|
|
|
@ -140,6 +140,14 @@ let |
|
|
|
|
port = 3807; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
registry = lib.optionalAttrs cfg.registry.enable { |
|
|
|
|
enabled = true; |
|
|
|
|
host = cfg.registry.externalAddress; |
|
|
|
|
port = cfg.registry.externalPort; |
|
|
|
|
key = cfg.registry.keyFile; |
|
|
|
|
api_url = "http://${config.services.dockerRegistry.listenAddress}:${toString config.services.dockerRegistry.port}/"; |
|
|
|
|
issuer = "gitlab-issuer"; |
|
|
|
|
}; |
|
|
|
|
extra = {}; |
|
|
|
|
uploads.storage_path = cfg.statePath; |
|
|
|
|
}; |
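Review bot: `api_url` is assembled from `services.dockerRegistry.listenAddress`, which is the registry's bind address rather than an address GitLab can connect to: a wildcard bind such as `0.0.0.0` yields an unusable URL, and a non-loopback bind sends GitLab's registry API calls over plain `http://` to that interface. The visible code gives no hint that loopback is assumed, so either document that assumption next to the line, `# dockerRegistry must listen on loopback: GitLab talks to its API over plain HTTP`, or derive the URL from a dedicated option. `host = cfg.registry.externalAddress` passes the option's empty-string default straight into the registry config when the user forgets to set it, which is caught nowhere in this hunk; the enclosing attribute set starts before the hunk.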
|
|
|
@ -516,6 +524,58 @@ in { |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
registry = { |
|
|
|
|
enable = mkOption { |
|
|
|
|
type = types.bool; |
|
|
|
|
default = false; |
|
|
|
|
description = "Enable GitLab container registry."; |
|
|
|
|
}; |
|
|
|
|
host = mkOption { |
|
|
|
|
type = types.str; |
|
|
|
|
default = config.services.gitlab.host; |
|
|
|
|
description = "GitLab container registry host name."; |
|
|
|
|
}; |
|
|
|
|
port = mkOption { |
|
|
|
|
type = types.int; |
|
|
|
|
default = 4567; |
|
|
|
|
description = "GitLab container registry port."; |
|
|
|
|
}; |
|
|
|
|
certFile = mkOption { |
|
|
|
|
type = types.path; |
|
|
|
|
default = null; |
|
|
|
|
description = "Path to GitLab container registry certificate."; |
|
|
|
|
}; |
|
|
|
|
keyFile = mkOption { |
|
|
|
|
type = types.path; |
|
|
|
|
default = null; |
|
|
|
|
description = "Path to GitLab container registry certificate-key."; |
|
|
|
|
}; |
|
|
|
|
defaultForProjects = mkOption { |
|
|
|
|
type = types.bool; |
|
|
|
|
default = cfg.registry.enable; |
|
|
|
|
description = "If GitLab container registry should be enabled by default for projects."; |
|
|
|
|
}; |
|
|
|
|
issuer = mkOption { |
|
|
|
|
type = types.str; |
|
|
|
|
default = "gitlab-issuer"; |
|
|
|
|
description = "GitLab container registry issuer."; |
|
|
|
|
}; |
|
|
|
|
serviceName = mkOption { |
|
|
|
|
type = types.str; |
|
|
|
|
default = "container_registry"; |
|
|
|
|
description = "GitLab container registry service name."; |
|
|
|
|
}; |
|
|
|
|
externalAddress = mkOption { |
|
|
|
|
type = types.str; |
|
|
|
|
default = ""; |
|
|
|
|
description = "External address used to access registry from the internet"; |
|
|
|
|
}; |
|
|
|
|
externalPort = mkOption { |
|
|
|
|
type = types.int; |
|
|
|
|
description = "External port used to access registry from the internet"; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
smtp = { |
|
|
|
|
enable = mkOption { |
|
|
|
|
type = types.bool; |
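Review bot: `certFile` and `keyFile` declare `type = types.path` with `default = null`, but `null` is not a member of `types.path`, so a user who enables the registry without setting them gets a type-check failure on the option instead of a message naming the missing setting; either drop the default so the evaluator reports the undefined option, or declare `type = types.nullOr types.path;` and assert it is set when `cfg.registry.enable` is true. `externalAddress` defaults to `""` and is what the first hunk writes as the registry host, so an assertion that it is non-empty when the registry is enabled belongs next to the same check. The descriptions of `externalAddress` and `externalPort` lack the trailing period the other options in this hunk use. `host` and `port` are declared here but the visible config reads only `externalAddress`/`externalPort`; if nothing outside this diff uses them, one of the two pairs is redundant. The enclosing `options` set continues past the hunk.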
|
|
|
@ -909,6 +969,44 @@ in { |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
systemd.services.gitlab-registry-cert = optionalAttrs cfg.registry.enable { |
|
|
|
|
path = with pkgs; [ openssl ]; |
|
|
|
|
|
|
|
|
|
script = '' |
|
|
|
|
mkdir -p $(dirname ${cfg.registry.keyFile}) |
|
|
|
|
mkdir -p $(dirname ${cfg.registry.certFile}) |
|
|
|
|
openssl req -nodes -newkey rsa:4096 -keyout ${cfg.registry.keyFile} -out /tmp/registry-auth.csr -subj "/CN=${cfg.registry.issuer}" |
|
|
|
|
openssl x509 -in /tmp/registry-auth.csr -out ${cfg.registry.certFile} -req -signkey ${cfg.registry.keyFile} -days 3650 |
|
|
|
|
chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.keyFile}) |
|
|
|
|
chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.certFile}) |
|
|
|
|
chown ${cfg.user}:${cfg.group} ${cfg.registry.keyFile} |
|
|
|
|
chown ${cfg.user}:${cfg.group} ${cfg.registry.certFile} |
|
|
|
|
''; |
|
|
|
|
|
|
|
|
|
serviceConfig = { |
|
|
|
|
ConditionPathExists = "!${cfg.registry.certFile}"; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
# Ensure Docker Registry launches after the certificate generation job |
|
|
|
|
systemd.services.docker-registry = optionalAttrs cfg.registry.enable { |
|
|
|
|
wants = [ "gitlab-registry-cert.service" ]; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
# Enable Docker Registry, if GitLab-Container Registry is enabled |
|
|
|
|
services.dockerRegistry = optionalAttrs cfg.registry.enable { |
|
|
|
|
enable = true; |
|
|
|
|
enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly |
|
|
|
|
extraConfig = { |
|
|
|
|
auth.token = { |
|
|
|
|
realm = "http${if cfg.https == true then "s" else ""}://${cfg.host}/jwt/auth"; |
|
|
|
|
service = cfg.registry.serviceName; |
|
|
|
|
issuer = cfg.registry.issuer; |
|
|
|
|
rootcertbundle = cfg.registry.certFile; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
# Use postfix to send out mails. |
|
|
|
|
services.postfix.enable = mkDefault (cfg.smtp.enable && cfg.smtp.address == "localhost"); |
|
|
|
|
|
|
|
|
|