gitlab: 8.0.5 -> 8.5.0, service improvements

Updates gitlab to the current stable version and fixes a lot of features that were broken, at least with the current version and our configuration. Quite a lot of sweat and tears has gone into testing nearly all features and reading/patching the Gitlab source as we're about to deploy gitlab for our whole company. Things to note: * The gitlab config is now written as a nix attribute set and will be converted to JSON. Gitlab uses YAML but JSON is a subset of YAML. The `extraConfig` opition is also an attribute set that will be merged with the default config. This way *all* Gitlab options are supported. * Some paths like uploads and configs are hardcoded in rails (at least after my study of the Gitlab source). This is why they are linked from the Gitlab root to /run/gitlab and then linked to the configurable `statePath`. * Backup & restore should work out of the box from another Gitlab instance. * gitlab-git-http-server has been replaced by gitlab-workhorse upstream. Push & pull over HTTPS works perfectly. Communication to gitlab is done over unix sockets. An HTTP server is required to proxy requests to gitlab-workhorse over another unix socket at `/run/gitlab/gitlab-workhorse.socket`. * The user & group running gitlab are now configurable. These can even be changed for live instances. * The initial email address & password of the root user can be configured. Fixes #8598.
2016-01-30 14:47:04 +01:00 · 2016-01-30 14:47:04 +01:00 · bcfa59bf82
parent 30891166be
commit bcfa59bf82
14 changed files with 3741 additions and 3578 deletions
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -28,6 +28,9 @@ with lib;
    (mkRenamedOptionModule [ "services" "subsonic" "host" ] [ "services" "subsonic" "listenAddress" ])
    (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])

+    (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ])
+    (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ])
+
    # Old Grub-related options.
    (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
    (mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -21,14 +21,15 @@ let
      username: ${cfg.databaseUsername}
      encoding: utf8
  '';
+
  gitlabShellYml = ''
-    user: gitlab
-    gitlab_url: "http://${cfg.host}:${toString cfg.port}/"
+    user: ${cfg.user}
+    gitlab_url: "http://localhost:8080/"
    http_settings:
      self_signed_cert: false
-    repos_path: "${cfg.stateDir}/repositories"
-    secret_file: "${cfg.stateDir}/config/gitlab_shell_secret"
-    log_file: "${cfg.stateDir}/log/gitlab-shell.log"
+    repos_path: "${cfg.statePath}/repositories"
+    secret_file: "${cfg.statePath}/config/gitlab_shell_secret"
+    log_file: "${cfg.statePath}/log/gitlab-shell.log"
    redis:
      bin: ${pkgs.redis}/bin/redis-cli
      host: 127.0.0.1
@ -37,33 +38,101 @@ let
      namespace: resque:gitlab
  '';

+  gitlabConfig = {
+    production = flip recursiveUpdate cfg.extraConfig {
+      gitlab = {
+        host = cfg.host;
+        port = cfg.port;
+        https = cfg.https;
+        user = cfg.user;
+        email_enabled = true;
+        email_display_name = "GitLab";
+        email_reply_to = "noreply@localhost";
+        default_theme = 2;
+        default_projects_features = {
+          issues = true;
+          merge_requests = true;
+          wiki = false;
+          snippets = false;
+          builds = true;
+        };
+      };
+      artifacts = {
+        enabled = true;
+      };
+      lfs = {
+        enabled = true;
+      };
+      gravatar = {
+        enabled = true;
+      };
+      cron_jobs = {
+        stuck_ci_builds_worker = {
+          cron = "0 0 * * *";
+        };
+      };
+      gitlab_ci = {
+        builds_path = "${cfg.statePath}/builds";
+      };
+      ldap = {
+        enabled = false;
+      };
+      omniauth = {
+        enabled = false;
+      };
+      shared = {
+        path = "${cfg.statePath}/shared";
+      };
+      backup = {
+        path = "${cfg.backupPath}";
+      };
+      gitlab_shell = {
+        path = "${pkgs.gitlab-shell}";
+        repos_path = "${cfg.statePath}/repositories";
+        hooks_path = "${cfg.statePath}/shell/hooks";
+        secret_file = "${cfg.statePath}/config/gitlab_shell_secret";
+        upload_pack = true;
+        receive_pack = true;
+      };
+      git = {
+        bin_path = "git";
+        max_size = 20971520; # 20MB
+        timeout = 10;
+      };
+      extra = {};
+    };
+  };
+
+  gitlabEnv = {
+    HOME = "${cfg.statePath}/home";
+    GEM_HOME = gemHome;
+    BUNDLE_GEMFILE = "${pkgs.gitlab}/share/gitlab/Gemfile";
+    UNICORN_PATH = "${cfg.statePath}/";
+    GITLAB_PATH = "${pkgs.gitlab}/share/gitlab/";
+    GITLAB_STATE_PATH = "${cfg.statePath}";
+    GITLAB_UPLOADS_PATH = "${cfg.statePath}/uploads";
+    GITLAB_LOG_PATH = "${cfg.statePath}/log";
+    GITLAB_SHELL_PATH = "${pkgs.gitlab-shell}";
+    GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/shell/config.yml";
+    GITLAB_SHELL_SECRET_PATH = "${cfg.statePath}/config/gitlab_shell_secret";
+    GITLAB_SHELL_HOOKS_PATH = "${cfg.statePath}/shell/hooks";
+    RAILS_ENV = "production";
+  };
+
  unicornConfig = builtins.readFile ./defaultUnicornConfig.rb;

  gitlab-runner = pkgs.stdenv.mkDerivation rec {
    name = "gitlab-runner";
-    buildInputs = [ pkgs.gitlab pkgs.bundler pkgs.makeWrapper ];
+    buildInputs = with pkgs; [ gitlab bundler makeWrapper ];
    phases = "installPhase fixupPhase";
    buildPhase = "";
    installPhase = ''
      mkdir -p $out/bin
-      makeWrapper ${bundler}/bin/bundle $out/bin/gitlab-runner\
-          --set RAKEOPT '"-f ${pkgs.gitlab}/share/gitlab/Rakefile"'\
-          --set GEM_HOME '${gemHome}'\
-          --set UNICORN_PATH "${cfg.stateDir}/"\
-          --set GITLAB_PATH "${pkgs.gitlab}/share/gitlab/"\
-          --set GITLAB_APPLICATION_LOG_PATH "${cfg.stateDir}/log/application.log"\
-          --set GITLAB_SATELLITES_PATH "${cfg.stateDir}/satellites"\
-          --set GITLAB_SHELL_PATH "${pkgs.gitlab-shell}"\
-          --set GITLAB_REPOSITORIES_PATH "${cfg.stateDir}/repositories"\
-          --set GITLAB_SHELL_HOOKS_PATH "${cfg.stateDir}/shell/hooks"\
-          --set BUNDLE_GEMFILE "${pkgs.gitlab}/share/gitlab/Gemfile"\
-          --set GITLAB_EMAIL_FROM "${cfg.emailFrom}"\
-          --set GITLAB_SHELL_CONFIG_PATH "${cfg.stateDir}/shell/config.yml"\
-          --set GITLAB_SHELL_SECRET_PATH "${cfg.stateDir}/config/gitlab_shell_secret"\
-          --set GITLAB_HOST "${cfg.host}"\
-          --set GITLAB_PORT "${toString cfg.port}"\
-          --set GITLAB_BACKUP_PATH "${cfg.backupPath}"\
-          --set RAILS_ENV "production"
+      makeWrapper ${bundler}/bin/bundle $out/bin/gitlab-runner \
+          ${concatStrings (mapAttrsToList (name: value: "--set ${name} '\"${value}\"' ") gitlabEnv)} \
+          --set GITLAB_CONFIG_PATH '"${cfg.statePath}/config"' \
+          --set PATH '"${pkgs.nodejs}/bin:${pkgs.gzip}/bin:${config.services.postgresql.package}/bin:$PATH"' \
+          --set RAKEOPT '"-f ${pkgs.gitlab}/share/gitlab/Rakefile"'
    '';
  };

