From 7212b80c3da39730c9d3257b3d66a28215774659 Mon Sep 17 00:00:00 2001
From: stupidcomputer
Date: Thu, 26 Dec 2024 23:07:30 -0600
Subject: [PATCH] test managing gitea credential with agenix

---
 boxes/netbox/agenix.nix | 3 +
 boxes/netbox/default.nix | 1 +
 boxes/netbox/gitea.nix | 4 +-
 flake.lock | 110 ++++++++++++++++++++++++++--
 flake.nix | 15 ++--
 secrets/gitea-postgres-password.age | 9 +++
 secrets/secrets.nix | 8 ++
 7 files changed, 136 insertions(+), 14 deletions(-)
 create mode 100644 boxes/netbox/agenix.nix
 create mode 100644 secrets/gitea-postgres-password.age
 create mode 100644 secrets/secrets.nix

diff --git a/boxes/netbox/agenix.nix b/boxes/netbox/agenix.nix
new file mode 100644
index 0000000..a4d0215
--- /dev/null
+++ b/boxes/netbox/agenix.nix
@@ -0,0 +1,3 @@
+{
+ age.secrets.gitea-postgres-password.file = ../../secrets/gitea-postgres-password.age;
+}
diff --git a/boxes/netbox/default.nix b/boxes/netbox/default.nix
index cd2635a..1f33bb0 100644
--- a/boxes/netbox/default.nix
+++ b/boxes/netbox/default.nix
@@ -5,6 +5,7 @@
 ./hardware-configuration.nix
 ../../lib/bootstrap.nix
+ ./agenix.nix
 ./franklincce.nix
 ./gitea.nix
 ./mail.nix
diff --git a/boxes/netbox/gitea.nix b/boxes/netbox/gitea.nix
index 990526e..5292bdd 100644
--- a/boxes/netbox/gitea.nix
+++ b/boxes/netbox/gitea.nix
@@ -1,11 +1,11 @@
-{ lib, config, pkgs, ... }:
+{ config, ... }:
 {
 services.gitea = {
 enable = true;
 appName = "beepboop.systems"; # Give the site a name
 database = {
 type = "postgres";
- passwordFile = "/etc/gittea-pass";
+ passwordFile = config.age.secrets.gitea-postgres-password.path;
 };
 settings.security.INSTALL_LOCK = true;
 settings.service = {
diff --git a/flake.lock b/flake.lock
index 6459bf5..5711253 100644
--- a/flake.lock
+++ b/flake.lock
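Review bot: The new `age.secrets.gitea-postgres-password` entry in boxes/netbox/agenix.nix sets only `file`, so the decrypted path gets agenix's defaults (a root-owned file with mode 0400, if I remember the module correctly), while the gitea.nix hunk in this same commit points `services.gitea.database.passwordFile` at that path; if the gitea unit reads the password as its own unprivileged user rather than as root, the first start after deploy will fail on the read. Consider `age.secrets.gitea-postgres-password.owner = config.services.gitea.user;` (agenix.nix would then need `{ config, ... }:` at the top) so the file's ownership follows the service, or a `group`/`mode = "0440"` pair if the service runs in a shared group. The gitea.nix hunk also retires the plaintext `/etc/gittea-pass` path but nothing removes that file from the host; a short comment in agenix.nix such as `# replaces the hand-placed /etc/gittea-pass; delete it on the host once this path works` would keep the old copy from lingering after the migration. The `services.gitea` attribute set continues past the end of the gitea.nix hunk.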
@@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "blobs": { "flake": false, "locked": { @@ -16,6 +37,28 @@ "type": "gitlab" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -32,18 +75,39 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1735066050, - "narHash": "sha256-vCBl6vYGi0QB11TMqdndLa7/UzxvuJUvKazlEnMTEX4=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "17fcc7929706c2bd08db2b785edbb23a66b2f681", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -64,6 +128,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1735066050, + "narHash": "sha256-vCBl6vYGi0QB11TMqdndLa7/UzxvuJUvKazlEnMTEX4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "17fcc7929706c2bd08db2b785edbb23a66b2f681", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1717602782, "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", @@ -80,7 +160,8 @@ }, "root": { "inputs": { - "nixpkgs": "nixpkgs", + "agenix": "agenix", + "nixpkgs": "nixpkgs_2", "simple-nixos-mailserver": "simple-nixos-mailserver" } }, @@ -88,7 +169,7 @@ "inputs": { "blobs": "blobs", "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-24_05": "nixpkgs-24_05", "utils": "utils" }, @@ -122,9 +203,24 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1709126324, diff --git a/flake.nix b/flake.nix index 8353937..5778cfd 100644 --- a/flake.nix +++ b/flake.nix @@ -2,17 +2,16 @@ description = "stupidcomputer's nixos flake"; inputs = { - # regular nixos stuff nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; - simple-nixos-mailserver = { - url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; - }; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; + agenix.url = "github:ryantm/agenix"; }; outputs = { self, nixpkgs, simple-nixos-mailserver, + agenix, ... }@inputs: let mkSystem = modules: 
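Review bot: `agenix.url = "github:ryantm/agenix";` is added to `inputs` without `agenix.inputs.nixpkgs.follows = "nixpkgs";`, so the lock in this commit now pins a second nixpkgs tree (the `nixos-unstable` node, lastModified 1703013332) plus `darwin` and `home-manager` nodes that only agenix's own inputs reference, alongside the `nixos-24.05` nixpkgs the configurations actually use. That is an extra source to fetch and evaluate and a wider set of pinned third-party trees to keep track of; adding the `follows` line next to `agenix.url` collapses the duplicate nixpkgs, and the unused `darwin`/`home-manager` inputs can be detached the same way if this flake never builds for those targets. The `outputs` function continues past the end of the hunk, so I could not check whether `agenix` is used anywhere other than the `mkSystem` call.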
@@ -28,7 +27,13 @@ builtins.listToAttrs ( map (name: { inherit name; - value = mkSystem [ (./boxes/. + "/${name}") ]; + value = mkSystem [ + (./boxes/. + "/${name}") + agenix.nixosModules.default + { + environment.systemPackages = [ agenix.packages."x86_64-linux".default ]; + } + ]; }) configurations ); in { diff --git a/secrets/gitea-postgres-password.age b/secrets/gitea-postgres-password.age new file mode 100644 index 0000000..c6726dc --- /dev/null +++ b/secrets/gitea-postgres-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 q1rODg F9OCaJaxwE7VF1csZrUlgfdUojYeUMFLgPfC7m/0k1M +FkSpyrB4HIxh2LDBlyURAEWrKLh5fATv8BBegzUfelE +-> ssh-ed25519 NIIFZw ucEw/6qvf5qsJ+NSq9dmd21iXekGtaA7Mqanq7NZ/hI +O/Joh242cso5VExqBmppfaRyZMy2w/74bcxP3x6MxIs +-> ssh-ed25519 E0Y+lw lwsnjHRcAqK1jrqrKTw0nzNDO4hUayDrDxG6173yUwo +AM6Uv6tvsio/qPDqTAvAAfMQ6IHvH0yztU3vVTjYvds +--- 7HawQQ8/esbfMzcsAmPdCyhANtXwOF6O9HiGB6+qAEc ++jJ-'FԺ,ǎ4$VM(12O~?d|0㶸r_dRŀnYp6z{Y8hIv \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..8dda21d --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,8 @@ +let + machines = import ../lib/machines.nix; + server-netbox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvinRGdd9GuiPnZYBQPzraXeBxeStwakzmtfzNNpDxy"; + + all = [ server-netbox machines.copernicus.pubkey machines.aristotle.pubkey ]; +in { + "gitea-postgres-password.age".publicKeys = all; +}
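Review bot: `agenix.packages."x86_64-linux".default` hardcodes the system inside the module list that `mkSystem` builds for every entry of `configurations`, so any box that is not x86_64-linux would get an agenix CLI for the wrong architecture (or fail to evaluate). A module that takes `pkgs` can pick the matching package: `({ pkgs, ... }: { environment.systemPackages = [ agenix.packages.${pkgs.stdenv.hostPlatform.system}.default ]; })`. The `mkSystem` definition and `configurations` list are outside the hunk, so I cannot tell whether the system is already fixed to x86_64-linux there; if it is, a comment such as `# CLI only; all boxes are x86_64-linux` on the systemPackages line would record that assumption.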
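Review bot: In secrets/secrets.nix, `server-netbox` is an inline ssh-ed25519 literal while the other two recipients come from `../lib/machines.nix` (`machines.copernicus.pubkey`, `machines.aristotle.pubkey`); keeping the netbox host key in machines.nix as well would give one place to read and rotate it, and a comment naming what the key is (presumably the host's SSH host key that agenix decrypts with — confirm) would help whoever rekeys later. Since `all` is the recipient list the secret is encrypted to, any change to it requires re-encrypting `gitea-postgres-password.age` (`agenix -r`) before the host can decrypt the new file; a one-line comment above `all` saying so would prevent a silent decryption failure on the next deploy.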