From 59f4057698dc70e953390af9fb7f06af47e43f9f Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Wed, 24 May 2023 20:57:49 +0100
Subject: [PATCH] gitlab: basic setup
---
 applications/gitlab.nix | 64 +++++++++++++++++++++++++++---
 secrets/gitlab/db.age | 11 -----
 secrets/gitlab/db_pw.age | Bin 613 -> 698 bytes
 secrets/gitlab/pw.age | Bin 661 -> 735 bytes
 secrets/gitlab/secrets_db.age | Bin 0 -> 714 bytes
 secrets/gitlab/secrets_jws.age | Bin 0 -> 2305 bytes
 secrets/gitlab/secrets_otp.age | Bin 0 -> 756 bytes
 secrets/gitlab/secrets_secret.age | 15 +++++++
 secrets/secrets.nix | 11 +++--
 9 files changed, 81 insertions(+), 20 deletions(-)
 delete mode 100644 secrets/gitlab/db.age
 create mode 100644 secrets/gitlab/secrets_db.age
 create mode 100644 secrets/gitlab/secrets_jws.age
 create mode 100644 secrets/gitlab/secrets_otp.age
 create mode 100644 secrets/gitlab/secrets_secret.age
diff --git a/applications/gitlab.nix b/applications/gitlab.nix
index 2bfce33..ca768b9 100644
--- a/applications/gitlab.nix
+++ b/applications/gitlab.nix
@@ -44,6 +44,16 @@
 type = types.str;
 default = "git";
 };
+
+ ldap = {
+ base = mkOption {
+ type = types.str;
+ default = "dc=skynet,dc=ie";
+ description = lib.mdDoc "The base address in the ldap server";
+ }; + + }; + }; config = mkIf cfg.enable {
@@ -52,8 +62,23 @@
 owner = cfg.user;
 group = cfg.user;
 };
- age.secrets.gitlab_db = {
- file = ../secrets/gitlab/db.age;
+ age.secrets.gitlab_secrets_db = {
+ file = ../secrets/gitlab/secrets_db.age;
+ owner = cfg.user;
+ group = cfg.user;
+ };
+ age.secrets.gitlab_secrets_secret = {
+ file = ../secrets/gitlab/secrets_secret.age;
+ owner = cfg.user;
+ group = cfg.user;
+ };
+ age.secrets.gitlab_secrets_otp = {
+ file = ../secrets/gitlab/secrets_otp.age;
+ owner = cfg.user;
+ group = cfg.user;
+ };
+ age.secrets.gitlab_secrets_jws = {
+ file = ../secrets/gitlab/secrets_jws.age;
 owner = cfg.user;
 group = cfg.user;
 };
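Review bot: The `description` on the new `ldap.base` option calls the value a "base address", but what it holds is an LDAP base DN (`dc=skynet,dc=ie`) that the rest of this patch prefixes with `ou=users,` and `ou=groups,`; `description = lib.mdDoc "Base DN of the LDAP directory; the user and group subtrees are derived from it";` tells a caller what to supply. The option block also carries a stray blank line before its closing `};`, unlike the neighbouring options in this hunk. The enclosing options attrset starts and ends outside the hunk.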
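Review bot: The four added `age.secrets.gitlab_secrets_*` entries differ only in the secret name, so a small helper declared in a `let` above the config, `mkSecret = name: { file = ../secrets/gitlab/${name}.age; owner = cfg.user; group = cfg.user; };`, would let each collapse to `age.secrets.gitlab_secrets_db = mkSecret "secrets_db";` and keep owner/group consistent as further GitLab secrets are added. The removed `gitlab_db` entry is superseded by `gitlab_secrets_db`; any reference to `config.age.secrets.gitlab_db.path` elsewhere in the repository would now fail evaluation, so it is worth one grep before merging. The `config = mkIf cfg.enable { ... }` attrset these entries live in begins and ends outside the hunk.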
@@ -91,17 +116,18 @@ port = 443; user = cfg.user; group = cfg.user; + databaseUsername = cfg.user; #smtp = { # enable = true; # address = "localhost"; # port = 25; #}; secrets = { - dbFile = config.age.secrets.gitlab_db.path; + dbFile = config.age.secrets.gitlab_secrets_db.path; # these must be backed up for future - secretFile = "/var/keys/gitlab/secret"; - otpFile = "/var/keys/gitlab/otp"; - jwsFile = "/var/keys/gitlab/jws"; + secretFile = config.age.secrets.gitlab_secrets_secret.path; + otpFile = config.age.secrets.gitlab_secrets_otp.path; + jwsFile = config.age.secrets.gitlab_secrets_jws.path; }; extraConfig = { gitlab = { @@ -110,6 +136,32 @@ #email_reply_to = "gitlab-no-reply@example.com"; default_projects_features = { builds = false; }; }; + + ldap = { + enabled = true; + servers = { + main = { + label = "Skynet"; + host = "sso.skynet.ie"; + port = 636; + uid = "uid"; + encryption = "simple_tls"; + active_directory = false; + #base = "ou=users,${cfg.ldap.base}?sub?(|(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))"; + base = "ou=users,${cfg.ldap.base}"; + + + username = "uid"; + email = "skMail"; + name = "cn"; + + group_base= "ou=groups,${cfg.ldap.base}"; + admin_group = "skynet-admins"; + + sync_ssh_keys = "sshPublicKey"; + }; + }; + }; }; }; }; diff --git a/secrets/gitlab/db.age b/secrets/gitlab/db.age deleted file mode 100644 index 0c20bec..0000000 --- a/secrets/gitlab/db.age +++ /dev/null @@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA x5UmW5H9YW3BZq0C2lyAA5ndkUGXa3g7p+kCqvXJbnQ -RdCLP1mDscZ91abQ4Nx4+m4rH08G7lDCGe+VoVH7oks --> ssh-ed25519 rIwlvw +739LXIwXApWmn3Qc6O5ANNkL1u1JpFW+U4qxmCBtDk -wzm/eWqq77C2ROWOCkpGN+kCu1ErNdHcM3Wng5s0Kk0 --> ssh-ed25519 q8eJgg lQC3uwohGLXEQBY6KRxOJcQndWvUYMM9HaWkntqzaQs -krJdasILc/rfZfXlHVVe9yBM9qRAY0zHUyMSI+qf7U0 --> ZYK-grease @dZML*to@otCx ٵRd<`IDBEmqsv:,gN 2?)ׯ{t \ No newline at end of file 
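Review bot: The comment `# these must be backed up for future` now sits above paths that agenix decrypts at activation time rather than files kept on the host, so the durable copy of the secret, OTP and JWS keys is the encrypted `.age` files in `secrets/gitlab/` plus the recipient private keys, not the runtime paths; I would reword it to `# decrypted by agenix at activation; the .age files (and the host key) are the backup`. The added `databaseUsername = cfg.user;` has no comment saying why it must equal the service user; if it is there to satisfy the NixOS gitlab module's check that `databaseUsername` matches `user` when `databaseCreateLocally` is enabled (as I believe it is), a one-line comment stops someone "simplifying" it away later. The `services.gitlab` attrset that holds these lines begins and ends outside the hunk.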
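Review bot: `group_base`, `admin_group` and `sync_ssh_keys` are LDAP group, admin and SSH-key sync settings that GitLab honours only in the EE (Premium) builds; on the Community Edition package that `services.gitlab` uses by default they are silently ignored, so nobody in `skynet-admins` would become an administrator and no keys would sync. Either confirm `services.gitlab.packages.gitlab` is the EE package or comment those three lines out with a note so the gap stays visible. The commented-out `base` with `?sub?(...)` tries to restrict users through the base DN, which GitLab does not parse; the supported setting is a separate `user_filter = "(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base})";`. There is no explicit `verify_certificates`; GitLab defaults it to true, but pinning `verify_certificates = true;` next to `encryption = "simple_tls"` makes the TLS expectation for `sso.skynet.ie` obvious to the next reader (and `group_base= ` is missing the space before `=` that every other line has). The `extraConfig` attrset this `ldap` block is added to begins outside the hunk.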
diff --git a/secrets/gitlab/db_pw.age b/secrets/gitlab/db_pw.age index f687f74929cdd07a0398bbdd27b7902172e4e288..1f4111511863f62eb2ae0275ed3d9fe8cb3be4aa 100644 GIT binary patch delta 646 zcmZ9{OK8&o0Dxgp=OHrLL8myT#W7^dO53z)8<+jLU434h2tEd)?jnd24;H;B?&e{NdiDGtKK|j(M}OFl!5 ziM~Wi$~SolkBO8XPQ@wL$tGl@)k?8pnh4fH07~>=AtaU?2&`4@XfB&fxlT7=rh72! zhl4dx*Bx9(>@Ft&-s2w2(!7cc!EgZaw3D{cvppRfsf92>giE=&Wsq4Jry)(OL{zCz zLIMpVhN*>!pOnI6!UWKII$G*zb&lyMdA7<>UB)(Dl%)s|X_r_C_4`sm!S00Q{Kd`v z1E^ed{9xXn>s?7Kw{TqqmKLLi=uwoFA&!*N)*(O8L70hLO3B0-jM;#!VGxJo7^ zS~UpvxlARZ=`t7M$W|6JjRKqb|0Gd#7pkg9XQXOBuhjX5P3oGW_y!C_(TwP#E>TQi z*{I^+Jq{5~y>0@UAxCw*+-^H676fCwD~LUzTQAkB5^57L5u(Xbnzv-JhW+D=>DeP* zwXKva#Zzq_!_w|aK!yJ%uh+v6Ldr)sdnVb<(Ml17pd6?bB(XUNYhj)yYY5V93Dry{ z!TNzgYsfFn%Rl{B?;kq7es?xI3Vgn^arnj2$AhnDhqvdN>io-3E94qIe0%x%yDe;N zdu2@KrLCF#H28j*8P7f({my>l$&o2?ZuRwz2WM~v*iS9a00*A!nc_BA2yn;2*u=hH z3!C9B_)TKly7i>9d*YNuw9Zf7yXAbOzx=p)r82!Zd+pqZ>rXFjtg6eeMycQ9yC#?V KCvd#HckK_LgEPqo>d2vcway4c+O-)ZPVsthyMM^?(Z#8suWKw2CcS~VtGgoYEe)zM0YDUVMb9aZ#Q#ObZ#>@M{7@6 zF=sD!bZ%-*bWK5P3Sw4TR&iu6OLcidc1}VtGdOWIX>e>zLSke@b4x)(P;Fy*a70UM zLuzd_k?|LQMr~L$V`FAVLt-{?Pb)++Nis@KS5$XdHd$zHS4C`iNLO%8c6vlpLu*wE zZbxKlc}h-DQfpH|Fh?*}R8MGUcu;UxH*#Tdc2IdrdUIMxHAiSSH)BZ(Ej}P;Z8kA2 zXL4m>b7dedaZ*TUAXs}+TYNEcAWtJYQ*SvwBp^tCc0*Qe3Po>iSTRLO3N0-yAarv? zY->+9cw$jOac4|pZF)9#GH6v*b4^Y-MOIojR#$XLPHj_ESZ8Ku3K6W8hP%}x*Vt4c z4EkusP_20{F3z2}bp_avB0D7AgbCpAf4lfw>k=<;l#?t5keRrB*H~jZ`odwL2b5Cu z_BdN#H$y{jM{a?=s`vLiu{w|{qe}XF_N%kl^gpu%gd2(?m!W7yg5K-&uE{QkAQic! yp)F4aWoaZ0+$2a;W)-@(IF^c!X&!%2-0~>&@bmZ91l6|y 
diff --git a/secrets/gitlab/pw.age b/secrets/gitlab/pw.age index 4127f184789aeba415d90b90b7eb821ef4b50f0a..f4b2312281085ea73cf950abefa6f0c6e0960acc 100644 GIT binary patch delta 683 zcmZ9{*=y5q0KoBq&SAlq4OA2*h?`?wX}Tsoa1PQmZPFZVlQeBJ5z_6~G;Px(>DsP{ zg$>+Z+`RTAZitAR;Q26N;K>j~@xcSODfprwBFKCY(J_x#|AFs^?@a6a*3-RBDikWF z@F4BZ(TJU6Vr98NxUD3?b7e#jRFTt@CV@1f4VblPG8N2mWT29wSW_ASEFzGMolLsW zu#-fvm>@8`BN6q*5yD~{fJ`%E1H*kN>hMAaRm)dvkP}nrkedLYCN|94h$;l=S|xxM z{BA+^*$HR3PY{xfx1{?L9*f~u36t{UsFzSgKWb(%rU564cDQ6zDO&Tuvcd~IB6^(a zne|=GT$xn!MKQ-IMOR!1xN>+J3)dJfuD11Khds#z2CR-n#G2I{d6@JFG+$bn4Bk^-2CT8rhHZ@5$sGi0+`iDy;y zZ@^}QtYB2En3|I{)rcI5mlbhD#vaMCL#rqoRjES?Bm2cV0Q*+n@?VPdr zWqEV&;a7zhAF%O@pSsxVFMFr<%#E&MGsoK7uk5&eeD={~%V6N`(v1tx@U?48`XZh1m!cUMGcaW7+QM^h^`QBrwjGGlgC zO>99|a|$p)X+~;cWN>CmPgiz!b#-qqGImHcG%q-7Yi2=hc0y%RF;g)?QCC+~FbXX` zAaiqQEoEdfH8n9gAaY4}Y<71bbW%b=XeO;$O2OjZR6#UJMm2aeQg1VHcQsp6&^|P08<>ckTUj{zI1AO$!_J=#xA} zly4@j6pulN8^A(+RPvstb>N5ADZ9NC&ZEBEJL5ycT&`0$mzOgtwfZhwEo==@A&&|F vZexhpC@$@np>wjJBaS-AT}*3i^up$6+{j!I1%Udr3OG;9Xg?bxGWTafP3hm$ 
diff --git a/secrets/gitlab/secrets_db.age b/secrets/gitlab/secrets_db.age new file mode 100644 index 0000000000000000000000000000000000000000..400b282af1b29f9d8e0cbddf8c5b5217152a77b7 GIT binary patch literal 714 zcmZ9{O>5I&003ZR>Y?aiJBaL*O>u{kwQ1TW5geu;Y16D}+O$hrh0!$W+obtwk~UpI zMR1D4i+ECD9#mA&({7^f;$<)p9HOGg^f1_Aio$lAQ?L644^JH^uwpixIone$bJB7^ zsD}jLDadtOup&odF@%6-5Zh--h-F>9E>*BJAxVNk=Gih`^SfliOe0c(iF1Q~tySo> z-2vGSlqjI*83x4+k()7*TEqZJP&Be?0+qQe)@!Lfy(vWKt{>j7Ikd0$d`Oc))lAcr z<_n#sr6l!Wolmh@F3R^S9AGt+NQR4^LEl)EXUERB_wi*Mw}0e zpw)@ujtHW$xTxa$wGOW20D!tqTuvEIgKS!PgBb*StZr2WtE7`^q>DNKUUZ!Hpjqt9*geTnKkr!{4x5n7y<$Ix*UzZL**KaSJo?hF!HJnc~ z#QNcwada9V`;9(a$F#Oz|5^svoNyNubAVw)Yd*^C{EC>=!COB5A4P%lL( zJxfJ&%vHXQ5G5o>MUHgvzTaQ_2R@%j0pFc3RC~%g5fIy<EnseufrM2eR3 z`Tlr;+RB?ziAwo3<(j(Gr179CP>RvD}+HZ z8YNo9p$AamicpbOMOVmiQUadN{e4p)_(XvKNMg|gXmX8&kwB8m&;(H;9jYK`m|lrq z%1|yt923g(mT{Fhq(-bZ1@ma=I2la~lQNY&kvtNkA_d@r>0$gxCI-R_3xNq?OfLwM zDN2m}eZzz%28#qh9#qR@CsL8Y-eCf67*{Hcrt)Gqo}yqhTSUMT-56x47zzr|s2KuN zP9mI2L{K4gvOkrA!>Wip1Y1K#g2U9&0&O&$9t}Z2JVUie5k&p}O%>tfE{NktD)~Sa zkmU@d1%v=0Qd1a2fn<|Ofk=2JE~DUyl+8Mm7Ee3YY%lHiqq1)F&@N5~ufNNUQ~#jAV%ge55&gE>dFn3}__ zcF>%v?rlHfOY%o4y@hkp=3G&4ZyxoD?#Gel_?YpffIV()H;SilgMi&-R)V#S?-rgF z7Yx}*kF+h@uK+~VS|AQghhMCw2=W2h$)_YsWFviq$5)0NgVRrixEtq3{aD!&J0vrkH2)l{g5S%nA6{IZtlS{q9Jb?+B*wsp6BYCyGUS1*4# z^<)}rpXllh{!i@#e%8V^b@fYS`OMVZx(CG!D`(Mq^NRql%zpSDz*E2((wfHLOR;xm zE-Id1ndT(`l2&~<0^;mmsmE$+^EO8GwYT(EPF^NCTUC5MF5qkxN8Rjkbdz-p(srhg z{!C7&D=CWCamBb4pEEv4wx<8ucCn!^Mdw#{=aB`$@BNKj)yzC5-D@hU%3_O4+pAIk zJd6BeR~=81XGCwA%8mnvEJJt7sPCG*OJOW)^ZkNz#RJ<$5&|>NJ?FC;)1upfOq+MZ zF=kyAikyy=;-G`1*yrmDd8;1=AI4z&n>%Cl1RtOF=LIx}4JN~yQ{yhKc6N5P@f$A1 zPDnhB9^EgmOP6Il-I%uK%TUyf$3;s6(HUiyv_E0j^P9>}QHkoaAW|4s$f}uaZTWV) z*9F<;e2D-)9@_DEUI z^ligyKcj@^%zTe$KDL}xG!2{unIG)i#N|(>3TExPPxTR9mW@tpd$%0gto^TjZbj92 z)@|szOL(6z9+OUIg-+Zz*$V&B)TS!$u8XCPsq43Pesn^_za0Lldx`$A%&;}qctqAe z#fZ98s~w%!?3wR>=?BFOx;l`#_+1~H&Pfaj=^Cr7)(};B_t?gqu=z>kA6Dg;tYZn@@+2s(vA-W*lc}dUcJ2%7Dw#! 
zN$FpIVk)O{-yA3s!i# zP%~X^=h;84dMPtr-y21B7M~VF&975A4m&Ly2dY=^wP%MHKg}Lgx`ta@<@OuDM`?N^ zmzRD$GG7vRtx0sIB^f6&Q0YOXy+Pp&bMuL*-h~Pcyi55bZ+L+^nS*Lx0|6goQI#!8zwcpwkUseRC}ngH8}?5T5+D% zU1xmL^95MXs9dyOoQwP84q@1RfPdz4vGOkpl@@VXgc(ka&|A0MS@m`1uKd@VO^wy5 zR>r4JCSQssO(a|hUtx%9p1eZ7XCT}Sm}>etGz&60c_B-IszFBY_UoM2neQOFb@^L>*oBi=}hFOGcY)3&+XJ=Y3VBkK=DSZX8#62tL zbLmhXbzlE*_0U{F)`Uu4jh$2N}PyGsX{gFhzpA4W3nhha4RHuy?J_&;9n7rhkkZPP{LD1N-}7Sz$Iy z0@r~w8oQ*LqJ`#a{E$!prT5I&003YS*&%ow!|8;8lPRU9ZJMSL5!$9ro1{t8bWK|iTiU!!vxI!MNgCK3 z2s?;41Q90#FMZfXV7V&d zC!zRd*z@{vprkM?Nx;pd9dJ3gsq}IMJtIhA)g4J`7bmJ9l_}Q=nqZo`YVKR7W2veb>Ob3|cQXMyd>|C80R1q#7gA@UlSD31IlO#No}Y1co2L9xFusJ`1!; zBX8SyrOowbkybPevIZ{;#i;KPv%J~m`lt#SC?@4=!}f^l^>m^kJ9Wbjnx>W;w(43f z;Rq!X4gShYH6OK z%Or*=0~#MI}iDK-%)UE>L%%ZU~wHU&4w%2KPYEC93%m@r0nSvBRG>LTe`0naO~ z4yD-%M*qJ}M`z=z3uF(#)XcdSyGV85ZVw`{0T%iJ5KD$4g#^QjShkZ(mXjFQ8ALc< zF3?F0WVk|ArK*K8Ac!JGW-1+;tU&R299D#6VK~gmEk(uJ`C{Ft7?Ut`Pb=0)2}uRX zLXV0<)|C@gXztO~G4OrCzIP;=Jof)!Q4hUL*Y)WT#^x_ihE%y({j6-&1Ek&mVuN>Dt9lsm~K1H^P&` z2|u ssh-ed25519 V1pwNA JGktU0gGovPnnYr9an6lueZnEKDLde9ES0Y6m06pLUc +vPcPTDCVwgK72KnMN8t7C9AR7fV9EggTUC5F9EFyuoI +-> ssh-ed25519 rIwlvw FMYXiAcwxioJex74HfvM7Tnvp2VKAOKtHTRqTKgYVHA +B/RdgW4nsMTD1sF12OxgJElFx6SfCL03WKWdeeTjeYg +-> ssh-ed25519 q8eJgg AxBdKkiZh7NOqpLMwBNsEo3dgTj+6NPtONYkLKENWRw +qqvrwOFlE52/Sa15kplKXBq5jdTZ+dUn/2EjUBByQQs +-> ssh-ed25519 DVzSig I04tljSY9N+GyRWwO1ULPhojDOLDxXC5gOqw922Z3Xk +OiZe8nWcQaY6UCDGW5IkWpqTeMTpNRtUoDxOQ/ALwwg +-> *=AwI,H2-grease +3Y9OngljfiuJCfOMrjB3Ze0+PKnNto4BcK2krTU8jVCVlxUXtFUFHsnuhQsuYejo +J5SQjXliLn5r7SK2R7hw2OmWCVkbVuYsBFvGtrc6Kocr0yXGxaqImNsMBA+V5rWT +Ng +--- E6/+09Fw8LXNmezYen3GZ1SQvTsnsxty4fgItWnMITc +U.긗\c>xY%r|Wff9"l:!'+@t=JQQ <yIO,۷}6?yI]UAk8h\\vx3C]9!_ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3115cbb..ab78b1c 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -55,6 +55,8 @@ let
 # ldap servers are web facing
 ++ ldap;
+ gitlab = optimus;
+
 in {
 # nix run github:ryantm/agenix -- -e secret1.age
@@ -65,9 +67,12 @@ in
 "stream_ulfm.age".publicKeys = users ++ [galatea];
- "gitlab/pw.age".publicKeys = users ++ [glados];
- "gitlab/db.age".publicKeys = users ++ [glados];
- "gitlab/db_pw.age".publicKeys = users ++ [glados];
+ "gitlab/pw.age".publicKeys = users ++ [gitlab];
+ "gitlab/db_pw.age".publicKeys = users ++ [gitlab];
+ "gitlab/secrets_db.age".publicKeys = users ++ [gitlab];
+ "gitlab/secrets_secret.age".publicKeys = users ++ [gitlab];
+ "gitlab/secrets_otp.age".publicKeys = users ++ [gitlab];
+ "gitlab/secrets_jws.age".publicKeys = users ++ [gitlab];
 # for ldap
 "ldap/pw.age".publicKeys = users ++ ldap;
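Review bot: Re-encrypting `gitlab/pw.age` and `gitlab/db_pw.age` for `gitlab` (`optimus`) instead of `glados` only changes who can decrypt the files from now on; their plaintext was decryptable by the `glados` key until this commit, so if that host is not meant to retain access the underlying passwords should be rotated as well, not just re-keyed. The `gitlab = optimus;` alias added in the first hunk would benefit from a short comment naming the role, e.g. `gitlab = optimus; # host running services.gitlab`, since the rest of the file keys recipients by hostname. The `in { ... }` attrset that holds these entries continues outside the hunk.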