add some secrets & asyncnomi key to sysadmin

2025-06-22 01:15:31 +02:00 · 2025-06-22 01:15:31 +02:00 · 1ce8f529ee
commit 1ce8f529ee
parent 9b61f7e9b5
4 changed files with 17 additions and 2 deletions
--- a/npins/sources.json
+++ b/npins/sources.json
@ -42,8 +42,8 @@
    "nixpkgs": {
      "type": "Channel",
      "name": "nixos-unstable-small",
-      "url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre819016.618b6dbfc210/nixexprs.tar.xz",
-      "hash": "0iykh9dp93av07qjabiqmslc372jki3jzqpfy54nsy04702nz4b9"
+      "url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre819403.86c02c145a0b/nixexprs.tar.xz",
+      "hash": "1m8yiq7jaz24lbfdkch8m22lr8m1jkxkh9d1p4j1svm18f1nilyx"
    },
    "nixpkgs-24.11": {
      "type": "Channel",
--- a/profiles/gitlab.nix
+++ b/profiles/gitlab.nix
@ -12,6 +12,9 @@ in
      gitlab-otp-secret = ../secrets/gitlab-otp-secret.age;
      gitlab-db-secret = ../secrets/gitlab-db-secret.age;
      gitlab-jws-secret = ../secrets/gitlab-jws-secret.age;
+      gitlab-arpk-secret = ../secrets/gitlab-arpk-secret.age;
+      gitlab-ardk-secret = ../secrets/gitlab-ardk-secret.age;
+      gitlab-ars-secret = ../secrets/gitlab-ars-secret.age;
      gitlab-db-password = ../secrets/gitlab-db-password.age;
      gitlab-initial-root-password = ../secrets/gitlab-initial-root-password.age;
      gitlab-ldap-password = ../secrets/gitlab-ldap-password.age;
@ -33,6 +36,9 @@ in
      otpFile = secrets.gitlab-otp-secret.path;
      dbFile = secrets.gitlab-db-secret.path;
      jwsFile = secrets.gitlab-jws-secret.path;
+      activeRecordPrimaryKeyFile = secrets.gitlab-arpk-secret.path;
+      activeRecordDeterministicKeyFile = secrets.gitlab-ardk-secret.path;
+      activeRecordSaltFile = secrets.gitlab-ars-secret.path;
    };
    extraConfig.ldap = {
      enabled = true;
@ -55,6 +61,11 @@ in
    };
  };

+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_16;
+  };
+
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
--- a/profiles/sysadmin.nix
+++ b/profiles/sysadmin.nix
@ -4,6 +4,7 @@
    ../pubkeys/bensmrs.keys
    ../pubkeys/tomate.keys
    ../pubkeys/jeltz.keys
+    ../pubkeys/asyncnomi.keys
  ];

  backups.directories = [ "/root" ];
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -66,6 +66,9 @@ in
    "gitlab-otp-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
    "gitlab-db-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
    "gitlab-jws-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-arpk-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-ardk-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-ars-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
    "gitlab-db-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
    "gitlab-initial-root-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
    "gitlab-ldap-password.age".publicKeys = [ aragon ] ++ gitlab-admins;