From 95ebd02445c912908ac751818e11173d870108d6 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Thu, 5 Sep 2024 23:48:43 +0200
Subject: [PATCH] got started with sops and made forgejo use it
---
 .sops.yaml | 15 +++++++++++++++
 secrets/hosts/forgenite.yaml | 31 +++++++++++++++++++++++++++++++
 services/forgejo.nix | 2 +-
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/hosts/forgenite.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..f14f0e2
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,15 @@
+ keys:
+ - &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+ - &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+ creation_rules:
+ - path_regex: secrets/all/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *Lyn
+ - *forgenite
+ #hosts
+ - path_regex: secrets/hosts/forgenite.yaml
+ key_groups:
+ - age:
+ - *Lyn
+ - *forgenite
diff --git a/secrets/hosts/forgenite.yaml b/secrets/hosts/forgenite.yaml
new file mode 100644
index 0000000..39435ed
--- /dev/null
+++ b/secrets/hosts/forgenite.yaml
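Review bot: The second creation rule's `path_regex: secrets/hosts/forgenite.yaml` is unanchored and leaves the `.` unescaped, unlike the first rule, which ends in `$`; as a regex it also matches `secrets/hosts/forgenite.yaml.bak` or `other/secrets/hosts/forgenite_yaml`, so a stray file could silently be encrypted to this recipient set. Anchor and escape it to match the first rule: `- path_regex: ^secrets/hosts/forgenite\.yaml$`. It would also help to replace the bare `#hosts` with a comment recording what the `&forgenite` recipient is (presumably the host's own age key, but the patch does not show where it comes from), since whoever rotates that key later has to know to update both this file and every file encrypted under it.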
@@ -0,0 +1,31 @@
+forgejo:
+ db_password: ENC[AES256_GCM,data:Gkk441Tlty2ENGqBSDL/xSS75FOunM/Bfa0TBVV9KjW1DnD/Bx7lSw==,iv:V6g/vuPIhEE6OBaHDPdWIDdv7YAgy0crpmUMpMceJnk=,tag:LH8+qRtrCaHJLKzRB5Nnvw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySlhJWGtCd21zM3BxeEox
+ NG9VcHBoYkxHeUVwN1dQMHZVVmtpVTV6ekRRClB2MzNlKzVwbkdXRFY0QlUwOEUw
+ R2xBNkZGK09pZzBmTUJDdC95bU4vdTAKLS0tIGQ2Z1RpZjRHQUNya2JzZzFQQjA0
+ YlJIcmQrUVJMMUdkMjNoOUkva1hIMWMK+56bsZXNIeYiuj+QAuajsCDWPAv9IYV9
+ 7oh61PZvFYql6TXWjVioIBpS0MxKTbidjWQoYwD4vp8ZikfYUwuoqQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5R2lUZkdXQTUrQmRhMnE3
+ bnRkdUF1WW1obG1acmdQN0NmSkNmWGlFYzFJCkNGQ2lNVFMvYXZYT2dERE1aMVEy
+ a3AybWpZcTZIakVrUExHeTl0MXoxbFkKLS0tIE4wdTRtcUtZTkxiWVkyZC9QSDlR
+ YnpWY3ZsZWdQcEc2YTJJeldTaTdCVkkKA8cfHrWV7COWKYf19IP/dt/mPM6PDWvm
+ DiTB8JBSKTlsBsvA26qkPHcKyXCBjLDaSi1hmGI6PhI7nIDTQ15t6w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-05T21:45:11Z"
+ mac: ENC[AES256_GCM,data:201CRHfhVUf5v1X1LfMH1p59eiLd+ZYEU937iZqCo5+rZ05hSpfXF6XVUdqMI6qgtl1jHY7hWQC4frnprM1BRh0ai/9aV4MKZn4oUCGq6x/avEf442eDL/RPV5pLlvVw1w/SA7lDqOqjaCuF9nDjr03uO7IhqsCLDaUv4JOI/Fg=,iv:W5ulyrMD6XeQ5j3TGhMfC8bh76C+jgXXSn9Em1+XbQo=,tag:sJne9+WMTh1HWTbqzHAiHQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 01f18c0..0bf7267 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -26,7 +26,7 @@ with lib; with builtins; {
 };
 database = {
 user = "forgejo";
- passwordFile = "/etc/nixos/forgejo-dbpassword";
+ passwordFile = config.sops.secrets."hosts/forgenite/forgejo/db_password".path;
 name = "forgejodb";
 type = "mysql";
 };
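Review bot: `config.sops.secrets."hosts/forgenite/forgejo/db_password".path` only evaluates if a matching `sops.secrets` entry is declared, and no such declaration is in this patch; with sops-nix the attribute name is also the default `key` looked up inside the YAML, but the secrets file added here stores the value under `forgejo/db_password` with no `hosts/forgenite/` prefix, so the entry has to set the key explicitly, e.g. `sops.secrets."hosts/forgenite/forgejo/db_password" = { sopsFile = ../secrets/hosts/forgenite.yaml; key = "forgejo/db_password"; owner = config.services.forgejo.user; };`. The `owner` is the part easiest to miss: sops-nix materialises secrets root-only (mode 0400) by default, and as far as I recall the Forgejo module reads `passwordFile` as the service user rather than root, so without it the service fails to read the password (note that the context line `user = "forgejo";` is the MySQL user, not the unix one). Separately, the removed `/etc/nixos/forgejo-dbpassword` was a plaintext file on disk; if it held the same password that is now encrypted, rotate the database credential rather than just re-wrapping it, and delete the old file from the host. The enclosing attribute set starts and ends outside the hunk.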