diff --git a/flake.lock b/flake.lock
index 524c1c3b..97182e93 100644
--- a/flake.lock
+++ b/flake.lock
@@ -177,6 +177,28 @@
"type": "github"
}
},
+ "flake-parts_2": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "hydra",
+ "nix-eval-jobs",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1722555600,
+ "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
"flake-utils": {
"inputs": {
"systems": "systems"
@@ -217,6 +239,115 @@
"type": "github"
}
},
+ "hydra": {
+ "inputs": {
+ "libgit2": "libgit2",
+ "nix": "nix",
+ "nix-eval-jobs": "nix-eval-jobs",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1739352917,
+ "narHash": "sha256-IMxe7Jl3efquTO7xzDcxpotDZBHRmD9Jxnw+is1SjDo=",
+ "owner": "NixOS",
+ "repo": "hydra",
+ "rev": "c60e7955bfa7ac3de7c707f7f8555180646e56f7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "hydra.nixos.org",
+ "repo": "hydra",
+ "type": "github"
+ }
+ },
+ "libgit2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1715853528,
+ "narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
+ "owner": "libgit2",
+ "repo": "libgit2",
+ "rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
+ "type": "github"
+ },
+ "original": {
+ "owner": "libgit2",
+ "ref": "v1.8.1",
+ "repo": "libgit2",
+ "type": "github"
+ }
+ },
+ "nix": {
+ "inputs": {
+ "flake-compat": [
+ "hydra"
+ ],
+ "flake-parts": [
+ "hydra"
+ ],
+ "git-hooks-nix": [
+ "hydra"
+ ],
+ "libgit2": [
+ "hydra",
+ "libgit2"
+ ],
+ "nixpkgs": [
+ "hydra",
+ "nixpkgs"
+ ],
+ "nixpkgs-23-11": [
+ "hydra"
+ ],
+ "nixpkgs-regression": [
+ "hydra"
+ ]
+ },
+ "locked": {
+ "lastModified": 1726787955,
+ "narHash": "sha256-XFznzb8L4SdUm9u+w3DPpMWJhffuv+/6+aiVl00slns=",
+ "owner": "NixOS",
+ "repo": "nix",
+ "rev": "a7fdef6858dd45b9d7bda7c92324c63faee7f509",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "2.24-maintenance",
+ "repo": "nix",
+ "type": "github"
+ }
+ },
+ "nix-eval-jobs": {
+ "inputs": {
+ "flake-parts": "flake-parts_2",
+ "nix-github-actions": [
+ "hydra"
+ ],
+ "nixpkgs": [
+ "hydra",
+ "nixpkgs"
+ ],
+ "treefmt-nix": "treefmt-nix"
+ },
+ "locked": {
+ "lastModified": 1733814344,
+ "narHash": "sha256-3wwtKpS5tUBdjaGeSia7CotonbiRB6K5Kp0dsUt3nzU=",
+ "owner": "nix-community",
+ "repo": "nix-eval-jobs",
+ "rev": "889ea1406736b53cf165b6c28398aae3969418d1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "release-2.24",
+ "repo": "nix-eval-jobs",
+ "type": "github"
+ }
+ },
"nix-github-actions": {
"inputs": {
"nixpkgs": [
@@ -354,12 +485,17 @@
"first-time-contribution-tagger": "first-time-contribution-tagger",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
+ "hydra": "hydra",
+ "nix": [
+ "hydra",
+ "nix"
+ ],
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"simple-nixos-mailserver": "simple-nixos-mailserver",
"sops-nix": "sops-nix",
"srvos": "srvos",
- "treefmt-nix": "treefmt-nix"
+ "treefmt-nix": "treefmt-nix_2"
}
},
"simple-nixos-mailserver": {
@@ -439,6 +575,28 @@
}
},
"treefmt-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "hydra",
+ "nix-eval-jobs",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1723303070,
+ "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=",
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "rev": "14c092e0326de759e16b37535161b3cb9770cea3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "type": "github"
+ }
+ },
+ "treefmt-nix_2": {
"inputs": {
"nixpkgs": "nixpkgs_3"
},
diff --git a/flake.nix b/flake.nix
index dca94029..f7f20acf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -48,6 +48,10 @@
flake-utils.follows = "flake-utils";
};
};
+
+ hydra.url = "github:NixOS/hydra/hydra.nixos.org";
+ hydra.inputs.nixpkgs.follows = "nixpkgs";
+ nix.follows = "hydra/nix";
};
outputs =
inputs@{ flake-parts, ... }:
diff --git a/non-critical-infra/.sops.yaml b/non-critical-infra/.sops.yaml
index 82d3baca..11f19819 100644
--- a/non-critical-infra/.sops.yaml
+++ b/non-critical-infra/.sops.yaml
@@ -3,6 +3,10 @@ keys:
- &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
- &caliban age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq
- &umbriel age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6
+ - &staging-hydra age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v
+ - &m1-s age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8
+ - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ - &shivaraj-bh age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9
creation_rules:
- path_regex: secrets/[^/]+.caliban
@@ -18,3 +22,19 @@ creation_rules:
- *umbriel
- *hexa
- *zimbatm
+
+ # ssh keys used to bootstrap new machines
+ - path_regex: secrets/[^/]+-hostkeys.yaml
+ key_groups:
+ - age:
+ - *m1-s
+ - *shivaraj-bh
+ - *mic92
+
+ - path_regex: secrets/[^/]+.staging-hydra
+ key_groups:
+ - age:
+ - *staging-hydra
+ - *shivaraj-bh
+ - *m1-s
+ - *mic92
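Review bot: The `.` in both new `path_regex` values is an unescaped regex metacharacter, so `secrets/[^/]+.staging-hydra` also matches a name like `secrets/foo-staging-hydra` and `secrets/[^/]+-hostkeys.yaml` matches `secrets/x-hostkeysXyaml`; because sops applies the first matching rule, a stray match silently changes the recipient set of that file. Escape the dots: `- path_regex: secrets/[^/]+-hostkeys\.yaml` and `- path_regex: secrets/[^/]+\.staging-hydra`. The existing rules above (e.g. `secrets/[^/]+.caliban`) follow the same loose convention, so this may be house style; anchoring with `$` would tighten both the old and the new rules.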
diff --git a/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh b/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh
new file mode 100755
index 00000000..46ff1894
--- /dev/null
+++ b/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+# Use this script to deploy the initial keys when bootstrapping a new machine.
+
+set -euo pipefail
+tmpDir=$(mktemp -d)
+sshDir="$tmpDir/etc/ssh"
+mkdir -p "$sshDir"
+trap 'rm -rf "$tmpDir"' EXIT
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+for keyname in ssh_host_ed25519_key ssh_host_ed25519_key.pub; do
+ if [[ $keyname == *.pub ]]; then
+ umask 0133
+ else
+ umask 0177
+ fi
+ sops --extract '["'$keyname'"]' --decrypt "$SCRIPT_DIR/../../secrets/staging-hydra-hostkeys.yaml" >"$sshDir/$keyname"
+done
+nix run nixpkgs#nixos-anywhere -- --extra-files "$tmpDir" -f .#staging-hydra root@157.180.25.203
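Review bot: `$keyname` is unquoted inside `--extract '["'$keyname'"]'` on the `sops` line, which breaks the otherwise consistent quoting in this script; the loop values are fixed identifiers so it cannot misbehave today, but `--extract "[\"$keyname\"]"` is the spelling that stays safe if the list ever changes. The `trap 'rm -rf "$tmpDir"' EXIT` is registered only after `mkdir -p "$sshDir"`, so a failure there leaves the temporary directory behind; moving the `trap` line directly after `tmpDir=$(mktemp -d)` closes that gap. The `umask` set inside the loop (0133 after the final `.pub` iteration) also remains in effect for the `nix run nixpkgs#nixos-anywhere` call, so either restore it after the loop or run the loop in a subshell so the key-file modes do not leak into unrelated writes.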
diff --git a/non-critical-infra/hosts/staging-hydra/default.nix b/non-critical-infra/hosts/staging-hydra/default.nix
new file mode 100644
index 00000000..d2cf69cf
--- /dev/null
+++ b/non-critical-infra/hosts/staging-hydra/default.nix
@@ -0,0 +1,49 @@
+{ inputs, lib, ... }:
+{
+ imports = [
+ ./hardware.nix
+ inputs.srvos.nixosModules.server
+ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm
+ ../../modules/common.nix
+ ./hydra-proxy.nix
+ ./hydra.nix
+ inputs.hydra.nixosModules.hydra
+ ];
+
+ nixpkgs.overlays = [
+ inputs.nix.overlays.default
+ inputs.hydra.overlays.default
+ ];
+
+
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ timeout = lib.mkForce 5;
+ efi.efiSysMountPoint = "/efi";
+ };
+ kernelParams = [ "console=tty" ];
+ };
+ networking = {
+ hostName = "staging-hydra";
+ domain = "nixos.org";
+ };
+
+ systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:c012:d5d3::1/128";
+
+ disko.devices = import ./disko.nix;
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ networking.firewall.allowedUDPPorts = [ ];
+
+ system.stateVersion = "24.11";
+ users.users.root.openssh.authorizedKeys.keys = [
+ # m1-s
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaGspw6myJ5GKHHxN+7jaJWyU1SlVo4nCzDajyJdtvg"
+ # shivaraj-bh
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFN5Ov2zDIG59/DaYKjT0sMWIY15er1DZCT9SIak07vK"
+ ];
+}
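Review bot: `inputs.srvos.nixosModules.hardware-hetzner-cloud-arm` is imported here, but the sibling `hardware.nix` added in this commit sets `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"`; one of the two is wrong for this host, so confirm the target architecture and pick the srvos hardware module that matches it. `networking.firewall.allowedTCPPorts = [ 80 443 ]` duplicates the identical list in `hydra-proxy.nix` (the lists merge, so it is harmless but redundant), and `networking.firewall.allowedUDPPorts = [ ]` is a no-op that can be dropped. The disko layout puts the root filesystem on ZFS, and the NixOS ZFS module asserts that `networking.hostId` is set; it is not set in this file, so presumably `../../modules/common.nix` provides it — worth confirming, as evaluation fails otherwise.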
diff --git a/non-critical-infra/hosts/staging-hydra/disko.nix b/non-critical-infra/hosts/staging-hydra/disko.nix
new file mode 100644
index 00000000..dcc19066
--- /dev/null
+++ b/non-critical-infra/hosts/staging-hydra/disko.nix
@@ -0,0 +1,61 @@
+{
+ disk = {
+ main = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ esp = {
+ type = "EF00";
+ size = "1024M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/efi";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool.zroot = {
+ type = "zpool";
+ options = {
+ # smartctl --all /dev/sda
+ # Logical block size: 512 bytes
+ ashift = "9";
+ };
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "zstd";
+ mountpoint = "none";
+ xattr = "sa";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ "reserved" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ refreservation = "1G";
+ };
+ };
+ };
+ };
+}
diff --git a/non-critical-infra/hosts/staging-hydra/hardware.nix b/non-critical-infra/hosts/staging-hydra/hardware.nix
new file mode 100644
index 00000000..4b0b75f7
--- /dev/null
+++ b/non-critical-infra/hosts/staging-hydra/hardware.nix
@@ -0,0 +1,15 @@
+{ lib, ... }:
+{
+
+ boot.initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "virtio_pci"
+ "usbhid"
+ "sr_mod"
+ ];
+ kernelModules = [ "virtio_gpu" ];
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/non-critical-infra/hosts/staging-hydra/hydra-proxy.nix b/non-critical-infra/hosts/staging-hydra/hydra-proxy.nix
new file mode 100644
index 00000000..3bea6b98
--- /dev/null
+++ b/non-critical-infra/hosts/staging-hydra/hydra-proxy.nix
@@ -0,0 +1,97 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ bannedUserAgentPatterns = [
+ "Trident/"
+ "Android\\s[123456789]\\."
+ "iPod"
+ "iPad\\sOS\\s"
+ "iPhone\\sOS\\s[23456789]"
+ "Opera/[89]"
+ "(Chrome|CriOS)/(\\d\\d?\\.|1[01]|12[4])"
+ "(Firefox|FxiOS)/(\\d\\d?\\.|1[01]|12[012345679]\\.)"
+ "PPC\\sMac\\sOS"
+ "Windows\\sCE"
+ "Windows\\s95"
+ "Windows\\s98"
+ "Windows\\sNT\\s[12345]\\."
+ ];
+in
+{
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+
+ proxyTimeout = "900s";
+
+ appendConfig = ''
+ worker_processes auto;
+ '';
+
+ eventsConfig = ''
+ worker_connections 1024;
+ '';
+
+ appendHttpConfig = ''
+ map $http_user_agent $badagent {
+ default 0;
+ ${lib.concatMapStringsSep "\n" (pattern: ''
+ ~${pattern} 1;
+ '') bannedUserAgentPatterns}
+ }
+ '';
+
+ virtualHosts."staging-hydra.nixos.org" = {
+ forceSSL = true;
+ enableACME = true;
+
+ extraConfig = ''
+ error_page 502 /502.html;
+ error_page 503 /503.html;
+ location ~ /(502|503).html {
+ root ${../../../build/nginx-error-pages};
+ internal;
+ }
+ '';
+
+ # Ask robots not to scrape hydra, it has various expensive endpoints
+ locations."=/robots.txt".alias = pkgs.writeText "hydra.nixos.org-robots.txt" ''
+ User-agent: *
+ Disallow: /
+ Allow: /$
+ '';
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = ''
+ if ($badagent) {
+ access_log /var/log/nginx/abuse.log;
+ return 403;
+ }
+ '';
+ };
+
+ locations."/static/" = {
+ alias = "${config.services.hydra-dev.package}/libexec/hydra/root/static/";
+ };
+ };
+ };
+
+}
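Review bot: `locations."/".proxyPass = "http://127.0.0.1:3000"` assumes hydra-server is reachable only through nginx, but nothing in this file pins the backend to loopback; if the hydra-dev module keeps the nixpkgs default of listening on all interfaces, port 3000 is shielded only by the firewall lists in `default.nix` and `hydra.nix`. Setting `services.hydra-dev.listenHost = "127.0.0.1";` (the nixpkgs hydra module has `listenHost`; confirm the hydra-dev module exposes the same option) makes the proxy-only intent explicit and removes the dependency on the firewall being correct. The `networking.firewall.allowedTCPPorts` block at the top repeats the one in `default.nix` and can live in one place.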
diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix
new file mode 100644
index 00000000..2c939231
--- /dev/null
+++ b/non-critical-infra/hosts/staging-hydra/hydra.nix
@@ -0,0 +1,190 @@
+{ lib
+, pkgs
+, config
+, ...
+}:
+let
+ narCache = "/var/cache/hydra/nar-cache";
+ localSystems = [
+ "builtin"
+ config.nixpkgs.hostPlatform.system
+ ];
+in
+{
+ networking.firewall.allowedTCPPorts = [
+ 9198 # queue-runnner metrics
+ 9199 # hydra-notify metrics
+ ];
+
+ # garbage collection
+ nix.gc = {
+ automatic = true;
+ options = ''--max-freed "$((400 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
+ dates = "03,09,15,21:15";
+ };
+
+ # gc outputs as well, since they are served from the cache
+ nix.settings.gc-keep-outputs = lib.mkForce false;
+
+ # Don't rate-limit the journal.
+ services.journald.rateLimitBurst = 0;
+
+ sops.secrets = {
+ signing-key = {
+ sopsFile = ../../secrets/signing-key.staging-hydra;
+ format = "binary";
+ owner = config.systemd.services.hydra-queue-runner.serviceConfig.User;
+ };
+ hydra-aws-credentials = {
+ sopsFile = ../../secrets/hydra-aws-credentials.staging-hydra;
+ format = "binary";
+ path = "/var/lib/hydra/queue-runner/.aws/credentials";
+ owner = config.systemd.services.hydra-queue-runner.serviceConfig.User;
+ };
+ };
+
+ services.hydra-dev = {
+ enable = true;
+ package = pkgs.hydra;
+ buildMachinesFiles = [
+ (pkgs.writeText "local" ''
+ localhost ${lib.concatStringsSep "," localSystems} - 3 1 ${lib.concatStringsSep "," config.nix.settings.system-features} - -
+ '')
+ ];
+ logo = ../../../build/hydra-logo.png;
+ hydraURL = "https://hydra.nixos.org";
+ notificationSender = "edolstra@gmail.com";
+ smtpHost = "localhost";
+ useSubstitutes = true;
+ extraConfig = ''
+ max_servers 30
+
+ store_uri = s3://nix-cache-staging?secret-key=${config.sops.secrets.signing-key.path}&ls-compression=br&log-compression=br
+ server_store_uri = https://cache-staging.nixos.org?local-nar-cache=${narCache}
+ binary_cache_public_uri = https://cache-staging.nixos.org
+
+
+ cache_size = 32m
+
+
+ # patchelf:master:3
+ xxx-jobset-repeats = nixos:reproducibility:1
+
+ upload_logs_to_binary_cache = true
+ compress_build_logs = false # conflicts with upload_logs_to_binary_cache
+
+ log_prefix = https://cache.nixos.org/
+
+ evaluator_workers = 1
+ evaluator_max_memory_size = 4096
+
+ max_concurrent_evals = 1
+
+ # increase the number of active compress slots (CPU is 48*2 on mimas)
+ max_local_worker_threads = 144
+
+ max_unsupported_time = 86400
+
+ allow_import_from_derivation = false
+
+ max_output_size = 3821225472 # 3 << 30 + 600000000 = 3 GiB + 0.6 GB
+ max_db_connections = 350
+
+ queue_runner_metrics_address = [::]:9198
+
+
+
+ listen_address = 0.0.0.0
+ port = 9199
+
+
+ '';
+ };
+
+ sops.secrets.hydra-users = {
+ sopsFile = ../../secrets/hydra-users.staging-hydra;
+ format = "binary";
+ };
+
+ systemd = {
+ tmpfiles.rules = [
+ "d /var/cache/hydra 0755 hydra hydra - -"
+ "d ${narCache} 0775 hydra hydra 1d -"
+ ];
+
+ # eats memory as if it was free
+ services = {
+ hydra-notify.enable = false;
+ hydra-queue-runner = {
+ # restarting the scheduler is very expensive
+ restartIfChanged = false;
+ serviceConfig = {
+ ManagedOOMPreference = "avoid";
+ LimitNOFILE = 65535;
+ };
+ };
+
+ hydra-prune-build-logs = {
+ description = "Clean up old build logs";
+ startAt = "weekly";
+ serviceConfig = {
+ User = "hydra-queue-runner";
+ Group = "hydra";
+ ExecStart = lib.concatStringsSep " " [
+ (lib.getExe pkgs.findutils)
+ "/var/lib/hydra/build-logs/"
+ "-ignore_readdir_race"
+ "-type"
+ "f"
+ "-mtime"
+ "+${toString (3 * 365)}" # days
+ "-delete"
+ ];
+ };
+ };
+ hydra-post-init = {
+ serviceConfig = {
+ Type = "oneshot";
+ TimeoutStartSec = "60";
+ };
+ wantedBy = [ config.systemd.targets.multi-user.name ];
+ after = [ config.systemd.services.hydra-server.name ];
+ requires = [ config.systemd.services.hydra-server.name ];
+ environment = {
+ inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;
+ };
+ path = [
+ config.services.hydra.package
+ pkgs.netcat
+ ];
+ script = ''
+ set -e
+ while IFS=';' read -r user role passwordhash email fullname; do
+ opts=("$user" "--role" "$role" "--password-hash" "$passwordhash")
+ if [[ -n "$email" ]]; then
+ opts+=("--email-address" "$email")
+ fi
+ if [[ -n "$fullname" ]]; then
+ opts+=("--full-name" "$fullname")
+ fi
+ hydra-create-user "''${opts[@]}"
+ done < ${config.sops.secrets.hydra-users.path}
+ '';
+ };
+ };
+ };
+
+ programs.ssh = {
+ hostKeyAlgorithms = [
+ "rsa-sha2-512-cert-v01@openssh.com"
+ "ssh-ed25519"
+ "ssh-rsa"
+ "ecdsa-sha2-nistp256"
+ ];
+
+ extraConfig = lib.mkAfter ''
+ ServerAliveInterval 120
+ TCPKeepAlive yes
+ '';
+ };
+}
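Review bot: Several `services.hydra-dev` values still point at production: `hydraURL = "https://hydra.nixos.org"` and `log_prefix = https://cache.nixos.org/` while `store_uri`/`binary_cache_public_uri` target `nix-cache-staging`/`cache-staging.nixos.org`, so links and build-log URLs generated by this staging instance resolve against the wrong hosts — presumably `hydraURL = "https://staging-hydra.nixos.org"` and `log_prefix = https://cache-staging.nixos.org/` are intended. Port `9199` is opened in `networking.firewall.allowedTCPPorts` for hydra-notify metrics even though `systemd.services.hydra-notify.enable = false` below, and `queue_runner_metrics_address = [::]:9198` together with the `9198` firewall entry exposes the unauthenticated queue-runner metrics to the internet; bind it to loopback or restrict the firewall entries to the monitoring host, and drop the 9199 entry while hydra-notify is off. `programs.ssh.hostKeyAlgorithms` lists `"ssh-rsa"`, the SHA-1-based RSA signature scheme that OpenSSH disables by default; `"rsa-sha2-512"` and `"rsa-sha2-256"` accept the same RSA host keys without it. `hydra-post-init` reads `config.services.hydra.package` while the rest of this file (and `hydra-proxy.nix`) configures `services.hydra-dev`, and lists `pkgs.netcat` in `path` without using it; `config.services.hydra-dev.package` matches the module actually enabled.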
diff --git a/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra b/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra
new file mode 100644
index 00000000..6fbf0df5
--- /dev/null
+++ b/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra
@@ -0,0 +1,32 @@
+{
+ "data": "ENC[AES256_GCM,data:OTKF4ciLxhfcmeqS78NsoS24e2PaUmpdbD+Ol2toWDcc/WdRYDcw8uimtJE/B0VfXUgz8sqEPISXOHV1kw2Jh3+089HVLlQPdJPpC9aCSQ9zPv3wwyCAXATH2nOv1piF+h8tNqHYmsxykDFVkMs1oEvGPQOlo9HaFd4OSB2y1nSAA/S79wOa,iv:ZCH/gsD91QcVKQtyymUXXOrSioHrOwa9mW/PIe6WG1k=,tag:ck4C6U5RphH5rR0yR0rqIw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbHBoNkZzY0E1NytUMGsw\nVHQ3NnJQbjJCQ0JpdXEyVXBFVS9CcTVBU1JzClBYa1pLQWdlREhIbnFJbUhrWWdY\naE9rRE0ySWlaMTZGMGpXeWRHVE96a1EKLS0tIExnYTBXdE16Z2h5UGhsK3gyMm53\nWGlmUkhndnZYOE9COE5wVDRsZi8zbTQKNqiJ+vpmwhpdHAmh++A4s7kJQEASXi+o\nbZd6Wr/F7ucZqrB+BZAoqYFb5XGfBrQ/TeTBOi8drS58y0yYilsATQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVW43N3BOeWZpK3BPMTZv\ndE5KVndUSFNaR3FaalhVdjVhN2JPbVdtQUhRCnFlNkQrSSs2MDkxVEhxYThkVVg0\nSVp5Y1VTeWI4a2Z5SSsvVlNzQTg1OVUKLS0tIERMbjNSSzJsc1F0TWZYaUhiQU5l\nbUFZTUtjVmFWRUl4OEkwZjNMWVpsN0kKpaENj5CzhSIj5JcCx+5mydbsugjONig6\nIRBvuG/RJBQnwVTyBcYdezV+OlhX86FHbf1KmO94B8crUoUePLL24Q==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWc1RWQ1c5ZmV3cU56QzhQ\nclpNNU9ycCtKa1piWTBnQVdrbEpOQlJwYUJJCnB2NlVXd0J3NElueHo0ZEsvMEpC\nc2RTa2RFV0lvaDg5THoyWjcyV2ttQ00KLS0tIG5lZnFBVHdxQjhkYjQrM0ZUQnRM\nbGRZaGJiNUFIc2orS2x4TGNxa2kvNUUKldYSnCr3NEdV1WtpWrrNxd6e129T40Fh\nSrSr2cLlUN/tvw5o96ysO3zfYhTF2kbjADxFvMW25T2jjliGNzPKTQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNzBuNGJxakZaNXJONU11\nSkNsN2ZzYWhzVWl0U3lUWTAzK1NvT1hnOG5rCnJHTjBxcExzdjgvUGxUSVBqZjdW\nRTZUYTR1bFd6NEltRmZQZ0pYVmI5TzAKLS0tIHZVbWM4Y2NTN2JDckRPZWk0ZDgv\nVXMybjlaWUplSkRjdDlma1RGMFFSZGMKDUPalwL72E1ISuuYVa8JOyO2evqAvke/\nc1B/S6QZDZocmPZpxlyJ1Dmb2OxhNr+kA9YhL/LRMQplI7v7qI6uxw==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-02-15T16:47:02Z",
+ "mac": "ENC[AES256_GCM,data:wilD1Hhi9/+eFmfPznq4WQYBYROkPfvKV7cjKsfRzgm1k5GRwvXe1V2bHpHJAVgPADFQ8b5JJrRmOGqNwds28Tx5fKmp8B4g7s7i8v7JK62OLMOl1BX3AeJxjvDBEPIKLkZUZuosSmCZUBEWcXppyVmdvHJETLi6RIFpAEw/Zc4=,iv:CcSj6oSjmWPQXJv9O7GlPIVfj+0h7fgktIZHVFWdFbI=,tag:2C0vY1Fvh5nvuzmdcoUYNA==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.4"
+ }
+}
\ No newline at end of file
diff --git a/non-critical-infra/secrets/hydra-password.staging-hydra b/non-critical-infra/secrets/hydra-password.staging-hydra
new file mode 100644
index 00000000..231fa657
--- /dev/null
+++ b/non-critical-infra/secrets/hydra-password.staging-hydra
@@ -0,0 +1,32 @@
+{
+ "data": "ENC[AES256_GCM,data:6pJnTnWOCfA/vM+eV4cGc5Cif/gvXq8aNGiL,iv:PqGRNS4u9Ok6OJ4XE2oqcgTeuHbdMsteV3TucOA59IQ=,tag:P5E036UhXxJyqGyat+bzsg==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZmJYcHJ5VndldTBCOS9z\nZ1Z0ci9yM2d5d2MzNml6ZmJtU2JzUUhzU0VNCnRnTnlXbng5NDBUVnd0VWkyUHFK\nZGRrVGpRZ3pEKzRwWEQ2bHZQbUNROEEKLS0tIGhuTGhtOEFNa1NpSW9qa3IvQTV2\nck44cUwxZTJZNGNxSVlVRUlzWmp1SlUKuqR/rAE1Sig4mORIy+WZoZUw0m+TY93d\nVwKn6YoEs5qiLUpNa0a2wPaj1Iec8eZlJYzkt1eoZFx7ErB/it66mg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNWZOR2V6Q29sNlUrWVps\ndnRrWGZodnhxZEI3cGlPRXRKMWI2eWxxZUEwCi9BUE5oeW5rTnJlVE5td2Q5SVkz\nbVNKVFBsazFMeVg3d0hkL3o2WWJJNE0KLS0tIGdGT1ZibTV6VjkwaEpxbFVVTFJR\ndWxVL1J2eElvaUFEblJwSVRwbkVzV28KxUx+YuFZqAVj3moTnoSblXrcf4EMiZjq\nVlGD0ccJfqfQU/1SAnExebUODcIWA22tCvTr6fTT8vQm9MAJDmz5Mg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTVdZUDgzbWRKa3oxMXFn\nbWZlN0djdWUySXBsZ3U0RDAyWld1QkJYRjAwCkNPUC9JRVM4Vi9LUGlWSWhFQVNG\ndXhwSjRxNXB2eE9IdEtsTXl4VitEWHMKLS0tIHkwTUFHWGl2VUZMd215T1VZZGw0\na2xVTHA4b1JMNFJZUG9kTU5nZ0VzVUEKljLLoGh0tJ9KYZocrZ0LT79mXQF916aQ\nsDi67K5yB5pDwsyZAfo5Gmp2FsJCJmt93ao/iSL2J91rdap0uo9ZCw==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnSHdrYXA1WkxmU2VrSkto\nNnBnNjk3MEVBdlB0aE0rWU9zN3RPZ0JLb2lNCklOT3ZlSDcwQzA3RTNMUU5wcS9K\nUHNYS0xXMitacXZMWW9rYzdqcnRIUVUKLS0tIFZTMFpWR004WG5HSitvMy9pMzI0\nT0MyOEMvNmRLaEY5eTZRdHcrUUFEQUEKiSEe9qD9oe8BzB2ABhlmbN91EVOZDhd9\nt2ZpqvUnIN2uAYAcORM6KKj5S2GYNGi6BE1xNiHSFCPA3IX2DQnQiw==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-02-16T03:16:30Z",
+ "mac": "ENC[AES256_GCM,data:fzEO67Uo6KkeHFY5OwI0dHeSwzWf93HgxGsm8QwSFL6oHDFfWX2ssHU6in+hK61FH4/3di8fWZpfE92IGSinci6QIW9Gr3MMr+arpQoFBZJFYGKakLOxGioauStup5l5G/XDacgVYfrAuQhC8bGvg/RF3nnJ5Q4OinNot4r51Ag=,iv:+ndd8LFWdOiyuO9G5fgPAjaoS1dzOr/Ta51WEmTReJk=,tag:LrSTNAotzJKNaGfAcZu1Ag==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.4"
+ }
+}
\ No newline at end of file
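Review bot: No file visible in this diff references `hydra-password.staging-hydra` — `hydra.nix` declares `sops.secrets` for `signing-key`, `hydra-aws-credentials` and `hydra-users` only — so either a `sops.secrets.hydra-password` declaration is missing or this file is a leftover. If it is intentionally unused for now, a one-line note in `hydra.nix` or the commit message saying what will consume it keeps it from being mistaken for a live secret, and an unused encrypted file is one more item to re-key whenever the recipient list changes.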
diff --git a/non-critical-infra/secrets/hydra-users.staging-hydra b/non-critical-infra/secrets/hydra-users.staging-hydra
new file mode 100644
index 00000000..323b897e
--- /dev/null
+++ b/non-critical-infra/secrets/hydra-users.staging-hydra
@@ -0,0 +1,32 @@
+{
+ "data": "ENC[AES256_GCM,data:nYqeHsAnm9xw/NxIMycbexTtGGDfZyEjq/FyDM3oGuxyiLfaWUrpsbS9KE1Hu6m/cUjPRfthid/KyhoWNdu5yHZLhCmmmSeI1ukqLS++G3rXeY1Cz1GQ4lQgYOEDrUU5W4eTJRfc9Z+zN58Wat4BAnJVeQ/NMq5Hzhyhg7hEGu4=,iv:MMuuZ47yWBqhQ7f27FmRK7XyhoojhuFgflgerTFlJ+w=,tag:raFoWuMqUXcHIvuD95f8Ng==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdlJaVE1XOWc0WFBrQTlz\nK3JhNWwrUUNYdXZkMVYzaTFoa2ZLL2dKbDM4CnlzRDJ0OGJPbFFQVmVISzBDSGdY\nVnU1ZHhlMVpEWUhYWTNydHZGYlE1TEEKLS0tIFUxZXRBN3ZWdThSRVAwZENXSXZI\nSVVUc1d3TXk3MHdzdlNQT3MxWHhwaWsK08hZaOCh7vquB1emKy0FYvenzB7IHbMm\nxoFna2slhAzgJUPgOCODeEpel3G9B+KnZ9UzHF/mQ4Nw1CI2NqaqkA==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVakdZL1VxSmE3VTM4RTly\nZnFaQ0FaclVzUmc2cXBoUkVQaXk2ekN1aEcwCnVxZW9iUm01RzM1RGxGYlRkTjdF\nWmJ6UUFUZFdFQ1B4SmZjeGhMV1pIZjQKLS0tIEgwL1kzQ3BqR1BxRzRtOWxSU3Ji\nODI4K2k3cm9JeVEwNnAwTkxwRUxiMUUKtBpngvyVxtqw913doLq8FEaMwOH2Y8mV\nFFtIlxdSwI3PorVxxytq1zdqndQKW3rPrpGOvRqtLYsKL9w5whwWmQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZHhFQzgrdUgrSjJ3ZjNp\nSmtER3daTVAyT2k0ZDNjbnNzWDNsbm1sTndFCnJiUWd3b2Nja2hHNjJ5MUFlSXZU\nMElEVVg3VGpKdVhxQlNWM1E0S1J3Yk0KLS0tIDFDdDUxemhoaFZlM2N6U1MrcFox\nK0RFdlFkb2lQVG5tUVg3Mmx3bDNJNTgKRFBsVoRGtjciJ9K8WU07u28fbjuZfvGv\njeoZR6T2grpQaw5iLnBwJ9qWXpqHiCmuM/hNICNlskmPhUR8TK9scw==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpVGxWZTZFNFFXTEExVlha\nbHZDS2JVREhxWWtJRnVHUExFT2RQRmJwblFnCjhPbFdTY1Q5Yk1sYlYxdDV2RWZ0\neHVSVEJIL0FqeDBqY3Voa2JRaGMrVk0KLS0tIHdQNkZJblRncDJpdStYbGkwMVZu\nWFF2aVJ2cDFyTk5HNGV5VUduL1JSa3MKrVlkqPdPwNfJGx0cdh8Tw+TbVkuNub3m\nlCrYi1H8Z5EY3TfBM/0ZbcLj7WckrxSDllclmUS5PoUuCtscSKoDdg==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-02-15T15:41:52Z",
+ "mac": "ENC[AES256_GCM,data:29dM/9JDoGaJ76nqfcXHGvVzuYgUiaC/PCmO2rha4SwPqdxrLGRKHNQDpVCVXLdsdVBjsw2lwRDKJvZ112zTDSAIFOust1h3NIl0BwcDr/4slEDRVNmy6N01NjQxmvODT6wYv5XXkarSmPFDLEfc8JaYitA7FsuD64sXjY6AbVc=,iv:i7ZiAOHVBtQkP2u97xAqDnSorPAHIdnKSreqxzZQijc=,tag:neaUr/ZUg3GlHjulYWbZ3A==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.4"
+ }
+}
\ No newline at end of file
diff --git a/non-critical-infra/secrets/signing-key.staging-hydra b/non-critical-infra/secrets/signing-key.staging-hydra
new file mode 100644
index 00000000..d28df0a7
--- /dev/null
+++ b/non-critical-infra/secrets/signing-key.staging-hydra
@@ -0,0 +1,32 @@
+{
+ "data": "ENC[AES256_GCM,data:cPViz9seX59g1dneq/kngFZSIUP81osOEs/kbLr+OrKB8MSe4tg6O1G5c3uSHPfMNbeYdhG6CinZZCY5Lk22rRyrFLaJfHi8xTsnsEtIcC9v4q+cFyOfPmJE7SblmiNGyjYNTZl6sdC5awnbXjo1aNPGfQ==,iv:DrY/VDNXiV/WMNjyD8wrQmEE36jHbCTUn7UiHk/PeDM=,tag:DRVVu7VMqlfnxwDJaobSpw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVElpb0lUY1RpYmtJdEE0\nL0FtdTNCSEpMK1gxTTZzSjAyLzRSd1Q3VzBNCmJyRTBWaDNuU0lIbzg3aGp0TG90\nV25ZOHNhMmhDRXFsWXJWc2xiRFYxQncKLS0tIG1iQk02WkRQOGNJTmo2R05JSnVH\ncEdhNlJ3SlhDOGNJYWYycWFmY0pZQ00KGqj7vzYgbYNZYF8sG/e7wDaEXhwdRjI9\nJhfCMw8EN6eRG7k11ThFXIk07EQOlvEUiSRb8GdovEBaMIZBxaI3Pw==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIQzVHVi81RkxmcjhYRUVX\nNGdCZlQ3TWFRVnR5ZDhQK1dGQzREaktkZGtvCkp6UFdWbUFNY1JOaVZiQXpXL09G\nRW81NGdnQUo3LzFYQW42SUgvTTNqTTgKLS0tIEpva09SQWwvTitRbkxNOUkwL2FT\nNlNrVHVsc1dlbnZIazM3b0tRT0JpbmsKgrGxxEnzsyryna7we/OMGs9QH7qaoGY5\ny3eK24fHf0gXIUCIidjzG/WJGcmv6KYMUdTv9ThNxJIZaeDNR85b7Q==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdm10NXN2NUZ2VkFYWjNk\nS3NOd0xhemd2WWdJNmNCWm9YaGZXTGJ6SGt3Cm53Q05TTGpacklDNGJZc01aUmxj\nK0tQOStuNXMxWEVCZTl0OFdyU0dWc28KLS0tIHU5NlR5SDJCREVQTlQ5RXFSK2Q0\nazY3RHJDVkVhOE1KQkRiU2NUYTBWQkkKKf4hOc3AhVvUbAQldTLWgEaG6IypJGdV\nV1XN/fbDozDcm0CHB/JJZsRErrpYQNSC4XJMR1kM2ZD1Rw3DnJjvtg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiOUppNDBwQmsxdmtZVWJs\nenRDeUNqZzZxaW56eWVHTTg0Z2RYamlLOGlVCmlxVDd3clU0SldFZFJZcFlMRGJx\nZ1BkTmtPN1k0SXkzTVVxUXdGc1dMbFkKLS0tIGVYYUtnRGxPcmRIQnM4MkYxSjRJ\ndktHbEU3TE5WT21UYXllejhNR1RyY0EKBaK7nv12X+bjQn0ogxMFfrnY76W5no8r\nmCrPBQ63YhRVfgnDD81tjBcIblDoBHcOuvyXTX3F1oYCOnGWcVjxHg==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-02-12T09:27:43Z",
+ "mac": "ENC[AES256_GCM,data:6IPR2vcE0XxIbwsyaTIADl34wHSikT/Jy1UYPJPexvw22JbAQyIJn8dZQvpa6IrIi1+thLyambL1BXwiYmOepQWCXIWTYNDhu3xNi9UwpjdwGpLGCFQz18eXnqRLWZT3UXyZ5aEFdHGHgbMbHEkJ+suK3FqJCXn4AvmlqER211Q=,iv:q1ZKHd4VwLLmx5lUekt0yVdSy7kiZCUMzuygjg/jCh8=,tag:VBkblBU0osFoANXymHiWcw==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.4"
+ }
+}
\ No newline at end of file
diff --git a/non-critical-infra/secrets/staging-hydra-hostkeys.yaml b/non-critical-infra/secrets/staging-hydra-hostkeys.yaml
new file mode 100644
index 00000000..c2bdb6d5
--- /dev/null
+++ b/non-critical-infra/secrets/staging-hydra-hostkeys.yaml
@@ -0,0 +1,40 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:kWEbM4cKF2gBc6YFkjag38CQFHwPr1WjoFazQJKJCPA=,tag:JTcCuDq5VbwcvnLX7/fT3Q==,type:str]
+ssh_host_ed25519_key.pub: ENC[AES256_GCM,data:l81c4JwjKoWutFi1+WzyDh8Hcr5spDbRCOtghyPlRjq8vIzCqwnhtf5ifTKVgIvN1Updd0oYDSWa9YhjFhrWvCGBh0JVqKLVKB/ejm1jRdUO,iv:W9CY6YjtnCv6L7kdSwpFB/38GoU2AIIzdWTsxUPHnGU=,tag:TNq7oDVbUb6mrSdZ4Z6/wg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWEZWT2h1L05lb2gyODlx
+ S3ZudXg0Wnk4OWIvenBOejFBMWhtNTNDdHg4CkZ2Vmx1bnF1QnNXNktzRmErOFJq
+ cFF1RHU4c214eDJKdzMzOXI5Q1hkaFkKLS0tIE53bitoZkNHVFVEUE13eVg3czZh
+ WmNZWHFiUGN2WnpWcWcxdkdlNlJ5UFEKLD2155H+5RU+wB3JUFm1smJGmNI72DJD
+ 6eH62pn8RzdzFPcSg7wmdTSfI+nRtXkVz6wdjd/g3vix6e6Lz5O8GA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSWRlYnBDbHdyNnJaRnYw
+ M1RsMGd1QUgzZVl1aXRPUHluMm5Wdk1LZnlZCndQRFUzcEcxWXFNZGhSbm9LMzhI
+ YTd4eXZQdm9yTHlFQUxVZDBjTU1aVncKLS0tIFZkR2hUZ1BMVytGUTBnNWROT1g5
+ bFpuZ2hFSzV4WVlIZ0tVMERkRzkvK2cKicdx+Sw/t//pH3sUilRwfTQ4M6rk6mcz
+ fsotjUPd76aelejHG2S719WrPE2M8JPGV7YHekP0hr4rLJAE+cKbVQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFV29GUWNDSCtkVjdrNUFW
+ TG1VU2Y2d1hUenoyV1ZwL1ZuTkQ4Tm9pQUNVCktIeXVNQXd0RTl0TkxnNFRVcWw0
+ bUFodzJpdm55MmtZb2wrVmtydW8zZUEKLS0tIFFkS0lmK2o5cHQzbWZiZWc3M1pD
+ Ly9CYm9Ed1F1Q2JhU2p4Zytnd0lsREkK4JY16UGHu41RYxqdSr7b1owUSuZtxhmK
+ 15PSfEEiTnR3nrpO0L+66Tmmz4aM5nUfmUBgwkh7mYhs5/0C4YvOsA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-02-12T09:19:59Z"
+ mac: ENC[AES256_GCM,data:Ym3YsYfQOd4D8iZ0K01gF6IzvYYvQEKFWzLqL815Nk0ozW1g3D8xPcNxVxb0juvRjbeBXlz0fkDLXxJ1N0ZMASmZ2wHxfR9w5J+CL8hyCmsutJ+ofdiZVJ+ZwEKfenPp/Ke02ce+5EixxU5X3Ad04kLjNalOmmkNhTd5WRFbFe8=,iv:guGa3Nz1DC8Bo5yVP6unoCFGVigKmAKliXA8r5gKyNg=,tag:k69LdmsWW5gYbamdD2S4Ig==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
diff --git a/terraform-iam/cache-staging.tf b/terraform-iam/cache-staging.tf
new file mode 100644
index 00000000..13f69a8b
--- /dev/null
+++ b/terraform-iam/cache-staging.tf
@@ -0,0 +1,51 @@
+resource "aws_iam_user" "s3-upload-cache-staging" {
+ name = "s3-upload-cache-staging"
+}
+
+resource "aws_iam_access_key" "s3-upload-cache-staging" {
+ user = aws_iam_user.s3-upload-cache-staging.name
+}
+
+data "aws_iam_policy_document" "s3-upload-cache-staging" {
+ statement {
+ # Read-only access and listing permissions
+ # To the cache and releases inventories,
+ # as well as the bucket where cache bucket logs end up in.
+ sid = "NixCacheStagingBucket"
+
+ actions = [
+ "s3:*"
+ ]
+
+ resources = [
+ "arn:aws:s3:::nix-cache-staging",
+ "arn:aws:s3:::nix-cache-staging/*",
+ "arn:aws:s3:::nix-cache-staging-202410",
+ "arn:aws:s3:::nix-cache-staging-202410/*",
+ ]
+ }
+}
+
+# This is the role that is given to the AWS Identity Center users
+resource "aws_iam_policy" "s3-upload-cache-staging" {
+ provider = aws.us
+
+ name = "s3-upload-cache-staging"
+ description = "used by staging hydra"
+
+ policy = data.aws_iam_policy_document.s3-upload-cache-staging.json
+}
+
+resource "aws_iam_user_policy_attachment" "s3-upload-cache-staging-attachment" {
+ user = aws_iam_user.s3-upload-cache-staging.name
+ policy_arn = aws_iam_policy.s3-upload-cache-staging.arn
+}
+
+output "s3-upload-key-staging" {
+ value = {
+ key = aws_iam_access_key.s3-upload-cache-staging.id
+ secret = aws_iam_access_key.s3-upload-cache-staging.secret
+ }
+ sensitive = true
+}
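Review bot: The `s3-upload-cache-staging` statement grants `s3:*` on both staging buckets, which contradicts its own comment ("Read-only access and listing permissions") and gives a long-lived access key stored on a build host rights such as `s3:DeleteBucket` and `s3:PutBucketPolicy` that an upload user never needs. Hydra's S3 store needs object get/put/list plus the multipart-upload actions on the bucket, so enumerate those (the list below follows the permissions the Nix manual suggests for an S3 binary cache; trim further if the second bucket only needs reads) and correct the comment to describe what the statement does. The comment `# This is the role that is given to the AWS Identity Center users` above `aws_iam_policy` is also a copy-paste leftover: this is a policy attached to the `s3-upload-cache-staging` IAM user, not an Identity Center role. The `aws_iam_access_key` secret lands in Terraform state regardless of `sensitive = true` on the output, so access control on the state backend is the real boundary for that credential.
```hcl
data "aws_iam_policy_document" "s3-upload-cache-staging" {
  statement {
    # Object read/write and listing on the staging cache buckets,
    # used by the staging hydra queue-runner as its S3 store.
    sid = "NixCacheStagingBucket"

    actions = [
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:PutObject",
      "s3:ListBucketMultipartUploads",
      "s3:ListMultipartUploadParts",
      "s3:AbortMultipartUpload",
    ]

    # … unchanged: resources list …
  }
}
```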
+
diff --git a/terraform/dns.tf b/terraform/dns.tf
index d70005de..1b9c47ad 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -51,6 +51,16 @@ locals {
type = "CNAME"
value = "mimas.nixos.org"
},
+ {
+ hostname = "staging-hydra.nixos.org"
+ type = "A"
+ value = "157.180.25.203"
+ },
+ {
+ hostname = "staging-hydra.nixos.org"
+ type = "AAAA"
+ value = "2a01:4f9:c012:d5d3::1"
+ },
{
hostname = "monitoring.nixos.org"
type = "CNAME"
@@ -269,6 +279,7 @@ locals {
value = "142.132.140.199"
},
+
# oakhost m2
{
hostname = "eager-heisenberg.mac.nixos.org"