NixOS · Mar 22, 2018 · Mar 22, 2018 · Mar 22, 2018 · Mar 22, 2018 · Mar 22, 2018
diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix
@@ -141,7 +141,7 @@ in
         JAVA_HOME = jre;
         GRAYLOG_CONF = "${confFile}";
       };
-      path = [ pkgs.openjdk8 pkgs.which pkgs.procps ];
+      path = [ pkgs.jre_headless pkgs.which pkgs.procps ];
       preStart = ''
         mkdir -p /var/lib/graylog -m 755
 

diff --git a/nixos/modules/services/misc/defaultUnicornConfig.rb b/nixos/modules/services/misc/defaultUnicornConfig.rb
@@ -1,205 +1,69 @@
-# The following was taken from github.com/crohr/syslogger and is BSD
-# licensed.
-require 'syslog'
-require 'logger'
-require 'thread'
+worker_processes 3
 
-class Syslogger
-
-  VERSION = "1.6.0"
-
-  attr_reader :level, :ident, :options, :facility, :max_octets
-  attr_accessor :formatter
-
-  MAPPING = {
-    Logger::DEBUG => Syslog::LOG_DEBUG,
-    Logger::INFO => Syslog::LOG_INFO,
-    Logger::WARN => Syslog::LOG_WARNING,
-    Logger::ERROR => Syslog::LOG_ERR,
-    Logger::FATAL => Syslog::LOG_CRIT,
-    Logger::UNKNOWN => Syslog::LOG_ALERT
-  }
-
-  #
-  # Initializes default options for the logger
-  # <tt>ident</tt>:: the name of your program [default=$0].
-  # <tt>options</tt>::  syslog options [default=<tt>Syslog::LOG_PID | Syslog::LOG_CONS</tt>].
-  #                     Correct values are:
-  #                       LOG_CONS    : writes the message on the console if an error occurs when sending the message;
-  #                       LOG_NDELAY  : no delay before sending the message;
-  #                       LOG_PERROR  : messages will also be written on STDERR;
-  #                       LOG_PID     : adds the process number to the message (just after the program name)
-  # <tt>facility</tt>:: the syslog facility [default=nil] Correct values include:
-  #                       Syslog::LOG_DAEMON
-  #                       Syslog::LOG_USER
-  #                       Syslog::LOG_SYSLOG
-  #                       Syslog::LOG_LOCAL2
-  #                       Syslog::LOG_NEWS
-  #                       etc.
-  #
-  # Usage:
-  #   logger = Syslogger.new("my_app", Syslog::LOG_PID | Syslog::LOG_CONS, Syslog::LOG_LOCAL0)
-  #   logger.level = Logger::INFO # use Logger levels
-  #   logger.warn "warning message"
-  #   logger.debug "debug message"
-  #
-  def initialize(ident = $0, options = Syslog::LOG_PID | Syslog::LOG_CONS, facility = nil)
-    @ident = ident
-    @options = options || (Syslog::LOG_PID | Syslog::LOG_CONS)
-    @facility = facility
-    @level = Logger::INFO
-    @mutex = Mutex.new
-    @formatter = Logger::Formatter.new
-  end
-
-  %w{debug info warn error fatal unknown}.each do |logger_method|
-    # Accepting *args as message could be nil.
-    #  Default params not supported in ruby 1.8.7
-    define_method logger_method.to_sym do |*args, &block|
-      return true if @level > Logger.const_get(logger_method.upcase)
-      message = args.first || block && block.call
-      add(Logger.const_get(logger_method.upcase), message)
-    end
-
-    unless logger_method == 'unknown'
-      define_method "#{logger_method}?".to_sym do
-        @level <= Logger.const_get(logger_method.upcase)
-      end
-    end
-  end
-
-  # Log a message at the Logger::INFO level. Useful for use with Rack::CommonLogger
-  def write(msg)
-    add(Logger::INFO, msg)
-  end
-
-  # Logs a message at the Logger::INFO level.
-  def <<(msg)
-    add(Logger::INFO, msg)
-  end
-
-  # Low level method to add a message.
