feat: basic gitlab setup

applications/gitlab.nix

@@ -0,0 +1,68 @@
+{  ... }:
+  let
+    hostname = "gitlab.skynet.ie";
+    user = "git";
+  in {
+  imports = [
+    ./acme.nix
+    ./nginx.nix
+  ];
+
+  age.secrets.gitlab_pw = {
+    file = ../secrets/gitlab/pw.age;
+    owner = user;
+    group = user;
+  };
+  age.secrets.gitlab_db = {
+    file = ../secrets/gitlab/db.age;
+    owner = user;
+    group = user;
+  };
+  age.secrets.gitlab_db_pw = {
+    file = ../secrets/gitlab/db_pw.age;
+    owner = user;
+    group = user;
+  };
+
+  # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
+
+  services.nginx = {
+    virtualHosts."${hostname}" = {
+      forceSSL = true;
+      useACMEHost = "skynet";
+      locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+    };
+  };
+
+  services.gitlab = {
+    enable = true;
+    databasePasswordFile = config.age.secrets.gitlab_db_pw.path;
+    initialRootPasswordFile = config.age.secrets.gitlab_pw.path;
+    https = true;
+    host = "${hostname}";
+    port = 443;
+    user = user;
+    group = user;
+    #smtp = {
+    #  enable = true;
+    #  address = "localhost";
+    #  port = 25;
+    #};
+    secrets = {
+      dbFile = config.age.secrets.gitlab_db.path;
+      # these must be backed up for future
+      secretFile = "/var/keys/gitlab/secret";
+      otpFile = "/var/keys/gitlab/otp";
+      jwsFile = "/var/keys/gitlab/jws";
+    };
+    extraConfig = {
+      gitlab = {
+        #email_from = "gitlab-no-reply@example.com";
+        #email_display_name = "Example GitLab";
+        #email_reply_to = "gitlab-no-reply@example.com";
+        default_projects_features = { builds = false; };
+      };
+    };
+  };
+
+}

secrets/gitlab/db.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA l99EDFzdxhrhqX7PTVgDB1XLRLWlNA9Ah/OMnhSywQc
+FINnfEGNuE8M+1a49KvkcS+UVqZBJgNXsGvl9RPvT/8
+-> ssh-ed25519 rIwlvw XhUekhfkThrDVPBItJhXNX0sAup+bv1OU3+HWQwxgHE
+PQ2V2zmzEqKzaf37NpQm1Wm/osBEpjYxbXbnC9Y7EQw
+-> ssh-ed25519 q8eJgg yc+NaJoUBZMQaOaEgLw2M9xlUKmMVhVVjndi03hac3I
+2JWQ6OHWBjBD2zA3H+vz6KDyd3EYYVQF/sEIGRDG7U4
+-> 1wLyBA"-grease _-0D@TCk BT2r
+QsNjPlch
+--- RrST/7Y85PqLSqRBZK6RzozjHxHD28JYeUpI9LH13HY
+ñS!-ƒ¶|˜÷)ç/P¤¿
+Ó™qlB±Ù¹HlzDû5Ð]øwœeÕÚûHE‡ð½Y$¡›ÿún<C3BA>@g9<67>áôÁE»òãå³íö5Âx…0ÊL¤«¾}›G¼Ó(TÈ,wtzþTL™“¾k)@c<>íÃÇ{žwß®M$%‡ül¶›^ñ€Ø¢ébtû+9%Í^)Ï.<9¹~U¾T"M!Þ<HH;

secrets/gitlab/db_pw.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA BOEf42dr0ovi7tK+h4bKGEXdayMeI39+j92N4uEQuj4
+5vHmK1nQks4cc18yDK5di2XePWnoT3eSZ2MDsnV7gGQ
+-> ssh-ed25519 rIwlvw pB4NFeSRVgFHNEKZyLy1PNBPkjkSiBUk4xptMB4Biyw
+BWhM/zDBWXFdOCi+LoDoaY0scGR8eb7zFLAK0SwjL3Y
+-> ssh-ed25519 q8eJgg kgvMBm+T9rACXXHzK/huE8TKzMyZmt1JfeKiyhmNMUY
+SHY84rfJIYGQDGyh7qGDw7vVa8Dm7RuRbezLWjW5RDA
+-> va-KFND-grease +L-g& o|sn9 &D
+qmqveE91pG5SzeqK5JECiho8jpWhl6PWNSM6FEvGlGA87URFlxk3QcWuZ/Z1MjAn
+TfdveEpao4t0/D/xLIpyZg00i2csW3m9VvaefOGwXJX/WvGkwyDLWg
+--- voJQ2+8n4R7gvZYpFnAfrmrLevGncTJrOpYjklYZ9O8
+b‡¼Î™"r5ch_>Šª2Kñ}O½´¤œEú?8}kª€Å·„àü-<2D>§A«c
%p¦
<vx¢Å<C2A2>?›*“<>ÞHžÑ‘TuŽj“¦ñôöŽkª^?¼Ìr4|!b¸î&²%’5œ?<3F>6gšChXÍW0lx·=D»*ÌùÇÝ>m€L
UçÊç|K½Æ¸“N
ô<>¥„OD§Úй

secrets/secrets.nix

@@ -23,6 +23,8 @@ let
 
   optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqYbbWy3WWtxvD96Hx+RfTx7fJPPirIEa5bOvUILi9r root@optimus";
 
+  glados = "";
+
   systems = [
     agentjones
     ash
@@ -50,4 +52,9 @@ in
 
   "stream_ulfm.age".publicKeys = users ++ [galatea];
 
+
+  "gitlab/pw.age".publicKeys = users ++ [glados];
+  "gitlab/db.age".publicKeys = users ++ [glados];
+  "gitlab/db_pw.age".publicKeys = users ++ [glados];
+
 }