2019-08-07 09:26:08 +00:00
|
|
|
{ config, lib, pkgs, utils, ... }:
|
2014-10-25 16:22:49 +00:00
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
|
|
let
|
|
|
|
|
cfg = config.services.gitlab;
|
|
|
|
|
|
2016-02-26 07:55:25 +00:00
|
|
|
ruby = cfg.packages.gitlab.ruby;
|
2014-10-25 16:22:49 +00:00
|
|
|
|
2019-09-24 06:58:32 +00:00
|
|
|
postgresqlPackage = if config.services.postgresql.enable then
|
|
|
|
|
config.services.postgresql.package
|
|
|
|
|
else
|
2021-06-23 11:08:34 +00:00
|
|
|
pkgs.postgresql_12;
|
2019-09-24 06:58:32 +00:00
|
|
|
|
2016-02-26 06:06:07 +00:00
|
|
|
gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket";
|
2017-07-05 21:53:31 +00:00
|
|
|
gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket";
|
2016-02-26 06:06:07 +00:00
|
|
|
pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url;
|
|
|
|
|
|
2018-11-02 20:22:51 +00:00
|
|
|
databaseConfig = {
|
|
|
|
|
production = {
|
|
|
|
|
adapter = "postgresql";
|
|
|
|
|
database = cfg.databaseName;
|
|
|
|
|
host = cfg.databaseHost;
|
|
|
|
|
username = cfg.databaseUsername;
|
|
|
|
|
encoding = "utf8";
|
2019-02-06 23:45:28 +00:00
|
|
|
pool = cfg.databasePool;
|
|
|
|
|
} // cfg.extraDatabaseConfig;
|
2018-11-02 20:22:51 +00:00
|
|
|
};
|
2016-01-30 13:47:04 +00:00
|
|
|
|
2019-09-17 06:36:19 +00:00
|
|
|
# We only want to create a database if we're actually going to connect to it.
|
|
|
|
|
databaseActuallyCreateLocally = cfg.databaseCreateLocally && cfg.databaseHost == "";
|
|
|
|
|
|
2017-07-05 21:53:31 +00:00
|
|
|
gitalyToml = pkgs.writeText "gitaly.toml" ''
|
|
|
|
|
socket_path = "${lib.escape ["\""] gitalySocket}"
|
2018-01-07 01:04:49 +00:00
|
|
|
bin_dir = "${cfg.packages.gitaly}/bin"
|
2017-09-03 13:38:28 +00:00
|
|
|
prometheus_listen_addr = "localhost:9236"
|
|
|
|
|
|
2018-01-07 01:04:49 +00:00
|
|
|
[git]
|
|
|
|
|
bin_path = "${pkgs.git}/bin/git"
|
|
|
|
|
|
2017-09-03 13:38:28 +00:00
|
|
|
[gitaly-ruby]
|
|
|
|
|
dir = "${cfg.packages.gitaly.ruby}"
|
|
|
|
|
|
|
|
|
|
[gitlab-shell]
|
|
|
|
|
dir = "${cfg.packages.gitlab-shell}"
|
2020-09-29 00:41:25 +00:00
|
|
|
|
2020-12-26 21:44:36 +00:00
|
|
|
[hooks]
|
|
|
|
|
custom_hooks_dir = "${cfg.statePath}/custom_hooks"
|
|
|
|
|
|
2020-09-29 00:41:25 +00:00
|
|
|
[gitlab]
|
2020-05-31 04:21:09 +00:00
|
|
|
secret_file = "${cfg.statePath}/gitlab_shell_secret"
|
2020-09-29 00:41:25 +00:00
|
|
|
url = "http+unix://${pathUrlQuote gitlabSocket}"
|
|
|
|
|
|
|
|
|
|
[gitlab.http-settings]
|
|
|
|
|
self_signed_cert = false
|
2017-07-05 21:53:31 +00:00
|
|
|
|
|
|
|
|
${concatStringsSep "\n" (attrValues (mapAttrs (k: v: ''
|
|
|
|
|
[[storage]]
|
|
|
|
|
name = "${lib.escape ["\""] k}"
|
|
|
|
|
path = "${lib.escape ["\""] v.path}"
|
|
|
|
|
'') gitlabConfig.production.repositories.storages))}
|
|
|
|
|
'';
|
|
|
|
|
|
2020-07-18 14:46:33 +00:00
|
|
|
gitlabShellConfig = flip recursiveUpdate cfg.extraShellConfig {
|
2018-11-02 20:22:51 +00:00
|
|
|
user = cfg.user;
|
|
|
|
|
gitlab_url = "http+unix://${pathUrlQuote gitlabSocket}";
|
|
|
|
|
http_settings.self_signed_cert = false;
|
|
|
|
|
repos_path = "${cfg.statePath}/repositories";
|
2019-07-16 01:42:45 +00:00
|
|
|
secret_file = "${cfg.statePath}/gitlab_shell_secret";
|
2018-11-02 20:22:51 +00:00
|
|
|
log_file = "${cfg.statePath}/log/gitlab-shell.log";
|
|
|
|
|
redis = {
|
|
|
|
|
bin = "${pkgs.redis}/bin/redis-cli";
|
|
|
|
|
host = "127.0.0.1";
|
|
|
|
|
port = 6379;
|
|
|
|
|
database = 0;
|
|
|
|
|
namespace = "resque:gitlab";
|
|
|
|
|
};
|
|
|
|
|
};
|
2014-10-25 16:22:49 +00:00
|
|
|
|
2020-07-18 14:28:59 +00:00
|
|
|
redisConfig.production.url = cfg.redisUrl;
|
2017-09-03 13:38:28 +00:00
|
|
|
|
2020-07-18 15:46:13 +00:00
|
|
|
pagesArgs = [
|
|
|
|
|
"-pages-domain" gitlabConfig.production.pages.host
|
|
|
|
|
"-pages-root" "${gitlabConfig.production.shared.path}/pages"
|
|
|
|
|
] ++ cfg.pagesExtraArgs;
|
|
|
|
|
|
2016-01-30 13:47:04 +00:00
|
|
|
gitlabConfig = {
|
2016-02-23 21:55:35 +00:00
|
|
|
# These are the default settings from config/gitlab.example.yml
|
2016-01-30 13:47:04 +00:00
|
|
|
production = flip recursiveUpdate cfg.extraConfig {
|
|
|
|
|
gitlab = {
|
|
|
|
|
host = cfg.host;
|
|
|
|
|
port = cfg.port;
|
|
|
|
|
https = cfg.https;
|
|
|
|
|
user = cfg.user;
|
|
|
|
|
email_enabled = true;
|
|
|
|
|
email_display_name = "GitLab";
|
|
|
|
|
email_reply_to = "noreply@localhost";
|
|
|
|
|
default_theme = 2;
|
|
|
|
|
default_projects_features = {
|
|
|
|
|
issues = true;
|
|
|
|
|
merge_requests = true;
|
2016-02-23 21:55:35 +00:00
|
|
|
wiki = true;
|
2016-08-03 16:49:18 +00:00
|
|
|
snippets = true;
|
2016-01-30 13:47:04 +00:00
|
|
|
builds = true;
|
2016-08-03 16:49:18 +00:00
|
|
|
container_registry = true;
|
2016-01-30 13:47:04 +00:00
|
|
|
};
|
|
|
|
|
};
|
2017-07-05 21:53:31 +00:00
|
|
|
repositories.storages.default.path = "${cfg.statePath}/repositories";
|
|
|
|
|
repositories.storages.default.gitaly_address = "unix:${gitalySocket}";
|
2016-08-03 16:49:18 +00:00
|
|
|
artifacts.enabled = true;
|
|
|
|
|
lfs.enabled = true;
|
|
|
|
|
gravatar.enabled = true;
|
|
|
|
|
cron_jobs = { };
|
|
|
|
|
gitlab_ci.builds_path = "${cfg.statePath}/builds";
|
|
|
|
|
ldap.enabled = false;
|
|
|
|
|
omniauth.enabled = false;
|
|
|
|
|
shared.path = "${cfg.statePath}/shared";
|
2018-01-07 03:59:56 +00:00
|
|
|
gitaly.client_path = "${cfg.packages.gitaly}/bin";
|
2021-02-23 17:51:48 +00:00
|
|
|
backup = {
|
2021-08-26 15:45:01 +00:00
|
|
|
gitaly_backup_path = "${cfg.packages.gitaly}/bin/gitaly-backup";
|
2021-02-23 17:51:48 +00:00
|
|
|
path = cfg.backup.path;
|
|
|
|
|
keep_time = cfg.backup.keepTime;
|
2021-04-07 07:21:18 +00:00
|
|
|
} // (optionalAttrs (cfg.backup.uploadOptions != {}) {
|
2021-02-23 17:51:48 +00:00
|
|
|
upload = cfg.backup.uploadOptions;
|
2021-04-07 07:21:18 +00:00
|
|
|
});
|
2016-01-30 13:47:04 +00:00
|
|
|
gitlab_shell = {
|
2016-02-26 07:55:25 +00:00
|
|
|
path = "${cfg.packages.gitlab-shell}";
|
2016-01-30 13:47:04 +00:00
|
|
|
hooks_path = "${cfg.statePath}/shell/hooks";
|
2019-07-16 01:42:45 +00:00
|
|
|
secret_file = "${cfg.statePath}/gitlab_shell_secret";
|
2016-01-30 13:47:04 +00:00
|
|
|
upload_pack = true;
|
|
|
|
|
receive_pack = true;
|
|
|
|
|
};
|
2018-11-02 20:22:51 +00:00
|
|
|
workhorse.secret_file = "${cfg.statePath}/.gitlab_workhorse_secret";
|
2020-09-29 00:41:25 +00:00
|
|
|
gitlab_kas.secret_file = "${cfg.statePath}/.gitlab_kas_secret";
|
2018-11-02 20:22:51 +00:00
|
|
|
git.bin_path = "git";
|
2017-09-03 13:38:28 +00:00
|
|
|
monitoring = {
|
|
|
|
|
ip_whitelist = [ "127.0.0.0/8" "::1/128" ];
|
|
|
|
|
sidekiq_exporter = {
|
|
|
|
|
enable = true;
|
|
|
|
|
address = "localhost";
|
|
|
|
|
port = 3807;
|
|
|
|
|
};
|
|
|
|
|
};
|
2021-06-09 21:19:25 +00:00
|
|
|
registry = lib.optionalAttrs cfg.registry.enable {
|
|
|
|
|
enabled = true;
|
|
|
|
|
host = cfg.registry.externalAddress;
|
|
|
|
|
port = cfg.registry.externalPort;
|
|
|
|
|
key = cfg.registry.keyFile;
|
|
|
|
|
api_url = "http://${config.services.dockerRegistry.listenAddress}:${toString config.services.dockerRegistry.port}/";
