nix/profiles/gitlab.nix

{ config, lib, pkgs, ... }:

let
  cfg = config.services.gitlab;
  secrets = config.age.secrets;
in
{
  age.secrets = lib.mapAttrs
    (_: f: { file = f; owner = cfg.user; group = cfg.group; })
    {
      gitlab-secret = ../secrets/gitlab-secret.age;
      gitlab-otp-secret = ../secrets/gitlab-otp-secret.age;
      gitlab-db-secret = ../secrets/gitlab-db-secret.age;
      gitlab-jws-secret = ../secrets/gitlab-jws-secret.age;
      gitlab-arpk-secret = ../secrets/gitlab-arpk-secret.age;
      gitlab-ardk-secret = ../secrets/gitlab-ardk-secret.age;
      gitlab-ars-secret = ../secrets/gitlab-ars-secret.age;
      gitlab-db-password = ../secrets/gitlab-db-password.age;
      gitlab-initial-root-password = ../secrets/gitlab-initial-root-password.age;
      gitlab-ldap-password = ../secrets/gitlab-ldap-password.age;
    };

  backups = {
    directories = [ cfg.statePath ];
    postgresqlDatabases = [ cfg.databaseName ];
  };

  # If you ever want to update gitlab, even despite Forgejo being in deployment:
  # 1. Make a proper gitlab backup
  # 2. Uncomment all commented line below
  # 3. Run colmena
  # 4. Restore the backup previously saved
  services.gitlab = {
    enable = true;
    host = "gitlab2.federez.net";
    port = 443;
    https = true;
    databasePasswordFile = secrets.gitlab-db-password.path;
    initialRootPasswordFile = secrets.gitlab-initial-root-password.path;
    secrets = {
      secretFile = secrets.gitlab-secret.path;
      otpFile = secrets.gitlab-otp-secret.path;
      dbFile = secrets.gitlab-db-secret.path;
      jwsFile = secrets.gitlab-jws-secret.path;
      # activeRecordPrimaryKeyFile = secrets.gitlab-arpk-secret.path;
      # activeRecordDeterministicKeyFile = secrets.gitlab-ardk-secret.path;
      # activeRecordSaltFile = secrets.gitlab-ars-secret.path;
    };
    extraConfig.ldap = {
      enabled = true;
      servers = {
        main = {
          label = "LDAP";
          host = "ldap.federez.net";
          port = 389;
          uid = "uid";
          method = "tls";
          bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
          password = { _secret = secrets.gitlab-ldap-password.path; };
          active_directory = false;
          allow_username_or_email_login = false;
          block_auto_created_users = false;
          base = "cn=Utilisateurs,dc=federez,dc=net";
          user_filter = "";
        };
      };
    };
  };

  # services.postgresql = {
  #   enable = true;
  #   package = pkgs.postgresql_16;
  # };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "gitlab2.federez.net" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  systemd.services.gitlab-backup.environment.BACKUP = "dump";
}