gitlab: basic setup

2023-05-24 20:57:49 +01:00 · 2023-05-24 20:57:49 +01:00 · 59f4057698
commit 59f4057698
parent 2b2917d34b
9 changed files with 81 additions and 20 deletions
--- a/applications/gitlab.nix
+++ b/applications/gitlab.nix
@ -44,6 +44,16 @@
      type = types.str;
      default = "git";
    };
    ldap = {
      base = mkOption {
        type = types.str;
        default = "dc=skynet,dc=ie";
        description = lib.mdDoc "The base address in the ldap server";
      };
    };
  };
  config = mkIf cfg.enable {
@ -52,8 +62,23 @@
      owner = cfg.user;
      group = cfg.user;
    };
-    age.secrets.gitlab_db = {
+    age.secrets.gitlab_secrets_db = {
-      file = ../secrets/gitlab/db.age;
+      file = ../secrets/gitlab/secrets_db.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_secret = {
      file = ../secrets/gitlab/secrets_secret.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_otp = {
      file = ../secrets/gitlab/secrets_otp.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_jws = {
      file = ../secrets/gitlab/secrets_jws.age;
      owner = cfg.user;
      group = cfg.user;
    };
@ -91,17 +116,18 @@
      port = 443;
      user = cfg.user;
      group = cfg.user;
      databaseUsername = cfg.user;
      #smtp = {
      #  enable = true;
      #  address = "localhost";
      #  port = 25;
      #};
      secrets = {
-        dbFile = config.age.secrets.gitlab_db.path;
+        dbFile = config.age.secrets.gitlab_secrets_db.path;
        # these must be backed up for future
-        secretFile = "/var/keys/gitlab/secret";
+        secretFile = config.age.secrets.gitlab_secrets_secret.path;
-        otpFile = "/var/keys/gitlab/otp";
+        otpFile = config.age.secrets.gitlab_secrets_otp.path;
-        jwsFile = "/var/keys/gitlab/jws";
+        jwsFile = config.age.secrets.gitlab_secrets_jws.path;
      };
      extraConfig = {
        gitlab = {
@ -110,6 +136,32 @@
          #email_reply_to = "gitlab-no-reply@example.com";
          default_projects_features = { builds = false; };
        };
        ldap = {
          enabled = true;
          servers = {
            main = {
              label = "Skynet";
              host = "sso.skynet.ie";
              port = 636;
              uid = "uid";
              encryption = "simple_tls";
              active_directory = false;
              #base = "ou=users,${cfg.ldap.base}?sub?(|(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
              base = "ou=users,${cfg.ldap.base}";
              username = "uid";
              email = "skMail";
              name = "cn";
              group_base= "ou=groups,${cfg.ldap.base}";
              admin_group = "skynet-admins";
              sync_ssh_keys = "sshPublicKey";
            };
          };
