federez/nix
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

profiles/gitlab: init

Browse source 
Signed-off-by: Ryan Lahfa <federez-infra@lahfa.xyz>
This commit is contained in:
Ryan Lahfa 2024-08-08 16:33:46 +02:00 committed by Jeltz
parent 0b55fc629f
commit 3b6c3f6d70
Signed by: jeltz
GPG key ID: 800882B66C0C3326
8 changed files with 115 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

17
hive.nix
View file

@ -117,4 +117,21 @@ in
./profiles/netdata.nix ./profiles/netdata.nix
]; ];
}; };
aragon = { name, nodes, ... }: {
deployment.tags = [ "gitlab" ];
deployment.targetHost = "aragon.federez.net";
federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
networking.hostName = name;
glucagon.networking = {
nibble = 231;
wan-mac = "BC:24:11:E3:12:4A";
};
imports = [
./profiles/vm.nix
./profiles/gitlab.nix
];
};
} }

22
npins/sources.json
View file

@ -8,9 +8,9 @@
"repo": "agenix" "repo": "agenix"
}, },
"branch": "main", "branch": "main",
"revision": "417caa847f9383e111d1397039c9d4337d024bf0", "revision": "24a7ea390564ccd5b39b7884f597cfc8d7f6f44e",
"url": "https://github.com/ryantm/agenix/archive/417caa847f9383e111d1397039c9d4337d024bf0.tar.gz", "url": "https://github.com/ryantm/agenix/archive/24a7ea390564ccd5b39b7884f597cfc8d7f6f44e.tar.gz",
"hash": "0g240g51w62r7j67dcc73xkdnhd26nk07043qsqqavl5mbh40swy" "hash": "165am10r61wl5v4hz169zrlljvj929hgnhr9sn7ak3bz73cr1m86"
}, },
"disko": { "disko": {
"type": "Git", "type": "Git",
@ -20,9 +20,9 @@
"repo": "disko" "repo": "disko"
}, },
"branch": "master", "branch": "master",
"revision": "d07de570ba05cec2807d058daaa044f6955720c7", "revision": "285e26465a0bae510897ca04da26ce6307c652b4",
"url": "https://github.com/nix-community/disko/archive/d07de570ba05cec2807d058daaa044f6955720c7.tar.gz", "url": "https://github.com/nix-community/disko/archive/285e26465a0bae510897ca04da26ce6307c652b4.tar.gz",
"hash": "18rli5h2xmzbbwambrcrg7r22vp0rmnjm55mcqc00n3fq5kscsqy" "hash": "0clj35a0rwxci2ss6401gyi3w803bz01ixis6pdxvkmap4i65h4i"
}, },
"nix-phps": { "nix-phps": {
"type": "Git", "type": "Git",
@ -32,15 +32,15 @@
"repo": "nix-phps" "repo": "nix-phps"
}, },
"branch": "master", "branch": "master",
"revision": "509bc62c91ecf1767b0e0142373d069308cf86c5", "revision": "d40b1a19f521b1c495f60af2a9ac40e5c27d0925",
"url": "https://github.com/fossar/nix-phps/archive/509bc62c91ecf1767b0e0142373d069308cf86c5.tar.gz", "url": "https://github.com/fossar/nix-phps/archive/d40b1a19f521b1c495f60af2a9ac40e5c27d0925.tar.gz",
"hash": "0s548v1vylqdw8a5vlzz12gxjklcyqzckvbma2a3z539sfg4iils" "hash": "13rxp9l2ik360r68kvdnm62bdi909bhfw8daz1a18n96ba6k0fhf"
}, },
"nixpkgs": { "nixpkgs": {
"type": "Channel", "type": "Channel",
"name": "nixos-unstable-small", "name": "nixos-unstable-small",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-24.05pre583675.3560d1c8269d/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixos/unstable-small/nixos-24.05pre617751.c8d7c8a78fb5/nixexprs.tar.xz",
"hash": "0r5p2x51ibw6sy3h76c4hk3763bixwjsid9jsmvc05589mnw31sg" "hash": "19hh0a2jbgjg8w75riyr5lmj4x4m7l6rg6j432imyrlxcbdki3mc"
} }
}, },
"version": 3 "version": 3

