diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index f86653f3ead..38a541485e5 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -588,7 +588,7 @@ in {
 the DB. If you change or lose this key you will be unable to access variables stored in database.
- Make sure the secret is at least 30 characters and all random,
+ Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are
@@ -604,7 +604,7 @@ in {
 the DB. If you change or lose this key you will be unable to access variables stored in database.
- Make sure the secret is at least 30 characters and all random,
+ Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are
@@ -620,7 +620,7 @@ in {
 tokens. If you change or lose this key, users which have 2FA enabled for login won't be able to login anymore.
- Make sure the secret is at least 30 characters and all random,
+ Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are
diff --git a/nixos/tests/gitlab.nix b/nixos/tests/gitlab.nix
index 582f5faf9bc..af2ab12bf4b 100644
--- a/nixos/tests/gitlab.nix
+++ b/nixos/tests/gitlab.nix
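Review bot: The raised minimum in the secret descriptions (this hunk and the two that follow at -604 and -620) is still phrased in "characters", while the patch this commit adds to the GitLab package describes a 32 byte key for aes-256-gcm; for a value containing non-ASCII characters the two differ, and a 32-character string can be more than 32 bytes. Naming the unit that actually matters removes the ambiguity, e.g. `Make sure the secret is at least 32 bytes (32 random ASCII characters) and all random,`. If the backported change derives the key from only the first 32 bytes, the description could also say that bytes beyond the first 32 add no entropy — I cannot tell from the hunk how the key is derived, so this is worth confirming against the patch. The patch comment mentions only db_key_base, so whether the 32 figure is required for the other two secrets or is a consistency change is also unclear from the diff. The option definitions these descriptions belong to start outside the hunks.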
@@ -57,9 +57,9 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; {
 };
 };
 secrets = {
- secretFile = pkgs.writeText "secret" "r8X9keSKynU7p4aKlh4GO1Bo77g5a7vj";
- otpFile = pkgs.writeText "otpsecret" "Zu5hGx3YvQx40DvI8WoZJQpX2paSDOlG";
- dbFile = pkgs.writeText "dbsecret" "lsGltKWTejOf6JxCVa7nLDenzkO9wPLR";
+ secretFile = pkgs.writeText "secret" "Aig5zaic";
+ otpFile = pkgs.writeText "otpsecret" "Riew9mue";
+ dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
 jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
 };
 };
diff --git a/pkgs/applications/version-management/gitlab/default.nix b/pkgs/applications/version-management/gitlab/default.nix
index 5d2b923628b..89a2ac6ec95 100644
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, fetchFromGitLab, bundlerEnv
+{ stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
 , ruby, tzdata, git, nettools, nixosTests, nodejs, openssl
 , gitlabEnterprise ? false, callPackage, yarn
 , fixup_yarn_lock, replace, file
@@ -125,6 +125,15 @@ stdenv.mkDerivation {
 patches = [
 # Change hardcoded paths to the NixOS equivalent
 ./remove-hardcoded-locations.patch
+
+ # Use the exactly 32 byte long version of db_key_base with
+ # aes-256-gcm, see
+ # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
+ (fetchpatch {
+ name = "secrets_db_key_base_length.patch";
+ url = "https://gitlab.com/gitlab-org/gitlab/-/commit/dea620633d446ca0f53a75674454ff0dd4bd8f99.patch";
+ sha256 = "19m4z4np3sai9kqqqgabl44xv7p8lkcyqr6s5471axfxmf9m2023";
+ })
 ];
 postPatch = ''
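Review bot: The three replacement values under `secrets` are 8 characters long, which contradicts the "at least 32 characters" minimum this same commit writes into the module description, and nothing in the test says why. If the short values are deliberate — presumably to exercise the handling of db_key_base values shorter than 32 bytes that the backported patch adds — that intent should be recorded so the fixture is not later "corrected" back to documented-length secrets and the coverage silently lost; a comment above `secretFile` such as `# Deliberately shorter than the documented 32-character minimum so the test covers GitLab's handling of short key material.` would do. If they are not deliberate, the previous 32-character values should be restored. Only `dbFile` feeds db_key_base as far as the patch comment states, so whether shortening `secretFile` and `otpFile` as well is intended is worth a word either way.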
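Review bot: The new `fetchpatch` entry in `patches` references the upstream merge request but not the GitLab release that contains it, so nothing tells the next person who bumps the package when the backport becomes redundant or starts failing to apply. Adding that to the comment, e.g. `# TODO: drop once the packaged GitLab version includes MR 53602` (with the concrete release filled in if known), makes the removal point explicit. Pinning the patch by commit URL plus `sha256` is the right shape for a backported key-handling fix; the hash covers fetchpatch's normalized output rather than the raw download, so it should be regenerated through fetchpatch rather than taken from a direct fetch of the `.patch` file.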