        };
      };
    };
  };
--- a/secrets/gitlab/db.age
+++ b/secrets/gitlab/db.age
@ -1,11 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 V1pwNA x5UmW5H9YW3BZq0C2lyAA5ndkUGXa3g7p+kCqvXJbnQ
 RdCLP1mDscZ91abQ4Nx4+m4rH08G7lDCGe+VoVH7oks
 -> ssh-ed25519 rIwlvw +739LXIwXApWmn3Qc6O5ANNkL1u1JpFW+U4qxmCBtDk
 wzm/eWqq77C2ROWOCkpGN+kCu1ErNdHcM3Wng5s0Kk0
 -> ssh-ed25519 q8eJgg lQC3uwohGLXEQBY6KRxOJcQndWvUYMM9HaWkntqzaQs
 krJdasILc/rfZfXlHVVe9yBM9qRAY0zHUyMSI+qf7U0
 -> ZYK-grease @dZM<wW
 MJo
 --- 68GAAtHIwm4Nc5dHhPYFzG8yCsRdc0SWLvtn7k85y+E
 ³ÑeÇ)ïq/¦0'’·#CvÈ¾blÛOeJìWýCSl4ðÛ×s<C397>kÁÒÿtÎd[§tðnµ²úQŸþ}Á°iäOÐmÖ‡¯BìQ±™!à>Lõ*to@otC‰Íx	ÙµRýdóôäß<ñØ`ú‚ID¶BE¨–<13>m<18>q÷sv‹ß»ÿ:É,gÓõçËN ÿ2?ÝéÉ)×¯{Õtø´™
--- a/secrets/gitlab/db_pw.age
+++ b/secrets/gitlab/db_pw.age
--- a/secrets/gitlab/pw.age
+++ b/secrets/gitlab/pw.age
--- a/secrets/gitlab/secrets_db.age
+++ b/secrets/gitlab/secrets_db.age
--- a/secrets/gitlab/secrets_jws.age
+++ b/secrets/gitlab/secrets_jws.age
--- a/secrets/gitlab/secrets_otp.age
+++ b/secrets/gitlab/secrets_otp.age
--- a/secrets/gitlab/secrets_secret.age
+++ b/secrets/gitlab/secrets_secret.age
@ -0,0 +1,15 @@
 age-encryption.org/v1
 -> ssh-ed25519 V1pwNA JGktU0gGovPnnYr9an6lueZnEKDLde9ES0Y6m06pLUc
 vPcPTDCVwgK72KnMN8t7C9AR7fV9EggTUC5F9EFyuoI
 -> ssh-ed25519 rIwlvw FMYXiAcwxioJex74HfvM7Tnvp2VKAOKtHTRqTKgYVHA
 B/RdgW4nsMTD1sF12OxgJElFx6SfCL03WKWdeeTjeYg
 -> ssh-ed25519 q8eJgg AxBdKkiZh7NOqpLMwBNsEo3dgTj+6NPtONYkLKENWRw
 qqvrwOFlE52/Sa15kplKXBq5jdTZ+dUn/2EjUBByQQs
 -> ssh-ed25519 DVzSig I04tljSY9N+GyRWwO1ULPhojDOLDxXC5gOqw922Z3Xk
 OiZe8nWcQaY6UCDGW5IkWpqTeMTpNRtUoDxOQ/ALwwg
 -> *=AwI,H2-grease
 3Y9OngljfiuJCfOMrjB3Ze0+PKnNto4BcK2krTU8jVCVlxUXtFUFHsnuhQsuYejo
 J5SQjXliLn5r7SK2R7hw2OmWCVkbVuYsBFvGtrc6Kocr0yXGxaqImNsMBA+V5rWT
 Ng
 --- E6/+09Fw8LXNmezYen3GZ1SQvTsnsxty4fgItWnMITc
 UÅßü.ê¸—žý\c¥Žä>ôÝðxY%r|ÓWÜf‹f9ª¯¿èÙ"÷l:µ!‹'™+ê@Œt¬ì=J<15>QÌQÕ<¥”¨<19>yIO,‰Û·ªžÈéÿ™ë£}6?yI’ðœü©]UAkì™8Åh¹µˆ§\‰\ËÞÀº¹òÄòvx3Cüˆ•]9‡ÞÔé¡!_½‹ É
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -55,6 +55,8 @@ let
  # ldap servers are web facing
  ++ ldap;
  gitlab = optimus;
 in
 {
  # nix run github:ryantm/agenix -- -e secret1.age
@ -65,9 +67,12 @@ in
  "stream_ulfm.age".publicKeys = users ++ [galatea];
-  "gitlab/pw.age".publicKeys = users ++ [glados];
+  "gitlab/pw.age".publicKeys = users ++ [gitlab];
-  "gitlab/db.age".publicKeys = users ++ [glados];
+  "gitlab/db_pw.age".publicKeys = users ++ [gitlab];
-  "gitlab/db_pw.age".publicKeys = users ++ [glados];
+  "gitlab/secrets_db.age".publicKeys = users ++ [gitlab];
  "gitlab/secrets_secret.age".publicKeys = users ++ [gitlab];
  "gitlab/secrets_otp.age".publicKeys = users ++ [gitlab];
  "gitlab/secrets_jws.age".publicKeys = users ++ [gitlab];
  # for ldap
  "ldap/pw.age".publicKeys = users ++ ldap;