{ cluster, config, lib, depot, ... }:
let
inherit (depot.lib.meta) domain adminEmail;
patroni = cluster.config.links.patroni-pg-access;
mkSecret = name: {
owner = "gitlab";
group = "gitlab";
mode = "0400";
file = ../../../secrets/${name}.age;
};
secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;
cfg = config.services.gitlab;
in
{
age.secrets = lib.flip lib.genAttrs mkSecret [
"gitlab-db-credentials"
"gitlab-initial-root-password"
"gitlab-openid-secret"
"gitlab-secret-db"
"gitlab-secret-jws"
"gitlab-secret-otp"
"gitlab-secret-secret"
];
services.gitlab = {
enable = true;
https = true;
host = "git.${domain}";
port = 443;
databaseCreateLocally = false;
databaseHost = patroni.ipv4;
extraDatabaseConfig = { inherit (patroni) port; };
databaseUsername = "gitlab";
databasePasswordFile = secrets.gitlab-db-credentials;
initialRootEmail = adminEmail;
statePath = "/srv/storage/private/gitlab/state";
smtp = {
enable = true;
inherit domain;
};
initialRootPasswordFile = secrets.gitlab-initial-root-password;
secrets = with secrets; {
dbFile = gitlab-secret-db;
jwsFile = gitlab-secret-jws;
otpFile = gitlab-secret-otp;
secretFile = gitlab-secret-secret;
};
extraConfig = {
omniauth = {
enabled = true;
auto_sign_in_with_provider = "openid_connect";
allow_single_sign_on = ["openid_connect"];
block_auto_created_users = false;
providers = [
{
name = "openid_connect";
label = "Private Void Account";
args = {
name = "openid_connect";
scope = ["openid" "profile"];
response_type = "code";
issuer = "https://login.${domain}/auth/realms/master";
discovery = true;
client_auth_method = "query";
uid_field = "preferred_username";
client_options = {
identifier = "net.privatevoid.git2";
secret = { _secret = secrets.gitlab-openid-secret; };
redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
};
};
}
];
};
};
};
services.nginx.virtualHosts."${cfg.host}" = depot.lib.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
}