From 6a3269b587803aa538a19ccf12c53aac65a60afe Mon Sep 17 00:00:00 2001
From: blaknull
Date: Sun, 17 Nov 2024 16:47:29 -0600
Subject: [PATCH] gitlab works!!!

---
 flake.lock | 18 ++--
 .../services/containers/gitlab/default.nix | 84 +++++++++++--------
 .../services/containers/traefik/default.nix | 4 +-
 3 files changed, 59 insertions(+), 47 deletions(-)

diff --git a/flake.lock b/flake.lock
index 320bd56..bb8e6cf 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1193,11 +1193,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-mrfMvef+tOYMK35horTWF43tQpES1zI7hb5RbzN3oIk=",
- "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/home-manager",
+ "path": "/nix/store/7za067g4wcxsk57zh63372x8jxkhl03v-source/home-manager",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/home-manager",
+ "path": "/nix/store/7za067g4wcxsk57zh63372x8jxkhl03v-source/home-manager",
 "type": "path"
 }
 },
@@ -1807,11 +1807,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=",
- "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/programs",
+ "path": "/nix/store/ib1zcvq12pk99aq8x0jh8d1xx6p12vak-source/programs",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/programs",
+ "path": "/nix/store/ib1zcvq12pk99aq8x0jh8d1xx6p12vak-source/programs",
 "type": "path"
 }
 },
@@ -1882,11 +1882,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=",
- "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/services/sddm",
+ "path": "/nix/store/ib1zcvq12pk99aq8x0jh8d1xx6p12vak-source/services/sddm",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/z0kg92cbspdsmgnsk68pk6qwhl273jq6-source/services/sddm",
+ "path": "/nix/store/ib1zcvq12pk99aq8x0jh8d1xx6p12vak-source/services/sddm",
 "type": "path"
 }
 },
@@ -1976,12 +1976,12 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-/2sJK37sV+nJSCuyr2iW2gyO/1Jg/K9aV0dzDG+eR6c=",
- "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/system-config",
+ "narHash": "sha256-JnCyzbcEKzcTNeeiF869/sv9+8LPFbgNIdsQc/T78JU=",
+ "path": "/nix/store/7za067g4wcxsk57zh63372x8jxkhl03v-source/system-config",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/q46830crsjac147qc48lk311icpidql9-source/system-config",
+ "path": "/nix/store/7za067g4wcxsk57zh63372x8jxkhl03v-source/system-config",
 "type": "path"
 }
 },
diff --git a/system-config/services/containers/gitlab/default.nix b/system-config/services/containers/gitlab/default.nix
index 2e16e44..0320536 100644
--- a/system-config/services/containers/gitlab/default.nix
+++ b/system-config/services/containers/gitlab/default.nix
@@ -85,6 +85,8 @@
 "z /etc/gitlab/secret - gitlab gitlab"
 "z /etc/gitlab/jws - gitlab gitlab"
 "z /etc/gitlab/otp - gitlab gitlab"
+ "z /etc/gitlab/oidc-id - gitlab gitlab"
+ "z /etc/gitlab/oidc-secret - gitlab gitlab"
 ];

 services.gitlab = {
@@ -95,10 +97,12 @@
 databasePasswordFile = "/etc/gitlab/dbpass";
 initialRootPasswordFile = "/etc/gitlab/rootpass";

- extraEnv = {
- OIDC_CLIENT_ID = builtins.readFile "/etc/gitlab/oidc-id";
- OIDC_CLIENT_SECRET = builtins.readFile "/etc/gitlab/oidc-secret";
- };
+ statePath = "/etc/gitlab/data";
+
+ /*extraEnv = {
+ OIDC_CLIENT_ID = "";
+ OIDC_CLIENT_SECRET = "";
+ };*/

 secrets = {
 secretFile = "/etc/gitlab/secret";
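Review bot: The two new `z` rules for `/etc/gitlab/oidc-id` and `/etc/gitlab/oidc-secret` pass `-` in the mode field, which for a `z` line means the existing permissions are left untouched and only the owner is adjusted to gitlab:gitlab. If the OIDC client secret was copied into /etc/gitlab under the default umask it stays readable by every local account. Set the mode explicitly, e.g. `"z /etc/gitlab/oidc-secret 0600 gitlab gitlab"`; the same applies to the existing secret/jws/otp rules just above, which the commit does not touch. The tmpfiles list these rules belong to starts outside the hunk.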
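Review bot: The commented-out `/*extraEnv = { OIDC_CLIENT_ID = ""; OIDC_CLIENT_SECRET = ""; };*/` block is dead configuration: the values are empty placeholders and nothing in the new file-based secret wiring reads those environment variables, so it should be deleted rather than kept as a comment that makes the next reader work out which mechanism is live. `statePath = "/etc/gitlab/data";` also moves GitLab's mutable state directory under /etc next to the secret files; if that is deliberate, a one-line comment saying why the module's default state directory was not used would help. The `services.gitlab` attribute set enclosing these lines starts outside the hunk.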
@@ -107,38 +111,46 @@
 jwsFile = "/etc/gitlab/jws";
 };

- extraGitlabRb = ''
-gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
-gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
-gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
-gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
-gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
-gitlab_rails['omniauth_block_auto_created_users'] = false
-gitlab_rails['omniauth_auto_link_saml_user'] = true
-gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
-gitlab_rails['omniauth_providers'] = [
- {
- name: 'openid_connect',
- label: 'My Company OIDC Login',
- args: {
- name: 'openid_connect',
- scope: ['openid','profile','email'],
- response_type: 'code',
- issuer: 'https://auth.blunkall.us/application/o/gitlab/',
- discovery: true,
- client_auth_method: 'query',
- uid_field: 'preferred_username',
- send_scope_to_token_endpoint: 'true',
- pkce: true,
- client_options: {
- identifier: '$${OIDC_CLIENT_ID}',
- secret: '$${OIDC_CLIENT_SECRET}',
- redirect_uri: 'https://gitlab.blunkall.us/users/auth/openid_connect/callback'
- }
- }
- }
-]
- '';
+ extraConfig = {
+ gitlab = {
+ default_project_features = {
+ builds = false;
+ };
+ };
+ omniauth = {
+ enabled = true;
+ auto_sign_in_with_provider = "openid_connect";
+ allow_single_sign_on = [ "openid_connect" ];
+ sync_email_from_provider = "openid_connect";
+ sync_profile_from_provider = [ "openid_connect" ];
+ sync_profile_attributes = [ "email" ];
+ auto_link_saml_user = true;
+ auto_link_user = [ "openid_connect" ];
+ block_auto_created_users = false;
+ providers = [
+ {
+ name = "openid_connect";
+ label = "Authentik SSO";
+ args = {
+ name = "openid_connect";
+ scope = [ "openid" "profile" "email" ];
+ response_type = "code";
+ issuer = "https://auth.blunkall.us/application/o/gitlab/";
+ discovery = true;
+ client_auth_method = "query";
+ uid_field = "preferred_username";
+ send_scope_to_token_endpoint = true;
+ pkce = true;
+ client_options = {
+ identifier = { _secret = "/etc/gitlab/oidc-id"; };
+ secret = { _secret = "/etc/gitlab/oidc-secret"; };
+ redirect_uri = "https://gitlab.blunkall.us/users/auth/openid_connect/callback";
+ };
+ };
+ }
+ ];
+ };
+ };
 };
 services.nginx = {
 enable = true;
diff --git a/system-config/services/containers/traefik/default.nix b/system-config/services/containers/traefik/default.nix
index a1d182d..021c8eb 100644
--- a/system-config/services/containers/traefik/default.nix
+++ b/system-config/services/containers/traefik/default.nix
@@ -156,7 +156,7 @@
 gitlab = {
 entryPoints = [ "localsecure" "websecure" ];
 rule = "Host(`gitlab.blunkall.us`)";
- service = "homepage";
+ service = "gitlab";
 tls.certResolver = "cloudflare";
 #middlewares = [ "authentik" ];
 };
@@ -213,7 +213,7 @@
 };
 services = {
- #gitlab.loadBalancer.servers = [ { url = "http://192.168.100.12:80"; } ];
+ gitlab.loadBalancer.servers = [ { url = "http://192.168.100.16:80"; } ];
 homepage.loadBalancer.servers = [ { url = "http://192.168.100.13:80"; } ];
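Review bot: `auto_link_user = [ "openid_connect" ]` combined with `block_auto_created_users = false` and `auto_sign_in_with_provider = "openid_connect"` means an identity presented by the issuer is attached to an existing GitLab account on the strength of its email claim alone, and an unknown identity gets an active account with no admin review. That is only sound if the issuer at `https://auth.blunkall.us/application/o/gitlab/` never lets a user pick an unverified email, so that assumption belongs in a comment next to `auto_link_user`, e.g. `# linking to existing accounts trusts the email claim from Authentik; keep email verification mandatory there`. `auto_link_saml_user = true;` is carried over from the old template but no SAML provider is configured, so it can be dropped. `default_project_features.builds = false;` is unrelated to the SSO change and would read better with a short comment on why CI is disabled for new projects. The `services.gitlab` set enclosing this hunk starts before it.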
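Review bot: With `service = "gitlab";` the router is now live, but `#middlewares = [ "authentik" ];` stays commented out, so the GitLab host is reachable on `websecure` with no forward-auth in front of it and authentication rests entirely on GitLab's own OIDC login. That is a defensible choice, since forward-auth would get in the way of git-over-HTTPS and API-token clients, but it should be recorded rather than left as a dead line, e.g. `# no forward-auth here: GitLab handles SSO itself and git/API clients need direct access`. The attribute set enclosing this router starts outside the hunk.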