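{ config, pkgs, lib, ... }:
with lib;
let
  cfg = config.services.skynet_gitlab;

  # Public name the instance is served under. Built once so nginx and
  # GitLab's own `host` setting can never disagree.
  fqdn = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";

  # Every GitLab secret is decrypted from ../secrets/gitlab/<name>.age into a
  # file owned by the GitLab service user, so only that account needs to read
  # it.
  mkSecret = name: {
    file = ../secrets/gitlab + "/${name}.age";
    owner = cfg.user;
    group = cfg.user;
  };
in {
  imports = [
    ./acme.nix
    ./dns.nix
    ./firewall.nix
    ./nginx.nix
  ];

  options.services.skynet_gitlab = {
    enable = mkEnableOption "Skynet Gitlab";

    host = {
      # ip is not consumed in this file; presumably read by the imported
      # dns/firewall modules - confirm before removing.
      ip = mkOption { type = types.str; };
      name = mkOption { type = types.str; };
    };

    # Pieces of the FQDN: <sub>.<base>.<tld>
    domain = {
      tld = mkOption { type = types.str; default = "ie"; };
      base = mkOption { type = types.str; default = "skynet"; };
      sub = mkOption { type = types.str; default = "gitlab"; };
    };

    # System user/group GitLab runs as and the database role it connects with.
    user = mkOption { type = types.str; default = "git"; };

    ldap = {
      base = mkOption {
        type = types.str;
        default = "dc=skynet,dc=ie";
        description = lib.mdDoc "The base address in the ldap server";
      };
      # Previously hard-coded in the GitLab ldap block; exposed as an option so
      # a different directory host can be used without editing this module.
      host = mkOption {
        type = types.str;
        default = "sso.skynet.ie";
        description = lib.mdDoc "LDAP server GitLab authenticates users against (LDAPS, port 636).";
      };
    };
  };

  config = mkIf cfg.enable {
    # delete all data
    # rm -rf /run/gitlab && rm -rf /var/gitlab && rm -rf /var/lib/postgresql && rm -rf /run/gitlab && rm -rf /var/lib/redis-gitlab

    # find all data
    # grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab /

    age.secrets = {
      gitlab_pw = mkSecret "pw";
      gitlab_secrets_db = mkSecret "secrets_db";
      gitlab_secrets_secret = mkSecret "secrets_secret";
      gitlab_secrets_otp = mkSecret "secrets_otp";
      gitlab_secrets_jws = mkSecret "secrets_jws";
      gitlab_db_pw = mkSecret "db_pw";
    };

    # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide

    skynet_dns.records.cname = [
      "${cfg.domain.sub} CNAME ${cfg.host.name}"
    ];

    networking.firewall.allowedTCPPorts = [
      80
      443
      # for git
      22
    ];

    # TLS is terminated by nginx with the shared "skynet" ACME cert; traffic is
    # handed to gitlab-workhorse over its local unix socket, so port 80 only
    # serves the redirect produced by forceSSL.
    services.nginx.virtualHosts."${fqdn}" = {
      forceSSL = true;
      useACMEHost = "skynet";
      locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
    };

    # Allow-list for unfree packages; the EE package is currently not enabled.
    nixpkgs.config.allowUnfreePredicate = pkg:
      builtins.elem (lib.getName pkg) [
        # "gitlab-ee"
      ];

    services.gitlab = {
      enable = true;
      #packages.gitlab = pkgs.gitlab-ee;

      databasePasswordFile = config.age.secrets.gitlab_db_pw.path;
      initialRootPasswordFile = config.age.secrets.gitlab_pw.path;

      https = true;
      host = fqdn;
      port = 443;

      user = cfg.user;
      group = cfg.user;
      databaseUsername = cfg.user;

      #smtp = {
      #  enable = true;
      #  address = "localhost";
      #  port = 25;
      #};

      secrets = {
        dbFile = config.age.secrets.gitlab_secrets_db.path;
        # these must be backed up for future - the secret/otp/db keys protect
        # encrypted database columns, so a restore without them is unusable
        secretFile = config.age.secrets.gitlab_secrets_secret.path;
        otpFile = config.age.secrets.gitlab_secrets_otp.path;
        jwsFile = config.age.secrets.gitlab_secrets_jws.path;
      };

      extraConfig = {
        gitlab = {
          #email_from = "gitlab-no-reply@example.com";
          #email_display_name = "Example GitLab";
          #email_reply_to = "gitlab-no-reply@example.com";

          # CI is off by default for new projects.
          default_projects_features = {
            builds = false;
          };
        };

        ldap = {
          enabled = true;
          servers = {
            main = {
              label = "Skynet";
              host = cfg.ldap.host;
              port = 636;
              uid = "uid";
              # LDAPS from the first byte; credentials never cross the wire in
              # clear text. verify_certificates is GitLab's default but is
              # pinned here so a future default change cannot silently downgrade
              # the connection to an unverified peer.
              encryption = "simple_tls";
              verify_certificates = true;
              active_directory = false;

              #base = "ou=users,${cfg.ldap.base}?sub?(|(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
              # Only members of skynet-users may log in; the filter is applied
              # server-side on every bind, so removal from the group revokes
              # access without touching GitLab.
              base = "ou=users,${cfg.ldap.base}";
              user_filter = "(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base})";

              attributes = {
                username = "uid";
                email = "skMail";
                name = "cn";
              };

              # NOTE(review): group sync, admin_group and ssh-key sync are
              # presumably EE-only features; with the CE package (gitlab-ee is
              # commented out above) they are likely ignored - confirm.
              group_base = "ou=groups,${cfg.ldap.base}";
              admin_group = "skynet-admins";
              sync_ssh_keys = "sshPublicKey";
            };
          };
        };
      };
    };
  };
}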