Gitlab: Difference between revisions
imported>Onny Add notes about maintenance tasks |
imported>F2k1de |
||
Line 32: | Line 32: | ||
systemd.services.gitlab-backup.environment.BACKUP = "dump"; | systemd.services.gitlab-backup.environment.BACKUP = "dump"; | ||
</syntaxHighlight> | </syntaxHighlight> | ||
Even trough it is easy to provide the secrets in the <code>configuration.nix</code> with <code>pkgs.writeText</code>, keep in mind that it might not be the best method, because they get written to the word readable [[Nix_package_manager#Nix_store|nix-store]] this way. | |||
A safer solution is to put them somewhere in the file system with the right chmod and owner set and include them using <code>./<filename></code> or to use a [[Comparison of secret managing schemes|secret managment tool]] | |||
== Maintenance == | == Maintenance == |
Revision as of 10:48, 25 April 2023
The GitLab web application offers git repository management, code reviews, issue tracking, activity feeds and wikis.
Installation
A minimal local installation of Gitlab might look like this
services.gitlab = {
enable = true;
databasePasswordFile = pkgs.writeText "dbPassword" "test123";
initialRootPasswordFile = pkgs.writeText "rootPassword" "test123";
secrets = {
secretFile = pkgs.writeText "secret" "Aig5zaic";
otpFile = pkgs.writeText "otpsecret" "Riew9mue";
dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
localhost = {
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
};
};
services.openssh.enable = true;
systemd.services.gitlab-backup.environment.BACKUP = "dump";
Even trough it is easy to provide the secrets in the configuration.nix
with pkgs.writeText
, keep in mind that it might not be the best method, because they get written to the word readable nix-store this way.
A safer solution is to put them somewhere in the file system with the right chmod and owner set and include them using ./<filename>
or to use a secret managment tool
Maintenance
Query info about your Gitlab instance
gitlab-rake gitlab:env:info
Check for configuration errors
gitlab-rake gitlab:check
Troubleshooting
Error 422 The change you requested was rejected on login
There might be different reasons for this error to show up after a failing login. One possible issue could be that your Gitlab instance is configured to be served with SSL encryption but running unencrypted behind a reverse proxy
services.gitlab = {
enable = true;
port = 443;
https = true;
[...]
To solve this, add following http headers to your upstream reverse proxy. In this example for the web server Caddy but it can be set for others too
caddy = {
enable = true;
virtualHosts = {
"git.example.org".extraConfig = ''
reverse_proxy http://10.100.0.3 {
header_up X-Forwarded-Proto https
header_up X-Forwarded-Ssl on
}
'';
};
};