Drift/pvv-nixos-config
17
5
Fork 2
Code Issues Pull Requests 9 Actions Wiki Activity

Compare commits

base: Drift:gitea-runners-secrets
Branches Tags
Drift:main Drift:minecraft-heatmap Drift:fix-import-gitea-users-script Drift:gitea-runners-secrets Drift:gitea-runners-cluster Drift:25.05 Drift:new_nodes Drift:ooye Drift:grg-ip Drift:nom Drift:add-skrott Drift:pvvvvv Drift:setup-git-mirroring-on-bicep Drift:init-bakke Drift:gitea-show-license-in-list-view Drift:nix-topology Drift:gitea-robots-txt Drift:dagali-heimdal-openldap-sasl-stack Drift:gitea-navbar-get-started Drift:backup-databases Drift:openwebui Drift:setup-openvpn-tunnel Drift:gitea-gpg-signing Drift:sleipner-authorised-keys Drift:openstack-image-builder Drift:elysium Drift:smartd-notifs Drift:systemd-journald-remote Drift:skrot Drift:deploy-doorbell Drift:misc-gitea-fixes Drift:spotifyd Drift:remote Drift:setup-bikkje-login Drift:ozai-prod Drift:add-bluemap Drift:ozai Drift:setup-postfix-for-service-machines Drift:fix-gitea-ci-runner-network-issues Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud Drift:gitea-metrics Drift:misc1 Drift:add-simple-saml-theme Drift:misc-extra-gitea-setup Drift:setup-kerberos Drift:setup-home-areas Drift:shark-kanidm Drift:prometheusexim
..
compare: Drift:fix-import-gitea-users-script
Branches Tags
Drift:main Drift:minecraft-heatmap Drift:fix-import-gitea-users-script Drift:gitea-runners-secrets Drift:gitea-runners-cluster Drift:25.05 Drift:new_nodes Drift:ooye Drift:grg-ip Drift:nom Drift:add-skrott Drift:pvvvvv Drift:setup-git-mirroring-on-bicep Drift:init-bakke Drift:gitea-show-license-in-list-view Drift:nix-topology Drift:gitea-robots-txt Drift:dagali-heimdal-openldap-sasl-stack Drift:gitea-navbar-get-started Drift:backup-databases Drift:openwebui Drift:setup-openvpn-tunnel Drift:gitea-gpg-signing Drift:sleipner-authorised-keys Drift:openstack-image-builder Drift:elysium Drift:smartd-notifs Drift:systemd-journald-remote Drift:skrot Drift:deploy-doorbell Drift:misc-gitea-fixes Drift:spotifyd Drift:remote Drift:setup-bikkje-login Drift:ozai-prod Drift:add-bluemap Drift:ozai Drift:setup-postfix-for-service-machines Drift:fix-gitea-ci-runner-network-issues Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud Drift:gitea-metrics Drift:misc1 Drift:add-simple-saml-theme Drift:misc-extra-gitea-setup Drift:setup-kerberos Drift:setup-home-areas Drift:shark-kanidm Drift:prometheusexim

2 Commits
gitea-runn ... fix-import

Author SHA1 Message Date
h7x4
d44699e9f8 WIP: fix import-gitea-users script
Some checks failed
Eval nix flake / evals (push) Failing after 27s
Details
2025-08-14 20:41:15 +02:00
h7x4
2010556643 kommode/gitea: fix declarative secrets
Some checks failed
Eval nix flake / evals (push) Failing after 29s
Details
2025-08-03 04:44:37 +02:00
5 changed files with 24 additions and 11 deletions
Expand all files Collapse all files

6
hosts/kommode/services/gitea/default.nix
View File

@@ -51,11 +51,11 @@ in {
START_SSH_SERVER = true; START_SSH_SERVER = true;
START_LFS_SERVER = true; START_LFS_SERVER = true;
LFS_JWT_SECRET = lib.mkForce ""; LFS_JWT_SECRET = lib.mkForce "";
LFS_JWT_SECRET_URI = config.sops.secrets."gitea/lfs-jwt-secret".path; LFS_JWT_SECRET_URI = "file:${config.sops.secrets."gitea/lfs-jwt-secret".path}";
}; };
oauth2 = { oauth2 = {
JWT_SECRET = lib.mkForce ""; JWT_SECRET = lib.mkForce "";
JWT_SECRET_URI = config.sops.secrets."gitea/oauth2-jwt-secret".path; JWT_SECRET_URI = "file:${config.sops.secrets."gitea/oauth2-jwt-secret".path}";
}; };
"git.timeout" = { "git.timeout" = {
MIGRATE = 3600; MIGRATE = 3600;
@@ -85,7 +85,7 @@ in {
session.COOKIE_SECURE = true; session.COOKIE_SECURE = true;
security = { security = {
SECRET_KEY = lib.mkForce ""; SECRET_KEY = lib.mkForce "";
SECRET_KEY_PATH = config.sops.secrets."gitea/secret-key".path; SECRET_KEY_URI = "file:${config.sops.secrets."gitea/secret-key".path}";
}; };
database.LOG_SQL = false; database.LOG_SQL = false;
repository = { repository = {

4
hosts/kommode/services/gitea/import-users/default.nix
View File

@@ -11,7 +11,8 @@ in
systemd.services.gitea-import-users = lib.mkIf cfg.enable { systemd.services.gitea-import-users = lib.mkIf cfg.enable {
enable = true; enable = true;
preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import''; preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
serviceConfig = { serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" { ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
flakeIgnore = [ flakeIgnore = [
@@ -25,6 +26,7 @@ in
]; ];
DynamicUser="yes"; DynamicUser="yes";
EnvironmentFile=config.sops.secrets."gitea/import-user-env".path; EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
RuntimeDirectory = "gitea-import-users";
}; };
}; };

