From 6b5589e0f2007d4abe4fd0b4b981ae0551cfc966 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Fri, 31 Dec 2021 19:15:48 +0100
Subject: [PATCH] gitlab in place

---
 flake.lock | 2 +-
 nixos/configs/robi/configuration.nix | 9 +-
 nixos/configs/robi/gitlab.nix | 140 ++++++++++++++++++++++++++
 nixos/configs/robi/gogs.nix | 122 ----------------------
 nixos/system/desktop/home-manager.nix | 24 +++--
 5 files changed, 163 insertions(+), 134 deletions(-)
 create mode 100644 nixos/configs/robi/gitlab.nix
 delete mode 100644 nixos/configs/robi/gogs.nix

diff --git a/flake.lock b/flake.lock
index 739a495..7bd1406 100644
--- a/flake.lock
+++ b/flake.lock
@@ -62,7 +62,7 @@
 "secrets": {
 "flake": false,
 "locked": {
- "narHash": "sha256-OlWM45xthVFn2NnXrIYRslLFt1m+q2ytMuasN8zXfNs=",
+ "narHash": "sha256-iifEYM1BKzvOs4K5dWiZofwEhiUTlgTvBzwtqo6MRr8=",
 "path": "/home/palo/dev/secrets",
 "type": "path"
 },
diff --git a/nixos/configs/robi/configuration.nix b/nixos/configs/robi/configuration.nix
index 9866981..1614986 100644
--- a/nixos/configs/robi/configuration.nix
+++ b/nixos/configs/robi/configuration.nix
@@ -7,14 +7,16 @@
 ./hetzner.nix
- # todo
- ./nextcloud.nix
 ./packages.nix
 ./tinc.nix
 ./syncthing.nix
 ./taskserver.nix
 ./transmission.nix
+ ./nextcloud.nix
+
+ # todo
+ ./gitlab.nix
 #../../system/server
@@ -22,7 +24,6 @@
 #./mail-fetcher.nix
 #./borg.nix
 #./finance.nix
- #./gogs.nix
 #./grafana.nix
 #./graylog.nix
 #./jenkins.nix
@@ -34,6 +35,8 @@
 ];
+ services.sshguard.enable = true;
 # Shell configuration
 # -------------------
 programs.custom = {
diff --git a/nixos/configs/robi/gitlab.nix b/nixos/configs/robi/gitlab.nix
new file mode 100644
index 0000000..28d9a84
--- /dev/null
+++ b/nixos/configs/robi/gitlab.nix
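Review bot: The `# todo` comment that now sits directly above `./gitlab.nix` in the imports list is misleading, because this commit imports the module unconditionally (the open items are inside `gitlab.nix` itself: `# smtp?`, `# gitlab-runner?`); either drop the comment or make it specific, e.g. `# todo: smtp, runner, sign-up restrictions`. On `services.sshguard.enable = true;`: sshguard is enabled here with no whitelist, and since GitLab's git-over-SSH is served by the same host sshd, a burst of failed key attempts from your own network could lock you out of both shell and git access; consider adding `services.sshguard.whitelist = [ "<tinc subnet>" ];` next to it. I cannot see from this hunk whether `tinc.nix` or `hetzner.nix` already cover that, so verify before merging.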
@@ -0,0 +1,140 @@ +{ config, lib, pkgs, ... }: +let + host = "gitlab.ingolf-wagner.de"; +in + +#let +# +# errorPages = pkgs.fetchgit { +# url = "https://git.ingolf-wagner.de/palo/http-errors.git"; +# rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0"; +# sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg"; +# }; +# +# error = { +# extraConfig = '' +# error_page 400 /errors/400.html; +# error_page 401 /errors/401.html; +# error_page 402 /errors/402.html; +# error_page 403 /errors/403.html; +# error_page 404 /errors/404.html; +# error_page 405 /errors/405.html; +# error_page 406 /errors/406.html; +# error_page 500 /errors/500.html; +# error_page 501 /errors/501.html; +# error_page 502 /errors/502.html; +# error_page 503 /errors/503.html; +# error_page 504 /errors/504.html; +# ''; +# locations."^~ /errors/" = { +# extraConfig = "internal;"; +# root = "${errorPages}/"; +# }; +# }; +# +#in +{ + + #services.nginx = { + # enable = true; + # statusPage = true; + # virtualHosts = { + # "git.${config.networking.hostName}.private" = { + # extraConfig = error.extraConfig; + # locations."/" = { + # proxyPass = "http://${config.networking.hostName}.private:${ + # toString config.services.gogs.httpPort + # }"; + # }; + # }; + # }; + #}; + + #services.gogs = { + # enable = true; + # appName = "Kruck GoGs"; + # domain = "git.ingolf-wagner.de"; + # httpPort = 3000; + # repositoryRoot = "/home/gogs/repositories"; + # stateDir = "/home/gogs"; + # rootUrl = "https://git.ingolf-wagner.de/"; + # extraConfig = '' + # [service] + # DISABLE_REGISTRATION = true + # SHOW_REGISTRATION_BUTTON = false + # [server] + # SSH_DOMAIN = "git.ingolf-wagner.de" + # SSH_PORT = 2222 + # START_SSH_SERVER = true + # SSH_LISTEN_PORT = 2222 + + # [log.file] + # LEVEL = Warn + + # [log.console] + # LEVEL = Warn + + # [log.sublogger.macaron] + # LEVEL = Warn + # ''; + #}; + #backup.dirs = [ config.services.gogs.repositoryRoot ]; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; 
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts.${host} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ };
+ };
+
+ sops.secrets.gitlab_database_password.owner = config.services.gitlab.user;
+ sops.secrets.gitlab_initial_root_password.owner = config.services.gitlab.user;
+ sops.secrets.gitlab_secrets_db.owner = config.services.gitlab.user;
+ sops.secrets.gitlab_secrets_jws.owner = config.services.gitlab.user;
+ sops.secrets.gitlab_secrets_otp.owner = config.services.gitlab.user;
+ sops.secrets.gitlab_secrets_secret.owner = config.services.gitlab.user;
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_12;
+ };
+
+ services.gitlab = {
+ enable = true;
+ host = host;
+ port = 443;
+ https = true;
+ smtp.enable = false;
+
+ databasePasswordFile = config.sops.secrets.gitlab_database_password.path;
+ initialRootPasswordFile = config.sops.secrets.gitlab_initial_root_password.path;
+
+ secrets = {
+ # Make sure the secret is at least 30 characters and all random,
+ # no regular words or you'll be exposed to dictionary attacks
+ dbFile = config.sops.secrets.gitlab_secrets_db.path;
+
+ # openssl genrsa 2048
+ jwsFile = config.sops.secrets.gitlab_secrets_jws.path;
+
+ # Make sure the secret is at least 30 characters and all random,
+ # no regular words or you'll be exposed to dictionary attacks
+ otpFile = config.sops.secrets.gitlab_secrets_otp.path;
+
+ # Make sure the secret is at least 30 characters and all random,
+ # no regular words or you'll be exposed to dictionary attacks
+ secretFile = config.sops.secrets.gitlab_secrets_secret.path;
+ };
+
+ # smtp?
+
+ # gitlab-runner?
+ };
+
+}
diff --git a/nixos/configs/robi/gogs.nix b/nixos/configs/robi/gogs.nix
deleted file mode 100644
index 258ceea..0000000
--- a/nixos/configs/robi/gogs.nix
+++ /dev/null
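Review bot: Nothing in the new `services.gitlab` block disables public sign-up, which GitLab allows by default, while the `services.gogs` config this commit deletes explicitly carried `DISABLE_REGISTRATION = true`; with `enableACME` and `forceSSL` on a public hostname that means anyone can create an account until it is switched off under Admin Area → Settings → Sign-up restrictions, so do that before exposing the host and record the manual step in a comment next to `services.gitlab = {` (e.g. `# sign-up must be disabled in the admin UI after first login; no module option for it here`). A second thing I cannot see in this hunk is `networking.firewall.allowedTCPPorts = [ 80 443 ];` — `enableACME` needs port 80 reachable for the HTTP-01 challenge, and if `hetzner.nix` does not open it the certificate order will fail silently from the user's point of view. Lastly, as far as I recall `initialRootPasswordFile` is only consulted when the database is first seeded, so rotating the sops secret later will not change root's password; a one-line comment saying so would avoid a false sense of rotation.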
@@ -1,122 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-
- errorPages = pkgs.fetchgit {
- url = "https://git.ingolf-wagner.de/palo/http-errors.git";
- rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
- sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
- };
-
- error = {
- extraConfig = ''
- error_page 400 /errors/400.html;
- error_page 401 /errors/401.html;
- error_page 402 /errors/402.html;
- error_page 403 /errors/403.html;
- error_page 404 /errors/404.html;
- error_page 405 /errors/405.html;
- error_page 406 /errors/406.html;
- error_page 500 /errors/500.html;
- error_page 501 /errors/501.html;
- error_page 502 /errors/502.html;
- error_page 503 /errors/503.html;
- error_page 504 /errors/504.html;
- '';
- locations."^~ /errors/" = {
- extraConfig = "internal;";
- root = "${errorPages}/";
- };
- };
-
-in
-{
-
- services.nginx = {
- enable = true;
- statusPage = true;
- virtualHosts = {
- "git.${config.networking.hostName}.private" = {
- extraConfig = error.extraConfig;
- locations."/" = {
- proxyPass = "http://${config.networking.hostName}.private:${
- toString config.services.gogs.httpPort
- }";
- };
- };
- };
- };
-
- services.gogs = {
- enable = true;
- appName = "Kruck GoGs";
- domain = "git.ingolf-wagner.de";
- httpPort = 3000;
- repositoryRoot = "/home/gogs/repositories";
- stateDir = "/home/gogs";
- rootUrl = "https://git.ingolf-wagner.de/";
- extraConfig = ''
- [service]
- DISABLE_REGISTRATION = true
- SHOW_REGISTRATION_BUTTON = false
- [server]
- SSH_DOMAIN = "git.ingolf-wagner.de"
- SSH_PORT = 2222
- START_SSH_SERVER = true
- SSH_LISTEN_PORT = 2222
-
- [log.file]
- LEVEL = Warn
-
- [log.console]
- LEVEL = Warn
-
- [log.sublogger.macaron]
- LEVEL = Warn
- '';
- };
- backup.dirs = [ config.services.gogs.repositoryRoot ];
-
- # services.nginx = {
- # enable = true;
- # statusPage = true;
- # virtualHosts = {
- # "gitlab.${config.networking.hostName}.private" = {
- # extraConfig = error.extraConfig;
- # locations."/" = {
- # proxyPass = "http://${config.networking.hostName}.private:${
- # toString config.services.gitlab.port
- # }";
- # };
- # };
- # };
- # };
- # services.gitlab = {
- # enable = true;
- # host = "gitlab.${config.networking.hostname}.private";
- # port = 9897;
- # #databasePasswordFile = "path/todo";
- # #initialRootPasswordFile = "path/todo";
- #
- # secrets = {
- # # Make sure the secret is at least 30 characters and all random,
- # # no regular words or you'll be exposed to dictionary attacks
- # dbFile = "path/todo";
- #
- # # openssl genrsa 2048
- # jwsFile = "path/todo";
- #
- # # Make sure the secret is at least 30 characters and all random,
- # # no regular words or you'll be exposed to dictionary attacks
- # otpFile = "path/todo";
- #
- # # Make sure the secret is at least 30 characters and all random,
- # # no regular words or you'll be exposed to dictionary attacks
- # secretFile = "path/todo";
- # };
- #
- # # smtp?
- #
- # # gitlab-runner?
- # };
-
-}
diff --git a/nixos/system/desktop/home-manager.nix b/nixos/system/desktop/home-manager.nix
index c0804b6..ba85f27 100644
--- a/nixos/system/desktop/home-manager.nix
+++ b/nixos/system/desktop/home-manager.nix
@@ -80,22 +80,30 @@ in
 home.git-pull = {
 enable = mkDefault true;
 repositories = [
- {
- source = "git@git.space-left.org:space-left/rc3-map.git";
- target = "~/dev/space-left/rc3-map";
- }
- {
- source = "git@github.com:krebs/rc3-map.git";
- target = "~/dev/krebs/rc3-map";
- }
+ # krebs
 {
 source = "git@github.com:krebs/stockholm.git";
 target = "~/dev/krebs/stockholm";
 }
+ {
+ source = "git@github.com:krebs/rc3-map.git";
+ target = "~/dev/krebs/rc3-map";
+ }
+ # spaceleft
+ {
+ source = "git@git.space-left.org:space-left/rc3-map.git";
+ target = "~/dev/space-left/rc3-map";
+ }
+ # nixos
 {
 source = "git@github.com:mrVanDalo/home-manager-utils.git";
 target = "~/dev/home-manager-utils";
 }
+ {
+ source = "gitlab@gitlab.ingolf-wagner.de:palo/nixos-config.git";
+ target = "~/dev/nixos";
+ }
+ # terranix
 {
 source = "git@github.com:terranix/terranix.git";
 target = "~/dev/terranix/terranix";