From a3ec5dce2bcc7b346acd7a507821dc2bc105fbac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristoffer=20Th=C3=B8mt=20Ravneberg?=
Date: Thu, 8 Nov 2018 13:11:19 +0100
Subject: [PATCH 1/2] gitlab-shell: don't hardcode gitlab-shell paths in authorized_keys
---
 .../gitlab-shell/remove-hardcoded-locations.patch | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/pkgs/applications/version-management/gitlab/gitlab-shell/remove-hardcoded-locations.patch b/pkgs/applications/version-management/gitlab/gitlab-shell/remove-hardcoded-locations.patch
index 6d29f5f9e6c5..3d381404c63b 100644
--- a/pkgs/applications/version-management/gitlab/gitlab-shell/remove-hardcoded-locations.patch
+++ b/pkgs/applications/version-management/gitlab/gitlab-shell/remove-hardcoded-locations.patch
@@ -43,3 +43,16 @@ index 57c70f5..700569b 100644
 end
 def api
+diff --git a/lib/gitlab_keys.rb b/lib/gitlab_keys.rb
+index 0600a18..6814f0a 100644
+--- a/lib/gitlab_keys.rb
++++ b/lib/gitlab_keys.rb
+@@ -10,7 +10,7 @@ class GitlabKeys # rubocop:disable Metrics/ClassLength
+ attr_accessor :auth_file, :key
+
+ def self.command(whatever)
+- "#{ROOT_PATH}/bin/gitlab-shell #{whatever}"
++ "/run/current-system/sw/bin/gitlab-shell #{whatever}"
+ end
+
+ def self.command_key(key_id)
From 3caeeabb1484358b5d6d63f346767dc1764c424a Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Wed, 28 Nov 2018 19:16:33 +0100
Subject: [PATCH 2/2] gitlab: stop regenerating the authorized_keys file
---
 nixos/doc/manual/release-notes/rl-1903.xml | 18 ++++++++++++++++--
 nixos/modules/services/misc/gitlab.nix | 4 ----
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index cedd5fc21c6d..376a5355f7c9 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
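Review bot: In the `lib/gitlab_keys.rb` hunk of patch 1/2, `self.command` now writes the literal `/run/current-system/sw/bin/gitlab-shell` into every `authorized_keys` forced command, with no comment saying what that path depends on. The path only resolves if gitlab-shell is installed into the system profile, and it runs whichever gitlab-shell build is linked there rather than the one the service was configured with. Nothing visible in this series shows the module guaranteeing that, so it is worth confirming. I would add a comment above the string such as `# Stable profile path so authorized_keys survives store GC; requires gitlab-shell in the system profile.` The release note in patch 2/2 spells the path `/var/run/current-system/sw/bin/gitlab-shell`, so the two spellings should be made to agree; the rest of `GitlabKeys` lies outside the hunk.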
@@ -241,8 +241,22 @@ (networking.firewall.interfaces.default.*), and assigning to this pseudo device will override the (networking.firewall.allow*) options. - - + + + + + GitLab Shell previously used the nix store paths for the + gitlab-shell command in its + authorized_keys file, which might stop working after + garbage collection. To circumvent that, we regenerated that file on each + startup. As gitlab-shell has now been changed to use + /var/run/current-system/sw/bin/gitlab-shell, this is + not necessary anymore, but there might be leftover lines with a nix store + path. Regenerate the authorized_keys file via + sudo -u git -H gitlab-rake gitlab:shell:setup in that + case. + +
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 07adf58c9b26..769a9526cf64 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -609,10 +609,6 @@ in {
 touch "${cfg.statePath}/db-seeded"
 fi
- # The gitlab:shell:setup regenerates the authorized_keys file so that
- # the store path to the gitlab-shell in it gets updated
- ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H force=yes ${gitlab-rake}/bin/gitlab-rake gitlab:shell:setup
-
 # The gitlab:shell:create_hooks task seems broken for fixing links
 # so we instead delete all the hooks and create them anew
 rm -f ${cfg.statePath}/repositories/**/*.git/hooks