|
|
|
|
|
issuer = "gitlab-issuer";
|
|
|
|
|
};
|
2016-01-30 13:47:04 +00:00
|
|
|
extra = {};
|
2018-05-23 20:24:24 +00:00
|
|
|
uploads.storage_path = cfg.statePath;
|
2016-01-30 13:47:04 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2021-06-09 15:50:45 +00:00
|
|
|
gitlabEnv = cfg.packages.gitlab.gitlabEnv // {
|
2016-01-30 13:47:04 +00:00
|
|
|
HOME = "${cfg.statePath}/home";
|
2021-02-17 15:36:58 +00:00
|
|
|
PUMA_PATH = "${cfg.statePath}/";
|
2016-02-26 07:55:25 +00:00
|
|
|
GITLAB_PATH = "${cfg.packages.gitlab}/share/gitlab/";
|
2020-05-05 13:29:33 +00:00
|
|
|
SCHEMA = "${cfg.statePath}/db/structure.sql";
|
2019-07-16 01:42:45 +00:00
|
|
|
GITLAB_UPLOADS_PATH = "${cfg.statePath}/uploads";
|
2016-01-30 13:47:04 +00:00
|
|
|
GITLAB_LOG_PATH = "${cfg.statePath}/log";
|
2018-11-02 20:22:51 +00:00
|
|
|
GITLAB_REDIS_CONFIG_FILE = pkgs.writeText "redis.yml" (builtins.toJSON redisConfig);
|
2017-09-03 13:38:28 +00:00
|
|
|
prometheus_multiproc_dir = "/run/gitlab";
|
2016-01-30 13:47:04 +00:00
|
|
|
RAILS_ENV = "production";
|
2021-04-08 17:03:44 +00:00
|
|
|
MALLOC_ARENA_MAX = "2";
|
2021-06-08 19:29:18 +00:00
|
|
|
} // cfg.extraEnv;
|
2016-01-30 13:47:04 +00:00
|
|
|
|
2019-08-13 21:52:01 +00:00
|
|
|
gitlab-rake = pkgs.stdenv.mkDerivation {
|
2016-08-04 00:08:26 +00:00
|
|
|
name = "gitlab-rake";
|
2018-04-25 17:58:05 +00:00
|
|
|
buildInputs = [ pkgs.makeWrapper ];
|
|
|
|
|
dontBuild = true;
|
2019-06-19 15:45:34 +00:00
|
|
|
dontUnpack = true;
|
2014-10-25 16:22:49 +00:00
|
|
|
installPhase = ''
|
|
|
|
|
mkdir -p $out/bin
|
2018-04-25 17:58:05 +00:00
|
|
|
makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/rake $out/bin/gitlab-rake \
|
2016-08-03 16:49:18 +00:00
|
|
|
${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \
|
2019-09-24 06:58:32 +00:00
|
|
|
--set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar postgresqlPackage pkgs.coreutils pkgs.procps ]}:$PATH' \
|
2016-08-03 16:49:18 +00:00
|
|
|
--set RAKEOPT '-f ${cfg.packages.gitlab}/share/gitlab/Rakefile' \
|
|
|
|
|
--run 'cd ${cfg.packages.gitlab}/share/gitlab'
|
2016-08-04 00:08:26 +00:00
|
|
|
'';
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
|
2019-08-13 21:52:01 +00:00
|
|
|
gitlab-rails = pkgs.stdenv.mkDerivation {
|
2019-03-25 16:17:56 +00:00
|
|
|
name = "gitlab-rails";
|
|
|
|
|
buildInputs = [ pkgs.makeWrapper ];
|
|
|
|
|
dontBuild = true;
|
2019-06-19 15:45:34 +00:00
|
|
|
dontUnpack = true;
|
2019-03-25 16:17:56 +00:00
|
|
|
installPhase = ''
|
|
|
|
|
mkdir -p $out/bin
|
|
|
|
|
makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/rails $out/bin/gitlab-rails \
|
|
|
|
|
${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \
|
2019-09-24 06:58:32 +00:00
|
|
|
--set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar postgresqlPackage pkgs.coreutils pkgs.procps ]}:$PATH' \
|
2019-03-25 16:17:56 +00:00
|
|
|
--run 'cd ${cfg.packages.gitlab}/share/gitlab'
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2019-03-13 11:57:20 +00:00
|
|
|
extraGitlabRb = pkgs.writeText "extra-gitlab.rb" cfg.extraGitlabRb;
|
|
|
|
|
|
2016-08-03 16:49:18 +00:00
|
|
|
smtpSettings = pkgs.writeText "gitlab-smtp-settings.rb" ''
|
|
|
|
|
if Rails.env.production?
|
|
|
|
|
Rails.application.config.action_mailer.delivery_method = :smtp
|
|
|
|
|
|
|
|
|
|
ActionMailer::Base.delivery_method = :smtp
|
|
|
|
|
ActionMailer::Base.smtp_settings = {
|
|
|
|
|
address: "${cfg.smtp.address}",
|
|
|
|
|
port: ${toString cfg.smtp.port},
|
|
|
|
|
${optionalString (cfg.smtp.username != null) ''user_name: "${cfg.smtp.username}",''}
|
2019-07-31 16:09:27 +00:00
|
|
|
${optionalString (cfg.smtp.passwordFile != null) ''password: "@smtpPassword@",''}
|
2016-08-03 16:49:18 +00:00
|
|
|
domain: "${cfg.smtp.domain}",
|
|
|
|
|
${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"}
|
2020-04-28 07:05:26 +00:00
|
|
|
enable_starttls_auto: ${boolToString cfg.smtp.enableStartTLSAuto},
|
2021-03-20 14:05:29 +00:00
|
|
|
tls: ${boolToString cfg.smtp.tls},
|
2019-07-31 15:14:52 +00:00
|
|
|
ca_file: "/etc/ssl/certs/ca-certificates.crt",
|
2016-08-03 16:49:18 +00:00
|
|
|
openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}'
|
|
|
|
|
}
|
|
|
|
|
end
|
|
|
|
|
'';
|
|
|
|
|
|
2014-10-25 16:22:49 +00:00
|
|
|
in {
|
|
|
|
|
|
2019-12-10 01:51:19 +00:00
|
|
|
imports = [
|
|
|
|
|
(mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ])
|
2021-02-23 17:51:48 +00:00
|
|
|
(mkRenamedOptionModule [ "services" "gitlab" "backupPath" ] [ "services" "gitlab" "backup" "path" ])
|
2019-12-10 01:51:19 +00:00
|
|
|
(mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "")
|
|
|
|
|
];
|
|
|
|
|
|
2014-10-25 16:22:49 +00:00
|
|
|
options = {
|
|
|
|
|
services.gitlab = {
|
|
|
|
|
enable = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = ''
|
|
|
|
|
Enable the gitlab service.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2016-02-26 07:55:25 +00:00
|
|
|
packages.gitlab = mkOption {
|
|
|
|
|
type = types.package;
|
|
|
|
|
default = pkgs.gitlab;
|
2016-11-21 15:26:03 +00:00
|
|
|
defaultText = "pkgs.gitlab";
|
2016-02-26 07:55:25 +00:00
|
|
|
description = "Reference to the gitlab package";
|
2018-09-21 07:41:38 +00:00
|
|
|
example = "pkgs.gitlab-ee";
|
2016-02-26 07:55:25 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
packages.gitlab-shell = mkOption {
|
|
|
|
|
type = types.package;
|
|
|
|
|
default = pkgs.gitlab-shell;
|
2016-11-21 15:26:03 +00:00
|
|
|
defaultText = "pkgs.gitlab-shell";
|
2016-02-26 07:55:25 +00:00
|
|
|
description = "Reference to the gitlab-shell package";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
packages.gitlab-workhorse = mkOption {
|
|
|
|
|
type = types.package;
|
|
|
|
|
default = pkgs.gitlab-workhorse;
|
2016-11-21 15:26:03 +00:00
|
|
|
defaultText = "pkgs.gitlab-workhorse";
|
2016-02-26 07:55:25 +00:00
|
|
|
description = "Reference to the gitlab-workhorse package";
|
|
|
|
|
};
|
|
|
|
|
|
2017-07-05 21:53:31 +00:00
|
|
|
packages.gitaly = mkOption {
|
|
|
|
|
type = types.package;
|
|
|
|
|
default = pkgs.gitaly;
|
|
|
|
|
defaultText = "pkgs.gitaly";
|
|
|
|
|
description = "Reference to the gitaly package";
|
|
|
|
|
};
|
|
|
|
|
|
2020-07-18 15:46:13 +00:00
|
|
|
packages.pages = mkOption {
|
|
|
|
|
type = types.package;
|
|
|
|
|
default = pkgs.gitlab-pages;
|
|
|
|
|
defaultText = "pkgs.gitlab-pages";
|
|
|
|
|
description = "Reference to the gitlab-pages package";
|
|
|
|
|
};
|
|
|
|
|
|
2016-01-30 13:47:04 +00:00
|
|
|
statePath = mkOption {
|
2014-10-25 16:22:49 +00:00
|
|
|
type = types.str;
|
|
|
|
|
default = "/var/gitlab/state";
|
2019-09-20 16:04:03 +00:00
|
|
|
description = ''
|
2021-02-25 11:02:55 +00:00
|
|
|
GitLab state directory. Configuration, repositories and
|
2019-09-20 16:04:03 +00:00
|
|
|
logs, among other things, are stored here.
|
|
|
|
|
|
|
|
|
|
The directory will be created automatically if it doesn't
|
|
|
|
|
exist already. Its parent directories must be owned by
|
|
|
|
|
either <literal>root</literal> or the user set in
|
|
|
|
|
<option>services.gitlab.user</option>.
