profiles/gitlab: init

Signed-off-by: Ryan Lahfa <federez-infra@lahfa.xyz>
2024-08-08 16:33:46 +02:00 · 2024-08-08 16:33:46 +02:00 · 3b6c3f6d70
commit 3b6c3f6d70
parent 0b55fc629f
8 changed files with 115 additions and 43 deletions
--- a/hive.nix
+++ b/hive.nix
@ -117,4 +117,21 @@ in
      ./profiles/netdata.nix
    ];
  };
+
+  aragon = { name, nodes, ... }: {
+    deployment.tags = [ "gitlab" ];
+    deployment.targetHost = "aragon.federez.net";
+    federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
+    networking.hostName = name;
+
+    glucagon.networking = {
+      nibble = 231;
+      wan-mac = "BC:24:11:E3:12:4A";
+    };
+
+    imports = [
+      ./profiles/vm.nix
+      ./profiles/gitlab.nix
+    ];
+  };
 }
--- a/npins/sources.json
+++ b/npins/sources.json
@ -8,9 +8,9 @@
        "repo": "agenix"
      },
      "branch": "main",
-      "revision": "417caa847f9383e111d1397039c9d4337d024bf0",
-      "url": "https://github.com/ryantm/agenix/archive/417caa847f9383e111d1397039c9d4337d024bf0.tar.gz",
-      "hash": "0g240g51w62r7j67dcc73xkdnhd26nk07043qsqqavl5mbh40swy"
+      "revision": "24a7ea390564ccd5b39b7884f597cfc8d7f6f44e",
+      "url": "https://github.com/ryantm/agenix/archive/24a7ea390564ccd5b39b7884f597cfc8d7f6f44e.tar.gz",
+      "hash": "165am10r61wl5v4hz169zrlljvj929hgnhr9sn7ak3bz73cr1m86"
    },
    "disko": {
      "type": "Git",
@ -20,9 +20,9 @@
        "repo": "disko"
      },
      "branch": "master",
-      "revision": "d07de570ba05cec2807d058daaa044f6955720c7",
-      "url": "https://github.com/nix-community/disko/archive/d07de570ba05cec2807d058daaa044f6955720c7.tar.gz",
-      "hash": "18rli5h2xmzbbwambrcrg7r22vp0rmnjm55mcqc00n3fq5kscsqy"
+      "revision": "285e26465a0bae510897ca04da26ce6307c652b4",
+      "url": "https://github.com/nix-community/disko/archive/285e26465a0bae510897ca04da26ce6307c652b4.tar.gz",
+      "hash": "0clj35a0rwxci2ss6401gyi3w803bz01ixis6pdxvkmap4i65h4i"
    },
    "nix-phps": {
      "type": "Git",
@ -32,15 +32,15 @@
        "repo": "nix-phps"
      },
      "branch": "master",
-      "revision": "509bc62c91ecf1767b0e0142373d069308cf86c5",
-      "url": "https://github.com/fossar/nix-phps/archive/509bc62c91ecf1767b0e0142373d069308cf86c5.tar.gz",
-      "hash": "0s548v1vylqdw8a5vlzz12gxjklcyqzckvbma2a3z539sfg4iils"
+      "revision": "d40b1a19f521b1c495f60af2a9ac40e5c27d0925",
