From d672a1d1ee715acd2fc22429927d4ab9594bdd9b Mon Sep 17 00:00:00 2001
From: Jeltz <jeltz@federez.net>
Date: Sat, 5 Apr 2025 20:40:09 +0200
Subject: [PATCH] gitlab: store secrets in age

Signed-off-by: Jeltz <jeltz@federez.net>
---
 profiles/gitlab.nix                      |  35 +++++++++++++++++------
 secrets/gitlab-db-password.age           |  32 +++++++++++++++++++++
 secrets/gitlab-db-secret.age             |  32 +++++++++++++++++++++
 secrets/gitlab-initial-root-password.age |  32 +++++++++++++++++++++
 secrets/gitlab-jws-secret.age            | Bin 0 -> 3433 bytes
 secrets/gitlab-ldap-password.age         |  33 +++++++++++++++++++++
 secrets/gitlab-otp-secret.age            |  33 +++++++++++++++++++++
 secrets/gitlab-secret.age                | Bin 0 -> 1738 bytes
 secrets/secrets.nix                      |   8 ++++++
 9 files changed, 196 insertions(+), 9 deletions(-)
 create mode 100644 secrets/gitlab-db-password.age
 create mode 100644 secrets/gitlab-db-secret.age
 create mode 100644 secrets/gitlab-initial-root-password.age
 create mode 100644 secrets/gitlab-jws-secret.age
 create mode 100644 secrets/gitlab-ldap-password.age
 create mode 100644 secrets/gitlab-otp-secret.age
 create mode 100644 secrets/gitlab-secret.age

diff --git a/profiles/gitlab.nix b/profiles/gitlab.nix
index cbccec0..36f83af 100644
--- a/profiles/gitlab.nix
+++ b/profiles/gitlab.nix
@@ -1,13 +1,31 @@
-{ pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.gitlab;
+  secrets = config.age.secrets;
+in
+{
+  age.secrets = lib.mapAttrs
+    (_: f: { file = f; owner = cfg.user; group = cfg.group; })
+    {
+      gitlab-secret = ../secrets/gitlab-secret.age;
+      gitlab-otp-secret = ../secrets/gitlab-otp-secret.age;
+      gitlab-db-secret = ../secrets/gitlab-db-secret.age;
+      gitlab-jws-secret = ../secrets/gitlab-jws-secret.age;
+      gitlab-db-password = ../secrets/gitlab-db-password.age;
+      gitlab-initial-root-password = ../secrets/gitlab-initial-root-password.age;
+      gitlab-ldap-password = ../secrets/gitlab-ldap-password.age;
+    };
+
   services.gitlab = {
     enable = true;
-    databasePasswordFile = pkgs.writeText "dbPassword" "xxx";
-    initialRootPasswordFile = pkgs.writeText "rootPassword" "xxx";
+    databasePasswordFile = secrets.gitlab-db-password.path;
+    initialRootPasswordFile = secrets.gitlab-initial-root-password.path;
     secrets = {
-      secretFile = pkgs.writeText "secret" "xxx";
-      otpFile = pkgs.writeText "otpsecret" "xxx";
-      dbFile = pkgs.writeText "dbsecret" "xxx";
-      jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+      secretFile = secrets.gitlab-secret.path;
+      otpFile = secrets.gitlab-otp-secret.path;
+      dbFile = secrets.gitlab-db-secret.path;
+      jwsFile = secrets.gitlab-jws-secret.path;
     };
     extraConfig.ldap = {
