split forgejo-runner into own service file for staged deployment
- Extract forgejo-runner config from forgejo.nix into forgejo-runner.nix - Move forgejo-runner to stage 2 (requires running Forgejo for token) - Remove all stage-2 secrets from sops.nix (each service file owns its secrets) - Update first-install docs with corrected staged deployment flow - Fixes deployment failure caused by runner crashing with placeholder token
This commit is contained in:
parent
da37a2dce3
commit
4c560abffd
6 changed files with 36 additions and 41 deletions
|
|
@ -243,30 +243,13 @@ Services **ohne externe Abhaengigkeiten** aktivieren:
|
||||||
./sops.nix
|
./sops.nix
|
||||||
|
|
||||||
# Stufe 2: Erst nach Schritt 4 aktivieren
|
# Stufe 2: Erst nach Schritt 4 aktivieren
|
||||||
# ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
|
# ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
|
||||||
# ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
|
# ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
|
||||||
|
# ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
Ebenso in `hosts/<hostname>/services/sops.nix` die Secrets-Definitionen wieder
|
|
||||||
einkommentieren, **aber nur die fuer Stufe-1-Services**:
|
|
||||||
|
|
||||||
```nix
|
|
||||||
sops = {
|
|
||||||
defaultSopsFile = ../secrets.yaml;
|
|
||||||
secrets = {
|
|
||||||
# "forgejo-runner/token" = { }; # Stufe 2
|
|
||||||
"tailscale/auth-key" = { };
|
|
||||||
};
|
|
||||||
};
|
|
||||||
```
|
|
||||||
|
|
||||||
> **Hinweis:** `tailscale/auth-key` muss in `sops.nix` definiert bleiben, da das
|
|
||||||
> Tailscale-Modul es referenziert. Es wird aber erst in Schritt 4 mit einem
|
|
||||||
> echten Wert befuellt. Solange Tailscale nicht importiert ist, hat das keinen
|
|
||||||
> Effekt.
|
|
||||||
|
|
||||||
### 3.5 Deployen (Stufe 1)
|
### 3.5 Deployen (Stufe 1)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|
@ -329,6 +312,7 @@ Nachdem der Server mit Headscale und Forgejo laeuft:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./forgejo.nix
|
./forgejo.nix
|
||||||
|
./forgejo-runner.nix
|
||||||
./headplane.nix
|
./headplane.nix
|
||||||
./headscale.nix
|
./headscale.nix
|
||||||
./mailserver.nix
|
./mailserver.nix
|
||||||
|
|
@ -341,8 +325,6 @@ Nachdem der Server mit Headscale und Forgejo laeuft:
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
Und in `sops.nix` auch `forgejo-runner/token` einkommentieren.
|
|
||||||
|
|
||||||
6. **Erneut deployen**:
|
6. **Erneut deployen**:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|
|
||||||
|
|
@ -1,13 +1,17 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
# Stufe 1: Services ohne externe Abhaengigkeiten
|
||||||
./forgejo.nix
|
./forgejo.nix
|
||||||
./headplane.nix
|
|
||||||
./headscale.nix
|
./headscale.nix
|
||||||
./mailserver.nix
|
./mailserver.nix
|
||||||
./netdata.nix
|
./netdata.nix
|
||||||
./nginx.nix
|
./nginx.nix
|
||||||
./openssh.nix
|
./openssh.nix
|
||||||
./sops.nix
|
./sops.nix
|
||||||
./tailscale.nix
|
|
||||||
|
# Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren
|
||||||
|
# ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
|
||||||
|
# ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
|
||||||
|
# ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
||||||
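Review bot: The new `# Stufe 2` comment states the dependency but not where the staged switch-over procedure lives, so the only other copy of this three-line list is the one mirrored in the first-install document, and the two can drift without anything noticing (this commit already had to correct the documented flow once). Suggest pointing the comment at the procedure, e.g. `# Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren (siehe <PATH-TO-FIRST-INSTALL-DOC>, Schritt 4)`, with the real document path filled in, so whoever uncomments these imports next finds the steps that must precede it.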
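--- /dev/null
+++ b/hosts/cryodev-main/services/forgejo-runner.nix
@@ -0,0 +1,22 @@
+{
+config,
+outputs,
+constants,
+...
+}:
+
+{
+imports = [
+outputs.nixosModules.forgejo-runner
+];
+
+services.forgejo-runner = {
+enable = true;
+url = "https://${constants.services.forgejo.fqdn}";
+tokenFile = config.sops.secrets."forgejo-runner/token".path;
+};
+
+sops.secrets."forgejo-runner/token" = {
+mode = "0400";
+};
+}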
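Review bot: The declaration `sops.secrets."forgejo-runner/token" = { mode = "0400"; }` sets no `owner`/`group`, so with sops-nix's defaults the decrypted file is root-owned and readable by root alone; whether the runner can still read `tokenFile` depends on how `outputs.nixosModules.forgejo-runner` consumes the path (as root, or through a systemd credential), which this diff does not show. The comment `# gitea-runner user is created by gitea-actions-runner service` that sat above `mode = "0400"` in forgejo.nix was dropped during the move, and it was the only hint at the intended reader of the file. Either restore that comment and state why root:0400 is sufficient, or set `owner` to the runner's service user so the token is readable by exactly that principal and nothing else. A one-line header comment noting that this file is stage 2 and needs a real registration token in secrets.yaml before it is imported would also help, since default.nix encodes that only as a commented-out import.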
@ -8,7 +8,6 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
outputs.nixosModules.forgejo
|
outputs.nixosModules.forgejo
|
||||||
outputs.nixosModules.forgejo-runner
|
|
||||||
];
|
];
|
||||||
|
|
||||||
services.forgejo = {
|
services.forgejo = {
|
||||||
|
|
@ -32,17 +31,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.forgejo-runner = {
|
|
||||||
enable = true;
|
|
||||||
url = "https://${constants.services.forgejo.fqdn}";
|
|
||||||
tokenFile = config.sops.secrets."forgejo-runner/token".path;
|
|
||||||
};
|
|
||||||
|
|
||||||
sops.secrets."forgejo-runner/token" = {
|
|
||||||
# gitea-runner user is created by gitea-actions-runner service
|
|
||||||
mode = "0400";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."${constants.services.forgejo.fqdn}" = {
|
services.nginx.virtualHosts."${constants.services.forgejo.fqdn}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
|
|
||||||
|
|
@ -13,9 +13,9 @@
|
||||||
sops = {
|
sops = {
|
||||||
defaultSopsFile = ../secrets.yaml;
|
defaultSopsFile = ../secrets.yaml;
|
||||||
# age.keyFile is not set, sops-nix defaults to using /etc/ssh/ssh_host_ed25519_key
|
# age.keyFile is not set, sops-nix defaults to using /etc/ssh/ssh_host_ed25519_key
|
||||||
secrets = {
|
|
||||||
"forgejo-runner/token" = { };
|
# Secrets fuer Stufe-2-Services werden in deren eigenen Dateien definiert:
|
||||||
"tailscale/auth-key" = { };
|
# forgejo-runner/token -> forgejo-runner.nix
|
||||||
};
|
# tailscale/auth-key -> tailscale.nix (via Modul)
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
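Review bot: The replacement comment `# tailscale/auth-key -> tailscale.nix (via Modul)` asserts that the secret is now declared by the Tailscale side, but tailscale.nix is not among the six files this commit touches, and the first-install note removed in the same commit said only that the module *references* `tailscale/auth-key`, which was the stated reason the declaration lived here. If the module reads `config.sops.secrets."tailscale/auth-key".path` without declaring the secret, evaluation fails the moment `./tailscale.nix` is re-enabled in stage 2. Please confirm that tailscale.nix or the imported module carries a `sops.secrets."tailscale/auth-key"` declaration, or keep that single line here under a `# Stufe 2` marker as the old `forgejo-runner/token` entry was. The `secrets = { ... }` wrapper is gone entirely, so any future declaration added to this file must use the `sops.secrets."name"` attribute-path form.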
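--- a/result
+++ /dev/null
@@ -1 +0,0 @@
-/nix/store/xmcpz8rawfcbzr528rlnm5v0fmnrd8dj-nixos-system-cryodev-main-25.11.20260309.44bae27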