+      "url": "https://github.com/fossar/nix-phps/archive/d40b1a19f521b1c495f60af2a9ac40e5c27d0925.tar.gz",
+      "hash": "13rxp9l2ik360r68kvdnm62bdi909bhfw8daz1a18n96ba6k0fhf"
    },
    "nixpkgs": {
      "type": "Channel",
      "name": "nixos-unstable-small",
-      "url": "https://releases.nixos.org/nixos/unstable-small/nixos-24.05pre583675.3560d1c8269d/nixexprs.tar.xz",
-      "hash": "0r5p2x51ibw6sy3h76c4hk3763bixwjsid9jsmvc05589mnw31sg"
+      "url": "https://releases.nixos.org/nixos/unstable-small/nixos-24.05pre617751.c8d7c8a78fb5/nixexprs.tar.xz",
+      "hash": "19hh0a2jbgjg8w75riyr5lmj4x4m7l6rg6j432imyrlxcbdki3mc"
    }
  },
  "version": 3
--- a/profiles/gitlab.nix
+++ b/profiles/gitlab.nix
@ -0,0 +1,49 @@
+{ pkgs, ... }: {
+  services.gitlab = {
+    enable = true;
+    databasePasswordFile = pkgs.writeText "dbPassword" "xxx";
+    initialRootPasswordFile = pkgs.writeText "rootPassword" "xxx";
+    secrets = {
+      secretFile = pkgs.writeText "secret" "xxx";
+      otpFile = pkgs.writeText "otpsecret" "xxx";
+      dbFile = pkgs.writeText "dbsecret" "xxx";
+      jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+    };
+    extraConfig.ldap = {
+      enabled = true;
+      servers = {
+        main = {
+          label = "LDAP";
+          host = "ldap.federez.net";
+          port = 389;
+          uid = "uid";
+          method = "tls";
+          bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
+          password = "xxx";
+          active_directory = false;
+          allow_username_or_email_login = false;
+          block_auto_created_users = false;
+          base = "cn=Utilisateurs,dc=federez,dc=net";
+          user_filter = "";
+        };
+      };
+    };
+  };
+
+  
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "gitlab2.federez.net" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  systemd.services.gitlab-backup.environment.BACKUP = "dump";
+}
--- a/secrets/ldap-bind-password.age
+++ b/secrets/ldap-bind-password.age
@ -1,34 +1,39 @@
 age-encryption.org/v1
-> ssh-ed25519 GxF6ZA OjQmqOJccj+MF5atvDBSFQ1JMKLBYWhKr0Shr2Z8Bws
-wdwMQsgMsIOCMayUrBqepQEphbJKK1WThpg69adSkOU
-> ssh-ed25519 Kw53Kw ITayxp4Bba3lr4UYKz0QOIdzJX3ZZ9ufODjHaXL+SzM
-Wp7ZQrxHPN1/K3DRV3RiHcgpBpM4Qxjmp2cv6NvfBQE
-> ssh-ed25519 FCRFOQ 9ex8FuTdbUuhZvk8TvBD6BBwymPeJ5Efkt3ioc3M32Y
-uGOuUeGXn7cD8xWhjpz9qb7lHzsjW2h7QBdv8a5RyoU
