vault: switch out for gitea-runner, the actual user doing stuff

2024-12-30 03:04:17 +00:00 · 2024-12-30 03:04:17 +00:00 · 0e758252a2
commit 0e758252a2
parent 37491ffdd9
3 changed files with 5 additions and 25 deletions
--- a/ops/vault/cfg/binary-cache-deployer.nix
+++ b/ops/vault/cfg/binary-cache-deployer.nix
@ -15,17 +15,7 @@
    }];
  };

-  my.servers.cofractal-ams01.appPolicies.gitlab-runner = ''
-    path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
-      capabilities = ["read"]
-    }
-  '';
-  my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
-    path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
-      capabilities = ["read"]
-    }
-  '';
-  my.servers.rexxar.appPolicies.gitlab-runner = ''
+  my.servers.rexxar.appPolicies.gitea-runner = ''
    path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
      capabilities = ["read"]
    }
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@ -66,7 +66,7 @@
    }
  '';
  my.apps.authentik = {};
-  my.apps.forgejo-runner = {};
+  my.apps.gitea-runner = {};
  my.apps.plex-pass = {};
  my.apps.ads-b = {};
  my.apps.nixbuild = {};
@ -78,7 +78,7 @@
  my.apps.bsky-pds = {};

  my.servers.etheroute-lon01.apps = [ "pomerium" ];
-  my.servers.bvm-forgejo.apps = [ "pomerium" "forgejo-runner" ];
+  my.servers.bvm-forgejo.apps = [ "pomerium" "gitea-runner" ];
  my.servers.howl.apps = [ "nixbuild" ];
  my.servers.porcorosso.apps = [ "quotesdb" "nixbuild" ];
  my.servers.nausicaa.apps = [ "quotesdb" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" ];
@ -91,5 +91,5 @@
  my.servers.bvm-prosody.apps = [ "turn" ];
  my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
  my.servers.bvm-netbox.apps = [ "netbox" ];
-  my.servers.rexxar.apps = [ "deluge" "forgejo-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" "bsky-pds" ];
+  my.servers.rexxar.apps = [ "deluge" "gitea-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" "bsky-pds" ];
 }
--- a/ops/vault/cfg/lukegbcom-deployer.nix
+++ b/ops/vault/cfg/lukegbcom-deployer.nix
@ -19,17 +19,7 @@
    }];
  };

-  my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
-    path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
-      capabilities = ["read"]
-    }
-  '';
-  my.servers.cofractal-ams01.appPolicies.gitlab-runner = ''
-    path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
-      capabilities = ["read"]
-    }
-  '';
-  my.servers.rexxar.appPolicies.gitlab-runner = ''
+  my.servers.rexxar.appPolicies.gitea-runner = ''
    path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
      capabilities = ["read"]
    }