security: harden CI pipeline (pin host keys, suppress ntfy topic, restrict secrets)

2026-03-31 11:03:07 -04:00
parent c556b82f9a
commit 40fa8147e6
4 changed files with 16 additions and 8 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -7,7 +7,7 @@ jobs:
  deploy:
    runs-on: nix
    env:
-      GIT_SSH_COMMAND: "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no"
+      GIT_SSH_COMMAND: "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"
    steps:
      - uses: https://github.com/actions/checkout@v4
        with:
@@ -25,12 +25,12 @@ jobs:
        run: |
          eval $(ssh-agent -s)
          ssh-add /run/agenix/ci-deploy-key
-          nix run github:serokell/deploy-rs -- .#muffin --skip-checks --ssh-opts="-o StrictHostKeyChecking=no"
+          nix run github:serokell/deploy-rs -- .#muffin --skip-checks --ssh-opts="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"
      - name: Health check
        run: |
          sleep 10
-          ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no root@server-public \
+          ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts root@server-public \
            "systemctl is-active gitea && systemctl is-active caddy && systemctl is-active continuwuity && systemctl is-active coturn"
      - name: Notify success
@@ -38,7 +38,7 @@ jobs:
        run: |
          TOPIC=$(cat /run/agenix/ntfy-alerts-topic | tr -d '[:space:]')
          TOKEN=$(cat /run/agenix/ntfy-alerts-token | tr -d '[:space:]')
-          curl -sf -X POST \
+          curl -sf -o /dev/null -X POST \
            "https://ntfy.sigkill.computer/$TOPIC" \
            -H "Authorization: Bearer $TOKEN" \
            -H "Title: [muffin] Deploy succeeded" \
@@ -51,7 +51,7 @@ jobs:
        run: |
          TOPIC=$(cat /run/agenix/ntfy-alerts-topic 2>/dev/null | tr -d '[:space:]')
          TOKEN=$(cat /run/agenix/ntfy-alerts-token 2>/dev/null | tr -d '[:space:]')
-          curl -sf -X POST \
+          curl -sf -o /dev/null -X POST \
            "https://ntfy.sigkill.computer/$TOPIC" \
            -H "Authorization: Bearer $TOKEN" \
            -H "Title: [muffin] Deploy FAILED" \
--- a/configuration.nix
+++ b/configuration.nix
@@ -79,6 +79,14 @@
  networking.hosts."192.168.1.50" = [ "server-public" ];
  networking.hosts."192.168.1.223" = [ "desktop" ];
  # SSH known_hosts for CI runner (pinned host keys)
  environment.etc."ci-known-hosts".text = ''
    server-public ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
    192.168.1.50 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
    git.sigkill.computer ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
    git.gardling.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
  '';
  services.kmscon.enable = true;
  systemd.targets = {
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -140,8 +140,8 @@
    git-crypt-key-dotfiles = {
      file = ../secrets/git-crypt-key-dotfiles.age;
      mode = "0400";
-      owner = "gitea-runner";
+      owner = "root";
-      group = "gitea-runner";
+      group = "root";
    };
    # Git-crypt symmetric key for server-config repo
--- a/services/gitea-actions-runner.nix
+++ b/services/gitea-actions-runner.nix
@@ -41,6 +41,6 @@
      User = "gitea-runner";
      Group = "gitea-runner";
    };
-    environment.GIT_SSH_COMMAND = "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no";
+    environment.GIT_SSH_COMMAND = "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts";
  };
 }