# NixOS module for a GitLab instance served through nginx.
#
# Secrets are supplied as encrypted `.age` files under ../secrets and surfaced
# through `config.age.secrets` (agenix-style; which implementation provides
# `age.secrets` is not visible from this file). Every value GitLab needs is
# referenced by decrypted-file *path*, so no secret material ends up in the
# Nix store.
#
# NOTE(review): `pkgs` is accepted but not used in this module.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.gitlab;
  # Decrypted secret entries; `.path` below is the runtime path of each file.
  secrets = config.age.secrets;
in
{
  # Register each secret file and make it readable by the GitLab service
  # account (owner/group taken from the gitlab module's own user/group options)
  # rather than by root only. The file mode is left at the secrets module's
  # default — confirm that default is not world-readable.
  age.secrets = lib.mapAttrs (_: f: { file = f; owner = cfg.user; group = cfg.group; }) {
    gitlab-secret = ../secrets/gitlab-secret.age;
    gitlab-otp-secret = ../secrets/gitlab-otp-secret.age;
    gitlab-db-secret = ../secrets/gitlab-db-secret.age;
    gitlab-jws-secret = ../secrets/gitlab-jws-secret.age;
    gitlab-db-password = ../secrets/gitlab-db-password.age;
    gitlab-initial-root-password = ../secrets/gitlab-initial-root-password.age;
    gitlab-ldap-password = ../secrets/gitlab-ldap-password.age;
  };

  # `backups` is not a standard NixOS option; presumably declared by another
  # module in this repository. It is fed the GitLab state directory and the
  # GitLab database name — verify against that module's definition.
  backups = {
    directories = [ cfg.statePath ];
    postgresqlDatabases = [ cfg.databaseName ];
  };

  services.gitlab = {
    enable = true;
    host = "gitlab2.federez.net";
    https = true;
    databasePasswordFile = secrets.gitlab-db-password.path;
    # Only consulted on first database seed; the root password should be
    # rotated afterwards so this file is not the long-term credential.
    initialRootPasswordFile = secrets.gitlab-initial-root-password.path;
    # This attribute is named `secrets` too, but the set is not `rec`, so the
    # `secrets.*` references on the right-hand side resolve to the `let`
    # binding (config.age.secrets), not to this attribute.
    secrets = {
      secretFile = secrets.gitlab-secret.path;
      otpFile = secrets.gitlab-otp-secret.path;
      dbFile = secrets.gitlab-db-secret.path;
      jwsFile = secrets.gitlab-jws-secret.path;
    };
    # LDAP sign-in against the organisation directory. Keys follow GitLab's
    # gitlab.yml `ldap:` schema and are passed through verbatim.
    extraConfig.ldap = {
      enabled = true;
      servers = {
        main = {
          label = "LDAP";
          host = "ldap.federez.net";
          port = 389;
          uid = "uid";
          # "tls" is GitLab's name for STARTTLS on the plain LDAP port (389),
          # so the bind below is upgraded to TLS before credentials are sent.
          # `verify_certificates` is not set here; GitLab's documented default
          # is to verify — confirm the server certificate chain is trusted by
          # this host so that default does not have to be relaxed.
          method = "tls";
          bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
          # `_secret` is the NixOS gitlab module's convention: the file
          # contents are substituted into the generated config at service
          # start, keeping the bind password out of the Nix store.
          password = { _secret = secrets.gitlab-ldap-password.path; };
          active_directory = false;
          allow_username_or_email_login = false;
          # false: accounts auto-provisioned on first LDAP sign-in are usable
          # immediately, not held for administrator approval. This is a
          # policy choice — any directory entry under `base` that matches
          # `uid` can log in, since no `user_filter` narrows it further.
          block_auto_created_users = false;
          base = "cn=Utilisateurs,dc=federez,dc=net";
          user_filter = "";
        };
      };
    };
  };

  # TLS termination in front of gitlab-workhorse (unix socket, no TCP port
  # exposed by GitLab itself).
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "gitlab2.federez.net" = {
        # Certificate via ACME; forceSSL redirects plain HTTP to HTTPS.
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
      };
    };
  };

  # 443 for the site; 80 presumably kept open for the ACME HTTP-01 challenge
  # and the HTTP→HTTPS redirect.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  # Passed to GitLab's backup task; presumably pins the archive name so the
  # `backups` job above can locate it — confirm against the backup tooling.
  systemd.services.gitlab-backup.environment.BACKUP = "dump";
}