Add gitlab config

machines/amaterasu/main/default.nix

@@ -125,6 +125,7 @@ in {
   # My Services
   ###
   dov = {
+    gitlab.enable = true;
   };
 
   # DO NOT CHANGE AT ANY POINT!

machines/amaterasu/main/secrets/secrets.yaml

@@ -1,14 +1,16 @@
-hello: ENC[AES256_GCM,data:dTnxbD69/WCZm+OMX7+ISwtU4cc27avKwYZuWx3Eik3yUgsKpCIjYwvaOB1t5A==,iv:jAVX+epN6cdmwq6DDiGiNs7UwM2pUxvHSE7EBcuA3C8=,tag:aqYZOm7JbI6NIPi1e2ImtA==,type:str]
-example_key: ENC[AES256_GCM,data:3PzgE1mdiZRbgT8zrA==,iv:koDyUK9GA86oiH4bp0LLXRRTbNWJwdi6kQxvLKTVIH4=,tag:OBQ9HqMmV2NEbCQmNJkbNQ==,type:str]
-#ENC[AES256_GCM,data:eL+kKUBvEiK1qZa4uqyaJw==,iv:ZPRuJtZgjZcQwWyyFaIe6MOGIlBg6n3twF5ppWov1uk=,tag:Ha7Evc51RpqriY1NuYLx6Q==,type:comment]
-example_array:
-    - ENC[AES256_GCM,data:Crb/oG3557p6OnZpzsQ=,iv:7vc5Mv25ywn7SoO01iGv7QzTeEWWFUi6d6f1uB65euI=,tag:Fnw7pJsESeD4zKzxGoS2Sw==,type:str]
-    - ENC[AES256_GCM,data:aq4QEAO+DA+nfrC2Zuc=,iv:0om7NPM1VTAi8mZ7USX/SAHBIAJ2NCQHbKAo99nTv3s=,tag:DmU72MqQK9MjvWymtiX05w==,type:str]
-example_number: ENC[AES256_GCM,data:lCjhlB4Al6OsmA==,iv:8XTRC27xGmmGE8JWByr6JXdy1FoVoZyH6xs0uNrtaJw=,tag:kVka0SN2pptbmGnO7FFw3A==,type:float]
-example_booleans:
-    - ENC[AES256_GCM,data:E0UPLg==,iv:lQUlqiV5xNrAzmwbrQ+A74D34jk3OhvxggL1zida3s4=,tag:meFcMzWAWeS8DVePB77Pdg==,type:bool]
-    - ENC[AES256_GCM,data:BFpplEk=,iv:jDpPOy/3BYcrRYGXevdMzZWwrAd//DSZX8M3oofiLdI=,tag:ttrF4pJkBXuq32WUwrhmAw==,type:bool]
-test: ENC[AES256_GCM,data:mS79XA==,iv:LmtcvAN1Cw1uduLIRJYB+WqY1owPtUKsJEkt3JH7m5M=,tag:/sXKDu66enTgVewmfuIG5g==,type:str]
+gitlab:
+    oauth:
+        identifier: ENC[AES256_GCM,data:GYbh30CB7apGWRSDO8600FE3rRXLX3YX7X+7a5F91NJSRxHid/f6Xw==,iv:vhz1cKzJc/UgmVxxIdAf/1eemZlglgQzfiVkopwnWqo=,tag:+5u2v3OzeRKGpOvuzsyj3g==,type:str]
+        secret: ENC[AES256_GCM,data:hHzIfAylp6CWpGfRPlDHv6uRzDCzMYYkyzU2gqs7pu/ZImD1h8Z1iDzLLQceYY76bwLW01HRUe/3Sor3/V0XdRl9zSoGX4wMRVqxMI35ribmeUhWOaPPcWIlUJNs5RY6Bg2GGF2I2BX3cP3Ow5HABepJmkoALH8BLK200b30240=,iv:sK6JMeCJNkQROsMcnGk5E19tvSsaK1byaOhSvBIMXHI=,tag:z3EoiUPQFLmgFrDc4NLJ4w==,type:str]
+    databasePassword: ENC[AES256_GCM,data:QRekrkSQlswy5rnk+im/oAnULXI=,iv:LZ6fGEqUacjXGUmfOciFfOAp1dT9lDKG2qTSK5ObbKY=,tag:IvYmZbiS/uzgfbbj46QT1g==,type:str]