       enabled = true;
@@ -19,7 +37,7 @@
           uid = "uid";
           method = "tls";
           bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
-          password = "xxx";
+          password = { _secret = secrets.gitlab-ldap-password.path; };
           active_directory = false;
           allow_username_or_email_login = false;
           block_auto_created_users = false;
@@ -30,7 +48,6 @@
     };
   };
 
-  
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;
diff --git a/secrets/gitlab-db-password.age b/secrets/gitlab-db-password.age
new file mode 100644
index 0000000..7ccbab6
--- /dev/null
+++ b/secrets/gitlab-db-password.age
@@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5TwMg n0wufFDOd6evVD9b6NZMJYYaJyw7QyFyXwg4ftbUG2o
+fc/HkB+kV2RB77SRrNwRRyfCcnlwwOYCUntBo8599pQ
+-> ssh-rsa krWCLQ
+0KejmiN6LEg74mC1Lx/DuTtFpn0SUZKUiJG3P3GF0Hu6jOU3Oh80HywlIjCIJdyy
+H+DFon3UVpC/ZMaLme51CTKFkeC6DBCd2tyIbwEvqh/LevldOEEspQfdXDICDlRG
+k/1kvcwwELnH5aCWQiUun+jy2Fs9f50C81MBNh3GHbSYEusTPLk4omm5QQ2QsM/M
+wIcILzWG5cVodWwZr209Bg5HOnEp0x783EIucWR1v8/GknJPHSMiv7hxGS/rVoCm
+4IFsz4zlPsHOZVqURIoFdE9EFr+j5cpCdw4lxOiFhVSWrWynqGmZ/FFB5AqJCQQn
+QxW1CFTM8O9CP57+nzRffA
+-> ssh-ed25519 /vwQcQ Ibq7pr/RXh+alWH/HDU6dvEeREp+slu357MTIxO2ME0
+8wA3U0C22pLX2EzCRR6t2LFtAR+mOpQyGAKDWPBd19E
+-> ssh-ed25519 0R97PA UcKZB0V1M1ckpNlQ/9zGkDF/Umr9zwhYp3x0+lGLsXo
+MoZ/8mjSMPPG1/ezsvNIUonllGvzbBKz77h47nri3w8
+-> ssh-rsa jL+Elw
+MWbJ+XUhgdWYUcbDRqLwTmDvwBxmfCMpMP5Y4Zm3jug9zTMQrTIkN2R9ceclqo9Q
+M2oTcHhS0GsQTuMt2Gd7ho0chHDv1DmuilJpas+XpiZPTL6L+8F1s9r0d7MX1hwT
+v4FRwziCVRAjRtn+fH2T57u9T9e5mQ1aZ8GdlCEB0GttAb8YAE6+FSMtVIN0/sKp
+d2pm6kLpTlJUuLM+eCRNRAR5noJgeBNwHV8z02Kl6KRI/sQPXrPSwjzxATMNF9Ek
+r+waJBrEbqpUO5fgnXOS4nTPAB98MasAvV/X728Lfnz47qb2+BjL7C3kkO08YflT
+nRPBV6NSO7BvtCXi6Ad6BowErrltjRy+UmZL0yEtJl/FlUwkaexf20vMDZfRsEcK
+96zd8dj1KWDt+fnhxDS0Q4YLyn0/GzMuktjakgCZrjb9G1ux9MzKSzNP8SzWEZX0
+E0yWGXm8z3YFJnYtAYTwO6APyVkrEJ5Hg38kwkqnOxn7JoEALb+4tUBv6CM5hQr/
+clGq2I1H+BSF+KN/hjajYoskgLLUnFHsHE+np2F8+vBHUc3AmRmt9mxsuGipA5Jb
+TDOkqlqlFV2bbaSxHRQFNXT7I9H/MzhDLDq8RjNW9M9mD3cLm310RH7yWgcs8k9g
+LnD+b8E+3GheeOKlG/bVhbHNBOXsHV3E/zN/Wf4+/Qc
+-> ssh-ed25519 jIXfPA qegll2Df+qlfxxUaNSknpUrBeSuFp/jFlBPTKHow1xk
+T+5vbn2CVE1df4lo7imzTE+Z4AudX+RgmyERQZUoPZk
+-> ssh-ed25519 um7xWA 9O/XsY4ypXE83MLgunawEADLyNHlGbYgD/NqoUazTys
+vF1wGSBw7EhMmOwYr3fgXz/+hw8i54LBzWIlNXHK+OU
+--- dj78cC17wxYwHBkvl2vo5+9bnnUZECEl5ZJn8hm1UeY
+5ÆzÔ%ºX&–.Á“ï‹‚ŽQÐ>j`oŒÀ´Y’øª“Zêö(ð¯<w&“D
\ No newline at end of file
diff --git a/secrets/gitlab-db-secret.age b/secrets/gitlab-db-secret.age
new file mode 100644
index 0000000..ab20355
--- /dev/null
+++ b/secrets/gitlab-db-secret.age
@@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5TwMg fZbPOfiAhoCr9fnNR/pMrInFyT98vEAfDFFsaWKCCFY
++J4sqflS6u0iynvStw+K4nuPhRqq+TJJDTiWUhFDmbo
+-> ssh-rsa krWCLQ
