Move ci to sops-nix

2025-06-21 16:17:12 +03:00 · 2025-06-21 16:17:12 +03:00 · 66b8b64e2b
commit 66b8b64e2b
parent 92dd291700
4 changed files with 43 additions and 4 deletions
--- a/servers/forgejo-runner.nix
+++ b/servers/forgejo-runner.nix
@ -1,5 +1,10 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
+  sops.secrets.forgejo-token = {
+    sopsFile = ../secrets/ci.yaml;
+    restartUnits = [ "gitea-runner-forgejo.sinerva.eu.service" ];
+  };
+
  networking.firewall.trustedInterfaces = [ "br-+" ];

  services.gitea-actions-runner = {
@ -8,7 +13,7 @@
      enable = true;
      name = "ci.sinerva.eu";
      url = "https://forgejo.sinerva.eu";
-      tokenFile = "/persist/secrets/forgejo_token";
+      tokenFile = config.sops.secrets.forgejo-token.path;
      labels = [
        "ubuntu-24.04-lts:docker://ubuntu:24.04"
        "ubuntu-22.04:docker://node:24-bullseye"
--- a/servers/hydra.nix
+++ b/servers/hydra.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 let
  hydra_domain = "ci.sinerva.eu";
  cache_domain = "cache.sinerva.eu";
@ -9,6 +9,8 @@ in
    ./utils/acme-http-client.nix
  ];

+  sops.secrets.priv-cache-key.sopsFile = ../secrets/ci.yaml;
+
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  services = {
@ -30,7 +32,7 @@ in
      enable = true;
      bindAddress = "127.0.0.2";
      port = 8081;
-      secretKeyFile = "/persist/secrets/priv_cache_key";
+      secretKeyFile = config.sops.secrets.priv-cache-key.path;
    };

    nginx.virtualHosts = {