feat: add gitlab

2024-03-09 01:37:57 +00:00 · 2024-03-09 01:37:57 +00:00 · 4ad5d302a7
commit 4ad5d302a7
parent 3abd2abb29
15 changed files with 119 additions and 4 deletions
--- a/config/secrets/secrets.nix
+++ b/config/secrets/secrets.nix
@ -6,14 +6,27 @@ let
 in {
  "containers/faerber.env.age".publicKeys = default;
  "containers/ghcr-token.age".publicKeys = default;
+
  "lego/porkbun-credentials.age".publicKeys = default;
+
  "services/attic/atticd.env.age".publicKeys = default;
+
  "services/freshrss/admin-credentials.age".publicKeys = default;
+
  "services/gitea/password-database.age".publicKeys = default;
  "services/gitea/runner-token.age".publicKeys = default;
+
+  "services/gitlab/dbFile.age".publicKeys = default;
+  "services/gitlab/jwsFile.age".publicKeys = default;
+  "services/gitlab/otpFile.age".publicKeys = default;
+  "services/gitlab/secretFile.age".publicKeys = default;
+  "services/gitlab/initialRootPasswordFile.age".publicKeys = default;
+
  "services/invidious/config.json.age".publicKeys = default;
  "services/invidious/password-database.age".publicKeys = default;
+
  "services/wakapi/password-salt.env.age".publicKeys = default;
+
  "system/password-root.age".publicKeys = default;
  "system/password-winston.age".publicKeys = default;
 }
--- a/config/secrets/services/gitlab/dbFile.age
+++ b/config/secrets/services/gitlab/dbFile.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> piv-p256 ML6NcA AlQdkB/oXYRRK3gv9K3VQJ+Y1s15cmMsc35MH/37J76F
+2XYHW0ecBjFFzd46wnW/jkiOS6PU5L+lNLSExQv5gPo
+-> ssh-ed25519 zj2A2A 7EcFaSjzgKu9Piy4VXVYHrFNz0AlLLmeJlkFZe1xDi0
+NyQpvTEfunmReT7Ri0CfL7260cn150bqW/jiArQ1z8I
+--- 5OhYw4koEcQBhnKUjA8aHkbUZ3o9v/0fRN5twU72R+0
+&šKÞën”'4pNÏ[hFµÂïÁà<C381>Ñ4ù½Ø}ÝtÜ#Î¥Æ¤S¢Ó@è±ÆMQ´»Ðë„Âí;ó	u_:Pƒ]—ÞÌ¡§ÉÓ5d?
˜tÝå' ‚úœÕUõ“Õ
--- a/config/secrets/services/gitlab/initialRootPasswordFile.age
+++ b/config/secrets/services/gitlab/initialRootPasswordFile.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> piv-p256 ML6NcA A3B/mnV9SGBb2GcY5oE5NPSkprv0mA0u2gr/x9iFz4d4
+S4db0PsWSupKRaiFoObxB6wgh+bT67Zn/xx1EWSv7HI
+-> ssh-ed25519 zj2A2A AiZf7bER4xz4Z/uORWAsMC3+EkRzfnJfcRm/ticvmHg
+Q84LW1Tupl2g513/O19ZX/fVjrK+OVbiRg1TR5Cx7ZA
+--- i9jrVPtGgLEFks0hoPk2bdbbj+Av1/XfTgtxWS877O4
+<EFBFBD>5·g¸Û¢ÕÙ(}gs“[LS“ªÂòY4ïœuE%Gsù
+¸ú‘Ôý×Ëü¹Ý"“‚Û‚7ƒ§™¥ìî
--- a/config/secrets/services/gitlab/jwsFile.age
+++ b/config/secrets/services/gitlab/jwsFile.age
--- a/config/secrets/services/gitlab/otpFile.age
+++ b/config/secrets/services/gitlab/otpFile.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> piv-p256 ML6NcA AnpV2pIa/CJARAIeqiSnMmImKfcH9I2Rx1a60PPbj0B5
+ubQJ5fXCm8QdZxKzB1JQhM2czxcM389i3KJMVWhu/v0
+-> ssh-ed25519 zj2A2A 94bArcytcgnc4Z3rGC7OjegYmSI+wgVedBBJJdS7cjo
+n+Quq/5MvYStNKO1pb6gt5+OSzdS5G69E5nz8m/4L20
+--- fjLcbdOs+eow7Bga8biE1ndVJ4YQuIsxVvBjVlaWnFk
+ž.G¡yà•¨Ù—Â¯XhvÊ<‘S¸$ <>¸’?Îôlj-…Exajæ™ÖÀÌ‡+PÎéêØÃ!¢ÚÝ–Ò‡¤
+<EFBFBD>’Dw"2Æ|4}´÷Jê$¾KˆÕ6S;Ê(/§
--- a/config/secrets/services/gitlab/secretFile.age
+++ b/config/secrets/services/gitlab/secretFile.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> piv-p256 ML6NcA Agle2Q7Wqs6UQid4OdoqCqXhgFDbXGmOdMWrn6dEfYMz
+c5mObXbkVmeK0bkyrfRqfeVXqQEKi2s1gKGzQExJyF8
+-> ssh-ed25519 zj2A2A IzCLZxeLJr0K9oB1VXv/dEaExmyWdArcA6VLIG46CGk
+KdF7I4wOp/E0mHACZEmuhYbftK95cTKD+8jXv8pIkEI
+--- wtdyUN37m2GJbOCfBXR2+KYj7C1edcS5htu0a+dcB+Y
+®
+‚¡n=|¶ÜÙ\ªœÿŒ¢}‰ÿÍÅLd
+±°ø:+€#ì}_Ã”dµù¯—Ê¯øÈó1c8!KÖŸXé®õj²Ž~×¯M=Ö”´ÚKò~ÓDòý»w«&õ‡Ìpëýáç<C3A1>Œ„!
--- a/config/services/default.nix
+++ b/config/services/default.nix
@ -4,7 +4,8 @@
    ./atuin.nix
    ./containers.nix
    ./freshrss.nix
-    ./gitea.nix
+    # ./gitea
+    ./gitlab
    ./invidious.nix
    ./libreddit.nix
    ./nginx.nix
--- a/config/services/gitea/customizations/templates/custom/extra_links_footer.tmpl
+++ b/config/services/gitea/customizations/templates/custom/extra_links_footer.tmpl
--- a/config/services/gitea/customizations/templates/custom/header.tmpl
+++ b/config/services/gitea/customizations/templates/custom/header.tmpl
--- a/config/services/gitea/customizations/templates/home.tmpl
+++ b/config/services/gitea/customizations/templates/home.tmpl
--- a/config/services/gitea/default.nix
+++ b/config/services/gitea/default.nix
@ -79,14 +79,14 @@
  };