49
profiles/gitlab.nix Normal file
View file

@ -0,0 +1,49 @@
{ pkgs, ... }: {
services.gitlab = {
enable = true;
databasePasswordFile = pkgs.writeText "dbPassword" "xxx";
initialRootPasswordFile = pkgs.writeText "rootPassword" "xxx";
secrets = {
secretFile = pkgs.writeText "secret" "xxx";
otpFile = pkgs.writeText "otpsecret" "xxx";
dbFile = pkgs.writeText "dbsecret" "xxx";
jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
};
extraConfig.ldap = {
enabled = true;
servers = {
main = {
label = "LDAP";
host = "ldap.federez.net";
port = 389;
uid = "uid";
method = "tls";
bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
password = "xxx";
active_directory = false;
allow_username_or_email_login = false;
block_auto_created_users = false;
base = "cn=Utilisateurs,dc=federez,dc=net";
user_filter = "";
};
};
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"gitlab2.federez.net" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.gitlab-backup.environment.BACKUP = "dump";
}

67
secrets/ldap-bind-password.age
View file

@ -1,34 +1,39 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 GxF6ZA OjQmqOJccj+MF5atvDBSFQ1JMKLBYWhKr0Shr2Z8Bws -> ssh-ed25519 GxF6ZA eVhJxY3U7X2/1+ea3MhmrbTptCi7Rvj6ggSYQ0RkokQ
wdwMQsgMsIOCMayUrBqepQEphbJKK1WThpg69adSkOU QB+2uJ2MEjesBZsExtmbtb9o8K5LefxgE6VQs2YodFA
-> ssh-ed25519 Kw53Kw ITayxp4Bba3lr4UYKz0QOIdzJX3ZZ9ufODjHaXL+SzM -> ssh-ed25519 Kw53Kw SK+QhIRleYsN75d+Yd8Yn3l9B6jKySgXBpIxGeeyfjE
Wp7ZQrxHPN1/K3DRV3RiHcgpBpM4Qxjmp2cv6NvfBQE nritb1PfdRrrAsAcBO5x5Vcl2+Z/ZJJgdm5lDZQkxAo
-> ssh-ed25519 FCRFOQ 9ex8FuTdbUuhZvk8TvBD6BBwymPeJ5Efkt3ioc3M32Y -> ssh-ed25519 FCRFOQ LbVXdgtrIpV8glXMv2brD5BZkyK0qGQOCTvOIljxzRY
uGOuUeGXn7cD8xWhjpz9qb7lHzsjW2h7QBdv8a5RyoU Ge7V/AIq3X0Z0MnHr0q1cD1UsafNmQxaqKQm2Uz8SW0
-> ssh-ed25519 B36KCg EGp4RxQca6dtSgwQYGNLdQ9BNSJ+fHWmr/Q4mka+6h8 -> ssh-ed25519 B36KCg mwlJtL7JPVzY4jAzuljKbABc22aGsIvgUiOdzNK7FEU
V2djTR4or1M+mbh8d4R643CvP8dQU2jbwlsoMKdoj+w 9M4wnm/KrI94d79N+u9+RqB9GG8P62u5rJItcDzz6jc
-> ssh-ed25519 G5TwMg dokYM4Mj3fReLXLW7qr0Gr043/5hy3oj0M3TRQnryw0
kS8exFEwHnbmDd3LWp4YcWYzbkpqDoWLs5HDKGJnNGQ
-> ssh-rsa krWCLQ -> ssh-rsa krWCLQ
bWGdQA+nWtvvzNRiyvzHfZArfT1LVDT3NnttMiUJC1Jo6eMKje3wS0fxDbuDZ4vo GWIUHPR87n3Ronw7DVTEKmXFGiabIGlTKuVnXktcXwDD5eQULpWFHoInEES/sNm9
odtFhxK2hH6hR0DxIK97mzr4rfr521TWn50KCcxqIlZ8q6+i2Y51RpDMDB7tTHJv C2tbfhpaF1vQRu/Gno55CdU1tN1hh8cK1MR/IoEEJfZmmL4z7v+eIK9NxqTz2IEl
MBlRMEDkt03atFyaCcBYqxCbosb8hQI0Osr4j1MDyj0PrUZJNmpr0o7immWkSCE1 Re6vx1eMnG6vd6mQbuY3owQOnf8exFPkFyo1StUasg2qkZgsjqFYy7IU8pNQzoCc