-  # +severity+::  the level of the message. One of Logger::DEBUG, Logger::INFO, Logger::WARN, Logger::ERROR, Logger::FATAL, Logger::UNKNOWN
-  # +message+:: the message string.
-  #             If nil, the method will call the block and use the result as the message string.
-  #             If both are nil or no block is given, it will use the progname as per the behaviour of both the standard Ruby logger, and the Rails BufferedLogger.
-  # +progname+:: optionally, overwrite the program name that appears in the log message.
-  def add(severity, message = nil, progname = nil, &block)
-    if message.nil? && block.nil? && !progname.nil?
-      message, progname = progname, nil
-    end
-    progname ||= @ident
-
-    @mutex.synchronize do
-      Syslog.open(progname, @options, @facility) do |s|
-        s.mask = Syslog::LOG_UPTO(MAPPING[@level])
-        communication = clean(message || block && block.call)
-        if self.max_octets
-          buffer = "#{tags_text}"
-          communication.bytes do |byte|
-            buffer.concat(byte)
-            # if the last byte we added is potentially part of an escape, we'll go ahead and add another byte
-            if buffer.bytesize >= self.max_octets && !['%'.ord,'\\'.ord].include?(byte)
-              s.log(MAPPING[severity],buffer)
-              buffer = ""
-            end
-          end
-          s.log(MAPPING[severity],buffer) unless buffer.empty?
-        else
-          s.log(MAPPING[severity],"#{tags_text}#{communication}")
-        end
-      end
-    end
-  end
-
-  # Set the max octets of the messages written to the log
-  def max_octets=(max_octets)
-    @max_octets = max_octets
-  end
-
-  # Sets the minimum level for messages to be written in the log.
-  # +level+:: one of <tt>Logger::DEBUG</tt>, <tt>Logger::INFO</tt>, <tt>Logger::WARN</tt>, <tt>Logger::ERROR</tt>, <tt>Logger::FATAL</tt>, <tt>Logger::UNKNOWN</tt>
-  def level=(level)
-    level = Logger.const_get(level.to_s.upcase) if level.is_a?(Symbol)
-
-    unless level.is_a?(Fixnum)
-      raise ArgumentError.new("Invalid logger level `#{level.inspect}`")
-    end
-
-    @level = level
-  end
-
-  # Sets the ident string passed along to Syslog
-  def ident=(ident)
-    @ident = ident
-  end
-
-  # Tagging code borrowed from ActiveSupport gem
-  def tagged(*tags)
-    new_tags = push_tags(*tags)
-    yield self
-  ensure
-    pop_tags(new_tags.size)
-  end
-
-  def push_tags(*tags)
-    tags.flatten.reject{ |i| i.respond_to?(:empty?) ? i.empty? : !i }.tap do |new_tags|
-      current_tags.concat new_tags
-    end
-  end
-
-  def pop_tags(size = 1)
-    current_tags.pop size
-  end
-
-  def clear_tags!
-    current_tags.clear
-  end
-
-  protected
-
-  # Borrowed from SyslogLogger.
-  def clean(message)
-    message = message.to_s.dup
-    message.strip! # remove whitespace
-    message.gsub!(/\n/, '\\n') # escape newlines
-    message.gsub!(/%/, '%%') # syslog(3) freaks on % (printf)
-    message.gsub!(/\e\[[^m]*m/, '') # remove useless ansi color codes
-    message
-  end
-
-  private
-
-  def tags_text
-    tags = current_tags
-    if tags.any?
-      tags.collect { |tag| "[#{tag}] " }.join
-    end
-  end
-
-  def current_tags
-    Thread.current[:syslogger_tagged_logging_tags] ||= []
-  end
-end
+listen ENV["UNICORN_PATH"] + "/tmp/sockets/gitlab.socket", :backlog => 1024
+listen "/run/gitlab/gitlab.socket", :backlog => 1024
 
-worker_processes 2
 working_directory ENV["GITLAB_PATH"]
-pid ENV["UNICORN_PATH"] + "/tmp/pids/unicorn.pid"
 
