More gitlab configs
@@ -126,7 +126,7 @@ in {
|
|||||||
###
|
###
|
||||||
dov = {
|
dov = {
|
||||||
gitlab.enable = true;
|
gitlab.enable = true;
|
||||||
jenkins.enable = true;
|
jenkins.enable = false; # will migrate to gitlab runner
|
||||||
};
|
};
|
||||||
|
|
||||||
# DO NOT CHANGE AT ANY POINT!
|
# DO NOT CHANGE AT ANY POINT!
|
||||||
|
|||||||
+61
-68
@@ -7,83 +7,74 @@ let
|
|||||||
owner = config.services.gitlab.user;
|
owner = config.services.gitlab.user;
|
||||||
group = config.services.gitlab.group;
|
group = config.services.gitlab.group;
|
||||||
domain = "susano-lab.duckdns.org";
|
domain = "susano-lab.duckdns.org";
|
||||||
|
gitlabDomain = "gitlab.${domain}";
|
||||||
in {
|
in {
|
||||||
options.dov.gitlab = { enable = mkEnableOption "gitlab config"; };
|
options.dov.gitlab = { enable = mkEnableOption "gitlab config"; };
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
"gitlab/databasePassword" = {
|
"gitlab/databasePassword" = { inherit owner group; };
|
||||||
inherit owner group;
|
"gitlab/initialRootPassword" = { inherit owner group; };
|
||||||
};
|
"gitlab/secret" = { inherit owner group; };
|
||||||
"gitlab/initialRootPassword" = {
|
"gitlab/otp" = { inherit owner group; };
|
||||||
inherit owner group;
|
"gitlab/db" = { inherit owner group; };
|
||||||
};
|
"gitlab/jwt" = { inherit owner group; };
|
||||||
"gitlab/secret" = {
|
"gitlab/activeRecordPrimaryKey" = { inherit owner group; };
|
||||||
inherit owner group;
|
"gitlab/activeRecordDeterministicKey" = { inherit owner group; };
|
||||||
};
|
"gitlab/activeRecordSalt" = { inherit owner group; };
|
||||||
"gitlab/otp" = {
|
"gitlab/oauth/secret" = { inherit owner group; };
|
||||||
inherit owner group;
|
|
||||||
};
|
|
||||||
"gitlab/db" = {
|
|
||||||
inherit owner group;
|
|
||||||
};
|
|
||||||
"gitlab/jwt" = {
|
|
||||||
inherit owner group;
|
|
||||||
};
|
|
||||||
"gitlab/activeRecordPrimaryKey" = {
|
|
||||||
inherit owner group;
|
|
||||||
};
|
|
||||||
"gitlab/activeRecordDeterministicKey" = {
|
|
||||||
inherit owner group;
|
|
||||||
};
|
|
||||||
"gitlab/activeRecordSalt" = {
|
|
||||||
inherit owner group;
|
|
||||||
};
|
|
||||||
"gitlab/oauth/secret" = {
|
|
||||||
inherit owner group;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.gitlab = {
|
services = {
|
||||||
enable = cfg.enable;
|
gitlab = {
|
||||||
databasePasswordFile = config.sops.secrets."gitlab/databasePassword".path;
|
enable = cfg.enable;
|
||||||
initialRootPasswordFile = config.sops.secrets."gitlab/initialRootPassword".path;
|
databasePasswordFile =
|
||||||
secrets = {
|
config.sops.secrets."gitlab/databasePassword".path;
|
||||||
secretFile = config.sops.secrets."gitlab/secret".path;
|
initialRootPasswordFile =
|
||||||
otpFile = config.sops.secrets."gitlab/otp".path;
|
config.sops.secrets."gitlab/initialRootPassword".path;
|
||||||
dbFile = config.sops.secrets."gitlab/db".path;
|
secrets = {
|
||||||
jwsFile = config.sops.secrets."gitlab/jwt".path;
|
secretFile = config.sops.secrets."gitlab/secret".path;
|
||||||
activeRecordPrimaryKeyFile = config.sops.secrets."gitlab/activeRecordPrimaryKey".path;
|
otpFile = config.sops.secrets."gitlab/otp".path;
|
||||||
activeRecordDeterministicKeyFile = config.sops.secrets."gitlab/activeRecordDeterministicKey".path;
|
dbFile = config.sops.secrets."gitlab/db".path;
|
||||||
activeRecordSaltFile = config.sops.secrets."gitlab/activeRecordSalt".path;
|
jwsFile = config.sops.secrets."gitlab/jwt".path;
|
||||||
};
|
activeRecordPrimaryKeyFile =
|
||||||
extraConfig = {
|
config.sops.secrets."gitlab/activeRecordPrimaryKey".path;
|
||||||
# GitLab-specific configuration
|
activeRecordDeterministicKeyFile =
|
||||||
gitlab = {
|
config.sops.secrets."gitlab/activeRecordDeterministicKey".path;
|
||||||
default_projects_features = {
|
activeRecordSaltFile =
|
||||||
builds = true;
|
config.sops.secrets."gitlab/activeRecordSalt".path;
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
extraConfig = {
|
||||||
|
# GitLab-specific configuration
|
||||||
|
gitlab = { default_projects_features = { builds = true; }; };
|
||||||
|
|
||||||
# OmniAuth configuration (direct, not under gitlab_rails)
|
# Configure GitLab to trust our nginx proxy and set external URL
|
||||||
omniauth = {
|
gitlab_rails = {
|
||||||
enabled = true;
|
trusted_proxies = [ "127.0.0.1" "::1" ];
|
||||||
allow_single_sign_on = ["openid_connect"];
|
# Force GitLab to use the correct external URL for generating links
|
||||||
sync_email_from_provider = "openid_connect";
|
gitlab_host = gitlabDomain;
|
||||||
sync_profile_from_provider = ["openid_connect"];
|
gitlab_port = 443;
|
||||||
sync_profile_attributes = ["email"];
|
gitlab_https = true;
|
||||||
# Enable if want to auto login with sso
|
};
|
||||||
#auto_sign_in_with_provider = "openid_connect";
|
|
||||||
block_auto_created_users = true;
|
|
||||||
auto_link_user = ["openid_connect"];
|
|
||||||
|
|
||||||
providers = [
|
# OmniAuth configuration (direct, not under gitlab_rails)
|
||||||
{
|
omniauth = {
|
||||||
|
enabled = true;
|
||||||
|
allow_single_sign_on = [ "openid_connect" ];
|
||||||
|
sync_email_from_provider = "openid_connect";
|
||||||
|
sync_profile_from_provider = [ "openid_connect" ];
|
||||||
|
sync_profile_attributes = [ "email" ];
|
||||||
|
# Enable if want to auto login with sso
|
||||||
|
#auto_sign_in_with_provider = "openid_connect";
|
||||||
|
block_auto_created_users = true;
|
||||||
|
auto_link_user = [ "openid_connect" ];
|
||||||
|
|
||||||
|
providers = [{
|
||||||
name = "openid_connect";
|
name = "openid_connect";
|
||||||
label = "My Company OIDC Login";
|
label = "My Company OIDC Login";
|
||||||
args = {
|
args = {
|
||||||
name = "openid_connect";
|
name = "openid_connect";
|
||||||
scope = ["openid" "profile" "email"];
|
scope = [ "openid" "profile" "email" ];
|
||||||
response_type = "code";
|
response_type = "code";
|
||||||
issuer = "https://authentik.${domain}/application/o/gitlab/";
|
issuer = "https://authentik.${domain}/application/o/gitlab/";
|
||||||
discovery = true;
|
discovery = true;
|
||||||
@@ -94,12 +85,14 @@ in {
|
|||||||
client_options = {
|
client_options = {
|
||||||
# For production, use secret management with _secret attribute
|
# For production, use secret management with _secret attribute
|
||||||
identifier = "QoAaWAv7TSaRFeLahVLs4mugeXpaJ0WWYIUIXhWk";
|
identifier = "QoAaWAv7TSaRFeLahVLs4mugeXpaJ0WWYIUIXhWk";
|
||||||
secret._secret = config.sops.secrets."gitlab/oauth/secret".path;
|
secret._secret =
|
||||||
redirect_uri = "https://gitlab.${domain}/users/auth/openid_connect/callback";
|
config.sops.secrets."gitlab/oauth/secret".path;
|
||||||
|
redirect_uri =
|
||||||
|
"https://gitlab.${domain}/users/auth/openid_connect/callback";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}];
|
||||||
];
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@@ -120,7 +113,7 @@ in {
|
|||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
enable = cfg.enable;
|
enable = cfg.enable;
|
||||||
allowedTCPPorts = [ 80 443 ]; # HTTP and HTTPS
|
allowedTCPPorts = [ 80 443 ]; # HTTP and HTTPS
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh.enable = cfg.enable;
|
services.openssh.enable = cfg.enable;
|
||||||
|
|||||||
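Review bot: The new `gitlab_rails = { trusted_proxies = …; gitlab_host = …; gitlab_port = 443; gitlab_https = true; }` block in the first hunk sits inside `services.gitlab.extraConfig`, and as far as I can tell from the NixOS module that set is merged under `production:` in gitlab.yml, where there is no `gitlab_rails` key (that spelling is the Omnibus gitlab.rb convention), so these four settings presumably never take effect. In gitlab.yml the external-host fields and `trusted_proxies` both belong to the `gitlab:` section, and the NixOS module already exposes the first three as options, so the equivalent would be `host = gitlabDomain; port = 443; https = true;` beside `enable = cfg.enable;` plus `trusted_proxies = [ "127.0.0.1" "::1" ];` inside the existing `extraConfig.gitlab` set next to `default_projects_features`. With the current placement, generated links and the OmniAuth callback host fall back to the module defaults, and client-IP attribution for rate limiting and audit logs rests on Rails' built-in proxy list rather than on anything declared here. Separately, `redirect_uri` in the second hunk still spells out `"https://gitlab.${domain}/…"` although the commit introduces `gitlabDomain` for exactly that value. The enclosing `config = mkIf cfg.enable { … }` set closes outside this section.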