From 409c65a77934ad4fdadeded80e3de972581b705e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Wed, 23 Oct 2024 12:14:11 +0200
Subject: [PATCH] Add agenix secrets management / test forgejo runner deployment
---
 flake.nix | 16 ++++++++++++++++
 secrets/forgejo-runner-token.age | 7 +++++++
 secrets/secrets.nix | 14 ++++++++++++++
 services/default.nix | 1 +
 services/forgejo-runner/default.nix | 23 +++++++++++++++++++++++
 services/minimalConfig/default.nix | 4 ++--
 6 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 secrets/forgejo-runner-token.age
 create mode 100644 secrets/secrets.nix
 create mode 100644 services/forgejo-runner/default.nix
diff --git a/flake.nix b/flake.nix
index 9faccb1..5ea3b0e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -111,6 +111,22 @@
 }
 ];
 };
+ forgejo-runner = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+ "${inputs.self}/services"
+ {
+ networking.hostName = "forgejo-runner";
+ services.vm_forgejo = {
+ enable = true;
+ };
+ services.ct = {
+ enable = true;
+ };
+ }
+ ];
+ };
 jellyfin = nixpkgs.lib.nixosSystem {
 inherit system;
 modules = [
diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age
new file mode 100644
index 0000000..748572c
--- /dev/null
+++ b/secrets/forgejo-runner-token.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 OWkVXw bI57/Gf1aVjzstX647xlyqgUZo1XSymyFa7qxlKB4AQ
+cfBb0+pa5gi21UaAaFwsbxaluBrtm304NHuDTpitJ/4
+-> ssh-ed25519 okxVkA BiE2eWtweV/bYLz5leA+r+Qw8vQeQf2SG/4oFyfi0Q8
+CzjBC5foTUljAs5v1oNjvNyl4YjP4XXqUVEGLpZJwlg
+--- hB0dIZzpd6dNAoar3ATwj/pe6Dr/Z9OUBvo1GfsgBrI
+I1ZU̝ɻGf6̂>Hj7MAR۴lQ <%Fkq^:2Bs
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..8eb4f4a
--- /dev/null
+++ b/secrets/secrets.nix
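Review bot: The new host's `modules` list after `forgejo-runner = nixpkgs.lib.nixosSystem {` contains no agenix NixOS module, and the diffstat shows no new input in flake.nix, yet services/forgejo-runner/default.nix in this same patch reads `config.age.secrets.forgejo-runner-token.path`. Unless `"${inputs.self}/services"` already imports agenix somewhere outside this diff, evaluating the forgejo-runner host will fail on the undefined `age` option, and even with the module present the secret is never declared. Adding the module here (e.g. `inputs.agenix.nixosModules.default` once the input exists) and declaring `age.secrets.forgejo-runner-token.file = ../../secrets/forgejo-runner-token.age;` in the runner module would close the gap; confirm the relative path against the repository layout. The same issue applies to the services/forgejo-runner/default.nix hunk below.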
@@ -0,0 +1,14 @@
+let
+ tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos";
+ users = [ tbarnouin ];
+
+ laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYomb5vtXsfYGZiVjSY7eOzWI+tp1YRLlPkpKDXIwGl root@nixos";
+
+ forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
+
+ systems = [ laptop forgejo ];
+in
+{
+ "forgejo-runner-token.age".publicKeys = [ tbarnouin forgejo ];
+}
+
diff --git a/services/default.nix b/services/default.nix
index ef1581e..228be30 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -4,6 +4,7 @@
 ./nginx
 ./netbox
 ./gitea
+ ./forgejo-runner
 ./redis
 ./jellyfin
 ./nextcloud
diff --git a/services/forgejo-runner/default.nix b/services/forgejo-runner/default.nix
new file mode 100644
index 0000000..c4ec77a
--- /dev/null
+++ b/services/forgejo-runner/default.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.vm_forgejo;
+in
+{
+ options.services.vm_forgejo = {
+ enable = lib.mkEnableOption "Enable Forgejo service";
+ };
+ config = lib.mkIf cfg.enable {
+ services.forgejo-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = "monolith";
+ url = "https://git.le43.eu";
+ tokenFile = config.age.secrets.forgejo-runner-token.path;
+ labels = [
+ "ubuntu-latest:docker://node:16-bullseye"
+ ];
+ };
+ };
+ };
+}
diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix
index 810fb55..061b33a 100644
--- a/services/minimalConfig/default.nix
+++ b/services/minimalConfig/default.nix
@@ -93,7 +93,7 @@
 settings.PermitRootLogin = "prohibit-password";
 hostKeys = [
 {
- path = "/var/ssh/ssh_host_ed25519_key";
+ path = "/etc/ssh/ssh_host_ed25519_key";
 type = "ed25519";
 }
 ];
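Review bot: `users`, `laptop` and `systems` are bound in the `let` but never referenced; the only recipients actually granted are `tbarnouin` and `forgejo` on the `"forgejo-runner-token.age".publicKeys` line. Either drop the dead bindings or use the lists, e.g. `"forgejo-runner-token.age".publicKeys = users ++ systems;`, so the file states exactly which keys can decrypt the token instead of carrying a list that suggests a broader policy than is applied. As written, omitting `laptop` means the token cannot be re-keyed from that host's root key, which may be intentional but deserves a one-line comment. Because the `forgejo` recipient is the runner host's SSH host key, any regeneration of that key (this patch moves the host key path in services/minimalConfig/default.nix) requires re-encrypting this file with `agenix -r`.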
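Review bot: `lib.mkEnableOption "Enable Forgejo service"` renders as "Whether to enable Enable Forgejo service." because mkEnableOption already prepends "Whether to enable"; the argument should be a noun phrase, and since this module configures a runner rather than Forgejo itself, `enable = lib.mkEnableOption "the Forgejo Actions runner";` reads correctly. The option path `services.vm_forgejo` and the instance name `"monolith"` likewise do not say that this host is an Actions runner, so a header comment after the `{ config, pkgs, lib, ... }:` line such as `# Registers this host as a Forgejo Actions runner against git.le43.eu; the registration token is read from an agenix secret, never from the Nix store` would help the next reader. The `labels` entry pins jobs to `node:16-bullseye`; a short comment recording why that image tag was chosen makes it easier to notice when it needs updating. `package = pkgs.forgejo-actions-runner;` may simply restate the module default and could be dropped if so.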
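Review bot: Changing `path` from `/var/ssh/ssh_host_ed25519_key` to `/etc/ssh/ssh_host_ed25519_key` moves where sshd looks for the host key, but nothing in the patch migrates an existing key, so an already-deployed host will generate a fresh ed25519 key at the new path on its next switch. That changes the host's SSH identity (existing known_hosts entries stop matching) and, if the `forgejo` recipient in secrets/secrets.nix was taken from the old key, agenix will no longer be able to decrypt the runner token on that host. The commit message should record the migration step — copy the existing key pair to /etc/ssh before switching, or accept the new identity and re-key the secrets. The enclosing `services.openssh` block appears to start outside the hunk.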
@@ -118,6 +118,6 @@
 system = {
 stateVersion = "24.05";
- activationScripts.ensure-ssh-key-dir.text = "mkdir -p /var/ssh";
+ activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
 };
 }
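Review bot: With the host key now under `/etc/ssh`, the retargeted `activationScripts.ensure-ssh-key-dir` script is likely redundant: the NixOS openssh module creates the parent directory of each configured `hostKeys` path before generating a key, and the module also populates `/etc/ssh` through its own `environment.etc` entries. Worth verifying on a fresh boot and then removing the activation script rather than keeping a second, unexplained owner of that directory. If it is kept, a comment such as `# must exist before sshd's first start so the host key can be generated` should say why it is needed.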