gitlab in place

flake.lock

@@ -62,7 +62,7 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "narHash": "sha256-OlWM45xthVFn2NnXrIYRslLFt1m+q2ytMuasN8zXfNs=",
+        "narHash": "sha256-iifEYM1BKzvOs4K5dWiZofwEhiUTlgTvBzwtqo6MRr8=",
         "path": "/home/palo/dev/secrets",
         "type": "path"
       },

nixos/configs/robi/configuration.nix

@@ -7,14 +7,16 @@
 
     ./hetzner.nix
 
-    # todo
-    ./nextcloud.nix
 
     ./packages.nix
     ./tinc.nix
     ./syncthing.nix
     ./taskserver.nix
     ./transmission.nix
+    ./nextcloud.nix
+
+    # todo
+    ./gitlab.nix
 
     #../../system/server
 
@@ -22,7 +24,6 @@
     #./mail-fetcher.nix
     #./borg.nix
     #./finance.nix
-    #./gogs.nix
     #./grafana.nix
     #./graylog.nix
     #./jenkins.nix
@@ -34,6 +35,8 @@
 
   ];
 
+  services.sshguard.enable = true;
+
   # Shell configuration
   # -------------------
   programs.custom = {

nixos/configs/robi/gitlab.nix

@@ -0,0 +1,140 @@
+{ config, lib, pkgs, ... }:
+let
+    host = "gitlab.ingolf-wagner.de";
+in
+
+#let
+#
+#  errorPages = pkgs.fetchgit {
+#    url = "https://git.ingolf-wagner.de/palo/http-errors.git";
+#    rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
+#    sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
+#  };
+#
+#  error = {
+#    extraConfig = ''
+#      error_page 400 /errors/400.html;
+#      error_page 401 /errors/401.html;
+#      error_page 402 /errors/402.html;
+#      error_page 403 /errors/403.html;
+#      error_page 404 /errors/404.html;
+#      error_page 405 /errors/405.html;
+#      error_page 406 /errors/406.html;
+#      error_page 500 /errors/500.html;
+#      error_page 501 /errors/501.html;
+#      error_page 502 /errors/502.html;
+#      error_page 503 /errors/503.html;
+#      error_page 504 /errors/504.html;
+#    '';
+#    locations."^~ /errors/" = {
+#      extraConfig = "internal;";
+#      root = "${errorPages}/";
+#    };
+#  };
+#
+#in
+{
+
+  #services.nginx = {
+  #  enable = true;
+  #  statusPage = true;
+  #  virtualHosts = {
+  #    "git.${config.networking.hostName}.private" = {
+  #      extraConfig = error.extraConfig;
+  #      locations."/" = {
+  #        proxyPass = "http://${config.networking.hostName}.private:${
+  #            toString config.services.gogs.httpPort
+  #          }";
+  #      };
+  #    };
+  #  };
+  #};
+
+  #services.gogs = {
+  #  enable = true;
+  #  appName = "Kruck GoGs";
+  #  domain = "git.ingolf-wagner.de";
+  #  httpPort = 3000;
+  #  repositoryRoot = "/home/gogs/repositories";
+  #  stateDir = "/home/gogs";
+  #  rootUrl = "https://git.ingolf-wagner.de/";
+  #  extraConfig = ''
+  #    [service]
+  #    DISABLE_REGISTRATION     = true
+  #    SHOW_REGISTRATION_BUTTON = false
+  #    [server]
+  #    SSH_DOMAIN               = "git.ingolf-wagner.de"
+  #    SSH_PORT                 = 2222
+  #    START_SSH_SERVER         = true
+  #    SSH_LISTEN_PORT          = 2222
+
+  #    [log.file]
+  #    LEVEL = Warn
+
+  #    [log.console]
+  #    LEVEL = Warn
+
+  #    [log.sublogger.macaron]
+  #    LEVEL = Warn
+  #  '';
+  #};
+  #backup.dirs = [ config.services.gogs.repositoryRoot ];
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts.${host} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+    };
+  };
+
+  sops.secrets.gitlab_database_password.owner = config.services.gitlab.user;
+  sops.secrets.gitlab_initial_root_password.owner = config.services.gitlab.user;
+  sops.secrets.gitlab_secrets_db.owner = config.services.gitlab.user;
+  sops.secrets.gitlab_secrets_jws.owner = config.services.gitlab.user;
+  sops.secrets.gitlab_secrets_otp.owner = config.services.gitlab.user;
+  sops.secrets.gitlab_secrets_secret.owner = config.services.gitlab.user;
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_12;
+  };
+
+  services.gitlab = {
+    enable = true;
+    host = host;
+    port = 443;
+    https = true;
+    smtp.enable = false;
+
+    databasePasswordFile = config.sops.secrets.gitlab_database_password.path;
+    initialRootPasswordFile = config.sops.secrets.gitlab_initial_root_password.path;
+
+    secrets = {
+      # Make sure the secret is at least 30 characters and all random,
+      # no regular words or you'll be exposed to dictionary attacks
+      dbFile = config.sops.secrets.gitlab_secrets_db.path;
+
+      # openssl genrsa 2048
+      jwsFile = config.sops.secrets.gitlab_secrets_jws.path;
+
+      # Make sure the secret is at least 30 characters and all random,
+      # no regular words or you'll be exposed to dictionary attacks
+      otpFile = config.sops.secrets.gitlab_secrets_otp.path;
+
+      # Make sure the secret is at least 30 characters and all random,
+      # no regular words or you'll be exposed to dictionary attacks
+      secretFile = config.sops.secrets.gitlab_secrets_secret.path;
+    };
+
+    # smtp?
+
+    # gitlab-runner?
+  };
+
+}

