From 0961b893eb50b5de5c2885e2dc548dbdaa318fc6 Mon Sep 17 00:00:00 2001
From: Max
Date: Sun, 30 Jan 2022 23:15:08 +0100
Subject: [PATCH] VEGAS: switch to GitLab
---
 hosts/VEGAS/services/git/default.nix | 60 ----------------
 hosts/VEGAS/services/gitlab/default.nix | 85 +++++++++++++++++++++++
 hosts/VEGAS/system.nix | 2 +-
 secrets/gitea-db-credentials.age | 14 ----
 secrets/gitlab-initial-root-password.age | 12 ++++
 secrets/gitlab-openid-secret.age | 11 +++
 secrets/gitlab-secret-db.age | Bin 0 -> 609 bytes
 secrets/gitlab-secret-jws.age | Bin 0 -> 3837 bytes
 secrets/gitlab-secret-otp.age | 14 ++++
 secrets/gitlab-secret-secret.age | Bin 0 -> 666 bytes
 secrets/secrets.nix | 7 +-
 11 files changed, 129 insertions(+), 76 deletions(-)
 delete mode 100644 hosts/VEGAS/services/git/default.nix
 create mode 100644 hosts/VEGAS/services/gitlab/default.nix
 delete mode 100644 secrets/gitea-db-credentials.age
 create mode 100644 secrets/gitlab-initial-root-password.age
 create mode 100644 secrets/gitlab-openid-secret.age
 create mode 100644 secrets/gitlab-secret-db.age
 create mode 100644 secrets/gitlab-secret-jws.age
 create mode 100644 secrets/gitlab-secret-otp.age
 create mode 100644 secrets/gitlab-secret-secret.age
diff --git a/hosts/VEGAS/services/git/default.nix b/hosts/VEGAS/services/git/default.nix
deleted file mode 100644
index 6e54144..0000000
--- a/hosts/VEGAS/services/git/default.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{ config, lib, tools, ... }:
-with tools.nginx;
-let
- inherit (tools.meta) domain;
-in
-{
- reservePortsFor = [ "gitea" ];
-
- age.secrets = {
- giteaDBPassword = {
- file = ../../../../secrets/gitea-db-credentials.age;
- owner = "git";
- group = "gitea";
- mode = "0400";
- };
- };
-
- services.nginx.virtualHosts = mappers.mapSubdomains {
- git = vhosts.proxy "http://127.0.0.1:${config.portsStr.gitea}";
- };
-
- services.gitea = {
- enable = true;
- appName = "Private Void Gitea";
- httpPort = config.ports.gitea;
- domain = "git";
- rootUrl = "https://git.${domain}";
- disableRegistration = true;
- # TODO: re-enable securely
- ssh.enable = false;
- user = "git";
- log.level = "Warn";
-
- database = {
- createDatabase = false;
- type = "postgres";
- host = "127.0.0.1";
- port = 5432;
- name = "gitea";
- user = "gitea";
- passwordFile = config.age.secrets.giteaDBPassword.path;
- };
-
- # TODO: integrate branding content (css, images) into system closure
- settings.ui = {
- DEFAULT_THEME = "void";
- THEMES = "void";
- };
- };
-
- systemd.services.gitea.after = [ "keycloak.service" ];
-
- users.users.git = {
- description = "Git Service";
- home = config.services.gitea.stateDir;
- useDefaultShell = true;
- group = "gitea";
- isSystemUser = true;
- };
-}
diff --git a/hosts/VEGAS/services/gitlab/default.nix b/hosts/VEGAS/services/gitlab/default.nix
new file mode 100644
index 0000000..3c3fd93
--- /dev/null
+++ b/hosts/VEGAS/services/gitlab/default.nix
@@ -0,0 +1,85 @@
+{ config, lib, tools, ... }:
+
+let
+ inherit (tools.meta) domain adminEmail;
+
+ mkSecret = name: {
+ owner = "gitlab";
+ group = "gitlab";
+ mode = "0400";
+ file = ../../../../secrets/${name}.age;
+ };
+
+ secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
+
+ cfg = config.services.gitlab;
+in
+
+{
+ age.secrets = lib.flip lib.genAttrs mkSecret [
+ "gitlab-initial-root-password"
+ "gitlab-openid-secret"
+ "gitlab-secret-db"
+ "gitlab-secret-jws"
+ "gitlab-secret-otp"
+ "gitlab-secret-secret"
+ ];
+
+ services.gitlab = {
+ enable = true;
+ https = true;
+ host = "git.${domain}";
+ port = 443;
+
+ initialRootEmail = adminEmail;
+
+ statePath = "/srv/storage/private/gitlab/state";
+
+ smtp = {
+ enable = true;
+ inherit domain;
+ };
+
+ initialRootPasswordFile = secrets.gitlab-initial-root-password;
+
+ secrets = with secrets; {
+ dbFile = gitlab-secret-db;
+ jwsFile = gitlab-secret-jws;
+ otpFile = gitlab-secret-otp;
+ secretFile = gitlab-secret-secret;
+ };
+
+ extraConfig = {
+ omniauth = {
+ enabled = true;
+ auto_sign_in_with_provider = "openid_connect";
+ allow_single_sign_on = ["openid_connect"];
+ block_auto_created_users = false;
+ providers = [
+
+ {
+ name = "openid_connect";
+ label = "Private Void Account";
+ args = {
+ name = "openid_connect";
+ scope = ["openid" "profile"];
+ response_type = "code";
+ issuer = "https://login.${domain}/auth/realms/master";
+ discovery = true;
+ client_auth_method = "query";
+ uid_field = "preferred_username";
+ client_options = {
+ identifier = "net.privatevoid.git2";
+ secret = { _secret = secrets.gitlab-openid-secret; };
+ redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
+ };
+ };
+ }
+
+ ];
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
+}
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index 664689b..fa2fc44 100644
--- a/hosts/VEGAS/system.nix
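Review bot: The OIDC provider block in this hunk binds GitLab accounts to `uid_field = "preferred_username";` while `block_auto_created_users = false;` and `allow_single_sign_on = ["openid_connect"];` let every identity the issuer presents create an active account on first login; OpenID Connect Core states that a relying party must not rely on `preferred_username` being unique or stable, so a renamed or re-created IdP user can end up attached to another user's GitLab account. Binding on the subject claim avoids that, `uid_field = "sub";`, and `block_auto_created_users = true;` would hold new accounts from the `master` realm for review before they get access, if that realm is not meant to be the sole trusted user directory. `client_auth_method = "query";` sends the client secret in the token-request URL, where it tends to land in the IdP's and any proxy's access logs; `client_auth_method = "basic";` keeps it in the Authorization header instead. The removed Gitea module had `disableRegistration = true`, and nothing in this hunk carries the equivalent GitLab sign-up restriction, so it presumably relies on an admin-side setting — worth recording with a comment such as `# self sign-up is disabled in the GitLab admin settings, not in this module` once that is confirmed.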
+++ b/hosts/VEGAS/system.nix @@ -22,7 +22,7 @@ ./services/cdn-shield ./services/dns ./services/fbi - ./services/git + ./services/gitlab ./services/hydra ./services/hyprspace ./services/ipfs diff --git a/secrets/gitea-db-credentials.age b/secrets/gitea-db-credentials.age deleted file mode 100644 index 8ec49a3..0000000 --- a/secrets/gitea-db-credentials.age +++ /dev/null @@ -1,14 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 NO562A PM8oVK72FJjSPefR1JV7e9Sti+QMPmNyOWNyjjn1Eyo -jjc6tg7dnwAajhCTO/IH+8sszSP/WbCipuROvwD0Hxk --> ssh-ed25519 5/zT0w cvASi9DkdxdKXSnxWi/mwjlYVz9PtnQqnNFwHr22TR4 -jASmnJsbTIItkRJzgIWmPPAqMziWREjzUpk6WEQG56g --> ssh-ed25519 eDiawA R586/78N4EYagb8c5Ff9wqtOE4QYtU/vKVhOCSn+2RY -ekys4sz2TxUtGH2rSGgXVnHvg4G6maPkYvJd1CiLJ2E --> ssh-ed25519 d3WGuA jj4c320WQiJ/N80fEeLe0GHD1lSnOT8hGLhsL+T8XCg -Mt2cS6+I9vKtczzb+3mWm0MquWigMJIWJaSvh+jhOjA --> Vsn^{"-grease \<`i)T UL]B -pz4ZxTRE5ugg7JkLSTfkmfi4TFfOP+H1pny8rAbThQGXSIX9SxEpFVwhcYqqMkEg -LH5NvQztS+cZYQ0Sr7q666h4H7OKBRFbTmHMWxNdIecP43On ---- nknCOv9z0f8V+PrNTAEGdrxhLeY1nlfuDINbbgPr1Wo -0~Na[gs\!*0r/^`c3g>oɍkv mS \ No newline at end of file diff --git a/secrets/gitlab-initial-root-password.age b/secrets/gitlab-initial-root-password.age new file mode 100644 index 0000000..1f703ff --- /dev/null +++ b/secrets/gitlab-initial-root-password.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4 +ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE +-> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk +w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ +-> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s +fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8 +-> AOy-grease dju$ xL|5Hh q(A +h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE +Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0 +--- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ +ܙj>r|>Q7pdh 357{Z9L $DU$0Y٠3BM@oU_dDݶ5jq/j`6ZiA&Qʡ*Օ:R%+ ɡ \ No newline at end of file 
diff --git a/secrets/gitlab-openid-secret.age b/secrets/gitlab-openid-secret.age new file mode 100644 index 0000000..3a57392 --- /dev/null +++ b/secrets/gitlab-openid-secret.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0 +ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s +-> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk +pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU +-> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q +4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0 +-> hD-grease q%QV%; &/ +jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw +--- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4 +AWee c[ 3myΈ6 g{7rd_7WP':u N \ No newline at end of file 
diff --git a/secrets/gitlab-secret-db.age b/secrets/gitlab-secret-db.age new file mode 100644 index 0000000000000000000000000000000000000000..347fe7f2c707b92eaddbfc6f1cdad81c0e3a4583 GIT binary patch literal 609 zcmZ9_OKZ~r003YQW7;quD8fLHpu>YDOVT#UqA*C4Y-^GwZPV@%aN0JnwrR3F+N3$` zAbRrPe1Jz~-~$oyAhP*HWYde@L=U3EU_%iR_2Oe7UibZhuVQGBX4ky#Y*2UXLB})T z4hlfSpzoWIrlv3qB|%Zb@Dv4-^=YidOH*i3)7!3>a?=!19T5vIHQnmCp^_rtVwGZ5 zlxBf6!edfXpekjykzzwX?L@^=mY_H$84H#QM`b>8;yB+PbvADp9G8#~Ea%6&u$WOP zE1kwitKo<)pq`#2u#g|AX%#u;hIP6m^W#Vv;D#_1$sl9FkVo2CxQIwYN&1*2>R5%>V-gH)uo za)2{!$b{pW4TJGrd~C8-DHce@4g-_Tjd!|rI2X!_?qN-$`G4zZ$05VhD!vACfTyUE znJEaZEEZ-7Jz^XgE|PhM5fyd9$N>-pfqug-O4)k8@WB-ps}GTd2O5^Q)JmgT}>I zdlzO;td;gHow<5fnCbj#j4eN~1_v5z2LSe%{p9!Rg?r|sg_U(`>E}Z`!R@(p=p6rW zc>QML?fJha-*KO}toXAVh9C%HNNF@Lcu8ntXJt5WacFXKWN1idS4?(6cvw(vK}T|OH$g*dIW|Z$WKK0= z3N0-yAUIQWR5WOKQ)^>EM=w-wac?ngS5Z`WNo`YNS!i}bXhlqKWI0ktVQxul3IS`Z zTlcu_WE^PH3J|Q$Lyb>aosWVw_%uAQ4~s4h5mC$&svD=>lN)9M8Q_CU6eU(H%4b@BJGYVQJYY$J)zIh8KA%VWKtCWcZq| zzs$cAB@yc0d_Or4aR)LK+zZ)`PW@G*Ju9*e7xmI=h5O2*L@N z#l?1?8$G4k#meWc{`I7u)(4HKZ>?|vrgem23~rGrusgQ!Mps+H3FC8mN)OLjD$(>b zIieR@5+BQUOQnu!;$D+PISLVbz(Z35Znf&PqRdRmJRWc>Glu*s3B z&7!WNK`P^wn^bmLP68fbRT8|gj-PNMjFh1|KuDOg2*^pV)#o&OUY6Y?GJRks3k|0Q zfIxc=)OvKYOArH&IWrNx+HRe)uRpPep+lR#H|X81DYRV zs{wJ$-aS>Ghc5{V)QkfpTeHcC4b5Ph{dN~iWIhx%Ln~>{h2wXZV1(KpUM%%ezlsM| z+P5TAW|Rm(k|$@Ij4f9``bi@`IWo}s^Q$SEg^55vDZ**!UxWeyAUdS+x7;|cEiuu5 zzZdS`UhVPRZLEH}2@cwc=1kUC)(tSX)_|9L55;i}WsJ^_S@TJqoFgQu1mdi^OnzDZ zpHI*PsMQ4$S%gHsROkU$ndp5qTAMW%q3kfCJJWx_?%G$OO|< zb$N(X$*7x%&UZ^Qm~R5ej0~)nUZ>R*BV9Db#d$x3-hc0Gc{eW%Ss46xNj@W&h4!f?=OJjMNMS1AX3Lv7{)0GYT5|6iUVKo@6f=$Ar*qsIlXd4^+tnp z!m{=S(wgCf2KNTN(U#aM0Uh7MPO*DOyrSUBHrr^F{`O{mvitT$bA=@$YtB{m#+&8#|lU3KmN7e z)sx8gFF#+8h{2qNN}WH=tD&e7Ga>I}yZ*(_18H;Tt0&PG6{i7de1xcBl-)LA1b)eS z5W@rnxE)#z+Fd+{(h`tN6+ZoOX#9HFEi1)s`;~7d>bk5ZN$>nv$r1PLnp{$HAYNiC z^Nxc0)cCRiovML1P;T1XB%}nv+7Coa(JK>qU;d!-wy>1fs5P&8Y>~=CoIixFZ`-ha z>!qk7O2yg|H}5~42;MDBsEQTG{I?rdNV9gE3R|cG2XAn70vxj*tbcw~>~ 
z4J$6kgS}rdXE3Mz$)x=Uss=u1HurtxX9b&)XkjbwBvGph>h2nUuKA5mwu0FFLzEu5 z4Gy6y{jvy5q%Hy1=!~`<%i$_&d8<-njEI2cY0W*zWXakSLbF1%j8mUL$T$L=>lzf3 zm~CboQqs5_`L*_jkQ;AL1r@c||5g1In*qb$IlC@fHT9a&UA%{!Oz({%&(&C%OW6ILXYMY8q7cw+XX84#|?4v!N!NLn@a*QZx5 zWM#_x)hOFg1!Grpz>cEDXrVMhoOuY~SYlqTGG~*w_VnaKYa^GSRdfRAkE58gIh#1*JHQCnrI` z>E67MMIuNeMIoVB)B3!K$bcJ;!m1kMXIl8kZgH+&O!xHv2=^)_ZH+&J?(4Gxo z!%c;`9ztaHxkKPivluE8s2gw^-c>j9h-v|jR?+&JeLg@9@42D01U^CewzMK2Mn#Gn zx9!TCKkp#`AeD{ojhccQ@-Y4XohN|ofhmvTI>8snn$nd%ii|!l<-V>^>TFU#WmLEa zv_9up)i9Nq=Z2M=j-i&xBGt8-ste~cD55rfYbrd>GoS4Mf_)e<#p|I; zg|4jq{bySSfP2t13}W8Z%&U3!PVK8n%X8+N39NjN3MDd&G6W|~CF_weOyyBVJ3$>= z7Q4s_t*4;yS5+0!dq;njgBT2s0f6DJI8s#(fQRTadAjnrvQg(t&uEbh0Dk;#j2@M- zMyj=B!zB2jXQxh=arlLp2!x-m`G!u9mHp(}vtH;=6yEFfVMqASf~|ETJ*S`BLGlsY zWZhloh#D}CHv&|h70oRvm&nrRW#(iVLz`-0g1WWd{Ormn4fk+sFR}Ufx)s| zwg_hOwkvB()BJL$X@7UQL{8Bz*;b^yfags=^D1CanAEtE-EN4p%JJ;sl-bX>z1e<% zbwySixy$hrqBFKv(5)uT4We+wN`{S;ZD>ZW)jou;nQ$-1xeW=I#;cQE&#lJju}*TO z6|h!#V{f-k+SeaBNmCjvtwnZWu7zKv(%oK{m%TJq*}KSi{P^b{Ut?7>oGyjVZVHDO zym@l8&sWi;k=&oH0!2Kt$3xpnBRAv4|%g+Fz38$8oJWNgG>q zbX_9nfi;D^7h9Ij1QMe&Y0M_f0_`auil_;)9=#S-7Sz8>rokL<1ROnZI(!x_zwK;7 zbGUR^jKS-aAyj}p2yXw5-3jDZua19$Q`)fD^iHWN9e(B#THywJE){9AgpdxHvXC0D z|GvWu2x)NiNdM0XD@)VABZ7l4T=g`9E9eo7SahJ4Kz4w5u0 z&oyH?ncXPFs+-4REuzf*}T^{wLt7he!0F-boj|Lo=acyG3@}c literal 0 HcmV?d00001 diff --git a/secrets/gitlab-secret-otp.age b/secrets/gitlab-secret-otp.age new file mode 100644 index 0000000..28e6c7f --- /dev/null +++ b/secrets/gitlab-secret-otp.age 
@@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0 +J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4 +-> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk +yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE +-> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk +7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI +-> Q-grease KJL\,Pw& c!aOPX +C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE +xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg +--- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo +@# +Q)F:G # gL-k{Td+8܃/-a\O*!^Ry@Z/o~I +[PO've^,?oM]1WFJęB&y yVv_ %Ǐ' \ No newline at end of file diff --git a/secrets/gitlab-secret-secret.age b/secrets/gitlab-secret-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..0b8f89ee44b2f695098fe4d802d99a4483c47c00 GIT binary patch literal 666 zcmZ9_O>5I&007_}bZnJ5^&ogM9>xwOOVT#!3iG3FnzT)mr7>-mu}juBY11}M@+RrW zb{bv;6)d}mAfkBCTgAhe-eh_bRK#6GMZJh~1JQ#xb>el;A9%E?j_R!n>^Z(^x29}Z z#o9y&J%e~&4b?$}B#8tf%#u_ji4^&4ouvqo6Qw$@0r@^24tb2{@?0TXcg+3rz6WQGT&6& zQ7#Bkr7ZBtZrqZ(6pj0;$%>+3!#HI$GaAFBD!{2HXbQ{o(|M?vR+CVZ?J#s9;g)8p zv=*|QEJ?D{JnS;AB04y9L!W=7Bs}N>o_qr zG?C~p+?wQGKiM4F`>@kI7o`bw>GY*-2HeyhZdr#L70|!eKXQlNx_$S?qtE^I3vXve z4%lz5O5mM0wDId>^xJ~>`^)g))!D)LALQs?xOq)f#y_p^t`uiZr0kjI<10hMqYJA$ zKe6o}FL&(~aqs=+vB5>`#e=Wt{gaoyk-gQ?v8T^^&nM^7-`9legNajz;s;}?jpebm H