Cleanup age secrets and install forgejo runner

2026-03-28 13:01:55 +01:00 · 2026-03-28 13:01:55 +01:00 · 3577845679
commit 3577845679
parent f268e1e462
6 changed files with 28 additions and 9 deletions
--- a/modules/nixos/caddy.nix
+++ b/modules/nixos/caddy.nix
@ -1,6 +1,6 @@
 {
  systemd.tmpfiles.rules = [
-    "d /var/www/jankremer.de 755 jan users -"
+    "d /var/www/jankremer.de 755 forgejo-runner users -"
  ];
  services.caddy = {
--- a/modules/nixos/copyparty.nix
+++ b/modules/nixos/copyparty.nix
@ -6,7 +6,6 @@
 {
  age.secrets."copyparty-jan" = {
    file = ../secrets/copyparty-jan.age;
    mode = "400";
    owner = "copyparty";
  };
--- a/modules/nixos/forgejo.nix
+++ b/modules/nixos/forgejo.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
  domain = "git.jankremer.de";
 in
@ -7,6 +7,7 @@ in
    file = ../../modules/secrets/forgejo-mailer.age;
    owner = "forgejo";
  };
  age.secrets.forgejo-runner.file = ../../modules/secrets/forgejo-runner.age;
  services = {
    forgejo = {
@ -19,7 +20,7 @@ in
          DOMAIN = domain;
          ROOT_URL = "https://${domain}";
          START_SSH_SERVER = false;
-          SSH_PORT = 22;
+          SSH_PORT = lib.head config.services.openssh.ports;
        };
        mailer = {
          ENABLED = true;
@ -28,14 +29,24 @@ in
          FROM = "git@jankremer.de";
          USER = "janurskremer@me.com";
        };
-        # actions = {
+        actions = {
-        #   ENABLED = true;
+          ENABLED = true;
-        #   DEFAULT_ACTIONS_URL = "github";
+          DEFAULT_ACTIONS_URL = "github";
-        # };
+        };
      };
      secrets = {
        mailer.PASSWD = config.age.secrets.forgejo-mailer.path;
      };
    };
    gitea-actions-runner.instances.nimbus = {
      enable = true;
      url = "https://${domain}";
      tokenFile = config.age.secrets.forgejo-runner.path;
      name = "nimbus";
      labels = [
        "native:host"
      ];
    };
  };
 }
--- a/modules/nixos/matrix.nix
+++ b/modules/nixos/matrix.nix
@ -2,7 +2,6 @@
 {
  age.secrets."matrix-registration-token" = {
    file = ../secrets/matrix-registration-token.age;
    mode = "400";
    owner = "tuwunel";
  };
--- a/modules/secrets/forgejo-runner.age
+++ b/modules/secrets/forgejo-runner.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 2otpcg BKk+n4hh+NId35ZAUygwF8paTCY1Nbg3qo6MrTyOUwk
 TiTl0BVeqXEXQ7y3ySDKDW2N0R3RAYzaPn1mvwM7W9k
 -> ssh-ed25519 40YjXQ Vk49T74+I5qs6dY4mXQeGFzHR6i75xthZYZ1Y/bsyHc
 QqBkWmkarBoSc5zmFO67Hwck3d+BioL444RitOxsR4w
 -> ssh-ed25519 wbs2Dw NoJGVHAcH+PAoNQn+KCgwy/T14sHo+xYaGKvcTDHMUk
 XFsOkgaXNQgkpKcmui1hbgywDRSIWtIAq7oFJI/LrjM
 --- glH3vTvqZkaJqFLYGHPsNhu5Riyxjz0AKtMMnlaZYHo
 “ÀÂçÙæhOŽjfì™ãXbØ¤"’6ÿ,ù!ü\X<Užjªæ«8ó8ÛP…¹xÈe¿Q#fëÚ}ÚÆ|ê<>àV=§¹:
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -15,4 +15,5 @@ in
  "tailscale.age".publicKeys = all;
  "matrix-registration-token.age".publicKeys = all;
  "forgejo-mailer.age".publicKeys = all;
  "forgejo-runner.age".publicKeys = all;
 }