|
|
|
|
|
'';
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
|
2021-06-08 19:29:18 +00:00
|
|
|
extraEnv = mkOption {
|
|
|
|
|
type = types.attrsOf types.str;
|
|
|
|
|
default = {};
|
|
|
|
|
description = ''
|
|
|
|
|
Additional environment variables for the GitLab environment.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2021-02-23 17:51:48 +00:00
|
|
|
backup.startAt = mkOption {
|
|
|
|
|
type = with types; either str (listOf str);
|
|
|
|
|
default = [];
|
|
|
|
|
example = "03:00";
|
|
|
|
|
description = ''
|
|
|
|
|
The time(s) to run automatic backup of GitLab
|
|
|
|
|
state. Specified in systemd's time format; see
|
|
|
|
|
<citerefentry><refentrytitle>systemd.time</refentrytitle>
|
|
|
|
|
<manvolnum>7</manvolnum></citerefentry>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
backup.path = mkOption {
|
2014-10-25 16:22:49 +00:00
|
|
|
type = types.str;
|
2016-01-30 13:47:04 +00:00
|
|
|
default = cfg.statePath + "/backup";
|
2021-02-23 17:51:48 +00:00
|
|
|
description = "GitLab path for backups.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
backup.keepTime = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
default = 0;
|
|
|
|
|
example = 48;
|
|
|
|
|
apply = x: x * 60 * 60;
|
|
|
|
|
description = ''
|
|
|
|
|
How long to keep the backups around, in
|
|
|
|
|
hours. <literal>0</literal> means <quote>keep
|
|
|
|
|
forever</quote>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
backup.skip = mkOption {
|
|
|
|
|
type = with types;
|
|
|
|
|
let value = enum [
|
|
|
|
|
"db"
|
|
|
|
|
"uploads"
|
|
|
|
|
"builds"
|
|
|
|
|
"artifacts"
|
|
|
|
|
"lfs"
|
|
|
|
|
"registry"
|
|
|
|
|
"pages"
|
|
|
|
|
"repositories"
|
|
|
|
|
"tar"
|
|
|
|
|
];
|
|
|
|
|
in
|
|
|
|
|
either value (listOf value);
|
|
|
|
|
default = [];
|
|
|
|
|
example = [ "artifacts" "lfs" ];
|
|
|
|
|
apply = x: if isString x then x else concatStringsSep "," x;
|
|
|
|
|
description = ''
|
|
|
|
|
Directories to exclude from the backup. The example excludes
|
|
|
|
|
CI artifacts and LFS objects from the backups. The
|
|
|
|
|
<literal>tar</literal> option skips the creation of a tar
|
|
|
|
|
file.
|
|
|
|
|
|
|
|
|
|
Refer to <link xlink:href="https://docs.gitlab.com/ee/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup"/>
|
|
|
|
|
for more information.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
backup.uploadOptions = mkOption {
|
|
|
|
|
type = types.attrs;
|
|
|
|
|
default = {};
|
|
|
|
|
example = literalExample ''
|
|
|
|
|
{
|
|
|
|
|
# Fog storage connection settings, see http://fog.io/storage/
|
|
|
|
|
connection = {
|
|
|
|
|
provider = "AWS";
|
|
|
|
|
region = "eu-north-1";
|
|
|
|
|
aws_access_key_id = "AKIAXXXXXXXXXXXXXXXX";
|
|
|
|
|
aws_secret_access_key = { _secret = config.deployment.keys.aws_access_key.path; };
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# The remote 'directory' to store your backups in.
|
|
|
|
|
# For S3, this would be the bucket name.
|
|
|
|
|
remote_directory = "my-gitlab-backups";
|
|
|
|
|
|
|
|
|
|
# Use multipart uploads when file size reaches 100MB, see
|
|
|
|
|
# http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
|
|
|
|
|
multipart_chunk_size = 104857600;
|
|
|
|
|
|
|
|
|
|
# Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
|
|
|
|
|
encryption = "AES256";
|
|
|
|
|
|
|
|
|
|
# Specifies Amazon S3 storage class to use for backups, this is optional
|
|
|
|
|
storage_class = "STANDARD";
|
|
|
|
|
};
|
|
|
|
|
'';
|
|
|
|
|
description = ''
|
|
|
|
|
GitLab automatic upload specification. Tells GitLab to
|
|
|
|
|
upload the backup to a remote location when done.
|
|
|
|
|
|
|
|
|
|
Attributes specified here are added under
|
|
|
|
|
<literal>production -> backup -> upload</literal> in
|
|
|
|
|
<filename>config/gitlab.yml</filename>.
|
|
|
|
|
'';
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
databaseHost = mkOption {
|
|
|
|
|
type = types.str;
|
2019-08-01 14:59:24 +00:00
|
|
|
default = "";
|
|
|
|
|
description = ''
|
2021-02-25 11:02:55 +00:00
|
|
|
GitLab database hostname. An empty string means <quote>use
|
2019-08-01 14:59:24 +00:00
|
|
|
local unix socket connection</quote>.
|
|
|
|
|
'';
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
|
2019-07-31 16:09:27 +00:00
|
|
|
databasePasswordFile = mkOption {
|
|
|
|
|
type = with types; nullOr path;
|
|
|
|
|
default = null;
|
|
|
|
|
description = ''
|
2021-02-25 11:02:55 +00:00
|
|
|
File containing the GitLab database user password.
|
2019-07-31 16:09:27 +00:00
|
|
|
|
|
|
|
|
This should be a string, not a nix path, since nix paths are
|
|
|
|
|
copied into the world-readable nix store.
|
|
|
|
|
'';
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
|
2019-08-01 14:59:24 +00:00
|
|
|
databaseCreateLocally = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether a database should be automatically created on the
|
|
|
|
|
local host. Set this to <literal>false</literal> if you plan
|
2019-09-17 06:36:19 +00:00
|
|
|
on provisioning a local database yourself. This has no effect
|
|
|
|
|
if <option>services.gitlab.databaseHost</option> is customized.
|
2019-08-01 14:59:24 +00:00
|
|
|
'';
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
databaseName = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "gitlab";
|
2021-02-25 11:02:55 +00:00
|
|
|
description = "GitLab database name.";
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
databaseUsername = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "gitlab";
|
2021-02-25 11:02:55 +00:00
|
|
|
description = "GitLab database user.";
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
|
2019-02-06 23:45:28 +00:00
|
|
|
databasePool = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
default = 5;
|
|
|
|
|
description = "Database connection pool size.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
extraDatabaseConfig = mkOption {
|
|
|
|
|
type = types.attrs;
|
|
|
|
|
default = {};
|
|
|
|
|
description = "Extra configuration in config/database.yml.";
|
|
|
|
|
};
|
2014-10-25 16:22:49 +00:00
|
|
|
|
2020-07-18 14:28:59 +00:00
|
|
|
redisUrl = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "redis://localhost:6379/";
|
|
|
|
|
description = "Redis URL for all GitLab services except gitlab-shell";
|
|
|
|
|
};
|
|
|
|
|
|
2019-03-13 11:57:20 +00:00
|
|
|
extraGitlabRb = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "";
|
|
|
|
|
example = ''
|
|
|
|
|
if Rails.env.production?
|
|
|
|
|
Rails.application.config.action_mailer.delivery_method = :sendmail
|
|
|
|
|
ActionMailer::Base.delivery_method = :sendmail
|
|
|
|
|
ActionMailer::Base.sendmail_settings = {
|
|
|
|
|
location: "/run/wrappers/bin/sendmail",
|
|
|
|
|
arguments: "-i -t"
|
|
|
|
|
}
|
|
|
|
|
end
|
|
|
|
|
'';
|
|
|
|
|
description = ''
|
|
|
|
|
Extra configuration to be placed in config/extra-gitlab.rb. This can
|
|
|
|
|
be used to add configuration not otherwise exposed through this module's
|
|
|
|
|
options.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2014-10-25 16:22:49 +00:00
|
|
|
host = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = config.networking.hostName;
|
2021-02-25 11:02:55 +00:00
|
|
|
description = "GitLab host name. Used e.g. for copy-paste URLs.";
|
2014-11-29 23:56:22 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
port = mkOption {
|
2021-05-25 17:37:34 +00:00
|
|
|
type = types.port;
|
2014-11-29 23:56:22 +00:00
|
|
|
default = 8080;
|
2016-01-30 13:47:04 +00:00
|
|
|
description = ''
|
2021-02-25 11:02:55 +00:00
|
|
|
GitLab server port for copy-paste URLs, e.g. 80 or 443 if you're
|
2016-01-30 13:47:04 +00:00
|
|
|
service over https.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
https = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = "Whether gitlab prints URLs with https as scheme.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
user = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "gitlab";
|
|
|
|
|
description = "User to run gitlab and all related services.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
group = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "gitlab";
|
|
|
|
|
description = "Group to run gitlab and all related services.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
initialRootEmail = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "admin@local.host";
|
|
|
|
|
description = ''
|
|
|
|
|
Initial email address of the root account if this is a new install.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2019-07-31 16:09:27 +00:00
|
|
|
initialRootPasswordFile = mkOption {
|
|
|
|
|
type = with types; nullOr path;
|
|
|
|
|
default = null;
|
2016-01-30 13:47:04 +00:00
|
|
|
description = ''
|
2019-07-31 16:09:27 +00:00
|
|
|
File containing the initial password of the root account if
|
|
|
|
|
this is a new install.
|
|
|
|
|
|
|
|
|
|
This should be a string, not a nix path, since nix paths are
|
|
|
|
|
copied into the world-readable nix store.
|
2016-01-30 13:47:04 +00:00
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2021-06-09 21:19:25 +00:00
|
|
|
registry = {
|
|
|
|
|
enable = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = "Enable GitLab container registry.";
|
|
|
|
|
};
|
|
|
|
|
host = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = config.services.gitlab.host;
|
|
|
|
|
description = "GitLab container registry host name.";
|
|
|
|
|
};
|
|
|
|
|
port = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
default = 4567;
|
|
|
|
|
description = "GitLab container registry port.";
|
|
|
|
|
};
|
|
|
|
|
certFile = mkOption {
|
|
|
|
|
type = types.path;
|
|
|
|
|
default = null;
|
|
|
|
|
description = "Path to GitLab container registry certificate.";
|
|
|
|
|
};
|
|
|
|
|
keyFile = mkOption {
|
|
|
|
|
type = types.path;
|
|
|
|
|
default = null;
|
|
|
|
|
description = "Path to GitLab container registry certificate-key.";
|
|
|
|
|
};
|
|
|
|
|
defaultForProjects = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = cfg.registry.enable;
|
|
|
|
|
description = "If GitLab container registry should be enabled by default for projects.";
|
|
|
|
|
};
|
|
|
|
|
issuer = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "gitlab-issuer";
|
|
|
|
|
description = "GitLab container registry issuer.";
|
|
|
|
|
};
|
|
|
|
|
serviceName = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "container_registry";
|
|
|
|
|
description = "GitLab container registry service name.";
|
|
|
|
|
};
|
|
|
|
|
externalAddress = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "";
|
|
|
|
|
description = "External address used to access registry from the internet";
|
|
|
|
|
};
|
|
|
|
|
externalPort = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
description = "External port used to access registry from the internet";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2016-08-03 16:49:18 +00:00
|
|
|
smtp = {
|
|
|
|
|
enable = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = "Enable gitlab mail delivery over SMTP.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
address = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "localhost";
|
2021-02-25 11:02:55 +00:00
|
|
|
description = "Address of the SMTP server for GitLab.";
|
2016-08-03 16:49:18 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
port = mkOption {
|
|
|
|
|
type = types.int;
|
2021-02-18 16:26:20 +00:00
|
|
|
default = 25;
|
2021-02-25 11:02:55 +00:00
|
|
|
description = "Port of the SMTP server for GitLab.";
|
2016-08-03 16:49:18 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
username = mkOption {
|
2019-07-31 16:09:27 +00:00
|
|
|
type = with types; nullOr str;
|
2016-08-03 16:49:18 +00:00
|
|
|
default = null;
|
2021-02-25 11:02:55 +00:00
|
|
|
description = "Username of the SMTP server for GitLab.";
|
2016-08-03 16:49:18 +00:00
|
|
|
};
|
|
|
|
|
|
2019-07-31 16:09:27 +00:00
|
|
|
passwordFile = mkOption {
|
|
|
|
|
type = types.nullOr types.path;
|
2016-08-03 16:49:18 +00:00
|
|
|
default = null;
|
2019-07-31 16:09:27 +00:00
|
|
|
description = ''
|
2021-02-25 11:02:55 +00:00
|
|
|
File containing the password of the SMTP server for GitLab.
