# NixOS module: GitLab served by nginx over TLS (ACME), backed by PostgreSQL,
# with every secret delivered as a sops-managed file. The previous Gogs
# deployment is kept below as a commented-out block for reference only; it is
# not evaluated.
{ config, lib, pkgs, ... }:
let
  # Public hostname: the nginx virtual host and the name GitLab announces.
  host = "gitlab.ingolf-wagner.de";

  # All GitLab secrets are sops entries owned by the GitLab service user, so the
  # rendered files are readable by that user rather than by root only (file
  # mode is whatever sops-nix applies by default — confirm in the sops setup).
  gitlabSecretNames = [
    "gitlab_database_password"
    "gitlab_initial_root_password"
    "gitlab_secrets_db"
    "gitlab_secrets_jws"
    "gitlab_secrets_otp"
    "gitlab_secrets_secret"
  ];

  # Path of a rendered sops secret, looked up by its entry name.
  secretPath = name: config.sops.secrets.${name}.path;
in
# ---------------------------------------------------------------------------
# Legacy Gogs configuration (disabled, kept for reference)
# ---------------------------------------------------------------------------
#let
#
#  errorPages = pkgs.fetchgit {
#    url = "https://git.ingolf-wagner.de/palo/http-errors.git";
#    rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
#    sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
#  };
#
#  error = {
#    extraConfig = ''
#      error_page 400 /errors/400.html;
#      error_page 401 /errors/401.html;
#      error_page 402 /errors/402.html;
#      error_page 403 /errors/403.html;
#      error_page 404 /errors/404.html;
#      error_page 405 /errors/405.html;
#      error_page 406 /errors/406.html;
#      error_page 500 /errors/500.html;
#      error_page 501 /errors/501.html;
#      error_page 502 /errors/502.html;
#      error_page 503 /errors/503.html;
#      error_page 504 /errors/504.html;
#    '';
#    locations."^~ /errors/" = {
#      extraConfig = "internal;";
#      root = "${errorPages}/";
#    };
#  };
#
#in {
#services.nginx = {
#  enable = true;
#  statusPage = true;
#  virtualHosts = {
#    "git.${config.networking.hostName}.private" = {
#      extraConfig = error.extraConfig;
#      locations."/" = {
#        proxyPass = "http://${config.networking.hostName}.private:${
#          toString config.services.gogs.httpPort
#        }";
#      };
#    };
#  };
#};
#services.gogs = {
#  enable = true;
#  appName = "Kruck GoGs";
#  domain = "git.ingolf-wagner.de";
#  httpPort = 3000;
#  repositoryRoot = "/home/gogs/repositories";
#  stateDir = "/home/gogs";
#  rootUrl = "https://git.ingolf-wagner.de/";
#  extraConfig = ''
#    [service]
#    DISABLE_REGISTRATION = true
#    SHOW_REGISTRATION_BUTTON = false
#    [server]
#    SSH_DOMAIN = "git.ingolf-wagner.de"
#    SSH_PORT = 2222
#    START_SSH_SERVER = true
#    SSH_LISTEN_PORT = 2222
#    [log.file]
#    LEVEL = Warn
#    [log.console]
#    LEVEL = Warn
#    [log.sublogger.macaron]
#    LEVEL = Warn
#  '';
#};
#backup.dirs = [ config.services.gogs.repositoryRoot ];
# ---------------------------------------------------------------------------
{
  # One sops entry per GitLab secret, all owned by the GitLab service user.
  sops.secrets = lib.genAttrs gitlabSecretNames (_: {
    owner = config.services.gitlab.user;
  });

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts.${host} = {
      # Certificate from ACME; plain-HTTP requests are redirected to HTTPS.
      enableACME = true;
      forceSSL = true;
      # Everything is proxied to GitLab Workhorse over a local unix socket, so
      # the application itself is not bound to a network port.
      locations."/" = {
        proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
      };
    };
  };

  services.postgresql = {
    enable = true;
    # NOTE(review): the major version is pinned here; check that this release
    # still receives security updates and plan the upgrade path before it stops.
    package = pkgs.postgresql_12;
  };

  services.gitlab = {
    enable = true;
    inherit host;
    # GitLab builds its external URL from these; TLS terminates at nginx.
    port = 443;
    https = true;
    # No outbound mail configured — presumably notifications and password-reset
    # mails are not delivered until this is set up (see open TODO below).
    smtp.enable = false;

    databasePasswordFile = secretPath "gitlab_database_password";
    # Presumably consumed only when the instance is first initialised; rotate
    # the root password after the first login — confirm against the module docs.
    initialRootPasswordFile = secretPath "gitlab_initial_root_password";

    secrets = {
      # Make sure the secret is at least 30 characters and all random,
      # no regular words or you'll be exposed to dictionary attacks
      dbFile = secretPath "gitlab_secrets_db";
      # openssl genrsa 2048
      jwsFile = secretPath "gitlab_secrets_jws";
      # Make sure the secret is at least 30 characters and all random,
      # no regular words or you'll be exposed to dictionary attacks
      otpFile = secretPath "gitlab_secrets_otp";
      # Make sure the secret is at least 30 characters and all random,
      # no regular words or you'll be exposed to dictionary attacks
      secretFile = secretPath "gitlab_secrets_secret";
    };

    # smtp?
    # gitlab-runner?
  };
}