lupine: add runner token for all runners

hosts/kommode/services/gitea/default.nix

@@ -51,11 +51,11 @@ in {
         START_SSH_SERVER = true;
         START_LFS_SERVER = true;
         LFS_JWT_SECRET = lib.mkForce "";
-        LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
+        LFS_JWT_SECRET_URI = config.sops.secrets."gitea/lfs-jwt-secret".path;
       };
       oauth2 = {
         JWT_SECRET = lib.mkForce "";
-        JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
+        JWT_SECRET_URI = config.sops.secrets."gitea/oauth2-jwt-secret".path;
       };
       "git.timeout" = {
         MIGRATE = 3600;
@@ -85,7 +85,7 @@ in {
       session.COOKIE_SECURE = true;
       security = {
         SECRET_KEY = lib.mkForce "";
-        SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
+        SECRET_KEY_PATH = config.sops.secrets."gitea/secret-key".path;
       };
       database.LOG_SQL = false;
       repository = {

hosts/kommode/services/gitea/import-users/default.nix

@@ -11,8 +11,7 @@ in
 
   systemd.services.gitea-import-users = lib.mkIf cfg.enable {
     enable = true;
-    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
-    environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
     serviceConfig = {
       ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
         flakeIgnore = [
@@ -26,7 +25,6 @@ in
       ];
       DynamicUser="yes";
       EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
-      RuntimeDirectory = "gitea-import-users";
     };
   };
 

hosts/kommode/services/gitea/import-users/gitea-import-users.py

@@ -17,10 +17,6 @@ GITEA_API_URL = os.getenv('GITEA_API_URL')
 if GITEA_API_URL is None:
     GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
 
-PASSWD_FILE_PATH = os.getenv('PASSWD_FILE_PATH')
-if PASSWD_FILE_PATH is None:
-    PASSWD_FILE_PATH = '/tmp/passwd-import'
-
 
 def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
     r = requests.get(
@@ -191,8 +187,7 @@ def main():
     if existing_users is None:
         exit(1)
 
-    print(f"Reading passwd entries from {PASSWD_FILE_PATH}")
-    for username, name in passwd_file_parser(PASSWD_FILE_PATH):
+    for username, name in passwd_file_parser("/tmp/passwd-import"):
         print(f"Processing {username}")
         add_or_patch_gitea_user(username, name, existing_users)
         for org, team_name in COMMON_USER_TEAMS:

hosts/lupine/services/gitea-runner.nix

@@ -6,16 +6,14 @@
   # successfully registered will gitea give you the next token.
   # - oysteikt Sep 2023
   sops = {
-    secrets."gitea/runners/token" = {
-      key = "gitea/runners/${lupineName}";
-    };
+    secrets."gitea/runners/token" = { };
 
     templates."gitea-runner-envfile" = {
       restartUnits = [
         "gitea-runner-${lupineName}.service"
       ];
       content = ''
-        TOKEN="${config.sops.placeholder."gitea/runners/token"}"
+        TOKEN=${config.sops.placeholder."gitea/runners/token"}
       '';
     };
   };
@@ -41,5 +39,5 @@
 
   networking.dhcpcd.IPv6rs = false;
 
-  networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
+  networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 5353 ];
 }

secrets/lupine/lupine.yaml

@@ -1,10 +1,6 @@
 gitea:
     runners:
-        lupine-1: ENC[AES256_GCM,data:UcZB2p/dInvcl0yNBEohzbmcVxg/QQPXlIsaVB3M3hyxFg1gtGfUGA==,iv:OigyPfPoRIjvyiId7hiiWdNrZqyZqI3OonvJC+zYEzI=,tag:SjBsvo/IJKhFQs+PiI596g==,type:str]
-        lupine-2: null
-        lupine-3: null
-        lupine-4: null
-        lupine-5: null
+        token: ENC[AES256_GCM,data:Y27trzUHuA1k9fVs/3PM/L8aIlI+37nAPTVDgWjBX+K4q23saa5XUA==,iv:J4litvX0ip/a340E7S+XHZQG+BGh+K/RzFxdS1VLwA0=,tag:H4oK4vn27U+yXqa/YQJOxA==,type:str]
 sops:
     age:
         - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
@@ -97,8 +93,8 @@ sops:
             YU5mMDlRckJCMDAzcHYyMWN1clRJRVEK77PiAQP+2+WblGYEgAf6bx6RTh0JHiSZ
             /jPIN/rbAKNv36wpZDbuLV8tcMuvhleNMRSSqbIloLSzww+Z5nOU4A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-30T18:29:08Z"
-    mac: ENC[AES256_GCM,data:47cki5ucPTVd4JuEyK0QkDCCEqj1pW6SA5I6ihC/MEja6TIuHTcEPFpje8+LvpGjpP9uobKX4g3UcyvkJ63j/k3hU0xPYQX3Z1ee00KIMKB0GHNjUR8ENtnwd3TU7kp5ohtXeCtcyzCjdFFuXp8AINGv3vpbU2MzauctUxn5B1Y=,iv:1mpk/f1QlRtHfA9dqyNLBrvfVPgtLnZ7ibj8qNrEGD8=,tag:drEK1+qeJy97rgeQJyqucA==,type:str]
+    lastmodified: "2025-08-03T01:13:50Z"
+    mac: ENC[AES256_GCM,data:oFbwmbLk3z6oYQMCEcFAGstf6DUT7hh9OUa5HVyeIR15YVgJ9/0hwZPG1m00w1HpKjt7/iVnQQYdPvt00snwn7g0M822MquMbwavozOrWWuhpxlzjM1kn/zTHAPFMmDihAciuQSSk43Dc5FRS5Gc6gwonEsJ5EUqcq2nM/cnAUY=,iv:H1CEaaypKUMCd2zJOXhIUQQqTfOwknG+iBOpgYlirmY=,tag:gKX+OTZ+BrHvcwoyO6YFdA==,type:str]
     pgp:
         - created_at: "2025-07-30T18:27:50Z"
           enc: |-