add oidc for gitlab
This commit is contained in:
@@ -258,7 +258,7 @@
|
||||
|
||||
nextcloud.enable = true;
|
||||
|
||||
gitlab.enable = false;
|
||||
gitlab.enable = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -13,6 +13,9 @@ gitlab:
|
||||
otp: ENC[AES256_GCM,data:RWOkQVPRsrJgPVtx49hiWRMAxVOszKxaDl40XQDL+QoDuoZi03wSxHiu4Ix9X2BR,iv:uO+CTR5S4r1q7n1ycQw0hYdu8JflSrvkgLiBbCmT8mk=,tag:gqCwNOqD78lFtgxUPyUw3A==,type:str]
|
||||
db: ENC[AES256_GCM,data:rF4IIp1uFSGa67LVm8fy4/qFOmZLInRcG2IAfnuZG3+xtS9Z2RXpNcTZNFBDdOaD,iv:/KYwf3ZH6w48L49rY/FmaGQOt3jGdOUTZ9vFhmLZG60=,tag:f38iYIgpgdjWF34qD1fz2w==,type:str]
|
||||
jws: ENC[AES256_GCM,data:C+GVDeO319QGjq2+fBMr1LaY6/6Tuz6jWomkvFVul6ydJjmMFO3A9dYI66WWY6g2iZgYEWDKUikW1qDK5sGgU5ZAZzaqS01LUsSsPHUcMqIg/AjtcRfaEvHYODYPPSEwdISzhceDaim8yqhrNTIOHUHvOxcILvtUmsI61hNfVSnOQbqifIJDgGP7bKaf96t8+qcBvp/UBwP1qHj/m4jD83yc8Pdih+ZuPmyNdo3Ew0nbLTykYVX3XsrO1RlJ/Gp+KPfRSJzVGAnqUKr8mI+32LUpXSJ96bEGA67/blSh1dbBxSVo3K83aZYuY6vvXb+Et6qd4piZYKGCxA+waSrTkYHvSgS5vJRbCGWauXKCYFASxxqmdJ3cu+rbphbshBVA3SIPHhZxun6BWaP0qTYZyfB/YsSU4J+kYiE3UEYX9GYEAY9bsO89IYZSsTsmYke2EI4KMcjyUFstZ2WTYqCpwJ6CMAuerDEMHP6N3xCO5MVDZfE4sKKHpfSCVQg8ak7IxV+3jZvZi2tUbvZZf/tYORzPeTUSEpcC4cGwwAJd3XKUetaiuDwQVkLa13xotfL0d+Lwc6eZil0e/sureLqvQM6kpWhK7yscu2hKGOzxx/OZClry2Uyc1fL5iWWxvM8Djg+ShoAS5m3Nt0R+mcLdgaylkZvMl9gNWFO1uzlnhGnJQtekVaXCJ9f9QZt5RizJYwM9pMKhSDTZ0vd4y69iZpz3YXhKtkvYX02RIFtTiqsbyU0pXVjK0SpKsb5T+yphacGeZRwQS9QadW9dE6xQsxwwYC//swm5l6ke+DyZrcsc/J+MBHFuN71D2st+jtfywZYg/YT9EcCFOMjqEgfDq7YICgyqfqRGAdVWQy660T5Mi+gYKcHqbYXaaB3VNL2RGIu/uybih/7ynGRM2+0ro9oKJ+fEbdi1alSFFJ0IvA5lU6XHd2CSyizEC9ak+HBLkYeSqOPfItfLH82jRiUtrY5u4fIlioLQTA1aKHax6q8cIf30FCGenhjM6jMj2WpXKI16+1xK9Om9mg94YmFjM+erQh3o/fbPuMbkNaNJQwabupshBK2h3caaE0cDUnDukUFUANHz9q5LVxSkw39GTjGpovxQJiZHbSdeIC/AzFXRVA1ojhzkeuefygdP27Aa+fLjEBn2x8AcdhyP1n8lQyjy0Wnxq9hJDbVXJF93FIdcCmF/JGejgHcr3YZUMY4OFG9gzISDEdgR99fYvKM+A9Pj2JNtCQ5iKCctg5opIEKA1z4RIpRQs0KmXq3JgjWhU1LeOWaX2YzS5rCJWyhxnTJXGk4a/cMvhbLRjFOKcDNNMp8yJrXk1pth7nFOJ4Put6o67jtjbgpgnPuEdelnXEEaReCfJEo2z8zka63kYqbIvcG4W2pKwsA4tT0QctVwltRdYU8YyKuOpQJtKvVdlZL0oxOwxPioTT8fOebRBaecKhQKF4fp9UGlE/GStud6oFSbN685U2TKihvYNmfLRSWQk1Y/APyCRlhOmhFLaIzJxogdlKzpg4AEg/2SRoEZPsqyZThI8uhCIT1qG0UBiZBTjey322fsEEZtNxO5nX/JeBDOVty3sIGs1OKBTjMXSZ+nzU9AIH6dek9Bz+Fix7a90IkQUB5xtgrIYgCH34L4a0o1jWy5bzT9fl53VnbzrICcT/wdRU/GznYYjxlF2uRBKIu7s0glDmsPXCZuorqvJlr2hySgN/hJKOlrCghraUD14pRk4OfRVKULkPQ7betgaCVbsihXplodrAgJ0BdIbf3tKRC8Ghx8+mYAWNXj+PtWBydEjEirCH70SJu53gjF5mNgl2EIaHNK7jqBgXhDr2/7uH97Tl+S9ue+TDlpr067T5JAqU3fOqq+ZS4wqEvqMYRfXd/V2FjNbBpoH8UW6pMuFaM06DBI+6p9O9xBl1eP3Sy3vrBwK2pCwLbi0LdJ2apQTl/51ZXp2xaaUAAh1Fu/bM21V7ENa5sGxpSTYwdSLyPnd8usqECw9W1XDNUI2EmJnp9AelD/joNwuL6U7pydrNUCguCjxHfbd+m0vc/te53GerJlSXbjEWz53f3RjSB90AaA6sOGhi1BFiHYSAjzMdqVSj4M68r+UF3YIuEuoaOzrVrkb5st3tYD0dz+ORhxo44aKEzgohseha5fg0wcTz9orqkeP/FyoOeItG2UwNVAWWGh/lBtXh8c4ILUMolZ1m2DWiYj/pyDvODVnP96u6TvyMC0H8aolgGHn7nDMTi+mCIvNFQYeXdVrRCpWS9aQik=,iv:cxdargXx2a7pET7BjCSZ/yXL7AnxNqncyDQ7CR3E3AA=,tag:2xKXfhBjynDqlvH377lpSA==,type:str]
|
||||
