add gitlab

nixos/primordial/configuration.nix

@@ -8,13 +8,18 @@
     add_header Access-Control-Allow-Origin *;
     return 200 '${builtins.toJSON data}';
   '';
+  secretFile = name: config.sops.secrets.${name}.path;
 in {
   sops.defaultSopsFile = ./secrets.yaml;
-  sops.secrets."gitea.env" = {};
-  sops.secrets."keycloak_db_pw" = {};
   sops.secrets."restic_mail_repository_password" = {};
   sops.secrets."restic_ssh_key" = {};
   sops.secrets."act-runner-token" = {};
+  sops.secrets."gitlab-db-password".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-initial-root-pw".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-db-key-base".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-secret-key-base".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-otp-key-base".owner = config.users.users.gitlab.name;
+  sops.secrets."gitlab-jws-key-pem".owner = config.users.users.gitlab.name;
 
   imports = [
     ./mail.nix
@@ -81,6 +86,20 @@ in {
       '';
     };
 
+    gitlab = {
+      enable = true;
+      https = true;
+      host = "gitlab.fuckwit.dev";
+      databasePasswordFile = secretFile "gitlab-db-password";
+      initialRootPasswordFile = secretFile "gitlab-initial-root-pw";
+      secrets = {
+        secretFile = secretFile "gitlab-secret-key-base";
+        otpFile = secretFile "gitlab-otp-key-base";
+        dbFile = secretFile "gitlab-db-key-base";
+        jwsFile = secretFile "gitlab-jws-key-pem";
+      };
+    };
+
     matrix-synapse = {
       enable = true;
       settings.server_name = "fuckwit.dev";
@@ -186,13 +205,12 @@ in {
         };
       };
 
-      virtualHosts."sso.fuckwit.dev" = {
+      virtualHosts."gitlab.fuckwit.dev" = {
         enableACME = true;
-        addSSL = true;
+        forceSSL = true;
 
         locations."/" = {
-          proxyPass = "http://127.0.0.1:8004";
-          proxyWebsockets = true;
+          proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
         };
       };
 
@@ -284,34 +302,6 @@ in {
         };
       };
     };
-
-    # keycloak = {
-    #   enable = true;
-    #
-    #   database = {
-    #     type = "postgresql";
-    #     createLocally = true;
-    #     passwordFile = config.sops.secrets."keycloak_db_pw".path;
-    #   };
-    #
-    #   settings = {
-    #     hostname = "sso.fuckwit.dev";
-    #     http-host = "127.0.0.1";
-    #     http-port = 8004;
-    #     proxy = "edge";
-    #   };
-    # };
-
-    # drone-server = {
-    #   enable = true;
-    #   config = {
-    #     giteaServer = "https://git.fuckwit.dev";
-    #     serverHost = "drone.fuckwit.dev";
-    #     serverPort = ":8004";
-    #     serverProto = "https";
-    #   };
-    #   environmentFile = config.sops.secrets."gitea.env".path;
-    # };
   };
 
   virtualisation.podman.enable = true;