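#! /bin/sh
# postinst script for gitlab
# copied from postinst script for hplip
# $Id: hplip.postinst,v 1.1 2005/10/15 21:39:04 hmh Exp $
#
# see: dh_installdeb(1)
#
# Runs as root. On `configure' it creates the runtime directories, writes the
# Debian-specific configuration, registers config files with ucf, sets up the
# nginx site and (optionally) a Let's Encrypt certificate, creates the
# database and then sources the rake helper scripts.
#
# Quoting policy: expansions are quoted, except where the script relies on an
# unset variable expanding to no word at all (the `export $(cat ...)' lines,
# the directory lists and the `rm -f' of nginx_conf_example_tmp).

set -e

# Setup variables
# Now using gitlab-debian.defaults to override variables used only in
# maintainer scripts. Earlier versions used gitlab-debian.conf for this.
# Now gitlab-debian.conf will only have user/admin configurable variables
# and variables required by systemd services.
gitlab_debian_conf_example=/usr/lib/gitlab/templates/gitlab-debian.conf.example
gitlab_debian_conf_private=/var/lib/gitlab/gitlab-debian.conf
gitlab_debian_conf=/etc/gitlab/gitlab-debian.conf
gitlab_debian_defaults=/usr/lib/gitlab/gitlab-debian.defaults
gitlab_debian_defaults_copy=/var/lib/gitlab/gitlab-debian.defaults

# Show debconf questions
. /usr/share/debconf/confmodule

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
#
# quoting from the policy:
#     Any necessary prompting should almost always be confined to the
#     post-installation script, and should be protected with a conditional
#     so that unnecessary prompting doesn't happen if a package's
#     installation fails and the `postinst' is called with `abort-upgrade',
#     `abort-remove' or `abort-deconfigure'.

#######################################################################
# Read and export debian specific configuration
# Only exported variables will be passed on to gitlab app
#######################################################################

# The three exports below depend on word splitting: every KEY=value line of
# the file becomes one operand of `export'. Values containing whitespace or
# glob characters are therefore split or expanded.
# NOTE(review): ${gitlab_debian_conf_private} lives under /var/lib/gitlab and
# the configure step further down recursively chowns ${gitlab_data_dir} to the
# service account. If those are the same tree, later runs of this script (as
# root) read their settings from a file that account can edit -- confirm, and
# consider keeping this file root-owned.

# Bootstrap config file - first try
# shellcheck disable=SC2046
export $(cat "${gitlab_debian_conf_example}")

# second try
if [ ! -f "${gitlab_debian_conf_private}" ]; then
  cp "${gitlab_debian_conf_example}" "${gitlab_debian_conf_private}"
fi
# shellcheck disable=SC2046
export $(cat "${gitlab_debian_conf_private}")

# If /etc/gitlab/gitlab-debian.conf is already present, use it
if [ -f "${gitlab_debian_conf}" ]; then
  # shellcheck disable=SC2046
  export $(cat "${gitlab_debian_conf}")
fi

# Read default values (we cannot do this before gitlab-debian.conf is exported
# as we want to override variables set by gitlab-debian.conf in earlier gitlab
# versions with gitlab-debian.defaults)
. "${gitlab_debian_defaults}"

# Copy defaults for use with postrm
cp "${gitlab_debian_defaults}" "${gitlab_debian_defaults_copy}"

# Read gitlab_user from debconf db
db_get gitlab/user
gitlab_user=${RET:-gitlab}
# -q: only the exit status matters; do not echo config lines into the log.
if ! grep -q gitlab_user "${gitlab_debian_conf_private}"; then
  echo "gitlab_user=${gitlab_user}" >> "${gitlab_debian_conf_private}"
fi

# Create gitlab user
. /usr/lib/gitlab/scripts/adduser.sh

# These two paths feed `cd' and root-run recursive chown/chmod below. Stop
# here if the configuration left either of them empty, instead of operating
# on paths rooted at `/'.
: "${gitlab_data_dir:?gitlab_data_dir is not set}"
: "${gitlab_app_root:?gitlab_app_root is not set}"

#######################################################################
# update Gemfile.lock, always
#######################################################################
# Single quotes on purpose: ${gitlab_data_dir} is expanded by the shell that
# su starts, so it has to reach that shell through the exported environment.
# shellcheck disable=SC2016
su "${gitlab_user}" -s /bin/sh -c 'truncate -s 0 ${gitlab_data_dir}/Gemfile.lock'
cd "${gitlab_app_root}"
if ! su "${gitlab_user}" -s /bin/sh -c 'bundle --local --quiet'; then
  if [ "$1" = "triggered" ]; then
    # probably triggered in the middle of an system upgrade; ignore failure
    # but abort here
    echo "#########################################################################"
    echo "# Failed to detect gitlab dependencies; if you are in the middle of an  #"
    echo "# upgrade, this is probably fine, there will be another attempt later.  #"
    echo "#                                                                       #"
    echo "# If you are NOT in the middle of an upgrade, there is probably a real  #"
    echo "# issue. Please report a bug.                                           #"
    echo "#########################################################################"
    exit 0
  else
    # something is really broken
    exit 1
  fi
fi
cd - >/dev/null

case "$1" in
  configure)
    : "${gitlab_log_dir:?gitlab_log_dir is not set}"
    gitlab_builds_log=${gitlab_log_dir}/builds
    gitlab_repo_path=${gitlab_data_dir}/repositories
    gitlab_uploads_path=${gitlab_data_dir}/public/uploads

    # Create directories and change ownership
    echo "Creating runtime directories for gitlab..."
    # NOTE(review): the recursive chown/chmod calls in this section run as
    # root over trees the service account can write to. They depend on the
    # kernel's fs.protected_symlinks / fs.protected_hardlinks settings to keep
    # the ownership change inside those trees -- confirm that holds on every
    # target this package supports.

    # Setup ssh key file
    mkdir -p "${gitlab_data_dir}/.ssh"
    touch "${gitlab_data_dir}/.ssh/authorized_keys"
    chown -R "${gitlab_user}:" "${gitlab_data_dir}/.ssh"

    # Create .bundle for .bundle/config
    mkdir -p "${gitlab_data_dir}/.bundle"
    chown -R "${gitlab_user}:" "${gitlab_data_dir}/.bundle"

    # Create more required directories
    # List left unquoted so that an unset entry is skipped rather than
    # passed on as an empty path.
    # shellcheck disable=SC2086
    for i in ${gitlab_repo_path} ${gitlab_cache_path} ${gitlab_uploads_path} \
        ${gitlab_pid_path} ${gitlab_log_dir} ${gitlab_shell_log} ${gitlab_builds_log}; do
      mkdir -p "$i"
      chown -R "${gitlab_user}:" "$i"
    done

    # nginx/httpd should be able to connect to gitlab-workhorse.socket and serve public
    # NOTE(review): the later `chown -R ${gitlab_user}:' over ${gitlab_data_dir}
    # also covers public/, so it may reset the group assigned here -- confirm
    # the intended final group.
    # shellcheck disable=SC2086
    chown -R "${gitlab_user}:${nginx_user}" "${gitlab_uploads_path}/.." ${gitlab_pid_path}

    # Customize permissions
    echo "Updating file permissions..."
    chmod -R ug+rwX,o-rwx "${gitlab_repo_path}/"
    chmod -R ug-s "${gitlab_repo_path}/"
    find "${gitlab_repo_path}/" -type d -exec chmod g+s {} +

    # shellcheck disable=SC2086
    for i in ${gitlab_data_dir} ${gitlab_shell_root}; do
      chown -R "${gitlab_user}:" "$i"
    done

    su "${gitlab_user}" -s /bin/sh -c "chmod 700 ${gitlab_uploads_path}"
    su "${gitlab_user}" -s /bin/sh -c 'git config --global core.autocrlf "input"'

    # Commands below needs to be run from gitlab_app_root
    cd "${gitlab_app_root}"

    # Obtain hostname from debconf db
    db_get gitlab/fqdn
    if [ "${RET}" != "" ]; then
      # NOTE(review): the answer is written verbatim into gitlab-debian.conf,
      # into sed replacement text (where `/' and `&' are special) and into
      # file names below. Nothing here checks that it is a plain host name;
      # consider validating it before use.
      if ! grep -q GITLAB_HOST "${gitlab_debian_conf_private}"; then
        echo "Configuring hostname and email..."
        export GITLAB_HOST="${RET}" # We need this to configure nginx below
        cat <<EOF >> "${gitlab_debian_conf_private}"
GITLAB_HOST=${RET}
GITLAB_EMAIL_FROM="no-reply@${RET}"
GITLAB_EMAIL_DISPLAY_NAME="Gitlab"
GITLAB_EMAIL_REPLY_TO="no-reply@${RET}"
EOF
      fi

      # Check if ssl option is selected
      # (${RET} from this query is tested further down; no db_get may be
      # added in between.)
      db_get gitlab/ssl
      gl_proto="http"

      # Copy example configurations
      if [ ! -f "${gitlab_yml_private}" ]; then
        cp "${gitlab_yml_example}" "${gitlab_yml_private}"
      fi
      if [ ! -f "${gitlab_shell_config_private}" ]; then
        cp "${gitlab_shell_config_example}" "${gitlab_shell_config_private}"
      fi
      sed -i "s/GITLAB_USER/${gitlab_user}/" "${gitlab_yml_private}"

      if [ "${RET}" = "true" ]; then
        echo "Configuring nginx with HTTPS..."
        if ! grep -q GITLAB_HTTPS "${gitlab_debian_conf_private}"; then
          echo "GITLAB_HTTPS=${RET}" >> "${gitlab_debian_conf_private}"
          # Workaround for #813770
          gl_proto="https"
          echo "Configuring gitlab with HTTPS..."
          sed -i "s/#port: 80/port: 443/" "${gitlab_yml_private}"
          sed -i "s/https: false/https: true/" "${gitlab_yml_private}"
          echo "Updating gitlab_url in gitlab-shell configuration..."
          # NOTE(review): `http*:' matches `http:' but not `https:', so an
          # existing https URL is left untouched -- confirm that is intended.
          sed -i \
            "s/gitlab_url: http*:\/\/.*/gitlab_url: ${gl_proto}:\/\/${GITLAB_HOST}/" \
            "${gitlab_shell_config_private}"
        fi
        mkdir -p /etc/gitlab/ssl
        nginx_conf_example=${nginx_ssl_conf_example}

        # Check if letsencrypt option is selected
        db_get gitlab/letsencrypt
        if [ "${RET}" = "true" ]; then
          echo "Configuring letsencrypt..."
          ln -sf "/etc/letsencrypt/live/${GITLAB_HOST}/fullchain.pem" \
            /etc/gitlab/ssl/gitlab.crt
          ln -sf "/etc/letsencrypt/live/${GITLAB_HOST}/privkey.pem" \
            /etc/gitlab/ssl/gitlab.key

          # Check if certificate is already present
          if [ -e "/etc/letsencrypt/live/${GITLAB_HOST}/fullchain.pem" ]; then
            echo "Let's encrypt certificate already present."
          else
            # Port 80 and 443 should be available for letsencrypt
            if command -v nginx > /dev/null; then
              echo "Stopping nginx for letsencrypt..."
              invoke-rc.d nginx stop
            fi
            # A failed request is reported but does not abort the install.
            letsencrypt -d "${GITLAB_HOST}" certonly || {
              echo "letsencrypt auto configuration failed..."
              echo "Stop your webserver and try running letsencrypt manually..."
              echo "letsencrypt -d ${GITLAB_HOST} certonly"
            }
          fi
        fi
      fi

      # Manage tmpfiles.d/gitlab.conf via ucf
      if [ ! -f "${gitlab_tmpfiles_private}" ]; then
        cp "${gitlab_tmpfiles_example}" "${gitlab_tmpfiles_private}"
      fi
      sed -i "s/GITLAB_USER/${gitlab_user}/" "${gitlab_tmpfiles_private}"
      echo "Registering ${gitlab_tmpfiles} via ucf"
      ucf --debconf-ok --three-way "${gitlab_tmpfiles_private}" "${gitlab_tmpfiles}"
      ucfr gitlab "${gitlab_tmpfiles}"

      # Override User for systemd services
      for service in mailroom unicorn sidekiq workhorse; do
        path=/etc/systemd/system/gitlab-${service}.service.d
        mkdir -p "$path"
        # The user name is passed as an argument, not as part of the format
        # string, so a `%' or backslash in it is written literally.
        printf '[Service]\nUser=%s\n' "${gitlab_user}" > "$path/override.conf"
      done

      # Manage gitlab-shell's config.yml via ucf
      mkdir -p /etc/gitlab-shell
      echo "Registering ${gitlab_shell_config} via ucf"
      ucf --debconf-ok --three-way "${gitlab_shell_config_private}" "${gitlab_shell_config}"
      ucfr gitlab "${gitlab_shell_config}"

      # Manage gitlab.yml via ucf
      echo "Registering ${gitlab_yml} via ucf"
      ucf --debconf-ok --three-way "${gitlab_yml_private}" "${gitlab_yml}"
      ucfr gitlab "${gitlab_yml}"

      # Manage gitlab-debian.conf via ucf
      echo "Registering ${gitlab_debian_conf} via ucf"
      ucf --debconf-ok --three-way "${gitlab_debian_conf_private}" "${gitlab_debian_conf}"
      ucfr gitlab "${gitlab_debian_conf}"

      # configure nginx site
      if test -d /etc/nginx/sites-available/; then
        # Quoted: with an empty, unquoted operand `test -f' would succeed and
        # sed would then read standard input instead of a template.
        if test -f "${nginx_conf_example}"; then
          nginx_site="/etc/nginx/sites-available/${GITLAB_HOST}"
          sed -e "s/YOUR_SERVER_FQDN/${GITLAB_HOST}/" \
            "${nginx_conf_example}" > "${nginx_site_private}"
          ucf --debconf-ok --three-way "${nginx_site_private}" "${nginx_site}"
          ucfr gitlab "${nginx_site}"
          ln -fs "${nginx_site}" /etc/nginx/sites-enabled/
          # nginx_conf_example_tmp is not assigned anywhere in this script;
          # left unquoted so an unset value expands to no operand.
          # shellcheck disable=SC2086
          rm -f ${nginx_conf_example_tmp}
        else
          echo "nginx example configuration file not found"
          exit 1
        fi
      fi

      # Reload nginx
      if command -v nginx > /dev/null; then
        echo "Reloading nginx configuration..."
        invoke-rc.d nginx reload
      fi
    else
      echo "Failed to retrieve fully qualified domain name"
      exit 1
    fi
    db_stop

    echo "Create database if not present"
    if ! su postgres -s /bin/sh -c "psql gitlab_production -c ''"; then
      su postgres -c 'createdb -E unicode -T template0 gitlab_production'
    fi

    # Adjust database privileges
    . /usr/lib/gitlab/scripts/grantpriv.sh

    # Remove Gemfile.lock if present
    rm -f "${gitlab_data_dir}/Gemfile.lock"

    # Create Gemfile.lock and .secret in /var/lib/gitlab
    su "${gitlab_user}" -s /bin/sh -c "touch ${gitlab_data_dir}/Gemfile.lock"

    echo "Verifying we have all required libraries..."
    su "${gitlab_user}" -s /bin/sh -c 'bundle install --without development test --local'

    echo "Running final rake tasks and tweaks..."
    . /usr/lib/gitlab/scripts/rake-tasks.sh
    ;;

  triggered)
    # Already handled
    ;;

  abort-upgrade|abort-remove|abort-deconfigure)
    ;;

  *)
    echo "postinst called with unknown argument \`$1'" >&2
    exit 1
    ;;
esac

#DEBHELPER#

case "$1" in
  configure)
    echo "Running rake checks..."
    . /usr/lib/gitlab/scripts/gitlab-check.sh
    ;;
esac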