VE8eY3JOdK5tKIBWb31YUOjP7ccBes7mMhFLO3ceNeh+a6KAJbQ4pCojJwf/cLz663FKr5f/uWDicOBbL64l3+zV5zvSDzFls0ImXMNL6Fe3SaKP7ZcC5rVrRD8P+UN/OSFmbN5LM7uYY8nNsLxTH7MYsRHgTBUmTsFEhLGJIUjtf6J3/NWIlxjBq1MmpgxN0bD6gwVAxDPP489v918tsZtKdG8SJhLUPE4LWKsU7LHpgUBroKlbGE,iv:1jnF2TTlyTR59xM8Bgaz6bubDOwFexHBJipNVa0VPXY=,tag:VsDb6C6wYa9p4Yey3iG4eA==,type:str]
wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:F+QHv9wwgyQYobKwyG13tS2OKCZuBPKLe7RLkhxsqYmVEtkCnli9jG+unMp7MC5L0i3puNqfoXP2IC6g4ESHq1yE0ksUpUCHzps4oMZBQK9b5JcqXQs+c//hskTQ/sFmTfGPpdnQ7wAifnQf5Mx2E4RwiRznMgJGQ3RDDjg9xfWUyvw6PlslZH65aGrq3P/iURvj,iv:u34+rXKLcZjBlVJmdbf60I82Fb621lUjOBmR4CTJWGk=,tag:ToPtBIz3bgzAUKc6hh4Oxg==,type:str]
sops: sops:
age: age:
- recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
@ -26,8 +27,8 @@ sops:
aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h
jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ== jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T15:08:21Z" lastmodified: "2025-07-16T15:17:16Z"
mac: ENC[AES256_GCM,data:jGS7FqZqEeACNIoeSLokZFa8NdD4ItagH0MXDK/71VODxAHXyYx1YC1rjQoHtJ94wBJV+PAJBvsVXFLRpp9OrmSmHdEAxDAfk0/yQsbqpTyruYRC+bkf5V+Ul8DhtXLFlCQ0LVL+Ku9jTUGCUbV0MHLAN5OBfPglk2vICOoV8Qk=,iv:1HAG5eAoAscctpkYQ1BNUFfQAodb0KbMqgQMw9W6G3o=,tag:rpxbvG5l7eMvCTKYQeRtEw==,type:str] mac: ENC[AES256_GCM,data:UKIJFzABE0vr7vSYL85iZdTvd0y3dN/MaBUoKf6OpcDtRphM8/yY5J0Xq6XM5f28WFN1GlSKUekQz+DkA6aR6aCI2SICVOJpFb/eXKQ3Y7Td+PGcBr07hFOGCSu2vAzgYB1ZnajfI659FcWmdOoJSYgHUz3G7iRTHHCRVcoaVVk=,iv:jmKwn9bkqvPa0dGge4FFW2uT4Oa1LlFpFMUlnqUgkAA=,tag:CL+0+frQMt2TmgYv9yZeuw==,type:str]
pgp: pgp:
- created_at: "2025-03-07T22:49:16Z" - created_at: "2025-03-07T22:49:16Z"
enc: |- enc: |-

10
system/gitlab-runner.nix
View file

@ -4,6 +4,7 @@ let
{ {
authenticationTokenConfigFile, authenticationTokenConfigFile,
nixCacheSshPrivateKeyPath ? null, nixCacheSshPrivateKeyPath ? null,
nixCacheSshPublicKeyPath ? null,
... ...
}: }:
pkgs.writeScriptBin "install-nix" '' pkgs.writeScriptBin "install-nix" ''
@ -32,10 +33,9 @@ let
) )
} }
${lib.optionalString (nixCacheSshPrivateKeyPath != null) '' ${lib.optionalString (nixCacheSshPrivateKeyPath != null && nixCacheSshPublicKeyPath != null) ''
NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}" NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}"
NIX_CACHE_SSH_PUBLIC_KEY="# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0 NIX_CACHE_SSH_PUBLIC_KEY_PATH="${nixCacheSshPublicKeyPath}"
nix-cache.wopus.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI"
. ${./gitlab-runner/nix-cache-start} . ${./gitlab-runner/nix-cache-start}
''} ''}
''; '';
@ -45,6 +45,7 @@ rec {
{ {
authenticationTokenConfigFile, authenticationTokenConfigFile,
nixCacheSshPrivateKeyPath ? null, nixCacheSshPrivateKeyPath ? null,
nixCacheSshPublicKeyPath ? null,
... ...
}@args: }@args:
{ {
@ -67,6 +68,9 @@ rec {
] ]
++ lib.optionals (nixCacheSshPrivateKeyPath != null) [ ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [
"${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}" "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"
]
++ lib.optionals (nixCacheSshPublicKeyPath != null) [
"${nixCacheSshPublicKeyPath}:${nixCacheSshPublicKeyPath}"
]; ];
# dockerDisableCache = true; # dockerDisableCache = true;
preBuildScript = "\". ${lib.getExe (installNixScript args)}\""; preBuildScript = "\". ${lib.getExe (installNixScript args)}\"";

2
system/gitlab-runner/nix-cache-start
View file

@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
echo "nix-cache: Setting up ssh key and host" >&2 echo "nix-cache: Setting up ssh key and host" >&2
STORE_HOST_PUB_KEY="$(echo "$NIX_CACHE_SSH_PUBLIC_KEY" | base64 | tr -d '\n')" STORE_HOST_PUB_KEY="$(cat "$NIX_CACHE_SSH_PUBLIC_KEY_PATH" | base64 | tr -d '\n')"
STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY" STORE_URL="ssh://nix-ssh@nix-cache.wopus.dev?trusted=true&compress=true&ssh-key=$NIX_CACHE_SSH_PRIVATE_KEY_PATH&base64-ssh-public-host-key=$STORE_HOST_PUB_KEY"
echo STORE_URL="$STORE_URL" >&2 echo STORE_URL="$STORE_URL" >&2

4
system/monolith-gitlab-runner.nix
View file

@ -21,6 +21,7 @@ in
wopus-gitlab-nix = mkNixRunnerFull { wopus-gitlab-nix = mkNixRunnerFull {
authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path; authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path; nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
}; };
default = { default = {
@ -51,5 +52,8 @@ in
"gitlab-runners/wopus-ssh-nix-cache-pk" = { "gitlab-runners/wopus-ssh-nix-cache-pk" = {
sopsFile = ../secrets/monolith/default.yaml; sopsFile = ../secrets/monolith/default.yaml;
}; };
"gitlab-runners/wopus-ssh-nix-cache-pub" = {
sopsFile = ../secrets/monolith/default.yaml;
};
}; };
} }