Compare commits

..

1 Commits

Author SHA1 Message Date
7cf1c0b6e7 lupine: add runner token for all runners
Some checks failed
Eval nix flake / evals (push) Failing after 13s
2025-08-03 04:36:25 +02:00
5 changed files with 11 additions and 24 deletions

View File

@@ -51,11 +51,11 @@ in {
START_SSH_SERVER = true;
START_LFS_SERVER = true;
LFS_JWT_SECRET = lib.mkForce "";
LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
LFS_JWT_SECRET_URI = config.sops.secrets."gitea/lfs-jwt-secret".path;
};
oauth2 = {
JWT_SECRET = lib.mkForce "";
JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
JWT_SECRET_URI = config.sops.secrets."gitea/oauth2-jwt-secret".path;
};
"git.timeout" = {
MIGRATE = 3600;
@@ -85,7 +85,7 @@ in {
session.COOKIE_SECURE = true;
security = {
SECRET_KEY = lib.mkForce "";
SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
SECRET_KEY_PATH = config.sops.secrets."gitea/secret-key".path;
};
database.LOG_SQL = false;
repository = {

View File

@@ -11,8 +11,7 @@ in
systemd.services.gitea-import-users = lib.mkIf cfg.enable {
enable = true;
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
flakeIgnore = [
@@ -26,7 +25,6 @@ in
];
DynamicUser="yes";
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
RuntimeDirectory = "gitea-import-users";
};
};

View File

@@ -17,10 +17,6 @@ GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
PASSWD_FILE_PATH = os.getenv('PASSWD_FILE_PATH')
if PASSWD_FILE_PATH is None:
PASSWD_FILE_PATH = '/tmp/passwd-import'
def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
r = requests.get(
@@ -191,8 +187,7 @@ def main():
if existing_users is None:
exit(1)
print(f"Reading passwd entries from {PASSWD_FILE_PATH}")
for username, name in passwd_file_parser(PASSWD_FILE_PATH):
for username, name in passwd_file_parser("/tmp/passwd-import"):
print(f"Processing {username}")
add_or_patch_gitea_user(username, name, existing_users)
for org, team_name in COMMON_USER_TEAMS:

View File

@@ -6,16 +6,14 @@
# successfully registered will gitea give you the next token.
# - oysteikt Sep 2023
sops = {
secrets."gitea/runners/token" = {
key = "gitea/runners/${lupineName}";
};
secrets."gitea/runners/token" = { };
templates."gitea-runner-envfile" = {
restartUnits = [
"gitea-runner-${lupineName}.service"
];
content = ''
TOKEN="${config.sops.placeholder."gitea/runners/token"}"
TOKEN=${config.sops.placeholder."gitea/runners/token"}
'';
};
};
@@ -41,5 +39,5 @@
networking.dhcpcd.IPv6rs = false;
networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 5353 ];
}

View File

@@ -1,10 +1,6 @@
gitea:
runners:
lupine-1: ENC[AES256_GCM,data:UcZB2p/dInvcl0yNBEohzbmcVxg/QQPXlIsaVB3M3hyxFg1gtGfUGA==,iv:OigyPfPoRIjvyiId7hiiWdNrZqyZqI3OonvJC+zYEzI=,tag:SjBsvo/IJKhFQs+PiI596g==,type:str]
lupine-2: null
lupine-3: null
lupine-4: null
lupine-5: null
token: ENC[AES256_GCM,data:Y27trzUHuA1k9fVs/3PM/L8aIlI+37nAPTVDgWjBX+K4q23saa5XUA==,iv:J4litvX0ip/a340E7S+XHZQG+BGh+K/RzFxdS1VLwA0=,tag:H4oK4vn27U+yXqa/YQJOxA==,type:str]
sops:
age:
- recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
@@ -97,8 +93,8 @@ sops:
YU5mMDlRckJCMDAzcHYyMWN1clRJRVEK77PiAQP+2+WblGYEgAf6bx6RTh0JHiSZ
/jPIN/rbAKNv36wpZDbuLV8tcMuvhleNMRSSqbIloLSzww+Z5nOU4A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-30T18:29:08Z"
mac: ENC[AES256_GCM,data:47cki5ucPTVd4JuEyK0QkDCCEqj1pW6SA5I6ihC/MEja6TIuHTcEPFpje8+LvpGjpP9uobKX4g3UcyvkJ63j/k3hU0xPYQX3Z1ee00KIMKB0GHNjUR8ENtnwd3TU7kp5ohtXeCtcyzCjdFFuXp8AINGv3vpbU2MzauctUxn5B1Y=,iv:1mpk/f1QlRtHfA9dqyNLBrvfVPgtLnZ7ibj8qNrEGD8=,tag:drEK1+qeJy97rgeQJyqucA==,type:str]
lastmodified: "2025-08-03T01:13:50Z"
mac: ENC[AES256_GCM,data:oFbwmbLk3z6oYQMCEcFAGstf6DUT7hh9OUa5HVyeIR15YVgJ9/0hwZPG1m00w1HpKjt7/iVnQQYdPvt00snwn7g0M822MquMbwavozOrWWuhpxlzjM1kn/zTHAPFMmDihAciuQSSk43Dc5FRS5Gc6gwonEsJ5EUqcq2nM/cnAUY=,iv:H1CEaaypKUMCd2zJOXhIUQQqTfOwknG+iBOpgYlirmY=,tag:gKX+OTZ+BrHvcwoyO6YFdA==,type:str]
pgp:
- created_at: "2025-07-30T18:27:50Z"
enc: |-