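# Host-side definition of the `gitlab` NixOS container.
#
# The container runs GitLab (plus Pages, PostgreSQL, Redis, an internal nginx
# and a CoreDNS forwarder) on a private veth network.  The host NATs tcp/22
# into it and reverse-proxies HTTPS for both the main GitLab host name and
# the wildcard Pages domain.  All state and secrets are bind-mounted from
# /persist on the host.
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}: {
  containers.gitlab = {
    autoStart = true;
    # Private network: the container has no public interface, so everything
    # it exposes is reachable only via the host's NAT and nginx rules below.
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.7";
    bindMounts = {
      # GitLab state (statePath) and every *File secret referenced below live
      # under this mount; the container root filesystem itself is ephemeral
      # (see the nopersist profile imported inside).
      "/persist" = {
        hostPath = "/persist/containers/gitlab";
        isReadOnly = false;
      };
    };
    # The container closure is built with the project's evalConfig helper
    # instead of `containers.gitlab.config`, so it gets the same module set
    # (profiles/modules/sources) as a regular host.
    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
      boot.isContainer = true;
      networking.useDHCP = false;
      # NOTE(review): an empty hashedPassword means root logs in with no
      # password on every local login path (nixos-container root-login,
      # machinectl login, a getty).  ssh password auth is disabled further
      # down, so this is only reachable from the host — confirm that is the
      # intent; otherwise use a real hash or "!" to lock the account.
      users.users.root.hashedPassword = "";
      imports = [
        ../modules/mattermost.nix
        ((import sources.nix-hexchen) {}).profiles.nopersist
      ];
      nixpkgs.config.allowUnfree = true;
      # No firewall inside the container: exposure is decided entirely by the
      # host's forwardPorts/nginx entries at the bottom of this file.
      networking.firewall.enable = false;
      networking.defaultGateway = {
        address = "192.168.100.1";
        interface = "eth0";
      };
      services.gitlab = {
        enable = true;
        databaseCreateLocally = true;
        host = "gitlab.infra4future.de";
        # GitLab generates external URLs as https://...:443 even though TLS is
        # terminated on the host's nginx, not inside the container.
        https = true;
        port = 443;
        statePath = "/persist/gitlab";
        user = "git";
        databaseUsername = "git";
        # Secret material is never in the Nix store; each *File is read from
        # the /persist bind mount at service start.
        initialRootPasswordFile = "/persist/secrets/gitlab-root";
        secrets.secretFile = "/persist/secrets/gitlab-secret";
        secrets.dbFile = "/persist/secrets/gitlab-db";
        secrets.otpFile = "/persist/secrets/gitlab-otp";
        secrets.jwsFile = "/persist/secrets/gitlab-jws";
        smtp = {
          enable = true;
          address = "mail.hacc.space";
          port = 587;
          authentication = "plain";
          domain = "gitlab.infra4future.de";
          # PLAIN auth on 587 is only acceptable because STARTTLS is negotiated
          # first; keep enableStartTLSAuto on if the authentication stays plain.
          enableStartTLSAuto = true;
          username = "noreply@infra4future.de";
          passwordFile = "/persist/secrets/noreply-pass";
        };
        # gitlab-pages listens on 8090 on all container interfaces; the host
        # nginx vhost for 4future.dev proxies to it (the container network is
        # private, so 0.0.0.0 here is not externally reachable).
        pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
        extraConfig = {
          pages = {
            enabled = true;
            host = "4future.dev";
            port = 443;
            https = true;
          };
          omniauth = {
            enabled = true;
            auto_sign_in_with_provider = "oauth2_generic";
            allow_single_sign_on = ["oauth2_generic"];
            # Auto-created accounts are active immediately: whoever can
            # authenticate at login.infra4future.de gets a usable GitLab
            # account, so membership control lives entirely at the IdP.
            block_auto_created_users = false;
            providers = [
              {
                name = "oauth2_generic";
                label = "infra4future Login";
                app_id = "gitlab";
                # `_secret` makes the module read the value from the file at
                # runtime instead of embedding it in the generated config.
                app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
                args = {
                  client_options = {
                    site = "https://login.infra4future.de";
                    user_info_url = "/oauth2/userinfo";
                    authorize_url = "/oauth2/authorize";
                    token_url = "/oauth2/token";
                  };
                  strategy_class = "OmniAuth::Strategies::OAuth2Generic";
                };
              }
            ];
          };
        };
      };
      services.redis.enable = true;
      services.postgresql.package = pkgs.postgresql_13;
      # Container-internal nginx: plain HTTP on :80, fronting workhorse over
      # its unix socket.  TLS is handled by the host nginx.
      services.nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedTlsSettings = true;
        virtualHosts."gitlab.infra4future.de" = {
          default = true;
          locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
          locations."/".extraConfig = ''
            proxy_redirect off;
          '';
        };
      };
      # sshd inside the container serves git-over-ssh (tcp/22 is NATed in
      # from the host below); key-based auth only.
      services.openssh.enable = true;
      services.openssh.passwordAuthentication = false;
      users.users.git = {
        isSystemUser = true;
        group = "gitlab";
        home = "/persist/gitlab/home";
        # Fixed uid so files on the /persist bind mount keep a stable owner
        # across container rebuilds.
        uid = 165;
      };
      # Local resolver forwarding to 1.1.1.1 (plain DNS, no DoT/DoH here).
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };
    })).config.system.build.toplevel;
  };

  # Host-side exposure of the container.

  # NOTE(review): this forwards the host's tcp/22 into the container, which
  # presumably means the host's own sshd is not on port 22 — confirm.
  hexchen.nftables.nat.forwardPorts = [{
    ports = [ 22 ];
    destination = "${config.containers.gitlab.localAddress}:22";
    proto = "tcp";
  }];
  # NOTE(review): neither this vhost nor the container nginx sets
  # X-Forwarded-For / X-Forwarded-Proto, so GitLab will see the proxy's
  # address as the client IP (affects rate limiting and audit logs) —
  # confirm whether recommendedProxySettings is wanted here.
  services.nginx.virtualHosts."gitlab.infra4future.de" = {
    locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
    locations."/".extraConfig = ''
      proxy_set_header X-Nginx-Proxy true;
      proxy_redirect off;
    '';
    enableACME = true;
    forceSSL = true;
  };
  services.nginx.virtualHosts."4future.dev" = {
    locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
    # Regex server name for the Pages wildcard.  The dots must be escaped
    # with `\\` in a Nix double-quoted string: a bare `\.` is unescaped by
    # Nix to a plain `.`, which in the regex matches any character and would
    # also match names such as `evil-4future.dev` or `4futureXdev`.
    serverName = "~^((.*)\\.)?4future\\.dev$";
    useACMEHost = "4future.dev";
    forceSSL = true;
  };
  # Wildcard certificate via DNS-01; the Cloudflare API credentials file is
  # read by the acme service and must stay readable only by it.
  security.acme.certs."4future.dev" = {
    dnsProvider = "cloudflare";
    credentialsFile = "/var/lib/acme/cloudflare.pass";
    extraDomainNames = [ "*.4future.dev" ];
    group = config.services.nginx.group;
  };
}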