|
2019-07-31 16:09:27 +00:00
|
|
|
|
|
|
|
|
This should be a string, not a nix path, since nix paths
|
|
|
|
|
are copied into the world-readable nix store.
|
|
|
|
|
'';
|
2016-08-03 16:49:18 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
domain = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "localhost";
|
|
|
|
|
description = "HELO domain to use for outgoing mail.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
authentication = mkOption {
|
2019-07-31 16:09:27 +00:00
|
|
|
type = with types; nullOr str;
|
2016-08-03 16:49:18 +00:00
|
|
|
default = null;
|
2021-02-14 14:55:54 +00:00
|
|
|
description = "Authentication type to use, see http://api.rubyonrails.org/classes/ActionMailer/Base.html";
|
2016-08-03 16:49:18 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
enableStartTLSAuto = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
description = "Whether to try to use StartTLS.";
|
|
|
|
|
};
|
|
|
|
|
|
2021-03-20 14:05:29 +00:00
|
|
|
tls = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = "Whether to use TLS wrapper-mode.";
|
|
|
|
|
};
|
|
|
|
|
|
2016-08-03 16:49:18 +00:00
|
|
|
opensslVerifyMode = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "peer";
|
|
|
|
|
description = "How OpenSSL checks the certificate, see http://api.rubyonrails.org/classes/ActionMailer/Base.html";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2020-07-18 15:46:13 +00:00
|
|
|
pagesExtraArgs = mkOption {
|
|
|
|
|
type = types.listOf types.str;
|
|
|
|
|
default = [ "-listen-proxy" "127.0.0.1:8090" ];
|
|
|
|
|
description = "Arguments to pass to the gitlab-pages daemon";
|
|
|
|
|
};
|
|
|
|
|
|
2019-07-31 16:09:27 +00:00
|
|
|
secrets.secretFile = mkOption {
|
|
|
|
|
type = with types; nullOr path;
|
|
|
|
|
default = null;
|
2016-08-17 11:16:32 +00:00
|
|
|
description = ''
|
2019-07-31 16:09:27 +00:00
|
|
|
A file containing the secret used to encrypt variables in
|
|
|
|
|
the DB. If you change or lose this key you will be unable to
|
|
|
|
|
access variables stored in database.
|
2016-08-17 11:16:32 +00:00
|
|
|
|
gitlab: Add patch for db_key_base length bug, fix descriptions
The upstream recommended minimum length for db_key_base is 30 bytes,
which our option descriptions repeated. Recently, however, upstream
has, in many places, moved to using aes-256-gcm, which requires a key
of exactly 32 bytes. To allow for shorter keys, the upstream code pads
the key in some places. However, in many others, it just truncates the
key if it's too long, leaving it too short if it was to begin
with. This adds a patch that fixes this and updates the descriptions
to recommend a key of at least 32 characters.
See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
2021-02-10 17:42:07 +00:00
|
|
|
Make sure the secret is at least 32 characters and all random,
|
2016-08-17 11:16:32 +00:00
|
|
|
no regular words or you'll be exposed to dictionary attacks.
|
2019-07-31 16:09:27 +00:00
|
|
|
|
|
|
|
|
This should be a string, not a nix path, since nix paths are
|
|
|
|
|
copied into the world-readable nix store.
|
2016-08-17 11:16:32 +00:00
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2019-07-31 16:09:27 +00:00
|
|
|
secrets.dbFile = mkOption {
|
|
|
|
|
type = with types; nullOr path;
|
|
|
|
|
default = null;
|
2016-08-26 12:08:53 +00:00
|
|
|
description = ''
|
2019-07-31 16:09:27 +00:00
|
|
|
A file containing the secret used to encrypt variables in
|
|
|
|
|
the DB. If you change or lose this key you will be unable to
|
|
|
|
|
access variables stored in database.
|
2016-08-26 12:08:53 +00:00
|
|
|
|
gitlab: Add patch for db_key_base length bug, fix descriptions
The upstream recommended minimum length for db_key_base is 30 bytes,
which our option descriptions repeated. Recently, however, upstream
has, in many places, moved to using aes-256-gcm, which requires a key
of exactly 32 bytes. To allow for shorter keys, the upstream code pads
the key in some places. However, in many others, it just truncates the
key if it's too long, leaving it too short if it was to begin
with. This adds a patch that fixes this and updates the descriptions
to recommend a key of at least 32 characters.
See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
2021-02-10 17:42:07 +00:00
|
|
|
Make sure the secret is at least 32 characters and all random,
|
2016-08-26 12:08:53 +00:00
|
|
|
no regular words or you'll be exposed to dictionary attacks.
|
2019-07-31 16:09:27 +00:00
|
|
|
|
|
|
|
|
This should be a string, not a nix path, since nix paths are
|
|
|
|
|
copied into the world-readable nix store.
|
2016-08-26 12:08:53 +00:00
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2019-07-31 16:09:27 +00:00
|
|
|
secrets.otpFile = mkOption {
|
|
|
|
|
type = with types; nullOr path;
|
|
|
|
|
default = null;
|
2016-08-26 12:08:53 +00:00
|
|
|
description = ''
|
2019-07-31 16:09:27 +00:00
|
|
|
A file containing the secret used to encrypt secrets for OTP
|
|
|
|
|
tokens. If you change or lose this key, users which have 2FA
|
|
|
|
|
enabled for login won't be able to login anymore.
|
2016-08-26 12:08:53 +00:00
|
|
|
|
gitlab: Add patch for db_key_base length bug, fix descriptions
The upstream recommended minimum length for db_key_base is 30 bytes,
which our option descriptions repeated. Recently, however, upstream
has, in many places, moved to using aes-256-gcm, which requires a key
of exactly 32 bytes. To allow for shorter keys, the upstream code pads
the key in some places. However, in many others, it just truncates the
key if it's too long, leaving it too short if it was to begin
with. This adds a patch that fixes this and updates the descriptions
to recommend a key of at least 32 characters.
See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
2021-02-10 17:42:07 +00:00
|
|
|
Make sure the secret is at least 32 characters and all random,
|
2016-08-26 12:08:53 +00:00
|
|
|
no regular words or you'll be exposed to dictionary attacks.
|
2019-07-31 16:09:27 +00:00
|
|
|
|
|
|
|
|
This should be a string, not a nix path, since nix paths are
|
|
|
|
|
copied into the world-readable nix store.
|
2016-08-26 12:08:53 +00:00
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2019-07-31 16:09:27 +00:00
|
|
|
secrets.jwsFile = mkOption {
|
|
|
|
|
type = with types; nullOr path;
|
|
|
|
|
default = null;
|
2017-07-05 21:53:31 +00:00
|
|
|
description = ''
|
2019-07-31 16:09:27 +00:00
|
|
|
A file containing the secret used to encrypt session
|
|
|
|
|
keys. If you change or lose this key, users will be
|
|
|
|
|
disconnected.
|
2017-07-05 21:53:31 +00:00
|
|
|
|
|
|
|
|
Make sure the secret is an RSA private key in PEM format. You can
|
|
|
|
|
generate one with
|
|
|
|
|
|
2017-10-03 14:09:30 +00:00
|
|
|
openssl genrsa 2048
|
2019-07-31 16:09:27 +00:00
|
|
|
|
|
|
|
|
This should be a string, not a nix path, since nix paths are
|
|
|
|
|
copied into the world-readable nix store.
|
2017-07-05 21:53:31 +00:00
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2020-07-18 14:46:33 +00:00
|
|
|
extraShellConfig = mkOption {
|
|
|
|
|
type = types.attrs;
|
|
|
|
|
default = {};
|
|
|
|
|
description = "Extra configuration to merge into shell-config.yml";
|
|
|
|
|
};
|
|
|
|
|
|
2021-04-01 17:47:27 +00:00
|
|
|
puma.workers = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
default = 2;
|
|
|
|
|
apply = x: builtins.toString x;
|
|
|
|
|
description = ''
|
|
|
|
|
The number of worker processes Puma should spawn. This
|
|
|
|
|
controls the amount of parallel Ruby code can be
|
|
|
|
|
executed. GitLab recommends <quote>Number of CPU cores -
|
|
|
|
|
1</quote>, but at least two.
|
|
|
|
|
|
|
|
|
|
<note>
|
|
|
|
|
<para>
|
|
|
|
|
Each worker consumes quite a bit of memory, so
|
|
|
|
|
be careful when increasing this.
|
|
|
|
|
</para>
|
|
|
|
|
</note>
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
puma.threadsMin = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
default = 0;
|
|
|
|
|
apply = x: builtins.toString x;
|
|
|
|
|
description = ''
|
|
|
|
|
The minimum number of threads Puma should use per
|
|
|
|
|
worker.
|
|
|
|
|
|
|
|
|
|
<note>
|
|
|
|
|
<para>
|
|
|
|
|
Each thread consumes memory and contributes to Global VM
|
|
|
|
|
Lock contention, so be careful when increasing this.
|
|
|
|
|
</para>
|
|
|
|
|
</note>
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
puma.threadsMax = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
default = 4;
|
|
|
|
|
apply = x: builtins.toString x;
|
|
|
|
|
description = ''
|
|
|
|
|
The maximum number of threads Puma should use per
|
|
|
|
|
worker. This limits how many threads Puma will automatically
|
|
|
|
|
spawn in response to requests. In contrast to workers,
|
|
|
|
|
threads will never be able to run Ruby code in parallel, but
|
|
|
|
|
give higher IO parallelism.
