2023-01-11 13:36:09 +00:00
|
|
|
#!/bin/sh
|
|
|
|
set -eu
|
|
|
|
|
|
|
|
group='git'
|
|
|
|
data_dir='/var/lib/gitlab'
|
|
|
|
secrets_file='/etc/gitlab/secrets.yml'
|
|
|
|
shell_secret_file='/etc/gitlab/gitlab_shell_secret'
|
|
|
|
workhorse_secret_file='/etc/gitlab/gitlab_workhorse_secret'
|
|
|
|
kas_secret_file='/etc/gitlab/gitlab_kas_secret'
|
|
|
|
|
|
|
|
gen_random_b64() {
|
|
|
|
local bits="$1"
|
|
|
|
ruby <<-EOF
|
|
|
|
require 'securerandom'
|
|
|
|
require 'base64'
|
|
|
|
puts Base64.strict_encode64(SecureRandom.random_bytes($bits))
|
|
|
|
EOF
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
echo "* Checking $secrets_file" >&2
|
|
|
|
|
|
|
|
ruby <<-EOF
|
|
|
|
require 'openssl'
|
|
|
|
require 'securerandom'
|
|
|
|
require 'yaml'
|
|
|
|
|
|
|
|
secrets_file = '$secrets_file'
|
|
|
|
changed = false
|
|
|
|
|
|
|
|
secrets = YAML.load_file(secrets_file) if File.exist?(secrets_file)
|
|
|
|
secrets ||= {}
|
|
|
|
prod = secrets['production'] ||= {}
|
|
|
|
prod['db_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
|
|
|
|
prod['secret_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
|
|
|
|
prod['otp_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
|
|
|
|
prod['encrypted_settings_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
|
|
|
|
prod['openid_connect_signing_key'] ||= begin
|
|
|
|
changed = true
|
|
|
|
prod.delete('jws_private_key') || OpenSSL::PKey::RSA.new(2048).to_pem
|
|
|
|
end
|
|
|
|
# db/fixtures/production/010_settings.rb
|
|
|
|
prod['ci_jwt_signing_key'] ||= ( changed = true; OpenSSL::PKey::RSA.new(2048).to_pem )
|
|
|
|
|
|
|
|
if changed
|
|
|
|
STDERR.puts "* Generating random secrets into #{secrets_file}"
|
|
|
|
File.write(secrets_file, YAML.dump(secrets), mode: 'w', perm: 0640)
|
|
|
|
end
|
|
|
|
EOF
|
|
|
|
chown root:$group "$secrets_file"
|
|
|
|
|
|
|
|
if [ ! -f "$shell_secret_file" ]; then
|
|
|
|
echo "* Generating random secret in $shell_secret_file" >&2
|
|
|
|
|
2023-01-14 15:04:48 +00:00
|
|
|
head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64 > "$shell_secret_file"
|
2023-01-11 13:36:09 +00:00
|
|
|
chown root:$group "$shell_secret_file"
|
|
|
|
chmod 0640 "$shell_secret_file"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ ! -f "$workhorse_secret_file" ]; then
|
|
|
|
echo "* Generating random secret in $workhorse_secret_file" >&2
|
|
|
|
|
|
|
|
# Sync with lib/gitlab/workhorse.rb.
|
|
|
|
gen_random_b64 32 > "$workhorse_secret_file"
|
|
|
|
chown root:$group "$workhorse_secret_file"
|
|
|
|
chmod 0640 "$workhorse_secret_file"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ ! -f "$kas_secret_file" ]; then
|
|
|
|
echo "* Generating random secret in $kas_secret_file" >&2
|
|
|
|
|
|
|
|
# Sync with lib/gitlab/workhorse.rb.
|
|
|
|
gen_random_b64 32 > "$kas_secret_file"
|
|
|
|
chown root:$group "$kas_secret_file"
|
|
|
|
chmod 0640 "$kas_secret_file"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# NOTE: We create this symlink in post-install script instead of APKBULD,
|
|
|
|
# so user can decide to have tmp dir inside $data_dir (e.g. it's on bigger disk).
|
|
|
|
if [ ! -e "$data_dir"/tmp ]; then
|
|
|
|
ln -s /var/tmp/gitlab "$data_dir"/tmp
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ "${0##*.}" = 'post-upgrade' ]; then
|
|
|
|
cat >&2 <<-EOF
|
|
|
|
*
|
|
|
|
* To finish GitLab upgrade run:
|
|
|
|
*
|
|
|
|
* gitlab-rake gitlab:db:configure
|
|
|
|
*
|
|
|
|
EOF
|
|
|
|
else
|
|
|
|
cat >&2 <<-EOF
|
|
|
|
*
|
|
|
|
* 1. Adjust settings in /etc/gitlab/database.yml and gitlab.yml.
|
|
|
|
*
|
|
|
|
* 2. Create database for GitLab:
|
|
|
|
*
|
|
|
|
* psql -c "CREATE ROLE gitlab PASSWORD 'top-secret' INHERIT LOGIN;"
|
|
|
|
* psql -c "CREATE DATABASE gitlab OWNER gitlab ENCODING 'UTF-8';"
|
|
|
|
* psql -d gitlab -c "CREATE EXTENSION pg_trgm; CREATE EXTENSION btree_gist;"
|
|
|
|
*
|
|
|
|
* 3. Run "gitlab-rake gitlab:setup", or "gitlab-rake gitlab:db:configure" if
|
|
|
|
* you are updating existing database.
|
|
|
|
*
|
|
|
|
EOF
|
|
|
|
fi
|