depot/hosts/VEGAS/services/gitlab/default.nix

{ config, lib, tools, ... }:

let
  inherit (tools.meta) domain adminEmail;

  mkSecret = name: {
    owner = "gitlab";
    group = "gitlab";
    mode = "0400";
    file = ../../../../secrets/${name}.age;
  };

  secrets = lib.mapAttrs (_: v: v.path) config.age.secrets;

  cfg = config.services.gitlab;
in

{
  age.secrets = lib.flip lib.genAttrs mkSecret [
    "gitlab-initial-root-password"
    "gitlab-openid-secret"
    "gitlab-runner-registration"
    "gitlab-secret-db"
    "gitlab-secret-jws"
    "gitlab-secret-otp"
    "gitlab-secret-secret"
  ];

  services.gitlab = {
    enable = true;
    https = true;
    host = "git.${domain}";
    port = 443;

    initialRootEmail = adminEmail;

    statePath = "/srv/storage/private/gitlab/state";

    smtp = {
      enable = true;
      inherit domain;
    };

    initialRootPasswordFile = secrets.gitlab-initial-root-password;

    secrets = with secrets; {
      dbFile = gitlab-secret-db;
      jwsFile = gitlab-secret-jws;
      otpFile = gitlab-secret-otp;
      secretFile = gitlab-secret-secret;
    };

    extraConfig = {
      omniauth = {
        enabled = true;
        auto_sign_in_with_provider = "openid_connect";
        allow_single_sign_on = ["openid_connect"];
        block_auto_created_users = false;
        providers = [

          {
            name = "openid_connect";
            label = "Private Void Account";
            args = {
              name = "openid_connect";
              scope = ["openid" "profile"];
              response_type = "code";
              issuer = "https://login.${domain}/auth/realms/master";
              discovery = true;
              client_auth_method = "query";
              uid_field = "preferred_username";
              client_options = {
                identifier = "net.privatevoid.git2";
                secret = { _secret = secrets.gitlab-openid-secret; };
                redirect_uri = "https://${cfg.host}/users/auth/openid_connect/callback";
              };
            };
          }
          
        ];
      };
    };
  };

  systemd.services.gitlab-runner.after = [ "gitlab.target" ];
  services.gitlab-runner = {
    enable = true;
    services = {
      shell = {
        # File should contain at least these two variables:
        # `CI_SERVER_URL`
        # `REGISTRATION_TOKEN`
        registrationConfigFile = secrets.gitlab-runner-registration;
        executor = "shell";
        tagList = [ "shell" ];
      };
    };
  };

  services.nginx.virtualHosts."${cfg.host}" = tools.nginx.vhosts.proxy "http://unix:/run/gitlab/gitlab-workhorse.socket";
}