Gitlab on stargate

2025-09-30 14:19:09 +02:00 · 2025-09-30 14:19:09 +02:00 · c44366f5ce
commit c44366f5ce
parent 31833e1681
3 changed files with 45 additions and 7 deletions
--- a/systems/x86_64-linux/stargate/default.nix
+++ b/systems/x86_64-linux/stargate/default.nix
@ -108,6 +108,7 @@ in {
  };
  custom.presets.default = enabled;
  custom.hardware.secureBoot = enabled;
+  hardware.bluetooth.enable = mkForce false;
  custom.impermanence = enabled;

  custom.users.kylekrein = {
--- a/systems/x86_64-linux/stargate/services/gitlab.nix
+++ b/systems/x86_64-linux/stargate/services/gitlab.nix
@ -0,0 +1,37 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";};
+  sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";};
+  sops.secrets."services/gitlab/secret" = {owner = "gitlab";};
+  sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";};
+  sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";};
+  sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";};
+  sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";};
+  sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";};
+  sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";};
+  services.gitlab = {
+    enable = true;
+    host = "gitlab.kylekrein.com";
+    https = true;
+    port = 443;
+    statePath = "/var/lib/gitlab/state";
+    backup.startAt = "3:00";
+    databasePasswordFile = config.sops.secrets."services/gitlab/dbPassword".path;
+    initialRootPasswordFile = config.sops.secrets."services/gitlab/rootPassword".path;
+    secrets = {
+      secretFile = config.sops.secrets."services/gitlab/secret".path;
+      otpFile = config.sops.secrets."services/gitlab/otpsecret".path;
+      dbFile = config.sops.secrets."services/gitlab/dbsecret".path;
+      jwsFile = config.sops.secrets."services/gitlab/oidcKeyBase".path; #pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+      activeRecordSaltFile = config.sops.secrets."services/gitlab/activeRecordSalt".path;
+      activeRecordPrimaryKeyFile = config.sops.secrets."services/gitlab/activeRecordPrimaryKey".path;
+      activeRecordDeterministicKeyFile = config.sops.secrets."services/gitlab/activeRecordDeterministicKey".path;
+    };
+  };
+
+  systemd.services.gitlab-backup.environment.BACKUP = "dump";
+}
--- a/systems/x86_64-linux/stargate/services/nginx.nix
+++ b/systems/x86_64-linux/stargate/services/nginx.nix
@ -48,13 +48,13 @@ in {
      #  locations = matrixLocations;
      #};

-      #"gitlab.kylekrein.com" = {
-      #  enableACME = true;
-      #  forceSSL = true;
-      #  locations."/" = {
-      #    proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
-      #  };
-      #};
+      "gitlab.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+        };
+      };

      "immich.kylekrein.com" = {
        enableACME = true;