Merge pull request #126253 from mkg20001/fc-gitlab

Maciej Krüger 2021-07-06 20:58:12 +02:00 committed by GitHub
commit ae54500506


@ -140,6 +140,14 @@ let
port = 3807;
};
};
registry = lib.optionalAttrs cfg.registry.enable {
enabled = true;
host = cfg.registry.externalAddress;
port = cfg.registry.externalPort;
key = cfg.registry.keyFile;
api_url = "http://${config.services.dockerRegistry.listenAddress}:${toString config.services.dockerRegistry.port}/";
issuer = "gitlab-issuer";
};
extra = {};
uploads.storage_path = cfg.statePath;
};
@ -156,7 +164,7 @@ let
prometheus_multiproc_dir = "/run/gitlab";
RAILS_ENV = "production";
MALLOC_ARENA_MAX = "2";
};
} // cfg.extraEnv;
gitlab-rake = pkgs.stdenv.mkDerivation {
name = "gitlab-rake";
@ -277,6 +285,14 @@ in {
'';
};
extraEnv = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
Additional environment variables for the GitLab environment.
'';
};
backup.startAt = mkOption {
type = with types; either str (listOf str);
default = [];
@ -508,6 +524,58 @@ in {
'';
};
registry = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable GitLab container registry.";
};
host = mkOption {
type = types.str;
default = config.services.gitlab.host;
description = "GitLab container registry host name.";
};
port = mkOption {
type = types.int;
default = 4567;
description = "GitLab container registry port.";
};
certFile = mkOption {
type = types.path;
default = null;
description = "Path to GitLab container registry certificate.";
};
keyFile = mkOption {
type = types.path;
default = null;
description = "Path to GitLab container registry certificate-key.";
};
defaultForProjects = mkOption {
type = types.bool;
default = cfg.registry.enable;
description = "If GitLab container registry should be enabled by default for projects.";
};
issuer = mkOption {
type = types.str;
default = "gitlab-issuer";
description = "GitLab container registry issuer.";
};
serviceName = mkOption {
type = types.str;
default = "container_registry";
description = "GitLab container registry service name.";
};
externalAddress = mkOption {
type = types.str;
default = "";
description = "External address used to access registry from the internet";
};
externalPort = mkOption {
type = types.int;
description = "External port used to access registry from the internet";
};
};
smtp = {
enable = mkOption {
type = types.bool;
@ -905,6 +973,44 @@ in {
};
};
systemd.services.gitlab-registry-cert = optionalAttrs cfg.registry.enable {
path = with pkgs; [ openssl ];
script = ''
mkdir -p $(dirname ${cfg.registry.keyFile})
mkdir -p $(dirname ${cfg.registry.certFile})
openssl req -nodes -newkey rsa:4096 -keyout ${cfg.registry.keyFile} -out /tmp/registry-auth.csr -subj "/CN=${cfg.registry.issuer}"
openssl x509 -in /tmp/registry-auth.csr -out ${cfg.registry.certFile} -req -signkey ${cfg.registry.keyFile} -days 3650
chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.keyFile})
chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.certFile})
chown ${cfg.user}:${cfg.group} ${cfg.registry.keyFile}
chown ${cfg.user}:${cfg.group} ${cfg.registry.certFile}
'';
serviceConfig = {
ConditionPathExists = "!${cfg.registry.certFile}";
};
};
# Ensure Docker Registry launches after the certificate generation job
systemd.services.docker-registry = optionalAttrs cfg.registry.enable {
wants = [ "gitlab-registry-cert.service" ];
};
# Enable Docker Registry, if GitLab-Container Registry is enabled
services.dockerRegistry = optionalAttrs cfg.registry.enable {
enable = true;
enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly
extraConfig = {
auth.token = {
realm = "http${if cfg.https == true then "s" else ""}://${cfg.host}/jwt/auth";
service = cfg.registry.serviceName;
issuer = cfg.registry.issuer;
rootcertbundle = cfg.registry.certFile;
};
};
};
# Use postfix to send out mails.
services.postfix.enable = mkDefault (cfg.smtp.enable && cfg.smtp.address == "localhost");
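Review bot: `ConditionPathExists` sits under `serviceConfig` in the gitlab-registry-cert unit, which NixOS renders into the [Service] section, whereas Condition*= directives belong to [Unit]; systemd will ignore the key there, so the guard never takes effect and the private key and certificate are regenerated every time the unit runs (it is pulled in through `wants` on each docker-registry start). Move it to `unitConfig.ConditionPathExists = "!${cfg.registry.certFile}";`. The CSR is written to the fixed path `/tmp/registry-auth.csr` in the shared /tmp; adding `serviceConfig.PrivateTmp = true;` (or using a `RuntimeDirectory`) keeps that intermediate file out of reach of other local users. In the options hunk, `certFile` and `keyFile` declare `types.path` with `default = null`, which the path type does not accept, so leaving them unset fails the type check instead of reading as "not configured" — `types.nullOr types.path` would match the intent, or the default should be dropped. The enclosing `config` attribute set starts outside the hunk.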