nixos: Add gitlab and gitlab-shell

I had to make several adjustments to make it work with nixos:

* Replace relative config file lookups with ENV variable.
* Modify gitlab-shell to not clear then environment when running
  pre-receive.
* Modify gitlab-shell to write some environment variables into
  the .authorized_keys file to make sure gitlab-shell reads the
  correct config file.
* Log unicorn output to syslog.
  I tried various ways of adding a syslog package but the bundler would
  not pick them up. Please fix in a better way if possible.
* Gitlab-runner program wrapper.
  This is useful to run e.g. backups etc. with the correct
  environment set up.

1 files changed, 59 insertions, 0 deletions

diff --git a/pkgs/applications/version-management/gitlab-shell/default.nix b/pkgs/applications/version-management/gitlab-shell/default.nix
new file mode 100644
index 000000000000..3d4ae689f6b6
--- /dev/null
+++ b/pkgs/applications/version-management/gitlab-shell/default.nix
@@ -0,0 +1,59 @@
+{ stdenv, ruby, rubyLibs, fetchgit }:
+
+stdenv.mkDerivation rec {
+  version = "2.1.0";
+  name = "gitlab-shell-${version}";
+  
+  srcs = fetchgit {
+    url = "https://gitlab.com/gitlab-org/gitlab-shell.git";
+    rev = "823aba63e444afa2f45477819770fec3cb5f0159";
+    sha256 = "0ppf547xs9pvmk49v4h043d0j93k5n4q0yx3b9ssrc4qf2smflgq";
+  };
+
+  buildInputs = [
+    ruby rubyLibs.bundler
+  ];
+
+  installPhase = ''
+    mkdir -p $out/
+    cp -R . $out/
+
+    # Nothing to install ATM for non-development but keeping the
+    # install command anyway in case that changes in the future:
+    export HOME=$(pwd)
+    bundle install -j4 --verbose --local --deployment --without development test
+  '';
+  
+  # gitlab-shell will try to read its config relative to the source
+  # code by default which doesn't work in nixos because it's a
+  # read-only filesystem
+  postPatch = ''
+    substituteInPlace lib/gitlab_config.rb --replace\
+       "File.join(ROOT_PATH, 'config.yml')"\
+       "ENV['GITLAB_SHELL_CONFIG_PATH']"
+    substituteInPlace lib/gitlab_net.rb --replace\
+       "File.read File.join(ROOT_PATH, '.gitlab_shell_secret')"\
+       "File.read ENV['GITLAB_SHELL_SECRET_PATH']"
+
+    # Note that we're running gitlab-shell from current-system/sw
+    # because otherwise updating gitlab-shell won't be reflected in
+    # the hardcoded path of the authorized-keys file:
+    substituteInPlace lib/gitlab_keys.rb --replace\
+        "auth_line = \"command=\\\"#{ROOT_PATH}/bin/gitlab-shell"\
+        "auth_line = \"command=\\\"GITLAB_SHELL_CONFIG_PATH=#{ENV['GITLAB_SHELL_CONFIG_PATH']} GITLAB_SHELL_SECRET_PATH=#{ENV['GITLAB_SHELL_SECRET_PATH']} /run/current-system/sw/bin/gitlab-shell"
+
+    # We're setting GITLAB_SHELL_CONFIG_PATH in the ssh authorized key
+    # environment because we need it in gitlab_configrb
+    # . unsetenv_others will remove that so we're not doing it for
+    # now.
+    #
+    # TODO: Are there any security implications? The commit adding
+    # unsetenv_others didn't mention anything...
+    # 
+    # Kernel::exec({'PATH' => ENV['PATH'], 'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'], 'GL_ID' => ENV['GL_ID']}, *args, unsetenv_others: true)
+    substituteInPlace lib/gitlab_shell.rb --replace\
+        " *args, unsetenv_others: true)"\
+        " *args)"
+  '';
+
+}