nixos/gitlab: add activeRecord key files

- The behavior of the `networking.nat.externalIP` and `networking.nat.externalIPv6` options has been changed. `networking.nat.forwardPorts` now only forwards packets destined for the specified IP addresses.

- `services.gitlab` now requires the setting of `activeRecordPrimaryKeyFile`, `activeRecordDeterministicKeyFile`, `activeRecordSaltFile` as GitLab introduced Rails ActiveRecord encryption.

- `python3Packages.bpycv` has been removed due to being incompatible with Blender 4 and unmaintained.

- `python3Packages.jaeger-client` was removed because it was deprecated upstream. [OpenTelemetry](https://opentelemetry.io) is the recommended replacement.

        '';

      };

      secrets.activeRecordPrimaryKeyFile = mkOption {

        type = with types; nullOr path;

        default = null;

        description = ''

          A file containing the secret used to encrypt some rails data

          in the DB. This should not be the same as `services.gitlab.secrets.activeRecordDeterministicKeyFile`!

          Make sure the secret is at ideally 32 characters and all random,

          no regular words or you'll be exposed to dictionary attacks.

          This should be a string, not a nix path, since nix paths are

          copied into the world-readable nix store.

        '';

      };

      secrets.activeRecordDeterministicKeyFile = mkOption {

        type = with types; nullOr path;

        default = null;

        description = ''

          A file containing the secret used to encrypt some rails data in a deterministic way

          in the DB. This should not be the same as `services.gitlab.secrets.activeRecordPrimaryKeyFile`!

          Make sure the secret is at ideally 32 characters and all random,

          no regular words or you'll be exposed to dictionary attacks.

          This should be a string, not a nix path, since nix paths are

          copied into the world-readable nix store.

        '';

      };

      secrets.activeRecordSaltFile = mkOption {

        type = with types; nullOr path;

        default = null;

        description = ''

          A file containing the salt for active record encryption in the DB.

          Make sure the secret is at ideally 32 characters and all random,

          no regular words or you'll be exposed to dictionary attacks.

          This should be a string, not a nix path, since nix paths are

          copied into the world-readable nix store.

        '';

      };

      extraShellConfig = mkOption {

        type = types.attrs;

        default = { };

        assertion = cfg.secrets.jwsFile != null;

        message = "services.gitlab.secrets.jwsFile must be set!";

      }

      {

        assertion = cfg.secrets.activeRecordPrimaryKeyFile != null;

        message = "services.gitlab.secrets.activeRecordPrimaryKeyFile must be set!";

      }

      {

        assertion = cfg.secrets.activeRecordDeterministicKeyFile != null;

        message = "services.gitlab.secrets.activeRecordDeterministicKeyFile must be set!";

      }

      {

        assertion = cfg.secrets.activeRecordSaltFile != null;

        message = "services.gitlab.secrets.activeRecordSaltFile must be set!";

      }

      {

        assertion = versionAtLeast postgresqlPackage.version "14.9";

        message = "PostgreSQL >= 14.9 is required to run GitLab 17. Follow the instructions in the manual section for upgrading PostgreSQL here: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading";

            db="$(<'${cfg.secrets.dbFile}')"

            otp="$(<'${cfg.secrets.otpFile}')"

            jws="$(<'${cfg.secrets.jwsFile}')"

            export secret db otp jws

            arprimary="$(<'${cfg.secrets.activeRecordPrimaryKeyFile}')"

            ardeterministic="$(<'${cfg.secrets.activeRecordDeterministicKeyFile}')"

            arsalt="$(<'${cfg.secrets.activeRecordSaltFile}')"

            export secret db otp jws arprimary ardeterministic arsalt

            jq -n '{production: {secret_key_base: $ENV.secret,

                    otp_key_base: $ENV.otp,

                    db_key_base: $ENV.db,

                    openid_connect_signing_key: $ENV.jws}}' \

                    openid_connect_signing_key: $ENV.jws,

                    active_record_encryption_primary_key: $ENV.arprimary,

                    active_record_encryption_deterministic_key: $ENV.ardeterministic,

                    active_record_encryption_key_derivation_salt: $ENV.arsalt}}' \

               > '${cfg.statePath}/config/secrets.yml'

          )

            otpFile = pkgs.writeText "otpsecret" "Riew9mue";

            dbFile = pkgs.writeText "dbsecret" "we2quaeZ";

            jwsFile = pkgs.runCommand "oidcKeyBase" { } "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";

            activeRecordPrimaryKeyFile = pkgs.writeText "arprimary" "vsaYPZjTRxcbG7W6gNr95AwBmzFUd4Eu";

            activeRecordDeterministicKeyFile = pkgs.writeText "ardeterministic" "kQarv9wb2JVP7XzLTh5f6DFcMHms4nEC";

            activeRecordSaltFile = pkgs.writeText "arsalt" "QkgR9CfFU3MXEWGqa7LbP24AntK5ZeYw";

          };

          registry = {

      gitlab.start()

    ''

    + waitForServices

    + ''

      gitlab.succeed("cp /var/gitlab/state/config/secrets.yml /root/gitlab-secrets.yml")

    ''

    + test true

    + ''

      gitlab.systemctl("start gitlab-backup.service")

      gitlab.systemctl("start gitlab.target")

    ''

    + waitForServices

    + ''

      with subtest("Check that no secrets were auto-generated as these would be non-persistent"):

          gitlab.succeed("diff -u /root/gitlab-secrets.yml /var/gitlab/state/config/secrets.yml")

    ''

    + test false;

}