homepage: remove ssh-homepage-key

This commit is contained in:
DavHau 2023-07-19 19:48:40 +02:00
parent fe0c442a7c
commit ae28874208
3 changed files with 4 additions and 22 deletions


@ -1,8 +1,6 @@
{ config, self, pkgs, lib, ... }:
{
sops.secrets.ssh-homepage-key.owner = config.users.users.gitea.name;
systemd.services.gitea-runner-nix-token = {
wantedBy = [ "multi-user.target" ];
after = [ "gitea.service" ];
@ -14,13 +12,9 @@
set -euo pipefail
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
mkdir -p /var/lib/gitea-actions-runner/secrets
cp ${config.sops.secrets.ssh-homepage-key.path} /var/lib/gitea-actions-runner/secrets/ssh-homepage-key
chmod 600 -R /var/lib/gitea-actions-runner/secrets/ssh-homepage-key
'';
unitConfig.ConditionPathExists = [
"|!/var/lib/gitea-actions-runner/token"
"|!/var/lib/gitea-actions-runner/secrets/ssh-homepage-key"
"!/var/lib/gitea-actions-runner/token"
];
serviceConfig = {
User = "gitea";
@ -38,12 +32,6 @@
# TODO: systemd confinment
serviceConfig = {
# User is set to gitea-runner in upstream nixos module
# This user only gets created on service startup. We cannot chown the file
# any time earlier
ExecStartPre = [
"+${pkgs.coreutils}/bin/chown -R ${config.systemd.services.gitea-runner-nix.serviceConfig.User} /var/lib/gitea-actions-runner/secrets"
];
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing output of systemd-analyze
AmbientCapabilities = "";
@ -113,9 +101,6 @@
# "/run/nscd/socket"
# "/var/lib/drone"
# ];
BindPaths = [
"/var/lib/gitea-actions-runner/secrets"
];
};
};
@ -151,8 +136,6 @@
# unset the token so it doesn't leak into the runner
TOKEN = "";
PAGER = "cat";
SSH_HOMEPAGE_KEY =
"/var/lib/gitea-actions-runner/secrets/ssh-homepage-key";
};
};
};
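Review bot: On hosts that already ran the old unit, `/var/lib/gitea-actions-runner/secrets/ssh-homepage-key` stays on disk: the new side drops the `mkdir`/`cp`/`chmod` lines in the token service, the `BindPaths` entry and the chown in `ExecStartPre`, but nothing removes the directory that earlier deployments created. Since the public half is rotated in this commit's authorized_keys change, the leftover file is inert for `www`, but it is still retired private-key material left at rest under the runner's state directory. A cleanup rule such as `systemd.tmpfiles.rules = [ "R /var/lib/gitea-actions-runner/secrets - - - - -" ];` next to the service definition would remove it on the next activation; the enclosing module attribute set starts and ends outside these hunks.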


@ -6,7 +6,7 @@
users.users.www = {
openssh.authorizedKeys.keys = [
# ssh-homepage-key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcQi7FThpE2dFcb08d7DSQzhit8e/0W9OUZXasH0JJA ssh-homepage-key"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
];
isNormalUser = true;
};
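Review bot: The `# ssh-homepage-key` comment above the replacement key no longer tells a reader where the private half lives now that the sops secret and the runner copy are gone. Suggest `# ssh-homepage-key (public half; private key now provisioned via <location>)` with the actual location filled in. It is also worth confirming that the removed public key is not still authorized for `www` or any other account elsewhere, since the rotation only takes effect once the old key is listed nowhere.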


@ -10,7 +10,6 @@ harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKS
matrix-server-key: ENC[AES256_GCM,data:0148ezOFk8jX5KPQPCG0jQK9ajSfe/iOdUqlvys5/M8DrIwPXH9GzrkknwH+l8kF9ViTRDC/q5md8J2bj3/FBR/RW4rwjDrYx9cBEFm8wjHrywUlwON8kNKtj9ycJmXgtRyCrVGv7sBmODy0ZC5ZfWbhIQh6xWBkX2/rsSh4zwi/1PoHLpOO3u4=,iv:IwHPDi1E3R9LAY/seGpvx1U+N8mB9NMrUjLg4KMA1UA=,tag:pwRJ/CqkFN2eedrnMAaj2w==,type:str]
registration-secret: ENC[AES256_GCM,data:EvPearZAxxb2irZFYgvy/tFA72h+IABuzwCbvy94IYR0eoHjuYw6GBde8CNUWG4SUiwyXJr4v438o/YThDhehsZ/cZFjg2o=,iv:ogN4/Iia5Zl95a3HP1KZoy86K8LyBFYw50cZUpkDNQo=,tag:5wU2OrNi7b5gWPfFZcGLjg==,type:str]
gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
ssh-homepage-key: ENC[AES256_GCM,data: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,iv:oHTmugUvMYLirTfNfAHz854feTIpkLUKC3OvE6CWhOY=,tag:94NSVbi0L19KMI+2l4QnIA==,type:str]
sops:
kms: []
gcp_kms: []
@ -53,8 +52,8 @@ sops:
TGk4dUlwcE9XWWIzZE1nQXdXcWY0V0kKJi5yXdrsEOP4Z8K6k/sPA7yadNPKQtzo
Iyt//Y+Y7n55KwuO8Doogu42SiVTUhHDICM9lezQmcugFqCoh3Lk4A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-19T12:39:56Z"
mac: ENC[AES256_GCM,data:baVe7FXbyJ7qAiTFtSB6YO/cNZTaHskRiut7XjmvqIltLGvMAkmOKYYzjPgSZ+RHz2az/MAF+05npP0Poy/jgR3qQ8s+Z3ml6u+Ze53bZFBofnNf8oxKp5uZ7RjDnPKwh3Uz3x4hTW2QbC2s1ik+LdxMpwuU641y0N32UkODU44=,iv:oYtjQUjL7pkxE7gpdDv9SGpJAl1UellVXztvKG5mH+U=,tag:U7bL1zr2y74LSDXQzmqRtw==,type:str]
lastmodified: "2023-07-19T17:46:20Z"
mac: ENC[AES256_GCM,data:TP13I8Ssg+OwgMrRb1SKzxD6RJRipr/rkZwjY3TMVmJDp0GDipXzWFXZmiIpe2t76BxeRLTfgc9fmEflxhlcV+SVxLYZzXax6OT6rniDkAshlIdYR0H0LsgE9gfAYHGnvQW6dM1S8z+NFifvBeJM76FugM9IXjcVSYq7iaDY5fU=,iv:CktTCdtfpOfprMuOVfmfCO/2MAlV46DHEHSM8C0gfpA=,tag:V2EjkVXoRgtX81KbLXZCcA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3