gitlab: basic setup

applications/gitlab.nix

@@ -44,6 +44,16 @@
       type = types.str;
       default = "git";
     };
+
+    ldap = {
+      base = mkOption {
+        type = types.str;
+        default = "dc=skynet,dc=ie";
+        description = lib.mdDoc "The base address in the ldap server";
+      };
+
+    };
+
   };
 
   config = mkIf cfg.enable {
@@ -52,8 +62,23 @@
       owner = cfg.user;
       group = cfg.user;
     };
-    age.secrets.gitlab_db = {
-      file = ../secrets/gitlab/db.age;
+    age.secrets.gitlab_secrets_db = {
+      file = ../secrets/gitlab/secrets_db.age;
+      owner = cfg.user;
+      group = cfg.user;
+    };
+    age.secrets.gitlab_secrets_secret = {
+      file = ../secrets/gitlab/secrets_secret.age;
+      owner = cfg.user;
+      group = cfg.user;
+    };
+    age.secrets.gitlab_secrets_otp = {
+      file = ../secrets/gitlab/secrets_otp.age;
+      owner = cfg.user;
+      group = cfg.user;
+    };
+    age.secrets.gitlab_secrets_jws = {
+      file = ../secrets/gitlab/secrets_jws.age;
       owner = cfg.user;
       group = cfg.user;
     };
@@ -91,17 +116,18 @@
       port = 443;
       user = cfg.user;
       group = cfg.user;
+      databaseUsername = cfg.user;
       #smtp = {
       #  enable = true;
       #  address = "localhost";
       #  port = 25;
       #};
       secrets = {
-        dbFile = config.age.secrets.gitlab_db.path;
+        dbFile = config.age.secrets.gitlab_secrets_db.path;
         # these must be backed up for future
-        secretFile = "/var/keys/gitlab/secret";
-        otpFile = "/var/keys/gitlab/otp";
-        jwsFile = "/var/keys/gitlab/jws";
+        secretFile = config.age.secrets.gitlab_secrets_secret.path;
+        otpFile = config.age.secrets.gitlab_secrets_otp.path;
+        jwsFile = config.age.secrets.gitlab_secrets_jws.path;
       };
       extraConfig = {
         gitlab = {
@@ -110,6 +136,32 @@
           #email_reply_to = "gitlab-no-reply@example.com";
           default_projects_features = { builds = false; };
         };
+
+        ldap = {
+          enabled = true;
+          servers = {
+            main = {
+              label = "Skynet";
+              host = "sso.skynet.ie";
+              port = 636;
+              uid = "uid";
+              encryption = "simple_tls";
+              active_directory = false;
+              #base = "ou=users,${cfg.ldap.base}?sub?(|(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
+              base = "ou=users,${cfg.ldap.base}";
+
+
+              username = "uid";
+              email = "skMail";
+              name = "cn";
+
+              group_base= "ou=groups,${cfg.ldap.base}";
+              admin_group = "skynet-admins";
+
+              sync_ssh_keys = "sshPublicKey";
+            };
+          };
+        };
       };
     };
   };

secrets/gitlab/db.age

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 V1pwNA x5UmW5H9YW3BZq0C2lyAA5ndkUGXa3g7p+kCqvXJbnQ
-RdCLP1mDscZ91abQ4Nx4+m4rH08G7lDCGe+VoVH7oks
--> ssh-ed25519 rIwlvw +739LXIwXApWmn3Qc6O5ANNkL1u1JpFW+U4qxmCBtDk
-wzm/eWqq77C2ROWOCkpGN+kCu1ErNdHcM3Wng5s0Kk0
--> ssh-ed25519 q8eJgg lQC3uwohGLXEQBY6KRxOJcQndWvUYMM9HaWkntqzaQs
-krJdasILc/rfZfXlHVVe9yBM9qRAY0zHUyMSI+qf7U0
--> ZYK-grease @dZM<wW
-MJo
---- 68GAAtHIwm4Nc5dHhPYFzG8yCsRdc0SWLvtn7k85y+E
-³ÑeÇ)ïq/¦0'’·#CvȾ
blÛOeJ­ìWýCSl4ðÛ×s<C397>kÁÒÿtÎd[§tðnµ²úQŸþ}Á°iäOÐmÖ‡¯BìQ±™!à>L­õ*to@otC‰Íx	ÙµRýdóôäß<ñØ`ú‚ID¶BE¨–<13>m<18>q÷sv‹ß»ÿ:É,gÓõçËN ÿ2?ÝéÉ)ׯ{Õtø´™

secrets/gitlab/secrets_secret.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA JGktU0gGovPnnYr9an6lueZnEKDLde9ES0Y6m06pLUc
+vPcPTDCVwgK72KnMN8t7C9AR7fV9EggTUC5F9EFyuoI
+-> ssh-ed25519 rIwlvw FMYXiAcwxioJex74HfvM7Tnvp2VKAOKtHTRqTKgYVHA
+B/RdgW4nsMTD1sF12OxgJElFx6SfCL03WKWdeeTjeYg
+-> ssh-ed25519 q8eJgg AxBdKkiZh7NOqpLMwBNsEo3dgTj+6NPtONYkLKENWRw
+qqvrwOFlE52/Sa15kplKXBq5jdTZ+dUn/2EjUBByQQs
+-> ssh-ed25519 DVzSig I04tljSY9N+GyRWwO1ULPhojDOLDxXC5gOqw922Z3Xk
+OiZe8nWcQaY6UCDGW5IkWpqTeMTpNRtUoDxOQ/ALwwg
+-> *=AwI,H2-grease
+3Y9OngljfiuJCfOMrjB3Ze0+PKnNto4BcK2krTU8jVCVlxUXtFUFHsnuhQsuYejo
+J5SQjXliLn5r7SK2R7hw2OmWCVkbVuYsBFvGtrc6Kocr0yXGxaqImNsMBA+V5rWT
+Ng
+--- E6/+09Fw8LXNmezYen3GZ1SQvTsnsxty4fgItWnMITc
+UÅ­ßü.긗žý\c¥Žä>ôÝðxY%r|ÓWÜf‹f9ª¯¿èÙ"÷l:µ!‹'™+ê@Œt¬ì=J<15>QÌQÕ<¥”¨<19>yIO,‰Û·ªžÈéÿ™ë£}6?yI’ðœü©]UAkì™8Åh¹µˆ§\‰\ËÞÀº¹òÄòvx3C
üˆ•]9‡ÞÔé¡!_½‹ É

secrets/secrets.nix

@@ -55,6 +55,8 @@ let
   # ldap servers are web facing
   ++ ldap;
 
+  gitlab = optimus;
+
 in
 {
   # nix run github:ryantm/agenix -- -e secret1.age
@@ -65,9 +67,12 @@ in
   "stream_ulfm.age".publicKeys = users ++ [galatea];
 
 
-  "gitlab/pw.age".publicKeys = users ++ [glados];
-  "gitlab/db.age".publicKeys = users ++ [glados];
-  "gitlab/db_pw.age".publicKeys = users ++ [glados];
+  "gitlab/pw.age".publicKeys = users ++ [gitlab];
+  "gitlab/db_pw.age".publicKeys = users ++ [gitlab];
+  "gitlab/secrets_db.age".publicKeys = users ++ [gitlab];
+  "gitlab/secrets_secret.age".publicKeys = users ++ [gitlab];
+  "gitlab/secrets_otp.age".publicKeys = users ++ [gitlab];
+  "gitlab/secrets_jws.age".publicKeys = users ++ [gitlab];
 
   # for ldap
   "ldap/pw.age".publicKeys = users ++ ldap;