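# NixOS module for the Skynet GitLab instance.
#
# Declares the `services.skynet_gitlab` options and, when enabled, wires up:
# agenix secrets, ACME domains, DNS records (A/MX/PTR/SPF/DMARC), sshd on 2222,
# nginx vhosts for the main site and GitLab Pages, postfix identity, the backup
# job and the upstream `services.gitlab` module with LDAP login.
{
  config,
  pkgs,
  lib,
  ...
}:
with lib; let
  cfg = config.services.skynet_gitlab;

  # directory GitLab writes its backup archives to; also handed to skynet_backup below
  backup_path = "/etc/skynet/backups/gitlab";

  domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
  domain_full = "${cfg.domain.sub}.${domain_base}";
in {
  imports = [
    ./acme.nix
    ./dns.nix
    ./firewall.nix
    ./nginx.nix
  ];

  options.services.skynet_gitlab = {
    enable = mkEnableOption "Skynet Gitlab";

    host = {
      ip = mkOption {
        type = types.str;
      };

      name = mkOption {
        type = types.str;
      };
    };

    domain = {
      tld = mkOption {
        type = types.str;
        default = "ie";
      };

      base = mkOption {
        type = types.str;
        default = "skynet";
      };

      sub = mkOption {
        type = types.str;
        default = "gitlab";
      };
    };

    user = mkOption {
      type = types.str;
      # changes the ssh user
      # (also used below as owner of every secret, as the service user/group
      # and as the database username)
      default = "git";
    };

    ldap = {
      base = mkOption {
        type = types.str;
        default = "dc=skynet,dc=ie";
        description = lib.mdDoc "The base address in the ldap server";
      };
    };
  };

  config = mkIf cfg.enable {
    # Manual operator notes only; nothing below runs these commands.
    # delete all data
    # rm -rf /run/gitlab && rm -rf /var/gitlab && rm -rf /var/lib/postgresql && rm -rf /run/gitlab && rm -rf /var/lib/redis-gitlab
    # find all data
    # grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab /

    # Every secret is owned by the GitLab service user (services.gitlab.user is
    # set to the same cfg.user below), so the decrypted files are readable by
    # the service that consumes them.
    age.secrets.gitlab_pw = {
      file = ../secrets/gitlab/pw.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_db = {
      file = ../secrets/gitlab/secrets_db.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_secret = {
      file = ../secrets/gitlab/secrets_secret.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_otp = {
      file = ../secrets/gitlab/secrets_otp.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_secrets_jws = {
      file = ../secrets/gitlab/secrets_jws.age;
      owner = cfg.user;
      group = cfg.user;
    };
    age.secrets.gitlab_db_pw = {
      file = ../secrets/gitlab/db_pw.age;
      owner = cfg.user;
      group = cfg.user;
    };

    skynet_acme.domains = [
      domain_full
      # Let's Encrypt seems to have a 4 levels limit for certs
      "*.pages.${domain_base}"
    ];

    # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide

    skynet_dns.records = [
      {
        record = cfg.domain.sub;
        r_type = "A";
        value = cfg.host.ip;
      }

      # for gitlab pages
      {
        record = "*.pages.${domain_base}.";
        r_type = "A";
        value = cfg.host.ip;
      }

      # for email
      {
        record = cfg.domain.sub;
        r_type = "MX";
        value = ''10 ${domain_full}.'';
      }
      {
        record = cfg.host.ip;
        r_type = "PTR";
        value = "${domain_full}.";
      }
      {
        record = "${domain_full}.";
        r_type = "TXT";
        # NOTE(review): the SPF host is hard-coded; if the domain options are
        # overridden this record still authorises gitlab.skynet.ie only.
        value = ''"v=spf1 a:gitlab.skynet.ie -all"'';
      }
      {
        record = "_dmarc.${domain_full}.";
        r_type = "TXT";
        # p=none is monitor-only: receivers are asked to take no action on mail
        # that fails DMARC. NOTE(review): consider quarantine/reject once the
        # SPF setup above is confirmed to align.
        value = ''"v=DMARC1; p=none"'';
      }
    ];

    networking.firewall.allowedTCPPorts = [
      # for git (advertised to users via gitlab_shell.ssh_port below)
      2222
    ];

    # The same sshd answers on both ports, so 2222 is not restricted to git
    # traffic and the git user is reachable on 22 as well.
    # NOTE(review): nothing in this file opens 22 in the firewall - presumably
    # handled elsewhere; confirm.
    services.openssh.ports = [22 2222];

    services.nginx.virtualHosts = {
      # requests addressed to the bare IP are redirected to the main site
      "${cfg.host.ip}" = {
        forceSSL = true;
        useACMEHost = "skynet";
        locations."/".return = "307 https://skynet.ie";
      };

      # main site
      "${domain_full}" = {
        forceSSL = true;
        useACMEHost = "skynet";
        locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
      };

      # pages
      # TLS terminates here; the hop to the pages daemon is plain HTTP on
      # loopback (see pages.settings.listen-http below).
      "*.pages.${domain_base}" = {
        forceSSL = true;
        useACMEHost = "skynet";
        locations."/".proxyPass = "http://127.0.0.1:8091";
      };
    };

    # set a valid HELO address
    services.postfix = {
      hostname = lib.mkForce domain_full;
      origin = lib.mkForce domain_full;
      domain = lib.mkForce domain_base;
    };

    services.skynet_backup.normal.backups = [
      backup_path
    ];

    services.gitlab = {
      enable = true;

      databasePasswordFile = config.age.secrets.gitlab_db_pw.path;
      initialRootPasswordFile = config.age.secrets.gitlab_pw.path;
      https = true;
      host = domain_full;
      port = 443;
      user = cfg.user;
      group = cfg.user;
      databaseUsername = cfg.user;

      pages = {
        # TODO: https://docs.gitlab.com/ee/administration/pages/index.html#add-the-domain-to-the-public-suffix-list
        # Pages serves user-controlled content under the same registrable
        # domain as the GitLab instance itself; until the pages domain is on
        # the public suffix list, browsers do not isolate cookies between
        # individual pages sites.
        enable = true;
        settings = {
          # these are just examples, not to use
          #artifacts-server = "http(s)://<services.gitlab.host>/api/v4"
          #gitlab-server = "http(s)://<services.gitlab.host>"

          pages-domain = "pages.${domain_base}";
          # bound to loopback, so the daemon is only reached through nginx
          listen-http = [
            "127.0.0.1:8091"
          ];

          # NOTE(review): the auth-* settings below are commented out, so Pages
          # access control is presumably not configured - confirm that no
          # project expects its pages to be private.
          /*
          auth-client-id = "generated-id-xxxxxxx";
          auth-client-secret = { _secret = "/var/keys/auth-client-secret"; };
          auth-redirect-uri = "https://projects.example.com/auth";
          auth-secret = { _secret = "/var/keys/auth-secret"; };
          auth-server = "https://gitlab.example.com";
          */
        };
      };

      # see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/gitlab.nix#L295
      # NOTE(review): GitLab's backup archive does not contain the files
      # configured under `secrets` below; a restore needs the same
      # age-encrypted secrets, so keep those recoverable independently.
      backup = {
        startAt = "Sat *-*-* 04:00:00"; # Sat 4am weekly
        path = backup_path;
        keepTime = 24; # (Hours) Backups are uploaded to separate server
        skip = ["builds" "artifacts" "registry"]; # see https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html#excluding-specific-data-from-the-backup
      };

      # use the local email client
      smtp.enable = true;

      secrets = {
        dbFile = config.age.secrets.gitlab_secrets_db.path;
        secretFile = config.age.secrets.gitlab_secrets_secret.path;
        otpFile = config.age.secrets.gitlab_secrets_otp.path;
        jwsFile = config.age.secrets.gitlab_secrets_jws.path;
      };

      extraConfig = {
        gitlab_shell = {
          ssh_port = 2222;
        };

        ldap = {
          enabled = true;
          servers = {
            main = {
              label = "Skynet";
              host = "account.skynet.ie";
              # LDAPS: TLS from connect, port 636
              port = 636;
              uid = "uid";
              encryption = "simple_tls";
              active_directory = false;
              base = "ou=users,${cfg.ldap.base}";
              # Restricts login to members of skynet-users. The filter
              # previously ended in a stray second ")", which is not a valid
              # RFC 4515 filter; parentheses are balanced here.
              user_filter = "(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base})";
              # NOTE(review): no bind_dn/password is set, so directory lookups
              # are presumably anonymous - confirm the server intends that.

              attributes = {
                username = "uid";
                email = "skMail";
                name = "cn";
              };

              # NOTE(review): group_base, admin_group and sync_ssh_keys are
              # documented as paid-tier LDAP sync settings; confirm they take
              # effect on the edition deployed here. Where they do, membership
              # of skynet-admins grants GitLab admin rights.
              group_base = "ou=groups,${cfg.ldap.base}";
              admin_group = "skynet-admins";
              sync_ssh_keys = "sshPublicKey";
            };
          };
        };

        pages = {
          # default for pages is set to 8090 but that leaves an "ugly" port in the url,
          # override it here to make it look good
          port = 80;
          #external_http = ["${cfg.host.ip}:80"];
        };
      };
    };
  };
}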