security: start setting permissions on secrets properly

2025-12-01 23:53:27 +01:00 · 2025-12-01 23:53:27 +01:00 · ad9862019c
commit ad9862019c
parent 01fb6d8ec9
11 changed files with 126 additions and 53 deletions
--- a/modules/server/hydra.nix
+++ b/modules/server/hydra.nix
@ -1,8 +1,18 @@
 {
  flake.modules.nixos.hydra =
-    { ... }:
+    { config, pkgs, ... }:
    let
      httpPort = 2000;
+
+      remotebuild-ssh-config = pkgs.writeTextFile {
+        name = "remotebuild-ssh-config";
+        text = ''
+          Host nixberry
+            IdentitiesOnly yes
+            IdentityFile ${config.sops.secrets."hydra/remotebuild/private-key".path}
+            User remotebuild
+        '';
+      };
    in
    {
      services.nix-serve = {
@ -18,5 +28,27 @@
        useSubstitutes = true;
      };

+      systemd =
+        let
+          user = "hydra-queue-runner";
+        in
+        {
+          tmpfiles.rules = [
+            "d ${config.users.users.${user}.home}/.ssh 0700 ${user} ${user} -"
+          ];
+
+          services.hydra-queue-runner = {
+
+            serviceConfig.ExecStartPre =
+              let
+                targetFile = "${config.users.users.${user}.home}/.ssh/config";
+              in
+              ''
+                ${pkgs.coreutils}/bin/ln -sf ${remotebuild-ssh-config} ${targetFile}
+                ${pkgs.coreutils}/bin/chown ${user}:${user} ${targetFile} 
+              '';
+          };
+        };
+
    };
 }