treewide: move nixos modules

2024-07-18 15:04:18 +02:00 · 2024-07-18 15:04:18 +02:00 · 8eff4c5e4f
commit 8eff4c5e4f
parent d84be7c616
73 changed files with 62 additions and 62 deletions
--- a/modules/nixos/services/git/default.nix
+++ b/modules/nixos/services/git/default.nix
@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [ ./runner.nix ];
+
+  options.chvp.services.git.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.services.git.enable {
+    chvp.services.nginx.hosts = [{
+      fqdn = "git.chvp.be";
+      options = {
+        locations."/" = {
+          proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+          extraConfig = ''
+            client_max_body_size 50M;
+          '';
+        };
+      };
+    }];
+    users = {
+      users = {
+        git = {
+          uid = lib.mkForce 963;
+          group = "git";
+          isSystemUser = true;
+          useDefaultShell = true;
+        };
+        nginx.extraGroups = [ "git" ];
+      };
+      groups.git.gid = lib.mkForce 963;
+    };
+    services.openssh.settings.AcceptEnv = "GIT_PROTOCOL";
+    services.gitlab = {
+      enable = true;
+      statePath = "/var/lib/git/state";
+      backup.path = "/var/lib/git/backup";
+      databaseCreateLocally = true;
+      databaseUsername = "git";
+      databaseName = "git";
+      user = "git";
+      group = "git";
+      host = "git.chvp.be";
+      port = 443;
+      https = true;
+      initialRootEmail = "charlotte@vanpetegem.be";
+      initialRootPasswordFile = config.age.secrets."passwords/services/git/initial-root-password".path;
+      # Hack, https://github.com/NixOS/nixpkgs/pull/135926 broke stuff
+      pages.settings.pages-domain = "not.actually.enabled";
+      secrets = {
+        dbFile = config.age.secrets."passwords/services/git/db".path;
+        jwsFile = config.age.secrets."passwords/services/git/jws".path;
+        otpFile = config.age.secrets."passwords/services/git/otp".path;
+        secretFile = config.age.secrets."passwords/services/git/secret".path;
+      };
+      smtp = {
+        enable = true;
+        enableStartTLSAuto = false;
+      };
+    };
+
+    age.secrets."passwords/services/git/initial-root-password" = {
+      file = ../../../../secrets/passwords/services/git/initial-root-password.age;
+      owner = "git";
+    };
+    age.secrets."passwords/services/git/db" = {
+      file = ../../../../secrets/passwords/services/git/db.age;
+      owner = "git";
+    };
+    age.secrets."passwords/services/git/jws" = {
+      file = ../../../../secrets/passwords/services/git/jws.age;
+      owner = "git";
+    };
+    age.secrets."passwords/services/git/otp" = {
+      file = ../../../../secrets/passwords/services/git/otp.age;
+      owner = "git";
+    };
+    age.secrets."passwords/services/git/secret" = {
+      file = ../../../../secrets/passwords/services/git/secret.age;
+      owner = "git";
+    };
+  };
+}
--- a/modules/nixos/services/git/runner.nix
+++ b/modules/nixos/services/git/runner.nix
@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.chvp.services.git.runner.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.services.git.runner.enable {
+    services.gitlab-runner = {
+      enable = true;
+      settings.concurrent = 8;
+      services = {
+        nix = {
+          authenticationTokenConfigFile = config.age.secrets."passwords/services/gitlab-runner/registration".path;
+          dockerImage = "alpine";
+          dockerVolumes = [
+            "/nix/store:/nix/store:ro"
+            "/nix/var/nix/db:/nix/var/nix/db:ro"
+            "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+            "/etc/nix/nix.conf:/etc/nix/nix.conf:ro"
+          ];
+          preBuildScript = pkgs.writeScript "setup-container" ''
+            mkdir -p -m 0755 /nix/var/log/nix/drvs
+            mkdir -p -m 0755 /nix/var/nix/gcroots
+            mkdir -p -m 0755 /nix/var/nix/profiles
+            mkdir -p -m 0755 /nix/var/nix/temproots
+            mkdir -p -m 0755 /nix/var/nix/userpool
+            mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+            mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+            mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+            mkdir -p -m 0700 "$HOME/.nix-defexpr"
+
+            . ${pkgs.nix}/etc/profile.d/nix.sh
+
+            ${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
+          '';
+          environmentVariables = {
+            ENV = "/etc/profile";
+            USER = "root";
+            NIX_REMOTE = "daemon";
+            PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+            NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+          };
+          requestConcurrency = 4;
+        };
+      };
+    };
+    virtualisation.docker = {
+      enable = true;
+      storageDriver = "zfs";
+    };
+    age.secrets."passwords/services/gitlab-runner/registration" = {
+      file = ../../../../secrets/passwords/services/gitlab-runner/registration.age;
+    };
+  };
+}