authortalyz <kim.lindberger@gmail.com>2019-08-07 11:26:08 +0200
committertalyz <kim.lindberger@gmail.com>2019-09-06 16:57:23 +0200
commit240649a5100fcb5ea6f18bc5bc87acc3ce216646 (patch)
tree809dafeac55f8b0c6d0be6301948789289624ea6 /nixos/modules
parent64358cb0e9dce1d2032e4feaae02f8f59d892b9d (diff)
nixos/gitlab: Extract arbitrary secrets from extraConfig
Adds the ability to make any parameter specified in extraConfig secret
by defining it an attrset containing the attr _secret, which in turn
is a path to a file containing the actual secret.
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/misc/gitlab.nix62
1 files changed, 53 insertions, 9 deletions
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index b4588fa67d80..9cb4b0d6884e 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, utils, ... }:
 
 # TODO: support non-postgresql
 
@@ -492,16 +492,56 @@ in {
       extraConfig = mkOption {
         type = types.attrs;
         default = {};
-        example = {
-          gitlab = {
-            default_projects_features = {
-              builds = false;
+        example = literalExample ''
+          {
+            gitlab = {
+              default_projects_features = {
+                builds = false;
+              };
+            };
+            omniauth = {
+              enabled = true;
+              auto_sign_in_with_provider = "openid_connect";
+              allow_single_sign_on = ["openid_connect"];
+              block_auto_created_users = false;
+              providers = [
+                {
+                  name = "openid_connect";
+                  label = "OpenID Connect";
+                  args = {
+                    name = "openid_connect";
+                    scope = ["openid" "profile"];
+                    response_type = "code";
+                    issuer = "https://keycloak.example.com/auth/realms/My%20Realm";
+                    discovery = true;
+                    client_auth_method = "query";
+                    uid_field = "preferred_username";
+                    client_options = {
+                      identifier = "gitlab";
+                      secret = { _secret = "/var/keys/gitlab_oidc_secret"; };
+                      redirect_uri = "https://git.example.com/users/auth/openid_connect/callback";
+                    };
+                  };
+                }
+              ];
             };
           };
-        };
+        '';
         description = ''
-          Extra options to be merged into config/gitlab.yml as nix
-          attribute set.
+          Extra options to be added under
+          <literal>production</literal> in
+          <filename>config/gitlab.yml</filename>, as a nix attribute
+          set.
+
+          Options containing secret data should be set to an attribute
+          set containing the attribute <literal>_secret</literal> - a
+          string pointing to a file containing the value the option
+          should be set to. See the example to get a better picture of
+          this: in the resulting
+          <filename>config/gitlab.yml</filename> file, the
+          <literal>production.omniauth.providers[0].args.client_options.secret</literal>
+          key will be set to the contents of the
+          <filename>/var/keys/gitlab_oidc_secret</filename> file.
         '';
       };
     };
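Review bot: The new description says the `_secret` attribute is "a string pointing to a file" but does not say why the string form matters: written as an unquoted Nix path literal instead, the file would be copied into the world-readable Nix store at evaluation time, which is exactly what the `_secret` indirection exists to avoid, and `types.attrs` gives no type-level protection against that mistake. I would add to the description: `The path must be given as a string (as in the example), not as a Nix path literal, so the secret file is not copied into the Nix store; the file is read when the service starts, so it must be readable by the service user at that point.` The "read when the service starts" part is inferred from the preStart snippet added later in this diff; adjust it if the file is resolved elsewhere. The `extraConfig` option and its enclosing attribute set continue outside this hunk.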
@@ -620,7 +660,6 @@ in {
 
       "L+ /run/gitlab/shell-config.yml - - - - ${pkgs.writeText "config.yml" (builtins.toJSON gitlabShellConfig)}"
 
-      "L+ ${cfg.statePath}/config/gitlab.yml - - - - ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)}"
       "L+ ${cfg.statePath}/config/unicorn.rb - - - - ${./defaultUnicornConfig.rb}"
       "L+ ${cfg.statePath}/config/initializers/extra-gitlab.rb - - - - ${extraGitlabRb}"
     ];
@@ -753,6 +792,11 @@ in {
             ''
           }
 
+          ${utils.genJqSecretsReplacementSnippet
+              gitlabConfig
+              "${cfg.statePath}/config/gitlab.yml"
+          }
+
           if [[ -h '${cfg.statePath}/config/secrets.yml' ]]; then
             rm '${cfg.statePath}/config/secrets.yml'
           fi
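Review bot: On systems upgraded from the previous revision, `${cfg.statePath}/config/gitlab.yml` already exists as a symlink into the store, created by the tmpfiles rule removed in the hunk at L104; unless `genJqSecretsReplacementSnippet` removes that link first (not visible on this page), a plain redirect into it would follow the link into the read-only store and fail at first start. The guard this hunk's context already uses for `secrets.yml` would cover that case if placed before the snippet: `if [[ -h '${cfg.statePath}/config/gitlab.yml' ]]; then rm '${cfg.statePath}/config/gitlab.yml'; fi`. The written file now contains the resolved secrets, and nothing in the hunk sets its mode, so its readability to other local users depends on the script's umask and the directory permissions; if the snippet does not restrict the mode itself, `chmod 600 '${cfg.statePath}/config/gitlab.yml'` after it would make the intent explicit. The preStart script this hunk belongs to starts before and continues after the hunk.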