# NixOS module: self-hosted GitLab with LDAP sign-in, fronted by nginx.
#
# NOTE(review): every pkgs.writeText / pkgs.runCommand result below is a
# /nix/store path, and the store is world-readable, so the database and
# root passwords, the secret/OTP/db key material, the generated OIDC
# signing key and the redacted "xxx" placeholders are all visible to any
# local user of this host. The *PasswordFile and secrets.* options take a
# plain path, so pointing them at files provisioned outside the store
# (a root-only directory filled by a secret-management tool) keeps the
# same module interface. The LDAP bind password under extraConfig
# presumably ends up in a generated, store-resident gitlab.yml as well —
# confirm against the gitlab module before relying on it.
{ pkgs, ... }:

let
  # Store file holding the literal text "xxx" (secrets are redacted here).
  placeholderSecret = name: pkgs.writeText name "xxx";

  # Fresh 2048-bit RSA key used for OpenID Connect (JWS) signing.
  oidcSigningKey = pkgs.runCommand "oidcKeyBase" {}
    "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";

  # LDAP directory used as the sign-in backend.
  ldapServer = {
    label = "LDAP";
    host = "ldap.federez.net";
    port = 389;
    # presumably STARTTLS on the plaintext port above — confirm against
    # the GitLab LDAP encryption settings in use
    method = "tls";
    uid = "uid";
    bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
    password = "xxx";
    base = "cn=Utilisateurs,dc=federez,dc=net";
    user_filter = "";
    active_directory = false;
    allow_username_or_email_login = false;
    # Accounts auto-created from LDAP are not blocked pending admin review.
    block_auto_created_users = false;
  };
in
{
  services.gitlab = {
    enable = true;
    databasePasswordFile = placeholderSecret "dbPassword";
    initialRootPasswordFile = placeholderSecret "rootPassword";
    secrets = {
      secretFile = placeholderSecret "secret";
      otpFile = placeholderSecret "otpsecret";
      dbFile = placeholderSecret "dbsecret";
      jwsFile = oidcSigningKey;
    };
    extraConfig.ldap = {
      enabled = true;
      servers.main = ldapServer;
    };
  };

  # TLS-terminating reverse proxy in front of gitlab-workhorse.
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts."gitlab2.federez.net" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
    };
  };

  # HTTP (ACME challenge / redirect) and HTTPS only.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Restrict the scheduled backup to a database dump.
  systemd.services.gitlab-backup.environment.BACKUP = "dump";
}