Commit Graph

108 Commits

Author SHA1 Message Date
talyz
d5db11ccbd nixos/gitlab: Remove the old lib symlink in the state directory
Also, remove the old and unused PermissionsStartOnly definition in the
gitlab-workhorse systemd service.
2019-10-28 14:56:37 +01:00
talyz
041cbd860d nixos/gitlab: Abort on error and use of unset variables
Default behavior is to continue executing the script even when one or
multiple steps fail. We want to abort early if any part of the
initialization fails to not run with a partially initialized state.

Default behavior also allows dereferencing non-existent variables,
potentially resulting in hard-to-find bugs.
2019-10-28 14:56:37 +01:00
Florian Klink
1125fb02cc
Merge pull request #71428 from talyz/gitlab-already-initialized-constant
gitlab: Get rid of most 'already initialized constant'-warnings
2019-10-21 20:52:54 +02:00
talyz
ed4a09c6f3 gitlab: Get rid of most 'already initialized constant'-warnings
On start, unicorn, sidekiq and other parts running ruby code emit
quite a few warnings similar to

/var/gitlab/state/config/application.rb:202: warning: already initialized constant Gitlab::Application::LOOSE_EE_APP_ASSETS
/nix/store/ysb0lgbzxp7a9y4yl8d4f9wrrzy9kafc-gitlab-ee-12.3.5/share/gitlab/config/application.rb:202: warning: previous definition of LOOSE_EE_APP_ASSETS was here
/var/gitlab/state/lib/gitlab.rb:38: warning: already initialized constant Gitlab::COM_URL
/nix/store/ysb0lgbzxp7a9y4yl8d4f9wrrzy9kafc-gitlab-ee-12.3.5/share/gitlab/lib/gitlab.rb:38: warning: previous definition of COM_URL was here

This seems to be caused by the same ruby files being evaluated
multiple times due to the paths being different - sometimes they're
loaded using the direct path and sometimes through a symlink, due to
our split between config and package data. To fix this, we make sure
that the offending files in the state directory always reference the
store path, regardless of that being the real file or a symlink.
2019-10-19 19:30:28 +02:00
talyz
201cca9a04 Revert "nixos/gitlab: properly clear out initializers"
This reverts commit 2ee14c34ed.

This caused the initializers directory to be cleaned out while gitlab
was running in some instances. We clean out the directory on the
preStart stage already, so ensuring existence and permissions should
suffice.
2019-10-18 08:00:56 +02:00
talyz
dc29a45fc9 nixos/gitlab: Don't print sensitive data to log on startup
gitlab:db:configure prints the root user's password to stdout on
successful setup, which means it will be logged to the
journal. Silence this informational output. Errors are printed to
stderr and will thus still be let through.
2019-10-09 16:59:18 +02:00
Robin Gloster
b5449e65b5
Merge pull request #69344 from talyz/gitlab-create-database
nixos/gitlab: Fix databaseCreateLocally evaluation and operation
2019-10-09 00:28:21 +02:00
talyz
c6efa9fd2d nixos/gitlab: Clean up the initializers on start
The initializers directory is populated with files from the gitlab
distribution on start, but old files will be left in the state folder
even if they're removed from the distribution, which can lead to
startup failures. Fix this by always purging the directory on start
before populating it.
2019-10-03 14:38:54 +02:00
talyz
0f8133d633 nixos/gitlab: Fix state directory permissions
Since the preStart script is no longer running in privileged mode, we
reassign the files in the state directory and its config subdirectory
to the user we're running as. This is done by splitting the preStart
script into a privileged and an unprivileged part where the privileged
part does the reassignment.

Also, delete the database.yml symlink if it exists, since we want to
create a real file in its place.

