141 lines
4 KiB
Nix
141 lines
4 KiB
Nix
|
{ config, lib, pkgs, ... }:
|
||
|
let
|
||
|
host = "gitlab.ingolf-wagner.de";
|
||
|
in
|
||
|
|
||
|
#let
|
||
|
#
|
||
|
# errorPages = pkgs.fetchgit {
|
||
|
# url = "https://git.ingolf-wagner.de/palo/http-errors.git";
|
||
|
# rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
|
||
|
# sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
|
||
|
# };
|
||
|
#
|
||
|
# error = {
|
||
|
# extraConfig = ''
|
||
|
# error_page 400 /errors/400.html;
|
||
|
# error_page 401 /errors/401.html;
|
||
|
# error_page 402 /errors/402.html;
|
||
|
# error_page 403 /errors/403.html;
|
||
|
# error_page 404 /errors/404.html;
|
||
|
# error_page 405 /errors/405.html;
|
||
|
# error_page 406 /errors/406.html;
|
||
|
# error_page 500 /errors/500.html;
|
||
|
# error_page 501 /errors/501.html;
|
||
|
# error_page 502 /errors/502.html;
|
||
|
# error_page 503 /errors/503.html;
|
||
|
# error_page 504 /errors/504.html;
|
||
|
# '';
|
||
|
# locations."^~ /errors/" = {
|
||
|
# extraConfig = "internal;";
|
||
|
# root = "${errorPages}/";
|
||
|
# };
|
||
|
# };
|
||
|
#
|
||
|
#in
|
||
|
{
|
||
|
|
||
|
#services.nginx = {
|
||
|
# enable = true;
|
||
|
# statusPage = true;
|
||
|
# virtualHosts = {
|
||
|
# "git.${config.networking.hostName}.private" = {
|
||
|
# extraConfig = error.extraConfig;
|
||
|
# locations."/" = {
|
||
|
# proxyPass = "http://${config.networking.hostName}.private:${
|
||
|
# toString config.services.gogs.httpPort
|
||
|
# }";
|
||
|
# };
|
||
|
# };
|
||
|
# };
|
||
|
#};
|
||
|
|
||
|
#services.gogs = {
|
||
|
# enable = true;
|
||
|
# appName = "Kruck GoGs";
|
||
|
# domain = "git.ingolf-wagner.de";
|
||
|
# httpPort = 3000;
|
||
|
# repositoryRoot = "/home/gogs/repositories";
|
||
|
# stateDir = "/home/gogs";
|
||
|
# rootUrl = "https://git.ingolf-wagner.de/";
|
||
|
# extraConfig = ''
|
||
|
# [service]
|
||
|
# DISABLE_REGISTRATION = true
|
||
|
# SHOW_REGISTRATION_BUTTON = false
|
||
|
# [server]
|
||
|
# SSH_DOMAIN = "git.ingolf-wagner.de"
|
||
|
# SSH_PORT = 2222
|
||
|
# START_SSH_SERVER = true
|
||
|
# SSH_LISTEN_PORT = 2222
|
||
|
|
||
|
# [log.file]
|
||
|
# LEVEL = Warn
|
||
|
|
||
|
# [log.console]
|
||
|
# LEVEL = Warn
|
||
|
|
||
|
# [log.sublogger.macaron]
|
||
|
# LEVEL = Warn
|
||
|
# '';
|
||
|
#};
|
||
|
#backup.dirs = [ config.services.gogs.repositoryRoot ];
|
||
|
|
||
|
services.nginx = {
|
||
|
enable = true;
|
||
|
recommendedGzipSettings = true;
|
||
|
recommendedOptimisation = true;
|
||
|
recommendedProxySettings = true;
|
||
|
recommendedTlsSettings = true;
|
||
|
virtualHosts.${host} = {
|
||
|
enableACME = true;
|
||
|
forceSSL = true;
|
||
|
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||
|
};
|
||
|
};
|
||
|
|
||
|
sops.secrets.gitlab_database_password.owner = config.services.gitlab.user;
|
||
|
sops.secrets.gitlab_initial_root_password.owner = config.services.gitlab.user;
|
||
|
sops.secrets.gitlab_secrets_db.owner = config.services.gitlab.user;
|
||
|
sops.secrets.gitlab_secrets_jws.owner = config.services.gitlab.user;
|
||
|
sops.secrets.gitlab_secrets_otp.owner = config.services.gitlab.user;
|
||
|
sops.secrets.gitlab_secrets_secret.owner = config.services.gitlab.user;
|
||
|
|
||
|
services.postgresql = {
|
||
|
enable = true;
|
||
|
package = pkgs.postgresql_12;
|
||
|
};
|
||
|
|
||
|
services.gitlab = {
|
||
|
enable = true;
|
||
|
host = host;
|
||
|
port = 443;
|
||
|
https = true;
|
||
|
smtp.enable = false;
|
||
|
|
||
|
databasePasswordFile = config.sops.secrets.gitlab_database_password.path;
|
||
|
initialRootPasswordFile = config.sops.secrets.gitlab_initial_root_password.path;
|
||
|
|
||
|
secrets = {
|
||
|
# Make sure the secret is at least 30 characters and all random,
|
||
|
# no regular words or you'll be exposed to dictionary attacks
|
||
|
dbFile = config.sops.secrets.gitlab_secrets_db.path;
|
||
|
|
||
|
# openssl genrsa 2048
|
||
|
jwsFile = config.sops.secrets.gitlab_secrets_jws.path;
|
||
|
|
||
|
# Make sure the secret is at least 30 characters and all random,
|
||
|
# no regular words or you'll be exposed to dictionary attacks
|
||
|
otpFile = config.sops.secrets.gitlab_secrets_otp.path;
|
||
|
|
||
|
# Make sure the secret is at least 30 characters and all random,
|
||
|
# no regular words or you'll be exposed to dictionary attacks
|
||
|
secretFile = config.sops.secrets.gitlab_secrets_secret.path;
|
||
|
};
|
||
|
|
||
|
# smtp?
|
||
|
|
||
|
# gitlab-runner?
|
||
|
};
|
||
|
|
||
|
}
|