Configuration

How do I configure the host name for the GitLab NixOS service?

  • December 23, 2021

I am trying to deploy a new GitLab instance on NixOS 20.09.1632.a6a3a368dda (Nightingale).

I have this fairly small configuration.nix:

{ modulesPath, ... }:
let
 host = "example.org";
 adminEmail = "admin@example.org";
in
{
 imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ];
 ec2.hvm = true;

 services.gitlab = rec {
   enable = true;

   inherit host;
   port = 80;

   # You, dear sysadmin, have to make these files exist.
   initialRootPasswordFile = "/tmp/gitlab-secrets/initial-password";

   secrets = rec {
     # A file containing 30 "0" characters.
     secretFile = "/tmp/gitlab-secrets/zeros";
     dbFile = secretFile;
     otpFile = secretFile;
     # openssl genrsa 2048 > jws.rsa
     jwsFile = "/tmp/gitlab-secrets/jws.rsa";
   };
 };

 services.nginx = {
   enable = true;
   user = "gitlab";
   virtualHosts = {
     "${host}" = {
       locations."/" = {
         # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
         proxyPass = "http://unix:/var/gitlab/state/tmp/sockets/gitlab.socket";
       };
     };
   };
 };

 networking.firewall = {
   enable = true;
   allowPing = false;
   allowedTCPPorts = [
     22
     80
   ];
 };
}

When this configuration is started, a number of processes come up (redis, postgresql, sidekiq, etc.). However, nginx (thanks, I assume, to GitLab's Rails HTTP server) answers a request for / with:

* Connected to example.org (X.X.X.X) port 80 (#0)
> GET / HTTP/1.1
> Host: example.org
> User-Agent: curl/7.72.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx
< Date: Thu, 11 Feb 2021 19:38:40 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Referrer-Policy: strict-origin-when-cross-origin
< X-UA-Compatible: IE=edge
< Location: http://localhost/users/sign_in
< Cache-Control: no-cache
< Set-Cookie: experimentation_subject_id=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqZGhabU0zWXpVNExUSmxNR1F0TkdZMlpTMWlZVEkwTFdKak1EVTFaREZoTURJd1ppST0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS5leHBlcmltZW50YXRpb25fc3ViamVjdF9pZCJ9fQ%3D%3D--cbf53392028ed41f7c582a64e643476a5c2aab6b; path=/; expires=Mon, 11 Feb 2041 19:38:40 -0000; HttpOnly
< X-Request-Id: 545cc04e-1689-4351-b5a9-ca171f1a85d4
< X-Runtime: 0.060596
< 
* Connection #0 to host example.org left intact
<html><body>You are being <a href="http://localhost/users/sign_in">redirected</a>.</body></html>

Since localhost is not example.org, this fails.

How do I configure GitLab so that it knows its own host name?

The desired behaviour can be achieved with the NGINX directive proxy_set_header:

proxy_set_header Host       $host;

If you include this line in your reverse-proxy configuration, NGINX will rewrite the Host header it passes to the upstream server (i.e. GitLab) with the host name from the original request (i.e. example.org) instead of localhost. Enabling the services.nginx.recommendedProxySettings option in NixOS generates an NGINX configuration that contains this directive.
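The NixOS form of that fix, as an added example that is not part of the original answer: the question's nginx block with recommendedProxySettings switched on, which makes the NixOS nginx module emit proxy_set_header Host $host (together with the X-Real-IP and X-Forwarded-* headers) for every proxyPass location. The host name and the socket path are kept from the question; the option names are those of the NixOS nginx module as of 20.09, and the commented-out extraConfig form is the per-location alternative if you would rather not enable the recommended settings globally.

```nix
{ ... }:
let
  host = "example.org";
in
{
  services.nginx = {
    enable = true;

    # Emits, for every proxied location, among other directives:
    #   proxy_set_header Host $host;
    #   proxy_set_header X-Real-IP $remote_addr;
    #   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #   proxy_set_header X-Forwarded-Proto $scheme;
    # GitLab then sees "example.org" in Host and builds its redirect
    # (Location: .../users/sign_in) with that name instead of localhost.
    recommendedProxySettings = true;

    virtualHosts."${host}" = {
      locations."/" = {
        # Socket path as used in the question.
        proxyPass = "http://unix:/var/gitlab/state/tmp/sockets/gitlab.socket";

        # Equivalent manual form for this one location only, if
        # recommendedProxySettings is left off:
        # extraConfig = ''
        #   proxy_set_header Host $host;
        # '';
      };
    };
  };
}
```

Since $host is taken from the client's own Host header, it is worth remembering that an nginx server block without a separate default catch-all also serves requests for names it does not match; if you care about what name reaches GitLab, add a default server that refuses unknown hosts rather than letting any Host: value through.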

Quoted from: https://serverfault.com/questions/1053319