stupidcomputer/dot_testing
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

test managing gitea credential with sops-nix

Browse Source
This commit is contained in:
stupidcomputer 2024-12-26 21:59:49 -06:00
parent 9f2ecb2329
commit 1c2fcb7951
6 changed files with 50 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.sops.yaml Normal file
View File

@ -0,0 +1,9 @@
keys:
- &admin age13flq29rfu03np26ujargsjml3wdhlruvhqyjnfhlq87s56lrxy2sgl8z6h
- &server_netbox: age1y5y2k2zn9w3ss2drqw3d295ny0t0xww5855dkuh4g2f934gt74eqxgmhvh
creation_rules:
- path_regex: boxes/netbox/secrets.yaml
key_groups:
- age:
- *admin
- *server_netbox

1
boxes/netbox/default.nix
View File

@ -4,6 +4,7 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../lib/bootstrap.nix ../../lib/bootstrap.nix
./sops.nix
./franklincce.nix ./franklincce.nix
./gitea.nix ./gitea.nix

4
boxes/netbox/gitea.nix
View File

@ -1,11 +1,11 @@
{ lib, config, pkgs, ... }: { config, ... }:
{ {
services.gitea = { services.gitea = {
enable = true; enable = true;
appName = "beepboop.systems"; # Give the site a name appName = "beepboop.systems"; # Give the site a name
database = { database = {
type = "postgres"; type = "postgres";
passwordFile = "/etc/gittea-pass"; passwordFile = config.sops.secrets."gitea/postgres-password".path;
}; };
settings.security.INSTALL_LOCK = true; settings.security.INSTALL_LOCK = true;
settings.service = { settings.service = {

22
boxes/netbox/secrets.yaml Normal file
View File

@ -0,0 +1,22 @@
gitea:
postgres-password: ENC[AES256_GCM,data:lcF+qOUo3PuCM/ymuIsxrZ/Ui5lwWuto8FMAQNY2nGWEvtf/yjcRzFwWIyqfszb19Wl3Z70a3i5fyurCdQ+izwAL83TOMA==,iv:+ValvmW5P4geg/2LdvrR28mp1lbB2a/Lu1zpHsxg6Uo=,tag:fayiaAf3MTSJE6Fnic9RPw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age13flq29rfu03np26ujargsjml3wdhlruvhqyjnfhlq87s56lrxy2sgl8z6h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UkFWVm5GanMvQXdUZUc1
TFhxVDhWSDZwb3BMUHNnZHg5c2sxbmY0Y2lVCjF1T3FFdUE0bVJ1T3BaNnpjeThH
Sld6K2gydVN0YmJvUHdlTmd3VkV0ZTgKLS0tIE1VSElDbXdDUkd6aWFGSW02VTRP
MGwzY3dySzJHQzJWUTArVDU4MSszakUK3u5xVX+Oey1Ax6I4PH8IuJ/eQAWMgFyK
SaEgS7z/pHSEKQZeGmZwrk5+1ahI+qkjX4XPiTxiM4rxjiluxhyqQg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-27T03:59:29Z"
mac: ENC[AES256_GCM,data:BJQOgkeU71G9Cy9tRxSCNJce4NDlc73ZKoWfpMkYcIbBIkpQotmnEzmWvjmDjcR9hEayDoDHVXZA4DWtpPPSYCuls5tkHV0wFg3usLRAFWWhMOWLL4D9ZJl9C8uuW21c8mlhDf+5n+sWY5UGaRSD5SBqYdqn68E62bunLm6kHrM=,iv:Z7A686d5B7oG1GODtUDdMG9zsf2tSyqWLrofdBC9PLo=,tag:U5sf23+BRBDuqXkdb/LYGw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

14
boxes/netbox/sops.nix Normal file
View File

@ -0,0 +1,14 @@
{ inputs, config, ... }:
{
imports = [
inputs.sops-nix.nixosModules.sops
];
sops = {
defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = {
"gitea/postgres-password" = {};
};
};
}

6
flake.nix
View File

@ -2,11 +2,9 @@
description = "stupidcomputer's nixos flake"; description = "stupidcomputer's nixos flake";
inputs = { inputs = {
# regular nixos stuff
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
simple-nixos-mailserver = { simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; sops-nix.url = "github:Mic92/sops-nix";
};
}; };
outputs = { outputs = {