-rw-r--r-- | nixos/modules/services/misc/gitlab.nix | 19 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitlab.xml | 7 | ||||
-rw-r--r-- | pkgs/applications/version-management/gitlab/default.nix | 1 |
3 files changed, 27 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index df19efb55fd..33163d9789b 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -41,6 +41,11 @@ let
 namespace: resque:gitlab
 '';
+ secretsYml = ''
+ production:
+ db_key_base: ${cfg.secrets.db_key_base}
+ '';
+
 gitlabConfig = {
 # These are the default settings from config/gitlab.example.yml
 production = flip recursiveUpdate cfg.extraConfig {
@@ -313,6 +318,19 @@ in {
 };
 };
+ secrets.db_key_base = mkOption {
+ type = types.str;
+ example = "";
+ description = ''
+ The db_key_base secrets is used to encrypt variables in the DB. If
+ you change or lose this key you will be unable to access variables
+ stored in database.
+
+ Make sure the secret is at least 30 characters and all random,
+ no regular words or you'll be exposed to dictionary attacks.
+ '';
+ };
+
 extraConfig = mkOption {
 type = types.attrs;
 default = {};
@@ -467,6 +485,7 @@ in {
 # JSON is a subset of YAML
 ln -fs ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)} ${cfg.statePath}/config/gitlab.yml
 ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.statePath}/config/database.yml
+ ln -fs ${pkgs.writeText "secrets.yml" secretsYml} ${cfg.statePath}/config/secrets.yml
 ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.statePath}/config/unicorn.rb
 chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/
diff --git a/nixos/modules/services/misc/gitlab.xml b/nixos/modules/services/misc/gitlab.xml
index a8147b3a74f..83f715a50b4 100644
--- a/nixos/modules/services/misc/gitlab.xml
+++ b/nixos/modules/services/misc/gitlab.xml
@@ -62,6 +62,7 @@ services.gitlab = {
 address = "localhost";
 port = 25;
 };
+ secrets.db_key_base = "ei3eeP1ohsh0uu3ad4YeeMeeheengah3AiZee2ohl4Ooj5mie4Ohl0vishoghaes";
 extraConfig = {
 gitlab = {
 email_from = "gitlab-no-reply@example.com";
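Review bot: `db_key_base: ${cfg.secrets.db_key_base}` interpolates the secret into a Nix string, and the third hunk of this file passes that string to `pkgs.writeText "secrets.yml" secretsYml`, so the key ends up as a world-readable file in the Nix store; the `chown -R` that follows the `ln -fs` only changes the symlink, not the store path it points to. Any local user, and anyone with access to a binary cache the system closure is pushed to, can read the key, which defeats the purpose of encrypting the variables. Consider taking a path to a file that is read at service start and written under `${cfg.statePath}/config` with mode 0600 instead of a string option. Separately, the value is emitted as an unquoted YAML scalar, so a random key containing ` #` or `: ` would be truncated or mis-parsed; building it the way `gitlab.yml` is built, `secretsYml = builtins.toJSON { production.db_key_base = cfg.secrets.db_key_base; };`, avoids that. The enclosing `let` block starts before this hunk.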
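Review bot: `example = "";` on the new `secrets.db_key_base` option contradicts the description's own "at least 30 characters" requirement and will be rendered verbatim in the options manual; either drop `example` or use an obviously placeholder value such as `example = "<64 random alphanumeric characters>";`. The description has a typo, `The db_key_base secrets is used` should read `The db_key_base secret is used`, and it would help to state there that the value is written to a file the service reads rather than kept in memory. Because `types.str` accepts the empty string and there is no default, a user who sets `""` gets a successful evaluation and an empty key; an assertion like `stringLength cfg.secrets.db_key_base >= 30` would enforce what the description asks for. The manual example in gitlab.xml uses a value that reads like a real key; a clearly fake placeholder there would discourage copy-pasting it.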
@@ -74,6 +75,12 @@ services.gitlab = {
 </programlisting>
 </para>
+<para>If you're setting up a new Gitlab instance, generate a new
+<literal>db_key_base</literal> secret to encrypt sensible data in the
+database. If you're restoring an existing Gitlab instance, you must
+specify the <literal>db_key_base</literal> secret from
+<literal>config/secrets.yml</literal> in your Gitlab state folder.</para>
+
 <para>Refer to <xref linkend="ch-options" /> for all available configuration options for the <literal>services.gitlab</literal> module.</para>
diff --git a/pkgs/applications/version-management/gitlab/default.nix b/pkgs/applications/version-management/gitlab/default.nix
index 19ba21e9e76..453bae3613c 100644
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@@ -70,6 +70,7 @@ stdenv.mkDerivation rec {
 SKIP_STORAGE_VALIDATION=true \
 rake assets:precompile RAILS_ENV=production
 mv config/gitlab.yml config/gitlab.yml.example
+ rm config/secrets.yml
 mv config config.dist
 '';
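Review bot: `rm config/secrets.yml` carries no comment saying why a file produced by the build is deleted, so a later reader cannot tell whether it holds a key generated during `rake assets:precompile` (which the accompanying module change, now supplying `secrets.yml` itself, suggests) or is simply unused. A one-line comment above it, such as `# secrets.yml is generated with a random key during the build and must not be shipped in the store; the NixOS module provides it`, would make the intent durable. If some releases do not create the file, `rm -f config/secrets.yml` avoids failing the build on its absence. The enclosing phase string begins before this hunk.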