@ -79,13 +148,7 @@ in {
        '';
      };

-      satelliteDir = mkOption {
-        type = types.str;
-        default = "/var/gitlab/git-satellites";
-        description = "Gitlab directory to store checked out git trees requires for operation.";
-      };
-
-      stateDir = mkOption {
+      statePath = mkOption {
        type = types.str;
        default = "/var/gitlab/state";
        description = "Gitlab state directory, logs are stored here.";
@ -93,7 +156,7 @@ in {

      backupPath = mkOption {
        type = types.str;
-        default = cfg.stateDir + "/backup";
+        default = cfg.statePath + "/backup";
        description = "Gitlab path for backups.";
      };

@ -136,7 +199,60 @@ in {
      port = mkOption {
        type = types.int;
        default = 8080;
-        description = "Gitlab server listening port.";
+        description = ''
+          Gitlab server port for copy-paste URLs, e.g. 80 or 443 if you're
+          service over https.
+        '';
+      };
+
+      https = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether gitlab prints URLs with https as scheme.";
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "gitlab";
+        description = "User to run gitlab and all related services.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "gitlab";
+        description = "Group to run gitlab and all related services.";
+      };
+
+      initialRootEmail = mkOption {
+        type = types.str;
+        default = "admin@local.host";
+        description = ''
+          Initial email address of the root account if this is a new install.
+        '';
+      };
+
+      initialRootPassword = mkOption {
+        type = types.str;
+        default = "UseNixOS!";
+        description = ''
+          Initial password of the root account if this is a new install.
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.attrs;
+        default = "";
+        example = {
+          gitlab = {
+            default_projects_features = {
+              builds = false;
+            };
+          };
+        };
+        description = ''
+          Extra options to be merged into config/gitlab.yml as nix
+          attribute set.
+        '';
      };
    };
  };
@ -159,39 +275,24 @@ in {
    services.postfix.enable = mkDefault true;

    users.extraUsers = [
-      { name = "gitlab";
-        group = "gitlab";
-        home = "${cfg.stateDir}/home";
+      { name = cfg.user;
+        group = cfg.group;
+        home = "${cfg.statePath}/home";
        shell = "${pkgs.bash}/bin/bash";
        uid = config.ids.uids.gitlab;
-      } ];
+      }
+    ];

    users.extraGroups = [
-      { name = "gitlab";
+      { name = cfg.group;
        gid = config.ids.gids.gitlab;
-      } ];
+      }
+    ];

    systemd.services.gitlab-sidekiq = {
      after = [ "network.target" "redis.service" ];
      wantedBy = [ "multi-user.target" ];
-      environment.HOME = "${cfg.stateDir}/home";
-      environment.GEM_HOME = gemHome;
-      environment.UNICORN_PATH = "${cfg.stateDir}/";
-      environment.GITLAB_PATH = "${pkgs.gitlab}/share/gitlab/";
-      environment.GITLAB_APPLICATION_LOG_PATH = "${cfg.stateDir}/log/application.log";
-      environment.GITLAB_SATELLITES_PATH = "${cfg.stateDir}/satellites";
-      environment.GITLAB_SHELL_PATH = "${pkgs.gitlab-shell}";
-      environment.GITLAB_REPOSITORIES_PATH = "${cfg.stateDir}/repositories";
-      environment.GITLAB_SHELL_HOOKS_PATH = "${cfg.stateDir}/shell/hooks";
-      environment.BUNDLE_GEMFILE = "${pkgs.gitlab}/share/gitlab/Gemfile";
-      environment.GITLAB_EMAIL_FROM = "${cfg.emailFrom}";
-      environment.GITLAB_SHELL_CONFIG_PATH = "${cfg.stateDir}/shell/config.yml";
-      environment.GITLAB_SHELL_SECRET_PATH = "${cfg.stateDir}/config/gitlab_shell_secret";
-      environment.GITLAB_HOST = "${cfg.host}";
-      environment.GITLAB_PORT = "${toString cfg.port}";
-      environment.GITLAB_DATABASE_HOST = "${cfg.databaseHost}";
-      environment.GITLAB_DATABASE_PASSWORD = "${cfg.databasePassword}";
-      environment.RAILS_ENV = "production";
+      environment = gitlabEnv;
      path = with pkgs; [
        config.services.postgresql.package
        gitAndTools.git
@ -201,116 +302,132 @@ in {
      ];
      serviceConfig = {
        Type = "simple";
-        User = "gitlab";
-        Group = "gitlab";
+        User = cfg.user;
+        Group = cfg.group;
        TimeoutSec = "300";
        WorkingDirectory = "${pkgs.gitlab}/share/gitlab";
-        ExecStart="${bundler}/bin/bundle exec \"sidekiq -q post_receive -q mailer -q system_hook -q project_web_hook -q gitlab_shell -q common -q default -e production -P ${cfg.stateDir}/tmp/sidekiq.pid\"";
+        ExecStart="${bundler}/bin/bundle exec \"sidekiq -q post_receive -q mailer -q system_hook -q project_web_hook -q gitlab_shell -q common -q default -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
      };
    };

-    systemd.services.gitlab-git-http-server = {
+    systemd.services.gitlab-workhorse = {
      after = [ "network.target" "gitlab.service" ];
      wantedBy = [ "multi-user.target" ];
-      environment.HOME = "${cfg.stateDir}/home";
+      environment.HOME = gitlabEnv.HOME;
+      environment.GITLAB_SHELL_CONFIG_PATH = gitlabEnv.GITLAB_SHELL_CONFIG_PATH;
      path = with pkgs; [
        gitAndTools.git
        openssh
      ];
+      preStart = ''
+        mkdir -p /run/gitlab
+        chown ${cfg.user}:${cfg.group} /run/gitlab
+      '';
      serviceConfig = {
+        PermissionsStartOnly = true; # preStart must be run as root
        Type = "simple";
-        User = "gitlab";
-        Group = "gitlab";
+        User = cfg.user;
+        Group = cfg.group;
        TimeoutSec = "300";
-        ExecStart = "${pkgs.gitlab-git-http-server}/bin/gitlab-git-http-server -listenUmask 0 -listenNetwork unix -listenAddr ${cfg.stateDir}/tmp/sockets/gitlab-git-http-server.socket -authBackend http://localhost:8080 ${cfg.stateDir}/repositories";
+        ExecStart =
+          "${pkgs.gitlab-workhorse}/bin/gitlab-workhorse "
+          + "-listenUmask 0 "
+          + "-listenNetwork unix "
+          + "-listenAddr /run/gitlab/gitlab-workhorse.socket "
+          + "-authSocket ${cfg.statePath}/tmp/sockets/gitlab.socket "
+          + "-documentRoot ${pkgs.gitlab}/share/gitlab/public";
      };
    };

