diff --git a/cluster/services/gitlab/default.nix b/cluster/services/gitlab/default.nix
deleted file mode 100644
index fd1c416..0000000
--- a/cluster/services/gitlab/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ depot, ... }:
-
-{
- services.gitlab = {
- nodes.host = [ "VEGAS" ];
- nixos.host = ./host.nix;
- };
-
- dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
-}
diff --git a/cluster/services/gitlab/host.nix b/cluster/services/gitlab/host.nix
deleted file mode 100644
index 85f548c..0000000
--- a/cluster/services/gitlab/host.nix
+++ /dev/null
@@ -1,94 +0,0 @@
-{ cluster, config, lib, depot, ... }:
-
-let
- inherit (depot.lib.meta) domain adminEmail;
-
- patroni = cluster.config.links.patroni-pg-access;
-
- mkSecret = name: {
- owner = "gitlab";
- group = "gitlab";
- mode = "0400";
- file = ../../../secrets/${name}.age;
- };
-
- secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
-
- cfg = config.services.gitlab;
-in
-
-{
- age.secrets = lib.flip lib.genAttrs mkSecret [
- "gitlab-db-credentials"
- "gitlab-initial-root-password"
- "gitlab-openid-secret"
- "gitlab-secret-db"
- "gitlab-secret-jws"
- "gitlab-secret-otp"
- "gitlab-secret-secret"
- ];
-
- services.gitlab = {
- enable = true;
- https = true;
- host = "git.${domain}";
- port = 443;
-
- databaseCreateLocally = false;
- databaseHost = patroni.ipv4;
- extraDatabaseConfig = { inherit (patroni) port; };
- databaseUsername = "gitlab";
- databasePasswordFile = secrets.gitlab-db-credentials;
-
- initialRootEmail = adminEmail;
-
- statePath = "/srv/storage/private/gitlab/state";
-
- smtp = {
- enable = true;
- inherit domain;
- };
-
- initialRootPasswordFile = secrets.gitlab-initial-root-password;
-
- secrets = with secrets; {
- dbFile = gitlab-secret-db;
- jwsFile = gitlab-secret-jws;
- otpFile = gitlab-secret-otp;
- secretFile = gitlab-secret-secret;
- };
-
- extraConfig = {
- omniauth = {
- enabled = true;
- auto_sign_in_with_provider = "openid_connect";
- allow_single_sign_on = ["openid_connect"];
- block_auto_created_users = false;
- providers = [
-
- {
- name = "openid_connect";
- label = "Private Void Account";
- args = {
- name = "openid_connect";
- scope = ["openid" "profile"];
- response_type = "code";
- issuer = "https://login.${domain}/auth/realms/master";
- discovery = true;
- client_auth_method = "query";
- uid_field = "preferred_username";
- client_options = {
- identifier = "net.privatevoid.git2";
- secret = { _secret = secrets.gitlab-openid-secret; };
- redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
- };
- 
}; - } - - ]; - }; - }; - }; - - services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket"; -} diff --git a/flake.lock b/flake.lock index 3959b01..54ae55f 100644 --- a/flake.lock +++ b/flake.lock @@ -173,11 +173,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -235,11 +235,11 @@ ] }, "locked": { - "lastModified": 1712014858, - "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "lastModified": 1719994518, + "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", "type": "github" }, "original": { @@ -248,18 +248,34 @@ "type": "github" } }, - "flake-utils": { + "git-hooks-nix": { + "inputs": { + "flake-compat": [ + "nix-super" + ], + "gitignore": [ + "nix-super" + ], + "nixpkgs": [ + "nix-super", + "nixpkgs" + ], + "nixpkgs-stable": [ + "nix-super", + "nixpkgs" + ] + }, "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "lastModified": 1721042469, + "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd", "type": "github" }, "original": { - "owner": "numtide", - "repo": "flake-utils", + "owner": "cachix", + "repo": "git-hooks.nix", "type": "github" } }, 
@@ -369,15 +385,16 @@ "libgit2": { "flake": false, "locked": { - "lastModified": 1697646580, - "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=", + "lastModified": 1715853528, + "narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=", "owner": "libgit2", "repo": "libgit2", - "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5", + "rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96", "type": "github" }, "original": { "owner": "libgit2", + "ref": "v1.8.1", "repo": "libgit2", "type": "github" } @@ -472,27 +489,26 @@ "inputs": { "flake-compat": "flake-compat_2", "flake-parts": "flake-parts_3", + "git-hooks-nix": "git-hooks-nix", "libgit2": "libgit2", "nixpkgs": "nixpkgs_3", - "nixpkgs-regression": [ + "nixpkgs-23-11": [ "blank" ], - "pre-commit-hooks": "pre-commit-hooks" + "nixpkgs-regression": [ + "blank" + ] }, "locked": { - "host": "git.privatevoid.net", - "lastModified": 1713821351, - "narHash": "sha256-JctHGT1oa4pet4PgUKRM7pf0w+qGe0a/ahVij8bee3o=", - "owner": "max", - "repo": "nix-super", - "rev": "5ecd820c18b1aaa3c8ee257a7a9a2624c4107031", - "type": "gitlab" + "lastModified": 1731271232, + "narHash": "sha256-HSNUAfhtG/A2hnrzPMT3asZZ2Wb3dAmedOr1VzptOCg=", + "rev": "1eb19dd804a83d99c497118af8ab781eee569c65", + "type": "tarball", + "url": "https://forge.privatevoid.net/api/v1/repos/max/nix-super/archive/1eb19dd804a83d99c497118af8ab781eee569c65.tar.gz" }, "original": { - "host": "git.privatevoid.net", - "owner": "max", - "repo": "nix-super", - "type": "gitlab" + "type": "tarball", + "url": "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz" } }, "nixpkgs": { 
@@ -529,16 +545,16 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1709083642, - "narHash": "sha256-7kkJQd4rZ+vFrzWu8sTRtta5D1kBG0LSRYAfhtmMlSo=", + "lastModified": 1723688146, + "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b550fe4b4776908ac2a861124307045f8e717c8e", + "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } @@ -559,38 +575,6 @@ "type": "github" } }, - "pre-commit-hooks": { - "inputs": { - "flake-compat": [ - "nix-super" - ], - "flake-utils": "flake-utils", - "gitignore": [ - "nix-super" - ], - "nixpkgs": [ - "nix-super", - "nixpkgs" - ], - "nixpkgs-stable": [ - "nix-super", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1712897695, - "narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, "repin-flake-utils": { "inputs": { "systems": [ diff --git a/flake.nix b/flake.nix index 419a526..da52e8e 100644 --- a/flake.nix +++ b/flake.nix @@ -30,9 +30,10 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nix-super = { - url = "gitlab:max/nix-super?host=git.privatevoid.net"; + url = "https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz"; inputs = { nixpkgs-regression.follows = "blank"; + nixpkgs-23-11.follows = "blank"; }; }; diff --git a/secrets.nix b/secrets.nix index 3e1c920..a2225f1 100644 --- a/secrets.nix +++ b/secrets.nix 
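Review bot: The new `nix-super` input URL in the flake.nix hunk, `https://forge.privatevoid.net/max/nix-super/archive/master.tar.gz`, names a mutable branch archive with no tag or revision in it, so the only thing holding this input to a known tree is the `rev`/`narHash` pair recorded in flake.lock, and the next `nix flake update` will follow whatever `master` contains at that moment. The previous `gitlab:` ref tracked a default branch too, so this is not a regression so much as a good moment to decide whether a floating branch is intended for a self-hosted fork of the evaluator. If a floating branch is wanted, a one-line comment above `url` saying so would stop the next reader from "fixing" it; if not, pin it, e.g. `url = "https://forge.privatevoid.net/max/nix-super/archive/<TAG-OR-REV>.tar.gz";` (placeholder). The added `nixpkgs-23-11.follows = "blank";` matches the renamed lock entry and looks consistent with the existing `nixpkgs-regression` line.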
@@ -16,13 +16,6 @@ in with hosts;
 "cluster/services/storage/secrets/garage-rpc-secret.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
 "cluster/services/storage/secrets/storage-box-credentials.age".publicKeys = max ++ map systemKeys [ grail VEGAS prophet ];
 "secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "secrets/gitlab-secret-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "secrets/gitlab-secret-jws.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "secrets/gitlab-secret-otp.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "secrets/gitlab-secret-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/hyprspace-key-checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
 "secrets/hyprspace-key-grail.age".publicKeys = max ++ map systemKeys [ grail ];
 "secrets/hyprspace-key-thunderskin.age".publicKeys = max ++ map systemKeys [ thunderskin ];
diff --git a/secrets/gitlab-db-credentials.age b/secrets/gitlab-db-credentials.age
deleted file mode 100644
index 485ac15..0000000
Binary files a/secrets/gitlab-db-credentials.age and /dev/null differ
diff --git a/secrets/gitlab-initial-root-password.age b/secrets/gitlab-initial-root-password.age
deleted file mode 100644
index 1f703ff..0000000
--- a/secrets/gitlab-initial-root-password.age
+++ /dev/null
@@ -1,12 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 NO562A XRrOSniXZk7nvufR3liJ3ocjX257eenhQUYZdlYCpl4 -ctZGdEgc9SgWka/3R/2WW4G9m1DHIk7HLKaBNyUeHtE --> ssh-ed25519 5/zT0w k3z9vLsjCPABV2kTRMC3xiriW+4BwSdvnk02Xtoi3zk -w43L1pm8VvwxVp6k8NJA73afZtPGfD8eCb2koa2goZQ --> ssh-ed25519 d3WGuA Bi1l2WS3kL5Y5NoVh7jAja3BG9LXxem801SSR76j52s -fKhRIb+Ug3sW4JI2rczNnh3Frx/EEnbQfhTUGdwLSo8 --> AOy-grease dju$ xL|5Hh q(A -h0bIKBg8yQBMqNR8M9DlA/wZWWFB+sdo4ApLXvTT19Moz3E5Vly8N2XKHrV3ggCE -Vn2a3snrXDrWxqQgfQEfJo7FnydItRcgO7ZDOuNAlnooyk0 ---- 9bMYjHMQsJt4fqnmE2ezRzN4AoKIrlRKAqh8pYRw8SQ -ܙj>r|>Q7pdh 357{Z9L $DU$0Y٠3BM@oU_dDݶ5jq/j`6ZiA&Qʡ*Օ:R%+ ɡ \ No newline at end of file diff --git a/secrets/gitlab-openid-secret.age b/secrets/gitlab-openid-secret.age deleted file mode 100644 index 3a57392..0000000 --- a/secrets/gitlab-openid-secret.age +++ /dev/null @@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 NO562A ZCflrN3Tm5CiGr6ajyHWUBB/tQqvBuZkwTrJDrd/aV0 -ItnkxqiZTCT77SDnG0JgzaQlDL3LZ96V+kzjxjAJx5s --> ssh-ed25519 5/zT0w WoKnbgmzpR+HuLdXYCOkPfScle7g7U+NGA/YAmyfIhk -pNfp+gOVyTfnXpVDRXuk16RyjlWjDILrO7Gibh7nRmU --> ssh-ed25519 d3WGuA L5xjtPNva83jZWsu2bCbcgaDNlou5BFVMsFkR8+L+2Q -4+UtIsyOgY0NAuHtdg4lBJwMyZWquRsmRNeQ+YXqeA0 --> hD-grease q%QV%; &/ -jl4ZKGU+SBSR0xhJN0yz7sV2uW/+Yhw ---- 1LIvBjAzD1lUotPXuI4cPHSfUsMFbEaGjE/t+KnQcW4 -AWee c[ 3myΈ6 g{7rd_7WP':u N \ No newline at end of file diff --git a/secrets/gitlab-secret-db.age b/secrets/gitlab-secret-db.age deleted file mode 100644 index 347fe7f..0000000 Binary files a/secrets/gitlab-secret-db.age and /dev/null differ diff --git a/secrets/gitlab-secret-jws.age b/secrets/gitlab-secret-jws.age deleted file mode 100644 index 7b99d4e..0000000 Binary files a/secrets/gitlab-secret-jws.age and /dev/null differ diff --git a/secrets/gitlab-secret-otp.age b/secrets/gitlab-secret-otp.age deleted file mode 100644 index 28e6c7f..0000000 --- a/secrets/gitlab-secret-otp.age +++ /dev/null 
@@ -1,14 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 NO562A su6ATd6CDJ/TD/nAPw1K4ZmELBDdNLZI63DsZl0zCF0 -J+2ZXXZArtjDDLIaQL6HaEdawHo8tonMdzHf45IQMO4 --> ssh-ed25519 5/zT0w wdKMnoA5/huvtT/jyj1Aixf9nKtkzcyPSs1yoUpxoAk -yGiW4Zg0h4NGkdU0BZiWzC+72CJZK6pJdrSBuZCVGAE --> ssh-ed25519 d3WGuA p4QVeohmXdTo8v0Wh2pkEoyqMhZhmdrblBpq39ENnVk -7TybdsMNokMu+2q5ESnvdcNwAeWTl/5XGZltzJ7etjI --> Q-grease KJL\,Pw& c!aOPX -C6DVdLd90RXPgjf22U5Y8OsW9O9rkfE3kY0LGQhmmjCSZ7yHde4bhOAVNeNronxE -xFy8GtD+ZllI4NPUSyl3Y/90//H2fVUb32WA3Ga5WJmksrGXzg ---- yWDk0jbHXLxwE9jWTT85ORZy0Pw20jaRVihmkKfGnKo -@# -Q)F:G # gL-k{Td+8܃/-a\O*!^Ry@Z/o~I -[PO've^,?oM]1WFJęB&y yVv_ %Ǐ' \ No newline at end of file diff --git a/secrets/gitlab-secret-secret.age b/secrets/gitlab-secret-secret.age deleted file mode 100644 index 0b8f89e..0000000 Binary files a/secrets/gitlab-secret-secret.age and /dev/null differ