# NixOS module: self-hosted GitLab with an external Patroni/PostgreSQL
# backend, OpenID Connect login, a shell CI runner and an nginx front end.
#
# Every secret is an agenix-managed file readable only by the `gitlab`
# service user; the Nix store never holds secret material.
{ cluster, config, lib, depot, ... }:

let
  domain = depot.lib.meta.domain;
  adminEmail = depot.lib.meta.adminEmail;

  # Cluster-level link describing how to reach the Patroni PostgreSQL access
  # endpoint (only `ipv4` and `port` are consumed below).
  pgLink = cluster.config.links.patroni-pg-access;

  # Build an `age.secrets.<name>` entry: decrypted file owned by the gitlab
  # user/group, mode 0400, sourced from the repository's secrets directory.
  ageSecretFor = name: {
    owner = "gitlab";
    group = "gitlab";
    mode = "0400";
    file = ../../../../secrets/${name}.age;
  };

  # Map of secret name -> decrypted runtime path.
  secretPaths = builtins.mapAttrs (_: value: value.path) config.age.secrets;

  gitlabCfg = config.services.gitlab;
in

{
  age.secrets = lib.genAttrs [
    "gitlab-db-credentials"
    "gitlab-initial-root-password"
    "gitlab-openid-secret"
    "gitlab-runner-registration"
    "gitlab-secret-db"
    "gitlab-secret-jws"
    "gitlab-secret-otp"
    "gitlab-secret-secret"
  ] ageSecretFor;

  services.gitlab = {
    enable = true;
    https = true;
    host = "git.${domain}";
    port = 443;

    # Database lives on the Patroni cluster, not on this host.
    databaseCreateLocally = false;
    databaseHost = pgLink.ipv4;
    extraDatabaseConfig = { port = pgLink.port; };
    databaseUsername = "gitlab";
    databasePasswordFile = secretPaths.gitlab-db-credentials;

    initialRootEmail = adminEmail;

    statePath = "/srv/storage/private/gitlab/state";

    smtp = {
      enable = true;
      domain = domain;
    };

    initialRootPasswordFile = secretPaths.gitlab-initial-root-password;

    # GitLab's own signing/encryption secrets, each read from a file at runtime.
    secrets = {
      dbFile = secretPaths.gitlab-secret-db;
      jwsFile = secretPaths.gitlab-secret-jws;
      otpFile = secretPaths.gitlab-secret-otp;
      secretFile = secretPaths.gitlab-secret-secret;
    };

    extraConfig = {
      omniauth = {
        enabled = true;
        # Visiting the sign-in page redirects straight to the OIDC provider.
        auto_sign_in_with_provider = "openid_connect";
        # Only this provider may create GitLab accounts on first login.
        allow_single_sign_on = ["openid_connect"];
        # Auto-created accounts are usable immediately; the IdP realm is
        # trusted to gate who may sign in.
        block_auto_created_users = false;
        providers = [
          {
            name = "openid_connect";
            label = "Private Void Account";
            args = {
              name = "openid_connect";
              scope = ["openid" "profile"];
              response_type = "code";
              issuer = "https://login.${domain}/auth/realms/master";
              # Endpoints are taken from the issuer's discovery document.
              discovery = true;
              # NOTE(review): "query" passes the client secret as a query
              # parameter of the token request, where it is more likely to
              # land in proxy/IdP logs than with "basic"; confirm the IdP's
              # client authentication setting before changing this.
              client_auth_method = "query";
              # NOTE(review): accounts are keyed on the username claim rather
              # than the stable `sub`; this is only safe if the IdP guarantees
              # preferred_username is unique and never reassigned.
              uid_field = "preferred_username";
              client_options = {
                identifier = "net.privatevoid.git2";
                # `_secret` is substituted with the file's contents when the
                # GitLab config is rendered, keeping it out of the Nix store.
                secret = { _secret = secretPaths.gitlab-openid-secret; };
                # Must match the redirect URI registered for this client at the IdP.
                redirect_uri = "https://${gitlabCfg.host}/users/auth/openid_connect/callback";
              };
            };
          }
        ];
      };
    };
  };

  # The runner registers against the local instance, so start it only once
  # GitLab itself is up.
  systemd.services.gitlab-runner.after = [ "gitlab.target" ];
  services.gitlab-runner = {
    enable = true;
    services = {
      shell = {
        # File should contain at least these two variables:
        # `CI_SERVER_URL`
        # `REGISTRATION_TOKEN`
        registrationConfigFile = secretPaths.gitlab-runner-registration;
        executor = "shell";
        tagList = [ "shell" ];
      };
    };
  };

  # Public HTTPS entry point: nginx reverse-proxies to Workhorse over its unix socket.
  services.nginx.virtualHosts.${gitlabCfg.host} = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
}