gitlab service: add option for db_key_base secret

2024-11-11 15:27:20 +03:00 · 2016-08-17 13:16:32 +02:00 · 2016-08-17 13:16:32 +02:00 · 131bc22b84
commit 131bc22b84
parent cfb930c985
3 changed files with 27 additions and 0 deletions
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -41,6 +41,11 @@ let
      namespace: resque:gitlab
  '';

+  secretsYml = ''
+    production:
+      db_key_base: ${cfg.secrets.db_key_base}
+  '';
+
  gitlabConfig = {
    # These are the default settings from config/gitlab.example.yml
    production = flip recursiveUpdate cfg.extraConfig {
@ -313,6 +318,19 @@ in {
        };
      };

+      secrets.db_key_base = mkOption {
+        type = types.str;
+        example = "";
+        description = ''
+          The db_key_base secrets is used to encrypt variables in the DB. If
+          you change or lose this key you will be unable to access variables
+          stored in database.
+
+          Make sure the secret is at least 30 characters and all random,
+          no regular words or you'll be exposed to dictionary attacks.
+        '';
+      };
+
      extraConfig = mkOption {
        type = types.attrs;
        default = {};
@ -467,6 +485,7 @@ in {
        # JSON is a subset of YAML
        ln -fs ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)} ${cfg.statePath}/config/gitlab.yml
        ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.statePath}/config/database.yml
+        ln -fs ${pkgs.writeText "secrets.yml" secretsYml} ${cfg.statePath}/config/secrets.yml
        ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.statePath}/config/unicorn.rb

        chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/
--- a/nixos/modules/services/misc/gitlab.xml
+++ b/nixos/modules/services/misc/gitlab.xml
@ -62,6 +62,7 @@ services.gitlab = {
    address = "localhost";
    port = 25;
  };
+  secrets.db_key_base = "ei3eeP1ohsh0uu3ad4YeeMeeheengah3AiZee2ohl4Ooj5mie4Ohl0vishoghaes";
  extraConfig = {
    gitlab = {
      email_from = "gitlab-no-reply@example.com";
@ -74,6 +75,12 @@ services.gitlab = {
 </programlisting>
 </para>

+<para>If you're setting up a new Gitlab instance, generate a new
+<literal>db_key_base</literal> secret to encrypt sensible data in the
+database. If you're restoring an existing Gitlab instance, you must
+specify the <literal>db_key_base</literal> secret from
+<literal>config/secrets.yml</literal> in your Gitlab state folder.</para>
+
 <para>Refer to <xref linkend="ch-options" /> for all available configuration
 options for the <literal>services.gitlab</literal> module.</para>

--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@ -70,6 +70,7 @@ stdenv.mkDerivation rec {
      SKIP_STORAGE_VALIDATION=true \
      rake assets:precompile RAILS_ENV=production
    mv config/gitlab.yml config/gitlab.yml.example
+    rm config/secrets.yml
    mv config config.dist
  '';