Merge pull request #126253 from mkg20001/fc-gitlab
commit
ae54500506
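--- a/FILE_PATH_NOT_ON_PAGE
+++ b/FILE_PATH_NOT_ON_PAGE
@@ -140,6 +140,14 @@ let
 port = 3807;
 };
 };
+registry = lib.optionalAttrs cfg.registry.enable {
+enabled = true;
+host = cfg.registry.externalAddress;
+port = cfg.registry.externalPort;
+key = cfg.registry.keyFile;
+api_url = "http://${config.services.dockerRegistry.listenAddress}:${toString config.services.dockerRegistry.port}/";
+issuer = "gitlab-issuer";
+};
 extra = {};
 uploads.storage_path = cfg.statePath;
 };
@@ -156,7 +164,7 @@ let
 prometheus_multiproc_dir = "/run/gitlab";
 RAILS_ENV = "production";
 MALLOC_ARENA_MAX = "2";
-};
+} // cfg.extraEnv;
 
 gitlab-rake = pkgs.stdenv.mkDerivation {
 name = "gitlab-rake";
@@ -277,6 +285,14 @@ in {
 '';
 };
 
+extraEnv = mkOption {
+type = types.attrsOf types.str;
+default = {};
+description = ''
+Additional environment variables for the GitLab environment.
+'';
+};
+
 backup.startAt = mkOption {
 type = with types; either str (listOf str);
 default = [];
@@ -508,6 +524,58 @@ in {
 '';
 };
 
+registry = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = "Enable GitLab container registry.";
+};
+host = mkOption {
+type = types.str;
+default = config.services.gitlab.host;
+description = "GitLab container registry host name.";
+};
+port = mkOption {
+type = types.int;
+default = 4567;
+description = "GitLab container registry port.";
+};
+certFile = mkOption {
+type = types.path;
+default = null;
+description = "Path to GitLab container registry certificate.";
+};
+keyFile = mkOption {
+type = types.path;
+default = null;
+description = "Path to GitLab container registry certificate-key.";
+};
+defaultForProjects = mkOption {
+type = types.bool;
+default = cfg.registry.enable;
+description = "If GitLab container registry should be enabled by default for projects.";
+};
+issuer = mkOption {
+type = types.str;
+default = "gitlab-issuer";
+description = "GitLab container registry issuer.";
+};
+serviceName = mkOption {
+type = types.str;
+default = "container_registry";
+description = "GitLab container registry service name.";
+};
+externalAddress = mkOption {
+type = types.str;
+default = "";
+description = "External address used to access registry from the internet";
+};
+externalPort = mkOption {
+type = types.int;
+description = "External port used to access registry from the internet";
+};
+};
+
 smtp = {
 enable = mkOption {
 type = types.bool;
@@ -905,6 +973,44 @@ in {
 };
 };
 
+systemd.services.gitlab-registry-cert = optionalAttrs cfg.registry.enable {
+path = with pkgs; [ openssl ];
+
+script = ''
+mkdir -p $(dirname ${cfg.registry.keyFile})
+mkdir -p $(dirname ${cfg.registry.certFile})
+openssl req -nodes -newkey rsa:4096 -keyout ${cfg.registry.keyFile} -out /tmp/registry-auth.csr -subj "/CN=${cfg.registry.issuer}"
+openssl x509 -in /tmp/registry-auth.csr -out ${cfg.registry.certFile} -req -signkey ${cfg.registry.keyFile} -days 3650
+chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.keyFile})
+chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.certFile})
+chown ${cfg.user}:${cfg.group} ${cfg.registry.keyFile}
+chown ${cfg.user}:${cfg.group} ${cfg.registry.certFile}
+'';
+
+serviceConfig = {
+ConditionPathExists = "!${cfg.registry.certFile}";
+};
+};
+
+# Ensure Docker Registry launches after the certificate generation job
+systemd.services.docker-registry = optionalAttrs cfg.registry.enable {
+wants = [ "gitlab-registry-cert.service" ];
+};
+
+# Enable Docker Registry, if GitLab-Container Registry is enabled
+services.dockerRegistry = optionalAttrs cfg.registry.enable {
+enable = true;
+enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly
+extraConfig = {
+auth.token = {
+realm = "http${if cfg.https == true then "s" else ""}://${cfg.host}/jwt/auth";
+service = cfg.registry.serviceName;
+issuer = cfg.registry.issuer;
+rootcertbundle = cfg.registry.certFile;
+};
+};
+};
+
 # Use postfix to send out mails.
 services.postfix.enable = mkDefault (cfg.smtp.enable && cfg.smtp.address == "localhost");
 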
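Review bot: `ConditionPathExists = "!${cfg.registry.certFile}";` in the last hunk is placed under `serviceConfig`, but ConditionPathExists= is a [Unit] directive that systemd ignores inside [Service], so gitlab-registry-cert would run its unconditional `openssl req -newkey` on every start and overwrite the key and certificate the registry already trusts; it belongs in `unitConfig.ConditionPathExists = "!${cfg.registry.certFile}";`. The comment `# Ensure Docker Registry launches after the certificate generation job` is not met by `wants` alone, which adds no ordering, so the docker-registry override also needs `after = [ "gitlab-registry-cert.service" ];`. The script further writes the CSR to the fixed path `/tmp/registry-auth.csr` while running as root and leaves the mode of the freshly written private key to the unit's default umask (openssl does not tighten it, so the key would likely be created world-readable before the chown), which `serviceConfig.PrivateTmp = true;` and `serviceConfig.UMask = "0077";` would address. In the options hunk, `certFile` and `keyFile` declare `types.path` with `default = null`, which surfaces as a type error rather than a clear message when the registry is enabled without them; `types.nullOr types.path` with an assertion, or no default at all, would be clearer. The enclosing config attribute set starts and ends outside the hunk.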