ayaports/user/gitlab-foss/gitlab-foss.post-install

109 lines
3 KiB
Text
Raw Normal View History

2023-01-11 13:36:09 +00:00
#!/bin/sh
set -eu
group='git'
data_dir='/var/lib/gitlab'
secrets_file='/etc/gitlab/secrets.yml'
shell_secret_file='/etc/gitlab/gitlab_shell_secret'
workhorse_secret_file='/etc/gitlab/gitlab_workhorse_secret'
kas_secret_file='/etc/gitlab/gitlab_kas_secret'
gen_random_b64() {
local bits="$1"
ruby <<-EOF
require 'securerandom'
require 'base64'
puts Base64.strict_encode64(SecureRandom.random_bytes($bits))
EOF
}
echo "* Checking $secrets_file" >&2
ruby <<-EOF
require 'openssl'
require 'securerandom'
require 'yaml'
secrets_file = '$secrets_file'
changed = false
secrets = YAML.load_file(secrets_file) if File.exist?(secrets_file)
secrets ||= {}
prod = secrets['production'] ||= {}
prod['db_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
prod['secret_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
prod['otp_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
prod['encrypted_settings_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
prod['openid_connect_signing_key'] ||= begin
changed = true
prod.delete('jws_private_key') || OpenSSL::PKey::RSA.new(2048).to_pem
end
# db/fixtures/production/010_settings.rb
prod['ci_jwt_signing_key'] ||= ( changed = true; OpenSSL::PKey::RSA.new(2048).to_pem )
if changed
STDERR.puts "* Generating random secrets into #{secrets_file}"
File.write(secrets_file, YAML.dump(secrets), mode: 'w', perm: 0640)
end
EOF
chown root:$group "$secrets_file"
if [ ! -f "$shell_secret_file" ]; then
echo "* Generating random secret in $shell_secret_file" >&2
head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64 > "$shell_secret_file"
2023-01-11 13:36:09 +00:00
chown root:$group "$shell_secret_file"
chmod 0640 "$shell_secret_file"
fi
if [ ! -f "$workhorse_secret_file" ]; then
echo "* Generating random secret in $workhorse_secret_file" >&2
# Sync with lib/gitlab/workhorse.rb.
gen_random_b64 32 > "$workhorse_secret_file"
chown root:$group "$workhorse_secret_file"
chmod 0640 "$workhorse_secret_file"
fi
if [ ! -f "$kas_secret_file" ]; then
echo "* Generating random secret in $kas_secret_file" >&2
# Sync with lib/gitlab/workhorse.rb.
gen_random_b64 32 > "$kas_secret_file"
chown root:$group "$kas_secret_file"
chmod 0640 "$kas_secret_file"
fi
# NOTE: We create this symlink in post-install script instead of APKBULD,
# so user can decide to have tmp dir inside $data_dir (e.g. it's on bigger disk).
if [ ! -e "$data_dir"/tmp ]; then
ln -s /var/tmp/gitlab "$data_dir"/tmp
fi
if [ "${0##*.}" = 'post-upgrade' ]; then
cat >&2 <<-EOF
*
* To finish GitLab upgrade run:
*
* gitlab-rake gitlab:db:configure
*
EOF
else
cat >&2 <<-EOF
*
* 1. Adjust settings in /etc/gitlab/database.yml and gitlab.yml.
*
* 2. Create database for GitLab:
*
* psql -c "CREATE ROLE gitlab PASSWORD 'top-secret' INHERIT LOGIN;"
* psql -c "CREATE DATABASE gitlab OWNER gitlab ENCODING 'UTF-8';"
* psql -d gitlab -c "CREATE EXTENSION pg_trgm; CREATE EXTENSION btree_gist;"
*
* 3. Run "gitlab-rake gitlab:setup", or "gitlab-rake gitlab:db:configure" if
* you are updating existing database.
*
EOF
fi