feat(2): declarative Docker Hub auth — sops dockerhub_auth + config.json template (rate-limit fix)

- secrets submodule -> cdd5e0a (adds sops dockerhub_auth = base64 nptest2:PAT).
- nix/modules/secrets.nix: sops.secrets.dockerhub_auth + sops.templates."docker-config.json"
  renders /root/.docker/config.json (0600 root) so abra/docker pulls authenticate (200/6h
  per-account) instead of the exhausted 100/6h shared-IP anon limit. Survives 1c rebuild.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-28 22:05:09 +01:00
parent 46e9d1c43a
commit 5e14963d51
2 changed files with 21 additions and 1 deletions

@ -48,11 +48,31 @@
path = "/var/lib/ci-certs/live/privkey.pem";
mode = "0400"; # private key — root only
};
# Phase-2 rate-limit fix (Class A1 registry creds, operator-2026-05-28). Authenticated Docker
# Hub pulls (200/6h per-account) replace the exhausted 100/6h shared-IP anonymous limit that
# was blocking heavy recipe deploys with `toomanyrequests`. Value is base64("nptest2:<PAT>")
# — i.e. the exact `auth` field docker config.json expects — so the template below is a pure
# render with no runtime base64. Read-only PAT; both the host exec runner and manual root
# deploys run as root (drone-runner-exec User=root), so /root/.docker/config.json covers both.
dockerhub_auth = { };
};
# EnvironmentFile for the host exec runner: DRONE_RPC_SECRET rendered from the sops secret.
templates."drone-runner.env".content = ''
DRONE_RPC_SECRET=${config.sops.placeholder.drone_rpc_secret}
'';
# Declarative root docker auth — survives a 1c rebuild (replaces the imperative `docker login`).
# abra runs `docker stack deploy` as root and reads this config.json to authenticate Docker Hub
# pulls (manifest resolution + image pulls). 0600/root-only since it embeds the PAT.
templates."docker-config.json" = {
path = "/root/.docker/config.json";
mode = "0600";
owner = "root";
content = ''
{"auths":{"https://index.docker.io/v1/":{"auth":"${config.sops.placeholder.dockerhub_auth}"}}}
'';
};
};
}
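Review bot: the comment on the `docker-config.json` template claims it authenticates both manifest resolution and image pulls for `docker stack deploy`, but the CLI's config.json only covers the client-side manifest/digest resolution; the swarm agent that actually pulls the task image uses the client's credentials only when `docker stack deploy` is invoked with `--with-registry-auth`, otherwise the pull is anonymous and still hits the 100/6h shared-IP limit this change is meant to escape. Confirm that abra passes that flag (or wraps the deploy so it does) and note it in the comment; without it the fix covers the manifest HEAD but not the `toomanyrequests` on the pull itself. Two smaller points on the same block: the docker CLI locates config.json via `$DOCKER_CONFIG` or `$HOME/.docker`, so the hardcoded `/root/.docker/config.json` path only helps the exec runner if its unit actually exports `HOME=/root` (systemd only does so when `User=` is set explicitly, which the comment says it is, so a one-line `Environment=DOCKER_CONFIG=/root/.docker` on the runner unit would make this robust rather than incidental); and since the rendered file is a managed artifact, a stray manual `docker login`/`docker logout` as root will try to rewrite it, so the comment should say the imperative login is now forbidden rather than merely "replaced".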

Submodule secrets updated: 2312f1cc67...cdd5e0ad25