+nQJKJWWkbOFQPeEjsM3yMqfKkWjtxWCsjFqguk9+wytHZxYQYZ3174Njoi5qPqfb
+X3RA8xl7hxvDYqsGCCSwmZx4YdOF8T3mrzdageyFPJ9Jxw1iJx319QBQC9cMuWeI
+1/aIhwq0ntR+FNqHLgCwvnqsg1YikXCRi3dhYLm1iSn+oDgutqyo2/iFiJEFWU7+
+bPBOETMwyBbWXDiazoa8TvU8+9eh9Srm/uFGE9bUDK5tmu1++AkQcsaWDvGudbQ7
+9pvc12Pv0bMqG3tantxEelhm0mBCUynDr4PAMP3feqZ3Oyylcl8zUl0KHacljAsF
+rAVfrONPHNM7nMUSQ8r6qA
+-> ssh-ed25519 /vwQcQ 2ABiP0NRQF1e0wD9OZUbrbWdX7K2XOl7b+1xPLys7ws
+vdcdmFhE3A+IoTwvkVVepLmAcaejJyGfX0CZLshRogo
+-> ssh-ed25519 0R97PA GkJfihQnAAV1uVqG+M1up28TC4mRY7cFFnbEUM2hBjI
+sv5mFw8MRMEj9cJV7RyWdTJYFsibCdp87bpn6YiJOHQ
+-> ssh-rsa jL+Elw
+HIsPWQAVq7i9aWnWTDh9rFmNOTbRG1Pud0KU0DPpsPKRM6UMr3w9BqHv7tXQUzB7
+QLsdfT2vHQjcpGJ3V6EE9e+0mHoeeB0feWwASdZp8H0rK7iTzfUddwOH4Wc3uXPK
+yZmgR503RP4BLNBc5HEyr52AkCKM6F/OuIZjLW8J89oL1JqDiGngXD0zCBRpLTIE
+yHIOdq4/JctbLAnQDBd52SLmXKZ2WSh0c+lf7TZxq9L3lU/FG++MExuoGqHVuGUv
+yEo55zH+a+SqIz+dL7peKVtgCrQhennESxq1sREwQJqnMZfLLM2MG+DgVZQ3KKwI
+DfGBnuu8NXC8fp28xg4JjSqi9KzWLYsuI4Pb8TjD1D4FFRiEvWZTnHV1uM4flDDs
+mr6+yOP98Ju/gPMxMA68f/JV4xN53FtZpNi8NoeXZHmDpBjBL+ONQha078WdlICd
+0Hx+addJyA+XMNLMoixHftR+cwiw+ByKnFVWzdXk7rkxHYgDlKDAAgErc2TkKa5N
+2H3jawwuj8Cs9Rh9Ma7a6F8rEXpR/gy7mLTmRZF3fnK+0gyZ2ln6d9eJhEk64pTY
+PqFDcFu3y6iidw+3IupHQqo1heH8WXaITtJi638VhVYUsozvWQw8OY1TCXPyQoJD
+B0mdNqm/CFGs+gHgMCjS7N2ee/CtJu5luUuUaHQzdOg
+-> ssh-ed25519 jIXfPA N+jtq8NQ+3ufDqa6H3/xvrordQF0jDUPiJQgXxLR1z8
+Hpx9MC/RoZenb0W91XZyJQXNRju2LOdeBH6ZJn/Hlmg
+-> ssh-ed25519 um7xWA o30H+3Rhpls2xpqAWDJl66vVXUUrqK81fDJK/50rH2U
+PfTo7R+IWCgSpEvdsaJChFruWjbHfLj+juo4qNPcFBE
+--- dQNI4Fa6u7he6MfjZuM4bCIdbvPCd29P3bQYI3G4m8k
+ëf£ÕÙBâ'&I“óìV{¶­Þ&#ÍÆ çÊÎyËêzT“¶
\ No newline at end of file
diff --git a/secrets/gitlab-initial-root-password.age b/secrets/gitlab-initial-root-password.age
new file mode 100644
index 0000000..30b6c52
--- /dev/null
+++ b/secrets/gitlab-initial-root-password.age
@@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5TwMg eLPwkzRRuLvUEPG3v8RXyRgpbHQUUQ3XAOVn4R7ZaHs
+6PnjHqaDsTsAsGJdZrPveXPyhrQyYeE5qBZPZQv6qVY
+-> ssh-rsa krWCLQ
+XXBnfV1JVNO6KBoTJmkaQssg+X29noa4/ZOul8DxIKfRYyKP0CKp6WMwwCc008ez
+xF4jn6Ul3FGrwcea+CFDlUpDSdnRB+lUx4ofhGgWg7yWSkHXCaTq8d2+bcHej/Sa
+OcXA+A/3QQZVtbq5LltnuuRua+ErZJxS708nyFyQB/enNeY01jIxGBUoPqsrWnYX
+NTNguh3MfYki/I0lkJzOaKSaAIYMQRIWk5aozBxuvM6sydrYyBm95C/+yxpmNrCE
+NMKW+VMa8r0oqVT7tvk/nwS8aLro8Nltrz7PJjZO1/+L3ll1BplWqu5sIHGMsxKS
+YQLLo1R7DSbc+R09og26FA
+-> ssh-ed25519 /vwQcQ GXAS6i1QRunaZNWpH6EH6GcQH9TEHTBpDpcf1tK90iI
+Ete8K//La4yPRD1aclnsAnJxr8uigLhj9KPNC7t6Rh0
+-> ssh-ed25519 0R97PA mYWmZmx6IRHxl4B7U1j5CjsknrQ+kkl6govKfpwcgFE
+eWFEpH9TWPXYllxHKlGjHhcCevuAp5YqzelMUaVPJww
+-> ssh-rsa jL+Elw
+F4gAHJWnannBaM/mHIOZbI+ZrkdKPpSmrTPyLZoQ2GkPT5wH4b5oyT46DVZ0vFNt
+wWr33/pZd+pskNNIP/8mTzP5vXurQanqwi1ocOwALk4n8mrwZdIKhENpRNuAMuJ+
+eVtRn8mKiv8NcTWHV1sJGWJYILum2bwccdVVMGr6jHJTYf4HgmxWqwiSxtQC22Av
+p+pybxDuRmKuPGm2QEYDtLKPfID9gaOq3tktYedDfE7DEoVN5Z2AUWxz29fpx+RJ
