cbdf94c0f3
Add support for storing secrets in files outside the nix store, since files in the nix store are world-readable and secrets therefore can't be stored safely there. The old string options are kept, since they can potentially be handy for testing purposes, but their descriptions now state that they shouldn't be used in production. The manual section is updated to use the file options rather than the string options and the tests now test both.
83 lines
3.4 KiB
Nix
83 lines
3.4 KiB
Nix
# This test runs gitlab and checks if it works
|
|
|
|
let
|
|
initialRootPassword = "notproduction";
|
|
in
|
|
import ./make-test.nix ({ pkgs, lib, ...} : with lib; {
|
|
name = "gitlab";
|
|
meta = with pkgs.stdenv.lib.maintainers; {
|
|
maintainers = [ globin ];
|
|
};
|
|
|
|
nodes = {
|
|
gitlab = { ... }: {
|
|
virtualisation.memorySize = if pkgs.stdenv.is64bit then 4096 else 2047;
|
|
systemd.services.gitlab.serviceConfig.Restart = mkForce "no";
|
|
systemd.services.gitlab-workhorse.serviceConfig.Restart = mkForce "no";
|
|
systemd.services.gitaly.serviceConfig.Restart = mkForce "no";
|
|
systemd.services.gitlab-sidekiq.serviceConfig.Restart = mkForce "no";
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedProxySettings = true;
|
|
virtualHosts = {
|
|
"localhost" = {
|
|
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
|
};
|
|
};
|
|
};
|
|
|
|
services.gitlab = {
|
|
enable = true;
|
|
databasePasswordFile = pkgs.writeText "dbPassword" "xo0daiF4";
|
|
initialRootPasswordFile = pkgs.writeText "rootPassword" initialRootPassword;
|
|
smtp.enable = true;
|
|
secrets = {
|
|
secretFile = pkgs.writeText "secret" "Aig5zaic";
|
|
otpFile = pkgs.writeText "otpsecret" "Riew9mue";
|
|
dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
|
|
jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
testScript =
|
|
let
|
|
auth = pkgs.writeText "auth.json" (builtins.toJSON {
|
|
grant_type = "password";
|
|
username = "root";
|
|
password = initialRootPassword;
|
|
});
|
|
|
|
createProject = pkgs.writeText "create-project.json" (builtins.toJSON {
|
|
name = "test";
|
|
});
|
|
|
|
putFile = pkgs.writeText "put-file.json" (builtins.toJSON {
|
|
branch = "master";
|
|
author_email = "author@example.com";
|
|
author_name = "Firstname Lastname";
|
|
content = "some content";
|
|
commit_message = "create a new file";
|
|
});
|
|
in
|
|
''
|
|
$gitlab->start();
|
|
$gitlab->waitForUnit("gitaly.service");
|
|
$gitlab->waitForUnit("gitlab-workhorse.service");
|
|
$gitlab->waitForUnit("gitlab.service");
|
|
$gitlab->waitForUnit("gitlab-sidekiq.service");
|
|
$gitlab->waitForFile("/var/gitlab/state/tmp/sockets/gitlab.socket");
|
|
$gitlab->waitUntilSucceeds("curl -sSf http://gitlab/users/sign_in");
|
|
$gitlab->succeed("curl -isSf http://gitlab | grep -i location | grep -q http://gitlab/users/sign_in");
|
|
$gitlab->succeed("${pkgs.sudo}/bin/sudo -u gitlab -H gitlab-rake gitlab:check 1>&2");
|
|
$gitlab->succeed("echo \"Authorization: Bearer \$(curl -X POST -H 'Content-Type: application/json' -d @${auth} http://gitlab/oauth/token | ${pkgs.jq}/bin/jq -r '.access_token')\" >/tmp/headers");
|
|
$gitlab->succeed("curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${createProject} http://gitlab/api/v4/projects");
|
|
$gitlab->succeed("curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${putFile} http://gitlab/api/v4/projects/1/repository/files/some-file.txt");
|
|
$gitlab->succeed("curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.gz > /tmp/archive.tar.gz");
|
|
$gitlab->succeed("curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.bz2 > /tmp/archive.tar.bz2");
|
|
$gitlab->succeed("test -s /tmp/archive.tar.gz");
|
|
$gitlab->succeed("test -s /tmp/archive.tar.bz2");
|
|
'';
|
|
})
|