Move ci to sops-nix

This commit is contained in:
Vili Sinervä 2025-06-21 16:17:12 +03:00
parent 92dd291700
commit 66b8b64e2b
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
4 changed files with 43 additions and 4 deletions


@ -1,5 +1,10 @@
{ pkgs, ... }:
{ config, pkgs, ... }:
{
sops.secrets.forgejo-token = {
sopsFile = ../secrets/ci.yaml;
restartUnits = [ "gitea-runner-forgejo.sinerva.eu.service" ];
};
networking.firewall.trustedInterfaces = [ "br-+" ];
services.gitea-actions-runner = {
@ -8,7 +13,7 @@
enable = true;
name = "ci.sinerva.eu";
url = "https://forgejo.sinerva.eu";
tokenFile = "/persist/secrets/forgejo_token";
tokenFile = config.sops.secrets.forgejo-token.path;
labels = [
"ubuntu-24.04-lts:docker://ubuntu:24.04"
"ubuntu-22.04:docker://node:24-bullseye"
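Review bot: The new `sops.secrets.forgejo-token` declaration on lines 17-20 sets no `owner`, `group` or `mode`, so the decrypted file gets sops-nix's defaults (root-owned, 0400); that is only safe if the runner unit reads `tokenFile` with root privileges (e.g. via systemd `EnvironmentFile`/`LoadCredential` in the nixpkgs module) rather than from inside a non-root sandbox, so confirm that or set `owner` explicitly. The `restartUnits` entry `gitea-runner-forgejo.sinerva.eu.service` must match the unit name nixpkgs derives from the instance attribute key, not the `name = "ci.sinerva.eu"` field; the instance key and the opening of the `services.gitea-actions-runner` attrset lie outside these hunks. The old plaintext `/persist/secrets/forgejo_token` is no longer referenced but is presumably still on disk, so delete it once the sops-managed path is verified to work, and make sure the value stored in `secrets/ci.yaml` has the same format the old file had (the module's expected `tokenFile` format is not visible here).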


@ -1,4 +1,4 @@
{ lib, ... }:
{ config, lib, ... }:
let
hydra_domain = "ci.sinerva.eu";
cache_domain = "cache.sinerva.eu";
@ -9,6 +9,8 @@ in
./utils/acme-http-client.nix
];
sops.secrets.priv-cache-key.sopsFile = ../secrets/ci.yaml;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
services = {
@ -30,7 +32,7 @@ in
enable = true;
bindAddress = "127.0.0.2";
port = 8081;
secretKeyFile = "/persist/secrets/priv_cache_key";
secretKeyFile = config.sops.secrets.priv-cache-key.path;
};
nginx.virtualHosts = {