cluster/services/forge: switch to locksmith secrets

2024-07-10 23:18:52 +02:00 · 2024-07-10 23:18:52 +02:00 · 72e19de53a
commit 72e19de53a
parent 55741bc8f6
4 changed files with 8 additions and 14 deletions
--- a/cluster/secrets/forge-s3AccessKeyID.age
+++ b/cluster/secrets/forge-s3AccessKeyID.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 NO562A 5NtIVE60zj6mR2+/2N0eS6lWTkddt3rsDWHZpNefLAo
-5b8sLEf76HReLUuBcTVjTOnzjrVdwcxnG0TraO+eHww
-> ssh-ed25519 5/zT0w RbikYmV32iG1QgMDiObNPV+GZOW35K6hbx2n2eLCvno
-bXVeCmC2UpnTx8Udpx657mMGqRvYO7Gn53YwtW6NJEk
-> ssh-ed25519 d3WGuA 4+sPg6CCmOxlJUls3qZpWvN+f2V4SHRXhrBxKQPQyho
-z2TCvvpOZ8Nh4IQ0oPKD1yj0dP3rnLMzuvRpZxE2SSU
--- aj9laXQ3ccpGvhDpYIrpPzxfC4G6A5LdCkaWFSgUXUY
-0žÜ¾KÿWðúÉ=þ,nÃÑðŽ—½O{9Z±HÇN\—ûwšá‡Ž#›•Ù´gYÊD¬PåJÿÀ
--- a/cluster/secrets/forge-s3SecretAccessKey.age
+++ b/cluster/secrets/forge-s3SecretAccessKey.age
--- a/cluster/services/forge/default.nix
+++ b/cluster/services/forge/default.nix
@ -14,8 +14,6 @@
        owner = "forgejo";
      };
      dbCredentials.nodes = server;
-      s3AccessKeyID.nodes = server;
-      s3SecretAccessKey.nodes = server;
    };
  };

@ -24,7 +22,7 @@
  in config.hostLinks.${host}.forge.url;

  garage = {
-    keys.forgejo = { };
+    keys.forgejo.locksmith.nodes = config.services.forge.nodes.server;
    buckets.forgejo.allow.forgejo = [ "read" "write" ];
  };
 }
--- a/cluster/services/forge/server.nix
+++ b/cluster/services/forge/server.nix
@ -23,6 +23,11 @@ in
    ];
  };

+  services.locksmith.waitForSecrets.forgejo = [
+    "garage-forgejo-id"
+    "garage-forgejo-secret"
+  ];
+
  services.forgejo = {
    enable = true;
    package = depot.packages.forgejo;
@ -73,8 +78,8 @@ in
    };
    secrets = {
      storage = {
-        MINIO_ACCESS_KEY_ID = secrets.s3AccessKeyID.path;
-        MINIO_SECRET_ACCESS_KEY = secrets.s3SecretAccessKey.path;
+        MINIO_ACCESS_KEY_ID = "/run/locksmith/garage-forgejo-id";
+        MINIO_SECRET_ACCESS_KEY = "/run/locksmith/garage-forgejo-secret";
      };
    };
  };