test managing gitea credential with agenix

2024-12-26 23:07:30 -06:00 · 2024-12-26 23:07:30 -06:00 · bcda626017
commit bcda626017
parent 78e26c8dd0
7 changed files with 141 additions and 14 deletions
--- a/boxes/netbox/agenix.nix
+++ b/boxes/netbox/agenix.nix
@ -0,0 +1,8 @@
+{
+  age.secrets.gitea-postgres-password = {
+    file = ../../secrets/gitea-postgres-password.age;
+    mode = "0700";
+    owner = "gitea";
+    group = "gitea";
+  };
+}
--- a/boxes/netbox/default.nix
+++ b/boxes/netbox/default.nix
@ -5,6 +5,7 @@
    ./hardware-configuration.nix
    ../../lib/bootstrap.nix

+    ./agenix.nix
    ./franklincce.nix
    ./gitea.nix
    ./mail.nix
--- a/boxes/netbox/gitea.nix
+++ b/boxes/netbox/gitea.nix
@ -1,11 +1,11 @@
-{ lib, config, pkgs, ... }:
+{ config, ... }:
 {
  services.gitea = {
    enable = true;
    appName = "beepboop.systems"; # Give the site a name
    database = {
      type = "postgres";
-      passwordFile = "/etc/gittea-pass"; 
+      passwordFile = config.age.secrets.gitea-postgres-password.path;
    };
    settings.security.INSTALL_LOCK = true;
    settings.service = {
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,26 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "blobs": {
      "flake": false,
      "locked": {
@ -16,6 +37,28 @@
        "type": "gitlab"
      }
    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -32,18 +75,39 @@
        "type": "github"
      }
    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1735066050,
-        "narHash": "sha256-vCBl6vYGi0QB11TMqdndLa7/UzxvuJUvKazlEnMTEX4=",
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "17fcc7929706c2bd08db2b785edbb23a66b2f681",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -64,6 +128,22 @@
      }
    },
    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1735066050,
+        "narHash": "sha256-vCBl6vYGi0QB11TMqdndLa7/UzxvuJUvKazlEnMTEX4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "17fcc7929706c2bd08db2b785edbb23a66b2f681",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1717602782,
        "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
@ -80,7 +160,8 @@
    },
    "root": {
      "inputs": {
-        "nixpkgs": "nixpkgs",
+        "agenix": "agenix",
+        "nixpkgs": "nixpkgs_2",
        "simple-nixos-mailserver": "simple-nixos-mailserver"
      }
    },
@ -88,7 +169,7 @@
      "inputs": {
        "blobs": "blobs",
        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
        "nixpkgs-24_05": "nixpkgs-24_05",
        "utils": "utils"
      },
@ -122,9 +203,24 @@
        "type": "github"
      }
    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1709126324,
--- a/flake.nix
+++ b/flake.nix
@ -2,17 +2,16 @@
  description = "stupidcomputer's nixos flake";

  inputs = {
-    # regular nixos stuff
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
-    simple-nixos-mailserver = {
-      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
-    };
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
+    agenix.url = "github:ryantm/agenix";
  };

  outputs = {
      self,
      nixpkgs,
      simple-nixos-mailserver,
+      agenix,
      ...
    }@inputs: let
      mkSystem = modules:
@ -28,7 +27,13 @@
        builtins.listToAttrs (
          map (name: {
            inherit name;
-            value = mkSystem [ (./boxes/. + "/${name}") ];
+            value = mkSystem [
+              (./boxes/. + "/${name}")
+              agenix.nixosModules.default
+              {
+                environment.systemPackages = [ agenix.packages."x86_64-linux".default ];
+              }
+            ];
          }) configurations
        );
    in {
--- a/secrets/gitea-postgres-password.age
+++ b/secrets/gitea-postgres-password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 q1rODg F9OCaJaxwE7VF1csZrUlgfdUojYeUMFLgPfC7m/0k1M
+FkSpyrB4HIxh2LDBlyURAEWrKLh5fATv8BBegzUfelE
+-> ssh-ed25519 NIIFZw ucEw/6qvf5qsJ+NSq9dmd21iXekGtaA7Mqanq7NZ/hI
+O/Joh242cso5VExqBmppfaRyZMy2w/74bcxP3x6MxIs
+-> ssh-ed25519 E0Y+lw lwsnjHRcAqK1jrqrKTw0nzNDO4hUayDrDxG6173yUwo
+AM6Uv6tvsio/qPDqTAvAAfMQ6IHvH0yztU3vVTjYvds
+--- 7HawQQ8/esbfMzcsAmPdCyhANtXwOF6O9HiGB6+qAEc
+¶jJ-'Ûÿ¿»½ÚFÔºÉ,àçÇŽØ4öëƒø<C692>$½VMÖÖ(ö°12OÄ~”? ù±<C3B9>²”dÁò|©0¹žü£ã¶¸r_<72>ÖdR‡…Å€nYîõp6ÊzÒ{Y8ä£h¶¬Iê×vÐéª
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,8 @@
+let
+  machines = import ../lib/machines.nix;
+  server-netbox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvinRGdd9GuiPnZYBQPzraXeBxeStwakzmtfzNNpDxy";
+
+  all = [ server-netbox machines.copernicus.pubkey machines.aristotle.pubkey ];
+in {
+  "gitea-postgres-password.age".publicKeys = all;
+}