authorKim Lindberger <kim.lindberger@gmail.com>2022-02-03 22:19:03 +0100
committerGitHub <noreply@github.com>2022-02-03 22:19:03 +0100
commit415b9c3b5a5e7867aaf5d2e4c145d440cf6316ed (patch)
treea8082638d6f2c4868372d7f3a14399072558499f /nixos
parentb00ecd5e3d4610fb61777ba7c0fe6a1da2b30cb6 (diff)
parentb65b9bf73cf49765e5802615b10c6eab7a2036a8 (diff)
Merge pull request #157519 from talyz/gitlab-error-handling
nixos/gitlab: Implement better script error handling
Diffstat (limited to 'nixos')
-rw-r--r--nixos/lib/utils.nix9
-rw-r--r--nixos/modules/services/misc/gitlab.nix22
2 files changed, 21 insertions, 10 deletions
diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix
index bbebf8ba35a..190c4db4d49 100644
--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@@ -149,10 +149,16 @@ rec {
       if [[ -h '${output}' ]]; then
         rm '${output}'
       fi
+
+      inherit_errexit_restore=$(shopt -p inherit_errexit)
+      shopt -s inherit_errexit
     ''
     + concatStringsSep
         "\n"
-        (imap1 (index: name: "export secret${toString index}=$(<'${secrets.${name}}')")
+        (imap1 (index: name: ''
+                  secret${toString index}=$(<'${secrets.${name}}')
+                  export secret${toString index}
+                '')
                (attrNames secrets))
     + "\n"
     + "${pkgs.jq}/bin/jq >'${output}' '"
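Review bot: The added save line `inherit_errexit_restore=$(shopt -p inherit_errexit)` can itself abort the caller. Bash documents that `shopt -p` on a named option returns non-zero when that option is off, and a bare assignment takes the exit status of its command substitution. A calling script that has `set -e` but has not enabled `inherit_errexit` would therefore exit on this line, before any secret is read. Appending `|| true`, as in `inherit_errexit_restore=$(shopt -p inherit_errexit) || true`, still captures the restore command and ignores the status. The snippet's string continues past this hunk, where the saved command is run.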
@@ -164,6 +170,7 @@ rec {
       ' <<'EOF'
       ${builtins.toJSON set}
       EOF
+      $inherit_errexit_restore
     '';
 
   systemdUtils = {
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 6f6a9e3110a..19f270d373f 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -1131,8 +1131,8 @@ in {
 
         ExecStartPre = let
           preStartFullPrivileges = ''
-            shopt -s dotglob nullglob
-            set -eu
+            set -o errexit -o pipefail -o nounset
+            shopt -s dotglob nullglob inherit_errexit
 
             chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/*
             if [[ -n "$(ls -A '${cfg.statePath}'/config/)" ]]; then
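Review bot: The `$(ls -A …/config/)` test on the last line of this hunk is not covered by the stricter options added above it, because bash ignores errexit (and with it inherit_errexit) for commands that form an `if` condition. If `ls` fails, the substitution is empty and the branch is skipped without stopping a script that runs with full privileges. If a missing or unreadable config directory should be an error, follow the assign-then-use pattern this commit applies to the secret reads: `config_entries="$(ls -A '${cfg.statePath}'/config/)"` on its own line, then `if [[ -n "$config_entries" ]]; then`. The body of the `if` lies outside the hunk.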
@@ -1142,7 +1142,8 @@ in {
         in "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}";
 
         ExecStart = pkgs.writeShellScript "gitlab-config" ''
-          set -eu
+          set -o errexit -o pipefail -o nounset
+          shopt -s inherit_errexit
 
           umask u=rwx,g=rx,o=
 
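Review bot: Nothing next to the new `shopt -s inherit_errexit` line says why it is needed, and the same preamble is repeated without comment in the gitlab-pre-start-full-privileges and gitlab-db-config hunks. A short comment would record the reason, for example `# inherit_errexit: a failing $(...) now aborts the script instead of yielding an empty value`. It is also worth stating there that `export name="$(...)"` hides the substitution's exit status, which is why the later hunks assign first and export on a separate line. The script body continues outside this hunk.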
@@ -1171,7 +1172,8 @@ in {
             rm -f '${cfg.statePath}/config/database.yml'
 
             ${if cfg.databasePasswordFile != null then ''
-                export db_password="$(<'${cfg.databasePasswordFile}')"
+                db_password="$(<'${cfg.databasePasswordFile}')"
+                export db_password
 
                 if [[ -z "$db_password" ]]; then
                   >&2 echo "Database password was an empty string!"
@@ -1195,10 +1197,11 @@ in {
 
             rm -f '${cfg.statePath}/config/secrets.yml'
 
-            export secret="$(<'${cfg.secrets.secretFile}')"
-            export db="$(<'${cfg.secrets.dbFile}')"
-            export otp="$(<'${cfg.secrets.otpFile}')"
-            export jws="$(<'${cfg.secrets.jwsFile}')"
+            secret="$(<'${cfg.secrets.secretFile}')"
+            db="$(<'${cfg.secrets.dbFile}')"
+            otp="$(<'${cfg.secrets.otpFile}')"
+            jws="$(<'${cfg.secrets.jwsFile}')"
+            export secret db otp jws
             jq -n '{production: {secret_key_base: $ENV.secret,
                     otp_key_base: $ENV.otp,
                     db_key_base: $ENV.db,
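Review bot: `export secret db otp jws` leaves all four key bases in the script's environment, so every child process started after this point inherits them, not only the `jq` call that reads them through `$ENV`. A per-command environment limits the exposure to that one process: drop the `export` line and start the command with `secret="$secret" db="$db" otp="$otp" jws="$jws" jq -n …`. The `export db_password` line in the database.yml hunk above follows the same pattern, although its consumer is not visible there. The jq invocation ends outside this hunk, so it cannot be confirmed from here whether anything later in the script relies on these exports.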
@@ -1232,7 +1235,8 @@ in {
         RemainAfterExit = true;
 
         ExecStart = pkgs.writeShellScript "gitlab-db-config" ''
-          set -eu
+          set -o errexit -o pipefail -o nounset
+          shopt -s inherit_errexit
           umask u=rwx,g=rx,o=
 
           initial_root_password="$(<'${cfg.initialRootPasswordFile}')"