Make token secret for actions runners

2024-12-11 13:32:41 +01:00 · 2024-12-11 13:32:41 +01:00 · 32378d917d
parent 5771c14249
commit 32378d917d
4 changed files with 16 additions and 8 deletions
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -31,7 +31,10 @@
          };
          nixpkgs = inputs.nixpkgs;
          nixos.module = {
-            imports = [ ./vm02179 ];
+            imports = [
+              ./vm02179
+              inputs.agenix.nixosModules.default
+            ];
          };
        };

@ -45,7 +48,10 @@
          };
          nixpkgs = inputs.nixpkgs;
          nixos.module = {
-            imports = [ ./vm02186 ];
+            imports = [
+              ./vm02186
+              inputs.agenix.nixosModules.default
+            ];
          };
        };
      };
--- a/infra/vm02179/gitea-runner.nix
+++ b/infra/vm02179/gitea-runner.nix
@ -1,6 +1,6 @@
-{ pkgs, ... }:
-{
+{ config, pkgs, ... }:

+{
  virtualisation.docker.enable = true;

  services.gitea-actions-runner = {
@ -9,8 +9,7 @@
      enable = true;
      name = "vm02179.procolix.com";
      url = "https://git.fediversity.eu";
-      # Obtaining the path to the runner token file may differ
-      token = "MKmFPY4nxfR4zPYHIRLoiJdrrfkGmcRymj0GWOAk";
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
      labels = [
        "docker:docker://node:16-bullseye"
        "native:host"
@ -35,6 +34,8 @@
    };
  };

+  age.secrets.forgejo-runner-token.file = ../../secrets/forgejo-runner-token.age;
+
  ## The Nix configuration of the system influences the Nix configuration
  ## in the workflow, and our workflows are often flake-based.
  nix.extraOptions = ''
--- a/infra/vm02179/token.txt
+++ b/infra/vm02179/token.txt
@ -1 +0,0 @@
-MKmFPY4nxfR4zPYHIRLoiJdrrfkGmcRymj0GWOAk
--- a/infra/vm02186/gitea-runner.nix
+++ b/infra/vm02186/gitea-runner.nix
@ -9,7 +9,7 @@

      name = config.networking.fqdn;
      url = "https://git.fediversity.eu";
-      token = "MKmFPY4nxfR4zPYHIRLoiJdrrfkGmcRymj0GWOAk";
+      tokenFile = config.age.secrets.forgejo-runner-token.path;

      settings = {
        log.level = "info";
@ -38,6 +38,8 @@
    };
  };

+  age.secrets.forgejo-runner-token.file = ../../secrets/forgejo-runner-token.age;
+
  ## For the Docker mode of the runner.
  virtualisation.docker.enable = true;