From 3a74d0b6478979aec237a6bf53601bc706602620 Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 10 Jul 2024 23:18:52 +0200 Subject: [PATCH] cluster/services/forge: switch to locksmith secrets --- cluster/secrets/forge-s3AccessKeyID.age | 9 --------- cluster/secrets/forge-s3SecretAccessKey.age | Bin 497 -> 0 bytes cluster/services/forge/default.nix | 4 +--- cluster/services/forge/server.nix | 9 +++++++-- 4 files changed, 8 insertions(+), 14 deletions(-) delete mode 100644 cluster/secrets/forge-s3AccessKeyID.age delete mode 100644 cluster/secrets/forge-s3SecretAccessKey.age diff --git a/cluster/secrets/forge-s3AccessKeyID.age b/cluster/secrets/forge-s3AccessKeyID.age deleted file mode 100644 index 1d3cdce..0000000 --- a/cluster/secrets/forge-s3AccessKeyID.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 NO562A 5NtIVE60zj6mR2+/2N0eS6lWTkddt3rsDWHZpNefLAo -5b8sLEf76HReLUuBcTVjTOnzjrVdwcxnG0TraO+eHww --> ssh-ed25519 5/zT0w RbikYmV32iG1QgMDiObNPV+GZOW35K6hbx2n2eLCvno -bXVeCmC2UpnTx8Udpx657mMGqRvYO7Gn53YwtW6NJEk --> ssh-ed25519 d3WGuA 4+sPg6CCmOxlJUls3qZpWvN+f2V4SHRXhrBxKQPQyho -z2TCvvpOZ8Nh4IQ0oPKD1yj0dP3rnLMzuvRpZxE2SSU ---- aj9laXQ3ccpGvhDpYIrpPzxfC4G6A5LdCkaWFSgUXUY -0žÜ¾K ÿWðúÉ=þ,nÃÑðŽ—½O{9Z±HÇN\—ûwšᇎ#›•Ù´gYÊD¬PåJÿÀ \ No newline at end of file 
diff --git a/cluster/secrets/forge-s3SecretAccessKey.age b/cluster/secrets/forge-s3SecretAccessKey.age deleted file mode 100644 index 5637d4d41c350bcbc9a3436a0fe728f282f46211..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 497 zcmZ9_t8>$E003YFf(v4jafirZ5WOs~C20kNw8_#g{UuG8HYLpD-R9La51IsrL%?xh zikLuccW~Tr=ot>NNyJdVRqc*Duo(Qlf8aAb2XSI6t&)5;kGJNjhd#j}WCzZ&DdN}! zMd2-2k|~;CVU@+*teG>mv*650M>9pL8+1`Sl!x3z+g>mx(@gZ7u<$t~f)IqYD0+3P zJtRezwIz4IJ$4eX9CXWROVkU!SoF&%^{#FdTC3O+4x?5&#x#T0YaQKNFmx=%1Ybp? zU9yLz%gQxb(yxS~)D)-~QFKF<{T^>;R%M0_AaYr=Gm!yfT6y_M8h45gt)dNQ`|4(s znozKCYY5!ZpO?H+0wZk_Gfs<2ydTqwE;vC(2(w;TrTn7uEoeZfqr%EvE|R_OlvO=h zp0ovq<2y4AlXB1XW514S3{QIyf*`O2Qa}`5qKczB@(rO7888;qJu(QFwiVT*B#0H+ z-XEd?bhi2Z_xj}P7IC(I);&03FQw}j{+G|U(2qygjDvgb&sXnH@BjJmWAOU##=q14 z>eKqgOKp|D5vXJ3>E*W_?FJ5htqvc*yLluZZ`?V*`yhWC4R_BU9uDx^&->WLfBt>3 AHvj+t diff --git a/cluster/services/forge/default.nix b/cluster/services/forge/default.nix index 8f28ed4..4b591c9 100644 --- a/cluster/services/forge/default.nix +++ b/cluster/services/forge/default.nix @@ -14,8 +14,6 @@ owner = "forgejo"; }; dbCredentials.nodes = server; - s3AccessKeyID.nodes = server; - s3SecretAccessKey.nodes = server; }; }; @@ -24,7 +22,7 @@ in config.hostLinks.${host}.forge.url; garage = { - keys.forgejo = { }; + keys.forgejo.locksmith.nodes = config.services.forge.nodes.server; buckets.forgejo.allow.forgejo = [ "read" "write" ]; }; } diff --git a/cluster/services/forge/server.nix b/cluster/services/forge/server.nix index 3375f94..4e93211 100644 --- a/cluster/services/forge/server.nix +++ b/cluster/services/forge/server.nix @@ -23,6 +23,11 @@ in ]; }; + services.locksmith.waitForSecrets.forgejo = [ + "garage-forgejo-id" + "garage-forgejo-secret" + ]; + services.forgejo = { enable = true; package = depot.packages.forgejo; 
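Review bot: Moving `keys.forgejo` to `locksmith.nodes` in cluster/services/forge/default.nix does not show the previously committed S3 credential being retired. The two `.age` files this commit deletes stay in git history and remain decryptable by their recipients, so if Garage still accepts that access key, it stays valid alongside the locksmith-delivered one. Confirm that the old key is revoked as part of the rollout. A comment above the line would record the intent, for example `# S3 key is delivered through locksmith to the forge server nodes only; the former age-encrypted key must be revoked in Garage`. The attribute set that contains `garage` starts outside the hunk.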
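Review bot: The secret names `garage-forgejo-id` and `garage-forgejo-secret` are spelled out here in `services.locksmith.waitForSecrets.forgejo` and again inside the `/run/locksmith/...` strings in the second hunk of server.nix (`MINIO_ACCESS_KEY_ID`, `MINIO_SECRET_ACCESS_KEY`). The two lists can therefore drift apart without any evaluation error, and the service would presumably then wait on one file while reading another. Binding the names once keeps them in step, e.g. `s3Secrets = [ "garage-forgejo-id" "garage-forgejo-secret" ];` in the `let` block that presumably precedes the `in` shown in the hunk header, followed by `services.locksmith.waitForSecrets.forgejo = s3Secrets;`. The enclosing attribute set starts and ends outside the hunk.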
@@ -73,8 +78,8 @@ in
 };
 secrets = {
 storage = {
- MINIO_ACCESS_KEY_ID = secrets.s3AccessKeyID.path;
- MINIO_SECRET_ACCESS_KEY = secrets.s3SecretAccessKey.path;
+ MINIO_ACCESS_KEY_ID = "/run/locksmith/garage-forgejo-id";
+ MINIO_SECRET_ACCESS_KEY = "/run/locksmith/garage-forgejo-secret";
 };
 };
 };
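Review bot: `MINIO_ACCESS_KEY_ID` and `MINIO_SECRET_ACCESS_KEY` now point at literal paths under `/run/locksmith`, so nothing in this diff states the owner or mode of the files forgejo will read. The removed `secrets.s3AccessKeyID.path` and `secrets.s3SecretAccessKey.path` came from the secret declarations in default.nix, where a neighbouring entry sets `owner = "forgejo"`. Please confirm that locksmith writes both files so that the forgejo service user can read them and other local users cannot. Recording this next to the paths would help, for example `# written by locksmith; must be readable by the forgejo user only`. The `secrets` block is complete in the hunk, but the surrounding service definition starts outside it.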