nixos/gitlab: add activeRecord key files

GitLab 17.11 started using rails activeRecord encryption for some values.
Introduce new key files. This is breaking for unstable/25.05.

Also add a test to prevent this from happening unnoticed in the future.

In the future there should also be an option to set multiple activeRecord
keys, so that they can be rotated.
This commit is contained in:
Leona Maroni 2025-05-07 17:29:50 +02:00
parent 2e2cab7847
commit a95a530883
No known key found for this signature in database
GPG key ID: D5B08ADFC75E3605
3 changed files with 76 additions and 2 deletions


@ -106,6 +106,9 @@ in
otpFile = pkgs.writeText "otpsecret" "Riew9mue";
dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
jwsFile = pkgs.runCommand "oidcKeyBase" { } "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
activeRecordPrimaryKeyFile = pkgs.writeText "arprimary" "vsaYPZjTRxcbG7W6gNr95AwBmzFUd4Eu";
activeRecordDeterministicKeyFile = pkgs.writeText "ardeterministic" "kQarv9wb2JVP7XzLTh5f6DFcMHms4nEC";
activeRecordSaltFile = pkgs.writeText "arsalt" "QkgR9CfFU3MXEWGqa7LbP24AntK5ZeYw";
};
registry = {
@ -477,6 +480,9 @@ in
gitlab.start()
''
+ waitForServices
+ ''
gitlab.succeed("cp /var/gitlab/state/config/secrets.yml /root/gitlab-secrets.yml")
''
+ test true
+ ''
gitlab.systemctl("start gitlab-backup.service")
@ -496,5 +502,9 @@ in
gitlab.systemctl("start gitlab.target")
''
+ waitForServices
+ ''
with subtest("Check that no secrets were auto-generated as these would be non-persistent"):
gitlab.succeed("diff -u /root/gitlab-secrets.yml /var/gitlab/state/config/secrets.yml")
''
+ test false;
}
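Review bot: The persistence check in the last hunk asserts that secrets.yml is byte-identical across a restart, but nothing in the test says why that matters, and a future maintainer may loosen it to a key-by-key comparison; I would add above the subtest a comment such as `# secrets.yml must survive a restart unchanged: a regenerated key silently makes every value already encrypted with the old key unreadable`. The `diff -u` at line 45 also fails if GitLab rewrites the file with the same values in a different order or quoting, so if that ever happens the subtest message should make clear whether a real key regeneration or only a formatting change occurred. The snapshot taken by the `cp` in the second hunk is only meaningful if `waitForServices` guarantees GitLab has finished writing secrets.yml before it runs; that helper and the `test` function are defined outside these hunks, as is the start of the testScript string, so that ordering cannot be confirmed here. The activeRecord key values in the first hunk are test fixtures only and would benefit from a short comment saying so, since the same names are the user-facing options in the module.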