GitLab
The GitLab web application offers git repository management, code reviews, issue tracking, activity feeds and wikis.
Installation
A minimal local installation of GitLab might look like this:
services.gitlab = {
  enable = true;
  databasePasswordFile = pkgs.writeText "dbPassword" "test123";
  initialRootPasswordFile = pkgs.writeText "rootPassword" "test123";
  secrets = {
    secretFile = pkgs.writeText "secret" "Aig5zaic";
    otpFile = pkgs.writeText "otpsecret" "Riew9mue";
    dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
    jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
  };
};
services.nginx = {
  enable = true;
  recommendedProxySettings = true;
  virtualHosts = {
    localhost = {
      locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
    };
  };
};
services.openssh.enable = true;
systemd.services.gitlab-backup.environment.BACKUP = "dump";
Even though it is easy to provide the secrets in configuration.nix with pkgs.writeText, keep in mind that this might not be the best method, because they get written to the world-readable Nix store this way.
A safer solution is to put them somewhere in the file system with the right chmod and owner set and include them using ./<filename>, or to use a secret management tool.
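The out-of-store variant of the configuration above, as an added example that is not part of the original page. The /var/keys/gitlab directory and the file names in it are assumptions, and the files are expected to be created outside of Nix. The paths are written as quoted strings because a Nix path literal is copied into the world-readable store once it is coerced to a string.

```nix
{ ... }:
{
  services.gitlab = {
    enable = true;
    # Quoted strings, not path literals: the secret stays where it is on disk
    # and only its location ends up in the Nix store.
    databasePasswordFile = "/var/keys/gitlab/db_password";       # assumed path
    initialRootPasswordFile = "/var/keys/gitlab/root_password";  # assumed path
    secrets = {
      secretFile = "/var/keys/gitlab/secret";  # assumed path
      otpFile = "/var/keys/gitlab/otp";        # assumed path
      dbFile = "/var/keys/gitlab/db";          # assumed path
      jwsFile = "/var/keys/gitlab/jws";        # assumed path, RSA private key
    };
  };

  # Enforce the "right chmod and owner" on every boot and activation:
  # directory readable only by the gitlab user (the module's default user),
  # existing files inside it reset to owner-read-only.
  systemd.tmpfiles.rules = [
    "d /var/keys/gitlab 0700 gitlab gitlab -"
    "z /var/keys/gitlab/* 0400 gitlab gitlab -"
  ];
}
```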
Maintenance
Query info about your GitLab instance:
gitlab-rake gitlab:env:info
Check for configuration errors:
gitlab-rake gitlab:check
Troubleshooting
Error 422 The change you requested was rejected on login
There might be different reasons for this error to show up after a failing login. One possible cause is that your GitLab instance is configured to be served with SSL encryption but is running unencrypted behind a reverse proxy:
services.gitlab = {
  enable = true;
  port = 443;
  https = true;
  [...]
To solve this, add the following HTTP headers to your upstream reverse proxy. This example is for the web server Caddy, but the same headers can be set for others too:
services.caddy = {
  enable = true;
  virtualHosts = {
    "git.example.org".extraConfig = ''
      reverse_proxy http://10.100.0.3 {
        header_up X-Forwarded-Proto https
        header_up X-Forwarded-Ssl on
      }
    '';
  };
};