From 7135ac0e005453a8e94854ded879fd1bcc741220 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?= <mkg20001@gmail.com>
Date: Tue, 8 Jun 2021 21:29:18 +0200
Subject: [PATCH 1/2] nixos/gitlab: add extraEnv option
This allows users to define custom environment variables for gitlab,
without having to modify the service file directly
---
nixos/modules/services/misc/gitlab.nix | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 253d87537cfe..9f4af76b1cf6 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -156,7 +156,7 @@ let
prometheus_multiproc_dir = "/run/gitlab";
RAILS_ENV = "production";
MALLOC_ARENA_MAX = "2";
- };
+ } // cfg.extraEnv;
gitlab-rake = pkgs.stdenv.mkDerivation {
name = "gitlab-rake";
@@ -277,6 +277,14 @@ in {
'';
};
+ extraEnv = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ description = ''
+ Additional environment variables for the GitLab environment.
+ '';
+ };
+
backup.startAt = mkOption {
type = with types; either str (listOf str);
default = [];
From f4ddc02b0e75fa051bebcc5b882443a3970ed7ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?= <mkg20001@gmail.com>
Date: Wed, 9 Jun 2021 23:19:25 +0200
Subject: [PATCH 2/2] nixos/gitlab: add container registry
---
nixos/modules/services/misc/gitlab.nix | 98 ++++++++++++++++++++++++++
1 file changed, 98 insertions(+)
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 9f4af76b1cf6..317b4a546da5 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -140,6 +140,14 @@ let
port = 3807;
};
};
+ registry = lib.optionalAttrs cfg.registry.enable {
+ enabled = true;
+ host = cfg.registry.externalAddress;
+ port = cfg.registry.externalPort;
+ key = cfg.registry.keyFile;
+ api_url = "http://${config.services.dockerRegistry.listenAddress}:${toString config.services.dockerRegistry.port}/";
+ issuer = "gitlab-issuer";
+ };
extra = {};
uploads.storage_path = cfg.statePath;
};
@@ -516,6 +524,58 @@ in {
'';
};
+ registry = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable GitLab container registry.";
+ };
+ host = mkOption {
+ type = types.str;
+ default = config.services.gitlab.host;
+ description = "GitLab container registry host name.";
+ };
+ port = mkOption {
+ type = types.int;
+ default = 4567;
+ description = "GitLab container registry port.";
+ };
+ certFile = mkOption {
+ type = types.path;
+ default = null;
+ description = "Path to GitLab container registry certificate.";
+ };
+ keyFile = mkOption {
+ type = types.path;
+ default = null;
+ description = "Path to GitLab container registry certificate-key.";
+ };
+ defaultForProjects = mkOption {
+ type = types.bool;
+ default = cfg.registry.enable;
+ description = "If GitLab container registry should be enabled by default for projects.";
+ };
+ issuer = mkOption {
+ type = types.str;
+ default = "gitlab-issuer";
+ description = "GitLab container registry issuer.";
+ };
+ serviceName = mkOption {
+ type = types.str;
+ default = "container_registry";
+ description = "GitLab container registry service name.";
+ };
+ externalAddress = mkOption {
+ type = types.str;
+ default = "";
+ description = "External address used to access registry from the internet";
+ };
+ externalPort = mkOption {
+ type = types.int;
+ description = "External port used to access registry from the internet";
+ };
+ };
+
smtp = {
enable = mkOption {
type = types.bool;
@@ -909,6 +969,44 @@ in {
};
};
+ systemd.services.gitlab-registry-cert = optionalAttrs cfg.registry.enable {
+ path = with pkgs; [ openssl ];
+
+ script = ''
+ mkdir -p $(dirname ${cfg.registry.keyFile})
+ mkdir -p $(dirname ${cfg.registry.certFile})
+ openssl req -nodes -newkey rsa:4096 -keyout ${cfg.registry.keyFile} -out /tmp/registry-auth.csr -subj "/CN=${cfg.registry.issuer}"
+ openssl x509 -in /tmp/registry-auth.csr -out ${cfg.registry.certFile} -req -signkey ${cfg.registry.keyFile} -days 3650
+ chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.keyFile})
+ chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.certFile})
+ chown ${cfg.user}:${cfg.group} ${cfg.registry.keyFile}
+ chown ${cfg.user}:${cfg.group} ${cfg.registry.certFile}
+ '';
+
+ serviceConfig = {
+ ConditionPathExists = "!${cfg.registry.certFile}";
+ };
+ };
+
+ # Ensure Docker Registry launches after the certificate generation job
+ systemd.services.docker-registry = optionalAttrs cfg.registry.enable {
+ wants = [ "gitlab-registry-cert.service" ];
+ };
+
+ # Enable Docker Registry, if GitLab-Container Registry is enabled
+ services.dockerRegistry = optionalAttrs cfg.registry.enable {
+ enable = true;
+ enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly
+ extraConfig = {
+ auth.token = {
+ realm = "http${if cfg.https == true then "s" else ""}://${cfg.host}/jwt/auth";
+ service = cfg.registry.serviceName;
+ issuer = cfg.registry.issuer;
+ rootcertbundle = cfg.registry.certFile;
+ };
+ };
+ };
+
# Use postfix to send out mails.
services.postfix.enable = mkDefault (cfg.smtp.enable && cfg.smtp.address == "localhost");