ragenix: migrate forgejo to agenix for secrets

progresses #1
resolves #11

nixos/hosts/toscano/configuration.nix

@@ -1,4 +1,4 @@
-# NixOps configuration for toscano
+# NixOS configuration for toscano
 #
 # https://en.wikipedia.org/wiki/Joseph_Toscano
 {
@@ -9,15 +9,22 @@
 }: {
   imports = [
     ../../../networks/linode.nix
-    #../../../profiles/gitea.nix
+    ../../../profiles/forgejo.nix
     #../../../profiles/hakyll-skeleton.nix
     #../../../profiles/jfdic-web.nix
     #../../../profiles/resrok-web.nix
     #../../../profiles/tmateServer.nix
     #../../../profiles/voc-web.nix
-    #../../../secrets/gitea.nix
   ];
 
+  age.secrets = {
+    forgejo = {
+      file = ../../../secrets/forgejo.age;
+      owner = "gitea";
+      group = "gitea";
+    };
+  };
+
   deployment = {
     tags = ["infra"];
     targetHost = "45.79.236.198";

outputs.nix

@@ -40,10 +40,10 @@ in {
         ragenix.nixosModules.default
       ];
     };
+  };
   # The below lines are in the wrong place
   #nixosConfigurations = import ./nixos/configurations.nix (inputs
   #  // {
   #    inherit inputs;
   #  });
-  };
 }

profiles/forgejo.nix

@@ -1,23 +1,26 @@
 # NixOps configuration for the hosts running Forgejo
 {
   config,
-  inputs,
   pkgs,
   lib,
   ...
-  }: {
+}: let
+  flake = builtins.getFlake (toString ../.);
+  nixpkgsUnstable = flake.inputs.nixpkgsUnstable;
+  forgejo = nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo;
+in {
   services.gitea = {
     enable = true; # Enable Forgejo
     appName = "JFDI Collective: Forgejo Service"; # Give the site a name
     database = {
       type = "postgres"; # Database type
-      passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
+      passwordFile = config.age.secrets.forgejo.path;
     };
     disableRegistration = true;
     domain = "source.jfdic.org"; # Domain name
     rootUrl = "https://source.jfdic.org/"; # Root web URL
     httpPort = 3002; # Provided unique port
-    package = inputs.nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo; # a soft fork of gitea
+    package = forgejo; # a soft fork of gitea
     settings = let
       docutils = pkgs.python37.withPackages (ps:
         with ps; [

secrets/forgejo.age

@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBzblFC
+eUZrZEw3R24weVJ2TUw3QWZ6WDNYS1NDZVpGTktnakk4M2FnVEhFCjUxK1BucVBu
+Vm52cXhyK1RyRFdTd2w1WU9NWDUranZTRkhzOHIwbXVHTlkKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIERNWExUWk95Wk1udHYxWm1vKzAwR29kUC9JeUJoMVI3MUx3UmFG
+aDFCakkKSitsbEtsVzQ5eDAzZ0VUOXIrUkNsSkFFRXJGbEUyVTZNKzcwcTBhWnYy
+RQotPiBsbS1ncmVhc2UgLTwpJyAxTmtRMgp5OVpBSDh2azhrYjI1cmNjVmdKdlh0
+d2ZJZwotLS0gSGRZZ2k2ZDhqc3E1clBkOVZ4K3FjZUtGUG1XZ1ozVDRpZkd3ZkhG
+d3ZuYwocfVjJedKaGHSUGZE2tTu5W47y68PW51+NdYxQOT65fyZD9/Vxi+7HiFqM
+0xrmCMh3IsOvPa60vuY=
+-----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -10,4 +10,5 @@ let
 in {
   "root.age".publicKeys = ops ++ systems;
   "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;
+  "forgejo.age".publicKeys = [fiscalvelvetpoet toscano];
 }