trying gitlab again

2024-11-17 11:11:55 -06:00
parent 77662166bf
commit 18290aa55a
7 changed files with 336 additions and 491 deletions
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@@ -16,9 +16,9 @@
        inputs.nixpkgs.follows = "nixpkgs";
    };
-    arion.url = "github:hercules-ci/arion";
+    #arion.url = "github:hercules-ci/arion";
-    authentik-nix.url = "github:nix-community/authentik-nix";
+    #authentik-nix.url = "github:nix-community/authentik-nix";
    home-manager = {
      url = "github:nix-community/home-manager/release-24.05";
@@ -30,6 +30,8 @@
        inputs.nixpkgs.follows = "nixpkgs";
    };
    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
    system.url = "./system-config";
    nixvim.url = "/ssd1/Projects/Nixvim";
--- a/system-config/configuration/homebox/default.nix
+++ b/system-config/configuration/homebox/default.nix
@@ -88,9 +88,9 @@
    networking = {
        hostName = "homebox";
-        nameservers = [ "127.0.0.1" ];
+        nameservers = [ "1.1.1.1" "1.0.0.1" ];
        networkmanager.enable = true;
-        firewall.allowedTCPPorts = [ 22 80 443 9000 8080 ];
+        firewall.allowedTCPPorts = [ 22 80 443 9000 8080 8081 ];
        hosts = {
            "192.168.100.11" = [ "blunkall.us" "*.blunkall.us" "*.local.blunkall.us" ];
        };
@@ -194,10 +194,9 @@
            "pihole/pass" = {};
-            "gitlab/db_pass" = {};
+            "nextcloud/pass" = {
-            "gitlab/root_pass" = {};
+                owner = "nextcloud";
-
+            };
            "nextcloud/pass" = {};
        };
    };
--- a/system-config/configuration/homebox/secrets/secrets.yaml
+++ b/system-config/configuration/homebox/secrets/secrets.yaml
@@ -6,8 +6,13 @@ authentik:
 pihole:
    pass: ENC[AES256_GCM,data:hintZA==,iv:HA5K8mHYlLtf5s8iaLI/QRolYgcKwG8DWCH+LXnWI4k=,tag:DlnXxG0n9dBVpk2kILlPKg==,type:str]
 gitlab:
-    db_pass: ""
+    db_pass: ENC[AES256_GCM,data:N3KvXkXql/PDjxZSpGo/Apr/,iv:OOzhR4BEmV3T01PA50vqdJMg7D2OGKHn/8hiqKEaOd4=,tag:jzdonXH/D/5kZ5Cld2W//w==,type:str]
-    root_pass: ""
+    root_pass: ENC[AES256_GCM,data:bALaUkoJw3N0ugZP/4MCnEsD,iv:LJdJpXlyzA6o00UVlK+l5WCCFIL/sT/fQNjI8wA5LAg=,tag:BYk1o/rjubyEpeHbgYA1Sg==,type:str]
    secrets:
        secret: ENC[AES256_GCM,data:3/26giCD58RErtEDxQ90KxRl3aa8oH4co2Urw21r7hHCKaoSti1VpYoBtlvHdr5j,iv:SwliwLWSFfTZoc31JSm9YKBDGKiPQE7ujkiGaZmCQUc=,tag:2KT5BpJukixvhb6tnZb6lw==,type:str]
        otp: ENC[AES256_GCM,data:RWOkQVPRsrJgPVtx49hiWRMAxVOszKxaDl40XQDL+QoDuoZi03wSxHiu4Ix9X2BR,iv:uO+CTR5S4r1q7n1ycQw0hYdu8JflSrvkgLiBbCmT8mk=,tag:gqCwNOqD78lFtgxUPyUw3A==,type:str]
        db: ENC[AES256_GCM,data:rF4IIp1uFSGa67LVm8fy4/qFOmZLInRcG2IAfnuZG3+xtS9Z2RXpNcTZNFBDdOaD,iv:/KYwf3ZH6w48L49rY/FmaGQOt3jGdOUTZ9vFhmLZG60=,tag:f38iYIgpgdjWF34qD1fz2w==,type:str]
        jws: ENC[AES256_GCM,data:C+GVDeO319QGjq2+fBMr1LaY6/6Tuz6jWomkvFVul6ydJjmMFO3A9dYI66WWY6g2iZgYEWDKUikW1qDK5sGgU5ZAZzaqS01LUsSsPHUcMqIg/AjtcRfaEvHYODYPPSEwdISzhceDaim8yqhrNTIOHUHvOxcILvtUmsI61hNfVSnOQbqifIJDgGP7bKaf96t8+qcBvp/UBwP1qHj/m4jD83yc8Pdih+ZuPmyNdo3Ew0nbLTykYVX3XsrO1RlJ/Gp+KPfRSJzVGAnqUKr8mI+32LUpXSJ96bEGA67/blSh1dbBxSVo3K83aZYuY6vvXb+Et6qd4piZYKGCxA+waSrTkYHvSgS5vJRbCGWauXKCYFASxxqmdJ3cu+rbphbshBVA3SIPHhZxun6BWaP0qTYZyfB/YsSU4J+kYiE3UEYX9GYEAY9bsO89IYZSsTsmYke2EI4KMcjyUFstZ2WTYqCpwJ6CMAuerDEMHP6N3xCO5MVDZfE4sKKHpfSCVQg8ak7IxV+3jZvZi2tUbvZZf/tYORzPeTUSEpcC4cGwwAJd3XKUetaiuDwQVkLa13xotfL0d+Lwc6eZil0e