pyrox.dev / nixpkgs
lol
fork atom

gitlab service: add option for db_key_base secret

Franz Pletz 131bc22b cfb930c9

options
unified split
Changed files
+27
nixos
modules
services
misc
gitlab.nix
gitlab.xml
pkgs
applications
version-management
gitlab
default.nix
+19
nixos/modules/services/misc/gitlab.nix 
···

       
41

       
41

       
 

       
      namespace: resque:gitlab


     

       
42

       
42

       
 

       
  '';


     

       
43

       
43

       
 

       



     

       

       
44

       
+

       
  secretsYml = ''


     

       

       
45

       
+

       
    production:


     

       

       
46

       
+

       
      db_key_base: ${cfg.secrets.db_key_base}


     

       

       
47

       
+

       
  '';


     

       

       
48

       
+

       



     

       
44

       
49

       
 

       
  gitlabConfig = {


     

       
45

       
50

       
 

       
    # These are the default settings from config/gitlab.example.yml


     

       
46

       
51

       
 

       
    production = flip recursiveUpdate cfg.extraConfig {


     
···

       
313

       
318

       
 

       
        };


     

       
314

       
319

       
 

       
      };


     

       
315

       
320

       
 

       



     

       

       
321

       
+

       
      secrets.db_key_base = mkOption {


     

       

       
322

       
+

       
        type = types.str;


     

       

       
323

       
+

       
        example = "";


     

       

       
324

       
+

       
        description = ''


     

       

       
325

       
+

       
          The db_key_base secrets is used to encrypt variables in the DB. If


     

       

       
326

       
+

       
          you change or lose this key you will be unable to access variables


     

       

       
327

       
+

       
          stored in database.


     

       

       
328

       
+

       



     

       

       
329

       
+

       
          Make sure the secret is at least 30 characters and all random,


     

       

       
330

       
+

       
          no regular words or you'll be exposed to dictionary attacks.


     

       

       
331

       
+

       
        '';


     

       

       
332

       
+

       
      };


     

       

       
333

       
+

       



     

       
316

       
334

       
 

       
      extraConfig = mkOption {


     

       
317

       
335

       
 

       
        type = types.attrs;


     

       
318

       
336

       
 

       
        default = {};


     
···

       
467

       
485

       
 

       
        # JSON is a subset of YAML


     

       
468

       
486

       
 

       
        ln -fs ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)} ${cfg.statePath}/config/gitlab.yml


     

       
469

       
487

       
 

       
        ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.statePath}/config/database.yml


     

       

       
488

       
+

       
        ln -fs ${pkgs.writeText "secrets.yml" secretsYml} ${cfg.statePath}/config/secrets.yml


     

       
470

       
489

       
 

       
        ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.statePath}/config/unicorn.rb


     

       
471

       
490

       
 

       



     

       
472

       
491

       
 

       
        chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/
+7
nixos/modules/services/misc/gitlab.xml 
···

       
62

       
62

       
 

       
    address = "localhost";


     

       
63

       
63

       
 

       
    port = 25;


     

       
64

       
64

       
 

       
  };


     

       

       
65

       
+

       
  secrets.db_key_base = "ei3eeP1ohsh0uu3ad4YeeMeeheengah3AiZee2ohl4Ooj5mie4Ohl0vishoghaes";


     

       
65

       
66

       
 

       
  extraConfig = {


     

       
66

       
67

       
 

       
    gitlab = {


     

       
67

       
68

       
 

       
      email_from = "gitlab-no-reply@example.com";


     
···

       
73

       
74

       
 

       
};


     

       
74

       
75

       
 

       
</programlisting>


     

       
75

       
76

       
 

       
</para>


     

       

       
77

       
+

       



     

       

       
78

       
+

       
<para>If you're setting up a new Gitlab instance, generate a new


     

       

       
79

       
+

       
<literal>db_key_base</literal> secret to encrypt sensible data in the


     

       

       
80

       
+

       
database. If you're restoring an existing Gitlab instance, you must


     

       

       
81

       
+

       
specify the <literal>db_key_base</literal> secret from


     

       

       
82

       
+

       
<literal>config/secrets.yml</literal> in your Gitlab state folder.</para>


     

       
76

       
83

       
 

       



     

       
77

       
84

       
 

       
<para>Refer to <xref linkend="ch-options" /> for all available configuration


     

       
78

       
85

       
 

       
options for the <literal>services.gitlab</literal> module.</para>
+1
pkgs/applications/version-management/gitlab/default.nix 
···

       
70

       
70

       
 

       
      SKIP_STORAGE_VALIDATION=true \


     

       
71

       
71

       
 

       
      rake assets:precompile RAILS_ENV=production


     

       
72

       
72

       
 

       
    mv config/gitlab.yml config/gitlab.yml.example


     

       

       
73

       
+

       
    rm config/secrets.yml


     

       
73

       
74

       
 

       
    mv config config.dist


     

       
74

       
75

       
 

       
  '';


     

       
75

       
76