Foregejo containers fully operational

modules/base/secrets.nix

@@ -6,7 +6,7 @@
 }: let
   inherit (lib) mkEnableOption mkIf;
   cfg = config.horseman.base.secrets;
-  secretFile = path: ../../secrets/${path};
+  secretFile = path: ../../secrets/${path}.age;
   username = config.horseman.username;
 in {
   options = {
@@ -19,38 +19,45 @@ in {
     environment.systemPackages = [pkgs.ragenix];
 
     age.secrets = {
-      wifi.file = secretFile "wifi.age";
+      wifi.file = secretFile "wifi";
 
       personalSSHpub = {
-        file = secretFile "ssh/id_personal.pub.age";
+        file = secretFile "ssh/id_personal.pub";
         owner = username;
         group = "users";
-        path = "/home/horseman/.ssh/id_ed25519.pub";
+        path = "/home/${username}/.ssh/id_ed25519.pub";
       };
       personalSSH = {
-        file = secretFile "ssh/id_personal.age";
+        file = secretFile "ssh/id_personal";
         owner = username;
         group = "users";
-        path = "/home/horseman/.ssh/id_ed25519";
+        path = "/home/${username}/.ssh/id_ed25519";
       };
       githubSSHpub = {
-        file = secretFile "ssh/id_github.pub.age";
+        file = secretFile "ssh/id_github.pub";
         owner = username;
         group = "users";
-        path = "/home/horseman/.ssh/id_github.pub";
+        path = "/home/${username}/.ssh/id_github.pub";
       };
       githubSSH = {
-        file = secretFile "ssh/id_github.age";
+        file = secretFile "ssh/id_github";
         owner = username;
         group = "users";
-        path = "/home/horseman/.ssh/id_github";
+        path = "/home/${username}/.ssh/id_github";
       };
 
       sshConfig = {
-        file = secretFile "ssh/config.age";
+        file = secretFile "ssh/config";
         owner = username;
         group = "users";
-        path = "/home/horseman/.ssh/config";
+        path = "/home/${username}/.ssh/config";
+      };
+
+      forgejo-secret = {
+        file = secretFile "containers/forgejo-secret";
+        path = "/run/forgejo-secrets/secret";
+        symlink = false;
+        mode = "444";
       };
     };
   };

modules/containers/forgejo.nix

@@ -13,10 +13,8 @@
   HTTP_PORT = 3000;
   SSH_PORT = 34916;
   INSTANCE_URL = "http://local.git.server:3000";
-  SECRET = "7c31591e8b67225a116d4a4519ea8e507e08f71f"; # TODO REMOVE
   DATA_DIR = "/home/${username}/backups/volumes/forgejo";
   BACKUP_FILE = "/home/${username}/backups/forgejo.tar";
-
 in {
   options = {
     horseman.containers.forgejo = {
@@ -27,7 +25,6 @@ in {
   config = mkIf cfg.enable {
     networking.extraHosts = "192.168.100.3 local.git.server";
 
-    
     systemd.timers."backup-forgejo" = {
       wantedBy = ["timers.target"];
       timerConfig = {
@@ -52,6 +49,13 @@ in {
       hostAddress = "172.16.0.2";
       localAddress = "192.168.100.2";
 
+      bindMounts = {
+        "/var/lib/secrets" = {
+          hostPath = "/run/forgejo-secrets";
+          isReadOnly = true;
+        };
+      };
+
       config = {
         config,
         pkgs,
@@ -76,7 +80,7 @@ in {
         systemd.services.startup = {
           script = ''
             cd ${config.users.users.runner.home}
-            ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret ${SECRET} --name runner
+            ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret $(cat /var/lib/secrets/secret) --name runner
             sleep 10
             ${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile}
           '';
@@ -99,6 +103,11 @@ in {
           hostPath = DATA_DIR;
           isReadOnly = false;
         };
+
+        "/var/lib/secrets" = {
+          hostPath = "/run/forgejo-secrets";
+          isReadOnly = true;
+        };
       };
 
       config = {
@@ -130,7 +139,7 @@ in {
         systemd.services.startup = {
           script = ''
             cd ${config.users.users.forgejo.home}
-            ${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret ${SECRET} --config ${config.services.forgejo.stateDir}/custom/conf/app.ini
+            ${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret $(cat /var/lib/secrets/secret) --config ${config.services.forgejo.stateDir}/custom/conf/app.ini
           '';
           serviceConfig.User = "forgejo";
           wantedBy = ["multi-user.target"];

secrets.nix

@@ -17,6 +17,7 @@ let
     "ssh/id_github"
     "ssh/id_github.pub"
     "ssh/config"
+    "containers/forgejo-secret"
   ];
   attrs = map (secret: {"secrets/${secret}.age".publicKeys = all;}) secrets;
 in

secrets/containers/forgejo-secret.age

@@ -0,0 +1,19 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9tczZkdyAvNG9K
+UEttaC8zNHlPVDJFT1NoOHBBKzduaThIcFR3TkdvZVF3UVFBSFhvClpLZGw0RmVp
+cm1JRkNwL2RKN0lKRlEyb25YeUpjSWx0WXorNWZIa2ZHMzgKLT4gc3NoLWVkMjU1
+MTkgZ1BJZFpBIEUyeGlybExFS3dPWXZOdk41TG9GYWQzajFPeVh3MjBlcjQ2b3Bn
+NkRiRXcKSzdORWN3NC9IQ2JCRTF3UVRRc1k4eW5uQ2tMZXo0UEczWk1IS3BDbEV4
+UQotPiBzc2gtZWQyNTUxOSBXeUlGekEgR0hhQitRZ2haZExXeVNlV0pBY0JkWTY0
+S05PMnNmdVh5QUUyVmhjK1psNApMVWtDR0ZUNjBHNHdUbDVEdFI3SkU3TnhtbHN4
+L3hiYnlYdmx5L2VmU3NBCi0+IHNzaC1lZDI1NTE5IGRiT2VoQSBpK2h2YlFCTk9a
+Z21YZS9tQk9iUDdCQmpYNE9RK0k1SGtCbzhDdG9wVUFrCmlrNjBRQk9lWHVRRHVJ
+dnFsSmJsTmNnaFA3MUorYkFGTklkWk94TUk3dHMKLT4gc3NoLWVkMjU1MTkgdHYv
+Q3pnIGRUb21iKzlKY3hzcUhqaEZlK2EraEFQTmN0Nm5SZ05jdG1ia0xlN2NoelkK
+d0R5Z0sxa0VDMy9aUTFJSS9jRmdDOGk5ZWVVVjIwdzJ4MUI3clR2bVE5SQotPiBi
+NlJDOTpCWS1ncmVhc2UKR25PbzYrN2JsTXZwbXV5Z0NuUTZ0b2dTdU11Rlh6cmFL
+cDlVOUUxNFd3VWg2V1ltU1N5dXZBWVM5UGI4d3cKLS0tIC9qQ0ZZUnVQRkc5dHRX
+L0xpOTFxRk4xdTRCdUEwclU1dzB5RkVZbFRVZlUKhXXapogUWYhZ+Baie7Alcv7Z
+hnMTGD+Wti8VhvHOmwS+z66mpbidJdNwcoiGOpeCfIJyKbQehQrzsI0wWbqjyA50
+PKWqT6dq3w==
+-----END AGE ENCRYPTED FILE-----