|
|
|
|
|
|
|
|
|
|
<note>
|
|
|
|
|
<para>
|
|
|
|
|
Each thread consumes memory and contributes to Global VM
|
|
|
|
|
Lock contention, so be careful when increasing this.
|
|
|
|
|
</para>
|
|
|
|
|
</note>
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2021-04-08 17:01:22 +00:00
|
|
|
sidekiq.memoryKiller.enable = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether the Sidekiq MemoryKiller should be turned
|
|
|
|
|
on. MemoryKiller kills Sidekiq when its memory consumption
|
|
|
|
|
exceeds a certain limit.
|
|
|
|
|
|
|
|
|
|
See <link xlink:href="https://docs.gitlab.com/ee/administration/operations/sidekiq_memory_killer.html"/>
|
|
|
|
|
for details.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
sidekiq.memoryKiller.maxMemory = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
default = 2000;
|
|
|
|
|
apply = x: builtins.toString (x * 1024);
|
|
|
|
|
description = ''
|
|
|
|
|
The maximum amount of memory, in MiB, a Sidekiq worker is
|
|
|
|
|
allowed to consume before being killed.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
sidekiq.memoryKiller.graceTime = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
default = 900;
|
|
|
|
|
apply = x: builtins.toString x;
|
|
|
|
|
description = ''
|
|
|
|
|
The time MemoryKiller waits after noticing excessive memory
|
|
|
|
|
consumption before killing Sidekiq.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
sidekiq.memoryKiller.shutdownWait = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
default = 30;
|
|
|
|
|
apply = x: builtins.toString x;
|
|
|
|
|
description = ''
|
|
|
|
|
The time allowed for all jobs to finish before Sidekiq is
|
|
|
|
|
killed forcefully.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2016-01-30 13:47:04 +00:00
|
|
|
extraConfig = mkOption {
|
|
|
|
|
type = types.attrs;
|
2016-02-23 21:55:35 +00:00
|
|
|
default = {};
|
2019-08-07 09:26:08 +00:00
|
|
|
example = literalExample ''
|
|
|
|
|
{
|
|
|
|
|
gitlab = {
|
|
|
|
|
default_projects_features = {
|
|
|
|
|
builds = false;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
omniauth = {
|
|
|
|
|
enabled = true;
|
|
|
|
|
auto_sign_in_with_provider = "openid_connect";
|
|
|
|
|
allow_single_sign_on = ["openid_connect"];
|
|
|
|
|
block_auto_created_users = false;
|
|
|
|
|
providers = [
|
|
|
|
|
{
|
|
|
|
|
name = "openid_connect";
|
|
|
|
|
label = "OpenID Connect";
|
|
|
|
|
args = {
|
|
|
|
|
name = "openid_connect";
|
|
|
|
|
scope = ["openid" "profile"];
|
|
|
|
|
response_type = "code";
|
|
|
|
|
issuer = "https://keycloak.example.com/auth/realms/My%20Realm";
|
|
|
|
|
discovery = true;
|
|
|
|
|
client_auth_method = "query";
|
|
|
|
|
uid_field = "preferred_username";
|
|
|
|
|
client_options = {
|
|
|
|
|
identifier = "gitlab";
|
|
|
|
|
secret = { _secret = "/var/keys/gitlab_oidc_secret"; };
|
|
|
|
|
redirect_uri = "https://git.example.com/users/auth/openid_connect/callback";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
];
|
2016-01-30 13:47:04 +00:00
|
|
|
};
|
|
|
|
|
};
|
2019-08-07 09:26:08 +00:00
|
|
|
'';
|
2016-01-30 13:47:04 +00:00
|
|
|
description = ''
|
2019-08-07 09:26:08 +00:00
|
|
|
Extra options to be added under
|
|
|
|
|
<literal>production</literal> in
|
|
|
|
|
<filename>config/gitlab.yml</filename>, as a nix attribute
|
|
|
|
|
set.
|
|
|
|
|
|
|
|
|
|
Options containing secret data should be set to an attribute
|
|
|
|
|
set containing the attribute <literal>_secret</literal> - a
|
|
|
|
|
string pointing to a file containing the value the option
|
|
|
|
|
should be set to. See the example to get a better picture of
|
|
|
|
|
this: in the resulting
|
|
|
|
|
<filename>config/gitlab.yml</filename> file, the
|
|
|
|
|
<literal>production.omniauth.providers[0].args.client_options.secret</literal>
|
|
|
|
|
key will be set to the contents of the
|
|
|
|
|
<filename>/var/keys/gitlab_oidc_secret</filename> file.
|
2016-01-30 13:47:04 +00:00
|
|
|
'';
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
|
2019-07-31 16:09:27 +00:00
|
|
|
assertions = [
|
|
|
|
|
{
|
2019-09-17 06:36:19 +00:00
|
|
|
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.databaseUsername);
|
|
|
|
|
message = ''For local automatic database provisioning (services.gitlab.databaseCreateLocally == true) with peer authentication (services.gitlab.databaseHost == "") to work services.gitlab.user and services.gitlab.databaseUsername must be identical.'';
|
2019-08-01 14:59:24 +00:00
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
assertion = (cfg.databaseHost != "") -> (cfg.databasePasswordFile != null);
|
|
|
|
|
message = "When services.gitlab.databaseHost is customized, services.gitlab.databasePasswordFile must be set!";
|
2019-07-31 16:09:27 +00:00
|
|
|
}
|
|
|
|
|
{
|
2019-08-01 14:59:24 +00:00
|
|
|
assertion = cfg.initialRootPasswordFile != null;
|
|
|
|
|
message = "services.gitlab.initialRootPasswordFile must be set!";
|
2019-07-31 16:09:27 +00:00
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
assertion = cfg.secrets.secretFile != null;
|
|
|
|
|
message = "services.gitlab.secrets.secretFile must be set!";
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
assertion = cfg.secrets.dbFile != null;
|
|
|
|
|
message = "services.gitlab.secrets.dbFile must be set!";
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
assertion = cfg.secrets.otpFile != null;
|
|
|
|
|
message = "services.gitlab.secrets.otpFile must be set!";
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
assertion = cfg.secrets.jwsFile != null;
|
|
|
|
|
message = "services.gitlab.secrets.jwsFile must be set!";
|
|
|
|
|
}
|
2021-06-23 11:08:34 +00:00
|
|
|
{
|
|
|
|
|
assertion = versionAtLeast postgresqlPackage.version "12.0.0";
|
2021-07-12 12:20:20 +00:00
|
|
|
message = "PostgreSQL >=12 is required to run GitLab 14. Follow the instructions in the manual section for upgrading PostgreSQL here: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading";
|
2021-06-23 11:08:34 +00:00
|
|
|
}
|
2019-07-31 16:09:27 +00:00
|
|
|
];
|
|
|
|
|
|
2019-03-25 16:17:56 +00:00
|
|
|
environment.systemPackages = [ pkgs.git gitlab-rake gitlab-rails cfg.packages.gitlab-shell ];
|
2014-10-25 16:22:49 +00:00
|
|
|
|
2021-02-25 10:33:06 +00:00
|
|
|
systemd.targets.gitlab = {
|
|
|
|
|
description = "Common target for all GitLab services.";
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
|
};
|
|
|
|
|
|
2014-10-25 16:22:49 +00:00
|
|
|
# Redis is required for the sidekiq queue runner.
|
|
|
|
|
services.redis.enable = mkDefault true;
|
2019-08-01 14:59:24 +00:00
|
|
|
|
2014-10-25 16:22:49 +00:00
|
|
|
# We use postgres as the main data store.
|
2019-09-17 06:36:19 +00:00
|
|
|
services.postgresql = optionalAttrs databaseActuallyCreateLocally {
|
2019-08-01 14:59:24 +00:00
|
|
|
enable = true;
|
|
|
|
|
ensureUsers = singleton { name = cfg.databaseUsername; };
|
|
|
|
|
};
|
2020-08-07 02:37:48 +00:00
|
|
|
|
2019-08-01 14:59:24 +00:00
|
|
|
# The postgresql module doesn't currently support concepts like
|
|
|
|
|
# objects owners and extensions; for now we tack on what's needed
|
|
|
|
|
# here.
|
2020-08-07 02:37:48 +00:00
|
|
|
systemd.services.gitlab-postgresql = let pgsql = config.services.postgresql; in mkIf databaseActuallyCreateLocally {
|
|
|
|
|
after = [ "postgresql.service" ];
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
bindsTo = [ "postgresql.service" ];
|
2021-02-25 10:33:06 +00:00
|
|
|
wantedBy = [ "gitlab.target" ];
|
|
|
|
|
partOf = [ "gitlab.target" ];
|
2021-02-18 16:33:21 +00:00
|
|
|
path = [
|
|
|
|
|
pgsql.package
|
|
|
|
|
pkgs.util-linux
|
|
|
|
|
];
|
2020-08-07 02:37:48 +00:00
|
|
|
script = ''
|
|
|
|
|
set -eu
|
|
|
|
|
|
2021-02-18 16:33:21 +00:00
|
|
|
PSQL() {
|
|
|
|
|
psql --port=${toString pgsql.port} "$@"
|
|
|
|
|
}
|
2020-08-07 02:37:48 +00:00
|
|
|
|
2021-02-18 16:33:21 +00:00
|
|
|
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${cfg.databaseName}'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "${cfg.databaseName}" OWNER "${cfg.databaseUsername}"'
|
|
|
|
|
current_owner=$(PSQL -tAc "SELECT pg_catalog.pg_get_userbyid(datdba) FROM pg_catalog.pg_database WHERE datname = '${cfg.databaseName}'")
|
2020-08-07 02:37:48 +00:00
|
|
|
if [[ "$current_owner" != "${cfg.databaseUsername}" ]]; then
|
2021-02-18 16:33:21 +00:00
|
|
|
PSQL -tAc 'ALTER DATABASE "${cfg.databaseName}" OWNER TO "${cfg.databaseUsername}"'
|
2020-08-07 02:37:48 +00:00
|
|
|
if [[ -e "${config.services.postgresql.dataDir}/.reassigning_${cfg.databaseName}" ]]; then
|
|
|
|
|
echo "Reassigning ownership of database ${cfg.databaseName} to user ${cfg.databaseUsername} failed on last boot. Failing..."