    systemd.services.gitlab = {
      after = [ "network.target" "postgresql.service" "redis.service" ];
      wantedBy = [ "multi-user.target" ];
-      environment.HOME = "${cfg.stateDir}/home";
-      environment.GEM_HOME = gemHome;
-      environment.UNICORN_PATH = "${cfg.stateDir}/";
-      environment.GITLAB_PATH = "${pkgs.gitlab}/share/gitlab/";
-      environment.GITLAB_APPLICATION_LOG_PATH = "${cfg.stateDir}/log/application.log";
-      environment.GITLAB_SATELLITES_PATH = "${cfg.stateDir}/satellites";
-      environment.GITLAB_SHELL_PATH = "${pkgs.gitlab-shell}";
-      environment.GITLAB_SHELL_CONFIG_PATH = "${cfg.stateDir}/shell/config.yml";
-      environment.GITLAB_SHELL_SECRET_PATH = "${cfg.stateDir}/config/gitlab_shell_secret";
-      environment.GITLAB_REPOSITORIES_PATH = "${cfg.stateDir}/repositories";
-      environment.GITLAB_SHELL_HOOKS_PATH = "${cfg.stateDir}/shell/hooks";
-      environment.BUNDLE_GEMFILE = "${pkgs.gitlab}/share/gitlab/Gemfile";
-      environment.GITLAB_EMAIL_FROM = "${cfg.emailFrom}";
-      environment.GITLAB_HOST = "${cfg.host}";
-      environment.GITLAB_PORT = "${toString cfg.port}";
-      environment.GITLAB_DATABASE_HOST = "${cfg.databaseHost}";
-      environment.GITLAB_DATABASE_PASSWORD = "${cfg.databasePassword}";
-      environment.RAILS_ENV = "production";
+      environment = gitlabEnv;
      path = with pkgs; [
        config.services.postgresql.package
        gitAndTools.git
-        ruby
        openssh
        nodejs
+        sudo
      ];
      preStart = ''
-        # TODO: use env vars
-        mkdir -p ${cfg.stateDir}
-        mkdir -p ${cfg.stateDir}/log
-        mkdir -p ${cfg.stateDir}/satellites
-        mkdir -p ${cfg.stateDir}/repositories
-        mkdir -p ${cfg.stateDir}/shell/hooks
-        mkdir -p ${cfg.stateDir}/tmp/pids
-        mkdir -p ${cfg.stateDir}/tmp/sockets
-        rm -rf ${cfg.stateDir}/config
-        mkdir -p ${cfg.stateDir}/config
+        mkdir -p ${cfg.backupPath}
+        mkdir -p ${cfg.statePath}/builds
+        mkdir -p ${cfg.statePath}/repositories
+        mkdir -p ${gitlabConfig.production.shared.path}/artifacts
+        mkdir -p ${gitlabConfig.production.shared.path}/lfs-objects
+        mkdir -p ${cfg.statePath}/log
+        mkdir -p ${cfg.statePath}/shell
+        mkdir -p ${cfg.statePath}/tmp/pids
+        mkdir -p ${cfg.statePath}/tmp/sockets
+
+        rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks
+        mkdir -p ${cfg.statePath}/config ${cfg.statePath}/shell
+
        # TODO: What exactly is gitlab-shell doing with the secret?
-        tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c 20 > ${cfg.stateDir}/config/gitlab_shell_secret
-        mkdir -p ${cfg.stateDir}/home/.ssh
-        touch ${cfg.stateDir}/home/.ssh/authorized_keys
+        tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c 20 > ${cfg.statePath}/config/gitlab_shell_secret

-        cp -rf ${pkgs.gitlab}/share/gitlab/config ${cfg.stateDir}/
-        cp ${pkgs.gitlab}/share/gitlab/VERSION ${cfg.stateDir}/VERSION
+        # The uploads directory is hardcoded somewhere deep in rails. It is
+        # symlinked in the gitlab package to /run/gitlab/uploads to make it
+        # configurable
+        mkdir -p /run/gitlab
+        mkdir -p ${cfg.statePath}/uploads
+        ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads
+        chown -R ${cfg.user}:${cfg.group} /run/gitlab

-        ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.stateDir}/config/database.yml
-        ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.stateDir}/config/unicorn.rb
+        # Prepare home directory
+        mkdir -p ${gitlabEnv.HOME}/.ssh
+        touch ${gitlabEnv.HOME}/.ssh/authorized_keys
+        chown -R ${cfg.user}:${cfg.group} ${gitlabEnv.HOME}/
+        chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME}/

-        chown -R gitlab:gitlab ${cfg.stateDir}/
-        chmod -R 755 ${cfg.stateDir}/
+        cp -rf ${pkgs.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config
+        ln -sf ${cfg.statePath}/config /run/gitlab/config
+        cp ${pkgs.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION
+
+        # JSON is a subset of YAML
+        ln -fs ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)} ${cfg.statePath}/config/gitlab.yml
+        ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.statePath}/config/database.yml
+        ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.statePath}/config/unicorn.rb
+
+        chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/
+        chmod -R ug+rwX,o-rwx+X ${cfg.statePath}/
+
+        # Install the shell required to push repositories
+        ln -fs ${pkgs.writeText "config.yml" gitlabShellYml} "$GITLAB_SHELL_CONFIG_PATH"
+        ln -fs ${pkgs.gitlab-shell}/hooks "$GITLAB_SHELL_HOOKS_PATH"
+        ${pkgs.gitlab-shell}/bin/install

        if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
-          if ! test -e "${cfg.stateDir}/db-created"; then
-            psql postgres -c "CREATE ROLE gitlab WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
+          if ! test -e "${cfg.statePath}/db-created"; then
+            psql postgres -c "CREATE ROLE gitlab WITH LOGIN CREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
            ${config.services.postgresql.package}/bin/createdb --owner gitlab gitlab || true
-            touch "${cfg.stateDir}/db-created"
+            touch "${cfg.statePath}/db-created"

-            # force=yes disables the manual-interaction yes/no prompt
-            # which breaks without an stdin.
-            force=yes ${bundler}/bin/bundle exec rake -f ${pkgs.gitlab}/share/gitlab/Rakefile gitlab:setup RAILS_ENV=production
+            # The gitlab:setup task is horribly broken somehow, these two tasks will do the same for setting up the initial database
+            ${gitlab-runner}/bin/gitlab-runner exec rake db:migrate RAILS_ENV=production
+            ${gitlab-runner}/bin/gitlab-runner exec rake db:seed_fu RAILS_ENV=production \
+              GITLAB_ROOT_PASSWORD="${cfg.initialRootPassword}" GITLAB_ROOT_EMAIL="${cfg.initialRootEmail}";
          fi
        fi

