archives/gitlab-foss: new aport

archives/gitlab-foss/gitlab-foss.post-install

@@ -0,0 +1,108 @@
+#!/bin/sh
+set -eu
+
+group='git'
+data_dir='/var/lib/gitlab'
+secrets_file='/etc/gitlab/secrets.yml'
+shell_secret_file='/etc/gitlab/gitlab_shell_secret'
+workhorse_secret_file='/etc/gitlab/gitlab_workhorse_secret'
+kas_secret_file='/etc/gitlab/gitlab_kas_secret'
+
+gen_random_b64() {
+	local bits="$1"
+	ruby <<-EOF
+		require 'securerandom'
+		require 'base64'
+		puts Base64.strict_encode64(SecureRandom.random_bytes($bits))
+	EOF
+}
+
+
+echo "* Checking $secrets_file" >&2
+
+ruby <<-EOF
+	require 'openssl'
+	require 'securerandom'
+	require 'yaml'
+
+	secrets_file = '$secrets_file'
+	changed = false
+
+	secrets = YAML.load_file(secrets_file) if File.exist?(secrets_file)
+	secrets ||= {}
+	prod = secrets['production'] ||= {}
+	prod['db_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
+	prod['secret_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
+	prod['otp_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
+	prod['encrypted_settings_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
+	prod['openid_connect_signing_key'] ||= begin
+	  changed = true
+	  prod.delete('jws_private_key') || OpenSSL::PKey::RSA.new(2048).to_pem
+	end
+	# db/fixtures/production/010_settings.rb
+	prod['ci_jwt_signing_key'] ||= ( changed = true; OpenSSL::PKey::RSA.new(2048).to_pem )
+
+	if changed
+	  STDERR.puts "* Generating random secrets into #{secrets_file}"
+	  File.write(secrets_file, YAML.dump(secrets), mode: 'w', perm: 0640)
+	end
+EOF
+chown root:$group "$secrets_file"
+
+if [ ! -f "$shell_secret_file" ]; then
+	echo "* Generating random secret in $shell_secret_file" >&2
+
+	head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64 > "$shell_secret_file"
+	chown root:$group "$shell_secret_file"
+	chmod 0640 "$shell_secret_file"
+fi
+
+if [ ! -f "$workhorse_secret_file" ]; then
+	echo "* Generating random secret in $workhorse_secret_file" >&2
+
+	# Sync with lib/gitlab/workhorse.rb.
+	gen_random_b64 32 > "$workhorse_secret_file"
+	chown root:$group "$workhorse_secret_file"
+	chmod 0640 "$workhorse_secret_file"
+fi
+
+if [ ! -f "$kas_secret_file" ]; then
+	echo "* Generating random secret in $kas_secret_file" >&2
+
+	# Sync with lib/gitlab/workhorse.rb.
+	gen_random_b64 32 > "$kas_secret_file"
+	chown root:$group "$kas_secret_file"
+	chmod 0640 "$kas_secret_file"
+fi
+
+# NOTE: We create this symlink in post-install script instead of APKBULD,
+# so user can decide to have tmp dir inside $data_dir (e.g. it's on bigger disk).
+if [ ! -e "$data_dir"/tmp ]; then
+	ln -s /var/tmp/gitlab "$data_dir"/tmp
+fi
+
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+	cat >&2 <<-EOF
+	*
+	* To finish GitLab upgrade run:
+	*
+	*     gitlab-rake gitlab:db:configure
+	*
+	EOF
+else
+	cat >&2 <<-EOF
+	*
+	* 1. Adjust settings in /etc/gitlab/database.yml and gitlab.yml.
+	*
+	* 2. Create database for GitLab:
+	*
+	*     psql -c "CREATE ROLE gitlab PASSWORD 'top-secret' INHERIT LOGIN;"
+	*     psql -c "CREATE DATABASE gitlab OWNER gitlab ENCODING 'UTF-8';"
+	*     psql -d gitlab -c "CREATE EXTENSION pg_trgm; CREATE EXTENSION btree_gist;"
+	*
+	* 3. Run "gitlab-rake gitlab:setup", or "gitlab-rake gitlab:db:configure" if
+	*    you are updating existing database.
+	*
+	EOF
+fi