gitlab: store secrets in age

Signed-off-by: Jeltz <jeltz@federez.net>

profiles/gitlab.nix

@@ -1,13 +1,31 @@
-{ pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.gitlab;
+  secrets = config.age.secrets;
+in
+{
+  age.secrets = lib.mapAttrs
+    (_: f: { file = f; owner = cfg.user; group = cfg.group; })
+    {
+      gitlab-secret = ../secrets/gitlab-secret.age;
+      gitlab-otp-secret = ../secrets/gitlab-otp-secret.age;
+      gitlab-db-secret = ../secrets/gitlab-db-secret.age;
+      gitlab-jws-secret = ../secrets/gitlab-jws-secret.age;
+      gitlab-db-password = ../secrets/gitlab-db-password.age;
+      gitlab-initial-root-password = ../secrets/gitlab-initial-root-password.age;
+      gitlab-ldap-password = ../secrets/gitlab-ldap-password.age;
+    };
+
   services.gitlab = {
     enable = true;
-    databasePasswordFile = pkgs.writeText "dbPassword" "xxx";
-    initialRootPasswordFile = pkgs.writeText "rootPassword" "xxx";
+    databasePasswordFile = secrets.gitlab-db-password.path;
+    initialRootPasswordFile = secrets.gitlab-initial-root-password.path;
     secrets = {
-      secretFile = pkgs.writeText "secret" "xxx";
-      otpFile = pkgs.writeText "otpsecret" "xxx";
-      dbFile = pkgs.writeText "dbsecret" "xxx";
-      jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+      secretFile = secrets.gitlab-secret.path;
+      otpFile = secrets.gitlab-otp-secret.path;
+      dbFile = secrets.gitlab-db-secret.path;
+      jwsFile = secrets.gitlab-jws-secret.path;
     };
     extraConfig.ldap = {
       enabled = true;
@@ -19,7 +37,7 @@
           uid = "uid";
           method = "tls";
           bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
-          password = "xxx";
+          password = { _secret = secrets.gitlab-ldap-password.path; };
           active_directory = false;
           allow_username_or_email_login = false;
           block_auto_created_users = false;
@@ -30,7 +48,6 @@
     };
   };
 
-  
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;

