services/gitlab: init on parsons
This commit is contained in:
parent
7881b444ba
commit
373926e33b
4 changed files with 179 additions and 3 deletions
|
@ -16,6 +16,8 @@
|
||||||
../../services/hedgedoc-i4f.nix
|
../../services/hedgedoc-i4f.nix
|
||||||
../../services/mail.nix
|
../../services/mail.nix
|
||||||
../../services/syncthing.nix
|
../../services/syncthing.nix
|
||||||
|
../../services/gitlab.nix
|
||||||
|
../../services/nginx-pages.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
hexchen.encboot = {
|
hexchen.encboot = {
|
||||||
|
|
|
@ -81,10 +81,10 @@
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "d4590d21006387dcb190c516724cb1e41c0f8fdf",
|
"rev": "733682c32929293341f113f297b64ea6319e9089",
|
||||||
"sha256": "17q39hlx1x87xf2rdygyimj8whdbx33nzszf4rxkc6b85wz0l38n",
|
"sha256": "0f6zi45av9s176a2pi15jyf08xk0nsg181hhjhnz3asr0whyarf1",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/nixos/nixpkgs/archive/d4590d21006387dcb190c516724cb1e41c0f8fdf.tar.gz",
|
"url": "https://github.com/nixos/nixpkgs/archive/733682c32929293341f113f297b64ea6319e9089.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
|
|
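--- a/services/gitlab.nix
+++ b/services/gitlab.nix
@@ -0,0 +1,150 @@
+{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
+
+{
+  containers.gitlab = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.100.1";
+    localAddress = "192.168.100.7";
+
+    bindMounts = {
+      "/persist" = {
+        hostPath = "/persist/containers/gitlab";
+        isReadOnly = false;
+      };
+    };
+
+    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+      boot.isContainer = true;
+      networking.useDHCP = false;
+      users.users.root.hashedPassword = "";
+
+      imports = [
+        ../modules/mattermost.nix
+        ((import sources.nix-hexchen) {}).profiles.nopersist
+      ];
+
+      nixpkgs.config.allowUnfree = true;
+      networking.firewall.enable = false;
+      networking.defaultGateway = {
+        address = "192.168.100.1";
+        interface = "eth0";
+      };
+
+      services.gitlab = {
+        enable = true;
+
+        databaseCreateLocally = true;
+
+        host = "gitlab.infra4future.de";
+        https = true;
+        port = 443;
+
+        statePath = "/persist/gitlab";
+
+        initialRootPasswordFile = "/persist/secrets/gitlab-root";
+        secrets.secretFile = "/persist/secrets/gitlab-secret";
+        secrets.dbFile = "/persist/secrets/gitlab-db";
+        secrets.otpFile = "/persist/secrets/gitlab-otp";
+        secrets.jwsFile = "/persist/secrets/gitlab-jws";
+
+        smtp = {
+          enable = true;
+          address = "mail.hacc.space";
+          port = 587;
+          authentication = "plain";
+          domain = "gitlab.infra4future.de";
+          enableStartTLSAuto = true;
+          username = "noreply@infra4future.de";
+          passwordFile = "/persist/secrets/noreply-pass";
+        };
+
+        pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
+        extraConfig = {
+          pages = {
+            enabled = true;
+            host = "4future.dev";
+            port = 443;
+            https = true;
+          };
+          omniauth = {
+            enabled = true;
+            auto_sign_in_with_provider = "openid_connect";
+            allow_single_sign_on = ["openid_connect"];
+            block_auto_created_users = false;
+            providers = [
+              {
+                name = "openid_connect";
+                label = "infra4future Login";
+                args = {
+                  name = "openid_connect";
+                  scope = ["openid" "profile" "email"];
+                  response_type = "code";
+                  issuer = "https://auth.infra4future.de/auth/realms/forfuture";
+                  discovery = true;
+                  client_auth_method = "query";
+                  uid_field = "username";
+                  client_options = {
+                    identifier = "gitlab";
+                    secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
+                    redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
+                  };
+                };
+              }
+            ];
+          };
+        };
+      };
+
+      services.redis.enable = true;
+      services.postgresql.package = pkgs.postgresql_13;
+
+      services.nginx = {
+        enable = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedTlsSettings = true;
+        virtualHosts."gitlab.infra4future.de" = {
+          default = true;
+          locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+          locations."/".extraConfig = ''
+            proxy_redirect off;
+          '';
+        };
+      };
+
+      services.coredns = {
+        enable = true;
+        config = ''
+          .:53 {
+            forward . 1.1.1.1
+          }
+        '';
+      };
+    })).config.system.build.toplevel;
+  };
+
+  services.nginx.virtualHosts."gitlab.infra4future.de" = {
+    locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
+    locations."/".extraConfig = ''
+      proxy_set_header X-Nginx-Proxy true;
+      proxy_redirect off;
+    '';
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  services.nginx.virtualHosts."4future.dev" = {
+    locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+    serverName = "~^((.*)\.)?4future\.dev$";
+    useACMEHost = "4future.dev";
+    forceSSL = true;
+  };
+
+  security.acme.certs."4future.dev" = {
+    dnsProvider = "cloudflare";
+    credentialsFile = "/var/lib/acme/cloudflare.pass";
+    extraDomainNames = [ "*.4future.dev" ];
+    group = config.services.nginx.group;
+  };
+}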
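Review bot: Inside the container, `users.users.root.hashedPassword = "";` gives root a passwordless login, and `networking.firewall.enable = false;` next to gitlab-pages bound to `-listen-proxy 0.0.0.0:8090` exposes every container service to whatever can route to 192.168.100.7; that is acceptable only if the host is the sole peer on that network, so either state that assumption in a comment or keep the firewall on with `networking.firewall.allowedTCPPorts = [ 80 8090 ];`. The `4future.dev` vhost's `serverName = "~^((.*)\.)?4future\.dev$";` is a double-quoted Nix string in which `\.` collapses to a bare `.`, so nginx receives `~^((.*).)?4future.dev$` and the dots match any character; write it as `''~^((.*)\.)?4future\.dev$''` or escape the dots as `\\.`. The two host-side vhosts set only `X-Nginx-Proxy` and no `X-Forwarded-For`/`X-Forwarded-Proto`, and the inner nginx adds none either, so unless `recommendedProxySettings` is enabled in the host's nginx config (not visible here) GitLab's audit logs and rate limiting will only ever see the gateway address 192.168.100.1 — worth confirming. A header comment naming the three proxy hops (host nginx → container nginx → workhorse socket, plus host nginx → pages on 8090) would make the file much easier to reason about.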
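--- a/services/nginx-pages.nix
+++ b/services/nginx-pages.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  domains = [ "www.infra4future.de" "hacc.earth" "www.hacc.earth" ];
+in {
+
+  services.nginx.virtualHosts =
+    listToAttrs (map (host: nameValuePair host {
+      useACMEHost = "infra4future.de";
+      forceSSL = true;
+      locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+    }) domains) // {
+      "infra4future.de" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+      };
+    };
+
+  security.acme.certs."infra4future.de" = {
+    extraDomainNames = domains;
+  };
+}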
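Review bot: All four hosts are handed to gitlab-pages on port 8090 with nothing but `proxyPass`, and gitlab-pages presumably picks the project from the `Host` header; unless `recommendedProxySettings` is enabled globally (not visible in this commit) the upstream would see the container address instead of the requested domain, so confirm that or add `locations."/".extraConfig = "proxy_set_header Host $host;";` to both vhost bodies. The `locations."/".proxyPass` line is repeated verbatim for the apex host; a small `let pagesUpstream = "http://${config.containers.gitlab.localAddress}:8090"; in` would keep the two in step. A one-line header comment such as `# static sites for hacc.earth and infra4future.de, published via GitLab Pages in the gitlab container` would tell a reader why a file named nginx-pages points at the gitlab container at all.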