Merge pull request #157519 from talyz/gitlab-error-handling

nixos/gitlab: Implement better script error handling
2022-02-03 22:19:03 +01:00 · 2022-02-03 22:19:03 +01:00 · 415b9c3b5a
commit 415b9c3b5a
parent b00ecd5e3d b65b9bf73c
2 changed files with 21 additions and 10 deletions
--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@ -149,10 +149,16 @@ rec {
      if [[ -h '${output}' ]]; then
        rm '${output}'
      fi
+
+      inherit_errexit_restore=$(shopt -p inherit_errexit)
+      shopt -s inherit_errexit
    ''
    + concatStringsSep
        "\n"
-        (imap1 (index: name: "export secret${toString index}=$(<'${secrets.${name}}')")
+        (imap1 (index: name: ''
+                  secret${toString index}=$(<'${secrets.${name}}')
+                  export secret${toString index}
+                '')
               (attrNames secrets))
    + "\n"
    + "${pkgs.jq}/bin/jq >'${output}' '"
@ -164,6 +170,7 @@ rec {
      ' <<'EOF'
      ${builtins.toJSON set}
      EOF
+      $inherit_errexit_restore
    '';

  systemdUtils = {
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -1131,8 +1131,8 @@ in {

        ExecStartPre = let
          preStartFullPrivileges = ''
-            shopt -s dotglob nullglob
-            set -eu
+            set -o errexit -o pipefail -o nounset
+            shopt -s dotglob nullglob inherit_errexit

            chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/*
            if [[ -n "$(ls -A '${cfg.statePath}'/config/)" ]]; then
@ -1142,7 +1142,8 @@ in {
        in "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}";

        ExecStart = pkgs.writeShellScript "gitlab-config" ''
-          set -eu
+          set -o errexit -o pipefail -o nounset
+          shopt -s inherit_errexit

          umask u=rwx,g=rx,o=

@ -1171,7 +1172,8 @@ in {
            rm -f '${cfg.statePath}/config/database.yml'

            ${if cfg.databasePasswordFile != null then ''
-                export db_password="$(<'${cfg.databasePasswordFile}')"
+                db_password="$(<'${cfg.databasePasswordFile}')"
+                export db_password

                if [[ -z "$db_password" ]]; then
                  >&2 echo "Database password was an empty string!"
@ -1195,10 +1197,11 @@ in {

            rm -f '${cfg.statePath}/config/secrets.yml'

-            export secret="$(<'${cfg.secrets.secretFile}')"
-            export db="$(<'${cfg.secrets.dbFile}')"
-            export otp="$(<'${cfg.secrets.otpFile}')"
-            export jws="$(<'${cfg.secrets.jwsFile}')"
+            secret="$(<'${cfg.secrets.secretFile}')"
+            db="$(<'${cfg.secrets.dbFile}')"
+            otp="$(<'${cfg.secrets.otpFile}')"
+            jws="$(<'${cfg.secrets.jwsFile}')"
+            export secret db otp jws
            jq -n '{production: {secret_key_base: $ENV.secret,
                    otp_key_base: $ENV.otp,
                    db_key_base: $ENV.db,
@ -1232,7 +1235,8 @@ in {
        RemainAfterExit = true;

        ExecStart = pkgs.writeShellScript "gitlab-db-config" ''
-          set -eu
+          set -o errexit -o pipefail -o nounset
+          shopt -s inherit_errexit
          umask u=rwx,g=rx,o=

          initial_root_password="$(<'${cfg.initialRootPasswordFile}')"