From 1ca6a7d6d5cd24f4a062d817b1c03770300d0b3c Mon Sep 17 00:00:00 2001 From: Aleksandr Lebedev Date: Tue, 20 May 2025 22:25:12 +0200 Subject: [PATCH] Gitlab --- nixos/hosts/kylekrein-server/default.nix | 30 ++++++++++++++++++++++-- nixos/modules/sops/secrets/secrets.yaml | 10 ++++++-- 2 files changed, 36 insertions(+), 4 deletions(-) diff --git a/nixos/hosts/kylekrein-server/default.nix b/nixos/hosts/kylekrein-server/default.nix index 377cf67..e1db136 100644 --- a/nixos/hosts/kylekrein-server/default.nix +++ b/nixos/hosts/kylekrein-server/default.nix @@ -66,6 +66,31 @@ users = { networking.firewall.allowedTCPPorts = [ 80 443 22 8448 ]; networking.firewall.allowedUDPPorts = [ 3478 5349 ]; #sops.secrets."services/conduwuit" = {mode = "0755";}; + + + sops.secrets."services/gitlab/dbPassword" = { owner = "gitlab"; }; + sops.secrets."services/gitlab/rootPassword" = { owner = "gitlab"; }; + sops.secrets."services/gitlab/secret" = { owner = "gitlab"; }; + sops.secrets."services/gitlab/otpsecret" = { owner = "gitlab"; }; + sops.secrets."services/gitlab/dbsecret" = { owner = "gitlab"; }; + sops.secrets."services/gitlab/oidcKeyBase" = { owner = "gitlab"; }; + services.gitlab = { + enable = true; + host = "0.0.0.0"; + port = 4219; + statePath = "/persist/gitlab/state"; + backup.startAt = "3:00"; + databasePasswordFile = sops.secrets."services/gitlab/dbPassword".path; + initialRootPasswordFile = sops.secrets."services/gitlab/rootPassword".path; + secrets = { + secretFile = sops.secrets."services/gitlab/secret".path; + otpFile = sops.secrets."services/gitlab/otpsecret".path; + dbFile = sops.secrets."services/gitlab/dbsecret".path; + jwsFile = sops.secrets."services/gitlab/oidcKeyBase".path;#pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out"; + }; + }; + + systemd.services.gitlab-backup.environment.BACKUP = "dump"; kk.services.conduwuit = { enable = true; @@ -138,6 +163,9 @@ handle_path /.well-known/matrix/* { respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.element.io"}}` reverse_proxy * http://localhost:6167 ''; + virtualHosts."gitlab.kylekrein.com".extraConfig = '' + reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket + ''; }; system.stateVersion = "24.11"; nix = { @@ -151,13 +179,11 @@ respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.e "https://hyprland.cachix.org" "https://nix-gaming.cachix.org" "https://nix-community.cachix.org" - "https://attic.kennel.juneis.dog/conduwuit" ]; trusted-public-keys = [ "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE=" ]; }; }; diff --git a/nixos/modules/sops/secrets/secrets.yaml b/nixos/modules/sops/secrets/secrets.yaml index 2d9900e..ffb6f8b 100644 --- a/nixos/modules/sops/secrets/secrets.yaml +++ b/nixos/modules/sops/secrets/secrets.yaml @@ -7,6 +7,12 @@ ssh_keys: kylekrein-homepc: ENC[AES256_GCM,data:/7b7wHk9jX+2Gel3157KO4YHia+IyEurUic0BX9flNKdsjIyG/3N8lORAkIjwnPlFaN2VqGu6o1pFgW2dzkSAyATQIUeWpqL5rjxsG3mJ9/9TLh58Y7MIpFKx2r8AeUY0xEAhT1A4BCbnDMsneQtM9gBkgPdhhv6vVpe4XJS3n+dGPER/bQxxRbEt260EjxvL1OPf5C7Z7qNVhOzxNdgdJMQvXxyhRGlXRrrHFRdbw0nChStevgBL4+FoMuBFkqF/aJSoapwe8PNxp8z+Hk5Em+BQv/ieFcscESssCK1gSbvfz6MQyX+5ig+Gy+t28yy56/ir44PHwX47IOILzg7lABSvN+Uyt+sRKyBfx124hJjqgXf65YQ/fgknQt0NDKwZyP/gPSLC9HiLKdva/P9nuenfSnlLrGtfugejBAVQBMOP2HTp/ZKtveeKLVIzM7NLeHAw8ul1OL8OlOgyO3vhEkEVagLwtQYHqwoF7+z30TzTtGyDzuhohbhUH36D8BD/LTaPHxnnVIzWq/IBOmAU06U/EvS5x/JJtqMm8aaDFFEYA==,iv:+4umMhsr8s0IuiYuEdhDAOfLjAELEHbFVvWqaVyF2yQ=,tag:eE9gCZ3pC4wDLeMs5cQGZg==,type:str] services: conduwuit: ENC[AES256_GCM,data:1shEq67QJTkeqrfYSr/eYG7gYWH//5ey6XQ=,iv:hy5wQmue8qU4ALfn9BrNQLnsTk8BsVVXY/8bDj18mXk=,tag:h6+hL0HjgSzd15Kc7Zg4ng==,type:str] + gitlab: + dbPassword: ENC[AES256_GCM,data:itn9xyNZO+xkSk0GKvLzjLRzM0uZ+TalqLtj6tyjKXM=,iv:U8bX/On89wz6Lz4R2/fZ+FWRObehlnjFhUQdAhmxb60=,tag:oEbee14jCGfRs8i5bJZ5FA==,type:str] + rootPassword: ENC[AES256_GCM,data:lXq+GIn6ooTzZL4iMYFzx3kn8gdcdsNaLQ/zVCr75Nw=,iv:mGp9gxL9uABpbod/ZNNyEllBbcfrQuFG4pQgs0v/xbk=,tag:CZzj4hauh/Qi8fvtmaZ/KQ==,type:str] + secret: ENC[AES256_GCM,data:W7PfRh80hzMZrJebHgs4CJeeABWIVVkh3ByTF1Yfavw=,iv:WnLEACeCZOf+YpF4RzQCXG6uPEq7zrE6u7DQQLZjL/Q=,tag:3qjnIeoptMsIxIbTh5TR+Q==,type:str] + otpsecret: ENC[AES256_GCM,data:enBP2fsr+VaHuK93GGDtgGMSf20yxgLloHIHIibFfLo=,iv:iLLVuypLXySsw363Y9CSz5Kqa3CCNQFwURdOoi5Ig20=,tag:CgUMcT+x/134JJaScHLlOQ==,type:str] + oidcKeyBase: ENC[AES256_GCM,data:hHBdaIynMg8eWiwDjDfN+8PcUjOPl9VzG6lu2Z1eRrC2PaVXORg1Eh6YPi83efqhaSbONHeiORGsLM/NYHFcviEvQ8aZXb9y/ojKPHdyjYvkedIU1alyfWqiz8+xP/H2JFPgMdDsO6Tt4IswTMCfbNOXY2+RwImLACxTDoeY9LX2wklrGWh7F7DqAYymM2T6PrulJqGtbrep3yEylb5kqPZU34aJQzdZ7/zA5EW68xTOWEElCcxfkr2ThCywk6quUQaaCsqVAjZhULRDYfDA/umF8r6S7eNh0eFm6X17xsLTgkSMkx4gLvaUxtLG9bGM/5FJ6823hyRSTNXZx0cV7f195mqeUhn6rvUIl6qC8O7Ln6auWxjuJDRo+1Phr4J3dQMBXBaG2WpQFufgXNw8qWpMEqpiN6CjXhFYWJT/TxCZR+Bdxqt8Fegk0DjcEQFbJDOKKV3/JMu1hIsydeVRTmyy06EbBKSfAIgFddQIA7DmxqK6tqLRtITQ1K9xGnt4msiqgfv1XiyeTo+vmptYVDGLSLtB6yfOKvs/U31RlNESwcHwIqlisl1bex5HV10OCcMkFVhhffoiT1Swdj9ilMhd3TkgL2uJstC26QuyB4Gdnmz28MWU28JXP7qVf0rvq6nNPYAKpO3LgNPx5JrCz6DGCxSZiJOQ0fYDxz5QC2EznAbmZachg8tBb4Hmd/CvEtMMvWfkxueadTV7fWR0l3R4H1cizUF8j2NIfqWb6TQLIy25PaOSNnyZ+a4NFZDgZQcpl4zbCLVKHEKGDGhMr4SpEtKzasZSwv1jw7TZoiN8I2g1hSdZRCq3KJ2nAIGvlZd8NUTsksxsIXcxaoM1rfl4dIOfHm3H+HcKmnMYafnCH0EgdRZeAv1sonDzUOEl2G8myUTa3xNlR43lauIG0ipat83UO6INFh4N0TFJtirPHjm72ZMfUK89ut5fWnYqiKopkJEtAy7Bk1EUbXwuRfBDB34m8AFdDGbVWWVaoVJkSuIr8PHMsFhJRGn1TUit7tDQfgPvLpPD0Wiq2PBgoExZ8qLYUDdOCvTxWnZ+gpTRghiBebulNR0xGOCeopg4qiMZ7rWfUJHsqNUazpak1JPIWC8wYIJ4vojjIH1TCpl11lYUvXy1ffFkcWBYplsGYBuY3qpXG/Od3yrdwPKzhHPjPpWDdxZJBW91HRdq0qhq9mYIr28kqGF4Mg60cGGdin+/O0jcfzWzwhjibEfrfuzBqhHknTPXDTlKPBctdvcQZRUsOS0d6SrNRXOvvzlSTrUowaQTSrZNzNDpAt3VKYJDnXGgwnAZSk8zhRM7J6bc9artgm75qBWuZCxLHbcqyBeWVRALYPkWp5h1bLCaGHgC7x986d0mGxfU9p2szIRyacbJN/ITIuDuDmvBt9NWydkkdT3GZE9uhbxQMgfkKyLyXvf7LrF1iSmIos15tYCZrxAcu0LMo2mqW51e92uc4AXE8rVB4k7z2j19F5sW9GMQgKOk6qT1CSpzfHvPpVdKQ5cVVj4X5GZOao5flo1tO/sNwE92Jpc/jLw96737rRDGe9vSkdbyhSS1wrF4+P59QPxsdelSAYZF6YMgSN0yCJFuRLWfj6IpxpBIEEuB5QACCHnDiWi9cFEwRaq6EX6f87Joznd9o1kwASmMXpkXqv/rLorjlqdXajwdFXEmNUFMqX90va7LvlZJPHhvXmgJCwdHAKacQj1m0Ji4EqSZhM/I1uEhG6zTc2jE46N2peVf2JytEGpbgF/m2pyGJDDQ5SDIfG+4AdUXVTk68wl0Q2SSjBb4d/N8XNfPHHToXEuNsNmHZx/4Yt9b+RJqzl3Mi+HOvJP/mz8wR7TxceHnuqE0RTvl9TYN0MXkXVfh6ECj6AaDuiL930IYabRZ5do7eMaA2OYZoPvZA4udoctDApyzs0Dn0gVu9sFXUgmNV7YnkETeEtjKEn/sjWmkMFQ+vJoK27H4OuILxYj5jtBhWbjNYeheBVo5jXmANakDO95vlLhlp2t11LrEoR59dNVVvvN3zDuX1/EYI0OvS4Isl7HTk8ud0+8tfzywGAY3LtEhpEffe91gqEleu2atKYWZQ8917ugvmGkNQ5SNJloDFtUFvAAjJypoovQ6JxQOgFGSsgKMMUMSyuUQnjkxThrGL6oMavAGKElJn6xFc48xSvS4dluTotqwzN2gaV5a98PFbw4zda3ltx2uJD3XxYqr1J92P39YMjKihFIALrcXIESV0Aehfap3WATjlRLikTq726wo2n+k,iv:P8C/7NUd1G/VbKz7iWjTVXxMFOxZQxX5d0V4Tj6KeCw=,tag:iq4s3ahqkmf4e7BffjlIcQ==,type:str] sops: kms: [] gcp_kms: [] @@ -22,8 +28,8 @@ sops: M0hSNWNYbGM3a21McUVMaGNqWTdmNTQK3VRFV4EaC8K8AJi2PUt6TeBgueEmPLI8 Vdwwbh89+xD5xf4Zm0LctPRlxxM6diubv0gIZZPy/ZXZfiU32ZnM0w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-02T14:08:10Z" - mac: ENC[AES256_GCM,data:ATGlRrgS1LilKyMpLHPlQj9NV6eK8IaDr36KjFcyMsslzq68Zw/s14C+RjMUYT8dQkzymMxhxh9jAsPtS/J81XFG4RMl7mo6KNmhpPKEkzBuP0cAAIXgSrF4dovveI0imxxsjBba4iOi6Syjo/myg2dGpFwgU1/OgJ2suwB07ME=,iv:37UDQfMvk/o2BByZQfY9ry7ETCC2zU8K+EoRjGHKykc=,tag:wUFJ0fZMt4RZTM3oLJ2YaA==,type:str] + lastmodified: "2025-05-20T20:14:44Z" + mac: ENC[AES256_GCM,data:4A+PoSlyiTX9z9oYAa8u/xe8OspaqX8gQtCI8vopljMztFknlKiEyHs220iqez786uMZAl27bqDNwRxd3ktZfHvOWwBOv+LrNTVqUIAJQhCOeL3bXDe+pIiakcqlsfPbvpSdFWNTW7Y457u3Krredl9d4jS/YAao4Wzva3F0l1Q=,iv:CZ/jiFfYcMRYMyFpJpVqZzHy+0/IFFO5HE58Csf/9AU=,tag:S+sCUClyrKqbLZsrt+UC6w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4