secrets/gitlab-db-password.age

@@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5TwMg n0wufFDOd6evVD9b6NZMJYYaJyw7QyFyXwg4ftbUG2o
+fc/HkB+kV2RB77SRrNwRRyfCcnlwwOYCUntBo8599pQ
+-> ssh-rsa krWCLQ
+0KejmiN6LEg74mC1Lx/DuTtFpn0SUZKUiJG3P3GF0Hu6jOU3Oh80HywlIjCIJdyy
+H+DFon3UVpC/ZMaLme51CTKFkeC6DBCd2tyIbwEvqh/LevldOEEspQfdXDICDlRG
+k/1kvcwwELnH5aCWQiUun+jy2Fs9f50C81MBNh3GHbSYEusTPLk4omm5QQ2QsM/M
+wIcILzWG5cVodWwZr209Bg5HOnEp0x783EIucWR1v8/GknJPHSMiv7hxGS/rVoCm
+4IFsz4zlPsHOZVqURIoFdE9EFr+j5cpCdw4lxOiFhVSWrWynqGmZ/FFB5AqJCQQn
+QxW1CFTM8O9CP57+nzRffA
+-> ssh-ed25519 /vwQcQ Ibq7pr/RXh+alWH/HDU6dvEeREp+slu357MTIxO2ME0
+8wA3U0C22pLX2EzCRR6t2LFtAR+mOpQyGAKDWPBd19E
+-> ssh-ed25519 0R97PA UcKZB0V1M1ckpNlQ/9zGkDF/Umr9zwhYp3x0+lGLsXo
+MoZ/8mjSMPPG1/ezsvNIUonllGvzbBKz77h47nri3w8
+-> ssh-rsa jL+Elw
+MWbJ+XUhgdWYUcbDRqLwTmDvwBxmfCMpMP5Y4Zm3jug9zTMQrTIkN2R9ceclqo9Q
+M2oTcHhS0GsQTuMt2Gd7ho0chHDv1DmuilJpas+XpiZPTL6L+8F1s9r0d7MX1hwT
+v4FRwziCVRAjRtn+fH2T57u9T9e5mQ1aZ8GdlCEB0GttAb8YAE6+FSMtVIN0/sKp
+d2pm6kLpTlJUuLM+eCRNRAR5noJgeBNwHV8z02Kl6KRI/sQPXrPSwjzxATMNF9Ek
+r+waJBrEbqpUO5fgnXOS4nTPAB98MasAvV/X728Lfnz47qb2+BjL7C3kkO08YflT
+nRPBV6NSO7BvtCXi6Ad6BowErrltjRy+UmZL0yEtJl/FlUwkaexf20vMDZfRsEcK
+96zd8dj1KWDt+fnhxDS0Q4YLyn0/GzMuktjakgCZrjb9G1ux9MzKSzNP8SzWEZX0
+E0yWGXm8z3YFJnYtAYTwO6APyVkrEJ5Hg38kwkqnOxn7JoEALb+4tUBv6CM5hQr/
+clGq2I1H+BSF+KN/hjajYoskgLLUnFHsHE+np2F8+vBHUc3AmRmt9mxsuGipA5Jb
+TDOkqlqlFV2bbaSxHRQFNXT7I9H/MzhDLDq8RjNW9M9mD3cLm310RH7yWgcs8k9g
+LnD+b8E+3GheeOKlG/bVhbHNBOXsHV3E/zN/Wf4+/Qc
+-> ssh-ed25519 jIXfPA qegll2Df+qlfxxUaNSknpUrBeSuFp/jFlBPTKHow1xk
+T+5vbn2CVE1df4lo7imzTE+Z4AudX+RgmyERQZUoPZk
+-> ssh-ed25519 um7xWA 9O/XsY4ypXE83MLgunawEADLyNHlGbYgD/NqoUazTys
+vF1wGSBw7EhMmOwYr3fgXz/+hw8i54LBzWIlNXHK+OU
+--- dj78cC17wxYwHBkvl2vo5+9bnnUZECEl5ZJn8hm1UeY
+5ÆzÔ%ºX&–.<2E>Á“ï‹‚ŽQÐ>j<>`oŒÀ´Y’øª“Zêö(ð¯<w&“D<E2809C>

