From 4ad5d302a7ee37d33ceee953b898e1a4118ac368 Mon Sep 17 00:00:00 2001
From: winston
Date: Sat, 9 Mar 2024 01:37:57 +0000
Subject: [PATCH] feat: add gitlab
---
 config/secrets/secrets.nix | 13 ++++++++++
 config/secrets/services/gitlab/dbFile.age | 7 ++++++
 .../gitlab/initialRootPasswordFile.age | 8 ++++++
 config/secrets/services/gitlab/jwsFile.age | Bin 0 -> 3589 bytes
 config/secrets/services/gitlab/otpFile.age | 8 ++++++
 config/secrets/services/gitlab/secretFile.age | 9 +++++++
 config/services/default.nix | 3 ++-
 .../templates/custom/extra_links_footer.tmpl | 0
 .../templates/custom/header.tmpl | 0
 .../{ => customizations}/templates/home.tmpl | 0
 .../services/{gitea.nix => gitea/default.nix} | 6 ++---
 config/services/gitlab/default.nix | 15 ++++++++++++
 config/services/gitlab/module.nix | 23 ++++++++++++++++++
 config/services/gitlab/nginx.nix | 12 +++++++++
 config/services/gitlab/secrets.nix | 19 +++++++++++++++
 15 files changed, 119 insertions(+), 4 deletions(-)
 create mode 100644 config/secrets/services/gitlab/dbFile.age
 create mode 100644 config/secrets/services/gitlab/initialRootPasswordFile.age
 create mode 100644 config/secrets/services/gitlab/jwsFile.age
 create mode 100644 config/secrets/services/gitlab/otpFile.age
 create mode 100644 config/secrets/services/gitlab/secretFile.age
 rename config/services/gitea/{ => customizations}/templates/custom/extra_links_footer.tmpl (100%)
 rename config/services/gitea/{ => customizations}/templates/custom/header.tmpl (100%)
 rename config/services/gitea/{ => customizations}/templates/home.tmpl (100%)
 rename config/services/{gitea.nix => gitea/default.nix} (95%)
 create mode 100644 config/services/gitlab/default.nix
 create mode 100644 config/services/gitlab/module.nix
 create mode 100644 config/services/gitlab/nginx.nix
 create mode 100644 config/services/gitlab/secrets.nix
diff --git a/config/secrets/secrets.nix b/config/secrets/secrets.nix
index 4e07d3e..c1f0181 100644
--- a/config/secrets/secrets.nix
+++ b/config/secrets/secrets.nix @@ -6,14 +6,27 @@ let in { "containers/faerber.env.age".publicKeys = default; "containers/ghcr-token.age".publicKeys = default; + "lego/porkbun-credentials.age".publicKeys = default; + "services/attic/atticd.env.age".publicKeys = default; + "services/freshrss/admin-credentials.age".publicKeys = default; + "services/gitea/password-database.age".publicKeys = default; "services/gitea/runner-token.age".publicKeys = default; + + "services/gitlab/dbFile.age".publicKeys = default; + "services/gitlab/jwsFile.age".publicKeys = default; + "services/gitlab/otpFile.age".publicKeys = default; + "services/gitlab/secretFile.age".publicKeys = default; + "services/gitlab/initialRootPasswordFile.age".publicKeys = default; + "services/invidious/config.json.age".publicKeys = default; "services/invidious/password-database.age".publicKeys = default; + "services/wakapi/password-salt.env.age".publicKeys = default; + "system/password-root.age".publicKeys = default; "system/password-winston.age".publicKeys = default; } diff --git a/config/secrets/services/gitlab/dbFile.age b/config/secrets/services/gitlab/dbFile.age new file mode 100644 index 0000000..04a066b --- /dev/null +++ b/config/secrets/services/gitlab/dbFile.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> piv-p256 ML6NcA AlQdkB/oXYRRK3gv9K3VQJ+Y1s15cmMsc35MH/37J76F +2XYHW0ecBjFFzd46wnW/jkiOS6PU5L+lNLSExQv5gPo +-> ssh-ed25519 zj2A2A 7EcFaSjzgKu9Piy4VXVYHrFNz0AlLLmeJlkFZe1xDi0 +NyQpvTEfunmReT7Ri0CfL7260cn150bqW/jiArQ1z8I +--- 5OhYw4koEcQBhnKUjA8aHkbUZ3o9v/0fRN5twU72R+0 +&K n'4pN[hF4}t#ΥƤS@MQ; u_:P]̡5d? t' U \ No newline at end of file diff --git a/config/secrets/services/gitlab/initialRootPasswordFile.age b/config/secrets/services/gitlab/initialRootPasswordFile.age new file mode 100644 index 0000000..c6f033f --- /dev/null +++ b/config/secrets/services/gitlab/initialRootPasswordFile.age 
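Review bot: The registrations added here for `lego/porkbun-credentials`, `services/attic`, `services/freshrss`, `services/gitea/password-database`, `services/wakapi` and `system/password-root` have nothing to do with the gitlab feature this commit announces, so they would be easier to review and to revert in a commit of their own. The five `services/gitlab/*` entries do line up with the new .age files and with the `age.secrets` owners set in config/services/gitlab/secrets.nix. Some blank context lines of this hunk appear to have been lost in the collapsed rendering, so the hunk counts cannot be checked from here.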
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> piv-p256 ML6NcA A3B/mnV9SGBb2GcY5oE5NPSkprv0mA0u2gr/x9iFz4d4 +S4db0PsWSupKRaiFoObxB6wgh+bT67Zn/xx1EWSv7HI +-> ssh-ed25519 zj2A2A AiZf7bER4xz4Z/uORWAsMC3+EkRzfnJfcRm/ticvmHg +Q84LW1Tupl2g513/O19ZX/fVjrK+OVbiRg1TR5Cx7ZA +--- i9jrVPtGgLEFks0hoPk2bdbbj+Av1/XfTgtxWS877O4 +5gۢ(}gs[LSY4uE%Gs + "ۂ7 \ No newline at end of file 
diff --git a/config/secrets/services/gitlab/jwsFile.age b/config/secrets/services/gitlab/jwsFile.age new file mode 100644 index 0000000000000000000000000000000000000000..268723ae7d360a66173f0ef5811ece22d0bea3c5 GIT binary patch literal 3589 zcmV+g4*Kz7XJsvAZewzJaCB*JZZ2c`IUaF*#ahVKHe{3N1b$b8~1dWn?lnH8D9LdTKI3 zGC?3THcV7VZ7@V>WpPh+Z&P}4S$cJ2LTEH{PC_zaYH4awYC~5^L^Dq?ZgUEDO-Dp} zGG=BqMQmw!IZkJ2a5!0IPDV*rR(DlyFf=f0IW%%LPAf(=SU3tTEiE8+czS3|L0DRO zICw=uS8Q5GVnjG}b~$8mOms(jLvDFRYg1-TI5jV9Ye@>5=}LQUT!>Kwz>Xr2zsR_8 z$aA_7O+BsnZJ=|xKG}%=cs%}VoMUK9)Z;#cdo_^r-hcQi2NLmcz5qB@CLN`$wB#hE3Vcrgp(^>Y_oII$QAg^AHRn{CtXqwym=ADZjzu&MV7H_X!C@M+15X?4|4-nf|apGi%_D) z@8rg~qxOmE;3+sA{DU37w}=2Nt`$v(gVLx&V9&WjR{GbyFE>Zz|A+t5YeEzTj-t~FH{%BYY?6*Cp+8Nria4_h{i}qDS_hVkG(H@)dk{KIKcl$1;*adt4bqGTs%yy~+wc zzxs2TV6IBw@7IFtC8L7t;8UG#8reLTXo#(zJtkenJUli!GwMYfD z=^vyBC3&A}7DpTergXz!su9Bz;XTJ$m6;UjvjVO4@2PsS?>fidG;(d8HexqZ#!?`f z0?13XI3W~J=vd`T77YDEL`2s4_Y>vWbIbC-zWt8#cm&7Oupw(ILs+M+!&@`>q8XG zEA`L|o%JoK}bj%YT@x zT-BB?SKjtg4Fol@6=!&*svxw%cThOSt-GhRAo$Rs@a^itQ!84cd*2xuuvtw?jGt|c zgkQRbi0M+oN8(*v=w>VD0+Qg6}Z)xck8o-IVD+a+(B_X0IiQD_|8k#+>dVI zC9IC6xp0#NhRvQKf!Ec``Czzh*uOxXAIv6E>OLo&gGo1>|0X80UsK%fxh}oi;8A)+ zMeod5A4QD(RRx>8Co<*?)@_21k2ivrg%^ywhUVm)lP;w=HTmY3_U z5`*e`It~3`fZAFED@Pi2C5(;zFk?uk&;Cs17>vbo23N1SD>qC)I#cUABW>4_Fzo5o#*7k_w(k>0o4H21MVkL2x`p_+@bN*%+O2OsVj|eyiIZ?k)nh!&T$US zDtgVZYU|&84S1>S*~FH}QqHIxU1fUWLxX`W+LnpFgnhoLTEhLL{6A#bQP z93zb}zbYPlub%Brb+LoK%YN0P383nEo!{mhGFV2fqv0-q!94QXTqL_?)!=cw4qRCW z)VgFwizu%9vTa0-geQ3F%IaYR^@)#;@Uh{W|00R(x=dUVlpjIQb!9K%W@=RV%#!WB zXM;tY!Z9YLees1hSx=@k2s*O?`?1=Gp0hyzMUYL#+jiy<23&e}hXq0Wy^j{?NRHuf z&BuP9ZuFUK1naj3M(N_*0GUJ~12BCOk_WmJ?7`A^Al;@3d}vD&+(d_O#Rwz~&7fEYAYY(?Cwt!b2Fq6EZ2A3(GMSv?u8 zseG3AE`;linj47jLOlJM<9#%@ocMzdpGN!go5k$7t3KZQka_|)+$1&?tHwIIxeNNe zbSDOGAa0OtBmxu= z&_?;^n`5^0)pQm*D}Nvj`#q)afD1-&YM|G$7OV>cdSCNDsO`lv!hWo2y!3~c3l6bK}6G1FU{HuoA1~5Ic zkn~vMX7G6K5Sn}qMt|ZUI{;_1Z=EE(V+02sT$1~NGsEhx<)Ssaj3q7=AU?)K+vXdI 
z#DbW9>DIQ_fmXGvafeK&dWJg__y)_$DW|GtJ!xlsxjH~)_AT$#XsSBBzAT-B@svzF zi8Z9x9#?g`AQy|+oSYhdr)}V}$`g$WN^xk5UoowR+Pn~|lI%%wl$XnyJHdhXa2E+^ zWZ9oK1_p$?>#FLSNH$9xw;R3{is%75!NnOy3)a%xX?Oy>iNzGAe4=zOUJGq8#c=N|b3w7Sz?}vDIh($;4WIF3b&542VFgkJ#S& z{}z`inoxJU2eLwPW$X+*&jO8fs8t)Gh755c?ss3R>n-F_Cc&)C;6kG$5TDSxCwgb- zn6EXY+oMukS6lcwoO>nDo5CIU0{ko)Qdf{UOXvYv_)vFXstYLwaY>n%q_(@=h!XY= zCJDQy(NHI&Y62hRTq05Br>5bWat&$gb`w0*089odD_1UO`66``r@Qb7hW2^bRs5wi0t z4w{=7OX&0R-VD=&|9*?2zU)zXGuf{}w}?dloC)2A#c%6y4WeN2f_5&_;S9rq&J8m~ zgM_yuhU@ZPAr4DtVG4VN+C{*x`m(}NwKkNc!w9yK&vzqG0gDJv!mLMEeztZ=?UF#+ z-}s4JefNO%L3}oEC@MxjB{Y?tEM&h{K06Z5w7OBn#iO{e6%iJZK?bpy2V@j@-dR`2 zH}c%)QF_}JIGOzKLQ!A%+jthVxG-su&+~14?m;RuYpgpC08o6-RFgQmyE6MJO)&jf z(X_(+XYD)dDpdap=@O|74;;(lz*Qjobbw~EF|O_1QlT_9z?zJ{TT^YYEMda9?ww?m z?C+y;_Bx<{t6hSOQR;T7Lfezz+-b8HQanA0Ho9&0dtVeqQjw9iWt8E>=I+1#{bAcB zkMCQ77Yx7-?FiD$?WeI2P>E?yF>AIqo08Gq6Y0Ybx~J{g;;V#vpP$7*f_$?%{73%n zf@kf)z0l$yK5Qs{DBzHMBOct&)5wN@^|0;TkI<|(xL7&22}_n}X_8baA> z4(S0QKk~P&(ain$;;#=kk41)Nv8$3732n<8jeuC#z5buVTivBsn`3_pq~Ch3i_#4- z>3g5%5$1HRN6cAGetb_M2ROD|BzOkW_4+ViR%S2oxwfDA3I^2d05DzjXu{(V*4wOg@09I!3ib#t L%zpt)8&9kl-^t!4 literal 0 HcmV?d00001 diff --git a/config/secrets/services/gitlab/otpFile.age b/config/secrets/services/gitlab/otpFile.age new file mode 100644 index 0000000..5f2d2c2 --- /dev/null +++ b/config/secrets/services/gitlab/otpFile.age 
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> piv-p256 ML6NcA AnpV2pIa/CJARAIeqiSnMmImKfcH9I2Rx1a60PPbj0B5 +ubQJ5fXCm8QdZxKzB1JQhM2czxcM389i3KJMVWhu/v0 +-> ssh-ed25519 zj2A2A 94bArcytcgnc4Z3rGC7OjegYmSI+wgVedBBJJdS7cjo +n+Quq/5MvYStNKO1pb6gt5+OSzdS5G69E5nz8m/4L20 +--- fjLcbdOs+eow7Bga8biE1ndVJ4YQuIsxVvBjVlaWnFk +.GyٗXhv piv-p256 ML6NcA Agle2Q7Wqs6UQid4OdoqCqXhgFDbXGmOdMWrn6dEfYMz +c5mObXbkVmeK0bkyrfRqfeVXqQEKi2s1gKGzQExJyF8 +-> ssh-ed25519 zj2A2A IzCLZxeLJr0K9oB1VXv/dEaExmyWdArcA6VLIG46CGk +KdF7I4wOp/E0mHACZEmuhYbftK95cTKD+8jXv8pIkEI +--- wtdyUN37m2GJbOCfBXR2+KYj7C1edcS5htu0a+dcB+Y + +n=|\}Ld +:+#}_Ôdʯ1c8!KXj~ׯM=֔K~Dw&p灌! \ No newline at end of file diff --git a/config/services/default.nix b/config/services/default.nix index 9886b8a..aaafb24 100644 --- a/config/services/default.nix +++ b/config/services/default.nix @@ -4,7 +4,8 @@ ./atuin.nix ./containers.nix ./freshrss.nix - ./gitea.nix + # ./gitea + ./gitlab ./invidious.nix ./libreddit.nix ./nginx.nix diff --git a/config/services/gitea/templates/custom/extra_links_footer.tmpl b/config/services/gitea/customizations/templates/custom/extra_links_footer.tmpl similarity index 100% rename from config/services/gitea/templates/custom/extra_links_footer.tmpl rename to config/services/gitea/customizations/templates/custom/extra_links_footer.tmpl diff --git a/config/services/gitea/templates/custom/header.tmpl b/config/services/gitea/customizations/templates/custom/header.tmpl similarity index 100% rename from config/services/gitea/templates/custom/header.tmpl rename to config/services/gitea/customizations/templates/custom/header.tmpl diff --git a/config/services/gitea/templates/home.tmpl b/config/services/gitea/customizations/templates/home.tmpl similarity index 100% rename from config/services/gitea/templates/home.tmpl rename to config/services/gitea/customizations/templates/home.tmpl 
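Review bot: `# ./gitea` removes the gitea module from the imports, yet the same commit still edits config/services/gitea/default.nix (runner set to `enable = false`, host-gateway entry renamed) and keeps the `services/gitea/*` secrets registered, so those edits become configuration that is never evaluated. If gitea is being retired in favour of gitlab, say so on the line, e.g. `# ./gitea  # disabled: replaced by ./gitlab`, and drop the stale gitea edits in the same change; otherwise restore the import as `./gitea`. The two gitea hunks in config/services/gitea/default.nix share this point and are not commented on separately.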
diff --git a/config/services/gitea.nix b/config/services/gitea/default.nix similarity index 95% rename from config/services/gitea.nix rename to config/services/gitea/default.nix index 3dd04cf..56e3266 100644 --- a/config/services/gitea.nix +++ b/config/services/gitea/default.nix @@ -79,14 +79,14 @@ }; services.gitea-actions-runner.instances.main = { - enable = true; + enable = false; name = "main"; url = config.services.gitea.settings.server.ROOT_URL; tokenFile = config.age.secrets."services/gitea/runner-token".path; labels = ["ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"]; settings.container = { network = "host"; - options = "--add-host=git.winston.sh:host-gateway"; + options = "--add-host=gitea.winston.sh:host-gateway"; }; }; @@ -96,7 +96,7 @@ lib.mkAfter '' chmod u+w -R ${stateDir}/custom/**/* # apply customizations - cp -Rf ${./gitea}/* ${stateDir}/custom + cp -Rf ${./customizations}/* ${stateDir}/custom chmod u-w -R ${stateDir}/custom/**/* ''; diff --git a/config/services/gitlab/default.nix b/config/services/gitlab/default.nix new file mode 100644 index 0000000..7d99af3 --- /dev/null +++ b/config/services/gitlab/default.nix @@ -0,0 +1,15 @@ +{ + imports = [ + ./module.nix + ./nginx.nix + ./secrets.nix + ]; + + services.gitlab = { + enable = true; + https = true; + port = 24136; + host = "gitlab.winston.sh"; + initialRootEmail = "hey@winston.sh"; + }; +} diff --git a/config/services/gitlab/module.nix b/config/services/gitlab/module.nix new file mode 100644 index 0000000..d454dc9 --- /dev/null +++ b/config/services/gitlab/module.nix 
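Review bot: `port = 24136;` next to `https = true;` looks inconsistent with config/services/gitlab/nginx.nix in this commit, which serves `gitlab.winston.sh` on the TLS port and proxies to the workhorse unix socket rather than to a TCP port. As far as I recall, `services.gitlab.port` in the NixOS module is the externally visible port GitLab puts into copy-paste and clone URLs, not a listen port, so this value would make GitLab advertise `https://gitlab.winston.sh:24136/...` where nothing listens. If that reading is right the line should be `port = 443;`; if 24136 is meant as a listen port for something outside this diff, a comment on the line explaining which component uses it would save the next reader the same question.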
@@ -0,0 +1,23 @@
+# swap out GitLab stable for unstable
+{
+ pkgs,
+ inputs,
+ ...
+}: {
+ disabledModules = [
+ "services/misc/gitlab.nix"
+ "services/continuous-integration/gitlab-runner.nix"
+ ];
+ imports = [
+ "${inputs.nixpkgs-unstable}/nixos/modules/services/misc/gitlab.nix"
+ "${inputs.nixpkgs-unstable}/nixos/modules/services/continuous-integration/gitlab-runner.nix"
+ ];
+ services.gitlab.packages = {
+ gitaly = pkgs.unstable.gitaly;
+ gitlab = pkgs.unstable.gitlab;
+ gitlab-shell = pkgs.unstable.gitlab-shell;
+ gitlab-workhorse = pkgs.unstable.gitlab-workhorse;
+ pages = pkgs.unstable.gitlab-pages;
+ };
+ services.gitlab-runner.package = pkgs.unstable.gitea-actions-runner;
+}
diff --git a/config/services/gitlab/nginx.nix b/config/services/gitlab/nginx.nix
new file mode 100644
index 0000000..517f4c5
--- /dev/null
+++ b/config/services/gitlab/nginx.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+ services.nginx.virtualHosts.${config.services.gitlab.host} = {
+ forceSSL = true;
+ enableACME = false;
+ useACMEHost = "winston.sh";
+
+ locations."/" = {
+ extraConfig = "client_max_body_size 512M;";
+ proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ };
+ };
+}
diff --git a/config/services/gitlab/secrets.nix b/config/services/gitlab/secrets.nix
new file mode 100644
index 0000000..6dee3a8
--- /dev/null
+++ b/config/services/gitlab/secrets.nix
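Review bot: `services.gitlab-runner.package = pkgs.unstable.gitea-actions-runner;` hands the Gitea Actions runner to the GitLab runner module, which reads like a copy-paste slip from the gitea configuration; the two programs are unrelated and the module's `package` option is meant for gitlab-runner. The line should read `services.gitlab-runner.package = pkgs.unstable.gitlab-runner;`, assuming the `unstable` attribute set used throughout this file mirrors the nixpkgs-unstable input (its definition is outside this diff). Nothing in this commit sets `services.gitlab-runner.enable`, so the wrong package would only surface once a runner is turned on, which is a reason to fix it now rather than after a confusing failure later.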
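Review bot: `proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";` on its own forwards no `Host`, `X-Forwarded-Proto` or `X-Forwarded-For` headers, and with `https = true` set in config/services/gitlab/default.nix GitLab depends on those to build https URLs and to log the real client address instead of the proxy's. Unless `services.nginx.recommendedProxySettings = true;` is already set in the sibling ./nginx.nix (outside this diff), add `recommendedProxySettings = true;` beside `extraConfig` in this location, or an explicit `proxy_set_header` set for Host and the X-Forwarded-* headers inside `extraConfig`. A one-line comment on `enableACME = false;` saying that the certificate comes from the shared `winston.sh` ACME host would also help the next reader.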
@@ -0,0 +1,19 @@
+{config, ...}: {
+ services.gitlab = {
+ initialRootPasswordFile = config.age.secrets."services/gitlab/initialRootPasswordFile".path;
+ secrets = {
+ dbFile = config.age.secrets."services/gitlab/dbFile".path;
+ jwsFile = config.age.secrets."services/gitlab/jwsFile".path;
+ otpFile = config.age.secrets."services/gitlab/otpFile".path;
+ secretFile = config.age.secrets."services/gitlab/secretFile".path;
+ };
+ };
+
+ age.secrets = {
+ "services/gitlab/dbFile".owner = "gitlab";
+ "services/gitlab/jwsFile".owner = "gitlab";
+ "services/gitlab/otpFile".owner = "gitlab";
+ "services/gitlab/secretFile".owner = "gitlab";
+ "services/gitlab/initialRootPasswordFile".owner = "gitlab";
+ };
+}