profiles/gitlab: init

Signed-off-by: Ryan Lahfa <federez-infra@lahfa.xyz>
2024-08-08 16:33:46 +02:00 · 2024-08-08 16:33:46 +02:00 · 3b6c3f6d70
commit 3b6c3f6d70
parent 0b55fc629f
8 changed files with 115 additions and 43 deletions
--- a/profiles/gitlab.nix
+++ b/profiles/gitlab.nix
@ -0,0 +1,49 @@
+{ pkgs, ... }: {
+  services.gitlab = {
+    enable = true;
+    databasePasswordFile = pkgs.writeText "dbPassword" "xxx";
+    initialRootPasswordFile = pkgs.writeText "rootPassword" "xxx";
+    secrets = {
+      secretFile = pkgs.writeText "secret" "xxx";
+      otpFile = pkgs.writeText "otpsecret" "xxx";
+      dbFile = pkgs.writeText "dbsecret" "xxx";
+      jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+    };
+    extraConfig.ldap = {
+      enabled = true;
+      servers = {
+        main = {
+          label = "LDAP";
+          host = "ldap.federez.net";
+          port = 389;
+          uid = "uid";
+          method = "tls";
+          bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
+          password = "xxx";
+          active_directory = false;
+          allow_username_or_email_login = false;
+          block_auto_created_users = false;
+          base = "cn=Utilisateurs,dc=federez,dc=net";
+          user_filter = "";
+        };
+      };
+    };
+  };
+
+  
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "gitlab2.federez.net" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  systemd.services.gitlab-backup.environment.BACKUP = "dump";
+}