From 26e6dce213502c15f6a102b76141bb7400909427 Mon Sep 17 00:00:00 2001 From: Michael Schneider Date: Wed, 12 Feb 2025 10:54:46 +0300 Subject: [PATCH 01/23] staging-hydra: init --- flake.lock | 160 +++++++++++++++++- flake.nix | 4 + non-critical-infra/.sops.yaml | 17 ++ non-critical-infra/flake-module.nix | 57 ++++--- .../hosts/staging-hydra/default.nix | 37 ++++ .../hosts/staging-hydra/disko.nix | 61 +++++++ .../hosts/staging-hydra/hardware.nix | 15 ++ .../hosts/staging-hydra/hydra.nix | 154 +++++++++++++++++ .../secrets/signing-key.staging-hydra | 28 +++ .../secrets/staging-hydra.hostkeys | 24 +++ .../secrets/staging-hydra.hostkeys.pub.tmp | 1 + .../secrets/staging-hydra.hostkeys.tmp | 7 + 12 files changed, 537 insertions(+), 28 deletions(-) create mode 100644 non-critical-infra/hosts/staging-hydra/default.nix create mode 100644 non-critical-infra/hosts/staging-hydra/disko.nix create mode 100644 non-critical-infra/hosts/staging-hydra/hardware.nix create mode 100644 non-critical-infra/hosts/staging-hydra/hydra.nix create mode 100644 non-critical-infra/secrets/signing-key.staging-hydra create mode 100644 non-critical-infra/secrets/staging-hydra.hostkeys create mode 100644 non-critical-infra/secrets/staging-hydra.hostkeys.pub.tmp create mode 100644 non-critical-infra/secrets/staging-hydra.hostkeys.tmp diff --git a/flake.lock b/flake.lock index 524c1c3b..dfe09074 100644 --- a/flake.lock +++ b/flake.lock @@ -177,6 +177,28 @@ "type": "github" } }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "hydra", + "nix-eval-jobs", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -217,6 +239,115 @@ "type": "github" } }, + "hydra": { + "inputs": { + "libgit2": "libgit2", + "nix": "nix", + "nix-eval-jobs": "nix-eval-jobs", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738975358, + "narHash": "sha256-jTImB+S+CTyGaE6PgAD5KiUOCf+AMWPvVIKhjzjHqWM=", + "owner": "NixOS", + "repo": "hydra", + "rev": "25eb7251f66ceee527ae50e4057edc17d75dd316", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "hydra.nixos.org", + "repo": "hydra", + "type": "github" + } + }, + "libgit2": { + "flake": false, + "locked": { + "lastModified": 1715853528, + "narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=", + "owner": "libgit2", + "repo": "libgit2", + "rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96", + "type": "github" + }, + "original": { + "owner": "libgit2", + "ref": "v1.8.1", + "repo": "libgit2", + "type": "github" + } + }, + "nix": { + "inputs": { + "flake-compat": [ + "hydra" + ], + "flake-parts": [ + "hydra" + ], + "git-hooks-nix": [ + "hydra" + ], + "libgit2": [ + "hydra", + "libgit2" + ], + "nixpkgs": [ + "hydra", + "nixpkgs" + ], + "nixpkgs-23-11": [ + "hydra" + ], + "nixpkgs-regression": [ + "hydra" + ] + }, + "locked": { + "lastModified": 1726787955, + "narHash": "sha256-XFznzb8L4SdUm9u+w3DPpMWJhffuv+/6+aiVl00slns=", + "owner": "NixOS", + "repo": "nix", + "rev": "a7fdef6858dd45b9d7bda7c92324c63faee7f509", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "2.24-maintenance", + "repo": "nix", + "type": "github" + } + }, + "nix-eval-jobs": { + "inputs": { + "flake-parts": "flake-parts_2", + "nix-github-actions": [ + "hydra" + ], + "nixpkgs": [ + "hydra", + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1733814344, + "narHash": "sha256-3wwtKpS5tUBdjaGeSia7CotonbiRB6K5Kp0dsUt3nzU=", + "owner": "nix-community", + "repo": "nix-eval-jobs", + "rev": "889ea1406736b53cf165b6c28398aae3969418d1", + "type": "github" + }, + "original": { + "owner": 
"nix-community", + "ref": "release-2.24", + "repo": "nix-eval-jobs", + "type": "github" + } + }, "nix-github-actions": { "inputs": { "nixpkgs": [ @@ -354,12 +485,17 @@ "first-time-contribution-tagger": "first-time-contribution-tagger", "flake-parts": "flake-parts", "flake-utils": "flake-utils", + "hydra": "hydra", + "nix": [ + "hydra", + "nix" + ], "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver", "sops-nix": "sops-nix", "srvos": "srvos", - "treefmt-nix": "treefmt-nix" + "treefmt-nix": "treefmt-nix_2" } }, "simple-nixos-mailserver": { @@ -439,6 +575,28 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "hydra", + "nix-eval-jobs", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723303070, + "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "14c092e0326de759e16b37535161b3cb9770cea3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": "nixpkgs_3" }, diff --git a/flake.nix b/flake.nix index dca94029..f7f20acf 100644 --- a/flake.nix +++ b/flake.nix @@ -48,6 +48,10 @@ flake-utils.follows = "flake-utils"; }; }; + + hydra.url = "github:NixOS/hydra/hydra.nixos.org"; + hydra.inputs.nixpkgs.follows = "nixpkgs"; + nix.follows = "hydra/nix"; }; outputs = inputs@{ flake-parts, ... }: diff --git a/non-critical-infra/.sops.yaml b/non-critical-infra/.sops.yaml index 82d3baca..f4cdce55 100644 --- a/non-critical-infra/.sops.yaml +++ b/non-critical-infra/.sops.yaml 
@@ -3,6 +3,9 @@ keys: - &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h - &caliban age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq - &umbriel age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6 + - &staging-hydra age13emk4xkrde0qhgnuu24jl7vt6mdq99w56c4ngse9mxh4j0pxvuvq3zsppt + - &m1-s age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8 + - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz creation_rules: - path_regex: secrets/[^/]+.caliban @@ -18,3 +21,17 @@ creation_rules: - *umbriel - *hexa - *zimbatm + + # ssh keys used to bootstrap new machines + - path_regex: secrets/[^/]+.hostkeys + key_groups: + - age: + - *m1-s + - *mic92 + + - path_regex: secrets/[^/]+.staging-hydra + key_groups: + - age: + - *staging-hydra + - *m1-s + - *mic92 diff --git a/non-critical-infra/flake-module.nix b/non-critical-infra/flake-module.nix index 45c5cd33..4faa90e9 100644 --- a/non-critical-infra/flake-module.nix +++ b/non-critical-infra/flake-module.nix @@ -1,8 +1,7 @@ -{ - self, - inputs, - lib, - ... +{ self +, inputs +, lib +, ... }: { flake = 
@@ -14,25 +13,27 @@ )); in { - nixosConfigurations = builtins.mapAttrs ( - _name: value: - inputs.nixpkgs.lib.nixosSystem { - inherit lib; - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - }; - modules = [ - value - inputs.disko.nixosModules.disko - inputs.first-time-contribution-tagger.nixosModule - inputs.simple-nixos-mailserver.nixosModule - inputs.sops-nix.nixosModules.sops - ]; - extraModules = [ inputs.colmena.nixosModules.deploymentOptions ]; + nixosConfigurations = builtins.mapAttrs + ( + _name: value: + inputs.nixpkgs.lib.nixosSystem { + inherit lib; + system = "x86_64-linux"; + specialArgs = { + inherit inputs; + }; + modules = [ + value + inputs.disko.nixosModules.disko + inputs.first-time-contribution-tagger.nixosModule + inputs.simple-nixos-mailserver.nixosModule + inputs.sops-nix.nixosModules.sops + ]; + extraModules = [ inputs.colmena.nixosModules.deploymentOptions ]; - } - ) (importConfig ./hosts); + } + ) + (importConfig ./hosts); colmena = { @@ -43,10 +44,12 @@ specialArgs.lib = lib; }; } - // builtins.mapAttrs (_: v: { - deployment.tags = [ "non-critical-infra" ]; - imports = v._module.args.modules; - }) self.nixosConfigurations; + // builtins.mapAttrs + (_: v: { + deployment.tags = [ "non-critical-infra" ]; + imports = v._module.args.modules; + }) + self.nixosConfigurations; }; perSystem = diff --git a/non-critical-infra/hosts/staging-hydra/default.nix b/non-critical-infra/hosts/staging-hydra/default.nix new file mode 100644 index 00000000..ae088371 --- /dev/null +++ b/non-critical-infra/hosts/staging-hydra/default.nix 
@@ -0,0 +1,37 @@
+{ inputs, lib, ... }:
+{
+ imports = [
+ ./hardware.nix
+ inputs.srvos.nixosModules.server
+ inputs.srvos.nixosModules.hardware-hetzner-cloud-arm
+ ../../modules/common.nix
+ ./hydra.nix
+ inputs.hydra.nixosModules.hydra
+ ];
+
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ timeout = lib.mkForce 5;
+ efi.efiSysMountPoint = "/efi";
+ };
+ kernelParams = [ "console=tty" ];
+ };
+ networking = {
+ hostName = "staging-hydra";
+ domain = "nixos.org";
+ };
+
+ systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:c012:d5d3::1/128";
+
+ disko.devices = import ./disko.nix;
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ networking.firewall.allowedUDPPorts = [ ];
+
+ system.stateVersion = "24.11";
+ users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFq+rXslVKnGlJKlSmuenBaZtVUZCL2rtFgmDmcbLQyT" ];
+}
diff --git a/non-critical-infra/hosts/staging-hydra/disko.nix b/non-critical-infra/hosts/staging-hydra/disko.nix
new file mode 100644
index 00000000..dcc19066
--- /dev/null
+++ b/non-critical-infra/hosts/staging-hydra/disko.nix
@@ -0,0 +1,61 @@
+{
+ disk = {
+ main = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ esp = {
+ type = "EF00";
+ size = "1024M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/efi";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ zpool.zroot = {
+ type = "zpool";
+ options = {
+ # smartctl --all /dev/sda
+ # Logical block size: 512 bytes
+ ashift = "9";
+ };
+ rootFsOptions = {
+ acltype = "posixacl";
+ compression = "zstd";
+ mountpoint = "none";
+ xattr = "sa";
+ };
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ };
+ "nix" = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ };
+ "reserved" = {
+ type = "zfs_fs";
+ options = {
+ canmount = "off";
+ refreservation = "1G";
+ };
+ };
+ };
+ };
+}
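Review bot: The root authorized key on the last line carries no comment identifying its owner or purpose, so nothing in the repository says whose key grants root on this host or when it should be revoked; label it (`"ssh-ed25519 AAAA… <owner>@<machine>"`) or reference the owner's key from a shared module so a revocation is a single edit. The firewall opens TCP 80 and 443, but nothing in this patch configures a web server or TLS termination in front of Hydra, so either a reverse proxy is configured elsewhere (possibly in `../../modules/common.nix`, not visible here) or these ports are opened for nothing on a host with a public IPv6 address — worth confirming before deploying. The imports also pull in `inputs.srvos.nixosModules.hardware-hetzner-cloud-arm` while `hardware.nix` in the same patch sets `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"` and flake-module.nix builds every host as x86_64-linux; one of the two is wrong.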
diff --git a/non-critical-infra/hosts/staging-hydra/hardware.nix b/non-critical-infra/hosts/staging-hydra/hardware.nix
new file mode 100644
index 00000000..4b0b75f7
--- /dev/null
+++ b/non-critical-infra/hosts/staging-hydra/hardware.nix
@@ -0,0 +1,15 @@
+{ lib, ... }:
+{
+
+ boot.initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "virtio_pci"
+ "usbhid"
+ "sr_mod"
+ ];
+ kernelModules = [ "virtio_gpu" ];
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix
new file mode 100644
index 00000000..195a89dd
--- /dev/null
+++ b/non-critical-infra/hosts/staging-hydra/hydra.nix
@@ -0,0 +1,154 @@ +{ lib +, pkgs +, config +, ... +}: +let + narCache = "/var/cache/hydra/nar-cache"; + localSystems = [ + "builtin" + config.nixpkgs.hostPlatform.system + ]; +in +{ + networking.firewall.allowedTCPPorts = [ + 9198 # queue-runnner metrics + 9199 # hydra-notify metrics + ]; + + # garbage collection + nix.gc = { + automatic = true; + options = ''--max-freed "$((400 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"''; + dates = "03,09,15,21:15"; + }; + + # gc outputs as well, since they are served from the cache + nix.settings.gc-keep-outputs = lib.mkForce false; + + # Don't rate-limit the journal. + services.journald.rateLimitBurst = 0; + + # age.secrets.hydra-aws-credentials = { + # file = ./secrets/hydra-aws-credentials.age; + # path = "/var/lib/hydra/queue-runner/.aws/credentials"; + # owner = "hydra-queue-runner"; + # group = "hydra"; + # }; + + sops.secrets.signing-key = { + sopsFile = ../../secrets/signing-key.staging-hydra; + format = "binary"; + }; + + services.hydra-dev = { + enable = true; + package = pkgs.hydra; + buildMachinesFiles = [ + (pkgs.writeText "local" '' + localhost ${lib.concatStringsSep "," localSystems} - 3 1 ${lib.concatStringsSep "," config.nix.settings.system-features} - - + '') + ]; + logo = ../../../build/hydra-logo.png; + hydraURL = "https://hydra.nixos.org"; + notificationSender = "edolstra@gmail.com"; + smtpHost = "localhost"; + useSubstitutes = false; + extraConfig = '' + max_servers 30 + + store_uri = s3://nixos-cache-staging?secret-key=${config.sops.secrets.signing-key.path}=1&ls-compression=br&log-compression=br + server_store_uri = https://cache-staging.nixos.org?local-nar-cache=${narCache} + binary_cache_public_uri = https://cache-staging.nixos.org + + + cache_size = 32m + + + # patchelf:master:3 + xxx-jobset-repeats = nixos:reproducibility:1 + + upload_logs_to_binary_cache = true + compress_build_logs = false # conflicts with upload_logs_to_binary_cache + + log_prefix 
= https://cache.nixos.org/ + + evaluator_workers = 16 + evaluator_max_memory_size = 8192 + + max_concurrent_evals = 1 + + # increase the number of active compress slots (CPU is 48*2 on mimas) + max_local_worker_threads = 144 + + max_unsupported_time = 86400 + + allow_import_from_derivation = false + + max_output_size = 3821225472 # 3 << 30 + 600000000 = 3 GiB + 0.6 GB + max_db_connections = 350 + + queue_runner_metrics_address = [::]:9198 + + + + listen_address = 0.0.0.0 + port = 9199 + + + ''; + }; + + systemd = { + tmpfiles.rules = [ + "d /var/cache/hydra 0755 hydra hydra - -" + "d ${narCache} 0775 hydra hydra 1d -" + ]; + + # eats memory as if it was free + services = { + hydra-notify.enable = false; + hydra-queue-runner = { + # restarting the scheduler is very expensive + restartIfChanged = false; + serviceConfig = { + ManagedOOMPreference = "avoid"; + LimitNOFILE = 65535; + }; + }; + + hydra-prune-build-logs = { + description = "Clean up old build logs"; + startAt = "weekly"; + serviceConfig = { + User = "hydra-queue-runner"; + Group = "hydra"; + ExecStart = lib.concatStringsSep " " [ + (lib.getExe pkgs.findutils) + "/var/lib/hydra/build-logs/" + "-ignore_readdir_race" + "-type" + "f" + "-mtime" + "+${toString (3 * 365)}" # days + "-delete" + ]; + }; + }; + }; + }; + + programs.ssh = { + hostKeyAlgorithms = [ + "rsa-sha2-512-cert-v01@openssh.com" + "ssh-ed25519" + "ssh-rsa" + "ecdsa-sha2-nistp256" + ]; + + extraConfig = lib.mkAfter '' + ServerAliveInterval 120 + TCPKeepAlive yes + ''; + }; +} diff --git a/non-critical-infra/secrets/signing-key.staging-hydra b/non-critical-infra/secrets/signing-key.staging-hydra new file mode 100644 index 00000000..27ba3103 --- /dev/null +++ b/non-critical-infra/secrets/signing-key.staging-hydra 
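Review bot: The metrics endpoints are bound to every interface (`queue_runner_metrics_address = [::]:9198`, `listen_address = 0.0.0.0` with `port = 9199`) and the firewall at the top of the file opens both ports, so the unauthenticated Prometheus endpoint of the queue runner is reachable from the host's public IPv6 address; bind it to localhost or restrict it to the scraper's address, and note that 9199 is opened for hydra-notify, which this same file turns off (`hydra-notify.enable = false`). The `store_uri` uploads to `s3://nixos-cache-staging` whereas the IAM policy added in the next patch grants access to `nix-cache-staging` and `nix-cache-staging-202410`, so one of the bucket names is wrong. `hydraURL = "https://hydra.nixos.org"` and `notificationSender = "edolstra@gmail.com"` are the production values copied onto a staging host, so links in notifications and the signing-key path in `store_uri` will present this staging instance as production. `programs.ssh.hostKeyAlgorithms` re-enables `ssh-rsa` (SHA-1 signatures) for host keys, which OpenSSH disables by default; drop it unless a build machine actually needs it, and say so in a comment if it does.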
@@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:r5OuTSn3XvJnDotfbVuCC/CmMJM30GTpvi9xYd824nc8RwoFG5ivV29mUo8kj2A/C8I1sgmxHbRSM3zCDQ5nDV6ul9XFqsFlK+9l5O2hZXSEq7crE6IEPJKXlYvQGTbZH9VcIrigDOCUiZgbfDFTnWIQ,iv:DcMMvNoINfUwCp4kKcQt3Ya5iOD1rQ08ft0blz7QuoA=,tag:APdvyc+0L9rz+5vhtothtQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13emk4xkrde0qhgnuu24jl7vt6mdq99w56c4ngse9mxh4j0pxvuvq3zsppt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1U0xMRmlPV2ROMnFOVk9X\nZC9NWjJ5a2ZoTWlWVTNwUTVxWlFhZHN1bFd3Cnl5TmgwRE5aVkdjMVluYmI5VHJD\nMVhyQTM0eVVpejVRMjV1WWxyTGRzQkEKLS0tIG1IZnM4cmo5NW9ha3h2cFFOdWRQ\nb25yUmVOdkZ6NCt4QW9LNHpDSWNJZXcKbvtROz30bj6DYn8bRX++TpZWYTc6LPBl\nu3WgIKIq1nucagf+tAsIO5ZTdNByK3DGYKFdp9+RLFxHLu6XCTePZg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNHJCcmUzT2pFL3ZrT2FF\nN1grblQvL3Y2eWNXb2pJS0JXeEVOMUlPVFZvCmgyMDRwamFaSFk5TzE4cFJGaHlF\ncStOaUplOUZOTVBWUCtnWVNseFpoOHcKLS0tIDRIUGtpd1dWV2pqQnliK3NBcHVQ\nQnU2MTJNeUtHMEpmcmI0K0lzMjhZaHMKgGzuhwZqGLzufcGAYD/Io7rRO7EMmegq\ntKik/ZPqCRSw8XIX+Iiqp1miDV2MzgmLwQXm8IAT/9kWJmVK4j8ILg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb2ljNWl5SUhGUXZmQXhP\nTDF4bzhVYnpSdUFFVWVzeURnS1gxSVUrNWtVClR0S05HWUtpSU5ETWh0YVhJcS9C\nMmtwS1ZZSnRSMlVYQWtMMk5GVGhWVjAKLS0tIGdnYmEyaDBMbDhaUVpOUzN5OWk3\nKzkvSU1wQWxETDJiMWxVYUhuV1V4aEkKwjiLNhN2WvjV1WC648tl2bUIgcthFo/r\nwGF2G+J7ueAp3WGWRtd1a2kQNn8MLqCZksUMeksy4+3570kKmdCOrg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-12T07:28:02Z", + "mac": 
"ENC[AES256_GCM,data:Kk+FO9fjspAPkzs1orp5iXuVc1iLXbMr5PRmM9lDULjGZ2gpgS2JJF/Uf+4OeWrmLRmUwqa0dPPr3gR4/BEQmPk7FKqlr66iFun8Y/ExV38hWKGzBOvDxZIGdzT5i0S5SrohjhjQN2qzM8l6YANN21wogv/I0Mb/KKUNlBK/z9E=,iv:2fN19YDoZ7+0BVBo9FQJkPpjyGr2AB9GtYp4kvX+tUw=,tag:KrYOLR38mxv1eYOEoG9pNg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.4" + } +} \ No newline at end of file diff --git a/non-critical-infra/secrets/staging-hydra.hostkeys b/non-critical-infra/secrets/staging-hydra.hostkeys new file mode 100644 index 00000000..898aaeb1 --- /dev/null +++ b/non-critical-infra/secrets/staging-hydra.hostkeys 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:5z+8/wJR2tFuZF5aRKUX7xa89QqHVx0YVCjsPfIoC8Y=,tag:sC4/gyabxyFhdhWc7jAFIg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSzY3WFc2dDhPRVNTOFJH\ncVlkWnQ2L1V4dGNhZllvZVhlYnlVZXQvVzFnCnBiWXkwS2FFbVMrdjNZOGhIU001\nL3VmOGp1QTRpMWlRY2s5UGFqN01tc0UKLS0tIHV1b2FwWEhTY09SdGlGc3NhbnVZ\nUmd5dVdIZE9jWUV2VW8vb3dNK0JDYlkKElQj+C53jgVk2QTKAhsHCFMzKAwXWozP\ngSI8j4osvza/GqEM6XvQl/tW/TYcxIPDazK9tXOJEfbHmGh8ADyCaA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMakVLWHFSaDVwTnpud2ZF\nZExnSDY1VGI1YjF4ZGl0NWdLQi9udGlwS2d3CnhwVEtIU1ZLMGdFaGhLQlNMSjVJ\nTjZXTUo4SzJiVUZiM2tjQVJJT3ZiL2MKLS0tIDkxUlhTZnZmVEN6RVdSTndwazdn\nZU1QcWlWL0gwTWIvWXhtQVFOb2VYaWsKEZX9COQbwRP/OvimWL6ijR2lsQBihssd\n7lZwH5xcKNWXH/u4lLxXQx7ARtEBX9kMKGtF8uGq6NCt2Gjlt/lJWg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-12T07:19:21Z", + "mac": "ENC[AES256_GCM,data:ZS6cY/umbUO7Aj1cnmLiCMLyhiiyAupEBL8/qDkO5JYZ4ufQN3WfiKebbndpLyl+35bMBL9C640BWTFh90Y0AwaZ2IxbAmTLGiqaeMG7ESzNXv1XYWF1MJdIa5i7hsl6DdKn26aHocmDIMMQ1tglZfk42fucJTWncUbio4trPfg=,iv:9dPqNw6utDO9boVzbRdtd1CtKSTG84upG0QQDPfH5Ow=,tag:CJm4QzxRi0SwCuGHxxw/Ew==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/non-critical-infra/secrets/staging-hydra.hostkeys.pub.tmp b/non-critical-infra/secrets/staging-hydra.hostkeys.pub.tmp new file mode 100644 index 00000000..d958d044 --- /dev/null +++ b/non-critical-infra/secrets/staging-hydra.hostkeys.pub.tmp 
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK81IHfeA/GXIgb9N5hl/qtCSsSBqs+FkppGklxworUD m1-s@thinkbook diff --git a/non-critical-infra/secrets/staging-hydra.hostkeys.tmp b/non-critical-infra/secrets/staging-hydra.hostkeys.tmp new file mode 100644 index 00000000..1b67dd75 --- /dev/null +++ b/non-critical-infra/secrets/staging-hydra.hostkeys.tmp @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACCvNSB33gPxlyIG/TeYZf6rQkrEgarPhZKaRpJccKK1AwAAAJhqdU+1anVP +tQAAAAtzc2gtZWQyNTUxOQAAACCvNSB33gPxlyIG/TeYZf6rQkrEgarPhZKaRpJccKK1Aw +AAAEBsDJIMqVf7Y3FoTZk42DsRyLaBz0fGJUjazwskqATxxq81IHfeA/GXIgb9N5hl/qtC +SsSBqs+FkppGklxworUDAAAADm0xLXNAdGhpbmtib29rAQIDBAUGBw== +-----END OPENSSH PRIVATE KEY----- From d1fc8441ed62cb05f6011a939204e22cf76ff132 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 12 Feb 2025 14:58:06 +0700 Subject: [PATCH 02/23] add aws s3 keys for staging --- terraform-iam/cache-staging.tf | 46 ++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 terraform-iam/cache-staging.tf diff --git a/terraform-iam/cache-staging.tf b/terraform-iam/cache-staging.tf new file mode 100644 index 00000000..22c5197d --- /dev/null +++ b/terraform-iam/cache-staging.tf 
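Review bot: `staging-hydra.hostkeys.tmp` is an unencrypted OpenSSH private key committed to the repository, and the `.pub.tmp` next to it is commented `m1-s@thinkbook`, which looks like a personal user key rather than a host key; a later patch in this series deletes both files, but deletion does not remove the key from git history, so it has to be treated as compromised: rotate it, and revoke any `authorized_keys` entry or sops recipient derived from it. Add a guard so this cannot recur, e.g. `*.tmp` under `secrets/` in `.gitignore` and a pre-commit secret scan of that directory for `BEGIN OPENSSH PRIVATE KEY`.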
@@ -0,0 +1,46 @@
+resource "aws_iam_user" "s3-upload-cache-staging" {
+ name = "s3-upload-cache-staging"
+}
+
+resource "aws_iam_access_key" "s3-upload-cache-staging" {
+ user = aws_iam_user.s3-upload-cache-staging.name
+}
+
+data "aws_iam_policy_document" "s3-upload-cache-staging" {
+ statement {
+ # Read-only access and listing permissions
+ # To the cache and releases inventories,
+ # as well as the bucket where cache bucket logs end up in.
+ sid = "NixCacheStagingBucket"
+
+ actions = [
+ "s3:*"
+ ]
+
+ resources = [
+ "arn:aws:s3:::nix-cache-staging",
+ "arn:aws:s3:::nix-cache-staging/*",
+ "arn:aws:s3:::nix-cache-staging-202410",
+ "arn:aws:s3:::nix-cache-staging-202410/*",
+ ]
+ }
+}
+
+# This is the role that is given to the AWS Identity Center users
+resource "aws_iam_policy" "s3-upload-cache-staging" {
+ provider = aws.us
+
+ name = "s3-upload-cache-staging"
+ description = "used by staging hydra"
+
+ policy = data.aws_iam_policy_document.s3-upload-cache-staging.json
+}
+
+output "s3-upload-key-staging" {
+ value = {
+ key = aws_iam_access_key.s3-upload-cache-staging.id
+ secret = aws_iam_access_key.s3-upload-cache-staging.secret
+ }
+ sensitive = true
+}
+
From f49882b1cd866ecbaeb33df6dd0b87cc71d8bae3 Mon Sep 17 00:00:00 2001
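Review bot: The statement grants `s3:*` on both buckets while the comment directly above it claims "Read-only access and listing permissions"; `s3:*` includes `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:PutBucketAcl`, far more than a cache uploader needs, and the principal is a long-lived static access key whose secret also ends up in Terraform state. Scope the actions to what the Nix S3 store actually calls (object get/put/list plus multipart upload and bucket location — confirm the exact set against the store implementation before dropping `DeleteObject`) and fix the comment; the "This is the role that is given to the AWS Identity Center users" comment is also stale, since this is a policy for an IAM user. Nothing in this file attaches the policy to the user (no `aws_iam_user_policy_attachment`); if that lives in another file, fine, otherwise `s3-upload-cache-staging` has no permissions at all.

```hcl
data "aws_iam_policy_document" "s3-upload-cache-staging" {
  statement {
    # Object read/write/list on the staging cache buckets for the Hydra
    # uploader; no bucket-level administration (policy, ACL, deletion).
    sid = "NixCacheStagingBucket"

    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:AbortMultipartUpload",
      "s3:ListMultipartUploadParts",
    ]

    # … unchanged: resources …
  }
}
```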
From: Michael Schneider Date: Wed, 12 Feb 2025 10:54:46 +0300 Subject: [PATCH 03/23] staging-hydra: init --- non-critical-infra/.sops.yaml | 4 +- non-critical-infra/flake-module.nix | 57 +++++++++---------- .../staging-hydra/bootstrap-staging-hydra.sh | 21 +++++++ .../secrets/signing-key.staging-hydra | 6 +- .../secrets/staging-hydra-hostkeys.yaml | 31 ++++++++++ .../secrets/staging-hydra.hostkeys | 24 -------- .../secrets/staging-hydra.hostkeys.pub.tmp | 1 - .../secrets/staging-hydra.hostkeys.tmp | 7 --- 8 files changed, 84 insertions(+), 67 deletions(-) create mode 100755 non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh create mode 100644 non-critical-infra/secrets/staging-hydra-hostkeys.yaml delete mode 100644 non-critical-infra/secrets/staging-hydra.hostkeys delete mode 100644 non-critical-infra/secrets/staging-hydra.hostkeys.pub.tmp delete mode 100644 non-critical-infra/secrets/staging-hydra.hostkeys.tmp diff --git a/non-critical-infra/.sops.yaml b/non-critical-infra/.sops.yaml index f4cdce55..dff48b1e 100644 --- a/non-critical-infra/.sops.yaml +++ b/non-critical-infra/.sops.yaml @@ -3,7 +3,7 @@ keys: - &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h - &caliban age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq - &umbriel age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6 - - &staging-hydra age13emk4xkrde0qhgnuu24jl7vt6mdq99w56c4ngse9mxh4j0pxvuvq3zsppt + - &staging-hydra age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v - &m1-s age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8 - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz @@ -23,7 +23,7 @@ creation_rules: - *zimbatm # ssh keys used to bootstrap new machines - - path_regex: secrets/[^/]+.hostkeys + - path_regex: secrets/[^/]+-hostkeys.yaml key_groups: - age: - *m1-s diff --git a/non-critical-infra/flake-module.nix b/non-critical-infra/flake-module.nix index 4faa90e9..45c5cd33 100644 
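Review bot: The regex on the renamed rule, `secrets/[^/]+-hostkeys.yaml`, leaves the `.` unescaped so it matches any character; write it as `secrets/[^/]+-hostkeys\.yaml` (the existing `secrets/[^/]+.staging-hydra` rule has the same problem). Replacing the `staging-hydra` recipient here only affects files encrypted from now on: every existing secret encrypted to the old `age13emk…` key must be re-keyed with `sops updatekeys`, otherwise a host holding the new key cannot decrypt it, and the diffstat of this patch shows no recipient changes in the existing secret files.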
--- a/non-critical-infra/flake-module.nix +++ b/non-critical-infra/flake-module.nix @@ -1,7 +1,8 @@ -{ self -, inputs -, lib -, ... +{ + self, + inputs, + lib, + ... }: { flake = @@ -13,27 +14,25 @@ )); in { - nixosConfigurations = builtins.mapAttrs - ( - _name: value: - inputs.nixpkgs.lib.nixosSystem { - inherit lib; - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - }; - modules = [ - value - inputs.disko.nixosModules.disko - inputs.first-time-contribution-tagger.nixosModule - inputs.simple-nixos-mailserver.nixosModule - inputs.sops-nix.nixosModules.sops - ]; - extraModules = [ inputs.colmena.nixosModules.deploymentOptions ]; + nixosConfigurations = builtins.mapAttrs ( + _name: value: + inputs.nixpkgs.lib.nixosSystem { + inherit lib; + system = "x86_64-linux"; + specialArgs = { + inherit inputs; + }; + modules = [ + value + inputs.disko.nixosModules.disko + inputs.first-time-contribution-tagger.nixosModule + inputs.simple-nixos-mailserver.nixosModule + inputs.sops-nix.nixosModules.sops + ]; + extraModules = [ inputs.colmena.nixosModules.deploymentOptions ]; - } - ) - (importConfig ./hosts); + } + ) (importConfig ./hosts); colmena = { @@ -44,12 +43,10 @@ specialArgs.lib = lib; }; } - // builtins.mapAttrs - (_: v: { - deployment.tags = [ "non-critical-infra" ]; - imports = v._module.args.modules; - }) - self.nixosConfigurations; + // builtins.mapAttrs (_: v: { + deployment.tags = [ "non-critical-infra" ]; + imports = v._module.args.modules; + }) self.nixosConfigurations; }; perSystem = diff --git a/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh b/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh new file mode 100755 index 00000000..213069bb --- /dev/null +++ b/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh 
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+# Use this script to deploy the initial keys when bootstrapping a new machines.
+
+set -euo pipefail
+tmpDir=$(mktemp -d)
+sshDir="$tmpDir/etc/ssh"
+mkdir -p "$sshDir"
+trap 'rm -rf "$tmpDir"' EXIT
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+for keyname in ssh_host_ed25519_key ssh_host_ed25519_key.pub; do
+ if [[ $keyname == *.pub ]]; then
+ umask 0133
+ else
+ umask 0177
+ fi
+ sops --extract '["'$keyname'"]' --decrypt "$SCRIPT_DIR/../../secrets/staging-hydra-hostkeys.yaml" >"$sshDir/$keyname"
+done
+nix run nixpkgs#nixos-anywhere -- --extra-files "$tmpDir" -f .#staging-hydra root@157.180.25.203
diff --git a/non-critical-infra/secrets/signing-key.staging-hydra b/non-critical-infra/secrets/signing-key.staging-hydra
index 27ba3103..71b1532b 100644
--- a/non-critical-infra/secrets/signing-key.staging-hydra
+++ b/non-critical-infra/secrets/signing-key.staging-hydra
@@ -1,5 +1,5 @@
 {
- "data": "ENC[AES256_GCM,data:r5OuTSn3XvJnDotfbVuCC/CmMJM30GTpvi9xYd824nc8RwoFG5ivV29mUo8kj2A/C8I1sgmxHbRSM3zCDQ5nDV6ul9XFqsFlK+9l5O2hZXSEq7crE6IEPJKXlYvQGTbZH9VcIrigDOCUiZgbfDFTnWIQ,iv:DcMMvNoINfUwCp4kKcQt3Ya5iOD1rQ08ft0blz7QuoA=,tag:APdvyc+0L9rz+5vhtothtQ==,type:str]",
+ "data": "ENC[AES256_GCM,data:cPViz9seX59g1dneq/kngFZSIUP81osOEs/kbLr+OrKB8MSe4tg6O1G5c3uSHPfMNbeYdhG6CinZZCY5Lk22rRyrFLaJfHi8xTsnsEtIcC9v4q+cFyOfPmJE7SblmiNGyjYNTZl6sdC5awnbXjo1aNPGfQ==,iv:DrY/VDNXiV/WMNjyD8wrQmEE36jHbCTUn7UiHk/PeDM=,tag:DRVVu7VMqlfnxwDJaobSpw==,type:str]",
 "sops": {
 "kms": null,
 "gcp_kms": null,
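Review bot: `nix run nixpkgs#nixos-anywhere` on the last line resolves `nixpkgs` through the operator's flake registry rather than this repository's flake.lock, so the tool that writes the decrypted host private key onto a fresh machine is unpinned and differs from operator to operator; run it from locked inputs instead (add `nixos-anywhere` as a flake input and use `nix run .#nixos-anywhere`, or at minimum `nix run github:nix-community/nixos-anywhere/<rev>`). The first connection to `root@157.180.25.203` is trust-on-first-use and `--extra-files` ships the host key over it, so the script should at least make the operator verify the rescue system's host-key fingerprint (for instance with `ssh-keyscan` output compared against whatever the provider console shows) before proceeding. Minor: move the `trap` to immediately after `mktemp -d`, before `mkdir -p`, so the directory holding the decrypted key is removed even if `mkdir` fails, and quote the expansion in `--extract '["'"$keyname"'"]'`.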
@@ -19,8 +19,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb2ljNWl5SUhGUXZmQXhP\nTDF4bzhVYnpSdUFFVWVzeURnS1gxSVUrNWtVClR0S05HWUtpSU5ETWh0YVhJcS9C\nMmtwS1ZZSnRSMlVYQWtMMk5GVGhWVjAKLS0tIGdnYmEyaDBMbDhaUVpOUzN5OWk3\nKzkvSU1wQWxETDJiMWxVYUhuV1V4aEkKwjiLNhN2WvjV1WC648tl2bUIgcthFo/r\nwGF2G+J7ueAp3WGWRtd1a2kQNn8MLqCZksUMeksy4+3570kKmdCOrg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-02-12T07:28:02Z", - "mac": "ENC[AES256_GCM,data:Kk+FO9fjspAPkzs1orp5iXuVc1iLXbMr5PRmM9lDULjGZ2gpgS2JJF/Uf+4OeWrmLRmUwqa0dPPr3gR4/BEQmPk7FKqlr66iFun8Y/ExV38hWKGzBOvDxZIGdzT5i0S5SrohjhjQN2qzM8l6YANN21wogv/I0Mb/KKUNlBK/z9E=,iv:2fN19YDoZ7+0BVBo9FQJkPpjyGr2AB9GtYp4kvX+tUw=,tag:KrYOLR38mxv1eYOEoG9pNg==,type:str]", + "lastmodified": "2025-02-12T09:27:43Z", + "mac": "ENC[AES256_GCM,data:6IPR2vcE0XxIbwsyaTIADl34wHSikT/Jy1UYPJPexvw22JbAQyIJn8dZQvpa6IrIi1+thLyambL1BXwiYmOepQWCXIWTYNDhu3xNi9UwpjdwGpLGCFQz18eXnqRLWZT3UXyZ5aEFdHGHgbMbHEkJ+suK3FqJCXn4AvmlqER211Q=,iv:q1ZKHd4VwLLmx5lUekt0yVdSy7kiZCUMzuygjg/jCh8=,tag:VBkblBU0osFoANXymHiWcw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" diff --git a/non-critical-infra/secrets/staging-hydra-hostkeys.yaml b/non-critical-infra/secrets/staging-hydra-hostkeys.yaml new file mode 100644 index 00000000..4c1a8a62 --- /dev/null +++ b/non-critical-infra/secrets/staging-hydra-hostkeys.yaml 
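Review bot: Only `data`, `lastmodified` and `mac` change in this file (the diffstat confirms 3 lines changed), so the `age` recipient list is untouched and still begins with the old host key `age13emk4xkrde0qhgnuu24jl7vt6mdq99w56c4ngse9mxh4j0pxvuvq3zsppt` from patch 01, while this same patch replaces the `staging-hydra` recipient in `.sops.yaml` with `age1vawam…`; if that is the freshly generated host's key, the host cannot decrypt the signing key that `hydra.nix` configures it to load from `config.sops.secrets.signing-key.path`. Re-encrypt with `sops updatekeys non-critical-infra/secrets/signing-key.staging-hydra` and commit the resulting recipient change. The enclosing JSON object of this hunk starts outside the hunk.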
@@ -0,0 +1,31 @@ +ssh_host_ed25519_key: ENC[AES256_GCM,data:Okg9SB54M1j/Os2cjYL4b7Xy9qafNKjTD+/pJx8NoPg5+GACiPuiseDa3WcF7gtozzpzLOn+37nrnE11Qy+GT7FrRFnbhWlv41ZEWaktaysOOnVdclHu1e8gGdLYqX32cK2AL4hQYxVJgk9aVVQ+Zm0cnv9Tz8FEdCPuItOwaph6N0WF9+Ssq+zf50RKn8DwOrssGb/QOM45JC4R1wLP6Qf3OjvJRThP8TvVoFCn2kaQS1rKmJ84kn6HAjOkkDZVIHekea0OegKY1szA4FL+Tt+9S1PbtTcjkWnLVISCOkH3FpzNFWDRkLAloZtAHOSOUCwxumzBKApLpvp1K4Z/ctFWIqEI7pCpVxL32KJC2S7u2xc/tXvH2KWG+/u0dfX9UXHEm5UCZ8njHZYGRQl46tbBfBv45KQUi+mL+Xpcv176XGpx08kYeIlKIQ/vKqp2hPfBQkHMisA+bUwzIqg3eWQrrfbNU1cevMqSPg3VzXtfdf7sTnG5tsIqsEHspTURzIdBFSEKPxB5TR2MWLPM9iO9LQCLuyvA/qTG,iv:kWEbM4cKF2gBc6YFkjag38CQFHwPr1WjoFazQJKJCPA=,tag:JTcCuDq5VbwcvnLX7/fT3Q==,type:str] +ssh_host_ed25519_key.pub: ENC[AES256_GCM,data:l81c4JwjKoWutFi1+WzyDh8Hcr5spDbRCOtghyPlRjq8vIzCqwnhtf5ifTKVgIvN1Updd0oYDSWa9YhjFhrWvCGBh0JVqKLVKB/ejm1jRdUO,iv:W9CY6YjtnCv6L7kdSwpFB/38GoU2AIIzdWTsxUPHnGU=,tag:TNq7oDVbUb6mrSdZ4Z6/wg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubThhZ2U2Tnp3VjEyVEtD + TnNScHFVaVFVV21WbmZNSjlEcG1FSGYvbHhBClVHVEJPZnNvVGhHbWJvRkVENXFu + OGlZWUFBL2N2T0kvWnI0cXZnU01vMHcKLS0tIEcrUG84bGhQZEVpWVN3REZhNVgy + bUFzL0xJZVlTaGpEdnk3NG8rS1o5VDAKDQc62S+uy/sl7lDyUMfrqDhurqAua5ik + l2y+nFnzv4/RVa3Y4xbJyy/TEuNpEsNS0s3bgnHD5kOAgjtIKjEFkQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaEZVMVVqSlYyTDVuT29p + Yk9lT0VZb2dIV3MyR2luV21taGV2ZC85akRJCjNnYktKWFg0MjlqU2hDNXZOYk9J + Y0VUK3BJR1l5S0d3eVRjM3MxR3hUSzgKLS0tIFNPNitGOGgrK05hSXhCWkFDNHZa + eFF2SlQwSmVoVUszeVI0SWRZK2ROS0kKUAjRNmIDiavnbL9/sgLu12DPf5qEXiFu + w0vTGO5ffR0I04SYpHznSf28Ja/EcbpDrZ6fMh6bC7Q+k1uLvASBEA== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2025-02-12T09:19:59Z" + mac: ENC[AES256_GCM,data:Ym3YsYfQOd4D8iZ0K01gF6IzvYYvQEKFWzLqL815Nk0ozW1g3D8xPcNxVxb0juvRjbeBXlz0fkDLXxJ1N0ZMASmZ2wHxfR9w5J+CL8hyCmsutJ+ofdiZVJ+ZwEKfenPp/Ke02ce+5EixxU5X3Ad04kLjNalOmmkNhTd5WRFbFe8=,iv:guGa3Nz1DC8Bo5yVP6unoCFGVigKmAKliXA8r5gKyNg=,tag:k69LdmsWW5gYbamdD2S4Ig==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/non-critical-infra/secrets/staging-hydra.hostkeys b/non-critical-infra/secrets/staging-hydra.hostkeys deleted file mode 100644 index 898aaeb1..00000000 --- a/non-critical-infra/secrets/staging-hydra.hostkeys +++ /dev/null 
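Review bot: This file is encrypted to `age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8` and to mic92's key, but the `.sops.yaml` rule that matches `-hostkeys.yaml` names m1-s as `age1j3spleg…`, and `age1v5qpk…` appears nowhere in `.sops.yaml`; either the rule is stale or the file was encrypted with a recipient outside the declared key set, so add the key to `.sops.yaml` if it is intentional and run `sops updatekeys` so the on-disk recipients match the policy. Omitting the host's own age key here is correct for a bootstrap host key that is only ever decrypted on an operator machine, but a one-line comment in `.sops.yaml` saying so (`# decrypted by operators only; the host never reads this file`) would keep the next reader from "fixing" it.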
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:5z+8/wJR2tFuZF5aRKUX7xa89QqHVx0YVCjsPfIoC8Y=,tag:sC4/gyabxyFhdhWc7jAFIg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSzY3WFc2dDhPRVNTOFJH\ncVlkWnQ2L1V4dGNhZllvZVhlYnlVZXQvVzFnCnBiWXkwS2FFbVMrdjNZOGhIU001\nL3VmOGp1QTRpMWlRY2s5UGFqN01tc0UKLS0tIHV1b2FwWEhTY09SdGlGc3NhbnVZ\nUmd5dVdIZE9jWUV2VW8vb3dNK0JDYlkKElQj+C53jgVk2QTKAhsHCFMzKAwXWozP\ngSI8j4osvza/GqEM6XvQl/tW/TYcxIPDazK9tXOJEfbHmGh8ADyCaA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMakVLWHFSaDVwTnpud2ZF\nZExnSDY1VGI1YjF4ZGl0NWdLQi9udGlwS2d3CnhwVEtIU1ZLMGdFaGhLQlNMSjVJ\nTjZXTUo4SzJiVUZiM2tjQVJJT3ZiL2MKLS0tIDkxUlhTZnZmVEN6RVdSTndwazdn\nZU1QcWlWL0gwTWIvWXhtQVFOb2VYaWsKEZX9COQbwRP/OvimWL6ijR2lsQBihssd\n7lZwH5xcKNWXH/u4lLxXQx7ARtEBX9kMKGtF8uGq6NCt2Gjlt/lJWg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-02-12T07:19:21Z", - "mac": "ENC[AES256_GCM,data:ZS6cY/umbUO7Aj1cnmLiCMLyhiiyAupEBL8/qDkO5JYZ4ufQN3WfiKebbndpLyl+35bMBL9C640BWTFh90Y0AwaZ2IxbAmTLGiqaeMG7ESzNXv1XYWF1MJdIa5i7hsl6DdKn26aHocmDIMMQ1tglZfk42fucJTWncUbio4trPfg=,iv:9dPqNw6utDO9boVzbRdtd1CtKSTG84upG0QQDPfH5Ow=,tag:CJm4QzxRi0SwCuGHxxw/Ew==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.1" - } -} \ No newline at end of file diff --git a/non-critical-infra/secrets/staging-hydra.hostkeys.pub.tmp b/non-critical-infra/secrets/staging-hydra.hostkeys.pub.tmp deleted file mode 100644 index d958d044..00000000 --- a/non-critical-infra/secrets/staging-hydra.hostkeys.pub.tmp +++ /dev/null 
@@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK81IHfeA/GXIgb9N5hl/qtCSsSBqs+FkppGklxworUD m1-s@thinkbook diff --git a/non-critical-infra/secrets/staging-hydra.hostkeys.tmp b/non-critical-infra/secrets/staging-hydra.hostkeys.tmp deleted file mode 100644 index 1b67dd75..00000000 --- a/non-critical-infra/secrets/staging-hydra.hostkeys.tmp +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW -QyNTUxOQAAACCvNSB33gPxlyIG/TeYZf6rQkrEgarPhZKaRpJccKK1AwAAAJhqdU+1anVP -tQAAAAtzc2gtZWQyNTUxOQAAACCvNSB33gPxlyIG/TeYZf6rQkrEgarPhZKaRpJccKK1Aw -AAAEBsDJIMqVf7Y3FoTZk42DsRyLaBz0fGJUjazwskqATxxq81IHfeA/GXIgb9N5hl/qtC -SsSBqs+FkppGklxworUDAAAADm0xLXNAdGhpbmtib29rAQIDBAUGBw== ------END OPENSSH PRIVATE KEY----- From 9a3116193832173a29d05d22acd2177a8e5cb0e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 12 Feb 2025 16:37:35 +0700 Subject: [PATCH 04/23] add staging aws s3 keys --- .../hydra-aws-credentials.staging-hydra | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 non-critical-infra/secrets/hydra-aws-credentials.staging-hydra diff --git a/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra b/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra new file mode 100644 index 00000000..87a0e3be --- /dev/null +++ b/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra 
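Review bot: The removed `staging-hydra.hostkeys.tmp` is an unencrypted OpenSSH private key, and its public half (`ssh-ed25519 … m1-s@thinkbook`) is removed from `staging-hydra.hostkeys.pub.tmp` in the preceding hunk; deleting them from the tree leaves both recoverable from history via the blobs named in the `index 1b67dd75..00000000` and `index d958d044..00000000` headers. The key pair should therefore be treated as disclosed and not be relied on as the staging-hydra host key or in any authorized_keys entry unless history is rewritten before the branch is published. The `m1-s@thinkbook` comment suggests a workstation-generated key rather than a host key, so a short note in the commit message on whether it was ever deployed would help a later reader.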
@@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:CWXoy4wCzx4N7SrcnfMwT0ctrJqTeVgSRlMjHfBrLVFXG+4bKw4jb0KINsarB75VJjE9xVb6Ccrs4iZ1eeTwGQ6xK6cDQpFOfqzxOOJYd4fqgRkVHtUi7m6lv0STrsXyuY/6A5jZg46908gEnsoRikdicn0=,iv:llZCq43c83EPrMMaDH7effRFUWl6BA3QJI9pgnN47zM=,tag:RYFxkPl5x6eL5Gx+tQH34g==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13emk4xkrde0qhgnuu24jl7vt6mdq99w56c4ngse9mxh4j0pxvuvq3zsppt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2b3pvazZwVnlZYXY1UjVO\nSjRsV3VRNHJjb0RPTU1lemMvUFhXYkxRQUdVCnFaaW9zd1BNT1hvMHBVeXRsRmw1\nNnovcjFMTzl4a3pKU3ZLd1BNVFBnSk0KLS0tIHZCUkE2Mmg4RTZoUW90WmhXSkhI\nMDNIenQ1UTdNK0VYRmE0UjRyQnlTak0Ki2ZT0WS0a09VldISk+RoUPOlv8RV6G4v\nolrCSX2IRAt+KZYbnXCfVgO3cOltNLD+k+sl6Pe2nKX6Jo9V+/r3Xw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRG0yZ3lZUzRtS0IzUnZk\nUlpQTlhBVFZSRUtHdnV5R1VvZGhtWXFIa1VFCkV4MGQ0dlNqNXloalVFYUdYb2Vu\nWEpxMkhlcEpyUXZ4N3FxY0tzMnpFaDQKLS0tIE1McmFISEpRRlNPbG14U2QyeUYy\nV05CczN3VW1pZDFsbDVmUnltWGNobW8KtHFX2gyh5+KCamEUhiMlbqBG9R4C7884\nFfzhcIuWMJTqk72TBnRyvuPPvdX3YTQE9vce240GObX+ccKHBApH1g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZkdET2FNQmRtSlFnSjBL\nRVd1QjZoZW51NmloWDg3Zko4MjVmaldNM1dFCmR3bWJaemtpb2FsdzFUMmt0aHJI\na0d3SlhWcnVJNy9EeWVXU1F3ZU5kVzQKLS0tIG5mUGpXSk1PRXlKUzRBSjFLUGJy\nTTNiZkkwZTdsazloSFQwdk1WVnllSk0K06IY5kC5KGdKX3QvVA37RMZV4A9s5EDr\nxCgiAUii6d7xtUNYTBhgMj9tNGcs1Rs1yRurfM86IBLRsohXkSN1oQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-12T09:37:26Z", + "mac": 
"ENC[AES256_GCM,data:a4uXcqFoAKCqBeYH8Dw3qG9LQ0OaKhPWmKtXPBdyV1mR42LjvYaQkw+vFjSLwzzdYgRhC0B3F9C1Sdt17enFI+HL37XlxNRYn/28rm48BqWf1V5/HPijEusvefFpWlHYO/8qbslciH0YjV32SPfgGB79USzCen6EXK78FAeqngo=,iv:plk7T/a8/LyPCwpwvtQN1oJsbErNIFxuUbYgUmdhx9Q=,tag:sYIaorwrqsbC+Co7fJ0u4Q==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.4" + } +} \ No newline at end of file From 58bc17380eb9f0a4e3a8fad8df7a3e6f3320491f Mon Sep 17 00:00:00 2001 From: Michael Schneider Date: Wed, 12 Feb 2025 12:53:42 +0300 Subject: [PATCH 05/23] update secrets --- .../staging-hydra/bootstrap-staging-hydra.sh | 2 +- .../hosts/staging-hydra/hydra.nix | 19 +++++++++---------- .../hydra-aws-credentials.staging-hydra | 16 ++++++++-------- .../secrets/signing-key.staging-hydra | 10 +++++----- 4 files changed, 23 insertions(+), 24 deletions(-) diff --git a/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh b/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh index 213069bb..46ff1894 100755 --- a/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh +++ b/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Use this script to deploy the initial keys when bootstrapping a new machines. +# Use this script to deploy the initial keys when bootstrapping a new machine. set -euo pipefail tmpDir=$(mktemp -d) diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix index 195a89dd..3cd7acb1 100644 --- a/non-critical-infra/hosts/staging-hydra/hydra.nix +++ b/non-critical-infra/hosts/staging-hydra/hydra.nix 
@@ -29,16 +29,15 @@ in # Don't rate-limit the journal. services.journald.rateLimitBurst = 0; - # age.secrets.hydra-aws-credentials = { - # file = ./secrets/hydra-aws-credentials.age; - # path = "/var/lib/hydra/queue-runner/.aws/credentials"; - # owner = "hydra-queue-runner"; - # group = "hydra"; - # }; - - sops.secrets.signing-key = { - sopsFile = ../../secrets/signing-key.staging-hydra; - format = "binary"; + sops.secrets = { + signing-key = { + sopsFile = ../../secrets/signing-key.staging-hydra; + format = "binary"; + }; + hydra-aws-credentials = { + sopsFile = ../../secrets/hydra-aws-credentials.staging-hydra; + format = "binary"; + }; }; services.hydra-dev = { diff --git a/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra b/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra index 87a0e3be..38d4dfe7 100644 --- a/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra +++ b/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:CWXoy4wCzx4N7SrcnfMwT0ctrJqTeVgSRlMjHfBrLVFXG+4bKw4jb0KINsarB75VJjE9xVb6Ccrs4iZ1eeTwGQ6xK6cDQpFOfqzxOOJYd4fqgRkVHtUi7m6lv0STrsXyuY/6A5jZg46908gEnsoRikdicn0=,iv:llZCq43c83EPrMMaDH7effRFUWl6BA3QJI9pgnN47zM=,tag:RYFxkPl5x6eL5Gx+tQH34g==,type:str]", + "data": "ENC[AES256_GCM,data:d/rjsri6EXmB4IXu8atZRKjk9pAn9GLTDybq89RnvRDy8olxc7S0z8CABqZXcCYwlyzlbBXYLTm75EwhfDq/GYstD9Bxh7j/iRctnNmBxRkzk5fiIMYCTXOyOCbPyeNkZ0+AkrmVs+11usH25DU2C/1g16o=,iv:0bTqh+lVMIT4gIYJ20LbX6KOJnhq6cEbWLSJEBtW4ko=,tag:uxgfFVbPozT3QetMg4AAeQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, 
@@ -7,20 +7,20 @@ "hc_vault": null, "age": [ { - "recipient": "age13emk4xkrde0qhgnuu24jl7vt6mdq99w56c4ngse9mxh4j0pxvuvq3zsppt", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2b3pvazZwVnlZYXY1UjVO\nSjRsV3VRNHJjb0RPTU1lemMvUFhXYkxRQUdVCnFaaW9zd1BNT1hvMHBVeXRsRmw1\nNnovcjFMTzl4a3pKU3ZLd1BNVFBnSk0KLS0tIHZCUkE2Mmg4RTZoUW90WmhXSkhI\nMDNIenQ1UTdNK0VYRmE0UjRyQnlTak0Ki2ZT0WS0a09VldISk+RoUPOlv8RV6G4v\nolrCSX2IRAt+KZYbnXCfVgO3cOltNLD+k+sl6Pe2nKX6Jo9V+/r3Xw==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReHQ1WkRhbHRDOTBtQ2JL\ndFk2eVJuM2JaU2NCY0pSL0lCalc1ek1iYVE0Ckd4ajR4TGRHM1pnNEZCeUJZYjQy\ndFVpSTJ2Ynk5TDN2UlRXb09Ha09sSnMKLS0tIHFiQ1M0SmRvQVlQbDk4OThSRFBX\nTG5QbktuK2JrTDdGdHZkUURVRUhkSEEKnD+B5Bft0oW2hc7/Gmj7UnqLTXlQz18E\n+3jNAk9hPDrynzFU8SqRqK4hsawb88xYGbZPJGQE5twp6O5OzNhMrg==\n-----END AGE ENCRYPTED FILE-----\n" }, { - "recipient": "age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRG0yZ3lZUzRtS0IzUnZk\nUlpQTlhBVFZSRUtHdnV5R1VvZGhtWXFIa1VFCkV4MGQ0dlNqNXloalVFYUdYb2Vu\nWEpxMkhlcEpyUXZ4N3FxY0tzMnpFaDQKLS0tIE1McmFISEpRRlNPbG14U2QyeUYy\nV05CczN3VW1pZDFsbDVmUnltWGNobW8KtHFX2gyh5+KCamEUhiMlbqBG9R4C7884\nFfzhcIuWMJTqk72TBnRyvuPPvdX3YTQE9vce240GObX+ccKHBApH1g==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtc015Q0paTmlLWWVWMTJG\nWUgvK0E2R0hLaFcvSlZoNDlIK0dsaWhXR3prClFJLzRvdGowemdRbGZ1U281ZVBt\nc2RyRFFMa3QyV09BcFBXMFI4ZXJoR0UKLS0tIGs3T1MrTGo5RDY2UjdhV1UwNDQ0\nSnN6RHFkaHBsVXdiekVZRC9UajRRaDQKCoc8Xc1R6atrbdZsroe+xJ1TyucIUlmO\ny5sCxtuG423KzYOkAEaiB4ZRgtB5pXpxuvfEBHfGiBn9xdsO8qzY+w==\n-----END AGE ENCRYPTED FILE-----\n" }, { 
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZkdET2FNQmRtSlFnSjBL\nRVd1QjZoZW51NmloWDg3Zko4MjVmaldNM1dFCmR3bWJaemtpb2FsdzFUMmt0aHJI\na0d3SlhWcnVJNy9EeWVXU1F3ZU5kVzQKLS0tIG5mUGpXSk1PRXlKUzRBSjFLUGJy\nTTNiZkkwZTdsazloSFQwdk1WVnllSk0K06IY5kC5KGdKX3QvVA37RMZV4A9s5EDr\nxCgiAUii6d7xtUNYTBhgMj9tNGcs1Rs1yRurfM86IBLRsohXkSN1oQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSlVJOVJQL1B1NFhnRFpC\nSlczMVlCRllQVE83clJSd0JmMEJwTlpybmtrCk8xaisvV0t4Y29ZQ0VUZVo3OXcw\nYmFPZXJrWnBuL0tzK2x6M3pnSmltQkUKLS0tIFNQUmVTNU9mYVB0Q0tvL0RXNlFV\nVVMwa0lGN2krODYrN0ZXWk1XZFgzakkKsU/gYH12e0EqAKlh0e36JQTqa0FG1LCv\n+D1F/8cM+FnWdIp9m2rRn4Y17F4TlQ4G+z1s/1qFPNrX3xyQ1VpKEw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-02-12T09:37:26Z", - "mac": "ENC[AES256_GCM,data:a4uXcqFoAKCqBeYH8Dw3qG9LQ0OaKhPWmKtXPBdyV1mR42LjvYaQkw+vFjSLwzzdYgRhC0B3F9C1Sdt17enFI+HL37XlxNRYn/28rm48BqWf1V5/HPijEusvefFpWlHYO/8qbslciH0YjV32SPfgGB79USzCen6EXK78FAeqngo=,iv:plk7T/a8/LyPCwpwvtQN1oJsbErNIFxuUbYgUmdhx9Q=,tag:sYIaorwrqsbC+Co7fJ0u4Q==,type:str]", + "lastmodified": "2025-02-12T09:43:35Z", + "mac": "ENC[AES256_GCM,data:NFlmL4am9aN+K8xQeR7qBYyQMJNl5exAlOo6IvmVd0tQ51n5uzyZ7rxJK5ku3amh/ZxNF4G2FJKJQFbN+7I5aq58xJWUF4ApsZfAsNBUG8e1/4/Jzdk5BSHaP3N8wkkNb3zWBFqE7aijcq+GH/P8Ra+hprbkAYLjEoTcJoMVtsE=,iv:kdqS91wd4cat1dgxbVo0AuHPxJ4BPSKFyTAOg3VP+KM=,tag:9vvYEwJWFTdXB4HJ8viy8g==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" diff --git a/non-critical-infra/secrets/signing-key.staging-hydra b/non-critical-infra/secrets/signing-key.staging-hydra index 71b1532b..1e87750e 100644 --- a/non-critical-infra/secrets/signing-key.staging-hydra +++ b/non-critical-infra/secrets/signing-key.staging-hydra 
@@ -7,16 +7,16 @@ "hc_vault": null, "age": [ { - "recipient": "age13emk4xkrde0qhgnuu24jl7vt6mdq99w56c4ngse9mxh4j0pxvuvq3zsppt", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1U0xMRmlPV2ROMnFOVk9X\nZC9NWjJ5a2ZoTWlWVTNwUTVxWlFhZHN1bFd3Cnl5TmgwRE5aVkdjMVluYmI5VHJD\nMVhyQTM0eVVpejVRMjV1WWxyTGRzQkEKLS0tIG1IZnM4cmo5NW9ha3h2cFFOdWRQ\nb25yUmVOdkZ6NCt4QW9LNHpDSWNJZXcKbvtROz30bj6DYn8bRX++TpZWYTc6LPBl\nu3WgIKIq1nucagf+tAsIO5ZTdNByK3DGYKFdp9+RLFxHLu6XCTePZg==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcTBnUzBNU0J1MGN1MnJN\naUR5dnEwSmQwQVlHcjVFcmJ4QWZRSDlXVXlzCndyd1dSa2l3ZGtTN0l3ZEJKM1Fl\nNWNOOEFBS0M2bFVGcGczc2J6SUpjVnMKLS0tIEcvYmJjWlFkZXozOHhxcTlHemla\nOTl5dlhsRkM0MGdrR0ZtU1p4UEdOZHcKnIXOb8UaRSPFwM+yztXsu2KJr4afVwqd\nevTsIfzXH5inEvkMOW8emtkexCc9TBVSvP8+8lKE63M3ysFmaToy8w==\n-----END AGE ENCRYPTED FILE-----\n" }, { - "recipient": "age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNHJCcmUzT2pFL3ZrT2FF\nN1grblQvL3Y2eWNXb2pJS0JXeEVOMUlPVFZvCmgyMDRwamFaSFk5TzE4cFJGaHlF\ncStOaUplOUZOTVBWUCtnWVNseFpoOHcKLS0tIDRIUGtpd1dWV2pqQnliK3NBcHVQ\nQnU2MTJNeUtHMEpmcmI0K0lzMjhZaHMKgGzuhwZqGLzufcGAYD/Io7rRO7EMmegq\ntKik/ZPqCRSw8XIX+Iiqp1miDV2MzgmLwQXm8IAT/9kWJmVK4j8ILg==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjNkdTJRQ3MrKytVYkV2\nK3hVR25DWVpNUUpWOG1xS25FYk45WDI5bmcwCmpWZTRzbFZTbmxqaU5IcmViK0dY\nVW5VVzNxaGRKaVpDSFhseVBEL084T2cKLS0tIFRoRDNCSXQ1eDFZYWtnY2t6SEhk\nd2FRTFE3dG1sR2VvLzhwWms4cHUxSDgKPT3VyycykmGXTeKZXD9SfeUhZcN7NIr5\nYOFO9J/pdqJ90G4m8WSaBG82w1ktJblrcy8sEzD2V37Nfl4UiB/QwA==\n-----END AGE ENCRYPTED FILE-----\n" }, { 
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb2ljNWl5SUhGUXZmQXhP\nTDF4bzhVYnpSdUFFVWVzeURnS1gxSVUrNWtVClR0S05HWUtpSU5ETWh0YVhJcS9C\nMmtwS1ZZSnRSMlVYQWtMMk5GVGhWVjAKLS0tIGdnYmEyaDBMbDhaUVpOUzN5OWk3\nKzkvSU1wQWxETDJiMWxVYUhuV1V4aEkKwjiLNhN2WvjV1WC648tl2bUIgcthFo/r\nwGF2G+J7ueAp3WGWRtd1a2kQNn8MLqCZksUMeksy4+3570kKmdCOrg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDd2taT3JJcjhwVGZORGp5\nTFd1Ym85VnBiU2psektnT3grcGx6UlhYbkVNCnUwQUQzc2JZV0JMWXkwSjNXZGdq\nL3ZSOHpNQ3hwV1VuSXc4eVNOZklNNjQKLS0tIHlvZGYzQnliak5VKzdxeUFQakJn\nQ1A4RWk3ZjF2bEtpNktXMklScVBUUXMKrOW8MDPUjtsjOBcHx7BxOK4Kt2BYl318\nA1ytiiSi8kan3ta1QSZJOuQLYmSmlI/TGuFjY17wQJsrx0a2OAYFng==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-02-12T09:27:43Z", From 6f299775de26e0f00060de701880c92870ad67f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 15 Feb 2025 17:10:35 +0700 Subject: [PATCH 06/23] add staging-hydra.nixos.org to dns --- terraform/dns.tf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/terraform/dns.tf b/terraform/dns.tf index d70005de..1b9c47ad 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -51,6 +51,16 @@ locals { type = "CNAME" value = "mimas.nixos.org" }, + { + hostname = "staging-hydra.nixos.org" + type = "A" + value = "157.180.25.203" + }, + { + hostname = "staging-hydra.nixos.org" + type = "AAAA" + value = "2a01:4f9:c012:d5d3::1" + }, { hostname = "monitoring.nixos.org" type = "CNAME" @@ -269,6 +279,7 @@ locals { value = "142.132.140.199" }, + # oakhost m2 { hostname = "eager-heisenberg.mac.nixos.org" From 89aebb010706440433c929a26a83ab4423133766 Mon Sep 17 00:00:00 2001 
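Review bot: The signing-key re-key in this hunk only swaps the age recipients (`age13emk4…` → `age1vawam…`, `age1j3sp…` → `age1v5qp…`); the `data` line is not part of the change and `"lastmodified": "2025-02-12T09:27:43Z"` stays as context, so the file's data key and ciphertext are unchanged and the previous revision (`index 71b1532b`) remains decryptable by whoever holds the removed recipients' private keys. Removing a recipient therefore does not revoke their access to this signing key; if the old keys were replaced because they are no longer trusted, the Nix signing key itself needs to be regenerated and the secret re-encrypted, and a one-line reason for the rotation in the commit message would let a reader judge which case applies. The `hydra-aws-credentials` hunks in the same commit do change `data` and `lastmodified`, so for that file the open question is only whether the previously encrypted credentials were also invalidated on the AWS side.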
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 15 Feb 2025 17:16:00 +0700 Subject: [PATCH 07/23] add staging hydra-proxy --- .../hosts/staging-hydra/default.nix | 1 + .../hosts/staging-hydra/hydra-proxy.nix | 97 +++++++++++++++++++ 2 files changed, 98 insertions(+) create mode 100644 non-critical-infra/hosts/staging-hydra/hydra-proxy.nix diff --git a/non-critical-infra/hosts/staging-hydra/default.nix b/non-critical-infra/hosts/staging-hydra/default.nix index ae088371..f8f586df 100644 --- a/non-critical-infra/hosts/staging-hydra/default.nix +++ b/non-critical-infra/hosts/staging-hydra/default.nix @@ -5,6 +5,7 @@ inputs.srvos.nixosModules.server inputs.srvos.nixosModules.hardware-hetzner-cloud-arm ../../modules/common.nix + ./hydra-proxy.nix ./hydra.nix inputs.hydra.nixosModules.hydra ]; diff --git a/non-critical-infra/hosts/staging-hydra/hydra-proxy.nix b/non-critical-infra/hosts/staging-hydra/hydra-proxy.nix new file mode 100644 index 00000000..3bea6b98 --- /dev/null +++ b/non-critical-infra/hosts/staging-hydra/hydra-proxy.nix 
@@ -0,0 +1,97 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ bannedUserAgentPatterns = [
+ "Trident/"
+ "Android\\s[123456789]\\."
+ "iPod"
+ "iPad\\sOS\\s"
+ "iPhone\\sOS\\s[23456789]"
+ "Opera/[89]"
+ "(Chrome|CriOS)/(\\d\\d?\\.|1[01]|12[4])"
+ "(Firefox|FxiOS)/(\\d\\d?\\.|1[01]|12[012345679]\\.)"
+ "PPC\\sMac\\sOS"
+ "Windows\\sCE"
+ "Windows\\s95"
+ "Windows\\s98"
+ "Windows\\sNT\\s[12345]\\."
+ ];
+in
+{
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+
+ proxyTimeout = "900s";
+
+ appendConfig = ''
+ worker_processes auto;
+ '';
+
+ eventsConfig = ''
+ worker_connections 1024;
+ '';
+
+ appendHttpConfig = ''
+ map $http_user_agent $badagent {
+ default 0;
+ ${lib.concatMapStringsSep "\n" (pattern: ''
+ ~${pattern} 1;
+ '') bannedUserAgentPatterns}
+ }
+ '';
+
+ virtualHosts."staging-hydra.nixos.org" = {
+ forceSSL = true;
+ enableACME = true;
+
+ extraConfig = ''
+ error_page 502 /502.html;
+ error_page 503 /503.html;
+ location ~ /(502|503).html {
+ root ${../../../build/nginx-error-pages};
+ internal;
+ }
+ '';
+
+ # Ask robots not to scrape hydra, it has various expensive endpoints
+ locations."=/robots.txt".alias = pkgs.writeText "hydra.nixos.org-robots.txt" ''
+ User-agent: *
+ Disallow: /
+ Allow: /$
+ '';
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = ''
+ if ($badagent) {
+ access_log /var/log/nginx/abuse.log;
+ return 403;
+ }
+ '';
+ };
+
+ locations."/static/" = {
+ alias = "${config.services.hydra-dev.package}/libexec/hydra/root/static/";
+ };
+ };
+ };
+
+}
From 3ea4935a4ca6e6ddc30a159ebd2fc8c1e5458138 Mon Sep 17 00:00:00 2001
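Review bot: The error-page block `location ~ /(502|503).html {` is an unanchored regex with an unescaped dot, so it also matches any request URI that merely contains e.g. `/503.html` or `/502xhtml`, and because a regex location takes precedence over the `/` prefix location and the block is `internal`, such requests are answered 404 by nginx instead of being proxied to Hydra. Anchoring and escaping it, `location ~ ^/(502|503)\.html$ {`, restricts it to the two error pages. The `bannedUserAgentPatterns` list would also benefit from a comment stating the rule behind the version cut-offs: `(Chrome|CriOS)/(\\d\\d?\\.|1[01]|12[4])` blocks Chrome 124 but not 120–123, and the Firefox pattern skips 128, so a reader cannot tell whether those gaps are intentional.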
From: Michael Schneider Date: Sat, 15 Feb 2025 17:58:18 +0300 Subject: [PATCH 08/23] update m1-s age key --- non-critical-infra/.sops.yaml | 2 +- non-critical-infra/pub-key.txt | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 non-critical-infra/pub-key.txt diff --git a/non-critical-infra/.sops.yaml b/non-critical-infra/.sops.yaml index dff48b1e..1fd69e5d 100644 --- a/non-critical-infra/.sops.yaml +++ b/non-critical-infra/.sops.yaml @@ -4,7 +4,7 @@ keys: - &caliban age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq - &umbriel age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6 - &staging-hydra age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v - - &m1-s age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8 + - &m1-s age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8 - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz creation_rules: diff --git a/non-critical-infra/pub-key.txt b/non-critical-infra/pub-key.txt new file mode 100644 index 00000000..d8d1cb72 --- /dev/null +++ b/non-critical-infra/pub-key.txt @@ -0,0 +1 @@ +age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8 From 0ebb7febc2252972d1ae8e23a1c90b2b9a2476ae Mon Sep 17 00:00:00 2001 From: Michael Schneider Date: Sat, 15 Feb 2025 18:12:19 +0300 Subject: [PATCH 09/23] remove pub key --- non-critical-infra/pub-key.txt | 1 - 1 file changed, 1 deletion(-) delete mode 100644 non-critical-infra/pub-key.txt diff --git a/non-critical-infra/pub-key.txt b/non-critical-infra/pub-key.txt deleted file mode 100644 index d8d1cb72..00000000 --- a/non-critical-infra/pub-key.txt +++ /dev/null @@ -1 +0,0 @@ -age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8 From 578371b87acadfbf17dadf66e0050e0f85b60b41 Mon Sep 17 00:00:00 2001 
From: Michael Schneider Date: Sat, 15 Feb 2025 18:31:55 +0300 Subject: [PATCH 10/23] add hydra user init --- .../hosts/staging-hydra/hydra.nix | 29 +++++++++++++++++++ .../secrets/hydra-user.staging-hydra | 28 ++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 non-critical-infra/secrets/hydra-user.staging-hydra diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix index 3cd7acb1..a1123b54 100644 --- a/non-critical-infra/hosts/staging-hydra/hydra.nix +++ b/non-critical-infra/hosts/staging-hydra/hydra.nix @@ -134,6 +134,35 @@ in ]; }; }; + hydra-post-init = { + serviceConfig = { + Type = "oneshot"; + TimeoutStartSec = "60"; + }; + wantedBy = [ config.systemd.targets.multi-user.name ]; + after = [ config.systemd.services.hydra-server.name ]; + requires = [ config.systemd.services.hydra-server.name ]; + environment = { + inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI; + }; + path = [ + config.services.hydra.package + pkgs.netcat + ]; + script = '' + set -e + while IFS=';' read -r user role passwordhash email fullname; do + opts=("$user" "--role" "$role" "--password-hash" "$passwordhash") + if [[ -n "$email" ]]; then + opts+=("--email-address" "$email") + fi + if [[ -n "$fullname" ]]; then + opts+=("--full-name" "$fullname") + fi + hydra-create-user "''${opts[@]}" + done < ${config.sops.secrets.hydra-users.path} + ''; + }; }; }; diff --git a/non-critical-infra/secrets/hydra-user.staging-hydra b/non-critical-infra/secrets/hydra-user.staging-hydra new file mode 100644 index 00000000..bb8104c6 --- /dev/null +++ b/non-critical-infra/secrets/hydra-user.staging-hydra 
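Review bot: The loop `while IFS=';' read -r user role passwordhash email fullname; do` in `script` silently drops the final record when the decrypted `hydra-users` file has no trailing newline, because `read` returns non-zero on that partial line and a failing loop condition is not subject to `set -e`; `while IFS=';' read -r user role passwordhash email fullname || [[ -n "$user" ]]; do` processes it. `pkgs.netcat` in `path` is not used anywhere in the script and can be dropped. Passing `--password-hash` as a command-line argument exposes the hash in the process list while `hydra-create-user` runs; it is a hash rather than a password, so this is tolerable on a staging host, but a comment saying so would stop the next reader from re-raising it. The enclosing attribute set (presumably `systemd.services`) starts outside the hunk.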
@@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:WvJf4tSJeVjYzXZv50LAz6xfc3GZjYXhRja3W/UAbTYtPzL1yPdMO4p3fkN6x5LUw99yW+c7BQ60NKFpj8XMa8WacVIgzX9KqQO7Kq8+LY/II2sBnhXNUpMbkIsaXRBeX7sDYEd9KNC9yUVAILzaOwIONqjTXzzoMQt5PxixtHbH,iv:C9HYmVDqZ++smz3RKv496jE8ymEk/xa74vL9dH9t3VQ=,tag:lXI4NpoHfYpHLE3d5T1D7w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYVJQaTNxZUZ5SWwyUTBq\nU2kveW5wMzBVSWd3Qi9jZHd2djJwVXFCZ3pjCmhSMXF1YVJMS3FVNVRndGgvbWNC\nR3VpS3dVdDNZQzc4V0haQ3J2Vkt4NDAKLS0tIHl3N2dscC9oMHNJZnBpYzVjNlc0\nTnIrWFA3YjZ2aHAwMGR5UStDL2UyKzgKSTdcEY1oVC6RnJmigj/EGz5/LhpLmhcj\nBUlah8cxgStQDpF9N3mmc90FQRpQUHBRnE9kbE7rpHILhbl3NqYnfg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBK3FLOXBkM2IzdnRrd21K\nNTZtbUdycHNXSG9iOUhyNTFuWFlLR2U0NHhZCnVWR0RwSmw0NGJWVEFGdDhtbE5I\nOU5JZm53SjIwRDZnazlaaU90MUhPVnMKLS0tIG9JazZnY2RGYmxLdGN6c3hiRFgy\nVVk4cnJGcFFjdkFyT1JXRFlLNjI5eEkKTjEd5RIMv8TLPipT/BwpdEAcr4MmUw9i\nNkolj6duCw0m8PgRjHBMcN3vKbCPJC7vxqPqBtndy0rwr7pbJ7WHbg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNFB0bXNFKzk3dnBJTkNw\nQytpNFJBWWtINFpqUVFod0piekgwUVlpN0hFClpzY1FWUmJZNFJtQ09IVVRhVnN3\nSGtFNExrakFySjhGS3Y4ZTR1UjlPeHMKLS0tICtMNExQb3orZzJJaUJ5UUVmWGpQ\nS2RFcXVFN0ltL2pYNlNYc2JqaFZtZlEKOsfFinN/zbsYIB4PLSaHgN7f8QRgK8wt\nzqzk7uk00jSEni/uLj2b74QlLbxEEVnNXWb1+ZWGXSU0XNahGYreOQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-15T15:31:35Z", + "mac": 
"ENC[AES256_GCM,data:sVE0BSe/R5qyQkBqGFrUPLoARkhWckUlkF8cKWVVx0mo7HXxt3mahyPbo5Qk2pzxM7GZt+jOBBDOTuCUT6SlX5ENoSGQ6Bnf1a33g7k4aBGNyvekXlXC2GBH5w65yoEm5qax+6SsNhqp/EnDnIoIKwXqx8ipOOhYCoWw9gxCdnk=,iv:3zMqazSGVqsewj+zwTc0B5dJ3mNEf2I81GMXDMf66Hw=,tag:mB5MsGb9a7Ed8wc0+WCc8w==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.4" + } +} \ No newline at end of file From 18592041fcd08bb33e513373a51635761e4936e7 Mon Sep 17 00:00:00 2001 From: Michael Schneider Date: Sat, 15 Feb 2025 18:34:52 +0300 Subject: [PATCH 11/23] add new m1-s ssh key --- non-critical-infra/hosts/staging-hydra/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/non-critical-infra/hosts/staging-hydra/default.nix b/non-critical-infra/hosts/staging-hydra/default.nix index f8f586df..9d58ee9e 100644 --- a/non-critical-infra/hosts/staging-hydra/default.nix +++ b/non-critical-infra/hosts/staging-hydra/default.nix @@ -34,5 +34,5 @@ networking.firewall.allowedUDPPorts = [ ]; system.stateVersion = "24.11"; - users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFq+rXslVKnGlJKlSmuenBaZtVUZCL2rtFgmDmcbLQyT" ]; + users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaGspw6myJ5GKHHxN+7jaJWyU1SlVo4nCzDajyJdtvg" ]; } From 96fc15dc865c978ff7ecf912f95281d67146a5cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 15 Feb 2025 22:59:34 +0700 Subject: [PATCH 12/23] staging-hydra: add missing hydra-users secrets --- non-critical-infra/hosts/staging-hydra/hydra.nix | 5 +++++ .../{hydra-user.staging-hydra => hydra-users.staging-hydra} | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) rename non-critical-infra/secrets/{hydra-user.staging-hydra => hydra-users.staging-hydra} (72%) diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix index a1123b54..183c3158 100644 
--- a/non-critical-infra/hosts/staging-hydra/hydra.nix +++ b/non-critical-infra/hosts/staging-hydra/hydra.nix @@ -98,6 +98,11 @@ in ''; }; + sops.secrets.hydra-users = { + sopsFile = ../../secrets/hydra-users.staging-hydra; + format = "binary"; + }; + systemd = { tmpfiles.rules = [ "d /var/cache/hydra 0755 hydra hydra - -" diff --git a/non-critical-infra/secrets/hydra-user.staging-hydra b/non-critical-infra/secrets/hydra-users.staging-hydra similarity index 72% rename from non-critical-infra/secrets/hydra-user.staging-hydra rename to non-critical-infra/secrets/hydra-users.staging-hydra index bb8104c6..98ec141e 100644 --- a/non-critical-infra/secrets/hydra-user.staging-hydra +++ b/non-critical-infra/secrets/hydra-users.staging-hydra @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:WvJf4tSJeVjYzXZv50LAz6xfc3GZjYXhRja3W/UAbTYtPzL1yPdMO4p3fkN6x5LUw99yW+c7BQ60NKFpj8XMa8WacVIgzX9KqQO7Kq8+LY/II2sBnhXNUpMbkIsaXRBeX7sDYEd9KNC9yUVAILzaOwIONqjTXzzoMQt5PxixtHbH,iv:C9HYmVDqZ++smz3RKv496jE8ymEk/xa74vL9dH9t3VQ=,tag:lXI4NpoHfYpHLE3d5T1D7w==,type:str]", + "data": "ENC[AES256_GCM,data:nYqeHsAnm9xw/NxIMycbexTtGGDfZyEjq/FyDM3oGuxyiLfaWUrpsbS9KE1Hu6m/cUjPRfthid/KyhoWNdu5yHZLhCmmmSeI1ukqLS++G3rXeY1Cz1GQ4lQgYOEDrUU5W4eTJRfc9Z+zN58Wat4BAnJVeQ/NMq5Hzhyhg7hEGu4=,iv:MMuuZ47yWBqhQ7f27FmRK7XyhoojhuFgflgerTFlJ+w=,tag:raFoWuMqUXcHIvuD95f8Ng==,type:str]", "sops": { "kms": null, "gcp_kms": null, 
@@ -19,8 +19,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNFB0bXNFKzk3dnBJTkNw\nQytpNFJBWWtINFpqUVFod0piekgwUVlpN0hFClpzY1FWUmJZNFJtQ09IVVRhVnN3\nSGtFNExrakFySjhGS3Y4ZTR1UjlPeHMKLS0tICtMNExQb3orZzJJaUJ5UUVmWGpQ\nS2RFcXVFN0ltL2pYNlNYc2JqaFZtZlEKOsfFinN/zbsYIB4PLSaHgN7f8QRgK8wt\nzqzk7uk00jSEni/uLj2b74QlLbxEEVnNXWb1+ZWGXSU0XNahGYreOQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-02-15T15:31:35Z", - "mac": "ENC[AES256_GCM,data:sVE0BSe/R5qyQkBqGFrUPLoARkhWckUlkF8cKWVVx0mo7HXxt3mahyPbo5Qk2pzxM7GZt+jOBBDOTuCUT6SlX5ENoSGQ6Bnf1a33g7k4aBGNyvekXlXC2GBH5w65yoEm5qax+6SsNhqp/EnDnIoIKwXqx8ipOOhYCoWw9gxCdnk=,iv:3zMqazSGVqsewj+zwTc0B5dJ3mNEf2I81GMXDMf66Hw=,tag:mB5MsGb9a7Ed8wc0+WCc8w==,type:str]", + "lastmodified": "2025-02-15T15:41:52Z", + "mac": "ENC[AES256_GCM,data:29dM/9JDoGaJ76nqfcXHGvVzuYgUiaC/PCmO2rha4SwPqdxrLGRKHNQDpVCVXLdsdVBjsw2lwRDKJvZ112zTDSAIFOust1h3NIl0BwcDr/4slEDRVNmy6N01NjQxmvODT6wYv5XXkarSmPFDLEfc8JaYitA7FsuD64sXjY6AbVc=,iv:i7ZiAOHVBtQkP2u97xAqDnSorPAHIdnKSreqxzZQijc=,tag:neaUr/ZUg3GlHjulYWbZ3A==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" From ec6cb159fd554df7ddc5abe8bd07498e3eff6d33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 15 Feb 2025 22:59:49 +0700 Subject: [PATCH 13/23] staging-hydra: add missing hydra/nix overlays --- non-critical-infra/hosts/staging-hydra/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/non-critical-infra/hosts/staging-hydra/default.nix b/non-critical-infra/hosts/staging-hydra/default.nix index 9d58ee9e..f06eea7e 100644 --- a/non-critical-infra/hosts/staging-hydra/default.nix +++ b/non-critical-infra/hosts/staging-hydra/default.nix @@ -10,6 +10,12 @@ inputs.hydra.nixosModules.hydra ]; + nixpkgs.overlays = [ + inputs.nix.overlays.default + inputs.hydra.overlays.default + ]; + + boot = { loader = { systemd-boot.enable = true; 
From d3b5c84174887aadd57c54483e44d6d9debd2765 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 15 Feb 2025 23:00:20 +0700 Subject: [PATCH 14/23] staging-hydra: comment on additional admin ssh key --- non-critical-infra/hosts/staging-hydra/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/non-critical-infra/hosts/staging-hydra/default.nix b/non-critical-infra/hosts/staging-hydra/default.nix index f06eea7e..2ad41ef9 100644 --- a/non-critical-infra/hosts/staging-hydra/default.nix +++ b/non-critical-infra/hosts/staging-hydra/default.nix @@ -40,5 +40,8 @@ networking.firewall.allowedUDPPorts = [ ]; system.stateVersion = "24.11"; - users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaGspw6myJ5GKHHxN+7jaJWyU1SlVo4nCzDajyJdtvg" ]; + users.users.root.openssh.authorizedKeys.keys = [ + # m1-s + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaGspw6myJ5GKHHxN+7jaJWyU1SlVo4nCzDajyJdtvg" + ]; } From 96555845d613d077482b01e5c5eb437f492f379c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 15 Feb 2025 23:00:30 +0700 Subject: [PATCH 15/23] staging-hydra: bump hydra flake --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index dfe09074..97182e93 100644 --- a/flake.lock +++ b/flake.lock @@ -249,11 +249,11 @@ ] }, "locked": { - "lastModified": 1738975358, - "narHash": "sha256-jTImB+S+CTyGaE6PgAD5KiUOCf+AMWPvVIKhjzjHqWM=", + "lastModified": 1739352917, + "narHash": "sha256-IMxe7Jl3efquTO7xzDcxpotDZBHRmD9Jxnw+is1SjDo=", "owner": "NixOS", "repo": "hydra", - "rev": "25eb7251f66ceee527ae50e4057edc17d75dd316", + "rev": "c60e7955bfa7ac3de7c707f7f8555180646e56f7", "type": "github" }, "original": { From 2a32b2f265eccb3ac387611a0f9e77e7f0553258 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 15 Feb 2025 23:26:55 +0700 Subject: [PATCH 16/23] staging-hydra: allow substitutes --- non-critical-infra/hosts/staging-hydra/hydra.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix index 183c3158..ae1351bd 100644 --- a/non-critical-infra/hosts/staging-hydra/hydra.nix +++ b/non-critical-infra/hosts/staging-hydra/hydra.nix @@ -52,7 +52,7 @@ in hydraURL = "https://hydra.nixos.org"; notificationSender = "edolstra@gmail.com"; smtpHost = "localhost"; - useSubstitutes = false; + useSubstitutes = true; extraConfig = '' max_servers 30 From b12a415de9e1d4d740baeefc22fcc8cbe82720b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 15 Feb 2025 23:27:11 +0700 Subject: [PATCH 17/23] staging-hydra: fix secret key location --- non-critical-infra/hosts/staging-hydra/hydra.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix index ae1351bd..882e3499 100644 --- a/non-critical-infra/hosts/staging-hydra/hydra.nix +++ b/non-critical-infra/hosts/staging-hydra/hydra.nix @@ -56,7 +56,7 @@ in extraConfig = '' max_servers 30 - store_uri = s3://nixos-cache-staging?secret-key=${config.sops.secrets.signing-key.path}=1&ls-compression=br&log-compression=br + store_uri = s3://nixos-cache-staging?secret-key=${config.sops.secrets.signing-key.path}&ls-compression=br&log-compression=br server_store_uri = https://cache-staging.nixos.org?local-nar-cache=${narCache} binary_cache_public_uri = https://cache-staging.nixos.org From 5640bdaf49b37f77fd7c7b391c379760ad2f66c9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 15 Feb 2025 23:27:32 +0700 Subject: [PATCH 18/23] staging-hydra: reduce eval worker & memory according to resources --- non-critical-infra/hosts/staging-hydra/hydra.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix index 882e3499..9e54ab1e 100644 --- a/non-critical-infra/hosts/staging-hydra/hydra.nix +++ b/non-critical-infra/hosts/staging-hydra/hydra.nix @@ -72,8 +72,8 @@ in log_prefix = https://cache.nixos.org/ - evaluator_workers = 16 - evaluator_max_memory_size = 8192 + evaluator_workers = 1 + evaluator_max_memory_size = 4096 max_concurrent_evals = 1 From 2018bcfc5243a7d6852b5dc2073e827282a40bf2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 15 Feb 2025 23:32:37 +0700 Subject: [PATCH 19/23] staging-hydra: fix owner of signing key --- non-critical-infra/hosts/staging-hydra/hydra.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix index 9e54ab1e..03d33ebe 100644 --- a/non-critical-infra/hosts/staging-hydra/hydra.nix +++ b/non-critical-infra/hosts/staging-hydra/hydra.nix @@ -33,6 +33,7 @@ in signing-key = { sopsFile = ../../secrets/signing-key.staging-hydra; format = "binary"; + owner = config.systemd.services.hydra-queue-runner.serviceConfig.User; }; hydra-aws-credentials = { sopsFile = ../../secrets/hydra-aws-credentials.staging-hydra; From 083f9089d5ae4ce0f10c0a87c2b5e9c56f0a70a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 16 Feb 2025 00:04:17 +0700 Subject: [PATCH 20/23] hydra-staging: fix s3 bucket auth --- non-critical-infra/hosts/staging-hydra/hydra.nix | 4 +++- .../secrets/hydra-aws-credentials.staging-hydra | 6 +++--- terraform-iam/cache-staging.tf | 5 +++++ 3 files changed, 11 insertions(+), 4 deletions(-) 
diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix index 03d33ebe..2c939231 100644 --- a/non-critical-infra/hosts/staging-hydra/hydra.nix +++ b/non-critical-infra/hosts/staging-hydra/hydra.nix @@ -38,6 +38,8 @@ in hydra-aws-credentials = { sopsFile = ../../secrets/hydra-aws-credentials.staging-hydra; format = "binary"; + path = "/var/lib/hydra/queue-runner/.aws/credentials"; + owner = config.systemd.services.hydra-queue-runner.serviceConfig.User; }; }; @@ -57,7 +59,7 @@ in extraConfig = '' max_servers 30 - store_uri = s3://nixos-cache-staging?secret-key=${config.sops.secrets.signing-key.path}&ls-compression=br&log-compression=br + store_uri = s3://nix-cache-staging?secret-key=${config.sops.secrets.signing-key.path}&ls-compression=br&log-compression=br server_store_uri = https://cache-staging.nixos.org?local-nar-cache=${narCache} binary_cache_public_uri = https://cache-staging.nixos.org diff --git a/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra b/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra index 38d4dfe7..d827411a 100644 --- a/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra +++ b/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:d/rjsri6EXmB4IXu8atZRKjk9pAn9GLTDybq89RnvRDy8olxc7S0z8CABqZXcCYwlyzlbBXYLTm75EwhfDq/GYstD9Bxh7j/iRctnNmBxRkzk5fiIMYCTXOyOCbPyeNkZ0+AkrmVs+11usH25DU2C/1g16o=,iv:0bTqh+lVMIT4gIYJ20LbX6KOJnhq6cEbWLSJEBtW4ko=,tag:uxgfFVbPozT3QetMg4AAeQ==,type:str]", + "data": "ENC[AES256_GCM,data:OTKF4ciLxhfcmeqS78NsoS24e2PaUmpdbD+Ol2toWDcc/WdRYDcw8uimtJE/B0VfXUgz8sqEPISXOHV1kw2Jh3+089HVLlQPdJPpC9aCSQ9zPv3wwyCAXATH2nOv1piF+h8tNqHYmsxykDFVkMs1oEvGPQOlo9HaFd4OSB2y1nSAA/S79wOa,iv:ZCH/gsD91QcVKQtyymUXXOrSioHrOwa9mW/PIe6WG1k=,tag:ck4C6U5RphH5rR0yR0rqIw==,type:str]", "sops": { "kms": null, "gcp_kms": null, 
@@ -19,8 +19,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSlVJOVJQL1B1NFhnRFpC\nSlczMVlCRllQVE83clJSd0JmMEJwTlpybmtrCk8xaisvV0t4Y29ZQ0VUZVo3OXcw\nYmFPZXJrWnBuL0tzK2x6M3pnSmltQkUKLS0tIFNQUmVTNU9mYVB0Q0tvL0RXNlFV\nVVMwa0lGN2krODYrN0ZXWk1XZFgzakkKsU/gYH12e0EqAKlh0e36JQTqa0FG1LCv\n+D1F/8cM+FnWdIp9m2rRn4Y17F4TlQ4G+z1s/1qFPNrX3xyQ1VpKEw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-02-12T09:43:35Z", - "mac": "ENC[AES256_GCM,data:NFlmL4am9aN+K8xQeR7qBYyQMJNl5exAlOo6IvmVd0tQ51n5uzyZ7rxJK5ku3amh/ZxNF4G2FJKJQFbN+7I5aq58xJWUF4ApsZfAsNBUG8e1/4/Jzdk5BSHaP3N8wkkNb3zWBFqE7aijcq+GH/P8Ra+hprbkAYLjEoTcJoMVtsE=,iv:kdqS91wd4cat1dgxbVo0AuHPxJ4BPSKFyTAOg3VP+KM=,tag:9vvYEwJWFTdXB4HJ8viy8g==,type:str]", + "lastmodified": "2025-02-15T16:47:02Z", + "mac": "ENC[AES256_GCM,data:wilD1Hhi9/+eFmfPznq4WQYBYROkPfvKV7cjKsfRzgm1k5GRwvXe1V2bHpHJAVgPADFQ8b5JJrRmOGqNwds28Tx5fKmp8B4g7s7i8v7JK62OLMOl1BX3AeJxjvDBEPIKLkZUZuosSmCZUBEWcXppyVmdvHJETLi6RIFpAEw/Zc4=,iv:CcSj6oSjmWPQXJv9O7GlPIVfj+0h7fgktIZHVFWdFbI=,tag:2C0vY1Fvh5nvuzmdcoUYNA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.4" diff --git a/terraform-iam/cache-staging.tf b/terraform-iam/cache-staging.tf index 22c5197d..13f69a8b 100644 --- a/terraform-iam/cache-staging.tf +++ b/terraform-iam/cache-staging.tf @@ -36,6 +36,11 @@ resource "aws_iam_policy" "s3-upload-cache-staging" { policy = data.aws_iam_policy_document.s3-upload-cache-staging.json } +resource "aws_iam_user_policy_attachment" "s3-upload-cache-staging-attachment" { + user = aws_iam_user.s3-upload-cache-staging.name + policy_arn = aws_iam_policy.s3-upload-cache-staging.arn +} + output "s3-upload-key-staging" { value = { key = aws_iam_access_key.s3-upload-cache-staging.id From 6429d05293ff8f8c9d597c32a86f1d321cbfa016 Mon Sep 17 00:00:00 2001 
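Review bot: The attachment is what finally gives the `s3-upload-cache-staging` user its permissions, so a one-line comment above the new resource, e.g. `# The policy existed but was never attached; without this the access key is inert.`, would explain why staging uploads failed before this commit. The `output` block that follows exposes `aws_iam_access_key.s3-upload-cache-staging.id`; the rest of that block is outside the hunk, but if it also returns the key's `secret`, the output should carry `sensitive = true` so plan/apply logs do not print it (it is still written to state, so the state backend has to be treated as secret). The policy document is also outside this hunk; since the same commit corrects the bucket name in hydra.nix to `nix-cache-staging`, it is worth confirming the document's resource ARNs name that bucket and nothing broader.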
From: shivaraj-bh Date: Sun, 16 Feb 2025 08:15:29 +0530 Subject: [PATCH 21/23] staging-hydra: add shivaraj-bh --- non-critical-infra/hosts/staging-hydra/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/non-critical-infra/hosts/staging-hydra/default.nix b/non-critical-infra/hosts/staging-hydra/default.nix index 2ad41ef9..d2cf69cf 100644 --- a/non-critical-infra/hosts/staging-hydra/default.nix +++ b/non-critical-infra/hosts/staging-hydra/default.nix @@ -43,5 +43,7 @@ users.users.root.openssh.authorizedKeys.keys = [ # m1-s "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaGspw6myJ5GKHHxN+7jaJWyU1SlVo4nCzDajyJdtvg" + # shivaraj-bh + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFN5Ov2zDIG59/DaYKjT0sMWIY15er1DZCT9SIak07vK" ]; } From 499b636f70b1048cb3d825c8bef15e9867e5a16e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 16 Feb 2025 10:03:34 +0700 Subject: [PATCH 22/23] add shivaraj-bh sops key --- non-critical-infra/.sops.yaml | 3 ++ .../hydra-aws-credentials.staging-hydra | 10 +++++-- .../secrets/hydra-users.staging-hydra | 10 +++++-- .../secrets/signing-key.staging-hydra | 10 +++++-- .../secrets/staging-hydra-hostkeys.yaml | 29 ++++++++++++------- 5 files changed, 43 insertions(+), 19 deletions(-) diff --git a/non-critical-infra/.sops.yaml b/non-critical-infra/.sops.yaml index 1fd69e5d..11f19819 100644 --- a/non-critical-infra/.sops.yaml +++ b/non-critical-infra/.sops.yaml @@ -6,6 +6,7 @@ keys: - &staging-hydra age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v - &m1-s age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8 - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + - &shivaraj-bh age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9 creation_rules: - path_regex: secrets/[^/]+.caliban @@ -27,11 +28,13 @@ creation_rules: key_groups: - age: - *m1-s + - *shivaraj-bh - *mic92 - path_regex: secrets/[^/]+.staging-hydra key_groups: - age: - *staging-hydra + - *shivaraj-bh - *m1-s - *mic92 
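Review bot: Listing `*shivaraj-bh` under the `secrets/[^/]+.staging-hydra` rule grants that age key every staging-hydra secret, including `signing-key.staging-hydra` — the key passed as `secret-key=` in the store URI, i.e. the key that signs what lands in the staging cache — and the AWS upload credentials, not just the host keys. If that is intended, a comment above the rule, e.g. `# holders of these keys can read the staging cache signing key and S3 upload credentials`, makes the trust boundary explicit for the next addition. The same commit re-wraps the existing secret files for the new recipient, so no separate `sops updatekeys` step is needed. The first `creation_rules` entry lies before this hunk.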
diff --git a/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra b/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra
index d827411a..6fbf0df5 100644
--- a/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra
+++ b/non-critical-infra/secrets/hydra-aws-credentials.staging-hydra
@@ -8,15 +8,19 @@ "age": [ { "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReHQ1WkRhbHRDOTBtQ2JL\ndFk2eVJuM2JaU2NCY0pSL0lCalc1ek1iYVE0Ckd4ajR4TGRHM1pnNEZCeUJZYjQy\ndFVpSTJ2Ynk5TDN2UlRXb09Ha09sSnMKLS0tIHFiQ1M0SmRvQVlQbDk4OThSRFBX\nTG5QbktuK2JrTDdGdHZkUURVRUhkSEEKnD+B5Bft0oW2hc7/Gmj7UnqLTXlQz18E\n+3jNAk9hPDrynzFU8SqRqK4hsawb88xYGbZPJGQE5twp6O5OzNhMrg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbHBoNkZzY0E1NytUMGsw\nVHQ3NnJQbjJCQ0JpdXEyVXBFVS9CcTVBU1JzClBYa1pLQWdlREhIbnFJbUhrWWdY\naE9rRE0ySWlaMTZGMGpXeWRHVE96a1EKLS0tIExnYTBXdE16Z2h5UGhsK3gyMm53\nWGlmUkhndnZYOE9COE5wVDRsZi8zbTQKNqiJ+vpmwhpdHAmh++A4s7kJQEASXi+o\nbZd6Wr/F7ucZqrB+BZAoqYFb5XGfBrQ/TeTBOi8drS58y0yYilsATQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVW43N3BOeWZpK3BPMTZv\ndE5KVndUSFNaR3FaalhVdjVhN2JPbVdtQUhRCnFlNkQrSSs2MDkxVEhxYThkVVg0\nSVp5Y1VTeWI4a2Z5SSsvVlNzQTg1OVUKLS0tIERMbjNSSzJsc1F0TWZYaUhiQU5l\nbUFZTUtjVmFWRUl4OEkwZjNMWVpsN0kKpaENj5CzhSIj5JcCx+5mydbsugjONig6\nIRBvuG/RJBQnwVTyBcYdezV+OlhX86FHbf1KmO94B8crUoUePLL24Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtc015Q0paTmlLWWVWMTJG\nWUgvK0E2R0hLaFcvSlZoNDlIK0dsaWhXR3prClFJLzRvdGowemdRbGZ1U281ZVBt\nc2RyRFFMa3QyV09BcFBXMFI4ZXJoR0UKLS0tIGs3T1MrTGo5RDY2UjdhV1UwNDQ0\nSnN6RHFkaHBsVXdiekVZRC9UajRRaDQKCoc8Xc1R6atrbdZsroe+xJ1TyucIUlmO\ny5sCxtuG423KzYOkAEaiB4ZRgtB5pXpxuvfEBHfGiBn9xdsO8qzY+w==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWc1RWQ1c5ZmV3cU56QzhQ\nclpNNU9ycCtKa1piWTBnQVdrbEpOQlJwYUJJCnB2NlVXd0J3NElueHo0ZEsvMEpC\nc2RTa2RFV0lvaDg5THoyWjcyV2ttQ00KLS0tIG5lZnFBVHdxQjhkYjQrM0ZUQnRM\nbGRZaGJiNUFIc2orS2x4TGNxa2kvNUUKldYSnCr3NEdV1WtpWrrNxd6e129T40Fh\nSrSr2cLlUN/tvw5o96ysO3zfYhTF2kbjADxFvMW25T2jjliGNzPKTQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSlVJOVJQL1B1NFhnRFpC\nSlczMVlCRllQVE83clJSd0JmMEJwTlpybmtrCk8xaisvV0t4Y29ZQ0VUZVo3OXcw\nYmFPZXJrWnBuL0tzK2x6M3pnSmltQkUKLS0tIFNQUmVTNU9mYVB0Q0tvL0RXNlFV\nVVMwa0lGN2krODYrN0ZXWk1XZFgzakkKsU/gYH12e0EqAKlh0e36JQTqa0FG1LCv\n+D1F/8cM+FnWdIp9m2rRn4Y17F4TlQ4G+z1s/1qFPNrX3xyQ1VpKEw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNzBuNGJxakZaNXJONU11\nSkNsN2ZzYWhzVWl0U3lUWTAzK1NvT1hnOG5rCnJHTjBxcExzdjgvUGxUSVBqZjdW\nRTZUYTR1bFd6NEltRmZQZ0pYVmI5TzAKLS0tIHZVbWM4Y2NTN2JDckRPZWk0ZDgv\nVXMybjlaWUplSkRjdDlma1RGMFFSZGMKDUPalwL72E1ISuuYVa8JOyO2evqAvke/\nc1B/S6QZDZocmPZpxlyJ1Dmb2OxhNr+kA9YhL/LRMQplI7v7qI6uxw==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-02-15T16:47:02Z", diff --git a/non-critical-infra/secrets/hydra-users.staging-hydra b/non-critical-infra/secrets/hydra-users.staging-hydra index 98ec141e..323b897e 100644 --- a/non-critical-infra/secrets/hydra-users.staging-hydra +++ b/non-critical-infra/secrets/hydra-users.staging-hydra 
@@ -8,15 +8,19 @@ "age": [ { "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYVJQaTNxZUZ5SWwyUTBq\nU2kveW5wMzBVSWd3Qi9jZHd2djJwVXFCZ3pjCmhSMXF1YVJMS3FVNVRndGgvbWNC\nR3VpS3dVdDNZQzc4V0haQ3J2Vkt4NDAKLS0tIHl3N2dscC9oMHNJZnBpYzVjNlc0\nTnIrWFA3YjZ2aHAwMGR5UStDL2UyKzgKSTdcEY1oVC6RnJmigj/EGz5/LhpLmhcj\nBUlah8cxgStQDpF9N3mmc90FQRpQUHBRnE9kbE7rpHILhbl3NqYnfg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdlJaVE1XOWc0WFBrQTlz\nK3JhNWwrUUNYdXZkMVYzaTFoa2ZLL2dKbDM4CnlzRDJ0OGJPbFFQVmVISzBDSGdY\nVnU1ZHhlMVpEWUhYWTNydHZGYlE1TEEKLS0tIFUxZXRBN3ZWdThSRVAwZENXSXZI\nSVVUc1d3TXk3MHdzdlNQT3MxWHhwaWsK08hZaOCh7vquB1emKy0FYvenzB7IHbMm\nxoFna2slhAzgJUPgOCODeEpel3G9B+KnZ9UzHF/mQ4Nw1CI2NqaqkA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVakdZL1VxSmE3VTM4RTly\nZnFaQ0FaclVzUmc2cXBoUkVQaXk2ekN1aEcwCnVxZW9iUm01RzM1RGxGYlRkTjdF\nWmJ6UUFUZFdFQ1B4SmZjeGhMV1pIZjQKLS0tIEgwL1kzQ3BqR1BxRzRtOWxSU3Ji\nODI4K2k3cm9JeVEwNnAwTkxwRUxiMUUKtBpngvyVxtqw913doLq8FEaMwOH2Y8mV\nFFtIlxdSwI3PorVxxytq1zdqndQKW3rPrpGOvRqtLYsKL9w5whwWmQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBK3FLOXBkM2IzdnRrd21K\nNTZtbUdycHNXSG9iOUhyNTFuWFlLR2U0NHhZCnVWR0RwSmw0NGJWVEFGdDhtbE5I\nOU5JZm53SjIwRDZnazlaaU90MUhPVnMKLS0tIG9JazZnY2RGYmxLdGN6c3hiRFgy\nVVk4cnJGcFFjdkFyT1JXRFlLNjI5eEkKTjEd5RIMv8TLPipT/BwpdEAcr4MmUw9i\nNkolj6duCw0m8PgRjHBMcN3vKbCPJC7vxqPqBtndy0rwr7pbJ7WHbg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZHhFQzgrdUgrSjJ3ZjNp\nSmtER3daTVAyT2k0ZDNjbnNzWDNsbm1sTndFCnJiUWd3b2Nja2hHNjJ5MUFlSXZU\nMElEVVg3VGpKdVhxQlNWM1E0S1J3Yk0KLS0tIDFDdDUxemhoaFZlM2N6U1MrcFox\nK0RFdlFkb2lQVG5tUVg3Mmx3bDNJNTgKRFBsVoRGtjciJ9K8WU07u28fbjuZfvGv\njeoZR6T2grpQaw5iLnBwJ9qWXpqHiCmuM/hNICNlskmPhUR8TK9scw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNFB0bXNFKzk3dnBJTkNw\nQytpNFJBWWtINFpqUVFod0piekgwUVlpN0hFClpzY1FWUmJZNFJtQ09IVVRhVnN3\nSGtFNExrakFySjhGS3Y4ZTR1UjlPeHMKLS0tICtMNExQb3orZzJJaUJ5UUVmWGpQ\nS2RFcXVFN0ltL2pYNlNYc2JqaFZtZlEKOsfFinN/zbsYIB4PLSaHgN7f8QRgK8wt\nzqzk7uk00jSEni/uLj2b74QlLbxEEVnNXWb1+ZWGXSU0XNahGYreOQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpVGxWZTZFNFFXTEExVlha\nbHZDS2JVREhxWWtJRnVHUExFT2RQRmJwblFnCjhPbFdTY1Q5Yk1sYlYxdDV2RWZ0\neHVSVEJIL0FqeDBqY3Voa2JRaGMrVk0KLS0tIHdQNkZJblRncDJpdStYbGkwMVZu\nWFF2aVJ2cDFyTk5HNGV5VUduL1JSa3MKrVlkqPdPwNfJGx0cdh8Tw+TbVkuNub3m\nlCrYi1H8Z5EY3TfBM/0ZbcLj7WckrxSDllclmUS5PoUuCtscSKoDdg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-02-15T15:41:52Z", diff --git a/non-critical-infra/secrets/signing-key.staging-hydra b/non-critical-infra/secrets/signing-key.staging-hydra index 1e87750e..d28df0a7 100644 --- a/non-critical-infra/secrets/signing-key.staging-hydra +++ b/non-critical-infra/secrets/signing-key.staging-hydra 
@@ -8,15 +8,19 @@ "age": [ { "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcTBnUzBNU0J1MGN1MnJN\naUR5dnEwSmQwQVlHcjVFcmJ4QWZRSDlXVXlzCndyd1dSa2l3ZGtTN0l3ZEJKM1Fl\nNWNOOEFBS0M2bFVGcGczc2J6SUpjVnMKLS0tIEcvYmJjWlFkZXozOHhxcTlHemla\nOTl5dlhsRkM0MGdrR0ZtU1p4UEdOZHcKnIXOb8UaRSPFwM+yztXsu2KJr4afVwqd\nevTsIfzXH5inEvkMOW8emtkexCc9TBVSvP8+8lKE63M3ysFmaToy8w==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVElpb0lUY1RpYmtJdEE0\nL0FtdTNCSEpMK1gxTTZzSjAyLzRSd1Q3VzBNCmJyRTBWaDNuU0lIbzg3aGp0TG90\nV25ZOHNhMmhDRXFsWXJWc2xiRFYxQncKLS0tIG1iQk02WkRQOGNJTmo2R05JSnVH\ncEdhNlJ3SlhDOGNJYWYycWFmY0pZQ00KGqj7vzYgbYNZYF8sG/e7wDaEXhwdRjI9\nJhfCMw8EN6eRG7k11ThFXIk07EQOlvEUiSRb8GdovEBaMIZBxaI3Pw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIQzVHVi81RkxmcjhYRUVX\nNGdCZlQ3TWFRVnR5ZDhQK1dGQzREaktkZGtvCkp6UFdWbUFNY1JOaVZiQXpXL09G\nRW81NGdnQUo3LzFYQW42SUgvTTNqTTgKLS0tIEpva09SQWwvTitRbkxNOUkwL2FT\nNlNrVHVsc1dlbnZIazM3b0tRT0JpbmsKgrGxxEnzsyryna7we/OMGs9QH7qaoGY5\ny3eK24fHf0gXIUCIidjzG/WJGcmv6KYMUdTv9ThNxJIZaeDNR85b7Q==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjNkdTJRQ3MrKytVYkV2\nK3hVR25DWVpNUUpWOG1xS25FYk45WDI5bmcwCmpWZTRzbFZTbmxqaU5IcmViK0dY\nVW5VVzNxaGRKaVpDSFhseVBEL084T2cKLS0tIFRoRDNCSXQ1eDFZYWtnY2t6SEhk\nd2FRTFE3dG1sR2VvLzhwWms4cHUxSDgKPT3VyycykmGXTeKZXD9SfeUhZcN7NIr5\nYOFO9J/pdqJ90G4m8WSaBG82w1ktJblrcy8sEzD2V37Nfl4UiB/QwA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdm10NXN2NUZ2VkFYWjNk\nS3NOd0xhemd2WWdJNmNCWm9YaGZXTGJ6SGt3Cm53Q05TTGpacklDNGJZc01aUmxj\nK0tQOStuNXMxWEVCZTl0OFdyU0dWc28KLS0tIHU5NlR5SDJCREVQTlQ5RXFSK2Q0\nazY3RHJDVkVhOE1KQkRiU2NUYTBWQkkKKf4hOc3AhVvUbAQldTLWgEaG6IypJGdV\nV1XN/fbDozDcm0CHB/JJZsRErrpYQNSC4XJMR1kM2ZD1Rw3DnJjvtg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDd2taT3JJcjhwVGZORGp5\nTFd1Ym85VnBiU2psektnT3grcGx6UlhYbkVNCnUwQUQzc2JZV0JMWXkwSjNXZGdq\nL3ZSOHpNQ3hwV1VuSXc4eVNOZklNNjQKLS0tIHlvZGYzQnliak5VKzdxeUFQakJn\nQ1A4RWk3ZjF2bEtpNktXMklScVBUUXMKrOW8MDPUjtsjOBcHx7BxOK4Kt2BYl318\nA1ytiiSi8kan3ta1QSZJOuQLYmSmlI/TGuFjY17wQJsrx0a2OAYFng==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiOUppNDBwQmsxdmtZVWJs\nenRDeUNqZzZxaW56eWVHTTg0Z2RYamlLOGlVCmlxVDd3clU0SldFZFJZcFlMRGJx\nZ1BkTmtPN1k0SXkzTVVxUXdGc1dMbFkKLS0tIGVYYUtnRGxPcmRIQnM4MkYxSjRJ\ndktHbEU3TE5WT21UYXllejhNR1RyY0EKBaK7nv12X+bjQn0ogxMFfrnY76W5no8r\nmCrPBQ63YhRVfgnDD81tjBcIblDoBHcOuvyXTX3F1oYCOnGWcVjxHg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-02-12T09:27:43Z", diff --git a/non-critical-infra/secrets/staging-hydra-hostkeys.yaml b/non-critical-infra/secrets/staging-hydra-hostkeys.yaml index 4c1a8a62..c2bdb6d5 100644 --- a/non-critical-infra/secrets/staging-hydra-hostkeys.yaml +++ b/non-critical-infra/secrets/staging-hydra-hostkeys.yaml 
@@ -9,20 +9,29 @@ sops: - recipient: age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubThhZ2U2Tnp3VjEyVEtD - TnNScHFVaVFVV21WbmZNSjlEcG1FSGYvbHhBClVHVEJPZnNvVGhHbWJvRkVENXFu - OGlZWUFBL2N2T0kvWnI0cXZnU01vMHcKLS0tIEcrUG84bGhQZEVpWVN3REZhNVgy - bUFzL0xJZVlTaGpEdnk3NG8rS1o5VDAKDQc62S+uy/sl7lDyUMfrqDhurqAua5ik - l2y+nFnzv4/RVa3Y4xbJyy/TEuNpEsNS0s3bgnHD5kOAgjtIKjEFkQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWEZWT2h1L05lb2gyODlx + S3ZudXg0Wnk4OWIvenBOejFBMWhtNTNDdHg4CkZ2Vmx1bnF1QnNXNktzRmErOFJq + cFF1RHU4c214eDJKdzMzOXI5Q1hkaFkKLS0tIE53bitoZkNHVFVEUE13eVg3czZh + WmNZWHFiUGN2WnpWcWcxdkdlNlJ5UFEKLD2155H+5RU+wB3JUFm1smJGmNI72DJD + 6eH62pn8RzdzFPcSg7wmdTSfI+nRtXkVz6wdjd/g3vix6e6Lz5O8GA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSWRlYnBDbHdyNnJaRnYw + M1RsMGd1QUgzZVl1aXRPUHluMm5Wdk1LZnlZCndQRFUzcEcxWXFNZGhSbm9LMzhI + YTd4eXZQdm9yTHlFQUxVZDBjTU1aVncKLS0tIFZkR2hUZ1BMVytGUTBnNWROT1g5 + bFpuZ2hFSzV4WVlIZ0tVMERkRzkvK2cKicdx+Sw/t//pH3sUilRwfTQ4M6rk6mcz + fsotjUPd76aelejHG2S719WrPE2M8JPGV7YHekP0hr4rLJAE+cKbVQ== -----END AGE ENCRYPTED FILE----- - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaEZVMVVqSlYyTDVuT29p - Yk9lT0VZb2dIV3MyR2luV21taGV2ZC85akRJCjNnYktKWFg0MjlqU2hDNXZOYk9J - Y0VUK3BJR1l5S0d3eVRjM3MxR3hUSzgKLS0tIFNPNitGOGgrK05hSXhCWkFDNHZa - eFF2SlQwSmVoVUszeVI0SWRZK2ROS0kKUAjRNmIDiavnbL9/sgLu12DPf5qEXiFu - w0vTGO5ffR0I04SYpHznSf28Ja/EcbpDrZ6fMh6bC7Q+k1uLvASBEA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFV29GUWNDSCtkVjdrNUFW + TG1VU2Y2d1hUenoyV1ZwL1ZuTkQ4Tm9pQUNVCktIeXVNQXd0RTl0TkxnNFRVcWw0 + bUFodzJpdm55MmtZb2wrVmtydW8zZUEKLS0tIFFkS0lmK2o5cHQzbWZiZWc3M1pD + 
Ly9CYm9Ed1F1Q2JhU2p4Zytnd0lsREkK4JY16UGHu41RYxqdSr7b1owUSuZtxhmK
+ 15PSfEEiTnR3nrpO0L+66Tmmz4aM5nUfmUBgwkh7mYhs5/0C4YvOsA==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2025-02-12T09:19:59Z"
 mac: ENC[AES256_GCM,data:Ym3YsYfQOd4D8iZ0K01gF6IzvYYvQEKFWzLqL815Nk0ozW1g3D8xPcNxVxb0juvRjbeBXlz0fkDLXxJ1N0ZMASmZ2wHxfR9w5J+CL8hyCmsutJ+ofdiZVJ+ZwEKfenPp/Ke02ce+5EixxU5X3Ad04kLjNalOmmkNhTd5WRFbFe8=,iv:guGa3Nz1DC8Bo5yVP6unoCFGVigKmAKliXA8r5gKyNg=,tag:k69LdmsWW5gYbamdD2S4Ig==,type:str]
From 6e95301d2ad144610c9dc40f358fc06e281179ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 16 Feb 2025 10:16:52 +0700
Subject: [PATCH 23/23] staging-hydra: add hydra-password
---
 .../secrets/hydra-password.staging-hydra | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 non-critical-infra/secrets/hydra-password.staging-hydra
diff --git a/non-critical-infra/secrets/hydra-password.staging-hydra b/non-critical-infra/secrets/hydra-password.staging-hydra
new file mode 100644
index 00000000..231fa657
--- /dev/null
+++ b/non-critical-infra/secrets/hydra-password.staging-hydra
@@ -0,0 +1,32 @@ +{ + "data": "ENC[AES256_GCM,data:6pJnTnWOCfA/vM+eV4cGc5Cif/gvXq8aNGiL,iv:PqGRNS4u9Ok6OJ4XE2oqcgTeuHbdMsteV3TucOA59IQ=,tag:P5E036UhXxJyqGyat+bzsg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZmJYcHJ5VndldTBCOS9z\nZ1Z0ci9yM2d5d2MzNml6ZmJtU2JzUUhzU0VNCnRnTnlXbng5NDBUVnd0VWkyUHFK\nZGRrVGpRZ3pEKzRwWEQ2bHZQbUNROEEKLS0tIGhuTGhtOEFNa1NpSW9qa3IvQTV2\nck44cUwxZTJZNGNxSVlVRUlzWmp1SlUKuqR/rAE1Sig4mORIy+WZoZUw0m+TY93d\nVwKn6YoEs5qiLUpNa0a2wPaj1Iec8eZlJYzkt1eoZFx7ErB/it66mg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNWZOR2V6Q29sNlUrWVps\ndnRrWGZodnhxZEI3cGlPRXRKMWI2eWxxZUEwCi9BUE5oeW5rTnJlVE5td2Q5SVkz\nbVNKVFBsazFMeVg3d0hkL3o2WWJJNE0KLS0tIGdGT1ZibTV6VjkwaEpxbFVVTFJR\ndWxVL1J2eElvaUFEblJwSVRwbkVzV28KxUx+YuFZqAVj3moTnoSblXrcf4EMiZjq\nVlGD0ccJfqfQU/1SAnExebUODcIWA22tCvTr6fTT8vQm9MAJDmz5Mg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTVdZUDgzbWRKa3oxMXFn\nbWZlN0djdWUySXBsZ3U0RDAyWld1QkJYRjAwCkNPUC9JRVM4Vi9LUGlWSWhFQVNG\ndXhwSjRxNXB2eE9IdEtsTXl4VitEWHMKLS0tIHkwTUFHWGl2VUZMd215T1VZZGw0\na2xVTHA4b1JMNFJZUG9kTU5nZ0VzVUEKljLLoGh0tJ9KYZocrZ0LT79mXQF916aQ\nsDi67K5yB5pDwsyZAfo5Gmp2FsJCJmt93ao/iSL2J91rdap0uo9ZCw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnSHdrYXA1WkxmU2VrSkto\nNnBnNjk3MEVBdlB0aE0rWU9zN3RPZ0JLb2lNCklOT3ZlSDcwQzA3RTNMUU5wcS9K\nUHNYS0xXMitacXZMWW9rYzdqcnRIUVUKLS0tIFZTMFpWR004WG5HSitvMy9pMzI0\nT0MyOEMvNmRLaEY5eTZRdHcrUUFEQUEKiSEe9qD9oe8BzB2ABhlmbN91EVOZDhd9\nt2ZpqvUnIN2uAYAcORM6KKj5S2GYNGi6BE1xNiHSFCPA3IX2DQnQiw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-16T03:16:30Z", + "mac": "ENC[AES256_GCM,data:fzEO67Uo6KkeHFY5OwI0dHeSwzWf93HgxGsm8QwSFL6oHDFfWX2ssHU6in+hK61FH4/3di8fWZpfE92IGSinci6QIW9Gr3MMr+arpQoFBZJFYGKakLOxGioauStup5l5G/XDacgVYfrAuQhC8bGvg/RF3nnJ5Q4OinNot4r51Ag=,iv:+ndd8LFWdOiyuO9G5fgPAjaoS1dzOr/Ta51WEmTReJk=,tag:LrSTNAotzJKNaGfAcZu1Ag==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.4" + } +} \ No newline at end of file