nixos/gitlab: Fix state directory permissions

Since the preStart script no longer runs in privileged mode, we
reassign the files in the state directory and its config subdirectory
to the user the service runs as. This is done by splitting the preStart
script into a privileged part and an unprivileged part, where the
privileged part does the reassignment.

Also, delete the database.yml symlink if it exists, since we want to
create a real file in its place.

Fixes #68696.
talyz 2019-09-14 01:38:54 +02:00
parent ea5d2a0efa
commit 0f8133d633


@ -763,6 +763,20 @@ in {
procps procps
gnupg gnupg
]; ];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
TimeoutSec = "infinity";
Restart = "on-failure";
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
ExecStartPre = let
preStartFullPrivileges = ''
shopt -s dotglob nullglob
chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/*
chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/config/*
'';
preStart = '' preStart = ''
cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION
rm -rf ${cfg.statePath}/db/* rm -rf ${cfg.statePath}/db/*
@ -784,6 +798,10 @@ in {
${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret ${pkgs.openssl}/bin/openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret
if [[ -h '${cfg.statePath}/config/database.yml' ]]; then
rm '${cfg.statePath}/config/database.yml'
fi
${if cfg.databasePasswordFile != null then '' ${if cfg.databasePasswordFile != null then ''
export db_password="$(<'${cfg.databasePasswordFile}')" export db_password="$(<'${cfg.databasePasswordFile}')"
@ -831,14 +849,10 @@ in {
${pkgs.git}/bin/git config --global core.autocrlf "input" ${pkgs.git}/bin/git config --global core.autocrlf "input"
''; '';
in [
serviceConfig = { "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}"
Type = "simple"; "${pkgs.writeShellScript "gitlab-pre-start" preStart}"
User = cfg.user; ];
Group = cfg.group;
TimeoutSec = "infinity";
Restart = "on-failure";
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/unicorn -c ${cfg.statePath}/config/unicorn.rb -E production"; ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/unicorn -c ${cfg.statePath}/config/unicorn.rb -E production";
}; };
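Review bot: The privileged chown in `preStartFullPrivileges` only covers the top-level entries of `${cfg.statePath}` and `config`, while the unprivileged `preStart` still runs `rm -rf ${cfg.statePath}/db/*` on a tree that earlier, root-run versions of this script may have populated; if `db` contains root-owned subdirectories, the unprivileged `rm -rf` cannot unlink their contents and the unit fails to start, so the subtrees `preStart` regenerates presumably need a recursive reassignment, e.g. `chown --no-dereference -R '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/db` (keeping `--no-dereference` so symlinked entries are not followed). Separately, with `nullglob` enabled an empty `config/` makes the second `chown` run with no operand and exit non-zero, which would also abort start-up; guarding with `[[ -n "$(shopt -s nullglob; echo "$d"/*)" ]]` or passing the directory itself instead of its glob avoids that. Whether `database.yml` (written as a real file after the symlink removal in the second hunk) is created with a restrictive mode cannot be seen here, since the write happens outside the hunk; if it inherits the default umask it should get an explicit chmod, as it holds the database password. The `preStart` script body spans the three hunks with stretches not in view.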