oidc:
|
||||
id: ENC[AES256_GCM,data:b6o2cCCSXJ5bIhA47InfhqwjO5Tjr0Mls+7VT5cunFfEHkdOInxplw==,iv:txren/8jnAUvCI/k9cxN29ZkSgCuPEAo0IpyREf2E9A=,tag:BFOZrM18zUJMEACpLz7KRw==,type:str]
|
||||
secret: ENC[AES256_GCM,data:4HPPbVBOeDjdL81d402Rz6Luk1DZbk8InHfO+Sx/OJIvUf/shkCRyp3hStIDC03bA8HV66GeejvWFte+vQ2b5X3Fl2GXfHQi7brMFVEYfYdR2XRdra0aOeSrHtW5uUn0MpVCRwYDb1JahIWhLyqcYyOpV91xjNiIVg8S3MHr+mo=,iv:c3Q4qPMxZJuoO5XRzUDZh5XJOtff9eiMTlOx+MDMSaE=,tag:07fIkN9YXXJMEV59QEFIag==,type:str]
|
||||
nextcloud:
|
||||
pass: ENC[AES256_GCM,data:U/VI/uHDT1a5O4iAHUVwsz/h,iv:W0hAXBddFKhXmDWHpCB2JhjPPTEGer7721WtIRxg4Zo=,tag:OE4wzibNaaXsbfFuk0dwTA==,type:str]
|
||||
sops:
|
||||
@@ -30,8 +33,8 @@ sops:
|
||||
S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M
|
||||
8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-17T16:33:08Z"
|
||||
mac: ENC[AES256_GCM,data:q+aHvOUysVDFKcXJZ0/v0BEGhmwo/1wvVwyF4oWh09AWPzf3FlwZhaHmyz8hE2nlSIAiU7RDCnJ6haweHKC532+ckoI0z10iFGSu9UWZr1k/5asqZfXR7IrZw83fhnWQkofrPYLuEcJV/RXlT8n4HK6pt+ztB2JtiVt7wtyWOg4=,iv:IAviaFZUKDCFuaklBZxY+nck9g5Vri+QGR/rLsIxA1M=,tag:KbKRqueb921ugdyRhFguWw==,type:str]
|
||||
lastmodified: "2024-11-17T20:28:11Z"
|
||||
mac: ENC[AES256_GCM,data:O2+ukRfxK1WEmdrJSP9ljURixeLiAMuzNZkLKyhHTrC7GteNC43FYehO7Wj33fVDJO5ZK/MKwcGdGT0tLylqqcrELaZdHyGlHqcQ97DuxwZ5WxOHlpOXq3HKkjG2NrHkn8Vt4+sF/Ui4R0oCjIunyKqVUHyVFXdH63sg5XjVORA=,iv:6cWKf8UWH+SAenrd7zj1cgur5xKXecqS81fbHDmWL94=,tag:0JZcfFjX74Rj45Q7lg3wGg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
||||
@@ -7,29 +7,29 @@
|
||||
|
||||
config = lib.mkIf config.sysconfig.opts.virtualization.gitlab.enable {
|
||||
|
||||
sops.secrets."gitlab/dbpass" = {
|
||||
|
||||
path = "/ssd1/Gitlab/dbpass";
|
||||
sops.secrets."gitlab/db_pass" = {
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/root_pass" = {
|
||||
|
||||
path = "/ssd1/Gitlab/rootpass";
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/secrets/secret" = {
|
||||
|
||||
path = "/ssd1/Gitlab/secret";
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/secrets/otp" = {
|
||||
|
||||
path = "/ssd1/Gitlab/otp";
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/secrets/db" = {
|
||||
|
||||
path = "/ssd1/Gitlab/db";
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/secrets/jws" = {
|
||||
|
||||
path = "/ssd1/Gitlab/jws";
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/oidc/id" = {
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/oidc/secret" = {
|
||||
owner = "sshd";
|
||||
};
|
||||
|
||||
containers.gitlab = {
|
||||
@@ -39,8 +39,40 @@
|
||||
hostAddress = "192.168.100.10";
|
||||
localAddress = "192.168.100.16";
|
||||
bindMounts = {
|
||||
"/etc/gitlab" = {
|
||||
hostPath = "/ssd1/Gitlab";
|
||||
"/etc/gitlab/data" = {
|
||||
hostPath = "/ssd1/Gitlab/data";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/dbpass" = {
|
||||
hostPath = config.sops.secrets."gitlab/db_pass".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/rootpass" = {
|
||||
