2023-09-17 19:51:08 +00:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
pkgs,
|
|
|
|
|
lib,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
with lib; let
|
2024-05-30 13:59:20 +00:00
|
|
|
name = "gitlab";
|
|
|
|
|
cfg = config.services.skynet."${name}";
|
2023-10-13 08:54:47 +00:00
|
|
|
|
|
|
|
|
domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
|
|
|
|
|
domain_full = "${cfg.domain.sub}.${domain_base}";
|
2023-09-17 19:51:08 +00:00
|
|
|
in {
|
2023-05-16 15:40:49 +00:00
|
|
|
imports = [
|
|
|
|
|
];
|
|
|
|
|
|
2024-05-30 13:59:20 +00:00
|
|
|
options.services.skynet."${name}" = {
|
2023-05-24 15:56:59 +00:00
|
|
|
enable = mkEnableOption "Skynet Gitlab";
|
|
|
|
|
|
|
|
|
|
domain = {
|
|
|
|
|
tld = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "ie";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
base = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "skynet";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
sub = mkOption {
|
|
|
|
|
type = types.str;
|
2024-05-30 13:59:20 +00:00
|
|
|
default = name;
|
2023-05-24 15:56:59 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
user = mkOption {
|
|
|
|
|
type = types.str;
|
2023-08-11 06:58:19 +00:00
|
|
|
# changes teh ssh user
|
|
|
|
|
default = "git";
|
2023-05-24 15:56:59 +00:00
|
|
|
};
|
2023-05-24 19:57:49 +00:00
|
|
|
|
|
|
|
|
ldap = {
|
|
|
|
|
base = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "dc=skynet,dc=ie";
|
|
|
|
|
description = lib.mdDoc "The base address in the ldap server";
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-05-16 15:40:49 +00:00
|
|
|
};
|
|
|
|
|
|
2023-05-24 15:56:59 +00:00
|
|
|
config = mkIf cfg.enable {
|
2023-05-26 21:21:47 +00:00
|
|
|
# delete all data
|
|
|
|
|
# rm -rf /run/gitlab && rm -rf /var/gitlab && rm -rf /var/lib/postgresql && rm -rf /run/gitlab && rm -rf /var/lib/redis-gitlab
|
|
|
|
|
# find all data
|
|
|
|
|
# grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab /
|
|
|
|
|
|
2023-05-24 15:56:59 +00:00
|
|
|
age.secrets.gitlab_pw = {
|
|
|
|
|
file = ../secrets/gitlab/pw.age;
|
|
|
|
|
owner = cfg.user;
|
|
|
|
|
group = cfg.user;
|
|
|
|
|
};
|
2023-05-24 19:57:49 +00:00
|
|
|
age.secrets.gitlab_secrets_db = {
|
|
|
|
|
file = ../secrets/gitlab/secrets_db.age;
|
|
|
|
|
owner = cfg.user;
|
|
|
|
|
group = cfg.user;
|
|
|
|
|
};
|
|
|
|
|
age.secrets.gitlab_secrets_secret = {
|
|
|
|
|
file = ../secrets/gitlab/secrets_secret.age;
|
|
|
|
|
owner = cfg.user;
|
|
|
|
|
group = cfg.user;
|
|
|
|
|
};
|
|
|
|
|
age.secrets.gitlab_secrets_otp = {
|
|
|
|
|
file = ../secrets/gitlab/secrets_otp.age;
|
|
|
|
|
owner = cfg.user;
|
|
|
|
|
group = cfg.user;
|
|
|
|
|
};
|
|
|
|
|
age.secrets.gitlab_secrets_jws = {
|
|
|
|
|
file = ../secrets/gitlab/secrets_jws.age;
|
2023-05-24 15:56:59 +00:00
|
|
|
owner = cfg.user;
|
|
|
|
|
group = cfg.user;
|
|
|
|
|
};
|
|
|
|
|
age.secrets.gitlab_db_pw = {
|
|
|
|
|
file = ../secrets/gitlab/db_pw.age;
|
|
|
|
|
owner = cfg.user;
|
|
|
|
|
group = cfg.user;
|
|
|
|
|
};
|
|
|
|
|
|
2024-05-30 12:34:59 +00:00
|
|
|
services.skynet.acme.domains = [
|
2023-08-06 20:08:50 +00:00
|
|
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
|
|
|
|
# Lets Encrypt seems to have a 4 levels limit for certs
|
