othrayte/infra
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Compare commits

base: othrayte:a30e60b557aa2316c32b76263ec4b564cfe2346f
Branches Tags
othrayte:main othrayte:renovate/null-3.x othrayte:renovate/litestream-litestream-0.x
..
compare: othrayte:4f2934411b27140fc3e578dd2de46a5f620ca063
Branches Tags
othrayte:main othrayte:renovate/null-3.x othrayte:renovate/litestream-litestream-0.x

2 Commits
a30e60b557 ... 4f2934411b

Author SHA1 Message Date
Adrian Cowan
4f2934411b Add GitHub token to renovate configuration so it can pull release notes 2026-04-18 16:45:35 +10:00
Adrian Cowan
54dbe0c667 Cleanup diun references from ntfy, diun was never actually committed 2026-04-18 16:44:44 +10:00
5 changed files with 10 additions and 17 deletions
Expand all files Collapse all files

11
2-nomad-config/ntfy.nomad.hcl
View File

@@ -46,14 +46,8 @@ job "ntfy" {
# Bcrypt hashes are not secrets and are hardcoded below (same as /etc/shadow — safe to commit). # Bcrypt hashes are not secrets and are hardcoded below (same as /etc/shadow — safe to commit).
# Generate with: docker run --rm -it binwiederhier/ntfy user hash # Generate with: docker run --rm -it binwiederhier/ntfy user hash
# or: echo "mypassword" | docker run --rm -i binwiederhier/ntfy user hash # or: echo "mypassword" | docker run --rm -i binwiederhier/ntfy user hash
# For the diun account the plaintext is irrelevant (token-only auth); use a random password:
# openssl rand -base64 32 | docker run --rm -i binwiederhier/ntfy user hash
#
# Required SOPS keys: # Required SOPS keys:
# ntfy.database_pw — postgres password for the ntfy role # ntfy.database_pw — postgres password for the ntfy role
# diun.ntfy_token — access token for Diun (actual secret — grants write access)
# Must start with "tk_" and be exactly 32 chars total.
# Generate: tok=$(openssl rand -hex 15); echo "tk_${tok:0:29}"
task "ntfy" { task "ntfy" {
driver = "docker" driver = "docker"
@@ -80,11 +74,6 @@ behind-proxy: true
enable-login: true enable-login: true
auth-users: auth-users:
- "admin:$2a$10$rLp4qagJnsA8Es5hQlISH.WrlzwMrXE2MBaEgz7zdd2lkAVu30lMy:admin" - "admin:$2a$10$rLp4qagJnsA8Es5hQlISH.WrlzwMrXE2MBaEgz7zdd2lkAVu30lMy:admin"
- "diun:$2y$10$4wi1VG.Vp5p3Q2OEIXaTSOmwZm.G9dpNca9BqQRMdGGnk2yQqK3Gq:user"
auth-tokens:
- "diun:{{with nomadVar "nomad/jobs/ntfy"}}{{.diun_token}}{{end}}:Diun"
auth-access:
- "diun:diun:write-only"
EOF EOF
destination = "local/server.yml" destination = "local/server.yml"
} }

1
2-nomad-config/ntfy.tf
View File

@@ -6,7 +6,6 @@ resource "nomad_variable" "ntfy" {
path = "nomad/jobs/ntfy" path = "nomad/jobs/ntfy"
items = { items = {
database_pw = data.sops_file.secrets.data["ntfy.database_pw"] database_pw = data.sops_file.secrets.data["ntfy.database_pw"]
diun_token = data.sops_file.secrets.data["diun.ntfy_token"]
} }
} }

5
2-nomad-config/renovate.nomad.hcl
View File

@@ -43,12 +43,15 @@ job "renovate" {
} }
# Required SOPS key: # Required SOPS key:
# renovate.gitea_token — PAT for the renovate bot account in Gitea # renovate.gitea_token — PAT for the renovate bot account in Gitea
# Create a dedicated 'renovate' user in Gitea with these token scopes: # Create a dedicated 'renovate' user in Gitea with these token scopes:
# repo (read+write), user (read), issue (read+write), organization (read) # repo (read+write), user (read), issue (read+write), organization (read)
# renovate.github_token — read-only GitHub PAT (any account) for
# fetching changelogs and avoiding github.com API rate limits
template { template {
data = <<EOF data = <<EOF
RENOVATE_TOKEN={{ with nomadVar "nomad/jobs/renovate" }}{{ .gitea_token }}{{ end }} RENOVATE_TOKEN={{ with nomadVar "nomad/jobs/renovate" }}{{ .gitea_token }}{{ end }}
RENOVATE_GITHUB_COM_TOKEN={{ with nomadVar "nomad/jobs/renovate" }}{{ .github_token }}{{ end }}
EOF EOF
destination = "secrets/renovate.env" destination = "secrets/renovate.env"
env = true env = true

