From 9311a406180ffef31078fed66ee28a117b36a47e Mon Sep 17 00:00:00 2001
From: Joey Hafner
Date: Sat, 1 Feb 2025 00:27:21 -0800
Subject: [PATCH] Feature: Init stack.nix for gitea-runner.

- Move secrets.env to registration.token.
- Rotate key for registration token.
---
 .../stacks/gitea-runner/docker-compose.yml | 4 +-
 .../stacks/gitea-runner/registration.token | 24 ++++++++
 homelab/stacks/gitea-runner/secrets.env | 58 -------------------
 homelab/stacks/gitea-runner/stack.nix | 21 +++++++
 4 files changed, 47 insertions(+), 60 deletions(-)
 create mode 100644 homelab/stacks/gitea-runner/registration.token
 delete mode 100644 homelab/stacks/gitea-runner/secrets.env
 create mode 100644 homelab/stacks/gitea-runner/stack.nix

diff --git a/homelab/stacks/gitea-runner/docker-compose.yml b/homelab/stacks/gitea-runner/docker-compose.yml
index 9a458003..4aef0110 100644
--- a/homelab/stacks/gitea-runner/docker-compose.yml
+++ b/homelab/stacks/gitea-runner/docker-compose.yml
@@ -4,10 +4,10 @@ services:
 image: gitea/act_runner:latest
 volumes:
 - ./config.yaml:/config.yaml
- - ./registration.token:/registration.token
 - /var/run/docker.sock:/var/run/docker.sock
 environment:
 CONFIG_FILE: /config.yaml
 GITEA_INSTANCE_URL: https://gitea.jafner.tools
 env_file:
- - ./secrets.env # Defines GITEA_RUNNER_REGISTRATION_TOKEN
\ No newline at end of file
+ - path: /run/secrets/gitea-runner # Defines GITEA_RUNNER_REGISTRATION_TOKEN
+ required: true
\ No newline at end of file
diff --git a/homelab/stacks/gitea-runner/registration.token b/homelab/stacks/gitea-runner/registration.token
new file mode 100644
index 00000000..5d61b3a2
--- /dev/null
+++ b/homelab/stacks/gitea-runner/registration.token
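Review bot: The new `env_file` entry `path: /run/secrets/gitea-runner` ties this compose file to a host path that only exists once sops-nix has rendered the `sops.secrets."gitea-runner"` entry in stack.nix, and the inline comment does not say where the file comes from or what shape it must have. `env_file` reads `KEY=VALUE` lines, so the decrypted secret must be exactly `GITEA_RUNNER_REGISTRATION_TOKEN=<token>`; any other rendering (the sops JSON wrapper, a YAML dump) would likely leave the variable unset and surface only when the runner fails to register. Suggest widening the comment to `# Defines GITEA_RUNNER_REGISTRATION_TOKEN; KEY=VALUE file rendered by sops-nix from stack.nix (sops.secrets."gitea-runner")`. `required: true` is the right choice, since a missing secret then fails at compose start rather than at registration. The `/var/run/docker.sock` mount kept as context gives every CI job effective control of the host Docker daemon; that is pre-existing rather than introduced here, but it is worth a comment on the volume line so the trust level of this runner stays visible.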
@@ -0,0 +1,24 @@
+{
+ "data": "ENC[AES256_GCM,data:pgWlw0dukkVOGUiRN4m3SblKS/pKB4yvRadvfsOAnrHtXMC+L+LXJf757btpGL+mHpjYzRCk4F4C/4SmmtFdag0kQHRd4vOn,iv:ET7Bv4RDj/nNl5GzX2iOxP8CObY+KLmddxZAFAurkwo=,tag:qSAgiAN5yZuYRXkcUIbP9w==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRHhsOEliTWl5RmVYdTNh\nVm5Pb2txSjhpS04rY1hCbkJwRmMyWDFKRzFBCi9ySkNjU2RVbXlMVFU3cFpjenpa\nM2dpNXhhbUVGQk0xNnBVQXlXL29SUEkKLS0tIFBaYmNnVTBvRXNIdStua1FmdjdK\nRlphQ3JTZ0YxVmRZajBVNVdtdzJXUlUKK/BjfmFvmdr5hM8YZWqNbpgJHsCC7vm2\nAYNnFkIh/oRZou76Wqnrl8/87li8CXZnDhrlbso8DsppNmIu3lIHDg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYVFgrcGpDcmtTbDJKRzMw\nY29kRzc0UFVLT05jaHRGUDNFcjVQd0hlTUhzCkhybWMrcWtxbzFNM2c5dEcwSGNw\nUUpSMzNhemYwSm5GbldRekZ1KzhNNHMKLS0tIE1lS1RXOHMvZFFDVHFwVFJZTDRn\nZ25nRnQxNTJOc3lmTzBLRFAyMXJrOUkKL/X3CDDqJev4Vzy7Y0q+mJBGvnWKBMi9\nUIJQQQPdTbn5le7BmYe060nxQoac/VG3685BtrTaO3cxHr5u16iRDQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-02-01T08:24:22Z",
+ "mac": "ENC[AES256_GCM,data:dGu/OD9Ih5K85tRf0iolAH9lhaklDgPWehHSavnLC77F6LoE08kIbg2OBMZpQXprmnGEdrk0xsiCV5zyXYr7Migp+JUSueEYjBZO6vPZz0JH6RtYm07k2XDqFKgICjyZaz8pT6lLRVfgszr1eTNMNBcuUQ/d3IuN6Axej8l59PM=,iv:44E70lC5HscQcXEvBI+HrZTTcOQmMV7PJYsb3sKwbaM=,tag:zr0fdyMY6CA4aIVTpReefw==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.2"
+ }
+}
\ No newline at end of file
diff --git a/homelab/stacks/gitea-runner/secrets.env b/homelab/stacks/gitea-runner/secrets.env
deleted file mode 100644
index dfe5777b..00000000
--- a/homelab/stacks/gitea-runner/secrets.env
+++ /dev/null
@@ -1,58 +0,0 @@
-{
- "GITEA_RUNNER_REGISTRATION_TOKEN": "ENC[AES256_GCM,data:n1LLmwwqtoZYJ8AirNlOZFer+CT6dD3E5RIrEF9cqY7/HgNW8vU3oA==,iv:rFSJlvQ34u4uMPWlZCjyRlP42YPPaGkG3kHPReGRhBg=,tag:BwdkvNGL5o67Wa/PngkdRQ==,type:str]",
- "sops": {
- "shamir_threshold": 2,
- "key_groups": [
- {
- "hc_vault": null,
- "age": [
- {
- "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSVpoOTQvTVRYNjdscEpy\nNGZzSzBrL1Z1NjJ2YVZSWEtqVG5uWkNvTlhvCkZVdWllTU93Nlg3aklrWkNmUXow\nWW51ZS9DaWJmQWgrVWlxQlJZenUwU3MKLS0tIEZVRHhHbDdMNWxmUUhNbUdjdHpY\nYUxJMUFCWHZKMHFPV1I3MldITW84K1EKUK+2E93+2iyVibN5+C+VK8SESdHCpkWK\nqW6+sPFTxmDP4sz9dviNQID1BbL48E4VEBxwRoSnzUcwHS0qwTE6M58=\n-----END AGE ENCRYPTED FILE-----\n"
- }
- ]
- },
- {
- "hc_vault": null,
- "age": [
- {
- "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSEFxbzk2QjN0SVc0ZGRw\nUzVCRG41WnRWZDRMOEY3QXllZVRFUm5zVVhZCkxXY3EzbFRwRmVpUThEN0ZESlB5\nYmh1L3Fhc2E4UnhUSXlwalZPeGE3Q3MKLS0tIHArRWlEd2tGTGd1N1RtSEg0Z3NC\nQ1J1bDZNa1RQa1pmRzlQK0JnZDlpaDAKGG+88NFHlac/uAH+peCQ387TcVimccr3\na/vzPw8ugR2gLdKqvBSwuPFJwy/LEm1hKGI4+/gnddyAglfEbFOSrbA=\n-----END AGE ENCRYPTED FILE-----\n"
- }
- ]
- },
- {
- "hc_vault": null,
- "age": [
- {
- "recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbURORWdrYi9FcHo5eUkz\nT0FLTWVtZ1hBTTB0MjRCQ1RtakRvMWNhcFQ0CnhBQUdEYWVtYjNXRTlRVXY2c3Nl\nS0ZHYmJJQ3VTNTdRVHhMUTRtQzJaeUUKLS0tIGdpSDYwOXJTVEN2aGhPc0d4ZkNo\nRm9BLzR2a0ZmQXJwL3UxVTZiSzJnM0UK8lMLWn3TO75GrMhI0iSMQnF8sBfE1nUb\nBHjlR5PggfuewrFSqPHcsyyGitR0MFkRl4r2j9/sf1Vyqnp7KYiq05k=\n-----END AGE ENCRYPTED FILE-----\n"
- }
- ]
- },
- {
- "hc_vault": null,
- "age": [
- {
- "recipient": 
"age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMRVNYVDEwZXNYcTJyR0o5\nYlcrK1BOenFEM1I0Q3plWW8vUzg1VkVVd0hZCitQL2Z0bGpyS2k4OEg0WE5oWDl1\nR2ErTGRONXJoSUdpd3czU3BjVWNENEkKLS0tIDkxMjdncm41b1BOY3JuSXB3UHBs\ncEdISHpzY3V0QWMxRmxYOXUyRFA0bWMKk5aHC+yqP9pdYjJQBv3GnWvvk1PAXIdZ\nG+qX6nSgsLbRu5RwFlaxtMl+pp+8ctaiOVqbJDEKlV5x3v/fpQRPdfI=\n-----END AGE ENCRYPTED FILE-----\n"
- },
- {
- "recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RzVhL2lEdzdtWDkrOER3\nVkRFa3dYdFZUQnY5K21mcWFTczViZlJMZkQ0CkNrSmpSdDNuMWRZRTVMTmQ0Zm41\ndVk2UVY0alg5a1RJcTc5cStKV0twc2cKLS0tIFREbTRRT1g4TWV6bmlKekdGRnNS\nL3ZENVdPcEFuSC9Tb2Z6czhtWTJlQ3MKk5NgF2Wmepx+OMoP632uW7jmIeKIFS5G\nE6Vqd8B/sAil8MAc/kK+fKXm3cSnHNI0gv+UzFVB9iU0Nxb5WyK48AI=\n-----END AGE ENCRYPTED FILE-----\n"
- }
- ]
- }
- ],
- "kms": null,
- "gcp_kms": null,
- "azure_kv": null,
- "hc_vault": null,
- "age": null,
- "lastmodified": "2024-08-30T03:21:43Z",
- "mac": "ENC[AES256_GCM,data:cyNCA1sZsftZ9vRRXO5pawg13xq/oWdVFb+zZnxUcd+n83lIdo4vRx1R5lVZWhvJRIcz7Zf6oFGEQwEHAW85DWvgRC8WIyuGnEmSNS9+n5SGC9cBLhrieqPqvkqc3F6RilVq5v8JPUU0/1zk5805LiaNVkuoLZ/L4nKSPuYoH4o=,iv:osE9t+t8xTEiTYbii4VTZFz/Lrq4HJoV2RwAlAEblKk=,tag:81sVG9nEVg+kyt4omCo59w==,type:str]",
- "pgp": null,
- "unencrypted_suffix": "_unencrypted",
- "version": "3.9.0"
- }
-}
\ No newline at end of file
diff --git a/homelab/stacks/gitea-runner/stack.nix b/homelab/stacks/gitea-runner/stack.nix
new file mode 100644
index 00000000..3ab6ec3f
--- /dev/null
+++ b/homelab/stacks/gitea-runner/stack.nix
@@ -0,0 +1,21 @@
+{ sys, ... }: let stack = "gitea-runner"; in {
+ home-manager.users."${sys.username}".home.file = {
+ "${stack}" = {
+ enable = true;
+ recursive = true;
+ source = ./.;
+ target = "stacks/${stack}/";
+ };
+ "${stack}/.env" = {
+ enable = true;
+ text = ''APPDATA=${sys.dataDirs.appdata}/${stack}'';
+ target = "stacks/${stack}/.env";
+ };
+ };
+ sops.secrets."${stack}" = {
+ sopsFile = ./registration.token;
+ key = "";
+ mode = "0440";
+ owner = sys.username;
+ };
+}
\ No newline at end of file
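Review bot: `sops.secrets."${stack}"` uses `key = ""` (whole-file decrypt) but sets no `format`, and registration.token has the top-level `"data"` layout that sops produces for files encrypted as binary, so sops-nix's default format (yaml) is likely to render the secret in the wrong shape for the `env_file` consumer in docker-compose.yml; if the file was indeed encrypted as binary, add `format = "binary";` next to `sopsFile = ./registration.token;` so the decrypted bytes are written to /run/secrets/gitea-runner unchanged. The block would also benefit from a short comment stating the contract, e.g. `# Whole-file decrypt; rendered to /run/secrets/gitea-runner and read by docker-compose.yml as a KEY=VALUE env_file`. `mode = "0440"` with `owner = sys.username` leaves the group at sops-nix's default, which is worth setting explicitly since the file is group-readable. Separately, `source = ./.` with `recursive = true` copies the whole stack directory, including registration.token and this file, into the world-readable Nix store; that is fine for ciphertext but means no plaintext secret may ever be placed in this directory, and a comment on `source` saying so would prevent a future mistake.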