/sureLqvQM6kpWhK7yscu2hKGOzxx/OZClry2Uyc1fL5iWWxvM8Djg+ShoAS5m3Nt0R+mcLdgaylkZvMl9gNWFO1uzlnhGnJQtekVaXCJ9f9QZt5RizJYwM9pMKhSDTZ0vd4y69iZpz3YXhKtkvYX02RIFtTiqsbyU0pXVjK0SpKsb5T+yphacGeZRwQS9QadW9dE6xQsxwwYC//swm5l6ke+DyZrcsc/J+MBHFuN71D2st+jtfywZYg/YT9EcCFOMjqEgfDq7YICgyqfqRGAdVWQy660T5Mi+gYKcHqbYXaaB3VNL2RGIu/uybih/7ynGRM2+0ro9oKJ+fEbdi1alSFFJ0IvA5lU6XHd2CSyizEC9ak+HBLkYeSqOPfItfLH82jRiUtrY5u4fIlioLQTA1aKHax6q8cIf30FCGenhjM6jMj2WpXKI16+1xK9Om9mg94YmFjM+erQh3o/fbPuMbkNaNJQwabupshBK2h3caaE0cDUnDukUFUANHz9q5LVxSkw39GTjGpovxQJiZHbSdeIC/AzFXRVA1ojhzkeuefygdP27Aa+fLjEBn2x8AcdhyP1n8lQyjy0Wnxq9hJDbVXJF93FIdcCmF/JGejgHcr3YZUMY4OFG9gzISDEdgR99fYvKM+A9Pj2JNtCQ5iKCctg5opIEKA1z4RIpRQs0KmXq3JgjWhU1LeOWaX2YzS5rCJWyhxnTJXGk4a/cMvhbLRjFOKcDNNMp8yJrXk1pth7nFOJ4Put6o67jtjbgpgnPuEdelnXEEaReCfJEo2z8zka63kYqbIvcG4W2pKwsA4tT0QctVwltRdYU8YyKuOpQJtKvVdlZL0oxOwxPioTT8fOebRBaecKhQKF4fp9UGlE/GStud6oFSbN685U2TKihvYNmfLRSWQk1Y/APyCRlhOmhFLaIzJxogdlKzpg4AEg/2SRoEZPsqyZThI8uhCIT1qG0UBiZBTjey322fsEEZtNxO5nX/JeBDOVty3sIGs1OKBTjMXSZ+nzU9AIH6dek9Bz+Fix7a90IkQUB5xtgrIYgCH34L4a0o1jWy5bzT9fl53VnbzrICcT/wdRU/GznYYjxlF2uRBKIu7s0glDmsPXCZuorqvJlr2hySgN/hJKOlrCghraUD14pRk4OfRVKULkPQ7betgaCVbsihXplodrAgJ0BdIbf3tKRC8Ghx8+mYAWNXj+PtWBydEjEirCH70SJu53gjF5mNgl2EIaHNK7jqBgXhDr2/7uH97Tl+S9ue+TDlpr067T5JAqU3fOqq+ZS4wqEvqMYRfXd/V2FjNbBpoH8UW6pMuFaM06DBI+6p9O9xBl1eP3Sy3vrBwK2pCwLbi0LdJ2apQTl/51ZXp2xaaUAAh1Fu/bM21V7ENa5sGxpSTYwdSLyPnd8usqECw9W1XDNUI2EmJnp9AelD/joNwuL6U7pydrNUCguCjxHfbd+m0vc/te53GerJlSXbjEWz53f3RjSB90AaA6sOGhi1BFiHYSAjzMdqVSj4M68r+UF3YIuEuoaOzrVrkb5st3tYD0dz+ORhxo44aKEzgohseha5fg0wcTz9orqkeP/FyoOeItG2UwNVAWWGh/lBtXh8c4ILUMolZ1m2DWiYj/pyDvODVnP96u6TvyMC0H8aolgGHn7nDMTi+mCIvNFQYeXdVrRCpWS9aQik=,iv:cxdargXx2a7pET7BjCSZ/yXL7AnxNqncyDQ7CR3E3AA=,tag:2xKXfhBjynDqlvH377lpSA==,type:str]
 nextcloud:
    pass: ENC[AES256_GCM,data:U/VI/uHDT1a5O4iAHUVwsz/h,iv:W0hAXBddFKhXmDWHpCB2JhjPPTEGer7721WtIRxg4Zo=,tag:OE4wzibNaaXsbfFuk0dwTA==,type:str]
 sops:
@@ -25,8 +30,8 @@ sops:
            S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M
            8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-12T14:28:49Z"
+    lastmodified: "2024-11-17T16:33:08Z"
-    mac: ENC[AES256_GCM,data:fXVSjqESPAREM5Iz3ZXS9stkYrXTeO4PR0lZuf8baR8OA9P07sQcPtq2parKL8RlALLcrdi3uqDJhv0Zw7mVwvnvzlgKsLssiz4U/N4zzIhwNXGvXccwKF4IEJD48/wRz31S87haIu0N8LHrV3LS++eZLnbWaqtVzuT39WxGUww=,iv:0QqLBKm3T+wCFgjFedViaCYBgBRKUkabqW6sv1OBSQE=,tag:ovUkgubwRfZnc94Ss4G2tA==,type:str]
+    mac: ENC[AES256_GCM,data:q+aHvOUysVDFKcXJZ0/v0BEGhmwo/1wvVwyF4oWh09AWPzf3FlwZhaHmyz8hE2nlSIAiU7RDCnJ6haweHKC532+ckoI0z10iFGSu9UWZr1k/5asqZfXR7IrZw83fhnWQkofrPYLuEcJV/RXlT8n4HK6pt+ztB2JtiVt7wtyWOg4=,iv:IAviaFZUKDCFuaklBZxY+nck9g5Vri+QGR/rLsIxA1M=,tag:KbKRqueb921ugdyRhFguWw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/system-config/services/containers/gitlab/default.nix
+++ b/system-config/services/containers/gitlab/default.nix
@@ -7,6 +7,31 @@
    config = lib.mkIf config.sysconfig.opts.virtualization.gitlab.enable {
        sops.secrets."gitlab/dbpass" = {
            path = "/ssd1/Gitlab/dbpass";
        };
        sops.secrets."gitlab/root_pass" = {
            path = "/ssd1/Gitlab/rootpass";
        };
        sops.secrets."gitlab/secrets/secret" = {
            path = "/ssd1/Gitlab/secret";
        };
        sops.secrets."gitlab/secrets/otp" = {
            path = "/ssd1/Gitlab/otp";
        };
        sops.secrets."gitlab/secrets/db" = {
