VEGAS: switch to GitLab
This commit is contained in:
parent
2162bf9991
commit
0961b893eb
11 changed files with 129 additions and 76 deletions
|
@ -1,60 +0,0 @@
|
||||||
{ config, lib, tools, ... }:
|
|
||||||
with tools.nginx;
|
|
||||||
let
|
|
||||||
inherit (tools.meta) domain;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
reservePortsFor = [ "gitea" ];
|
|
||||||
|
|
||||||
age.secrets = {
|
|
||||||
giteaDBPassword = {
|
|
||||||
file = ../../../../secrets/gitea-db-credentials.age;
|
|
||||||
owner = "git";
|
|
||||||
group = "gitea";
|
|
||||||
mode = "0400";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts = mappers.mapSubdomains {
|
|
||||||
git = vhosts.proxy "http://127.0.0.1:${config.portsStr.gitea}";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.gitea = {
|
|
||||||
enable = true;
|
|
||||||
appName = "Private Void Gitea";
|
|
||||||
httpPort = config.ports.gitea;
|
|
||||||
domain = "git";
|
|
||||||
rootUrl = "https://git.${domain}";
|
|
||||||
disableRegistration = true;
|
|
||||||
# TODO: re-enable securely
|
|
||||||
ssh.enable = false;
|
|
||||||
user = "git";
|
|
||||||
log.level = "Warn";
|
|
||||||
|
|
||||||
database = {
|
|
||||||
createDatabase = false;
|
|
||||||
type = "postgres";
|
|
||||||
host = "127.0.0.1";
|
|
||||||
port = 5432;
|
|
||||||
name = "gitea";
|
|
||||||
user = "gitea";
|
|
||||||
passwordFile = config.age.secrets.giteaDBPassword.path;
|
|
||||||
};
|
|
||||||
|
|
||||||
# TODO: integrate branding content (css, images) into system closure
|
|
||||||
settings.ui = {
|
|
||||||
DEFAULT_THEME = "void";
|
|
||||||
THEMES = "void";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.gitea.after = [ "keycloak.service" ];
|
|
||||||
|
|
||||||
users.users.git = {
|
|
||||||
description = "Git Service";
|
|
||||||
home = config.services.gitea.stateDir;
|
|
||||||
useDefaultShell = true;
|
|
||||||
group = "gitea";
|
|
||||||
isSystemUser = true;
|
|
||||||
};
|
|
||||||
}
|
|
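--- /dev/null
+++ b/hosts/VEGAS/services/gitlab/default.nix
@@ -0,0 +1,85 @@
+{ config, lib, tools, ... }:
+
+let
+inherit (tools.meta) domain adminEmail;
+
+mkSecret = name: {
+owner = "gitlab";
+group = "gitlab";
+mode = "0400";
+file = ../../../../secrets/${name}.age;
+};
+
+secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
+
+cfg = config.services.gitlab;
+in
+
+{
+age.secrets = lib.flip lib.genAttrs mkSecret [
+"gitlab-initial-root-password"
+"gitlab-openid-secret"
+"gitlab-secret-db"
+"gitlab-secret-jws"
+"gitlab-secret-otp"
+"gitlab-secret-secret"
+];
+
+services.gitlab = {
+enable = true;
+https = true;
+host = "git.${domain}";
+port = 443;
+
+initialRootEmail = adminEmail;
+
+statePath = "/srv/storage/private/gitlab/state";
+
+smtp = {
+enable = true;
+inherit domain;
+};
+
+initialRootPasswordFile = secrets.gitlab-initial-root-password;
+
+secrets = with secrets; {
+dbFile = gitlab-secret-db;
+jwsFile = gitlab-secret-jws;
+otpFile = gitlab-secret-otp;
+secretFile = gitlab-secret-secret;
+};
+
+extraConfig = {
+omniauth = {
+enabled = true;
+auto_sign_in_with_provider = "openid_connect";
+allow_single_sign_on = ["openid_connect"];
+block_auto_created_users = false;
+providers = [
+
+{
+name = "openid_connect";
+label = "Private Void Account";
+args = {
+name = "openid_connect";
+scope = ["openid" "profile"];
+response_type = "code";
+issuer = "https://login.${domain}/auth/realms/master";
+discovery = true;
+client_auth_method = "query";
+uid_field = "preferred_username";
+client_options = {
+identifier = "net.privatevoid.git2";
+secret = { _secret = secrets.gitlab-openid-secret; };
+redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
+};
+};
+}
+
+];
+};
+};
+};
+
+services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
+}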
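Review bot: `uid_field = "preferred_username";` in the openid_connect provider args keys the GitLab identity (extern_uid) on the Keycloak username rather than the default `sub` claim; usernames are mutable in Keycloak, so a renamed or re-created account that reuses a username would inherit the existing GitLab user, and with `block_auto_created_users = false;` any account in that realm also gets an active GitLab user on first login with no admin approval. Unless preferred_username is guaranteed stable and unique in that realm, drop the `uid_field` line (falling back to `sub`) and consider `block_auto_created_users = true;` — the removed Gitea module had `disableRegistration = true`, so this is a looser onboarding policy than before and deserves a comment if intended. The issuer also points at `/auth/realms/master`, Keycloak's administrative realm; if that is deliberate, a note such as `# NOTE: master is Keycloak's admin realm; user-facing clients normally live in a dedicated realm` would stop the next maintainer from treating it as an oversight. Separately, `scope` omits `email`, so auto-created users only get an address if the provider adds the claim without that scope — worth confirming against the Keycloak client mappers.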
|
@ -22,7 +22,7 @@
|
||||||
./services/cdn-shield
|
./services/cdn-shield
|
||||||
./services/dns
|
./services/dns
|
||||||
./services/fbi
|
./services/fbi
|
||||||
./services/git
|
./services/gitlab
|
||||||
./services/hydra
|
./services/hydra
|
||||||
./services/hyprspace
|
./services/hyprspace
|
||||||
./services/ipfs
|
./services/ipfs
|
||||||
|
|
|
@ -1,14 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 NO562A PM8oVK72FJjSPefR1JV7e9Sti+QMPmNyOWNyjjn1Eyo
|
|
||||||
jjc6tg7dnwAajhCTO/IH+8sszSP/WbCipuROvwD0Hxk
|
|
||||||
-> ssh-ed25519 5/zT0w cvASi9DkdxdKXSnxWi/mwjlYVz9PtnQqnNFwHr22TR4
|
|
||||||
jASmnJsbTIItkRJzgIWmPPAqMziWREjzUpk6WEQG56g
|
|
||||||
-> ssh-ed25519 eDiawA R586/78N4EYagb8c5Ff9wqtOE4QYtU/vKVhOCSn+2RY
|
|
||||||
ekys4sz2TxUtGH2rSGgXVnHvg4G6maPkYvJd1CiLJ2E
|
|
||||||
-> ssh-ed25519 d3WGuA jj4c320WQiJ/N80fEeLe0GHD1lSnOT8hGLhsL+T8XCg
|
|
||||||
Mt2cS6+I9vKtczzb+3mWm0MquWigMJIWJaSvh+jhOjA
|
|
||||||
-> Vsn^{"-grease \<`i)T UL]B
|
|
||||||
pz4ZxTRE5ugg7JkLSTfkmfi4TFfOP+H1pny8rAbThQGXSIX9SxEpFVwhcYqqMkEg
|
|
||||||
LH5NvQztS+cZYQ0Sr7q666h4H7OKBRFbTmHMWxNdIecP43On
|
|
||||||
--- nknCOv9z0f8V+PrNTAEGdrxhLeY1nlfuDINbbgPr1Wo
|
|
||||||
0~óØNÜa·[g³s\•Çâ!õœ*£ŠÕ0árò¥¸/²ñ^Á`cõ¦€… 3g>oñ¿…É<>íškçv“ §mS
|
|
12
secrets/gitlab-initial-root-password.age
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4
|
||||||
|
ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE
|
||||||
|
-> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk
|
||||||
|
w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ
|
||||||
|
-> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s
|
||||||
|
fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8
|
||||||
|
-> AOy-grease dju$ xL|5Hh q(A
|
||||||
|
h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE
|
||||||
|
Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0
|
||||||
|
--- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ
|
||||||
|
øÜ™‹j‡>ü‘râ|ˆ>˜º<CB9C>–QÌ7¬p²¾ïÐdð¤hëÝÏ Î3œü»€¤ÃÐÿ57´âð˜{ïžZ9áLš´ééÖ$DU$—0YÙ º3ÐBMÍã‰ü@oáªU¶_ßÁ¡dÅDݶ<C39D>5jq/¿‰…j’`›6›<36>Z‡îi—åAÄÞ&Q¯”œ¬¢Ê¡*Õ•:R%+ ôò<C3B4>É¡ù£Ì
|
11
secrets/gitlab-openid-secret.age
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0
|
||||||
|
ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s
|
||||||
|
-> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk
|
||||||
|
pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU
|
||||||
|
-> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q
|
||||||
|
4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0
|
||||||
|
-> hD-grease q%QV%; &/
|
||||||
|
jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw
|
||||||
|
--- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4
|
||||||
|
AWeûۨ˯e¤ c[ ÖÌ3mÁíyÍΈÐñè6½
g{7›rd€_Ê7ØWPö©':ð¢uË›ùá¨N
|
BIN
secrets/gitlab-secret-db.age
Normal file
Binary file not shown.
BIN
secrets/gitlab-secret-jws.age
Normal file
Binary file not shown.
14
secrets/gitlab-secret-otp.age
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0
|
||||||
|
J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4
|
||||||
|
-> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk
|
||||||
|
yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE
|
||||||
|
-> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk
|
||||||
|
7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI
|
||||||
|
-> Q-grease KJL\,Pw& c!aOPX
|
||||||
|
C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE
|
||||||
|
xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg
|
||||||
|
--- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo
|
||||||
|
@#
|
||||||
|
Q)F:ÀŽ¤¶GÍû #ógÒº¡¤«L…Ê-k{Tëd+˜´8žà܃üäá/è¹-Žaæ…Ë\O*—°!^Réãy÷›@Z/o™~I€
|
||||||
|
œ[ô°¼PO’Â'vüše^ø,…?¢»Òo¼¸MÆ]1WƒËFò‹JëÄ™Ññ¨ôBý&y¼
yŸìVv‘_<E28098> %‹ûÇ<C3BB>«'
|
BIN
secrets/gitlab-secret-secret.age
Normal file
Binary file not shown.
|
@ -7,7 +7,12 @@ in with hosts;
|
||||||
"acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"ghost-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"ghost-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
"gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
"gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
"gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
"gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
"gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
|