From b7e7a52aa5b9e692b8a6edf5d17dff2bdf374601 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?=
Date: Fri, 5 Apr 2024 19:14:10 +0200
Subject: [PATCH] forgejo: make SSH keys declarative
---
hosts/nachtigall/apps/forgejo.nix | 14 ++++++++++++++
secrets/forgejo-ssh-private-key.age | Bin 0 -> 5539 bytes
secrets/secrets.nix | 1 +
3 files changed, 15 insertions(+)
create mode 100644 secrets/forgejo-ssh-private-key.age
diff --git a/hosts/nachtigall/apps/forgejo.nix b/hosts/nachtigall/apps/forgejo.nix
index 647f83e..f98e344 100644
--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@@ -16,6 +16,19 @@
 owner = "gitea";
 };
 
+age.secrets.forgejo-ssh-private-key = {
+file = "${flake.self}/secrets/forgejo-ssh-private-key.age";
+mode = "600";
+owner = "gitea";
+path = "/etc/forgejo/ssh/id_forgejo";
+};
+
+environment.etc."forgejo/ssh/id_forgejo.pub" = {
+text = "ssh-rsa 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";
+mode = "600";
+user = "gitea";
+};
+
 services.nginx.virtualHosts."git.pub.solar" = {
 enableACME = true;
 forceSSL = true;
@@ -70,6 +83,7 @@
 HTTP_PORT = 3000;
 START_SSH_SERVER = true;
 SSH_LISTEN_PORT = 2223;
+SSH_SERVER_HOST_KEYS = "${config.age.secrets."forgejo-ssh-private-key".path}";
 };
 log.LEVEL = "Warn";
 
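Review bot: The public half written by `environment.etc."forgejo/ssh/id_forgejo.pub"` gets `mode = "600"`, the same permission as the private key entry directly above it, which makes an auditor reading the permissions assume the file is sensitive when it is not. A host public key is normally world-readable; suggest `mode = "644";` so the two entries differ exactly where their sensitivity differs, and a one-line comment above the block, `# public half of the declarative Forgejo SSH host key; the private half is provisioned by agenix above`, since the hunk does not say whether anything on the host actually consumes the .pub file. The private-key entry itself looks right: the age secret is decrypted to a file owned by gitea with mode 600 and is only ever referenced by path.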
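Review bot: The new `SSH_SERVER_HOST_KEYS` line wraps an attribute that is already a string in an interpolation and quotes an attribute name that the first hunk defines unquoted, so the same secret is spelled two ways in one file; `SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-ssh-private-key.path;` is equivalent and matches the definition. Because the value is an absolute path under /etc rather than a file inside Forgejo's data directory, the only thing that makes it readable by the service is the `owner = "gitea"; mode = "600";` pair on the age secret, which is worth stating next to this line, e.g. `# absolute path to the agenix-managed host key; readable only by the gitea user (see age.secrets above)`. Presumably the point of pinning the host key is a stable fingerprint across rebuilds; if the server previously used an auto-generated key, clients that already trust the old one will see a host-key change once, so the fingerprint of the new key should be published alongside this change. The enclosing settings attribute set begins before this hunk and continues after it.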
diff --git a/secrets/forgejo-ssh-private-key.age b/secrets/forgejo-ssh-private-key.age new file mode 100644 index 0000000000000000000000000000000000000000..39f42d601f6d279a6ab9b482593a1ed23b00e148 GIT binary patch literal 5539 zcmZ9OgQCR~!*Sg;OJbRzty??>yIp=)iDD~P@txfF;Iy^?Z?N_@?5Az`)sWaovve2}0qIxKp(d|ZXvOMjd_M$W zV~{q`t>!Rc5-CXF`CUNBKtMBuA~w`SCx_g~fLo0h2V7?O|EGE7Y7)mE?@_{O0<6Lo z6l%p5kR)W;tu_YL0k{lMr`W4ug*;d@2&kZb3mrnjY2+R*%I$Z!985dT$l*x&2s+E7 za0%Id0}X1B0W_$Sq65+Ve`zkaGG2!k(d>GNmdN1aWl$UqjRGWgJV_j|n6WBr$f~xG zrDU}O%I85<7Py?pRrnM}F;b`^5}n+T%xmTbkra*`!tuF5l7tB};*1VBjOlQC{W6{t z!Q&vPTp~`zF}WB}44&>a3b+J;#V3YpLM*vY%VA4Rjvy2VLZApUIY9Hfl^zR}Vo>TO z8UxoWhq-wG$0Q&SwMY;iQ~^k_oFxS;Y&=HqmT=g18PyG#F#dqa2f_GxNF9Uk^jK&X zvC!_s6JZLLUPPA~R9qZaB~sW7b`itl*0_nF9V!ZPI8?Hjh_UF9Rvr&QMnRx-1Cxu> zfkrD9M1dSVR?e0KdNt0-SI909`*2=RL#DGsP@bM5wn6NQ zpa6>HF}z5GjsY+k0D)x`N`fl3-z}w}R5YAb4>b#kbRA3%Z~-IIBnMn%7Yl_@0tNyp zh=Wj=C?d!l$yatB~4-Lo+R;&qXW-~#U&qVPFd_EWg=ELI% zI4jblg7WcbH4#vHU~Vjg%SYKk3fmu~Bk&vyMn@4ToEWhUPXR-AAr4DIgJv6oZL^{b zIG0i{K*@Ym9Xu$;czh-!hiybbxE!j{N2UQkT*GIx{c5qC&tWKKr~nRhP?Z>%9IGG* zEi%yQcmJo3%@mRl4nmX!J^(Y*tuCQoVMk)EE(Q|~^-2-;APws@BK>qHRHrrJ0EOEew+|B0#3NC~q4h1Y;tBazvi=Z4Wl&==@b$~?b_M=fOjDXK@G7tnN z2G2v-$Z`);Zc)okpg_!U_`O)15zmEa&^}H`LqZuaaE%VBhGPwOI3Gk>kPecIEfhEn z0lPuL0g-Zq4jK$X@gkv-A=YE~a+?fPBa{S)!=`njh)Ris3mAAX5maRodrf#5TBYZE z%~T7+ZVQNf9uk2avd}_=AMur43Yp3tqFxhC^$uF!G_>Gw?czOK?DFnO(X#_f|*9POS8zSO7zahEZ^s0EfZXfa%07M5{kj|kT7^F%dVC4I7$)H1j0Eeq92Fx+C3DwHsB1v z(OL*aUoM)np@tW%W>9C=N@EF?$4N7z-g2;{61-SOKS*)I=%QPGlkVT81#>(EqoN9Y$ZO z1Bu4O`vf80kLU-TM6;Bs@UWp)dq|5nIOGZqpft+eQVr9nlOpY)hT(&Wenc@v0&)6< z0k1=e*~(Jmg%CWHYBN~?EzaqN+OQ}*F0RJxizvSR^(YT!V74C|0V-2loJ4CelfE z1r;>+58sh|Oo?9(v14s=x|HWep+G!}!~qO2DIHE_x$r27pX+pRa9F8Dtu=D38uGts z@Gs3slVAWaUd&@D^f)mYWphxy3Jw{nL14Jf5MKkAc!?CM3lS9a$x5DyPxeDla=!$N zq3P*1yISKDON11zPX!XxGBE{o+r&_+QBOB}G&VWue{S}l{{cbb4vN5dp$rhhlzJUP zM@1?_B%8}GC2F_=kHh6*g`|uC6|O|_Sx^T^v_n8Oj_m;0Dmoe?GEstlEJ5z2Dzz9r 
zoFC%qe14_d93ryhDj(;^CR0=6gLX5AtFe1%SP9cnUN}s!j-Yth-{_?H%ZQa_9XHLUb%T|b5H~do; z6YM2E*c<&2ePd-hCk)FU6$Y!__Yw61Ja@_ax(Pm~^;+YOdR7)`=2=UrVyizjb)@_F zqbhI-t?gV*2HI$D?D>W>Yig$)AyMR@X5o>Z+q_8nt(%eO|rt(4W z@=e9R&+QyraAEP3r`O8|>?U1)ntDilwz&E*YF}+}v~QQWX=T_#W?$l0*1J)f6O)U4 zA8jJwj`~=dFEjOG>F6q8NzI@Sn!?VvFNWp8bea7GcQw-Dmk&Bu_oOENHt&M|Wqaq5 zOZKSK>d>DZ2`85BO6nKU&l2~MGsly>sq?Cz=EaPwK zJN{}yn`$&zHZ%D``}>lV2if#DfuygsSt;$n74X6i&Le(OslOp6elY1qRzyqk@ZQDW zE+x3IWrc8(5AGmAz8J4=XkA3y=8=WQW2HUQ7(fo9NzFOcIqGR(|5G24guLy;!ca^eCVj# zuFT7NSm%G8Ia{95c%9xbe_h{mDB&jZ#$(w<-^(}c4~x4V^WY_x{7k+PemD6n^?qP< zeqz;-4g9II7qsH7kG9x`#htve{tdNsV>aoydPyOn;K3NMEGRk3L|jcPC}3Nz9Ao6m zV%s~i){H!P>G!OI=dyR-iy5(tbh0b|TI-PNE%s&6DIXDy50(r(8oo9BMxAv@gvm50 zPoMBM>GA7^qsNxm7DZ)_8!%!Hx?6Q>zkhJsKbciSw)M01d)@aCBr;l>F!wTdj43uf zVaMUKX{WviuIH&A$D-FFE!);lo$mckHx#%w53XAvh5wbGvj5JzVff(LsiQxAEwHe* z^&l$j^y|LyJuBda2Quei*EAn}#7paa_V?>mjJSfMF?%E4Ctt&iXsQ}Nc+Z@IP2TqD z^BrvM!pnCYSGaME%$?aeGdn6;$;JdpM9H8BvK8whQePhb3a{Eo*AM@;xc*D=l=NGg zY3ufP6pq+luZ;QiONq}zgcZ#CsWgTt^&_^wX%|f@_1dB|lbCmGY19dyC9&pJdFV-+ zlj5xjV5RBgfw_M#%wD}>kg@vgq)+a#P1?7tzv^y zmQ0I}JdqQGu6&!4OG;vlbVXcwHVarAIWbo>H~)0yb3gTY+GtX4_ zZ)b+$FbggfFQnV*+ZslDqY{zfh^EqhEaTIXuTu`>J*82`?>(tpNqzn%_3Te?h}U^P z7i=C`G3}~j&je~^;mvaKv_#6G7bkXkE8raPePF`$$OyXbL+#F2N569Udw5cu;QF7N z%(YR2V}|V6Ixg(-h_K5UYsRSO&&t1~lye;cRh`K`^1{pa=G8^qifCG!_7BpW8P zzm1?hiEUuEtfolWxt{*o1jvm|&hsD8N4{Orf4zBtb}%-(^OuA9W_w1`n&_t~6Qrhv zE&t3bDLv7QgbrArd3ekQ;)=b^w9x2`<@CRz>|3lywD-$iL=N0~v{@F}Gc)BN$-HpZ zz!cNUtmS}oEbS^AM z;LcCER(!1NX6fuCR>gxob>;?>XK46ArI*=%@3Uo?&*`q*b9ZLU?ojF{<*sO|93ee- zu<-Yh4aC{@1v}#oZ9g;!J1+Yt_t5K0e%;iZ9t1yUw?D~APuMrKJ8UL>D!^&YTAo=DOE*V(>yshPAwl&7lc&T=S+M)blJWgyG-ga^87{wdP(aQ z^)LOmPk8)lR*_4$0ExMFji*H=I8}O0l`hT0<-LN(ZZsLG%4?JAT?mn@UO#KY_>QLBUy9Zx#i)Yan6H@rEB#gOFX(Ughrt9D3$C0r z-s$DJDD7K+ZAq#^Y*@H4WewC}^Y)${bFs72dE;iE)^yA5zS}fwq9Ts|GP8DiZ0UX& zOlg^EAM<-5E1(NEUFrZ6Wg zybUcWYI)f}s9H+C`Bt{NW$a^k=~X>Nal`uX(3$nGYL!(#uev2#@o8L=Z|wevj3dvQ z3PwCR62EekK47FPzSV6Ei`(nI1njHl6}^wHEDRiQ;>+2)n;Mf_vzN`wyO)n#g0|uY 
zz8xq)&->aMBajSfT`^Vvv+r2@;CpDrklyBB?=rMQ&($VY682^kl>T$6z!~jNJf9zV z3hJef+FS0IoeaNf*tZMWJvh6P*jm~C?aQOC@2J9w9~JFwgXZ_?*S+f0I7sv3gZ!4r zNl~6e;z?QFp@QN*Gls9-lDRkQ;K)7q8lRe_rFh%m#kKmKCL&H)^bhzAV_7Ipc+Ka8_^RtI(yy z$SKlUeTU^LYTRk{Q?|`IK{|(D{be~9(y{yqm~|}a<%0e*k9tb!^f5hWX(b23Ny&}I z-tgx1OZN83f2`g4uITndlH@>COn%ws&&vAjZ|4^GecsvVOSyMu#2d=}XT8l8e-O^f z4tE*8?D#GH@svB$^ZMQL4SJM3dBLi-o%1hC`?j^8T$lBxPiOH?XJ_h4(T*~WL>hi` z4>@)6e#F767%KX~v1k04ZDq3QO5X9gUB$qjp^3aT18T11T}e+ERTb4iO<5QH+kDe2p!u?) zJN{GlFrZ}C?zouW_J>DDeX3k^$EC4NJ7fMZF(-O6jJK?&_*10Z@@IEbTX|*Yq*t3~ zzFt5s&X_KFQ@N#s&A8C$m=tkLbN=_3xI14y9ype`t)u_$$?%Gu9h)kaeAM1-+ufdz zi1n)v{WPKUUD|YnhzMyAaaT*ycktF1P0e532#mOUzM|_&CBln`^lL=2RW=(~z+{ z%4f_P&^YB#G6KRdFVuBycO^!4vf=DNC?}zQ*g;rRtYmi1@D~1n(L1I-%7|;lR?Ldu z(T+>a&ho~mcCNm|9j5~m(3Kn(b2vje|ZtkX6)*wnnkJByZH8w|^zyr}Yu5i4J$Wnm literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 153a975..117ebdf 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -33,6 +33,7 @@ in "forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ adminKeys; "forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys; "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys; + "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;