felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2025-08-25 13:26:22 +02:00
Code Issues Projects Releases Wiki Activity

kommode/gitea: make secrets declarative

Browse Source
This commit is contained in:
h7x4 2025-08-03 03:39:18 +02:00
parent 0a7f559869
commit 234a7030f0
No known key found for this signature in database
GPG Key ID: 9F2F7D8250F35146
2 changed files with 25 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
hosts/kommode/services/gitea/default.nix
View File

@ -11,15 +11,17 @@ in {
./web-secret-provider
];
sops.secrets = {
"gitea/database" = {
owner = "gitea";
group = "gitea";
};
"gitea/email-password" = {
sops.secrets = let
defaultConfig = {
owner = "gitea";
group = "gitea";
};
in {
"gitea/database" = defaultConfig;
"gitea/email-password" = defaultConfig;
"gitea/lfs-jwt-secret" = defaultConfig;
"gitea/oauth2-jwt-secret" = defaultConfig;
"gitea/secret-key" = defaultConfig;
};
services.gitea = {
@ -45,9 +47,15 @@ in {
ROOT_URL = "https://${domain}/";
PROTOCOL = "http+unix";
SSH_PORT = sshPort;
LANDING_PAGE = "explore";
START_SSH_SERVER = true;
START_LFS_SERVER = true;
LANDING_PAGE = "explore";
LFS_JWT_SECRET = lib.mkForce "";
LFS_JWT_SECRET_URI = config.sops.secrets."gitea/lfs-jwt-secret".path;
};
oauth2 = {
JWT_SECRET = lib.mkForce "";
JWT_SECRET_URI = config.sops.secrets."gitea/oauth2-jwt-secret".path;
};
"git.timeout" = {
MIGRATE = 3600;
@ -75,6 +83,10 @@ in {
};
admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
session.COOKIE_SECURE = true;
security = {
SECRET_KEY = lib.mkForce "";
SECRET_KEY_PATH = config.sops.secrets."gitea/secret-key".path;
};
database.LOG_SQL = false;
repository = {
PREFERRED_LICENSES = lib.concatStringsSep "," [

