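# NixOS module: runs GitLab inside the `gitlab` NixOS container, with every
# secret provisioned by sops-nix on the host and bind-mounted into the
# container.
#
# Secret handling rules for this module:
#   * secrets are files only; they are chowned to the container's `gitlab`
#     user by tmpfiles `z` rules and referenced by path;
#   * nothing reads a secret at Nix evaluation time. `builtins.readFile` on a
#     secret path (as the previous `extraEnv` did) is evaluated on the HOST,
#     where /etc/gitlab/* does not exist, and copies the content into the
#     world-readable Nix store via the generated systemd unit. Values that must
#     land in gitlab.yml use the gitlab module's `_secret` indirection instead,
#     which substitutes the file content when the service starts.
{ config, lib, pkgs, ... }:
let
  cfg = config.sysconfig.opts.virtualization.gitlab;
  hostSecrets = config.sops.secrets;

  # Bind-mount a host secret file into the container. The mount is writable
  # only because the tmpfiles `z` rules below chown the file, and chown fails
  # with EROFS on a read-only bind mount. The container has no user namespace
  # (`privateUsers` is unset), so that chown is also visible on the host file.
  secretMount = hostPath: { inherit hostPath; isReadOnly = false; };
in
{
  options.sysconfig.opts.virtualization.gitlab.enable = lib.options.mkOption {
    type = lib.types.bool;
    default = false;
    description = "Run GitLab in the `gitlab` NixOS container.";
  };

  config = lib.mkIf cfg.enable {
    # Host-side sops-nix secrets.
    # NOTE(review): the container re-chowns these files to `gitlab` on every
    # start (tmpfiles rules below), so `owner = "sshd"` is overridden in
    # practice — confirm "sshd" is the intended host owner and not a leftover.
    sops.secrets = lib.genAttrs [
      "gitlab/db_pass"
      "gitlab/root_pass"
      "gitlab/secrets/secret"
      "gitlab/secrets/otp"
      "gitlab/secrets/db"
      "gitlab/secrets/jws"
      "gitlab/oidc/id"
      "gitlab/oidc/secret"
    ] (_: { owner = "sshd"; });

    containers.gitlab = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.16";

      bindMounts = {
        # NOTE(review): nothing below points `services.gitlab.statePath` at
        # this directory, so GitLab state lives at the module default inside
        # the container rootfs — confirm this mount is actually used.
        "/etc/gitlab/data" = { hostPath = "/ssd1/Gitlab/data"; isReadOnly = false; };

        "/etc/gitlab/dbpass" = secretMount hostSecrets."gitlab/db_pass".path;
        "/etc/gitlab/rootpass" = secretMount hostSecrets."gitlab/root_pass".path;
        "/etc/gitlab/db" = secretMount hostSecrets."gitlab/secrets/db".path;
        "/etc/gitlab/secret" = secretMount hostSecrets."gitlab/secrets/secret".path;
        "/etc/gitlab/jws" = secretMount hostSecrets."gitlab/secrets/jws".path;
        "/etc/gitlab/otp" = secretMount hostSecrets."gitlab/secrets/otp".path;
        "/etc/gitlab/oidc-id" = secretMount hostSecrets."gitlab/oidc/id".path;
        "/etc/gitlab/oidc-secret" = secretMount hostSecrets."gitlab/oidc/secret".path;
      };

      config = {
        # Hand every mounted secret to the gitlab user (mode untouched). The
        # two OIDC files are included so they are readable by the same account
        # as the rest.
        systemd.tmpfiles.rules = map (f: "z /etc/gitlab/${f} - gitlab gitlab") [
          "dbpass" "rootpass" "db" "secret" "jws" "otp" "oidc-id" "oidc-secret"
        ];

        services.gitlab = {
          enable = true;
          # NOTE(review): GitLab is reached as https://gitlab.blunkall.us (see
          # the OIDC redirect_uri) while nginx here serves plain HTTP, so TLS
          # presumably terminates on a proxy in front of the container. If so,
          # `https = true; port = 443; host = "gitlab.blunkall.us";` is needed
          # for Rails to generate external URLs with the right scheme/host.
          #https = true;
          #port = 443;
          #host = "localhost";
          databasePasswordFile = "/etc/gitlab/dbpass";
          initialRootPasswordFile = "/etc/gitlab/rootpass";
          secrets = {
            secretFile = "/etc/gitlab/secret";
            otpFile = "/etc/gitlab/otp";
            dbFile = "/etc/gitlab/db";
            jwsFile = "/etc/gitlab/jws";
          };

          # OmniAuth / OpenID Connect against the IdP at auth.blunkall.us.
          #
          # This is a NixOS (non-Omnibus) install: the `gitlab_rails[...]`
          # gitlab.rb DSL the previous `extraGitlabRb` used is not defined in
          # plain Rails Ruby, and the `'${OIDC_CLIENT_ID}'` placeholders it
          # used were single-quoted Ruby literals that nothing ever expanded.
          # The same settings are expressed here via `extraConfig`, which the
          # module merges into gitlab.yml.
          extraConfig.omniauth = {
            enabled = true;
            allow_single_sign_on = [ "openid_connect" ];
            sync_email_from_provider = "openid_connect";
            sync_profile_from_provider = [ "openid_connect" ];
            sync_profile_attributes = [ "email" ];
            auto_sign_in_with_provider = "openid_connect";
            # Accounts created through the IdP are active immediately (no admin
            # approval): whoever the IdP lets through gets a GitLab account.
            block_auto_created_users = false;
            # Carried over from the original configuration; no SAML provider is
            # configured in this module, so it has no effect here.
            auto_link_saml_user = true;
            # Links an OIDC identity to an EXISTING GitLab account with the
            # same e-mail. This is only safe if the IdP verifies e-mail
            # ownership; otherwise an IdP user who can set an arbitrary e-mail
            # can take over that local account.
            auto_link_user = [ "openid_connect" ];
            providers = [
              {
                name = "openid_connect";
                label = "My Company OIDC Login";
                args = {
                  name = "openid_connect";
                  scope = [ "openid" "profile" "email" ];
                  response_type = "code";
                  issuer = "https://auth.blunkall.us/application/o/gitlab/";
                  discovery = true;
                  client_auth_method = "query";
                  uid_field = "preferred_username";
                  send_scope_to_token_endpoint = "true";
                  pkce = true;
                  client_options = {
                    # `_secret` makes the gitlab-config service substitute the
                    # file content at start-up, so neither value enters the
                    # Nix store. NOTE(review): confirm the module version in
                    # use honours `_secret` at this nesting depth.
                    identifier = { _secret = "/etc/gitlab/oidc-id"; };
                    secret = { _secret = "/etc/gitlab/oidc-secret"; };
                    redirect_uri = "https://gitlab.blunkall.us/users/auth/openid_connect/callback";
                  };
                };
              }
            ];
          };
        };

        services.nginx = {
          enable = true;
          recommendedProxySettings = true;
          # Plain HTTP to the workhorse socket; TLS is expected to terminate in
          # front of the container (see the https:// redirect_uri above).
          virtualHosts.localhost.locations."/".proxyPass =
            "http://unix:/run/gitlab/gitlab-workhorse.socket";
        };

        # SSH for git push/pull. NOTE(review): this is the NixOS default sshd
        # configuration, which leaves password authentication enabled; for a
        # git-only endpoint `settings.PasswordAuthentication = false;` is the
        # usual hardening — not applied here in case the container's SSH is
        # used interactively as well.
        services.openssh.enable = true;

        systemd.services.gitlab-backup.environment.BACKUP = "dump";

        # 443 is opened although nothing in this container listens on it;
        # harmless, but only meaningful if TLS is ever terminated here.
        networking.firewall.allowedTCPPorts = [ 22 80 443 ];
        system.stateVersion = "24.05";
      };
    };
  };
}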