add oidc for gitlab

2024-11-17 14:33:20 -06:00
parent 18290aa55a
commit 05c48fec76
4 changed files with 117 additions and 31 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -1193,11 +1193,11 @@
      "locked": {
        "lastModified": 1,
        "narHash": "sha256-mrfMvef+tOYMK35horTWF43tQpES1zI7hb5RbzN3oIk=",
-        "path": "/nix/store/mvs0ic19pnn66mxdq0paphssqvxg0k1j-source/home-manager",
+        "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/home-manager",
        "type": "path"
      },
      "original": {
-        "path": "/nix/store/mvs0ic19pnn66mxdq0paphssqvxg0k1j-source/home-manager",
+        "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/home-manager",
        "type": "path"
      }
    },
@@ -1807,11 +1807,11 @@
      "locked": {
        "lastModified": 1,
        "narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=",
-        "path": "/nix/store/wh5bq8lgwdnnqvydzp5zvdl20bvr28jh-source/programs",
+        "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/programs",
        "type": "path"
      },
      "original": {
-        "path": "/nix/store/wh5bq8lgwdnnqvydzp5zvdl20bvr28jh-source/programs",
+        "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/programs",
        "type": "path"
      }
    },
@@ -1882,11 +1882,11 @@
      "locked": {
        "lastModified": 1,
        "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=",
-        "path": "/nix/store/wh5bq8lgwdnnqvydzp5zvdl20bvr28jh-source/services/sddm",
+        "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/services/sddm",
        "type": "path"
      },
      "original": {
-        "path": "/nix/store/wh5bq8lgwdnnqvydzp5zvdl20bvr28jh-source/services/sddm",
+        "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/services/sddm",
        "type": "path"
      }
    },
@@ -1976,12 +1976,12 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-AV5R8VDvEf+5THLpYas8gXfGdlCKv4M9W+5ejkXlGFg=",
+        "narHash": "sha256-/2sJK37sV+nJSCuyr2iW2gyO/1Jg/K9aV0dzDG+eR6c=",
-        "path": "/nix/store/mvs0ic19pnn66mxdq0paphssqvxg0k1j-source/system-config",
+        "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/system-config",
        "type": "path"
      },
      "original": {
-        "path": "/nix/store/mvs0ic19pnn66mxdq0paphssqvxg0k1j-source/system-config",
+        "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/system-config",
        "type": "path"
      }
    },
--- a/system-config/configuration/homebox/default.nix
+++ b/system-config/configuration/homebox/default.nix
@@ -258,7 +258,7 @@
            nextcloud.enable = true;
-            gitlab.enable = false;
+            gitlab.enable = true;
        };
    };
  };
--- a/system-config/configuration/homebox/secrets/secrets.yaml
+++ b/system-config/configuration/homebox/secrets/secrets.yaml
@@ -13,6 +13,9 @@ gitlab:
        otp: ENC[AES256_GCM,data:RWOkQVPRsrJgPVtx49hiWRMAxVOszKxaDl40XQDL+QoDuoZi03wSxHiu4Ix9X2BR,iv:uO+CTR5S4r1q7n1ycQw0hYdu8JflSrvkgLiBbCmT8mk=,tag:gqCwNOqD78lFtgxUPyUw3A==,type:str]
        db: ENC[AES256_GCM,data:rF4IIp1uFSGa67LVm8fy4/qFOmZLInRcG2IAfnuZG3+xtS9Z2RXpNcTZNFBDdOaD,iv:/KYwf3ZH6w48L49rY/FmaGQOt3jGdOUTZ9vFhmLZG60=,tag:f38iYIgpgdjWF34qD1fz2w==,type:str]