0VV9JiTDwkdR/lbJ/qkwhA/0+wWABeYEXZYvEmsQ3I7Mx0oX3W41DClhrfNkixTQ KqnBChCmB9lHjxBx/xcaNgLWFpxWWFZfLsse/bmzEm/XwFwLiEgQNsaC+GiNYU6z
VLc4o6Z1d7HqCdeOadqmEx4rtWuFZ7jMTaRV0hqEDr6MWe4KXNxR/7pF1O4a+Mzs yR+e8Cu4VyFk2NHMPOzqhYHtUhlqhIoK1ssMpUKKoMOo7Oct0TeCvfpDnpAaV6hp
nhwG+n+4ta603MPWpkWnoQ fxM4x8MjncVpd+I0v0kODw
-> ssh-ed25519 /vwQcQ ynKyWE8qqquPN6WX7PsLuwUwtlNS/VBluDHTpXrIOE0 -> ssh-ed25519 /vwQcQ 9ld5Grs3T+mRrImgjHpKcrzO9pkOkmLl4gaQxs1lpRU
VivMdBXUYl6ZHlgPx4+WJKPmiobgVXsftQdvClmIOLM 4cJffaxOnbcd0hLRBOS+I+nKxzNCl3PkCRv9HAMioU0
-> ssh-ed25519 0R97PA 5pzkJFYkvjVQYOgjIZPgdhEH8GFaHBrE7PHEg//lQVE -> ssh-ed25519 0R97PA Gxl4hNPUBbVYFoDQ32XvHHCRf0nxUDj1nsj5iFktbF4
/Bfvwlo4CbUjv5uHjSAtfPxTBVfLoA6sIF2poDI4S68 3fx/9nlvg3R+XVU7BX5kSibSvWKec0/+/emXKoGuGu8
-> ssh-rsa jL+Elw -> ssh-rsa jL+Elw
gyeeOmvoxeIvxQ0OGsRaFVeF/fkE6TxpYGHsJdA4w3yJSlLCtk+WYv228hx9if3+ AzeKXeyrYk5PjrPTuu2Oyk2tVUvyjcA87ZslWhDS3bO3CEX54+5icgSbSXlsdkRs
bXvBZL5uRF4psP36i0gQto4NjHEUP5hfdjaRzSIai/xdb78UD/UtvyOOhhpO1NRE vU8f+OghRbDTryFjK6/B8ekBkuEekBxjsG9F3/J0CPiBZ6Wa8Tnh6GmQQC5hSggH
fmNYn5uAI2zCOzqpncgYTWaoI+Bl2LrBoNFrYHARgRg2dmx8kNIA/1cFTIzM+EC8 eJB1bIbe9RkzWR9OR8NI9WDl0FVJgj49u3OOHHw5imJsNNM5l5fnL1VbzdSyp31n
GSRAHe/UI9FrjIPw32zYD81Y9SuTLDgnnyZQ+LJ9BEsA6xkmx6PwGt841Hwjn22s jdS27krdRo7VG3vd3v6x9uHGMhITpWB2XXmN9hAE/vILPvoVQZ6FafHkDC8/jD+P
HjI3EWHoTwzrjFA+CGN1TmR50jl5h90F19fu6TGbDPYnmQdm+9+xhTEGxIwZBblN rG7bjo3uw4Ky3wQavEm9pifziCGHNt5qvd3PxYpvQnBwTkaR71gBuRdhdTrzpQs/
MAt2xbQbNSVruooRaB+0eKXCyQiHgn+2aSM0m4lq6i27W5KK9fFJoZpFRyYNVicS sAfaN9AgF5IwP/2dcJIWSbcOT4nmWfyoZQuo2wsHxAoWX46+Bjxbok+AUlzRd4z+
z/3bbn5G37LNRQ7S2uaQpO5E093Q/TO/cAiDdpexxjWPY74BZQXpuCrd0kwQA5OA uqsoKbpduxKy1GtkiIBrpztX2z1LFHHUGzt4SgMTc0tbVA7MGFGZjPDXdszGsqqy
YZqRrwnsbyU/1PIik+CfkoSzVieru8cYnZp9gltdLu998LoKh5tW3DTmTe5/RqiF U76wa1Eu4TYkbJh/wZ12JKg0Jf5rK5xG2PPBuzHU5SIaedMfMiZ5/ufc8O0dsL4P
2fyZk+M/6QKQMrIX1HnOtZWfAdN+vh7E5VB2W7Ysq8SYHYHAG/a9rH8OJgkDIbpW 4FD43vnUwdM8nNrLqCiMJIqffbnail2dokZvFF9wizoB49aFmJCavvpZ23UJ3LBD
58g5Weidb9SKK3Ubunl1Ok7mzOmK5fLu5u+lM3UVqdVMhaxX1uwL9pgeei5aqIUo 3OTzEX0AlMRTj+mT5BDcgfi7Aux1P4BkHdwrzUvHrz+Z1ekOeevg/mCrbUOzR1ej
+KCsjx+0Wb554MitUvSaw00yS0A+z0H78nKv3waZL8k ++2LczvCewkp76DQhaXQ2NulNoJDeZHBC/v+2qCtj98
--- NNyRDQ7VL64kPyPUtiUkjKts16ia4Oz4KYJdOsykT9Q -> ssh-ed25519 jIXfPA OWWwVNOFOQqF3l1Q4qQzg+NMa9rqtlltYu/oI0SFDTc
ŕŇÁIDĚžKe*µ]¤Ö4ŞuňýüPhÄ<13>Üŕ9ÔFȤcz°7‰†zš&ž<EÜZ(^Ń$™#]Ľ 5KTYzI0YRvfCi8A465kx3ro4cKdbjKobJwpvBR2DKXc
--- PMaTKbs1ooYCprys3kTPYUEDpFlGN/9NTyAFaJAsVBA
Æ}Ž:Q)£ÚC=M©¼b·Å¡ õÐ] iÀf¿» N-pKpQ±8q ×0¿'ÑÄo+þ
¸óÞ‹¥

