diff --git a/flake.nix b/flake.nix
index e085c547..dd9a88f0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -103,6 +103,11 @@
 tetris = tetris.packages.${self.system}.default;
 udp2raw = self.callPackage ./packages/udp2raw { };
 mastodon = nixpkgs-22_11.legacyPackages.${self.system}.mastodon;
+ gitlab-pages = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-pages;
+ gitlab = nixpkgs-22_11.legacyPackages.${self.system}.gitlab;
+ gitlab-gitaly = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-gitaly;
+ gitlab-shell = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-shell;
+ gitlab-workhorse = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-workhorse;
 })
 nur.overlay
 www-chvp-be.overlay
diff --git a/modules/services/git/default.nix b/modules/services/git/default.nix
index 251217af..4397699c 100644
--- a/modules/services/git/default.nix
+++ b/modules/services/git/default.nix
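Review bot: The five gitlab-* entries are taken from `nixpkgs-22_11.legacyPackages`, and nothing in the hunk records why GitLab is held on that older input rather than the flake's primary nixpkgs. GitLab sits directly behind the public `git.chvp.be` vhost and ships frequent security releases, so this pin decides how quickly those fixes reach the host; if `nixpkgs-22_11` tracks a release branch that is no longer receiving updates (not visible here), the pin also stops future advisories from ever being picked up. A comment such as `# GitLab pinned to nixpkgs-22_11 because <REASON — fill in>; check the packaged GitLab version against current advisories whenever this input is bumped` would record the intent, and the entries should move back to the primary input once the blocking reason is gone.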
@@ -10,77 +10,67 @@
 chvp.services.nginx.hosts = [{
 fqdn = "git.chvp.be";
 options = {
- root = pkgs.gitea.data;
- locations = {
- "/".tryFiles = "$uri @proxy";
- "@proxy" = {
- proxyPass = "http://unix:/run/gitea/gitea.sock";
- proxyWebsockets = true;
- };
- };
+ locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
 };
 }];
 users = {
 users = {
 git = {
- uid = 963;
- home = "/var/lib/git";
+ uid = lib.mkForce 963;
 group = "git";
 isSystemUser = true;
 useDefaultShell = true;
 };
 nginx.extraGroups = [ "git" ];
 };
- groups.git.gid = 963;
+ groups.git.gid = lib.mkForce 963;
 };
 services.openssh.settings.AcceptEnv = "GIT_PROTOCOL";
- services.gitea = {
+ services.gitlab = {
 enable = true;
- stateDir = "/var/lib/git";
+ statePath = "/var/lib/git/state";
+ backup.path = "/var/lib/git/backup";
+ databaseCreateLocally = true;
+ databaseUsername = "git";
+ databaseName = "git";
 user = "git";
- database = {
- type = "postgres";
- createDatabase = true;
- user = "git";
- name = "git";
+ group = "git";
+ host = "git.chvp.be";
+ port = 443;
+ https = true;
+ initialRootEmail = "charlotte@vanpetegem.me";
+ initialRootPasswordFile = config.age.secrets."passwords/services/git/initial-root-password".path;
+ secrets = {
+ dbFile = config.age.secrets."passwords/services/git/db".path;
+ jwsFile = config.age.secrets."passwords/services/git/jws".path;
+ otpFile = config.age.secrets."passwords/services/git/otp".path;
+ secretFile = config.age.secrets."passwords/services/git/secret".path;
 };
- dump.enable = true;
- lfs.enable = true;
- appName = "Charlotte's personal git server";
- domain = "git.chvp.be";
- rootUrl = "https://git.chvp.be/";
- enableUnixSocket = true;
- settings = {
- repository = {
- DEFAULT_PRIVATE = "private";
- ENABLE_PUSH_CREATE_USER = true;
- ENABLE_PUSH_CREATE_ORG = true;
- };
- "repository.pull-request".DEFAULT_MERGE_STYLE = "squash";
- "repository.mimetype_mapping" = {
- ".apk" = "application/vnd.android.package-archive";
- };
- ui.DEFAULT_SHOW_FULL_NAME = true;
- security.DISABLE_GIT_HOOKS = false;
- service = {
- ENABLE_NOTIFY_EMAIL = true;
- EMAIL_DOMAIN_WHITELIST = "chvp.be";
- REGISTER_EMAIL_CONFIRM = true;
- AUTO_WATCH_ON_CHANGES = true;
- };
- mailer = {
- ENABLED = true;
- FROM = "git@chvp.be";
- PROTOCOL = "smtp";
- SMTP_ADDR = "localhost";
- SMTP_PORT = 25;
- };
- session.COOKIE_SECURE = true;
- cron = {
- ENABLED = true;
- SCHEDULE = "@every 1h";
- };
+ smtp = {
+ enable = true;
+ enableStartTLSAuto = false;
 };
 };
+
+ age.secrets."passwords/services/git/initial-root-password" = {
+ file = ../../../secrets/passwords/services/git/initial-root-password.age;
+ owner = "git";
+ };
+ age.secrets."passwords/services/git/db" = {
+ file = ../../../secrets/passwords/services/git/db.age;
+ owner = "git";
+ };
+ age.secrets."passwords/services/git/jws" = {
+ file = ../../../secrets/passwords/services/git/jws.age;
+ owner = "git";
+ };
+ age.secrets."passwords/services/git/otp" = {
+ file = ../../../secrets/passwords/services/git/otp.age;
+ owner = "git";
+ };
+ age.secrets."passwords/services/git/secret" = {
+ file = ../../../secrets/passwords/services/git/secret.age;
+ owner = "git";
+ };
 };
 }
diff --git a/secrets.nix b/secrets.nix
index 39d27611..82f81182 100644
--- a/secrets.nix
+++ b/secrets.nix
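Review bot: The new `services.gitlab` block carries no replacement for the removed Gitea registration controls (`EMAIL_DOMAIN_WHITELIST = "chvp.be"`, `REGISTER_EMAIL_CONFIRM = true`), and GitLab's default application settings allow public sign-up, so the public `git.chvp.be` vhost may accept arbitrary account registrations after the migration unless that is switched off in the Admin Area, which lives in the database rather than in this file. Either set the equivalent restriction declaratively via `services.gitlab.extraConfig` or record the manual step with a comment such as `# sign-up restrictions are not managed here; disable public sign-up in Admin Area > Settings > General after first boot`. Separately, `smtp.enableStartTLSAuto = false` is set with no relay address in the hunk, so it presumably targets the same loopback relay the removed `SMTP_ADDR = "localhost"` used; a one-line comment, `# plaintext SMTP is acceptable only because the relay is on loopback`, would keep a later move to a remote relay from silently sending mail in the clear. The enclosing module attribute set starts before this hunk.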
@@ -53,6 +53,12 @@ in "secrets/passwords/services/acme.age".publicKeys = servers ++ users;
+ "secrets/passwords/services/git/initial-root-password.age".publicKeys = [ lasting-integrity ] ++ users;
+ "secrets/passwords/services/git/db.age".publicKeys = [ lasting-integrity ] ++ users;
+ "secrets/passwords/services/git/jws.age".publicKeys = [ lasting-integrity ] ++ users;
+ "secrets/passwords/services/git/otp.age".publicKeys = [ lasting-integrity ] ++ users;
+ "secrets/passwords/services/git/secret.age".publicKeys = [ lasting-integrity ] ++ users;
+ "secrets/passwords/services/mastodon/otp.age".publicKeys = [ lasting-integrity ] ++ users;
 "secrets/passwords/services/mastodon/key.age".publicKeys = [ lasting-integrity ] ++ users;
 "secrets/passwords/services/mastodon/vapid-public.age".publicKeys = [ lasting-integrity ] ++ users;
diff --git a/secrets/passwords/services/git/db.age b/secrets/passwords/services/git/db.age
new file mode 100644
index 00000000..6a0453f1
Binary files /dev/null and b/secrets/passwords/services/git/db.age differ
diff --git a/secrets/passwords/services/git/initial-root-password.age b/secrets/passwords/services/git/initial-root-password.age
new file mode 100644
index 00000000..7f3b37c3
--- /dev/null
+++ b/secrets/passwords/services/git/initial-root-password.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ O11cPqy+/L+ePRytx27QBj//kh6U4damkDa60SEbXmo
+wnf3EwDmHJFNBglZmowqGSNn2qkrVKoZ2E2UUyZmiYk
+-> ssh-ed25519 s9rb8g PG1Hke9E2ylwVi0UatCb1BwN+fbMw0psipmiRslp70A
+zHwWbipOB2E9n7rBhsCqnhvrez99vAIYQvxAIsWnPP8
+-> ssh-ed25519 yad4VQ J8GGaJ7VDxfWOfk8wS26Lq6dphaycdsI953obqnhjSw
+G1xueXqo5hQG0UyNhKNsJZOM5NSixvcmNn1ZU6cqb9k
+-> q/`sYBb-grease >pX&`o! Ah;"|; UKI
+81VULzeBn2OvlxC5+KVzds6La8HMH57w72NIdgMbVbYI1rkUs9iaOApI8uPfSLhX
+/DFmqHvFZoXYF4oVtc2hYw3O4q4
+--- LAD40kdAbTzthRMCfhbdt5gKgneR/6Lo8rhOwajXbSc
+*}FD[!]7N8Kq rxGQ4?C >)TkM47
\ No newline at end of file
diff --git a/secrets/passwords/services/git/jws.age b/secrets/passwords/services/git/jws.age
new file mode 100644
index 00000000..457c8c38
--- /dev/null
+++ b/secrets/passwords/services/git/jws.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ GATA3jxp3tGFZ54Yv70z6UX0wR7g7COjM5b06NZ5Rkw
+FLIERbTaxc5GMHIUf9EYNT53G6jW95BqS4Vyw1tiRbs
+-> ssh-ed25519 s9rb8g WcMXJTBlFupeKigAbWSrgHS9P3GDsh96deoeG/bYxC4
++2K6bxswOjpSUG8L9x8hVmC8mOX9mjrb8C7D1QvOwnY
+-> ssh-ed25519 yad4VQ ATOgZtFsLAAM8OQ+iO2/yjf4TmYlsxyTKoe2kzURGn8
+8zgn2CtLb8d5TqoVH17MXNTKCITeQdXCr6Kfl8YQ+2I
+-> }3z-grease
+0fIn+ebVFxTisRMg/rOZlUcrBYdg7glm4Ci2KDzxzdni0wf9AeLenpZF4kQWdxeL
+7GwXoSsIGfYocw
+--- vVN43s7nYiXjldZEYekUZ9+k6AK8p6H+6xLrL613ctk
+uS#5T颢 LɜM" 9QduNkPm7)u*b?>7
\ No newline at end of file
diff --git a/secrets/passwords/services/git/otp.age b/secrets/passwords/services/git/otp.age
new file mode 100644
index 00000000..f6e65f38
Binary files /dev/null and b/secrets/passwords/services/git/otp.age differ
diff --git a/secrets/passwords/services/git/secret.age b/secrets/passwords/services/git/secret.age
new file mode 100644
index 00000000..6821445d
--- /dev/null
+++ b/secrets/passwords/services/git/secret.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ ERObE9AI73viL134aV91m3/EkMc3vdTkuZUhypE3oCo
+4WVZo6H6h3XVsbz9iYAlCrpjh0OBNw/RER/ncnfxcLk
+-> ssh-ed25519 s9rb8g 1MyHO3Kk02KWTUzNXYL7zVUD/S2HF9MTiZfxZ2oYZz0
+9+kGnd7GueX13iexpKkqdgLZw/LE6Lg5llza99KWmtg
+-> ssh-ed25519 yad4VQ APRpzpUo/8WCS4fI18XnvYfO+d7SuWratICveDrSQW4
+knKGKmhakEebQv8CqK4uwUdcXO/DH36LhKeYmkJjThY
+-> xn-grease OWPbO kc
+EWtx7SwT3sKCg7IIfbqHdEVtLOokhO5FTJH20se04/ZIfpCa9m7KJSMa9hggUpXr
+ZkywLvxKfz5jeKNsNcyLVhziPVh1dhbp5FqjpnGDrIr6xlVQfG3kQv1E3YbfqYQ
+--- dSmPLasAE47rIgqGKhD4z4a8KYX/uI9X4iMzDM9Cn1Q
+]%:cxz6*ۖ[a@0V3ʹ]WB+
\ No newline at end of file