-      ${bundler}/bin/bundle exec rake -f ${pkgs.gitlab}/share/gitlab/Rakefile db:migrate RAILS_ENV=production
-      # Install the shell required to push repositories
-      ln -fs ${pkgs.writeText "config.yml" gitlabShellYml} ${cfg.stateDir}/shell/config.yml
-      export GITLAB_SHELL_CONFIG_PATH=""${cfg.stateDir}/shell/config.yml
-      ${pkgs.gitlab-shell}/bin/install
+        # Always do the db migrations just to be sure the database is up-to-date
+        ${gitlab-runner}/bin/gitlab-runner exec rake db:migrate RAILS_ENV=production

-      # Change permissions in the last step because some of the
-      # intermediary scripts like to create directories as root.
-      chown -R gitlab:gitlab ${cfg.stateDir}/
-      chmod -R 755 ${cfg.stateDir}/
+        # Change permissions in the last step because some of the
+        # intermediary scripts like to create directories as root.
+        chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}
+        chmod -R u+rwX,go-rwx+X ${cfg.statePath}
      '';

      serviceConfig = {
        PermissionsStartOnly = true; # preStart must be run as root
        Type = "simple";
-        User = "gitlab";
-        Group = "gitlab";
+        User = cfg.user;
+        Group = cfg.group;
        TimeoutSec = "300";
        WorkingDirectory = "${pkgs.gitlab}/share/gitlab";
-        ExecStart="${bundler}/bin/bundle exec \"unicorn -c ${cfg.stateDir}/config/unicorn.rb -E production\"";
+        ExecStart="${bundler}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\"";
      };

    };
--- a/pkgs/applications/version-management/gitlab-git-http-server/default.nix
+++ b/pkgs/applications/version-management/gitlab-git-http-server/default.nix
@ -1,23 +0,0 @@
-{ stdenv, fetchgit, git, go }:
-
-stdenv.mkDerivation rec {
-  version = "0.2.14";
-  name = "gitlab-git-http-server-${version}";
-
-  srcs = fetchgit {
-    url = "https://gitlab.com/gitlab-org/gitlab-git-http-server.git";
-    rev = "7c63f08f7051348e56b903fc0bbefcfed398fc1c";
-    sha256 = "557d63a90c61371598b971a06bc056993610b58c2ef5762d9ef145ec2fdada78";
-  };
-
-  buildInputs = [ git go ];
-
-  buildPhase = ''
-    make PREFIX=$out
-  '';
-
-  installPhase = ''
-    mkdir -p $out/bin
-    make install PREFIX=$out
-  '';
-}
--- a/pkgs/applications/version-management/gitlab-shell/default.nix
+++ b/pkgs/applications/version-management/gitlab-shell/default.nix
@ -1,19 +1,22 @@
-{ stdenv, ruby, bundler, fetchgit }:
+{ stdenv, ruby, bundler, fetchFromGitLab }:

 stdenv.mkDerivation rec {
-  version = "2.1.0";
+  version = "2.6.10";
  name = "gitlab-shell-${version}";

-  srcs = fetchgit {
-    url = "https://gitlab.com/gitlab-org/gitlab-shell.git";
-    rev = "ebbb9d80811c23d49a7d1b75d7a7d2b8ffe7437b";
-    sha256 = "fe69ab85d75a3871b4afa11ebc17f43008d135bbdbd6c581f6bebee2a4a3c75d";
+  srcs = fetchFromGitLab {
+    owner = "gitlab-org";
+    repo = "gitlab-shell";
+    rev = "v${version}";
+    sha256 = "1f1ma49xpkan2iksnw9amzjdw6i0bxnzdbsk0329m7if4987vcqd";
  };

  buildInputs = [
    ruby bundler
  ];

+  patches = [ ./remove-hardcoded-locations.patch ];
+
  installPhase = ''
    mkdir -p $out/
    cp -R . $out/
--- a/pkgs/applications/version-management/gitlab-shell/remove-hardcoded-locations.patch
+++ b/pkgs/applications/version-management/gitlab-shell/remove-hardcoded-locations.patch
@ -0,0 +1,13 @@
+diff --git a/lib/gitlab_projects.rb b/lib/gitlab_projects.rb
+index c1d175a..7f7fd2f 100644
+--- a/lib/gitlab_projects.rb
+++ b/lib/gitlab_projects.rb
+@@ -5,7 +5,7 @@ require_relative 'gitlab_config'
+ require_relative 'gitlab_logger'
+ 
+ class GitlabProjects
+-  GLOBAL_HOOKS_DIRECTORY = File.join(ROOT_PATH, 'hooks')
+  GLOBAL_HOOKS_DIRECTORY = ENV['GITLAB_SHELL_HOOKS_PATH'] || File.join(ROOT_PATH, 'hooks')
+ 
+   # Project name is a directory name for repository with .git at the end
+   # It may be namespaced or not. Like repo.git or gitlab/repo.git
--- a/pkgs/applications/version-management/gitlab-workhorse/default.nix
+++ b/pkgs/applications/version-management/gitlab-workhorse/default.nix
@ -0,0 +1,26 @@
+{ stdenv, fetchFromGitLab, git, go }:
+
+stdenv.mkDerivation rec {
+  version = "0.6.4";
+  name = "gitlab-workhorse-${version}";
+
+  srcs = fetchFromGitLab {
+    owner = "gitlab-org";
+    repo = "gitlab-workhorse";
+    rev = version;
+    sha256 = "09bs3kdmqi6avdak2nqma141y4fhfv050zwqqx7qh9a9hgkgwjxw";
+  };
+
+  buildInputs = [ git go ];
+
+  patches = [ ./remove-hardcoded-paths.patch ];
+
+  buildPhase = ''
+    make PREFIX=$out
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    make install PREFIX=$out
+  '';
+}
--- a/pkgs/applications/version-management/gitlab-workhorse/remove-hardcoded-paths.patch
+++ b/pkgs/applications/version-management/gitlab-workhorse/remove-hardcoded-paths.patch
@ -0,0 +1,12 @@
+diff --git a/internal/git/command.go b/internal/git/command.go
+index 0e5496c..5778294 100644
+--- a/internal/git/command.go
+++ b/internal/git/command.go
+@@ -16,6 +16,7 @@ func gitCommand(gl_id string, name string, args ...string) *exec.Cmd {
+ 	cmd.Env = []string{
+ 		fmt.Sprintf("HOME=%s", os.Getenv("HOME")),
+ 		fmt.Sprintf("PATH=%s", os.Getenv("PATH")),
+		fmt.Sprintf("GITLAB_SHELL_CONFIG_PATH=%s", os.Getenv("GITLAB_SHELL_CONFIG_PATH")),
+ 		fmt.Sprintf("LD_LIBRARY_PATH=%s", os.Getenv("LD_LIBRARY_PATH")),
+ 		fmt.Sprintf("GL_ID=%s", gl_id),
+ 	}
--- a/pkgs/applications/version-management/gitlab/Gemfile
+++ b/pkgs/applications/version-management/gitlab/Gemfile
@ -1,14 +1,10 @@
 source "https://rubygems.org"

-def darwin_only(require_as)
-  RUBY_PLATFORM.include?('darwin') && require_as
-end
+gem 'rails', '4.2.5.1'
+gem 'rails-deprecated_sanitizer', '~> 1.0.3'

