More gitlab configs

Alexander
2025-08-13 23:58:36 +02:00
parent 783f0da31a
commit ed2bfd552a
2 changed files with 62 additions and 69 deletions
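--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -126,7 +126,7 @@ in {
 ###
 dov = {
 gitlab.enable = true;
-jenkins.enable = true;
+jenkins.enable = false; # will migrate to gitlab runner
 };
 # DO NOT CHANGE AT ANY POINT!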
+39 -46
@@ -7,62 +7,54 @@ let
owner = config.services.gitlab.user; owner = config.services.gitlab.user;
group = config.services.gitlab.group; group = config.services.gitlab.group;
domain = "susano-lab.duckdns.org"; domain = "susano-lab.duckdns.org";
gitlabDomain = "gitlab.${domain}";
in { in {
options.dov.gitlab = { enable = mkEnableOption "gitlab config"; }; options.dov.gitlab = { enable = mkEnableOption "gitlab config"; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
sops.secrets = { sops.secrets = {
"gitlab/databasePassword" = { "gitlab/databasePassword" = { inherit owner group; };
inherit owner group; "gitlab/initialRootPassword" = { inherit owner group; };
}; "gitlab/secret" = { inherit owner group; };
"gitlab/initialRootPassword" = { "gitlab/otp" = { inherit owner group; };
inherit owner group; "gitlab/db" = { inherit owner group; };
}; "gitlab/jwt" = { inherit owner group; };
"gitlab/secret" = { "gitlab/activeRecordPrimaryKey" = { inherit owner group; };
inherit owner group; "gitlab/activeRecordDeterministicKey" = { inherit owner group; };
}; "gitlab/activeRecordSalt" = { inherit owner group; };
"gitlab/otp" = { "gitlab/oauth/secret" = { inherit owner group; };
inherit owner group;
};
"gitlab/db" = {
inherit owner group;
};
"gitlab/jwt" = {
inherit owner group;
};
"gitlab/activeRecordPrimaryKey" = {
inherit owner group;
};
"gitlab/activeRecordDeterministicKey" = {
inherit owner group;
};
"gitlab/activeRecordSalt" = {
inherit owner group;
};
"gitlab/oauth/secret" = {
inherit owner group;
};
}; };
services.gitlab = { services = {
gitlab = {
enable = cfg.enable; enable = cfg.enable;
databasePasswordFile = config.sops.secrets."gitlab/databasePassword".path; databasePasswordFile =
initialRootPasswordFile = config.sops.secrets."gitlab/initialRootPassword".path; config.sops.secrets."gitlab/databasePassword".path;
initialRootPasswordFile =
config.sops.secrets."gitlab/initialRootPassword".path;
secrets = { secrets = {
secretFile = config.sops.secrets."gitlab/secret".path; secretFile = config.sops.secrets."gitlab/secret".path;
otpFile = config.sops.secrets."gitlab/otp".path; otpFile = config.sops.secrets."gitlab/otp".path;
dbFile = config.sops.secrets."gitlab/db".path; dbFile = config.sops.secrets."gitlab/db".path;
jwsFile = config.sops.secrets."gitlab/jwt".path; jwsFile = config.sops.secrets."gitlab/jwt".path;
activeRecordPrimaryKeyFile = config.sops.secrets."gitlab/activeRecordPrimaryKey".path; activeRecordPrimaryKeyFile =
activeRecordDeterministicKeyFile = config.sops.secrets."gitlab/activeRecordDeterministicKey".path; config.sops.secrets."gitlab/activeRecordPrimaryKey".path;
activeRecordSaltFile = config.sops.secrets."gitlab/activeRecordSalt".path; activeRecordDeterministicKeyFile =
config.sops.secrets."gitlab/activeRecordDeterministicKey".path;
activeRecordSaltFile =
config.sops.secrets."gitlab/activeRecordSalt".path;
}; };
extraConfig = { extraConfig = {
# GitLab-specific configuration # GitLab-specific configuration
gitlab = { gitlab = { default_projects_features = { builds = true; }; };
default_projects_features = {
builds = true; # Configure GitLab to trust our nginx proxy and set external URL
}; gitlab_rails = {
trusted_proxies = [ "127.0.0.1" "::1" ];
# Force GitLab to use the correct external URL for generating links
gitlab_host = gitlabDomain;
gitlab_port = 443;
gitlab_https = true;
}; };
# OmniAuth configuration (direct, not under gitlab_rails) # OmniAuth configuration (direct, not under gitlab_rails)
@@ -77,8 +69,7 @@ in {
block_auto_created_users = true; block_auto_created_users = true;
auto_link_user = [ "openid_connect" ]; auto_link_user = [ "openid_connect" ];
providers = [ providers = [{
{
name = "openid_connect"; name = "openid_connect";
label = "My Company OIDC Login"; label = "My Company OIDC Login";
args = { args = {
@@ -94,12 +85,14 @@ in {
client_options = { client_options = {
# For production, use secret management with _secret attribute # For production, use secret management with _secret attribute
identifier = "QoAaWAv7TSaRFeLahVLs4mugeXpaJ0WWYIUIXhWk"; identifier = "QoAaWAv7TSaRFeLahVLs4mugeXpaJ0WWYIUIXhWk";
secret._secret = config.sops.secrets."gitlab/oauth/secret".path; secret._secret =
redirect_uri = "https://gitlab.${domain}/users/auth/openid_connect/callback"; config.sops.secrets."gitlab/oauth/secret".path;
redirect_uri =
"https://gitlab.${domain}/users/auth/openid_connect/callback";
}; };
}; };
} }];
]; };
}; };
}; };
}; };
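Review bot: The `gitlab_rails = { trusted_proxies = …; gitlab_host = …; gitlab_port = 443; gitlab_https = true; }` attribute set added under `extraConfig` in the first hunk is, as far as I can tell, not a key GitLab reads in this location: `services.gitlab.extraConfig` is merged into the `production` section of gitlab.yml, where `gitlab_rails[...]` is only the Omnibus `gitlab.rb` spelling, so all four settings would be silently ignored. The practical effect is that requests arriving through nginx keep being attributed to 127.0.0.1 in audit logs and rate limiting, and generated URLs fall back to the module defaults, which is the opposite of what the comments on those lines intend. In gitlab.yml the proxy list belongs under `gitlab.trusted_proxies`, and host/port/https are the module options `services.gitlab.host`, `services.gitlab.port` and `services.gitlab.https`; I would move the settings accordingly (sketch below) and verify the result in the rendered gitlab.yml. The `services = { gitlab = { … extraConfig = {` block opened in this hunk is only closed in the section's last hunk.
```nix
gitlab = {
  enable = cfg.enable;
  # production.gitlab.{host,port,https} in gitlab.yml are driven by module options
  host = gitlabDomain;
  port = 443;
  https = true;
  # … unchanged: databasePasswordFile, initialRootPasswordFile, secrets …
  extraConfig = {
    # GitLab-specific configuration
    gitlab = {
      default_projects_features = { builds = true; };
      # trust the local nginx proxy so client addresses are taken from X-Forwarded-For
      trusted_proxies = [ "127.0.0.1" "::1" ];
    };
    # … unchanged: OmniAuth configuration …
```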