kommode/gitea: fix declarative secrets

2026-01-13 10:58:24 +01:00 · 2025-08-03 04:44:37 +02:00
3 changed files with 15 additions and 9 deletions
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -51,11 +51,11 @@ in {
        START_SSH_SERVER = true;
        START_LFS_SERVER = true;
        LFS_JWT_SECRET = lib.mkForce "";
-        LFS_JWT_SECRET_URI = config.sops.secrets."gitea/lfs-jwt-secret".path;
+        LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
      };
      oauth2 = {
        JWT_SECRET = lib.mkForce "";
-        JWT_SECRET_URI = config.sops.secrets."gitea/oauth2-jwt-secret".path;
+        JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
      };
      "git.timeout" = {
        MIGRATE = 3600;
@@ -85,7 +85,7 @@ in {
      session.COOKIE_SECURE = true;
      security = {
        SECRET_KEY = lib.mkForce "";
-        SECRET_KEY_PATH = config.sops.secrets."gitea/secret-key".path;
+        SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
      };
      database.LOG_SQL = false;
      repository = {
--- a/hosts/lupine/services/gitea-runner.nix
+++ b/hosts/lupine/services/gitea-runner.nix
@@ -6,14 +6,16 @@
  # successfully registered will gitea give you the next token.
  # - oysteikt Sep 2023
  sops = {
-    secrets."gitea/runners/token" = { };
+    secrets."gitea/runners/token" = {
+      key = "gitea/runners/${lupineName}";
+    };

    templates."gitea-runner-envfile" = {
      restartUnits = [
        "gitea-runner-${lupineName}.service"
      ];
      content = ''
-        TOKEN=${config.sops.placeholder."gitea/runners/token"}
+        TOKEN="${config.sops.placeholder."gitea/runners/token"}"
      '';
    };
  };
@@ -39,5 +41,5 @@

  networking.dhcpcd.IPv6rs = false;

-  networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 5353 ];
+  networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
 }
--- a/secrets/lupine/lupine.yaml
+++ b/secrets/lupine/lupine.yaml
@@ -1,6 +1,10 @@
 gitea:
    runners:
-        token: ENC[AES256_GCM,data:Y27trzUHuA1k9fVs/3PM/L8aIlI+37nAPTVDgWjBX+K4q23saa5XUA==,iv:J4litvX0ip/a340E7S+XHZQG+BGh+K/RzFxdS1VLwA0=,tag:H4oK4vn27U+yXqa/YQJOxA==,type:str]
+        lupine-1: ENC[AES256_GCM,data:UcZB2p/dInvcl0yNBEohzbmcVxg/QQPXlIsaVB3M3hyxFg1gtGfUGA==,iv:OigyPfPoRIjvyiId7hiiWdNrZqyZqI3OonvJC+zYEzI=,tag:SjBsvo/IJKhFQs+PiI596g==,type:str]
+        lupine-2: null
+        lupine-3: null
+        lupine-4: null
+        lupine-5: null
 sops:
    age:
        - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
@@ -93,8 +97,8 @@ sops:
            YU5mMDlRckJCMDAzcHYyMWN1clRJRVEK77PiAQP+2+WblGYEgAf6bx6RTh0JHiSZ
            /jPIN/rbAKNv36wpZDbuLV8tcMuvhleNMRSSqbIloLSzww+Z5nOU4A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-03T01:13:50Z"
-    mac: ENC[AES256_GCM,data:oFbwmbLk3z6oYQMCEcFAGstf6DUT7hh9OUa5HVyeIR15YVgJ9/0hwZPG1m00w1HpKjt7/iVnQQYdPvt00snwn7g0M822MquMbwavozOrWWuhpxlzjM1kn/zTHAPFMmDihAciuQSSk43Dc5FRS5Gc6gwonEsJ5EUqcq2nM/cnAUY=,iv:H1CEaaypKUMCd2zJOXhIUQQqTfOwknG+iBOpgYlirmY=,tag:gKX+OTZ+BrHvcwoyO6YFdA==,type:str]
+    lastmodified: "2025-07-30T18:29:08Z"
+    mac: ENC[AES256_GCM,data:47cki5ucPTVd4JuEyK0QkDCCEqj1pW6SA5I6ihC/MEja6TIuHTcEPFpje8+LvpGjpP9uobKX4g3UcyvkJ63j/k3hU0xPYQX3Z1ee00KIMKB0GHNjUR8ENtnwd3TU7kp5ohtXeCtcyzCjdFFuXp8AINGv3vpbU2MzauctUxn5B1Y=,iv:1mpk/f1QlRtHfA9dqyNLBrvfVPgtLnZ7ibj8qNrEGD8=,tag:drEK1+qeJy97rgeQJyqucA==,type:str]
    pgp:
        - created_at: "2025-07-30T18:27:50Z"
          enc: |-