From 65f82370152f812d813538fdc477c5c7c13c3f6c Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 1 May 2024 23:28:18 +0200
Subject: [PATCH] Decrypt sops secrets in Forgejo action
---
 .forgejo/workflows/deploy.yaml | 5 ++++-
 .sops.yaml | 2 +-
 secrets/sops.yaml | 5 +++--
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.forgejo/workflows/deploy.yaml b/.forgejo/workflows/deploy.yaml
index fe2198e..ca5e199 100644
--- a/.forgejo/workflows/deploy.yaml
+++ b/.forgejo/workflows/deploy.yaml
@@ -14,4 +14,7 @@ jobs:
 - run: nix run nixpkgs#kubectl -- config set-context my-context --cluster=my-cluster --user=my-service-account
 - run: nix run nixpkgs#kubectl -- config use-context my-context
 - run: nix run nixpkgs#kubectl -- get pods
-
+ - run: |
+ mkdir -p ~/.config/sops/age
+ echo -n "${{ secrets.AGE_SECRET_KEY }}" > ~/.config/sops/age/keys.txt
+ - run: nix run nixpkgs#sops --decrypt src/secrets/sops.yaml | grep "paperless-ngx:"
diff --git a/.sops.yaml b/.sops.yaml
index ff1eaee..7d48812 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,2 +1,2 @@
 creation_rules:
- - age: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+ - age: "age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw,age1x7wv7s2z2cxcvys223rzkzrx33l85rg6jy4klr07atf5r3d8yp3qrwg4lx"
diff --git a/secrets/sops.yaml b/secrets/sops.yaml
index be1861a..3f5cb0f 100644
--- a/secrets/sops.yaml
+++ b/secrets/sops.yaml
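Review bot: The added step that writes `keys.txt` splices `${{ secrets.AGE_SECRET_KEY }}` into the script text before the shell parses it, and it creates the file under the runner's default umask, so shell metacharacters in the value would change the script and the age identity may end up readable by other accounts on the runner. Passing the secret through the step's `env:` and setting `umask 077` before the write, as in the sketch below, avoids both. The last added line also omits the `--` that the kubectl steps place before program arguments, so `--decrypt` is likely consumed by `nix run` rather than by sops. The job definition starts above the hunk, so whether the key file is removed afterwards or the runner is ephemeral is not visible here.

```yaml
# … unchanged: kubectl context steps …
- env:
    AGE_SECRET_KEY: "${{ secrets.AGE_SECRET_KEY }}"
  run: |
    umask 077  # new directories and the key file are created owner-only
    mkdir -p ~/.config/sops/age
    printf '%s' "$AGE_SECRET_KEY" > ~/.config/sops/age/keys.txt
- run: nix run nixpkgs#sops -- --decrypt src/secrets/sops.yaml | grep "paperless-ngx:"
```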
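Review bot: The recipient added in `.sops.yaml` sits on the file's only creation rule, which has no `path_regex`, so the holder of that key (presumably the identity the workflow loads from `AGE_SECRET_KEY`) can decrypt every secret encrypted under this config, not only the `paperless-ngx` entry the workflow reads. If the runner needs a subset, a separate rule scoped with `path_regex` to a CI-only secrets file, listed before the catch-all rule, would keep the runner key off the remaining secrets. A comment above the `age:` line naming the owner of each public key would also make later rotation or removal of the runner key unambiguous.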
@@ -16,6 +16,7 @@ forgejo: lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str] internalToken: ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str] runnerToken: ENC[AES256_GCM,data:F6PsbkhT1epKfi9MpLpMqDosloVkhIiq/olBi/bbt8k88qxfw0vwvg==,iv:I/LH8V0Um+PCpjSrcjiZAN71nXcqv1m84wBUPLWT33Q=,tag:Y3qhbt7OqkRbHOCXRKLUeg==,type:str] + agePrivateKey: ENC[AES256_GCM,data:sEsVKpDd9VQKiaQNeLMqnA5304yf+4byCG2n4PIITM7c/HBRsdqpd4/BQEiYo8w95d41SjnFBay36KX+GWvJrx9vmCx7FPmv2kU=,iv:9jCW6ZL9nhcLZiGGmcylJKGh9erTOJdCTyWQXA1cgRY=,tag:ZgSeIcqDsvJipH+M1KGhMA==,type:str] atticd: jwtToken: ENC[AES256_GCM,data:DTiREnIdZxsewzLXeZgERBJKorUuqI71TgmUyKyc8iH6ioJLciU/9wfLiO+ltUA+3eEnuyuJHTpFwtLS0Wrjh5G4kYNkiX6Mw1bEJZnR+x2xJAJmfa4sJw==,iv:8jJfPosy02vezJOA0oKSphUItWqQ0Pr1cc8rBSuSawE=,tag:p+dZBP5+EYHjtTH9EkdYsw==,type:str] databaseURL: ENC[AES256_GCM,data:beyFNmbapw9asGHZN52taNx6klO3IQJ7wXbYTvo1NMaFyvo5qk2osocrwkeVv3w8bUWGgbQ/LKLuvg==,iv:qGFwhuLj0ApY9EpclM0x1nVBqXjv8XZC58cy6AE3AtQ=,tag:an+slq4Wlh7/sunX44yxOQ==,type:str] 
@@ -34,8 +35,8 @@ sops: dVBPbkRib1M1cmVKZzl4TWpoSml2WDQK45jJDXpPXIBoaANhjZSWYVZ8mI51LAin EqgBj7VKY+CQbw1gMd1Fdh8iDYraowwcLyd/ZhZ/M0kIdkCc5E1a5g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-27T18:37:27Z" - mac: ENC[AES256_GCM,data:LP0gbW3AI0hKE3dfVdDC0+BMtz2fRbtgfxVF7zPZ6cg09cXaOlNPExAxEIzp0pBtTN7114hL3MNzczov64ES9YvP8XIXDcEZzQxVqUgkacgrCIfm1Zd2o1sIT9ORreK04+S4gnvMgbXq9TAEnxnK2SVhvthwmLVw3MXjBb2+/wc=,iv:Nf7c+AdaU8yCnhHYKwERdMzFw0qY0y0c8VMxa/Hcg50=,tag:SRvJ0YqimkswD8Ljp69jog==,type:str] + lastmodified: "2024-05-01T21:17:22Z" + mac: ENC[AES256_GCM,data:Z854yGCEukya2IxAiNp/vmOpf+MqY6Pfvk2uhhH6UPoijvt7gU/AacmieKXNc+lErqh9mxwBoEoY/SwTYymqEsjm3vAWn9mrgvs6dfaTYuyFPg0ZrnV2pT5GiCLbmPhBKw/Fx53MLmB2CcYvYtJkoZk0+pSBOKpI+Mzr1tUOn98=,iv:3wZVY4KjXriFcpCAzjRZsVo/X7gi6WLVRzalKcA41Nk=,tag:evss+EvaaMpj3LyJCNOTZw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1