nixos/gitlab: Fix state directory permissions

Since the preStart script is no longer running in privileged mode, we reassign the files in the state directory and its config subdirectory to the user we're running as. This is done by splitting the preStart script into a privileged and an unprivileged part where the privileged part does the reassignment. Also, delete the database.yml symlink if it exists, since we want to create a real file in its place. Fixes #68696.
2019-09-14 01:38:54 +02:00 · 2019-09-14 01:38:54 +02:00 · 0f8133d633
commit 0f8133d633
parent ea5d2a0efa
1 changed files with 82 additions and 68 deletions
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -763,6 +763,20 @@ in {
        procps
        gnupg
      ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        TimeoutSec = "infinity";
+        Restart = "on-failure";
+        WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
+        ExecStartPre = let
+          preStartFullPrivileges = ''
+            shopt -s dotglob nullglob
+            chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/*
+            chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/config/*
+          '';
          preStart = ''
            cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION
            rm -rf ${cfg.statePath}/db/*
@ -784,6 +798,10 @@ in {

              ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret

+              if [[ -h '${cfg.statePath}/config/database.yml' ]]; then
+                rm '${cfg.statePath}/config/database.yml'
+              fi
+
              ${if cfg.databasePasswordFile != null then ''
                  export db_password="$(<'${cfg.databasePasswordFile}')"

@ -831,14 +849,10 @@ in {

            ${pkgs.git}/bin/git config --global core.autocrlf "input"
          '';
-
-      serviceConfig = {
-        Type = "simple";
-        User = cfg.user;
-        Group = cfg.group;
-        TimeoutSec = "infinity";
-        Restart = "on-failure";
-        WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
+        in [
+          "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}"
+          "${pkgs.writeShellScript "gitlab-pre-start" preStart}"
+        ];
        ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/unicorn -c ${cfg.statePath}/config/unicorn.rb -E production";
      };