nixos-config/nixos/machines/robi/gitlab.nix
2022-09-20 21:48:36 +02:00

140 lines
4 KiB
Nix

{ config, lib, pkgs, ... }:
let
host = "gitlab.ingolf-wagner.de";
in
#let
#
# errorPages = pkgs.fetchgit {
# url = "https://git.ingolf-wagner.de/palo/http-errors.git";
# rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
# sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
# };
#
# error = {
# extraConfig = ''
# error_page 400 /errors/400.html;
# error_page 401 /errors/401.html;
# error_page 402 /errors/402.html;
# error_page 403 /errors/403.html;
# error_page 404 /errors/404.html;
# error_page 405 /errors/405.html;
# error_page 406 /errors/406.html;
# error_page 500 /errors/500.html;
# error_page 501 /errors/501.html;
# error_page 502 /errors/502.html;
# error_page 503 /errors/503.html;
# error_page 504 /errors/504.html;
# '';
# locations."^~ /errors/" = {
# extraConfig = "internal;";
# root = "${errorPages}/";
# };
# };
#
#in
{
#services.nginx = {
# enable = true;
# statusPage = true;
# virtualHosts = {
# "git.${config.networking.hostName}.private" = {
# extraConfig = error.extraConfig;
# locations."/" = {
# proxyPass = "http://${config.networking.hostName}.private:${
# toString config.services.gogs.httpPort
# }";
# };
# };
# };
#};
#services.gogs = {
# enable = true;
# appName = "Kruck GoGs";
# domain = "git.ingolf-wagner.de";
# httpPort = 3000;
# repositoryRoot = "/home/gogs/repositories";
# stateDir = "/home/gogs";
# rootUrl = "https://git.ingolf-wagner.de/";
# extraConfig = ''
# [service]
# DISABLE_REGISTRATION = true
# SHOW_REGISTRATION_BUTTON = false
# [server]
# SSH_DOMAIN = "git.ingolf-wagner.de"
# SSH_PORT = 2222
# START_SSH_SERVER = true
# SSH_LISTEN_PORT = 2222
# [log.file]
# LEVEL = Warn
# [log.console]
# LEVEL = Warn
# [log.sublogger.macaron]
# LEVEL = Warn
# '';
#};
#backup.dirs = [ config.services.gogs.repositoryRoot ];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
};
sops.secrets.gitlab_database_password.owner = config.services.gitlab.user;
sops.secrets.gitlab_initial_root_password.owner = config.services.gitlab.user;
sops.secrets.gitlab_secrets_db.owner = config.services.gitlab.user;
sops.secrets.gitlab_secrets_jws.owner = config.services.gitlab.user;
sops.secrets.gitlab_secrets_otp.owner = config.services.gitlab.user;
sops.secrets.gitlab_secrets_secret.owner = config.services.gitlab.user;
services.postgresql = {
enable = true;
package = pkgs.postgresql_12;
};
services.gitlab = {
enable = true;
host = host;
port = 443;
https = true;
smtp.enable = false;
databasePasswordFile = config.sops.secrets.gitlab_database_password.path;
initialRootPasswordFile = config.sops.secrets.gitlab_initial_root_password.path;
secrets = {
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks
dbFile = config.sops.secrets.gitlab_secrets_db.path;
# openssl genrsa 2048
jwsFile = config.sops.secrets.gitlab_secrets_jws.path;
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks
otpFile = config.sops.secrets.gitlab_secrets_otp.path;
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks
secretFile = config.sops.secrets.gitlab_secrets_secret.path;
};
# smtp?
# gitlab-runner?
};
}