From 3f670b25133e929d8a6be2aff6ae648ee18f81a2 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Mon, 18 Jul 2022 17:33:26 -0700
Subject: feat(modules/gerrit): manage secure configuration with nix

Currently the secure configuration for gerrit is not managed by nix. This is likely going to break in the future and I'll hate myself for that. Let's move it into nix and encrypt it with age, like we do for other secrets.

Change-Id: Ia7a006748a3ad64fa4b97ca9e8cbd98c99433982
Reviewed-on: https://cl.fcuny.net/c/world/+/622
Tested-by: CI
Reviewed-by: Franck Cuny
---
 docs/gerrit.org | 2 +-
 hosts/tahoe/secrets/gerrit/secure-config.age | Bin 0 -> 717 bytes
 hosts/tahoe/secrets/secrets.nix | 6 ++++++
 modules/services/gerrit/default.nix | 1 +
 4 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 hosts/tahoe/secrets/gerrit/secure-config.age

diff --git a/docs/gerrit.org b/docs/gerrit.org
index fa993c7..bee0509 100644
--- a/docs/gerrit.org
+++ b/docs/gerrit.org
@@ -6,7 +6,7 @@ A gerrit instance is running at [[https://cl.fcuny.net][cl.fcuny.net]].
 - branches other than main can be pushed to the server
 - the main branch can only be modified by gerrit
 * Secure configuration
-The file =/var/lib/gerrit/etc/secure.config= is not (yet) managed by nix. The file contains:
+The file =/var/lib/gerrit/etc/secure.config= is managed by nix. The file contains:
 #+begin_src ini
 [auth]
 registerEmailPrivateKey =
diff --git a/hosts/tahoe/secrets/gerrit/secure-config.age b/hosts/tahoe/secrets/gerrit/secure-config.age
new file mode 100644
index 0000000..45d0c42
Binary files /dev/null and b/hosts/tahoe/secrets/gerrit/secure-config.age differ
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index 031426f..d3571f4 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -31,6 +31,12 @@ in
 mode = "0440";
 };
 
+ "gerrit/secure-config.age" = {
+ publicKeys = all;
+ owner = "git";
+ path = "/var/lib/gerrit/etc/secure.config";
+ };
+
 "syncthing/key.age" = {
 publicKeys = all;
 owner = "fcuny";
diff --git a/modules/services/gerrit/default.nix b/modules/services/gerrit/default.nix
index 9ae9e50..1592839 100644
--- a/modules/services/gerrit/default.nix
+++ b/modules/services/gerrit/default.nix
@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:
 let
 cfg = config.my.services.gerrit;
+ secrets = config.age.secrets;
 my-gerrit-hook = name:
 pkgs.writeShellScript "my-gerrit-hook" ''
-- cgit 1.4.1
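Review bot: The new `gerrit/secure-config.age` entry sets `owner` and `path` but neither `mode` nor a group, so the permissions of the decrypted secure.config fall back to agenix's defaults (0400 with the root group, if I remember the module correctly), while the entry directly above pins `mode = "0440";` explicitly. Since this file holds credentials such as registerEmailPrivateKey, I would state the intended permissions rather than depend on the default: `mode = "0400";`. Also worth confirming: with `path` pointing into /var/lib/gerrit/etc, agenix normally installs a symlink there rather than a regular file, so if the gerrit service re-runs its init step on start and tries to rewrite secure.config, that write may fail against a read-only target; a restart on tahoe should verify this.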
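Review bot: `secrets = config.age.secrets;` is bound in the `let` block but nothing in this commit references it — the diffstat shows exactly one insertion in modules/services/gerrit/default.nix — so the binding is dead as of this change. Presumably the module was meant to use `secrets` to reach the decrypted file's path (for example to point gerrit at it, or to order the service after the secret is provisioned); if so that wiring is missing, and if not the line should be dropped to avoid an unused binding. The `let` block continues past the hunk, and the hunk's final context line appears to have been lost when the patch was collapsed onto one line.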