Gitlab: Difference between revisions

Almin17 (talk | contribs)
Added a troubleshooting tip / workaround
m Correcting the owner + group here to match gitlab runner.
 
(7 intermediate revisions by 5 users not shown)
Line 5: Line 5:
== Installation ==
== Installation ==


A minimal local installation of Gitlab might look like this
=== Generate Secrets ===
<syntaxhighlight lang="bash">
sudo install -d -m 0700 /var/lib/gitlab/secrets
sudo sh -c 'openssl rand -hex 32 > /var/lib/gitlab/secrets/activeRecordPrimaryKey'
sudo sh -c 'openssl rand -hex 32 > /var/lib/gitlab/secrets/activeRecordDeterministicKey'
sudo sh -c 'openssl rand -hex 32 > /var/lib/gitlab/secrets/activeRecordSalt'
sudo chown -R gitlab:gitlab /var/lib/gitlab/secrets
sudo chmod 700 /var/lib/gitlab/secrets
sudo chmod 0600 /var/lib/gitlab/secrets/*
</syntaxhighlight>


<syntaxHighlight lang="nix">
=== Nix Configuration ===
services.gitlab = {
<syntaxhighlight lang="nix">services.gitlab = {
   enable = true;
   enable = true;
   databasePasswordFile = pkgs.writeText "dbPassword" "zgvcyfwsxzcwr85l";
   databasePasswordFile = pkgs.writeText "dbPassword" "zgvcyfwsxzcwr85l";
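Review bot: In the new Generate Secrets block, `sudo chown -R gitlab:gitlab /var/lib/gitlab/secrets` assumes the gitlab user and group already exist, yet the section sits before the Nix configuration that enables the service; state the required order or the precondition above the commands. The directory is created with `install -d -m 0700` and then gets `chmod 700` again, so the second call can go, and `install -d -m 0700 -o gitlab -g gitlab` would set mode and ownership in one step. The `databasePasswordFile = pkgs.writeText "dbPassword" ...` line directly below is left untouched, so the example now mixes secrets generated on disk with secrets written into the configuration; a sentence on why the three Active Record keys are handled differently would help.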
Line 17: Line 26:
     dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
     dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
     jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
     jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
    activeRecordPrimaryKeyFile      = "/var/lib/gitlab/secrets/activeRecordPrimaryKey";
    activeRecordDeterministicKeyFile = "/var/lib/gitlab/secrets/activeRecordDeterministicKey";
    activeRecordSaltFile            = "/var/lib/gitlab/secrets/activeRecordSalt";
   };
   };
};
};
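Review bot: The three added `activeRecord*File` options point at files under /var/lib/gitlab/secrets, while the `dbFile` and `jwsFile` lines next to them still build their values with `pkgs.writeText` and `pkgs.runCommand`; add a comment that these paths must already exist (per the Generate Secrets commands) when the configuration is applied, so readers do not assume Nix creates them. The new lines are also indented one space less than the surrounding `dbFile`/`jwsFile` entries and pad the `=` into a column, which no other line in the block does.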
Line 32: Line 44:
services.openssh.enable = true;
services.openssh.enable = true;


systemd.services.gitlab-backup.environment.BACKUP = "dump";
systemd.services.gitlab-backup.environment.BACKUP = "dump";</syntaxhighlight>
</syntaxHighlight>


After applying the configuration head to http://localhost and login with username <code>root</code> and the password specified in <code>initialRootPasswordFile</code>.
After applying the configuration head to http://localhost and login with username <code>root</code> and the password specified in <code>initialRootPasswordFile</code>.
Line 40: Line 51:
A safer solution is to put them somewhere in the file system with the right chmod and owner set and include them using <code>./<filename></code> or to use a [[Comparison of secret managing schemes|secret managment tool]]
A safer solution is to put them somewhere in the file system with the right chmod and owner set and include them using <code>./<filename></code> or to use a [[Comparison of secret managing schemes|secret managment tool]]


{{Note|Since the version 15.7 GitLab blocks weak passwords<ref>https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/user/profile/user_passwords.md#block-weak-passwords</ref> on self-managed instances by default and providing one in initialRootPasswordFile results in a silent failure to create root user.}}  
{{Note|Since the version 15.7 GitLab blocks weak passwords<ref>https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/user/profile/user_passwords.md#block-weak-passwords</ref> on self-managed instances by default and providing one in initialRootPasswordFile results in a silent failure to create root user.}}{{Note|Depending on the setup, access from another system than localhost might be required. In that case, it's necessary to open the ports, since NixOS defaults to having all ports closed. Look up networking.firewall.allowedTCPPorts.}}


== Maintenance ==
== Maintenance ==
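Review bot: The added firewall note never says which ports to open and ends with "Look up networking.firewall.allowedTCPPorts"; name the port(s) the web front end in this example listens on and show the option with that value, so readers open only what is needed instead of guessing. The note is also appended directly after the closing `}}` of the weak-password note with no line break; put it on its own line. The "secret managment tool" typo in the paragraph above is carried over unchanged and could be fixed in the same edit.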
Line 66: Line 77:
   host = "git.example.org";
   host = "git.example.org";
};
};
</syntaxhighlight>
=== Feature Flags ===
You can declaratively enable [https://gitlab-docs-d6a9bb.gitlab.io/ee/user/feature_flags.html Gitlab Feature Flags] using <code>extraGitlabRb</code>:<syntaxhighlight lang="nix">
{
  services.gitlab = {
    enable = true;
    extraGitlabRb = ''
      Feature.enable(:issue_date_filter)
    '';
    # Other configuration...
  };
}
</syntaxhighlight>
</syntaxhighlight>


=== Migrating an existing Gitlab to a Nixos installation ===
=== Migrating an existing Gitlab to a Nixos installation ===
Make a backup on the on the old installation following the [https://docs.gitlab.com/ee/raketasks/backup_gitlab.html Gitlab backup guide]. It is important to be on the same version and edition that you want to install on your new server.
Make a backup on the old installation following the [https://docs.gitlab.com/administration/backup_restore/backup_gitlab/ Gitlab backup guide]. It is important to be on the same version and edition that you want to install on your new server.


Then install a Gitlab on the NixOS. Make sure you set the same secrets like on the old installation.
Then install a Gitlab on the NixOS. Make sure you set the same secrets like on the old installation.
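Review bot: The Feature Flags link goes to gitlab-docs-d6a9bb.gitlab.io, while the backup link in this same edit is moved to docs.gitlab.com; use the docs.gitlab.com URL here as well so readers are not sent to a different host for official documentation. The section would also benefit from one sentence saying that `Feature.enable(:issue_date_filter)` is only an example flag name and what effect enabling it has, since the snippet is presented without any explanation of the flag.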
Line 145: Line 169:


<references />
<references />
== See also ==
* [[Gitea]], a web app, Git development repository and project management.
* [[Forgejo]], a web application offers Git development repositories and project management. Community fork of Gitea.


[[Category:Server]]
[[Category:Server]]
[[Category:Web Applications]]
[[Category:Web Applications]]
[[Category:NixOS Manual]]
[[Category:NixOS Manual]]
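Review bot: In the added See also list, "a web application offers Git development repositories" is missing "that", and the Gitea entry "a web app, Git development repository and project management" does not parse either; reword both to one pattern, for example "a web application for Git repository hosting and project management".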