commit f79b568519a89d35ca8c6e10b2fb5dc389826a99 · pyrox.dev/nixpkgs

nixos/doc/manual/release-notes/rl-2505.section.md

···

       329
       329
        
       

     

       330
       330
        
       - The behavior of the `networking.nat.externalIP` and `networking.nat.externalIPv6` options has been changed. `networking.nat.forwardPorts` now only forwards packets destined for the specified IP addresses.

     

       331
       331
        
       

     

       332
       332
       +
       - `services.gitlab` now requires the setting of `activeRecordPrimaryKeyFile`, `activeRecordDeterministicKeyFile`, `activeRecordSaltFile` as GitLab introduced Rails ActiveRecord encryption.

     

       333
       333
       +
       

     

       332
       334
        
       - `python3Packages.bpycv` has been removed due to being incompatible with Blender 4 and unmaintained.

     

       333
       335
        
       

     

       334
       336
        
       - `python3Packages.jaeger-client` was removed because it was deprecated upstream. [OpenTelemetry](https://opentelemetry.io) is the recommended replacement.

+64 -2

nixos/modules/services/misc/gitlab.nix

···

       907
       907
        
               '';

     

       908
       908
        
             };

     

       909
       909
        
       

     

       910
       910
       +
             secrets.activeRecordPrimaryKeyFile = mkOption {

     

       911
       911
       +
               type = with types; nullOr path;

     

       912
       912
       +
               default = null;

     

       913
       913
       +
               description = ''

     

       914
       914
       +
                 A file containing the secret used to encrypt some rails data

     

       915
       915
       +
                 in the DB. This should not be the same as `services.gitlab.secrets.activeRecordDeterministicKeyFile`!

     

       916
       916
       +
       

     

       917
       917
       +
                 Make sure the secret is at ideally 32 characters and all random,

     

       918
       918
       +
                 no regular words or you'll be exposed to dictionary attacks.

     

       919
       919
       +
       

     

       920
       920
       +
                 This should be a string, not a nix path, since nix paths are

     

       921
       921
       +
                 copied into the world-readable nix store.

     

       922
       922
       +
               '';

     

       923
       923
       +
             };

     

       924
       924
       +
       

     

       925
       925
       +
             secrets.activeRecordDeterministicKeyFile = mkOption {

     

       926
       926
       +
               type = with types; nullOr path;

     

       927
       927
       +
               default = null;

     

       928
       928
       +
               description = ''

     

       929
       929
       +
                 A file containing the secret used to encrypt some rails data in a deterministic way

     

       930
       930
       +
                 in the DB. This should not be the same as `services.gitlab.secrets.activeRecordPrimaryKeyFile`!

     

       931
       931
       +
       

     

       932
       932
       +
                 Make sure the secret is at ideally 32 characters and all random,

     

       933
       933
       +
                 no regular words or you'll be exposed to dictionary attacks.

     

       934
       934
       +
       

     

       935
       935
       +
                 This should be a string, not a nix path, since nix paths are

     

       936
       936
       +
                 copied into the world-readable nix store.

     

       937
       937
       +
               '';

     

       938
       938
       +
             };

     

       939
       939
       +
       

     

       940
       940
       +
             secrets.activeRecordSaltFile = mkOption {

     

       941
       941
       +
               type = with types; nullOr path;

     

       942
       942
       +
               default = null;

     

       943
       943
       +
               description = ''

     

       944
       944
       +
                 A file containing the salt for active record encryption in the DB.

     

       945
       945
       +
       

     

       946
       946
       +
                 Make sure the secret is at ideally 32 characters and all random,

     

       947
       947
       +
                 no regular words or you'll be exposed to dictionary attacks.

     

       948
       948
       +
       

     

       949
       949
       +
                 This should be a string, not a nix path, since nix paths are

     

       950
       950
       +
                 copied into the world-readable nix store.

     

       951
       951
       +
               '';

     

       952
       952
       +
             };

     

       953
       953
       +
       

     

       910
       954
        
             extraShellConfig = mkOption {

     

       911
       955
        
               type = types.attrs;

     

       912
       956
        
               default = { };

     
···

       1181
       1225
        
               message = "services.gitlab.secrets.jwsFile must be set!";

     

       1182
       1226
        
             }

     

       1183
       1227
        
             {

     

       1228
       1228
       +
               assertion = cfg.secrets.activeRecordPrimaryKeyFile != null;

     

       1229
       1229
       +
               message = "services.gitlab.secrets.activeRecordPrimaryKeyFile must be set!";

     

       1230
       1230
       +
             }

     

       1231
       1231
       +
             {

     

       1232
       1232
       +
               assertion = cfg.secrets.activeRecordDeterministicKeyFile != null;

