66 lines
2 KiB
Nix
66 lines
2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
cfg = config.services.gitlab;
|
|
secrets = config.age.secrets;
|
|
in
|
|
{
|
|
age.secrets = lib.mapAttrs
|
|
(_: f: { file = f; owner = cfg.user; group = cfg.group; })
|
|
{
|
|
gitlab-secret = ../secrets/gitlab-secret.age;
|
|
gitlab-otp-secret = ../secrets/gitlab-otp-secret.age;
|
|
gitlab-db-secret = ../secrets/gitlab-db-secret.age;
|
|
gitlab-jws-secret = ../secrets/gitlab-jws-secret.age;
|
|
gitlab-db-password = ../secrets/gitlab-db-password.age;
|
|
gitlab-initial-root-password = ../secrets/gitlab-initial-root-password.age;
|
|
gitlab-ldap-password = ../secrets/gitlab-ldap-password.age;
|
|
};
|
|
|
|
services.gitlab = {
|
|
enable = true;
|
|
databasePasswordFile = secrets.gitlab-db-password.path;
|
|
initialRootPasswordFile = secrets.gitlab-initial-root-password.path;
|
|
secrets = {
|
|
secretFile = secrets.gitlab-secret.path;
|
|
otpFile = secrets.gitlab-otp-secret.path;
|
|
dbFile = secrets.gitlab-db-secret.path;
|
|
jwsFile = secrets.gitlab-jws-secret.path;
|
|
};
|
|
extraConfig.ldap = {
|
|
enabled = true;
|
|
servers = {
|
|
main = {
|
|
label = "LDAP";
|
|
host = "ldap.federez.net";
|
|
port = 389;
|
|
uid = "uid";
|
|
method = "tls";
|
|
bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
|
|
password = { _secret = secrets.gitlab-ldap-password.path; };
|
|
active_directory = false;
|
|
allow_username_or_email_login = false;
|
|
block_auto_created_users = false;
|
|
base = "cn=Utilisateurs,dc=federez,dc=net";
|
|
user_filter = "";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedProxySettings = true;
|
|
virtualHosts = {
|
|
"gitlab2.federez.net" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
|
};
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
systemd.services.gitlab-backup.environment.BACKUP = "dump";
|
|
}
|