gitlab: store secrets in age

Signed-off-by: Jeltz <jeltz@federez.net>
jeltz 2025-04-05 20:40:09 +02:00
parent a64b34810d
commit d672a1d1ee
Signed by: jeltz
GPG key ID: 800882B66C0C3326
9 changed files with 196 additions and 9 deletions


@ -1,13 +1,31 @@
{ pkgs, ... }: {
{ config, lib, pkgs, ... }:
let
cfg = config.services.gitlab;
secrets = config.age.secrets;
in
{
age.secrets = lib.mapAttrs
(_: f: { file = f; owner = cfg.user; group = cfg.group; })
{
gitlab-secret = ../secrets/gitlab-secret.age;
gitlab-otp-secret = ../secrets/gitlab-otp-secret.age;
gitlab-db-secret = ../secrets/gitlab-db-secret.age;
gitlab-jws-secret = ../secrets/gitlab-jws-secret.age;
gitlab-db-password = ../secrets/gitlab-db-password.age;
gitlab-initial-root-password = ../secrets/gitlab-initial-root-password.age;
gitlab-ldap-password = ../secrets/gitlab-ldap-password.age;
};
services.gitlab = {
enable = true;
databasePasswordFile = pkgs.writeText "dbPassword" "xxx";
initialRootPasswordFile = pkgs.writeText "rootPassword" "xxx";
databasePasswordFile = secrets.gitlab-db-password.path;
initialRootPasswordFile = secrets.gitlab-initial-root-password.path;
secrets = {
secretFile = pkgs.writeText "secret" "xxx";
otpFile = pkgs.writeText "otpsecret" "xxx";
dbFile = pkgs.writeText "dbsecret" "xxx";
jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
secretFile = secrets.gitlab-secret.path;
otpFile = secrets.gitlab-otp-secret.path;
dbFile = secrets.gitlab-db-secret.path;
jwsFile = secrets.gitlab-jws-secret.path;
};
extraConfig.ldap = {
enabled = true;
@ -19,7 +37,7 @@
uid = "uid";
method = "tls";
bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
password = "xxx";
password = { _secret = secrets.gitlab-ldap-password.path; };
active_directory = false;
allow_username_or_email_login = false;
block_auto_created_users = false;
@ -30,7 +48,6 @@
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;