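# NixOS host module: runs GitLab inside a systemd-nspawn container.  Secrets are
# decrypted on the host by sops-nix and handed to the container as systemd
# credentials (the container never sees the sops key); login is via OIDC.
{ config, lib, pkgs, ... }:

let
  cfg = config.sysconfig.opts.virtualization.gitlab;

  # Single source of truth for every secret the container needs.  The key is the
  # systemd credential name (used with --load-credential and LoadCredential=),
  # `sops` is the host-side sops-nix secret, and `file` is the path inside the
  # container that services.gitlab reads it from.
  gitlabSecrets = {
    dbpass      = { sops = "gitlab/db_pass";        file = "/etc/gitlab/dbpass"; };
    rootpass    = { sops = "gitlab/root_pass";      file = "/etc/gitlab/rootpass"; };
    secret      = { sops = "gitlab/secrets/secret"; file = "/etc/gitlab/secret"; };
    otp         = { sops = "gitlab/secrets/otp";    file = "/etc/gitlab/otp"; };
    db          = { sops = "gitlab/secrets/db";     file = "/etc/gitlab/db"; };
    jws         = { sops = "gitlab/secrets/jws";    file = "/etc/gitlab/jws"; };
    oidc_id     = { sops = "gitlab/oidc/id";        file = "/etc/gitlab/oidc-id"; };
    oidc_secret = { sops = "gitlab/oidc/secret";    file = "/etc/gitlab/oidc-secret"; };
  };
in
{
  options.sysconfig.opts.virtualization.gitlab.enable =
    lib.mkEnableOption "the GitLab container";

  config = lib.mkIf cfg.enable {
    # Declare each secret so sops-nix decrypts it on the host; only the path of
    # the decrypted file is referenced below.
    sops.secrets = lib.mapAttrs' (_: s: lib.nameValuePair s.sops { }) gitlabSecrets;

    # The host's own sshd moves to 2222 so that host port 22 can be forwarded to
    # the container's sshd (git over SSH).
    services.openssh.ports = [ 2222 ];
    networking.firewall.allowedTCPPorts = [ 22 2222 ];

    containers.gitlab = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.16";
      forwardPorts = [ { containerPort = 22; hostPort = 22; } ];
      bindMounts = {
        # GitLab's statePath; persistent data lives on host storage.
        "/etc/gitlab/data" = { hostPath = "/ssd1/Gitlab/data"; isReadOnly = false; };
      };
      # Hand each decrypted secret to the container as a named systemd credential.
      extraFlags = lib.mapAttrsToList
        (cred: s: "--load-credential=${cred}:${config.sops.secrets.${s.sops}.path}")
        gitlabSecrets;

      config = {
        # Copies the credentials into the files services.gitlab reads.
        systemd.services.secrets_setup = {
          # wantedBy alone gives no ordering; `before` plus Type=oneshot makes the
          # GitLab units wait until the files exist.  gitlab-config.service is the
          # unit that consumes the secret files, so it is ordered after us too.
          wantedBy = [ "gitlab-config.service" "gitlab.service" ];
          before = [ "gitlab-config.service" "gitlab.service" ];
          serviceConfig = {
            Type = "oneshot";
            LoadCredential = lib.attrNames gitlabSecrets;
          };
          # Credentials arrive read-only under $CREDENTIALS_DIRECTORY.  Install each
          # one as a 0600 file owned by the gitlab user: a plain `cat >` redirect
          # would create them under the service umask, readable by every user in
          # the container.  /etc/gitlab is assumed to exist already (the statePath
          # bind mount above creates it).
          script = lib.concatStringsSep "\n" (lib.mapAttrsToList
            (cred: s: ''install -m 0600 -o gitlab -g gitlab "$CREDENTIALS_DIRECTORY/${cred}" ${s.file}'')
            gitlabSecrets);
        };

        services.gitlab = {
          enable = true;
          #https = true;
          #port = 443;
          host = "gitlab.blunkall.us";
          databasePasswordFile = gitlabSecrets.dbpass.file;
          initialRootPasswordFile = gitlabSecrets.rootpass.file;
          statePath = "/etc/gitlab/data";
          secrets = {
            secretFile = gitlabSecrets.secret.file;
            otpFile = gitlabSecrets.otp.file;
            dbFile = gitlabSecrets.db.file;
            jwsFile = gitlabSecrets.jws.file;
          };
          extraConfig = {
            gitlab = {
              default_project_features = { builds = false; };
            };
            omniauth = {
              enabled = true;
              auto_sign_in_with_provider = "openid_connect";
              allow_single_sign_on = [ "openid_connect" ];
              sync_email_from_provider = "openid_connect";
              sync_profile_from_provider = [ "openid_connect" ];
              sync_profile_attributes = [ "email" ];
              # SAML-specific setting; presumably a no-op for the OIDC provider
              # below — confirm before relying on it.
              auto_link_saml_user = true;
              # Existing GitLab accounts are linked to the IdP identity by e-mail and
              # new accounts are created unblocked, so protection against linking the
              # wrong account rests on the IdP only asserting verified e-mails.
              auto_link_user = [ "openid_connect" ];
              block_auto_created_users = false;
              providers = [
                {
                  name = "openid_connect";
                  label = "Authentik SSO";
                  args = {
                    name = "openid_connect";
                    scope = [ "openid" "profile" "email" ];
                    response_type = "code";
                    issuer = "https://auth.blunkall.us/application/o/gitlab/";
                    discovery = true;
                    # "query" sends the client secret as a request parameter to the
                    # token endpoint; "basic" (HTTP Basic) is the more conventional
                    # choice if the provider accepts it — confirm.
                    client_auth_method = "query";
                    uid_field = "preferred_username";
                    send_scope_to_token_endpoint = true;
                    pkce = true;
                    client_options = {
                      # `_secret` makes the NixOS module substitute the file's content
                      # at runtime instead of placing the value in the Nix store.
                      identifier = { _secret = gitlabSecrets.oidc_id.file; };
                      secret = { _secret = gitlabSecrets.oidc_secret.file; };
                      redirect_uri = "https://gitlab.blunkall.us/users/auth/openid_connect/callback";
                    };
                  };
                }
              ];
            };
          };
        };

        services.nginx = {
          enable = true;
          recommendedProxySettings = true;
          # Plain HTTP on port 80 inside the container; TLS is presumably
          # terminated by a proxy on the host in front of the container address
          # (the OIDC redirect_uri above is https) — confirm.
          virtualHosts."gitlab.blunkall.us" = {
            locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
          };
        };
        services.openssh.enable = true;
        # BACKUP names the archive GitLab's backup task writes (a fixed name rather
        # than a timestamped one) — confirm against the GitLab backup docs.
        systemd.services.gitlab-backup.environment.BACKUP = "dump";
        networking.firewall.allowedTCPPorts = [ 22 80 ];
        system.stateVersion = "24.05";
      };
    };
  };
}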