diff --git a/capytal/forge.nix b/capytal/forge.nix index f21b5f7..ba7a9c8 100644 --- a/capytal/forge.nix +++ b/capytal/forge.nix @@ -1,118 +1,350 @@ { config, + inputs, lib, + self, pkgs, ... }: let cfg = config.services.forgejo; + gitea = config.services.gitea; in { - services.forgejo = { + imports = [ + self.nixosModules.gitea + ]; + + services.gitea = { enable = true; - package = pkgs.forgejo; - settings = let - initList = l: (lib.strings.concatStringsSep "," l); - in { + package = inputs.loreddev-gitea.packages.${pkgs.system}.default; + lfs.enable = true; + settings = with lib; let + initList = l: (concatStringsSep "," l); + in rec { DEFAULT = { APP_NAME = "Capytal Code"; }; - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "https://data.forgejo.org"; - }; - admin = { - DISABLE_REGULAR_ORG_CREATION = true; - USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys"; - EXTERNAL_USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys"; - }; - database = { - HOST = "127.0.0.1:${toString config.services.postgresql.settings.port}"; - NAME = "forgejo"; - USER = "forgejo"; - SSL_MODE = "disable"; - }; repository = { DEFAULT_REPO_UNITS = initList [ "repo.code" "repo.issues" "repo.pulls" ]; + DEFAULT_TEMPLATE_REPO_UNITS = repository.DEFAULT_REPO_UNITS; + }; + "repository.pull-request" = { + CLOSE_KEYWORDS = initList [ + # en-US + "close" + "closes" + "closed" + "fix" + "fixes" + "fixed" + "resolve" + "resolves" + "resolved" + # pt-BR + "corrige" + "completa" + "fecha" + "implementa" + "resolve" + "termina" + ]; + }; + "repository.signing" = { + DEFAULT_TRUST_MODEL = "committer"; + }; + "ui.meta" = { + AUTHOR = "Capytal"; + DESCRIPTION = replaceString "\n" " " '' + Software forge dedicated for hosting official projects from Capytal and it's members. + Explore and discover the source-code of our commercial user-facing products, internal + developer-focused libraries, and infraestructure setups. + ''; + KEYWORDS = initList [ + "capytal" + "capytal code" + "capytal-code" + "git" + "gitea" + "projects" + "development" + "open source" + "open-source" + ]; + }; + server = { + DOMAIN = "code.capytal.cc"; + ROOT_URL = "https://${server.DOMAIN}"; + PUBLIC_URL_DETECTION = "auto"; + HTTP_PORT = 9964; + }; + database = { + DB_TYPE = "sqlite3"; + NAME = "gitea"; + USER = "gitea"; + SQLITE_JOURNAL_MODE = "WAL"; }; security = { - REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128"; - }; - server = rec { - HTTP_PORT = 9960; - DOMAIN = "forge.capytal.company"; - ROOT_URL = "https://${DOMAIN}"; + INSTALL_LOCK = true; + COOKIE_REMEMBER_NAME = "__Host-capytal_code_forge_incredible"; + PASSWORD_COMPLEXITY = initList ["lower" "upper" "digit" "spec"]; + PASSWORD_CHECK_PWN = true; }; service = { + REGISTER_MANUAL_CONFIRM = true; + REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128"; DISABLE_REGISTRATION = true; + DEFAULT_KEEP_EMAIL_PRIVATE = true; + DEFAULT_ALLOW_CREATE_ORGANIZATION = false; + DEFAULT_USER_IS_RESTRICTED = true; + SHOW_REGISTRATION_BUTTON = false; + ALLOW_ONLY_INTERNAL_REGISTRATION = true; + VALID_SITE_URL_SCHEMES = initList ["https"]; }; + qos = { + # For endpoints not protected by Anubis and protect from overload in general. + ENABLED = true; + }; + cache = { + ADAPTER = "twoqueue"; + HOST = builtins.toJSON { + size = 1000; + recent_ratio = 0.25; + ghost_ratio = 0.5; + }; + }; + session = { + COOKIE_SECURE = true; + COOKIE_NAME = "__Host-i_like_capytal_code_forge"; + SAME_SITE = "strict"; + }; + picture = { + DISABLE_GRAVATAR = true; # Deprecated + ENABLE_FEDERATED_AVATAR = false; # Deprecated + }; + "cron.delete_repo_archives" = { + ENABLED = true; + }; + "cron.git_gc_repos" = { + ENABLED = true; + }; + oauth2 = { + ENABLED = true; + }; + federation = { + ENABLED = true; + }; + lfs = {}; storage = { STORAGE_TYPE = "minio"; MINIO_USE_SSL = false; - MINIO_ENDPOINT = "127.0.0.1:3461"; - MINIO_BUCKET = "forgejo"; + MINIO_ENDPOINT = "localhost:3461"; + MINIO_BUCKET = "gitea"; MINIO_LOCATION = config.services.garage.settings.s3_api.s3_region; }; - ui = { - # DEFAULT_THEME = "capytal-dark"; + "storage.repo-archive" = {}; + "repo-archive" = {}; + actions = { + ENABLE = false; # Temporarily + DEFAULT_ACTIONS_URL = "self"; }; }; secrets = { + server = { + LFS_JWT_SECRET = config.sops.secrets."gitea/server/lfs_jwt_secret".path; + }; + security = { + SECRET_KEY = config.sops.secrets."gitea/security/secret_key".path; + INTERNAL_TOKEN = config.sops.secrets."gitea/security/internal_token".path; + }; + oauth2 = { + JWT_SECRET = config.sops.secrets."gitea/oauth2/jwt_secret".path; + }; storage = { - MINIO_ACCESS_KEY_ID = "${config.sops.secrets."forgejo/s3/key".path}"; - MINIO_SECRET_ACCESS_KEY = "${config.sops.secrets."forgejo/s3/secret".path}"; + MINIO_ACCESS_KEY_ID = config.sops.secrets."gitea/storage/access_key_id".path; + MINIO_SECRET_ACCESS_KEY = config.sops.secrets."gitea/storage/secret_access_key".path; }; }; }; services.gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; instances = { - "forgejo-runner-1" = { + "gitea-runner-1" = { enable = true; - name = "Forgejo Runner (${config.networking.hostName}) 1"; - url = config.services.forgejo.settings.server.ROOT_URL; - tokenFile = config.sops.secrets."forgejo/actions/token".path; + name = "Gitea Runner (${config.networking.hostName}) 1"; + url = gitea.settings.server.ROOT_URL; + tokenFile = config.sops.secrets."gitea/actions/token".path; labels = [ "alpine-3.22:docker://data.forgejo.org/oci/alpine:3.22" "golang-1.24:docker://data.forgejo.org/oci/golang:1.24-alpine3.22" - "node-24:docker://node:24-bullseye" + "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04" ]; }; }; }; - users.users."