public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gitlab service: add option for db_key_base secret

Browse Source
This commit is contained in:
Franz Pletz 2016-08-17 13:16:32 +02:00
parent cfb930c985
commit 131bc22b84
3 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
nixos/modules/services/misc/gitlab.nix
View File

@ -41,6 +41,11 @@ let
namespace: resque:gitlab namespace: resque:gitlab
''; '';
secretsYml = ''
production:
db_key_base: ${cfg.secrets.db_key_base}
'';
gitlabConfig = { gitlabConfig = {
# These are the default settings from config/gitlab.example.yml # These are the default settings from config/gitlab.example.yml
production = flip recursiveUpdate cfg.extraConfig { production = flip recursiveUpdate cfg.extraConfig {
@ -313,6 +318,19 @@ in {
}; };
}; };
secrets.db_key_base = mkOption {
type = types.str;
example = "";
description = ''
The db_key_base secrets is used to encrypt variables in the DB. If
you change or lose this key you will be unable to access variables
stored in database.
Make sure the secret is at least 30 characters and all random,
no regular words or you'll be exposed to dictionary attacks.
'';
};
extraConfig = mkOption { extraConfig = mkOption {
type = types.attrs; type = types.attrs;
default = {}; default = {};
@ -467,6 +485,7 @@ in {
# JSON is a subset of YAML # JSON is a subset of YAML
ln -fs ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)} ${cfg.statePath}/config/gitlab.yml ln -fs ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)} ${cfg.statePath}/config/gitlab.yml
ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.statePath}/config/database.yml ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.statePath}/config/database.yml
ln -fs ${pkgs.writeText "secrets.yml" secretsYml} ${cfg.statePath}/config/secrets.yml
ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.statePath}/config/unicorn.rb ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.statePath}/config/unicorn.rb
chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/ chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/

7
nixos/modules/services/misc/gitlab.xml
View File

@ -62,6 +62,7 @@ services.gitlab = {
address = "localhost"; address = "localhost";
port = 25; port = 25;
}; };
secrets.db_key_base = "ei3eeP1ohsh0uu3ad4YeeMeeheengah3AiZee2ohl4Ooj5mie4Ohl0vishoghaes";
extraConfig = { extraConfig = {
gitlab = { gitlab = {
email_from = "gitlab-no-reply@example.com"; email_from = "gitlab-no-reply@example.com";
@ -74,6 +75,12 @@ services.gitlab = {
</programlisting> </programlisting>
</para> </para>
<para>If you're setting up a new Gitlab instance, generate a new
<literal>db_key_base</literal> secret to encrypt sensible data in the
database. If you're restoring an existing Gitlab instance, you must
specify the <literal>db_key_base</literal> secret from
<literal>config/secrets.yml</literal> in your Gitlab state folder.</para>
<para>Refer to <xref linkend="ch-options" /> for all available configuration <para>Refer to <xref linkend="ch-options" /> for all available configuration
options for the <literal>services.gitlab</literal> module.</para> options for the <literal>services.gitlab</literal> module.</para>

1
pkgs/applications/version-management/gitlab/default.nix
View File

@ -70,6 +70,7 @@ stdenv.mkDerivation rec {
SKIP_STORAGE_VALIDATION=true \ SKIP_STORAGE_VALIDATION=true \
rake assets:precompile RAILS_ENV=production rake assets:precompile RAILS_ENV=production
mv config/gitlab.yml config/gitlab.yml.example mv config/gitlab.yml config/gitlab.yml.example
rm config/secrets.yml
mv config config.dist mv config config.dist
''; '';