-listen ENV["UNICORN_PATH"] + "/tmp/sockets/gitlab.socket", :backlog => 1024
+pid ENV["UNICORN_PATH"] + "/tmp/pids/unicorn.pid"
 
 timeout 60
 
-logger Syslogger.new
-
+# combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings
+# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow
 preload_app true
-
 GC.respond_to?(:copy_on_write_friendly=) and
   GC.copy_on_write_friendly = true
 
 check_client_connection false
 
+before_fork do |server, worker|
+  # the following is highly recommended for Rails + "preload_app true"
+  # as there's no need for the master process to hold a connection
+  defined?(ActiveRecord::Base) and
+    ActiveRecord::Base.connection.disconnect!
+
+  # The following is only recommended for memory/DB-constrained
+  # installations.  It is not needed if your system can house
+  # twice as many worker_processes as you have configured.
+  #
+  # This allows a new master process to incrementally
+  # phase out the old master process with SIGTTOU to avoid a
+  # thundering herd (especially in the "preload_app false" case)
+  # when doing a transparent upgrade.  The last worker spawned
+  # will then kill off the old master process with a SIGQUIT.
+  old_pid = "#{server.config[:pid]}.oldbin"
+  if old_pid != server.pid
+    begin
+      sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
+      Process.kill(sig, File.read(old_pid).to_i)
+    rescue Errno::ENOENT, Errno::ESRCH
+    end
+  end
+
+  # Throttle the master from forking too quickly by sleeping.  Due
+  # to the implementation of standard Unix signal handlers, this
+  # helps (but does not completely) prevent identical, repeated signals
+  # from being lost when the receiving process is busy.
+  # sleep 1
+end
+
 after_fork do |server, worker|
+  # per-process listener ports for debugging/admin/migrations
+  # addr = "127.0.0.1:#{9293 + worker.nr}"
+  # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true)
+
+  # the following is *required* for Rails + "preload_app true",
   defined?(ActiveRecord::Base) and
     ActiveRecord::Base.establish_connection
+
+  # reset prometheus client, this will cause any opened metrics files to be closed
+  defined?(::Prometheus::Client.reinitialize_on_pid_change) &&
+    Prometheus::Client.reinitialize_on_pid_change
+
+  # if preload_app is true, then you may also want to check and
+  # restart any other shared sockets/descriptors such as Memcached,
+  # and Redis.  TokyoCabinet file handles are safe to reuse
+  # between any number of forked children (assuming your kernel
+  # correctly implements pread()/pwrite() system calls)
 end
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
@@ -143,6 +143,7 @@ let
     GITLAB_PATH = "${cfg.packages.gitlab}/share/gitlab/";
     GITLAB_STATE_PATH = "${cfg.statePath}";
     GITLAB_UPLOADS_PATH = "${cfg.statePath}/uploads";
+    SCHEMA = "${cfg.statePath}/db/schema.rb";
     GITLAB_LOG_PATH = "${cfg.statePath}/log";
     GITLAB_SHELL_PATH = "${cfg.packages.gitlab-shell}";
     GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/shell/config.yml";
@@ -500,7 +501,7 @@ in {
         Type = "simple";
         User = cfg.user;
         Group = cfg.group;
-        TimeoutSec = "300";
+        TimeoutSec = "infinity";
         Restart = "on-failure";
         WorkingDirectory = gitlabEnv.HOME;
         ExecStart = "${cfg.packages.gitaly}/bin/gitaly ${gitalyToml}";
@@ -566,6 +567,7 @@ in {
         mkdir -p ${cfg.statePath}/tmp/pids
         mkdir -p ${cfg.statePath}/tmp/sockets
         mkdir -p ${cfg.statePath}/shell
+        mkdir -p ${cfg.statePath}/db
 
         rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks
         mkdir -p ${cfg.statePath}/config
@@ -580,13 +582,15 @@ in {
         ln -sf ${cfg.statePath}/log /run/gitlab/log
         ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads
         ln -sf ${cfg.statePath}/tmp /run/gitlab/tmp
+        ln -sf $GITLAB_SHELL_CONFIG_PATH /run/gitlab/shell-config.yml
         chown -R ${cfg.user}:${cfg.group} /run/gitlab
 
