diff --git a/hive.nix b/hive.nix
index 009775e..fd93914 100644
--- a/hive.nix
+++ b/hive.nix
@@ -117,4 +117,21 @@ in
 ./profiles/netdata.nix
 ];
 };
+
+ aragon = { name, nodes, ... }: {
+ deployment.tags = [ "gitlab" ];
+ deployment.targetHost = "aragon.federez.net";
+ federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
+ networking.hostName = name;
+
+ glucagon.networking = {
+ nibble = 231;
+ wan-mac = "BC:24:11:E3:12:4A";
+ };
+
+ imports = [
+ ./profiles/vm.nix
+ ./profiles/gitlab.nix
+ ];
+ };
 }
diff --git a/npins/sources.json b/npins/sources.json
index a651066..caf69a8 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -8,9 +8,9 @@
 "repo": "agenix"
 },
 "branch": "main",
- "revision": "417caa847f9383e111d1397039c9d4337d024bf0",
- "url": "https://github.com/ryantm/agenix/archive/417caa847f9383e111d1397039c9d4337d024bf0.tar.gz",
- "hash": "0g240g51w62r7j67dcc73xkdnhd26nk07043qsqqavl5mbh40swy"
+ "revision": "24a7ea390564ccd5b39b7884f597cfc8d7f6f44e",
+ "url": "https://github.com/ryantm/agenix/archive/24a7ea390564ccd5b39b7884f597cfc8d7f6f44e.tar.gz",
+ "hash": "165am10r61wl5v4hz169zrlljvj929hgnhr9sn7ak3bz73cr1m86"
 },
 "disko": {
 "type": "Git",
@@ -20,9 +20,9 @@
 "repo": "disko"
 },
 "branch": "master",
- "revision": "d07de570ba05cec2807d058daaa044f6955720c7",
- "url": "https://github.com/nix-community/disko/archive/d07de570ba05cec2807d058daaa044f6955720c7.tar.gz",
- "hash": "18rli5h2xmzbbwambrcrg7r22vp0rmnjm55mcqc00n3fq5kscsqy"
+ "revision": "285e26465a0bae510897ca04da26ce6307c652b4",
+ "url": "https://github.com/nix-community/disko/archive/285e26465a0bae510897ca04da26ce6307c652b4.tar.gz",
+ "hash": "0clj35a0rwxci2ss6401gyi3w803bz01ixis6pdxvkmap4i65h4i"
 },
 "nix-phps": {
 "type": "Git",
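Review bot: `federez.monitoring.apiKey` for the new `aragon` node is a literal UUID in `hive.nix`, so the monitoring credential is committed to git and ends up world-readable in `/nix/store` on the deployed host. The repository already manages secrets with agenix (`secrets/*.age`, `secrets/secrets.nix`), so the value belongs in an age secret read at activation time, e.g. through a path/`*File` option on the `federez.monitoring` module if it offers one — that module is not visible in this diff. If the other nodes in this file use the same inline pattern this is the existing convention rather than a regression, but the key should still be treated as disclosed and rotated once it is moved. Minor style point: the module arguments `{ name, nodes, ... }` bind `nodes` without using it; `{ name, ... }:` would do.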
@@ -32,15 +32,15 @@
 "repo": "nix-phps"
 },
 "branch": "master",
- "revision": "509bc62c91ecf1767b0e0142373d069308cf86c5",
- "url": "https://github.com/fossar/nix-phps/archive/509bc62c91ecf1767b0e0142373d069308cf86c5.tar.gz",
- "hash": "0s548v1vylqdw8a5vlzz12gxjklcyqzckvbma2a3z539sfg4iils"
+ "revision": "d40b1a19f521b1c495f60af2a9ac40e5c27d0925",
+ "url": "https://github.com/fossar/nix-phps/archive/d40b1a19f521b1c495f60af2a9ac40e5c27d0925.tar.gz",
+ "hash": "13rxp9l2ik360r68kvdnm62bdi909bhfw8daz1a18n96ba6k0fhf"
 },
 "nixpkgs": {
 "type": "Channel",
 "name": "nixos-unstable-small",
- "url": "https://releases.nixos.org/nixos/unstable-small/nixos-24.05pre583675.3560d1c8269d/nixexprs.tar.xz",
- "hash": "0r5p2x51ibw6sy3h76c4hk3763bixwjsid9jsmvc05589mnw31sg"
+ "url": "https://releases.nixos.org/nixos/unstable-small/nixos-24.05pre617751.c8d7c8a78fb5/nixexprs.tar.xz",
+ "hash": "19hh0a2jbgjg8w75riyr5lmj4x4m7l6rg6j432imyrlxcbdki3mc"
 }
 },
 "version": 3
diff --git a/profiles/gitlab.nix b/profiles/gitlab.nix
new file mode 100644
index 0000000..cbccec0
--- /dev/null
+++ b/profiles/gitlab.nix
@@ -0,0 +1,49 @@
+{ pkgs, ... }: {
+ services.gitlab = {
+ enable = true;
+ databasePasswordFile = pkgs.writeText "dbPassword" "xxx";
+ initialRootPasswordFile = pkgs.writeText "rootPassword" "xxx";
+ secrets = {
+ secretFile = pkgs.writeText "secret" "xxx";
+ otpFile = pkgs.writeText "otpsecret" "xxx";
+ dbFile = pkgs.writeText "dbsecret" "xxx";
+ jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+ };
+ extraConfig.ldap = {
+ enabled = true;
+ servers = {
+ main = {
+ label = "LDAP";
+ host = "ldap.federez.net";
+ port = 389;
+ uid = "uid";
+ method = "tls";
+ bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
+ password = "xxx";
+ active_directory = false;
+ allow_username_or_email_login = false;
+ block_auto_created_users = false;
+ base = "cn=Utilisateurs,dc=federez,dc=net";
+ user_filter = "";
+ };
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "gitlab2.federez.net" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ systemd.services.gitlab-backup.environment.BACKUP = "dump";
+}
diff --git a/secrets/ldap-bind-password.age b/secrets/ldap-bind-password.age
index 6bcb93b..202bea1 100644
--- a/secrets/ldap-bind-password.age
+++ b/secrets/ldap-bind-password.age
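Review bot: Every credential under `services.gitlab` is a store path built from the literal `"xxx"` (`databasePasswordFile`, `initialRootPasswordFile`, `secrets.secretFile`, `otpFile`, `dbFile`), so the initial root password and the key bases GitLab uses to encrypt stored 2FA seeds and CI variables and to sign sessions are fixed, committed to git, and readable by any local user in `/nix/store`; `jwsFile` has the same problem because `pkgs.runCommand` writes the generated RSA key into the store, and `extraConfig.ldap.servers.main.password = "xxx"` is inline even though this very commit re-encrypts `secrets/ldap-bind-password.age` for aragon (see the `secrets/secrets.nix` hunk). Since the repository already deploys agenix, each `*File` option should point at `config.age.secrets.<name>.path` with the secret generated outside the build, and for the LDAP password the NixOS GitLab module accepts, as far as I recall — verify against the pinned nixpkgs — `{ _secret = "<path>"; }` so the value is substituted at runtime instead of being rendered into `gitlab.yml` in the store. `method = "tls"` is the legacy GitLab LDAP key name; recent releases use `encryption = "start_tls"` for STARTTLS on 389, which is worth checking against the pinned GitLab version together with `verify_certificates`. The sketch below shows only the reworked credential block; names in angle brackets are placeholders to be declared in `secrets/secrets.nix` and `age.secrets`.

```nix
{ config, pkgs, ... }: {
  services.gitlab = {
    enable = true;
    # Secret material is provisioned by agenix at activation time and never
    # becomes part of a derivation, so nothing sensitive lands in /nix/store.
    databasePasswordFile = config.age.secrets."<gitlab-db-password>".path;
    initialRootPasswordFile = config.age.secrets."<gitlab-root-password>".path;
    secrets = {
      secretFile = config.age.secrets."<gitlab-secret-key-base>".path;
      otpFile = config.age.secrets."<gitlab-otp-key-base>".path;
      dbFile = config.age.secrets."<gitlab-db-key-base>".path;
      # Generate the RSA key once, out of band, and store it encrypted.
      jwsFile = config.age.secrets."<gitlab-jws-key>".path;
    };
    # … unchanged: extraConfig.ldap.servers.main, except the bind password …
    #   password = { _secret = config.age.secrets."<ldap-bind-password>".path; };
  };
  # … unchanged: services.nginx, networking.firewall, gitlab-backup …
}
```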
@@ -1,34 +1,39 @@ age-encryption.org/v1 --> ssh-ed25519 GxF6ZA OjQmqOJccj+MF5atvDBSFQ1JMKLBYWhKr0Shr2Z8Bws -wdwMQsgMsIOCMayUrBqepQEphbJKK1WThpg69adSkOU --> ssh-ed25519 Kw53Kw ITayxp4Bba3lr4UYKz0QOIdzJX3ZZ9ufODjHaXL+SzM -Wp7ZQrxHPN1/K3DRV3RiHcgpBpM4Qxjmp2cv6NvfBQE --> ssh-ed25519 FCRFOQ 9ex8FuTdbUuhZvk8TvBD6BBwymPeJ5Efkt3ioc3M32Y -uGOuUeGXn7cD8xWhjpz9qb7lHzsjW2h7QBdv8a5RyoU --> ssh-ed25519 B36KCg EGp4RxQca6dtSgwQYGNLdQ9BNSJ+fHWmr/Q4mka+6h8 -V2djTR4or1M+mbh8d4R643CvP8dQU2jbwlsoMKdoj+w +-> ssh-ed25519 GxF6ZA eVhJxY3U7X2/1+ea3MhmrbTptCi7Rvj6ggSYQ0RkokQ +QB+2uJ2MEjesBZsExtmbtb9o8K5LefxgE6VQs2YodFA +-> ssh-ed25519 Kw53Kw SK+QhIRleYsN75d+Yd8Yn3l9B6jKySgXBpIxGeeyfjE +nritb1PfdRrrAsAcBO5x5Vcl2+Z/ZJJgdm5lDZQkxAo +-> ssh-ed25519 FCRFOQ LbVXdgtrIpV8glXMv2brD5BZkyK0qGQOCTvOIljxzRY +Ge7V/AIq3X0Z0MnHr0q1cD1UsafNmQxaqKQm2Uz8SW0 +-> ssh-ed25519 B36KCg mwlJtL7JPVzY4jAzuljKbABc22aGsIvgUiOdzNK7FEU +9M4wnm/KrI94d79N+u9+RqB9GG8P62u5rJItcDzz6jc +-> ssh-ed25519 G5TwMg dokYM4Mj3fReLXLW7qr0Gr043/5hy3oj0M3TRQnryw0 +kS8exFEwHnbmDd3LWp4YcWYzbkpqDoWLs5HDKGJnNGQ -> ssh-rsa krWCLQ -bWGdQA+nWtvvzNRiyvzHfZArfT1LVDT3NnttMiUJC1Jo6eMKje3wS0fxDbuDZ4vo -odtFhxK2hH6hR0DxIK97mzr4rfr521TWn50KCcxqIlZ8q6+i2Y51RpDMDB7tTHJv -MBlRMEDkt03atFyaCcBYqxCbosb8hQI0Osr4j1MDyj0PrUZJNmpr0o7immWkSCE1 -0VV9JiTDwkdR/lbJ/qkwhA/0+wWABeYEXZYvEmsQ3I7Mx0oX3W41DClhrfNkixTQ -VLc4o6Z1d7HqCdeOadqmEx4rtWuFZ7jMTaRV0hqEDr6MWe4KXNxR/7pF1O4a+Mzs -nhwG+n+4ta603MPWpkWnoQ --> ssh-ed25519 /vwQcQ ynKyWE8qqquPN6WX7PsLuwUwtlNS/VBluDHTpXrIOE0 -VivMdBXUYl6ZHlgPx4+WJKPmiobgVXsftQdvClmIOLM --> ssh-ed25519 0R97PA 5pzkJFYkvjVQYOgjIZPgdhEH8GFaHBrE7PHEg//lQVE -/Bfvwlo4CbUjv5uHjSAtfPxTBVfLoA6sIF2poDI4S68 +GWIUHPR87n3Ronw7DVTEKmXFGiabIGlTKuVnXktcXwDD5eQULpWFHoInEES/sNm9 +C2tbfhpaF1vQRu/Gno55CdU1tN1hh8cK1MR/IoEEJfZmmL4z7v+eIK9NxqTz2IEl +Re6vx1eMnG6vd6mQbuY3owQOnf8exFPkFyo1StUasg2qkZgsjqFYy7IU8pNQzoCc +KqnBChCmB9lHjxBx/xcaNgLWFpxWWFZfLsse/bmzEm/XwFwLiEgQNsaC+GiNYU6z +yR+e8Cu4VyFk2NHMPOzqhYHtUhlqhIoK1ssMpUKKoMOo7Oct0TeCvfpDnpAaV6hp +fxM4x8MjncVpd+I0v0kODw 
+-> ssh-ed25519 /vwQcQ 9ld5Grs3T+mRrImgjHpKcrzO9pkOkmLl4gaQxs1lpRU +4cJffaxOnbcd0hLRBOS+I+nKxzNCl3PkCRv9HAMioU0 +-> ssh-ed25519 0R97PA Gxl4hNPUBbVYFoDQ32XvHHCRf0nxUDj1nsj5iFktbF4 +3fx/9nlvg3R+XVU7BX5kSibSvWKec0/+/emXKoGuGu8 -> ssh-rsa jL+Elw -gyeeOmvoxeIvxQ0OGsRaFVeF/fkE6TxpYGHsJdA4w3yJSlLCtk+WYv228hx9if3+ -bXvBZL5uRF4psP36i0gQto4NjHEUP5hfdjaRzSIai/xdb78UD/UtvyOOhhpO1NRE -fmNYn5uAI2zCOzqpncgYTWaoI+Bl2LrBoNFrYHARgRg2dmx8kNIA/1cFTIzM+EC8 -GSRAHe/UI9FrjIPw32zYD81Y9SuTLDgnnyZQ+LJ9BEsA6xkmx6PwGt841Hwjn22s -HjI3EWHoTwzrjFA+CGN1TmR50jl5h90F19fu6TGbDPYnmQdm+9+xhTEGxIwZBblN -MAt2xbQbNSVruooRaB+0eKXCyQiHgn+2aSM0m4lq6i27W5KK9fFJoZpFRyYNVicS -z/3bbn5G37LNRQ7S2uaQpO5E093Q/TO/cAiDdpexxjWPY74BZQXpuCrd0kwQA5OA -YZqRrwnsbyU/1PIik+CfkoSzVieru8cYnZp9gltdLu998LoKh5tW3DTmTe5/RqiF -2fyZk+M/6QKQMrIX1HnOtZWfAdN+vh7E5VB2W7Ysq8SYHYHAG/a9rH8OJgkDIbpW -58g5Weidb9SKK3Ubunl1Ok7mzOmK5fLu5u+lM3UVqdVMhaxX1uwL9pgeei5aqIUo -+KCsjx+0Wb554MitUvSaw00yS0A+z0H78nKv3waZL8k ---- NNyRDQ7VL64kPyPUtiUkjKts16ia4Oz4KYJdOsykT9Q -àÒÁIDÌžKe*µ]¤Ö4ªuòýüPhĈÜà9ÔFȤcz°7–‰†zš&ž<EÜZ(^Ñ$™#]¼ \ No newline at end of file +AzeKXeyrYk5PjrPTuu2Oyk2tVUvyjcA87ZslWhDS3bO3CEX54+5icgSbSXlsdkRs +vU8f+OghRbDTryFjK6/B8ekBkuEekBxjsG9F3/J0CPiBZ6Wa8Tnh6GmQQC5hSggH +eJB1bIbe9RkzWR9OR8NI9WDl0FVJgj49u3OOHHw5imJsNNM5l5fnL1VbzdSyp31n +jdS27krdRo7VG3vd3v6x9uHGMhITpWB2XXmN9hAE/vILPvoVQZ6FafHkDC8/jD+P +rG7bjo3uw4Ky3wQavEm9pifziCGHNt5qvd3PxYpvQnBwTkaR71gBuRdhdTrzpQs/ +sAfaN9AgF5IwP/2dcJIWSbcOT4nmWfyoZQuo2wsHxAoWX46+Bjxbok+AUlzRd4z+ +uqsoKbpduxKy1GtkiIBrpztX2z1LFHHUGzt4SgMTc0tbVA7MGFGZjPDXdszGsqqy +U76wa1Eu4TYkbJh/wZ12JKg0Jf5rK5xG2PPBuzHU5SIaedMfMiZ5/ufc8O0dsL4P +4FD43vnUwdM8nNrLqCiMJIqffbnail2dokZvFF9wizoB49aFmJCavvpZ23UJ3LBD +3OTzEX0AlMRTj+mT5BDcgfi7Aux1P4BkHdwrzUvHrz+Z1ekOeevg/mCrbUOzR1ej +++2LczvCewkp76DQhaXQ2NulNoJDeZHBC/v+2qCtj98 +-> ssh-ed25519 jIXfPA OWWwVNOFOQqF3l1Q4qQzg+NMa9rqtlltYu/oI0SFDTc +5KTYzI0YRvfCi8A465kx3ro4cKdbjKobJwpvBR2DKXc +--- PMaTKbs1ooYCprys3kTPYUEDpFlGN/9NTyAFaJAsVBA +Æ}Ž:Q)£ÚC=M©¼b·Å¡ õÐ] iÀf¿» N-pKpQ±8q F¼×0¶¿'ÑÄo+þ 
+¸óÞ‹¥ \ No newline at end of file diff --git a/secrets/matrix-shared-secret.age b/secrets/matrix-shared-secret.age index a5f2485..93fa848 100644 Binary files a/secrets/matrix-shared-secret.age and b/secrets/matrix-shared-secret.age differ diff --git a/secrets/mautrix-telegram.age b/secrets/mautrix-telegram.age index 80ea67c..b6c4b32 100644 Binary files a/secrets/mautrix-telegram.age and b/secrets/mautrix-telegram.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 0fe4ffa..6ca386c 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -4,6 +4,7 @@ let wagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqBgXGbnPPmDHrn05Fr3X66cmgP6zvnMtPL21d4ebfh root@wagon"; lagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8fiqJw9RvVVQghG0OVKsXAkBcWox4JsozfxToLAiIK root@lagon"; klingon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/P58bPqi8yTl12jpP8oFcYG7S8j1WpfgqwZz+EuQqy root@kligon"; + aragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUDEhYDtCLI4ypIXhimPjleiGUI3lOTv5LntzNEPM1p root@aragon"; # Add yourself. raito = readKeyFile ../pubkeys/raito.keys; bensmrs = readKeyFile ../pubkeys/bensmrs.keys; @@ -16,7 +17,7 @@ let vaultwarden-admins = active-admins; keycloak-admins = active-admins; ldap-bind-admins = active-admins; - servers = [ estragon wagon lagon klingon ]; + servers = [ estragon wagon lagon klingon aragon ]; in { "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins; diff --git a/secrets/vaultwarden-secrets.age b/secrets/vaultwarden-secrets.age index c237fa5..af25b11 100644 Binary files a/secrets/vaultwarden-secrets.age and b/secrets/vaultwarden-secrets.age differ