From 09ea1acdbe1c71022e898b8f0e3c09e22f6ef2e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
Date: Wed, 12 Feb 2025 18:35:08 +0100
Subject: [PATCH] Full resource for `forgejo-ci`

---
 infra/forgejo-ci/flake-part.nix | 38 +++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)

diff --git a/infra/forgejo-ci/flake-part.nix b/infra/forgejo-ci/flake-part.nix
index 4efed0f0..2c6b72b8 100644
--- a/infra/forgejo-ci/flake-part.nix
+++ b/infra/forgejo-ci/flake-part.nix
@@ -1,5 +1,20 @@
-{ inputs, ... }:
+{ lib, inputs, ... }:
+## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
+## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
+## should be integrated with the code for other machines (in particular VMs).
+
+let
+  inherit (lib) attrValues elem;
+  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
+  inherit (lib.strings) removeSuffix;
+  secretsPrefix = ../../secrets;
+  secrets = import (secretsPrefix + "/secrets.nix");
+  keys = import ../../keys;
+  hostPublicKey = keys.systems.forgejo-ci;
+
+in
 {
   nixops4Deployments.forgejo-ci =
     { providers, ... }:
@@ -12,12 +27,27 @@
       ssh = {
         host = "45.142.234.216";
-        opts = "-J orianne";
-        hostPublicKey = (import ../../keys).systems.forgejo-ci;
+        opts = "-J orianne"; # FIXME
+        hostPublicKey = hostPublicKey;
       };
       nixpkgs = inputs.nixpkgs;
-      nixos.module = import ./configuration.nix;
+
+      nixos.module = {
+        imports = [
+          inputs.agenix.nixosModules.default
+          ./configuration.nix
+        ];
+
+        age.secrets = concatMapAttrs (
+          name: secret:
+          optionalAttrs (elem hostPublicKey secret.publicKeys) ({
+            ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+          })
+        ) secrets;
+
+        users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+      };
     };
   };
 }
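Review bot: In the second hunk, `users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;` gives every key in `keys.contributors` direct root SSH login on the CI host, which is noticeably broader than the per-host filtering the `age.secrets` block just above applies via `elem hostPublicKey secret.publicKeys`; if this deliberately mirrors `../common/resource.nix`, a one-line comment saying so would make the intent auditable, otherwise consider scoping it to the contributors who actually administer CI. The `# FIXME` on `opts = "-J orianne";` names no problem; state what is to be fixed, e.g. `# FIXME: jump host needed until the CI machine is reachable directly`. The `age.secrets` mapping presumably assumes every attribute in `secrets.nix` carries a `publicKeys` list, since a non-conforming entry would fail evaluation — worth a short comment or an `optionalAttrs (secret ? publicKeys && …)` guard if that file holds anything else. Minor style: `hostPublicKey = hostPublicKey;` can be written `inherit hostPublicKey;`. The `{ providers, ... }:` function whose body this hunk edits begins before the hunk.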