+FM7Be7tJEMDk2vVZL9OO4XVkP3Anfp8VyFtuK5mdoj5hIo+BqcrIy17KMu67cG3P
+lUJR3LphGjvs91/Dr4nW6Nh1tlp2V725fXIC5comj4WLI4FcdwB28MDjjIlBEr+8
+F+Wgs3Hk7qVR/82jy3SbGXil+oTosU0dWA+Idus1vbAZujTu94qoqq4flV3vxG42
+0vLtVRicctJWw7gBFJEts5FQQ1R+bMESu7ZVcOJyjzjPTV+r808UuPbQl4EUbLM5
+UeWNYbESJKMheZaa7R5/2KgSC9qjHtMFgXNNI8u8NXv9fEIhFzCBCVIEIfmZX9Kz
+DCG7wNLQ1KYqTMd1TLA54Zck2q6M1URSUaeuWHRcJGCVfhbhhj0pjFRiJLl0HVUl
+HWa4mYie37zMLhEjn44RwvWFTqxMWVioOv3J+u4dAVM
+-> ssh-ed25519 jIXfPA 3CVs+mSyME4RAlY+mSXC3mGs2tAwaduHeG6aBd6l/3E
+BSNCG3hyBh1Y8s5RfL62OKYyEuw4fx6Veo16jM5TTro
+-> ssh-ed25519 um7xWA ExkdVpnh0fsGZkttcep0kjtG8rR94Ij1qbsTui8p50w
+4ZVlX5Yq9jeiye18DATEZZgkkL4FPcvNPwK9rCvZJw4
+--- qq3MPYesi5jX2PKNiDiQF+SklABrjnhpgSrZ0gndzEU
+aaCêIwÚfXPùyçáÑçQ—îî¾¢™Ü¥©¯#¤–V9CÙI¬ÿZVà_o¹ä½
\ No newline at end of file
diff --git a/secrets/gitlab-jws-secret.age b/secrets/gitlab-jws-secret.age
new file mode 100644
index 0000000000000000000000000000000000000000..a47319413567885b02521ba8305462d9b8a4e2ce
GIT binary patch
literal 3433
zcmZ9M_kR=x8pa7A#H9-&pg=B(v`yGvhQ2%7`^@$UkZhT<Wwy-DY%?GwG-(o=Ae<DX
zN+*Jl&@ll50#c;+B2B8{auAREf&1b9g74>fzt8h}aI_eW_^3>b4n!jZqZH0b@>s>g
z@)8N681?f-A|8;Z7THopJWnA@f*b{<(wk8?U!#E3LM$RrS_5v6*~<-NtY(9k)WK1X
z+?irAAqWvgpg`1Ph(=5yW6WfMvV1{C=#Pi+aEJ~^v~o5m06^6Do<=1+c_GRP8X#80
z5ik*0Tti01v`4_fLhf|f5|ewq6huJ)iSuQMKNTPXDv3}ScDRITKO1ss{fx=QXnl^9
zj-^U#MHVVxHi$@B)(Y#rga``g><)zzC9{6WPRkGr;|uW>K|5)HgFxEC205v;(HB$;
zt$>})3Sdksl7P)>J<sd03n9d<aTv0^NQeMqnT!vMDY$7L;pUpdj8Ye4GEpM#C7kJ`
zO^|d6O{AU0xMMy{pl7sNy+UR1qXdaiq9_VDY&4h!WEPh!O~w)e%B`0eFu#u<RH9)?
z0sylKoYab)85T#Wj%MSqR?GEx<K~1_LRm9upC7VeYB{DueGVaqBlCwcR$(><ut_r%
z!DI=3QbJ*&hz!-itbjADFdNgF6z%b)jaHox#5ExP{@U-|a*`>?2jyv<R+=)yE(Cy_
z9=lrSlFEfzfkFqmi8K<EiqI&Dx)hPLQ66I9xJl@tK&LgNArk=y?!{$t7*^`6L9dh&
zXv`rI*QZwyNr&uzZr{_mFd(tW@*?c01M<lD2q2E}X$_`Og>fh=qnUt}LcEM4gg`Ni
zBoL-jJ{BOCClf}!BC0a;y`;t-4#rY2Cu#O^d`Xm$Kt?eng(0OQ4ocr=`)`wi2DUPs
zVuex}4~|$YOjN^>2gNdp1~ZGLX%bT~7OoV~fmVeYj;ADyIDueEo{P^!(y&NrHT%sx
zs{z)tkSHC=#L#d|#-TAlBv*(j83$p4(IhSb%^4fpt@80Wk^~(K`!x_hnm`bxk`~Fi
zKFDYw0D@&ndc+ah<`-JgEar4)OfEF&0oc)aMh`gM0$WPvM(mu7PN!AMahj`kf?6Du
z$|)BwVRtJHAdBMoy=Wl94Vge(CCmcKtR)Zz-C_vfAv8rN!wMecQ=)d<Y!kvf4ed?o
z;t<G3DVr#j(L)NBU&6=PDwCPE(eLmgMGA5NPCegFIMg8<?t#@>P8N>`;|e8PLTUUW
z6a(TyAIBdLCsE9ciCDq37LzG)2$KgX(>u-5FrHK-<zBrKL+mt|fwif0$Q~A1vjnX|
ziA+$Y4Mt6fJ>aqlqI|~85<4SqE}zfCC{XE5S#&5vP->ssizMtApES!tN*xdO%Sk>i
z5nus{FRjR$Np-}e;AF!I6tT06YRHItQ(-XXh*-!>z+_PZLXRd4Ce#Q>`mwai%g!1A
zENviC$~eVkY)FjYgyN!zRHmdIHkO%)i4$p&!A6OKlqCY&96>h2<tE%FsgTHOViGS0
zOo36IC1BGAJUnh#9t@<!aRG#A6_n`RY|K0boZvcyf~Y@Yu_h39Sc)N*pi8NUI3S0E
zAA`hPrz#6#j8N_a!X7EXPP<&FC2aKYC}&*CvPyhnwm=kx5h4g8N*odLd}1*Q=p~d`
zMo8o!2luAgB0p$^-uL+ZYJyr9_HH$Fh>@#6cS>yJ!~l;)tm5HJ)Flcy0VWw$r4&Y~
zJ&wz*oR}@dQg8yeGQ|#R9Y(_MH}b530HTNNStEpy&R8-j4QD+B>hY#Hq5r2bq$KT>
z<wX-}jz}&SCmBvA9d*h{xfS4x=_siU8;nkY6g8=%AvWVrM{t%MHOa9sTM1_HsE$k!
