services: forgejo: pin secret key
All checks were successful
flake / build (push) Successful in 3m18s

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
Christoph Heiss 2024-08-24 13:58:01 +02:00
parent 30d55d5792
commit 35dcf3d3ba
Signed by: c8h4
GPG key ID: 6817E9C75C0785D7
2 changed files with 17 additions and 9 deletions


@ -1,4 +1,5 @@
forgejo:
secret-key: ENC[AES256_GCM,data:rGASpDPdyTWUt73MRcpzdVLCcRIyp0+8wOcWBJ0gMy8nlKK9bVhJ3IHh4FZ/1Ol4QNkF9DdWmUOGihqi8l6rEQ==,iv:/KIcl7MzwO4XC3xLttcF99d6lSN75xNVMftnL5UDZw8=,tag:KnsayAuke3IvtDq4yxqILg==,type:str]
mail:
host: ENC[AES256_GCM,data:pezxEQq+Etvf2WPI6YAv+aNS,iv:8wWcA58Wvdf2cNxccaiZyu0NAKa34sJuYKssUPWeZLA=,tag:MJr16+zDev6GCpe574FgHw==,type:str]
password: ENC[AES256_GCM,data:tJhV6Wx2/+A4UZHXZzFwXYnwjZNufNPAmXFqk6ojL+XXaOdcD0SOaOjyh94X0nnOJfPHR6goG58vljuQPmOkzQ==,iv:32rm482fe7NhwZiDE3myG9NDIZfJbmjBfHGxy/A1dnA=,tag:Ajufsg/8K7aiOpZGeTLP4A==,type:str]
@ -44,8 +45,8 @@ sops:
YVMzY2xiY1FBcHZicjBrKzlUZ2FyOEUKlMvpN5grIvL9/Lwf57V96jeZjOf9SJeA
hxHUQDqiS5R5nUP5FRWEss8rUKCzuzVP3WqEIiYePZY7tZHvcemvWg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-24T11:23:27Z"
mac: ENC[AES256_GCM,data:6WMNrzb6fcCnphhQwLV4lXNqtJp6T57jFqK6pbDYrAc5kVz7UjODNc2r0qmsEsQ4FHzjF1bLJkPqGHKdJdefWj7MHYu3ygxYiBPIoy3SwS1A8uqbywIxLFJzuoIaZ0t5Rtt4hni5eK4DKKzWyqgtgUD1WjPFiPH7unlAyowiQYM=,iv:m7pXlPv0tpoQY1OOy9jZuMXI/IpQHa1WCBWJtGO7zbU=,tag:AD3pBAa2LcI2HZkDFmCBjg==,type:str]
lastmodified: "2024-08-24T11:24:50Z"
mac: ENC[AES256_GCM,data:hLQFlPVWq4eMuHZPgYr3QaGe0lRk610yrXwLIN4l5iWT8vGTFlBNwHNDsZXKTs7v5f8CgCkY5ZsDM5fmflRiXI2eH/ZZF3sEnpLRX7Eh15xk714/fW/0Wr6HymhMNl/7Os6JtOekPb0SsyzpMqTVLh+sBnU3jPJ6aMQcFCTBDTE=,iv:R2gpV9gzhhiIUbR2C/yt19C8YJ1C8RUin9Gq7626Xmw=,tag:6P2WnUfJfLnp7/n+VeZerw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0


@ -5,13 +5,19 @@ let
fqdn = "git.${my.domain}";
dataDir = "/mnt/data/forgejo";
in {
sops.secrets."forgejo/mail/host" = {
sopsFile = ../secrets/sops/forgejo.yaml;
restartUnits = [ "forgejo.service" ];
};
sops.secrets."forgejo/mail/password" = {
sopsFile = ../secrets/sops/forgejo.yaml;
restartUnits = [ "forgejo.service" ];
sops.secrets = {
"forgejo/mail/host" = {
sopsFile = ../secrets/sops/forgejo.yaml;
restartUnits = [ "forgejo.service" ];
};
"forgejo/mail/password" = {
sopsFile = ../secrets/sops/forgejo.yaml;
restartUnits = [ "forgejo.service" ];
};
"forgejo/secret-key" = {
sopsFile = ../secrets/sops/forgejo.yaml;
restartUnits = [ "forgejo.service" ];
};
};
services.forgejo = {
@ -106,6 +112,7 @@ in {
SMTP_ADDR = secrets."forgejo/mail/host".path;
PASSWD = secrets."forgejo/mail/password".path;
};
security.SECRET_KEY = lib.mkForce secrets."forgejo/secret-key".path;
};
dump = {
enable = true;
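Review bot: The `lib.mkForce` on `security.SECRET_KEY` in the second hunk has no comment saying what it overrides or that the pinned value must be the key the instance already runs with. Forgejo uses SECRET_KEY to encrypt stored data such as 2FA secrets, so a value that differs from the previously generated one would leave that data unreadable. I would add a comment above the line, for example `# mkForce: replace the module's default key file; value must match the key the instance was initialised with`. Separately, the three `sops.secrets` entries in the first hunk set no `owner` or `mode`, so whether the service user can read the decrypted files depends on how the enclosing block consumes `.path`, which starts outside the hunk; worth confirming, and setting `owner` explicitly if the reader is not root.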