diff --git a/config/secrets/secrets.nix b/config/secrets/secrets.nix index 4e07d3e..c1f0181 100644 --- a/config/secrets/secrets.nix +++ b/config/secrets/secrets.nix @@ -6,14 +6,27 @@ let in { "containers/faerber.env.age".publicKeys = default; "containers/ghcr-token.age".publicKeys = default; + "lego/porkbun-credentials.age".publicKeys = default; + "services/attic/atticd.env.age".publicKeys = default; + "services/freshrss/admin-credentials.age".publicKeys = default; + "services/gitea/password-database.age".publicKeys = default; "services/gitea/runner-token.age".publicKeys = default; + + "services/gitlab/dbFile.age".publicKeys = default; + "services/gitlab/jwsFile.age".publicKeys = default; + "services/gitlab/otpFile.age".publicKeys = default; + "services/gitlab/secretFile.age".publicKeys = default; + "services/gitlab/initialRootPasswordFile.age".publicKeys = default; + "services/invidious/config.json.age".publicKeys = default; "services/invidious/password-database.age".publicKeys = default; + "services/wakapi/password-salt.env.age".publicKeys = default; + "system/password-root.age".publicKeys = default; "system/password-winston.age".publicKeys = default; } diff --git a/config/secrets/services/gitlab/dbFile.age b/config/secrets/services/gitlab/dbFile.age new file mode 100644 index 0000000..04a066b --- /dev/null +++ b/config/secrets/services/gitlab/dbFile.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> piv-p256 ML6NcA AlQdkB/oXYRRK3gv9K3VQJ+Y1s15cmMsc35MH/37J76F +2XYHW0ecBjFFzd46wnW/jkiOS6PU5L+lNLSExQv5gPo +-> ssh-ed25519 zj2A2A 7EcFaSjzgKu9Piy4VXVYHrFNz0AlLLmeJlkFZe1xDi0 +NyQpvTEfunmReT7Ri0CfL7260cn150bqW/jiArQ1z8I +--- 5OhYw4koEcQBhnKUjA8aHkbUZ3o9v/0fRN5twU72R+0 +&K n'4pN[hF4}t#ΥƤS@MQ; u_:P]̡5d? t' U \ No newline at end of file diff --git a/config/secrets/services/gitlab/initialRootPasswordFile.age b/config/secrets/services/gitlab/initialRootPasswordFile.age new file mode 100644 index 0000000..c6f033f --- /dev/null 
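Review bot: `"services/gitlab/initialRootPasswordFile.age"` is placed after `secretFile.age`, breaking the alphabetical order the rest of this list keeps; move it above `jwsFile.age`, or make the grouping explicit with a comment such as `# GitLab: four Rails secrets plus the one-shot bootstrap root password (see services/gitlab/secrets.nix)`. Every new entry, down to `system/password-root.age`, is encrypted to the same `default` recipients — the `.age` files in this diff show one `piv-p256` and one `ssh-ed25519` stanza — so the host key decrypts root and service credentials alike, which is the usual single-host agenix layout but worth stating next to `default` (defined in the `let` above this hunk). The other additions (`lego/porkbun-credentials.age`, the attic, freshrss and wakapi entries, `system/password-root.age`) have no encrypted file anywhere in this diff, so confirm they already exist in the tree before the next `agenix -r`, as a missing file cannot be rekeyed.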
+++ b/config/secrets/services/gitlab/initialRootPasswordFile.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> piv-p256 ML6NcA A3B/mnV9SGBb2GcY5oE5NPSkprv0mA0u2gr/x9iFz4d4 +S4db0PsWSupKRaiFoObxB6wgh+bT67Zn/xx1EWSv7HI +-> ssh-ed25519 zj2A2A AiZf7bER4xz4Z/uORWAsMC3+EkRzfnJfcRm/ticvmHg +Q84LW1Tupl2g513/O19ZX/fVjrK+OVbiRg1TR5Cx7ZA +--- i9jrVPtGgLEFks0hoPk2bdbbj+Av1/XfTgtxWS877O4 +5gۢ(}gs[LSY4uE%Gs + "ۂ7 \ No newline at end of file diff --git a/config/secrets/services/gitlab/jwsFile.age b/config/secrets/services/gitlab/jwsFile.age new file mode 100644 index 0000000..268723a Binary files /dev/null and b/config/secrets/services/gitlab/jwsFile.age differ diff --git a/config/secrets/services/gitlab/otpFile.age b/config/secrets/services/gitlab/otpFile.age new file mode 100644 index 0000000..5f2d2c2 --- /dev/null +++ b/config/secrets/services/gitlab/otpFile.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> piv-p256 ML6NcA AnpV2pIa/CJARAIeqiSnMmImKfcH9I2Rx1a60PPbj0B5 +ubQJ5fXCm8QdZxKzB1JQhM2czxcM389i3KJMVWhu/v0 +-> ssh-ed25519 zj2A2A 94bArcytcgnc4Z3rGC7OjegYmSI+wgVedBBJJdS7cjo +n+Quq/5MvYStNKO1pb6gt5+OSzdS5G69E5nz8m/4L20 +--- fjLcbdOs+eow7Bga8biE1ndVJ4YQuIsxVvBjVlaWnFk +.GyٗXhv piv-p256 ML6NcA Agle2Q7Wqs6UQid4OdoqCqXhgFDbXGmOdMWrn6dEfYMz +c5mObXbkVmeK0bkyrfRqfeVXqQEKi2s1gKGzQExJyF8 +-> ssh-ed25519 zj2A2A IzCLZxeLJr0K9oB1VXv/dEaExmyWdArcA6VLIG46CGk +KdF7I4wOp/E0mHACZEmuhYbftK95cTKD+8jXv8pIkEI +--- wtdyUN37m2GJbOCfBXR2+KYj7C1edcS5htu0a+dcB+Y + +n=|\}Ld +:+#}_Ôdʯ1c8!KXj~ׯM=֔K~Dw&p灌! \ No newline at end of file diff --git a/config/services/default.nix b/config/services/default.nix index 9886b8a..aaafb24 100644 --- a/config/services/default.nix +++ b/config/services/default.nix @@ -4,7 +4,8 @@ ./atuin.nix ./containers.nix ./freshrss.nix - ./gitea.nix + # ./gitea + ./gitlab ./invidious.nix ./libreddit.nix ./nginx.nix 
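Review bot: `# ./gitea` leaves a commented-out import in the list instead of deleting it, and because `config/services/gitea/default.nix` is still edited in this same commit (runner disabled, `--add-host` hostname updated) a reader cannot tell whether Gitea is retired or merely parked. Either drop the line or state the intent, e.g. `# ./gitea  # parked during the GitLab migration; module kept current so it can be re-enabled`. Note that once the module is no longer imported, any `age.secrets."services/gitea/…"` declarations it presumably carried disappear with it, which is only safe if nothing outside the module (the `secrets.nix` recipient list aside) still references them.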
diff --git a/config/services/gitea/templates/custom/extra_links_footer.tmpl b/config/services/gitea/customizations/templates/custom/extra_links_footer.tmpl
similarity index 100%
rename from config/services/gitea/templates/custom/extra_links_footer.tmpl
rename to config/services/gitea/customizations/templates/custom/extra_links_footer.tmpl
diff --git a/config/services/gitea/templates/custom/header.tmpl b/config/services/gitea/customizations/templates/custom/header.tmpl
similarity index 100%
rename from config/services/gitea/templates/custom/header.tmpl
rename to config/services/gitea/customizations/templates/custom/header.tmpl
diff --git a/config/services/gitea/templates/home.tmpl b/config/services/gitea/customizations/templates/home.tmpl
similarity index 100%
rename from config/services/gitea/templates/home.tmpl
rename to config/services/gitea/customizations/templates/home.tmpl
diff --git a/config/services/gitea.nix b/config/services/gitea/default.nix
similarity index 95%
rename from config/services/gitea.nix
rename to config/services/gitea/default.nix
index 3dd04cf..56e3266 100644
--- a/config/services/gitea.nix
+++ b/config/services/gitea/default.nix
@@ -79,14 +79,14 @@
   };
   services.gitea-actions-runner.instances.main = {
-    enable = true;
+    enable = false;
     name = "main";
     url = config.services.gitea.settings.server.ROOT_URL;
     tokenFile = config.age.secrets."services/gitea/runner-token".path;
     labels = ["ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"];
     settings.container = {
       network = "host";
-      options = "--add-host=git.winston.sh:host-gateway";
+      options = "--add-host=gitea.winston.sh:host-gateway";
     };
   };
@@ -96,7 +96,7 @@
     lib.mkAfter ''
       chmod u+w -R ${stateDir}/custom/**/*
       # apply customizations
-      cp -Rf ${./gitea}/* ${stateDir}/custom
+      cp -Rf ${./customizations}/* ${stateDir}/custom
       chmod u-w -R ${stateDir}/custom/**/*
     '';
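Review bot: With `enable = false;` the rest of the runner instance (`name`, `url`, `tokenFile`, `labels`, `settings.container`) is dead configuration, so the `options` change to `--add-host=gitea.winston.sh:host-gateway` in the same hunk can never take effect. If the runner is retired in favour of GitLab CI, remove the whole instance and its `runner-token` secret reference; if it is parked, say so above `enable`, e.g. `# disabled while CI moves to GitLab; host entry already renamed to gitea.winston.sh`. The `url` is still taken from `config.services.gitea.settings.server.ROOT_URL`, which is outside this hunk — if that still reads `git.winston.sh`, it should be renamed together with the `--add-host` entry. The enclosing attribute set starts and ends outside the hunk.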
diff --git a/config/services/gitlab/default.nix b/config/services/gitlab/default.nix
new file mode 100644
index 0000000..7d99af3
--- /dev/null
+++ b/config/services/gitlab/default.nix
@@ -0,0 +1,15 @@
+{
+  imports = [
+    ./module.nix
+    ./nginx.nix
+    ./secrets.nix
+  ];
+
+  services.gitlab = {
+    enable = true;
+    https = true;
+    port = 24136;
+    host = "gitlab.winston.sh";
+    initialRootEmail = "hey@winston.sh";
+  };
+}
diff --git a/config/services/gitlab/module.nix b/config/services/gitlab/module.nix
new file mode 100644
index 0000000..d454dc9
--- /dev/null
+++ b/config/services/gitlab/module.nix
@@ -0,0 +1,23 @@
+# swap out GitLab stable for unstable
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  disabledModules = [
+    "services/misc/gitlab.nix"
+    "services/continuous-integration/gitlab-runner.nix"
+  ];
+  imports = [
+    "${inputs.nixpkgs-unstable}/nixos/modules/services/misc/gitlab.nix"
+    "${inputs.nixpkgs-unstable}/nixos/modules/services/continuous-integration/gitlab-runner.nix"
+  ];
+  services.gitlab.packages = {
+    gitaly = pkgs.unstable.gitaly;
+    gitlab = pkgs.unstable.gitlab;
+    gitlab-shell = pkgs.unstable.gitlab-shell;
+    gitlab-workhorse = pkgs.unstable.gitlab-workhorse;
+    pages = pkgs.unstable.gitlab-pages;
+  };
+  services.gitlab-runner.package = pkgs.unstable.gitea-actions-runner;
+}
diff --git a/config/services/gitlab/nginx.nix b/config/services/gitlab/nginx.nix
new file mode 100644
index 0000000..517f4c5
--- /dev/null
+++ b/config/services/gitlab/nginx.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+  services.nginx.virtualHosts.${config.services.gitlab.host} = {
+    forceSSL = true;
+    enableACME = false;
+    useACMEHost = "winston.sh";
+
+    locations."/" = {
+      extraConfig = "client_max_body_size 512M;";
+      proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+    };
+  };
+}
diff --git a/config/services/gitlab/secrets.nix b/config/services/gitlab/secrets.nix
new file mode 100644
index 0000000..6dee3a8
--- /dev/null
+++ b/config/services/gitlab/secrets.nix
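Review bot: `port = 24136;` looks wrong for `services.gitlab.port`: in the NixOS module that option is the port GitLab writes into the URLs it generates (clone URLs, e-mail links), not a listen port — the application is reached through the workhorse Unix socket that `nginx.nix` in this same commit proxies on the standard HTTPS port. With `https = true;` and nginx terminating TLS this should read `port = 443;`, otherwise users are handed `https://gitlab.winston.sh:24136/...` links that nothing answers. If 24136 was meant as a custom SSH/Git port, that is configured elsewhere, not through this option. A comment such as `# advertised (external) port only; the app listens on the workhorse socket` would stop the confusion recurring.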
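Review bot: `services.gitlab-runner.package = pkgs.unstable.gitea-actions-runner;` assigns the Gitea Actions runner to the GitLab runner module — a different program with a different command line — so the moment `services.gitlab-runner.enable` is switched on the unit will execute the wrong binary and fail. The intended value is presumably `pkgs.unstable.gitlab-runner`, matching the unstable `gitlab-runner.nix` module imported a few lines above. The header comment could also record why module and packages are swapped together, e.g. `# swap out GitLab stable for unstable — the module's options track the package version, so both must come from the same nixpkgs`; that the `pkgs.unstable` overlay exists is assumed from this file alone.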
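Review bot: The `locations."/"` block proxies to the workhorse socket but sets no forwarded headers, and GitLab relies on `Host`, `X-Forwarded-Proto` and `X-Forwarded-For` from the reverse proxy to build https URLs and to log and rate-limit real client addresses rather than the socket peer. Unless `services.nginx.recommendedProxySettings = true;` is set elsewhere (not visible in this diff), extend `extraConfig` with `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. `enableACME = false;` is the option's default and can be dropped, since `useACMEHost` already says where the certificate comes from. The `client_max_body_size 512M` limit should be chosen together with GitLab's own max push/attachment size so oversized pushes produce a GitLab error rather than an opaque nginx 413.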
@@ -0,0 +1,19 @@
+{config, ...}: {
+  services.gitlab = {
+    initialRootPasswordFile = config.age.secrets."services/gitlab/initialRootPasswordFile".path;
+    secrets = {
+      dbFile = config.age.secrets."services/gitlab/dbFile".path;
+      jwsFile = config.age.secrets."services/gitlab/jwsFile".path;
+      otpFile = config.age.secrets."services/gitlab/otpFile".path;
+      secretFile = config.age.secrets."services/gitlab/secretFile".path;
+    };
+  };
+
+  age.secrets = {
+    "services/gitlab/dbFile".owner = "gitlab";
+    "services/gitlab/jwsFile".owner = "gitlab";
+    "services/gitlab/otpFile".owner = "gitlab";
+    "services/gitlab/secretFile".owner = "gitlab";
+    "services/gitlab/initialRootPasswordFile".owner = "gitlab";
+  };
+}
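Review bot: The four `secrets.*` entries deserve a comment saying they are GitLab's Rails key material and must stay stable for the life of the instance: per the NixOS module's option descriptions `dbFile` encrypts variables stored in the database and `otpFile` the stored 2FA seeds, `secretFile` signs session and key tokens and `jwsFile` is the RSA key used for JWS/JWT, so regenerating any of them silently invalidates existing data, whereas `initialRootPasswordFile` is consumed only when the database is first seeded. Something like `# dbFile/otpFile/secretFile/jwsFile: rotating these invalidates encrypted DB columns, 2FA seeds and signed tokens — back them up together with the database` above `secrets = {` captures that, with `# read once at initial setup; change the root password in the UI afterwards` on `initialRootPasswordFile`. The five `owner = "gitlab"` lines could collapse to a `lib.genAttrs` over the secret names, at the cost of adding `lib` to the argument set.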