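{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:

# GitLab as a NixOS container with its own private network (veth pair
# 192.168.100.1 host / 192.168.100.7 container) and all mutable state
# bind-mounted from /persist/containers/gitlab on the host.
# Everything under `path = ...` is the container's own NixOS configuration; the
# trailing host-side blocks NAT ssh (port 22) into the container, terminate TLS
# on the host and proxy HTTP to the container's nginx and to GitLab Pages.
{
  containers.gitlab = {
    autoStart = true;
    # Private network namespace: the container only sees the veth pair below, so
    # services inside are reachable from the host (and through the host's NAT
    # rule and nginx proxies), not directly from outside.
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.7";

    bindMounts = {
      # GitLab state and the secret files referenced below live here on the host;
      # the imported nopersist profile presumably keeps nothing else across
      # rebuilds — verify against nix-hexchen.
      "/persist" = {
        hostPath = "/persist/containers/gitlab";
        isReadOnly = false;
      };
    };

    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
      boot.isContainer = true;
      networking.useDHCP = false;
      # Empty password hash: root can log in at the container console without a
      # password (e.g. `nixos-container root-login` from the host). sshd is not
      # affected because password authentication is disabled further down.
      users.users.root.hashedPassword = "";

      imports = [
        ../modules/mattermost.nix
        ((import sources.nix-hexchen) {}).profiles.nopersist
      ];

      nixpkgs.config.allowUnfree = true;
      # No firewall inside the container: ingress is whatever the host routes to
      # 192.168.100.7 (the ssh NAT rule and the two nginx proxies below). Note that
      # Pages binds 0.0.0.0:8090 and nginx :80, so anything that can reach the
      # container subnet can reach them — confirm the host does not route it further.
      networking.firewall.enable = false;
      networking.defaultGateway = {
        address = "192.168.100.1";
        interface = "eth0";
      };

      services.gitlab = {
        enable = true;

        databaseCreateLocally = true;

        # External URL GitLab advertises (https://gitlab.infra4future.de:443).
        # TLS is not terminated here but by the host nginx; inside the container
        # GitLab is only reached through the workhorse unix socket proxied below.
        host = "gitlab.infra4future.de";
        https = true;
        port = 443;

        statePath = "/persist/gitlab";
        user = "git";
        databaseUsername = "git";

        # Secret material is referenced by path on the bind-mounted /persist and
        # read by the gitlab service at runtime, so it does not have to be placed
        # in the nix store. Rotating a secret means replacing the file on the host.
        initialRootPasswordFile = "/persist/secrets/gitlab-root";
        secrets.secretFile = "/persist/secrets/gitlab-secret";
        secrets.dbFile = "/persist/secrets/gitlab-db";
        secrets.otpFile = "/persist/secrets/gitlab-otp";
        secrets.jwsFile = "/persist/secrets/gitlab-jws";

        smtp = {
          enable = true;
          address = "mail.hacc.space";
          port = 587;
          authentication = "plain";
          domain = "gitlab.infra4future.de";
          # NOTE(review): StartTLSAuto is opportunistic — the PLAIN credentials are
          # only protected if mail.hacc.space offers STARTTLS. Confirm the relay
          # requires it rather than merely advertising it.
          enableStartTLSAuto = true;
          username = "noreply@infra4future.de";
          passwordFile = "/persist/secrets/noreply-pass";
        };

        # GitLab Pages in proxy mode, listening on all container interfaces; the
        # host vhost for 4future.dev forwards to this port.
        pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
        extraConfig = {
          pages = {
            enabled = true;
            host = "4future.dev";
            port = 443;
            https = true;
          };
          # SSO against the infra4future login service: users are sent straight to
          # the provider and accounts auto-created on first login are not blocked.
          omniauth = {
            enabled = true;
            auto_sign_in_with_provider = "oauth2_generic";
            allow_single_sign_on = ["oauth2_generic"];
            block_auto_created_users = false;
            providers = [
              {
                name = "oauth2_generic";
                label = "infra4future Login";
                app_id = "gitlab";
                # `_secret` makes the gitlab module substitute the file's contents
                # when the config is generated at runtime instead of embedding the
                # client secret in the store.
                app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
                args = {
                  client_options = {
                    site = "https://login.infra4future.de";
                    user_info_url = "/oauth2/userinfo";
                    authorize_url = "/oauth2/authorize";
                    token_url = "/oauth2/token";
                  };
                  strategy_class = "OmniAuth::Strategies::OAuth2Generic";
                };
              }
            ];
          };
        };
      };

      services.redis.enable = true;
      services.postgresql.package = pkgs.postgresql_13;

      # Plain-HTTP front for GitLab inside the container; the host nginx proxies
      # to it over the veth link and handles TLS (no enableACME/forceSSL here).
      # `default = true` presumably so the vhost also answers when the proxied
      # Host header is not the site name — verify against the host proxy.
      services.nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedTlsSettings = true;
        virtualHosts."gitlab.infra4future.de" = {
          default = true;
          locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
          locations."/".extraConfig = ''
            proxy_redirect off;
          '';
        };
      };

      # sshd for git-over-ssh (port 22 is NAT-forwarded from the host), keys only.
      # NOTE(review): newer NixOS releases renamed this option to
      # services.openssh.settings.PasswordAuthentication — use whichever the
      # pinned nixpkgs understands.
      services.openssh.enable = true;
      services.openssh.passwordAuthentication = false;

      # Fixed uid so ownership of files under /persist/gitlab survives rebuilds.
      users.users.git = {
        isSystemUser = true;
        group = "gitlab";
        home = "/persist/gitlab/home";
        uid = 165;
      };

      # Local resolver: useDHCP is off, so the container needs an explicit
      # upstream. Queries go to 1.1.1.1 in the clear; CoreDNS can forward over
      # TLS (tls://) if plaintext DNS from this host is a concern.
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };
    })).config.system.build.toplevel;
  };

  # Host side: expose the container's sshd on the host's port 22.
  hexchen.nftables.nat.forwardPorts = [{
    ports = [ 22 ];
    destination = "${config.containers.gitlab.localAddress}:22";
    proto = "tcp";
  }];

  # Host side: TLS termination for the GitLab web UI, proxied to the
  # container's nginx on port 80.
  services.nginx.virtualHosts."gitlab.infra4future.de" = {
    locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
    locations."/".extraConfig = ''
      proxy_set_header X-Nginx-Proxy true;
      proxy_redirect off;
    '';
    enableACME = true;
    forceSSL = true;
  };

  # Host side: GitLab Pages for the 4future.dev apex and any subdomain.
  services.nginx.virtualHosts."4future.dev" = {
    locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
    # Backslashes must be doubled in a Nix double-quoted string: a single `\.`
    # is unescaped to a bare `.`, so the regex nginx received matched any
    # character in those positions (e.g. `4future-dev`), not a literal dot.
    serverName = "~^((.*)\\.)?4future\\.dev$";
    useACMEHost = "4future.dev";
    forceSSL = true;
  };

  # Wildcard certificate via DNS-01. The Cloudflare API credential file is read
  # by the ACME client on the host and must stay out of the nix store and git.
  security.acme.certs."4future.dev" = {
    dnsProvider = "cloudflare";
    credentialsFile = "/var/lib/acme/cloudflare.pass";
    extraDomainNames = [ "*.4future.dev" ];
    group = config.services.nginx.group;
  };
}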