2023-09-17 19:51:08 +00:00
|
|
|
"*.pages.${cfg.domain.base}.${cfg.domain.tld}"
|
2023-08-06 19:09:15 +00:00
|
|
|
];
|
|
|
|
|
|
2023-05-24 15:56:59 +00:00
|
|
|
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
|
2024-05-30 12:25:52 +00:00
|
|
|
services.skynet.dns.records = [
|
2023-09-17 19:51:08 +00:00
|
|
|
{
|
|
|
|
|
record = cfg.domain.sub;
|
2023-10-13 10:21:26 +00:00
|
|
|
r_type = "A";
|
2024-05-30 16:55:29 +00:00
|
|
|
value = config.services.skynet.host.ip;
|
2023-09-17 19:51:08 +00:00
|
|
|
}
|
2023-06-17 21:51:13 +00:00
|
|
|
# for gitlab pages
|
2023-09-17 19:51:08 +00:00
|
|
|
{
|
|
|
|
|
record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}.";
|
|
|
|
|
r_type = "A";
|
2024-05-30 16:55:29 +00:00
|
|
|
value = config.services.skynet.host.ip;
|
2023-09-17 19:51:08 +00:00
|
|
|
}
|
2023-10-13 10:21:26 +00:00
|
|
|
|
|
|
|
|
# for email
|
|
|
|
|
{
|
|
|
|
|
record = "${cfg.domain.sub}";
|
|
|
|
|
r_type = "MX";
|
|
|
|
|
value = ''10 ${domain_full}.'';
|
|
|
|
|
}
|
2023-10-13 08:45:07 +00:00
|
|
|
{
|
2024-05-30 16:55:29 +00:00
|
|
|
record = config.services.skynet.host.ip;
|
2023-10-13 08:45:07 +00:00
|
|
|
r_type = "PTR";
|
|
|
|
|
value = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}.";
|
|
|
|
|
}
|
2023-10-13 10:21:26 +00:00
|
|
|
{
|
|
|
|
|
record = "${domain_full}.";
|
|
|
|
|
r_type = "TXT";
|
|
|
|
|
value = ''"v=spf1 a:gitlab.skynet.ie -all"'';
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
record = "_dmarc.${domain_full}.";
|
|
|
|
|
r_type = "TXT";
|
|
|
|
|
value = ''"v=DMARC1; p=none"'';
|
|
|
|
|
}
|
2023-06-17 21:51:13 +00:00
|
|
|
];
|
|
|
|
|
|
2023-05-24 15:56:59 +00:00
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
|
|
|
# for git
|
2023-06-15 20:36:10 +00:00
|
|
|
2222
|
2023-05-24 15:56:59 +00:00
|
|
|
];
|
|
|
|
|
|
2023-09-17 19:51:08 +00:00
|
|
|
services.openssh.ports = [22 2222];
|
2023-06-15 20:36:10 +00:00
|
|
|
|
2023-06-17 21:51:13 +00:00
|
|
|
services.nginx.virtualHosts = {
|
|
|
|
|
# main site
|
|
|
|
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
useACMEHost = "skynet";
|
2024-05-27 10:31:37 +00:00
|
|
|
locations."/" = {
|
|
|
|
|
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
client_max_body_size 1000M;
|
|
|
|
|
'';
|
|
|
|
|
};
|
2023-06-17 21:51:13 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# pages
|
|
|
|
|
"*.pages.${cfg.domain.base}.${cfg.domain.tld}" = {
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
useACMEHost = "skynet";
|
|
|
|
|
locations."/".proxyPass = "http://127.0.0.1:8091";
|
|
|
|
|
};
|
2023-05-16 15:40:49 +00:00
|
|
|
};
|
|
|
|
|
|
2023-10-13 08:45:07 +00:00
|
|
|
# set a valid HELO address
|
2023-10-13 08:54:47 +00:00
|
|
|
services.postfix = {
|
|
|
|
|
hostname = lib.mkForce domain_full;
|
|
|
|
|
origin = lib.mkForce domain_full;
|
|
|
|
|
domain = lib.mkForce domain_base;
|
|
|
|
|
};
|
2023-10-13 08:45:07 +00:00
|
|
|
|
2023-05-24 15:56:59 +00:00
|
|
|
services.gitlab = {
|
|
|
|
|
enable = true;
|
2023-05-24 20:37:16 +00:00
|
|
|
|
2023-05-24 15:56:59 +00:00
|
|
|
databasePasswordFile = config.age.secrets.gitlab_db_pw.path;
|
|
|
|
|
initialRootPasswordFile = config.age.secrets.gitlab_pw.path;
|