zN*5Luh9ofJr-G2dYthFAW|fby)0%hLii`6CQKu92k=8iiBH6q^6vi_ay%Z0Uut~^M
z8h9SHEy1H<qk^wxF(lfd({XEcu<eoAJ5D;Pei-k)_^1m~m)ErFg$g~C8d}@X|8eE%
z1)|Zbrf$z~0n3l9X!vx1Vs>Lc6Fy(pd4XiddinL%!|B#@CYP6258HI|bm*o1aABY0
zo|y7QZN^C+pKX2jIpBiIqA!riTiZ^&(`&=QoaeVQnF&>EaAEV$Yg_M`+U_giAB{`t
zN$IA(wxN3C+^Nr`-paB~Z4J*Z#Rs*TN3`yVO_*DJ=o|Hs=kTxV_+#AWZ7cf2*G}JA
zfAH(2>_34{z>EW@7gVor0;caPeEf32cdN|>FWequ(|3stgU1xmjeQT)tdl?Mxa3w2
zQ@mkI-~Bf}Sk%Y2trx!Kd?UK2zS-re8@pXR(_G$rUoT$K`~$BaZF^b&I=f((gk4%O
zG&iwzX8Vgbrdu7n5!!w7XT2VGPDyTO`nR05eci*Nr8fTL5&t@yK39ayz4GclWAf5e
zDfeWz7r-5E=YplRA6C{sA9pI}9{0wf4jroIFaPr!e|GzXTX`2OEJ5k>vXA?Wp0jD+
zux8)%KG60zu;%`Nu>-ywJ>$fQyyVLBYU!dQBh0n=$F_QZxkvT*v3Itg^sA-K3^jxH
z->B=ltf+kdFK`s;YD>)dGu~xSW1EgW0DAV+r(fEt?cB`^`_%6Id)~f^L03=THecv)
zICZ>5Pt_Mck6LS=_lfM>#TRe#wnBfs!NL{4%)0Ynk_4XEs>MHdk7+;iz>d3<UZtx)
z8_;uPhmux0C2!2|*C$HK``moE-!ZbVC2z&@aWr}C<VRH;{;}bcrQaT}zO-d#!*84S
ztytUq%Sn}Qe*V1K{wJds&dB*l=dPNBJb9oWNvHRGA!e}`AHBjB5qF!d1ctemH=jdR
zmHWMuN-Cb*F3F$0Yps80!*lLt==JH!i5D+-7)3}YcKf|)_^mQS{$l;?S64QFpE2>a
zMu`mvE;Q|0#~Cz=`ta4|Xt!Ez(Q@+bicrH*aN*TS+{J?(;|`5m;VKz<qeBzWYvCEq
zdGt|%WLQPd^4u$l%h~c~G4S%^g7L=krcSxnHCv93UAV60{#gC)pSzJA#}C|(=kD9G
zy3<ch+t5#TkNtai_p)Jc3!SyZG~W4_z^uFLYniE+XDm)uJo$Y{j;;*WwJc$d-6OYt
z7}$99L1@G@Pp8IyvnF5K#Q9|)xBe?L82GiU`;k2tOAp4=B|o05=-kv_LG_<=3B9w+
zXM8x>G^ru`uwl{uP3;=%SHB&q+rIl7S#Ef=vCpc8M<ajD8(jMF`LSzbH$#8vZY*z(
z5$)C^Z@+zhzT?w1yZ&r{jULh?qOtBB{dn<^CHJRzR^{f`*<RloQq#gLsAzrQA+S-#
zm&>6Yt9lp=|6sb@FM2Uz#nH-Bhgt1zgq{+m`8eA8lJfcG-J^PjjuwnB8Y=%BGZZkj
zOZ3GwXE;ajVBosnH-+{ud!rlq#i?m)pUGNG??3I@#_b2695rs=b(1rG27AW(C9w<N
z<?pUOg?~~}XNAXo;3NK0Kb&2G?`s$^Rg=81{SsBs^3kdfBquwS>||_)&;D)wq4-Mv
z_)Jf)^=SoSK6Uk8zdi1@gL09h4=zoqe^Whe!QSzgPCkv)jF>RddHI;pwlyP36_(EF
z(^s}4x`yb~Zc1@rT=`YcPuVHgM^>dTPbhmqU(9b`eXsJ5>MpOplVVj%;28{0acjhe
z-&?42Cba*ke)WQ7jb~k-=5%gfCM?MvcCT&juQT?3RMN5T>9~c5^X_)c#S3e0AMQP`
z%M0D|!uefy#&^~a*>vVB#b>_N)g9*UdRlg?ZqfQzb-T{ZPLJ+eqkcQRlo~u^kVn+6
z)s7R*Mku@Xz5gJsz!vrS`bemaTV3$2^+cm&C3|p=`ev+SUEUu<hV@%Af8P9Kv3OSo
zzU?ZmTUeQRws>ce+GpPPsC(!0<h`6^%j|BGwsH8Ew|n<UoW4-^c8`<parXOlA1_<E
zcHGxjR&KfYz5n3tLeY|+CXYN9;)e$ve8m*;7mZJ}9(nCmJFu{Ntp1<fKkT<cG_O2c
zmO{UOS$>PX=H`o<N7~{+=hmaSOUK;oQZ{!LwD6|je5By0^=)a@q(j?FYCfIW<;~!R
zHlcY3EB>`^n-z#Ly{?`eIPD+(TlG`I<BGTDxBo%FN?xyQHmcP@$@DhGvOYxXA4mDB
zMm$4!sq8cA`Z>Wh?yQZa;dYPr-Z`_AxZd|{YTc;vy?en$8(_hi4rRyhwkp}g@orZB
z{B7*;;z6MA<6X(254Y-#zxCBNR}7BVulaGo*N@r^RxC}`?4%CPvmX|!3hTR{Sg6li
