
Commit f48ebe1

committed
staging-hydra: sign paths with multiple keys
POC for NixOS/rfcs#149
1 parent 25839db commit f48ebe1


2 files changed

+41
-1
lines changed


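--- a/non-critical-infra/hosts/staging-hydra/hydra.nix
+++ b/non-critical-infra/hosts/staging-hydra/hydra.nix
@@ -36,6 +36,11 @@ in
 format = "binary";
 owner = config.systemd.services.hydra-queue-runner.serviceConfig.User;
 };
+signing-key-2 = {
+sopsFile = ../../secrets/signing-key-2.staging-hydra;
+format = "binary";
+owner = config.systemd.services.hydra-queue-runner.serviceConfig.User;
+};
 hydra-aws-credentials = {
 sopsFile = ../../secrets/hydra-aws-credentials.staging-hydra;
 format = "binary";
@@ -60,7 +65,7 @@ in
 extraConfig = ''
 max_servers 30
 
-store_uri = s3://nix-cache-staging?secret-key=${config.sops.secrets.signing-key.path}&ls-compression=br&log-compression=br
+store_uri = s3://nix-cache-staging?secret-key=${config.sops.secrets.signing-key.path}&secret-key=${config.sops.secrets.signing-key-2.path}&ls-compression=br&log-compression=br
 server_store_uri = https://cache-staging.nixos.org?local-nar-cache=${narCache}
 binary_cache_public_uri = https://cache-staging.nixos.org
 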
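Review bot: The new `store_uri` line repeats the `secret-key=` query parameter, and nothing in this diff shows that the store URI parser keeps both values; if it retains only one value per key, paths would be signed with a single key and the other signature would silently be missing. Before relying on this, confirm on the staging cache that freshly uploaded `.narinfo` files carry one `Sig:` entry per key, and add a short comment above `store_uri` such as `# sign every path with both keys (POC for NixOS/rfcs#149); keep in sync with the published public keys`. Both secrets are also decrypted on the same host for the same owner (the `hydra-queue-runner` service user), so the second key helps with rotation but gives no independence if that account is compromised. The enclosing secrets attribute set and the `extraConfig` string both start and end outside the hunks shown.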
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
{
2+
"data": "ENC[AES256_GCM,data:+OyGSbJB66gkadKm4yxQJIxLyMTSx5iKrmkgj8RxSfPRE0VpMdWfbo8BSD2tR2zeXkAb7jFLpwzArWDtUe2JB5icSkVBZsSHdD/L+1nmDeh2A/MHRqLXg4ewuD2OyI5z/hrZ59mTQg9E9TAV2mLSBuD0jjM4QvAh30RlxluY1/I=,iv:UOm2+DnUO87vVKe/GK5ZVenLjmZ+YoCxP+PoDyu4EE8=,tag:YuVaVIzXLyqEPg3bK6Uhqg==,type:str]",
3+
"sops": {
4+
"age": [
5+
{
6+
"recipient": "age1xj4dl6xdl5ztmetp9axa0epjj922hu6a2gut3rrs5rdc5xv85yjsq5ggpx",
7+
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVTdVYXJrYUpqRDE1OUlD\nRkV3VTFLQzZMbGFuNVZpbnp2blV1blJKVTNVCmxvZ0RxUlpST29kaE02UUhYOC9z\ndzA3SVlodTdnSmRQdU9WNUdmZ2YzZTAKLS0tIDZ5N0VGdW5GYjFoY3hYc1dFTU50\nNytHZTRhKzRYSDE1dmxUajBlcm5VQ1kKZu1azUS0YQH2NwbrkyGxzxP2h+9dfTmo\nTB1/kiqXVVjNiJBaGQUoWQ5jYgvB446MV0DnoMbveQGgts1G94vSuA==\n-----END AGE ENCRYPTED FILE-----\n"
8+
},
9+
{
10+
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
11+
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHblVDaThSVDI3bWxhT1Aw\nSXdLRzRQdzRwRUlGdEVPMTBOSnowYmlIVjNnCmxySVFyL2FjaVZCVzNNY3J3Z0xC\nTHJvanBtb0dCTmY1L0VkaW5odk5HN1UKLS0tIFlMOTVSL1YyQTFGN24zd05LUXlH\nbGt2S2pnZjNjQW9NU0hSVFJUSDZBa2MK/THSW5Lsan7K76XIxjbog7vT0VDe4dzM\nYKSWKuClmVihU2Pp6+He+bVa6/y9e9aVLtpZAm68jup6PMVYP1znbg==\n-----END AGE ENCRYPTED FILE-----\n"
12+
},
13+
{
14+
"recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h",
15+
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlN29QMDdNZUJSaExNbllh\nd3JlM1MrbFEwSm01bytscGhSa2FYRjhrclFrCllWdi94RFR3WU5uUWlOVFdoU0hy\nL2ZaemRsampqUjIrVWc5eDFkL2RZcVkKLS0tIDRkUCtpTGFvVTZXTkJma0VOS1BB\nRzFLVk1GQ29KejBuQkpNZDZrT2FNa1EKKEIBflHfRwkGt8bs+sLO3f5ORCrJayMX\ngfJTfhDdiM60+HbB717UsmROvv0gaWdNXZziohF2s7lv1IUgTxKDCQ==\n-----END AGE ENCRYPTED FILE-----\n"
16+
},
17+
{
18+
"recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x",
19+
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGMTVBK00rV0RpRmR1RHVk\nZkVUbG1WYWhWcXhLMkE4RVpPMUc1QUprODFFCnZwcUV1cnJwRjMzdnliZklPbm13\ncTd1L3hLQlYvUUN6bmJoSTROYzR3eWcKLS0tIEd0cy9GaHNCRjNhK1c4cVQvR1I3\nclF4eHJoRGtDeXdLVFVQQWg0U2QwUXcKr+1kGWmxZgy/2OyuB1p8OsfTHCqN6gE6\nzBPjOHFaSkNlR5Tj4LyWD3p0SPruLN6gv6J4C4nSTvx8540yWSYgxw==\n-----END AGE ENCRYPTED FILE-----\n"
20+
},
21+
{
22+
"recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h",
23+
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtS2tGd0pzcWJBL2Fzb1FC\naExIMnZRSWRpNThwQk51SGdpVE9TeFMrM1VZCjN0bVZiQkxSZW5wSlVKdVU3WkRU\nU2dMV25zVk9pVVVpQ24rRnd2SU1PdG8KLS0tIHZVay84aVQyaWtxQXY1U2JEWnRm\nVlVSRDJVL0FaL2JzMElxdDJ6cDd4L0EKdDbZeubhEBpcmBGQaUdnh1mxZ7uacyOn\nnpUb3NE+8MEVC3NCqRZblsqjbaQQneXvKCRFrSGLR0IP34ciqaQ8tw==\n-----END AGE ENCRYPTED FILE-----\n"
24+
},
25+
{
26+
"recipient": "age17ez23w2kpxl0gcdx4ehcglkcfcfnv4qz0gq2n8ylxwx4yrtjpvjqxfasua",
27+
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZEJkazdXODJ0aDQ5d09m\nZHRtVGZaeUJoMmxHWHlvQThNQlpTUXF1ZEZNCkRRUG8weXR5Vm16NzlGM1V0MUZD\nUUFZMFYzYWRvOEliZzdTNlkxbk94d1kKLS0tIEJDdFJYUHM3Y1F6dmRwV0FGOGtj\ncWtmZ3BXNURvZ25nU2N5RXVCSGdtcEEKIojh950vtjxU1/muCzoPhAeO6ISpVogR\nWNBTg2+6w8w8P8Ds4XyEVfYeTI2cAcOpNMuWiCuQslk8UIoRlNx8sQ==\n-----END AGE ENCRYPTED FILE-----\n"
28+
}
29+
],
30+
"lastmodified": "2025-08-08T17:05:25Z",
31+
"mac": "ENC[AES256_GCM,data:rlFOHtGSBfgl68CjQKmlBEJT5IwInTD1WhJrBr3qiFuvOv8S1o1OMYRKHejU6qKxOfTagR2j0koSDbvM2+hGb0S/HRWCl4/tQNLMrCmwxES0a1oADcwpclgE5KtjUIKsYHOxhKSnuFBWiT17jHKz3Tsx7VboSj8cpHof+Xby5rY=,iv:mQGoOMUFj3NGI7JI0RB+Cs0FYEglZSGJJDDTYyOPhDc=,tag:Xytm/xhrn8AaQhxDLX6Gxw==,type:str]",
32+
"unencrypted_suffix": "_unencrypted",
33+
"version": "3.10.2"
34+
}
35+
}