|
|
|
|
https = true;
|
|
|
|
|
host = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
|
|
|
|
port = 443;
|
|
|
|
|
user = cfg.user;
|
|
|
|
|
group = cfg.user;
|
2023-05-24 19:57:49 +00:00
|
|
|
databaseUsername = cfg.user;
|
2023-06-17 21:51:13 +00:00
|
|
|
|
|
|
|
|
pages = {
|
|
|
|
|
# TODO: https://docs.gitlab.com/ee/administration/pages/index.html#add-the-domain-to-the-public-suffix-list
|
|
|
|
|
enable = true;
|
|
|
|
|
settings = {
|
|
|
|
|
# these are just examples, not to use
|
|
|
|
|
#artifacts-server = "http(s)://<services.gitlab.host>/api/v4"
|
|
|
|
|
#gitlab-server = "http(s)://<services.gitlab.host>"
|
|
|
|
|
pages-domain = "pages.${cfg.domain.base}.${cfg.domain.tld}";
|
|
|
|
|
|
|
|
|
|
listen-http = [
|
|
|
|
|
"127.0.0.1:8091"
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
auth-client-id = "generated-id-xxxxxxx";
|
|
|
|
|
auth-client-secret = { _secret = "/var/keys/auth-client-secret"; };
|
|
|
|
|
auth-redirect-uri = "https://projects.example.com/auth";
|
|
|
|
|
auth-secret = { _secret = "/var/keys/auth-secret"; };
|
|
|
|
|
auth-server = "https://gitlab.example.com";
|
|
|
|
|
*/
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-10-01 20:24:02 +00:00
|
|
|
|
|
|
|
|
# use the local email client
|
|
|
|
|
smtp.enable = true;
|
|
|
|
|
|
2023-05-24 15:56:59 +00:00
|
|
|
secrets = {
|
2023-05-24 19:57:49 +00:00
|
|
|
dbFile = config.age.secrets.gitlab_secrets_db.path;
|
|
|
|
|
secretFile = config.age.secrets.gitlab_secrets_secret.path;
|
|
|
|
|
otpFile = config.age.secrets.gitlab_secrets_otp.path;
|
|
|
|
|
jwsFile = config.age.secrets.gitlab_secrets_jws.path;
|
2023-05-24 15:56:59 +00:00
|
|
|
};
|
|
|
|
|
extraConfig = {
|
2023-06-15 20:36:10 +00:00
|
|
|
gitlab_shell = {
|
|
|
|
|
ssh_port = 2222;
|
2023-05-24 15:56:59 +00:00
|
|
|
};
|
2023-05-24 19:57:49 +00:00
|
|
|
|
|
|
|
|
ldap = {
|
|
|
|
|
enabled = true;
|
|
|
|
|
servers = {
|
|
|
|
|
main = {
|
|
|
|
|
label = "Skynet";
|
2023-08-06 18:00:02 +00:00
|
|
|
host = "account.skynet.ie";
|
2023-05-24 19:57:49 +00:00
|
|
|
port = 636;
|
|
|
|
|
uid = "uid";
|
|
|
|
|
encryption = "simple_tls";
|
|
|
|
|
active_directory = false;
|
|
|
|
|
base = "ou=users,${cfg.ldap.base}";
|
2023-06-15 13:29:06 +00:00
|
|
|
user_filter = "(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
|
2023-05-24 19:57:49 +00:00
|
|
|
|
2023-05-24 20:08:42 +00:00
|
|
|
attributes = {
|
|
|
|
|
username = "uid";
|
|
|
|
|
email = "skMail";
|
|
|
|
|
name = "cn";
|
|
|
|
|
};
|
2023-05-24 19:57:49 +00:00
|
|
|
|
2023-09-17 19:51:08 +00:00
|
|
|
group_base = "ou=groups,${cfg.ldap.base}";
|
2023-05-24 19:57:49 +00:00
|
|
|
admin_group = "skynet-admins";
|
|
|
|
|
|
|
|
|
|
sync_ssh_keys = "sshPublicKey";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-06-17 21:51:13 +00:00
|
|
|
|
|
|
|
|
pages = {
|
|
|
|
|
# default for pages is set to 8090 but that leaves an "ugly" port in the url,
|
|
|
|
|
# override it here to make it look good
|
|
|
|
|
port = 80;
|
2024-05-30 16:55:29 +00:00
|
|
|
#external_http = ["${config.services.skynet.host.ip}:80"];
|
2023-06-17 21:51:13 +00:00
|
|
|
};
|
2023-05-16 15:40:49 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-09-17 19:51:08 +00:00
|
|
|
}
|
