VEGAS: switch to GitLab

hosts/VEGAS/services/git/default.nix

@@ -1,60 +0,0 @@
-{ config, lib, tools, ... }:
-with tools.nginx;
-let
-  inherit (tools.meta) domain;
-in
-{
-  reservePortsFor = [ "gitea" ];
-
-  age.secrets = {
-    giteaDBPassword = {
-      file = ../../../../secrets/gitea-db-credentials.age;
-      owner = "git";
-      group = "gitea";
-      mode = "0400";
-    };
-  };
-
-  services.nginx.virtualHosts = mappers.mapSubdomains {
-    git = vhosts.proxy "http://127.0.0.1:${config.portsStr.gitea}";
-  };
-
-  services.gitea = {
-    enable = true;
-    appName = "Private Void Gitea";
-    httpPort = config.ports.gitea;
-    domain = "git";
-    rootUrl = "https://git.${domain}";
-    disableRegistration = true;
-    # TODO: re-enable securely
-    ssh.enable = false;
-    user = "git";
-    log.level = "Warn";
-    
-    database = {
-      createDatabase = false;
-      type = "postgres";
-      host = "127.0.0.1";
-      port = 5432;
-      name = "gitea";
-      user = "gitea";
-      passwordFile = config.age.secrets.giteaDBPassword.path;
-    };
-
-    # TODO: integrate branding content (css, images) into system closure
-    settings.ui = { 
-      DEFAULT_THEME = "void";
-      THEMES = "void";
-    };
-  };
-
-  systemd.services.gitea.after = [ "keycloak.service" ];
-
-  users.users.git = {
-    description = "Git Service";
-    home = config.services.gitea.stateDir;
-    useDefaultShell = true;
-    group = "gitea";
-    isSystemUser = true;
-  };
-}

hosts/VEGAS/services/gitlab/default.nix

@@ -0,0 +1,85 @@
+{ config, lib, tools, ... }:
+
+let
+  inherit (tools.meta) domain adminEmail;
+
+  mkSecret = name: {
+    owner = "gitlab";
+    group = "gitlab";
+    mode = "0400";
+    file = ../../../../secrets/${name}.age;
+  };
+
+  secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
+
+  cfg = config.services.gitlab;
+in
+
+{
+  age.secrets = lib.flip lib.genAttrs mkSecret [
+    "gitlab-initial-root-password"
+    "gitlab-openid-secret"
+    "gitlab-secret-db"
+    "gitlab-secret-jws"
+    "gitlab-secret-otp"
+    "gitlab-secret-secret"
+  ];
+
+  services.gitlab = {
+    enable = true;
+    https = true;
+    host = "git.${domain}";
+    port = 443;
+
+    initialRootEmail = adminEmail;
+
+    statePath = "/srv/storage/private/gitlab/state";
+
+    smtp = {
+      enable = true;
+      inherit domain;
+    };
+
+    initialRootPasswordFile = secrets.gitlab-initial-root-password;
+
+    secrets = with secrets; {
+      dbFile = gitlab-secret-db;
+      jwsFile = gitlab-secret-jws;
+      otpFile = gitlab-secret-otp;
+      secretFile = gitlab-secret-secret;
+    };
+
+    extraConfig = {
+      omniauth = {
+        enabled = true;
+        auto_sign_in_with_provider = "openid_connect";
+        allow_single_sign_on = ["openid_connect"];
+        block_auto_created_users = false;
+        providers = [
+
+          {
+            name = "openid_connect";
+            label = "Private Void Account";
+            args = {
+              name = "openid_connect";
+              scope = ["openid" "profile"];
+              response_type = "code";
+              issuer = "https://login.${domain}/auth/realms/master";
+              discovery = true;
+              client_auth_method = "query";
+              uid_field = "preferred_username";
+              client_options = {
+                identifier = "net.privatevoid.git2";
+                secret = { _secret = secrets.gitlab-openid-secret; };
+                redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
+              };
+            };
+          }
+          
+        ];
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
+}