     

       1233
       1233
       +
               message = "services.gitlab.secrets.activeRecordDeterministicKeyFile must be set!";

     

       1234
       1234
       +
             }

     

       1235
       1235
       +
             {

     

       1236
       1236
       +
               assertion = cfg.secrets.activeRecordSaltFile != null;

     

       1237
       1237
       +
               message = "services.gitlab.secrets.activeRecordSaltFile must be set!";

     

       1238
       1238
       +
             }

     

       1239
       1239
       +
             {

     

       1184
       1240
        
               assertion = versionAtLeast postgresqlPackage.version "14.9";

     

       1185
       1241
        
               message = "PostgreSQL >= 14.9 is required to run GitLab 17. Follow the instructions in the manual section for upgrading PostgreSQL here: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading";

     

       1186
       1242
        
             }

     
···

       1480
       1536
        
                   db="$(<'${cfg.secrets.dbFile}')"

     

       1481
       1537
        
                   otp="$(<'${cfg.secrets.otpFile}')"

     

       1482
       1538
        
                   jws="$(<'${cfg.secrets.jwsFile}')"

     

       1483
       1483
       -
                   export secret db otp jws

     

       1539
       1539
       +
                   arprimary="$(<'${cfg.secrets.activeRecordPrimaryKeyFile}')"

     

       1540
       1540
       +
                   ardeterministic="$(<'${cfg.secrets.activeRecordDeterministicKeyFile}')"

     

       1541
       1541
       +
                   arsalt="$(<'${cfg.secrets.activeRecordSaltFile}')"

     

       1542
       1542
       +
                   export secret db otp jws arprimary ardeterministic arsalt

     

       1484
       1543
        
                   jq -n '{production: {secret_key_base: $ENV.secret,

     

       1485
       1544
        
                           otp_key_base: $ENV.otp,

     

       1486
       1545
        
                           db_key_base: $ENV.db,

     

       1487
       1487
       -
                           openid_connect_signing_key: $ENV.jws}}' \

     

       1546
       1546
       +
                           openid_connect_signing_key: $ENV.jws,

     

       1547
       1547
       +
                           active_record_encryption_primary_key: $ENV.arprimary,

     

       1548
       1548
       +
                           active_record_encryption_deterministic_key: $ENV.ardeterministic,

     

       1549
       1549
       +
                           active_record_encryption_key_derivation_salt: $ENV.arsalt}}' \

     

       1488
       1550
        
                      > '${cfg.statePath}/config/secrets.yml'

     

       1489
       1551
        
                 )

     

       1490
       1552

+10

nixos/tests/gitlab.nix

···

       106
       106
        
                   otpFile = pkgs.writeText "otpsecret" "Riew9mue";

     

       107
       107
        
                   dbFile = pkgs.writeText "dbsecret" "we2quaeZ";

     

       108
       108
        
                   jwsFile = pkgs.runCommand "oidcKeyBase" { } "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";

     

       109
       109
       +
                   activeRecordPrimaryKeyFile = pkgs.writeText "arprimary" "vsaYPZjTRxcbG7W6gNr95AwBmzFUd4Eu";

     

       110
       110
       +
                   activeRecordDeterministicKeyFile = pkgs.writeText "ardeterministic" "kQarv9wb2JVP7XzLTh5f6DFcMHms4nEC";

     

       111
       111
       +
                   activeRecordSaltFile = pkgs.writeText "arsalt" "QkgR9CfFU3MXEWGqa7LbP24AntK5ZeYw";

     

       109
       112
        
                 };

     

       110
       113
        
       

     

       111
       114
        
                 registry = {

     
···

       477
       480
        
             gitlab.start()

     

       478
       481
        
           ''

     

       479
       482
        
           + waitForServices

     

       483
       483
       +
           + ''

     

       484
       484
       +
             gitlab.succeed("cp /var/gitlab/state/config/secrets.yml /root/gitlab-secrets.yml")

     

       485
       485
       +
           ''

     

       480
       486
        
           + test true

     

       481
       487
        
           + ''

     

       482
       488
        
             gitlab.systemctl("start gitlab-backup.service")

     
···

       496
       502
        
             gitlab.systemctl("start gitlab.target")

     

       497
       503
        
           ''

     

       498
       504
        
           + waitForServices

     

       505
       505
       +
           + ''

     

       506
       506
       +
             with subtest("Check that no secrets were auto-generated as these would be non-persistent"):

     

       507
       507
       +
                 gitlab.succeed("diff -u /root/gitlab-secrets.yml /var/gitlab/state/config/secrets.yml")

     

       508
       508
       +
           ''

     

       499
       509
        
           + test false;

     

       500
       510
        
       }