Merge pull request #113201 from talyz/gitlab-db-key-base-patch

gitlab: Add patch for db_key_base length bug, fix descriptions

authored by

Kim Lindberger and committed by
GitHub
e50164a7 8e1f3bcf

+16 -7
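--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -588,7 +588,7 @@
 the DB. If you change or lose this key you will be unable to
 access variables stored in database.
 
-Make sure the secret is at least 30 characters and all random,
+Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks.
 
 This should be a string, not a nix path, since nix paths are
@@ -604,7 +604,7 @@
 the DB. If you change or lose this key you will be unable to
 access variables stored in database.
 
-Make sure the secret is at least 30 characters and all random,
+Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks.
 
 This should be a string, not a nix path, since nix paths are
@@ -620,7 +620,7 @@
 tokens. If you change or lose this key, users which have 2FA
 enabled for login won't be able to login anymore.
 
-Make sure the secret is at least 30 characters and all random,
+Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks.
 
 This should be a string, not a nix path, since nix paths are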
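Review bot: The three descriptions now say "at least 32 characters", while the comment on the accompanying package patch describes the key as "the exactly 32 byte long version of db_key_base", so a reader of the option text cannot tell whether characters beyond the 32nd still contribute to the key; I cannot confirm the derivation from this page, but the description is the place to state it. I would also give the reader a way to produce a compliant value rather than only a minimum, e.g. append `Generate one with: tr -dc A-Za-z0-9 </dev/urandom | head -c 32`, and since these are encryption keys rather than passwords, "you'll be exposed to dictionary attacks" would be more accurate as `or the derived encryption key will have too little entropy`. The same paragraph is repeated verbatim at old lines 591, 607 and 623; factoring it into one shared string would keep the next length change from having to touch all three. The enclosing option definitions start and end outside the hunks.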
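--- a/nixos/tests/gitlab.nix
+++ b/nixos/tests/gitlab.nix
@@ -57,9 +57,9 @@
 };
 };
 secrets = {
-secretFile = pkgs.writeText "secret" "r8X9keSKynU7p4aKlh4GO1Bo77g5a7vj";
-otpFile = pkgs.writeText "otpsecret" "Zu5hGx3YvQx40DvI8WoZJQpX2paSDOlG";
-dbFile = pkgs.writeText "dbsecret" "lsGltKWTejOf6JxCVa7nLDenzkO9wPLR";
+secretFile = pkgs.writeText "secret" "Aig5zaic";
+otpFile = pkgs.writeText "otpsecret" "Riew9mue";
+dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
 jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
 };
 };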
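Review bot: The replacement secrets at new lines 60–62 are 8 characters, well below the 32-character minimum the module's option descriptions require in this same PR, and nothing in the test says this is deliberate; a later tidy-up could "fix" them back to 32 characters and silently lose whatever coverage of the short-key path this change is meant to add. I would add a comment above `secretFile`: `# Deliberately shorter than the documented 32-character minimum: exercises the db_key_base length fix (gitlab MR 53602).` If both the short and the full-length paths matter, keeping one 32-character value alongside the short ones would cover both in the same run. The `secrets` attrset is complete within the hunk, but the enclosing test configuration starts and ends outside it.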
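--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, fetchFromGitLab, bundlerEnv
+{ stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
 , ruby, tzdata, git, nettools, nixosTests, nodejs, openssl
 , gitlabEnterprise ? false, callPackage, yarn
 , fixup_yarn_lock, replace, file
@@ -125,6 +125,15 @@
 patches = [
 # Change hardcoded paths to the NixOS equivalent
 ./remove-hardcoded-locations.patch
+
+# Use the exactly 32 byte long version of db_key_base with
+# aes-256-gcm, see
+# https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
+(fetchpatch {
+name = "secrets_db_key_base_length.patch";
+url = "https://gitlab.com/gitlab-org/gitlab/-/commit/dea620633d446ca0f53a75674454ff0dd4bd8f99.patch";
+sha256 = "19m4z4np3sai9kqqqgabl44xv7p8lkcyqr6s5471axfxmf9m2023";
+})
 ];
 
 postPatch = ''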
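Review bot: The new patch comment names the upstream MR but not the GitLab release that carries the fix, so the next version bump has no clear signal for when `secrets_db_key_base_length.patch` can be dropped; a patch upstream has since merged usually fails to apply on the bump, which does surface the problem, but a comment naming the fixed release tells the maintainer to remove it rather than try to rebase it. I would extend the comment with the target release once it is known, e.g. `# Drop once the packaged version includes MR 53602.` Pinning the single commit URL with `sha256` is the right call for a supply-chain-sensitive input, since `fetchpatch` normalizes the download and the hash fails closed if gitlab.com serves different content; keep that rather than fetching a branch or MR head. The `patches` list is complete within the hunk; the surrounding derivation starts and ends outside it.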