Move ci to sops-nix

This commit is contained in:
Vili Sinervä 2025-06-21 16:17:12 +03:00
parent 92dd291700
commit 66b8b64e2b
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
4 changed files with 43 additions and 4 deletions


@ -1,6 +1,7 @@
keys: keys:
- &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp - &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
- &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
- &ci age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4
- &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7 - &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
- &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9 - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
creation_rules: creation_rules:
@ -14,6 +15,11 @@ creation_rules:
- age: - age:
- *vili-bw - *vili-bw
- *helium - *helium
- path_regex: ^secrets/ci.yaml$
key_groups:
- age:
- *vili-bw
- *ci
- path_regex: ^secrets/forgejo.yaml$ - path_regex: ^secrets/forgejo.yaml$
key_groups: key_groups:
- age: - age:
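Review bot: The new rule at `path_regex: ^secrets/ci.yaml$` gives one key group (`*vili-bw` + `*ci`) both secrets that file now carries, the runner token and the binary-cache signing key, so whichever host holds the `ci` age key can decrypt both; that is fine if the Forgejo runner and the cache service live on the same host, but if they are separate machines each should get its own recipient and preferably its own secrets file so that one host's compromise does not expose the other's secret. Nothing in the file records which host `&ci` belongs to; a comment on the anchor line such as `- &ci age18k4… # age key of the CI host (ci.sinerva.eu)` would make future key rotation safer. The file's header is not shown on this page, so its path is inferred from the content.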

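--- /dev/null
+++ b/secrets/ci.yaml
@@ -0,0 +1,26 @@
+forgejo-token: ENC[AES256_GCM,data:g/JB9n2zIt42rrBf5XEwH0A4zzNQO6T8YqyOJE72Ffr8LJM+R4fc1xkIG5Hqlw==,iv:5aAhMQa/6chXodKQBOMiesusvNdwwKsOhXyidnN+hpM=,tag:BJih7G9xEDcLEMB0kByIbQ==,type:str]
+priv-cache-key: ENC[AES256_GCM,data:pNjWmbHypAsUtrktAXDWK67yseSKHAT+Nan0cHO8XFT3ADr5VbFwTZbqIQDGzSsU0P0y5BzhcxzorbK6624esuFzcawn0fKfzLaQWm4CCES4MXC4V1Rt41+7IJOY8nuq4e1Rwn917oyb,iv:7WLtQ1t7ZhQFdmeA3YDwZepq646hPhF9l465Su3WWMc=,tag:Y2k7hXYGMmjZ6g7Dy6Hd8w==,type:str]
+sops:
+age:
+- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Qi82M2JNeEZHSGJHME1w
+Q2FFUnB0d1lMajcvdEJZSVNLdEJkalgxVXhrCk4zRnE5Q3dpVVNJNjNEMmlmZUM4
+TjdCckxwSzdRMUg1Nk5DaDFJNjQ0OGcKLS0tIEdZZEJlSEJ0cm5Qb0g0UHpza2Za
+K08wNDJJSGN2M21Yb2ZERHMvMmJDNjQKEwzdP8D1wTiKX0VHapxE8IODHuyH9laU
+NIz32fJWl1A5w0xE3e1YXVJpjcvQ8nHX5CceSuOorq7IPYbDpaJhDQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YUNQdkd2bzJmM1l2WEJs
+cGd3RTFDbkpLQmxWRFNMRUxLZmdPWmczNzFFCkhJMVY2L3c1VEZpSEFMeHhZZXNQ
+V0txcUZZK2NaRHJIcVBqWHB1R3NDN1kKLS0tIDF5amxqa3JQSS93YzErK0ttdEpu
+ZDdzTEFPUXJlYnJpUndSWEkwNWNMRkkKFl3ebl0NB3c7rmLwuCSUeRKftlljj36u
+WTTHu6QlXkr48ASt9/kvN+09deXu+cX7aXBHsDo7O6cmt9OJFBlwGw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-06-21T13:12:37Z"
+mac: ENC[AES256_GCM,data:ndDoQvRTVZL+xtjkoXathY0Q90kxeN0b9BIDKXVaFkoqdb+jKG3Rv8CcfWXJLBn7P7aUxsLSkyDhxdme9wBqSSWv6BRHu3v1x0ryn0NEhVp+/UYq+05iL+QTmGjJXcFlx1BJP/wSHO4uGSbOg9y6dfzToDqhZsRqRt7Du3fvdxk=,iv:rnf0Dcyo5Pq/42rD3U6vD2Ke2XddrKyG1ah0su8QFFM=,tag:IrsW3rFfMxK1ae5a2yyugg==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.10.2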


@ -1,5 +1,10 @@
{ pkgs, ... }: { config, pkgs, ... }:
{ {
sops.secrets.forgejo-token = {
sopsFile = ../secrets/ci.yaml;
restartUnits = [ "gitea-runner-forgejo.sinerva.eu.service" ];
};
networking.firewall.trustedInterfaces = [ "br-+" ]; networking.firewall.trustedInterfaces = [ "br-+" ];
services.gitea-actions-runner = { services.gitea-actions-runner = {
@ -8,7 +13,7 @@
enable = true; enable = true;
name = "ci.sinerva.eu"; name = "ci.sinerva.eu";
url = "https://forgejo.sinerva.eu"; url = "https://forgejo.sinerva.eu";
tokenFile = "/persist/secrets/forgejo_token"; tokenFile = config.sops.secrets.forgejo-token.path;
labels = [ labels = [
"ubuntu-24.04-lts:docker://ubuntu:24.04" "ubuntu-24.04-lts:docker://ubuntu:24.04"
"ubuntu-22.04:docker://node:24-bullseye" "ubuntu-22.04:docker://node:24-bullseye"
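Review bot: The new `tokenFile = config.sops.secrets.forgejo-token.path` only works if the decrypted secret keeps the format the old `/persist/secrets/forgejo_token` file had: as far as I recall, the NixOS gitea-actions-runner module hands `tokenFile` to systemd as an `EnvironmentFile`, so its content must be a `TOKEN=…` (or `TOKEN_FILE=…`) line rather than the bare token, otherwise the runner starts without a token and registration fails; the value in secrets/ci.yaml is encrypted and cannot be checked here, so please confirm it. Since systemd reads an `EnvironmentFile` before dropping privileges, the sops-nix default of a root-owned 0400 file is sufficient for this secret and no `owner`/`mode` is needed. `restartUnits` names `gitea-runner-forgejo.sinerva.eu.service`, but the instance's attribute name, from which the unit name is generated, lies outside the hunk; double-check they agree, or a rotated token will not restart the runner. The `services.gitea-actions-runner` attribute set continues past the end of the hunk.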


@ -1,4 +1,4 @@
{ lib, ... }: { config, lib, ... }:
let let
hydra_domain = "ci.sinerva.eu"; hydra_domain = "ci.sinerva.eu";
cache_domain = "cache.sinerva.eu"; cache_domain = "cache.sinerva.eu";
@ -9,6 +9,8 @@ in
./utils/acme-http-client.nix ./utils/acme-http-client.nix
]; ];
sops.secrets.priv-cache-key.sopsFile = ../secrets/ci.yaml;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
services = { services = {
@ -30,7 +32,7 @@ in
enable = true; enable = true;
bindAddress = "127.0.0.2"; bindAddress = "127.0.0.2";
port = 8081; port = 8081;
secretKeyFile = "/persist/secrets/priv_cache_key"; secretKeyFile = config.sops.secrets.priv-cache-key.path;
}; };
nginx.virtualHosts = { nginx.virtualHosts = {
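Review bot: `secretKeyFile = config.sops.secrets.priv-cache-key.path` may point at a file the service cannot open: the surrounding options (`bindAddress`, `port`, `secretKeyFile`) look like `services.nix-serve`, which as far as I recall reads the signing key itself while running as its own unprivileged user, whereas a sops-nix secret defaults to a root-owned 0400 file; the old `/persist/secrets/priv_cache_key` was presumably readable by that user. Unless the service here runs as root, give the secret an `owner` (or a group plus mode 0440) and, for symmetry with the forgejo-token declaration, a `restartUnits` entry so a rotated key is picked up, e.g. `sops.secrets.priv-cache-key = { sopsFile = ../secrets/ci.yaml; owner = "<service user>"; restartUnits = [ "<service unit>.service" ]; };` in place of the one-line form in the `sops.secrets.priv-cache-key.sopsFile` hunk. The `services = {` set and the enclosing module continue outside these hunks.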