From 72bb47abe31886e1aae328875b303137721479fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Wed, 23 Oct 2024 13:10:45 +0200 Subject: [PATCH] Agenix config for forgejo tested and working --- flake.lock | 114 ++++++++++++++++-- flake.nix | 4 +- secrets/forgejo-runner-token.age | Bin 363 -> 363 bytes services/forgejo-runner/default.nix | 6 +- .../secrets/forgejo-runner-token.age | Bin 0 -> 363 bytes 5 files changed, 111 insertions(+), 13 deletions(-) create mode 100644 services/forgejo-runner/secrets/forgejo-runner-token.age diff --git a/flake.lock b/flake.lock index 0be0e3d..9629357 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "authentik-nix": { "inputs": { "authentik-src": "authentik-src", @@ -7,9 +28,9 @@ "flake-parts": "flake-parts", "flake-utils": "flake-utils", "napalm": "napalm", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "poetry2nix": "poetry2nix", - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1727699431, @@ -42,6 +63,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { 
@@ -99,7 +142,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1710146030, @@ -116,6 +159,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -208,11 +272,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726937504, - "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9357f4f23713673f310988025d9dc261c20e70c6", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { @@ -235,6 +299,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1726937504, + "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9357f4f23713673f310988025d9dc261c20e70c6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1728740863, "narHash": "sha256-u+rxA79a0lyhG+u+oPBRtTDtzz8kvkc9a6SWSt9ekVc=", @@ -283,10 +363,11 @@ }, "root": { "inputs": { + "agenix": "agenix", "authentik-nix": "authentik-nix", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "microvm": "microvm", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" } }, "spectrum": { 
@@ -306,6 +387,21 @@ } }, "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -320,7 +416,7 @@ "type": "github" } }, - "systems_2": { + "systems_3": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", diff --git a/flake.nix b/flake.nix index 5ea3b0e..e2ed5c9 100644 --- a/flake.nix +++ b/flake.nix @@ -10,9 +10,10 @@ microvm.url = "github:astro/microvm.nix"; microvm.inputs.nixpkgs.follows = "nixpkgs"; authentik-nix.url = "github:nix-community/authentik-nix"; + agenix.url = "github:ryantm/agenix"; }; - outputs = inputs@{ self, nixpkgs, home-manager, microvm, ... }: + outputs = inputs@{ self, nixpkgs, home-manager, microvm, agenix, ... }: let system = "x86_64-linux"; username = "tbarnouin"; @@ -114,6 +115,7 @@ forgejo-runner = nixpkgs.lib.nixosSystem { inherit system; modules = [ + agenix.nixosModules.default "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" "${inputs.self}/services" { 
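Review bot: The new input `agenix.url = "github:ryantm/agenix";` in the first flake.nix hunk is declared without a `follows`, unlike `microvm` just above it, so agenix resolves its own nixpkgs instead of the one the hosts are built from. The regenerated flake.lock shows the result: the node named `nixpkgs` is now agenix's pin (lastModified 1703013332), older than the root's `nixpkgs_3` (1728740863), and separate `darwin` and `home-manager` nodes are locked as well. Because this input supplies the module that handles the runner token on `forgejo-runner`, I would keep it on the same reviewed and regularly updated package set by adding `agenix.inputs.nixpkgs.follows = "nixpkgs";`. Since the flake appears to target only `x86_64-linux`, `agenix.inputs.darwin.follows = "";` would also drop the unused nix-darwin input from the lock.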
diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age index 748572c58d91c3d103548f6a779f38c861478739..451b4edbdfae01a7bb805d5730dfb5beebe3912e 100644 GIT binary patch delta 328 zcmV-O0k{6^0_y^hEPppLZ)9m|WN2bhI8QK7b~Q9ZS6N7Ecxz!aRyj3qIWI9mG&FHG zD@ajMSqgPIOG!z2R$@U^FKsYwaB*#PWp++ePjE^yGGRq>c6f3@N^VVLMKf$GRSGRW zAaiqQEoEdfH8n9gAWc+HF>q%fb4EmAPBvyYXK*!WIZHuRF@Hx-ZcI=}ZBArzbaO>& zH(FLvSSv+%VO2tN3RrnUbWBQ1Gj=v-S5sJ5W=e2qWGhWHL0V3BZZu_hMmb?ILS|QW zG%`YG3N0-yAa;09GGj<`a70#8FilTxc`!6&H)AwWd0A*kRBJY8buwpkRd*|DX){$# z3QZELj`bwpHfX>>|2Gzu*~ zAaiqQEoEdfH8n9gAa84UR%<~ZLTN=ZWmj}}WmYd@SxkC0Y=31zD{?DQcQ|%YWl?4_ zQ%5f}Z$^1$X)sYZ3PXBoLPIrXZ&X!mYC&@~b}?^GYIaU}Y&2PFP&8OraaC4DM@(>9 zN_T8$3N0-yAZS7`WJy|jaAY=QPC;*Bax+0xcWN(iWi~`|FIqWIRYG=eF-K-|XF_sG z3P~|q*Hz4&$w9mN>jXyu8)gJH%z~QXK1gc)H%n_>39~fKx70UuG%+bO)Ak4qjN~e{^!D_u3`=qh(a$x= zEhx+_NiFjW_Al@tUDyt}R^vd&1aW&4-4n?=kH^kqtAYGx@%_Y&#EX_QJQ3l6;%Tdtor&m}f9 wO7?M6>e2OmmqPOjKCTK3YM4DetLM?jZojttOFLix?{`j{ZnpMri{6(r04IKgBLDyZ literal 0 HcmV?d00001