hostPath = config.sops.secrets."gitlab/root_pass".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/db" = {
|
||||
hostPath = config.sops.secrets."gitlab/secrets/db".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/secret" = {
|
||||
hostPath = config.sops.secrets."gitlab/secrets/secret".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/jws" = {
|
||||
hostPath = config.sops.secrets."gitlab/secrets/jws".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/otp" = {
|
||||
hostPath = config.sops.secrets."gitlab/secrets/otp".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/oidc-id" = {
|
||||
hostPath = config.sops.secrets."gitlab/oidc/id".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/oidc-secret" = {
|
||||
hostPath = config.sops.secrets."gitlab/oidc/secret".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
@@ -57,22 +89,73 @@
|
||||
|
||||
services.gitlab = {
|
||||
enable = true;
|
||||
https = true;
|
||||
port = 443;
|
||||
host = "localhost";
|
||||
#https = true;
|
||||
#port = 443;
|
||||
#host = "localhost";
|
||||
databasePasswordFile = "/etc/gitlab/dbpass";
|
||||
initialRootPasswordFile = "/etc/gitlab/rootpass";
|
||||
|
||||
extraEnv = {
|
||||
OIDC_CLIENT_ID = builtins.readFile "/etc/gitlab/oidc-id";
|
||||
OIDC_CLIENT_SECRET = builtins.readFile "/etc/gitlab/oidc-secret";
|
||||
};
|
||||
|
||||
secrets = {
|
||||
secretFile = "/etc/gitlab/secret";
|
||||
otpFile = "/etc/gitlab/otp";
|
||||
dbFile = "/etc/gitlab/db";
|
||||
jwsFile = "/etc/gitlab/jws";
|
||||
};
|
||||
|
||||
extraGitlabRb = ''
|
||||
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
|
||||
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
|
||||
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
|
||||
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
|
||||
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
|
||||
gitlab_rails['omniauth_block_auto_created_users'] = false
|
||||
gitlab_rails['omniauth_auto_link_saml_user'] = true
|
||||
gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
|
||||
gitlab_rails['omniauth_providers'] = [
|
||||
{
|
||||
name: 'openid_connect',
|
||||
label: 'My Company OIDC Login',
|
||||
args: {
|
||||
name: 'openid_connect',
|
||||
scope: ['openid','profile','email'],
|
||||
response_type: 'code',
|
||||
issuer: 'https://auth.blunkall.us/application/o/gitlab/',
|
||||
discovery: true,
|
||||
client_auth_method: 'query',
|
||||
uid_field: 'preferred_username',
|
||||
send_scope_to_token_endpoint: 'true',
|
||||
pkce: true,
|
||||
client_options: {
|
||||
identifier: '$${OIDC_CLIENT_ID}',
|
||||
secret: '$${OIDC_CLIENT_SECRET}',
|
||||
redirect_uri: 'https://gitlab.blunkall.us/users/auth/openid_connect/callback'
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
'';
|
||||
};
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts = {
|
||||
localhost = {
|
||||
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 80 ];
|
||||
systemd.services.gitlab-backup.environment.BACKUP = "dump";
|
||||
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user