From c44366f5cec246daff57cad1b4b95c8d09d8b056 Mon Sep 17 00:00:00 2001
From: Aleksandr Lebedev
Date: Tue, 30 Sep 2025 14:19:09 +0200
Subject: [PATCH] Gitlab on stargate
---
 systems/x86_64-linux/stargate/default.nix | 1 +
 .../x86_64-linux/stargate/services/gitlab.nix | 37 +++++++++++++++++++
 .../x86_64-linux/stargate/services/nginx.nix | 14 +++----
 3 files changed, 45 insertions(+), 7 deletions(-)
 create mode 100644 systems/x86_64-linux/stargate/services/gitlab.nix
diff --git a/systems/x86_64-linux/stargate/default.nix b/systems/x86_64-linux/stargate/default.nix
index e6baee7..2130589 100644
--- a/systems/x86_64-linux/stargate/default.nix
+++ b/systems/x86_64-linux/stargate/default.nix
@@ -108,6 +108,7 @@ in {
 };
 custom.presets.default = enabled;
 custom.hardware.secureBoot = enabled;
+ hardware.bluetooth.enable = mkForce false;
 custom.impermanence = enabled;
 custom.users.kylekrein = {
diff --git a/systems/x86_64-linux/stargate/services/gitlab.nix b/systems/x86_64-linux/stargate/services/gitlab.nix
new file mode 100644
index 0000000..f5d18ff
--- /dev/null
+++ b/systems/x86_64-linux/stargate/services/gitlab.nix
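Review bot: `hardware.bluetooth.enable = mkForce false;` is unrelated to the Subject (Gitlab on stargate) and lands without explanation in a commit readers will consult for the GitLab setup; it belongs in its own commit or at least needs a comment. `mkForce` also hides which module turned bluetooth on in the first place (presumably one of the `custom.presets`, which are not visible here), so a short comment such as `# mkForce: a preset enables bluetooth by default; this host does not need it` would record the reason for the override.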
@@ -0,0 +1,37 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
+ sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
+ sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
+ sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
+ sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
+ sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
+ sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
+ sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
+ sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
+ services.gitlab = {
+ enable = true;
+ host = "gitlab.kylekrein.com";
+ https = true;
+ port = 443;
+ statePath = "/var/lib/gitlab/state";
+ backup.startAt = "3:00";
+ databasePasswordFile = config.sops.secrets."services/gitlab/dbPassword".path;
+ initialRootPasswordFile = config.sops.secrets."services/gitlab/rootPassword".path;
+ secrets = {
+ secretFile = config.sops.secrets."services/gitlab/secret".path;
+ otpFile = config.sops.secrets."services/gitlab/otpsecret".path;
+ dbFile = config.sops.secrets."services/gitlab/dbsecret".path;
+ jwsFile = config.sops.secrets."services/gitlab/oidcKeyBase".path; #pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+ activeRecordSaltFile = config.sops.secrets."services/gitlab/activeRecordSalt".path;
+ activeRecordPrimaryKeyFile = config.sops.secrets."services/gitlab/activeRecordPrimaryKey".path;
+ activeRecordDeterministicKeyFile = config.sops.secrets."services/gitlab/activeRecordDeterministicKey".path;
+ };
+ };
+
+ systemd.services.gitlab-backup.environment.BACKUP = "dump";
+}
diff --git a/systems/x86_64-linux/stargate/services/nginx.nix b/systems/x86_64-linux/stargate/services/nginx.nix
index ea2ddbf..2738d20 100644
--- a/systems/x86_64-linux/stargate/services/nginx.nix
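Review bot: The trailing comment on the `jwsFile` line keeps `pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out"` around as an alternative; that form would generate the OIDC signing key at build time into the world-readable Nix store (and into any binary cache the store is pushed to), so the sops-managed path used here is the right choice and the comment should be deleted rather than left as a documented fallback. With it gone `pkgs` is no longer referenced and `lib` is already unused, so the argument set can shrink to `{ config, ... }:`. The default.nix hunk in this same commit has `custom.impermanence = enabled`; unless `/var/lib/gitlab` is persisted somewhere outside this file, `statePath = "/var/lib/gitlab/state"` and the nightly `backup.startAt` dumps will not survive a reboot — worth confirming, and recording with a comment like `# /var/lib/gitlab must be in the persisted set; verify against the impermanence config`.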
+++ b/systems/x86_64-linux/stargate/services/nginx.nix
@@ -48,13 +48,13 @@ in {
 # locations = matrixLocations;
 #};
- #"gitlab.kylekrein.com" = {
- # enableACME = true;
- # forceSSL = true;
- # locations."/" = {
- # proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
- # };
- #};
+ "gitlab.kylekrein.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ };
+ };
 "immich.kylekrein.com" = {
 enableACME = true;
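Review bot: The new `locations."/"` block sets only `proxyPass`, with no proxy headers and no body-size override, so unless `recommendedProxySettings` is enabled in the part of this file outside the hunk, GitLab will not receive `X-Forwarded-Proto`/`X-Forwarded-For` and nginx's default `client_max_body_size` of 1m will reject larger pushes and uploads through this vhost; adding `extraConfig = "client_max_body_size 0;";` next to `proxyPass` covers the latter. Whether the nginx user can read `/run/gitlab/gitlab-workhorse.socket` is decided by the gitlab module's user/group setup rather than anything in this hunk, so confirm it on the host before relying on the uncommented block. The enclosing attribute set starts and ends outside the hunk.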