privatevoid.net/depot
1
1
Fork 0
Code Issues 23 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

Compare commits

base: privatevoid.net:master
Branches Tags
privatevoid.net:master
privatevoid.net:pr-simulacrum-performance
privatevoid.net:pr-drop-gitlab
privatevoid.net:pr-s3ql-5.2.2-fix
privatevoid.net:staging
privatevoid.net:pr-hyprspace-libp2p-0.37-test
privatevoid.net:pr-consul-acl
privatevoid.net:pr-hci-no-ifd
privatevoid.net:pr-frangiclave
privatevoid.net:attic-ha
privatevoid.net:pg-auto-migrations
privatevoid.net:pkg-ircbot
privatevoid.net:d2n-bug-symlink-bin
..
compare: privatevoid.net:staging
Branches Tags
privatevoid.net:pr-simulacrum-performance
privatevoid.net:master
privatevoid.net:pr-drop-gitlab
privatevoid.net:pr-s3ql-5.2.2-fix
privatevoid.net:staging
privatevoid.net:pr-hyprspace-libp2p-0.37-test
privatevoid.net:pr-consul-acl
privatevoid.net:pr-hci-no-ifd
privatevoid.net:pr-frangiclave
privatevoid.net:attic-ha
privatevoid.net:pg-auto-migrations
privatevoid.net:pkg-ircbot
privatevoid.net:d2n-bug-symlink-bin

No commits in common. "master" and "staging" have entirely different histories.
master ... staging

12 changed files with 215 additions and 52 deletions
Show stats Expand all files Collapse all files

10
cluster/services/gitlab/default.nix Normal file
View file

@ -0,0 +1,10 @@
{ depot, ... }:
{
services.gitlab = {
nodes.host = [ "VEGAS" ];
nixos.host = ./host.nix;
};
dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}

94
cluster/services/gitlab/host.nix Normal file
View file

@ -0,0 +1,94 @@
{ cluster, config, lib, depot, ... }:
let
inherit (depot.lib.meta) domain adminEmail;
patroni = cluster.config.links.patroni-pg-access;
mkSecret = name: {
owner = "gitlab";
group = "gitlab";
mode = "0400";
file = ../../../secrets/${name}.age;
};
secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
cfg = config.services.gitlab;
in
{
age.secrets = lib.flip lib.genAttrs mkSecret [
"gitlab-db-credentials"
"gitlab-initial-root-password"
"gitlab-openid-secret"
"gitlab-secret-db"
"gitlab-secret-jws"
"gitlab-secret-otp"
"gitlab-secret-secret"
];
services.gitlab = {
enable = true;
https = true;
host = "git.${domain}";
port = 443;
databaseCreateLocally = false;
databaseHost = patroni.ipv4;
extraDatabaseConfig = { inherit (patroni) port; };
databaseUsername = "gitlab";
databasePasswordFile = secrets.gitlab-db-credentials;
initialRootEmail = adminEmail;
statePath = "/srv/storage/private/gitlab/state";
smtp = {
enable = true;
inherit domain;
};
initialRootPasswordFile = secrets.gitlab-initial-root-password;
secrets = with secrets; {
dbFile = gitlab-secret-db;
jwsFile = gitlab-secret-jws;
otpFile = gitlab-secret-otp;
secretFile = gitlab-secret-secret;
};
extraConfig = {
omniauth = {
enabled = true;
auto_sign_in_with_provider = "openid_connect";
allow_single_sign_on = ["openid_connect"];
block_auto_created_users = false;
providers = [
{
name = "openid_connect";
label = "Private Void Account";
args = {
name = "openid_connect";
scope = ["openid" "profile"];
response_type = "code";
issuer = "https://login.${domain}/auth/realms/master";
discovery = true;
client_auth_method = "query";
uid_field = "preferred_username";
client_options = {
identifier = "net.privatevoid.git2";
secret = { _secret = secrets.gitlab-openid-secret; };
redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
};
};
}
];
};
};
};
services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
}

