Use gitlab instead of gitea

flake.nix

@@ -103,6 +103,11 @@
             tetris = tetris.packages.${self.system}.default;
             udp2raw = self.callPackage ./packages/udp2raw { };
             mastodon = nixpkgs-22_11.legacyPackages.${self.system}.mastodon;
+            gitlab-pages = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-pages;
+            gitlab = nixpkgs-22_11.legacyPackages.${self.system}.gitlab;
+            gitlab-gitaly = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-gitaly;
+            gitlab-shell = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-shell;
+            gitlab-workhorse = nixpkgs-22_11.legacyPackages.${self.system}.gitlab-workhorse;
           })
           nur.overlay
           www-chvp-be.overlay

modules/services/git/default.nix

@@ -10,77 +10,67 @@
     chvp.services.nginx.hosts = [{
       fqdn = "git.chvp.be";
       options = {
-        root = pkgs.gitea.data;
+        locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
-        locations = {
-          "/".tryFiles = "$uri @proxy";
-          "@proxy" = {
-            proxyPass = "http://unix:/run/gitea/gitea.sock";
-            proxyWebsockets = true;
-          };
-        };
       };
     }];
     users = {
       users = {
         git = {
-          uid = 963;
+          uid = lib.mkForce 963;
-          home = "/var/lib/git";
           group = "git";
           isSystemUser = true;
           useDefaultShell = true;
         };
         nginx.extraGroups = [ "git" ];
       };
-      groups.git.gid = 963;
+      groups.git.gid = lib.mkForce 963;
     };
     services.openssh.settings.AcceptEnv = "GIT_PROTOCOL";
-    services.gitea = {
+    services.gitlab = {
       enable = true;
-      stateDir = "/var/lib/git";
+      statePath = "/var/lib/git/state";
+      backup.path = "/var/lib/git/backup";
+      databaseCreateLocally = true;
+      databaseUsername = "git";
+      databaseName = "git";
       user = "git";
-      database = {
+      group = "git";
-        type = "postgres";
+      host = "git.chvp.be";
-        createDatabase = true;
+      port = 443;
-        user = "git";
+      https = true;
-        name = "git";
+      initialRootEmail = "charlotte@vanpetegem.me";
+      initialRootPasswordFile = config.age.secrets."passwords/services/git/initial-root-password".path;
+      secrets = {
+        dbFile = config.age.secrets."passwords/services/git/db".path;
+        jwsFile = config.age.secrets."passwords/services/git/jws".path;
+        otpFile = config.age.secrets."passwords/services/git/otp".path;
+        secretFile = config.age.secrets."passwords/services/git/secret".path;
       };
-      dump.enable = true;
+      smtp = {
-      lfs.enable = true;
+        enable = true;
-      appName = "Charlotte's personal git server";
+        enableStartTLSAuto = false;
-      domain = "git.chvp.be";
-      rootUrl = "https://git.chvp.be/";
-      enableUnixSocket = true;
-      settings = {
-        repository = {
-          DEFAULT_PRIVATE = "private";
-          ENABLE_PUSH_CREATE_USER = true;
-          ENABLE_PUSH_CREATE_ORG = true;
-        };
-        "repository.pull-request".DEFAULT_MERGE_STYLE = "squash";
-        "repository.mimetype_mapping" = {
-          ".apk" = "application/vnd.android.package-archive";
-        };
-        ui.DEFAULT_SHOW_FULL_NAME = true;
-        security.DISABLE_GIT_HOOKS = false;
-        service = {
-          ENABLE_NOTIFY_EMAIL = true;
-          EMAIL_DOMAIN_WHITELIST = "chvp.be";
-          REGISTER_EMAIL_CONFIRM = true;
-          AUTO_WATCH_ON_CHANGES = true;
-        };
-        mailer = {
-          ENABLED = true;
-          FROM = "git@chvp.be";
-          PROTOCOL = "smtp";
-          SMTP_ADDR = "localhost";
-          SMTP_PORT = 25;
-        };
-        session.COOKIE_SECURE = true;
-        cron = {
-          ENABLED = true;
-          SCHEDULE = "@every 1h";
-        };
       };
     };
+
+    age.secrets."passwords/services/git/initial-root-password" = {
+      file = ../../../secrets/passwords/services/git/initial-root-password.age;
+      owner = "git";
+    };
+    age.secrets."passwords/services/git/db" = {
+      file = ../../../secrets/passwords/services/git/db.age;
+      owner = "git";
+    };
+    age.secrets."passwords/services/git/jws" = {
+      file = ../../../secrets/passwords/services/git/jws.age;
+      owner = "git";
+    };
+    age.secrets."passwords/services/git/otp" = {
+      file = ../../../secrets/passwords/services/git/otp.age;
+      owner = "git";
+    };
+    age.secrets."passwords/services/git/secret" = {
+      file = ../../../secrets/passwords/services/git/secret.age;
+      owner = "git";
+    };
   };
 }

secrets.nix

@@ -53,6 +53,12 @@ in
 
   "secrets/passwords/services/acme.age".publicKeys = servers ++ users;
 
