depot/hosts/VEGAS/services/gitlab/default.nix

111 lines
2.8 KiB
Nix
Raw Permalink Normal View History

2022-08-09 23:33:05 +03:00
{ cluster, config, lib, tools, ... }:
2022-01-31 00:15:08 +02:00
let
inherit (tools.meta) domain adminEmail;
2022-08-09 23:33:05 +03:00
patroni = cluster.config.links.patroni-pg-access;
2022-01-31 00:15:08 +02:00
mkSecret = name: {
owner = "gitlab";
group = "gitlab";
mode = "0400";
file = ../../../../secrets/${name}.age;
};
secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
cfg = config.services.gitlab;
in
{
age.secrets = lib.flip lib.genAttrs mkSecret [
2022-08-09 23:33:05 +03:00
"gitlab-db-credentials"
2022-01-31 00:15:08 +02:00
"gitlab-initial-root-password"
"gitlab-openid-secret"
2022-02-01 22:18:08 +02:00
"gitlab-runner-registration"
2022-01-31 00:15:08 +02:00
"gitlab-secret-db"
"gitlab-secret-jws"
"gitlab-secret-otp"
"gitlab-secret-secret"
];
services.gitlab = {
enable = true;
https = true;
host = "git.${domain}";
port = 443;
2022-08-09 23:33:05 +03:00
databaseCreateLocally = false;
databaseHost = patroni.ipv4;
extraDatabaseConfig = { inherit (patroni) port; };
databaseUsername = "gitlab";
databasePasswordFile = secrets.gitlab-db-credentials;
2022-01-31 00:15:08 +02:00
initialRootEmail = adminEmail;
statePath = "/srv/storage/private/gitlab/state";
smtp = {
enable = true;
inherit domain;
};
initialRootPasswordFile = secrets.gitlab-initial-root-password;
secrets = with secrets; {
dbFile = gitlab-secret-db;
jwsFile = gitlab-secret-jws;
otpFile = gitlab-secret-otp;
secretFile = gitlab-secret-secret;
};
extraConfig = {
omniauth = {
enabled = true;
auto_sign_in_with_provider = "openid_connect";
allow_single_sign_on = ["openid_connect"];
block_auto_created_users = false;
providers = [
{
name = "openid_connect";
label = "Private Void Account";
args = {
name = "openid_connect";
scope = ["openid" "profile"];
response_type = "code";
issuer = "https://login.${domain}/auth/realms/master";
discovery = true;
client_auth_method = "query";
uid_field = "preferred_username";
client_options = {
identifier = "net.privatevoid.git2";
secret = { _secret = secrets.gitlab-openid-secret; };
redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
};
};
}
];
};
};
};
systemd.services.gitlab-runner.after = [ "gitlab.target" ];
2022-02-01 22:18:08 +02:00
services.gitlab-runner = {
enable = true;
services = {
shell = {
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
registrationConfigFile = secrets.gitlab-runner-registration;
executor = "shell";
tagList = [ "shell" ];
};
};
};
2022-01-31 00:15:08 +02:00
services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
}