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
touch "${config.services.postgresql.dataDir}/.reassigning_${cfg.databaseName}"
|
2021-02-18 16:33:21 +00:00
|
|
|
PSQL "${cfg.databaseName}" -tAc "REASSIGN OWNED BY \"$current_owner\" TO \"${cfg.databaseUsername}\""
|
2020-08-07 02:37:48 +00:00
|
|
|
rm "${config.services.postgresql.dataDir}/.reassigning_${cfg.databaseName}"
|
|
|
|
|
fi
|
2021-02-18 16:33:21 +00:00
|
|
|
PSQL '${cfg.databaseName}' -tAc "CREATE EXTENSION IF NOT EXISTS pg_trgm"
|
|
|
|
|
PSQL '${cfg.databaseName}' -tAc "CREATE EXTENSION IF NOT EXISTS btree_gist;"
|
2020-08-07 02:37:48 +00:00
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
serviceConfig = {
|
2021-02-18 16:33:21 +00:00
|
|
|
User = pgsql.superUser;
|
2020-08-07 02:37:48 +00:00
|
|
|
Type = "oneshot";
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
RemainAfterExit = true;
|
2020-08-07 02:37:48 +00:00
|
|
|
};
|
|
|
|
|
};
|
2019-08-01 14:59:24 +00:00
|
|
|
|
2021-06-09 21:19:25 +00:00
|
|
|
systemd.services.gitlab-registry-cert = optionalAttrs cfg.registry.enable {
|
|
|
|
|
path = with pkgs; [ openssl ];
|
|
|
|
|
|
|
|
|
|
script = ''
|
|
|
|
|
mkdir -p $(dirname ${cfg.registry.keyFile})
|
|
|
|
|
mkdir -p $(dirname ${cfg.registry.certFile})
|
|
|
|
|
openssl req -nodes -newkey rsa:4096 -keyout ${cfg.registry.keyFile} -out /tmp/registry-auth.csr -subj "/CN=${cfg.registry.issuer}"
|
|
|
|
|
openssl x509 -in /tmp/registry-auth.csr -out ${cfg.registry.certFile} -req -signkey ${cfg.registry.keyFile} -days 3650
|
|
|
|
|
chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.keyFile})
|
|
|
|
|
chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.certFile})
|
|
|
|
|
chown ${cfg.user}:${cfg.group} ${cfg.registry.keyFile}
|
|
|
|
|
chown ${cfg.user}:${cfg.group} ${cfg.registry.certFile}
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
ConditionPathExists = "!${cfg.registry.certFile}";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# Ensure Docker Registry launches after the certificate generation job
|
|
|
|
|
systemd.services.docker-registry = optionalAttrs cfg.registry.enable {
|
|
|
|
|
wants = [ "gitlab-registry-cert.service" ];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# Enable Docker Registry, if GitLab-Container Registry is enabled
|
|
|
|
|
services.dockerRegistry = optionalAttrs cfg.registry.enable {
|
|
|
|
|
enable = true;
|
|
|
|
|
enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly
|
|
|
|
|
extraConfig = {
|
|
|
|
|
auth.token = {
|
|
|
|
|
realm = "http${if cfg.https == true then "s" else ""}://${cfg.host}/jwt/auth";
|
|
|
|
|
service = cfg.registry.serviceName;
|
|
|
|
|
issuer = cfg.registry.issuer;
|
|
|
|
|
rootcertbundle = cfg.registry.certFile;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2014-10-25 16:22:49 +00:00
|
|
|
# Use postfix to send out mails.
|
2021-02-18 16:26:20 +00:00
|
|
|
services.postfix.enable = mkDefault (cfg.smtp.enable && cfg.smtp.address == "localhost");
|
2014-10-25 16:22:49 +00:00
|
|
|
|
2019-09-14 17:51:29 +00:00
|
|
|
users.users.${cfg.user} =
|
|
|
|
|
{ group = cfg.group;
|
2016-01-30 13:47:04 +00:00
|
|
|
home = "${cfg.statePath}/home";
|
2014-10-25 16:22:49 +00:00
|
|
|
shell = "${pkgs.bash}/bin/bash";
|
|
|
|
|
uid = config.ids.uids.gitlab;
|
2019-09-14 17:51:29 +00:00
|
|
|
};
|
2014-10-25 16:22:49 +00:00
|
|
|
|
2019-09-14 17:51:29 +00:00
|
|
|
users.groups.${cfg.group}.gid = config.ids.gids.gitlab;
|
2014-10-25 16:22:49 +00:00
|
|
|
|
2018-11-02 20:22:51 +00:00
|
|
|
systemd.tmpfiles.rules = [
|
|
|
|
|
"d /run/gitlab 0755 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${gitlabEnv.HOME} 0750 ${cfg.user} ${cfg.group} -"
|
2019-07-16 01:48:13 +00:00
|
|
|
"z ${gitlabEnv.HOME}/.ssh/authorized_keys 0600 ${cfg.user} ${cfg.group} -"
|
2021-02-23 17:51:48 +00:00
|
|
|
"d ${cfg.backup.path} 0750 ${cfg.user} ${cfg.group} -"
|
2019-07-15 23:19:07 +00:00
|
|
|
"d ${cfg.statePath} 0750 ${cfg.user} ${cfg.group} -"
|
2018-11-02 20:22:51 +00:00
|
|
|
"d ${cfg.statePath}/builds 0750 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${cfg.statePath}/config 0750 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${cfg.statePath}/db 0750 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${cfg.statePath}/log 0750 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${cfg.statePath}/repositories 2770 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${cfg.statePath}/shell 0750 ${cfg.user} ${cfg.group} -"
|
2019-07-15 23:19:07 +00:00
|
|
|
"d ${cfg.statePath}/tmp 0750 ${cfg.user} ${cfg.group} -"
|
2018-11-02 20:22:51 +00:00
|
|
|
"d ${cfg.statePath}/tmp/pids 0750 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${cfg.statePath}/tmp/sockets 0750 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${cfg.statePath}/uploads 0700 ${cfg.user} ${cfg.group} -"
|
2019-07-15 23:19:07 +00:00
|
|
|
"d ${cfg.statePath}/custom_hooks 0700 ${cfg.user} ${cfg.group} -"
|
2018-11-02 20:22:51 +00:00
|
|
|
"d ${cfg.statePath}/custom_hooks/pre-receive.d 0700 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${cfg.statePath}/custom_hooks/post-receive.d 0700 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${cfg.statePath}/custom_hooks/update.d 0700 ${cfg.user} ${cfg.group} -"
|
2019-07-15 23:19:07 +00:00
|
|
|
"d ${gitlabConfig.production.shared.path} 0750 ${cfg.user} ${cfg.group} -"
|
2018-11-02 20:22:51 +00:00
|
|
|
"d ${gitlabConfig.production.shared.path}/artifacts 0750 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${gitlabConfig.production.shared.path}/lfs-objects 0750 ${cfg.user} ${cfg.group} -"
|
|
|
|
|
"d ${gitlabConfig.production.shared.path}/pages 0750 ${cfg.user} ${cfg.group} -"
|
2019-07-15 23:19:07 +00:00
|
|
|
"L+ /run/gitlab/config - - - - ${cfg.statePath}/config"
|
|
|
|
|
"L+ /run/gitlab/log - - - - ${cfg.statePath}/log"
|
|
|
|
|
"L+ /run/gitlab/tmp - - - - ${cfg.statePath}/tmp"
|
|
|
|
|
"L+ /run/gitlab/uploads - - - - ${cfg.statePath}/uploads"
|
|
|
|
|
|
|
|
|
|
"L+ /run/gitlab/shell-config.yml - - - - ${pkgs.writeText "config.yml" (builtins.toJSON gitlabShellConfig)}"
|
2019-07-31 16:09:27 +00:00
|
|
|
];
|
2018-11-02 20:22:51 +00:00
|
|
|
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
|
|
|
|
|
systemd.services.gitlab-config = {
|
2021-02-25 10:33:06 +00:00
|
|
|
wantedBy = [ "gitlab.target" ];
|
|
|
|
|
partOf = [ "gitlab.target" ];
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
path = with pkgs; [
|
|
|
|
|
jq
|
|
|
|
|
openssl
|
2021-05-04 14:10:23 +00:00
|
|
|
replace-secret
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
git
|
|
|
|
|
];
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "oneshot";
|
|
|
|
|
User = cfg.user;
|
|
|
|
|
Group = cfg.group;
|
|
|
|
|
TimeoutSec = "infinity";
|
|
|
|
|
Restart = "on-failure";
|
|
|
|
|
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
|
|
|
|
|
RemainAfterExit = true;
|
|
|
|
|
|
|
|
|
|
ExecStartPre = let
|
|
|
|
|
preStartFullPrivileges = ''
|
|
|
|
|
shopt -s dotglob nullglob
|
|
|
|
|
set -eu
|
|
|
|
|
|
|
|
|
|
chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/*
|
|
|
|
|
if [[ -n "$(ls -A '${cfg.statePath}'/config/)" ]]; then
|
|
|
|
|
chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/config/*
|
|
|
|
|
fi
|
|
|
|
|
'';
|
|
|
|
|
in "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}";
|
|
|
|
|
|
|
|
|
|
ExecStart = pkgs.writeShellScript "gitlab-config" ''
|
|
|
|
|
set -eu
|
|
|
|
|
|
|
|
|
|
umask u=rwx,g=rx,o=
|
|
|
|
|
|
|
|
|
|
cp -f ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION
|
|
|
|
|
rm -rf ${cfg.statePath}/db/*
|
|
|
|
|
rm -f ${cfg.statePath}/lib
|
|
|
|
|
find '${cfg.statePath}/config/' -maxdepth 1 -mindepth 1 -type d -execdir rm -rf {} \;
|
|
|
|
|
cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config
|
|
|
|
|
cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db
|
|
|
|
|
ln -sf ${extraGitlabRb} ${cfg.statePath}/config/initializers/extra-gitlab.rb
|
|
|
|
|
|
|
|
|
|
${cfg.packages.gitlab-shell}/bin/install
|
|
|
|
|
|
|
|
|
|
${optionalString cfg.smtp.enable ''
|
|
|
|
|
install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb
|
|
|
|
|
${optionalString (cfg.smtp.passwordFile != null) ''
|
2021-05-04 14:10:23 +00:00
|
|
|
replace-secret '@smtpPassword@' '${cfg.smtp.passwordFile}' '${cfg.statePath}/config/initializers/smtp_settings.rb'
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
''}
|
|
|
|
|
''}
|
|
|
|
|
|
|
|
|
|
(
|
|
|
|
|
umask u=rwx,g=,o=
|
|
|
|
|
|
|
|
|
|
openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret
|
|
|
|
|
|
|
|
|
|
rm -f '${cfg.statePath}/config/database.yml'
|
|
|
|
|
|
|
|
|
|
${if cfg.databasePasswordFile != null then ''
|
|
|
|
|
export db_password="$(<'${cfg.databasePasswordFile}')"
|
|
|
|
|
|
|
|
|
|
if [[ -z "$db_password" ]]; then
|
|
|
|
|
>&2 echo "Database password was an empty string!"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \
|
|
|
|
|
'.production.password = $ENV.db_password' \
|
|
|
|
|
>'${cfg.statePath}/config/database.yml'
|
|
|
|
|
''
|
|
|
|
|
else ''
|
|
|
|
|
jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \
|
|
|
|
|
>'${cfg.statePath}/config/database.yml'
|
|
|
|
|
''
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
${utils.genJqSecretsReplacementSnippet
|
|
|
|
|
gitlabConfig
|
|
|
|
|
"${cfg.statePath}/config/gitlab.yml"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rm -f '${cfg.statePath}/config/secrets.yml'
|
|
|
|
|
|
|
|
|
|
export secret="$(<'${cfg.secrets.secretFile}')"
|
|
|
