From 0e758252a2f51bf8347ffc550ca77d35317dd0b7 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Mon, 30 Dec 2024 03:04:17 +0000
Subject: [PATCH] vault: switch out for gitea-runner, the actual user doing stuff

---
 ops/vault/cfg/binary-cache-deployer.nix | 12 +-----------
 ops/vault/cfg/config.nix | 6 +++---
 ops/vault/cfg/lukegbcom-deployer.nix | 12 +-----------
 3 files changed, 5 insertions(+), 25 deletions(-)

diff --git a/ops/vault/cfg/binary-cache-deployer.nix b/ops/vault/cfg/binary-cache-deployer.nix
index 310702db9e..1bb4d0822d 100644
--- a/ops/vault/cfg/binary-cache-deployer.nix
+++ b/ops/vault/cfg/binary-cache-deployer.nix
@@ -15,17 +15,7 @@
 }];
 };
 
- my.servers.cofractal-ams01.appPolicies.gitlab-runner = ''
- path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
- capabilities = ["read"]
- }
- '';
- my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
- path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
- capabilities = ["read"]
- }
- '';
- my.servers.rexxar.appPolicies.gitlab-runner = ''
+ my.servers.rexxar.appPolicies.gitea-runner = ''
 path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
 capabilities = ["read"]
 }
diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index 68db2bd5ae..0da7ef313a 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -66,7 +66,7 @@
 }
 '';
 my.apps.authentik = {};
- my.apps.forgejo-runner = {};
+ my.apps.gitea-runner = {};
 my.apps.plex-pass = {};
 my.apps.ads-b = {};
 my.apps.nixbuild = {};
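Review bot: In ops/vault/cfg/binary-cache-deployer.nix the surviving grant gives the `gitea-runner` app on rexxar `read` on the roleset's `/token` path, and nothing in the hunk records which jobs are meant to use it. Reading that path presumably yields a GCP access token for the deployer roleset, so any workflow the runner on rexxar executes could request one; if that runner accepts jobs from forks or unreviewed branches, the restriction has to live on the runner side and is worth confirming. config.nix also lists `gitea-runner` on bvm-forgejo, which gets no deployer policy here, so a comment above the policy such as `# Only rexxar's runner deploys; bvm-forgejo's gitea-runner deliberately has no access to this roleset.` would make the asymmetry explicit. The same point applies to the matching hunk in ops/vault/cfg/lukegbcom-deployer.nix. The attribute set enclosing the policy starts and ends outside the hunk.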
@@ -78,7 +78,7 @@
 my.apps.bsky-pds = {};
 
 my.servers.etheroute-lon01.apps = [ "pomerium" ];
- my.servers.bvm-forgejo.apps = [ "pomerium" "forgejo-runner" ];
+ my.servers.bvm-forgejo.apps = [ "pomerium" "gitea-runner" ];
 my.servers.howl.apps = [ "nixbuild" ];
 my.servers.porcorosso.apps = [ "quotesdb" "nixbuild" ];
 my.servers.nausicaa.apps = [ "quotesdb" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" ];
@@ -91,5 +91,5 @@
 my.servers.bvm-prosody.apps = [ "turn" ];
 my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
 my.servers.bvm-netbox.apps = [ "netbox" ];
- my.servers.rexxar.apps = [ "deluge" "forgejo-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" "bsky-pds" ];
+ my.servers.rexxar.apps = [ "deluge" "gitea-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" "bsky-pds" ];
 }
diff --git a/ops/vault/cfg/lukegbcom-deployer.nix b/ops/vault/cfg/lukegbcom-deployer.nix
index bbb442807b..92688aca6f 100644
--- a/ops/vault/cfg/lukegbcom-deployer.nix
+++ b/ops/vault/cfg/lukegbcom-deployer.nix
@@ -19,17 +19,7 @@
 }];
 };
 
- my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
- path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
- capabilities = ["read"]
- }
- '';
- my.servers.cofractal-ams01.appPolicies.gitlab-runner = ''
- path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
- capabilities = ["read"]
- }
- '';
- my.servers.rexxar.appPolicies.gitlab-runner = ''
+ my.servers.rexxar.appPolicies.gitea-runner = ''
 path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
 capabilities = ["read"]
 }