Merge pull request #113201 from talyz/gitlab-db-key-base-patch

gitlab: Add patch for db_key_base length bug, fix descriptions

authored by

Kim Lindberger and committed by
GitHub
e50164a7 8e1f3bcf

+16 -7
+3 -3
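--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -588,7 +588,7 @@
 the DB. If you change or lose this key you will be unable to
 access variables stored in database.
 
-Make sure the secret is at least 30 characters and all random,
+Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks.
 
 This should be a string, not a nix path, since nix paths are
@@ -604,7 +604,7 @@
 the DB. If you change or lose this key you will be unable to
 access variables stored in database.
 
-Make sure the secret is at least 30 characters and all random,
+Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks.
 
 This should be a string, not a nix path, since nix paths are
@@ -620,7 +620,7 @@
 tokens. If you change or lose this key, users which have 2FA
 enabled for login won't be able to login anymore.
 
-Make sure the secret is at least 30 characters and all random,
+Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks.
 
 This should be a string, not a nix path, since nix paths are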
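Review bot: The three descriptions now say 32 characters but give no reason, so a later maintainer cannot tell whether the number is a hard requirement of GitLab or a security floor picked by the module author. The patch comment in pkgs/applications/version-management/gitlab/default.nix on this same page attributes the 32-byte figure to db_key_base being used with aes-256-gcm, so for that option a wording such as `Make sure the secret is at least 32 characters (GitLab uses a 32-byte key for AES-256-GCM) and all random,` would carry the reason; whether the same reason applies to the other two secrets is not shown here and should be confirmed before copying it. Which of the three hunks documents db_key_base is not identifiable from the excerpt, since the enclosing option definitions lie outside the hunks.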
+3 -3
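--- a/nixos/tests/gitlab.nix
+++ b/nixos/tests/gitlab.nix
@@ -57,9 +57,9 @@
 };
 };
 secrets = {
-secretFile = pkgs.writeText "secret" "r8X9keSKynU7p4aKlh4GO1Bo77g5a7vj";
-otpFile = pkgs.writeText "otpsecret" "Zu5hGx3YvQx40DvI8WoZJQpX2paSDOlG";
-dbFile = pkgs.writeText "dbsecret" "lsGltKWTejOf6JxCVa7nLDenzkO9wPLR";
+secretFile = pkgs.writeText "secret" "Aig5zaic";
+otpFile = pkgs.writeText "otpsecret" "Riew9mue";
+dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
 jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
 };
 };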
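Review bot: The new test secrets are 8 characters long, which is below the 32-character minimum the module descriptions in this same commit require, and nothing in the test says this is deliberate. If the intent is to exercise the db_key_base length patch with short keys, a comment on the `secrets = {` line such as `# Deliberately shorter than the documented 32-character minimum, to exercise the db_key_base length fix` would stop a later cleanup from restoring long values and silently losing that coverage. These are test-only fixtures, so their weakness is acceptable here, and the comment should say that as well. The enclosing test attribute set starts before this hunk.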
+10 -1
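--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, fetchFromGitLab, bundlerEnv
+{ stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
 , ruby, tzdata, git, nettools, nixosTests, nodejs, openssl
 , gitlabEnterprise ? false, callPackage, yarn
 , fixup_yarn_lock, replace, file
@@ -125,6 +125,15 @@
 patches = [
 # Change hardcoded paths to the NixOS equivalent
 ./remove-hardcoded-locations.patch
+
+# Use the exactly 32 byte long version of db_key_base with
+# aes-256-gcm, see
+# https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
+(fetchpatch {
+name = "secrets_db_key_base_length.patch";
+url = "https://gitlab.com/gitlab-org/gitlab/-/commit/dea620633d446ca0f53a75674454ff0dd4bd8f99.patch";
+sha256 = "19m4z4np3sai9kqqqgabl44xv7p8lkcyqr6s5471axfxmf9m2023";
+})
 ];
 
 postPatch = ''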
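Review bot: The fetchpatch entry records which upstream MR it comes from but not the condition under which it can be dropped, so it is likely to linger after GitLab ships the fix in a release that this package later moves to. Adding `# Remove once the packaged GitLab release includes MR 53602.` to the comment block above `(fetchpatch {` gives whoever bumps the version a concrete check to make. The patch is pinned by sha256, so a changed upstream commit cannot be substituted silently; that part is fine as written.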