gitlab service: add option for db_key_base secret

+27
+19
nixos/modules/services/misc/gitlab.nix
··· 41 41 namespace: resque:gitlab 42 42 ''; 43 43 44 + secretsYml = '' 45 + production: 46 + db_key_base: ${cfg.secrets.db_key_base} 47 + ''; 48 + 44 49 gitlabConfig = { 45 50 # These are the default settings from config/gitlab.example.yml 46 51 production = flip recursiveUpdate cfg.extraConfig { ··· 313 318 }; 314 319 }; 315 320 321 + secrets.db_key_base = mkOption { 322 + type = types.str; 323 + example = ""; 324 + description = '' 325 + The db_key_base secrets is used to encrypt variables in the DB. If 326 + you change or lose this key you will be unable to access variables 327 + stored in database. 328 + 329 + Make sure the secret is at least 30 characters and all random, 330 + no regular words or you'll be exposed to dictionary attacks. 331 + ''; 332 + }; 333 + 316 334 extraConfig = mkOption { 317 335 type = types.attrs; 318 336 default = {}; ··· 467 485 # JSON is a subset of YAML 468 486 ln -fs ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)} ${cfg.statePath}/config/gitlab.yml 469 487 ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.statePath}/config/database.yml 488 + ln -fs ${pkgs.writeText "secrets.yml" secretsYml} ${cfg.statePath}/config/secrets.yml 470 489 ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.statePath}/config/unicorn.rb 471 490 472 491 chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/
+7
nixos/modules/services/misc/gitlab.xml
··· 62 62 address = "localhost"; 63 63 port = 25; 64 64 }; 65 + secrets.db_key_base = "ei3eeP1ohsh0uu3ad4YeeMeeheengah3AiZee2ohl4Ooj5mie4Ohl0vishoghaes"; 65 66 extraConfig = { 66 67 gitlab = { 67 68 email_from = "gitlab-no-reply@example.com"; ··· 73 74 }; 74 75 </programlisting> 75 76 </para> 77 + 78 + <para>If you're setting up a new Gitlab instance, generate a new 79 + <literal>db_key_base</literal> secret to encrypt sensible data in the 80 + database. If you're restoring an existing Gitlab instance, you must 81 + specify the <literal>db_key_base</literal> secret from 82 + <literal>config/secrets.yml</literal> in your Gitlab state folder.</para> 76 83 77 84 <para>Refer to <xref linkend="ch-options" /> for all available configuration 78 85 options for the <literal>services.gitlab</literal> module.</para>
+1
pkgs/applications/version-management/gitlab/default.nix
··· 70 70 SKIP_STORAGE_VALIDATION=true \ 71 71 rake assets:precompile RAILS_ENV=production 72 72 mv config/gitlab.yml config/gitlab.yml.example 73 + rm config/secrets.yml 73 74 mv config config.dist 74 75 ''; 75 76
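Review bot: In nixos/modules/services/misc/gitlab.nix, the new secretsYml string interpolates `${cfg.secrets.db_key_base}` into YAML unquoted, so a value containing `:`, `#` or a leading YAML indicator character would not be read back as the string the user set. The gitlab.yml line in the same file already goes through builtins.toJSON ("JSON is a subset of YAML"); generating secrets.yml the same way from an attribute set would avoid the quoting problem.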
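Review bot: In the secrets.db_key_base option added to gitlab.nix, `example = "";` tells the reader nothing, and the 30-character minimum stated in the description is not enforced anywhere in the visible lines. Consider an obvious placeholder as the example and a module assertion on the string length, so a short key fails at evaluation time instead of being accepted silently. The description also has a typo: "The db_key_base secrets is used" should read "secret is used".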
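Review bot: In the last gitlab.nix hunk, `ln -fs ${pkgs.writeText "secrets.yml" secretsYml} ${cfg.statePath}/config/secrets.yml` writes the key into a file in the Nix store, which is readable by every local user, and the `chown -R` that follows does not change that because config/secrets.yml is only a symlink to the store path. Since the option description says this key encrypts variables in the database, consider taking a path to a key file kept outside the store and installing it into the state directory with owner-only permissions. At minimum, the option description should state that the value ends up world-readable in the store.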
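Review bot: In nixos/modules/services/misc/gitlab.xml, the programlisting example sets secrets.db_key_base to a realistic-looking 64-character value, which readers are likely to copy unchanged into their own configuration. Replace it with an obvious placeholder so that a pasted example cannot end up as a shared production key.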
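Review bot: The new para in gitlab.xml tells the reader to generate a new db_key_base but does not say how, and it does not repeat the length and randomness requirement from the option description; one sentence covering both would make the instruction actionable. Two wording fixes in the same para: "sensible data" should be "sensitive data", and the product name is spelled "GitLab".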
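Review bot: In pkgs/applications/version-management/gitlab/default.nix, `rm config/secrets.yml` has no comment saying why the file is removed, and the reason is not evident from the build script alone. Add a one-line comment that the NixOS module now supplies config/secrets.yml from secrets.db_key_base; if the file is produced by the rake step just above, say so, since that also explains why it must not ship in the package.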