diff --git a/applications/git/forgejo_runner.nix b/applications/git/forgejo_runner.nix index 29029cb..c43ecec 100644 --- a/applications/git/forgejo_runner.nix +++ b/applications/git/forgejo_runner.nix @@ -15,21 +15,23 @@ in { options.services.skynet."${name}" = { enable = mkEnableOption "Skynet ForgeJo Runner"; - runner = { - name = mkOption { - type = types.str; - default = config.networking.hostName; - }; + name = mkOption { + type = types.str; + default = config.networking.hostName; + }; - website = mkOption { - default = "https://forgejo.skynet.ie"; - type = types.str; - }; + website = mkOption { + default = "https://forgejo.skynet.ie"; + type = types.str; + }; - user = mkOption { - default = "gitea-runner"; - type = types.str; - }; + user = mkOption { + default = "gitea-runner"; + type = types.str; + }; + + secret = mkOption { + type = types.path; }; }; @@ -40,23 +42,23 @@ in { ]; age.secrets.forgejo_runner_token = { - file = ../../secrets/forgejo/runners/token.age; - owner = cfg.runner.user; - group = cfg.runner.user; + file = cfg.secret; + owner = cfg.user; + group = cfg.user; }; # make sure the ssh config stuff is in teh right palce systemd.tmpfiles.rules = [ - #"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}" - "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}" + #"d /home/${cfg.user} 0755 ${cfg.user} ${cfg.user}" + "L+ /home/${cfg.user}/.ssh/config 0755 ${cfg.user} ${cfg.user} - ${./ssh_config}" ]; age.secrets.forgejo_runner_ssh = { file = ../../secrets/forgejo/runners/ssh.age; mode = "600"; - owner = "${cfg.runner.user}"; - group = "${cfg.runner.user}"; + owner = "${cfg.user}"; + group = "${cfg.user}"; symlink = false; - path = "/home/${cfg.runner.user}/.ssh/skynet/root"; + path = "/home/${cfg.user}/.ssh/skynet/root"; }; nix = { 
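Review bot: The new `secret` option in the `@@ -15` hunk has no `description`, so the only documentation of what the path must contain and who has to be able to decrypt it is the agenix wiring further down the file. It also has no default, so a host that enables the module without setting it presumably fails evaluation on an undefined option; that is a sensible contract, but it should be stated where the option is declared. A one-liner such as `description = "age-encrypted file holding this host's Forgejo runner registration token; the host key must be a recipient in secrets/secrets.nix";` would cover it, and the flattened `name`, `website` and `user` options could get descriptions in the same move.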
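Review bot: In the `@@ -40` hunk the commented-out `#"d /home/${cfg.user} 0755 ${cfg.user} ${cfg.user}"` tmpfiles rule was rewritten to the new option name instead of being dropped, so dead configuration is now being maintained alongside the live `L+` rule. The user definition later in this file sets `createHome = true`, which looks like it makes the directory rule redundant; if so, delete the commented line. If it is kept on purpose, a short comment saying why it is disabled would stop the next rename from touching it again.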
@@ -94,14 +96,14 @@ in {
 # give teh runner user a home to store teh ssh config stuff
 systemd.services.gitea-runner-default.serviceConfig = {
 DynamicUser = lib.mkForce false;
- User = lib.mkForce cfg.runner.user;
+ User = lib.mkForce cfg.user;
 };
 users = {
- groups."${cfg.runner.user}" = {};
- users."${cfg.runner.user}" = {
+ groups."${cfg.user}" = {};
+ users."${cfg.user}" = {
 #isSystemUser = true;
 isNormalUser = true;
- group = cfg.runner.user;
+ group = cfg.user;
 createHome = true;
 shell = pkgs.bash;
 };
@@ -118,8 +120,8 @@ in {
 package = pkgs.forgejo-actions-runner;
 instances.default = {
 enable = true;
- name = cfg.runner.name;
- url = cfg.runner.website;
+ name = cfg.name;
+ url = cfg.website;
 tokenFile = config.age.secrets.forgejo_runner_token.path;
 labels = [
 ## optionally provide native execution on the host:
diff --git a/machines/glados.nix b/machines/glados.nix
index 842da0c..5e499d8 100644
--- a/machines/glados.nix
+++ b/machines/glados.nix
@@ -28,6 +28,7 @@ in {
 imports = [
 ../applications/git/gitlab.nix
 ../applications/git/forgejo.nix
+ ../applications/git/forgejo_runner.nix
 ];
 
 deployment = {
@@ -43,5 +44,9 @@ in {
 backup.enable = true;
 gitlab.enable = true;
 forgejo.enable = true;
+ forgejo_runner = {
+ enable = true;
+ secret = ../secrets/forgejo/runners/token2.age;
+ };
 };
 }
diff --git a/machines/wheatly.nix b/machines/wheatly.nix
index f38000b..cb9cdb6 100644
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@@ -39,6 +39,9 @@ in {
 services.skynet = {
 host = host;
 backup.enable = true;
- forgejo_runner.enable = true;
+ forgejo_runner = {
+ enable = true;
+ secret = ../secrets/forgejo/runners/token1.age;
+ };
 };
 }
diff --git a/secrets/forgejo/runners/ssh.age b/secrets/forgejo/runners/ssh.age
index 7a716d1..ffda5eb 100644
Binary files a/secrets/forgejo/runners/ssh.age and b/secrets/forgejo/runners/ssh.age differ
diff --git a/secrets/forgejo/runners/token.age b/secrets/forgejo/runners/token.age
deleted file mode 100644
index 2bdb872..0000000
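Review bot: In the `@@ -43` hunk of machines/glados.nix the runner token is chosen by the bare file name `token2.age`, while the wheatly.nix hunk picks `token1.age`; nothing in either name ties a token to a host, so the mapping can only be recovered by reading both machine files together with secrets/secrets.nix. Naming the files after the host, e.g. `secret = ../secrets/forgejo/runners/glados.age;`, would make per-host ownership obvious and make an accidental swap visible in review. The same point applies to the wheatly.nix hunk.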
--- a/secrets/forgejo/runners/token.age
+++ /dev/null
@@ -1,19 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 V1pwNA kZ6MC1GXuminn2Hlomkep1wIv1lp6KpJOJcpXkhQWWM
-K1B58FSyb4QpINlhuvVv4dGFNjTChU1KNoezZcS/a6Y
--> ssh-ed25519 4PzZog pbxwzRvcsOgY9hd48BZEOH6VHFLn93gJ8yDHQyNIiSI
-Fa/Z6si9vyox/pmPvWTndyYCQxo7tcvdlRuTgw6IY9g
--> ssh-ed25519 dA0vRg OW2y/LkN/287NVuRRlSpihR+k/MZ+a0R5cIrHFne6RI
-U0ZqipfDlpz9LeXKNWkl7tYCnsBjSQz8q4mETBVEalI
--> ssh-ed25519 5Nd93w jDy3i1Z1NWYqdVdw4h+maaBjokVWNrSfHtSQotb2bWg
-PtgX9L78wpJHiX4lmP+H0bfRZd/tNfHrUEAShJ38ss8
--> ssh-ed25519 q8eJgg BCaUEZ3H3BglgKPAbl/ITQaEv9Jc2rRAoFuPXhy4WFI
-DMqJu0vjDJ8rIXLSL17Dx4Aoq8Uhdo4jU8g1jTSvMK4
--> ssh-ed25519 KVr8rw dKk0SN9SXTQsPwMFiKKMuoRwzTHJB8kr33nadRzBoDc
-m2xPKYFMC/y5fKkgaBc+5TVg9ZH+zVSM9I4I3htSm7I
--> ssh-ed25519 fia1eQ NGl1o/38iTm6QiQB7pl0NBkohMZGLMeaXZ37TV184B4
-zk/DTLhuGfhDU3gNA7S0BjGOowteEhR9v5oNmOkWTGU
--> ssh-ed25519 CqOTGQ JbZYKqGfWeVu/JEAAeC6wE4QvKLEeidvggQnm6beJxA
-ArogOkTDAnvC1SKPkSGapNix2W6yvku1QFOFs9bvuGA
---- yWZoUAOfSIL4FbWSAvhVkOEbUA1u3XPGKB1gNka/xfo
-zlȑ LC$?Hc|۹.-j l}9:KӮU^IO6
\ No newline at end of file
diff --git a/secrets/forgejo/runners/token1.age b/secrets/forgejo/runners/token1.age
new file mode 100644
index 0000000..50ad61e
Binary files /dev/null and b/secrets/forgejo/runners/token1.age differ
diff --git a/secrets/forgejo/runners/token2.age b/secrets/forgejo/runners/token2.age
new file mode 100644
index 0000000..3c1c894
--- /dev/null
+++ b/secrets/forgejo/runners/token2.age
@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA DmSENr+7db9t/epcMdOAjr2qt4rSHWopkuS3/xyz+xY
+ClfO4iYTReIp6jvUBqQutkXx4XRJ++u8EsspNdDZ8kw
+-> ssh-ed25519 4PzZog QzQ5iPiSSruoDS+PDNI+/6PnIYEnnFTvnrxK4W2ZK3Y
+iTETtsauc6clML06hoMr7kinsOirURTECfB/PzJaFT4
+-> ssh-ed25519 dA0vRg UCPTgYh2/8JTajlTIgvk64eKNNMHe4ZxIDILxIGAL18
+Qj0ZS/iNwusCONf9Rh05ftd4cHSmWz7bLZ8HHtQewMo
+-> ssh-ed25519 5Nd93w D/87p469o+CW9TOqQb4C+3a9+xRvZ4bzk7vr0wXhdRk
+E/uvMfpOPvWosWS4s18f+xmexQcpJ0NED1N35pL5IjI
+-> ssh-ed25519 q8eJgg pSW+R1LjAdCTL/ys1X93jSSC+ga1phB8iYqAJ1Ic0yw
+IFl+195woVbHjz23w3mxBPkjtbfke3C+jYacWWKOpio
+-> ssh-ed25519 KVr8rw KfPs+1IA7M7dYqkUW9vty+xl/8loMZDgVFee/ZR+F0M
+mTK9yjQR18aKfw/xEdfsnGXPKxqDi1bKPj2mLtB2Xg4
+-> ssh-ed25519 fia1eQ M7nASBk9cGmZmMHf115JAazAEx3tS+sIVB49KlXltWc
+YJ48iqVSJQooltbXvw+olKC4ZZt9a92TR2uQ0xROAPY
+-> ssh-ed25519 CqOTGQ CeIqatgAbFS8oNy3fOOJdIkLM0X9AwV2zbpQHcOcICM
+qAHOkFsbM5fTxcpLFz9Iz16MVBA1oVqlxUADrLxDRrA
+-> ssh-ed25519 uZzB3g eA/GpdA5UKoleGcq9BHwj59Hz86YX7oF3LoG6zZ1ogE
+sIs5D3s72gVGglG37S0eDLUTEzuy2U9Nbi03aOJ3W4c
+--- rkCxZNLeKI9HMNZnwiFRaL1AsIUYtXYJT/YyJ1UMRqc
+!Vp-p|_to Ukt`@ xzWں GF=]iY;YOi}J/,
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ca7480f..cad986a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -77,6 +77,7 @@ let
 
 gitlab_runners = [
 wheatly
+ glados
 ];
 
 grafana = [
@@ -117,7 +118,8 @@ in {
 "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
 "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
 
- "forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
+ "forgejo/runners/token1.age".publicKeys = users ++ gitlab_runners;
+ "forgejo/runners/token2.age".publicKeys = users ++ gitlab_runners;
 "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
 
 # for ldap
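Review bot: In the `@@ -117` hunk both `forgejo/runners/token1.age` and `token2.age` are encrypted to `users ++ gitlab_runners`, and the `@@ -77` hunk adds glados to that list, so each runner host can decrypt the other host's registration token even though the machine files assign exactly one token per host. Splitting the recipients by host, `"forgejo/runners/token1.age".publicKeys = users ++ [ wheatly ];` and `"forgejo/runners/token2.age".publicKeys = users ++ [ glados ];`, keeps a compromised runner limited to its own token. Adding glados to `gitlab_runners` also extends its access to `gitlab/runners/runner01.age` and `runner02.age` (context lines of the same hunk); if glados does not run a GitLab runner, a separate `forgejo_runners` list would avoid that widening.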
@@ -130,7 +132,7 @@ in {
 "backup/restic_pw.age".publicKeys = users ++ restic;
 
 # discord bot and discord
- "discord/token.age".publicKeys = users ++ discord;
+ "discord/token1.age".publicKeys = users ++ discord;
 
 # email stuff
 "email/details.age".publicKeys = users ++ ldap ++ discord;
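Review bot: The `@@ -130` hunk renames the secrets.nix entry from `discord/token.age` to `discord/token1.age`, but no matching file rename, new file, or change to a consumer of the Discord token appears anywhere in this diff. If the file was not renamed outside this commit, the entry now points at a path that does not exist and the existing `discord/token.age` is left without a recipient list for rekeying. Either restore the original entry or include the rename together with the module that references the token path in the same commit.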