|
|
export db="$(<'${cfg.secrets.dbFile}')"
|
|
|
|
|
export otp="$(<'${cfg.secrets.otpFile}')"
|
|
|
|
|
export jws="$(<'${cfg.secrets.jwsFile}')"
|
|
|
|
|
jq -n '{production: {secret_key_base: $ENV.secret,
|
|
|
|
|
otp_key_base: $ENV.otp,
|
|
|
|
|
db_key_base: $ENV.db,
|
|
|
|
|
openid_connect_signing_key: $ENV.jws}}' \
|
|
|
|
|
> '${cfg.statePath}/config/secrets.yml'
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# We remove potentially broken links to old gitlab-shell versions
|
|
|
|
|
rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks
|
|
|
|
|
|
|
|
|
|
git config --global core.autocrlf "input"
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
systemd.services.gitlab-db-config = {
|
|
|
|
|
after = [ "gitlab-config.service" "gitlab-postgresql.service" "postgresql.service" ];
|
|
|
|
|
bindsTo = [
|
|
|
|
|
"gitlab-config.service"
|
|
|
|
|
] ++ optional (cfg.databaseHost == "") "postgresql.service"
|
|
|
|
|
++ optional databaseActuallyCreateLocally "gitlab-postgresql.service";
|
2021-02-25 10:33:06 +00:00
|
|
|
wantedBy = [ "gitlab.target" ];
|
|
|
|
|
partOf = [ "gitlab.target" ];
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "oneshot";
|
|
|
|
|
User = cfg.user;
|
|
|
|
|
Group = cfg.group;
|
|
|
|
|
TimeoutSec = "infinity";
|
|
|
|
|
Restart = "on-failure";
|
|
|
|
|
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
|
|
|
|
|
RemainAfterExit = true;
|
|
|
|
|
|
|
|
|
|
ExecStart = pkgs.writeShellScript "gitlab-db-config" ''
|
|
|
|
|
set -eu
|
|
|
|
|
umask u=rwx,g=rx,o=
|
|
|
|
|
|
|
|
|
|
initial_root_password="$(<'${cfg.initialRootPasswordFile}')"
|
|
|
|
|
${gitlab-rake}/bin/gitlab-rake gitlab:db:configure GITLAB_ROOT_PASSWORD="$initial_root_password" \
|
|
|
|
|
GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}' > /dev/null
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2014-10-25 16:22:49 +00:00
|
|
|
systemd.services.gitlab-sidekiq = {
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
after = [
|
|
|
|
|
"network.target"
|
|
|
|
|
"redis.service"
|
|
|
|
|
"postgresql.service"
|
|
|
|
|
"gitlab-config.service"
|
|
|
|
|
"gitlab-db-config.service"
|
|
|
|
|
];
|
|
|
|
|
bindsTo = [
|
|
|
|
|
"redis.service"
|
|
|
|
|
"gitlab-config.service"
|
|
|
|
|
"gitlab-db-config.service"
|
|
|
|
|
] ++ optional (cfg.databaseHost == "") "postgresql.service";
|
2021-02-25 10:33:06 +00:00
|
|
|
wantedBy = [ "gitlab.target" ];
|
|
|
|
|
partOf = [ "gitlab.target" ];
|
2021-04-08 17:01:22 +00:00
|
|
|
environment = gitlabEnv // (optionalAttrs cfg.sidekiq.memoryKiller.enable {
|
|
|
|
|
SIDEKIQ_MEMORY_KILLER_MAX_RSS = cfg.sidekiq.memoryKiller.maxMemory;
|
|
|
|
|
SIDEKIQ_MEMORY_KILLER_GRACE_TIME = cfg.sidekiq.memoryKiller.graceTime;
|
|
|
|
|
SIDEKIQ_MEMORY_KILLER_SHUTDOWN_WAIT = cfg.sidekiq.memoryKiller.shutdownWait;
|
|
|
|
|
});
|
2014-10-25 16:22:49 +00:00
|
|
|
path = with pkgs; [
|
2019-09-24 06:58:32 +00:00
|
|
|
postgresqlPackage
|
gitAndTools: move everything to the top level
The comment at the top of git-and-tools/default.nix said:
/* All git-relates tools live here, in a separate attribute set so that users
* can get a fast overview over what's available.
but unfortunately that hasn't actually held up in practice.
Git-related packages have continued to be added to the top level, or
into gitAndTools, or sometimes both, basically at random, so having
gitAndTools is just confusing. In fact, until I looked as part of
working on getting rid of gitAndTools, one program (ydiff) was
packaged twice independently, once in gitAndTools and once at the top
level (I fixed this in 98c34901969).
So I think it's for the best if we move away from gitAndTools, and
just put all the packages it previously contained at the top level.
I've implemented this here by just making gitAndTools an alias for the
top level -- this saves having loads of lines in aliases.nix. This
means that people can keep referring to gitAndTools in their
configuration, but it won't be allowed to be used within Nixpkgs, and
it won't be presented to new users by e.g. nix search.
The only other change here that I'm aware of is that
appendToName "minimal" is not longer called on the default git
package, because doing that would have necessitated having a private
gitBase variable like before. I think it makes more sense not to do
that anyway, and reserve the "minimal" suffix only for gitMinimal.
2021-01-14 17:49:32 +00:00
|
|
|
git
|
2014-10-25 16:22:49 +00:00
|
|
|
ruby
|
|
|
|
|
openssh
|
2014-12-14 01:24:12 +00:00
|
|
|
nodejs
|
2017-09-03 13:38:28 +00:00
|
|
|
gnupg
|
2019-09-16 14:22:18 +00:00
|
|
|
|
|
|
|
|
# Needed for GitLab project imports
|
|
|
|
|
gnutar
|
|
|
|
|
gzip
|
2021-04-08 17:01:22 +00:00
|
|
|
|
|
|
|
|
procps # Sidekiq MemoryKiller
|
2014-10-25 16:22:49 +00:00
|
|
|
];
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "simple";
|
2016-01-30 13:47:04 +00:00
|
|
|
User = cfg.user;
|
|
|
|
|
Group = cfg.group;
|
2018-04-25 17:58:05 +00:00
|
|
|
TimeoutSec = "infinity";
|
2021-04-08 17:01:22 +00:00
|
|
|
Restart = "always";
|
2016-02-26 07:55:25 +00:00
|
|
|
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
|
2020-07-18 14:00:04 +00:00
|
|
|
ExecStart="${cfg.packages.gitlab.rubyEnv}/bin/sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production";
|
2017-07-05 21:53:31 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
systemd.services.gitaly = {
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
after = [ "network.target" "gitlab-config.service" ];
|
|
|
|
|
bindsTo = [ "gitlab-config.service" ];
|
2021-02-25 10:33:06 +00:00
|
|
|
wantedBy = [ "gitlab.target" ];
|
|
|
|
|
partOf = [ "gitlab.target" ];
|
2019-01-30 19:29:32 +00:00
|
|
|
path = with pkgs; [
|
|
|
|
|
openssh
|
2019-03-28 14:46:22 +00:00
|
|
|
procps # See https://gitlab.com/gitlab-org/gitaly/issues/1562
|
gitAndTools: move everything to the top level
The comment at the top of git-and-tools/default.nix said:
/* All git-relates tools live here, in a separate attribute set so that users
* can get a fast overview over what's available.
but unfortunately that hasn't actually held up in practice.
Git-related packages have continued to be added to the top level, or
into gitAndTools, or sometimes both, basically at random, so having
gitAndTools is just confusing. In fact, until I looked as part of
working on getting rid of gitAndTools, one program (ydiff) was
packaged twice independently, once in gitAndTools and once at the top
level (I fixed this in 98c34901969).
So I think it's for the best if we move away from gitAndTools, and
just put all the packages it previously contained at the top level.
I've implemented this here by just making gitAndTools an alias for the
top level -- this saves having loads of lines in aliases.nix. This
means that people can keep referring to gitAndTools in their
configuration, but it won't be allowed to be used within Nixpkgs, and
it won't be presented to new users by e.g. nix search.
The only other change here that I'm aware of is that
appendToName "minimal" is not longer called on the default git
package, because doing that would have necessitated having a private
gitBase variable like before. I think it makes more sense not to do
that anyway, and reserve the "minimal" suffix only for gitMinimal.
2021-01-14 17:49:32 +00:00
|
|
|
git
|
2019-01-30 19:29:32 +00:00
|
|
|
cfg.packages.gitaly.rubyEnv
|
|
|
|
|
cfg.packages.gitaly.rubyEnv.wrappedRuby
|
2019-03-10 22:04:27 +00:00
|
|
|
gzip
|
|
|
|
|
bzip2
|
2019-01-30 19:29:32 +00:00
|
|
|
];
|
2017-07-05 21:53:31 +00:00
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "simple";
|
|
|
|
|
User = cfg.user;
|
|
|
|
|
Group = cfg.group;
|
2018-03-19 20:52:36 +00:00
|
|
|
TimeoutSec = "infinity";
|
2017-07-05 21:53:31 +00:00
|
|
|
Restart = "on-failure";
|
|
|
|
|
WorkingDirectory = gitlabEnv.HOME;
|
|
|
|
|
ExecStart = "${cfg.packages.gitaly}/bin/gitaly ${gitalyToml}";
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2020-07-18 15:46:13 +00:00
|
|
|
systemd.services.gitlab-pages = mkIf (gitlabConfig.production.pages.enabled or false) {
|
|
|
|
|
description = "GitLab static pages daemon";
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
after = [ "network.target" "gitlab-config.service" ];
|
|
|
|
|
bindsTo = [ "gitlab-config.service" ];
|
2021-02-25 10:33:06 +00:00
|
|
|
wantedBy = [ "gitlab.target" ];
|
|
|
|
|
partOf = [ "gitlab.target" ];
|
2020-07-18 15:46:13 +00:00
|
|
|
|
|
|
|
|
path = [ pkgs.unzip ];
|
|
|
|
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "simple";
|
|
|
|
|
TimeoutSec = "infinity";
|
|
|
|
|
Restart = "on-failure";
|
|
|
|
|
|
|
|
|
|
User = cfg.user;
|
|
|
|
|
Group = cfg.group;
|
|
|
|
|
|
|
|
|
|
ExecStart = "${cfg.packages.pages}/bin/gitlab-pages ${escapeShellArgs pagesArgs}";
|
|
|
|
|
WorkingDirectory = gitlabEnv.HOME;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2016-01-30 13:47:04 +00:00
|
|
|
systemd.services.gitlab-workhorse = {
|
2018-07-30 19:49:18 +00:00
|
|
|
after = [ "network.target" ];
|
2021-02-25 10:33:06 +00:00
|
|
|
wantedBy = [ "gitlab.target" ];
|
|
|
|
|
partOf = [ "gitlab.target" ];
|
2015-10-21 17:48:56 +00:00
|
|
|
path = with pkgs; [
|
2019-07-19 12:16:15 +00:00
|
|
|
exiftool
|
gitAndTools: move everything to the top level
The comment at the top of git-and-tools/default.nix said:
/* All git-relates tools live here, in a separate attribute set so that users
* can get a fast overview over what's available.
but unfortunately that hasn't actually held up in practice.
