From 7e325c2251cd9d21f5d7010add19c14f6b7badae Mon Sep 17 00:00:00 2001
From: talyz
Date: Fri, 20 Sep 2019 18:00:36 +0200
Subject: nixos/gitlab: Mention secret option transition in release notes

Document the breaking secret option transition from literal secrets to file-based ones.
---
 nixos/doc/manual/release-notes/rl-1909.xml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
(limited to 'nixos/doc')
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index 58ab7207f533..19062bbc9d80 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -484,6 +484,28 @@ (citrix_workspace).
+
+
+ The services.gitlab module has had its literal secret options (,
+ ,
+ ,
+ ,
+ ,
+ and
+ ) replaced by file-based versions (,
+ ,
+ ,
+ ,
+ ,
+ and
+ ). This was done so that secrets aren't stored
+ in the world-readable nix store, but means that for each option you'll have to create a file with
+ the same exact string, add "File" to the end of the option name, and change the definition to a
+ string pointing to the corresponding file; e.g. services.gitlab.databasePassword = "supersecurepassword"
+ becomes services.gitlab.databasePasswordFile = "/path/to/secret_file" where the
+ file secret_file contains the string supersecurepassword.
+
+
-- cgit 1.4.1
From dfc43f7d0a6c22417b4522f42d9c4e196fdbe7f7 Mon Sep 17 00:00:00 2001
From: talyz
Date: Fri, 20 Sep 2019 18:04:03 +0200
Subject: nixos/gitlab: Document the restriction introduced on statePath

The state path now, since the transition from initialization in preStart to using systemd-tmpfiles, has the following restriction: no parent directory can be owned by any other user than root or the user specified in services.gitlab.user. This is a potentially breaking change and the cause of the error isn't immediately obvious, so document it both in the release notes and statePath description.
---
 nixos/doc/manual/release-notes/rl-1909.xml | 7 +++++++
 nixos/modules/services/misc/gitlab.nix | 10 +++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
(limited to 'nixos/doc')
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index 19062bbc9d80..e4dcc90cdd30 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -505,6 +505,13 @@ becomes services.gitlab.databasePasswordFile = "/path/to/secret_file" where the
 file secret_file contains the string supersecurepassword.
+
+ The state path () now has the following restriction:
+ no parent directory can be owned by any other user than root or the user
+ specified in ; i.e. if
+ is set to /var/lib/gitlab/state, gitlab and all parent directories
+ must be owned by either root or the user specified in .
+
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 1e1eb0fd9a11..4c1ffead00c8 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -223,7 +223,15 @@ in {
 statePath = mkOption {
 type = types.str;
 default = "/var/gitlab/state";
- description = "Gitlab state directory, logs are stored here.";
+ description = ''
+ Gitlab state directory. Configuration, repositories and
+ logs, among other things, are stored here.
+
+ The directory will be created automatically if it doesn't
+ exist already. Its parent directories must be owned by
+ either root or the user set in
+ .
+ '';
 };
 backupPath = mkOption {
-- cgit 1.4.1
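Review bot: The new statePath description states the parent-ownership requirement but not where it comes from, so a user who hits it still has no way to connect the error to this option; the commit message attributes the restriction to the move from preStart initialization to systemd-tmpfiles, and that belongs in the description too. I'd extend the second paragraph along the lines of `The directory is created by systemd-tmpfiles, which refuses to create it when a parent directory is owned by any user other than root or the user set in services.gitlab.user` (presumably leaving the unit unable to start — worth confirming and stating the observed failure). That ownership check is a deliberate safeguard against a less-privileged owner of a parent directory interfering with the path, so the description should steer users towards choosing a statePath under a root-owned tree (as the default /var/gitlab/state is) rather than loosening ownership of existing parents. The release-notes hunk in rl-1909.xml makes the same claim and would benefit from the same one-sentence explanation.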