From 5d7affba07678f50994cc9c372a99913fb2042f5 Mon Sep 17 00:00:00 2001
From: zackartz
Date: Sun, 5 May 2024 21:24:08 -0400
Subject: [PATCH] add gitlab
---
 hosts/pluto/services/gitlab.nix | 33 ++++++++++++++++++++++++++++++++-
 sec/gitlab_db.age | Bin 0 -> 575 bytes
 sec/gitlab_initpw.age | Bin 0 -> 575 bytes
 sec/gitlab_otp.age | 12 ++++++++++++
 sec/gitlab_pw.age | 11 +++++++++++
 sec/gitlab_sec.age | 11 +++++++++++
 6 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 sec/gitlab_db.age
 create mode 100644 sec/gitlab_initpw.age
 create mode 100644 sec/gitlab_otp.age
 create mode 100644 sec/gitlab_pw.age
 create mode 100644 sec/gitlab_sec.age
diff --git a/hosts/pluto/services/gitlab.nix b/hosts/pluto/services/gitlab.nix
index f9aa997..c63bc14 100644
--- a/hosts/pluto/services/gitlab.nix
+++ b/hosts/pluto/services/gitlab.nix
@@ -1,4 +1,35 @@
 {
- services.gitlab = {
+ config,
+ pkgs,
+ ...
+}: let
+ sec = config.age.secrets;
+in {
+ age.secrets = {
+ gitlab_db.file = ../../../sec/gitlab_db.age;
+ gitlab_initpw.file = ../../../src/gitlab_initpw.age;
+ gitlab_otp.file = ../../../sec/gitlab_otp.age;
+ gitlab_pw.file = ../../../sec/gitlab_pw.age;
+ gitlab_sec.file = ../../../sec/gitlab_sec.age;
 };
+
+ services.gitlab = {
+ enable = true;
+ databasePasswordFile = sec.gitlab_db.path;
+ initialRootPasswordFile = sec.gitlab_initpw.path;
+ secrets = {
+ secretFile = sec.gitlab_sec.path;
+ otpFile = sec.gitlab_otp.path;
+ dbFile = sec.gitlab_db.path;
+ jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+ };
+ };
+
+ services.nginx.virtualHosts."git.zackmyers.io" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ };
+
+ systemd.services.gitlab-backup.environment.BACKUP = "dump";
 }
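Review bot: `jwsFile = pkgs.runCommand "oidcKeyBase" {} "... openssl genrsa 2048 > $out"` generates the JWS/OIDC signing key as a Nix derivation, so the private key ends up in /nix/store, where every local user can read it, unlike the other four secrets, which go through agenix. It should be an age-encrypted secret too, for example a new `gitlab_jws.file` entry with `jwsFile = sec.gitlab_jws.path;` (the name is only a suggestion). In the `age.secrets` block, `gitlab_initpw.file = ../../../src/gitlab_initpw.age;` points at `src/` while the commit creates `sec/gitlab_initpw.age`, so it should read `gitlab_initpw.file = ../../../sec/gitlab_initpw.age;`. `dbFile = sec.gitlab_db.path;` reuses the same file as `databasePasswordFile`, while `gitlab_pw` is declared and never referenced. Presumably `dbFile = sec.gitlab_pw.path;` or a dedicated secret was intended, so that the database password and the DB key base are not the same value.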
diff --git a/sec/gitlab_db.age b/sec/gitlab_db.age new file mode 100644 index 0000000000000000000000000000000000000000..c020cc5ffacbb3d3cbc05c457ecfa2f5541dc2dc GIT binary patch literal 575 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn5BE*+OIIlO3M$Bm zN-0QkGYQG?4hm06iAr?$3@$e+cCYj)&PX=%^e`-U&&>%5GvV^FH1e=84Nfw3sm!k^ zbqsV2HqFn=H8FHADK04T(y#J!jxsfJP0K6{3`DoBSlch6Do`QcFUd5jz%bDz+$B58 zH77COFR{2VA~U2UGdtfROF!H>vDhiixH75S*@DX_Pus~LB)GIFDmgi`BrVO~T-(j0 z*eSHcD=jp&!apcQ-!;NK(l?~gA|KthO4pLAq(Fs8Z_^Z?GB?8l|FEEf%)p{tiz-tC zr&9l%z+!Kow4{KrbnT)73#aVRia;)})G9NRApJl?i`0-{7uTSQ3}1hL5AS@law8Y- zumB5>U>|+&+??c+lu&frf_(kb($W=-yn+h?3@vgZ3S3>&!Yw?_bMnLdLwrpt9aAGJ zT_T-beUp+?-3#UbbBlr_0&_jJ zgR@gy`~tajb#)b7T#C%hqN2>pQYtILDkDl$DqXUp!itQ%LrYAe%zP6qEUTOXGNUSz zf_=ICS0A3W!}HBk!Gy#W=VhK Y^O{1A11;xn@0Ffv==Xx-?A8TG08Nd>*Z=?k literal 0 HcmV?d00001 diff --git a/sec/gitlab_initpw.age b/sec/gitlab_initpw.age new file mode 100644 index 0000000000000000000000000000000000000000..56271af05422844bfb69889a2b7d414f8d935cbc GIT binary patch literal 575 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn5BE*+OIIjK3o5bn zk1Ft}3eKoX4{$0s&NB{4EcY-CFfi~*^>8#X3Qu=3DlSVlDCROVGs#KKEefbijMVlj zDmKU|H1`hisPazsGY$_j%B&15Pjjm9H%QFR%SX4ZSlch6Dp0|oyfCFAti&K7(XhZX zD!($L%D}j^yfUrG*uy(L#lp?NH{7Kv+%GTD&6ms4#K#G^RXz%VMwE5)EFI1=5qO4pLAq(BAzeAnc{iX8vSob(ERv-I>33lr1y zvcTeO%QQnDlS)5>6wj=RsPLqUU{|he=c@F`?7)KL3e)0}px~0=3|FT@N8hq=pTrbL zN4E;!V571C?<*4a-e~y`54E zJROS)T$7yiwS7JEgDkkh&B9%ibDVO0A_LQ+EIb|4JhHvb^27a#Owz0TD?)-3T~Y%r zd@G8aeNDJ@b#)cO%0jaPJPa!RN_|Z-vMRC)4YEueqg+Cg(?iT6!d#=WoGSt|9rH`7 zd_%b`{lcasIf~f1^46?acjorh0^6F!b(5q+UCtL5oc^x8iK)>k)=})r?nU3i)_r5R YI$ho6d*I8$)~BbLyHwmhKhqZh0KhiG`Tzg` literal 0 HcmV?d00001 diff --git a/sec/gitlab_otp.age b/sec/gitlab_otp.age new file mode 100644 index 0000000..aaa119c --- /dev/null +++ b/sec/gitlab_otp.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 gWMdNg QLS11Q5VVV+CSO3ABvuAjoKrn9Ngr9SfQgUavXcJ2Cc +mpaNeqlJCwq0ZTUwgS6ikaZXAnKPtusRH7UxIGbaZR8 +-> ssh-ed25519 s+NXzQ 5m2L4IfDL86NwPio8QaU7tKUpeyzpn4KKILjSz5aSDU +eVRvK2SnHO3x9hrYQ+8HDbB0EQWf3oKyY+XuLP97dYI +-> ssh-ed25519 yEtzbQ Wehlo8c0ggz4Lo7Rnsb/Forlr1bD2OXXaaffI4BLwnw +UeX3lmyvW/eBBbbDqBR1CSyBSJLnqlCmPyikIPu1bSA +-> ssh-ed25519 RMNffg 0+nJtxu6ZQ/08gHe/BMz5kcr+xtuGKOakqUt8G+vxzM +2Lee87QLUGG3tEqS9Dv7RYJ1rkD1JKs4aHWf23VmzPw +--- UBfkhnuhW71Do8qc1Qi/MiUbHopvnqcDkm9rNOlndIw +K +'Q XJd:}(4zu63 آ۟IG]„B@NP&7< \ No newline at end of file diff --git a/sec/gitlab_pw.age b/sec/gitlab_pw.age new file mode 100644 index 0000000..8bc3ac6 --- /dev/null +++ b/sec/gitlab_pw.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 gWMdNg RnK0NTHFFLDVr3Tprxjxyqmwysj2FQDY90eb4XeKGDc +cjsHyNmm3jl2rE/vrSHj11z99NWKQr74pyE+dDnvwkM +-> ssh-ed25519 s+NXzQ vEo6fgYpEBK7awnuhhCCotp/ZJIXP0Oe+Ubclk3R8Hw +J1OVdLdB9mL/kqbRvyI7I9pA8v3pOa9h4zf01Ex3ahE +-> ssh-ed25519 yEtzbQ 6hueq9fdq0eqzw0DwpnzEnumpqhuFZr3X34cpjMi0RM +8yciNrgnth5jSgzNDQKVcuWwU7FfTaWIUUlYnWq0TRk +-> ssh-ed25519 RMNffg gz+19esQsg57A/CPRwf6zPlzZ2mgoEmc2SwFf1tywn0 +OoMengIceY3hXg77OADBWEVfblVfR6LLQH+65+8YFyU +--- MYfJC2tPFoeGW7r+FykP0ZFDVj+ATtkNKKDmqF7JcCg +.4 Rbj=t"/q+~u, ssh-ed25519 gWMdNg AABvJQahR0CWvdNngKHyV58DtGh3VWKJDIulZpMh8FY +02oHHyrI79V2XPa18KFd3PBqilcfPXFKWcWRIGhAh5E +-> ssh-ed25519 s+NXzQ ChzQaM2slin1U4YuqPxWzERc6f7KlAlUzi+mctCEbgo +LnX9est+vDxHj8RLOeY5OK9MeYntkTE49Ar6Pnw1l1Q +-> ssh-ed25519 yEtzbQ 1hVV52NlaFBTLACj8ZKh3vazmaS7fJWs3rtO7HK9NgM +y2EDkxijP/eVRGRaZjzIB4G9FFJQ8O/XFiKrPZDF7bM +-> ssh-ed25519 RMNffg 8mZ6sxNfhxNalYjkT8mDT1PZKTvp/7p3BUs+lUS2S2o +5E1n+dV04+ZwaJZ/VeUOHKrrL3lBdtlQFiAx/ttwAD0 +--- Sgm5iMT1Uqmb4U4ZTxWyvX40tuivnfDHO/jTPS37i68 +8u>2]}DYBqDFiU