7
hosts/kommode/services/gitea/import-users/gitea-import-users.py
View File

@@ -17,6 +17,10 @@ GITEA_API_URL = os.getenv('GITEA_API_URL')
if GITEA_API_URL is None: if GITEA_API_URL is None:
GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1' GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
PASSWD_FILE_PATH = os.getenv('PASSWD_FILE_PATH')
if PASSWD_FILE_PATH is None:
PASSWD_FILE_PATH = '/tmp/passwd-import'
def gitea_list_all_users() -> dict[str, dict[str, any]] | None: def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
r = requests.get( r = requests.get(
@@ -187,7 +191,8 @@ def main():
if existing_users is None: if existing_users is None:
exit(1) exit(1)
for username, name in passwd_file_parser("/tmp/passwd-import"): print(f"Reading passwd entries from {PASSWD_FILE_PATH}")
for username, name in passwd_file_parser(PASSWD_FILE_PATH):
print(f"Processing {username}") print(f"Processing {username}")
add_or_patch_gitea_user(username, name, existing_users) add_or_patch_gitea_user(username, name, existing_users)
for org, team_name in COMMON_USER_TEAMS: for org, team_name in COMMON_USER_TEAMS:

8
hosts/lupine/services/gitea-runner.nix
View File

@@ -6,14 +6,16 @@
# successfully registered will gitea give you the next token. # successfully registered will gitea give you the next token.
# - oysteikt Sep 2023 # - oysteikt Sep 2023
sops = { sops = {
secrets."gitea/runners/token" = { }; secrets."gitea/runners/token" = {
key = "gitea/runners/${lupineName}";
};
templates."gitea-runner-envfile" = { templates."gitea-runner-envfile" = {
restartUnits = [ restartUnits = [
"gitea-runner-${lupineName}.service" "gitea-runner-${lupineName}.service"
]; ];
content = '' content = ''
TOKEN=${config.sops.placeholder."gitea/runners/token"} TOKEN="${config.sops.placeholder."gitea/runners/token"}"
''; '';
}; };
}; };
@@ -39,5 +41,5 @@
networking.dhcpcd.IPv6rs = false; networking.dhcpcd.IPv6rs = false;
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 5353 ]; networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
} }

10
secrets/lupine/lupine.yaml
View File

@@ -1,6 +1,10 @@
gitea: gitea:
runners: runners:
token: ENC[AES256_GCM,data:Y27trzUHuA1k9fVs/3PM/L8aIlI+37nAPTVDgWjBX+K4q23saa5XUA==,iv:J4litvX0ip/a340E7S+XHZQG+BGh+K/RzFxdS1VLwA0=,tag:H4oK4vn27U+yXqa/YQJOxA==,type:str] lupine-1: ENC[AES256_GCM,data:UcZB2p/dInvcl0yNBEohzbmcVxg/QQPXlIsaVB3M3hyxFg1gtGfUGA==,iv:OigyPfPoRIjvyiId7hiiWdNrZqyZqI3OonvJC+zYEzI=,tag:SjBsvo/IJKhFQs+PiI596g==,type:str]
lupine-2: null
lupine-3: null
lupine-4: null
lupine-5: null
sops: sops:
age: age:
- recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
@@ -93,8 +97,8 @@ sops:
YU5mMDlRckJCMDAzcHYyMWN1clRJRVEK77PiAQP+2+WblGYEgAf6bx6RTh0JHiSZ YU5mMDlRckJCMDAzcHYyMWN1clRJRVEK77PiAQP+2+WblGYEgAf6bx6RTh0JHiSZ
/jPIN/rbAKNv36wpZDbuLV8tcMuvhleNMRSSqbIloLSzww+Z5nOU4A== /jPIN/rbAKNv36wpZDbuLV8tcMuvhleNMRSSqbIloLSzww+Z5nOU4A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-03T01:13:50Z" lastmodified: "2025-07-30T18:29:08Z"
mac: ENC[AES256_GCM,data:oFbwmbLk3z6oYQMCEcFAGstf6DUT7hh9OUa5HVyeIR15YVgJ9/0hwZPG1m00w1HpKjt7/iVnQQYdPvt00snwn7g0M822MquMbwavozOrWWuhpxlzjM1kn/zTHAPFMmDihAciuQSSk43Dc5FRS5Gc6gwonEsJ5EUqcq2nM/cnAUY=,iv:H1CEaaypKUMCd2zJOXhIUQQqTfOwknG+iBOpgYlirmY=,tag:gKX+OTZ+BrHvcwoyO6YFdA==,type:str] mac: ENC[AES256_GCM,data:47cki5ucPTVd4JuEyK0QkDCCEqj1pW6SA5I6ihC/MEja6TIuHTcEPFpje8+LvpGjpP9uobKX4g3UcyvkJ63j/k3hU0xPYQX3Z1ee00KIMKB0GHNjUR8ENtnwd3TU7kp5ohtXeCtcyzCjdFFuXp8AINGv3vpbU2MzauctUxn5B1Y=,iv:1mpk/f1QlRtHfA9dqyNLBrvfVPgtLnZ7ibj8qNrEGD8=,tag:drEK1+qeJy97rgeQJyqucA==,type:str]
pgp: pgp:
- created_at: "2025-07-30T18:27:50Z" - created_at: "2025-07-30T18:27:50Z"
enc: |- enc: |-