add oidc for gitlab
This commit is contained in:
@@ -7,29 +7,29 @@
|
||||
|
||||
config = lib.mkIf config.sysconfig.opts.virtualization.gitlab.enable {
|
||||
|
||||
sops.secrets."gitlab/dbpass" = {
|
||||
|
||||
path = "/ssd1/Gitlab/dbpass";
|
||||
sops.secrets."gitlab/db_pass" = {
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/root_pass" = {
|
||||
|
||||
path = "/ssd1/Gitlab/rootpass";
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/secrets/secret" = {
|
||||
|
||||
path = "/ssd1/Gitlab/secret";
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/secrets/otp" = {
|
||||
|
||||
path = "/ssd1/Gitlab/otp";
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/secrets/db" = {
|
||||
|
||||
path = "/ssd1/Gitlab/db";
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/secrets/jws" = {
|
||||
|
||||
path = "/ssd1/Gitlab/jws";
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/oidc/id" = {
|
||||
owner = "sshd";
|
||||
};
|
||||
sops.secrets."gitlab/oidc/secret" = {
|
||||
owner = "sshd";
|
||||
};
|
||||
|
||||
containers.gitlab = {
|
||||
@@ -39,8 +39,40 @@
|
||||
hostAddress = "192.168.100.10";
|
||||
localAddress = "192.168.100.16";
|
||||
bindMounts = {
|
||||
"/etc/gitlab" = {
|
||||
hostPath = "/ssd1/Gitlab";
|
||||
"/etc/gitlab/data" = {
|
||||
hostPath = "/ssd1/Gitlab/data";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/dbpass" = {
|
||||
hostPath = config.sops.secrets."gitlab/db_pass".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/rootpass" = {
|
||||
hostPath = config.sops.secrets."gitlab/root_pass".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/db" = {
|
||||
hostPath = config.sops.secrets."gitlab/secrets/db".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/secret" = {
|
||||
hostPath = config.sops.secrets."gitlab/secrets/secret".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/jws" = {
|
||||
hostPath = config.sops.secrets."gitlab/secrets/jws".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/otp" = {
|
||||
hostPath = config.sops.secrets."gitlab/secrets/otp".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/oidc-id" = {
|
||||
hostPath = config.sops.secrets."gitlab/oidc/id".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/gitlab/oidc-secret" = {
|
||||
hostPath = config.sops.secrets."gitlab/oidc/secret".path;
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
@@ -57,22 +89,73 @@
|
||||
|
||||
services.gitlab = {
|
||||
enable = true;
|
||||
https = true;
|
||||
port = 443;
|
||||
host = "localhost";
|
||||
#https = true;
|
||||
#port = 443;
|
||||
#host = "localhost";
|
||||
databasePasswordFile = "/etc/gitlab/dbpass";
|
||||
initialRootPasswordFile = "/etc/gitlab/rootpass";
|
||||
|
||||
extraEnv = {
|
||||
OIDC_CLIENT_ID = builtins.readFile "/etc/gitlab/oidc-id";
|
||||
OIDC_CLIENT_SECRET = builtins.readFile "/etc/gitlab/oidc-secret";
|
||||
};
|
||||
|
||||
secrets = {
|
||||
secretFile = "/etc/gitlab/secret";
|
||||
otpFile = "/etc/gitlab/otp";
|
||||
dbFile = "/etc/gitlab/db";
|
||||
jwsFile = "/etc/gitlab/jws";
|
||||
};
|
||||
|
||||
extraGitlabRb = ''
|
||||
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
|
||||
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
|
||||
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
|
||||
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
|
||||
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
|
||||
gitlab_rails['omniauth_block_auto_created_users'] = false
|
||||
gitlab_rails['omniauth_auto_link_saml_user'] = true
|
||||
gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
|
||||
gitlab_rails['omniauth_providers'] = [
|
||||
{
|
||||
name: 'openid_connect',
|
||||
label: 'My Company OIDC Login',
|
||||
args: {
|
||||
name: 'openid_connect',
|
||||
scope: ['openid','profile','email'],
|
||||
response_type: 'code',
|
||||
issuer: 'https://auth.blunkall.us/application/o/gitlab/',
|
||||
discovery: true,
|
||||
client_auth_method: 'query',
|
||||
uid_field: 'preferred_username',
|
||||
send_scope_to_token_endpoint: 'true',
|
||||
pkce: true,
|
||||
client_options: {
|
||||
identifier: '$${OIDC_CLIENT_ID}',
|
||||
secret: '$${OIDC_CLIENT_SECRET}',
|
||||
redirect_uri: 'https://gitlab.blunkall.us/users/auth/openid_connect/callback'
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
'';
|
||||
};
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts = {
|
||||
localhost = {
|
||||
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 80 ];
|
||||
systemd.services.gitlab-backup.environment.BACKUP = "dump";
|
||||
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user