How to configure GitLab-Registry on NixOS?

Hi,

I recently switched my GitLab instance from CentOS to NixOS. While most of the switching process ran smoothly, I can't seem to get the GitLab Docker registry up and running. I already tried different methods and configurations, which either used the docker-registry service from nixpkgs or the official registry container provided on Docker Hub.

My current configuration looks something like this:

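{ config, pkgs, ... }:
let
  gitlab_url = "url-to-gitlab";
  registry_url = "url-to-registry";
  # Single source of truth for the loopback port; `toString` it where a
  # string is needed so the registry, nginx and GitLab cannot drift apart.
  local_registry_port = 5000;
in {
  # ...
  # 80/443 are all that GitLab and the registry need from the outside.
  # 25 is *inbound* SMTP; the smtp block below only sends to localhost:25,
  # so keep 25 open only if this host also receives mail.
  networking.firewall.allowedTCPPorts = [ 25 80 443 ];

  services = {
    # ...
    dockerRegistry = {
      enable = true;
      # Loopback only: clients reach the registry through nginx (TLS) and
      # GitLab reaches it via api_url. It must never be exposed directly,
      # since token auth is the only thing standing between it and anonymous
      # push/pull.
      listenAddress = "127.0.0.1";
      port = local_registry_port;
      # NOTE(review): in the nixpkgs module this attrset is merged
      # (recursiveUpdate) into the generated config.yml, so the keys are YAML
      # paths, not REGISTRY_* environment-variable names. Top-level keys such
      # as REGISTRY_AUTH_TOKEN_REALM are silently ignored, and the registry
      # then starts with *no* auth at all -- confirm against the module
      # version you run (check the generated docker-registry-config.yml).
      extraConfig.auth.token = {
        realm = "https://${gitlab_url}/jwt/auth";
        service = "container_registry";
        # Must match services.gitlab.extraConfig.registry.issuer exactly,
        # otherwise every token is rejected.
        issuer = "gitlab-issuer";
        # Public certificate whose private key is registry.key on the GitLab
        # side; this is what the registry uses to verify GitLab-issued JWTs.
        # Must be readable by the docker-registry service user.
        rootcertbundle = "/var/certs/registry/cert.pem";
      };
    };
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        "${gitlab_url}" = {
          enableACME = true;
          forceSSL = true;
          locations."/".proxyPass =
            "http://unix:/run/gitlab/gitlab-workhorse.socket";
        };
        "${registry_url}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://localhost:${toString local_registry_port}";
            # Image layers are large: the NixOS nginx default
            # client_max_body_size (10m) makes pushes fail with 413, and a
            # short read timeout aborts slow layer uploads. Chunked transfer
            # is what the docker client expects from a registry endpoint.
            extraConfig = ''
              client_max_body_size 0;
              chunked_transfer_encoding on;
              proxy_read_timeout 900;
            '';
          };
        };
      };
    };
    gitlab = {
      enable = true;
      databasePasswordFile = "/var/keys/gitlab/db_password";
      initialRootPasswordFile = "/var/keys/gitlab/root_password";
      databaseUsername = "git";
      backupPath = "/mnt/gitlab-backup";
      https = true;
      host = "${gitlab_url}";
      port = 443;
      user = "git";
      group = "git";
      smtp = {
        enable = true;
        # Outbound only, to a local MTA; no TLS needed on loopback.
        address = "localhost";
        port = 25;
      };
      secrets = {
        dbFile = "/var/keys/gitlab/db";
        secretFile = "/var/keys/gitlab/secret";
        otpFile = "/var/keys/gitlab/otp";
        jwsFile = "/var/keys/gitlab/jws";
      };
      extraConfig = {
        gitlab = {
          email_from = "gitlab-no-reply@example.com";
          email_display_name = "Example GitLab";
          email_reply_to = "gitlab-no-reply@example.com";
          default_projects_features = {
            builds = true;
            container_registry = true;
          };
        };
        registry = {
          enabled = true;
          # Public host/port clients use; must be the TLS vhost above, as the
          # registry URL is what `docker login` is told to talk to.
          host = "${registry_url}";
          port = 443;
          # Private key used to sign registry JWTs. Its public certificate is
          # the registry's auth.token.rootcertbundle above; must be readable
          # by the `git` user and by nobody else.
          key = "/var/certs/registry/key.pem";
          # Plain HTTP is acceptable here only because the registry listens on
          # 127.0.0.1; if it ever moves off-host this must become https.
          api_url = "http://localhost:${toString local_registry_port}";
          # Same value as auth.token.issuer on the registry side.
          issuer = "gitlab-issuer";
        };
        packages = { enabled = true; };
      };
    };
  };
}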

Has anyone successfully configured the GitLab registry and could share their configuration or advice with me?

Thanks in advance for your help! :slight_smile:
avocadoom