13
secrets/kommode/kommode.yaml
View File

@ -8,11 +8,10 @@ gitea:
gpg-signing-key: ENC[AES256_GCM,data:AyafTF3H8p1qDk9xsNvT68BksoKGLwE2uE3hjz0TrT2XPxCRDOIlfAVYEPSu2Ih6l5a2uruEJhHPtU2fPCB2hln3Bv3gZfFGLb3GFWkSvdePIYFxG56uqGK5dE1KaMccc2cTi+raDImKqSTbp7Qpdo/c6C0WYVglYrD+2l8Y4QOiFuazyLY9zwcX0qG7pIjJ+akCUjfE4rJDAW6H/v+OqvHpcED3q4iXOYuw9sj/UeIgZfJ5Xc/uVrRmPewP4yALnA8o9gsaaLdjWRFIILe7VRwPr0YqwQ6XGgc+pEartkV8AzxjCq6DOtifOOzmu8EI1U1yoaOViYCAMbSHfP6SIKr7pJbrdU+YDBq9mvRx8KPXWUU2uNGrMObATEzlqMYAYA/HJeOdV4w3Axvq8RG2FLkJxJJniwNP5VZRF3bbbI3w+hprRP2yAwgeQw19KBU8yF8upKga/GdMNScpKJvRyVLjZtI0rsfvSC81lHawouuje6aPXT3dH1S5ROJBHMTeV0sP0vK6liBevz9RZpvNs6JVyNCgiRRtRSSYqsgwPJonDKuPeI/Zpgih7HboA8HqhIibqpO96h5/4yO69oJAbLUYV3zlKQcMDTaqadL4Ox5Z+8ygSAL3l1ufZIFGSj73SNHGQqQlIS/a3dAccRi5fPqv0gOmGFAAUJPKfeauFn3TclwojKzu5vwmQxZ5g50txEpTSTaYOy++qq6UZa/dXEyDC7fle75dXhqXyqMCf9kDwZZl5E9eBsabNdTF+auQCp82iLQivdBy7uJX2hkJFSg84fF9MLgH4mOcMQc2E/z961uNzEgoyvVhbDY6+SIJ+6SGmnardbFW7mYrj/QqnSUiMc4tHukAB4NGQYHgjOYRZMpHfVO/6dLbjmTOljnPsnfQUCepvb9rGim8NazvnARaVzezx4t3tfbNR8uLQudSeLZzn/Fu1mKSQvpP+IjdglmyAgp6QhB4OCDPbiaMRDUtOQIzlVILdz1/geUVzhZkJ4xzkm5klGukhtv+3TqjiTcEnoVJC+A1jRvxBQUfEE92GFuupJUfrw8bIDqsWQLkHPCNUMgdoKa/q2OkrWeQz2zm2yUqMAJn1/puoLHdSH5aCELUggx1gQZoc480pSBUvSCML+Qc4B4Cd6hX2PPp+/KQeKtfqHIsKz2I+DMT6KDirReX6WHxqk+s2DtLw7Wx/j65PWCIWLCz,iv:c9BDRxQImWTmwq11+T2CW0S00Dixd8d0od5xn5zZmY8=,tag:brnMedsdTwlkbaHaLa2w2g==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:P6hKaCpcZdXIy4rE/1b1+66Md/3Kmviileb0OIT3Vz4IVsDLecBh3IiadHq66V4KocXC4LBUNFjcrxlVVGIonHJ3qd6VpQUwG0n83yhj6LD5hgxmZ5phAyR77Ri8BiH1lWUcg51L2k0U+WJFPP6JkumT9MEz1t1+JYr5Imij6GKRWRKFwTbU6QJwFH4tCA/iGw0ElrzIjSHiNiwIKfbm8yas9vlOhr4y7vCeV10hVyvV,iv:dZ8hQxhn7pokWbQG/8rQ2vFDpPYut7WCG3xy9g6kzNs=,tag:xMyPtJJoh8kjJcOT4t9aRA==,type:str]
import-user-env: ENC[AES256_GCM,data:9SE2k3/IJqbdexj0QFSQBQ1+u1AduWNjt+0XIHryJlxIEdvv9a+6hP4EXPo+31GnaE4=,iv:qZlWOBV5owr3ESTyFaV/R8VwlGl04kaui80I2zYk4zY=,tag:PhjRfEC1xoHaYyl648yCVw==,type:str]
secret-key: ENC[AES256_GCM,data:YqwSJazPqz1OOsUVIPKsGvIHbX7SyJqryan1KWSRGRJkt9yZlaiRtQG/mQugAM6IvLFD3pj+gPTcXyqenaAQKA==,iv:nyPnL7wuhpb0kl0tm1JhOHmF7KI9vVcTN1SRGTgD2o8=,tag:Rt/IPC/YtBcmTx5osGlbBg==,type:str]
oauth2-jwt-secret: ENC[AES256_GCM,data:YUVbf0xgnzeNoahu57yzoib2XSB0rR2AAIkdlEe8eC9AFEdv4vE0S372jw==,iv:k1cEa/sWqJZ9b/NetVSR37BYy6UUOM4qAnbsfLEw+5Y=,tag:CrUh0xDWA77dAFp8FY0jPA==,type:str]
lfs-jwt-secret: ENC[AES256_GCM,data:fAirrt7Ue1XpHYB12e8l+47x1dY/eIsDV61KrDA/sRSKvZherRNnahtLQw==,iv:S6+rQHf3TL/1tKcknX/jHJ7k79GCU1BRBZHhuqXSRME=,tag:WUjNaP8bb1HvZnAX3+vXoQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
enc: |
@ -68,8 +67,8 @@ sops:
OCtLcUZwL084TUp0QmpSQXNtSFhHYkUKwGvXXE9AWlrlDgRl2ECCmej7IMztO+fx
852Vu610cI9FLv5oghlKM769+/A2QP82KwdxZ4MaRSDvJwXKBi16aw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-16T13:03:12Z"
mac: ENC[AES256_GCM,data:cuMHvEjR3nA/LqGHwIGOD+rWwmvg0fPiFtVTDLATKuc0Ulf+0PKogv9cddmXlmqaBOLMkmZue44egEpiLoNm38kEr7gPfP7XKj3kkwL2U4BiS43JEokt5CEq44sSETKylEMEVajgOEwyWn1od4MLxa7xsuhbvGvDpsbvjyPvzh0=,iv:zWFNpOS9cgCs36rdW9FcJ+jG3HrjRmcw2Ogz7QZuyJQ=,tag:L3x6Bsu+7n5A0/Dx0HghkA==,type:str]
lastmodified: "2025-08-03T01:35:52Z"
mac: ENC[AES256_GCM,data:wQPIW9zRhB6IjK1OQy69Ln+dj6OMNLnNKIzFIhv/vbQ4GllMJ3N/gZjuzMJIumcVND+jEY/qiYnsCFSptStlDYtB3/zHWo1e6It2pM4igtoTP29uiQME0vPJSz0guakZlDMa20mOTN0vVZODEbeBiQNXWtnTbl93R2JVJlZrWcI=,iv:L9Dk5S+hbBO0LTM0irfLuqjLYHzVtY5Tq+Q7m65u6p8=,tag:0GT9IyPeGY5YM6PP/LNs/Q==,type:str]
pgp:
- created_at: "2025-03-16T13:02:45Z"
enc: |-
@ -92,4 +91,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.10.2