nixos/gitlab: Extract arbitrary secrets from extraConfig
Adds the ability to make any parameter specified in extraConfig secret by defining it as an attrset containing the attribute _secret, whose value is the path to a file containing the actual secret.
This commit is contained in:
		
							parent
							
								
									64358cb0e9
								
							
						
					
					
						commit
						240649a510
					
				| @ -1,4 +1,4 @@ | |||||||
| { config, lib, pkgs, ... }: | { config, lib, pkgs, utils, ... }: | ||||||
| 
 | 
 | ||||||
| # TODO: support non-postgresql | # TODO: support non-postgresql | ||||||
| 
 | 
 | ||||||
| @ -492,16 +492,56 @@ in { | |||||||
|       extraConfig = mkOption { |       extraConfig = mkOption { | ||||||
|         type = types.attrs; |         type = types.attrs; | ||||||
|         default = {}; |         default = {}; | ||||||
|         example = { |         example = literalExample '' | ||||||
|           gitlab = { |           { | ||||||
|             default_projects_features = { |             gitlab = { | ||||||
|               builds = false; |               default_projects_features = { | ||||||
|  |                 builds = false; | ||||||
|  |               }; | ||||||
|  |             }; | ||||||
|  |             omniauth = { | ||||||
|  |               enabled = true; | ||||||
|  |               auto_sign_in_with_provider = "openid_connect"; | ||||||
|  |               allow_single_sign_on = ["openid_connect"]; | ||||||
|  |               block_auto_created_users = false; | ||||||
|  |               providers = [ | ||||||
|  |                 { | ||||||
|  |                   name = "openid_connect"; | ||||||
|  |                   label = "OpenID Connect"; | ||||||
|  |                   args = { | ||||||
|  |                     name = "openid_connect"; | ||||||
|  |                     scope = ["openid" "profile"]; | ||||||
|  |                     response_type = "code"; | ||||||
|  |                     issuer = "https://keycloak.example.com/auth/realms/My%20Realm"; | ||||||
|  |                     discovery = true; | ||||||
|  |                     client_auth_method = "query"; | ||||||
|  |                     uid_field = "preferred_username"; | ||||||
|  |                     client_options = { | ||||||
|  |                       identifier = "gitlab"; | ||||||
|  |                       secret = { _secret = "/var/keys/gitlab_oidc_secret"; }; | ||||||
|  |                       redirect_uri = "https://git.example.com/users/auth/openid_connect/callback"; | ||||||
|  |                     }; | ||||||
|  |                   }; | ||||||
|  |                 } | ||||||
|  |               ]; | ||||||
|             }; |             }; | ||||||
|           }; |           }; | ||||||
|         }; |         ''; | ||||||
|         description = '' |         description = '' | ||||||
|           Extra options to be merged into config/gitlab.yml as nix |           Extra options to be added under | ||||||
|           attribute set. |           <literal>production</literal> in | ||||||
|  |           <filename>config/gitlab.yml</filename>, as a nix attribute | ||||||
|  |           set. | ||||||
|  | 
 | ||||||
|  |           Options containing secret data should be set to an attribute | ||||||
|  |           set containing the attribute <literal>_secret</literal> - a | ||||||
|  |           string pointing to a file containing the value the option | ||||||
|  |           should be set to. See the example to get a better picture of | ||||||
|  |           this: in the resulting | ||||||
|  |           <filename>config/gitlab.yml</filename> file, the | ||||||
|  |           <literal>production.omniauth.providers[0].args.client_options.secret</literal> | ||||||
|  |           key will be set to the contents of the | ||||||
|  |           <filename>/var/keys/gitlab_oidc_secret</filename> file. | ||||||
|         ''; |         ''; | ||||||
|       }; |       }; | ||||||
|     }; |     }; | ||||||
| @ -620,7 +660,6 @@ in { | |||||||
| 
 | 
 | ||||||
|       "L+ /run/gitlab/shell-config.yml - - - - ${pkgs.writeText "config.yml" (builtins.toJSON gitlabShellConfig)}" |       "L+ /run/gitlab/shell-config.yml - - - - ${pkgs.writeText "config.yml" (builtins.toJSON gitlabShellConfig)}" | ||||||
| 
 | 
 | ||||||
|       "L+ ${cfg.statePath}/config/gitlab.yml - - - - ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)}" |  | ||||||
|       "L+ ${cfg.statePath}/config/unicorn.rb - - - - ${./defaultUnicornConfig.rb}" |       "L+ ${cfg.statePath}/config/unicorn.rb - - - - ${./defaultUnicornConfig.rb}" | ||||||
|       "L+ ${cfg.statePath}/config/initializers/extra-gitlab.rb - - - - ${extraGitlabRb}" |       "L+ ${cfg.statePath}/config/initializers/extra-gitlab.rb - - - - ${extraGitlabRb}" | ||||||
|     ]; |     ]; | ||||||
| @ -753,6 +792,11 @@ in { | |||||||
|             '' |             '' | ||||||
|           } |           } | ||||||
| 
 | 
 | ||||||
|  |           ${utils.genJqSecretsReplacementSnippet | ||||||
|  |               gitlabConfig | ||||||
|  |               "${cfg.statePath}/config/gitlab.yml" | ||||||
|  |           } | ||||||
|  | 
 | ||||||
|           if [[ -h '${cfg.statePath}/config/secrets.yml' ]]; then |           if [[ -h '${cfg.statePath}/config/secrets.yml' ]]; then | ||||||
|             rm '${cfg.statePath}/config/secrets.yml' |             rm '${cfg.statePath}/config/secrets.yml' | ||||||
|           fi |           fi | ||||||
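Review bot: The rendered `${cfg.statePath}/config/gitlab.yml` now holds the resolved secrets in plaintext, but nothing in this hunk constrains the mode of the file jq writes — it is created with whatever umask the surrounding preStart script inherits and there is no chmod/chown after the snippet, so unless `utils.genJqSecretsReplacementSnippet` or code outside the hunk tightens it, the file could end up group- or world-readable. Consider guarding the write with `umask 077` on the line before the snippet and handing the file to the service user afterwards (or confirming that a later ownership fixup in preStart already covers it). The `_secret` files themselves must be readable by whichever user runs preStart, which is worth a sentence in the extraConfig description, alongside a warning that `_secret` must be a string path rather than a Nix path literal, since a path literal is copied into the world-readable store at evaluation time and defeats the purpose of the feature. The preStart script containing this snippet begins and ends outside the hunk.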
|  | |||||||
	 talyz
						talyz