+    initialRootPassword: ENC[AES256_GCM,data:6uBo+HxNfJTrUVo3m9Ly5UhC2Co=,iv:EwcTzPPSZmsJbE9MnsPdydSUl7+rTmDYtn8/A6B1Ql8=,tag:RawXu2YIshMoV5/iCAP0gg==,type:str]
+    secret: ENC[AES256_GCM,data:Bjdl94D3j1x4S+ygfxlIT7Zd4CU=,iv:75gFLyqHPnj1r+lXJFbNHoSqzrDYrrnbxmzRL2RLpgE=,tag:gmrxArUkkdraZAwWMbRtvQ==,type:str]
+    otp: ENC[AES256_GCM,data:t2hAbxgNv2Tt1Ixt/gJKplbXSVs=,iv:XsQF0DuouNC8IuqLV+upkdNAPTcQ1yA2a44RgU8icBw=,tag:o/o1G7IQnQx+y/CAlYjUSQ==,type:str]
+    db: ENC[AES256_GCM,data:Yh5L5LXYmdkXyPNFCsA88D6Mfr4=,iv:VxJ+ZmSTGbb+z3u/W5OEFs7ATxNAaLShkpnHDZBH/rM=,tag:mlobFB/WTJUXunk+lwskCg==,type:str]
+    activeRecordPrimaryKey: ENC[AES256_GCM,data:oZqMrFb/ACsoBoXeZJtNA/Q1TAE=,iv:MeFRTI/+LxBtu8vIlmCuozDJop9mzAj8LKzoVBPmTl4=,tag:8hPY0kSRHZpWekn7R1/dig==,type:str]
+    activeRecordDeterministicKey: ENC[AES256_GCM,data:dZI5/eDJ9oRRpA1HTbFwWNhBAuA=,iv:TVn6X6z0WGRwmB6zuKrujdVMPdK3wIpo4lqdq79gklA=,tag:lX2LGLmzaZ5cQ/q/kvdXQg==,type:str]
+    activeRecordSalt: ENC[AES256_GCM,data:1A52VguR9qJ8iGRdp2vYahwSkSM=,iv:+woRR8fVA6Yllj16t25c3dCZCdV/xmWehH729jtHhUI=,tag:AkcELc3ljp87WTOQCNHKSg==,type:str]
+    jwt: ENC[AES256_GCM,data:mo80A1DiLrtL/7mA8njbugtEI9odDjLNBPc9gL4fi6HZrQA17o/pe7W065w3PXV6hFsnzIHxVefGN2ZRbQ2l5IVw5tohMc4ZFp5VC1E1fr2OsZFEToTLHPct/eZIcEkbr5wKLngRNTjlT20MI/p1RUjKGSeqgnxmKKy188BhcAwX8JxzMD2gEsbaCnHfFK1RBzrz4uaHGhaqn0puIEmxFJSlXJePxBYH9pGF9SZwHv/zGTVocRMgRLu+XWDLCDmUwbIl2ttUwnBGayTXYgA95AqXa0ZEXl6f+XLTsN3m0RIQuTqNR7lve9LSFLLDaSX8IGL8n52tnBqbYXK1llVVjWW9PL1kGJjOHNc37JyBw5HMxw/7m/O4EYMaCHme+Od0uH/KgnelL/n/3Qi4IufA6hI20lSNPBvwypn06sA9OXvNjPzA5+vZ7e2aGPtLzl+YUvDpSpt/8nLkT1VHKFkGp1ER2jpIe2+jD5KQhP7vCLkEXUwrZ2OO8/Mw/5HqojjwD8TMrmHaX3nozJIbbAQR3JZMMSgLeGJZIYsmTtszOPHN7gWy05qO99HDTIxiLSSC465sDP+kxr9L0Lhr1KaG2t2c+sxZTbLldolfcXmWOL4vcet2kx8gu0OL2S5TxhJ0LBPDrjmtHpnJ8qPSwORj7EeIoBK+RCXya2/rKehikTt4G3TfolK1ZPsPNXXAibETZs6JWzQrdZ3kwY5tleGHGBzzRZRqaceD5VIimEYOO/xUWCjRsw+m8/9117YWbxBbQ6yQbYQ4KYimi+7iFIlkvUvty29it5w5V/Zq50gppVIcOJOkTfwJGPeMdl2yKwVXmKmK96zKU8Jk7evcDvsccpINVyB58te8EYF1Zl47N0ZIGW8zFnkimRaoMVAV0igq93THw4H+C6QOe8vki8pIkOcSiTeJAvU1OzK6ZnM1VkGpfPKvJFQUvh9MEIWIkpz5ZXl+0vXZ15NWf/FDChy1WByTytu3XHXSlawDbgMS2d4CLsRhQhZm4hejFQFSX9SeEypZ3aUIACxO9FkWtJi4Opswq2mqZxm9rWXA7VLFtV3qtxYASKIYIeAT8ECUSshYFktLG3MbgUaByWpI/7ORdwaHN5AYPcK14ILCJEIb4HAuTrjz1/dlXV63XvAR8AJtWuPNWZLZ8s2mdwukSbWz3mfubXdq9aGlB46fYWz4cky8pSBGEwZl47W2yR+TnA32mTy8g9+yYNRgIUTFSltrzAtEPL3uRw6cjoOShZMfhJY6iv9irpt0Yp1TyyVxt4p9MssjrW+gsRaSNzggMQPxsWPuSssLhfktWdJalZHmAd1V/Wv6d2+0M1WFFh1Vg1saRhKF6ffJAUg2HnZD33cQYXLEP3C0Ujz2NFfkKGs8vh7gowPku/QG9xryT6qVp0ss+XJ13szeuC3nvyAe4NKx0C33dTKmRLP7ELYUIRFNlCqZSmGK8RnezxalEOhQ6Kvr/xQvmxNaeNO+lzVZHkRRsNSkZXzGI/148HtYRzLdzuuS02mbTPq5BHIDzD0B7+XjCACMTFODP41oCQZsqU5WNiSwV6++7FyZthdWhCx7Us+GSjI6ljKII6JHIyOL18U66IVMUv6Hl2U8jrBfDgP+5yelvU4wbhe4krjW32oEdl7mWM+RjOIZvSqYfOnlzG5m+omUwVZTSpmxznYsgn9aJqeHaNzowXQypH8lZYW0f1BUztMG/+HUJ7sAv26e8ArVB+a3HKv/4IkNK+k3yboodZ0/eq8qJhPG7T0Vr33bZaO97oqDwdL/AzheFy8+lZ2/D/JJszvpEhwdRG7lj0U965WBs62pL8+LsViARPCqM10edMGkBdP+Y0vC8K0JZLlhrwxqfsaa7tXFy3pOEtD2Hh6j/OFFEFnRx4+VTAu2F2KQe1YvsknkU3efDW2ki4p5BVazSLoHfJ9znQTPW5kyUa2zm+AF/febZac1bbWNH6W/3DbPb+UTG5Rmy7PPGFUR3sJvy0Jih6qE6KSS1mz5HThe8izliP4NbBORnscVmO8C1P5rY8s4YzcAUTXmDAvasDzsZw/ZlC6xv5aYozrilMXACzHYkRGP7bNr64xjO1Ag1FJHcWhBtkScmT0B1UcQt/Bpi3RYW2VWIPApUDpG8u4jlAhmY7HRmIx2G06Y6WzZI6wvEhtPxPQVuaZSzdunJ2DKcHCpu3ZlmjfX8571KY/FGTuQErXypGIlaBUODwBi7/Rplp2+GOKCPAKBOIV269jPKhE/rWu2ZizILmp3VdKH3UgR1G54,iv:GI6pzirXaL37hMkL23CQ3S0yY2lANTMV45bklmrU2kg=,tag:tKVvD1yIxxVqdxSmLdIbxQ==,type:str]
 sops:
     age:
         - recipient: age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke
@@ -29,7 +31,7 @@ sops:
             V2VTc2FYSExPMWthbFpRa2RLZ0JYbEUK9r6CAN7DfrWor5SReLkFLfRv506F2jRn
             TVqBGEGGsfE59e57D/1faw1RD9gxhZlrGk9C0tFS1mnwLROth97m4g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-13T10:22:45Z"
-    mac: ENC[AES256_GCM,data:O6er2UuvKJEf1ZekaquIpRmALveDhObU4PB20ObIydqEVApqplPf+qG0KR9b1kcezbc4VFyEwN3p3yjcDGn3bB2uL/7iiJgYoUp2Y7l4bW6BzXfhbT9yZzA/1xry0oMYRvuxU2ekyPCsOfb2YQkxIcLhJZrfxRIh4IcR6WBrRoo=,iv:MmLrd9IfXQLwuGYPhqMW5OZ7JxtlKzg8Uv+A5EoCiI0=,tag:QyeCEw4J0+E9wEyOI/R4kg==,type:str]
+    lastmodified: "2025-08-13T12:57:07Z"
+    mac: ENC[AES256_GCM,data:qMA/vlniMmYyGpq/GLcLE8RIBvJws59qqhPVK1KEV0ALmi3y7ZS8kkvicK9/BMhfXlCMC5GuGvbjKSRPRr94QJA7pBcIi8g3iJlZ412THvK7kisx/BYs6PwxTeampevc1mSgJD40YCQ6h0DF46Ry4IKDd1ulfqfNKqzCA4ajf6A=,iv:mzEq8Z4PtpKeiibM1RKhx0xB730SibKBp23jQBK7boA=,tag:u3l2/aKxNt1GU0LLlqh4eQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