${cfg.user}".packages = [ - (pkgs.symlinkJoin { - paths = [pkgs.forgejo]; - buildInputs = [pkgs.makeWrapper]; - postFixup = '' - wrapProgram $out/bin/gitea \ - --add-flags --config '${cfg.customDir}/conf/app.ini' - ''; - inherit (pkgs.forgejo) name pname meta; - }) - ]; + # systemd.services.gitea-custom = let + # gitea = config.services.gitea; + # rsync = lib.getExe pkgs.rsync; + # in { + # before = [ + # "gitea-secrets.service" + # "gitea.service" + # ]; + # script = '' + # ${rsync} -av "${./assets}" "${gitea.customDir}/public/assets" + # ''; + # serviceConfig = { + # Type = "oneshot"; + # RemainAfterExit = true; + # User = gitea.user; + # Group = gitea.group; + # ReadWritePaths = [gitea.customDir]; + # UMask = "0077"; + # }; + # }; - services.anubis.instances."forgejo" = { + services.anubis.instances."gitea" = { settings = { - BIND = ":${toString (cfg.settings.server.HTTP_PORT + 2)}"; + BIND = ":${toString (gitea.settings.server.HTTP_PORT + 2)}"; BIND_NETWORK = "tcp"; - METRICS_BIND = ":${toString (cfg.settings.server.HTTP_PORT + 3)}"; + METRICS_BIND = ":${toString (gitea.settings.server.HTTP_PORT + 3)}"; METRICS_BIND_NETWORK = "tcp"; SERVE_ROBOTS_TXT = true; - TARGET = "http://localhost:${toString cfg.settings.server.HTTP_PORT}"; - ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/forgejo/hex_file".path; + TARGET = "http://localhost:${toString gitea.settings.server.HTTP_PORT}"; + ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/gitea/hex_file".path; }; }; - services.caddy.virtualHosts.":${toString (cfg.settings.server.HTTP_PORT + 1)}" = { - extraConfig = '' - reverse_proxy http://localhost${config.services.anubis.instances."forgejo".settings.BIND} { - header_up X-Real-Ip {remote_host} - } - ''; + services.caddy.virtualHosts = let + redir = { + extraConfig = '' + redir https://code.capytal.cc{uri} permanent + ''; + }; + in { + ":${toString (gitea.settings.server.HTTP_PORT + 1)}" = { + extraConfig = '' + reverse_proxy http://localhost${config.services.anubis.instances."gitea".settings.BIND} { + header_up X-Http-Version {http.request.proto} + header_up X-Real-Ip {remote_host} + } + ''; + }; + # Old ports used by legacy https://forge.capytal.company + ":9961" = redir; + ":9962" = redir; }; + + # services.forgejo = { + # enable = true; + # package = pkgs.forgejo; + # settings = let + # initList = l: (lib.strings.concatStringsSep "," l); + # in { + # DEFAULT = { + # APP_NAME = "Capytal Code"; + # }; + # actions = { + # ENABLED = true; + # DEFAULT_ACTIONS_URL = "https://data.forgejo.org"; + # }; + # admin = { + # DISABLE_REGULAR_ORG_CREATION = true; + # USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys"; + # EXTERNAL_USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys"; + # }; + # database = { + # HOST = "127.0.0.1:${toString config.services.postgresql.settings.port}"; + # NAME = "forgejo"; + # USER = "forgejo"; + # SSL_MODE = "disable"; + # }; + # repository = { + # DEFAULT_REPO_UNITS = initList [ + # "repo.code" + # "repo.issues" + # "repo.pulls" + # ]; + # }; + # security = { + # REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128"; + # }; + # server = rec { + # HTTP_PORT = 9960; + # DOMAIN = "forge.capytal.company"; + # ROOT_URL = "https://${DOMAIN}"; + # }; + # service = { + # DISABLE_REGISTRATION = true; + # }; + # storage = { + # STORAGE_TYPE = "minio"; + # MINIO_USE_SSL = false; + # MINIO_ENDPOINT = "127.0.0.1:3461"; + # MINIO_BUCKET = "forgejo"; + # MINIO_LOCATION = config.services.garage.settings.s3_api.s3_region; + # }; + # ui = { + # # DEFAULT_THEME = "capytal-dark"; + # }; + # }; + # secrets = { + # storage = { + # MINIO_ACCESS_KEY_ID = "${config.sops.secrets."forgejo/s3/key".path}"; + # MINIO_SECRET_ACCESS_KEY = "${config.sops.secrets."forgejo/s3/secret".path}"; + # }; + # }; + # }; + + # services.gitea-actions-runner = { + # package = pkgs.forgejo-actions-runner; + # instances = { + # "forgejo-runner-1" = { + # enable = true; + # name = "Forgejo Runner (${config.networking.hostName}) 1"; + # url = config.services.forgejo.settings.server.ROOT_URL; + # tokenFile = config.sops.secrets."forgejo/actions/token".path; + # labels = [ + # "alpine-3.22:docker://data.forgejo.org/oci/alpine:3.22" + # "golang-1.24:docker://data.forgejo.org/oci/golang:1.24-alpine3.22" + # "node-24:docker://node:24-bullseye" + # ]; + # }; + # }; + # }; + # + # users.users."${cfg.user}".packages = [ + # (pkgs.symlinkJoin { + # paths = [pkgs.forgejo]; + # buildInputs = [pkgs.makeWrapper]; + # postFixup = '' + # wrapProgram $out/bin/gitea \ + # --add-flags --config '${cfg.customDir}/conf/app.ini' + # ''; + # inherit (pkgs.forgejo) name pname meta; + # }) + # ]; + # + # services.anubis.instances."forgejo" = { + # settings = { + # BIND = ":${toString (cfg.settings.server.HTTP_PORT + 2)}"; + # BIND_NETWORK = "tcp"; + # METRICS_BIND = ":${toString (cfg.settings.server.HTTP_PORT + 3)}"; + # METRICS_BIND_NETWORK = "tcp"; + # SERVE_ROBOTS_TXT = true; + # TARGET = "http://localhost:${toString cfg.settings.server.HTTP_PORT}"; + # ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/forgejo/hex_file".path; + # }; + # }; + + # services.caddy.virtualHosts.":${toString (cfg.settings.server.HTTP_PORT + 1)}" = { + # extraConfig = '' + # reverse_proxy http://localhost${config.services.anubis.instances."forgejo".settings.BIND} { + # header_up X-Real-Ip {remote_host} + # } + # ''; + # }; } diff --git a/flake.lock b/flake.lock index 1e42e0f..db5e44d 100644 --- a/flake.lock +++ b/flake.lock @@ -145,11 +145,11 @@ "rev": "305579e103f4ca3e4f891f6e919eac5dab5a0057", "revCount": 122, "type": "git", - "url": "https://forge.capytal.company/capytal/capytal.cc" + "url": "https://code.capytal.cc/capytal/capytal.cc" }, "original": { "type": "git", - "url": "https://forge.capytal.company/capytal/capytal.cc" + "url": "https://code.capytal.cc/capytal/capytal.cc" } }, "crane": { @@ -931,11 +931,29 @@ "rev": "bb9a6c5b18f7124c99a144a7ec18b2d5be75decf", "revCount": 