Git-related packages have continued to be added to the top level, or
into gitAndTools, or sometimes both, basically at random, so having
gitAndTools is just confusing. In fact, until I looked as part of
working on getting rid of gitAndTools, one program (ydiff) was
packaged twice independently, once in gitAndTools and once at the top
level (I fixed this in 98c34901969).
So I think it's for the best if we move away from gitAndTools, and
just put all the packages it previously contained at the top level.
I've implemented this here by just making gitAndTools an alias for the
top level -- this saves having loads of lines in aliases.nix. This
means that people can keep referring to gitAndTools in their
configuration, but it won't be allowed to be used within Nixpkgs, and
it won't be presented to new users by e.g. nix search.
The only other change here that I'm aware of is that
appendToName "minimal" is not longer called on the default git
package, because doing that would have necessitated having a private
gitBase variable like before. I think it makes more sense not to do
that anyway, and reserve the "minimal" suffix only for gitMinimal.
2021-01-14 17:49:32 +00:00
|
|
|
git
|
2017-07-19 19:34:17 +00:00
|
|
|
gnutar
|
|
|
|
|
gzip
|
2015-10-21 17:48:56 +00:00
|
|
|
openssh
|
2017-05-12 06:52:33 +00:00
|
|
|
gitlab-workhorse
|
2015-10-21 17:48:56 +00:00
|
|
|
];
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "simple";
|
2016-01-30 13:47:04 +00:00
|
|
|
User = cfg.user;
|
|
|
|
|
Group = cfg.group;
|
2018-04-25 17:58:05 +00:00
|
|
|
TimeoutSec = "infinity";
|
2016-08-12 17:17:43 +00:00
|
|
|
Restart = "on-failure";
|
2016-09-27 13:49:21 +00:00
|
|
|
WorkingDirectory = gitlabEnv.HOME;
|
2016-01-30 13:47:04 +00:00
|
|
|
ExecStart =
|
2021-08-26 15:45:01 +00:00
|
|
|
"${cfg.packages.gitlab-workhorse}/bin/workhorse "
|
2016-01-30 13:47:04 +00:00
|
|
|
+ "-listenUmask 0 "
|
|
|
|
|
+ "-listenNetwork unix "
|
|
|
|
|
+ "-listenAddr /run/gitlab/gitlab-workhorse.socket "
|
2016-02-26 06:06:07 +00:00
|
|
|
+ "-authSocket ${gitlabSocket} "
|
2016-09-27 13:49:21 +00:00
|
|
|
+ "-documentRoot ${cfg.packages.gitlab}/share/gitlab/public "
|
2017-09-03 13:38:28 +00:00
|
|
|
+ "-secretPath ${cfg.statePath}/.gitlab_workhorse_secret";
|
2015-10-21 17:48:56 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2020-07-18 14:35:37 +00:00
|
|
|
systemd.services.gitlab-mailroom = mkIf (gitlabConfig.production.incoming_email.enabled or false) {
|
|
|
|
|
description = "GitLab incoming mail daemon";
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
after = [ "network.target" "redis.service" "gitlab-config.service" ];
|
|
|
|
|
bindsTo = [ "gitlab-config.service" ];
|
2021-02-25 10:33:06 +00:00
|
|
|
wantedBy = [ "gitlab.target" ];
|
|
|
|
|
partOf = [ "gitlab.target" ];
|
2020-07-18 14:35:37 +00:00
|
|
|
environment = gitlabEnv;
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "simple";
|
|
|
|
|
TimeoutSec = "infinity";
|
|
|
|
|
Restart = "on-failure";
|
|
|
|
|
|
|
|
|
|
User = cfg.user;
|
|
|
|
|
Group = cfg.group;
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/bundle exec mail_room -c ${cfg.statePath}/config/mail_room.yml";
|
2020-07-18 14:35:37 +00:00
|
|
|
WorkingDirectory = gitlabEnv.HOME;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2014-10-25 16:22:49 +00:00
|
|
|
systemd.services.gitlab = {
|
nixos/gitlab: Make gitlab.service's PreStart into two new services
Make the config initialization script run in gitlab.service's PreStart
section into two new services, `gitlab-config.service` and
`gitlab-db-config.service`. Other services can then depend on the
config scripts they need instead of unnecessarily depending on
`gitlab.service`. This makes the reason for the configured service
dependencies much clearer and should also reduce the restart time of
the `gitlab` service quite a lot, when triggered manually.
Also, set up stricter service dependencies, using `bindsTo`, to ensure
that if a service fails or is stopped, its dependants are also
stopped. For example, if we're using the `postgresql` service and it's
stopped, `gitlab.service` and `gitlab-sidekiq.service`, which depend on
it to function, should also be stopped.
2021-02-18 16:47:07 +00:00
|
|
|
after = [
|
|
|
|
|
"gitlab-workhorse.service"
|
|
|
|
|
"network.target"
|
|
|
|
|
"redis.service"
|
|
|
|
|
"gitlab-config.service"
|
|
|
|
|
"gitlab-db-config.service"
|
|
|
|
|
];
|
|
|
|
|
bindsTo = [
|
|
|
|
|
"redis.service"
|
|
|
|
|
"gitlab-config.service"
|
|
|
|
|
"gitlab-db-config.service"
|
|
|
|
|
] ++ optional (cfg.databaseHost == "") "postgresql.service";
|
2021-02-25 10:33:06 +00:00
|
|
|
wantedBy = [ "gitlab.target" ];
|
|
|
|
|
partOf = [ "gitlab.target" ];
|
2016-01-30 13:47:04 +00:00
|
|
|
environment = gitlabEnv;
|
2014-10-25 16:22:49 +00:00
|
|
|
path = with pkgs; [
|
2019-09-24 06:58:32 +00:00
|
|
|
postgresqlPackage
|
gitAndTools: move everything to the top level
The comment at the top of git-and-tools/default.nix said:
/* All git-relates tools live here, in a separate attribute set so that users
* can get a fast overview over what's available.
but unfortunately that hasn't actually held up in practice.
Git-related packages have continued to be added to the top level, or
into gitAndTools, or sometimes both, basically at random, so having
gitAndTools is just confusing. In fact, until I looked as part of
working on getting rid of gitAndTools, one program (ydiff) was
packaged twice independently, once in gitAndTools and once at the top
level (I fixed this in 98c34901969).
So I think it's for the best if we move away from gitAndTools, and
just put all the packages it previously contained at the top level.
I've implemented this here by just making gitAndTools an alias for the
top level -- this saves having loads of lines in aliases.nix. This
means that people can keep referring to gitAndTools in their
configuration, but it won't be allowed to be used within Nixpkgs, and
it won't be presented to new users by e.g. nix search.
The only other change here that I'm aware of is that
appendToName "minimal" is not longer called on the default git
package, because doing that would have necessitated having a private
gitBase variable like before. I think it makes more sense not to do
that anyway, and reserve the "minimal" suffix only for gitMinimal.
2021-01-14 17:49:32 +00:00
|
|
|
git
|
2014-10-25 16:22:49 +00:00
|
|
|
openssh
|
2014-12-14 01:24:12 +00:00
|
|
|
nodejs
|
2017-07-05 21:53:31 +00:00
|
|
|
procps
|
2017-09-21 18:23:16 +00:00
|
|
|
gnupg
|
2014-10-25 16:22:49 +00:00
|
|
|
];
|
2019-09-13 23:38:54 +00:00
|
|
|
serviceConfig = {
|
2021-08-27 14:58:06 +00:00
|
|
|
Type = "notify";
|
2019-09-13 23:38:54 +00:00
|
|
|
User = cfg.user;
|
|
|
|
|
Group = cfg.group;
|
|
|
|
|
TimeoutSec = "infinity";
|
|
|
|
|
Restart = "on-failure";
|
|
|
|
|
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
|
2021-04-01 17:47:27 +00:00
|
|
|
ExecStart = concatStringsSep " " [
|
|
|
|
|
"${cfg.packages.gitlab.rubyEnv}/bin/puma"
|
|
|
|
|
"-e production"
|
|
|
|
|
"-C ${cfg.statePath}/config/puma.rb"
|
|
|
|
|
"-w ${cfg.puma.workers}"
|
|
|
|
|
"-t ${cfg.puma.threadsMin}:${cfg.puma.threadsMax}"
|
|
|
|
|
];
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
2021-02-23 17:51:48 +00:00
|
|
|
systemd.services.gitlab-backup = {
|
|
|
|
|
after = [ "gitlab.service" ];
|
|
|
|
|
bindsTo = [ "gitlab.service" ];
|
|
|
|
|
startAt = cfg.backup.startAt;
|
|
|
|
|
environment = {
|
|
|
|
|
RAILS_ENV = "production";
|
|
|
|
|
CRON = "1";
|
|
|
|
|
} // optionalAttrs (stringLength cfg.backup.skip > 0) {
|
|
|
|
|
SKIP = cfg.backup.skip;
|
|
|
|
|
};
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
User = cfg.user;
|
|
|
|
|
Group = cfg.group;
|
|
|
|
|
ExecStart = "${gitlab-rake}/bin/gitlab-rake gitlab:backup:create";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2014-10-25 16:22:49 +00:00
|
|
|
};
|
2016-05-09 05:53:27 +00:00
|
|
|
|
|
|
|
|
meta.doc = ./gitlab.xml;
|
|
|
|
|
|
2014-10-25 16:22:49 +00:00
|
|
|
}
|
