Gitlab: Difference between revisions

From NixOS Wiki
imported>Onny
Add troubleshooting section for running behind reverse proxy
imported>Onny
mNo edit summary
Line 35: Line 35:
== Troubleshooting ==
== Troubleshooting ==


=== Error 422 The change you requested was rejected on login ====
=== Error 422 The change you requested was rejected on login ===


There might be different reasons for this error to show up after a failing login. One possible issue could be that your Gitlab instance is configured to be served with SSL encryption but running unencrypted behind a reverse proxy
There might be different reasons for this error to show up after a failing login. One possible issue could be that your Gitlab instance is configured to be served with SSL encryption but running unencrypted behind a reverse proxy

Revision as of 20:46, 24 November 2022

The GitLab web application offers git repository management, code reviews, issue tracking, activity feeds and wikis.

Installation

A minimal local installation of Gitlab might look like this

services.gitlab = {
  enable = true;
  databasePasswordFile = pkgs.writeText "dbPassword" "test123";
  initialRootPasswordFile = pkgs.writeText "rootPassword" "test123";
  secrets = {
    secretFile = pkgs.writeText "secret" "Aig5zaic";
    otpFile = pkgs.writeText "otpsecret" "Riew9mue";
    dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
    jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
  };
};

services.nginx = {
  enable = true;
  recommendedProxySettings = true;
  virtualHosts = {
    localhost = {
      locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
    };
  };
};

services.openssh.enable = true;

systemd.services.gitlab-backup.environment.BACKUP = "dump";

Troubleshooting

Error 422 The change you requested was rejected on login

There might be different reasons for this error to show up after a failing login. One possible issue could be that your Gitlab instance is configured to be served with SSL encryption but running unencrypted behind a reverse proxy

services.gitlab = {
  enable = true;
  port = 443;
  https = true;
[...]

To solve this, add following http headers to your upstream reverse proxy. In this example for the web server Caddy but it can be set for others too

caddy = {
  enable = true;
  virtualHosts = {
    "git.example.org".extraConfig = ''
      reverse_proxy http://10.100.0.3 {
        header_up X-Forwarded-Proto https
        header_up X-Forwarded-Ssl on
      }
    '';
  };
};