This avoids restarting the postgresql server, when only ensureDatabases
or ensureUsers have been changed. It will also allow to properly wait
for recovery to finish later.
To wait for "postgresql is ready" in other services, we now provide a
postgresql.target.
Resolves#400018
Co-authored-by: Marcel <me@m4rc3l.de>
GitLab 17.11 started using rails activeRecord encryption for some values.
Introduce new key files. This is breaking for unstable/25.05.
Also add a test to prevent this from happening unnoticed in the future.
For the future there should also be an option to set multiple activeRecord
keys for rotation.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
docker-registry.service has a `After` dependency on gitlab-registry-cert.
On the first start, docker-registry.service fails to start as it already
runs when gitlab-registry-cert.service starts up, and not when it finished.
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
This commit switches gitaly's git package from `pkgs.git` to the bundled
`git` package in order to maintain compatibility with the supported git
release by gitaly.
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
This commit adds an option to configure the amount of threads to use
with sidekiq-cluster. The GitLab default is currently set to 20 threads. In
space constrained environments this may become a problem with running
out of memory as a result.
Gitlab stays running at redis and postgresql restarts as if these
components were on a different host anyways. Handling reconnetctions is
part of the application logic.
Co-authored-by: Kim Lindberger <kim.lindberger@gmail.com>
for formatting fixes and test failure debugging.
In commit 41ca9c1, the database config got an additional config entry
for a separate CI database connection [1]. Unfortunately, the main connection
must always be the first entry. The fix for this was only applied when
databasePasswordFile has been set.
This commit fixes the order of the config for deployments without a databasePasswordFile.
[1] https://docs.gitlab.com/ee/update/deprecations.html#single-database-connection-is-deprecated
When a dependency, like postgresql.service or redis-gitlab.service, had
been stopped and started at switch-to-configuration time, gitlab.service
and its helper units had been stopped but not started again.
`multi-user.target` only has a `Wants` relation to gitlab.target, but
once gitlab.target has been successfully started once and is not stopped/
restarted again, it does not cause all its dependencies to stay activated
the whole time.
This commit fixes this by upgrading the dependy relationship of
gitlab.service towards gitlab.target from a "Wants" to a "Requires". It
should be enough to do this for this single unit part of gitlab.target
only, as all other units wantedBy gitlab.target are pulled in by
gitlab.service as well or have bindsTo relations.
Support for gitlab-container-registry has been added in 014816cbe4.
However, when enabling the registry it will throw an error as it can't
find a `package` attribute.
This commit fixes the registry configuration by adding the missing
`registry` part.
Support for external container registries (namely
`pkgs.docker-distribution`) has ended in GitLab 16.0 [1] and is
scheduled for removal in a future release. [2]
This commit adds a new registry package option, defaulting to
`pkgs.docker-distribution` and `pkgs.gitlab-container-registry` for
system state versions >= 23.11.
While it is still possible to use the docker container registry, module
users should switch to gitlab's container registry fork soon. A warning
message will be added in a future commit to advise affected users to
back up their state and then switch to the new container registry
package.
[1]: https://gitlab.com/gitlab-org/gitlab/-/issues/376217
[2]: https://gitlab.com/gitlab-org/gitlab/-/issues/403322
From my understanding, procps was added to the gitlay systemd service
path in #58487 to fix gitaly-ruby's internal memory leak detection.
Now that the last ruby remnants have been removed in gitaly 16.0.0,
this should not be necessary anymore.
