From b94de5ca11c0200b78c5ff7ea140884ae7feca58 Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Mon, 23 Jan 2023 15:37:00 +0100
Subject: [PATCH] Use gitlab instead of gitea
---
 flake.nix | 5 +
 modules/services/git/default.nix | 98 ++++++++----------
 secrets.nix | 6 ++
 secrets/passwords/services/git/db.age | Bin 0 -> 637 bytes
 .../services/git/initial-root-password.age | 12 +++
 secrets/passwords/services/git/jws.age | 12 +++
 secrets/passwords/services/git/otp.age | Bin 0 -> 579 bytes
 secrets/passwords/services/git/secret.age | 12 +++
 8 files changed, 91 insertions(+), 54 deletions(-)
 create mode 100644 secrets/passwords/services/git/db.age
 create mode 100644 secrets/passwords/services/git/initial-root-password.age
 create mode 100644 secrets/passwords/services/git/jws.age
 create mode 100644 secrets/passwords/services/git/otp.age
 create mode 100644 secrets/passwords/services/git/secret.age
diff --git a/flake.nix b/flake.nix
index e085c547..dd9a88f0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -103,6 +103,11 @@
 tetris = tetris.packages.${self.system}.default;
 udp2raw = self.callPackage ./packages/udp2raw { };
 mastodon = nixpkgs-22_11.legacyPackages.${self.system}.mastodon;
+ gitlab-pages = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-pages;
+ gitlab = nixpkgs-22_11.legacyPackages.${self.system}.gitlab;
+ gitlab-gitaly = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-gitaly;
+ gitlab-shell = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-shell;
+ gitlab-workhorse = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-workhorse;
 })
 nur.overlay
 www-chvp-be.overlay
diff --git a/modules/services/git/default.nix b/modules/services/git/default.nix
index 251217af..4397699c 100644
--- a/modules/services/git/default.nix
+++ b/modules/services/git/default.nix
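Review bot: The five added gitlab-* entries all come from the pinned nixpkgs-22_11 input, so GitLab security releases only reach this host when that input is bumped, and nothing in the hunk records that; a short comment on the first added line, `# GitLab is pinned to nixpkgs-22_11 — bump that input to pick up security releases`, would make the maintenance obligation visible. As a point of style, the repeated `nixpkgs-22_11.legacyPackages.${self.system}` prefix could be written once with `inherit (nixpkgs-22_11.legacyPackages.${self.system}) gitlab gitlab-gitaly gitlab-pages gitlab-shell gitlab-workhorse;`, which keeps the five packages visibly tied to one channel. The overlay function these lines belong to starts before the hunk.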
@@ -10,77 +10,67 @@
 chvp.services.nginx.hosts = [{
 fqdn = "git.chvp.be";
 options = {
- root = pkgs.gitea.data;
- locations = {
- "/".tryFiles = "$uri @proxy";
- "@proxy" = {
- proxyPass = "http://unix:/run/gitea/gitea.sock";
- proxyWebsockets = true;
- };
- };
+ locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
 };
 }];
 users = {
 users = {
 git = {
- uid = 963;
- home = "/var/lib/git";
+ uid = lib.mkForce 963;
 group = "git";
 isSystemUser = true;
 useDefaultShell = true;
 };
 nginx.extraGroups = [ "git" ];
 };
- groups.git.gid = 963;
+ groups.git.gid = lib.mkForce 963;
 };
 services.openssh.settings.AcceptEnv = "GIT_PROTOCOL";
- services.gitea = {
+ services.gitlab = {
 enable = true;
- stateDir = "/var/lib/git";
+ statePath = "/var/lib/git/state";
+ backup.path = "/var/lib/git/backup";
+ databaseCreateLocally = true;
+ databaseUsername = "git";
+ databaseName = "git";
 user = "git";
- database = {
- type = "postgres";
- createDatabase = true;
- user = "git";
- name = "git";
+ group = "git";
+ host = "git.chvp.be";
+ port = 443;
+ https = true;
+ initialRootEmail = "charlotte@vanpetegem.me";
+ initialRootPasswordFile = config.age.secrets."passwords/services/git/initial-root-password".path;
+ secrets = {
+ dbFile = config.age.secrets."passwords/services/git/db".path;
+ jwsFile = config.age.secrets."passwords/services/git/jws".path;
+ otpFile = config.age.secrets."passwords/services/git/otp".path;
+ secretFile = config.age.secrets."passwords/services/git/secret".path;
 };
- dump.enable = true;
- lfs.enable = true;
- appName = "Charlotte's personal git server";
- domain = "git.chvp.be";
- rootUrl = "https://git.chvp.be/";
- enableUnixSocket = true;
- settings = {
- repository = {
- DEFAULT_PRIVATE = "private";
- ENABLE_PUSH_CREATE_USER = true;
- ENABLE_PUSH_CREATE_ORG = true;
- };
- "repository.pull-request".DEFAULT_MERGE_STYLE = "squash";
- "repository.mimetype_mapping" = {
- ".apk" = "application/vnd.android.package-archive";
- };
- ui.DEFAULT_SHOW_FULL_NAME = true;
- security.DISABLE_GIT_HOOKS = false;
- service = {
- ENABLE_NOTIFY_EMAIL = true;
- EMAIL_DOMAIN_WHITELIST = "chvp.be";
- REGISTER_EMAIL_CONFIRM = true;
- AUTO_WATCH_ON_CHANGES = true;
- };
- mailer = {
- ENABLED = true;
- FROM = "git@chvp.be";
- PROTOCOL = "smtp";
- SMTP_ADDR = "localhost";
- SMTP_PORT = 25;
- };
- session.COOKIE_SECURE = true;
- cron = {
- ENABLED = true;
- SCHEDULE = "@every 1h";
- };
+ smtp = {
+ enable = true;
+ enableStartTLSAuto = false;
 };
 };
+
+ age.secrets."passwords/services/git/initial-root-password" = {
+ file = ../../../secrets/passwords/services/git/initial-root-password.age;
+ owner = "git";
+ };
+ age.secrets."passwords/services/git/db" = {
+ file = ../../../secrets/passwords/services/git/db.age;
+ owner = "git";
+ };
+ age.secrets."passwords/services/git/jws" = {
+ file = ../../../secrets/passwords/services/git/jws.age;
+ owner = "git";
+ };
+ age.secrets."passwords/services/git/otp" = {
+ file = ../../../secrets/passwords/services/git/otp.age;
+ owner = "git";
+ };
+ age.secrets."passwords/services/git/secret" = {
+ file = ../../../secrets/passwords/services/git/secret.age;
+ owner = "git";
+ };
 };
 }
diff --git a/secrets.nix b/secrets.nix
index 39d27611..82f81182 100644
--- a/secrets.nix
+++ b/secrets.nix
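Review bot: The removed Gitea settings restricted account creation (`EMAIL_DOMAIN_WHITELIST = "chvp.be"`, `REGISTER_EMAIL_CONFIRM = true`) and the new `services.gitlab` block declares no equivalent; that is expected, since GitLab keeps sign-up policy as an application setting outside this module, but the gap should be recorded so it is not forgotten after migration — suggest adding above `initialRootEmail` the comment `# sign-up restrictions are not declared here; disable or restrict public sign-up in GitLab's admin settings after first boot`. The new nginx location also drops the `proxyWebsockets = true` the Gitea proxy had; if GitLab features that rely on websockets are wanted, keep `locations."/".proxyWebsockets = true;` next to the `proxyPass`. `enableStartTLSAuto = false` disables opportunistic TLS toward the mail relay, which is presumably acceptable for the same local MTA the old `SMTP_ADDR = "localhost"` used, but a one-line why-comment on it would help the next reader. The module's enclosing attribute set starts before line 10, outside the hunk.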
@@ -53,6 +53,12 @@ in "secrets/passwords/services/acme.age".publicKeys = servers ++ users; + "secrets/passwords/services/git/initial-root-password.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/git/db.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/git/jws.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/git/otp.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/git/secret.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/mastodon/otp.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/mastodon/key.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/mastodon/vapid-public.age".publicKeys = [ lasting-integrity ] ++ users; 
diff --git a/secrets/passwords/services/git/db.age b/secrets/passwords/services/git/db.age new file mode 100644 index 0000000000000000000000000000000000000000..6a0453f1abaa244d2fe49efafb2e5c43c60b2702 GIT binary patch literal 637 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7@OE@73skW1O0D$C z3^b^!%C$&$bMnsg@eZ!?EwVJpHP7}<_oyf{E-cFl4-E4N&*t*>jPS1r3Mj8iD)x3X zFD|M`FE2>b&x|zn%*qM0Ff$Dc4$eq&^YL*_%}2Mb*s>_eB3&WWvCOhCGu*_&tSHB% z!YsAQJvk+_#4F!FQ9si)!Z|cEAS~TKtiU5LG@r{oFEuQ$v?3xoJTj{&)2ZCAB*ou9 zFW<8)DJRRz!Yfk0syrvH#J?aX%mm%G%ET0tut0@UKc^ytV#Acotc=j$iVUBC9QS;4 zKZET2g1nLp*Ca2u?8vOhs(?U8Lszb}#E@*~px}z!V#ms4$I<||0B4`#V1p3Wa$Svr68#;ybaizV46*})(+d3kEkfM0s{%`$0|T>6(~5Fay_^ez zvdfcvN=%$HgIudhjeSkH?j2onkLAdb?7YCP?N=U0?K*d6-BYo;ML`!|Fg uBe>?pnsc+}3+a?PfX(ss+B3r_hER?%~f9H#0&sD ssh-ed25519 hKAFvQ O11cPqy+/L+ePRytx27QBj//kh6U4damkDa60SEbXmo +wnf3EwDmHJFNBglZmowqGSNn2qkrVKoZ2E2UUyZmiYk +-> ssh-ed25519 s9rb8g PG1Hke9E2ylwVi0UatCb1BwN+fbMw0psipmiRslp70A +zHwWbipOB2E9n7rBhsCqnhvrez99vAIYQvxAIsWnPP8 +-> ssh-ed25519 yad4VQ J8GGaJ7VDxfWOfk8wS26Lq6dphaycdsI953obqnhjSw +G1xueXqo5hQG0UyNhKNsJZOM5NSixvcmNn1ZU6cqb9k +-> q/`sYBb-grease >pX&`o! Ah;"|; UKI +81VULzeBn2OvlxC5+KVzds6La8HMH57w72NIdgMbVbYI1rkUs9iaOApI8uPfSLhX +/DFmqHvFZoXYF4oVtc2hYw3O4q4 +--- LAD40kdAbTzthRMCfhbdt5gKgneR/6Lo8rhOwajXbSc +*}FD[!]7N8Kq rxGQ4?C >)TkM47 \ No newline at end of file diff --git a/secrets/passwords/services/git/jws.age b/secrets/passwords/services/git/jws.age new file mode 100644 index 00000000..457c8c38 --- /dev/null +++ b/secrets/passwords/services/git/jws.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ GATA3jxp3tGFZ54Yv70z6UX0wR7g7COjM5b06NZ5Rkw +FLIERbTaxc5GMHIUf9EYNT53G6jW95BqS4Vyw1tiRbs +-> ssh-ed25519 s9rb8g WcMXJTBlFupeKigAbWSrgHS9P3GDsh96deoeG/bYxC4 ++2K6bxswOjpSUG8L9x8hVmC8mOX9mjrb8C7D1QvOwnY +-> ssh-ed25519 yad4VQ ATOgZtFsLAAM8OQ+iO2/yjf4TmYlsxyTKoe2kzURGn8 +8zgn2CtLb8d5TqoVH17MXNTKCITeQdXCr6Kfl8YQ+2I +-> }3z-grease +0fIn+ebVFxTisRMg/rOZlUcrBYdg7glm4Ci2KDzxzdni0wf9AeLenpZF4kQWdxeL +7GwXoSsIGfYocw +--- vVN43s7nYiXjldZEYekUZ9+k6AK8p6H+6xLrL613ctk +uS#5T颢 LɜM" 9QduNkPm7)u*b?>7 \ No newline at end of file diff --git a/secrets/passwords/services/git/otp.age b/secrets/passwords/services/git/otp.age new file mode 100644 index 0000000000000000000000000000000000000000..f6e65f388ecd173f25cf6ccdd8e6af4c1b039e38 GIT binary patch literal 579 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7@OE@73sf+)bn*W<%l0cQGYibrFZ6K@*N-rCc1+7O4CD%r$nsCkHFM22O!4(7 zaV^Mo4aqAuDXsE~^ff3B^zbVQOV3F&H!m|U$Va!W*s>_eB3&WVHKW+ssW8>T)u~cH zusA)^Ji{ZqJS);5SliOiB+A&$FU&G5+{Dw-D3U9)EH^hbC(JCzvDCFF*eSy~#jV8C z!^A(+y`UX^Y1`5W>T$Yh8xn5N!Vd0jg z83v&d*%s-}&Se2k{t-rDrq1q>rn!l}S)P@NAx3Ft`evEN?yeEu!3LRO5w4CY2Hxq$ z!Cd+lQQ4LyVJ?Nn!696_y1EMK#mQ!At_B$;X#wfJ#!gig!KvvU6_$aniMgpoUXfL9 zUMa ssh-ed25519 hKAFvQ ERObE9AI73viL134aV91m3/EkMc3vdTkuZUhypE3oCo +4WVZo6H6h3XVsbz9iYAlCrpjh0OBNw/RER/ncnfxcLk +-> ssh-ed25519 s9rb8g 1MyHO3Kk02KWTUzNXYL7zVUD/S2HF9MTiZfxZ2oYZz0 +9+kGnd7GueX13iexpKkqdgLZw/LE6Lg5llza99KWmtg +-> ssh-ed25519 yad4VQ APRpzpUo/8WCS4fI18XnvYfO+d7SuWratICveDrSQW4 +knKGKmhakEebQv8CqK4uwUdcXO/DH36LhKeYmkJjThY +-> xn-grease OWPbO kc +EWtx7SwT3sKCg7IIfbqHdEVtLOokhO5FTJH20se04/ZIfpCa9m7KJSMa9hggUpXr +ZkywLvxKfz5jeKNsNcyLVhziPVh1dhbp5FqjpnGDrIr6xlVQfG3kQv1E3YbfqYQ +--- dSmPLasAE47rIgqGKhD4z4a8KYX/uI9X4iMzDM9Cn1Q +]%:cxz6*ۖ[a@0V3ʹ]WB+ \ No newline at end of file