BIN
secrets/matrix-shared-secret.age
View file

Binary file not shown.

BIN
secrets/mautrix-telegram.age
View file

Binary file not shown.

3
secrets/secrets.nix
View file

@ -4,6 +4,7 @@ let
wagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqBgXGbnPPmDHrn05Fr3X66cmgP6zvnMtPL21d4ebfh root@wagon"; wagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqBgXGbnPPmDHrn05Fr3X66cmgP6zvnMtPL21d4ebfh root@wagon";
lagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8fiqJw9RvVVQghG0OVKsXAkBcWox4JsozfxToLAiIK root@lagon"; lagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8fiqJw9RvVVQghG0OVKsXAkBcWox4JsozfxToLAiIK root@lagon";
klingon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/P58bPqi8yTl12jpP8oFcYG7S8j1WpfgqwZz+EuQqy root@kligon"; klingon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/P58bPqi8yTl12jpP8oFcYG7S8j1WpfgqwZz+EuQqy root@kligon";
aragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUDEhYDtCLI4ypIXhimPjleiGUI3lOTv5LntzNEPM1p root@aragon";
# Add yourself. # Add yourself.
raito = readKeyFile ../pubkeys/raito.keys; raito = readKeyFile ../pubkeys/raito.keys;
bensmrs = readKeyFile ../pubkeys/bensmrs.keys; bensmrs = readKeyFile ../pubkeys/bensmrs.keys;
@ -16,7 +17,7 @@ let
vaultwarden-admins = active-admins; vaultwarden-admins = active-admins;
keycloak-admins = active-admins; keycloak-admins = active-admins;
ldap-bind-admins = active-admins; ldap-bind-admins = active-admins;
servers = [ estragon wagon lagon klingon ]; servers = [ estragon wagon lagon klingon aragon ];
in in
{ {
"matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins; "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins;

BIN
secrets/vaultwarden-secrets.age
View file

Binary file not shown.