From 36b5351f0ac217d6c4209accee677df4c59a2e23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
Date: Wed, 11 Dec 2024 13:27:37 +0100
Subject: [PATCH] Handle Forgejo's secrets cleanly

---
 infra/flake-part.nix | 5 ++++-
 infra/vm02116/forgejo.nix | 14 +++++++++++---
 secrets/forgejo-database-password.age | Bin 0 -> 337 bytes
 secrets/forgejo-email-password.age | 8 ++++++++
 secrets/secrets.nix | 3 +++
 5 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100644 secrets/forgejo-database-password.age
 create mode 100644 secrets/forgejo-email-password.age

diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 76329a6..9926af6 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -17,7 +17,10 @@
 };
 nixpkgs = inputs.nixpkgs;
 nixos.module = {
- imports = [ ./vm02116 ];
+ imports = [
+ ./vm02116
+ inputs.agenix.nixosModules.default
+ ];
 };
 };
diff --git a/infra/vm02116/forgejo.nix b/infra/vm02116/forgejo.nix
index 157e8d6..b72466b 100644
--- a/infra/vm02116/forgejo.nix
+++ b/infra/vm02116/forgejo.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 let
 domain = "git.fediversity.eu";
 in
@@ -27,15 +27,23 @@ in
 FROM = "git@fediversity.eu";
 USER = "git@fediversity.eu";
 };
- secrets.mailer.PASSWD = "/var/lib/forgejo/data/keys/forgejo-mailpw";
+ secrets.mailer.PASSWD = config.age.secrets.forgejo-email-password.path;
 database = {
 type = "mysql";
 socket = "/run/mysqld/mysqld.sock";
- passwordFile = "/var/lib/forgejo/data/keys/forgejo-dbpassword";
+ passwordFile = config.age.secrets.forgejo-database-password.path;
 };
 };
+ age.secrets.forgejo-database-password = {
+ file = ../../secrets/forgejo-database-password.age;
+ owner = "forgejo";
+ group = "forgejo";
+ mode = "440";
+ };
+ age.secrets.forgejo-email-password.file = ../../secrets/forgejo-email-password.age;
+ users.groups.keys.members = [ "forgejo" ];
 services.mysql = {
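Review bot: The `config` argument added in this hunk exists so the following hunk (whose end lies outside this view) can point `secrets.mailer.PASSWD` at `config.age.secrets.forgejo-email-password.path`, but that secret is declared with only `.file`, so it keeps agenix's defaults (root-owned, mode 0400), whereas the database secret is explicitly given `owner = "forgejo"; group = "forgejo"; mode = "440";`. Unless something outside this diff changes those defaults, the forgejo service, which presumably reads the mailer password as its own user, will not be able to open the file at start-up. The `users.groups.keys.members = [ "forgejo" ];` line does not appear to help, since agenix's default group is derived from the owner rather than `keys`; it looks like a leftover from the previous `/var/lib/forgejo/data/keys` scheme and could be dropped. Declaring the email secret the same way as the database one, e.g. `age.secrets.forgejo-email-password = { file = ../../secrets/forgejo-email-password.age; owner = "forgejo"; group = "forgejo"; mode = "440"; };`, would make the two consistent.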
diff --git a/secrets/forgejo-database-password.age b/secrets/forgejo-database-password.age
new file mode 100644
index 0000000000000000000000000000000000000000..435d5a0de67d5e1b16912d305f31fdaefbc74f84
GIT binary patch
literal 337
zcmZ9_Jx+sA007`_CQK&AI5sM_Rj?w$Mu8SueDnc*K>b-9dH~}M zJcPTq&{-2t;HtA1_&#?QFah$?YMDm~I!e-6lK_f2rL!z#0-qHGAkhGtJ#5e|l)6Pu zI>r^WAhE{E2+m4n3I+vO6tW)Wwh*gYNqE+zxRz;WimJGNA(L42+ey&7T9s2g8CE8? zrL@rhplAZ)?EltxS)p6dX*=w&0;jk8ZqqU~NsiX?I^={omi!e#y~cE+mOKi>3!V~h z799^)3o&#C{P22eYh-22yIFYNg$?8@-pCvAGN{VXq!@;wO~)re<_;WBRLzEt^s%#a z9dKr3Vvge$4gi;EP9;ZbLgBr-3STzM>K5(ZJ?~J~cmM74^5^(tyM8FuHV?He2A;e= My;}#?{nz9EFXjDkxc~qF literal 0 HcmV?d00001
diff --git a/secrets/forgejo-email-password.age b/secrets/forgejo-email-password.age
new file mode 100644
index 0000000..9de91e3
--- /dev/null
+++ b/secrets/forgejo-email-password.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 1MUEqQ Y+wylE1yiRBPh5aX3LNeX7/5YQ/EfPOplCBmIoR69yA
+Vfvi1DZo927okyWLcfoVhVOada5bVdgcLXWzroIycGU
+-> ssh-ed25519 Fa25Dw PFDPqt30lbvvf1Mu/AVMKfv/XyC2fIfnpvKrmyjDiRw
+S9Qn+jNMpS4T5OlTIq0SFMTyKlq4Sz7ADdtKDuQoGB4
+--- 8/wxDtoP6ZfHqvQS8ld264jPEunSzbFP7Yqy664fyQ0
+~Cs%}+ xΥNX^ +s$bbٝN
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3ef18c8..54a86bc 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -18,6 +18,7 @@ let
 ## Machines in this list MAY be mentioned later on as able to decrypt some of
 ## the encrypted `.age` files.
+ vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr";
 vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
 vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";
@@ -36,6 +37,8 @@ concatMapAttrs
 ## are able to decrypt them.
 {
+ forgejo-database-password = [ vm02116 ];
+ forgejo-email-password = [ vm02116 ];
 forgejo-runner-token = [
 vm02179
 vm02186