diff options
| author | Franck Cuny <franck@fcuny.net> | 2022-07-18 17:33:26 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2022-07-18 17:34:55 -0700 |
| commit | 3f670b25133e929d8a6be2aff6ae648ee18f81a2 (patch) | |
| tree | 35d5323d57233277e1e106b4981204ca3483295d | |
| parent | fix(modules/backup): reduce verbosity for restic (diff) | |
| download | world-3f670b25133e929d8a6be2aff6ae648ee18f81a2.tar.gz | |
feat(modules/gerrit): manage secure configuration with nix
Currently the secure configuration for gerrit is not managed by nix. This is likely going to break in the future and I'll hate myself for that. Let's move it into nix and encrypt it with age, like we do for other secrets. Change-Id: Ia7a006748a3ad64fa4b97ca9e8cbd98c99433982 Reviewed-on: https://cl.fcuny.net/c/world/+/622 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
| -rw-r--r-- | docs/gerrit.org | 2 | ||||
| -rw-r--r-- | hosts/tahoe/secrets/gerrit/secure-config.age | bin | 0 -> 717 bytes | |||
| -rw-r--r-- | hosts/tahoe/secrets/secrets.nix | 6 | ||||
| -rw-r--r-- | modules/services/gerrit/default.nix | 1 |
4 files changed, 8 insertions, 1 deletions
diff --git a/docs/gerrit.org b/docs/gerrit.org index fa993c7..bee0509 100644 --- a/docs/gerrit.org +++ b/docs/gerrit.org @@ -6,7 +6,7 @@ A gerrit instance is running at [[https://cl.fcuny.net][cl.fcuny.net]]. - branches other than main can be pushed to the server - the main branch can only be modified by gerrit * Secure configuration -The file =/var/lib/gerrit/etc/secure.config= is not (yet) managed by nix. The file contains: +The file =/var/lib/gerrit/etc/secure.config= is managed by nix. The file contains: #+begin_src ini [auth] registerEmailPrivateKey = <redacted> diff --git a/hosts/tahoe/secrets/gerrit/secure-config.age b/hosts/tahoe/secrets/gerrit/secure-config.age new file mode 100644 index 0000000..45d0c42 --- /dev/null +++ b/hosts/tahoe/secrets/gerrit/secure-config.age Binary files differdiff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix index 031426f..d3571f4 100644 --- a/hosts/tahoe/secrets/secrets.nix +++ b/hosts/tahoe/secrets/secrets.nix @@ -31,6 +31,12 @@ in mode = "0440"; }; + "gerrit/secure-config.age" = { + publicKeys = all; + owner = "git"; + path = "/var/lib/gerrit/etc/secure.config"; + }; + "syncthing/key.age" = { publicKeys = all; owner = "fcuny"; diff --git a/modules/services/gerrit/default.nix b/modules/services/gerrit/default.nix index 9ae9e50..1592839 100644 --- a/modules/services/gerrit/default.nix +++ b/modules/services/gerrit/default.nix @@ -1,6 +1,7 @@ { config, pkgs, lib, ... }: let cfg = config.my.services.gerrit; + secrets = config.age.secrets; my-gerrit-hook = name: pkgs.writeShellScript "my-gerrit-hook" '' |