+  "secrets/passwords/services/git/initial-root-password.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/passwords/services/git/db.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/passwords/services/git/jws.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/passwords/services/git/otp.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/passwords/services/git/secret.age".publicKeys = [ lasting-integrity ] ++ users;
+
   "secrets/passwords/services/mastodon/otp.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/passwords/services/mastodon/key.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/passwords/services/mastodon/vapid-public.age".publicKeys = [ lasting-integrity ] ++ users;

secrets/passwords/services/git/initial-root-password.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ O11cPqy+/L+ePRytx27QBj//kh6U4damkDa60SEbXmo
+wnf3EwDmHJFNBglZmowqGSNn2qkrVKoZ2E2UUyZmiYk
+-> ssh-ed25519 s9rb8g PG1Hke9E2ylwVi0UatCb1BwN+fbMw0psipmiRslp70A
+zHwWbipOB2E9n7rBhsCqnhvrez99vAIYQvxAIsWnPP8
+-> ssh-ed25519 yad4VQ J8GGaJ7VDxfWOfk8wS26Lq6dphaycdsI953obqnhjSw
+G1xueXqo5hQG0UyNhKNsJZOM5NSixvcmNn1ZU6cqb9k
+-> q/`sYBb-grease >pX&`o! Ah;"|; UKI
+81VULzeBn2OvlxC5+KVzds6La8HMH57w72NIdgMbVbYI1rkUs9iaOApI8uPfSLhX
+/DFmqHvFZoXYF4oVtc2hYw3O4q4
+--- LAD40kdAbTzthRMCfhbdt5gKgneR/6Lo8rhOwajXbSc
+<EFBFBD>Ž*Ìõ}…F¢›“D[éüÀÃ!]7NÄ8Kq“à	ŒöórxGQÉ4?³<>±ôºC 	>)ðT
kM47

secrets/passwords/services/git/jws.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ GATA3jxp3tGFZ54Yv70z6UX0wR7g7COjM5b06NZ5Rkw
+FLIERbTaxc5GMHIUf9EYNT53G6jW95BqS4Vyw1tiRbs
+-> ssh-ed25519 s9rb8g WcMXJTBlFupeKigAbWSrgHS9P3GDsh96deoeG/bYxC4
++2K6bxswOjpSUG8L9x8hVmC8mOX9mjrb8C7D1QvOwnY
+-> ssh-ed25519 yad4VQ ATOgZtFsLAAM8OQ+iO2/yjf4TmYlsxyTKoe2kzURGn8
+8zgn2CtLb8d5TqoVH17MXNTKCITeQdXCr6Kfl8YQ+2I
+-> }3z-grease
+0fIn+ebVFxTisRMg/rOZlUcrBYdg7glm4Ci2KDzxzdni0wf9AeLenpZF4kQWdxeL
+7GwXoSsIGfYocw
+--- vVN43s7nYiXjldZEYekUZ9+k6AK8p6H+6xLrL613ctk
+uS˜å#¹5¨TÆ颢 L<>«ÉœóMÂ"	¥£9ª<39>’ÜQduNkôP²‹òm­ú7)u*ýƒ±b÷¾¢‡ù?>„”ƒžè7þ 

secrets/passwords/services/git/secret.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ ERObE9AI73viL134aV91m3/EkMc3vdTkuZUhypE3oCo
+4WVZo6H6h3XVsbz9iYAlCrpjh0OBNw/RER/ncnfxcLk
+-> ssh-ed25519 s9rb8g 1MyHO3Kk02KWTUzNXYL7zVUD/S2HF9MTiZfxZ2oYZz0
+9+kGnd7GueX13iexpKkqdgLZw/LE6Lg5llza99KWmtg
+-> ssh-ed25519 yad4VQ APRpzpUo/8WCS4fI18XnvYfO+d7SuWratICveDrSQW4
+knKGKmhakEebQv8CqK4uwUdcXO/DH36LhKeYmkJjThY
+-> xn-grease OWPbO kc
+EWtx7SwT3sKCg7IIfbqHdEVtLOokhO5FTJH20se04/ZIfpCa9m7KJSMa9hggUpXr
+ZkywLvxKfz5jeKNsNcyLVhziPVh1dhbp5FqjpnGDrIr6xlVQfG3kQv1E3YbfqYQ
+--- dSmPLasAE47rIgqGKhD4z4a8KYX/uI9X4iMzDM9Cn1Q
+Ã]×Ó%:cxz6…‰ö*çº
»¢úÛ–[Äa‡@€µŒ·ú·0ÈÂVŒ•3ÙÄšøœÊ¹…­]W§B£à™ˆ<E284A2>£åüŒÖ+