57, "type": "git", - "url": "https://forge.capytal.company/guz013/keikos.work" + "url": "https://code.capytal.cc/guz013/keikos.work" }, "original": { "type": "git", - "url": "https://forge.capytal.company/guz013/keikos.work" + "url": "https://code.capytal.cc/guz013/keikos.work" + } + }, + "loreddev-gitea": { + "inputs": { + "nixpkgs": "nixpkgs_9" + }, + "locked": { + "lastModified": 1760046992, + "narHash": "sha256-gxn4TqMjccch1ULBNlau9t0HANrElrahaRw0r39oROw=", + "ref": "refs/heads/main", + "rev": "d9021491c727caceb47ec2f5a057e9d197ce6f1d", + "revCount": 19905, + "type": "git", + "url": "https://code.capytal.cc/loreddev/gitea" + }, + "original": { + "type": "git", + "url": "https://code.capytal.cc/loreddev/gitea" } }, "mdfmt": { @@ -1089,6 +1107,22 @@ "type": "github" } }, + "nixpkgs_10": { + "locked": { + "lastModified": 1757810152, + "narHash": "sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9a094440e02a699be5c57453a092a8baf569bdad", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1753489912, @@ -1203,16 +1237,16 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1757810152, - "narHash": "sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs=", + "lastModified": 1758690382, + "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9a094440e02a699be5c57453a092a8baf569bdad", + "rev": "e643668fd71b949c53f8626614b21ff71a07379d", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -1297,7 +1331,8 @@ "dot013-nix": "dot013-nix", "home-manager": "home-manager_3", "keikoswork": "keikoswork", - "nixpkgs": "nixpkgs_9", + "loreddev-gitea": "loreddev-gitea", + "nixpkgs": "nixpkgs_10", "nixpkgs-unstable": "nixpkgs-unstable_2", "sops-nix": "sops-nix_2" } diff --git a/flake.nix b/flake.nix index 0f14c48..551faeb 100644 --- a/flake.nix +++ b/flake.nix @@ -14,15 +14,19 @@ }; capytalcc = { - url = "git+https://forge.capytal.company/capytal/capytal.cc"; + url = "git+https://code.capytal.cc/capytal/capytal.cc"; inputs.nixpkgs.follows = "nixpkgs"; }; keikoswork = { - url = "git+https://forge.capytal.company/guz013/keikos.work"; + url = "git+https://code.capytal.cc/guz013/keikos.work"; # inputs.nixpkgs.follows = "nixpkgs"; }; + loreddev-gitea = { + url = "git+https://code.capytal.cc/loreddev/gitea"; + }; + dot013-nix = { url = "github:dot013/nix"; }; diff --git a/modules/gitea.nix b/modules/gitea.nix index 9d18f79..3d71ffe 100644 --- a/modules/gitea.nix +++ b/modules/gitea.nix @@ -141,12 +141,12 @@ in { services.gitea.secrets = { security = { - SECRET_KEY = "${cfg.customDir}/conf/secret_key"; - INTERNAL_TOKEN = "${cfg.customDir}/conf/internal_token"; + SECRET_KEY = mkDefault "${cfg.customDir}/conf/secret_key"; + INTERNAL_TOKEN = mkDefault "${cfg.customDir}/conf/internal_token"; }; oauth2 = { - JWT_SECRET = "${cfg.customDir}/conf/oauth2_jwt_secret"; + JWT_SECRET = mkDefault "${cfg.customDir}/conf/oauth2_jwt_secret"; }; database = mkIf (cfg.database.passwordFile != null) { @@ -154,7 +154,7 @@ in { }; server = mkIf cfg.lfs.enable { - LFS_JWT_SECRET = "${cfg.customDir}/conf/lfs_jwt_secret"; + LFS_JWT_SECRET = mkDefault "${cfg.customDir}/conf/lfs_jwt_secret"; }; }; diff --git a/secrets.nix b/secrets.nix index 95facd7..da2ab6d 100644 --- a/secrets.nix +++ b/secrets.nix @@ -32,18 +32,10 @@ with lib; { # Anubis ${config.services.anubis.defaultOptions.user} = [ - "anubis/forgejo/hex_file" + "anubis/gitea/hex_file" "anubis/medama/hex_file" ]; - # Forgejo - ${config.services.forgejo.user} = [ - "forgejo/actions/token" - "forgejo/git_password" - "forgejo/s3/key" - "forgejo/s3/secret" - ]; - # Garage "garage" = [ "garage/admin_key" @@ -53,6 +45,16 @@ with lib; { "garage/rpc_secret" ]; + # Gitea + ${config.services.gitea.user} = [ + "gitea/actions/token" + "gitea/oauth2/jwt_secret" + "gitea/security/internal_token" + "gitea/security/secret_key" + "gitea/server/lfs_jwt_secret" + "gitea/storage/access_key_id" + "gitea/storage/secret_access_key" + ]; # keikos.work ${config.services.keikos.web.user} = [ diff --git a/secrets.yaml b/secrets.yaml index d819eaf..35a2eae 100644 --- a/secrets.yaml +++ b/secrets.yaml @@ -1,12 +1,14 @@ anubis: forgejo: hex_file: ENC[AES256_GCM,data:UlFkdy1MfwaQqDnxtMtg4kH/dMJVl8sk4DMfdaCczHGaPtPuP4ADxcBxqpNkzYnQPxbv5ZXqR4qz8Ur5QHWxUg==,iv:WQHkSMiJEV0IWMVvfxC/EuE/e8QabhJinRHADm7kdSg=,tag:1JRwMp94APRszgBuQ0yaQQ==,type:str] + gitea: + hex_file: ENC[AES256_GCM,data:VeF2FRqZdsYe3A002QLGG8jc5s+Tfr5V4dpO/aZ4Rbh9T/O3XQznocDsmUOvjIysH9wbVwvBXGdH1U3vd0qmVg==,iv:/3VQLK+C76HoCbpZAUQaxOFsiFKDuuP2KWAV0EBasp4=,tag:brqDAaHv7r9DRLBoMMmRqw==,type:str] medama: hex_file: ENC[AES256_GCM,data:wLRw34+uPWpR5GJuI8Q+nlX4hEx3sMn5mSl/lF5kX0Z8N99Eb6Qj4Emx2mK4dNukYNO8j9blw1/RAL94I+QCjQ==,iv:/dW5Z+S14dByXIUyOyEIxxRFl7e4lZZfBKtukV4s68M=,tag:fELbLVzwIgMJUjhNJw4kYg==,type:str] cloudflared: tunnel_env: ENC[AES256_GCM,data:2DYmoNJYIUAgbDzwJO4I4CSEMVoQredhDfiAWkzNTJBzNEuWc3PgYlonr+FwCnu1wU6aep5iNascpscMtN1Y8ef2m4S1p+mef872pBoElgMG1S2suLvwKdwXPafWHaQdxmEbRxMJjWhLGxmbnlExq8w88/VKm6V0TG183bPOjATU+empoGpHWKT6dNoIBOJnjdoeDjoP4fSIW1UVmYWYAePBuwsr6d4y/TjXyoBuCRG02WbCzELFMnkKY3PwamIn0PXs5ifg,iv:vfgzOn4Oo10Uk3gdm3LDo96vBZ87NuILaDjht9btAHA=,tag:Awwx3DdD0BU0H7lsjJQPug==,type:str] forgejo: - git-password: ENC[AES256_GCM,data:SDyFBCwTxnZ1E6R/8HZCBIBj4AREYfqWrgzSEQ6SA3BDGPFsHghiVmF+Jt4omdzUQSoCCblMBsAx0NQBbBJrCbEoBWtybRM7Cg==,iv:KbtjXW1F8YJeapVpEkf8AdXhojmhOQKxG8nCZv7vW4k=,tag:odrL53KeKLVD5AoQB14veA==,type:str] + git_password: ENC[AES256_GCM,data:PLgQBO7ZwApkhWPFDFhTjGxVqWSve2D3mzSVbnOB4YK1jPUSqmE32yQtffEaGQWakFD6c7c4fbtm+eusc81jHYN5gvWh7lwoXA==,iv:D1nypE0CfubCe8J0psJRiJBc0AR9PsZGcXigdXCReQs=,tag:1j8gw//MLKJXScfth8ClOg==,type:str] s3: key: ENC[AES256_GCM,data:kdzRs/3kBXJt+jOVlFAm5EaRHNWq5XnK/Ts=,iv:qcqXQsxJXX9JlJwCuoz9y6izR9b1gs3xhnhO3tTpwK0=,tag:ikx95iSB/kGZ6/RFL+rvjg==,type:str] secret: ENC[AES256_GCM,data:DVF4DB6dnWpVGK4QwStjMcYbvNQlnJn84xmRxI86r5tqDnyPbFDYN8RNlLyjulBQzJH6pMUkfk5vShNpaLaffA==,iv:5aUuyVnNK20y/NTAw2VZNxE+EaN6tfciwtyb7e/vJGg=,tag:+McVG3UdgEp0OfuuKsmOFw==,type:str] @@ -16,6 +18,19 @@ forgejo: email: ENC[AES256_GCM,data:e6GOwBzRBxa00CHYHgV8,iv:oerF3kJWzjzOatND8Tngp3MADw2kaBKyigeFxtH/ypQ=,tag:1q093JG9hRDxs6OzOIU3vw==,type:str] actions: token: ENC[AES256_GCM,data:tjzIEA+TuwInBwfic7P6ZpN7XyQ2RWC7CZrGEjRtFR/Lj7xb4ysPfZ7d91AjNjw=,iv:e3nWZ3BvDeZvEUiJJ6h7u37UC4GZd/i582MRzE9pkyI=,tag:rZZnz5kGiLtCrUdNwgy8Xw==,type:str] +gitea: + actions: + token: ENC[AES256_GCM,data:BrsTb1JNp5+eRtWk1/bqdgEdS7eDhUzZatl68jBSFqyv/4aHy3xzybxotdpmIQM=,iv:Mx+naexdYq1Gy3oCPTjYz5cdf4p2Mx8AFxmhwzfOPXo=,tag:/o2X2BlPwUAPkTo0iumMMw==,type:str] + oauth2: + jwt_secret: ENC[AES256_GCM,data:Mrdh35mf7zhuNHSrUJNmlRpzC4qPLlMQotZYJDnVcjtSbqi8Vr2Xa0o19Q==,iv:JFjs9rgDqgf7rEtlRhyO8lz71CgiEc1DUO6+w5Xvq00=,tag:fu4K3okXxKfezI+V+s+G6w==,type:str] + security: + internal_token: ENC[AES256_GCM,data:Wxozs+7XPkTUr6fcOyRGSVbekArrJs1IIdxDB3nUJmESJ5jhhB493r3nw3+Ftj1poZXNDXLBilGjQ5rYi+FW4pjH21pWNyJ2gtXEmwDFG7VMhTa/kqMK0RdvN+m683y91vBmkm4AJmQU,iv:+1Tl8mxhd0YpWvJtW2da3yFmm2aJXES+b9T97WNJqWU=,tag:osq0yeWVOuNpqopVkNDz/Q==,type:str] + secret_key: ENC[AES256_GCM,data:PBNDuXo2vLEewr5z5S4ocVDPDcU49v24iFF7TOlpWS9Lawp9Y+/3xMSr8z8v3ajfK8K46sE9GlXuOt1g5QmGqg==,iv:FDG2G4UlFmKLn9S3tDQCpI1I92vaWo8j7Y5mp0x85Bs=,tag:yf15GwQ5HmwOIlSUVzcsPg==,type:str] + server: + lfs_jwt_secret: ENC[AES256_GCM,data:yY969ZtaVcF7KYT/n1H+ZBM+tNH1Bvx+WwUTXJSVenlz8zzk9SepkDPbdg==,iv:GL17rWtHjzzBZiyrZ/UWkHzrAvHX5vyv4BIhNtq3AL0=,tag:T8weRUemG3b7DVnNtMEFoQ==,type:str] + storage: + access_key_id: ENC[AES256_GCM,data:lMWloeJmqehgw407FGmUYyj0LUW6ogT5M40=,iv:GCr0EMspwK5ByxEXFSdk+GKkY5YL7nweZeOaVx7XNl8=,tag:2f4C0J5xxsTNDjKmSe/+7g==,type:str] + secret_access_key: ENC[AES256_GCM,data:ygQfso7dWktV9BhureOE9JuXePOYGF71YKfs0K0Co8786YxltQEel/zyvAccT/wtM9bcqfcnvYx1E6QqpAA/Ow==,iv:rvPuD2mF+X8TfvL3By6wOrxVC6g3oIPM9BFWX59DAlQ=,tag:1y9wPd34xdrmU+4ECCJP+A==,type:str] garage: admin_key: ENC[AES256_GCM,data:ORtjXzJrbWITofjNpVsTHE1gHcwNhBcbMNM=,iv:99XCuu5hGa3ZnAqbOsmgjeMouC8EnTzsJ0HuOoHwKEE=,tag:eJVx+A8MJ4g1xXr2F5hTkg==,type:str] admin_secret: ENC[AES256_GCM,data:7hMOXJwIr0pkCFBBh5vnDy//R9UwD+eTlddT1VGOpqYaA0andf0jRfGOr0efcX0x/EvlDOrfFqn8ME8icZRRbw==,iv:KGxqXhzNWFWiwBHRSP+aov2fCNHgFuUtpBF4nd40mGw=,tag:ixcehvjzs6CfVyAAl315dw==,type:str] @@ -42,7 +57,7 @@ sops: amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO 4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-10T02:06:29Z" - mac: ENC[AES256_GCM,data:/FSwyA7AfbRZgCPfn0MbUaW+OduFpluWX5RntzjJMieJzfdix+NAwFnOThr+vtN24VybepvlayXzfTlf9lWlfotozit/jdZMoPipEifEiO8LoXDrmNUZow8AOJ9cmCOKNx8YdcN0K28mE0nTTkP8aXPumcyWKuLa8+faLEgPs0Q=,iv:uQIHkfTbuM7dy34S4mpYEmLG3B2ff003IaSp07rN50g=,tag:qkFwvjxojtksfEDVpsFAYw==,type:str] + lastmodified: "2025-10-10T21:47:17Z" + mac: ENC[AES256_GCM,data:4K5fNM05Mm3VCFTx2lntPUcaW/fznjchMdd26VJURBTED3Hr8wpLyNMFtWqWlKZvVuMyk7VQyyBmysb0clmydHpuDR9TtJSJA+IyIyK6IQJi86mQs7IpcSf4Z6uXA33ed3z2aJWhwA8l+5XtwQjYQbDeME1v/ir7xTeqz8P4STI=,iv:iaXcW+3UumdAR/v4/Pp8ZCqJQ2WmL6fucRFJwTugxrc=,tag:sxUajgkMkYjshIgU24o+/w==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2