        jws: ENC[AES256_GCM,data:C+GVDeO319QGjq2+fBMr1LaY6/6Tuz6jWomkvFVul6ydJjmMFO3A9dYI66WWY6g2iZgYEWDKUikW1qDK5sGgU5ZAZzaqS01LUsSsPHUcMqIg/AjtcRfaEvHYODYPPSEwdISzhceDaim8yqhrNTIOHUHvOxcILvtUmsI61hNfVSnOQbqifIJDgGP7bKaf96t8+qcBvp/UBwP1qHj/m4jD83yc8Pdih+ZuPmyNdo3Ew0nbLTykYVX3XsrO1RlJ/Gp+KPfRSJzVGAnqUKr8mI+32LUpXSJ96bEGA67/blSh1dbBxSVo3K83aZYuY6vvXb+Et6qd4piZYKGCxA+waSrTkYHvSgS5vJRbCGWauXKCYFASxxqmdJ3cu+rbphbshBVA3SIPHhZxun6BWaP0qTYZyfB/YsSU4J+kYiE3UEYX9GYEAY9bsO89IYZSsTsmYke2EI4KMcjyUFstZ2WTYqCpwJ6CMAuerDEMHP6N3xCO5MVDZfE4sKKHpfSCVQg8ak7IxV+3jZvZi2tUbvZZf/tYORzPeTUSEpcC4cGwwAJd3XKUetaiuDwQVkLa13xotfL0d+Lwc6eZil0e/sureLqvQM6kpWhK7yscu2hKGOzxx/OZClry2Uyc1fL5iWWxvM8Djg+ShoAS5m3Nt0R+mcLdgaylkZvMl9gNWFO1uzlnhGnJQtekVaXCJ9f9QZt5RizJYwM9pMKhSDTZ0vd4y69iZpz3YXhKtkvYX02RIFtTiqsbyU0pXVjK0SpKsb5T+yphacGeZRwQS9QadW9dE6xQsxwwYC//swm5l6ke+DyZrcsc/J+MBHFuN71D2st+jtfywZYg/YT9EcCFOMjqEgfDq7YICgyqfqRGAdVWQy660T5Mi+gYKcHqbYXaaB3VNL2RGIu/uybih/7ynGRM2+0ro9oKJ+fEbdi1alSFFJ0IvA5lU6XHd2CSyizEC9ak+HBLkYeSqOPfItfLH82jRiUtrY5u4fIlioLQTA1aKHax6q8cIf30FCGenhjM6jMj2WpXKI16+1xK9Om9mg94YmFjM+erQh3o/fbPuMbkNaNJQwabupshBK2h3caaE0cDUnDukUFUANHz9q5LVxSkw39GTjGpovxQJiZHbSdeIC/AzFXRVA1ojhzkeuefygdP27Aa+fLjEBn2x8AcdhyP1n8lQyjy0Wnxq9hJDbVXJF93FIdcCmF/JGejgHcr3YZUMY4OFG9gzISDEdgR99fYvKM+A9Pj2JNtCQ5iKCctg5opIEKA1z4RIpRQs0KmXq3JgjWhU1LeOWaX2YzS5rCJWyhxnTJXGk4a/cMvhbLRjFOKcDNNMp8yJrXk1pth7nFOJ4Put6o67jtjbgpgnPuEdelnXEEaReCfJEo2z8zka63kYqbIvcG4W2pKwsA4tT0QctVwltRdYU8YyKuOpQJtKvVdlZL0oxOwxPioTT8fOebRBaecKhQKF4fp9UGlE/GStud6oFSbN685U2TKihvYNmfLRSWQk1Y/APyCRlhOmhFLaIzJxogdlKzpg4AEg/2SRoEZPsqyZThI8uhCIT1qG0UBiZBTjey322fsEEZtNxO5nX/JeBDOVty3sIGs1OKBTjMXSZ+nzU9AIH6dek9Bz+Fix7a90IkQUB5xtgrIYgCH34L4a0o1jWy5bzT9fl53VnbzrICcT/wdRU/GznYYjxlF2uRBKIu7s0glDmsPXCZuorqvJlr2hySgN/hJKOlrCghraUD14pRk4OfRVKULkPQ7betgaCVbsihXplodrAgJ0BdIbf3tKRC8Ghx8+mYAWNXj+PtWBydEjEirCH70SJu53gjF5mNgl2EIaHNK7jqBgXhDr2/7uH97Tl+S9ue+TDlpr067T5JAqU3fOqq+ZS4wqEvqMYRfXd/V2FjNbBpoH8UW6pMuFaM06DBI+6p9O9xBl1eP3Sy3vrBwK2pCwLbi0LdJ2apQTl/51ZXp2xaaUAAh1Fu/bM21V7ENa5sGxpSTYwdSLyPnd8usqECw9W1XDNUI2EmJnp9AelD/joNwuL6U7pydrNUCguCjxHfbd+m0vc/te53GerJlSXbjEWz53f3RjSB90AaA6sOGhi1BFiHYSAjzMdqVSj4M68r+UF3YIuEuoaOzrVrkb5st3tYD0dz+ORhxo44aKEzgohseha5fg0wcTz9orqkeP/FyoOeItG2UwNVAWWGh/lBtXh8c4ILUMolZ1m2DWiYj/pyDvODVnP96u6TvyMC0H8aolgGHn7nDMTi+mCIvNFQYeXdVrRCpWS9aQik=,iv:cxdargXx2a7pET7BjCSZ/yXL7AnxNqncyDQ7CR3E3AA=,tag:2xKXfhBjynDqlvH377lpSA==,type:str]
    oidc:
        id: ENC[AES256_GCM,data:b6o2cCCSXJ5bIhA47InfhqwjO5Tjr0Mls+7VT5cunFfEHkdOInxplw==,iv:txren/8jnAUvCI/k9cxN29ZkSgCuPEAo0IpyREf2E9A=,tag:BFOZrM18zUJMEACpLz7KRw==,type:str]
        secret: ENC[AES256_GCM,data:4HPPbVBOeDjdL81d402Rz6Luk1DZbk8InHfO+Sx/OJIvUf/shkCRyp3hStIDC03bA8HV66GeejvWFte+vQ2b5X3Fl2GXfHQi7brMFVEYfYdR2XRdra0aOeSrHtW5uUn0MpVCRwYDb1JahIWhLyqcYyOpV91xjNiIVg8S3MHr+mo=,iv:c3Q4qPMxZJuoO5XRzUDZh5XJOtff9eiMTlOx+MDMSaE=,tag:07fIkN9YXXJMEV59QEFIag==,type:str]
 nextcloud:
    pass: ENC[AES256_GCM,data:U/VI/uHDT1a5O4iAHUVwsz/h,iv:W0hAXBddFKhXmDWHpCB2JhjPPTEGer7721WtIRxg4Zo=,tag:OE4wzibNaaXsbfFuk0dwTA==,type:str]
 sops:
@@ -30,8 +33,8 @@ sops:
            S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M
            8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-17T16:33:08Z"
+    lastmodified: "2024-11-17T20:28:11Z"
