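# NixOS module: self-hosted GitLab EE running as an OCI container, fronted by
# nginx with ACME-issued TLS, plus a local gitlab-runner that registers from an
# agenix-decrypted config file.
#
# Module arguments:
#   secrets     - directory holding the *.age secret files
#   config      - the evaluated system configuration (used for the decrypted
#                 secret path)
#   fqdn        - base domain; GitLab is served as gitlab.<fqdn>
#   specialArgs - accepted but not used in this module
{ secrets, config, specialArgs, fqdn, ... }:
let
  # Host directory holding all GitLab state (config, logs, data).
  gitlab_home = "/var/lib/gitlab";
  gitlab_host = "gitlab.${fqdn}";
in
{
  # Keep GitLab state across reboots (impermanence-style root).
  # NOTE(security): ${gitlab_home}/config holds gitlab-secrets.json (database
  # and OTP encryption keys) and the TLS/SSH host keys; any backup or snapshot
  # of this directory is as sensitive as the instance itself.
  environment.persistence.save.directories = [ gitlab_home ];

  # One-shot timer: 30s after activation, (re)start the GitLab container so it
  # comes up after docker and the network are ready.
  systemd.timers.delay-gitlab-start = {
    after = [ "docker.service" "docker.socket" "network-online.target" ];
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnActiveSec = "30sec";
      Unit = "docker-gitlab.service";
    };
  };

  virtualisation.oci-containers.containers.gitlab = {
    # TODO(security): pin to a specific release and digest
    # (gitlab/gitlab-ee:<version>@sha256:...). With `:latest` and
    # `--pull=always` below, every container restart may silently move the
    # instance to a new, unreviewed release.
    image = "gitlab/gitlab-ee:latest";
    # NOTE: autoStart also makes docker-gitlab.service wanted by
    # multi-user.target, so the timer above issues a second start request 30s
    # later rather than delaying the first one. If the intent is a real delay,
    # this would need to be false; left unchanged to preserve behaviour.
    autoStart = true;
    ports = [
      # Web UI bound to loopback only; nginx below is the sole public HTTP path.
      "127.0.0.1:8080:80"
      # Git over SSH, bound on every interface (firewall opened below).
      "2222:22"
    ];
    volumes = [
      "${gitlab_home}/config:/etc/gitlab"
      "${gitlab_home}/logs:/var/log/gitlab"
      "${gitlab_home}/data:/var/opt/gitlab"
    ];
    extraOptions = [
      "--shm-size=256m"
      "--hostname=${gitlab_host}"
      "--pull=always"
    ];
  };

  # Order the container service after the delay timer. The previous value was
  # "delay-gitlab.timer", a unit that does not exist (the timer defined above is
  # delay-gitlab-start); systemd silently ignores After= on unknown units, so
  # the ordering never applied.
  systemd.services.docker-gitlab.after = [ "delay-gitlab-start.timer" ];

  # Only the git-ssh port is exposed; 8080 stays loopback-only.
  networking.firewall.allowedTCPPorts = [ 2222 ];

  # Runner registration config (contains the registration token), decrypted by
  # agenix at activation and never stored in the Nix store.
  age.secrets.gitlab-runner-reg-config.file = "${secrets}/gitlab-runner-reg-config.age";

  # NOTE(security): a runner with the docker executor talks to the host Docker
  # socket; anyone who can run a pipeline on projects this runner serves can
  # reach that socket — presumably a single-tenant host, confirm.
  services.gitlab-runner = {
    enable = true;
    services.default = {
      registrationConfigFile = config.age.secrets.gitlab-runner-reg-config.path;
      # Default job image; unpinned, so jobs may see a different alpine over time.
      dockerImage = "alpine";
      tagList = [ "alpine" "default" ];
    };
  };

  # TLS termination for the web UI. GitLab itself is reached over plain HTTP on
  # loopback, so it must be told it sits behind TLS (external_url https://… in
  # gitlab.rb and X-Forwarded-Proto from nginx) — NOTE(review): confirm
  # recommendedProxySettings or equivalent headers are set elsewhere.
  services.nginx.virtualHosts."${gitlab_host}" = {
    locations."/".proxyPass = "http://127.0.0.1:8080";
    forceSSL = true;
    enableACME = true;
  };
}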