From 7227b71a9126af53d284087ff875a1de61f5640a Mon Sep 17 00:00:00 2001
From: Alexander
Date: Wed, 13 Aug 2025 15:33:05 +0200
Subject: [PATCH] Add gitlab config

---
 machines/amaterasu/main/default.nix | 1 +
 machines/amaterasu/main/secrets/secrets.yaml | 28 ++--
 machines/amaterasu/main/sops.nix | 2 -
 modules/default.nix | 1 +
 modules/gitlab/default.nix | 131 +++++++++++++++++++
 5 files changed, 148 insertions(+), 15 deletions(-)
 create mode 100644 modules/gitlab/default.nix

diff --git a/machines/amaterasu/main/default.nix b/machines/amaterasu/main/default.nix
index 3d835ff..cb5dc76 100644
--- a/machines/amaterasu/main/default.nix
+++ b/machines/amaterasu/main/default.nix
@@ -125,6 +125,7 @@ in {
 # My Services ###
 dov = {
+ gitlab.enable = true;
 };
 # DO NOT CHANGE AT ANY POINT!
diff --git a/machines/amaterasu/main/secrets/secrets.yaml b/machines/amaterasu/main/secrets/secrets.yaml
index 54c959b..0c3eeca 100644
--- a/machines/amaterasu/main/secrets/secrets.yaml
+++ b/machines/amaterasu/main/secrets/secrets.yaml
@@ -1,14 +1,16 @@
-hello: ENC[AES256_GCM,data:dTnxbD69/WCZm+OMX7+ISwtU4cc27avKwYZuWx3Eik3yUgsKpCIjYwvaOB1t5A==,iv:jAVX+epN6cdmwq6DDiGiNs7UwM2pUxvHSE7EBcuA3C8=,tag:aqYZOm7JbI6NIPi1e2ImtA==,type:str]
-example_key: ENC[AES256_GCM,data:3PzgE1mdiZRbgT8zrA==,iv:koDyUK9GA86oiH4bp0LLXRRTbNWJwdi6kQxvLKTVIH4=,tag:OBQ9HqMmV2NEbCQmNJkbNQ==,type:str]
-#ENC[AES256_GCM,data:eL+kKUBvEiK1qZa4uqyaJw==,iv:ZPRuJtZgjZcQwWyyFaIe6MOGIlBg6n3twF5ppWov1uk=,tag:Ha7Evc51RpqriY1NuYLx6Q==,type:comment]
-example_array:
- - ENC[AES256_GCM,data:Crb/oG3557p6OnZpzsQ=,iv:7vc5Mv25ywn7SoO01iGv7QzTeEWWFUi6d6f1uB65euI=,tag:Fnw7pJsESeD4zKzxGoS2Sw==,type:str]
- - ENC[AES256_GCM,data:aq4QEAO+DA+nfrC2Zuc=,iv:0om7NPM1VTAi8mZ7USX/SAHBIAJ2NCQHbKAo99nTv3s=,tag:DmU72MqQK9MjvWymtiX05w==,type:str]
-example_number: ENC[AES256_GCM,data:lCjhlB4Al6OsmA==,iv:8XTRC27xGmmGE8JWByr6JXdy1FoVoZyH6xs0uNrtaJw=,tag:kVka0SN2pptbmGnO7FFw3A==,type:float]
-example_booleans:
- - ENC[AES256_GCM,data:E0UPLg==,iv:lQUlqiV5xNrAzmwbrQ+A74D34jk3OhvxggL1zida3s4=,tag:meFcMzWAWeS8DVePB77Pdg==,type:bool]
- - ENC[AES256_GCM,data:BFpplEk=,iv:jDpPOy/3BYcrRYGXevdMzZWwrAd//DSZX8M3oofiLdI=,tag:ttrF4pJkBXuq32WUwrhmAw==,type:bool]
-test: ENC[AES256_GCM,data:mS79XA==,iv:LmtcvAN1Cw1uduLIRJYB+WqY1owPtUKsJEkt3JH7m5M=,tag:/sXKDu66enTgVewmfuIG5g==,type:str]
+gitlab:
+ oauth:
+ identifier: ENC[AES256_GCM,data:GYbh30CB7apGWRSDO8600FE3rRXLX3YX7X+7a5F91NJSRxHid/f6Xw==,iv:vhz1cKzJc/UgmVxxIdAf/1eemZlglgQzfiVkopwnWqo=,tag:+5u2v3OzeRKGpOvuzsyj3g==,type:str]
+ secret: ENC[AES256_GCM,data:hHzIfAylp6CWpGfRPlDHv6uRzDCzMYYkyzU2gqs7pu/ZImD1h8Z1iDzLLQceYY76bwLW01HRUe/3Sor3/V0XdRl9zSoGX4wMRVqxMI35ribmeUhWOaPPcWIlUJNs5RY6Bg2GGF2I2BX3cP3Ow5HABepJmkoALH8BLK200b30240=,iv:sK6JMeCJNkQROsMcnGk5E19tvSsaK1byaOhSvBIMXHI=,tag:z3EoiUPQFLmgFrDc4NLJ4w==,type:str]
+ databasePassword: ENC[AES256_GCM,data:QRekrkSQlswy5rnk+im/oAnULXI=,iv:LZ6fGEqUacjXGUmfOciFfOAp1dT9lDKG2qTSK5ObbKY=,tag:IvYmZbiS/uzgfbbj46QT1g==,type:str]
+ initialRootPassword: 
ENC[AES256_GCM,data:6uBo+HxNfJTrUVo3m9Ly5UhC2Co=,iv:EwcTzPPSZmsJbE9MnsPdydSUl7+rTmDYtn8/A6B1Ql8=,tag:RawXu2YIshMoV5/iCAP0gg==,type:str]
+ secret: ENC[AES256_GCM,data:Bjdl94D3j1x4S+ygfxlIT7Zd4CU=,iv:75gFLyqHPnj1r+lXJFbNHoSqzrDYrrnbxmzRL2RLpgE=,tag:gmrxArUkkdraZAwWMbRtvQ==,type:str]
+ otp: ENC[AES256_GCM,data:t2hAbxgNv2Tt1Ixt/gJKplbXSVs=,iv:XsQF0DuouNC8IuqLV+upkdNAPTcQ1yA2a44RgU8icBw=,tag:o/o1G7IQnQx+y/CAlYjUSQ==,type:str]
+ db: ENC[AES256_GCM,data:Yh5L5LXYmdkXyPNFCsA88D6Mfr4=,iv:VxJ+ZmSTGbb+z3u/W5OEFs7ATxNAaLShkpnHDZBH/rM=,tag:mlobFB/WTJUXunk+lwskCg==,type:str]
+ activeRecordPrimaryKey: ENC[AES256_GCM,data:oZqMrFb/ACsoBoXeZJtNA/Q1TAE=,iv:MeFRTI/+LxBtu8vIlmCuozDJop9mzAj8LKzoVBPmTl4=,tag:8hPY0kSRHZpWekn7R1/dig==,type:str]
+ activeRecordDeterministicKey: ENC[AES256_GCM,data:dZI5/eDJ9oRRpA1HTbFwWNhBAuA=,iv:TVn6X6z0WGRwmB6zuKrujdVMPdK3wIpo4lqdq79gklA=,tag:lX2LGLmzaZ5cQ/q/kvdXQg==,type:str]
+ activeRecordSalt: ENC[AES256_GCM,data:1A52VguR9qJ8iGRdp2vYahwSkSM=,iv:+woRR8fVA6Yllj16t25c3dCZCdV/xmWehH729jtHhUI=,tag:AkcELc3ljp87WTOQCNHKSg==,type:str]
+ jwt: ENC[AES256_GCM,data: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,iv:GI6pzirXaL37hMkL23CQ3S0yY2lANTMV45bklmrU2kg=,tag:tKVvD1yIxxVqdxSmLdIbxQ==,type:str]
 sops:
 age:
 - recipient: age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke
@@ -29,7 +31,7 @@ sops:
 V2VTc2FYSExPMWthbFpRa2RLZ0JYbEUK9r6CAN7DfrWor5SReLkFLfRv506F2jRn
 TVqBGEGGsfE59e57D/1faw1RD9gxhZlrGk9C0tFS1mnwLROth97m4g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-08-13T10:22:45Z"
- mac: ENC[AES256_GCM,data:O6er2UuvKJEf1ZekaquIpRmALveDhObU4PB20ObIydqEVApqplPf+qG0KR9b1kcezbc4VFyEwN3p3yjcDGn3bB2uL/7iiJgYoUp2Y7l4bW6BzXfhbT9yZzA/1xry0oMYRvuxU2ekyPCsOfb2YQkxIcLhJZrfxRIh4IcR6WBrRoo=,iv:MmLrd9IfXQLwuGYPhqMW5OZ7JxtlKzg8Uv+A5EoCiI0=,tag:QyeCEw4J0+E9wEyOI/R4kg==,type:str]
+ lastmodified: "2025-08-13T12:57:07Z"
+ mac: ENC[AES256_GCM,data:qMA/vlniMmYyGpq/GLcLE8RIBvJws59qqhPVK1KEV0ALmi3y7ZS8kkvicK9/BMhfXlCMC5GuGvbjKSRPRr94QJA7pBcIi8g3iJlZ412THvK7kisx/BYs6PwxTeampevc1mSgJD40YCQ6h0DF46Ry4IKDd1ulfqfNKqzCA4ajf6A=,iv:mzEq8Z4PtpKeiibM1RKhx0xB730SibKBp23jQBK7boA=,tag:u3l2/aKxNt1GU0LLlqh4eQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/machines/amaterasu/main/sops.nix b/machines/amaterasu/main/sops.nix
index 5efc3b6..f2d63f4 100644
--- a/machines/amaterasu/main/sops.nix
+++ b/machines/amaterasu/main/sops.nix
@@ -12,7 +12,5 @@
 generateKey = true;
 # This is the actual specification of the secrets.
 };
-
- secrets = { };
 };
 }
diff --git a/modules/default.nix b/modules/default.nix
index 3b462e9..fad0b34 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -12,5 +12,6 @@
 ./development
 ./window-manager
 ./display-manager
+ ./gitlab
 ];
 }
diff --git a/modules/gitlab/default.nix b/modules/gitlab/default.nix
new file mode 100644
index 0000000..60fc709
--- /dev/null
+++ b/modules/gitlab/default.nix
@@ -0,0 +1,131 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.dov.gitlab;
+ owner = config.services.gitlab.user;
+ group = config.services.gitlab.group;
+ domain = "susano-lab.duckdns.org";
+in {
+ options.dov.gitlab = { enable = mkEnableOption "gitlab config"; };
+
+ config = mkIf cfg.enable {
+ sops.secrets = {
+ "gitlab/databasePassword" = {
+ inherit owner group;
+ };
+ "gitlab/initialRootPassword" = {
+ inherit owner group;
+ };
+ "gitlab/secret" = {
+ inherit owner group;
+ };
+ "gitlab/otp" = {
+ inherit owner group;
+ };
+ "gitlab/db" = {
+ inherit owner group;
+ };
+ "gitlab/jwt" = {
+ inherit owner group;
+ };
+ "gitlab/activeRecordPrimaryKey" = {
+ inherit owner group;
+ };
+ "gitlab/activeRecordDeterministicKey" = {
+ inherit owner group;
+ };
+ "gitlab/activeRecordSalt" = {
+ inherit owner group;
+ };
+ "gitlab/oauth/secret" = {
+ inherit owner group;
+ };
+ };
+
+ services.gitlab = {
+ enable = true;
+ databasePasswordFile = config.sops.secrets."gitlab/databasePassword".path;
+ initialRootPasswordFile = config.sops.secrets."gitlab/initialRootPassword".path;
+ secrets = {
+ secretFile = config.sops.secrets."gitlab/secret".path;
+ otpFile = config.sops.secrets."gitlab/otp".path;
+ dbFile = config.sops.secrets."gitlab/db".path;
+ jwsFile = config.sops.secrets."gitlab/jwt".path;
+ activeRecordPrimaryKeyFile = config.sops.secrets."gitlab/activeRecordPrimaryKey".path;
+ activeRecordDeterministicKeyFile = config.sops.secrets."gitlab/activeRecordDeterministicKey".path;
+ activeRecordSaltFile = config.sops.secrets."gitlab/activeRecordSalt".path;
+ };
+ extraConfig = {
+ # GitLab-specific configuration
+ gitlab = {
+ default_projects_features = {
+ builds = true;
+ };
+ };
+
+ # OmniAuth configuration (direct, not under gitlab_rails)
+ omniauth = {
+ enabled = true;
+ allow_single_sign_on = ["openid_connect"];
+ sync_email_from_provider = "openid_connect";
+ sync_profile_from_provider = ["openid_connect"];
+ sync_profile_attributes = 
["email"];
+ # Enable if want to auto login with sso
+ #auto_sign_in_with_provider = "openid_connect";
+ block_auto_created_users = true;
+ auto_link_user = ["openid_connect"];
+
+ providers = [
+ {
+ name = "openid_connect";
+ label = "My Company OIDC Login";
+ args = {
+ name = "openid_connect";
+ scope = ["openid" "profile" "email"];
+ response_type = "code";
+ issuer = "https://authentik.${domain}/application/o/gitlab/";
+ discovery = true;
+ client_auth_method = "query";
+ uid_field = "preferred_username";
+ send_scope_to_token_endpoint = "true";
+ pkce = true;
+ client_options = {
+ # For production, use secret management with _secret attribute
+ identifier = "QoAaWAv7TSaRFeLahVLs4mugeXpaJ0WWYIUIXhWk";
+ secret._secret = config.sops.secrets."gitlab/oauth/secret".path;
+ redirect_uri = "https://gitlab.${domain}/users/auth/openid_connect/callback";
+ };
+ };
+ }
+ ];
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ # Default server - accepts any hostname/IP
+ localhost = {
+ locations."/" = {
+ proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ };
+ };
+ };
+ };
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ]; # HTTP and HTTPS
+ };
+
+ services.openssh.enable = true;
+
+ systemd.services.gitlab-backup.environment.BACKUP = "dump";
+ };
+
+}
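Review bot: The OIDC `client_options.identifier` is a plain string literal in this module, so it is rendered into the generated GitLab configuration in the Nix store like any other extraConfig value, even though this same commit encrypts `gitlab/oauth/identifier` in secrets.yaml and never declares it under `sops.secrets`; the comment right above it ("For production, use secret management with _secret attribute") already points at the fix. Add `"gitlab/oauth/identifier" = { inherit owner group; };` next to `"gitlab/oauth/secret"` and replace the literal with `identifier._secret = config.sops.secrets."gitlab/oauth/identifier".path;`, mirroring `secret._secret` on the following line. Separately, `send_scope_to_token_endpoint = "true";` is a string while `discovery` and `pkce` are booleans on neighbouring lines; it should read `send_scope_to_token_endpoint = true;`. The nginx vhost `localhost` proxies GitLab over plain HTTP with no TLS settings while the firewall opens 443 and `redirect_uri` is `https://gitlab.${domain}/...`; if TLS is terminated by a proxy outside this module, a comment on the vhost saying so would save the next reader from assuming the callback URL is served here.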