From 16c6aa3b61b2c05979e54c02c417c795708b26fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?= <git@benjaminbaedorf.eu>
Date: Fri, 5 Apr 2024 19:14:10 +0200
Subject: [PATCH] forgejo: make SSH keys declarative

---
 hosts/nachtigall/apps/forgejo.nix   |  14 ++++++++++++++
 secrets/forgejo-ssh-private-key.age | Bin 0 -> 5539 bytes
 secrets/secrets.nix                 |   1 +
 3 files changed, 15 insertions(+)
 create mode 100644 secrets/forgejo-ssh-private-key.age

diff --git a/hosts/nachtigall/apps/forgejo.nix b/hosts/nachtigall/apps/forgejo.nix
index 647f83e..f98e344 100644
--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@@ -16,6 +16,19 @@
     owner = "gitea";
   };
 
+  age.secrets.forgejo-ssh-private-key = {
+    file = "${flake.self}/secrets/forgejo-ssh-private-key.age";
+    mode = "600";
+    owner = "gitea";
+    path = "/etc/forgejo/ssh/id_forgejo";
+  };
+
+  environment.etc."forgejo/ssh/id_forgejo.pub" = {
+    text = "ssh-rsa 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";
+    mode = "600";
+    user = "gitea";
+  };
+
   services.nginx.virtualHosts."git.pub.solar" = {
     enableACME = true;
     forceSSL = true;
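Review bot: The `environment.etc."forgejo/ssh/id_forgejo.pub"` entry installs the host *public* key with `mode = "600"`, which is more restrictive than needed and gives the misleading impression that the file is sensitive; `mode = "644";` is the conventional permission for a `.pub` file, and the owner `user = "gitea"` still reads it. The private key path `/etc/forgejo/ssh/id_forgejo` and the etc entry name `forgejo/ssh/id_forgejo.pub` are two unrelated literals that must stay in lock-step (the public key is, as far as I recall, looked up at `<private key path>.pub`), so a short comment above the etc entry such as `# Public half of age.secrets.forgejo-ssh-private-key; must live at "<path>.pub"` would make the coupling explicit. If the built-in SSH server previously offered an auto-generated host key, switching to this declarative key changes the host key presented to clients, which is worth a sentence in the commit description.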
@@ -70,6 +83,7 @@
         HTTP_PORT = 3000;
         START_SSH_SERVER = true;
         SSH_LISTEN_PORT = 2223;
+        SSH_SERVER_HOST_KEYS = "${config.age.secrets."forgejo-ssh-private-key".path}";
       };
 
       log.LEVEL = "Warn";
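Review bot: The new `SSH_SERVER_HOST_KEYS` line wraps an already-string value in `"${...}"`, which is a no-op interpolation; the plainer form is `SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-ssh-private-key.path;`. Nothing here ties this value to the `.pub` file installed elsewhere in the module, so a one-line comment noting that the matching public key is expected alongside it would help the next maintainer. The enclosing attribute set starts before this hunk.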
diff --git a/secrets/forgejo-ssh-private-key.age b/secrets/forgejo-ssh-private-key.age
new file mode 100644
index 0000000000000000000000000000000000000000..39f42d601f6d279a6ab9b482593a1ed23b00e148
GIT binary patch
literal 5539
zcmZ9Og<F(~x5r&X&;bK+Wo=MFVPq%XNekcU?iPgU?j8jJ6+y*fZCGr<TE#*XRB)G2
z6gvP>QCR~!*Sg;OJbRzty??>yIp=)iDD~P@txfF;Iy^?Z?N_@?5Az`)sWao<ZbPb8
zgG8ed_;@3UY4YpiMJA0)%lAQ%ZXS(fgZkNQ22+h>vve2}0qIxKp(d|ZXvOMjd_M$W
zV~{q`t>!Rc5-CXF`CUNBKtMBuA~w`SCx_g~fLo0h2V7?O|EGE7Y7)mE?@_{O0<6Lo
z6l%p5kR)W;tu_YL0k{lMr`W4ug*;d@2&kZb3mrnjY2+R*%I$Z!985dT$l*x&2s+E7
za0%Id0}X1B0W_$Sq65+Ve`zkaGG2!k(d>GNmdN1aWl$UqjRGWgJV_j|n6WBr$f~xG
zrDU}O%I85<7Py?pRrnM}F;b`^5}n+T%xmTbkra*`!tuF5l7tB};*1VBjOlQC{W6{t
z!Q&vPTp~`zF}WB}44&>a3b+J;#V3YpLM*vY%VA4Rjvy2VLZApUIY9Hfl^zR}Vo>TO
z8UxoWhq-wG$0Q&SwMY;iQ~^k_oFxS;Y&=HqmT=g18PyG#F#dqa2f_GxNF9Uk^jK&X
zvC!_s6JZLLUPPA~R9qZaB~sW7b`itl*0_nF9V!ZPI8?Hjh_UF9Rvr&QMnRx-1Cxu>
zfkrD9M1dSVR?e0KdN<Dqut*wj0128rf&f%P@>t0-SI909`*2=RL#DGsP@bM5wn6NQ
zpa6>HF}z5GjsY+k0D)x`N`fl3-z}w}R5YAb4>b#kbRA3%Z~-IIBnMn%7Yl_@0tNyp
zh=Wj=C?d<F$8zO*Vo-*rA_+pPR1C!ttwEfP3j_Ul7+n<bV?mDD;By7IVu1%v#p-+}
z5RYT?ELaE_&@(Ay9za8z(IlLa$N=C5iiJRdxujUX)n&)?j9im2fafz<YEbOZ2+?#N
zjRND^U_lw4WAH%8CM%A_^up9iI>!l$yatB~4-Lo+R;&qXW-~#U&qVPFd_EWg=ELI%
zI4jblg7WcbH4#vHU~Vjg%SYKk3fmu~Bk&vyMn@4ToEWhUPXR-AAr4DIgJv6oZL^{b
zIG0i{K*@Ym9Xu$;czh-!hiybbxE!j{N2UQkT*GIx{c5qC&tWKKr~nRhP?Z>%9IGG*
zEi%yQcmJo3%@mRl4nmX!J^(Y*tuCQoVMk)EE(Q|~^-2-;APws@BK>qHRHrrJ0E<Ni
z)mjl8E)&TW>OEew+|B0#3NC~q4h1Y;tBazvi=Z4Wl&==@b$~?b_M=fOjDXK@G7tnN
z2G2v-$Z`);Zc)okpg_!U_`O)15zmEa&^}H`LqZuaaE%VBhGPwOI3Gk>kPecIEfhEn
z0lPuL0g-Zq4jK$X@gkv-A=YE~a+?fPBa{S)!=`njh)Ris3mAAX5maRodrf#5TBYZE
z%~T7+ZVQNf9uk2avd}_=AM<!9fCm)OI4CkvD5HcRd@+@(kOvS@sgJ_52Y6;Vn&{?|
zkR${WC4q(DE*;B4;40}lxPXI@8Ui3)%Vw+4J_m=v7E!eVNC+AvV2vQC_jw3*9n{CB
zvH`A~$k*CJ3JicILjxiqO`>ur43Yp3tqFxhC^$uF!G_>Gw?czOK?DFnO(X#_f|<yI
zTP-X;3vH%xR1CVrrctXjY=WEOGkd8zD;29IQOyQ|g$)nEbs;WCs^NHCI*7r^A$sXn
z9so7Luw*ew&DJ;+G{B|Cx->*9POS8zSO7zahEZ^s0EfZXf<A;%%S7-sBpF2^5<^Th
zzK^cQ0{WmVfY*AcbQJ?>a%07M5{kj|kT7^F%dVC4I7$)H1j0Eeq92Fx+C3DwHsB1v
z(OL*a<RytkOrg;$^kC5fJzqyO*~wbJo*z)K31lf%Ae7jV-T)%#(b|++JJu}=!HjmH
z+>UoM)np@tW%W>9C=N@EF?$4N7z-g2;{61-SOKS*)I=%QPGlkVT81#>(EqoN9Y$ZO
z1Bu4O`vf80kLU-TM6;Bs@UWp)dq|5nIOGZqpft+eQVr9nlOpY)hT(&Wenc@v0&)6<
z0k1<WmRgk{6io)P?hsK=aJ$)JJOyLn;4mr`k?xZs#b)vUVTGJdnDGb8tnxc-RHTO_
zQ^ARV7Kx(b<vfO##WhHA9)kcTV*>=e*~(Jmg%CWHYBN~?EzaqN+OQ}<EQOoI0jY%!
z3d{~9Q^wN*0<tAY<kJ4PXa4O_IYr2I>*F0RJxizvSR^(YT!V74C|0V-2loJ4CelfE
z1r;>+58sh|Oo?9(v14s=x|HWep+G!}!~qO2DIHE_x$r27pX+pRa9F8Dtu=D38uGts
z@Gs3slVAWaUd&@D^f)mYWphxy3Jw{nL14Jf5MKkAc!?CM3lS9a$x5DyPxeDla=!$N
zq3P*1yISKDON11zPX!XxGBE{o+r&_+QBOB}G&VWue{S}l{{cbb4vN5dp$rhhlzJUP
zM@1?_B%8}GC2F_=kHh6*g`|uC6|O|_Sx^T^v_n8Oj_m;0Dmoe?GEstlEJ5z2Dzz9r
zoFC%qe14_d93ryhDj(;^CR0=6gLX5AtFe1%SP9<?Xe4lsBq$&X%s=`@U?T8^M4E&U
z5W^+T5FMh+$jIAKorn{ZoRGhav>cnUN}s!j-Yth-{_?H%ZQa_9XHLUb%T|b5H~do;
z6YM2E*c<&2ePd-hCk)FU6$Y!__Yw61Ja@_ax(Pm~^;+YOdR7)`=2=UrVyizjb)@_F
zqbhI-t?<uh+za}SdG}VWmY$z^nN=9mr8ex_kYrh!Veztep+Bx(@n}!<Y=%Q{9B3@g
z+qP)Qw(N?@C*KKIcpG_#V7jH`OVew*xMlC!ZzQkU7U-Bm==b0uWV}b{IK1unORoF$
zLvv$H&Fg+0M;U#G?R}cNwkt(T01Iz###WtHFD#Fkb|yPs^!Zj-TIc9V;pByLYE2XR
zwlBIidm<}p6lwAB`kI}e>gV*2HI$D?D>W>Yig$)AyMR@X5o>Z+q_8nt(%eO|rt(4W
z@=e9R&+QyraAEP3r`O8|>?U1)ntDilwz&E*YF}+}v~QQWX=T_#W?$l0*1J)f6O)U4
zA8jJwj`~=dFEjOG>F6q8NzI@Sn!?VvFNWp8bea7GcQw-Dmk&Bu_oOENHt&M|Wqaq5
zOZKSK>d>DZ2`85BO6nKU&l2~MGsly><wW7`ji1q~*v-f1Nn5r;HqJ>sq?Cz=EaPwK
zJN{}yn`$&zHZ%D``}>lV2if#DfuygsSt;$n74X6i&Le(OslOp6elY1qRzyqk@ZQDW
zE+<E+AKayLIUA;zU7BXkq;hu0w!ypK3SaG+&b)clzKls(@y**7T7KF3eSM!Xf6SRv
zLcJJmQ5^vmy(toGJ$2;khGDPGBWkY+>x3IWrc8(5AGmAz8J4=XkA3y=8=WQW<J%9<
zuhWDJ!aWDul?8EAvz{I+oHaGDbZWH4SBh<J5S}k-J2Nt8<jl6Mg<Bv!mV%3E`q@Vc
zDl4;Pqx9C8Pn$2?7F8XnCpJI1TVMPN`o}!*+WGDo=*7cB8`}O_LxNY%c{#Bt;Bd}O
z$1WaKy2UHU-n=n<Mj)&I(;~&hh>2HUQ7(fo9NzFOcIqGR(|5G24guLy;!ca^eCVj#
zuFT7NSm%G8Ia{95c%9xbe_h{mDB&jZ#$(w<-^(}c4~x4V^WY_x{7k+PemD6n^?qP<
zeqz;-4g9II7qsH7kG9x`#htve{tdNsV>aoydPyOn;K3NMEGRk3L|jcPC}3Nz9Ao6m
zV%s~i){H!P>G!OI=dyR-iy5(tbh0b|TI-PNE%s&6DIXDy50(r(8oo9BMxAv@gvm50
zPoMBM>GA7^qsNxm7DZ)_8!%!Hx?6Q>zkhJsKbciSw)M01d)@aCBr;l>F!wTdj43uf
zVaMUKX{WviuIH&A$D-FFE!);lo$mckHx#%w53XAvh5wbGvj5JzVff(LsiQxAEwHe*
z^&l$j^y|LyJuBda2Quei*EAn}#7paa_V?>mjJSfMF?%E4Ctt&iXsQ}Nc+Z@IP2TqD
z^BrvM!pnCYSGaME%$?aeGdn6;$;JdpM9H8BvK8whQePhb3a{Eo*AM@;xc*D=l=NGg
zY3ufP6pq+luZ;QiONq}zgcZ#CsWgTt^&_^wX%|f@_1dB|lbCmGY19dyC9&pJdFV-+
zlj5xjV5RBgfw_M#%wD}>kg@vgq)+a#P1?7tzv^y<MG}plzgJ<6=&rTA*DdSRuM?Gz
z5{`{{|Gjl2qNv~K9%SHDcFL)vJ6b<v&k%pk+fg6C_<S<)aNWBvS08?uKPqyZ`n;xo
z*^JMND*g^DG1|u=Un3h$4LOU-1~v)P?p+)$+4+n5biW!5YTfag$Jn0kb(sy^nxiq>
zmQ0I}JdqQGu6&!4OG;vlbVXcwHVarAIWbo>H~)0yb3gTY+<CTTP)Q{%Y4GO>GtX4_
zZ)b+$FbggfFQnV*+ZslDqY{zfh^EqhEaTIXuTu`>J*82`?>(tpNqzn%_3Te?h}U^P
z7i=C`G3}~j&je~^;mvaKv_#6G7bkXkE8raPePF`$$OyXbL+#F2N569Udw5cu;QF7N
z%(YR2V}|V6Ixg(-h_K5UYsRSO&&<a>t1~lye;cRh`K`^1{pa=G8^qifCG!_7BpW8P
zzm1?hiEUuEtfolWxt{*o1jvm|&hsD8N4{Orf4zBtb}%-(^OuA9W_w1`n&_t~6Qrhv
zE&t3bDLv7QgbrArd3ekQ;)=b^w9x2`<@CRz>|3lywD-$iL=N0~v{@F}Gc)BN$-HpZ
zz<ZS~izejlWgeWFJnU9aZzrYka?VuQmY;Hm;}f2AH6u?lex4h9?}0UJcGgo-`o7cr
z!EbHOQLWz4_7q3?o5q1}_NzyRmG}SoOLJL{_UYKo6@6Yd&PHB>!cNUtmS}oEbS^AM
z;LcCER(!1NX6fuCR>gxob>;?>XK46ArI*=%@3Uo?&*`q*b9ZLU?ojF{<*sO|93ee-
zu<-Yh4aC{@1v}#oZ9g;!J1+Yt_t5K0e%;iZ9t1yUw?D~APu<hgKQZO+X=O_*MT?~0
zUe>MrKJ8UL>D!^&YTAo=DOE*V(>yshPAwl&7lc&T=S+M)blJWgyG-ga^87{wdP(aQ
z^)LOmPk8)l<hh>R*_4$0ExMFji*H=I8}O0l`hT0<-LN(ZZsLG%4?JA<iX9$SG~^s;
zz22LfyI*)86I!->T?mn@UO#KY_>QLBUy9Zx#i)Yan6H@rEB#gOFX(Ughrt9D3$C0r
z-s$DJDD7K+ZAq#^Y*@H4WewC}^Y)${bFs72dE;iE)^yA5zS}fwq9Ts|GP8DiZ0UX&
z<YIVN@8*W)sU;D2BP2t6F!?jbSHF6<@S^<nvAT+k-_(h(YIY6lTv<F>O<PPT3+oo&
zPa3-+f8tN)7qlj*ru;qVB4j0HPpdw~RB=D{&xrC<19~rIE)IK9KBQA%o0`GC?x5aE
ze(rfcn8k%W51!~CMt)edH5ZEA-15BVSID0$mzt`%&eJK5pSPF2;~X1vxNRGFyqK(~
z7mZ(4a`TE}QOY-xuc&s&m$c-;)uYna=AN<+{wsRZi_g#ZKa5?b2z$vlCs!}3OJ)51
zG|@I!o_6gQ({2bQabEp`IZZE^-|79JWg{ccL&~%ZKd1320rN5`^B?^8;<rn<`&Rw(
zaZ&r?TK*H34^v%oe&v=2vX;xMYQLj*E$$zCvi$pyL_1>lg^EAM<-5E1(NEUFrZ6Wg
zybUcWYI)f}s9H+C`Bt{NW$a^k=~X>Nal`uX(3$nGYL!(#uev2#@o8L=Z|wevj3dvQ
z3PwCR62EekK47FPzSV6Ei`(nI1njHl6}^wHEDRiQ;>+2)n;Mf_vzN`wyO)n#g0|uY
zz8xq)&->aMBajSfT`^Vvv+r2@;CpDrklyBB?=rMQ&($VY682^kl>T$6z!~jNJf9zV
z3hJef+FS0IoeaNf*tZMWJvh6P*jm~C?aQOC@2J9w9~JFwgXZ_?*S+f0I7sv3gZ!4r
zNl~6e;z?QFp@QN*Gls9-lDRkQ;<PW;k9E~&4^RBr++ZL6xO+E0`y#kChZ2oFxAD;`
zL22fmmEq$}#+$5r)m>K)7q8lRe_rFh%m#kKmKCL&H)^bhzAV_7Ipc+Ka8_^RtI(yy
z$SKlUeTU^LYTRk{Q?|`IK{|(D{be~9(y{yqm~|}a<%0e*k9tb!^f5hWX(b23Ny&}I
z-tgx1OZN83f2`g4uITndlH@>COn%ws&&vAjZ|4^GecsvVOSyMu#2d=}XT8l8e-O^f
z4tE*8?D#GH@svB$^ZMQL4SJM3dBLi-o%1hC`?j^8T$lBxPiOH?XJ_h4(T*~WL>hi`
z4>@)6e#F767%KX<R``rsyDQPx08FX*TJTpM_Yijl6<2D#dSO!bM(mw+W!UH4!2#{4
zspH;cEVz>~v1k04ZDq3QO5X9gUB$qjp^3aT18T11T}e+ERTb4iO<5QH+kDe2p!u?)
zJN{GlFrZ}C?zouW_J>DDeX3k^$EC4NJ7fMZF(-O6jJK?&_*10Z@@IEbTX|*Yq*t3~
zzFt5s&X_KFQ@N#s&A8C$m=tkLbN=_3xI14y9ype`t)u_$$?%Gu9h)kaeAM1-+ufdz
zi1n)v{WPKUUD|YnhzMyAaaT*ycktF1P0e532#mOUz<TYk=&1Lz22Cp|9PoKSKiuuE
zsI14MHOiVNJ+ntI*}eHuLf?_$xrpvDl9-pjJ`elEs4>M|_&CBln`^lL=2RW=(~z+{
z%4f_P&^YB#G6KRdFVuBycO^!4vf=DNC?}zQ*g;rRtYmi1@D~1n(L1I-%7|;lR?Ldu
z(T+>a&ho~mcCNm|9j<euXY{S?AG`JF?y_b#6aMb;<k6f{2OCb)de7D@%c;$(%~GdC
z-8|fsgo%Z|$Di+WvwbL$k&VXA8VKPZ=xBkSUI)m53$F`z;g&OQr-yA@e6G6qj-YmL
z>5~m(3Kn(b2vje|ZtkX6)*wnnkJByZH8w<kZ?+&UzCsyY_;@>|^zyr}Yu5i4J$Wnm

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 153a975..117ebdf 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -33,6 +33,7 @@ in
   "forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ adminKeys;
   "forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
   "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
 
   "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
   "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;