nixcfg/systems/x86_64-linux/mx/forgejo.nix
Harald Hoyer 01f42c0851 feat(sops): trigger service restarts on secret rotation
Wire up restartUnits on secrets whose consumers cache them in memory
(daemons read at startup), so sops-nix restarts the affected unit on
activation when the decrypted content changes:

- firefly: app_key → phpfpm-firefly-iii;
  auto_import_secret + access_token → phpfpm-firefly-iii-data-importer
- searx: secret_key → uwsgi
- opencode: web password → opencode-serve
- mail: sasl_passwd → postfix
- forgejo: gitea_dbpass → forgejo; runner-token → gitea-runner-default

Secrets read on demand by oneshots/timers (firefly sparda_pin, ntfy
token, restic backup creds, acme dns creds, wg conf) are left as-is.
2026-05-03 15:23:40 +02:00


# Forgejo (Git forge) plus one Forgejo Actions runner on this host.
#
# Both secrets come from sops-nix; each one lists the systemd unit that
# caches it in memory, so sops-nix restarts that unit on activation when
# the decrypted content changes.
{
  pkgs,
  config,
  ...
}:
let
  # One service account shared by the forge and its state directory.
  # Kept as a literal (not derived from config) so the users.users
  # attribute name is known without evaluating other options.
  svcUser = "gitea";
  svcGroup = "gitea";
  svcHome = "/var/lib/gitea";

  forgejoCfg = config.services.forgejo;
  dbPassSecret = config.sops.secrets."postgres/gitea_dbpass";
  runnerTokenSecret = config.sops.secrets."forgejo-runner-token";
in
{
  ##### Secrets ##########################################################

  sops.secrets = {
    # Password of the forge's Postgres role. Forgejo reads the file at
    # startup as its own user, hence the explicit owner (mode stays at the
    # sops-nix default). Rotating this secret restarts forgejo, but nothing
    # in this file changes the password on the Postgres role itself -- the
    # two must be rotated in lockstep or forgejo will not come back up.
    "postgres/gitea_dbpass" = {
      sopsFile = ../../../.secrets/hetzner/postgres.yaml; # bring your own password file
      owner = forgejoCfg.user;
      restartUnits = [ "forgejo.service" ];
    };

    # Registration token for the Actions runner. No owner is set, so the
    # decrypted file stays root-owned; NOTE(review): this relies on the
    # nixpkgs runner module handing tokenFile to systemd (environment-file
    # style, read before privileges are dropped) -- confirm against the
    # module if the runner fails to read it. A rotated token restarts the
    # runner unit.
    "forgejo-runner-token" = {
      sopsFile = ../../../.secrets/hetzner/forgejo-runner-token.yaml; # bring your own password file
      restartUnits = [ "gitea-runner-default.service" ];
    };
  };

  ##### Forge ############################################################

  services.forgejo = {
    enable = true;
    user = svcUser;
    group = svcGroup;
    stateDir = svcHome;

    database = {
      type = "postgres";
      name = "gitea";
      user = "gitea";
      passwordFile = dbPassSecret.path;
    };

    settings = {
      # Closed instance: accounts are created by an admin, never via sign-up.
      service.DISABLE_REGISTRATION = true;
      server = {
        DOMAIN = "git.hoyer.xyz";
        ROOT_URL = "https://git.hoyer.xyz/";
        # Plain HTTP on 3001, fronted by nginx (see the runner's nginx
        # dependency below). HTTP_ADDR is left at the module default;
        # NOTE(review): if that default binds all interfaces, consider
        # HTTP_ADDR = "127.0.0.1" so the unencrypted listener is
        # loopback-only instead of relying on the firewall.
        HTTP_PORT = 3001;
      };
      log.LEVEL = "Warn";
    };
  };

  ##### Service account ##################################################

  users.users.${svcUser} = {
    isSystemUser = true;
    group = svcGroup;
    home = svcHome;
    # A real login shell rather than nologin -- presumably needed so the
    # system sshd can run git commands as this user for git-over-SSH;
    # confirm before tightening.
    useDefaultShell = true;
  };
  users.groups.${svcGroup} = { };

  ##### Actions runner ###################################################

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
      enable = true;
      name = "base";
      url = "https://git.hoyer.xyz";
      tokenFile = runnerTokenSecret.path;
      # SECURITY NOTE: job containers share the host's network namespace.
      # Anything a workflow can execute therefore reaches every service
      # this host binds on loopback (the forge's plain-HTTP listener on
      # :3001, likely Postgres). Only repositories whose authors you trust
      # should be allowed to schedule jobs here; use a bridged network if
      # that is not the case.
      settings.container.network = "host";
      labels = [
        "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
        "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
        # NOTE(review): 20.04 appears to be past its standard support
        # window; drop the label once no workflow pins it.
        "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
        "nix:docker://git.hoyer.xyz/harald/nix-runner:latest"
      ];
    };
  };

  # The runner talks to the public HTTPS URL, which is presumably served by
  # nginx on this same host: start only after nginx, and stop with it.
  systemd.services.gitea-runner-default = {
    requires = [ "nginx.service" ];
    after = [ "nginx.service" ];
  };
}