nixos/configs/robi/gogs.nix

@@ -1,122 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-
-  errorPages = pkgs.fetchgit {
-    url = "https://git.ingolf-wagner.de/palo/http-errors.git";
-    rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
-    sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
-  };
-
-  error = {
-    extraConfig = ''
-      error_page 400 /errors/400.html;
-      error_page 401 /errors/401.html;
-      error_page 402 /errors/402.html;
-      error_page 403 /errors/403.html;
-      error_page 404 /errors/404.html;
-      error_page 405 /errors/405.html;
-      error_page 406 /errors/406.html;
-      error_page 500 /errors/500.html;
-      error_page 501 /errors/501.html;
-      error_page 502 /errors/502.html;
-      error_page 503 /errors/503.html;
-      error_page 504 /errors/504.html;
-    '';
-    locations."^~ /errors/" = {
-      extraConfig = "internal;";
-      root = "${errorPages}/";
-    };
-  };
-
-in
-{
-
-  services.nginx = {
-    enable = true;
-    statusPage = true;
-    virtualHosts = {
-      "git.${config.networking.hostName}.private" = {
-        extraConfig = error.extraConfig;
-        locations."/" = {
-          proxyPass = "http://${config.networking.hostName}.private:${
-              toString config.services.gogs.httpPort
-            }";
-        };
-      };
-    };
-  };
-
-  services.gogs = {
-    enable = true;
-    appName = "Kruck GoGs";
-    domain = "git.ingolf-wagner.de";
-    httpPort = 3000;
-    repositoryRoot = "/home/gogs/repositories";
-    stateDir = "/home/gogs";
-    rootUrl = "https://git.ingolf-wagner.de/";
-    extraConfig = ''
-      [service]
-      DISABLE_REGISTRATION     = true
-      SHOW_REGISTRATION_BUTTON = false
-      [server]
-      SSH_DOMAIN               = "git.ingolf-wagner.de"
-      SSH_PORT                 = 2222
-      START_SSH_SERVER         = true
-      SSH_LISTEN_PORT          = 2222
-
-      [log.file]
-      LEVEL = Warn
-
-      [log.console]
-      LEVEL = Warn
-
-      [log.sublogger.macaron]
-      LEVEL = Warn
-    '';
-  };
-  backup.dirs = [ config.services.gogs.repositoryRoot ];
-
-  #  services.nginx = {
-  #    enable = true;
-  #    statusPage = true;
-  #    virtualHosts = {
-  #      "gitlab.${config.networking.hostName}.private" = {
-  #        extraConfig = error.extraConfig;
-  #        locations."/" = {
-  #          proxyPass = "http://${config.networking.hostName}.private:${
-  #              toString config.services.gitlab.port
-  #            }";
-  #        };
-  #      };
-  #    };
-  #  };
-  #  services.gitlab = {
-  #    enable = true;
-  #    host = "gitlab.${config.networking.hostname}.private";
-  #    port = 9897;
-  #    #databasePasswordFile = "path/todo";
-  #    #initialRootPasswordFile = "path/todo";
-  #
-  #    secrets = {
-  #      #  Make sure the secret is at least 30 characters and all random,
-  #      # no regular words or you'll be exposed to dictionary attacks
-  #      dbFile = "path/todo";
-  #
-  #      # openssl genrsa 2048
-  #      jwsFile = "path/todo";
-  #
-  #      # Make sure the secret is at least 30 characters and all random,
-  #      # no regular words or you'll be exposed to dictionary attacks
-  #      otpFile = "path/todo";
-  #
-  #      # Make sure the secret is at least 30 characters and all random,
-  #      # no regular words or you'll be exposed to dictionary attacks
-  #      secretFile = "path/todo";
-  #    };
-  #
-  #    # smtp?
-  #
-  #    # gitlab-runner?
-  #  };
-
-}

nixos/system/desktop/home-manager.nix

@@ -80,22 +80,30 @@ in
     home.git-pull = {
       enable = mkDefault true;
       repositories = [
-        {
-          source = "git@git.space-left.org:space-left/rc3-map.git";
-          target = "~/dev/space-left/rc3-map";
-        }
-        {
-          source = "git@github.com:krebs/rc3-map.git";
-          target = "~/dev/krebs/rc3-map";
-        }
+        # krebs
         {
           source = "git@github.com:krebs/stockholm.git";
           target = "~/dev/krebs/stockholm";
         }
+        {
+          source = "git@github.com:krebs/rc3-map.git";
+          target = "~/dev/krebs/rc3-map";
+        }
+        # spaceleft
+        {
+          source = "git@git.space-left.org:space-left/rc3-map.git";
+          target = "~/dev/space-left/rc3-map";
+        }
+        # nixos
         {
           source = "git@github.com:mrVanDalo/home-manager-utils.git";
           target = "~/dev/home-manager-utils";
         }
+        {
+          source = "gitlab@gitlab.ingolf-wagner.de:palo/nixos-config.git";
+          target = "~/dev/nixos";
+        }
+        # terranix
         {
           source = "git@github.com:terranix/terranix.git";
           target = "~/dev/terranix/terranix";