            path = "/ssd1/Gitlab/db";
        };
        sops.secrets."gitlab/secrets/jws" = {
            path = "/ssd1/Gitlab/jws";
        };
        containers.gitlab = {
            autoStart = true;
@@ -14,23 +39,35 @@
            hostAddress = "192.168.100.10";
            localAddress = "192.168.100.16";
            bindMounts = {
-                "/etc/gitlab/data" = {
+                "/etc/gitlab" = {
-                    hostPath = "/ssd1/Gitlab/data";
+                    hostPath = "/ssd1/Gitlab";
                    isReadOnly = false;
                };
            };
            config = {
                systemd.tmpfiles.rules = [
                    "z /etc/gitlab/dbpass - gitlab gitlab"
                    "z /etc/gitlab/rootpass - gitlab gitlab"
                    "z /etc/gitlab/db - gitlab gitlab"
                    "z /etc/gitlab/secret - gitlab gitlab"
                    "z /etc/gitlab/jws - gitlab gitlab"
                    "z /etc/gitlab/otp - gitlab gitlab"
                ];
                services.gitlab = {
                    enable = true;
-                    #https = true;
+                    https = true;
-                    #port = 443;
+                    port = 443;
-                    #host = "localhost";
+                    host = "localhost";
-                    databasePasswordFile = pkgs.writeText "dbPassword" "hellothere!";
+                    databasePasswordFile = "/etc/gitlab/dbpass";
-                    initialRootPasswordFile = pkgs.writeText "rootPassword" "generalkenobi";
+                    initialRootPasswordFile = "/etc/gitlab/rootpass";
                    secrets = {
-
+                        secretFile = "/etc/gitlab/secret";
                        otpFile = "/etc/gitlab/otp";
                        dbFile = "/etc/gitlab/db";
                        jwsFile = "/etc/gitlab/jws";
                    };
                };
--- a/system-config/services/containers/nextcloud/default.nix
+++ b/system-config/services/containers/nextcloud/default.nix
@@ -1,21 +1,57 @@
-{ config, lib, pkgs, ... }: {
+{ config, lib, pkgs, inputs, ... }: {
    options.sysconfig.opts.virtualization.nextcloud.enable = lib.options.mkOption {
        type = lib.types.bool;
        default = false;
    };
    imports = [
        inputs.simple-nixos-mailserver.nixosModule
    ];
    config = lib.mkIf config.sysconfig.opts.virtualization.nextcloud.enable {
-        sops.templates."nextcloud_pass.txt" = {
+        /*mailserver = {
-            content = ''
+            enable = true;
-                ${config.sops.placeholder."nextcloud/pass"}
+            fqdn = "mail.blunkall.com";
-            '';
+            domains = [ "blunkall.us" ];
-            path = "/ssd1/Nextcloud/nextcloud_pass.txt";
+            loginAccounts = {
                "user1@blunkall.us" = {
                    hashedPasswordFile = "";
                };
            };
        };*/
        services.nginx.virtualHosts."localhost".listen = [ { addr = "0.0.0.0"; port = 8081; } ];
        services.nextcloud = {
            enable = true;
            package = pkgs.nextcloud30;
            hostName = "localhost";
            config = {
                adminpassFile = config.sops.secrets."nextcloud/pass".path;
                adminuser = "root";
                dbtype = "mysql";
            };
            https = true;
