diff --git a/modules/base/secrets.nix b/modules/base/secrets.nix index 6699d79..429d96e 100644 --- a/modules/base/secrets.nix +++ b/modules/base/secrets.nix @@ -6,7 +6,7 @@ }: let inherit (lib) mkEnableOption mkIf; cfg = config.horseman.base.secrets; - secretFile = path: ../../secrets/${path}; + secretFile = path: ../../secrets/${path}.age; username = config.horseman.username; in { options = { @@ -19,38 +19,45 @@ in { environment.systemPackages = [pkgs.ragenix]; age.secrets = { - wifi.file = secretFile "wifi.age"; + wifi.file = secretFile "wifi"; personalSSHpub = { - file = secretFile "ssh/id_personal.pub.age"; + file = secretFile "ssh/id_personal.pub"; owner = username; group = "users"; - path = "/home/horseman/.ssh/id_ed25519.pub"; + path = "/home/${username}/.ssh/id_ed25519.pub"; }; personalSSH = { - file = secretFile "ssh/id_personal.age"; + file = secretFile "ssh/id_personal"; owner = username; group = "users"; - path = "/home/horseman/.ssh/id_ed25519"; + path = "/home/${username}/.ssh/id_ed25519"; }; githubSSHpub = { - file = secretFile "ssh/id_github.pub.age"; + file = secretFile "ssh/id_github.pub"; owner = username; group = "users"; - path = "/home/horseman/.ssh/id_github.pub"; + path = "/home/${username}/.ssh/id_github.pub"; }; githubSSH = { - file = secretFile "ssh/id_github.age"; + file = secretFile "ssh/id_github"; owner = username; group = "users"; - path = "/home/horseman/.ssh/id_github"; + path = "/home/${username}/.ssh/id_github"; }; sshConfig = { - file = secretFile "ssh/config.age"; + file = secretFile "ssh/config"; owner = username; group = "users"; - path = "/home/horseman/.ssh/config"; + path = "/home/${username}/.ssh/config"; + }; + + forgejo-secret = { + file = secretFile "containers/forgejo-secret"; + path = "/run/forgejo-secrets/secret"; + symlink = false; + mode = "444"; }; }; }; diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix index a54522f..bc7333b 100644 --- a/modules/containers/forgejo.nix 
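Review bot: `mode = "444"` on the new `forgejo-secret` entry makes the decrypted runner registration token readable by every local account on the host at `/run/forgejo-secrets/secret`, and, through the read-only bind mounts added in forgejo.nix, by every process in both containers. No `owner`/`group` is set, so the file is presumably root-owned with world read as the only way for the in-container services to reach it. The Forgejo side reads it as `forgejo` (its `serviceConfig.User` is visible) and the runner side presumably as `runner`, so an `owner`/`group` matching those uids (NixOS containers share the host uid space unless private user namespaces are enabled) with `mode = "440"` would confine the token to its two consumers. If the broad mode has to stay, a comment on the entry should say why, e.g. `# world-readable: read inside the containers by the unprivileged forgejo/runner users`.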
+++ b/modules/containers/forgejo.nix @@ -13,10 +13,8 @@ HTTP_PORT = 3000; SSH_PORT = 34916; INSTANCE_URL = "http://local.git.server:3000"; - SECRET = "7c31591e8b67225a116d4a4519ea8e507e08f71f"; # TODO REMOVE - DATA_DIR = "/home/${username}/backups/volumes/forgejo"; + DATA_DIR = "/home/${username}/backups/volumes/forgejo"; BACKUP_FILE = "/home/${username}/backups/forgejo.tar"; - in { options = { horseman.containers.forgejo = { @@ -27,7 +25,6 @@ in { config = mkIf cfg.enable { networking.extraHosts = "192.168.100.3 local.git.server"; - systemd.timers."backup-forgejo" = { wantedBy = ["timers.target"]; timerConfig = { @@ -36,7 +33,7 @@ in { }; }; - environment.systemPackages = [ pkgs.gnutar ]; + environment.systemPackages = [pkgs.gnutar]; systemd.services."backup-forgejo" = { script = '' ${pkgs.gnutar} -cf ${BACKUP_FILE} ${DATA_DIR} @@ -52,6 +49,13 @@ in { hostAddress = "172.16.0.2"; localAddress = "192.168.100.2"; + bindMounts = { + "/var/lib/secrets" = { + hostPath = "/run/forgejo-secrets"; + isReadOnly = true; + }; + }; + config = { config, pkgs, @@ -76,7 +80,7 @@ in { systemd.services.startup = { script = '' cd ${config.users.users.runner.home} - ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret ${SECRET} --name runner + ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret $(cat /var/lib/secrets/secret) --name runner sleep 10 ${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile} ''; @@ -99,6 +103,11 @@ in { hostPath = DATA_DIR; isReadOnly = false; }; + + "/var/lib/secrets" = { + hostPath = "/run/forgejo-secrets"; + isReadOnly = true; + }; }; config = { 
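Review bot: The runner token removed here (`SECRET = "7c31591e8b67225a116d4a4519ea8e507e08f71f"; # TODO REMOVE`) remains recoverable from git history, so moving it into the age-encrypted file only hides it from the working tree. The value should be treated as compromised: regenerate the registration token on the Forgejo instance, encrypt the new one into `secrets/containers/forgejo-secret.age`, and invalidate the old one. A one-line note in the commit message or in this module (`# token rotated after removal from source; old value is in history`) would record that this was done.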
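Review bot: In the runner `startup` script the token is injected with an unquoted `$(cat /var/lib/secrets/secret)`; if the bind-mounted file is missing or unreadable the substitution expands to an empty string and `create-runner-file` runs with an empty `--secret` instead of failing, because a non-zero status inside a command substitution does not abort the script even under `set -e`, and a trailing newline or space would be word-split. Read it into a variable first so a read failure stops the service, `secret=$(cat /var/lib/secrets/secret)` on its own line, then `--secret "$secret"` on the command. The same pattern appears in the `forgejo-cli actions register` hunk further down and should be changed the same way. In either form the token is visible in the process argument list for the duration of the command, which is worth a comment if no file-based option exists. The enclosing `systemd.services.startup` block continues outside the hunk.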
@@ -130,7 +139,7 @@ in { systemd.services.startup = { script = '' cd ${config.users.users.forgejo.home} - ${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret ${SECRET} --config ${config.services.forgejo.stateDir}/custom/conf/app.ini + ${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret $(cat /var/lib/secrets/secret) --config ${config.services.forgejo.stateDir}/custom/conf/app.ini ''; serviceConfig.User = "forgejo"; wantedBy = ["multi-user.target"]; diff --git a/secrets.nix b/secrets.nix index 52a7f5c..edb111b 100644 --- a/secrets.nix +++ b/secrets.nix @@ -17,6 +17,7 @@ let "ssh/id_github" "ssh/id_github.pub" "ssh/config" + "containers/forgejo-secret" ]; attrs = map (secret: {"secrets/${secret}.age".publicKeys = all;}) secrets; in diff --git a/secrets/containers/forgejo-secret.age b/secrets/containers/forgejo-secret.age new file mode 100644 index 0000000..ce8bab1 --- /dev/null +++ b/secrets/containers/forgejo-secret.age 
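Review bot: The new `"containers/forgejo-secret"` entry is added to the list that `attrs` maps with `publicKeys = all`, so the runner token is encrypted to every key in `all`, not just to the host that runs the Forgejo containers; the contents of `all` are outside the hunk, but if it spans several hosts each of them can decrypt a token only one of them needs. Scoping this entry to the container host's key (or a dedicated recipient list) would keep the blast radius of any other host's key to its own secrets. A short comment above the list noting which hosts actually consume each entry, e.g. `# containers/forgejo-secret: needed only on the host running the forgejo containers`, would make the intended scope reviewable.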
@@ -0,0 +1,19 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9tczZkdyAvNG9K +UEttaC8zNHlPVDJFT1NoOHBBKzduaThIcFR3TkdvZVF3UVFBSFhvClpLZGw0RmVp +cm1JRkNwL2RKN0lKRlEyb25YeUpjSWx0WXorNWZIa2ZHMzgKLT4gc3NoLWVkMjU1 +MTkgZ1BJZFpBIEUyeGlybExFS3dPWXZOdk41TG9GYWQzajFPeVh3MjBlcjQ2b3Bn +NkRiRXcKSzdORWN3NC9IQ2JCRTF3UVRRc1k4eW5uQ2tMZXo0UEczWk1IS3BDbEV4 +UQotPiBzc2gtZWQyNTUxOSBXeUlGekEgR0hhQitRZ2haZExXeVNlV0pBY0JkWTY0 +S05PMnNmdVh5QUUyVmhjK1psNApMVWtDR0ZUNjBHNHdUbDVEdFI3SkU3TnhtbHN4 +L3hiYnlYdmx5L2VmU3NBCi0+IHNzaC1lZDI1NTE5IGRiT2VoQSBpK2h2YlFCTk9a +Z21YZS9tQk9iUDdCQmpYNE9RK0k1SGtCbzhDdG9wVUFrCmlrNjBRQk9lWHVRRHVJ +dnFsSmJsTmNnaFA3MUorYkFGTklkWk94TUk3dHMKLT4gc3NoLWVkMjU1MTkgdHYv +Q3pnIGRUb21iKzlKY3hzcUhqaEZlK2EraEFQTmN0Nm5SZ05jdG1ia0xlN2NoelkK +d0R5Z0sxa0VDMy9aUTFJSS9jRmdDOGk5ZWVVVjIwdzJ4MUI3clR2bVE5SQotPiBi +NlJDOTpCWS1ncmVhc2UKR25PbzYrN2JsTXZwbXV5Z0NuUTZ0b2dTdU11Rlh6cmFL +cDlVOUUxNFd3VWg2V1ltU1N5dXZBWVM5UGI4d3cKLS0tIC9qQ0ZZUnVQRkc5dHRX +L0xpOTFxRk4xdTRCdUEwclU1dzB5RkVZbFRVZlUKhXXapogUWYhZ+Baie7Alcv7Z +hnMTGD+Wti8VhvHOmwS+z66mpbidJdNwcoiGOpeCfIJyKbQehQrzsI0wWbqjyA50 +PKWqT6dq3w== +-----END AGE ENCRYPTED FILE-----