nixos/applications/gitlab.nix

216 lines
No EOL
5.6 KiB
Nix

{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.skynet_gitlab;
in {
imports = [
./acme.nix
./dns.nix
./firewall.nix
./nginx.nix
];
options.services.skynet_gitlab = {
enable = mkEnableOption "Skynet Gitlab";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = {
tld = mkOption {
type = types.str;
default = "ie";
};
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
default = "gitlab";
};
};
user = mkOption {
type = types.str;
default = "git";
};
ldap = {
base = mkOption {
type = types.str;
default = "dc=skynet,dc=ie";
description = lib.mdDoc "The base address in the ldap server";
};
};
};
config = mkIf cfg.enable {
# delete all data
# rm -rf /run/gitlab && rm -rf /var/gitlab && rm -rf /var/lib/postgresql && rm -rf /run/gitlab && rm -rf /var/lib/redis-gitlab
# find all data
# grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab /
age.secrets.gitlab_pw = {
file = ../secrets/gitlab/pw.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_db = {
file = ../secrets/gitlab/secrets_db.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_secret = {
file = ../secrets/gitlab/secrets_secret.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_otp = {
file = ../secrets/gitlab/secrets_otp.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_jws = {
file = ../secrets/gitlab/secrets_jws.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_db_pw = {
file = ../secrets/gitlab/db_pw.age;
owner = cfg.user;
group = cfg.user;
};
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
skynet_dns.records.cname = [
"${cfg.domain.sub} CNAME ${cfg.host.name}"
];
skynet_dns.records.external = [
# for gitlab pages
"*.pages.${cfg.domain.base}.${cfg.domain.tld}. 1800 IN A ${cfg.host.ip}"
];
networking.firewall.allowedTCPPorts = [
# for git
2222
];
services.openssh.ports = [ 22 2222 ];
services.nginx.virtualHosts = {
# main site
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
# pages
"*.pages.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".proxyPass = "http://127.0.0.1:8091";
};
};
services.gitlab = {
enable = true;
databasePasswordFile = config.age.secrets.gitlab_db_pw.path;
initialRootPasswordFile = config.age.secrets.gitlab_pw.path;
https = true;
host = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
port = 443;
user = cfg.user;
group = cfg.user;
databaseUsername = cfg.user;
pages = {
# TODO: https://docs.gitlab.com/ee/administration/pages/index.html#add-the-domain-to-the-public-suffix-list
enable = true;
settings = {
# these are just examples, not to use
#artifacts-server = "http(s)://<services.gitlab.host>/api/v4"
#gitlab-server = "http(s)://<services.gitlab.host>"
pages-domain = "pages.${cfg.domain.base}.${cfg.domain.tld}";
listen-http = [
"127.0.0.1:8091"
];
/*
auth-client-id = "generated-id-xxxxxxx";
auth-client-secret = { _secret = "/var/keys/auth-client-secret"; };
auth-redirect-uri = "https://projects.example.com/auth";
auth-secret = { _secret = "/var/keys/auth-secret"; };
auth-server = "https://gitlab.example.com";
*/
};
};
#smtp = {
# enable = true;
# address = "localhost";
# port = 25;
#};
secrets = {
dbFile = config.age.secrets.gitlab_secrets_db.path;
secretFile = config.age.secrets.gitlab_secrets_secret.path;
otpFile = config.age.secrets.gitlab_secrets_otp.path;
jwsFile = config.age.secrets.gitlab_secrets_jws.path;
};
extraConfig = {
gitlab_shell = {
ssh_port = 2222;
};
ldap = {
enabled = true;
servers = {
main = {
label = "Skynet";
host = "sso.skynet.ie";
port = 636;
uid = "uid";
encryption = "simple_tls";
active_directory = false;
base = "ou=users,${cfg.ldap.base}";
user_filter = "(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
attributes = {
username = "uid";
email = "skMail";
name = "cn";
};
group_base= "ou=groups,${cfg.ldap.base}";
admin_group = "skynet-admins";
sync_ssh_keys = "sshPublicKey";
};
};
};
pages = {
# default for pages is set to 8090 but that leaves an "ugly" port in the url,
# override it here to make it look good
port = 80;
#external_http = ["${cfg.host.ip}:80"];
};
};
};
};
}