         # Prepare home directory
         mkdir -p ${gitlabEnv.HOME}/.ssh
         touch ${gitlabEnv.HOME}/.ssh/authorized_keys
         chown -R ${cfg.user}:${cfg.group} ${gitlabEnv.HOME}/
 
+        cp -rf ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db
         cp -rf ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config
         ${optionalString cfg.smtp.enable ''
           ln -sf ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb

diff --git a/pkgs/applications/version-management/gitaly/Gemfile b/pkgs/applications/version-management/gitaly/Gemfile
@@ -1,11 +1,18 @@
 source 'https://rubygems.org'
 
 gem 'github-linguist', '~> 4.7.0', require: 'linguist'
-gem 'gitaly-proto', '~> 0.59.0', require: 'gitaly'
-gem 'activesupport'
+gem 'gitlab-markup', '~> 1.6.2'
+gem 'gitaly-proto', '~> 0.83.0', require: 'gitaly'
+gem 'activesupport', '~> 5.0.2'
+gem 'rdoc', '~> 4.2'
 gem 'gollum-lib', '~> 4.2', require: false
 gem 'gollum-rugged_adapter', '~> 0.4.4', require: false
+gem 'grpc', '~> 1.8.0'
+
+# Locked until https://github.com/google/protobuf/issues/4210 is closed
+gem 'google-protobuf', '= 3.5.1'
 
 group :development, :test do
   gem 'gitlab-styles', '~> 2.0.0', require: false
+  gem 'rspec', require: false
 end
diff --git a/pkgs/applications/version-management/gitaly/Gemfile.lock b/pkgs/applications/version-management/gitaly/Gemfile.lock
@@ -1,23 +1,23 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (5.0.0.1)
+    activesupport (5.0.6)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (~> 0.7)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    addressable (2.5.1)
-      public_suffix (~> 2.0, >= 2.0.2)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
     ast (2.3.0)
     charlock_holmes (0.7.5)
     concurrent-ruby (1.0.5)
     diff-lcs (1.3)
     escape_utils (1.1.1)
-    faraday (0.12.2)
+    faraday (0.14.0)
       multipart-post (>= 1.2, < 3)
     gemojione (3.3.0)
       json
-    gitaly-proto (0.59.0)
+    gitaly-proto (0.83.0)
       google-protobuf (~> 3.1)
       grpc (~> 1.0)
     github-linguist (4.7.6)
@@ -31,6 +31,7 @@ GEM
       diff-lcs (~> 1.1)
       mime-types (>= 1.16)
       posix-spawn (~> 0.3)
+    gitlab-markup (1.6.3)
     gitlab-styles (2.0.0)
       rubocop (~> 0.49)
       rubocop-gitlab-security (~> 0.1.0)
@@ -48,21 +49,24 @@ GEM
     gollum-rugged_adapter (0.4.4)
