nixos/applications/gitlab.nix

177 lines
No EOL
4.3 KiB
Nix

{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.skynet_gitlab;
in {
imports = [
./acme.nix
./dns.nix
./firewall.nix
./nginx.nix
];
options.services.skynet_gitlab = {
enable = mkEnableOption "Skynet Gitlab";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = {
tld = mkOption {
type = types.str;
default = "ie";
};
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
default = "gitlab";
};
};
user = mkOption {
type = types.str;
default = "git";
};
ldap = {
base = mkOption {
type = types.str;
default = "dc=skynet,dc=ie";
description = lib.mdDoc "The base address in the ldap server";
};
};
};
config = mkIf cfg.enable {
age.secrets.gitlab_pw = {
file = ../secrets/gitlab/pw.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_db = {
file = ../secrets/gitlab/secrets_db.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_secret = {
file = ../secrets/gitlab/secrets_secret.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_otp = {
file = ../secrets/gitlab/secrets_otp.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_jws = {
file = ../secrets/gitlab/secrets_jws.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_db_pw = {
file = ../secrets/gitlab/db_pw.age;
owner = cfg.user;
group = cfg.user;
};
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
skynet_dns.records.cname = [
"${cfg.domain.sub} CNAME ${cfg.host.name}"
];
networking.firewall.allowedTCPPorts = [
80
443
# for git
22
];
services.nginx. virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
# "gitlab-ee"
];
services.gitlab = {
enable = true;
#packages.gitlab = pkgs.gitlab-ee;
databasePasswordFile = config.age.secrets.gitlab_db_pw.path;
initialRootPasswordFile = config.age.secrets.gitlab_pw.path;
https = true;
host = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
port = 443;
user = cfg.user;
group = cfg.user;
databaseUsername = cfg.user;
#smtp = {
# enable = true;
# address = "localhost";
# port = 25;
#};
secrets = {
dbFile = config.age.secrets.gitlab_secrets_db.path;
# these must be backed up for future
secretFile = config.age.secrets.gitlab_secrets_secret.path;
otpFile = config.age.secrets.gitlab_secrets_otp.path;
jwsFile = config.age.secrets.gitlab_secrets_jws.path;
};
extraConfig = {
gitlab = {
#email_from = "gitlab-no-reply@example.com";
#email_display_name = "Example GitLab";
#email_reply_to = "gitlab-no-reply@example.com";
default_projects_features = { builds = false; };
};
ldap = {
enabled = true;
servers = {
main = {
label = "Skynet";
host = "sso.skynet.ie";
port = 636;
uid = "uid";
encryption = "simple_tls";
active_directory = false;
#base = "ou=users,${cfg.ldap.base}?sub?(|(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))";
base = "ou=users,${cfg.ldap.base}";
user_filter = "(skMemberOf=cn=skynet-users,ou=groups,${cfg.ldap.base})";
attributes = {
username = "uid";
email = "skMail";
name = "cn";
};
group_base= "ou=groups,${cfg.ldap.base}";
admin_group = "skynet-admins";
sync_ssh_keys = "sshPublicKey";
};
};
};
};
};
};
}