From a6c40df359b6035e624340aaf1b847ab34db0acf Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Mon, 30 Mar 2026 21:14:54 -0400
Subject: [PATCH] ci: add git-crypt unlock for server-config build-time secrets

---
 .gitea/workflows/deploy.yml | 4 ++++
 modules/age-secrets.nix | 8 ++++++++
 secrets/git-crypt-key-server-config.age | Bin 0 -> 382 bytes
 3 files changed, 12 insertions(+)
 create mode 100644 secrets/git-crypt-key-server-config.age

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 40b5fb8..4e15855 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -13,6 +13,10 @@ jobs:
 with:
 fetch-depth: 0
 
+ - name: Unlock git-crypt
+ run: |
+ git-crypt unlock /run/agenix/git-crypt-key-server-config
+
 - name: Build NixOS configuration
 run: |
 nix build .#nixosConfigurations.muffin.config.system.build.toplevel -L
diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index 6e527bf..f820ea1 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -144,6 +144,14 @@
 group = "gitea-runner";
 };
 
+ # Git-crypt symmetric key for server-config repo
+ git-crypt-key-server-config = {
+ file = ../secrets/git-crypt-key-server-config.age;
+ mode = "0400";
+ owner = "gitea-runner";
+ group = "gitea-runner";
+ };
+
 # Gitea Actions runner registration token
 gitea-runner-token = {
 file = ../secrets/gitea-runner-token.age;
diff --git a/secrets/git-crypt-key-server-config.age b/secrets/git-crypt-key-server-config.age
new file mode 100644
index 0000000000000000000000000000000000000000..19931fe507a756a4e2633973abb4301b5491acb9
GIT binary patch
literal 382
zcmZQ@_Y83kiVO&0c+0nbafa%PjN>>DE`IQsiPBMSxpOpKs z_l%m-@AMz8mK`cKuim{B?>ZFbyP6QgZ``oY6^3gaRk!mzQ>WkDn zzs3n|sf@XH%}XbVFAV84UAZB57n7Ic>!1A$(osQQj)y#-8FsM2T5zVV`NBh%4=XjqJm09<5ha;!LEAicpt0FDF?EdX5Wo>=@=IvWs zPbPf4K7mhcZQEIy+}Y0;uAN(-__;_+{=IvUNcGamTw9B`7m6gk-^~0hT3DiL%h~`B z)u~r6h6()g^EcMte){2c=R+@B*IPN26 zuwU6XSHW%ll*YZ2POjmMnyw*TAh>tuPZ7)Vnl%SS4%$_
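Review bot: The new "Unlock git-crypt" step leaves the git-crypt'd files decrypted in the runner workspace for the rest of the job and after it, because nothing relocks them; add a final step `- name: Lock git-crypt` / `if: always()` / `run: git-crypt lock` so plaintext does not persist across runs on a reused workspace or leak through artifacts. Note also that the following `nix build .#…` evaluates a flake, which copies the checked-out source tree into /nix/store; if any of the files git-crypt decrypts are tracked in this repository, their plaintext will land in a world-readable store path on the runner (and in any binary cache the build pushes to), which is inherent to build-time use and worth recording above the step, e.g. `# Plaintext is visible to every later step and to the Nix store copy of this tree`. I cannot see the workflow's `on:` triggers; if it also runs for pull requests from untrusted contributors, their code executes after this unlock with the decrypted files in reach. The `jobs:` block this step belongs to begins before the hunk.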
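Review bot: The decrypted key is owned by `gitea-runner`, which presumably makes it readable by every job this runner executes — any workflow in any repository the runner is registered for, not only this repo's deploy workflow — assuming jobs run as that user and see the host's /run/agenix. That is a wider blast radius than `mode = "0400"` suggests, and an exported git-crypt symmetric key cannot in practice be rotated without re-encrypting the repo's contents and rewriting its history, so the comment should say so: `# Exported git-crypt symmetric key for server-config. Readable by every job this runner executes; keep the runner scoped to trusted repos and treat a runner compromise as requiring re-keying that repo.` The attribute set this entry is added to starts before the hunk.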