nixos/buildkite-agent: stop deploying public keys, make ssh private key optional.

SSH public keys aren't needed to clone private repos, and if we only
need to configure a single attribute, there's no need for the "openssh"
attrset anymore.
Florian Klink 2020-01-17 16:03:00 +01:00
parent c80ebc9317
commit c154dd5101


@ -93,26 +93,19 @@ in
''; '';
}; };
openssh = privateSshKeyPath = mkOption {
{ privateKeyPath = mkOption {
type = types.path; type = types.path;
## maximum care is taken so that secrets (ssh keys and the CI token)
## don't end up in the Nix store.
apply = final: if final == null then null else toString final;
description = '' description = ''
Private agent key. OpenSSH private key
A run-time path to the key file, which is supposed to be provisioned A run-time path to the key file, which is supposed to be provisioned
outside of Nix store. outside of Nix store.
''; '';
}; };
publicKeyPath = mkOption {
type = types.path;
description = ''
Public agent key.
A run-time path to the key file, which is supposed to be provisioned
outside of Nix store.
'';
};
};
hooks = mkHookOptions [ hooks = mkHookOptions [
{ name = "checkout"; { name = "checkout";
@ -217,7 +210,6 @@ in
'' ''
mkdir -m 0700 -p "${sshDir}" mkdir -m 0700 -p "${sshDir}"
cp -f "${toString cfg.openssh.privateKeyPath}" "${sshDir}/id_rsa" cp -f "${toString cfg.openssh.privateKeyPath}" "${sshDir}/id_rsa"
cp -f "${toString cfg.openssh.publicKeyPath}" "${sshDir}/id_rsa.pub"
chmod 600 "${sshDir}"/id_rsa* chmod 600 "${sshDir}"/id_rsa*
cat > "${cfg.dataDir}/buildkite-agent.cfg" <<EOF cat > "${cfg.dataDir}/buildkite-agent.cfg" <<EOF
@ -250,7 +242,9 @@ in
}; };
imports = [ imports = [
(mkRenamedOptionModule [ "services" "buildkite-agent" "token" ] [ "services" "buildkite-agent" "tokenPath" ]) (mkRenamedOptionModule [ "services" "buildkite-agent" "token" ] [ "services" "buildkite-agent" "tokenPath" ])
(mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "privateKey" ] [ "services" "buildkite-agent" "openssh" "privateKeyPath" ]) (mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "privateKey" ] [ "services" "buildkite-agent" "privateSshKeyPath" ])
(mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "publicKey" ] [ "services" "buildkite-agent" "openssh" "publicKeyPath" ]) (mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "privateKeyPath" ] [ "services" "buildkite-agent" "privateSshKeyPath" ])
(mkRemovedOptionModule [ "services" "buildkite-agent" "openssh" "publicKey" ] "SSH public keys aren't necessary to clone private repos.")
(mkRemovedOptionModule [ "services" "buildkite-agent" "openssh" "publicKeyPath" ] "SSH public keys aren't necessary to clone private repos.")
]; ];
} }
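Review bot: The private key is not actually optional yet, because in the first hunk `privateSshKeyPath` keeps `type = types.path` with no default visible, so the `null` branch of the new `apply` cannot be reached and every configuration must still set a key. In the second hunk the unchanged line `cp -f "${toString cfg.openssh.privateKeyPath}" "${sshDir}/id_rsa"` still reads the old option path and runs unconditionally, so, if this rendering shows the new side faithfully, an unset key would turn into a copy from an empty path that fails at service start. I would declare the option as `type = types.nullOr types.path; default = null;` and wrap the key-provisioning lines in `optionalString (cfg.privateSshKeyPath != null)`, reading `cfg.privateSshKeyPath` directly rather than going through the rename shim. The preStart script starts and ends outside the hunk, so the guard may require splitting the string into a conditional part and the config-writing part.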