authorFranz Pletz <fpletz@fnordicwalking.de>2016-08-17 13:16:32 +0200
committerFranz Pletz <fpletz@fnordicwalking.de>2016-08-17 13:17:47 +0200
commit131bc22b84464443d8e88a2392e91feb79a97e28 (patch)
tree94ef0e12eb653fbe91cb0d73bd2b886315fd251c /nixos/modules
parentcfb930c98515bb0c934784c78bfa869474bd3c28 (diff)
gitlab service: add option for db_key_base secret
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/misc/gitlab.nix19
-rw-r--r--nixos/modules/services/misc/gitlab.xml7
2 files changed, 26 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index df19efb55fd..33163d9789b 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -41,6 +41,11 @@ let
       namespace: resque:gitlab
   '';
 
+  secretsYml = ''
+    production:
+      db_key_base: ${cfg.secrets.db_key_base}
+  '';
+
   gitlabConfig = {
     # These are the default settings from config/gitlab.example.yml
     production = flip recursiveUpdate cfg.extraConfig {
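Review bot: Interpolating `${cfg.secrets.db_key_base}` into `secretsYml` puts the database encryption key into the Nix store once the hunk at L64 passes the string to `pkgs.writeText "secrets.yml"`, so the key is world-readable on the host and travels with the store path to any binary cache or remote builder; the `types.str` option added at L44 makes this string the only way to supply it. The `chown -R` at L67 does not change that, because `secrets.yml` is only a symlink to the store path. A safer shape is an option holding the path to a file that the preStart script reads at service start and installs into `${cfg.statePath}/config/secrets.yml` with mode 0600 owned by `${cfg.user}:${cfg.group}`, so the value never enters the store or the evaluated configuration. If the string option is kept, its description should say plainly that the value ends up in the world-readable Nix store so an operator can weigh that before pasting a production key.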
@@ -313,6 +318,19 @@ in {
         };
       };
 
+      secrets.db_key_base = mkOption {
+        type = types.str;
+        example = "";
+        description = ''
+          The db_key_base secrets is used to encrypt variables in the DB. If
+          you change or lose this key you will be unable to access variables
+          stored in database.
+
+          Make sure the secret is at least 30 characters and all random,
+          no regular words or you'll be exposed to dictionary attacks.
+        '';
+      };
+
       extraConfig = mkOption {
         type = types.attrs;
         default = {};
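Review bot: `example = "";` on L46 gives the reader nothing to go on; an obviously fake placeholder of the recommended length (for instance a string that spells out that it is a placeholder) would show the expected shape without inviting copy-paste of a real-looking value, and the first sentence of the description should read `The db_key_base secret is used to encrypt variables in the DB.` rather than "secrets is used". The description's "at least 30 characters and all random" guidance is a useful minimum; since GitLab reads this key at runtime, it would also help to state what the module does when the option is unset, which the hunk does not show (there is no `default`, so evaluation presumably fails, worth confirming).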
@@ -467,6 +485,7 @@ in {
         # JSON is a subset of YAML
         ln -fs ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)} ${cfg.statePath}/config/gitlab.yml
         ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.statePath}/config/database.yml
+        ln -fs ${pkgs.writeText "secrets.yml" secretsYml} ${cfg.statePath}/config/secrets.yml
         ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.statePath}/config/unicorn.rb
 
         chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/
diff --git a/nixos/modules/services/misc/gitlab.xml b/nixos/modules/services/misc/gitlab.xml
index a8147b3a74f..83f715a50b4 100644
--- a/nixos/modules/services/misc/gitlab.xml
+++ b/nixos/modules/services/misc/gitlab.xml
@@ -62,6 +62,7 @@ services.gitlab = {
     address = "localhost";
     port = 25;
   };
+  secrets.db_key_base = "ei3eeP1ohsh0uu3ad4YeeMeeheengah3AiZee2ohl4Ooj5mie4Ohl0vishoghaes";
   extraConfig = {
     gitlab = {
       email_from = "gitlab-no-reply@example.com";
@@ -74,6 +75,12 @@ services.gitlab = {
 </programlisting>
 </para>
 
+<para>If you're setting up a new Gitlab instance, generate a new
+<literal>db_key_base</literal> secret to encrypt sensible data in the
+database. If you're restoring an existing Gitlab instance, you must
+specify the <literal>db_key_base</literal> secret from
+<literal>config/secrets.yml</literal> in your Gitlab state folder.</para>
+
 <para>Refer to <xref linkend="ch-options" /> for all available configuration
 options for the <literal>services.gitlab</literal> module.</para>