From c154dd5101c816f66d4c6e992d8f9a667e7e45c4 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Fri, 17 Jan 2020 16:03:00 +0100 Subject: [PATCH] nixos/buildkite-agent: stop deploying public keys, make ssh private key optional. SSH public keys aren't needed to clone private repos, and if we only need to configure a single attribute, there's no need for the "openssh" attrset anymore. --- .../buildkite-agent.nix | 38 ++++++++----------- 1 file changed, 16 insertions(+), 22 deletions(-) diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix index e996680beda..49fa4271cac 100644 --- a/nixos/modules/services/continuous-integration/buildkite-agent.nix +++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix @@ -93,26 +93,19 @@ in ''; }; - openssh = - { privateKeyPath = mkOption { - type = types.path; - description = '' - Private agent key. + privateSshKeyPath = mkOption { + type = types.path; + ## maximum care is taken so that secrets (ssh keys and the CI token) + ## don't end up in the Nix store. + apply = final: if final == null then null else toString final; - A run-time path to the key file, which is supposed to be provisioned - outside of Nix store. - ''; - }; - publicKeyPath = mkOption { - type = types.path; - description = '' - Public agent key. + description = '' + OpenSSH private key - A run-time path to the key file, which is supposed to be provisioned - outside of Nix store. - ''; - }; - }; + A run-time path to the key file, which is supposed to be provisioned + outside of Nix store. + ''; + }; hooks = mkHookOptions [ { name = "checkout"; @@ -217,7 +210,6 @@ in '' mkdir -m 0700 -p "${sshDir}" cp -f "${toString cfg.openssh.privateKeyPath}" "${sshDir}/id_rsa" - cp -f "${toString cfg.openssh.publicKeyPath}" "${sshDir}/id_rsa.pub" chmod 600 "${sshDir}"/id_rsa* cat > "${cfg.dataDir}/buildkite-agent.cfg" <
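Review bot: The new `privateSshKeyPath` option in the first hunk is still mandatory even though the subject says the private key is made optional: it keeps `type = types.path;` and declares no `default`, so the module system rejects a missing value and the `final == null` branch of the `apply` function can never run. Declaring it as `type = types.nullOr types.path;` with `default = null;` would make the option genuinely optional and give that null branch a purpose. The `apply = final: ... toString final` line should stay, since `toString` is what keeps a Nix path literal from being copied into the world-readable store when it is interpolated; the `##` comment could state that directly, e.g. `## toString keeps a path literal from being copied into the world-readable Nix store.` Note also that the second hunk still reads `cp -f "${toString cfg.openssh.privateKeyPath}" "${sshDir}/id_rsa"` as an unchanged context line while this hunk removes the `openssh` attrset, so the preStart script needs to switch to `cfg.privateSshKeyPath` (guarded with `optionalString (cfg.privateSshKeyPath != null)` once the option is nullable) or evaluation will fail on the missing attribute; that script is cut off at the end of the page, so later hunks may touch other parts of it.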