       mime-types (>= 1.15)
       rugged (~> 0.25)
-    google-protobuf (3.4.0.2)
-    googleauth (0.5.3)
+    google-protobuf (3.5.1)
+    googleapis-common-protos-types (1.0.1)
+      google-protobuf (~> 3.0)
+    googleauth (0.6.2)
       faraday (~> 0.12)
-      jwt (~> 1.4)
+      jwt (>= 1.4, < 3.0)
       logging (~> 2.0)
       memoist (~> 0.12)
       multi_json (~> 1.11)
       os (~> 0.9)
       signet (~> 0.7)
-    grpc (1.6.0)
+    grpc (1.8.7)
       google-protobuf (~> 3.1)
-      googleauth (~> 0.5.1)
+      googleapis-common-protos-types (~> 1.0.0)
+      googleauth (>= 0.5.1, < 0.7)
     i18n (0.8.1)
     json (2.1.0)
-    jwt (1.5.6)
+    jwt (2.1.0)
     little-plugger (1.1.4)
     logging (2.2.2)
       little-plugger (~> 1.1)
@@ -73,7 +77,7 @@ GEM
     mime-types-data (3.2016.0521)
     mini_portile2 (2.3.0)
     minitest (5.9.1)
-    multi_json (1.12.1)
+    multi_json (1.13.1)
     multipart-post (2.0.0)
     nokogiri (1.8.1)
       mini_portile2 (~> 2.3.0)
@@ -83,11 +87,25 @@ GEM
       ast (~> 2.2)
     posix-spawn (0.3.13)
     powerpack (0.1.1)
-    public_suffix (2.0.5)
+    public_suffix (3.0.1)
     rainbow (2.2.2)
       rake
     rake (12.1.0)
+    rdoc (4.3.0)
     rouge (2.2.1)
+    rspec (3.6.0)
+      rspec-core (~> 3.6.0)
+      rspec-expectations (~> 3.6.0)
+      rspec-mocks (~> 3.6.0)
+    rspec-core (3.6.0)
+      rspec-support (~> 3.6.0)
+    rspec-expectations (3.6.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.6.0)
+    rspec-mocks (3.6.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.6.0)
+    rspec-support (3.6.0)
     rubocop (0.50.0)
       parallel (~> 1.10)
       parser (>= 2.3.3.1, < 3.0)
@@ -103,10 +121,10 @@ GEM
     rugged (0.26.0)
     sanitize (2.1.0)
       nokogiri (>= 1.4.4)
-    signet (0.7.3)
+    signet (0.8.1)
       addressable (~> 2.3)
       faraday (~> 0.9)
-      jwt (~> 1.5)
+      jwt (>= 1.5, < 3.0)
       multi_json (~> 1.10)
     stringex (2.7.1)
     thread_safe (0.3.6)
@@ -118,12 +136,17 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  activesupport
-  gitaly-proto (~> 0.59.0)
+  activesupport (~> 5.0.2)
+  gitaly-proto (~> 0.83.0)
   github-linguist (~> 4.7.0)
+  gitlab-markup (~> 1.6.2)
   gitlab-styles (~> 2.0.0)
   gollum-lib (~> 4.2)
   gollum-rugged_adapter (~> 0.4.4)
+  google-protobuf (= 3.5.1)
+  grpc (~> 1.8.0)
+  rdoc (~> 4.2)
+  rspec
 