zHg)@j^jI$CpV_08$$LzF>(1wG|JpgP9U3U|1`j2x%5xrE?7a9~kC!`|k;x<I4^!Ui
Hmhk@rlqrf8

literal 0
HcmV?d00001

diff --git a/secrets/gitlab-ldap-password.age b/secrets/gitlab-ldap-password.age
new file mode 100644
index 0000000..2bc854d
--- /dev/null
+++ b/secrets/gitlab-ldap-password.age
@@ -0,0 +1,33 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5TwMg KOL0VBZmfIpF0UYzVhJMhNOMkutEd+kR2M6tV7fv6xI
+Rb1RjIN0cfJf4Vof0f4gyAEh34bLNFVo6QPLBFQHC0w
+-> ssh-rsa krWCLQ
+hGu9VuOtr0A93falVJvpMEm12yICl8LQZO3ujfzv7Sx0XCWFDRZ3Ua6pO8hPMoUK
++BCWaGwa4PQ7GnZ/jXfwoBAesaHUEFNMPq2omsXKOnwP7U9NGXFZT3oqdlCz1JYe
+SuT2WUKNKN9WD8uF/9oFajnCXTKr7Mls2i6P9Ga4RSu6GzC8iO0SEFiqLoueH9zC
+b4c2BPGDgSTY9TqURQmeZRTRIfjkmuM+RInP76caLeNcfpTdHLBEktr3i5Cdp6lR
+qFYDOk+JGGxzlKE+nvUsQUsvPurEUasZYdZCl4lz9T5RfoSYLEGJJOJaaiKdZbFP
+UVttJ3bCepb0CSNATRxwog
+-> ssh-ed25519 /vwQcQ wR+6w1i/pYWxGBUL/QvrlgNQWoejZ/Cze7cMBIrpJCQ
+VG8sk2pwP/6GNf2C/vAR9hW4IqTGRP4iS+U+3gLZnbI
+-> ssh-ed25519 0R97PA ODWKX8YbSJ+wVtJwdCJ5908zsgtXID4p+i6ivcuUInU
+XhQhJK3gEg5o5z4igNtk58u0CEJUdn7zm4StmR6dqYE
+-> ssh-rsa jL+Elw
+iLaUmUxTJtsRKJo5HguKn/PO7Nxr1/qXOTJZM5dyYO3xoJf7V2N+rrVsnRSafBnK
+oIpvkMsaeB+ENcZnAC0GeTmca2kQ6YJwn0Gtnz9r01GLYHgZ0FvNhxSk6VYXvZsg
+lZqmyOVGNcSRawwQrK2XsHIGjS9Zgrlvbp0yPxLppOiPTYU+6W7BWBR91alJBzzZ
+at1g9pcHJfMjAz7l3l3MIDg0YDu0hiKsnVCyAK+SXsnA94EuSYaPkvbvA53UVJUP
+jj5y0zapXuLqVmp9HtWguP37MhYFRxRcKp6O89qofaB9Dmw5rwpzQ2iHkok1N5l+
+qJXn2SKJcb6bn5RpPNgkmL5p5DSrt9GTj5HPnJW4MA5SlGBLSexnLhXU4pjUf0q9
+AtBVoBiqi5kHqU6Fx5qaO/kup5VD2I9c1iAEUoyHxPb6cn3BqpA0X9OWO+4c1RJp
+SvQn3GZ160q/c/7jAssp17teclPDGUj7YuVf7T3N+5olANAobZLYuO2Gp77r9pj/
+RupeQXvAMuk6GXqLu1wSEpwBPC+gOSc/iFm5wppwhyzKUoarOzOkSC/dy7dFGpvM
+npSNvI6cqcyT05FN5s/JMbPR3mvxKrvqAtrNn2L6+A7YNftMwxF7nSTlnAYsoAtn
+LJP2MGtH9o3SqAH7asOsXXi6f85Tl6zgVYSGQHkLTWE
+-> ssh-ed25519 jIXfPA Yzsg5EfxKrWwYzlU9S9XCY/MfXNcftynyNil6NIAVHY
+79bXZgmfkH3YEsmYfiJqgIJGG+4jpedHqA8vHMp1F+k
+-> ssh-ed25519 um7xWA +meoIcs80LfZZDUGKlxcqiuCl1QaatE4i6nx/ZsiNQQ
+j53yVGawECk8EMZRL4XvvqqlJbZZajTFPe3Cl4/ryYA
+--- Ouboqd0EKTrtuW/5P/KvN4hhPTEvki9NNSaohrDJp1g
+.âTŒ$ÅG'¨Ï^Z$ø`
+eEƒsÒ"Å3<L‰Í	8’Ô	¤Ùaÿ$ìŽãÔ
\ No newline at end of file
diff --git a/secrets/gitlab-otp-secret.age b/secrets/gitlab-otp-secret.age
new file mode 100644
index 0000000..a17e2fc
--- /dev/null
+++ b/secrets/gitlab-otp-secret.age
@@ -0,0 +1,33 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5TwMg 3y5GveRaTnMe91zk6SHcbPVlXXEVeFHo3GIZNlWVSmg
