Handle Forgejo's secrets cleanly

Nicolas Jeannerod 2024-12-11 13:27:37 +01:00
parent 32378d917d
commit 36b5351f0a
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
5 changed files with 26 additions and 4 deletions


@ -17,7 +17,10 @@
}; };
nixpkgs = inputs.nixpkgs; nixpkgs = inputs.nixpkgs;
nixos.module = { nixos.module = {
imports = [ ./vm02116 ]; imports = [
./vm02116
inputs.agenix.nixosModules.default
];
}; };
}; };


@ -1,4 +1,4 @@
{ pkgs, ... }: { config, pkgs, ... }:
let let
domain = "git.fediversity.eu"; domain = "git.fediversity.eu";
in in
@ -27,15 +27,23 @@ in
FROM = "git@fediversity.eu"; FROM = "git@fediversity.eu";
USER = "git@fediversity.eu"; USER = "git@fediversity.eu";
}; };
secrets.mailer.PASSWD = "/var/lib/forgejo/data/keys/forgejo-mailpw"; secrets.mailer.PASSWD = config.age.secrets.forgejo-email-password.path;
database = { database = {
type = "mysql"; type = "mysql";
socket = "/run/mysqld/mysqld.sock"; socket = "/run/mysqld/mysqld.sock";
passwordFile = "/var/lib/forgejo/data/keys/forgejo-dbpassword"; passwordFile = config.age.secrets.forgejo-database-password.path;
}; };
}; };
age.secrets.forgejo-database-password = {
file = ../../secrets/forgejo-database-password.age;
owner = "forgejo";
group = "forgejo";
mode = "440";
};
age.secrets.forgejo-email-password.file = ../../secrets/forgejo-email-password.age;
users.groups.keys.members = [ "forgejo" ]; users.groups.keys.members = [ "forgejo" ];
services.mysql = { services.mysql = {
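Review bot: The new `age.secrets.forgejo-email-password.file = …;` line sets only the source file, so the decrypted mailer password is left with agenix's default owner and mode (root-owned and owner-only readable, if I recall the module defaults correctly), whereas the database password directly above is deliberately given `owner = "forgejo"; group = "forgejo"; mode = "440";` because the Forgejo service that reads these paths runs as `forgejo`. Since `secrets.mailer.PASSWD` now points at that same agenix path, the service will presumably fail to read it unless something outside this hunk grants access; the consistent fix is `age.secrets.forgejo-email-password = { file = ../../secrets/forgejo-email-password.age; owner = "forgejo"; group = "forgejo"; mode = "440"; };`. The retained `users.groups.keys.members = [ "forgejo" ];` line looks like a leftover from the previous key-delivery mechanism now that both paths come from agenix — worth confirming whether anything still relies on it. The enclosing attribute set continues outside the hunk.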

Binary file not shown.


@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 1MUEqQ Y+wylE1yiRBPh5aX3LNeX7/5YQ/EfPOplCBmIoR69yA
Vfvi1DZo927okyWLcfoVhVOada5bVdgcLXWzroIycGU
-> ssh-ed25519 Fa25Dw PFDPqt30lbvvf1Mu/AVMKfv/XyC2fIfnpvKrmyjDiRw
S9Qn+jNMpS4T5OlTIq0SFMTyKlq4Sz7ADdtKDuQoGB4
--- 8/wxDtoP6ZfHqvQS8ld264jPEunSzbFP7Yqy664fyQ0
<>õCÉs±<73>%}+Õ xÎ¥NX¤^‚Ø»ÞË
s<EFBFBD>$bÝbæÙ<C3A6>ò€õ©N


@ -18,6 +18,7 @@ let
## Machines in this list MAY be mentioned later on as able to decrypt some of ## Machines in this list MAY be mentioned later on as able to decrypt some of
## the encrypted `.age` files. ## the encrypted `.age` files.
vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr";
vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM"; vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW"; vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";
@ -36,6 +37,8 @@ concatMapAttrs
## are able to decrypt them. ## are able to decrypt them.
{ {
forgejo-database-password = [ vm02116 ];
forgejo-email-password = [ vm02116 ];
forgejo-runner-token = [ forgejo-runner-token = [
vm02179 vm02179
vm02186 vm02186