-def linux_only(require_as)
-  RUBY_PLATFORM.include?('linux') && require_as
-end
-
-gem 'rails', '4.1.12'
+# Responders respond_to and respond_with
+gem 'responders', '~> 2.0'

 # Specify a sprockets version due to security issue
 # See https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
@ -22,20 +18,27 @@ gem "mysql2", '~> 0.3.16', group: :mysql
 gem "pg", '~> 0.18.2', group: :postgres

 # Authentication libraries
-gem "devise", '~> 3.5.2'
-gem "devise-async", '~> 0.9.0'
-gem 'omniauth', "~> 1.2.2"
-gem 'omniauth-google-oauth2', '~> 0.2.5'
-gem 'omniauth-twitter', '~> 1.0.1'
-gem 'omniauth-github', '~> 1.1.1'
-gem 'omniauth-shibboleth', '~> 1.1.1'
-gem 'omniauth-kerberos', '~> 0.2.0', group: :kerberos
-gem 'omniauth-gitlab', '~> 1.0.0'
-gem 'omniauth-bitbucket', '~> 0.0.2'
-gem 'omniauth-saml', '~> 1.4.0'
-gem 'doorkeeper', '~> 2.1.3'
-gem 'omniauth_crowd'
-gem "rack-oauth2", "~> 1.0.5"
+gem 'devise',                 '~> 3.5.4'
+gem 'devise-async',           '~> 0.9.0'
+gem 'doorkeeper',             '~> 2.2.0'
+gem 'omniauth',               '~> 1.3.1'
+gem 'omniauth-azure-oauth2',  '~> 0.0.6'
+gem 'omniauth-bitbucket',     '~> 0.0.2'
+gem 'omniauth-cas3',          '~> 1.1.2'
+gem 'omniauth-facebook',      '~> 3.0.0'
+gem 'omniauth-github',        '~> 1.1.1'
+gem 'omniauth-gitlab',        '~> 1.0.0'
+gem 'omniauth-google-oauth2', '~> 0.2.0'
+gem 'omniauth-kerberos',      '~> 0.3.0', group: :kerberos
+gem 'omniauth-saml',          '~> 1.4.2'
+gem 'omniauth-shibboleth',    '~> 1.2.0'
+gem 'omniauth-twitter',       '~> 1.2.0'
+gem 'omniauth_crowd',         '~> 2.2.0'
+gem 'rack-oauth2',            '~> 1.2.1'
+
+# Spam and anti-bot protection
+gem 'recaptcha', require: 'recaptcha/rails'
+gem 'akismet', '~> 2.0'

 # Two-factor authentication
 gem 'devise-two-factor', '~> 2.0.0'
@ -47,7 +50,7 @@ gem "browser", '~> 1.0.0'

 # Extracting information from a git repository
 # Provide access to Gitlab::Git library
-gem "gitlab_git", '~> 7.2.15'
+gem "gitlab_git", '~> 8.2'

 # LDAP Auth
 # GitLab fork with several improvements to original library. For full list of changes
@ -55,32 +58,21 @@ gem "gitlab_git", '~> 7.2.15'
 gem 'gitlab_omniauth-ldap', '~> 1.2.1', require: "omniauth-ldap"

 # Git Wiki
-gem 'gollum-lib', '~> 4.0.2'
+gem 'gollum-lib', '~> 4.1.0'

 # Language detection
-# GitLab fork of linguist does not require pygments/python dependency.
-# New version of original gem also dropped pygments support but it has strict
-# dependency to unstable rugged version. We have internal issue for replacing
-# fork with original gem when we meet on same rugged version - https://dev.gitlab.org/gitlab/gitlabhq/issues/2052.
-gem "gitlab-linguist", "~> 3.0.1", require: "linguist"
+gem "github-linguist", "~> 4.7.0", require: "linguist"

 # API
-gem "grape", "~> 0.6.1"
-gem "grape-entity", "~> 0.4.2"
-gem 'rack-cors', '~> 0.2.9', require: 'rack/cors'
-
-# Format dates and times
-# based on human-friendly examples
-gem "stamp", '~> 0.5.0'
-
-# Enumeration fields
-gem 'enumerize', '~> 0.7.0'
+gem 'grape',        '~> 0.13.0'
+gem 'grape-entity', '~> 0.4.2'
+gem 'rack-cors',    '~> 0.4.0', require: 'rack/cors'

 # Pagination
-gem "kaminari", "~> 0.15.1"
+gem "kaminari", "~> 0.16.3"

 # HAML
-gem "haml-rails", '~> 0.5.3'
+gem "haml-rails", '~> 0.9.0'

 # Files attachments
 gem "carrierwave", '~> 0.9.0'
@ -89,7 +81,7 @@ gem "carrierwave", '~> 0.9.0'
 gem 'dropzonejs-rails', '~> 0.7.1'

 # for aws storage
-gem "fog", "~> 1.25.0"
+gem "fog", "~> 1.36.0"
 gem "unf", '~> 0.1.4'

 # Authorization
@ -102,13 +94,18 @@ gem "seed-fu", '~> 2.3.5'
 gem 'html-pipeline', '~> 1.11.0'
 gem 'task_list',     '~> 1.0.2', require: 'task_list/railtie'
 gem 'github-markup', '~> 1.3.1'
-gem 'redcarpet',     '~> 3.3.2'
+gem 'redcarpet',     '~> 3.3.3'
 gem 'RedCloth',      '~> 4.2.9'
 gem 'rdoc',          '~>3.6'
 gem 'org-ruby',      '~> 0.9.12'
-gem 'creole',        '~>0.3.6'
+gem 'creole',        '~> 0.5.0'
 gem 'wikicloth',     '0.8.1'
 gem 'asciidoctor',   '~> 1.5.2'
+gem 'rouge',         '~> 1.10.1'
+
+# See https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
+# and https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
+gem 'nokogiri', '~> 1.6.7', '>= 1.6.7.2'

 # Diffs
 gem 'diffy', '~> 3.0.3'
@ -120,7 +117,7 @@ group :unicorn do
 end

 # State machine
-gem "state_machine", '~> 1.2.0'
+gem "state_machines-activerecord", '~> 0.3.0'
 # Run events after state machine commits
 gem 'after_commit_queue'

@ -128,17 +125,16 @@ gem 'after_commit_queue'
 gem 'acts-as-taggable-on', '~> 3.4'

 # Background jobs
-gem 'slim', '~> 2.0.2'
 gem 'sinatra', '~> 1.4.4', require: nil
-gem 'sidekiq', '3.3.0'
-gem 'sidetiq', '~> 0.6.3'
+gem 'sidekiq', '~> 4.0'
+gem 'sidekiq-cron', '~> 0.4.0'
+gem 'redis-namespace'

 # HTTP requests
 gem "httparty", '~> 0.13.3'

 # Colored output to console
-gem "colored", '~> 1.2'
-gem "colorize", '~> 0.5.8'
+gem "colorize", '~> 0.7.0'

 # GitLab settings
 gem 'settingslogic', '~> 2.0.9'
@ -151,7 +147,7 @@ gem 'version_sorter', '~> 2.0.0'
 gem "redis-rails", '~> 4.0.0'

