Handle Forgejo's secrets cleanly

2024-12-11 13:27:37 +01:00 · 2024-12-11 13:27:37 +01:00 · 36b5351f0a
commit 36b5351f0a
parent 32378d917d
5 changed files with 26 additions and 4 deletions
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -17,7 +17,10 @@
          };
          nixpkgs = inputs.nixpkgs;
          nixos.module = {
-            imports = [ ./vm02116 ];
+            imports = [
+              ./vm02116
+              inputs.agenix.nixosModules.default
+            ];
          };
        };

--- a/infra/vm02116/forgejo.nix
+++ b/infra/vm02116/forgejo.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 let
  domain = "git.fediversity.eu";
 in
@ -27,15 +27,23 @@ in
      FROM = "git@fediversity.eu";
      USER = "git@fediversity.eu";
    };
-    secrets.mailer.PASSWD = "/var/lib/forgejo/data/keys/forgejo-mailpw";
+    secrets.mailer.PASSWD = config.age.secrets.forgejo-email-password.path;

    database = {
      type = "mysql";
      socket = "/run/mysqld/mysqld.sock";
-      passwordFile = "/var/lib/forgejo/data/keys/forgejo-dbpassword";
+      passwordFile = config.age.secrets.forgejo-database-password.path;
    };
  };

+  age.secrets.forgejo-database-password = {
+    file = ../../secrets/forgejo-database-password.age;
+    owner = "forgejo";
+    group = "forgejo";
+    mode = "440";
+  };
+  age.secrets.forgejo-email-password.file = ../../secrets/forgejo-email-password.age;
+
  users.groups.keys.members = [ "forgejo" ];

  services.mysql = {
--- a/secrets/forgejo-database-password.age
+++ b/secrets/forgejo-database-password.age
--- a/secrets/forgejo-email-password.age
+++ b/secrets/forgejo-email-password.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 1MUEqQ Y+wylE1yiRBPh5aX3LNeX7/5YQ/EfPOplCBmIoR69yA
+Vfvi1DZo927okyWLcfoVhVOada5bVdgcLXWzroIycGU
+-> ssh-ed25519 Fa25Dw PFDPqt30lbvvf1Mu/AVMKfv/XyC2fIfnpvKrmyjDiRw
+S9Qn+jNMpS4T5OlTIq0SFMTyKlq4Sz7ADdtKDuQoGB4
+--- 8/wxDtoP6ZfHqvQS8ld264jPEunSzbFP7Yqy664fyQ0
+~ó<>õCÉs±<73>%}+Õ	xÎ¥NX¤^‚Ø»ÞË
+s<EFBFBD>$bÝbæÙ<C3A6>ò€õ©‘N
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -18,6 +18,7 @@ let
  ## Machines in this list MAY be mentioned later on as able to decrypt some of
  ## the encrypted `.age` files.

+  vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr";
  vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
  vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";

@ -36,6 +37,8 @@ concatMapAttrs
  ## are able to decrypt them.

  {
+    forgejo-database-password = [ vm02116 ];
+    forgejo-email-password = [ vm02116 ];
    forgejo-runner-token = [
      vm02179
      vm02186