VEGAS: switch to GitLab

This commit is contained in:
Max Headroom 2022-01-30 23:15:08 +01:00
parent 2162bf9991
commit 0961b893eb
11 changed files with 129 additions and 76 deletions

View file

@ -1,60 +0,0 @@
{ config, lib, tools, ... }:
with tools.nginx;
let
inherit (tools.meta) domain;
in
{
reservePortsFor = [ "gitea" ];
age.secrets = {
giteaDBPassword = {
file = ../../../../secrets/gitea-db-credentials.age;
owner = "git";
group = "gitea";
mode = "0400";
};
};
services.nginx.virtualHosts = mappers.mapSubdomains {
git = vhosts.proxy "http://127.0.0.1:${config.portsStr.gitea}";
};
services.gitea = {
enable = true;
appName = "Private Void Gitea";
httpPort = config.ports.gitea;
domain = "git";
rootUrl = "https://git.${domain}";
disableRegistration = true;
# TODO: re-enable securely
ssh.enable = false;
user = "git";
log.level = "Warn";
database = {
createDatabase = false;
type = "postgres";
host = "127.0.0.1";
port = 5432;
name = "gitea";
user = "gitea";
passwordFile = config.age.secrets.giteaDBPassword.path;
};
# TODO: integrate branding content (css, images) into system closure
settings.ui = {
DEFAULT_THEME = "void";
THEMES = "void";
};
};
systemd.services.gitea.after = [ "keycloak.service" ];
users.users.git = {
description = "Git Service";
home = config.services.gitea.stateDir;
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
}

View file

@ -0,0 +1,85 @@
{ config, lib, tools, ... }:
let
inherit (tools.meta) domain adminEmail;
mkSecret = name: {
owner = "gitlab";
group = "gitlab";
mode = "0400";
file = ../../../../secrets/${name}.age;
};
secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
cfg = config.services.gitlab;
in
{
age.secrets = lib.flip lib.genAttrs mkSecret [
"gitlab-initial-root-password"
"gitlab-openid-secret"
"gitlab-secret-db"
"gitlab-secret-jws"
"gitlab-secret-otp"
"gitlab-secret-secret"
];
services.gitlab = {
enable = true;
https = true;
host = "git.${domain}";
port = 443;
initialRootEmail = adminEmail;
statePath = "/srv/storage/private/gitlab/state";
smtp = {
enable = true;
inherit domain;
};
initialRootPasswordFile = secrets.gitlab-initial-root-password;
secrets = with secrets; {
dbFile = gitlab-secret-db;
jwsFile = gitlab-secret-jws;
otpFile = gitlab-secret-otp;
secretFile = gitlab-secret-secret;
};
extraConfig = {
omniauth = {
enabled = true;
auto_sign_in_with_provider = "openid_connect";
allow_single_sign_on = ["openid_connect"];
block_auto_created_users = false;
providers = [
{
name = "openid_connect";
label = "Private Void Account";
args = {
name = "openid_connect";
scope = ["openid" "profile"];
response_type = "code";
issuer = "https://login.${domain}/auth/realms/master";
discovery = true;
client_auth_method = "query";
uid_field = "preferred_username";
client_options = {
identifier = "net.privatevoid.git2";
secret = { _secret = secrets.gitlab-openid-secret; };
redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
};
};
}
];
};
};
};
services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
}

View file

@ -22,7 +22,7 @@
./services/cdn-shield ./services/cdn-shield
./services/dns ./services/dns
./services/fbi ./services/fbi
./services/git ./services/gitlab
./services/hydra ./services/hydra
./services/hyprspace ./services/hyprspace
./services/ipfs ./services/ipfs

View file

@ -1,14 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A PM8oVK72FJjSPefR1JV7e9Sti+QMPmNyOWNyjjn1Eyo
jjc6tg7dnwAajhCTO/IH+8sszSP/WbCipuROvwD0Hxk
-> ssh-ed25519 5/zT0w cvASi9DkdxdKXSnxWi/mwjlYVz9PtnQqnNFwHr22TR4
jASmnJsbTIItkRJzgIWmPPAqMziWREjzUpk6WEQG56g
-> ssh-ed25519 eDiawA R586/78N4EYagb8c5Ff9wqtOE4QYtU/vKVhOCSn+2RY
ekys4sz2TxUtGH2rSGgXVnHvg4G6maPkYvJd1CiLJ2E
-> ssh-ed25519 d3WGuA jj4c320WQiJ/N80fEeLe0GHD1lSnOT8hGLhsL+T8XCg
Mt2cS6+I9vKtczzb+3mWm0MquWigMJIWJaSvh+jhOjA
-> Vsn^{"-grease \<`i)T UL]B
pz4ZxTRE5ugg7JkLSTfkmfi4TFfOP+H1pny8rAbThQGXSIX9SxEpFVwhcYqqMkEg
LH5NvQztS+cZYQ0Sr7q666h4H7OKBRFbTmHMWxNdIecP43On
--- nknCOv9z0f8V+PrNTAEGdrxhLeY1nlfuDINbbgPr1Wo
­0~óØNÜa·[g³s\•Çâ!õœ*£ŠÕ0árò¥¸/²ñ^Á`c­õ¦€… 3g>oñ¿…É<>íškçv“ §­mS

View file

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4
ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE
-> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk
w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ
-> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s
fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8
-> AOy-grease dju$ xL|5Hh q(A
h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE
Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0
--- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ
øÜ™j‡râ|ˆ>˜º<CB9C>QÌ7¬p²¾ïÐdð¤hëÝÏ Î3œü»€¤ÃÐÿ57´âð˜{ïžZ9á´é éÖ$DU$—0YÙ º3ÐBMÍã‰ü@oáªU¶_ßÁ¡dÅDݶ<C39D>5jq/¿‰…j`6<36>Z‡îi—åAÄÞ&Q¯”œ¬¢Ê¡*Õ•:R%+ ôò<C3B4>É¡ù£Ì

View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0
ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s
-> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk
pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU
-> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q
4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0
-> hD-grease q%QV%; &/
jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw
--- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4
AWeûۨ˯e¤ c[ ÖÌ 3mÁíyÍΈÐñè6½ g{7rd€_Ê7ØWPö©':ð¢uË ùá¨N

Binary file not shown.

Binary file not shown.

View file

@ -0,0 +1,14 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0
J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4
-> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk
yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE
-> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk
7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI
-> Q-grease KJL\,Pw& c!aOPX
C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE
xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg
--- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo
@#
Q)F:ÀŽ¤¶GÍû # 󺡤«L…Ê-k{Tëd+˜´8žà܃üäá/è¹-Žaæ…Ë\O*—°!^Réãy÷@Z/o™~I€
œ[ô°¼POÂ'vüše^ø,…?¢»Òo¼¸]1WƒËFòJëÄ™Ññ¨ôBý&y¼ yŸìVv_<E28098> %ûÇ<C3BB>«'

Binary file not shown.

View file

@ -7,7 +7,12 @@ in with hosts;
"acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"ghost-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "ghost-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];