-> ssh-ed25519 B36KCg EGp4RxQca6dtSgwQYGNLdQ9BNSJ+fHWmr/Q4mka+6h8
-V2djTR4or1M+mbh8d4R643CvP8dQU2jbwlsoMKdoj+w
+-> ssh-ed25519 GxF6ZA eVhJxY3U7X2/1+ea3MhmrbTptCi7Rvj6ggSYQ0RkokQ
+QB+2uJ2MEjesBZsExtmbtb9o8K5LefxgE6VQs2YodFA
+-> ssh-ed25519 Kw53Kw SK+QhIRleYsN75d+Yd8Yn3l9B6jKySgXBpIxGeeyfjE
+nritb1PfdRrrAsAcBO5x5Vcl2+Z/ZJJgdm5lDZQkxAo
+-> ssh-ed25519 FCRFOQ LbVXdgtrIpV8glXMv2brD5BZkyK0qGQOCTvOIljxzRY
+Ge7V/AIq3X0Z0MnHr0q1cD1UsafNmQxaqKQm2Uz8SW0
+-> ssh-ed25519 B36KCg mwlJtL7JPVzY4jAzuljKbABc22aGsIvgUiOdzNK7FEU
+9M4wnm/KrI94d79N+u9+RqB9GG8P62u5rJItcDzz6jc
+-> ssh-ed25519 G5TwMg dokYM4Mj3fReLXLW7qr0Gr043/5hy3oj0M3TRQnryw0
+kS8exFEwHnbmDd3LWp4YcWYzbkpqDoWLs5HDKGJnNGQ
 -> ssh-rsa krWCLQ
-bWGdQA+nWtvvzNRiyvzHfZArfT1LVDT3NnttMiUJC1Jo6eMKje3wS0fxDbuDZ4vo
-odtFhxK2hH6hR0DxIK97mzr4rfr521TWn50KCcxqIlZ8q6+i2Y51RpDMDB7tTHJv
-MBlRMEDkt03atFyaCcBYqxCbosb8hQI0Osr4j1MDyj0PrUZJNmpr0o7immWkSCE1
-0VV9JiTDwkdR/lbJ/qkwhA/0+wWABeYEXZYvEmsQ3I7Mx0oX3W41DClhrfNkixTQ
-VLc4o6Z1d7HqCdeOadqmEx4rtWuFZ7jMTaRV0hqEDr6MWe4KXNxR/7pF1O4a+Mzs
-nhwG+n+4ta603MPWpkWnoQ
-> ssh-ed25519 /vwQcQ ynKyWE8qqquPN6WX7PsLuwUwtlNS/VBluDHTpXrIOE0
-VivMdBXUYl6ZHlgPx4+WJKPmiobgVXsftQdvClmIOLM
-> ssh-ed25519 0R97PA 5pzkJFYkvjVQYOgjIZPgdhEH8GFaHBrE7PHEg//lQVE
-/Bfvwlo4CbUjv5uHjSAtfPxTBVfLoA6sIF2poDI4S68
+GWIUHPR87n3Ronw7DVTEKmXFGiabIGlTKuVnXktcXwDD5eQULpWFHoInEES/sNm9
+C2tbfhpaF1vQRu/Gno55CdU1tN1hh8cK1MR/IoEEJfZmmL4z7v+eIK9NxqTz2IEl
+Re6vx1eMnG6vd6mQbuY3owQOnf8exFPkFyo1StUasg2qkZgsjqFYy7IU8pNQzoCc
+KqnBChCmB9lHjxBx/xcaNgLWFpxWWFZfLsse/bmzEm/XwFwLiEgQNsaC+GiNYU6z
+yR+e8Cu4VyFk2NHMPOzqhYHtUhlqhIoK1ssMpUKKoMOo7Oct0TeCvfpDnpAaV6hp
+fxM4x8MjncVpd+I0v0kODw
+-> ssh-ed25519 /vwQcQ 9ld5Grs3T+mRrImgjHpKcrzO9pkOkmLl4gaQxs1lpRU
+4cJffaxOnbcd0hLRBOS+I+nKxzNCl3PkCRv9HAMioU0
+-> ssh-ed25519 0R97PA Gxl4hNPUBbVYFoDQ32XvHHCRf0nxUDj1nsj5iFktbF4
+3fx/9nlvg3R+XVU7BX5kSibSvWKec0/+/emXKoGuGu8
 -> ssh-rsa jL+Elw
-gyeeOmvoxeIvxQ0OGsRaFVeF/fkE6TxpYGHsJdA4w3yJSlLCtk+WYv228hx9if3+
-bXvBZL5uRF4psP36i0gQto4NjHEUP5hfdjaRzSIai/xdb78UD/UtvyOOhhpO1NRE
-fmNYn5uAI2zCOzqpncgYTWaoI+Bl2LrBoNFrYHARgRg2dmx8kNIA/1cFTIzM+EC8
-GSRAHe/UI9FrjIPw32zYD81Y9SuTLDgnnyZQ+LJ9BEsA6xkmx6PwGt841Hwjn22s
-HjI3EWHoTwzrjFA+CGN1TmR50jl5h90F19fu6TGbDPYnmQdm+9+xhTEGxIwZBblN
-MAt2xbQbNSVruooRaB+0eKXCyQiHgn+2aSM0m4lq6i27W5KK9fFJoZpFRyYNVicS
-z/3bbn5G37LNRQ7S2uaQpO5E093Q/TO/cAiDdpexxjWPY74BZQXpuCrd0kwQA5OA
-YZqRrwnsbyU/1PIik+CfkoSzVieru8cYnZp9gltdLu998LoKh5tW3DTmTe5/RqiF
