VSinerva/nixos-conf
1
0
Fork 0
Code Activity Actions

Move forgejo to sops-nix

Browse source
This commit is contained in:
Vili Sinervä 2025-06-21 16:04:22 +03:00
parent 9a36134fac
commit 92dd291700
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
3 changed files with 37 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.sops.yaml
View file

@ -1,6 +1,7 @@
keys: keys:
- &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp - &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
- &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
- &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
- &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9 - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
creation_rules: creation_rules:
- path_regex: ^secrets/helium/.*\.yaml$ - path_regex: ^secrets/helium/.*\.yaml$
@ -13,6 +14,11 @@ creation_rules:
- age: - age:
- *vili-bw - *vili-bw
- *helium - *helium
- path_regex: ^secrets/forgejo.yaml$
key_groups:
- age:
- *vili-bw
- *forgejo
- path_regex: ^secrets/vaultwarden.yaml$ - path_regex: ^secrets/vaultwarden.yaml$
key_groups: key_groups:
- age: - age:

25
secrets/forgejo.yaml Normal file
View file

@ -0,0 +1,25 @@
smtp-pass: ENC[AES256_GCM,data:1V5EHK5itI44ZmSALPF/SA==,iv:vGSipMUvWT+qAo7JXeCGFdiiRATnYPl77SODm4SQD5c=,tag:eboMUsoJDjVIPcqT+liQCg==,type:str]
sops:
age:
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArbHZvZHBFcVlON0FaQ0lP
bjBSQS9RcXlrM25nUElDQzc5ZFVMN3ZuWTMwCkx3WWVDNm4xRVBFYmIwcnM4blQ2
d1A5R2hwTjNUcWFJRXlqUFBYN1BoK0kKLS0tIFQ4dG1RdUNDamFaa1FZazAzVVB4
Vm84bEdPNVErWTM3TkVVSmdYa3kvcWcKix28pKgG2Nm2kPo/IC8VMxWpd9D9CUNp
4QFed716oCATJnW0qYww/sM8dc+DHa8dABNzdh25yX85LuleCrRj8Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMVAwb1VONlUrL0l3RUQy
K3RpMk1icVlja0Y3dlJvYi9CQzUzMDN5NkhnCjlWaGhBaXhZMzZDL1cwV1B4MWpC
bEJYa0NHeGRKa0s4aDBleUc3TnRTYzAKLS0tIFR5b1EzR2xBZEtIdFNzSkZWVmVE
dHQ5M2JwUE5tdjBBZklXYW0wZGNlTEkKssrzEuDJXjzLBAoW5ZvOMynREFpkTbT+
tVhQdg+llvM1D3xV7SlCt8hTIZkv6mIIGAq/0VC7lgVjq6bilny/Sg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-21T12:59:33Z"
mac: ENC[AES256_GCM,data:Y0Z39BJDJJZlvlJ33pQzEYWpDzw1qSMMPufQ8iPvmNpjIXpCHxQ2LDLXyV91bMPY0OTG6cfLkF4bAOl21L5xjJ45nVNsgrqEFeWc3mxLQNnqiDP8Av0Z2L/sQbJpWppN44y/ussGQNMdndze57eNiKUp8GLRqAGJ9bFyxg8uiLE=,iv:Ddh9njJr7Ao8GMaMHPEDsz+uu9RMRIXzZNVcYAyPb1U=,tag:EjqM8DNohUcoiGwf4v8tAg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

7
servers/forgejo.nix
View file

@ -5,12 +5,17 @@
./utils/acme-http-client.nix ./utils/acme-http-client.nix
]; ];
sops.secrets.smtp-pass = {
sopsFile = ../secrets/forgejo.yaml;
restartUnits = [ "forgejo.service" ];
};
services = { services = {
forgejo = { forgejo = {
enable = true; enable = true;
lfs.enable = true; lfs.enable = true;
secrets.mailer.PASSWD = "${config.services.forgejo.stateDir}/smtp_pass"; secrets.mailer.PASSWD = config.sops.secrets.smtp-pass.path;
settings = { settings = {
DEFAULT.APP_NAME = "Forgejo for Vili Sinervä"; DEFAULT.APP_NAME = "Forgejo for Vili Sinervä";
repository = { repository = {