diff --git a/applications/gitlab.nix b/applications/gitlab.nix
index 2bfce33..ca768b9 100644
--- a/applications/gitlab.nix
+++ b/applications/gitlab.nix
@@ -44,6 +44,16 @@
 type = types.str;
 default = "git";
 };
+
+ ldap = {
+ base = mkOption {
+ type = types.str;
+ default = "dc=skynet,dc=ie";
+ description = lib.mdDoc "The base address in the ldap server";
+ };
+
+ };
+
 };
 config = mkIf cfg.enable {
@@ -52,8 +62,23 @@
 owner = cfg.user;
 group = cfg.user;
 };
- age.secrets.gitlab_db = {
- file = ../secrets/gitlab/db.age;
+ age.secrets.gitlab_secrets_db = {
+ file = ../secrets/gitlab/secrets_db.age;
+ owner = cfg.user;
+ group = cfg.user;
+ };
+ age.secrets.gitlab_secrets_secret = {
+ file = ../secrets/gitlab/secrets_secret.age;
+ owner = cfg.user;
+ group = cfg.user;
+ };
+ age.secrets.gitlab_secrets_otp = {
+ file = ../secrets/gitlab/secrets_otp.age;
+ owner = cfg.user;
+ group = cfg.user;
+ };
+ age.secrets.gitlab_secrets_jws = {
+ file = ../secrets/gitlab/secrets_jws.age;
 owner = cfg.user;
 group = cfg.user;
 };
@@ -91,17 +116,18 @@
 port = 443;
 user = cfg.user;
 group = cfg.user;
+ databaseUsername = cfg.user;
 #smtp = {
 # enable = true;
 # address = "localhost";
 # port = 25;
 #};
 secrets = {
- dbFile = config.age.secrets.gitlab_db.path;
+ dbFile = config.age.secrets.gitlab_secrets_db.path;
 # these must be backed up for future
- secretFile = "/var/keys/gitlab/secret";
- otpFile = "/var/keys/gitlab/otp";
- jwsFile = "/var/keys/gitlab/jws";
+ secretFile = config.age.secrets.gitlab_secrets_secret.path;
+ otpFile = config.age.secrets.gitlab_secrets_otp.path;
+ jwsFile = config.age.secrets.gitlab_secrets_jws.path;
 };
 extraConfig = {
 gitlab = {
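Review bot: The description `"The base address in the ldap server"` names the wrong concept: the value is a base DN (a distinguished name such as the default `dc=skynet,dc=ie`), not an address, and "address" reads as a hostname next to the `host` the LDAP block configures later in this file. Suggest `description = lib.mdDoc "Base DN of the LDAP directory; users and groups are looked up under ou=users and ou=groups beneath it.";`, which also tells the reader what the later hunk derives from it. The `options` set this `ldap` attribute is added to is opened before the hunk.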
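Review bot: The four `age.secrets.gitlab_secrets_*` entries are identical apart from the name, which is a point of style rather than a defect; a one-line helper in the module's `let` keeps them in step when the owner or directory changes, e.g. `mkGitlabSecret = name: { file = ../secrets/gitlab/${name}.age; owner = cfg.user; group = cfg.user; };` followed by `age.secrets.gitlab_secrets_db = mkGitlabSecret "secrets_db";` for each of the four. The `config = mkIf cfg.enable {` set they live in is opened in the previous hunk, and the entry whose `owner`/`group` lines open this hunk is not visible here.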
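Review bot: The comment `# these must be backed up for future` is now stale: `secretFile`, `otpFile` and `jwsFile` no longer point at unmanaged files under `/var/keys/gitlab` but at agenix-provisioned paths whose ciphertext is `secrets/gitlab/secrets_*.age` in this repository, so what has to stay recoverable is the ability to decrypt those files, not a directory on the host. Suggest replacing it with `# Provisioned by agenix from secrets/gitlab/secrets_*.age; GitLab encrypts stored data (e.g. 2FA secrets) with these, so losing or regenerating them makes that data unreadable — keep the recipient keys listed in secrets/secrets.nix recoverable.` A short note on `databaseUsername = cfg.user;` saying which database role the password in `secrets_db.age` belongs to would also help, since that line now ties the role name to the service user. The `services.gitlab` set these lines belong to is opened before the hunk and continues after it.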
@@ -110,6 +136,32 @@
 #email_reply_to = "gitlab-no-reply@example.com";
 default_projects_features = { builds = false; };
 };
+
+ ldap = {
+ enabled = true;
+ servers = {
+ main = {
+ label = "Skynet";
+ host = "sso.skynet.ie";
+ port = 636;
+ uid = "uid";
+ encryption = "simple_tls";
+ active_directory = false;
+ #base = "ou=users,${cfg.ldap.base}?sub?(|(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
+ base = "ou=users,${cfg.ldap.base}";
+
+
+ username = "uid";
+ email = "skMail";
+ name = "cn";
+
+ group_base= "ou=groups,${cfg.ldap.base}";
+ admin_group = "skynet-admins";
+
+ sync_ssh_keys = "sshPublicKey";
+ };
+ };
+ };
 };
 };
 };
diff --git a/secrets/gitlab/db.age b/secrets/gitlab/db.age
deleted file mode 100644
index 0c20bec..0000000
--- a/secrets/gitlab/db.age
+++ /dev/null
@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 V1pwNA x5UmW5H9YW3BZq0C2lyAA5ndkUGXa3g7p+kCqvXJbnQ
-RdCLP1mDscZ91abQ4Nx4+m4rH08G7lDCGe+VoVH7oks
--> ssh-ed25519 rIwlvw +739LXIwXApWmn3Qc6O5ANNkL1u1JpFW+U4qxmCBtDk
-wzm/eWqq77C2ROWOCkpGN+kCu1ErNdHcM3Wng5s0Kk0
--> ssh-ed25519 q8eJgg lQC3uwohGLXEQBY6KRxOJcQndWvUYMM9HaWkntqzaQs
-krJdasILc/rfZfXlHVVe9yBM9qRAY0zHUyMSI+qf7U0
--> ZYK-grease @dZML*to@otCx ٵRd<`IDBEmqsv:,gN 2?)ׯ{t
\ No newline at end of file
diff --git a/secrets/gitlab/db_pw.age b/secrets/gitlab/db_pw.age
index f687f74..1f41115 100644
Binary files a/secrets/gitlab/db_pw.age and b/secrets/gitlab/db_pw.age differ
diff --git a/secrets/gitlab/pw.age b/secrets/gitlab/pw.age
index 4127f18..f4b2312 100644
Binary files a/secrets/gitlab/pw.age and b/secrets/gitlab/pw.age differ
diff --git a/secrets/gitlab/secrets_db.age b/secrets/gitlab/secrets_db.age
new file mode 100644
index 0000000..400b282
Binary files /dev/null and b/secrets/gitlab/secrets_db.age differ
diff --git a/secrets/gitlab/secrets_jws.age b/secrets/gitlab/secrets_jws.age
new file mode 100644
index 0000000..5600e85
Binary files /dev/null and b/secrets/gitlab/secrets_jws.age differ
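Review bot: The commented-out `#base = "...?sub?(|(skMemberOf=cn=skynet-users,...))"` shows an intent to admit only members of `skynet-users`, but the active `base = "ou=users,${cfg.ldap.base}"` admits any entry under `ou=users` that can bind, and GitLab does not read a filter out of `base`; the supported key is a separate `user_filter = "(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base})";` (the `(|(...))` wrapper around a single term is unnecessary). Two further settings look worth checking against the GitLab LDAP reference for the deployed version: as far as I recall the `username`/`email`/`name` mapping is read from a nested `attributes = { ... }` set, so at server level `email = "skMail"` may be ignored and accounts created without a mail address, and `group_base`, `admin_group` and `sync_ssh_keys` are Enterprise Edition settings that Community Edition ignores without a warning, so whether `skynet-admins` really confers admin depends on which GitLab package the module uses, which this diff does not show. Making `verify_certificates = true;` explicit beside `encryption = "simple_tls"` would also record that the `sso.skynet.ie` certificate is validated rather than leaving that to the default. Style: `group_base= ` lacks the space before `=` used on every other line. The `extraConfig` set this `ldap` block joins is opened in the previous hunk and closed by the three trailing `};` here.
```nix
main = {
  # … unchanged: label / host / port / uid / encryption / active_directory …
  verify_certificates = true;
  base = "ou=users,${cfg.ldap.base}";
  # Only members of skynet-users may sign in (previously a commented-out attempt inside `base`).
  user_filter = "(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base})";
  # NOTE(review): GitLab reads the attribute mapping from this nested set, not from the
  # server level — confirm against the LDAP reference for the deployed version.
  attributes = {
    username = "uid";
    email = "skMail";
    name = "cn";
  };
  # … unchanged: group_base / admin_group / sync_ssh_keys (Enterprise Edition only) …
};
```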
diff --git a/secrets/gitlab/secrets_otp.age b/secrets/gitlab/secrets_otp.age
new file mode 100644
index 0000000..3003a26
Binary files /dev/null and b/secrets/gitlab/secrets_otp.age differ
diff --git a/secrets/gitlab/secrets_secret.age b/secrets/gitlab/secrets_secret.age
new file mode 100644
index 0000000..d6cb2a2
--- /dev/null
+++ b/secrets/gitlab/secrets_secret.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA JGktU0gGovPnnYr9an6lueZnEKDLde9ES0Y6m06pLUc
+vPcPTDCVwgK72KnMN8t7C9AR7fV9EggTUC5F9EFyuoI
+-> ssh-ed25519 rIwlvw FMYXiAcwxioJex74HfvM7Tnvp2VKAOKtHTRqTKgYVHA
+B/RdgW4nsMTD1sF12OxgJElFx6SfCL03WKWdeeTjeYg
+-> ssh-ed25519 q8eJgg AxBdKkiZh7NOqpLMwBNsEo3dgTj+6NPtONYkLKENWRw
+qqvrwOFlE52/Sa15kplKXBq5jdTZ+dUn/2EjUBByQQs
+-> ssh-ed25519 DVzSig I04tljSY9N+GyRWwO1ULPhojDOLDxXC5gOqw922Z3Xk
+OiZe8nWcQaY6UCDGW5IkWpqTeMTpNRtUoDxOQ/ALwwg
+-> *=AwI,H2-grease
+3Y9OngljfiuJCfOMrjB3Ze0+PKnNto4BcK2krTU8jVCVlxUXtFUFHsnuhQsuYejo
+J5SQjXliLn5r7SK2R7hw2OmWCVkbVuYsBFvGtrc6Kocr0yXGxaqImNsMBA+V5rWT
+Ng
+--- E6/+09Fw8LXNmezYen3GZ1SQvTsnsxty4fgItWnMITc
+U.긗\c>xY%r|Wff9"l:!'+@t=JQQ <yIO,۷}6?yI]UAk8h\\vx3C]9!_
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3115cbb..ab78b1c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -55,6 +55,8 @@ let
 # ldap servers are web facing
 ++ ldap;
+ gitlab = optimus;
+
 in {
 # nix run github:ryantm/agenix -- -e secret1.age
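Review bot: `gitlab = optimus;` introduces an alias without saying why the GitLab secrets move to that host's key, which is the one thing a reader of this file will want to know; a one-line comment in the style of the existing `# ldap servers are web facing` would do, e.g. `# host that runs the gitlab service (applications/gitlab.nix)`. The `let` block the binding is added to starts before the hunk.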
@@ -65,9 +67,12 @@ in
 "stream_ulfm.age".publicKeys = users ++ [galatea];
- "gitlab/pw.age".publicKeys = users ++ [glados];
- "gitlab/db.age".publicKeys = users ++ [glados];
- "gitlab/db_pw.age".publicKeys = users ++ [glados];
+ "gitlab/pw.age".publicKeys = users ++ [gitlab];
+ "gitlab/db_pw.age".publicKeys = users ++ [gitlab];
+ "gitlab/secrets_db.age".publicKeys = users ++ [gitlab];
+ "gitlab/secrets_secret.age".publicKeys = users ++ [gitlab];
+ "gitlab/secrets_otp.age".publicKeys = users ++ [gitlab];
+ "gitlab/secrets_jws.age".publicKeys = users ++ [gitlab];
 # for ldap
 "ldap/pw.age".publicKeys = users ++ ldap;
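Review bot: Switching the recipient of `gitlab/pw.age` and `gitlab/db_pw.age` from `glados` to `gitlab` (= `optimus` per the previous hunk) re-encrypts only the current values; every earlier revision of those files, and the deleted `gitlab/db.age`, stays in git history decryptable by glados's key. If this move means glados should no longer be able to read GitLab's credentials (for example because it is being retired or repurposed), the database password and the contents of `pw.age` should be rotated rather than only rekeyed, and `secrets_db.age` treated the same way if its value was carried over from the old `db.age`. The list is otherwise consistent with the four new `age.secrets.gitlab_secrets_*` entries in applications/gitlab.nix. The attribute set these entries belong to is opened before the hunk and continues after it.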