3
2-nomad-config/renovate.tf
View File

@@ -5,6 +5,7 @@ resource "nomad_job" "renovate" {
resource "nomad_variable" "renovate" { resource "nomad_variable" "renovate" {
path = "nomad/jobs/renovate" path = "nomad/jobs/renovate"
items = { items = {
gitea_token = data.sops_file.secrets.data["renovate.gitea_token"] gitea_token = data.sops_file.secrets.data["renovate.gitea_token"]
github_token = data.sops_file.secrets.data["renovate.github_token"]
} }
} }

7
2-nomad-config/secrets/secrets.enc.json
View File

@@ -53,7 +53,8 @@
"database_pw": "ENC[AES256_GCM,data:79c2KFs3tcbet1dSGnkSDlAeKLCZrh4aMYLXTROM8w==,iv:eZ4limyjl++nsvHUzPKy82hfLZEOc+XQYpO6Czo/8os=,tag:iX9SiEACQ5IM8f1jhZh5Qw==,type:str]" "database_pw": "ENC[AES256_GCM,data:79c2KFs3tcbet1dSGnkSDlAeKLCZrh4aMYLXTROM8w==,iv:eZ4limyjl++nsvHUzPKy82hfLZEOc+XQYpO6Czo/8os=,tag:iX9SiEACQ5IM8f1jhZh5Qw==,type:str]"
}, },
"renovate": { "renovate": {
"gitea_token": "ENC[AES256_GCM,data:/J3CDMgWZLe20oQ+ENKBMi8fs/+jgsARV7xihMq0OLmRk8C8ae/IXg==,iv:e7WYOanSOCZ/LhN6SKrH0VrR3xLPTTppOKpGpSl+oAc=,tag:XBAilRdK3jL7WtM+92Fsmg==,type:str]" "gitea_token": "ENC[AES256_GCM,data:/J3CDMgWZLe20oQ+ENKBMi8fs/+jgsARV7xihMq0OLmRk8C8ae/IXg==,iv:e7WYOanSOCZ/LhN6SKrH0VrR3xLPTTppOKpGpSl+oAc=,tag:XBAilRdK3jL7WtM+92Fsmg==,type:str]",
"github_token": "ENC[AES256_GCM,data:omZpdsTV1aFgQ9PjIApITEyIRKk6Z8QyvD2Kp5tJnBWzFCm4v2lRAg==,iv:cKL7z+CSChzF9eZEcske2lbmx9KV6CrWw0tn7rmP/10=,tag:gon3Sc1d3ntNSbWwenHuOw==,type:str]"
}, },
"sops": { "sops": {
"age": [ "age": [
@@ -62,8 +63,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2026-04-18T06:07:22Z", "lastmodified": "2026-04-18T06:30:49Z",
"mac": "ENC[AES256_GCM,data:4UJMEZNS8HXtn1vIJ+qCkBJL5oh3Jp7wbaGm5hMiSNPseNq3smTYmMgh+TNK4t/K7yxfukTuhEFTUsnMfi7rIxTrbCpcTdnqJSYm/iflkdA57Tx+mHpY9iG7wtRmObow18Ea0rj6foMu+1V8pVFomzhc/ipafinTCuqodKW1a2Y=,iv:Gu/Lh8mir36ltN++qJg122ry+eJA0GKSrfijulYM7q4=,tag:5tjBzrCZcQUvc76No+E9Ow==,type:str]", "mac": "ENC[AES256_GCM,data:ZqT+lJxFOxbRaDkex8URHRRoNSoHVkB9tbMCDVWoln0otMUBFDnxa1Fqwzl77G+JxD/I7W5QX5qUx+oSoDxhyCvC97tjBfTZ+nlqTos25wLddSKwOfbvRNS7oZrzMt5AepgauApucNDjjUWtZB55mTV497PzESLBrZeI/4zpCU0=,iv:AVvlyJLyLJup2PtLt8NzZO+uCbuQKmUV0S2swwl6nME=,tag:HxywCeG6NQotrsN7ovDfrw==,type:str]",
"encrypted_regex": "^(.*)$", "encrypted_regex": "^(.*)$",
"version": "3.10.2" "version": "3.10.2"
} }