Server/forgejo: use ssh host key from secrets

2024-04-23 13:47:41 +02:00 · 2024-04-23 13:47:41 +02:00 · c603df28bf
commit c603df28bf
parent 3d439c4893
1 changed files with 21 additions and 1 deletions
--- a/roles/server/forgejo.nix
+++ b/roles/server/forgejo.nix
@ -1,8 +1,26 @@
 {
  config,
  lib,
+  flakeSelf,
  ...
-}: {
+}: let
+  hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
+in {
+  age.secrets = {
+    forgejo-host-key = {
+      file = hostSecrets + "forgejoPrivateKey.age";
+      mode = "0400";
+      owner = "forgejo";
+      group = "forgejo";
+    };
+    "forgejo-host-key.pub" = {
+      file = hostSecrets + "forgejoPublicKey.age";
+      mode = "0400";
+      owner = "forgejo";
+      group = "forgejo";
+    };
+  };
+
  specialisation.forgejoEnableRegistration.configuration.services.forgejo.settings.service.DISABLE_REGISTRATION = false;
  services.forgejo = {
    enable = true;
@ -14,6 +32,8 @@
        ROOT_URL = "http://git.everest.sable-pancake.ts.net";
        START_SSH_SERVER = true;
        SSH_PORT = 4222;
+        SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path;
+        SSH_SERVER_HOST_KEY = "forgejo-host-key";
      };
      repository = {
        ENABLE_PUSH_CREATE_USER = true;