From 373926e33b9e11f8007689312dd6bc50e227885a Mon Sep 17 00:00:00 2001
From: hexchen
Date: Sun, 8 Aug 2021 22:09:37 +0000
Subject: [PATCH] services/gitlab: init on parsons

---
 hosts/parsons/configuration.nix | 2 +
 nix/sources.json | 6 +-
 services/gitlab.nix | 150 ++++++++++++++++++++++++++++++++
 services/nginx-pages.nix | 24 +++++
 4 files changed, 179 insertions(+), 3 deletions(-)
 create mode 100644 services/gitlab.nix
 create mode 100644 services/nginx-pages.nix

diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix
index c154b16..6c858b1 100644
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@@ -16,6 +16,8 @@
 ../../services/hedgedoc-i4f.nix
 ../../services/mail.nix
 ../../services/syncthing.nix
+ ../../services/gitlab.nix
+ ../../services/nginx-pages.nix
 ];
 
 hexchen.encboot = {
diff --git a/nix/sources.json b/nix/sources.json
index 1c11518..70693fe 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -81,10 +81,10 @@
 "homepage": "",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "d4590d21006387dcb190c516724cb1e41c0f8fdf",
- "sha256": "17q39hlx1x87xf2rdygyimj8whdbx33nzszf4rxkc6b85wz0l38n",
+ "rev": "733682c32929293341f113f297b64ea6319e9089",
+ "sha256": "0f6zi45av9s176a2pi15jyf08xk0nsg181hhjhnz3asr0whyarf1",
 "type": "tarball",
- "url": "https://github.com/nixos/nixpkgs/archive/d4590d21006387dcb190c516724cb1e41c0f8fdf.tar.gz",
+ "url": "https://github.com/nixos/nixpkgs/archive/733682c32929293341f113f297b64ea6319e9089.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs-unstable": {
diff --git a/services/gitlab.nix b/services/gitlab.nix
new file mode 100644
index 0000000..550847c
--- /dev/null
+++ b/services/gitlab.nix
@@ -0,0 +1,150 @@
+{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
+
+{
+ containers.gitlab = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.100.1";
+ localAddress = "192.168.100.7";
+
+ bindMounts = {
+ "/persist" = {
+ hostPath = "/persist/containers/gitlab";
+ isReadOnly = false;
+ };
+ };
+
+ path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+ boot.isContainer = true;
+ networking.useDHCP = false;
+ users.users.root.hashedPassword = "";
+
+ imports = [
+ ../modules/mattermost.nix
+ ((import sources.nix-hexchen) {}).profiles.nopersist
+ ];
+
+ nixpkgs.config.allowUnfree = true;
+ networking.firewall.enable = false;
+ networking.defaultGateway = {
+ address = "192.168.100.1";
+ interface = "eth0";
+ };
+
+ services.gitlab = {
+ enable = true;
+
+ databaseCreateLocally = true;
+
+ host = "gitlab.infra4future.de";
+ https = true;
+ port = 443;
+
+ statePath = "/persist/gitlab";
+
+ initialRootPasswordFile = "/persist/secrets/gitlab-root";
+ secrets.secretFile = "/persist/secrets/gitlab-secret";
+ secrets.dbFile = "/persist/secrets/gitlab-db";
+ secrets.otpFile = "/persist/secrets/gitlab-otp";
+ secrets.jwsFile = "/persist/secrets/gitlab-jws";
+
+ smtp = {
+ enable = true;
+ address = "mail.hacc.space";
+ port = 587;
+ authentication = "plain";
+ domain = "gitlab.infra4future.de";
+ enableStartTLSAuto = true;
+ username = "noreply@infra4future.de";
+ passwordFile = "/persist/secrets/noreply-pass";
+ };
+
+ pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
+ extraConfig = {
+ pages = {
+ enabled = true;
+ host = "4future.dev";
+ port = 443;
+ https = true;
+ };
+ omniauth = {
+ enabled = true;
+ auto_sign_in_with_provider = "openid_connect";
+ allow_single_sign_on = ["openid_connect"];
+ block_auto_created_users = false;
+ providers = [
+ {
+ name = "openid_connect";
+ label = "infra4future Login";
+ args = {
+ name = "openid_connect";
+ scope = ["openid" "profile" "email"];
+ response_type = "code";
+ issuer = "https://auth.infra4future.de/auth/realms/forfuture";
+ discovery = true;
+ client_auth_method = "query";
+ uid_field = "username";
+ client_options = {
+ identifier = "gitlab";
+ secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
+ redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
+ };
+ };
+ }
+ ];
+ };
+ };
+ };
+
+ services.redis.enable = true;
+ services.postgresql.package = pkgs.postgresql_13;
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."gitlab.infra4future.de" = {
+ default = true;
+ locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ locations."/".extraConfig = ''
+ proxy_redirect off;
+ '';
+ };
+ };
+
+ services.coredns = {
+ enable = true;
+ config = ''
+ .:53 {
+ forward . 1.1.1.1
+ }
+ '';
+ };
+ })).config.system.build.toplevel;
+ };
+
+ services.nginx.virtualHosts."gitlab.infra4future.de" = {
+ locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
+ locations."/".extraConfig = ''
+ proxy_set_header X-Nginx-Proxy true;
+ proxy_redirect off;
+ '';
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ services.nginx.virtualHosts."4future.dev" = {
+ locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+ serverName = "~^((.*)\.)?4future\.dev$";
+ useACMEHost = "4future.dev";
+ forceSSL = true;
+ };
+
+ security.acme.certs."4future.dev" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = "/var/lib/acme/cloudflare.pass";
+ extraDomainNames = [ "*.4future.dev" ];
+ group = config.services.nginx.group;
+ };
+}
diff --git a/services/nginx-pages.nix b/services/nginx-pages.nix
new file mode 100644
index 0000000..e977e18
--- /dev/null
+++ b/services/nginx-pages.nix
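Review bot: Neither nginx in this hunk forwards client identity to GitLab — the host vhost `services.nginx.virtualHosts."gitlab.infra4future.de"` sets only `proxy_set_header X-Nginx-Proxy true;`, and the container's `services.nginx` turns on the gzip, optimisation and TLS presets but not `recommendedProxySettings`, so Rails and Workhorse see every request as coming from the proxy, which blinds rack-attack throttling, audit logs and IP-based bans. The same omission leaves `Host` and `X-Forwarded-Proto` unset on the `-listen-proxy` Pages backend on 8090, which Pages uses to pick the site; this applies to the `4future.dev` vhost here and to every vhost in services/nginx-pages.nix. Adding `recommendedProxySettings = true;` to both `services.nginx` blocks, and listing the host address under `services.gitlab.extraConfig.gitlab.trusted_proxies` inside the container, gives GitLab the real client address and scheme; if the host's nginx already enables it in configuration outside this patch, only the container instance needs the change. Separately, `users.users.root.hashedPassword = "";` together with `networking.firewall.enable = false;` leaves the container's root account passwordless and every listening port in the container reachable from the host network. If the empty password only exists for `nixos-container root-login`, it is presumably unnecessary since that path goes through machinectl, and `networking.firewall.allowedTCPPorts = [ 80 8090 ];` would keep the firewall on for just the two ports the host proxies to.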
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ domains = [ "www.infra4future.de" "hacc.earth" "www.hacc.earth" ];
+in {
+
+ services.nginx.virtualHosts =
+ listToAttrs (map (host: nameValuePair host {
+ useACMEHost = "infra4future.de";
+ forceSSL = true;
+ locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+ }) domains) // {
+ "infra4future.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+ };
+ };
+
+ security.acme.certs."infra4future.de" = {
+ extraDomainNames = domains;
+ };
+}
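Review bot: `with lib;` at the top of services/nginx-pages.nix pulls the entire library into scope for just two helpers, which hides where `listToAttrs` and `nameValuePair` come from and is the form commonly discouraged in module code. Replacing it with `inherit (lib) listToAttrs nameValuePair;` inside the existing `let` keeps the file self-describing without changing what it evaluates to.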