+s+BiuROGQI3qGkCA8Ama8itspTFuVwdkYXjkulGvwh8
+-> ssh-rsa krWCLQ
+KZDpi1b5yHvKQ5iR9Wu44fVpYMtJcoab3SoJbVypgyJZDPdmKHPrtUyy6K4g6fJR
+f/+jJ/8roVAr4SiDCVZl7KtNUM7DgW3HRCWIQQHBoCxY61Sgm+E4OiqghM0Htm0r
+pGZkHxTSKQRfdBTBCpuM5/cYgXIE4TINT67RqIl+HpaG+jXbuIslFuPdJ9HUq/ty
+0zI7CwEMS/UXk0Fzc4S0ZWLnL2dCOCigYyb+xRWvu37lutM/7FIM2HNE44MVWNl3
+KQ0586k7WWT5MoBa8vu757LzC/lTeVbkWpI6keCFjo68vO0Ssli6WZYBLs6XOeHy
+kBX8pYWjQphuV+3bE2BFcw
+-> ssh-ed25519 /vwQcQ WW0caw79g1UIl7PAmNnCOuJmi7RhWjDFNzLeh4tHXnw
+45AjburCI/mtzIFNqJY51jt37yV94kfcL2i/vZANRTI
+-> ssh-ed25519 0R97PA JtkFAtoULFUAFcU5wIMGsHMBWcQdXNHpFMoYWyCi1Cw
+CbM+8NRP2/qhIYsP+137LwOFmU/rRnx7scAiPJDRHGI
+-> ssh-rsa jL+Elw
+Qq8SqS5AJ7D6zRIE83K2wlSRMepicfyjGaMk7h7OU8kxBZWKCYKzQavDyiwZTAA/
+04Ch639FDl7pOCKOUsYesI9TBgqhyS3kIIqO9PfqEbY5MFY0ZIKz2xhKHWz/5Vj9
+yfUfRzDXwoTRffxjDgJmDDFLaG8sxjfsAc/cQq6cnQQHMywh7MC2fFKOJqWrYqs3
+iKTaONn9WH8PD1FfcGSBfVqK3TkY53uLwNA8wLWlugeEq1oXsdjBvSXBMj4XuJ1c
+oUM5X6QaClmj2unPHjg83QUXm3vzzhhfS1xrMOCkOMhxi2mfj7BBa2LCPzGsn+2t
+A15pLXamHfG+vQjgbDsPA24TsgfZaRZUjF71QHiokGiQofd+S2zsAqr4AJ6cGZrW
+shmXEI8vIQNmyOtAlG1/DTZy/2dJSPuJExe8i0u2VyGAs/tLDJpG8B7o4bYF2786
+OQmzd9GSmSQT7MUhyEExWbq1mg4IyRHu+MGSIq6LgNNp6WR9hyTisq66zHr6lqgI
+W8qSd96frCEOqdshpetYroB9ohACj3hfe0rDa/+or8ORYlBMTjF8m6oJ6PECOwJA
+X2xsUMcQODp7qlQbNBNYbNgJKq+5BV0cWcuGPE07nl3/Jrff4dbFVaF523e8NrVR
+JGZPpp7Qopd+CyxwBm54o3IHxJI8pgN95WMeiOwaQ9M
+-> ssh-ed25519 jIXfPA FByI2pUpXdT8P5nrdbaJJmWtbpsdbzXV1kD6Xl56Cnk
+65PEEAWkAd0+GfU815XDJq1aa92dRPVmrTY2iyy9FZE
+-> ssh-ed25519 um7xWA PxSzlE8+VUQsWKgJPFcKQ6jUHTCZSSRafTe83y/0lyI
+t1I8OPaIeCOtIk3CWre4YctYn3sMyvgmkqFqHLW5NXQ
+--- F2xpctG5N9DQ2ro+SdhIt+FtZdW7UQrya6PzsQLj1eM
+Þ––¦p#$†Ì„Ãü$sÄp¢ÅvQ›æmÂÓ
+A‚Š‰aæø4
\ No newline at end of file
diff --git a/secrets/gitlab-secret.age b/secrets/gitlab-secret.age
new file mode 100644
index 0000000000000000000000000000000000000000..56e8ff90c3a5f0c936ef6ea02a6c790eeb076338
GIT binary patch
literal 1738
zcmZ9LxvInr8HN?qBAp->7JB;OIN3815wlPBeYKEGCi}i8gSB9-ck$yzh`m=J7NU3;
z;#i#KZ{OzOd%yRI^Yk<AlIa|lvhRN0Px*C&fX`oj%yaRXK4A=l$PWQ?b~XRlpS`7R
z>|=B`jX!+#I*R(!;6vQsXg6gxq9pOWSuM&(fy2!z$}=txL|&HsRw)JIE=pO};i${4
z1de1bt@$a1Cig{~=J=zYd`2;W#Y?c>q$FE3;j7nmPL9|$M*9wVCl?W6l2Sem6q_N0
zI{9{c@OY^ymm)$hoS!)U4Ul@@0>PVc76Va9ii~ZK?b#@7mE2y03?}l5x!7|!)4noR
z2!>Mwj5e9KO#Qj!Q^5g`{ElgN9?J3op>iaqaaNm@*1nxiSqzYV+;=Z;x=6D!I4inx