116
flake.lock
View file

@ -173,11 +173,11 @@
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
@ -235,11 +235,11 @@
]
},
"locked": {
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"lastModified": 1712014858,
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
"type": "github"
},
"original": {
@ -248,34 +248,18 @@
"type": "github"
}
},
"git-hooks-nix": {
"inputs": {
"flake-compat": [
"nix-super"
],
"gitignore": [
"nix-super"
],
"nixpkgs": [
"nix-super",
"nixpkgs"
],
"nixpkgs-stable": [
"nix-super",
"nixpkgs"
]
},
"flake-utils": {
"locked": {
"lastModified": 1721042469,
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
@ -385,16 +369,15 @@
"libgit2": {
"flake": false,
"locked": {
"lastModified": 1715853528,
"narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
"lastModified": 1697646580,
"narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
"owner": "libgit2",
"repo": "libgit2",
"rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
"rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
"type": "github"
},
"original": {
"owner": "libgit2",
"ref": "v1.8.1",
"repo": "libgit2",
"type": "github"
}
@ -489,26 +472,27 @@
"inputs": {
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_3",
"git-hooks-nix": "git-hooks-nix",
"libgit2": "libgit2",
"nixpkgs": "nixpkgs_3",
"nixpkgs-23-11": [
"blank"
],
"nixpkgs-regression": [
"blank"
]
],
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1731271232,
"narHash": "sha256-HSNUAfhtG/A2hnrzPMT3asZZ2Wb3dAmedOr1VzptOCg=",
"rev": "1eb19dd804a83d99c497118af8ab781eee569c65",
"type": "tarball",
"url": "https://forge.privatevoid.net/api/v1/repos/max/nix-super/archive/1eb19dd804a83d99c497118af8ab781eee569c65.tar.gz"
"host": "git.privatevoid.net",
"lastModified": 1713821351,
"narHash": "sha256-JctHGT1oa4pet4PgUKRM7pf0w+qGe0a/ahVij8bee3o=",
"owner": "max",
"repo": "nix-super",
"rev": "5ecd820c18b1aaa3c8ee257a7a9a2624c4107031",
"type": "gitlab"
},
"original": {
"type": "tarball",
"url": "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz"
"host": "git.privatevoid.net",
"owner": "max",
"repo": "nix-super",
"type": "gitlab"
}
},
"nixpkgs": {
@ -545,16 +529,16 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1723688146,
"narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
"lastModified": 1709083642,
"narHash": "sha256-7kkJQd4rZ+vFrzWu8sTRtta5D1kBG0LSRYAfhtmMlSo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
"rev": "b550fe4b4776908ac2a861124307045f8e717c8e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
@ -575,6 +559,38 @@
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": [
"nix-super"
],
"flake-utils": "flake-utils",
"gitignore": [
"nix-super"
],
"nixpkgs": [
"nix-super",
"nixpkgs"
],
"nixpkgs-stable": [
"nix-super",
"nixpkgs"
]
},
"locked": {
"lastModified": 1712897695,
"narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"repin-flake-utils": {
"inputs": {
"systems": [

3
flake.nix
View file

@ -30,10 +30,9 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nix-super = {
url = "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz";
url = "gitlab:max/nix-super?host=git.privatevoid.net";
inputs = {
nixpkgs-regression.follows = "blank";
nixpkgs-23-11.follows = "blank";
};
};

7
secrets.nix
View file

@ -16,6 +16,13 @@ in with hosts;
"cluster/services/storage/secrets/garage-rpc-secret.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
"cluster/services/storage/secrets/storage-box-credentials.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
"secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
"secrets/hyprspace-key-grail.age".publicKeys = max ++ map systemKeys [ grail ];
"secrets/hyprspace-key-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];

BIN
secrets/gitlab-db-credentials.age Normal file
View file

Binary file not shown.

12
secrets/gitlab-initial-root-password.age Normal file
View file

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4
ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE
-> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk
w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ
-> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s
fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8
-> AOy-grease dju$ xL|5Hh q(A
h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE
Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0
--- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ
øÜ™j‡râ|ˆ>˜º<CB9C>QÌ7¬p²¾ïÐdð¤hëÝÏ Î3œü»€¤ÃÐÿ57´âð˜{ïžZ9á´é éÖ$DU$—0YÙ º3ÐBMÍã‰ü@oáªU¶_ßÁ¡dÅDݶ<C39D>5jq/¿‰…j`6<36>Z‡îi—åAÄÞ&Q¯”œ¬¢Ê¡*Õ•:R%+ ôò<C3B4>É¡ù£Ì

11
secrets/gitlab-openid-secret.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0
ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s
-> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk
pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU
-> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q
4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0
-> hD-grease q%QV%; &/
jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw
--- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4
AWeûۨ˯e¤ c[ ÖÌ 3mÁíyÍΈÐñè6½ g{7rd€_Ê7ØWPö©':ð¢uË ùá¨N

BIN
secrets/gitlab-secret-db.age Normal file
View file

Binary file not shown.

BIN
secrets/gitlab-secret-jws.age Normal file
View file

Binary file not shown.

14
secrets/gitlab-secret-otp.age Normal file
View file

@ -0,0 +1,14 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0
J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4
-> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk
yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE
-> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk
7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI
-> Q-grease KJL\,Pw& c!aOPX
C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE
xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg
--- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo
@#
Q)F:ÀŽ¤¶GÍû # 󺡤«L…Ê-k{Tëd+˜´8žà܃üäá/è¹-Žaæ…Ë\O*—°!^Réãy÷@Z/o™~I€
œ[ô°¼POÂ'vüše^ø,…?¢»Òo¼¸]1WƒËFòJëÄ™Ññ¨ôBý&y¼ yŸìVv_<E28098> %ûÇ<C3BB>«'

BIN
secrets/gitlab-secret-secret.age Normal file
View file

Binary file not shown.