  services.gitea-actions-runner.instances.main = {
-    enable = true;
+    enable = false;
    name = "main";
    url = config.services.gitea.settings.server.ROOT_URL;
    tokenFile = config.age.secrets."services/gitea/runner-token".path;
    labels = ["ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"];
    settings.container = {
      network = "host";
-      options = "--add-host=git.winston.sh:host-gateway";
+      options = "--add-host=gitea.winston.sh:host-gateway";
    };
  };

@ -96,7 +96,7 @@
    lib.mkAfter ''
      chmod u+w -R ${stateDir}/custom/**/*
      # apply customizations
-      cp -Rf ${./gitea}/* ${stateDir}/custom
+      cp -Rf ${./customizations}/* ${stateDir}/custom
      chmod u-w -R ${stateDir}/custom/**/*
    '';

--- a/config/services/gitlab/default.nix
+++ b/config/services/gitlab/default.nix
@ -0,0 +1,15 @@
+{
+  imports = [
+    ./module.nix
+    ./nginx.nix
+    ./secrets.nix
+  ];
+
+  services.gitlab = {
+    enable = true;
+    https = true;
+    port = 24136;
+    host = "gitlab.winston.sh";
+    initialRootEmail = "hey@winston.sh";
+  };
+}
--- a/config/services/gitlab/module.nix
+++ b/config/services/gitlab/module.nix
@ -0,0 +1,23 @@
+# swap out GitLab stable for unstable
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  disabledModules = [
+    "services/misc/gitlab.nix"
+    "services/continuous-integration/gitlab-runner.nix"
+  ];
+  imports = [
+    "${inputs.nixpkgs-unstable}/nixos/modules/services/misc/gitlab.nix"
+    "${inputs.nixpkgs-unstable}/nixos/modules/services/continuous-integration/gitlab-runner.nix"
+  ];
+  services.gitlab.packages = {
+    gitaly = pkgs.unstable.gitaly;
+    gitlab = pkgs.unstable.gitlab;
+    gitlab-shell = pkgs.unstable.gitlab-shell;
+    gitlab-workhorse = pkgs.unstable.gitlab-workhorse;
+    pages = pkgs.unstable.gitlab-pages;
+  };
+  services.gitlab-runner.package = pkgs.unstable.gitea-actions-runner;
+}
--- a/config/services/gitlab/nginx.nix
+++ b/config/services/gitlab/nginx.nix
@ -0,0 +1,12 @@
+{config, ...}: {
+  services.nginx.virtualHosts.${config.services.gitlab.host} = {
+    forceSSL = true;
+    enableACME = false;
+    useACMEHost = "winston.sh";
+
+    locations."/" = {
+      extraConfig = "client_max_body_size 512M;";
+      proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+    };
+  };
+}
--- a/config/services/gitlab/secrets.nix
+++ b/config/services/gitlab/secrets.nix
@ -0,0 +1,19 @@
+{config, ...}: {
+  services.gitlab = {
+    initialRootPasswordFile = config.age.secrets."services/gitlab/initialRootPasswordFile".path;
+    secrets = {
+      dbFile = config.age.secrets."services/gitlab/dbFile".path;
+      jwsFile = config.age.secrets."services/gitlab/jwsFile".path;
+      otpFile = config.age.secrets."services/gitlab/otpFile".path;
+      secretFile = config.age.secrets."services/gitlab/secretFile".path;
+    };
+  };
+
+  age.secrets = {
+    "services/gitlab/dbFile".owner = "gitlab";
+    "services/gitlab/jwsFile".owner = "gitlab";
+    "services/gitlab/otpFile".owner = "gitlab";
+    "services/gitlab/secretFile".owner = "gitlab";
+    "services/gitlab/initialRootPasswordFile".owner = "gitlab";
+  };
+}