diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index 58ab7207f53..e4dcc90cdd3 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -484,6 +484,35 @@
(citrix_workspace).
+
+
+ The services.gitlab module has had its literal secret options (,
+ ,
+ ,
+ ,
+ ,
+ and
+ ) replaced by file-based versions (,
+ ,
+ ,
+ ,
+ ,
+ and
+ ). This was done so that secrets aren't stored
+ in the world-readable nix store, but means that for each option you'll have to create a file with
+ the same exact string, add "File" to the end of the option name, and change the definition to a
+ string pointing to the corresponding file; e.g. services.gitlab.databasePassword = "supersecurepassword"
+ becomes services.gitlab.databasePasswordFile = "/path/to/secret_file" where the
+ file secret_file contains the string supersecurepassword.
+
+
+ The state path () now has the following restriction:
+ no parent directory can be owned by any other user than root or the user
+ specified in ; i.e. if
+ is set to /var/lib/gitlab/state, gitlab and all parent directories
+ must be owned by either root or the user specified in .
+
+
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 1e1eb0fd9a1..4c1ffead00c 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -223,7 +223,15 @@ in {
statePath = mkOption {
type = types.str;
default = "/var/gitlab/state";
- description = "Gitlab state directory, logs are stored here.";
+ description = ''
+ Gitlab state directory. Configuration, repositories and
+ logs, among other things, are stored here.
+
+ The directory will be created automatically if it doesn't
+ exist already. Its parent directories must be owned by
+ either root or the user set in
+ .
+ '';
};
backupPath = mkOption {
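Review bot: The new `statePath` description states the ownership requirement on parent directories but not why it exists or what happens when it is not met. Because the default is still `/var/gitlab/state`, an existing host whose `/var/gitlab` is owned by some other account is affected without any change to its configuration. I would add a sentence after the requirement, such as `This prevents other local users from renaming or replacing the state directory.`, and a second one naming the actual failure mode. The hunk does not show how the requirement is enforced, so the rationale above is inferred and should be checked against the enforcing code. The surrounding options set opens and closes outside this hunk.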