move encrypted secrets near relevant files

2025-07-06 09:40:14 +00:00 · 2025-03-09 17:09:33 +00:00
parent f59ac536a2
commit 37d1d7724a
60 changed files with 27 additions and 94 deletions
--- a/platforms/nixos/modules/nmasur/presets/services/gitea-runner-local/gitea-runner-local.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/gitea-runner-local/gitea-runner-local.nix
@ -0,0 +1,71 @@
+# Gitea Actions is a CI/CD service for the Gitea source code server, meaning it
+# allows us to run code operations (such as testing or deploys) when our git
+# repositories are updated. Any machine can act as a Gitea Action Runner, so
+# the Runners don't necessarily need to be running Gitea. All we need is an API
+# key for Gitea to connect to it and register ourselves as a Runner.
+
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  inherit (config.nmasur.settings) hostnames;
+  cfg = config.nmasur.presets.services.gitea-runner-local;
+in
+
+{
+  options.nmasur.presets.services.gitea-runner-local.enable =
+    lib.mkEnableOption "Gitea Actions runner local to Gitea instance";
+
+  config = lib.mkIf cfg.enable {
+
+    services.gitea-actions-runner.instances.${config.networking.hostName} = {
+      enable = true;
+      labels = [
+        # Provide a Debian base with NodeJS for actions
+        # "debian-latest:docker://node:18-bullseye"
+        # Fake the Ubuntu name, because Node provides no Ubuntu builds
+        # "ubuntu-latest:docker://node:18-bullseye"
+        # Provide native execution on the host using below packages
+        "native:host"
+      ];
+      hostPackages = with pkgs; [
+        bash
+        coreutils
+        curl
+        gawk
+        gitMinimal
+        gnused
+        nodejs
+        wget
+      ];
+      name = config.networking.hostName;
+      url = "https://${hostnames.git}";
+      tokenFile = config.secrets.giteaRunnerToken.dest;
+    };
+
+    # Make sure the runner doesn't start until after Gitea
+    systemd.services."gitea-runner-${config.networking.hostName}".after = [ "gitea.service" ];
+
+    # API key needed to connect to Gitea
+    secrets.giteaRunnerToken = {
+      source = ./gitea-runner-token.age; # TOKEN=xyz
+      dest = "${config.secretsDirectory}/gitea-runner-token";
+    };
+    systemd.services.giteaRunnerToken-secret = {
+      requiredBy = [
+        "gitea-runner-${
+          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
+        }.service"
+      ];
+      before = [
+        "gitea-runner-${
+          config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
+        }.service"
+      ];
+    };
+  };
+}
--- a/platforms/nixos/modules/nmasur/presets/services/gitea-runner-local/gitea-runner-token.age
+++ b/platforms/nixos/modules/nmasur/presets/services/gitea-runner-local/gitea-runner-token.age
@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBiVDgy
+QmFNcGNSeWx4bS9VVHdocFVFUndkQ2g0ZU9LdEdaTU5Mc1JGZ1I0CkExek1Pd1Ry
+Z3RGR3JIdXdJNHNyYTlJeEIrR1NVa3JTbjBzZmFDZk5YL00KLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIHUxN1BvTFJwby9mUC82QzFRMGNwaEovcnRJVE9YU2doM2djazVw
+K2oveTAKaldCZ0haUlNoK1BtK0NQR3VyTmNDbmlKSnBlZGNSazlFYzRsV2xWNHNI
+OAotPiBzc2gtZWQyNTUxOSBuanZYNUEgaVFUbnZ4eU83K0JlRXozSW5Yekc4MVlF
+QmdlbEV4NHpWN3BwdVVUZFhCQQpkVExtZlhKeHlVZzNtZU9vQmlNRGhqQTl3WVIz
+cnYxMkFiT3pBZEo5Z1B3Ci0+IHNzaC1lZDI1NTE5IENxSU9VQSBGaE1YdmRaSFNK
+L25uSVp2SjNhME1PUVFNeVJDNDFBSnZKeVE5NGxHcEZnCmJjS0czOHA0bTIyVTMv
+SHY0blBLY3d5Y29vR2RiM3JHOVlIb01LSzNTSzQKLT4gc3NoLWVkMjU1MTkgejFP
+Y1p3IGdWRUYxbjJySXdHK2UvdnlPaWNMcTZuUklacnNwY2dKNTh0MklYYit1bTAK
+Uk1OMExEOC9DMTZRbHNOZ2R4aWI1dVppNHZGenh4dStCYzV2bjlQamVlTQotLS0g
+cUJud2k1SmxoUWxnUEJsdnNFQVlJZG9qSjVQWXA0ZWQwK09Uci9QNnh2awqOJikC
+R8H3k0kHUew/tr0Oi8ASuS15La6bb6NxIpC/7edoNf996pxToLeHy8fOJlnPKSEb
+hw+GvqIsP+6F7BD3rCOh2d+1ZbIHjcOkX94u
+-----END AGE ENCRYPTED FILE-----