From a7d403eb5b758686dc458c8ed7a68132758a873c Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 1 May 2024 23:38:45 +0200
Subject: [PATCH] Encrypt k8s secrets with Forgejo action key

Allow mounting all volumes in Forgejo actions
---
 kubenix-modules/forgejo/runner-config.nix | 2 +-
 secrets/sops.yaml | 19 ++++++++++++++-----
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/kubenix-modules/forgejo/runner-config.nix b/kubenix-modules/forgejo/runner-config.nix
index 1e039db..decf9a4 100644
--- a/kubenix-modules/forgejo/runner-config.nix
+++ b/kubenix-modules/forgejo/runner-config.nix
@@ -27,7 +27,7 @@
 privileged = false;
 options = "";
 workdir_parent = "";
- valid_volumes = [ "/var/run/secrets/kubernetes.io/serviceaccount" ];
+ valid_volumes = [ "**" ];
 docker_host = "";
 force_pull = false;
 };
diff --git a/secrets/sops.yaml b/secrets/sops.yaml
index 3f5cb0f..9a2b8d2 100644
--- a/secrets/sops.yaml
+++ b/secrets/sops.yaml
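Review bot: `valid_volumes = [ "**" ];` replaces the allow-list with a wildcard: act_runner's valid_volumes is the set of volumes and host paths a workflow's container may bind-mount, so with `**` any job on this runner can mount anything the daemon behind `docker_host` can see, which for a node-level daemon plausibly includes the node filesystem and other pods' mounted secrets. Since the commit's goal is to let actions reach one more mount, the narrower change is to extend the list rather than open it, e.g. `valid_volumes = [ "/var/run/secrets/kubernetes.io/serviceaccount" "<PATH_NEEDED_BY_ACTION>" ];` with the real path substituted. If `**` is deliberate, a comment above the line should record the trust assumption it relies on, e.g. `# Any workflow on this runner may bind-mount arbitrary volumes/host paths; only trusted repositories may use this runner.`. The enclosing attribute set begins outside the hunk.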
@@ -29,11 +29,20 @@ sops:
 - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsM0xTM1pFNDMwYW1FSDRB
- SGk3dXl6RzVPVXF5N2NYSWxYVXpTYm1UUUZNCkkwOEJZbnVTanRRSXFWWXpJQ0lK
- T0Z6QnMyZUl1WGEwaEsrbitUUFNoa2MKLS0tIHArQkIrRWlWcU9yUFVaa3pJMDlo
- dVBPbkRib1M1cmVKZzl4TWpoSml2WDQK45jJDXpPXIBoaANhjZSWYVZ8mI51LAin
- EqgBj7VKY+CQbw1gMd1Fdh8iDYraowwcLyd/ZhZ/M0kIdkCc5E1a5g==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZ3JkeG5KMkI3THREM2Qy
+ UithR0hPQ1pXU003S1ozaGlJUXVmM1hBdVdJCmZYZ3cveFJkNkEzUTZvOWNIS2Rk
+ b1hNdjd0eVA3SlEyZnBObS9lWnMyOVEKLS0tIFJuL1k2UmJxakU2Q0JnNHc2Tkdn
+ T2hCN1VrVjFBaW5XNlVoNnA4QUE5VUEKL4ieqdtq0oDPmPYvQJUZFjeE9XPo4+o+
+ dsalIMaKZTeUK7xPixF4ZNxhxJwDMx21WjdinOJFaFzJOOfXlAQnxw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1x7wv7s2z2cxcvys223rzkzrx33l85rg6jy4klr07atf5r3d8yp3qrwg4lx
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcU1kSFZUWEthMEVYbXBZ
+ TUtHdEhpdkRJaUtoaTdxQnRqTXVWdkNuM2s0CjVwNWoyNmdWL1kwcDFhVElBMElN
+ c2dUMWFYeTVaNzBmZGJ3NzNrWXJuaHMKLS0tIFo0Qlg3RkYydURrOXRrdzZXeFlQ
+ Z2w4d09qV29XSWNNZW9Od2taNm9Td0kKdWFS8lA4mS85XWbaf4WqRzakHVJ/AMXl
+ zK7C4DRLLOrLtPilmH5rpu2luC8BE0enxX8ZqF8GJt+Uo3sPfBlpEg==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2024-05-01T21:17:22Z"
 mac: ENC[AES256_GCM,data:Z854yGCEukya2IxAiNp/vmOpf+MqY6Pfvk2uhhH6UPoijvt7gU/AacmieKXNc+lErqh9mxwBoEoY/SwTYymqEsjm3vAWn9mrgvs6dfaTYuyFPg0ZrnV2pT5GiCLbmPhBKw/Fx53MLmB2CcYvYtJkoZk0+pSBOKpI+Mzr1tUOn98=,iv:3wZVY4KjXriFcpCAzjRZsVo/X7gi6WLVRzalKcA41Nk=,tag:evss+EvaaMpj3LyJCNOTZw==,type:str]
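Review bot: Adding `age1x7wv7s2z2cxcvys223rzkzrx33l85rg6jy4klr07atf5r3d8yp3qrwg4lx` as a second recipient lets the holder of that private key decrypt every value in secrets/sops.yaml, not only the ones the action needs. If, as the commit title suggests, that key is held by the Forgejo runner, the least-privilege option is a separate sops file containing just the action-readable secrets with this key as recipient, leaving the rest encrypted to the original key alone, so a compromised runner or workflow does not expose unrelated cluster secrets; this matters more because the same commit opens `valid_volumes` to `**` in runner-config.nix. The two recipients carry no label here; recording which key is which (in the repo's `.sops.yaml` creation rules or a README next to the file) would make rotation and revocation unambiguous. The unchanged `lastmodified` and `mac` lines are consistent with a key-only update that did not touch the data, which is what one would expect from `sops updatekeys`.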