 # Campfire integration
-gem 'tinder', '~> 1.9.2'
+gem 'tinder', '~> 1.10.0'

 # HipChat integration
 gem 'hipchat', '~> 1.5.0'
@ -163,28 +159,32 @@ gem "gitlab-flowdock-git-hook", "~> 1.0.1"
 gem "gemnasium-gitlab-service", "~> 0.2"

 # Slack integration
-gem "slack-notifier", "~> 1.0.0"
+gem "slack-notifier", "~> 1.2.0"

 # Asana integration
-gem 'asana', '~> 0.0.6'
+gem 'asana', '~> 0.4.0'

 # FogBugz integration
 gem 'ruby-fogbugz', '~> 0.2.1'

 # d3
-gem 'd3_rails', '~> 3.5.5'
+gem 'd3_rails', '~> 3.5.0'

 #cal-heatmap
-gem "cal-heatmap-rails", "~> 0.0.1"
+gem 'cal-heatmap-rails', '~> 3.5.0'

 # underscore-rails
-gem "underscore-rails", "~> 1.4.4"
+gem "underscore-rails", "~> 1.8.0"

 # Sanitize user input
 gem "sanitize", '~> 2.0'
+gem 'babosa', '~> 1.0.2'
+
+# Sanitizes SVG input
+gem "loofah", "~> 2.0.3"

 # Protect against bruteforcing
-gem "rack-attack", '~> 4.3.0'
+gem "rack-attack", '~> 4.3.1'

 # Ace editor
 gem 'ace-rails-ap', '~> 2.0.1'
@ -193,38 +193,52 @@ gem 'ace-rails-ap', '~> 2.0.1'
 gem 'mousetrap-rails', '~> 1.4.6'

 # Detect and convert string character encoding
-gem 'charlock_holmes', '~> 0.6.9.4'
+gem 'charlock_holmes', '~> 0.7.3'

-gem "sass-rails", '~> 4.0.5'
+gem "sass-rails", '~> 5.0.0'
 gem "coffee-rails", '~> 4.1.0'
-gem "uglifier", '~> 2.3.2'
+gem "uglifier", '~> 2.7.2'
 gem 'turbolinks', '~> 2.5.0'
-gem 'jquery-turbolinks', '~> 2.0.1'
+gem 'jquery-turbolinks', '~> 2.1.0'

 gem 'addressable',        '~> 2.3.8'
-gem 'bootstrap-sass',     '~> 3.0'
+gem 'bootstrap-sass',     '~> 3.3.0'
 gem 'font-awesome-rails', '~> 4.2'
-gem 'gitlab_emoji',       '~> 0.1'
-gem 'gon',                '~> 5.0.0'
-gem 'jquery-atwho-rails', '~> 1.0.0'
-gem 'jquery-rails',       '~> 3.1.3'
+gem 'gitlab_emoji',       '~> 0.3.0'
+gem 'gon',                '~> 6.0.1'
+gem 'jquery-atwho-rails', '~> 1.3.2'
+gem 'jquery-rails',       '~> 4.0.0'
 gem 'jquery-scrollto-rails', '~> 1.4.3'
-gem 'jquery-ui-rails',    '~> 4.2.1'
-gem 'nprogress-rails',    '~> 0.1.2.3'
+gem 'jquery-ui-rails',    '~> 5.0.0'
+gem 'nprogress-rails',    '~> 0.1.6.7'
 gem 'raphael-rails',      '~> 2.1.2'
 gem 'request_store',      '~> 1.2.0'
 gem 'select2-rails',      '~> 3.5.9'
 gem 'virtus',             '~> 1.0.1'
+gem 'net-ssh',            '~> 3.0.1'
+
+# Sentry integration
+gem 'sentry-raven'
+
+# Metrics
+group :metrics do
+  gem 'allocations', '~> 1.0', require: false, platform: :mri
+  gem 'method_source', '~> 0.8', require: false
+  gem 'influxdb', '~> 0.2', require: false
+  gem 'connection_pool', '~> 2.0', require: false
+end

 group :development do
  gem "foreman"
-  gem 'brakeman', '3.0.1', require: false
+  gem 'brakeman', '~> 3.1.0', require: false

  gem "annotate", "~> 2.6.0"
  gem "letter_opener", '~> 1.1.2'
  gem 'quiet_assets', '~> 1.0.2'
-  gem 'rack-mini-profiler', '~> 0.9.0', require: false
-  gem 'rerun', '~> 0.10.0'
+  gem 'rerun', '~> 0.11.0'
+  gem 'bullet', require: false
+  gem 'rblineprof', platform: :mri, require: false
+  gem 'web-console', '~> 2.0'

  # Better errors handler
  gem 'better_errors', '~> 1.0.1'
@ -241,7 +255,7 @@ group :development, :test do
  gem 'byebug', platform: :mri
  gem 'pry-rails'

-  gem 'awesome_print', '~> 1.2.0'
+  gem 'awesome_print', '~> 1.2.0', require: false
  gem 'fuubar', '~> 2.0.0'

  gem 'database_cleaner', '~> 1.4.0'
@ -257,7 +271,7 @@ group :development, :test do

  gem 'capybara',            '~> 2.4.0'
  gem 'capybara-screenshot', '~> 1.0.0'
-  gem 'poltergeist',         '~> 1.6.0'
+  gem 'poltergeist',         '~> 1.8.1'

  gem 'teaspoon', '~> 1.0.0'
  gem 'teaspoon-jasmine', '~> 2.2.0'
@ -267,16 +281,21 @@ group :development, :test do
  gem 'spring-commands-spinach',  '~> 1.0.0'
  gem 'spring-commands-teaspoon', '~> 0.0.2'

-  gem 'rubocop',  '~> 0.28.0',  require: false
+  gem 'rubocop', '~> 0.35.0', require: false
  gem 'coveralls',  '~> 0.8.2', require: false
  gem 'simplecov', '~> 0.10.0', require: false
+  gem 'flog', require: false
+  gem 'flay', require: false
+  gem 'bundler-audit', require: false
+
+  gem 'benchmark-ips', require: false
 end

 group :test do
  gem 'shoulda-matchers', '~> 2.8.0', require: false
  gem 'email_spec', '~> 1.6.0'
  gem 'webmock', '~> 1.21.0'
-  gem 'test_after_commit', '~> 0.2.2'
+  gem 'test_after_commit', '~> 0.4.2'
  gem 'sham_rack'
 end

@ -284,12 +303,9 @@ group :production do
  gem "gitlab_meta", '7.0'
 end

-gem "newrelic_rpm", '~> 3.9.4.245'
-gem 'newrelic-grape'
+gem 'octokit', '~> 3.8.0'

-gem 'octokit', '~> 3.7.0'
-
-gem "mail_room", "~> 0.5.2"
+gem "mail_room", "~> 0.6.1"

 gem 'email_reply_parser', '~> 0.5.8'

@ -298,19 +314,10 @@ gem 'activerecord-deprecated_finders', '~> 1.0.3'
 gem 'activerecord-session_store', '~> 0.1.0'
 gem "nested_form", '~> 0.3.2'

-# Scheduled
-gem 'whenever', '~> 0.8.4', require: false
-
 # OAuth
 gem 'oauth2', '~> 1.0.0'