secrets/gitlab-db-secret.age

@@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5TwMg fZbPOfiAhoCr9fnNR/pMrInFyT98vEAfDFFsaWKCCFY
++J4sqflS6u0iynvStw+K4nuPhRqq+TJJDTiWUhFDmbo
+-> ssh-rsa krWCLQ
+nQJKJWWkbOFQPeEjsM3yMqfKkWjtxWCsjFqguk9+wytHZxYQYZ3174Njoi5qPqfb
+X3RA8xl7hxvDYqsGCCSwmZx4YdOF8T3mrzdageyFPJ9Jxw1iJx319QBQC9cMuWeI
+1/aIhwq0ntR+FNqHLgCwvnqsg1YikXCRi3dhYLm1iSn+oDgutqyo2/iFiJEFWU7+
+bPBOETMwyBbWXDiazoa8TvU8+9eh9Srm/uFGE9bUDK5tmu1++AkQcsaWDvGudbQ7
+9pvc12Pv0bMqG3tantxEelhm0mBCUynDr4PAMP3feqZ3Oyylcl8zUl0KHacljAsF
+rAVfrONPHNM7nMUSQ8r6qA
+-> ssh-ed25519 /vwQcQ 2ABiP0NRQF1e0wD9OZUbrbWdX7K2XOl7b+1xPLys7ws
+vdcdmFhE3A+IoTwvkVVepLmAcaejJyGfX0CZLshRogo
+-> ssh-ed25519 0R97PA GkJfihQnAAV1uVqG+M1up28TC4mRY7cFFnbEUM2hBjI
+sv5mFw8MRMEj9cJV7RyWdTJYFsibCdp87bpn6YiJOHQ
+-> ssh-rsa jL+Elw
+HIsPWQAVq7i9aWnWTDh9rFmNOTbRG1Pud0KU0DPpsPKRM6UMr3w9BqHv7tXQUzB7
+QLsdfT2vHQjcpGJ3V6EE9e+0mHoeeB0feWwASdZp8H0rK7iTzfUddwOH4Wc3uXPK
+yZmgR503RP4BLNBc5HEyr52AkCKM6F/OuIZjLW8J89oL1JqDiGngXD0zCBRpLTIE
+yHIOdq4/JctbLAnQDBd52SLmXKZ2WSh0c+lf7TZxq9L3lU/FG++MExuoGqHVuGUv
+yEo55zH+a+SqIz+dL7peKVtgCrQhennESxq1sREwQJqnMZfLLM2MG+DgVZQ3KKwI
+DfGBnuu8NXC8fp28xg4JjSqi9KzWLYsuI4Pb8TjD1D4FFRiEvWZTnHV1uM4flDDs
+mr6+yOP98Ju/gPMxMA68f/JV4xN53FtZpNi8NoeXZHmDpBjBL+ONQha078WdlICd
+0Hx+addJyA+XMNLMoixHftR+cwiw+ByKnFVWzdXk7rkxHYgDlKDAAgErc2TkKa5N
+2H3jawwuj8Cs9Rh9Ma7a6F8rEXpR/gy7mLTmRZF3fnK+0gyZ2ln6d9eJhEk64pTY
+PqFDcFu3y6iidw+3IupHQqo1heH8WXaITtJi638VhVYUsozvWQw8OY1TCXPyQoJD
+B0mdNqm/CFGs+gHgMCjS7N2ee/CtJu5luUuUaHQzdOg
+-> ssh-ed25519 jIXfPA N+jtq8NQ+3ufDqa6H3/xvrordQF0jDUPiJQgXxLR1z8
+Hpx9MC/RoZenb0W91XZyJQXNRju2LOdeBH6ZJn/Hlmg
+-> ssh-ed25519 um7xWA o30H+3Rhpls2xpqAWDJl66vVXUUrqK81fDJK/50rH2U
+PfTo7R+IWCgSpEvdsaJChFruWjbHfLj+juo4qNPcFBE
+--- dQNI4Fa6u7he6MfjZuM4bCIdbvPCd29P3bQYI3G4m8k
+ëf£ÕÙBâ'&I“óìV{¶­Þ&#ÍÆ çÊÎy<C38E>ËêzT“¶