-2fyZk+M/6QKQMrIX1HnOtZWfAdN+vh7E5VB2W7Ysq8SYHYHAG/a9rH8OJgkDIbpW
-58g5Weidb9SKK3Ubunl1Ok7mzOmK5fLu5u+lM3UVqdVMhaxX1uwL9pgeei5aqIUo
-+KCsjx+0Wb554MitUvSaw00yS0A+z0H78nKv3waZL8k
--- NNyRDQ7VL64kPyPUtiUkjKts16ia4Oz4KYJdOsykT9Q
-ŕŇÁIDĚžKe*µ]¤Ö4ŞuňýüPhÄ<13>Üŕ9ÔFČ¤cz°7–‰†zš&ž<EÜZ(^Ń$™#]Ľ
+AzeKXeyrYk5PjrPTuu2Oyk2tVUvyjcA87ZslWhDS3bO3CEX54+5icgSbSXlsdkRs
+vU8f+OghRbDTryFjK6/B8ekBkuEekBxjsG9F3/J0CPiBZ6Wa8Tnh6GmQQC5hSggH
+eJB1bIbe9RkzWR9OR8NI9WDl0FVJgj49u3OOHHw5imJsNNM5l5fnL1VbzdSyp31n
+jdS27krdRo7VG3vd3v6x9uHGMhITpWB2XXmN9hAE/vILPvoVQZ6FafHkDC8/jD+P
+rG7bjo3uw4Ky3wQavEm9pifziCGHNt5qvd3PxYpvQnBwTkaR71gBuRdhdTrzpQs/
+sAfaN9AgF5IwP/2dcJIWSbcOT4nmWfyoZQuo2wsHxAoWX46+Bjxbok+AUlzRd4z+
+uqsoKbpduxKy1GtkiIBrpztX2z1LFHHUGzt4SgMTc0tbVA7MGFGZjPDXdszGsqqy
+U76wa1Eu4TYkbJh/wZ12JKg0Jf5rK5xG2PPBuzHU5SIaedMfMiZ5/ufc8O0dsL4P
+4FD43vnUwdM8nNrLqCiMJIqffbnail2dokZvFF9wizoB49aFmJCavvpZ23UJ3LBD
+3OTzEX0AlMRTj+mT5BDcgfi7Aux1P4BkHdwrzUvHrz+Z1ekOeevg/mCrbUOzR1ej
++2LczvCewkp76DQhaXQ2NulNoJDeZHBC/v+2qCtj98
+-> ssh-ed25519 jIXfPA OWWwVNOFOQqF3l1Q4qQzg+NMa9rqtlltYu/oI0SFDTc
+5KTYzI0YRvfCi8A465kx3ro4cKdbjKobJwpvBR2DKXc
+--- PMaTKbs1ooYCprys3kTPYUEDpFlGN/9NTyAFaJAsVBA
+Æ}Ž:Q)£ÚC=M©¼b·Å¡ õÐ]
iÀf¿»N-pKpQ±8qF¼×0¶¿'ÑÄo+þ
+¸óÞ‹¥
--- a/secrets/matrix-shared-secret.age
+++ b/secrets/matrix-shared-secret.age
--- a/secrets/mautrix-telegram.age
+++ b/secrets/mautrix-telegram.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -4,6 +4,7 @@ let
  wagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqBgXGbnPPmDHrn05Fr3X66cmgP6zvnMtPL21d4ebfh root@wagon";
  lagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8fiqJw9RvVVQghG0OVKsXAkBcWox4JsozfxToLAiIK root@lagon";
  klingon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/P58bPqi8yTl12jpP8oFcYG7S8j1WpfgqwZz+EuQqy root@kligon";
+  aragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUDEhYDtCLI4ypIXhimPjleiGUI3lOTv5LntzNEPM1p root@aragon";
  # Add yourself.
  raito = readKeyFile ../pubkeys/raito.keys;
  bensmrs = readKeyFile ../pubkeys/bensmrs.keys;
@ -16,7 +17,7 @@ let
  vaultwarden-admins = active-admins;
  keycloak-admins = active-admins;
  ldap-bind-admins = active-admins;
-  servers = [ estragon wagon lagon klingon ];
+  servers = [ estragon wagon lagon klingon aragon ];
 in
  {
    "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins;
--- a/secrets/vaultwarden-secrets.age
+++ b/secrets/vaultwarden-secrets.age