-    mac: ENC[AES256_GCM,data:q+aHvOUysVDFKcXJZ0/v0BEGhmwo/1wvVwyF4oWh09AWPzf3FlwZhaHmyz8hE2nlSIAiU7RDCnJ6haweHKC532+ckoI0z10iFGSu9UWZr1k/5asqZfXR7IrZw83fhnWQkofrPYLuEcJV/RXlT8n4HK6pt+ztB2JtiVt7wtyWOg4=,iv:IAviaFZUKDCFuaklBZxY+nck9g5Vri+QGR/rLsIxA1M=,tag:KbKRqueb921ugdyRhFguWw==,type:str]
+    mac: ENC[AES256_GCM,data:O2+ukRfxK1WEmdrJSP9ljURixeLiAMuzNZkLKyhHTrC7GteNC43FYehO7Wj33fVDJO5ZK/MKwcGdGT0tLylqqcrELaZdHyGlHqcQ97DuxwZ5WxOHlpOXq3HKkjG2NrHkn8Vt4+sF/Ui4R0oCjIunyKqVUHyVFXdH63sg5XjVORA=,iv:6cWKf8UWH+SAenrd7zj1cgur5xKXecqS81fbHDmWL94=,tag:0JZcfFjX74Rj45Q7lg3wGg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/system-config/services/containers/gitlab/default.nix
+++ b/system-config/services/containers/gitlab/default.nix
@@ -7,29 +7,29 @@
    config = lib.mkIf config.sysconfig.opts.virtualization.gitlab.enable {
-        sops.secrets."gitlab/dbpass" = {
+        sops.secrets."gitlab/db_pass" = {
-        
+            owner = "sshd";
            path = "/ssd1/Gitlab/dbpass";
        };
        sops.secrets."gitlab/root_pass" = {
-
+            owner = "sshd";
            path = "/ssd1/Gitlab/rootpass";
        };
        sops.secrets."gitlab/secrets/secret" = {
-
+            owner = "sshd";
            path = "/ssd1/Gitlab/secret";
        };
        sops.secrets."gitlab/secrets/otp" = {
-
+            owner = "sshd";
            path = "/ssd1/Gitlab/otp";
        };
        sops.secrets."gitlab/secrets/db" = {
-
+            owner = "sshd";
            path = "/ssd1/Gitlab/db";
        };
        sops.secrets."gitlab/secrets/jws" = {
-
+            owner = "sshd";
-            path = "/ssd1/Gitlab/jws";
+        };
        sops.secrets."gitlab/oidc/id" = {
            owner = "sshd";
        };
        sops.secrets."gitlab/oidc/secret" = {
            owner = "sshd";
        };
        containers.gitlab = {
@@ -39,8 +39,40 @@
            hostAddress = "192.168.100.10";
            localAddress = "192.168.100.16";
            bindMounts = {
-                "/etc/gitlab" = {
+                "/etc/gitlab/data" = {
-                    hostPath = "/ssd1/Gitlab";
+                    hostPath = "/ssd1/Gitlab/data";
                    isReadOnly = false;
                };
                "/etc/gitlab/dbpass" = {
                    hostPath = config.sops.secrets."gitlab/db_pass".path;
                    isReadOnly = false;
                };
                "/etc/gitlab/rootpass" = {
                    hostPath = config.sops.secrets."gitlab/root_pass".path;
                    isReadOnly = false;
                };
                "/etc/gitlab/db" = {
                    hostPath = config.sops.secrets."gitlab/secrets/db".path;
                    isReadOnly = false;
                };
                "/etc/gitlab/secret" = {
                    hostPath = config.sops.secrets."gitlab/secrets/secret".path;
                    isReadOnly = false;
                };
                "/etc/gitlab/jws" = {
                    hostPath = config.sops.secrets."gitlab/secrets/jws".path;
                    isReadOnly = false;
                };
                "/etc/gitlab/otp" = {
                    hostPath = config.sops.secrets."gitlab/secrets/otp".path;
