diff --git a/applications/gitlab.nix b/applications/gitlab.nix index e5dad8a..2bfce33 100644 --- a/applications/gitlab.nix +++ b/applications/gitlab.nix 
@@ -1,68 +1,116 @@ -{ ... }: +{ config, pkgs, lib, ... }: + with lib; let - hostname = "gitlab.skynet.ie"; - user = "git"; + cfg = config.services.skynet_gitlab; in { imports = [ ./acme.nix + ./dns.nix + ./firewall.nix ./nginx.nix ]; - age.secrets.gitlab_pw = { - file = ../secrets/gitlab/pw.age; - owner = user; - group = user; - }; - age.secrets.gitlab_db = { - file = ../secrets/gitlab/db.age; - owner = user; - group = user; - }; - age.secrets.gitlab_db_pw = { - file = ../secrets/gitlab/db_pw.age; - owner = user; - group = user; + options.services.skynet_gitlab = { + enable = mkEnableOption "Skynet Gitlab"; + + host = { + ip = mkOption { + type = types.str; + }; + + name = mkOption { + type = types.str; + }; + }; + + domain = { + tld = mkOption { + type = types.str; + default = "ie"; + }; + + base = mkOption { + type = types.str; + default = "skynet"; + }; + + sub = mkOption { + type = types.str; + default = "gitlab"; + }; + }; + + user = mkOption { + type = types.str; + default = "git"; + }; }; - # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide + config = mkIf cfg.enable { + age.secrets.gitlab_pw = { + file = ../secrets/gitlab/pw.age; + owner = cfg.user; + group = cfg.user; + }; + age.secrets.gitlab_db = { + file = ../secrets/gitlab/db.age; + owner = cfg.user; + group = cfg.user; + }; + age.secrets.gitlab_db_pw = { + file = ../secrets/gitlab/db_pw.age; + owner = cfg.user; + group = cfg.user; + }; - services.nginx = { - virtualHosts."${hostname}" = { + # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide + skynet_dns.records.cname = [ + "${cfg.domain.sub} CNAME ${cfg.host.name}" + ]; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + + # for git + 22 + ]; + + services.nginx. 
virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { forceSSL = true; useACMEHost = "skynet"; locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; }; - }; - services.gitlab = { - enable = true; - databasePasswordFile = config.age.secrets.gitlab_db_pw.path; - initialRootPasswordFile = config.age.secrets.gitlab_pw.path; - https = true; - host = "${hostname}"; - port = 443; - user = user; - group = user; - #smtp = { - # enable = true; - # address = "localhost"; - # port = 25; - #}; - secrets = { - dbFile = config.age.secrets.gitlab_db.path; - # these must be backed up for future - secretFile = "/var/keys/gitlab/secret"; - otpFile = "/var/keys/gitlab/otp"; - jwsFile = "/var/keys/gitlab/jws"; - }; - extraConfig = { - gitlab = { - #email_from = "gitlab-no-reply@example.com"; - #email_display_name = "Example GitLab"; - #email_reply_to = "gitlab-no-reply@example.com"; - default_projects_features = { builds = false; }; + services.gitlab = { + enable = true; + databasePasswordFile = config.age.secrets.gitlab_db_pw.path; + initialRootPasswordFile = config.age.secrets.gitlab_pw.path; + https = true; + host = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; + port = 443; + user = cfg.user; + group = cfg.user; + #smtp = { + # enable = true; + # address = "localhost"; + # port = 25; + #}; + secrets = { + dbFile = config.age.secrets.gitlab_db.path; + # these must be backed up for future + secretFile = "/var/keys/gitlab/secret"; + otpFile = "/var/keys/gitlab/otp"; + jwsFile = "/var/keys/gitlab/jws"; + }; + extraConfig = { + gitlab = { + #email_from = "gitlab-no-reply@example.com"; + #email_display_name = "Example GitLab"; + #email_reply_to = "gitlab-no-reply@example.com"; + default_projects_features = { builds = false; }; + }; }; }; }; - } \ No newline at end of file
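Review bot: `useACMEHost = "skynet";` stays hard-coded while the nginx vhost name and `services.gitlab.host` are now built from `cfg.domain.sub/base/tld`, so overriding `domain.base` or `domain.tld` yields a vhost whose certificate (presumably the one defined in the imported ./acme.nix) no longer covers its name; either derive the ACME host from `cfg.domain` as well or document that only `domain.sub` is meant to be overridden. The FQDN expression is also spelled out twice; binding it once in the `let`, `fqdn = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";`, and using `virtualHosts."${fqdn}"` and `host = fqdn;` keeps the two from drifting apart. The new `host.ip` option is declared but never read in this hunk, and none of the `mkOption`s carry a `description`, so the module's documentation will not say what `host.name` (the CNAME target) or `host.ip` is for; a one-line `description` on each, and dropping `host.ip` if nothing consumes it, would settle that.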