            datadir = "/ssd1/Nextcloud/data";
            home = "/ssd1/Nextcloud/nextcloud_home";
            appstoreEnable = true;
            extraApps = with config.services.nextcloud.package.packages.apps; {
                inherit mail contacts calendar tasks user_oidc;
            };
            extraAppsEnable = true;
            settings = {
                overwriteprotocol = "https";
                trusted_domains = [ "nextcloud.blunkall.us" ];
                trusted_proxies = [ "192.168.100.11" ];
                default_phone_region = "US";
            };
            database.createLocally = true;
        };
-        containers.nextcloud = {
+        /*containers.nextcloud = {
            autoStart = true;
            privateNetwork = true;
@@ -24,33 +60,26 @@
            bindMounts = {
-                "/var/lib/nextcloud" = {
+                "/etc/nextcloud" = {
                    hostPath = "/ssd1/Nextcloud";
                    isReadOnly = false;
                };
            };
-            config = {
+            config = { config, lib, pkgs, ... }: {
                networking.firewall.allowedTCPPorts = [ 80 ];
                networking.firewall.allowedTCPPorts = [ 80 443 ];
                services.nginx.virtualHosts."192.168.100.16".listen = [ { addr = "0.0.0.0"; port = 80; } ];
                environment.etc."nextcloud-admin-pass".text = "//falconAdjacent42";
                services.nextcloud = {
                    enable = true;
-                    package = pkgs.nextcloud30;
+                    package = pkgs.nextcloud28;
-                    hostName = "localhost";
+                    hostName = "192.168.100.16";
-                    config.adminpassFile = "/var/lib/nextcloud/nextcloud_pass.txt";
+                    config.adminpassFile = "/etc/nextcloud-admin-pass";
                    datadir = "/var/lib/nextcloud/data";
                    home = "/var/lib/nextcloud/nextcloud_home";
                    https = true;
                    maxUploadSize = "5G";
                    settings = {
                        overwriteprotocol = "https";
                    };
                };
-                system.stateVersion = "24.05";
+                system.stateVersion = "23.05";
            };
-        };
+        };*/
    };
 }
--- a/system-config/services/containers/traefik/default.nix
+++ b/system-config/services/containers/traefik/default.nix
@@ -128,32 +128,44 @@
                                    entryPoints = [ "localsecure" "websecure" ];
                                    rule = "Host(`blunkall.us`) || Host(`www.blunkall.us`)";
                                    service = "homepage";
                                    tls.certResolver = "cloudflare";
                                    middlewares = [
                                        "authentik"
                                    ];
                                };
                                nathan = {
                                    entryPoints = [ "localsecure" "websecure" ];
                                    rule = "Host(`nathan.blunkall.us`)";
                                    service = "homepage";
                                    tls.certResolver = "cloudflare";
                                };
                                jellyfin = {
                                    entryPoints = [ "localsecure" "websecure" ];
