services/gitlab: init on parsons

2021-08-08 22:09:37 +00:00 · 2021-08-08 22:09:37 +00:00 · 373926e33b
commit 373926e33b
parent 7881b444ba
4 changed files with 179 additions and 3 deletions
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@ -16,6 +16,8 @@
    ../../services/hedgedoc-i4f.nix
    ../../services/mail.nix
    ../../services/syncthing.nix
+    ../../services/gitlab.nix
+    ../../services/nginx-pages.nix
  ];

  hexchen.encboot = {
--- a/nix/sources.json
+++ b/nix/sources.json
@ -81,10 +81,10 @@
        "homepage": "",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d4590d21006387dcb190c516724cb1e41c0f8fdf",
-        "sha256": "17q39hlx1x87xf2rdygyimj8whdbx33nzszf4rxkc6b85wz0l38n",
+        "rev": "733682c32929293341f113f297b64ea6319e9089",
+        "sha256": "0f6zi45av9s176a2pi15jyf08xk0nsg181hhjhnz3asr0whyarf1",
        "type": "tarball",
-        "url": "https://github.com/nixos/nixpkgs/archive/d4590d21006387dcb190c516724cb1e41c0f8fdf.tar.gz",
+        "url": "https://github.com/nixos/nixpkgs/archive/733682c32929293341f113f297b64ea6319e9089.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs-unstable": {
--- a/services/gitlab.nix
+++ b/services/gitlab.nix
@ -0,0 +1,150 @@
+{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
+
+{
+  containers.gitlab = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.100.1";
+    localAddress = "192.168.100.7";
+
+    bindMounts = {
+      "/persist" = {
+        hostPath = "/persist/containers/gitlab";
+        isReadOnly = false;
+      };
+    };
+
+    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+      boot.isContainer = true;
+      networking.useDHCP = false;
+      users.users.root.hashedPassword = "";
+
+      imports = [
+        ../modules/mattermost.nix
+        ((import sources.nix-hexchen) {}).profiles.nopersist
+      ];
+
+      nixpkgs.config.allowUnfree = true;
+      networking.firewall.enable = false;
+      networking.defaultGateway = {
+        address = "192.168.100.1";
+        interface = "eth0";
+      };
+
+      services.gitlab = {
+        enable = true;
+
+        databaseCreateLocally = true;
+
+        host = "gitlab.infra4future.de";
+        https = true;
+        port = 443;
+
+        statePath = "/persist/gitlab";
+
+        initialRootPasswordFile = "/persist/secrets/gitlab-root";
+        secrets.secretFile = "/persist/secrets/gitlab-secret";
+        secrets.dbFile = "/persist/secrets/gitlab-db";
+        secrets.otpFile = "/persist/secrets/gitlab-otp";
+        secrets.jwsFile = "/persist/secrets/gitlab-jws";
+
+        smtp = {
+          enable = true;
+          address = "mail.hacc.space";
+          port = 587;
+          authentication = "plain";
+          domain = "gitlab.infra4future.de";
+          enableStartTLSAuto = true;
+          username = "noreply@infra4future.de";
+          passwordFile = "/persist/secrets/noreply-pass";
+        };
+
+        pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
+        extraConfig = {
+          pages = {
+            enabled = true;
+            host = "4future.dev";
+            port = 443;
+            https = true;
+          };
+          omniauth = {
+            enabled = true;
+            auto_sign_in_with_provider = "openid_connect";
+            allow_single_sign_on = ["openid_connect"];
+            block_auto_created_users = false;
+            providers = [
+              {
+                name = "openid_connect";
+                label = "infra4future Login";
+                args = {
+                  name = "openid_connect";
+                  scope = ["openid" "profile" "email"];
+                  response_type = "code";
+                  issuer = "https://auth.infra4future.de/auth/realms/forfuture";
+                  discovery = true;
+                  client_auth_method = "query";
+                  uid_field = "username";
+                  client_options = {
+                    identifier = "gitlab";
+                    secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
+                    redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
+                  };
+                };
+              }
+            ];
+          };
+        };
+      };
+
+      services.redis.enable = true;
+      services.postgresql.package = pkgs.postgresql_13;
+
+      services.nginx = {
+        enable = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedTlsSettings = true;
+        virtualHosts."gitlab.infra4future.de" = {
+          default = true;
+          locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+          locations."/".extraConfig = ''
+            proxy_redirect off;
+          '';
+        };
+      };
+
+      services.coredns = {
+        enable = true;
+        config = ''
+          .:53 {
+            forward . 1.1.1.1
+          }
+        '';
+      };
+    })).config.system.build.toplevel;
+  };
+
+  services.nginx.virtualHosts."gitlab.infra4future.de" = {
+    locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
+    locations."/".extraConfig = ''
+      proxy_set_header X-Nginx-Proxy true;
+      proxy_redirect off;
+    '';
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  services.nginx.virtualHosts."4future.dev" = {
+    locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+    serverName = "~^((.*)\.)?4future\.dev$";
+    useACMEHost = "4future.dev";
+    forceSSL = true;
+  };
+
+  security.acme.certs."4future.dev" = {
+    dnsProvider = "cloudflare";
+    credentialsFile = "/var/lib/acme/cloudflare.pass";
+    extraDomainNames = [ "*.4future.dev" ];
+    group = config.services.nginx.group;
+  };
+}
--- a/services/nginx-pages.nix
+++ b/services/nginx-pages.nix
@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  domains = [ "www.infra4future.de" "hacc.earth" "www.hacc.earth" ];
+in {
+
+  services.nginx.virtualHosts =
+    listToAttrs (map (host: nameValuePair host {
+      useACMEHost = "infra4future.de";
+      forceSSL = true;
+      locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+    }) domains) // {
+      "infra4future.de" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+      };
+    };
+
+  security.acme.certs."infra4future.de" = {
+    extraDomainNames = domains;
+  };
+}