 BUNDLED WITH
-   1.16.0
+   1.16.1
diff --git a/pkgs/applications/version-management/gitaly/default.nix b/pkgs/applications/version-management/gitaly/default.nix
@@ -7,14 +7,14 @@ let
     gemdir = ./.;
   };
 in buildGoPackage rec {
-  version = "0.59.2";
+  version = "0.81.0";
   name = "gitaly-${version}";
 
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitaly";
     rev = "v${version}";
-    sha256 = "08f109rw3qxdr93l0kl8wxmrvn846a6vdkssvrp2zr40yn9wif7m";
+    sha256 = "01sw5y201xbd21k9r7xmzqiiypb924ac95nqqfhzplqnssa98n9y";
   };
 
   goPackagePath = "gitlab.com/gitlab-org/gitaly";

diff --git a/pkgs/applications/version-management/gitaly/gemset.nix b/pkgs/applications/version-management/gitaly/gemset.nix
@@ -3,19 +3,19 @@
     dependencies = ["concurrent-ruby" "i18n" "minitest" "tzinfo"];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1vgjr48yiynwf9rh2nsxa8w134na0805l40chf9g9scii9k70rj9";
+      sha256 = "0g85lqq0smj71g8a2dxb54ajjzw59c9snana4p61knryc83q3yg6";
       type = "gem";
     };
-    version = "5.0.0.1";
+    version = "5.0.6";
   };
   addressable = {
     dependencies = ["public_suffix"];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1i8q32a4gr0zghxylpyy7jfqwxvwrivsxflg9mks6kx92frh75mh";
+      sha256 = "0viqszpkggqi8hq87pqp0xykhvz60g99nwmkwsb0v45kc2liwxvk";
       type = "gem";
     };
-    version = "2.5.1";
+    version = "2.5.2";
   };
   ast = {
     source = {
@@ -61,10 +61,10 @@
     dependencies = ["multipart-post"];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "157c4cmb5g1b3ny6k9qf9z57rfijl54fcq3hnqqf6g31g1m096b2";
+      sha256 = "1c3x3s8vb5nf7inyfvhdxwa4q3swmnacpxby6pish5fgmhws7zrr";
       type = "gem";
     };
-    version = "0.12.2";
+    version = "0.14.0";
   };
   gemojione = {
     dependencies = ["json"];
@@ -79,10 +79,10 @@
     dependencies = ["google-protobuf" "grpc"];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0s86126iqhbmkix6zs357ixlc1syyxmwk2blaimsav7f0x9swy82";
+      sha256 = "0z3asy104q36sshq9zhmgcm32sg8qr8jvy0mi19nakkq7prrkwqv";
       type = "gem";
     };
-    version = "0.59.0";
+    version = "0.83.0";
   };
   github-linguist = {
     dependencies = ["charlock_holmes" "escape_utils" "mime-types" "rugged"];
@@ -110,6 +110,14 @@
     };
     version = "2.8.2";
   };
+  gitlab-markup = {
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "1pvx257azpr00yvb74lgjpgnj72nwyd29l9a18280rgmp4cjniki";
+      type = "gem";
+    };
+    version = "1.6.3";
+  };
   gitlab-styles = {
     dependencies = ["rubocop" "rubocop-gitlab-security" "rubocop-rspec"];
     source = {
@@ -149,28 +157,37 @@
   google-protobuf = {
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1jh8axm5m75rvdf2i3s24pmi7p613armh9vk3p1d0ryfx159mqkl";
+      sha256 = "0s8ijd9wdrkqwsb6nasrsv7f9i5im2nyax7f7jlb5y9vh8nl98qi";
       type = "gem";
     };
-    version = "3.4.0.2";
+    version = "3.5.1";
+  };
+  googleapis-common-protos-types = {
+    dependencies = ["google-protobuf"];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0yf10s7w8wpa49hc86z7z2fkn9yz7j2njz0n8xmqb24ji090z4ck";
+      type = "gem";
+    };
+    version = "1.0.1";
   };
   googleauth = {
     dependencies = ["faraday" "jwt" "logging" "memoist" "multi_json" "os" "signet"];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1xpmvrzhczak25nm0k3r9aa083lmfnzi94mir3g1xyrgzz66vxli";
+      sha256 = "08z4zfj9cwry13y8c2w5p4xylyslxxjq4wahd95bk1ddl5pknd4f";
       type = "gem";
     };
-    version = "0.5.3";
+    version = "0.6.2";
   };
