diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 76329a6..9926af6 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -17,7 +17,10 @@
 };
 nixpkgs = inputs.nixpkgs;
 nixos.module = {
- imports = [ ./vm02116 ];
+ imports = [
+ ./vm02116
+ inputs.agenix.nixosModules.default
+ ];
 };
 };
diff --git a/infra/vm02116/forgejo.nix b/infra/vm02116/forgejo.nix
index 157e8d6..b72466b 100644
--- a/infra/vm02116/forgejo.nix
+++ b/infra/vm02116/forgejo.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 let
 domain = "git.fediversity.eu";
 in
@@ -27,15 +27,23 @@ in
 FROM = "git@fediversity.eu";
 USER = "git@fediversity.eu";
 };
- secrets.mailer.PASSWD = "/var/lib/forgejo/data/keys/forgejo-mailpw";
+ secrets.mailer.PASSWD = config.age.secrets.forgejo-email-password.path;
 database = {
 type = "mysql";
 socket = "/run/mysqld/mysqld.sock";
- passwordFile = "/var/lib/forgejo/data/keys/forgejo-dbpassword";
+ passwordFile = config.age.secrets.forgejo-database-password.path;
 };
 };
+ age.secrets.forgejo-database-password = {
+ file = ../../secrets/forgejo-database-password.age;
+ owner = "forgejo";
+ group = "forgejo";
+ mode = "440";
+ };
+ age.secrets.forgejo-email-password.file = ../../secrets/forgejo-email-password.age;
+ users.groups.keys.members = [ "forgejo" ];
 services.mysql = {
diff --git a/secrets/forgejo-database-password.age b/secrets/forgejo-database-password.age
new file mode 100644
index 0000000..435d5a0
Binary files /dev/null and b/secrets/forgejo-database-password.age differ
diff --git a/secrets/forgejo-email-password.age b/secrets/forgejo-email-password.age
new file mode 100644
index 0000000..9de91e3
--- /dev/null
+++ b/secrets/forgejo-email-password.age
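Review bot: The new `inputs.agenix.nixosModules.default` import depends on an `agenix` flake input that nothing in this diff declares; if it is not already present in flake.nix (outside this diff), evaluation fails with an undefined-attribute error on this line. If it is declared, it is worth confirming it is pinned through the flake lock and that its nixpkgs follows the host's (`agenix.inputs.nixpkgs.follows = "nixpkgs";`) so the module's tooling is built from the same nixpkgs as the rest of the host. The enclosing attribute set starts and ends outside the hunk.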
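Review bot: `age.secrets.forgejo-email-password.file = …` sets only `file`, so the decrypted mailer password gets agenix's default ownership and mode (root-owned, readable by root only), unlike the database password directly above it, which is explicitly given `owner = "forgejo"; group = "forgejo"; mode = "440";`. Unless the Forgejo module reads `secrets.mailer.PASSWD` with root privileges before dropping to the service user (not visible here), the service will fail to read the file at start, so the email secret should be defined like the database one: `age.secrets.forgejo-email-password = { file = ../../secrets/forgejo-email-password.age; owner = "forgejo"; group = "forgejo"; mode = "440"; };`. The added `users.groups.keys.members = [ "forgejo" ]` looks unrelated to agenix, which places secrets under its own directory with the per-secret owner and group set above rather than through the `keys` group; if it is a leftover from the old `/var/lib/forgejo/data/keys` layout it can probably be dropped. The two removed plaintext files under `/var/lib/forgejo/data/keys/` are no longer referenced by this configuration but are not deleted by it, so the commit message should note that they have to be removed from the host after deployment. The enclosing attribute set continues past the hunk.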
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 1MUEqQ Y+wylE1yiRBPh5aX3LNeX7/5YQ/EfPOplCBmIoR69yA +Vfvi1DZo927okyWLcfoVhVOada5bVdgcLXWzroIycGU +-> ssh-ed25519 Fa25Dw PFDPqt30lbvvf1Mu/AVMKfv/XyC2fIfnpvKrmyjDiRw +S9Qn+jNMpS4T5OlTIq0SFMTyKlq4Sz7ADdtKDuQoGB4 +--- 8/wxDtoP6ZfHqvQS8ld264jPEunSzbFP7Yqy664fyQ0 +~��C�s��%}+� xΥNX�^����� +s�$b�b�ٝ����N \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3ef18c8..54a86bc 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -18,6 +18,7 @@ let ## Machines in this list MAY be mentioned later on as able to decrypt some of ## the encrypted `.age` files. + vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr"; vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM"; vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW"; @@ -36,6 +37,8 @@ concatMapAttrs ## are able to decrypt them. { + forgejo-database-password = [ vm02116 ]; + forgejo-email-password = [ vm02116 ]; forgejo-runner-token = [ vm02179 vm02186
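Review bot: `secrets/forgejo-email-password.age` is committed as a text diff (its ciphertext bytes appear as `+` lines ending in `\ No newline at end of file`) while `secrets/forgejo-database-password.age` in the same commit is detected as binary, so git's text heuristic is deciding per file. Declaring the directory in `.gitattributes`, e.g. `secrets/*.age binary`, makes the treatment consistent and prevents line-ending normalization or merge drivers from silently altering a non-armored age file, which would leave the secret undecryptable on the host. The recipient stanzas visible in the header are public recipient fingerprints and are fine to commit.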
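Review bot: The `vm02116` host key added to the machine list becomes a decryption recipient for every secret that names it, so the commit message should record how the key was obtained and checked (for example, compared against the fingerprint shown by the host itself over an already trusted channel) rather than taken from a first SSH connection. The two `.age` files in this commit show two `ssh-ed25519` recipient stanzas each; if one of them is an administrator key rather than this host key, it should be listed in `secrets.nix` too, otherwise the recipient list in the file and the one in `secrets.nix` will drift on the next re-key. The second `secrets.nix` hunk is cut off at the end of the diff, so this could not be confirmed here.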