machines/amaterasu/main/sops.nix

@@ -12,7 +12,5 @@
       generateKey = true;
       # This is the actual specification of the secrets.
     };
-
-    secrets = { };
   };
 }

modules/default.nix

@@ -12,5 +12,6 @@
     ./development
     ./window-manager
     ./display-manager
+    ./gitlab
   ];
 }

modules/gitlab/default.nix

@@ -0,0 +1,131 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.dov.gitlab;
+  owner = config.services.gitlab.user;
+  group = config.services.gitlab.group;
+  domain = "susano-lab.duckdns.org";
+in {
+  options.dov.gitlab = { enable = mkEnableOption "gitlab config"; };
+
+  config = mkIf cfg.enable {
+    sops.secrets = {
+      "gitlab/databasePassword" = {
+        inherit owner group;
+      };
+      "gitlab/initialRootPassword" = {
+        inherit owner group;
+      };
+      "gitlab/secret" = {
+        inherit owner group;
+      };
+      "gitlab/otp" = {
+        inherit owner group;
+      };
+      "gitlab/db" = {
+        inherit owner group;
+      };
+      "gitlab/jwt" = {
+        inherit owner group;
+      };
+      "gitlab/activeRecordPrimaryKey" = {
+        inherit owner group;
+      };
+      "gitlab/activeRecordDeterministicKey" = {
+        inherit owner group;
+      };
+      "gitlab/activeRecordSalt" = {
+        inherit owner group;
+      };
+      "gitlab/oauth/secret" = {
+        inherit owner group;
+      };
+    };
+
+    services.gitlab = {
+      enable = true;
+      databasePasswordFile = config.sops.secrets."gitlab/databasePassword".path;
+      initialRootPasswordFile = config.sops.secrets."gitlab/initialRootPassword".path;
+      secrets = {
+        secretFile = config.sops.secrets."gitlab/secret".path;
+        otpFile = config.sops.secrets."gitlab/otp".path;
+        dbFile = config.sops.secrets."gitlab/db".path;
+        jwsFile = config.sops.secrets."gitlab/jwt".path;
+        activeRecordPrimaryKeyFile = config.sops.secrets."gitlab/activeRecordPrimaryKey".path;
+        activeRecordDeterministicKeyFile = config.sops.secrets."gitlab/activeRecordDeterministicKey".path;
+        activeRecordSaltFile = config.sops.secrets."gitlab/activeRecordSalt".path;
+      };
+      extraConfig = {
+        # GitLab-specific configuration
+        gitlab = {
+          default_projects_features = {
+            builds = true;
+          };
+        };
+
+        # OmniAuth configuration (direct, not under gitlab_rails)
+        omniauth = {
+          enabled = true;
+          allow_single_sign_on = ["openid_connect"];
+          sync_email_from_provider = "openid_connect";
+          sync_profile_from_provider = ["openid_connect"];
+          sync_profile_attributes = ["email"];
+          # Enable if want to auto login with sso
+          #auto_sign_in_with_provider = "openid_connect";
+          block_auto_created_users = true;
+          auto_link_user = ["openid_connect"];
+
+          providers = [
+            {
+              name = "openid_connect";
+              label = "My Company OIDC Login";
+              args = {
+                name = "openid_connect";
+                scope = ["openid" "profile" "email"];
+                response_type = "code";
+                issuer = "https://authentik.${domain}/application/o/gitlab/";
+                discovery = true;
+                client_auth_method = "query";
+                uid_field = "preferred_username";
+                send_scope_to_token_endpoint = "true";
+                pkce = true;
+                client_options = {
+                  # For production, use secret management with _secret attribute
+                  identifier = "QoAaWAv7TSaRFeLahVLs4mugeXpaJ0WWYIUIXhWk";
+                  secret._secret = config.sops.secrets."gitlab/oauth/secret".path;
+                  redirect_uri = "https://gitlab.${domain}/users/auth/openid_connect/callback";
+                };
+              };
+            }
+          ];
+        };
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+
+      virtualHosts = {
+        # Default server - accepts any hostname/IP
+        localhost = {
+          locations."/" = {
+            proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+          };
+        };
+      };
+    };
+
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];  # HTTP and HTTPS
+    };
+
+    services.openssh.enable = true;
+
+    systemd.services.gitlab-backup.environment.BACKUP = "dump";
+  };
+
+}