 # Soft deletion
 gem "paranoia", "~> 2.0"

-group :development, :test do
-  gem 'guard-rspec', '~> 4.2.0'
-
-  gem 'rb-fsevent', require: darwin_only('rb-fsevent')
-  gem 'growl',      require: darwin_only('growl')
-  gem 'rb-inotify', require: linux_only('rb-inotify')
-end
+gem "activerecord-nulldb-adapter"
--- a/pkgs/applications/version-management/gitlab/Gemfile.lock
+++ b/pkgs/applications/version-management/gitlab/Gemfile.lock
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@ -1,7 +1,10 @@
-{ stdenv, lib, bundler, fetchgit, bundlerEnv, defaultGemConfig, libiconv, ruby
+{ stdenv, lib, bundler, fetchFromGitHub, bundlerEnv, defaultGemConfig, libiconv, ruby
 , tzdata, git, nodejs, procps
 }:

+/* When updating the Gemfile add `gem "activerecord-nulldb-adapter"`
+   to allow building the assets without a database */
+
 let
  env = bundlerEnv {
    name = "gitlab";
@ -21,19 +24,23 @@ in

 stdenv.mkDerivation rec {
  name = "gitlab-${version}";
-  version = "8.0.5";
+  version = "8.5.0";
+
  buildInputs = [ ruby bundler tzdata git nodejs procps ];
-  src = fetchgit {
-    url = "https://github.com/gitlabhq/gitlabhq.git";
-    rev = "2866c501b5a5abb69d101cc07261a1d684b4bd4c";
-    fetchSubmodules = false;
-    sha256 = "edc6bedd5e79940189355d8cb343d20b0781b69fcef56ccae5906fa5e81ed521";
+
+  src = fetchFromGitHub {
+    owner = "gitlabhq";
+    repo = "gitlabhq";
+    rev = "v${version}";
+    sha256 = "1rhl906xnvpxkw3ngwfzi80cl3daihx5vizy04b9b39adyd3i5hl";
  };

  patches = [
    ./remove-hardcoded-locations.patch
    ./disable-dump-schema-after-migration.patch
+    ./nulladapter.patch
  ];
+
  postPatch = ''
    # For reasons I don't understand "bundle exec" ignores the
    # RAILS_ENV causing tests to be executed that fail because we're
@ -41,7 +48,6 @@ stdenv.mkDerivation rec {
    # tests works though.:
    rm lib/tasks/test.rake

-    mv config/gitlab.yml.example config/gitlab.yml
    rm config/initializers/gitlab_shell_secret_token.rb

    substituteInPlace app/controllers/admin/background_jobs_controller.rb \
@ -50,7 +56,7 @@ stdenv.mkDerivation rec {
    # required for some gems:
    cat > config/database.yml <<EOF
      production:
-        adapter: postgresql
+        adapter: <%= ENV["GITLAB_DATABASE_ADAPTER"] || sqlite %>
        database: gitlab
        host: <%= ENV["GITLAB_DATABASE_HOST"] || "127.0.0.1" %>
        password: <%= ENV["GITLAB_DATABASE_PASSWORD"] || "blerg" %>
@ -58,14 +64,22 @@ stdenv.mkDerivation rec {
        encoding: utf8
    EOF
  '';
+
  buildPhase = ''
    export GEM_HOME=${env}/${ruby.gemPath}
-    bundle exec rake assets:precompile RAILS_ENV=production
+    mv config/gitlab.yml.example config/gitlab.yml
+    GITLAB_DATABASE_ADAPTER=nulldb bundle exec rake assets:precompile RAILS_ENV=production
+    mv config/gitlab.yml config/gitlab.yml.example
+    mv config config.dist
  '';
+
  installPhase = ''
    mkdir -p $out/share
    cp -r . $out/share/gitlab
+    ln -sf /run/gitlab/uploads $out/share/gitlab/public/uploads
+    ln -sf /run/gitlab/config $out/share/gitlab/config
  '';
+
  passthru = {
    inherit env;
    inherit ruby;
--- a/pkgs/applications/version-management/gitlab/gemset.nix
+++ b/pkgs/applications/version-management/gitlab/gemset.nix
--- a/pkgs/applications/version-management/gitlab/nulladapter.patch
+++ b/pkgs/applications/version-management/gitlab/nulladapter.patch
@ -0,0 +1,29 @@
+index acd1874..f493451 100644
+--- a/Gemfile
+++ b/Gemfile
+@@ -318,3 +318,5 @@ gem 'oauth2', '~> 1.0.0'
+ 
+ # Soft deletion
+ gem "paranoia", "~> 2.0"
+
+gem "activerecord-nulldb-adapter"
+index 14d2c76..7a010f0 100644
+--- a/Gemfile.lock
+++ b/Gemfile.lock
+@@ -34,6 +34,8 @@ GEM
+       activesupport (= 4.2.5.1)
+       arel (~> 6.0)
+     activerecord-deprecated_finders (1.0.4)
+    activerecord-nulldb-adapter (0.3.2)
+      activerecord (>= 2.0.0)
+     activerecord-session_store (0.1.2)
+       actionpack (>= 4.0.0, < 5)
+       activerecord (>= 4.0.0, < 5)
+@@ -880,6 +882,7 @@ DEPENDENCIES
+   RedCloth (~> 4.2.9)
+   ace-rails-ap (~> 2.0.1)
+   activerecord-deprecated_finders (~> 1.0.3)
+  activerecord-nulldb-adapter
+   activerecord-session_store (~> 0.1.0)
+   acts-as-taggable-on (~> 3.4)
+   addressable (~> 2.3.8)
--- a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
+++ b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
@ -1,8 +1,8 @@
 diff --git a/config/environments/production.rb b/config/environments/production.rb
-index 3316ece..c34dec0 100644
+index 9095266..694a4c5 100644
 --- a/config/environments/production.rb
 +++ b/config/environments/production.rb
-@@ -67,10 +67,10 @@ Gitlab::Application.configure do
+@@ -67,10 +67,10 @@ Rails.application.configure do
 
   config.action_mailer.delivery_method = :sendmail
   # Defaults to:
@ -18,74 +18,10 @@ index 3316ece..c34dec0 100644
   config.action_mailer.raise_delivery_errors = true
 
 diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
-index 15930fc..bdb423c 100644
+index 05f127d..1daef74 100644
 --- a/config/gitlab.yml.example
 +++ b/config/gitlab.yml.example
-@@ -29,8 +29,8 @@ production: &base
-   ## GitLab settings
-   gitlab:
-     ## Web server settings (note: host is the FQDN, do not include http://)
-    host: localhost
-    port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
-+    host: <%= ENV['GITLAB_HOST'] || 'localhost' %>
-+    port: <%= ENV['GITLAB_PORT'] || 80 %>
-     https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
- 
-     # Uncommment this line below if your ssh host is different from HTTP/HTTPS one
-@@ -43,7 +43,7 @@ production: &base
-     # relative_url_root: /gitlab
- 
-     # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
-    # user: git
-+    user: gitlab
- 
-     ## Date & Time settings
-     # Uncomment and customize if you want to change the default time zone of GitLab application.
-@@ -54,7 +54,7 @@ production: &base
-     # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
-     # email_enabled: true
-     # Email address used in the "From" field in mails sent by GitLab
-    email_from: example@example.com
-+    email_from: <%= ENV['GITLAB_EMAIL_FROM'] %>
-     email_display_name: GitLab
-     email_reply_to: noreply@example.com
- 
-@@ -298,12 +298,12 @@ production: &base
-   # GitLab Satellites
-   satellites:
-     # Relative paths are relative to Rails.root (default: tmp/repo_satellites/)
-    path: /home/git/gitlab-satellites/
-+    path: <%= ENV['GITLAB_SATELLITES_PATH'] %>
-     timeout: 30
- 
-   ## Backup settings
-   backup:
-    path: "tmp/backups"   # Relative paths are relative to Rails.root (default: tmp/backups/)
-+    path: <%= ENV['GITLAB_BACKUP_PATH'] %>
-     # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
-     # keep_time: 604800   # default: 0 (forever) (in seconds)
-     # pg_schema: public     # default: nil, it means that all schemas will be backed up
-@@ -322,15 +322,15 @@ production: &base
- 
-   ## GitLab Shell settings
-   gitlab_shell:
-    path: /home/git/gitlab-shell/
-+    path: <%= ENV['GITLAB_SHELL_PATH'] %>
- 
-     # REPOS_PATH MUST NOT BE A SYMLINK!!!
-    repos_path: /home/git/repositories/
-    hooks_path: /home/git/gitlab-shell/hooks/
-+    repos_path: <%= ENV['GITLAB_REPOSITORIES_PATH'] %>
-+    hooks_path: <%= ENV['GITLAB_SHELL_HOOKS_PATH'] %>
- 
-     # File that contains the secret key for verifying access for gitlab-shell.
-     # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
-    # secret_file: /home/git/gitlab/.gitlab_shell_secret
-+    secret_file: <%= ENV['GITLAB_SHELL_SECRET_PATH'] %>
- 
-     # Git over HTTP
-     upload_pack: true
-@@ -343,7 +343,7 @@ production: &base
+@@ -423,7 +422,7 @@ production: &base
   # CAUTION!
   # Use the default values unless you really know what you are doing
   git:
@ -94,25 +30,82 @@ index 15930fc..bdb423c 100644
     # The next value is the maximum memory size grit can use
     # Given in number of bytes per git object (e.g. a commit)
     # This value can be increased if you have very large commits
-@@ -388,7 +388,7 @@ test:
-   gravatar:
-     enabled: true
-   gitlab:
-    host: localhost
-+    host: <%= ENV['GITLAB_HOST'] %>
-     port: 80
- 
-     # When you run tests we clone and setup gitlab-shell
-diff --git a/lib/gitlab/app_logger.rb b/lib/gitlab/app_logger.rb
-index dddcb25..d61f10a 100644
--- a/lib/gitlab/app_logger.rb
-+++ b/lib/gitlab/app_logger.rb
-@@ -1,7 +1,7 @@
- module Gitlab
-   class AppLogger < Gitlab::Logger
-     def self.file_name_noext
-      'application'
-+      ENV["GITLAB_APPLICATION_LOG_PATH"]
+
+diff --git a/lib/gitlab/logger.rb b/lib/gitlab/logger.rb
+index 59b2114..4f4a39a 100644
+--- a/lib/gitlab/logger.rb
+++ b/lib/gitlab/logger.rb
+@@ -13,20 +13,20 @@ module Gitlab
     end
 
-     def format_message(severity, timestamp, progname, msg)
+     def self.read_latest
+-      path = Rails.root.join("log", file_name)
+      path = File.join(ENV["GITLAB_LOG_PATH"], file_name)
+       self.build unless File.exist?(path)
+       tail_output, _ = Gitlab::Popen.popen(%W(tail -n 2000 #{path}))
+       tail_output.split("\n")
+     end
+ 
+     def self.read_latest_for(filename)
+-      path = Rails.root.join("log", filename)
+      path = File.join(ENV["GITLAB_LOG_PATH"], filename)
+       tail_output, _ = Gitlab::Popen.popen(%W(tail -n 2000 #{path}))
+       tail_output.split("\n")
+     end
+ 
+     def self.build
+-      new(Rails.root.join("log", file_name))
+      new(File.join(ENV["GITLAB_LOG_PATH"], file_name))
+     end
+   end
+ end
+diff --git a/lib/gitlab/uploads_transfer.rb b/lib/gitlab/uploads_transfer.rb
+index be8fcc7..7642d74 100644
+--- a/lib/gitlab/uploads_transfer.rb
+++ b/lib/gitlab/uploads_transfer.rb
+@@ -29,7 +29,7 @@ module Gitlab
+     end
+ 
+     def root_dir
+-      File.join(Rails.root, "public", "uploads")
+      ENV['GITLAB_UPLOADS_PATH'] || File.join(Rails.root, "public", "uploads")
+     end
+   end
+ end
+diff --git a/lib/tasks/gitlab/check.rake b/lib/tasks/gitlab/check.rake
+index 81099cb..a40b1ad 100644
+--- a/lib/tasks/gitlab/check.rake
+++ b/lib/tasks/gitlab/check.rake
+@@ -223,7 +223,7 @@ namespace :gitlab do
+     def check_log_writable
+       print "Log directory writable? ... "
+ 
+-      log_path = Rails.root.join("log")
+      log_path = ENV["GITLAB_LOG_PATH"]
+ 
+       if File.writable?(log_path)
+         puts "yes".green
+@@ -263,10 +263,12 @@ namespace :gitlab do
+     def check_uploads
+       print "Uploads directory setup correctly? ... "
+ 
+-      unless File.directory?(Rails.root.join('public/uploads'))
+      uploads_dir = ENV['GITLAB_UPLOADS_PATH'] || Rails.root.join('public/uploads')
+
+      unless File.directory?(uploads_dir)
+         puts "no".red
+         try_fixing_it(
+-          "sudo -u #{gitlab_user} mkdir -m 750 #{Rails.root}/public/uploads"
+          "sudo -u #{gitlab_user} mkdir -m 750 #{uploads_dir}"
+         )
+         for_more_information(
+           see_installation_guide_section "GitLab"
+@@ -275,7 +277,7 @@ namespace :gitlab do
+         return
+       end
+ 
+-      upload_path = File.realpath(Rails.root.join('public/uploads'))
+      upload_path = File.realpath(Rails.root.join(uploads_dir))
+       upload_path_tmp = File.join(upload_path, 'tmp')
+ 
+       if File.stat(upload_path).mode == 040750
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -1719,14 +1719,14 @@ let
  gitinspector = callPackage ../applications/version-management/gitinspector { };

  gitlab = callPackage ../applications/version-management/gitlab {
-    ruby = ruby_2_2_2;
+    ruby = ruby_2_2;
  };

  gitlab-shell = callPackage ../applications/version-management/gitlab-shell {
-    ruby = ruby_2_2_2;
+    ruby = ruby_2_2;
  };

-  gitlab-git-http-server = callPackage ../applications/version-management/gitlab-git-http-server { };
+  gitlab-workhorse = callPackage ../applications/version-management/gitlab-workhorse { };

  git-latexdiff = callPackage ../tools/typesetting/git-latexdiff { };