secrets/gitlab-initial-root-password.age

@@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5TwMg eLPwkzRRuLvUEPG3v8RXyRgpbHQUUQ3XAOVn4R7ZaHs
+6PnjHqaDsTsAsGJdZrPveXPyhrQyYeE5qBZPZQv6qVY
+-> ssh-rsa krWCLQ
+XXBnfV1JVNO6KBoTJmkaQssg+X29noa4/ZOul8DxIKfRYyKP0CKp6WMwwCc008ez
+xF4jn6Ul3FGrwcea+CFDlUpDSdnRB+lUx4ofhGgWg7yWSkHXCaTq8d2+bcHej/Sa
+OcXA+A/3QQZVtbq5LltnuuRua+ErZJxS708nyFyQB/enNeY01jIxGBUoPqsrWnYX
+NTNguh3MfYki/I0lkJzOaKSaAIYMQRIWk5aozBxuvM6sydrYyBm95C/+yxpmNrCE
+NMKW+VMa8r0oqVT7tvk/nwS8aLro8Nltrz7PJjZO1/+L3ll1BplWqu5sIHGMsxKS
+YQLLo1R7DSbc+R09og26FA
+-> ssh-ed25519 /vwQcQ GXAS6i1QRunaZNWpH6EH6GcQH9TEHTBpDpcf1tK90iI
+Ete8K//La4yPRD1aclnsAnJxr8uigLhj9KPNC7t6Rh0
+-> ssh-ed25519 0R97PA mYWmZmx6IRHxl4B7U1j5CjsknrQ+kkl6govKfpwcgFE
+eWFEpH9TWPXYllxHKlGjHhcCevuAp5YqzelMUaVPJww
+-> ssh-rsa jL+Elw
+F4gAHJWnannBaM/mHIOZbI+ZrkdKPpSmrTPyLZoQ2GkPT5wH4b5oyT46DVZ0vFNt
+wWr33/pZd+pskNNIP/8mTzP5vXurQanqwi1ocOwALk4n8mrwZdIKhENpRNuAMuJ+
+eVtRn8mKiv8NcTWHV1sJGWJYILum2bwccdVVMGr6jHJTYf4HgmxWqwiSxtQC22Av
+p+pybxDuRmKuPGm2QEYDtLKPfID9gaOq3tktYedDfE7DEoVN5Z2AUWxz29fpx+RJ
+FM7Be7tJEMDk2vVZL9OO4XVkP3Anfp8VyFtuK5mdoj5hIo+BqcrIy17KMu67cG3P
+lUJR3LphGjvs91/Dr4nW6Nh1tlp2V725fXIC5comj4WLI4FcdwB28MDjjIlBEr+8
+F+Wgs3Hk7qVR/82jy3SbGXil+oTosU0dWA+Idus1vbAZujTu94qoqq4flV3vxG42
+0vLtVRicctJWw7gBFJEts5FQQ1R+bMESu7ZVcOJyjzjPTV+r808UuPbQl4EUbLM5
+UeWNYbESJKMheZaa7R5/2KgSC9qjHtMFgXNNI8u8NXv9fEIhFzCBCVIEIfmZX9Kz
+DCG7wNLQ1KYqTMd1TLA54Zck2q6M1URSUaeuWHRcJGCVfhbhhj0pjFRiJLl0HVUl
+HWa4mYie37zMLhEjn44RwvWFTqxMWVioOv3J+u4dAVM
+-> ssh-ed25519 jIXfPA 3CVs+mSyME4RAlY+mSXC3mGs2tAwaduHeG6aBd6l/3E
+BSNCG3hyBh1Y8s5RfL62OKYyEuw4fx6Veo16jM5TTro
+-> ssh-ed25519 um7xWA ExkdVpnh0fsGZkttcep0kjtG8rR94Ij1qbsTui8p50w
+4ZVlX5Yq9jeiye18DATEZZgkkL4FPcvNPwK9rCvZJw4
+--- qq3MPYesi5jX2PKNiDiQF+SklABrjnhpgSrZ0gndzEU
+aaCêIwÚfXPùyçáÑçQ—îî¾¢™Ü¥©¯#¤–V9CÙI¬ÿZVà_o¹ä½

