From 3f670b25133e929d8a6be2aff6ae648ee18f81a2 Mon Sep 17 00:00:00 2001
From: Franck Cuny <franck@fcuny.net>
Date: Mon, 18 Jul 2022 17:33:26 -0700
Subject: feat(modules/gerrit): manage secure configuration with nix

Currently the secure configuration for gerrit is not managed by nix.
This is likely going to break in the future and I'll hate myself for
that. Let's move it into nix and encrypt it with age, like we do for
other secrets.

Change-Id: Ia7a006748a3ad64fa4b97ca9e8cbd98c99433982
Reviewed-on: https://cl.fcuny.net/c/world/+/622
Tested-by: CI
Reviewed-by: Franck Cuny <franck@fcuny.net>
---
 docs/gerrit.org                              |   2 +-
 hosts/tahoe/secrets/gerrit/secure-config.age | Bin 0 -> 717 bytes
 hosts/tahoe/secrets/secrets.nix              |   6 ++++++
 modules/services/gerrit/default.nix          |   1 +
 4 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 hosts/tahoe/secrets/gerrit/secure-config.age

diff --git a/docs/gerrit.org b/docs/gerrit.org
index fa993c7..bee0509 100644
--- a/docs/gerrit.org
+++ b/docs/gerrit.org
@@ -6,7 +6,7 @@ A gerrit instance is running at [[https://cl.fcuny.net][cl.fcuny.net]].
 - branches other than main can be pushed to the server
 - the main branch can only be modified by gerrit
 * Secure configuration
-The file =/var/lib/gerrit/etc/secure.config= is not (yet) managed by nix. The file contains:
+The file =/var/lib/gerrit/etc/secure.config= is managed by nix. The file contains:
 #+begin_src ini
 [auth]
   registerEmailPrivateKey = <redacted>
diff --git a/hosts/tahoe/secrets/gerrit/secure-config.age b/hosts/tahoe/secrets/gerrit/secure-config.age
new file mode 100644
index 0000000..45d0c42
Binary files /dev/null and b/hosts/tahoe/secrets/gerrit/secure-config.age differ
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index 031426f..d3571f4 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -31,6 +31,12 @@ in
     mode = "0440";
   };
 
+  "gerrit/secure-config.age" = {
+    publicKeys = all;
+    owner = "git";
+    path = "/var/lib/gerrit/etc/secure.config";
+  };
+
   "syncthing/key.age" = {
     publicKeys = all;
     owner = "fcuny";
diff --git a/modules/services/gerrit/default.nix b/modules/services/gerrit/default.nix
index 9ae9e50..1592839 100644
--- a/modules/services/gerrit/default.nix
+++ b/modules/services/gerrit/default.nix
@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:
 let
   cfg = config.my.services.gerrit;
+  secrets = config.age.secrets;
 
   my-gerrit-hook = name:
     pkgs.writeShellScript "my-gerrit-hook" ''
-- 
cgit 1.4.1