Foregejo containers fully operational

KoenDR06 2025-12-25 13:11:54 +01:00
parent 2de1a62d2f
commit f1b3559434
4 changed files with 55 additions and 19 deletions


@ -6,7 +6,7 @@
}: let
inherit (lib) mkEnableOption mkIf;
cfg = config.horseman.base.secrets;
secretFile = path: ../../secrets/${path};
secretFile = path: ../../secrets/${path}.age;
username = config.horseman.username;
in {
options = {
@ -19,38 +19,45 @@ in {
environment.systemPackages = [pkgs.ragenix];
age.secrets = {
wifi.file = secretFile "wifi.age";
wifi.file = secretFile "wifi";
personalSSHpub = {
file = secretFile "ssh/id_personal.pub.age";
file = secretFile "ssh/id_personal.pub";
owner = username;
group = "users";
path = "/home/horseman/.ssh/id_ed25519.pub";
path = "/home/${username}/.ssh/id_ed25519.pub";
};
personalSSH = {
file = secretFile "ssh/id_personal.age";
file = secretFile "ssh/id_personal";
owner = username;
group = "users";
path = "/home/horseman/.ssh/id_ed25519";
path = "/home/${username}/.ssh/id_ed25519";
};
githubSSHpub = {
file = secretFile "ssh/id_github.pub.age";
file = secretFile "ssh/id_github.pub";
owner = username;
group = "users";
path = "/home/horseman/.ssh/id_github.pub";
path = "/home/${username}/.ssh/id_github.pub";
};
githubSSH = {
file = secretFile "ssh/id_github.age";
file = secretFile "ssh/id_github";
owner = username;
group = "users";
path = "/home/horseman/.ssh/id_github";
path = "/home/${username}/.ssh/id_github";
};
sshConfig = {
file = secretFile "ssh/config.age";
file = secretFile "ssh/config";
owner = username;
group = "users";
path = "/home/horseman/.ssh/config";
path = "/home/${username}/.ssh/config";
};
forgejo-secret = {
file = secretFile "containers/forgejo-secret";
path = "/run/forgejo-secrets/secret";
symlink = false;
mode = "444";
};
};
};
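Review bot: The new `forgejo-secret` entry at the end of the second hunk is decrypted with `mode = "444"` and no `owner`/`group`, so the runner registration secret becomes readable by every local account on the host, not only by the container it is bind-mounted into. If the container shares the host's uid/gid space, a group that exists on both sides with an explicit `group = "<shared-group>";` and `mode = "440";` gives the container users the same read access without the world-readable bit; whether the ids line up across the container boundary is not visible here. `symlink = false` is the right choice for a path that is bind-mounted, since the mount needs the real file rather than a link into the agenix store. The enclosing `age.secrets` attribute set continues past the hunk.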


@ -13,10 +13,8 @@
HTTP_PORT = 3000;
SSH_PORT = 34916;
INSTANCE_URL = "http://local.git.server:3000";
SECRET = "7c31591e8b67225a116d4a4519ea8e507e08f71f"; # TODO REMOVE
DATA_DIR = "/home/${username}/backups/volumes/forgejo";
BACKUP_FILE = "/home/${username}/backups/forgejo.tar";
in {
options = {
horseman.containers.forgejo = {
@ -27,7 +25,6 @@ in {
config = mkIf cfg.enable {
networking.extraHosts = "192.168.100.3 local.git.server";
systemd.timers."backup-forgejo" = {
wantedBy = ["timers.target"];
timerConfig = {
@ -52,6 +49,13 @@ in {
hostAddress = "172.16.0.2";
localAddress = "192.168.100.2";
bindMounts = {
"/var/lib/secrets" = {
hostPath = "/run/forgejo-secrets";
isReadOnly = true;
};
};
config = {
config,
pkgs,
@ -76,7 +80,7 @@ in {
systemd.services.startup = {
script = ''
cd ${config.users.users.runner.home}
${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret ${SECRET} --name runner
${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret $(cat /var/lib/secrets/secret) --name runner
sleep 10
${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile}
'';
@ -99,6 +103,11 @@ in {
hostPath = DATA_DIR;
isReadOnly = false;
};
"/var/lib/secrets" = {
hostPath = "/run/forgejo-secrets";
isReadOnly = true;
};
};
config = {
@ -130,7 +139,7 @@ in {
systemd.services.startup = {
script = ''
cd ${config.users.users.forgejo.home}
${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret ${SECRET} --config ${config.services.forgejo.stateDir}/custom/conf/app.ini
${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret $(cat /var/lib/secrets/secret) --config ${config.services.forgejo.stateDir}/custom/conf/app.ini
'';
serviceConfig.User = "forgejo";
wantedBy = ["multi-user.target"];
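Review bot: The plaintext value removed at the top of the section was committed in the parent and still sits in git history, so unless the new age-encrypted file holds a freshly generated secret, the runner registration secret should be rotated on the Forgejo instance and re-encrypted; moving the old value into agenix does not undo its earlier exposure. In both startup scripts the secret is read with `$(cat /var/lib/secrets/secret)` into `--secret`, which places it on the command line of `forgejo-runner` and `forgejo-cli`, visible to any process in that container through the process list for the duration of the call; if either tool accepts the secret from a file or an environment variable that is preferable, and worth checking. If `/var/lib/secrets/secret` is missing or empty, the substitution silently yields an empty string and registration proceeds with it, so a guard such as `test -s /var/lib/secrets/secret` before each call would fail loudly instead. Both `systemd.services.startup` definitions continue outside their hunks.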


@ -17,6 +17,7 @@ let
"ssh/id_github"
"ssh/id_github.pub"
"ssh/config"
"containers/forgejo-secret"
];
attrs = map (secret: {"secrets/${secret}.age".publicKeys = all;}) secrets;
in
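Review bot: `containers/forgejo-secret` is added to the list that `attrs` encrypts to `all`, so every key in that set can decrypt the runner registration secret, although presumably only the host running the Forgejo containers needs it. If `all` spans more than that host, giving this entry its own `publicKeys` limited to that host's key, rather than routing it through the shared map, would keep a compromise of any other host's key from reaching a secret it never uses. The `let` block and the definition of `all` lie outside the hunk.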


@ -0,0 +1,19 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----