Loading nixos/modules/services/misc/gitlab.nix +140 −29 Original line number Diff line number Diff line Loading @@ -88,11 +88,6 @@ let }; }; pagesArgs = [ "-pages-domain" gitlabConfig.production.pages.host "-pages-root" "${gitlabConfig.production.shared.path}/pages" ] ++ cfg.pagesExtraArgs; gitlabConfig = { # These are the default settings from config/gitlab.example.yml production = flip recursiveUpdate cfg.extraConfig { Loading Loading @@ -160,6 +155,12 @@ let }; extra = {}; uploads.storage_path = cfg.statePath; pages = { enabled = cfg.pages.enable; port = 8090; host = cfg.pages.settings.pages-domain; secret_file = cfg.pages.settings.api-secret-key; }; }; }; Loading Loading @@ -245,6 +246,7 @@ in { (mkRenamedOptionModule [ "services" "gitlab" "backupPath" ] [ "services" "gitlab" "backup" "path" ]) (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "") (mkRemovedOptionModule [ "services" "gitlab" "logrotate" "extraConfig" ] "Modify services.logrotate.settings.gitlab directly instead") (mkRemovedOptionModule [ "services" "gitlab" "pagesExtraArgs" ] "Use services.gitlab.pages.settings instead") ]; options = { Loading Loading 
@@ -666,10 +668,107 @@ in { }; }; pagesExtraArgs = mkOption { type = types.listOf types.str; default = [ "-listen-proxy" "127.0.0.1:8090" ]; description = lib.mdDoc "Arguments to pass to the gitlab-pages daemon"; pages.enable = mkEnableOption (lib.mdDoc "the GitLab Pages service"); pages.settings = mkOption { description = lib.mdDoc '' Configuration options to set in the GitLab Pages config file. ''; type = types.submodule { freeformType = with types; attrsOf (nullOr (oneOf [ str int bool ])); options = { listen-http = mkOption { type = with types; listOf str; apply = x: if x == [] then null else lib.concatStringsSep "," x; default = []; description = lib.mdDoc '' The address(es) to listen on for HTTP requests. ''; }; listen-https = mkOption { type = with types; listOf str; apply = x: if x == [] then null else lib.concatStringsSep "," x; default = []; description = lib.mdDoc '' The address(es) to listen on for HTTPS requests. ''; }; listen-proxy = mkOption { type = with types; listOf str; apply = x: if x == [] then null else lib.concatStringsSep "," x; default = [ "127.0.0.1:8090" ]; description = lib.mdDoc '' The address(es) to listen on for proxy requests. ''; }; artifacts-server = mkOption { type = with types; nullOr str; default = "http${optionalString cfg.https "s"}://${cfg.host}/api/v4"; defaultText = "http(s)://<services.gitlab.host>/api/v4"; example = "https://gitlab.example.com/api/v4"; description = lib.mdDoc '' API URL to proxy artifact requests to. ''; }; gitlab-server = mkOption { type = with types; nullOr str; default = "http${optionalString cfg.https "s"}://${cfg.host}"; defaultText = "http(s)://<services.gitlab.host>"; example = "https://gitlab.example.com"; description = lib.mdDoc '' Public GitLab server URL. 
''; }; internal-gitlab-server = mkOption { type = with types; nullOr str; default = null; defaultText = "http(s)://<services.gitlab.host>"; example = "https://gitlab.example.internal"; description = lib.mdDoc '' Internal GitLab server used for API requests, useful if you want to send that traffic over an internal load balancer. By default, the value of `services.gitlab.pages.settings.gitlab-server` is used. ''; }; api-secret-key = mkOption { type = with types; nullOr str; default = "${cfg.statePath}/gitlab_pages_secret"; internal = true; description = lib.mdDoc '' File with secret key used to authenticate with the GitLab API. ''; }; pages-domain = mkOption { type = with types; nullOr str; example = "example.com"; description = lib.mdDoc '' The domain to serve static pages on. ''; }; pages-root = mkOption { type = types.str; default = "${gitlabConfig.production.shared.path}/pages"; defaultText = literalExpression ''config.${opt.extraConfig}.production.shared.path + "/pages"''; description = lib.mdDoc '' The directory where pages are stored. ''; }; }; }; }; secrets.secretFile = mkOption { Loading Loading @@ -1209,6 +1308,9 @@ in { umask u=rwx,g=,o= openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret ${optionalString cfg.pages.enable '' openssl rand -base64 32 > ${cfg.pages.settings.api-secret-key} ''} rm -f '${cfg.statePath}/config/database.yml' Loading Loading 
@@ -1357,10 +1459,19 @@ in { }; }; systemd.services.gitlab-pages = mkIf (gitlabConfig.production.pages.enabled or false) { services.gitlab.pages.settings = { api-secret-key = "${cfg.statePath}/gitlab_pages_secret"; }; systemd.services.gitlab-pages = let filteredConfig = filterAttrs (_: v: v != null) cfg.pages.settings; configFile = pkgs.writeText "gitlab-pages.conf" (lib.generators.toKeyValue {} filteredConfig); in mkIf cfg.pages.enable { description = "GitLab static pages daemon"; after = [ "network.target" "gitlab-config.service" ]; bindsTo = [ "gitlab-config.service" ]; after = [ "network.target" "gitlab-config.service" "gitlab.service" ]; bindsTo = [ "gitlab-config.service" "gitlab.service" ]; wantedBy = [ "gitlab.target" ]; partOf = [ "gitlab.target" ]; Loading @@ -1374,7 +1485,7 @@ in { User = cfg.user; Group = cfg.group; ExecStart = "${cfg.packages.pages}/bin/gitlab-pages ${escapeShellArgs pagesArgs}"; ExecStart = "${cfg.packages.pages}/bin/gitlab-pages -config=${configFile}"; WorkingDirectory = gitlabEnv.HOME; }; }; Loading nixos/tests/gitlab.nix +5 −7 Original line number Diff line number Diff line Loading @@ -69,6 +69,10 @@ in { databasePasswordFile = pkgs.writeText "dbPassword" "xo0daiF4"; initialRootPasswordFile = pkgs.writeText "rootPassword" initialRootPassword; smtp.enable = true; pages = { enable = true; settings.pages-domain = "localhost"; }; extraConfig = { incoming_email = { enabled = true; Loading @@ -79,11 +83,6 @@ in { host = "localhost"; port = 143; }; # https://github.com/NixOS/nixpkgs/issues/132295 # pages = { # enabled = true; # host = "localhost"; # }; }; secrets = { secretFile = pkgs.writeText "secret" "Aig5zaic"; Loading Loading 
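Review bot: The generated `gitlab-pages.conf` is built with `pkgs.writeText`, so every value in `services.gitlab.pages.settings` lands in the world-readable Nix store, and the `freeformType` accepts arbitrary string keys without saying so. The declared `api-secret-key` is fine because it holds a path, but gitlab-pages settings that carry the secret itself, such as `auth-secret` or `auth-client-secret`, would be readable by every local user if set here. The `pages.settings` description should state this, for example `Values are written to a world-readable file in the Nix store; do not set options that carry a secret value here.` Separately, `api-secret-key` is typed `nullOr str` yet is interpolated in `openssl rand -base64 32 > ${cfg.pages.settings.api-secret-key}`, so `null` would fail evaluation with a coercion error. `types.str` would match how it is used, and quoting the redirect target as the nearby `rm -f '...'` line does would keep an unusual path from being word-split.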
@@ -171,10 +170,9 @@ in { waitForServices = '' gitlab.wait_for_unit("gitaly.service") gitlab.wait_for_unit("gitlab-workhorse.service") # https://github.com/NixOS/nixpkgs/issues/132295 # gitlab.wait_for_unit("gitlab-pages.service") gitlab.wait_for_unit("gitlab-mailroom.service") gitlab.wait_for_unit("gitlab.service") gitlab.wait_for_unit("gitlab-pages.service") gitlab.wait_for_unit("gitlab-sidekiq.service") gitlab.wait_for_file("${nodes.gitlab.config.services.gitlab.statePath}/tmp/sockets/gitlab.socket") gitlab.wait_until_succeeds("curl -sSf http://gitlab/users/sign_in") Loading Loading
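Review bot: `gitlab.wait_for_unit("gitlab-pages.service")` only shows that the unit reached the active state; nothing in `waitForServices` checks that the daemon is listening on the default `listen-proxy` address or that the generated API secret is private. Adding `gitlab.wait_for_open_port(8090)` after it would catch a config file the daemon rejects shortly after start. A `gitlab.succeed(...)` asserting owner-only mode on `gitlab_pages_secret` under `statePath` would pin the `umask u=rwx,g=,o=` behaviour the module relies on. The rest of the test script lies outside this hunk, so an equivalent check may already exist there.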
nixos/modules/services/misc/gitlab.nix +140 −29 Original line number Diff line number Diff line Loading @@ -88,11 +88,6 @@ let }; }; pagesArgs = [ "-pages-domain" gitlabConfig.production.pages.host "-pages-root" "${gitlabConfig.production.shared.path}/pages" ] ++ cfg.pagesExtraArgs; gitlabConfig = { # These are the default settings from config/gitlab.example.yml production = flip recursiveUpdate cfg.extraConfig { Loading Loading @@ -160,6 +155,12 @@ let }; extra = {}; uploads.storage_path = cfg.statePath; pages = { enabled = cfg.pages.enable; port = 8090; host = cfg.pages.settings.pages-domain; secret_file = cfg.pages.settings.api-secret-key; }; }; }; Loading Loading @@ -245,6 +246,7 @@ in { (mkRenamedOptionModule [ "services" "gitlab" "backupPath" ] [ "services" "gitlab" "backup" "path" ]) (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "") (mkRemovedOptionModule [ "services" "gitlab" "logrotate" "extraConfig" ] "Modify services.logrotate.settings.gitlab directly instead") (mkRemovedOptionModule [ "services" "gitlab" "pagesExtraArgs" ] "Use services.gitlab.pages.settings instead") ]; options = { Loading Loading 
@@ -666,10 +668,107 @@ in { }; }; pagesExtraArgs = mkOption { type = types.listOf types.str; default = [ "-listen-proxy" "127.0.0.1:8090" ]; description = lib.mdDoc "Arguments to pass to the gitlab-pages daemon"; pages.enable = mkEnableOption (lib.mdDoc "the GitLab Pages service"); pages.settings = mkOption { description = lib.mdDoc '' Configuration options to set in the GitLab Pages config file. ''; type = types.submodule { freeformType = with types; attrsOf (nullOr (oneOf [ str int bool ])); options = { listen-http = mkOption { type = with types; listOf str; apply = x: if x == [] then null else lib.concatStringsSep "," x; default = []; description = lib.mdDoc '' The address(es) to listen on for HTTP requests. ''; }; listen-https = mkOption { type = with types; listOf str; apply = x: if x == [] then null else lib.concatStringsSep "," x; default = []; description = lib.mdDoc '' The address(es) to listen on for HTTPS requests. ''; }; listen-proxy = mkOption { type = with types; listOf str; apply = x: if x == [] then null else lib.concatStringsSep "," x; default = [ "127.0.0.1:8090" ]; description = lib.mdDoc '' The address(es) to listen on for proxy requests. ''; }; artifacts-server = mkOption { type = with types; nullOr str; default = "http${optionalString cfg.https "s"}://${cfg.host}/api/v4"; defaultText = "http(s)://<services.gitlab.host>/api/v4"; example = "https://gitlab.example.com/api/v4"; description = lib.mdDoc '' API URL to proxy artifact requests to. ''; }; gitlab-server = mkOption { type = with types; nullOr str; default = "http${optionalString cfg.https "s"}://${cfg.host}"; defaultText = "http(s)://<services.gitlab.host>"; example = "https://gitlab.example.com"; description = lib.mdDoc '' Public GitLab server URL. 
''; }; internal-gitlab-server = mkOption { type = with types; nullOr str; default = null; defaultText = "http(s)://<services.gitlab.host>"; example = "https://gitlab.example.internal"; description = lib.mdDoc '' Internal GitLab server used for API requests, useful if you want to send that traffic over an internal load balancer. By default, the value of `services.gitlab.pages.settings.gitlab-server` is used. ''; }; api-secret-key = mkOption { type = with types; nullOr str; default = "${cfg.statePath}/gitlab_pages_secret"; internal = true; description = lib.mdDoc '' File with secret key used to authenticate with the GitLab API. ''; }; pages-domain = mkOption { type = with types; nullOr str; example = "example.com"; description = lib.mdDoc '' The domain to serve static pages on. ''; }; pages-root = mkOption { type = types.str; default = "${gitlabConfig.production.shared.path}/pages"; defaultText = literalExpression ''config.${opt.extraConfig}.production.shared.path + "/pages"''; description = lib.mdDoc '' The directory where pages are stored. ''; }; }; }; }; secrets.secretFile = mkOption { Loading Loading @@ -1209,6 +1308,9 @@ in { umask u=rwx,g=,o= openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret ${optionalString cfg.pages.enable '' openssl rand -base64 32 > ${cfg.pages.settings.api-secret-key} ''} rm -f '${cfg.statePath}/config/database.yml' Loading Loading 
@@ -1357,10 +1459,19 @@ in { }; }; systemd.services.gitlab-pages = mkIf (gitlabConfig.production.pages.enabled or false) { services.gitlab.pages.settings = { api-secret-key = "${cfg.statePath}/gitlab_pages_secret"; }; systemd.services.gitlab-pages = let filteredConfig = filterAttrs (_: v: v != null) cfg.pages.settings; configFile = pkgs.writeText "gitlab-pages.conf" (lib.generators.toKeyValue {} filteredConfig); in mkIf cfg.pages.enable { description = "GitLab static pages daemon"; after = [ "network.target" "gitlab-config.service" ]; bindsTo = [ "gitlab-config.service" ]; after = [ "network.target" "gitlab-config.service" "gitlab.service" ]; bindsTo = [ "gitlab-config.service" "gitlab.service" ]; wantedBy = [ "gitlab.target" ]; partOf = [ "gitlab.target" ]; Loading @@ -1374,7 +1485,7 @@ in { User = cfg.user; Group = cfg.group; ExecStart = "${cfg.packages.pages}/bin/gitlab-pages ${escapeShellArgs pagesArgs}"; ExecStart = "${cfg.packages.pages}/bin/gitlab-pages -config=${configFile}"; WorkingDirectory = gitlabEnv.HOME; }; }; Loading
nixos/tests/gitlab.nix +5 −7 Original line number Diff line number Diff line Loading @@ -69,6 +69,10 @@ in { databasePasswordFile = pkgs.writeText "dbPassword" "xo0daiF4"; initialRootPasswordFile = pkgs.writeText "rootPassword" initialRootPassword; smtp.enable = true; pages = { enable = true; settings.pages-domain = "localhost"; }; extraConfig = { incoming_email = { enabled = true; Loading @@ -79,11 +83,6 @@ in { host = "localhost"; port = 143; }; # https://github.com/NixOS/nixpkgs/issues/132295 # pages = { # enabled = true; # host = "localhost"; # }; }; secrets = { secretFile = pkgs.writeText "secret" "Aig5zaic"; Loading Loading @@ -171,10 +170,9 @@ in { waitForServices = '' gitlab.wait_for_unit("gitaly.service") gitlab.wait_for_unit("gitlab-workhorse.service") # https://github.com/NixOS/nixpkgs/issues/132295 # gitlab.wait_for_unit("gitlab-pages.service") gitlab.wait_for_unit("gitlab-mailroom.service") gitlab.wait_for_unit("gitlab.service") gitlab.wait_for_unit("gitlab-pages.service") gitlab.wait_for_unit("gitlab-sidekiq.service") gitlab.wait_for_file("${nodes.gitlab.config.services.gitlab.statePath}/tmp/sockets/gitlab.socket") gitlab.wait_until_succeeds("curl -sSf http://gitlab/users/sign_in") Loading