   grpc = {
-    dependencies = ["google-protobuf" "googleauth"];
+    dependencies = ["google-protobuf" "googleapis-common-protos-types" "googleauth"];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "056ipqai887x5jpbgcc215kdi0lfqjzcjbx3hx11cjrfww01zc52";
+      sha256 = "02b80pyg4rgkiafyh1jqnfh6xp9abpd1x0a9c2h98f0851scw28b";
       type = "gem";
     };
-    version = "1.6.0";
+    version = "1.8.7";
   };
   i18n = {
     source = {
@@ -191,10 +208,10 @@
   jwt = {
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "124zz1142bi2if7hl5pcrcamwchv4icyr5kaal9m2q6wqbdl6aw4";
+      sha256 = "1w0kaqrbl71cq9sbnixc20x5lqah3hs2i93xmhlfdg2y3by7yzky";
       type = "gem";
     };
-    version = "1.5.6";
+    version = "2.1.0";
   };
   little-plugger = {
     source = {
@@ -257,10 +274,10 @@
   multi_json = {
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1wpc23ls6v2xbk3l1qncsbz16npvmw8p0b38l8czdzri18mp51xk";
+      sha256 = "1rl0qy4inf1mp8mybfk56dfga0mvx97zwpmq5xmiwl5r770171nv";
       type = "gem";
     };
-    version = "1.12.1";
+    version = "1.13.1";
   };
   multipart-post = {
     source = {
@@ -323,10 +340,10 @@
   public_suffix = {
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "040jf98jpp6w140ghkhw2hvc1qx41zvywx5gj7r2ylr1148qnj7q";
+      sha256 = "0mvzd9ycjw8ydb9qy3daq3kdzqs2vpqvac4dqss6ckk4rfcjc637";
       type = "gem";
     };
-    version = "2.0.5";
+    version = "3.0.1";
   };
   rainbow = {
     dependencies = ["rake"];
@@ -345,6 +362,14 @@
     };
     version = "12.1.0";
   };
+  rdoc = {
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "13ba2mhqqcsp3k97x3iz9x29xk26rv4561lfzzzibcy41vvj1n4c";
+      type = "gem";
+    };
+    version = "4.3.0";
+  };
   rouge = {
     source = {
       remotes = ["https://rubygems.org"];
@@ -353,6 +378,50 @@
     };
     version = "2.2.1";
   };
+  rspec = {
+    dependencies = ["rspec-core" "rspec-expectations" "rspec-mocks"];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "1nd50hycab2a2vdah9lxi585g8f63jxjvmzmxqyln51grxwx9hzb";
+      type = "gem";
+    };
+    version = "3.6.0";
+  };
+  rspec-core = {
+    dependencies = ["rspec-support"];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "18np8wyw2g79waclpaacba6nd7x60ixg07ncya0j0qj1z9b37grd";
+      type = "gem";
+    };
+    version = "3.6.0";
+  };
+  rspec-expectations = {
+    dependencies = ["diff-lcs" "rspec-support"];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "028ifzf9mqp3kxx40q1nbwj40g72g9zk0wr78l146phblkv96w0a";
+      type = "gem";
+    };
+    version = "3.6.0";
+  };
+  rspec-mocks = {
+    dependencies = ["diff-lcs" "rspec-support"];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0nv6jkxy24sag1i9w9wi3850k6skk2fm6yhcrgnmlz6vmwxvizp8";
+      type = "gem";
+    };
+    version = "3.6.0";
+  };
+  rspec-support = {
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "050paqqpsml8w88nf4a15zbbj3vvm471zpv73sjfdnz7w21wnypb";
+      type = "gem";
+    };
+    version = "3.6.0";
+  };
   rubocop = {
     dependencies = ["parallel" "parser" "powerpack" "rainbow" "ruby-progressbar" "unicode-display_width"];
     source = {
@@ -409,10 +478,10 @@
     dependencies = ["addressable" "faraday" "jwt" "multi_json"];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "149668991xqibvm8kvl10kzy891yd6f994b4gwlx6c3vl24v5jq6";
+      sha256 = "0js81lxqirdza8gf2f6avh11fny49ygmxfi1qx7jp8l9wrhznbkv";
       type = "gem";
     };
-    version = "0.7.3";
+    version = "0.8.1";
   };
   stringex = {
     source = {

