gitlab: basic setup

2023-05-24 20:57:49 +01:00 · 2023-05-24 20:57:49 +01:00 · 59f4057698
commit 59f4057698
parent 2b2917d34b
9 changed files with 81 additions and 20 deletions
--- a/applications/gitlab.nix
+++ b/applications/gitlab.nix
@ -44,6 +44,16 @@
      type = types.str;
      default = "git";
    };
+
+    ldap = {
+      base = mkOption {
+        type = types.str;
+        default = "dc=skynet,dc=ie";
+        description = lib.mdDoc "The base address in the ldap server";
+      };
+
+    };
+
  };

  config = mkIf cfg.enable {
@ -52,8 +62,23 @@
      owner = cfg.user;
      group = cfg.user;
    };
-    age.secrets.gitlab_db = {
-      file = ../secrets/gitlab/db.age;
+    age.secrets.gitlab_secrets_db = {
+      file = ../secrets/gitlab/secrets_db.age;
+      owner = cfg.user;
+      group = cfg.user;
+    };
+    age.secrets.gitlab_secrets_secret = {
+      file = ../secrets/gitlab/secrets_secret.age;
+      owner = cfg.user;
+      group = cfg.user;
+    };
+    age.secrets.gitlab_secrets_otp = {
+      file = ../secrets/gitlab/secrets_otp.age;
+      owner = cfg.user;
+      group = cfg.user;
+    };
+    age.secrets.gitlab_secrets_jws = {
+      file = ../secrets/gitlab/secrets_jws.age;
      owner = cfg.user;
      group = cfg.user;
    };
@ -91,17 +116,18 @@
      port = 443;
      user = cfg.user;
      group = cfg.user;
+      databaseUsername = cfg.user;
      #smtp = {
      #  enable = true;
      #  address = "localhost";
      #  port = 25;
      #};
      secrets = {
-        dbFile = config.age.secrets.gitlab_db.path;
+        dbFile = config.age.secrets.gitlab_secrets_db.path;
        # these must be backed up for future
-        secretFile = "/var/keys/gitlab/secret";
-        otpFile = "/var/keys/gitlab/otp";
-        jwsFile = "/var/keys/gitlab/jws";
+        secretFile = config.age.secrets.gitlab_secrets_secret.path;
+        otpFile = config.age.secrets.gitlab_secrets_otp.path;
+        jwsFile = config.age.secrets.gitlab_secrets_jws.path;
      };
      extraConfig = {
        gitlab = {
@ -110,6 +136,32 @@
          #email_reply_to = "gitlab-no-reply@example.com";
          default_projects_features = { builds = false; };
        };
+
+        ldap = {
+          enabled = true;
+          servers = {
+            main = {
+              label = "Skynet";
+              host = "sso.skynet.ie";
+              port = 636;
+              uid = "uid";
+              encryption = "simple_tls";
+              active_directory = false;
+              #base = "ou=users,${cfg.ldap.base}?sub?(|(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
+              base = "ou=users,${cfg.ldap.base}";
+
+
+              username = "uid";
+              email = "skMail";
+              name = "cn";
+
+              group_base= "ou=groups,${cfg.ldap.base}";
+              admin_group = "skynet-admins";
+
+              sync_ssh_keys = "sshPublicKey";
+            };
+          };
+        };
      };
    };
  };