author | Maciej Krüger <mkg20001@gmail.com> | 2021-06-09 23:19:25 +0200 |
committer | Maciej Krüger <mkg20001@gmail.com> | 2021-06-09 23:19:25 +0200 |
commit | f4ddc02b0e75fa051bebcc5b882443a3970ed7ac (patch) | |
tree | 6b00969e6426c08333d4c45ee6fc6e4b2ec8aa40 /nixos | |
parent | 7135ac0e005453a8e94854ded879fd1bcc741220 (diff) | |
nixos/gitlab: add container registry
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/misc/gitlab.nix | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 9f4af76b1cf..317b4a546da 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -140,6 +140,14 @@ let
 port = 3807;
 };
 };
+ registry = lib.optionalAttrs cfg.registry.enable {
+ enabled = true;
+ host = cfg.registry.externalAddress;
+ port = cfg.registry.externalPort;
+ key = cfg.registry.keyFile;
+ api_url = "http://${config.services.dockerRegistry.listenAddress}:${toString config.services.dockerRegistry.port}/";
+ issuer = "gitlab-issuer";
+ };
 extra = {};
 uploads.storage_path = cfg.statePath;
 };
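Review bot: `issuer = "gitlab-issuer";` in the new `registry` block is hard-coded, while the same commit declares `cfg.registry.issuer` and feeds it both to the registry's `auth.token.issuer` and to the certificate CN; the registry's token verifier compares the JWT `iss` claim against its configured issuer, so anyone who sets the option gets a registry that rejects every token GitLab signs. Use `issuer = cfg.registry.issuer;` here so the two sides cannot drift. Note also that `host` takes `cfg.registry.externalAddress`, whose default is the empty string, so enabling the registry without setting it makes GitLab advertise image paths with no hostname, and `api_url` is plain `http://` to the registry's listen address, which is only acceptable while that address stays on loopback — worth a sentence in the option description. The enclosing `let` binding starts before this hunk.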
@@ -516,6 +524,58 @@ in {
 '';
 };
+ registry = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable GitLab container registry.";
+ };
+ host = mkOption {
+ type = types.str;
+ default = config.services.gitlab.host;
+ description = "GitLab container registry host name.";
+ };
+ port = mkOption {
+ type = types.int;
+ default = 4567;
+ description = "GitLab container registry port.";
+ };
+ certFile = mkOption {
+ type = types.path;
+ default = null;
+ description = "Path to GitLab container registry certificate.";
+ };
+ keyFile = mkOption {
+ type = types.path;
+ default = null;
+ description = "Path to GitLab container registry certificate-key.";
+ };
+ defaultForProjects = mkOption {
+ type = types.bool;
+ default = cfg.registry.enable;
+ description = "If GitLab container registry should be enabled by default for projects.";
+ };
+ issuer = mkOption {
+ type = types.str;
+ default = "gitlab-issuer";
+ description = "GitLab container registry issuer.";
+ };
+ serviceName = mkOption {
+ type = types.str;
+ default = "container_registry";
+ description = "GitLab container registry service name.";
+ };
+ externalAddress = mkOption {
+ type = types.str;
+ default = "";
+ description = "External address used to access registry from the internet";
+ };
+ externalPort = mkOption {
+ type = types.int;
+ description = "External port used to access registry from the internet";
+ };
+ };
+
 smtp = {
 enable = mkOption {
 type = types.bool;
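Review bot: `certFile` and `keyFile` are declared `types.path` with `default = null`, and `null` does not pass the `types.path` check, so evaluation fails as soon as `registry.enable = true` unless both are set explicitly, even though the commit generates the files itself. Give them real defaults, e.g. `default = "${cfg.statePath}/registry-auth.key";` and `default = "${cfg.statePath}/registry-auth.crt";` (or `types.nullOr types.path` with a fallback where they are consumed); whichever location is chosen, the certificate must be readable by the registry process while the key must stay private to GitLab. The `keyFile` description should also say what the file is, since it is the secret that authorises all registry access: `"Path to the private key GitLab uses to sign registry JWT tokens. It grants access to every image in the registry and must be readable only by the GitLab user."`. Separately, `host` and `port` are declared here but nothing in this commit reads them — the registry configuration uses `externalAddress`/`externalPort` — so either wire them up or drop them, and `externalAddress` defaulting to `""` yields an unusable registry URL; consider `default = cfg.registry.host;` or making it required like `externalPort`.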
@@ -909,6 +969,44 @@ in {
 };
 };
+ systemd.services.gitlab-registry-cert = optionalAttrs cfg.registry.enable {
+ path = with pkgs; [ openssl ];
+
+ script = ''
+ mkdir -p $(dirname ${cfg.registry.keyFile})
+ mkdir -p $(dirname ${cfg.registry.certFile})
+ openssl req -nodes -newkey rsa:4096 -keyout ${cfg.registry.keyFile} -out /tmp/registry-auth.csr -subj "/CN=${cfg.registry.issuer}"
+ openssl x509 -in /tmp/registry-auth.csr -out ${cfg.registry.certFile} -req -signkey ${cfg.registry.keyFile} -days 3650
+ chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.keyFile})
+ chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.certFile})
+ chown ${cfg.user}:${cfg.group} ${cfg.registry.keyFile}
+ chown ${cfg.user}:${cfg.group} ${cfg.registry.certFile}
+ '';
+
+ serviceConfig = {
+ ConditionPathExists = "!${cfg.registry.certFile}";
+ };
+ };
+
+ # Ensure Docker Registry launches after the certificate generation job
+ systemd.services.docker-registry = optionalAttrs cfg.registry.enable {
+ wants = [ "gitlab-registry-cert.service" ];
+ };
+
+ # Enable Docker Registry, if GitLab-Container Registry is enabled
+ services.dockerRegistry = optionalAttrs cfg.registry.enable {
+ enable = true;
+ enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly
+ extraConfig = {
+ auth.token = {
+ realm = "http${if cfg.https == true then "s" else ""}://${cfg.host}/jwt/auth";
+ service = cfg.registry.serviceName;
+ issuer = cfg.registry.issuer;
+ rootcertbundle = cfg.registry.certFile;
+ };
+ };
+ };
+
 # Use postfix to send out mails.
 services.postfix.enable = mkDefault (cfg.smtp.enable && cfg.smtp.address == "localhost"); |