                    isReadOnly = false;
                };
                "/etc/gitlab/oidc-id" = {
                    hostPath = config.sops.secrets."gitlab/oidc/id".path;
                    isReadOnly = false;
                };
                "/etc/gitlab/oidc-secret" = {
                    hostPath = config.sops.secrets."gitlab/oidc/secret".path;
                    isReadOnly = false;
                };
            };
@@ -57,22 +89,73 @@
                services.gitlab = {
                    enable = true;
-                    https = true;
+                    #https = true;
-                    port = 443;
+                    #port = 443;
-                    host = "localhost";
+                    #host = "localhost";
                    databasePasswordFile = "/etc/gitlab/dbpass";
                    initialRootPasswordFile = "/etc/gitlab/rootpass";
                    extraEnv = {
                        OIDC_CLIENT_ID = builtins.readFile "/etc/gitlab/oidc-id";
                        OIDC_CLIENT_SECRET = builtins.readFile "/etc/gitlab/oidc-secret";
                    };
                    secrets = {
                        secretFile = "/etc/gitlab/secret";
                        otpFile = "/etc/gitlab/otp";
                        dbFile = "/etc/gitlab/db";
                        jwsFile = "/etc/gitlab/jws";
                    };
                    extraGitlabRb = ''
 gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
 gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
 gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
 gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
 gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
 gitlab_rails['omniauth_block_auto_created_users'] = false
 gitlab_rails['omniauth_auto_link_saml_user'] = true
 gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
 gitlab_rails['omniauth_providers'] = [
  {
    name: 'openid_connect',
    label: 'My Company OIDC Login',
    args: {
      name: 'openid_connect',
      scope: ['openid','profile','email'],
      response_type: 'code',
      issuer: 'https://auth.blunkall.us/application/o/gitlab/',
      discovery: true,
      client_auth_method: 'query',
      uid_field: 'preferred_username',
      send_scope_to_token_endpoint: 'true',
      pkce: true,
      client_options: {
        identifier: '$${OIDC_CLIENT_ID}',
        secret: '$${OIDC_CLIENT_SECRET}',
        redirect_uri: 'https://gitlab.blunkall.us/users/auth/openid_connect/callback'
      }
    }
  }
 ]
                    '';
                };
                services.nginx = {
                    enable = true;
                    recommendedProxySettings = true;
                    virtualHosts = {
                        localhost = {
                            locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
                        };
                    };
                };
                services.openssh.enable = true;
-                networking.firewall.allowedTCPPorts = [ 22 80 ];
+                systemd.services.gitlab-backup.environment.BACKUP = "dump";
                networking.firewall.allowedTCPPorts = [ 22 80 443 ];
                system.stateVersion = "24.05";
            };