secrets/gitlab-ldap-password.age

@@ -0,0 +1,33 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5TwMg KOL0VBZmfIpF0UYzVhJMhNOMkutEd+kR2M6tV7fv6xI
+Rb1RjIN0cfJf4Vof0f4gyAEh34bLNFVo6QPLBFQHC0w
+-> ssh-rsa krWCLQ
+hGu9VuOtr0A93falVJvpMEm12yICl8LQZO3ujfzv7Sx0XCWFDRZ3Ua6pO8hPMoUK
++BCWaGwa4PQ7GnZ/jXfwoBAesaHUEFNMPq2omsXKOnwP7U9NGXFZT3oqdlCz1JYe
+SuT2WUKNKN9WD8uF/9oFajnCXTKr7Mls2i6P9Ga4RSu6GzC8iO0SEFiqLoueH9zC
+b4c2BPGDgSTY9TqURQmeZRTRIfjkmuM+RInP76caLeNcfpTdHLBEktr3i5Cdp6lR
+qFYDOk+JGGxzlKE+nvUsQUsvPurEUasZYdZCl4lz9T5RfoSYLEGJJOJaaiKdZbFP
+UVttJ3bCepb0CSNATRxwog
+-> ssh-ed25519 /vwQcQ wR+6w1i/pYWxGBUL/QvrlgNQWoejZ/Cze7cMBIrpJCQ
+VG8sk2pwP/6GNf2C/vAR9hW4IqTGRP4iS+U+3gLZnbI
+-> ssh-ed25519 0R97PA ODWKX8YbSJ+wVtJwdCJ5908zsgtXID4p+i6ivcuUInU
+XhQhJK3gEg5o5z4igNtk58u0CEJUdn7zm4StmR6dqYE
+-> ssh-rsa jL+Elw
+iLaUmUxTJtsRKJo5HguKn/PO7Nxr1/qXOTJZM5dyYO3xoJf7V2N+rrVsnRSafBnK
+oIpvkMsaeB+ENcZnAC0GeTmca2kQ6YJwn0Gtnz9r01GLYHgZ0FvNhxSk6VYXvZsg
+lZqmyOVGNcSRawwQrK2XsHIGjS9Zgrlvbp0yPxLppOiPTYU+6W7BWBR91alJBzzZ
+at1g9pcHJfMjAz7l3l3MIDg0YDu0hiKsnVCyAK+SXsnA94EuSYaPkvbvA53UVJUP
+jj5y0zapXuLqVmp9HtWguP37MhYFRxRcKp6O89qofaB9Dmw5rwpzQ2iHkok1N5l+
+qJXn2SKJcb6bn5RpPNgkmL5p5DSrt9GTj5HPnJW4MA5SlGBLSexnLhXU4pjUf0q9
+AtBVoBiqi5kHqU6Fx5qaO/kup5VD2I9c1iAEUoyHxPb6cn3BqpA0X9OWO+4c1RJp
+SvQn3GZ160q/c/7jAssp17teclPDGUj7YuVf7T3N+5olANAobZLYuO2Gp77r9pj/
+RupeQXvAMuk6GXqLu1wSEpwBPC+gOSc/iFm5wppwhyzKUoarOzOkSC/dy7dFGpvM
+npSNvI6cqcyT05FN5s/JMbPR3mvxKrvqAtrNn2L6+A7YNftMwxF7nSTlnAYsoAtn
+LJP2MGtH9o3SqAH7asOsXXi6f85Tl6zgVYSGQHkLTWE
+-> ssh-ed25519 jIXfPA Yzsg5EfxKrWwYzlU9S9XCY/MfXNcftynyNil6NIAVHY
+79bXZgmfkH3YEsmYfiJqgIJGG+4jpedHqA8vHMp1F+k
+-> ssh-ed25519 um7xWA +meoIcs80LfZZDUGKlxcqiuCl1QaatE4i6nx/ZsiNQQ
+j53yVGawECk8EMZRL4XvvqqlJbZZajTFPe3Cl4/ryYA
+--- Ouboqd0EKTrtuW/5P/KvN4hhPTEvki9NNSaohrDJp1g
+.âTŒ$ÅG'¨Ï^Z$ø`
+eEƒsÒ"Å3<L‰Í	8’Ô	¤Ùaÿ$ìŽãÔ

