cluster/services/forge: use cluster secrets

This commit is contained in:
Max Headroom 2024-07-08 16:08:39 +02:00
parent 04031ef198
commit 0c4e603e86
6 changed files with 15 additions and 26 deletions


@ -8,6 +8,15 @@
name = "forge";
link.protocol = "http";
};
secrets = with config.services.forge.nodes; {
oidcSecret = {
nodes = server;
owner = "forgejo";
};
dbCredentials.nodes = server;
s3AccessKeyID.nodes = server;
s3SecretAccessKey.nodes = server;
};
};
ways.forge.target = let
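Review bot: Only `oidcSecret` carries `owner = "forgejo"` in the new `secrets` block; `dbCredentials`, `s3AccessKeyID` and `s3SecretAccessKey` declare just `nodes = server`, whereas the `age.secrets` entries this commit removes from the second file set `owner = "forgejo"` on all four files. Unless the cluster secrets module defaults the owner to an account the forgejo service runs as, the consumers in the second file (`passwordFile = secrets.dbCredentials.path;` and the two `MINIO_*` lines) will point at files the service may not be able to read. If narrower ownership is deliberately limited to the OIDC secret, that intent should be written down; otherwise I'd add the owner to the three remaining entries, e.g. `dbCredentials = { nodes = server; owner = "forgejo"; };`. The enclosing attribute set starts before this hunk, so I cannot see whether a default owner is set higher up.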


@ -2,8 +2,7 @@
let
inherit (depot.lib.meta) domain;
inherit (depot.lib.nginx) vhosts;
inherit (config.age) secrets;
inherit (cluster.config.services.forge) secrets;
patroni = cluster.config.links.patroni-pg-access;
@ -24,25 +23,6 @@ in
];
};
age.secrets = {
forgejoOidcSecret = {
file = ./credentials/forgejo-oidc-secret.age;
owner = "forgejo";
};
forgejoDbCredentials = {
file = ./credentials/forgejo-db-credentials.age;
owner = "forgejo";
};
forgejoS3AccessKeyID = {
file = ./credentials/forgejo-s3-access-key-id.age;
owner = "forgejo";
};
forgejoS3SecretAccessKey = {
file = ./credentials/forgejo-s3-secret-access-key.age;
owner = "forgejo";
};
};
services.forgejo = {
enable = true;
package = depot.packages.forgejo;
@ -54,7 +34,7 @@ in
inherit (patroni) port;
name = "forge";
user = "forge";
passwordFile = secrets.forgejoDbCredentials.path;
passwordFile = secrets.dbCredentials.path;
};
settings = {
DEFAULT = {
@ -93,8 +73,8 @@ in
};
secrets = {
storage = {
MINIO_ACCESS_KEY_ID = secrets.forgejoS3AccessKeyID.path;
MINIO_SECRET_ACCESS_KEY = secrets.forgejoS3SecretAccessKey.path;
MINIO_ACCESS_KEY_ID = secrets.s3AccessKeyID.path;
MINIO_SECRET_ACCESS_KEY = secrets.s3SecretAccessKey.path;
};
};
};
@ -112,9 +92,9 @@ in
in lib.mkAfter /*bash*/ ''
providerId="$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)"
if [[ -z "$providerId" ]]; then
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth add-oauth ${args}
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.oidcSecret.path})" ${exe} admin auth add-oauth ${args}
else
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.forgejoOidcSecret.path})" ${exe} admin auth update-oauth --id "$providerId" ${args}
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${secrets.oidcSecret.path})" ${exe} admin auth update-oauth --id "$providerId" ${args}
fi
'';
}
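Review bot: After `inherit (cluster.config.services.forge) secrets;` replaces the `config.age` binding, nothing in this file records that `secrets.<name>.path` now resolves to cluster-managed secret files whose node placement and ownership are declared in the forge service definition rather than next to the consumers. A comment on that line such as `# secret files (placement, ownership) are declared in the cluster service definition: services.forge.secrets` would save the next reader from looking for the removed `age.secrets` block. The same dependency applies to the `passwordFile`, `MINIO_*` and `FORGEJO_ADMIN_OAUTH2_SECRET` hunks below, which I have not commented on separately. The `let` binding and the module body begin outside the first hunk.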