Fixes #68696.
2019-10-03 09:02:00 +02:00
talyz
58a7502421 nixos/gitlab: Only create the database when databaseHost is unset
Make sure that we don't create a database if we're not going to
connect to it. Also, fix the assertion that usernames be equal to only
trigger when peer authentication is used (databaseHost == "").
2019-09-24 15:04:20 +02:00
talyz
ec958d46ac nixos/gitlab: Fix evaluation failure when postgresql is disabled
config.services.postgresql.package is only defined when the postgresql
service is activated, which means we fail to evaluate when
databaseCreateLocally == false. Fix this by using the default
postgresql package when the postgresql service is disabled.
2019-09-24 15:04:19 +02:00
talyz
dfc43f7d0a nixos/gitlab: Document the restriction introduced on statePath
The state path now, since the transition from initialization in
preStart to using systemd-tmpfiles, has the following restriction: no
parent directory can be owned by any other user than root or the user
specified in services.gitlab.user. This is a potentially breaking
change and the cause of the error isn't immediately obvious, so
document it both in the release notes and statePath description.
2019-09-23 17:55:58 +02:00
talyz
aceac9d531 nixos/gitlab: Add gnutar and gzip to gitlab-sidekiq's path
Tar and gzip are needed when importing GitLab project exports.
2019-09-17 09:27:16 +02:00
schneefux
bab6e6eb04
nixos/gitlab: Remove todo about mysql support
GitLab has ended MySQL support.
https://about.gitlab.com/2019/06/27/removing-mysql-support/
2019-09-14 11:26:22 +02:00
talyz
4b6ba5b27c nixos/gitlab: Fix swap of secrets
Fix accidental swap of the otp and db secrets in the secrets.yml
file. Fixes #68613.
2019-09-13 08:40:59 +02:00
Florian Klink
2f3b9cd52c
Merge pull request #66274 from talyz/gitlab
nixos/gitlab: Add support for secure secrets and more
2019-09-07 12:52:44 -07:00
talyz
240649a510 nixos/gitlab: Extract arbitrary secrets from extraConfig
Adds the ability to make any parameter specified in extraConfig secret
by defining it as an attrset containing the attr _secret, which in turn
is a path to a file containing the actual secret.
2019-09-06 16:57:23 +02:00
talyz
b351454cac nixos/gitlab: Use postgresql module options to provision local db
Use the postgresql module to provision a local db (if
databaseCreateLocally is true) instead of doing this locally.

Switch to using the local unix socket for db connections by default;
this is needed since dbs created by the postgresql module only support
peer authentication.

Instead of running the rake tasks db:schema:load, db:migrate and
db:seed_fu, run gitlab:db:configure, which in turn runs these tasks
when needed.

Solves issue #53852 for gitlab.
2019-09-06 16:56:20 +02:00
talyz
cbdf94c0f3 nixos/gitlab: Add support for storing secrets in files
Add support for storing secrets in files outside the nix store, since
files in the nix store are world-readable and secrets therefore can't
be stored safely there.

