{ config, lib, pkgs, ... }:

let
  cfg = config.sysconfig.opts.virtualization.gitlab;

  # Secret material decrypted by sops-nix on the host and handed to the
  # container as individual files under /etc/gitlab/.  `key` is the sops
  # secret name, `mount` the file name GitLab reads inside the container.
  # The list order is also the order of the generated tmpfiles rules.
  secretFiles = [
    { mount = "dbpass";      key = "gitlab/db_pass"; }
    { mount = "rootpass";    key = "gitlab/root_pass"; }
    { mount = "db";          key = "gitlab/secrets/db"; }
    { mount = "secret";      key = "gitlab/secrets/secret"; }
    { mount = "jws";         key = "gitlab/secrets/jws"; }
    { mount = "otp";         key = "gitlab/secrets/otp"; }
    { mount = "oidc-id";     key = "gitlab/oidc/id"; }
    { mount = "oidc-secret"; key = "gitlab/oidc/secret"; }
  ];

  inContainer = s: "/etc/gitlab/${s.mount}";

  # Host-side sops declarations.
  # NOTE(review): `owner = "sshd"` reuses an unrelated system account so that
  # the decrypted files are readable once bind-mounted into the container.  Any
  # process running as sshd on the host can therefore read every GitLab secret
  # (DB password, initial root password, signing keys, OIDC client secret).  A
  # dedicated host user/group would be narrower -- confirm what the host
  # defines before changing it.
  hostSecrets = lib.listToAttrs
    (map (s: lib.nameValuePair s.key { owner = "sshd"; }) secretFiles);

  # Bind mounts for the secret files.  They are deliberately read-write: the
  # tmpfiles `z` rules below chown them to the container's gitlab user, and a
  # read-only bind mount would make that chown fail with EROFS.
  secretMounts = lib.listToAttrs
    (map (s: lib.nameValuePair (inContainer s) {
      hostPath = config.sops.secrets.${s.key}.path;
      isReadOnly = false;
    }) secretFiles);

  # Ownership fix-up inside the container: the files arrive owned by the host's
  # sshd user, and the gitlab service has to be able to read them.  Only the
  # owner/group is changed; the mode (`-`) is left as sops-nix set it.
  secretOwnership = map (s: "z ${inContainer s} - gitlab gitlab") secretFiles;
in
{
  # Master switch for the GitLab container; everything in `config` is gated on it.
  options.sysconfig.opts.virtualization.gitlab.enable = lib.options.mkOption {
    type = lib.types.bool;
    default = false;
  };

  config = lib.mkIf cfg.enable {
    sops.secrets = hostSecrets;

    containers.gitlab = {
      autoStart = true;
      # Own network namespace; the host side of the veth pair is hostAddress,
      # the container side localAddress.
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.16";

      bindMounts = {
        # Persistent GitLab state (repositories, uploads, ...).
        "/etc/gitlab/data" = {
          hostPath = "/ssd1/Gitlab/data";
          isReadOnly = false;
        };
      } // secretMounts;

      config = {
        systemd.tmpfiles.rules = secretOwnership;

        services.gitlab = {
          enable = true;
          # `https`, `port` and `host` are left at the module defaults.  The OIDC
          # redirect_uri below is https://gitlab.blunkall.us, so TLS is
          # presumably terminated by a reverse proxy outside this container --
          # confirm, and consider setting `host`/`https` so that GitLab-generated
          # URLs (notification emails, clone URLs) match the public name.
          databasePasswordFile = "/etc/gitlab/dbpass";
          initialRootPasswordFile = "/etc/gitlab/rootpass";
          statePath = "/etc/gitlab/data";

          # GitLab's own key material, read from the bind-mounted secret files.
          secrets = {
            secretFile = "/etc/gitlab/secret";
            otpFile = "/etc/gitlab/otp";
            dbFile = "/etc/gitlab/db";
            jwsFile = "/etc/gitlab/jws";
          };

          extraConfig = {
            # New projects get CI/CD ("builds") disabled by default.
            gitlab.default_project_features.builds = false;

            omniauth = {
              enabled = true;
              # Send users straight to Authentik; openid_connect is the only
              # provider allowed to create and auto-link accounts.
              auto_sign_in_with_provider = "openid_connect";
              allow_single_sign_on = [ "openid_connect" ];
              sync_email_from_provider = "openid_connect";
              sync_profile_from_provider = [ "openid_connect" ];
              sync_profile_attributes = [ "email" ];
              # Per the GitLab docs this one is SAML-specific; `auto_link_user`
              # is the setting that applies to openid_connect.
              auto_link_saml_user = true;
              auto_link_user = [ "openid_connect" ];
              # Accounts auto-created from the IdP are active immediately, so
              # who may use this GitLab is decided entirely in Authentik.
              block_auto_created_users = false;
              providers = [
                {
                  name = "openid_connect";
                  label = "Authentik SSO";
                  args = {
                    name = "openid_connect";
                    scope = [ "openid" "profile" "email" ];
                    response_type = "code";
                    issuer = "https://auth.blunkall.us/application/o/gitlab/";
                    discovery = true;
                    # NOTE(review): "query" sends the client id/secret as query
                    # parameters on the token request, where they can end up in
                    # IdP or proxy access logs.  Prefer "basic" if Authentik
                    # accepts it -- verify before changing.
                    client_auth_method = "query";
                    # NOTE(review): identities are keyed on the IdP's
                    # preferred_username claim.  If Authentik lets a user change
                    # their username, that changes which GitLab account they map
                    # to; `sub` is the stable identifier.
                    uid_field = "preferred_username";
                    send_scope_to_token_endpoint = true;
                    pkce = true;
                    client_options = {
                      # `{ _secret = path; }` tells the NixOS gitlab module to
                      # splice the file contents in at service start, so the
                      # OIDC credentials never land in the world-readable Nix
                      # store (which `extraEnv` would not avoid).
                      identifier = { _secret = "/etc/gitlab/oidc-id"; };
                      secret = { _secret = "/etc/gitlab/oidc-secret"; };
                      redirect_uri = "https://gitlab.blunkall.us/users/auth/openid_connect/callback";
                    };
                  };
                }
              ];
            };
          };
        };

        services.nginx = {
          enable = true;
          recommendedProxySettings = true;
          # Plain-HTTP front end for gitlab-workhorse; no TLS is configured on
          # this vhost.
          virtualHosts.localhost.locations."/".proxyPass =
            "http://unix:/run/gitlab/gitlab-workhorse.socket";
        };

        # Git over SSH inside the container.
        services.openssh.enable = true;

        # Fixed backup archive name (BACKUP=dump); presumably each run then
        # overwrites the previous dump instead of accumulating timestamped
        # archives -- confirm this is the intended retention.
        systemd.services.gitlab-backup.environment.BACKUP = "dump";

        # 22: sshd, 80: nginx.  443 is opened as well, but nothing in this
        # module configures a listener on it.
        networking.firewall.allowedTCPPorts = [ 22 80 443 ];

        system.stateVersion = "24.05";
      };
    };
  };
}