                                    rule = "Host(`jellyfin.blunkall.us`)";
                                    service = "jellyfin";
                                    tls.certResolver = "cloudflare";
                                };
                                auth = {
                                    entryPoints = [ "localsecure" "websecure" ];
                                    rule = "Host(`auth.blunkall.us`)";
                                    service = "authentik";
                                    tls.certResolver = "cloudflare";
                                };
-                                /*gitlab = {
+                                gitlab = {
                                    entryPoints = [ "localsecure" "websecure" ];
                                    rule = "Host(`gitlab.blunkall.us`)";
-                                    service = "gitlab";
+                                    service = "homepage";
-                                };*/
+                                    tls.certResolver = "cloudflare";
                                    #middlewares = [ "authentik" ];
                                };
                                nextcloud = {
                                    entryPoints = [ "localsecure" "websecure" ];
                                    rule = "Host(`nextcloud.blunkall.us`)";
                                    service = "nextcloud";
                                    tls.certResolver = "cloudflare";
                                    middlewares = [
                                        "nextcloud_redirectregex"
                                    ];
@@ -163,12 +175,14 @@
                                    entryPoints = [ "localsecure" ];
                                    rule = "Host(`traefik.local.blunkall.us`)";
                                    service = "api@internal";
                                    tls.certResolver = "cloudflare";
                                };
                                pihole = {
                                    entryPoints = [ "localsecure" ];
                                    rule = "Host(`pihole.local.blunkall.us`)";
                                    service = "pihole";
                                    tls.certResolver = "cloudflare";
                                };
                            };
@@ -193,8 +207,8 @@
                                nextcloud_redirectregex.redirectregex = {
                                    permanent = true;
-                                    regex = "https://(.*)/.well-known/(?:card|cal)dav";
+                                    regex = "https://nextcloud.blunkall.us/.well-known/(?:card|cal)dav";
-                                    replacement = "https://$${1}/remote.php/dav";
+                                    replacement = "https://nextcloud.blunkall.us/remote.php/dav";
                                };
                            };
@@ -209,7 +223,7 @@
                                pihole.loadBalancer.servers = [ { url = "http://192.168.100.10:8080"; } ];
-                                nextcloud.loadBalancer.servers = [ { url = "http://192.168.100.16:80"; } ];
+                                nextcloud.loadBalancer.servers = [ { url = "http://192.168.100.10:8081"; } ];
                            };
                        };
                    };