# NixOS module: GitLab behind nginx, with all credentials delivered through
# agenix secrets and sign-in delegated to the Keycloak realm at login.${domain}.
{ cluster, config, lib, depot, ... }:
let
  inherit (depot.lib.meta) domain adminEmail;

  # Database access goes through the cluster's Patroni link, not a local DB.
  pgLink = cluster.config.links.patroni-pg-access;

  # Every GitLab secret is owned by the gitlab user and readable by it alone
  # (mode 0400) — the decrypted files are the only place these values exist
  # on disk.
  secretNames = [
    "gitlab-db-credentials"
    "gitlab-initial-root-password"
    "gitlab-openid-secret"
    "gitlab-secret-db"
    "gitlab-secret-jws"
    "gitlab-secret-otp"
    "gitlab-secret-secret"
  ];
  gitlabSecret = name: {
    owner = "gitlab";
    group = "gitlab";
    mode = "0400";
    file = ../../../../secrets/${name}.age;
  };

  # name -> decrypted path, for every agenix secret declared on this host.
  secretPaths = lib.mapAttrs (_: secret: secret.path) config.age.secrets;

  cfg = config.services.gitlab;

  # Single OIDC provider (Keycloak "master" realm). Users are matched on the
  # IdP's preferred_username rather than the OIDC `sub` claim.
  # NOTE(review): preferred_username is a mutable, reassignable attribute in
  # most IdPs, so account linkage follows the name, not the identity — confirm
  # the realm forbids username changes/reuse, or consider switching to `sub`
  # (that change would re-link existing accounts, so it is not made here).
  oidcProvider = {
    name = "openid_connect";
    label = "Private Void Account";
    args = {
      name = "openid_connect";
      scope = [ "openid" "profile" ];
      response_type = "code";
      issuer = "https://login.${domain}/auth/realms/master";
      discovery = true;
      # NOTE(review): "query" sends client_id/client_secret as token-request
      # query parameters instead of an Authorization header, so the secret can
      # end up in proxy/IdP access logs — confirm the IdP really requires this.
      client_auth_method = "query";
      uid_field = "preferred_username";
      client_options = {
        identifier = "net.privatevoid.git2";
        # _secret makes GitLab read the value from the file at activation time
        # instead of embedding it in the world-readable config.
        secret = { _secret = secretPaths.gitlab-openid-secret; };
        redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
      };
    };
  };
in
{
  age.secrets = lib.genAttrs secretNames gitlabSecret;

  services.gitlab = {
    enable = true;

    # Public endpoint; TLS is terminated by the nginx vhost below.
    https = true;
    host = "git.${domain}";
    port = 443;

    # Remote PostgreSQL via Patroni. The password is read from the secret file.
    # NOTE(review): no sslmode is set here — whether this connection is
    # encrypted depends entirely on the patroni-pg-access link; confirm.
    databaseCreateLocally = false;
    databaseHost = pgLink.ipv4;
    extraDatabaseConfig = { inherit (pgLink) port; };
    databaseUsername = "gitlab";
    databasePasswordFile = secretPaths.gitlab-db-credentials;

    statePath = "/srv/storage/private/gitlab/state";

    # Initial root account; the password never appears in the Nix store.
    initialRootEmail = adminEmail;
    initialRootPasswordFile = secretPaths.gitlab-initial-root-password;

    smtp = {
      enable = true;
      inherit domain;
    };

    # Rails secret material (db/jws/otp/secret_key_base), all from agenix.
    secrets = {
      dbFile = secretPaths.gitlab-secret-db;
      jwsFile = secretPaths.gitlab-secret-jws;
      otpFile = secretPaths.gitlab-secret-otp;
      secretFile = secretPaths.gitlab-secret-secret;
    };

    extraConfig = {
      omniauth = {
        enabled = true;
        auto_sign_in_with_provider = "openid_connect";
        allow_single_sign_on = [ "openid_connect" ];
        # Accounts auto-created on first OIDC login are active immediately;
        # the IdP realm is therefore the only admission control for this
        # GitLab instance. NOTE(review): confirm that is intended.
        block_auto_created_users = false;
        providers = [ oidcProvider ];
      };
    };
  };

  # Reverse proxy the public host onto the Workhorse unix socket.
  services.nginx.virtualHosts.${cfg.host} =
    depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
}