zKO`(F<Mc+}HHNi$z$A`(OVO>QY7^`VlCEx#sVbGcdK~2;pzZWJh8SXq%MRPgNItW(
zRJ&XY{Q~E(ga*)xdmMTm-HGxltyL`$L@)%FEpOre=w6=O(s+;27<H+tDW4$8D$AEx
zSVI~ToY-@KfgD_Rb{Tpb(=AvfKedwH{A&B_x7Teq6Z6A}6n{mmv??J<c(!_L*YLqK
zCaDYTY3d@~xTv8Pxeif)kv!;^d7h8jEHPF*o#-r3fmvFFX4pJhXD3RHX~XcE`Zf);
zNW!2#c&ayOJZbBYnotg+-Ny8@oK~%hYzaZG&ajnKo7pg72ht_ZFOrcHmm<)5m~N#~
zhDJZIF=*-GWO1`33mfoici|W9|4XWr3)k#`b%nq)U~am3b&|ZH(Y_GsORxBDgLa-R
z$K1PEIa9E}Sb8Ztp(5^t&^+jJ=6#rs0WO-!<s9+mh{9C2Dg|~EW!wZXz38G|3BE+>
zjk+sqN+ByNaoRdtj@#82dI}ygtpoYQKFbqZ-+3_k$lB19bqp4B)QCk3t<!XUoQ$4C
zWJIVtf*x{t_Lv<FnRau^dKh4IZj|pF+|nfxs`%!=cBfRi4)5zHRj=c9-A`+Q5z{2p
z)suW4f_J8imBAR{rhD5&=H8AWa@Fp55id#>ftcceJu1e=<rW;B3bk!@tn(n2L(s*o
z3VMOhyIeWh^vp&JAQ@r0l^y9uuHB(+IR&>ueBUyl5Tnjiq4>*drZU={=_An=?=|~G
z(`x5%4ca^!Q9vzCQ>3-k88&3>y)8U6v|i`;G=)QjS?fMKss|Uz_JRpc0MQy-U+|?B
zjzL%+zRUr~kiKqmMAIyPrpn-EFnr5*_kg&F&{G5r55W`$cc5-|bj`$a>?!}I%Ep{=
zwwF#O5bT>eJ1I%#eeMbxvRx#;Z_{L~Sex*=qFBKN-NmT#nz|Z$w-Ph787EP|+y`e&
z5@5L~7YWx!%Mg<7FvC}>OqO@?)x@J);7){fPkZk56{$6Y;R);T>wJ%2ir;nlhI&8@
zzX%FnaF{#Fbxa-ZB}1A)Q8TGj8k)C<FjipZ+U0fs+VPj8l^A4iYc{%GY6Rbf`7Wsp
zbdSzMxYy+t`|~?nS)O}PCFs8|Qh_GeG-b#f1ft5Y*MzPpBeUJ%Rff2&m6yTSXyH~Z
z{#bvTwzkCKQy*}mvhuy6`RINRvxH%aFu2$2j?OEu1&*_Mw>XT2*@sXdw{kM@?yAzw
z(8U+1V6|9K<t#<rG=>bGMz$B8l7YkccJ%Y}ql4H>MR$Ev!bMdS_;%bo_3#P%_Dm3W
zA5K^c@SMguJ^_CCy?_1syYV0X{o_CV^EZF_!JmKs-=Ceo_|NzM`ZxNIKmEz&AHQwB
O`40Q{U;ge#-~109<v{fS

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3ca3941..301119f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -26,6 +26,7 @@ let
   indico-admins = active-admins;
   grafana-admins = active-admins;
   alertbot-admins = active-admins;
+  gitlab-admins = active-admins;
   servers = [
     estragon
     wagon
@@ -54,4 +55,11 @@ in
     "vogon-wg-infra-key.age".publicKeys = [ vogon ] ++ wg-admins;
     "grafana-ldap-bind-password.age".publicKeys = [ martagon ] ++ grafana-admins;
     "alertbot-matrix-password.age".publicKeys = [ martagon ] ++ alertbot-admins;
+    "gitlab-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-otp-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-db-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-jws-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-db-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-initial-root-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
+    "gitlab-ldap-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
   }