Compare commits
No commits in common. "master" and "staging" have entirely different histories.
12 changed files with 215 additions and 52 deletions
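--- /dev/null
+++ b/cluster/services/gitlab/default.nix
@@ -0,0 +1,10 @@
+{ depot, ... }:
+
+{
+services.gitlab = {
+nodes.host = [ "VEGAS" ];
+nixos.host = ./host.nix;
+};
+
+dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
+}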
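--- /dev/null
+++ b/cluster/services/gitlab/host.nix
@@ -0,0 +1,94 @@
+{ cluster, config, lib, depot, ... }:
+
+let
+inherit (depot.lib.meta) domain adminEmail;
+
+patroni = cluster.config.links.patroni-pg-access;
+
+mkSecret = name: {
+owner = "gitlab";
+group = "gitlab";
+mode = "0400";
+file = ../../../secrets/${name}.age;
+};
+
+secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
+
+cfg = config.services.gitlab;
+in
+
+{
+age.secrets = lib.flip lib.genAttrs mkSecret [
+"gitlab-db-credentials"
+"gitlab-initial-root-password"
+"gitlab-openid-secret"
+"gitlab-secret-db"
+"gitlab-secret-jws"
+"gitlab-secret-otp"
+"gitlab-secret-secret"
+];
+
+services.gitlab = {
+enable = true;
+https = true;
+host = "git.${domain}";
+port = 443;
+
+databaseCreateLocally = false;
+databaseHost = patroni.ipv4;
+extraDatabaseConfig = { inherit (patroni) port; };
+databaseUsername = "gitlab";
+databasePasswordFile = secrets.gitlab-db-credentials;
+
+initialRootEmail = adminEmail;
+
+statePath = "/srv/storage/private/gitlab/state";
+
+smtp = {
+enable = true;
+inherit domain;
+};
+
+initialRootPasswordFile = secrets.gitlab-initial-root-password;
+
+secrets = with secrets; {
+dbFile = gitlab-secret-db;
+jwsFile = gitlab-secret-jws;
+otpFile = gitlab-secret-otp;
+secretFile = gitlab-secret-secret;
+};
+
+extraConfig = {
+omniauth = {
+enabled = true;
+auto_sign_in_with_provider = "openid_connect";
+allow_single_sign_on = ["openid_connect"];
+block_auto_created_users = false;
+providers = [
+
+{
+name = "openid_connect";
+label = "Private Void Account";
+args = {
+name = "openid_connect";
+scope = ["openid" "profile"];
+response_type = "code";
+issuer = "https://login.${domain}/auth/realms/master";
+discovery = true;
+client_auth_method = "query";
+uid_field = "preferred_username";
+client_options = {
+identifier = "net.privatevoid.git2";
+secret = { _secret = secrets.gitlab-openid-secret; };
+redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
+};
+};
+}
+
+];
+};
+};
+};
+
+services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
+}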
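Review bot: `uid_field = "preferred_username";` in the openid_connect provider args keys GitLab identities to a mutable claim, so a username that is renamed or reassigned in the realm named by `issuer` re-maps the linked GitLab account to whoever now holds that name; the OIDC `sub` claim (the provider's default when `uid_field` is unset) is the stable subject identifier, so `uid_field = "sub";` is the safer choice, unless identities are already linked on a running instance, in which case changing it would orphan them and the current value should stay with a comment explaining why. In the same omniauth block, `block_auto_created_users = false` combined with `allow_single_sign_on = ["openid_connect"]` means every identity the realm issues becomes an active GitLab user with no admin approval step; the issuer path `/auth/realms/master` looks like a Keycloak master (administrative) realm, so this is only acceptable if account creation there is tightly controlled, and a comment such as `# auto-created users are not blocked: membership of the IdP realm is the access control` would record that assumption. The `scope` list omits `email`; if GitLab cannot obtain an address for auto-created users from `profile` alone, account creation may fail, which is worth confirming against the IdP's claims.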
116
flake.lock
116
flake.lock
|
@ -173,11 +173,11 @@
|
|||
"flake-compat_2": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"lastModified": 1673956053,
|
||||
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -235,11 +235,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719994518,
|
||||
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
|
||||
"lastModified": 1712014858,
|
||||
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
|
||||
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -248,34 +248,18 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"git-hooks-nix": {
|
||||
"inputs": {
|
||||
"flake-compat": [
|
||||
"nix-super"
|
||||
],
|
||||
"gitignore": [
|
||||
"nix-super"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nix-super",
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": [
|
||||
"nix-super",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1721042469,
|
||||
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
|
||||
"lastModified": 1667395993,
|
||||
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
|
@ -385,16 +369,15 @@
|
|||
"libgit2": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1715853528,
|
||||
"narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
|
||||
"lastModified": 1697646580,
|
||||
"narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
|
||||
"owner": "libgit2",
|
||||
"repo": "libgit2",
|
||||
"rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
|
||||
"rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "libgit2",
|
||||
"ref": "v1.8.1",
|
||||
"repo": "libgit2",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -489,26 +472,27 @@
|
|||
"inputs": {
|
||||
"flake-compat": "flake-compat_2",
|
||||
"flake-parts": "flake-parts_3",
|
||||
"git-hooks-nix": "git-hooks-nix",
|
||||
"libgit2": "libgit2",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs-23-11": [
|
||||
"blank"
|
||||
],
|
||||
"nixpkgs-regression": [
|
||||
"blank"
|
||||
]
|
||||
],
|
||||
"pre-commit-hooks": "pre-commit-hooks"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1731271232,
|
||||
"narHash": "sha256-HSNUAfhtG/A2hnrzPMT3asZZ2Wb3dAmedOr1VzptOCg=",
|
||||
"rev": "1eb19dd804a83d99c497118af8ab781eee569c65",
|
||||
"type": "tarball",
|
||||
"url": "https://forge.privatevoid.net/api/v1/repos/max/nix-super/archive/1eb19dd804a83d99c497118af8ab781eee569c65.tar.gz"
|
||||
"host": "git.privatevoid.net",
|
||||
"lastModified": 1713821351,
|
||||
"narHash": "sha256-JctHGT1oa4pet4PgUKRM7pf0w+qGe0a/ahVij8bee3o=",
|
||||
"owner": "max",
|
||||
"repo": "nix-super",
|
||||
"rev": "5ecd820c18b1aaa3c8ee257a7a9a2624c4107031",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz"
|
||||
"host": "git.privatevoid.net",
|
||||
"owner": "max",
|
||||
"repo": "nix-super",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
|
@ -545,16 +529,16 @@
|
|||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1723688146,
|
||||
"narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
|
||||
"lastModified": 1709083642,
|
||||
"narHash": "sha256-7kkJQd4rZ+vFrzWu8sTRtta5D1kBG0LSRYAfhtmMlSo=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
|
||||
"rev": "b550fe4b4776908ac2a861124307045f8e717c8e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-24.05",
|
||||
"ref": "release-23.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -575,6 +559,38 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"pre-commit-hooks": {
|
||||
"inputs": {
|
||||
"flake-compat": [
|
||||
"nix-super"
|
||||
],
|
||||
"flake-utils": "flake-utils",
|
||||
"gitignore": [
|
||||
"nix-super"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nix-super",
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": [
|
||||
"nix-super",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712897695,
|
||||
"narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"repin-flake-utils": {
|
||||
"inputs": {
|
||||
"systems": [
|
||||
|
|
|
@ -30,10 +30,9 @@
|
|||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
|
||||
|
||||
nix-super = {
|
||||
url = "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz";
|
||||
url = "gitlab:max/nix-super?host=git.privatevoid.net";
|
||||
inputs = {
|
||||
nixpkgs-regression.follows = "blank";
|
||||
nixpkgs-23-11.follows = "blank";
|
||||
};
|
||||
};
|
||||
|
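Review bot: `url = "gitlab:max/nix-super?host=git.privatevoid.net";` carries no `ref=` or `rev=`, so `nix flake update` follows whatever the forge reports as the default branch, and the only integrity guarantee is the `rev`/`narHash` pair recorded in flake.lock; the replaced tarball URL had the same property, so this is not a regression, but pinning a ref (e.g. `url = "gitlab:max/nix-super/master?host=git.privatevoid.net";`) would make the intended branch explicit. Note also that the lock hunk for this input on this branch appears to resolve to an older revision (lastModified 1713821351 versus 1731271232 on the other side), which is consistent with the branch being stale rather than with the fetcher change itself; worth confirming that re-locking after the merge is intended.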
||||
|
|
|
@ -16,6 +16,13 @@ in with hosts;
|
|||
"cluster/services/storage/secrets/garage-rpc-secret.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
|
||||
"cluster/services/storage/secrets/storage-box-credentials.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
|
||||
"secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
|
||||
"secrets/hyprspace-key-grail.age".publicKeys = max ++ map systemKeys [ grail ];
|
||||
"secrets/hyprspace-key-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
|
||||
|
|
BIN
secrets/gitlab-db-credentials.age
Normal file
BIN
secrets/gitlab-db-credentials.age
Normal file
Binary file not shown.
12
secrets/gitlab-initial-root-password.age
Normal file
12
secrets/gitlab-initial-root-password.age
Normal file
|
@ -0,0 +1,12 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4
|
||||
ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE
|
||||
-> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk
|
||||
w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ
|
||||
-> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s
|
||||
fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8
|
||||
-> AOy-grease dju$ xL|5Hh q(A
|
||||
h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE
|
||||
Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0
|
||||
--- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ
|
||||
øÜ™‹j‡>ü‘râ|ˆ>˜º<CB9C>–QÌ7¬p²¾ïÐdð¤hëÝÏ Î3œü»€¤ÃÐÿ57´âð˜{ïžZ9áLš´ééÖ$DU$—0YÙ º3ÐBMÍã‰ü@oáªU¶_ßÁ¡dÅDݶ<C39D>5jq/¿‰…j’`›6›<36>Z‡îi—åAÄÞ&Q¯”œ¬¢Ê¡*Õ•:R%+ ôò<C3B4>É¡ù£Ì
|
11
secrets/gitlab-openid-secret.age
Normal file
11
secrets/gitlab-openid-secret.age
Normal file
|
@ -0,0 +1,11 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0
|
||||
ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s
|
||||
-> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk
|
||||
pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU
|
||||
-> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q
|
||||
4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0
|
||||
-> hD-grease q%QV%; &/
|
||||
jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw
|
||||
--- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4
|
||||
AWeûۨ˯e¤ c[ ÖÌ3mÁíyÍΈÐñè6½
g{7›rd€_Ê7ØWPö©':ð¢uË›ùá¨N
|
BIN
secrets/gitlab-secret-db.age
Normal file
BIN
secrets/gitlab-secret-db.age
Normal file
Binary file not shown.
BIN
secrets/gitlab-secret-jws.age
Normal file
BIN
secrets/gitlab-secret-jws.age
Normal file
Binary file not shown.
14
secrets/gitlab-secret-otp.age
Normal file
14
secrets/gitlab-secret-otp.age
Normal file
|
@ -0,0 +1,14 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0
|
||||
J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4
|
||||
-> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk
|
||||
yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE
|
||||
-> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk
|
||||
7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI
|
||||
-> Q-grease KJL\,Pw& c!aOPX
|
||||
C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE
|
||||
xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg
|
||||
--- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo
|
||||
@#
|
||||
Q)F:ÀŽ¤¶GÍû #ógÒº¡¤«L…Ê-k{Tëd+˜´8žà܃üäá/è¹-Žaæ…Ë\O*—°!^Réãy÷›@Z/o™~I€
|
||||
œ[ô°¼PO’Â'vüše^ø,…?¢»Òo¼¸MÆ]1WƒËFò‹JëÄ™Ññ¨ôBý&y¼
yŸìVv‘_<E28098> %‹ûÇ<C3BB>«'
|
BIN
secrets/gitlab-secret-secret.age
Normal file
BIN
secrets/gitlab-secret-secret.age
Normal file
Binary file not shown.