gitlab service: add option for db_key_base secret
parent
cfb930c985
commit
131bc22b84
@ -41,6 +41,11 @@ let
|
||||
namespace: resque:gitlab
|
||||
'';
|
||||
|
||||
secretsYml = ''
|
||||
production:
|
||||
db_key_base: ${cfg.secrets.db_key_base}
|
||||
'';
|
||||
|
||||
gitlabConfig = {
|
||||
# These are the default settings from config/gitlab.example.yml
|
||||
production = flip recursiveUpdate cfg.extraConfig {
|
||||
@ -313,6 +318,19 @@ in {
|
||||
};
|
||||
};
|
||||
|
||||
secrets.db_key_base = mkOption {
|
||||
type = types.str;
|
||||
example = "";
|
||||
description = ''
|
||||
The db_key_base secrets is used to encrypt variables in the DB. If
|
||||
you change or lose this key you will be unable to access variables
|
||||
stored in database.
|
||||
|
||||
Make sure the secret is at least 30 characters and all random,
|
||||
no regular words or you'll be exposed to dictionary attacks.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.attrs;
|
||||
default = {};
|
||||
@ -467,6 +485,7 @@ in {
|
||||
# JSON is a subset of YAML
|
||||
ln -fs ${pkgs.writeText "gitlab.yml" (builtins.toJSON gitlabConfig)} ${cfg.statePath}/config/gitlab.yml
|
||||
ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.statePath}/config/database.yml
|
||||
ln -fs ${pkgs.writeText "secrets.yml" secretsYml} ${cfg.statePath}/config/secrets.yml
|
||||
ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.statePath}/config/unicorn.rb
|
||||
|
||||
chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/
|
||||
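Review bot: `secretsYml` is rendered with `pkgs.writeText` and only symlinked to `${cfg.statePath}/config/secrets.yml`, so the value of `secrets.db_key_base` ends up as a file in the Nix store, which every local user can read. Because the option is a plain `types.str`, the key also lives in the system configuration and in any repository or backup that holds it. Consider accepting a path to a key file kept outside the store and writing `secrets.yml` into the state directory at service start with owner-only permissions; at the least the option description should carry the caveat, e.g. `Warning: this value is copied into the world-readable Nix store.` The interpolation `db_key_base: ${cfg.secrets.db_key_base}` is also unquoted, so a value containing `#` or `: ` would be misparsed as YAML, and `example = "";` contradicts the 30-character advice in the description. The `let` block and the preStart script both continue outside the hunks shown.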
|
@ -62,6 +62,7 @@ services.gitlab = {
|
||||
address = "localhost";
|
||||
port = 25;
|
||||
};
|
||||
secrets.db_key_base = "ei3eeP1ohsh0uu3ad4YeeMeeheengah3AiZee2ohl4Ooj5mie4Ohl0vishoghaes";
|
||||
extraConfig = {
|
||||
gitlab = {
|
||||
email_from = "gitlab-no-reply@example.com";
|
||||
@ -74,6 +75,12 @@ services.gitlab = {
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<para>If you're setting up a new Gitlab instance, generate a new
|
||||
<literal>db_key_base</literal> secret to encrypt sensible data in the
|
||||
database. If you're restoring an existing Gitlab instance, you must
|
||||
specify the <literal>db_key_base</literal> secret from
|
||||
<literal>config/secrets.yml</literal> in your Gitlab state folder.</para>
|
||||
|
||||
<para>Refer to <xref linkend="ch-options" /> for all available configuration
|
||||
options for the <literal>services.gitlab</literal> module.</para>
|
||||
|
||||
|
@ -70,6 +70,7 @@ stdenv.mkDerivation rec {
|
||||
SKIP_STORAGE_VALIDATION=true \
|
||||
rake assets:precompile RAILS_ENV=production
|
||||
mv config/gitlab.yml config/gitlab.yml.example
|
||||
rm config/secrets.yml
|
||||
mv config config.dist
|
||||
'';
|
||||
|
||||
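Review bot: The `rm config/secrets.yml` step has no comment explaining why the file is dropped from the package output. Presumably it is created during `rake assets:precompile`, and removing it keeps a build-time key out of the store and leaves the module's linked `secrets.yml` as the only one in use, but that is inferred rather than visible here. A one-line comment would make the intent reviewable, e.g. `# drop the build-time secrets.yml; the NixOS module links the real one at service start`. The enclosing build phase starts outside the hunk.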
|