Gitlab: Difference between revisions
Add notes on Gitlab behind reverse proxy |
Add example for setting feature flags declaratively |
||
| (8 intermediate revisions by 5 users not shown) | |||
| Line 37: | Line 37: | ||
After applying the configuration head to http://localhost and login with username <code>root</code> and the password specified in <code>initialRootPasswordFile</code>. | After applying the configuration head to http://localhost and login with username <code>root</code> and the password specified in <code>initialRootPasswordFile</code>. | ||
Even though it is easy to provide the secrets in the <code>configuration.nix</code> with <code>pkgs.writeText</code>, keep in mind that it might not be the best method, because they get written to the | Even though it is easy to provide the secrets in the <code>configuration.nix</code> with <code>pkgs.writeText</code>, keep in mind that it might not be the best method, because they get written to the world readable [[Nix_package_manager#Nix_store|nix-store]] this way. | ||
A safer solution is to put them somewhere in the file system with the right chmod and owner set and include them using <code>./<filename></code> or to use a [[Comparison of secret managing schemes|secret managment tool]] | A safer solution is to put them somewhere in the file system with the right chmod and owner set and include them using <code>./<filename></code> or to use a [[Comparison of secret managing schemes|secret managment tool]] | ||
{{Note|Since the version 15.7 GitLab blocks weak passwords<ref>https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/user/profile/user_passwords.md#block-weak-passwords</ref> on self-managed instances by default and providing one in initialRootPasswordFile results in a silent failure to create root user.}} | {{Note|Since the version 15.7 GitLab blocks weak passwords<ref>https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/user/profile/user_passwords.md#block-weak-passwords</ref> on self-managed instances by default and providing one in initialRootPasswordFile results in a silent failure to create root user.}}{{Note|Depending on the setup, access from another system than localhost might be required. In that case, it's necessary to open the ports, since NixOS defaults to having all ports closed. Look up networking.firewall.allowedTCPPorts.}} | ||
== Maintenance == | == Maintenance == | ||
| Line 66: | Line 66: | ||
host = "git.example.org"; | host = "git.example.org"; | ||
}; | }; | ||
</syntaxhighlight> | |||
=== Feature Flags === | |||
You can declaratively enable [https://gitlab-docs-d6a9bb.gitlab.io/ee/user/feature_flags.html Gitlab Feature Flags] using <code>extraGitlabRb</code>:<syntaxhighlight lang="nix"> | |||
{ | |||
services.gitlab = { | |||
enable = true; | |||
extraGitlabRb = '' | |||
Feature.enable(:issue_date_filter) | |||
''; | |||
# Other configuration... | |||
}; | |||
} | |||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Migrating an existing Gitlab to a Nixos installation === | === Migrating an existing Gitlab to a Nixos installation === | ||
Make a backup | Make a backup on the old installation following the [https://docs.gitlab.com/administration/backup_restore/backup_gitlab/ Gitlab backup guide]. It is important to be on the same version and edition that you want to install on your new server. | ||
Then install a Gitlab on the NixOS. Make sure you set the same secrets like on the old installation. | Then install a Gitlab on the NixOS. Make sure you set the same secrets like on the old installation. | ||
After a successful deploy | After a successful deploy: | ||
# Stop the Gitlab service using <code>systemctl stop gitlab.service</code>. | |||
# Start Gitaly <code>systemctl start gitaly.service</code> | |||
#* It gets stopped when gitlab.service stops. | |||
# Then copy the backup *_gitlab_backup.tar to the backup folder | |||
#* <code>cp 1719619965_2024_06_29_16.11.4_gitlab_backup.tar /var/gitlab/state/backup</code> | |||
# Run <code>sudo -u gitlab gitlab-rake gitlab:backup:restore BACKUP=<name before the _gitlab_backup.tar></code> . | |||
#* For example <code>sudo -u gitlab gitlab-rake gitlab:backup:restore BACKUP=1719619965_2024_06_29_16.11.4</code> | |||
# You will be interactively asked what should be done. | |||
#* You will most likely be saying yes hrtr | |||
# Start the Gitlab Service again using <code>systemctl start gitlab.service</code>. | |||
You may need to rebuild the system for everything to properly come up. | |||
== Troubleshooting == | == Troubleshooting == | ||
| Line 108: | Line 131: | ||
</syntaxHighlight> | </syntaxHighlight> | ||
=== Login page accessible, but root login fails after fresh install === | |||
Apparently, it can happen that no root user is created (or at least not fully created in the database) when building the system with a newly configured Gitlab service. | |||
In this case, it can help to stop the Gitlab service, drop the postgres database and reboot the system. This sequence instantiates the Gitlab root user. With that, it's possible to log in with user "root" and the password configured in "initialRootPasswordFile".<syntaxhighlight lang="bash"> | |||
# stop the gitlab stack | |||
systemctl stop gitlab.service | |||
# drop the database | |||
sudo -u postgres dropdb gitlab | |||
# reboot (just starting the gitlab service again seems not to be sufficient) | |||
sudo reboot | |||
</syntaxhighlight> | |||
==Notes== | ==Notes== | ||
Gitlab will add a user "gitlab" to your NixOS, many tutorials online point to using git over ssh with the user "git", which in our case will not match since there is no user "git". If you configure your SSH hosts with ~/.ssh/config this should work: | |||
Host your.selfhosted.com | |||
HostName your.selfhosted.com | |||
User gitlab | |||
IdentityFile /path/to/your/ssh/private/key | |||
# The following are optional: | |||
IdentitiesOnly yes | |||
PreferredAuthentications publickey | |||
<references /> | <references /> | ||