From 13d9acd26ed4c6edfe12548eb74347d97d70d666 Mon Sep 17 00:00:00 2001
From: GaspardCulis
Date: Thu, 24 Oct 2024 12:29:18 +0200
Subject: [PATCH] feat(services): Added `gitlab` services. Not enabled tho
---
 secrets/OVHCloud.yaml | 11 +++++++++--
 services/gitlab/default.nix | 27 +++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 services/gitlab/default.nix
diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml
index a0dec03..74541cb 100644
--- a/secrets/OVHCloud.yaml
+++ b/secrets/OVHCloud.yaml
@@ -15,6 +15,13 @@ caddy:
 ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str]
 garage:
 RPC_SECRET: ENC[AES256_GCM,data:OJbIST1mtpqMNk+MKnGFy6+tXjc6aEOMIWnfs8QY9ozpxN2apAN7ZrjAAZc3J7ORUIhUQh8Vjkb1EhxdqGxERA==,iv:NhREhGE0wz3/0sdXUxuDqWaPdjeeQFau2OEVsqpV3F0=,tag:yGYd5txtVQzIOchh2L/XXQ==,type:str]
+gitlab:
+ DATABASE_PASSWORD: ENC[AES256_GCM,data:XINUoSf8FdPdZamlU5OlVf5cwNzd+1cC,iv:pdExA2VOiaQPEVSqNqnTLpqC72Q/bMlZqVVKuUOjTlg=,tag:nTZiUxo4YIDluRSJJ0yj0w==,type:str]
+ INITIAL_ROOT_PASSWORD: ENC[AES256_GCM,data:Bst1bbspfLgcvRk=,iv:3H2b9gL8jCEmMUWhrlzy05LghfMa/+6wRDNGITjO3XM=,tag:PXsZ6+2kp9SuS6XRUjCeGw==,type:str]
+ SECRET_KEY: ENC[AES256_GCM,data:JBaEx7ktyvbAHoShcgWygrOZcdRoNcpZfiQ8oksxWj+py0dSkbKjzQ0SRRQ=,iv:C6W2SJoIPMg2WYMj1ZrcabcYxwqUgGZzQcKOrBp+rFs=,tag:EpykSmAEvgryxNEca9TM8A==,type:str]
+ OTP_KEY: ENC[AES256_GCM,data:BphY+ZO26N82iN1782ephpyqYwTt3UmCawX9/1kwvWEo5OebpUOOOQnR03I=,iv:EaHAW/sb1MGfN9ZFeB8t4xxVUtxb5jM7uL06/eGPxck=,tag:Qg+0oBsc0oB1T8NO2Znw5g==,type:str]
+ DB_KEY: ENC[AES256_GCM,data:9Yso0CEnpAU/sX2NW8roSz+w/lhfK220f35U8Z3t+GNOi+Zd7Ybb/7kill4=,iv:fsQ86NRJbLYfjFZ/ka6po1o35dagqmiqhfQmUQNzlPg=,tag:LV9Sh+TlYv+kRW0bLWajnw==,type:str]
+ JWS_KEY: ENC[AES256_GCM,data:7QGTClTixUmLFuPwkdvaVbPfZhVFpjtnW4/T6W0Lpu2j5Xt1jxijgRSHYRo=,iv:9v5TGU8+SlKzAQtfF/3VBQ4D9asyNcOOa4ElEG7OQdE=,tag:MPWKPJtFfIeo38uCVG1H7w==,type:str]
 penpot:
 SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str]
 OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str]
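Review bot: The `INITIAL_ROOT_PASSWORD` entry added under `gitlab:` has a `data:` field far shorter than the sibling keys, and since sops encrypts each value without padding, the ciphertext length should track the plaintext length, so this looks like a short root password whose length is visible to anyone who can read the repository. I would replace it with a long randomly generated value, as the other keys in this hunk appear to be, and re-encrypt. As far as I know GitLab only reads the initial root password when the database is first seeded, so the root password should also be changed after first login rather than leaving this value as the live credential.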
@@ -58,8 +65,8 @@ sops:
 MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
 y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-23T12:22:14Z"
- mac: ENC[AES256_GCM,data:+x/QFSLjXqgJ3FLTvXABF0dpLBMVKfTb3o2qmQvygzaPiXHP0rjGQbXKaxczMng8t8nGo8nEKbSvf/0Ih8ruOCnmpw5ByB4iLd5vtlhhYmQ7vXlpCDHAjtkwA/aTJpZbJLUvPnDLCDX1uopcVUfJZstuRgBBMqEa4TQ8uHZAQ5M=,iv:O5bozwctz2q0YERDllsGyUDHAPNtosqetaUqjC2pIac=,tag:NR671Rrpo3HuJl+o/9mPWw==,type:str]
+ lastmodified: "2024-10-24T10:04:55Z"
+ mac: ENC[AES256_GCM,data:fXCKFVev+ALjXdSPDw7QynQvh2ItusAUq/ZHCUv2dTLZcoW1/42hOyRexQPoQTAw+mACB1Sp9IPu5N5Gg3TSoxV6I67q7+S8FZVzfB1a8wMTIDF1vSOp5eHM3g6i8Wjip23V0LqUqjok4tuunDVnkOmp0uD0fLlaIiTpFgS3HJo=,iv:iq8CYdzR2F4knyTBHYIsS/hF+WCYcWXrpBAl2Ow60A0=,tag:hmNaTtIUqHRbU9aFzD6gww==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/services/gitlab/default.nix b/services/gitlab/default.nix
new file mode 100644
index 0000000..9502e90
--- /dev/null
+++ b/services/gitlab/default.nix
@@ -0,0 +1,27 @@
+{config, ...}: let
+ port = 8086;
+in {
+ sops.secrets."gitlab/DATABASE_PASSWORD".owner = "gitlab";
+ sops.secrets."gitlab/INITIAL_ROOT_PASSWORD".owner = "gitlab";
+ sops.secrets."gitlab/SECRET_KEY".owner = "gitlab";
+ sops.secrets."gitlab/OTP_KEY".owner = "gitlab";
+ sops.secrets."gitlab/DB_KEY".owner = "gitlab";
+ sops.secrets."gitlab/JWS_KEY".owner = "gitlab";
+
+ services.caddy.virtualHosts."git.gasdev.fr".extraConfig = ''
+ reverse_proxy http://127.0.0.1:${toString port}
+ '';
+
+ services.gitlab = {
+ enable = true;
+ port = port;
+ databasePasswordFile = config.sops.secrets."gitlab/DATABASE_PASSWORD".path;
+ initialRootPasswordFile = config.sops.secrets."gitlab/INITIAL_ROOT_PASSWORD".path;
+ secrets = {
+ secretFile = config.sops.secrets."gitlab/SECRET_KEY".path;
+ otpFile = config.sops.secrets."gitlab/OTP_KEY".path;
+ dbFile = config.sops.secrets."gitlab/DB_KEY".path;
+ jwsFile = config.sops.secrets."gitlab/JWS_KEY".path;
+ };
+ };
+}
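Review bot: `services.gitlab.port` is, to my knowledge, the external port GitLab writes into generated URLs rather than a listen port, so sharing `port = 8086` between the module and `reverse_proxy http://127.0.0.1:${toString port}` likely leaves Caddy pointing at a TCP port nothing listens on. The NixOS module normally serves through the workhorse unix socket, so the upstream would be `reverse_proxy unix//run/gitlab/gitlab-workhorse.socket` (verify the path against the module, and note the caddy user needs access to that socket). Behind a TLS-terminating proxy I would also set `host = "git.gasdev.fr"; https = true; port = 443;` so that links and session cookies are issued for HTTPS rather than plain HTTP. The commit subject says the service is not enabled, yet the file sets `enable = true;` and declares the public vhost unconditionally; a comment such as `# not imported by any host yet; importing this file exposes git.gasdev.fr` would make that explicit. The six `owner = "gitlab"` lines could use `config.services.gitlab.user` so the secret ownership cannot drift from the service user.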