add key to read from cache

diogotcorreia · Jan 18, 2024 · 8a1c71d · 8a1c71d
1 parent cd0a92a
commit 8a1c71d
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 18 deletions.
diff --git a/hosts/phobos/atticd.nix b/hosts/phobos/atticd.nix
@@ -10,8 +10,7 @@ let
   host = "nix-cache.diogotc.com";
   port = 8004;
   dbUser = config.services.atticd.user;
-in
-{
+in {
 
   age.secrets = {
     phobosAtticdEnvVariables = {
@@ -40,9 +39,7 @@ in
       soft-delete-caches = false;
       require-proof-of-possession = true;
 
-      database = {
-        url = "postgresql:///${dbUser}";
-      };
+      database.url = "postgresql:///${dbUser}";
 
       chunking = {
         nar-size-threshold = 65536; # chunk files that are 64 KiB or larger
@@ -51,9 +48,7 @@ in
         max-size = 262144; # 256 KiB
       };
 
-      compression = {
-        type = "zstd";
-      };
+      compression = { type = "zstd"; };
 
       garbage-collection = {
         interval = "12 hours";

diff --git a/modules/system.nix b/modules/system.nix
@@ -5,18 +5,22 @@
 #
 # System config common across all hosts
 
-{ inputs, pkgs, lib, ... }: {
+{ config, inputs, pkgs, lib, secretsDir, ... }: {
+  # Contains:
+  # machine nix-cache.diogotc.com
+  # password <token>
+  age.secrets.nixCacheDiogotcReadTokenNetrc.file =
+    "${secretsDir}/nixCacheDiogotcReadTokenNetrc.age";
+
   nix = {
     settings = {
       auto-optimise-store = true;
       experimental-features = [ "nix-command" "flakes" ];
       trusted-users = [ "root" "@wheel" ];
-      substituters = [
-        "https://nix-cache.diogotc.com/dtc"
-      ];
-      trusted-public-keys = [
-        "dtc:HU5hQrzlNDSFAcA/kvzKx+IhyDYLvR+xUS/1drh3o2U="
-      ];
+      substituters = [ "https://nix-cache.diogotc.com/dtc" ];
+      trusted-public-keys =
+        [ "dtc:HU5hQrzlNDSFAcA/kvzKx+IhyDYLvR+xUS/1drh3o2U=" ];
+      netrc-file = config.age.secrets.nixCacheDiogotcReadTokenNetrc.path;
     };
 
     # Lock flake registry to keep it synced with the inputs

diff --git a/secrets/nixCacheDiogotcReadTokenNetrc.age b/secrets/nixCacheDiogotcReadTokenNetrc.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -9,10 +9,13 @@ let
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/L7HpMOr7L8qDBJRF19lXR90xrn7tHmjhMnQhGGqvO";
   phobosSystem =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMDvcqB4ljQ4EvoiL6WS+8BqhtoMv/quzqExd3juqRU";
+
+  personalSystems = [ apolloSystem bacchusSystem ];
+  allSystems = personalSystems ++ [ broSystem heraSystem phobosSystem ];
 in {
-  "nebulaCA.age".publicKeys =
-    [ apolloSystem bacchusSystem broSystem heraSystem phobosSystem ];
-  "openvpnIstAuthUserPass.age".publicKeys = [ apolloSystem bacchusSystem ];
+  "nebulaCA.age".publicKeys = allSystems;
+  "nixCacheDiogotcReadTokenNetrc.age".publicKeys = allSystems;
+  "openvpnIstAuthUserPass.age".publicKeys = personalSystems;
 
   "apollo/nebulaCert.age".publicKeys = [ apolloSystem ];
   "apollo/nebulaKey.age".publicKeys = [ apolloSystem ];