From 7a67a2d1a890eb1b3d98a4c98ce9283be2fe4e10 Mon Sep 17 00:00:00 2001
From: talyz
Date: Wed, 10 Feb 2021 18:42:07 +0100
Subject: [PATCH] gitlab: Add patch for db_key_base length bug, fix descriptions
The upstream recommended minimum length for db_key_base is 30 bytes, which our option descriptions repeated. Recently, however, upstream has, in many places, moved to using aes-256-gcm, which requires a key of exactly 32 bytes. To allow for shorter keys, the upstream code pads the key in some places. However, in many others, it just truncates the key if it's too long, leaving it too short if it was to begin with. This adds a patch that fixes this and updates the descriptions to recommend a key of at least 32 characters. See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
---
 nixos/modules/services/misc/gitlab.nix | 6 +++---
 .../version-management/gitlab/default.nix | 11 ++++++++++-
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index f86653f3ead..38a541485e5 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -588,7 +588,7 @@ in {
 the DB. If you change or lose this key you will be unable to access variables stored in database.
- Make sure the secret is at least 30 characters and all random,
+ Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are
@@ -604,7 +604,7 @@ in {
 the DB. If you change or lose this key you will be unable to access variables stored in database.
- Make sure the secret is at least 30 characters and all random,
+ Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are
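Review bot: The requirement is stated in characters in this description while the commit message gives it in bytes (aes-256-gcm needs exactly 32 bytes), and the identical sentence recurs in the hunks at -604 and -620; since the key is consumed as bytes, the description should name the unit it actually means, e.g. `Make sure the secret is at least 32 bytes (32 ASCII characters) and all random,`. The three descriptions repeat this sentence verbatim, so a single shared string in the module would keep them from drifting apart the next time the recommendation changes. The enclosing option definitions start and end outside the hunk.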
@@ -620,7 +620,7 @@ in {
 tokens. If you change or lose this key, users which have 2FA enabled for login won't be able to login anymore.
- Make sure the secret is at least 30 characters and all random,
+ Make sure the secret is at least 32 characters and all random,
 no regular words or you'll be exposed to dictionary attacks. This should be a string, not a nix path, since nix paths are
diff --git a/pkgs/applications/version-management/gitlab/default.nix b/pkgs/applications/version-management/gitlab/default.nix
index 5d2b923628b..89a2ac6ec95 100644
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, fetchFromGitLab, bundlerEnv
+{ stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
 , ruby, tzdata, git, nettools, nixosTests, nodejs, openssl
 , gitlabEnterprise ? false, callPackage, yarn
 , fixup_yarn_lock, replace, file
@@ -125,6 +125,15 @@ stdenv.mkDerivation {
 patches = [ # Change hardcoded paths to the NixOS equivalent ./remove-hardcoded-locations.patch
+
+ # Use the exactly 32 byte long version of db_key_base with
+ # aes-256-gcm, see
+ # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
+ (fetchpatch {
+ name = "secrets_db_key_base_length.patch";
+ url = "https://gitlab.com/gitlab-org/gitlab/-/commit/dea620633d446ca0f53a75674454ff0dd4bd8f99.patch";
+ sha256 = "19m4z4np3sai9kqqqgabl44xv7p8lkcyqr6s5471axfxmf9m2023";
+ })
 ]; postPatch = ''
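Review bot: The comment above the new fetchpatch entry says what the patch changes but not what happens to deployments whose db_key_base is shorter than 32 bytes, which the previous descriptions explicitly allowed (30); the commit message says upstream padded the key in some code paths and truncated it in others, so data already encrypted under the padded key may or may not remain readable once the key handling is unified. If the upstream MR settles that, record it next to the patch, e.g. `# Existing secrets shorter than 32 bytes: <PLACEHOLDER: state whether previously encrypted data stays readable>`; if it does not, a release note telling existing installations to keep their current key rather than regenerate it is the safer default. Pinning the upstream commit by sha256 is good; because it is fetched from an upstream commit rather than the packaged release tag, a context mismatch would surface as a patch failure at build time rather than silently, which is acceptable but worth remembering on the next version bump. The patches list and the mkDerivation call continue outside the hunk.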