nixos/gitlab: add container registry

wip/nixpkgs-raku
Maciej Krüger 3 years ago
parent 7135ac0e00
commit f4ddc02b0e
No known key found for this signature in database
GPG Key ID: 0D948CE19CF49C5F
  1. 98
      nixos/modules/services/misc/gitlab.nix

@ -140,6 +140,14 @@ let
port = 3807;
};
};
registry = lib.optionalAttrs cfg.registry.enable {
enabled = true;
host = cfg.registry.externalAddress;
port = cfg.registry.externalPort;
key = cfg.registry.keyFile;
api_url = "http://${config.services.dockerRegistry.listenAddress}:${toString config.services.dockerRegistry.port}/";
issuer = "gitlab-issuer";
};
extra = {};
uploads.storage_path = cfg.statePath;
};
@ -516,6 +524,58 @@ in {
'';
};
registry = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable GitLab container registry.";
};
host = mkOption {
type = types.str;
default = config.services.gitlab.host;
description = "GitLab container registry host name.";
};
port = mkOption {
type = types.int;
default = 4567;
description = "GitLab container registry port.";
};
certFile = mkOption {
type = types.path;
default = null;
description = "Path to GitLab container registry certificate.";
};
keyFile = mkOption {
type = types.path;
default = null;
description = "Path to GitLab container registry certificate-key.";
};
defaultForProjects = mkOption {
type = types.bool;
default = cfg.registry.enable;
description = "If GitLab container registry should be enabled by default for projects.";
};
issuer = mkOption {
type = types.str;
default = "gitlab-issuer";
description = "GitLab container registry issuer.";
};
serviceName = mkOption {
type = types.str;
default = "container_registry";
description = "GitLab container registry service name.";
};
externalAddress = mkOption {
type = types.str;
default = "";
description = "External address used to access registry from the internet";
};
externalPort = mkOption {
type = types.int;
description = "External port used to access registry from the internet";
};
};
smtp = {
enable = mkOption {
type = types.bool;
@ -909,6 +969,44 @@ in {
};
};
systemd.services.gitlab-registry-cert = optionalAttrs cfg.registry.enable {
path = with pkgs; [ openssl ];
script = ''
mkdir -p $(dirname ${cfg.registry.keyFile})
mkdir -p $(dirname ${cfg.registry.certFile})
openssl req -nodes -newkey rsa:4096 -keyout ${cfg.registry.keyFile} -out /tmp/registry-auth.csr -subj "/CN=${cfg.registry.issuer}"
openssl x509 -in /tmp/registry-auth.csr -out ${cfg.registry.certFile} -req -signkey ${cfg.registry.keyFile} -days 3650
chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.keyFile})
chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.certFile})
chown ${cfg.user}:${cfg.group} ${cfg.registry.keyFile}
chown ${cfg.user}:${cfg.group} ${cfg.registry.certFile}
'';
serviceConfig = {
ConditionPathExists = "!${cfg.registry.certFile}";
};
};
# Ensure Docker Registry launches after the certificate generation job
systemd.services.docker-registry = optionalAttrs cfg.registry.enable {
wants = [ "gitlab-registry-cert.service" ];
};
# Enable Docker Registry, if GitLab-Container Registry is enabled
services.dockerRegistry = optionalAttrs cfg.registry.enable {
enable = true;
enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly
extraConfig = {
auth.token = {
realm = "http${if cfg.https == true then "s" else ""}://${cfg.host}/jwt/auth";
service = cfg.registry.serviceName;
issuer = cfg.registry.issuer;
rootcertbundle = cfg.registry.certFile;
};
};
};
# Use postfix to send out mails.
services.postfix.enable = mkDefault (cfg.smtp.enable && cfg.smtp.address == "localhost");
