homepage: allow deployment via gitea actions runner #15
12
flake.lock
12
flake.lock
|
@ -82,16 +82,16 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1689247091,
|
||||
"narHash": "sha256-sg6yVZGU4yQ8vx/u/jeR7etUIQZhcc4Ss6PHNHAFZjU=",
|
||||
"owner": "Mic92",
|
||||
"lastModified": 1689638193,
|
||||
"narHash": "sha256-7SCl/TEswRCtVSFD9p2SXKH4iWbXDmly2O1oYsxidDc=",
|
||||
"owner": "DavHau",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "dc54601ce60a6e7b427d124550d43067ee605b53",
|
||||
"rev": "2ab9f837047affd23ebf27b0175aff34d6b9e7e3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"ref": "daemon",
|
||||
"owner": "DavHau",
|
||||
"ref": "gitea",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
|
||||
inputs = {
|
||||
# https://github.com/NixOS/nixpkgs/pull/243252
|
||||
nixpkgs.url = "github:Mic92/nixpkgs/daemon";
|
||||
nixpkgs.url = "github:DavHau/nixpkgs/gitea";
|
||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
||||
treefmt-nix.url = "github:numtide/treefmt-nix";
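Review bot: The comment `# https://github.com/NixOS/nixpkgs/pull/243252` above the new `nixpkgs.url` is left unchanged while the input moves from one personal fork branch (`Mic92/nixpkgs/daemon`) to another (`DavHau/nixpkgs/gitea`), so a reader cannot tell whether the new branch is that PR's branch, a rebase of it, or carries extra commits. Expand the comment to state the relation and the exit condition, e.g. `# nixpkgs fork branch carrying <what it adds — fill in>; drop once upstream PR https://github.com/NixOS/nixpkgs/pull/243252 lands`. flake.lock pins a rev so the build itself stays reproducible, but a branch on a personal fork is mutable, so naming who maintains it helps the next `nix flake update`.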
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{ config, self, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
sops.secrets.ssh-homepage-key.owner = config.users.users.gitea.name;
|
||||
|
||||
systemd.services.gitea-runner-nix-token = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "gitea.service" ];
|
||||
|
@ -12,8 +14,14 @@
|
|||
set -euo pipefail
|
||||
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
|
||||
echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
|
||||
mkdir -p /var/lib/gitea-actions-runner/secrets
|
||||
cp ${config.sops.secrets.ssh-homepage-key.path} /var/lib/gitea-actions-runner/secrets/ssh-homepage-key
|
||||
chmod 600 -R /var/lib/gitea-actions-runner/secrets/ssh-homepage-key
|
||||
'';
|
||||
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];
|
||||
unitConfig.ConditionPathExists = [
|
||||
"|!/var/lib/gitea-actions-runner/token"
|
||||
"|!/var/lib/gitea-actions-runner/secrets/ssh-homepage-key"
|
||||
];
|
||||
serviceConfig = {
|
||||
User = "gitea";
|
||||
Group = "gitea";
|
||||
|
@ -27,8 +35,15 @@
|
|||
after = [ "gitea-runner-nix-token.service" ];
|
||||
requires = [ "gitea-runner-nix-token.service" ];
|
||||
|
||||
|
||||
# TODO: systemd confinment
|
||||
serviceConfig = {
|
||||
# User is set to gitea-runner in upstream nixos module
|
||||
# This user only gets created on service startup. We cannot chown the file
|
||||
# any time earlier
|
||||
ExecStartPre = [
|
||||
"+${pkgs.coreutils}/bin/chown -R ${config.systemd.services.gitea-runner-nix.serviceConfig.User} /var/lib/gitea-actions-runner/secrets"
|
||||
|
||||
];
|
||||
# Hardening (may overlap with DynamicUser=)
|
||||
# The following options are only for optimizing output of systemd-analyze
|
||||
AmbientCapabilities = "";
|
||||
|
@ -98,6 +113,9 @@
|
|||
# "/run/nscd/socket"
|
||||
# "/var/lib/drone"
|
||||
# ];
|
||||
BindPaths = [
|
||||
"/var/lib/gitea-actions-runner/secrets"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -133,6 +151,8 @@
|
|||
# unset the token so it doesn't leak into the runner
|
||||
TOKEN = "";
|
||||
PAGER = "cat";
|
||||
SSH_HOMEPAGE_KEY =
|
||||
"/var/lib/gitea-actions-runner/secrets/ssh-homepage-key";
|
||||
};
|
||||
};
|
||||
};
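Review bot: In the token service script (hunk `@ -12,8 +14,14`) the key is copied with `cp` and only tightened afterwards with `chmod 600 -R`, so between the two commands the copy carries whatever mode the service's umask yields, and the new `secrets` directory is created with the default mode. `install` sets the mode atomically and `mkdir -m` closes the directory: `mkdir -p -m 700 /var/lib/gitea-actions-runner/secrets` and `install -m 600 ${config.sops.secrets.ssh-homepage-key.path} /var/lib/gitea-actions-runner/secrets/ssh-homepage-key`; the `-R` on a single file is a no-op and can go. Because the `|`-prefixed `ConditionPathExists` entries only fire when a copy is missing, a key rotated in sops is not picked up until the copied file is deleted by hand; either re-copy unconditionally or add a comment on the condition saying so. The service definition continues outside the hunk.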
|
||||
|
|
|
@ -1,7 +1,21 @@
|
|||
{ pkgs, self, ... }: {
|
||||
{ config, pkgs, self, ... }: {
|
||||
security.acme.defaults.email = "admins@clan.lol";
|
||||
security.acme.acceptTerms = true;
|
||||
|
||||
# www user to push website artifacts via ssh
|
||||
users.users.www = {
|
||||
openssh.authorizedKeys.keys = [
|
||||
# ssh-homepage-key
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcQi7FThpE2dFcb08d7DSQzhit8e/0W9OUZXasH0JJA ssh-homepage-key"
|
||||
];
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
# ensure /var/www can be accessed by nginx and www user
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/www 0755 www nginx"
|
||||
];
|
||||
|
||||
services.nginx = {
|
||||
virtualHosts."clan.lol" = {
|
||||
forceSSL = true;
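Review bot: The `ssh-homepage-key` entry in `users.users.www.openssh.authorizedKeys.keys` (hunk `@ -1,7 +1,21`) carries no options, so whoever holds the private half gets a full login as `www` (`isNormalUser = true`), which is wider than the stated purpose of pushing website artifacts. Since that private half is handed to a CI runner, prefix the key with restrictions so it can only perform the deploy step, e.g. `"restrict,command=\"<artifact-sync command — fill in>\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcQi7FThpE2dFcb08d7DSQzhit8e/0W9OUZXasH0JJA ssh-homepage-key"`; the right forced command depends on how the workflow pushes, which this page does not show. The enclosing attribute set continues past the hunk.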
|
||||
|
|
|
@ -10,6 +10,7 @@ harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKS
|
|||
matrix-server-key: ENC[AES256_GCM,data:0148ezOFk8jX5KPQPCG0jQK9ajSfe/iOdUqlvys5/M8DrIwPXH9GzrkknwH+l8kF9ViTRDC/q5md8J2bj3/FBR/RW4rwjDrYx9cBEFm8wjHrywUlwON8kNKtj9ycJmXgtRyCrVGv7sBmODy0ZC5ZfWbhIQh6xWBkX2/rsSh4zwi/1PoHLpOO3u4=,iv:IwHPDi1E3R9LAY/seGpvx1U+N8mB9NMrUjLg4KMA1UA=,tag:pwRJ/CqkFN2eedrnMAaj2w==,type:str]
|
||||
registration-secret: ENC[AES256_GCM,data:EvPearZAxxb2irZFYgvy/tFA72h+IABuzwCbvy94IYR0eoHjuYw6GBde8CNUWG4SUiwyXJr4v438o/YThDhehsZ/cZFjg2o=,iv:ogN4/Iia5Zl95a3HP1KZoy86K8LyBFYw50cZUpkDNQo=,tag:5wU2OrNi7b5gWPfFZcGLjg==,type:str]
|
||||
gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
|
||||
ssh-homepage-key: ENC[AES256_GCM,data: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,iv:oHTmugUvMYLirTfNfAHz854feTIpkLUKC3OvE6CWhOY=,tag:94NSVbi0L19KMI+2l4QnIA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
|
Is it possible to scope this secret to the repository only? This is supposed to be a public CI where untrusted users may also run things.