ci: add git-crypt unlock for server-config build-time secrets

2026-03-30 21:14:54 -04:00
parent ed7fda31fe
commit a6c40df359
3 changed files with 12 additions and 0 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -13,6 +13,10 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Unlock git-crypt
+        run: |
+          git-crypt unlock /run/agenix/git-crypt-key-server-config
+
      - name: Build NixOS configuration
        run: |
          nix build .#nixosConfigurations.muffin.config.system.build.toplevel -L
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -144,6 +144,14 @@
      group = "gitea-runner";
    };

+    # Git-crypt symmetric key for server-config repo
+    git-crypt-key-server-config = {
+      file = ../secrets/git-crypt-key-server-config.age;
+      mode = "0400";
+      owner = "gitea-runner";
+      group = "gitea-runner";
+    };
+
    # Gitea Actions runner registration token
    gitea-runner-token = {
      file = ../secrets/gitea-runner-token.age;
--- a/secrets/git-crypt-key-server-config.age
+++ b/secrets/git-crypt-key-server-config.age