<div align="center">
<img src="https://upload.wikimedia.org/wikipedia/commons/d/df/Runic_letter_algiz.svg">
<h1>algiz</h1>
</div>

## Setting up the git user (originally for use with gitea)

```sh
# generate a keypair for the git user (used for SSH passthrough between host and gitea container)
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key"
# authorize that key for the git user itself (appends to authorized_keys)
sudo -u git cat /home/git/.ssh/id_rsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys
# sshd ignores authorized_keys files that are group- or world-readable
sudo -u git chmod 600 /home/git/.ssh/authorized_keys
```

`/home/git/.ssh/authorized_keys` should look like this:

```txt
# SSH pubkey from git user
ssh-rsa <Gitea Host Key>

# other keys from users
command="/usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <user pubkey>
```
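As an added example (not part of this repo), a small POSIX sh lint for that layout: it flags any key in the file that is not the git user's own host key and is not forced through the gitea shim with all four restriction options, since such a key would give its owner an ordinary shell as `git`. The shim path and the sample key blobs are assumptions.

```sh
#!/bin/sh
# Added example, not the repo's own code: lint authorized_keys for the gitea
# passthrough layout. Every key except the "Gitea Host Key" must carry
# command="<shim> ... serv key-N" plus the four restriction options.
SHIM=/usr/local/bin/gitea   # assumption: the shim path used in the command= entries

# check_authorized_keys FILE: print one line per problem, return 1 if any.
check_authorized_keys() {
    file=$1 problems=0 hostkeys=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            "ssh-rsa "*" Gitea Host Key"|"ssh-ed25519 "*" Gitea Host Key")
                hostkeys=$((hostkeys + 1)); continue ;;
        esac
        # options field = everything before the key type
        opts=${line%% ssh-*}; opts=${opts%% ecdsa-*}; opts=${opts%% sk-*}
        case $opts in
            "command=\"$SHIM --config="*" serv key-"[0-9]*"\","*)
                id=${opts#*serv key-}; id=key-${id%%\"*} ;;
            *)  echo "$file: not forced through $SHIM: ${line##* }"
                problems=$((problems + 1)); continue ;;
        esac
        rest=${opts#*\",}   # the comma-separated options after the command
        for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
            case ",$rest," in
                *",$opt,"*) ;;
                *) echo "$file: $id is missing $opt"; problems=$((problems + 1)) ;;
            esac
        done
    done <"$file"
    [ "$hostkeys" -eq 1 ] || { echo "$file: expected 1 Gitea Host Key, found $hostkeys"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# Constructed sample files; the key blobs are placeholders, not real keys.
GOOD=$(mktemp) BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
# SSH pubkey from git user
ssh-rsa AAAAB3HOSTKEYPLACEHOLDER Gitea Host Key
# other keys from users
command="/usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3USERKEY1 alice@laptop
EOF
cat >"$BAD" <<'EOF'
ssh-rsa AAAAB3HOSTKEYPLACEHOLDER Gitea Host Key
command="/usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3USERKEY2 bob@desk
ssh-ed25519 AAAAC3USERKEY3 carol@anywhere
EOF
check_authorized_keys "$GOOD" && echo "$GOOD: ok"
check_authorized_keys "$BAD" || echo "$BAD: fix before use"
```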

To point gitea/forgejo to the shim gitea binary for SSH, I symlink the current system version to `/usr/local/bin/gitea`.

```sh
# /run/current-system/sw/bin holds the binaries of the active NixOS system profile
ln -s /run/current-system/sw/bin/gitea /usr/local/bin/gitea
```

## Setting up Attic

Generated a key using the command provided in the attic docs:

```sh
# 4096-bit RSA key in traditional PEM form, base64-encoded onto one line for the env file
nix run nixpkgs#openssl -- genrsa -traditional 4096 | base64 -w0
```

And wrote `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="output from above"` to `/etc/attic.env`.

I generated a token to configure the caches using the following command:

```sh
# admin token for subject "daylin": push/pull plus every cache-management right on all caches ("*"), valid for one year
atticd-atticadm make-token --sub daylin --push "*" --pull "*" --validity '1y' --create-cache "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*" --delete "*"
```

If I handled secrets via `sops` or `agenix`, I think this could be stored directly in the repo.

I also had to modify the firewall so that docker would correctly forward the requests from caddy to `host.docker.internal`.