Server: migrate secrets to sops

2025-12-08 17:51:55 +01:00 · 2025-12-08 17:51:55 +01:00 · b668212daf
commit b668212daf
parent 859a4b20a5
5 changed files with 35 additions and 63 deletions
--- a/roles/server/forgejo.nix
+++ b/roles/server/forgejo.nix
@ -1,24 +1,20 @@
 {
  config,
  lib,
-  flakeSelf,
  pkgs,
  ...
-}: let
-  hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
-in {
-  age.secrets = {
-    forgejo-host-key = {
-      file = hostSecrets + "forgejoPrivateKey.age";
-      mode = "0400";
-      owner = "forgejo";
-      group = "forgejo";
+}: {
+  sops.secrets = let
+    owner = config.services.forgejo.user;
+    group = config.services.forgejo.group;
+  in{
+    "forgejoHostKey/private" = {
+      inherit owner group;
+      name = "id_forgejo";
    };
-    "forgejo-host-key.pub" = {
-      file = hostSecrets + "forgejoPublicKey.age";
-      mode = "0400";
-      owner = "forgejo";
-      group = "forgejo";
+    "forgejoHostKey/public" = {
+      inherit owner group;
+      name = "id_forgejo.pub";
    };
  };

@ -36,8 +32,8 @@ in {
        ROOT_URL = "https://git.toast003.xyz";
        START_SSH_SERVER = true;
        SSH_PORT = 4222;
-        SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path;
-        SSH_SERVER_HOST_KEY = "forgejo-host-key";
+        SSH_SERVER_HOST_KEYS = config.sops.secrets."forgejoHostKey/private".path;
+        SSH_SERVER_HOST_KEY = "id_forgejo";
      };
      repository = {
        ENABLE_PUSH_CREATE_USER = true;