@ -655,6 +655,7 @@ in {
# here.
systemd . services . gitlab-postgresql = let pgsql = config . services . postgresql ; in mkIf databaseActuallyCreateLocally {
after = [ " p o s t g r e s q l . s e r v i c e " ] ;
bindsTo = [ " p o s t g r e s q l . s e r v i c e " ] ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
path = [
pgsql . package
@ -686,6 +687,7 @@ in {
serviceConfig = {
User = pgsql . superUser ;
Type = " o n e s h o t " ;
RemainAfterExit = true ;
} ;
} ;
@ -733,8 +735,150 @@ in {
" L + / r u n / g i t l a b / s h e l l - c o n f i g . y m l - - - - ${ pkgs . writeText " c o n f i g . y m l " ( builtins . toJSON gitlabShellConfig ) } "
] ;
systemd . services . gitlab-config = {
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
path = with pkgs ; [
jq
openssl
replace
git
] ;
serviceConfig = {
Type = " o n e s h o t " ;
User = cfg . user ;
Group = cfg . group ;
TimeoutSec = " i n f i n i t y " ;
Restart = " o n - f a i l u r e " ;
WorkingDirectory = " ${ cfg . packages . gitlab } / s h a r e / g i t l a b " ;
RemainAfterExit = true ;
ExecStartPre = let
preStartFullPrivileges = ''
shopt - s dotglob nullglob
set - eu
chown - - no-dereference ' $ { cfg . user } ' : ' $ { cfg . group } ' ' $ { cfg . statePath } ' /*
if [ [ - n " $ ( l s - A ' ${ cfg . statePath } ' / c o n f i g / ) " ] ] ; then
chown - - no-dereference ' $ { cfg . user } ' : ' $ { cfg . group } ' ' $ { cfg . statePath } ' /config /*
fi
'' ;
in " + ${ pkgs . writeShellScript " g i t l a b - p r e - s t a r t - f u l l - p r i v i l e g e s " preStartFullPrivileges } " ;
ExecStart = pkgs . writeShellScript " g i t l a b - c o n f i g " ''
set - eu
umask u = rwx , g = rx , o =
cp - f $ { cfg . packages . gitlab } /share/gitlab/VERSION $ { cfg . statePath } /VERSION
rm - rf $ { cfg . statePath } /db /*
rm - f $ { cfg . statePath } /lib
find ' $ { cfg . statePath } /config / ' - maxdepth 1 - mindepth 1 - type d - execdir rm - rf { } \ ;
cp - rf - - no-preserve = mode $ { cfg . packages . gitlab } /share/gitlab/config.dist /* $ { c f g . s t a t e P a t h } / c o n f i g
cp - rf - - no-preserve = mode $ { cfg . packages . gitlab } /share/gitlab/db /* $ { c f g . s t a t e P a t h } / d b
ln - sf $ { extraGitlabRb } $ { cfg . statePath } /config/initializers/extra-gitlab.rb
$ { cfg . packages . gitlab-shell } /bin/install
$ { optionalString cfg . smtp . enable ''
install - m u = rw $ { smtpSettings } $ { cfg . statePath } /config/initializers/smtp_settings.rb
$ { optionalString ( cfg . smtp . passwordFile != null ) ''
smtp_password = $ ( < ' $ { cfg . smtp . passwordFile } ' )
replace-literal - e ' @ smtpPassword @ ' " $ s m t p _ p a s s w o r d " ' $ { cfg . statePath } /config/initializers/smtp_settings.rb '
'' }
'' }
(
umask u = rwx , g = , o =
openssl rand - hex 32 > $ { cfg . statePath } /gitlab_shell_secret
rm - f ' $ { cfg . statePath } /config/database.yml '
$ { if cfg . databasePasswordFile != null then ''
export db_password = " $ ( < ' ${ cfg . databasePasswordFile } ' ) "
if [ [ - z " $ d b _ p a s s w o r d " ] ] ; then
> & 2 echo " D a t a b a s e p a s s w o r d w a s a n e m p t y s t r i n g ! "
exit 1
fi
jq < $ { pkgs . writeText " d a t a b a s e . y m l " ( builtins . toJSON databaseConfig ) } \
' . production . password = $ ENV . db_password' \
> ' $ { cfg . statePath } /config/database.yml '
''
else ''
jq < $ { pkgs . writeText " d a t a b a s e . y m l " ( builtins . toJSON databaseConfig ) } \
> ' $ { cfg . statePath } /config/database.yml '
''
}
$ { utils . genJqSecretsReplacementSnippet
gitlabConfig
" ${ cfg . statePath } / c o n f i g / g i t l a b . y m l "
}
rm - f ' $ { cfg . statePath } /config/secrets.yml '
export secret = " $ ( < ' ${ cfg . secrets . secretFile } ' ) "
export db = " $ ( < ' ${ cfg . secrets . dbFile } ' ) "
export otp = " $ ( < ' ${ cfg . secrets . otpFile } ' ) "
export jws = " $ ( < ' ${ cfg . secrets . jwsFile } ' ) "
jq - n ' { production : { secret_key_base : $ ENV . secret ,
otp_key_base : $ ENV . otp ,
db_key_base : $ ENV . db ,
openid_connect_signing_key : $ ENV . jws } } ' \
> ' $ { cfg . statePath } /config/secrets.yml '
)
# We remove potentially broken links to old gitlab-shell versions
rm - Rf $ { cfg . statePath } /repositories /* */ * .git/hooks
git config - - global core . autocrlf " i n p u t "
'' ;
} ;
} ;
systemd . services . gitlab-db-config = {
after = [ " g i t l a b - c o n f i g . s e r v i c e " " g i t l a b - p o s t g r e s q l . s e r v i c e " " p o s t g r e s q l . s e r v i c e " ] ;
bindsTo = [
" g i t l a b - c o n f i g . s e r v i c e "
] ++ optional ( cfg . databaseHost == " " ) " p o s t g r e s q l . s e r v i c e "
++ optional databaseActuallyCreateLocally " g i t l a b - p o s t g r e s q l . s e r v i c e " ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
serviceConfig = {
Type = " o n e s h o t " ;
User = cfg . user ;
Group = cfg . group ;
TimeoutSec = " i n f i n i t y " ;
Restart = " o n - f a i l u r e " ;
WorkingDirectory = " ${ cfg . packages . gitlab } / s h a r e / g i t l a b " ;
RemainAfterExit = true ;
ExecStart = pkgs . writeShellScript " g i t l a b - d b - c o n f i g " ''
set - eu
umask u = rwx , g = rx , o =
initial_root_password = " $ ( < ' ${ cfg . initialRootPasswordFile } ' ) "
$ { gitlab-rake } /bin/gitlab-rake gitlab:db:configure GITLAB_ROOT_PASSWORD = " $ i n i t i a l _ r o o t _ p a s s w o r d " \
GITLAB_ROOT_EMAIL = ' $ { cfg . initialRootEmail } ' > /dev/null
'' ;
} ;
} ;
systemd . services . gitlab-sidekiq = {
after = [ " n e t w o r k . t a r g e t " " r e d i s . s e r v i c e " " g i t l a b . s e r v i c e " ] ;
after = [
" n e t w o r k . t a r g e t "
" r e d i s . s e r v i c e "
" p o s t g r e s q l . s e r v i c e "
" g i t l a b - c o n f i g . s e r v i c e "
" g i t l a b - d b - c o n f i g . s e r v i c e "
] ;
bindsTo = [
" r e d i s . s e r v i c e "
" g i t l a b - c o n f i g . s e r v i c e "
" g i t l a b - d b - c o n f i g . s e r v i c e "
] ++ optional ( cfg . databaseHost == " " ) " p o s t g r e s q l . s e r v i c e " ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
environment = gitlabEnv ;
path = with pkgs ; [
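Review bot: gitlab-db-config reads `cfg.initialRootPasswordFile` into `initial_root_password` and hands it straight to `gitlab:db:configure`, but unlike the `db_password` path in gitlab-config there is no guard against the file being empty, so a missing or blank password file is passed on as an empty `GITLAB_ROOT_PASSWORD` and whatever the rake task does with that goes unnoticed; add `if [[ -z "$initial_root_password" ]]; then >&2 echo "Initial root password was an empty string!"; exit 1; fi` before the rake call. Both new units also lack the `description =` attribute that the gitlab-pages and gitlab-mailroom units carry, e.g. `description = "GitLab configuration and secrets setup";` for gitlab-config and `description = "GitLab database configuration";` for gitlab-db-config. `Restart = "on-failure"` on a `Type = "oneshot"` unit is, as far as I recall, only accepted by newer systemd releases, so it is worth confirming against the systemd version this NixOS release ships before relying on it in both units. The enclosing `systemd.services` attribute set continues outside the hunk.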
@ -761,8 +905,8 @@ in {
} ;
systemd . services . gitaly = {
after = [ " n e t w o r k . t a r g e t " " g i t l a b . s e r v i c e " ] ;
bindsTo = [ " g i t l a b . s e r v i c e " ] ;
after = [ " n e t w o r k . t a r g e t " " g i t l a b - c o n f i g .s e r v i c e " ] ;
bindsTo = [ " g i t l a b - c o n f i g .s e r v i c e " ] ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
path = with pkgs ; [
openssh
@ -786,7 +930,8 @@ in {
systemd . services . gitlab-pages = mkIf ( gitlabConfig . production . pages . enabled or false ) {
description = " G i t L a b s t a t i c p a g e s d a e m o n " ;
after = [ " n e t w o r k . t a r g e t " " r e d i s . s e r v i c e " " g i t l a b . s e r v i c e " ] ; # gitlab.service creates configs
after = [ " n e t w o r k . t a r g e t " " g i t l a b - c o n f i g . s e r v i c e " ] ;
bindsTo = [ " g i t l a b - c o n f i g . s e r v i c e " ] ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
path = [ pkgs . unzip ] ;
@ -835,7 +980,8 @@ in {
systemd . services . gitlab-mailroom = mkIf ( gitlabConfig . production . incoming_email . enabled or false ) {
description = " G i t L a b i n c o m i n g m a i l d a e m o n " ;
after = [ " n e t w o r k . t a r g e t " " r e d i s . s e r v i c e " " g i t l a b . s e r v i c e " ] ; # gitlab.service creates configs
after = [ " n e t w o r k . t a r g e t " " r e d i s . s e r v i c e " " g i t l a b - c o n f i g . s e r v i c e " ] ;
bindsTo = [ " g i t l a b - c o n f i g . s e r v i c e " ] ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
environment = gitlabEnv ;
serviceConfig = {
@ -845,14 +991,24 @@ in {
User = cfg . user ;
Group = cfg . group ;
ExecStart = " ${ cfg . packages . gitlab . rubyEnv } / b i n / b u n d l e e x e c m a i l _ r o o m - c ${ cfg . packages . gitlab } / s h a r e / g i t l a b / c o n f i g . d i s t / m a i l _ r o o m . y m l " ;
ExecStart = " ${ cfg . packages . gitlab . rubyEnv } / b i n / b u n d l e e x e c m a i l _ r o o m - c ${ cfg . statePath } / c o n f i g / m a i l _ r o o m . y m l " ;
WorkingDirectory = gitlabEnv . HOME ;
} ;
} ;
systemd . services . gitlab = {
after = [ " g i t l a b - w o r k h o r s e . s e r v i c e " " n e t w o r k . t a r g e t " " g i t l a b - p o s t g r e s q l . s e r v i c e " " r e d i s . s e r v i c e " ] ;
requires = [ " g i t l a b - s i d e k i q . s e r v i c e " ] ;
after = [
" g i t l a b - w o r k h o r s e . s e r v i c e "
" n e t w o r k . t a r g e t "
" r e d i s . s e r v i c e "
" g i t l a b - c o n f i g . s e r v i c e "
" g i t l a b - d b - c o n f i g . s e r v i c e "
] ;
bindsTo = [
" r e d i s . s e r v i c e "
" g i t l a b - c o n f i g . s e r v i c e "
" g i t l a b - d b - c o n f i g . s e r v i c e "
] ++ optional ( cfg . databaseHost == " " ) " p o s t g r e s q l . s e r v i c e " ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
environment = gitlabEnv ;
path = with pkgs ; [
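Review bot: The `after` list for gitlab.service no longer names `gitlab-postgresql.service`, so ordering against the locally created database now rests on the transitive chain through `gitlab-db-config.service`, which holds only while that unit keeps its own `after` entry; a short comment on this list would protect that assumption, e.g. `# ordering after gitlab-postgresql.service/postgresql.service is inherited via gitlab-db-config.service`. If `requires = [ "gitlab-sidekiq.service" ]` is indeed dropped here (the +/- markers are lost in this rendering), a manual `systemctl start gitlab` will no longer pull in sidekiq, although the sidekiq unit's `wantedBy = [ "multi-user.target" ]` still starts it at boot. The gitlab.service definition continues past the hunk.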
@ -871,97 +1027,6 @@ in {
TimeoutSec = " i n f i n i t y " ;
Restart = " o n - f a i l u r e " ;
WorkingDirectory = " ${ cfg . packages . gitlab } / s h a r e / g i t l a b " ;
ExecStartPre = let
preStartFullPrivileges = ''
shopt - s dotglob nullglob
set - eu
chown - - no-dereference ' $ { cfg . user } ' : ' $ { cfg . group } ' ' $ { cfg . statePath } ' /*
if [ [ ! - z " $ ( l s - A ' ${ cfg . statePath } ' / c o n f i g / ) " ] ] ; then
chown - - no-dereference ' $ { cfg . user } ' : ' $ { cfg . group } ' ' $ { cfg . statePath } ' /config /*
fi
'' ;
preStart = ''
set - eu
umask u = rwx , g = rx , o =
cp - f $ { cfg . packages . gitlab } /share/gitlab/VERSION $ { cfg . statePath } /VERSION
rm - rf $ { cfg . statePath } /db /*
rm - f $ { cfg . statePath } /lib
find ' $ { cfg . statePath } /config / ' - maxdepth 1 - mindepth 1 - type d - execdir rm - rf { } \ ;
cp - rf - - no-preserve = mode $ { cfg . packages . gitlab } /share/gitlab/config.dist /* $ { c f g . s t a t e P a t h } / c o n f i g
cp - rf - - no-preserve = mode $ { cfg . packages . gitlab } /share/gitlab/db /* $ { c f g . s t a t e P a t h } / d b
ln - sf $ { extraGitlabRb } $ { cfg . statePath } /config/initializers/extra-gitlab.rb
$ { cfg . packages . gitlab-shell } /bin/install
$ { optionalString cfg . smtp . enable ''
install - m u = rw $ { smtpSettings } $ { cfg . statePath } /config/initializers/smtp_settings.rb
$ { optionalString ( cfg . smtp . passwordFile != null ) ''
smtp_password = $ ( < ' $ { cfg . smtp . passwordFile } ' )
$ { pkgs . replace } /bin/replace-literal - e ' @ smtpPassword @ ' " $ s m t p _ p a s s w o r d " ' $ { cfg . statePath } /config/initializers/smtp_settings.rb '
'' }
'' }
(
umask u = rwx , g = , o =
$ { pkgs . openssl } /bin/openssl rand - hex 32 > $ { cfg . statePath } /gitlab_shell_secret
if [ [ - h ' $ { cfg . statePath } /config/database.yml ' ] ] ; then
rm ' $ { cfg . statePath } /config/database.yml '
fi
$ { if cfg . databasePasswordFile != null then ''
export db_password = " $ ( < ' ${ cfg . databasePasswordFile } ' ) "
if [ [ - z " $ d b _ p a s s w o r d " ] ] ; then
> & 2 echo " D a t a b a s e p a s s w o r d w a s a n e m p t y s t r i n g ! "
exit 1
fi
$ { pkgs . jq } /bin/jq < $ { pkgs . writeText " d a t a b a s e . y m l " ( builtins . toJSON databaseConfig ) } \
' . production . password = $ ENV . db_password' \
> ' $ { cfg . statePath } /config/database.yml '
''
else ''
$ { pkgs . jq } /bin/jq < $ { pkgs . writeText " d a t a b a s e . y m l " ( builtins . toJSON databaseConfig ) } \
> ' $ { cfg . statePath } /config/database.yml '
''
}
$ { utils . genJqSecretsReplacementSnippet
gitlabConfig
" ${ cfg . statePath } / c o n f i g / g i t l a b . y m l "
}
rm - f ' $ { cfg . statePath } /config/secrets.yml '
export secret = " $ ( < ' ${ cfg . secrets . secretFile } ' ) "
export db = " $ ( < ' ${ cfg . secrets . dbFile } ' ) "
export otp = " $ ( < ' ${ cfg . secrets . otpFile } ' ) "
export jws = " $ ( < ' ${ cfg . secrets . jwsFile } ' ) "
$ { pkgs . jq } /bin/jq - n ' { production : { secret_key_base : $ ENV . secret ,
otp_key_base : $ ENV . otp ,
db_key_base : $ ENV . db ,
openid_connect_signing_key : $ ENV . jws } } ' \
> ' $ { cfg . statePath } /config/secrets.yml '
)
initial_root_password = " $ ( < ' ${ cfg . initialRootPasswordFile } ' ) "
$ { gitlab-rake } /bin/gitlab-rake gitlab:db:configure GITLAB_ROOT_PASSWORD = " $ i n i t i a l _ r o o t _ p a s s w o r d " \
GITLAB_ROOT_EMAIL = ' $ { cfg . initialRootEmail } ' > /dev/null
# We remove potentially broken links to old gitlab-shell versions
rm - Rf $ { cfg . statePath } /repositories /* */ * .git/hooks
$ { pkgs . git } /bin/git config - - global core . autocrlf " i n p u t "
'' ;
in [
" + ${ pkgs . writeShellScript " g i t l a b - p r e - s t a r t - f u l l - p r i v i l e g e s " preStartFullPrivileges } "
" ${ pkgs . writeShellScript " g i t l a b - p r e - s t a r t " preStart } "
] ;
ExecStart = " ${ cfg . packages . gitlab . rubyEnv } / b i n / p u m a - C ${ cfg . statePath } / c o n f i g / p u m a . r b - e p r o d u c t i o n " ;
} ;