services/gitlab: init on parsons

This commit is contained in:
hexchen 2021-08-08 22:09:37 +00:00
parent 7881b444ba
commit 373926e33b
4 changed files with 179 additions and 3 deletions

View file

@ -16,6 +16,8 @@
../../services/hedgedoc-i4f.nix ../../services/hedgedoc-i4f.nix
../../services/mail.nix ../../services/mail.nix
../../services/syncthing.nix ../../services/syncthing.nix
../../services/gitlab.nix
../../services/nginx-pages.nix
]; ];
hexchen.encboot = { hexchen.encboot = {

View file

@ -81,10 +81,10 @@
"homepage": "", "homepage": "",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d4590d21006387dcb190c516724cb1e41c0f8fdf", "rev": "733682c32929293341f113f297b64ea6319e9089",
"sha256": "17q39hlx1x87xf2rdygyimj8whdbx33nzszf4rxkc6b85wz0l38n", "sha256": "0f6zi45av9s176a2pi15jyf08xk0nsg181hhjhnz3asr0whyarf1",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nixos/nixpkgs/archive/d4590d21006387dcb190c516724cb1e41c0f8fdf.tar.gz", "url": "https://github.com/nixos/nixpkgs/archive/733682c32929293341f113f297b64ea6319e9089.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {

150
services/gitlab.nix Normal file
View file

@ -0,0 +1,150 @@
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
{
containers.gitlab = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.7";
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/gitlab";
isReadOnly = false;
};
};
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
imports = [
../modules/mattermost.nix
((import sources.nix-hexchen) {}).profiles.nopersist
];
nixpkgs.config.allowUnfree = true;
networking.firewall.enable = false;
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
services.gitlab = {
enable = true;
databaseCreateLocally = true;
host = "gitlab.infra4future.de";
https = true;
port = 443;
statePath = "/persist/gitlab";
initialRootPasswordFile = "/persist/secrets/gitlab-root";
secrets.secretFile = "/persist/secrets/gitlab-secret";
secrets.dbFile = "/persist/secrets/gitlab-db";
secrets.otpFile = "/persist/secrets/gitlab-otp";
secrets.jwsFile = "/persist/secrets/gitlab-jws";
smtp = {
enable = true;
address = "mail.hacc.space";
port = 587;
authentication = "plain";
domain = "gitlab.infra4future.de";
enableStartTLSAuto = true;
username = "noreply@infra4future.de";
passwordFile = "/persist/secrets/noreply-pass";
};
pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
extraConfig = {
pages = {
enabled = true;
host = "4future.dev";
port = 443;
https = true;
};
omniauth = {
enabled = true;
auto_sign_in_with_provider = "openid_connect";
allow_single_sign_on = ["openid_connect"];
block_auto_created_users = false;
providers = [
{
name = "openid_connect";
label = "infra4future Login";
args = {
name = "openid_connect";
scope = ["openid" "profile" "email"];
response_type = "code";
issuer = "https://auth.infra4future.de/auth/realms/forfuture";
discovery = true;
client_auth_method = "query";
uid_field = "username";
client_options = {
identifier = "gitlab";
secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
};
};
}
];
};
};
};
services.redis.enable = true;
services.postgresql.package = pkgs.postgresql_13;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts."gitlab.infra4future.de" = {
default = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
locations."/".extraConfig = ''
proxy_redirect off;
'';
};
};
services.coredns = {
enable = true;
config = ''
.:53 {
forward . 1.1.1.1
}
'';
};
})).config.system.build.toplevel;
};
services.nginx.virtualHosts."gitlab.infra4future.de" = {
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
locations."/".extraConfig = ''
proxy_set_header X-Nginx-Proxy true;
proxy_redirect off;
'';
enableACME = true;
forceSSL = true;
};
services.nginx.virtualHosts."4future.dev" = {
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
serverName = "~^((.*)\.)?4future\.dev$";
useACMEHost = "4future.dev";
forceSSL = true;
};
security.acme.certs."4future.dev" = {
dnsProvider = "cloudflare";
credentialsFile = "/var/lib/acme/cloudflare.pass";
extraDomainNames = [ "*.4future.dev" ];
group = config.services.nginx.group;
};
}

24
services/nginx-pages.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
with lib;
let
domains = [ "www.infra4future.de" "hacc.earth" "www.hacc.earth" ];
in {
services.nginx.virtualHosts =
listToAttrs (map (host: nameValuePair host {
useACMEHost = "infra4future.de";
forceSSL = true;
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
}) domains) // {
"infra4future.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
};
};
security.acme.certs."infra4future.de" = {
extraDomainNames = domains;
};
}