From 05c48fec76f429acf6e3653cb86e9bc74ba3def7 Mon Sep 17 00:00:00 2001 From: blaknull Date: Sun, 17 Nov 2024 14:33:20 -0600 Subject: [PATCH] add oidc for gitlab --- flake.lock | 18 +-- .../configuration/homebox/default.nix | 2 +- .../homebox/secrets/secrets.yaml | 7 +- .../services/containers/gitlab/default.nix | 121 +++++++++++++++--- 4 files changed, 117 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index fd68a2d..320bd56 100644 --- a/flake.lock +++ b/flake.lock @@ -1193,11 +1193,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-mrfMvef+tOYMK35horTWF43tQpES1zI7hb5RbzN3oIk=", - "path": "/nix/store/mvs0ic19pnn66mxdq0paphssqvxg0k1j-source/home-manager", + "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/home-manager", "type": "path" }, "original": { - "path": "/nix/store/mvs0ic19pnn66mxdq0paphssqvxg0k1j-source/home-manager", + "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/home-manager", "type": "path" } }, @@ -1807,11 +1807,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=", - "path": "/nix/store/wh5bq8lgwdnnqvydzp5zvdl20bvr28jh-source/programs", + "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/programs", "type": "path" }, "original": { - "path": "/nix/store/wh5bq8lgwdnnqvydzp5zvdl20bvr28jh-source/programs", + "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/programs", "type": "path" } }, @@ -1882,11 +1882,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=", - "path": "/nix/store/wh5bq8lgwdnnqvydzp5zvdl20bvr28jh-source/services/sddm", + "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/services/sddm", "type": "path" }, "original": { - "path": "/nix/store/wh5bq8lgwdnnqvydzp5zvdl20bvr28jh-source/services/sddm", + "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/services/sddm", "type": "path" } }, 
@@ -1976,12 +1976,12 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-AV5R8VDvEf+5THLpYas8gXfGdlCKv4M9W+5ejkXlGFg=", - "path": "/nix/store/mvs0ic19pnn66mxdq0paphssqvxg0k1j-source/system-config", + "narHash": "sha256-/2sJK37sV+nJSCuyr2iW2gyO/1Jg/K9aV0dzDG+eR6c=", + "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/system-config", "type": "path" }, "original": { - "path": "/nix/store/mvs0ic19pnn66mxdq0paphssqvxg0k1j-source/system-config", + "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/system-config", "type": "path" } }, diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix index d9c6749..13cd04c 100644 --- a/system-config/configuration/homebox/default.nix +++ b/system-config/configuration/homebox/default.nix @@ -258,7 +258,7 @@ nextcloud.enable = true; - gitlab.enable = false; + gitlab.enable = true; }; }; }; diff --git a/system-config/configuration/homebox/secrets/secrets.yaml b/system-config/configuration/homebox/secrets/secrets.yaml index 0d2f979..d9fe0f3 100644 --- a/system-config/configuration/homebox/secrets/secrets.yaml +++ b/system-config/configuration/homebox/secrets/secrets.yaml 
@@ -13,6 +13,9 @@ gitlab:
 otp: ENC[AES256_GCM,data:RWOkQVPRsrJgPVtx49hiWRMAxVOszKxaDl40XQDL+QoDuoZi03wSxHiu4Ix9X2BR,iv:uO+CTR5S4r1q7n1ycQw0hYdu8JflSrvkgLiBbCmT8mk=,tag:gqCwNOqD78lFtgxUPyUw3A==,type:str]
 db: ENC[AES256_GCM,data:rF4IIp1uFSGa67LVm8fy4/qFOmZLInRcG2IAfnuZG3+xtS9Z2RXpNcTZNFBDdOaD,iv:/KYwf3ZH6w48L49rY/FmaGQOt3jGdOUTZ9vFhmLZG60=,tag:f38iYIgpgdjWF34qD1fz2w==,type:str]
 jws: ENC[AES256_GCM,data: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,iv:cxdargXx2a7pET7BjCSZ/yXL7AnxNqncyDQ7CR3E3AA=,tag:2xKXfhBjynDqlvH377lpSA==,type:str]
+ oidc:
+ id: ENC[AES256_GCM,data:b6o2cCCSXJ5bIhA47InfhqwjO5Tjr0Mls+7VT5cunFfEHkdOInxplw==,iv:txren/8jnAUvCI/k9cxN29ZkSgCuPEAo0IpyREf2E9A=,tag:BFOZrM18zUJMEACpLz7KRw==,type:str]
+ secret: ENC[AES256_GCM,data:4HPPbVBOeDjdL81d402Rz6Luk1DZbk8InHfO+Sx/OJIvUf/shkCRyp3hStIDC03bA8HV66GeejvWFte+vQ2b5X3Fl2GXfHQi7brMFVEYfYdR2XRdra0aOeSrHtW5uUn0MpVCRwYDb1JahIWhLyqcYyOpV91xjNiIVg8S3MHr+mo=,iv:c3Q4qPMxZJuoO5XRzUDZh5XJOtff9eiMTlOx+MDMSaE=,tag:07fIkN9YXXJMEV59QEFIag==,type:str]
 nextcloud:
 pass: ENC[AES256_GCM,data:U/VI/uHDT1a5O4iAHUVwsz/h,iv:W0hAXBddFKhXmDWHpCB2JhjPPTEGer7721WtIRxg4Zo=,tag:OE4wzibNaaXsbfFuk0dwTA==,type:str]
 sops:
@@ -30,8 +33,8 @@ sops:
 S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M
 8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-17T16:33:08Z"
- mac: ENC[AES256_GCM,data:q+aHvOUysVDFKcXJZ0/v0BEGhmwo/1wvVwyF4oWh09AWPzf3FlwZhaHmyz8hE2nlSIAiU7RDCnJ6haweHKC532+ckoI0z10iFGSu9UWZr1k/5asqZfXR7IrZw83fhnWQkofrPYLuEcJV/RXlT8n4HK6pt+ztB2JtiVt7wtyWOg4=,iv:IAviaFZUKDCFuaklBZxY+nck9g5Vri+QGR/rLsIxA1M=,tag:KbKRqueb921ugdyRhFguWw==,type:str]
+ lastmodified: "2024-11-17T20:28:11Z"
+ mac: ENC[AES256_GCM,data:O2+ukRfxK1WEmdrJSP9ljURixeLiAMuzNZkLKyhHTrC7GteNC43FYehO7Wj33fVDJO5ZK/MKwcGdGT0tLylqqcrELaZdHyGlHqcQ97DuxwZ5WxOHlpOXq3HKkjG2NrHkn8Vt4+sF/Ui4R0oCjIunyKqVUHyVFXdH63sg5XjVORA=,iv:6cWKf8UWH+SAenrd7zj1cgur5xKXecqS81fbHDmWL94=,tag:0JZcfFjX74Rj45Q7lg3wGg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/system-config/services/containers/gitlab/default.nix b/system-config/services/containers/gitlab/default.nix
index 7a83a33..2e16e44 100644
--- a/system-config/services/containers/gitlab/default.nix
+++ b/system-config/services/containers/gitlab/default.nix
@@ -7,29 +7,29 @@
 config = lib.mkIf config.sysconfig.opts.virtualization.gitlab.enable {
- sops.secrets."gitlab/dbpass" = {
-
- path = "/ssd1/Gitlab/dbpass";
+ sops.secrets."gitlab/db_pass" = {
+ owner = "sshd";
 };
 sops.secrets."gitlab/root_pass" = {
-
- path = "/ssd1/Gitlab/rootpass";
+ owner = "sshd";
 };
 sops.secrets."gitlab/secrets/secret" = {
-
- path = "/ssd1/Gitlab/secret";
+ owner = "sshd";
 };
 sops.secrets."gitlab/secrets/otp" = {
-
- path = "/ssd1/Gitlab/otp";
+ owner = "sshd";
 };
 sops.secrets."gitlab/secrets/db" = {
-
- path = "/ssd1/Gitlab/db";
+ owner = "sshd";
 };
 sops.secrets."gitlab/secrets/jws" = {
-
- path = "/ssd1/Gitlab/jws";
+ owner = "sshd";
+ };
+ sops.secrets."gitlab/oidc/id" = {
+ owner = "sshd";
+ };
+ sops.secrets."gitlab/oidc/secret" = {
+ owner = "sshd";
 };
 containers.gitlab = {
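Review bot: Every entry in the sops.secrets block, including `gitlab/root_pass` and the new `gitlab/oidc/secret`, is now declared with `owner = "sshd";`, which gives the host's SSH daemon account read access to credentials it has no use for; the only consumer is the GitLab service inside the container. If the choice is about the uid the files carry once they are bind-mounted into the container, that reasoning should be recorded next to the declarations, e.g. `# owner picked so the file uid matches the in-container gitlab user — confirm the uid mapping`, and a dedicated host account with no other role would scope the access more tightly than `sshd`. Dropping the explicit `path` entries moves the decrypted files to sops-nix's default secret location, which the bindMounts in the following hunk pick up via `.path`; if the old `/ssd1/Gitlab/*` paths still hold decrypted copies from the previous layout, they should be removed. The enclosing `config = lib.mkIf` block ends outside this hunk.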
@@ -39,8 +39,40 @@
 hostAddress = "192.168.100.10";
 localAddress = "192.168.100.16";
 bindMounts = {
- "/etc/gitlab" = {
- hostPath = "/ssd1/Gitlab";
+ "/etc/gitlab/data" = {
+ hostPath = "/ssd1/Gitlab/data";
+ isReadOnly = false;
+ };
+ "/etc/gitlab/dbpass" = {
+ hostPath = config.sops.secrets."gitlab/db_pass".path;
+ isReadOnly = false;
+ };
+ "/etc/gitlab/rootpass" = {
+ hostPath = config.sops.secrets."gitlab/root_pass".path;
+ isReadOnly = false;
+ };
+ "/etc/gitlab/db" = {
+ hostPath = config.sops.secrets."gitlab/secrets/db".path;
+ isReadOnly = false;
+ };
+ "/etc/gitlab/secret" = {
+ hostPath = config.sops.secrets."gitlab/secrets/secret".path;
+ isReadOnly = false;
+ };
+ "/etc/gitlab/jws" = {
+ hostPath = config.sops.secrets."gitlab/secrets/jws".path;
+ isReadOnly = false;
+ };
+ "/etc/gitlab/otp" = {
+ hostPath = config.sops.secrets."gitlab/secrets/otp".path;
+ isReadOnly = false;
+ };
+ "/etc/gitlab/oidc-id" = {
+ hostPath = config.sops.secrets."gitlab/oidc/id".path;
+ isReadOnly = false;
+ };
+ "/etc/gitlab/oidc-secret" = {
+ hostPath = config.sops.secrets."gitlab/oidc/secret".path;
 isReadOnly = false;
 };
 };
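Review bot: The eight secret bind mounts, `/etc/gitlab/dbpass` through `/etc/gitlab/oidc-secret`, are all declared `isReadOnly = false;`, although each exposes a single credential file that the service only reads; declaring them `isReadOnly = true;` removes the container's ability to modify or truncate host-side secret material, and only `/etc/gitlab/data` needs to stay writable. Separately, the mount that was `/etc/gitlab` → `/ssd1/Gitlab` becomes `/etc/gitlab/data` → `/ssd1/Gitlab/data`; if anything under the old host directory was live state, it has to be moved into the new subdirectory or the service will come up against an empty one, which the commit does not mention. The `containers.gitlab` attribute set starts and ends outside this hunk.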
@@ -57,22 +89,73 @@
 services.gitlab = {
 enable = true;
- https = true;
- port = 443;
- host = "localhost";
+ #https = true;
+ #port = 443;
+ #host = "localhost";
 databasePasswordFile = "/etc/gitlab/dbpass";
 initialRootPasswordFile = "/etc/gitlab/rootpass";
+ extraEnv = {
+ OIDC_CLIENT_ID = builtins.readFile "/etc/gitlab/oidc-id";
+ OIDC_CLIENT_SECRET = builtins.readFile "/etc/gitlab/oidc-secret";
+ };
+
 secrets = {
 secretFile = "/etc/gitlab/secret";
 otpFile = "/etc/gitlab/otp";
 dbFile = "/etc/gitlab/db";
 jwsFile = "/etc/gitlab/jws";
 };
+
+ extraGitlabRb = ''
+gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
+gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
+gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
+gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
+gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
+gitlab_rails['omniauth_block_auto_created_users'] = false
+gitlab_rails['omniauth_auto_link_saml_user'] = true
+gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
+gitlab_rails['omniauth_providers'] = [
+ {
+ name: 'openid_connect',
+ label: 'My Company OIDC Login',
+ args: {
+ name: 'openid_connect',
+ scope: ['openid','profile','email'],
+ response_type: 'code',
+ issuer: 'https://auth.blunkall.us/application/o/gitlab/',
+ discovery: true,
+ client_auth_method: 'query',
+ uid_field: 'preferred_username',
+ send_scope_to_token_endpoint: 'true',
+ pkce: true,
+ client_options: {
+ identifier: '$${OIDC_CLIENT_ID}',
+ secret: '$${OIDC_CLIENT_SECRET}',
+ redirect_uri: 'https://gitlab.blunkall.us/users/auth/openid_connect/callback'
+ }
+ }
+ }
+]
+ '';
+ };
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ localhost = {
+ locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ };
+ };
 };
+ services.openssh.enable = true;
- networking.firewall.allowedTCPPorts = [ 22 80 ];
+
 systemd.services.gitlab-backup.environment.BACKUP = "dump";
+
+
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
 system.stateVersion = "24.05";
 };
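Review bot: `extraEnv` reads `/etc/gitlab/oidc-id` and `/etc/gitlab/oidc-secret` with `builtins.readFile`, which runs at evaluation time on the host (where those paths only exist inside the container's bind mounts) and renders whatever it reads into the service units under /nix/store, so the OIDC client secret would become world-readable; the values need to stay file references that are read at runtime. Independently, `'$${OIDC_CLIENT_ID}'` in a Nix `''` string yields the literal text `${OIDC_CLIENT_ID}`, and a Ruby single-quoted string does not interpolate it, so the provider would be configured with that literal rather than the id. The `gitlab_rails[...]` assignments are the Omnibus gitlab.rb DSL, whereas the NixOS module generates gitlab.yml from `services.gitlab.extraConfig`, so I would expect them to be ignored or to fail in this setup; the sketch below moves the omniauth settings into `extraConfig.omniauth` and uses the module's `{ _secret = path; }` form for the two credentials (hedged: I have not checked the module version in use, and the `sync_email_from_provider` and SAML-only keys are left out for the same reason), with `extraEnv` and `extraGitlabRb` dropped. With `host`, `port` and `https` commented out while `redirect_uri` is fixed to `https://gitlab.blunkall.us/...`, the host should be set explicitly so generated URLs and the callback agree, and `omniauth_block_auto_created_users = false` together with `omniauth_auto_link_user` links an IdP identity to any existing account by e-mail, which is only safe if the issuer verifies addresses — worth a comment. The enclosing `config = lib.mkIf` block ends outside this hunk.
```nix
services.gitlab = {
  # … unchanged: enable, databasePasswordFile, initialRootPasswordFile, secrets …
  extraConfig.omniauth = {
    enabled = true;
    allow_single_sign_on = [ "openid_connect" ];
    block_auto_created_users = false;
    auto_link_user = [ "openid_connect" ];
    auto_sign_in_with_provider = "openid_connect";
    sync_profile_from_provider = [ "openid_connect" ];
    sync_profile_attributes = [ "email" ];
    providers = [
      {
        name = "openid_connect";
        label = "My Company OIDC Login";
        args = {
          name = "openid_connect";
          scope = [ "openid" "profile" "email" ];
          response_type = "code";
          issuer = "https://auth.blunkall.us/application/o/gitlab/";
          discovery = true;
          client_auth_method = "query";
          uid_field = "preferred_username";
          send_scope_to_token_endpoint = true;
          pkce = true;
          client_options = {
            # file contents substituted at runtime, never copied into the store
            identifier = { _secret = "/etc/gitlab/oidc-id"; };
            secret = { _secret = "/etc/gitlab/oidc-secret"; };
            redirect_uri = "https://gitlab.blunkall.us/users/auth/openid_connect/callback";
          };
        };
      }
    ];
  };
};
```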