gitlab: Add patch for db_key_base length bug, fix descriptions

The upstream recommended minimum length for db_key_base is 30 bytes,
which our option descriptions repeated. Recently, however, upstream
has, in many places, moved to using aes-256-gcm, which requires a key
of exactly 32 bytes. To allow for shorter keys, the upstream code pads
the key in some places. However, in many others, it just truncates the
key if it's too long, leaving it too short if it was to begin
with. This adds a patch that fixes this and updates the descriptions
to recommend a key of at least 32 characters.

See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
talyz 2021-02-10 18:42:07 +01:00
parent ba6f0e8f03
commit 7a67a2d1a8
No known key found for this signature in database
GPG key ID: 2DED2151F4671A2B
2 changed files with 13 additions and 4 deletions
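The commit message describes the failure mode that motivated the patch: aes-256-gcm takes a key of exactly 32 bytes, and code paths that truncate `db_key_base` to 32 bytes leave a 30-byte secret (the old recommended minimum) unusable. The Ruby snippet below is an added example, not GitLab's own code: the `truncated_key` and `padded_key` helpers are hypothetical stand-ins for the two upstream strategies the message mentions, the sample secrets are constructed, and `db_key_base_issues` is the kind of length check an operator can run against a configured value before an upgrade.

```ruby
require 'openssl'

# aes-256-gcm takes exactly this many key bytes.
AES_256_GCM_KEY_BYTES = 32

# Constructed sample secrets (not real GitLab secrets): a 30-byte one that
# follows the old "at least 30 characters" advice, and a 40-byte one.
SHORT_DB_KEY_BASE = 'u' * 30
LONG_DB_KEY_BASE  = 'v' * 40

# Hypothetical stand-ins for the two upstream strategies the commit message
# describes: plain truncation, and padding followed by truncation.
def truncated_key(db_key_base)
  db_key_base.b[0, AES_256_GCM_KEY_BYTES]
end

def padded_key(db_key_base)
  db_key_base.b.ljust(AES_256_GCM_KEY_BYTES, "\0")[0, AES_256_GCM_KEY_BYTES]
end

# Does OpenSSL accept this key for aes-256-gcm? Cipher#key= raises
# ArgumentError when the key has the wrong length.
def usable_with_aes_256_gcm?(key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  true
rescue ArgumentError
  false
end

# Encrypt and decrypt a plaintext with aes-256-gcm; returns the recovered
# plaintext, or nil if the key was rejected.
def gcm_roundtrip(key, plaintext)
  enc = OpenSSL::Cipher.new('aes-256-gcm')
  enc.encrypt
  enc.key = key
  iv = enc.random_iv
  enc.auth_data = ''
  ciphertext = enc.update(plaintext) + enc.final
  tag = enc.auth_tag

  dec = OpenSSL::Cipher.new('aes-256-gcm')
  dec.decrypt
  dec.key = key
  dec.iv = iv
  dec.auth_tag = tag
  dec.auth_data = ''
  dec.update(ciphertext) + dec.final
rescue ArgumentError
  nil
end

# Operator-side check of a configured secret: counts bytes, not characters,
# because that is what the cipher sees. Returns a list of problems.
def db_key_base_issues(db_key_base)
  issues = []
  bytes = db_key_base.bytesize
  if bytes < AES_256_GCM_KEY_BYTES
    issues << "only #{bytes} bytes; aes-256-gcm needs #{AES_256_GCM_KEY_BYTES}"
  end
  if bytes != db_key_base.length
    issues << 'contains multibyte characters; count bytes, not characters'
  end
  issues
end

if __FILE__ == $PROGRAM_NAME
  puts "30-byte secret, truncated: usable=#{usable_with_aes_256_gcm?(truncated_key(SHORT_DB_KEY_BASE))}"
  puts "30-byte secret, padded:    usable=#{usable_with_aes_256_gcm?(padded_key(SHORT_DB_KEY_BASE))}"
  puts "40-byte secret, truncated: usable=#{usable_with_aes_256_gcm?(truncated_key(LONG_DB_KEY_BASE))}"
  puts "issues for 30-byte secret: #{db_key_base_issues(SHORT_DB_KEY_BASE).inspect}"
end
```

Run with `ruby db_key_base_check.rb` (any file name). The padded and truncated variants of a 40-byte secret produce the same 32-byte key, which is why a secret of at least 32 bytes works on every code path, while a 30-byte secret only works where padding happens to be applied.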


@ -588,7 +588,7 @@ in {
the DB. If you change or lose this key you will be unable to
access variables stored in database.
Make sure the secret is at least 30 characters and all random,
Make sure the secret is at least 32 characters and all random,
no regular words or you'll be exposed to dictionary attacks.
This should be a string, not a nix path, since nix paths are
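Review bot: the new wording says "at least 32 characters", but the requirement stated in the commit message is 32 bytes; a secret containing multibyte characters meets the character count with a different byte length, and a 32-character secret of that kind would still be truncated to a different 32 bytes than the operator expects. Suggest "at least 32 bytes (ASCII characters)" here and in the two identical descriptions below.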
@ -604,7 +604,7 @@ in {
the DB. If you change or lose this key you will be unable to
access variables stored in database.
Make sure the secret is at least 30 characters and all random,
Make sure the secret is at least 32 characters and all random,
no regular words or you'll be exposed to dictionary attacks.
This should be a string, not a nix path, since nix paths are
@ -620,7 +620,7 @@ in {
tokens. If you change or lose this key, users which have 2FA
enabled for login won't be able to login anymore.
Make sure the secret is at least 30 characters and all random,
Make sure the secret is at least 32 characters and all random,
no regular words or you'll be exposed to dictionary attacks.
This should be a string, not a nix path, since nix paths are
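Review bot: this is the third copy of the same three-line length advice, each edited separately; a single shared description string for the secrets options would keep the minimum length in one place the next time upstream changes it. Style point in the unchanged context line: "users which have 2FA" should read "users who have 2FA".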


@ -1,4 +1,4 @@
{ stdenv, lib, fetchurl, fetchFromGitLab, bundlerEnv
{ stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
, ruby, tzdata, git, nettools, nixosTests, nodejs, openssl
, gitlabEnterprise ? false, callPackage, yarn
, fixup_yarn_lock, replace, file
@ -125,6 +125,15 @@ stdenv.mkDerivation {
patches = [
# Change hardcoded paths to the NixOS equivalent
./remove-hardcoded-locations.patch
# Use the exactly 32 byte long version of db_key_base with
# aes-256-gcm, see
# https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
(fetchpatch {
name = "secrets_db_key_base_length.patch";
url = "https://gitlab.com/gitlab-org/gitlab/-/commit/dea620633d446ca0f53a75674454ff0dd4bd8f99.patch";
sha256 = "19m4z4np3sai9kqqqgabl44xv7p8lkcyqr6s5471axfxmf9m2023";
})
];
postPatch = ''
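Review bot: the comment should record which upstream release contains merge request 53602 so the patch can be dropped on that update; a fetchpatch against a single upstream commit stops applying once the package is bumped past it, and a line such as `# Included upstream since <version>` (the version is not given on this page, so it is a placeholder here) turns that into a planned removal instead of a surprise build failure. Minor: "exactly 32 byte long version" should read "exactly 32-byte-long version".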