b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #113201 from talyz/gitlab-db-key-base-patch

Browse source 
gitlab: Add patch for db_key_base length bug, fix descriptions
This commit is contained in:
Kim Lindberger 2021-04-27 19:25:43 +02:00 committed by GitHub
parent 8e1f3bcfa5 1215bd4ea9
commit e50164a7ce
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
nixos/modules/services/misc/gitlab.nix
View file

@ -588,7 +588,7 @@ in {
the DB. If you change or lose this key you will be unable to
access variables stored in database.
Make sure the secret is at least 30 characters and all random,
Make sure the secret is at least 32 characters and all random,
no regular words or you'll be exposed to dictionary attacks.
This should be a string, not a nix path, since nix paths are
@ -604,7 +604,7 @@ in {
the DB. If you change or lose this key you will be unable to
access variables stored in database.
Make sure the secret is at least 30 characters and all random,
Make sure the secret is at least 32 characters and all random,
no regular words or you'll be exposed to dictionary attacks.
This should be a string, not a nix path, since nix paths are
@ -620,7 +620,7 @@ in {
tokens. If you change or lose this key, users which have 2FA
enabled for login won't be able to login anymore.
Make sure the secret is at least 30 characters and all random,
Make sure the secret is at least 32 characters and all random,
no regular words or you'll be exposed to dictionary attacks.
This should be a string, not a nix path, since nix paths are

6
nixos/tests/gitlab.nix
View file

@ -57,9 +57,9 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; {
};
};
secrets = {
secretFile = pkgs.writeText "secret" "r8X9keSKynU7p4aKlh4GO1Bo77g5a7vj";
otpFile = pkgs.writeText "otpsecret" "Zu5hGx3YvQx40DvI8WoZJQpX2paSDOlG";
dbFile = pkgs.writeText "dbsecret" "lsGltKWTejOf6JxCVa7nLDenzkO9wPLR";
secretFile = pkgs.writeText "secret" "Aig5zaic";
otpFile = pkgs.writeText "otpsecret" "Riew9mue";
dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
};
};

11
pkgs/applications/version-management/gitlab/default.nix
View file

@ -1,4 +1,4 @@
{ stdenv, lib, fetchurl, fetchFromGitLab, bundlerEnv
{ stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
, ruby, tzdata, git, nettools, nixosTests, nodejs, openssl
, gitlabEnterprise ? false, callPackage, yarn
, fixup_yarn_lock, replace, file
@ -125,6 +125,15 @@ stdenv.mkDerivation {
patches = [
# Change hardcoded paths to the NixOS equivalent
./remove-hardcoded-locations.patch
# Use the exactly 32 byte long version of db_key_base with
# aes-256-gcm, see
# https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
(fetchpatch {
name = "secrets_db_key_base_length.patch";
url = "https://gitlab.com/gitlab-org/gitlab/-/commit/dea620633d446ca0f53a75674454ff0dd4bd8f99.patch";
sha256 = "19m4z4np3sai9kqqqgabl44xv7p8lkcyqr6s5471axfxmf9m2023";
})
];
postPatch = ''