Add agenix secrets management / test forgejo runner deployment

2024-10-23 12:14:11 +02:00 · 2024-10-23 12:14:11 +02:00 · 409c65a779
commit 409c65a779
parent fe5c92ae8c
6 changed files with 63 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -111,6 +111,22 @@
            }
          ];
        };
        forgejo-runner = nixpkgs.lib.nixosSystem {
          inherit system;
          modules = [
            "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
            "${inputs.self}/services"
            {
              networking.hostName = "forgejo-runner";
              services.vm_forgejo = {
                enable = true;
              };
              services.ct = {
                enable = true;
              };
            }
          ];
        };
        jellyfin = nixpkgs.lib.nixosSystem {
          inherit system;
          modules = [
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 OWkVXw bI57/Gf1aVjzstX647xlyqgUZo1XSymyFa7qxlKB4AQ
 cfBb0+pa5gi21UaAaFwsbxaluBrtm304NHuDTpitJ/4
 -> ssh-ed25519 okxVkA BiE2eWtweV/bYLz5leA+r+Qw8vQeQf2SG/4oFyfi0Q8
 CzjBC5foTUljAs5v1oNjvNyl4YjP4XXqUVEGLpZJwlg
 --- hB0dIZzpd6dNAoar3ATwj/pe6Dr/Z9OUBvo1GfsgBrI
 I1Z×UÌ<EFBFBD>É»úëGf6Ì‚šá>Hjý7MýA<C3BD>Rõ‹Û´l¡Q <â%’“òFkÂqèŠ^„»ÑõÚÛê:âü2ÑBs
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,14 @@
 let
  tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos";
  users     = [ tbarnouin ];
  laptop  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYomb5vtXsfYGZiVjSY7eOzWI+tp1YRLlPkpKDXIwGl root@nixos";
  forgejo  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
  systems = [ laptop forgejo ];
 in
 {
  "forgejo-runner-token.age".publicKeys = [ tbarnouin forgejo ];
 }
--- a/services/default.nix
+++ b/services/default.nix
@ -4,6 +4,7 @@
    ./nginx
    ./netbox
    ./gitea
    ./forgejo-runner
    ./redis
    ./jellyfin
    ./nextcloud
--- a/services/forgejo-runner/default.nix
+++ b/services/forgejo-runner/default.nix
@ -0,0 +1,23 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.vm_forgejo;
 in
 {
  options.services.vm_forgejo = {
    enable = lib.mkEnableOption "Enable Forgejo service";
  };
  config = lib.mkIf cfg.enable {
    services.forgejo-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances.default = {
        enable = true;
        name = "monolith";
        url = "https://git.le43.eu";
        tokenFile = config.age.secrets.forgejo-runner-token.path;
        labels = [
          "ubuntu-latest:docker://node:16-bullseye"
        ];
      };
    };
  };
 }
--- a/services/minimalConfig/default.nix
+++ b/services/minimalConfig/default.nix
@ -93,7 +93,7 @@
      settings.PermitRootLogin = "prohibit-password";
      hostKeys = [
        {
-          path = "/var/ssh/ssh_host_ed25519_key";
+          path = "/etc/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
      ];
@ -118,6 +118,6 @@
  system = {
    stateVersion = "24.05";
-    activationScripts.ensure-ssh-key-dir.text = "mkdir -p /var/ssh";
+    activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
  };
 }