hosts/VEGAS/system.nix

@@ -22,7 +22,7 @@
       ./services/cdn-shield
       ./services/dns
       ./services/fbi
-      ./services/git
+      ./services/gitlab
       ./services/hydra
       ./services/hyprspace
       ./services/ipfs

secrets/gitea-db-credentials.age

@@ -1,14 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 NO562A PM8oVK72FJjSPefR1JV7e9Sti+QMPmNyOWNyjjn1Eyo
-jjc6tg7dnwAajhCTO/IH+8sszSP/WbCipuROvwD0Hxk
--> ssh-ed25519 5/zT0w cvASi9DkdxdKXSnxWi/mwjlYVz9PtnQqnNFwHr22TR4
-jASmnJsbTIItkRJzgIWmPPAqMziWREjzUpk6WEQG56g
--> ssh-ed25519 eDiawA R586/78N4EYagb8c5Ff9wqtOE4QYtU/vKVhOCSn+2RY
-ekys4sz2TxUtGH2rSGgXVnHvg4G6maPkYvJd1CiLJ2E
--> ssh-ed25519 d3WGuA jj4c320WQiJ/N80fEeLe0GHD1lSnOT8hGLhsL+T8XCg
-Mt2cS6+I9vKtczzb+3mWm0MquWigMJIWJaSvh+jhOjA
--> Vsn^{"-grease \<`i)T UL]B
-pz4ZxTRE5ugg7JkLSTfkmfi4TFfOP+H1pny8rAbThQGXSIX9SxEpFVwhcYqqMkEg
-LH5NvQztS+cZYQ0Sr7q666h4H7OKBRFbTmHMWxNdIecP43On
---- nknCOv9z0f8V+PrNTAEGdrxhLeY1nlfuDINbbgPr1Wo
-­0~óØNÜa·[g³s\•Çâ!õœ*£ŠÕ0árò¥¸/²ñ^Á`c­õ¦€… 3g>oñ¿…É<>íškçv“	§­mS

secrets/gitlab-initial-root-password.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4
+ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE
+-> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk
+w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ
+-> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s
+fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8
+-> AOy-grease dju$ xL|5Hh q(A
+h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE
+Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0
+--- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ
+øÜ™‹j‡>ü‘râ|ˆ>˜º<CB9C>–QÌ7¬p²¾ïÐdð¤hëÝÏ Î3œü»€¤ÃÐÿ57´âð˜{ïžZ9áLš´ééÖ$DU$—0YÙ º3ÐBMÍã‰ü@oáªU¶_ßÁ¡dÅDݶ<C39D>5jq/¿‰…j’`›6›<36>Z‡îi—åAÄÞ&Q¯”œ¬¢Ê¡*Õ•:R%+ ôò<C3B4>É¡ù£Ì

secrets/gitlab-openid-secret.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0
+ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s
+-> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk
+pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU
+-> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q
+4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0
+-> hD-grease q%QV%; &/
+jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw
+--- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4
+AWeûÛ
¨Ë¯e¤	c[ ÖÌ3mÁíyÍΈÐñè6½
g{7›rd€_Ê7ØWPö©':ð¢uË›ùá¨N

secrets/gitlab-secret-otp.age

@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0
+J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4
+-> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk
+yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE
+-> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk
+7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI
+-> Q-grease KJL\,Pw& c!aOPX
+C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE
+xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg
+--- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo
+@# 
+Q)F:ÀŽ¤¶GÍû	#ógÒº¡¤«L…Ê-k{Tëd+˜´8žà܃üäá/è¹-Žaæ…Ë\O*—°!^Réãy÷›@Z/o™~I€
+œ[ô°¼PO’Â'vüše^ø,…?¢»Òo¼¸MÆ
]1
W
ƒËFò‹JëÄ™Ññ¨ôBý&y¼
yŸìVv‘_<E28098> %‹ûÇ<C3BB>«'

secrets/secrets.nix

@@ -7,7 +7,12 @@ in with hosts;
   "acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "ghost-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];