From f39d13cd3e577d546445df4bcd6cbe2905b655c1 Mon Sep 17 00:00:00 2001
From: Joachim Fasting <joachifm@fastmail.fm>
Date: Wed, 7 Dec 2016 04:53:55 +0100
Subject: [PATCH] grsecurity doc: describe work-around for gitlab

Fixes https://github.com/NixOS/nixpkgs/issues/20959
---
 nixos/modules/security/grsecurity.xml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml
index 5b3e4db03a13..a7bcf4924f01 100644
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@@ -325,6 +325,19 @@
       </programlisting>
     </para></listitem>
 
+    <listitem><para>
+      The gitlab service (<xref linkend="module-services-gitlab" />)
+      requires a variant of the <literal>ruby</literal> interpreter
+      built without `mprotect()` hardening, as in
+      <programlisting>
+        services.gitlab.packages.gitlab = pkgs.gitlab.override {
+          ruby = pkgs.ruby.overrideAttrs (attrs: {
+            postFixup = "paxmark m $out/bin/ruby";
+          });
+        };
+      </programlisting>
+    </para></listitem>
+
   </itemizedlist>
 
   </sect1>