authorFranck Cuny <franck@fcuny.net>2022-07-18 17:33:26 -0700
committerFranck Cuny <franck@fcuny.net>2022-07-18 17:34:55 -0700
commit3f670b25133e929d8a6be2aff6ae648ee18f81a2 (patch)
tree35d5323d57233277e1e106b4981204ca3483295d
parentfix(modules/backup): reduce verbosity for restic (diff)
downloadworld-3f670b25133e929d8a6be2aff6ae648ee18f81a2.tar.gz
feat(modules/gerrit): manage secure configuration with nix
Currently the secure configuration for gerrit is not managed by nix.
This is likely going to break in the future and I'll hate myself for
that. Let's move it into nix and encrypt it with age, like we do for
other secrets.

Change-Id: Ia7a006748a3ad64fa4b97ca9e8cbd98c99433982
Reviewed-on: https://cl.fcuny.net/c/world/+/622
Tested-by: CI
Reviewed-by: Franck Cuny <franck@fcuny.net>
-rw-r--r--docs/gerrit.org2
-rw-r--r--hosts/tahoe/secrets/gerrit/secure-config.agebin0 -> 717 bytes
-rw-r--r--hosts/tahoe/secrets/secrets.nix6
-rw-r--r--modules/services/gerrit/default.nix1
4 files changed, 8 insertions, 1 deletions
diff --git a/docs/gerrit.org b/docs/gerrit.org
index fa993c7..bee0509 100644
--- a/docs/gerrit.org
+++ b/docs/gerrit.org
@@ -6,7 +6,7 @@ A gerrit instance is running at [[https://cl.fcuny.net][cl.fcuny.net]].
 - branches other than main can be pushed to the server
 - the main branch can only be modified by gerrit
 * Secure configuration
-The file =/var/lib/gerrit/etc/secure.config= is not (yet) managed by nix. The file contains:
+The file =/var/lib/gerrit/etc/secure.config= is managed by nix. The file contains:
 #+begin_src ini
 [auth]
   registerEmailPrivateKey = <redacted>
diff --git a/hosts/tahoe/secrets/gerrit/secure-config.age b/hosts/tahoe/secrets/gerrit/secure-config.age
new file mode 100644
index 0000000..45d0c42
--- /dev/null
+++ b/hosts/tahoe/secrets/gerrit/secure-config.age
Binary files differ
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index 031426f..d3571f4 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -31,6 +31,12 @@ in
     mode = "0440";
   };
 
+  "gerrit/secure-config.age" = {
+    publicKeys = all;
+    owner = "git";
+    path = "/var/lib/gerrit/etc/secure.config";
+  };
+
   "syncthing/key.age" = {
     publicKeys = all;
     owner = "fcuny";
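Review bot: The new `"gerrit/secure-config.age"` entry sets `owner` and `path` but no `mode`, so the decrypted `/var/lib/gerrit/etc/secure.config` gets whatever permission the agenix module defaults to, whereas the neighbouring entry at the top of the hunk pins `mode = "0440";` explicitly. Because this file carries credentials (the docs hunk in the same commit lists `registerEmailPrivateKey` in it), the permission should be stated rather than inherited, e.g. `mode = "0400";` after the `owner = "git";` line, or `"0440"` together with a `group` if gerrit reads it through a group. Whether `git` is the account the gerrit service actually runs as is not visible here; confirm it matches the service's user before merging. The enclosing attribute set starts and ends outside the hunk.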
diff --git a/modules/services/gerrit/default.nix b/modules/services/gerrit/default.nix
index 9ae9e50..1592839 100644
--- a/modules/services/gerrit/default.nix
+++ b/modules/services/gerrit/default.nix
@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:
 let
   cfg = config.my.services.gerrit;
+  secrets = config.age.secrets;
 
   my-gerrit-hook = name:
     pkgs.writeShellScript "my-gerrit-hook" ''
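Review bot: The added `secrets = config.age.secrets;` binding is not referenced anywhere in this hunk, and the diffstat reports a single insertion for this file, so nothing in this commit appears to use it. If the intent is for the gerrit service to depend on the decrypted secret (for example by referencing the secret's `.path` attribute through `secrets` in the service definition), that wiring is still missing; otherwise the binding is dead code and should be dropped rather than left to confuse the next reader. The `let` block continues past the end of the hunk, so a pre-existing use further down cannot be ruled out from what is shown.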