gitea: add actions runner and CI/CD deploy workflow
This will avoid me having to run "deploy" myself on my laptop. All I will need to do is push a commit and it will self-deploy.
This commit is contained in:
@@ -99,7 +99,11 @@ Each service file in `services/` follows this structure:
|
||||
- **git-crypt**: `secrets/` directory and `usb-secrets/usb-secrets-key*` are encrypted (see `.gitattributes`)
|
||||
- **agenix**: secrets declared in `modules/age-secrets.nix`, decrypted at runtime to `/run/agenix/`
|
||||
- **Identity**: USB drive at `/mnt/usb-secrets/usb-secrets-key`
|
||||
- **Encrypting new secrets**: The agenix encryption key is in `usb-secrets/usb-secrets-key` (SSH private key, git-crypt encrypted). To create a new secret: derive the age public key with `ssh-keygen -y -f usb-secrets/usb-secrets-key | ssh-to-age`, then encrypt with `age -r <public-key> -o secrets/<name>.age`.
|
||||
- **Encrypting new secrets**: The agenix identity is an SSH private key at `usb-secrets/usb-secrets-key` (git-crypt encrypted). To encrypt a new secret, use the SSH public key directly with `age -R`:
|
||||
```bash
|
||||
age -R <(ssh-keygen -y -f usb-secrets/usb-secrets-key) -o secrets/<name>.age /path/to/plaintext
|
||||
```
|
||||
- **DO NOT use `ssh-to-age`**. Using `ssh-to-age` to derive a native age public key and then encrypting with `age -r age1...` produces `X25519` recipient stanzas. The SSH private key identity on the server can only decrypt `ssh-ed25519` stanzas. This mismatch causes `age: error: no identity matched any of the recipients` at deploy time. Always use `age -R` with the SSH public key directly.
|
||||
- Never read or commit plaintext secrets. Never log secret values.
|
||||
|
||||
### Important Patterns
|
||||
|
||||
Reference in New Issue
Block a user