secrets/gitlab-otp-secret.age

@@ -0,0 +1,33 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5TwMg 3y5GveRaTnMe91zk6SHcbPVlXXEVeFHo3GIZNlWVSmg
+s+BiuROGQI3qGkCA8Ama8itspTFuVwdkYXjkulGvwh8
+-> ssh-rsa krWCLQ
+KZDpi1b5yHvKQ5iR9Wu44fVpYMtJcoab3SoJbVypgyJZDPdmKHPrtUyy6K4g6fJR
+f/+jJ/8roVAr4SiDCVZl7KtNUM7DgW3HRCWIQQHBoCxY61Sgm+E4OiqghM0Htm0r
+pGZkHxTSKQRfdBTBCpuM5/cYgXIE4TINT67RqIl+HpaG+jXbuIslFuPdJ9HUq/ty
+0zI7CwEMS/UXk0Fzc4S0ZWLnL2dCOCigYyb+xRWvu37lutM/7FIM2HNE44MVWNl3
+KQ0586k7WWT5MoBa8vu757LzC/lTeVbkWpI6keCFjo68vO0Ssli6WZYBLs6XOeHy
+kBX8pYWjQphuV+3bE2BFcw
+-> ssh-ed25519 /vwQcQ WW0caw79g1UIl7PAmNnCOuJmi7RhWjDFNzLeh4tHXnw
+45AjburCI/mtzIFNqJY51jt37yV94kfcL2i/vZANRTI
+-> ssh-ed25519 0R97PA JtkFAtoULFUAFcU5wIMGsHMBWcQdXNHpFMoYWyCi1Cw
+CbM+8NRP2/qhIYsP+137LwOFmU/rRnx7scAiPJDRHGI
+-> ssh-rsa jL+Elw
+Qq8SqS5AJ7D6zRIE83K2wlSRMepicfyjGaMk7h7OU8kxBZWKCYKzQavDyiwZTAA/
+04Ch639FDl7pOCKOUsYesI9TBgqhyS3kIIqO9PfqEbY5MFY0ZIKz2xhKHWz/5Vj9
+yfUfRzDXwoTRffxjDgJmDDFLaG8sxjfsAc/cQq6cnQQHMywh7MC2fFKOJqWrYqs3
+iKTaONn9WH8PD1FfcGSBfVqK3TkY53uLwNA8wLWlugeEq1oXsdjBvSXBMj4XuJ1c
+oUM5X6QaClmj2unPHjg83QUXm3vzzhhfS1xrMOCkOMhxi2mfj7BBa2LCPzGsn+2t
+A15pLXamHfG+vQjgbDsPA24TsgfZaRZUjF71QHiokGiQofd+S2zsAqr4AJ6cGZrW
+shmXEI8vIQNmyOtAlG1/DTZy/2dJSPuJExe8i0u2VyGAs/tLDJpG8B7o4bYF2786
+OQmzd9GSmSQT7MUhyEExWbq1mg4IyRHu+MGSIq6LgNNp6WR9hyTisq66zHr6lqgI
+W8qSd96frCEOqdshpetYroB9ohACj3hfe0rDa/+or8ORYlBMTjF8m6oJ6PECOwJA
+X2xsUMcQODp7qlQbNBNYbNgJKq+5BV0cWcuGPE07nl3/Jrff4dbFVaF523e8NrVR
+JGZPpp7Qopd+CyxwBm54o3IHxJI8pgN95WMeiOwaQ9M
+-> ssh-ed25519 jIXfPA FByI2pUpXdT8P5nrdbaJJmWtbpsdbzXV1kD6Xl56Cnk
+65PEEAWkAd0+GfU815XDJq1aa92dRPVmrTY2iyy9FZE
+-> ssh-ed25519 um7xWA PxSzlE8+VUQsWKgJPFcKQ6jUHTCZSSRafTe83y/0lyI
+t1I8OPaIeCOtIk3CWre4YctYn3sMyvgmkqFqHLW5NXQ
+--- F2xpctG5N9DQ2ro+SdhIt+FtZdW7UQrya6PzsQLj1eM
+Þ––¦p#$†Ì„Ãü$sÄp¢ÅvQ›æmÂÓ
+A‚Š‰aæø4

secrets/secrets.nix

@@ -26,6 +26,7 @@ let
   indico-admins = active-admins;
   grafana-admins = active-admins;
   alertbot-admins = active-admins;
+  gitlab-admins = active-admins;
   servers = [
     estragon
     wagon
@@ -54,4 +55,11 @@ in
     "vogon-wg-infra-key.age".publicKeys = [ vogon ] ++ wg-admins;
     "grafana-ldap-bind-password.age".publicKeys = [ martagon ] ++ grafana-admins;
     "alertbot-matrix-password.age".publicKeys = [ martagon ] ++ alertbot-admins;
+    "gitlab-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-otp-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-db-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-jws-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-db-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-initial-root-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-ldap-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
   }