The old string options are kept, since they can potentially be handy
for testing purposes, but their descriptions now state that they
shouldn't be used in production. The manual section is updated to use
the file options rather than the string options and the tests now test
both.
2019-09-06 16:54:22 +02:00
talyz
7648b4f8ba nixos/gitlab: Fix missing ca_file for SMTP
Work around upstream issue #790 by explicitly referencing the
ca-certificates.crt file.
2019-09-06 10:17:31 +02:00
volth
08f68313a4 treewide: remove redundant rec 2019-08-28 11:07:32 +00:00
Ben Gamari
d7d873b8cb nixos/gitlab: Delete stale hooks directories with -R
These can be directories.
2019-08-14 15:29:50 +02:00
Jeff Slight
2ee14c34ed
nixos/gitlab: properly clear out initializers 2019-08-12 12:50:02 -07:00
Jeff Slight
7efcbead2c
nixos/gitlab: fix config initializer permissions 2019-07-31 14:55:08 -07:00
Johan Thomsen
bbd4a0c100 nixos/gitlab: gitlab-workhorse requires exiftool on path to process uploaded images 2019-07-22 16:41:16 +00:00
Robin Gloster
0972409c95
Merge pull request #64550 from bgamari/gitlab-12.0
gitlab: 11.10.8 -> 12.0.3
2019-07-17 16:01:03 +00:00
Robin Gloster
52fd300b8c
gitlab module: fix permissions 2019-07-16 03:51:17 +02:00
Robin Gloster
3469c206f2
gitlab-shell: better gitlab_shell_secret location
So this won't be cleaned up by removing config/*
2019-07-16 03:51:11 +02:00
Robin Gloster
783c2f6106
gitlab module: clean up permission handling
This is WIP to get rid of PermissionsStartOnly=true
2019-07-16 01:19:07 +02:00
worldofpeace
3f4a353737 treewide: use dontUnpack 2019-07-01 04:23:51 -04:00
Florian Klink
aa2878cfcf
Merge pull request #58284 from bgamari/gitlab-rails
nixos/gitlab: Package gitlab-rails
2019-03-28 21:12:15 +01:00
Ben Gamari
af909b3238 nixos/gitlab: Package gitlab-rails
This utility (particularly `gitlab-rails console`) is packaged by GitLab
Omnibus and is used for diagnostics and maintenance operations.
2019-03-28 11:45:31 -04:00
Ben Gamari
b90f5f03c2 nixos/gitaly: Run gitaly with procps in scope
Gitaly uses `ps` to track the RSS of `gitlab-ruby` and kills it when it
detects excessive memory leakage. See
https://gitlab.com/gitlab-org/gitaly/issues/1562.
2019-03-28 10:48:51 -04:00
Ben Gamari
f2bdc91b35 nixos/gitlab: Allow configuration of extra initializers
This adds a configuration option allowing the addition of additional
initializers in config/extra-gitlab.rb.
2019-03-25 15:18:35 -04:00
Johan Thomsen
292c1ce7ff nixos/gitlab: added gzip and bzip2 as dependencies for gitaly 2019-03-12 15:04:45 +00:00
Florian Klink
11699d03bc
Merge pull request #56072 from bgamari/gitlab-database-config
nixos/gitlab: Introduce database pool size option
2019-02-20 01:56:28 +01:00
Ben Gamari
bd5ba09b79 nixos/gitlab: Introduce database pool size option
As well as an extraDatabaseConfig option.
2019-02-19 17:49:15 -05:00
Jeff Slight
059e5e0ba0 gitlab: add openssh dependency to gitaly 2019-01-30 11:29:32 -08:00
Florian Klink
3caeeabb14 gitlab: stop regenerating the authorized_keys file 2018-11-28 23:09:23 +01:00
Robin Gloster
74df0823f3
gitlab: fix smtp setting
fixes #50163
2018-11-14 18:58:45 +01:00
Robin Gloster
eadb998581
gitlab module: fix config handling 2018-11-04 00:26:01 +01:00
Robin Gloster
ec7cb84bf0
gitlab: refactor and fix test 2018-11-02 22:40:21 +01:00
Jeff Slight
7bafe25553 add custom hooks directory to gitlab-shell
Add custom_hooks_dir to gitlab-shell yml config file.
2018-10-12 09:33:37 -07:00
WilliButz
78ad8d4a62 nixos/gitlab: rebuild authorized_keys during preStart
This updates the path to the 'gitlab-shell' to the
correct store path when gitlab is restarted.
2018-09-25 03:53:32 +02:00
Robin Gloster
dc915565ba gitlab module: workhorse may start before gitlab 2018-09-25 03:53:32 +02:00
Kristoffer Thømt Ravneberg
f17f59ca8e nixos/gitlab: avoid creating recursive symlinks, add gitlab-rake deps 2018-09-25 03:53:32 +02:00
Teo Klestrup Röijezon
6c54cfb280 nixos/gitlab: don't install pg_trgm for remote hosts
Fixes #41476
2018-07-30 19:41:12 +02:00
Teo Klestrup Röijezon
e0983f3eec nixos/gitlab: create uploads folder
It seems like Gitlab doesn't pick up GITLAB_UPLOADS_PATH. The internal uploads
folder is already symlinked to /run/gitlab/uploads by the gitlab package. Here
we symlink this further to ${statePath}/uploads, since /run is (usually) a tmpfs.
2018-07-30 19:41:12 +02:00
Teo Klestrup Röijezon
3250b89987 nixos/gitlab: don't delete ${statePath}/lib if it doesn't exist
The old behaviour caused new instances to be unable to start
2018-07-30 19:41:12 +02:00
Florian Klink
fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00