diff --git a/pkgs/applications/version-management/gitlab-shell/default.nix b/pkgs/applications/version-management/gitlab-shell/default.nix
@@ -1,14 +1,14 @@
 { stdenv, ruby, bundler, fetchFromGitLab, go }:
 
 stdenv.mkDerivation rec {
-  version = "5.10.2";
+  version = "6.0.3";
   name = "gitlab-shell-${version}";
 
   srcs = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitlab-shell";
     rev = "v${version}";
-    sha256 = "16lwnzsppql7pkf8fka6cwkghdr57g225zvln9ii29w7nzz1hvaf";
+    sha256 = "073y41d9sqy6l6dxbiml6c13fq98qcb0jf86w9slld1mcw19cmrk";
   };
 
   buildInputs = [ ruby bundler go ];
@@ -30,29 +30,9 @@ stdenv.mkDerivation rec {
   # code by default which doesn't work in nixos because it's a
   # read-only filesystem
   postPatch = ''
-    substituteInPlace lib/gitlab_config.rb --replace\
-       "File.join(ROOT_PATH, 'config.yml')"\
-       "ENV['GITLAB_SHELL_CONFIG_PATH']"
-
-    # Note that we're running gitlab-shell from current-system/sw
-    # because otherwise updating gitlab-shell won't be reflected in
-    # the hardcoded path of the authorized-keys file:
-    substituteInPlace lib/gitlab_keys.rb --replace\
-        "\"#{ROOT_PATH}/bin/gitlab-shell"\
-        "\"GITLAB_SHELL_CONFIG_PATH=#{ENV['GITLAB_SHELL_CONFIG_PATH']} /run/current-system/sw/bin/gitlab-shell"
-
-    # We're setting GITLAB_SHELL_CONFIG_PATH in the ssh authorized key
-    # environment because we need it in gitlab_configrb
-    # . unsetenv_others will remove that so we're not doing it for
-    # now.
-    #
-    # TODO: Are there any security implications? The commit adding
-    # unsetenv_others didn't mention anything...
-    #
-    # Kernel::exec({'PATH' => ENV['PATH'], 'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'], 'GL_ID' => ENV['GL_ID']}, *args, unsetenv_others: true)
-    substituteInPlace lib/gitlab_shell.rb --replace\
-        " *args, unsetenv_others: true)"\
-        " *args)"
+    substituteInPlace lib/gitlab_config.rb --replace \
+       "File.join(ROOT_PATH, 'config.yml')" \
+       "'/run/gitlab/shell-config.yml'"
   '';
 
   meta = with stdenv.lib; {

diff --git a/pkgs/applications/version-management/gitlab-shell/fixes.patch b/pkgs/applications/version-management/gitlab-shell/fixes.patch
@@ -1,12 +1,11 @@
 diff --git a/support/go_build.rb b/support/go_build.rb
-index 82f94d2..40ba35e 100644
+index 30a6b71..46b4dfa 100644
 --- a/support/go_build.rb
 +++ b/support/go_build.rb
-@@ -25,9 +25,8 @@ module GoBuild
-   def run!(env, cmd)
+@@ -26,8 +26,8 @@ module GoBuild
      raise "env must be a hash" unless env.is_a?(Hash)
      raise "cmd must be an array" unless cmd.is_a?(Array)
--  
+   
 -    if !system(env, *cmd)
 -      abort "command failed: #{env.inspect} #{cmd.join(' ')}"
 -    end

diff --git a/pkgs/applications/version-management/gitlab-shell/remove-hardcoded-locations.patch b/pkgs/applications/version-management/gitlab-shell/remove-hardcoded-locations.patch
@@ -1,30 +1,3 @@
-diff --git a/lib/gitlab_projects.rb b/lib/gitlab_projects.rb
-index 0b11ce3..ffc3faf 100644
---- a/lib/gitlab_projects.rb
-+++ b/lib/gitlab_projects.rb
-@@ -8,7 +8,7 @@ require_relative 'gitlab_metrics'
- require_relative 'gitlab_metrics'
-
- class GitlabProjects
--  GLOBAL_HOOKS_DIRECTORY = File.join(ROOT_PATH, 'hooks')
-+  GLOBAL_HOOKS_DIRECTORY = ENV['GITLAB_SHELL_HOOKS_PATH'] || File.join(ROOT_PATH, 'hooks')
-
-   # Project name is a directory name for repository with .git at the end
-   # It may be namespaced or not. Like repo.git or gitlab/repo.git
-diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb
-index e7d0254..181ec8a 100644
---- a/lib/gitlab_shell.rb
-+++ b/lib/gitlab_shell.rb
-@@ -188,7 +188,8 @@ class GitlabShell
-     end
-
-     # We use 'chdir: ROOT_PATH' to let the next executable know where config.yml is.
--    Kernel::exec(env, *args, unsetenv_others: true, chdir: ROOT_PATH)
-+    # Except we don't, because we're already in the right directory on nixos !
-+    Kernel::exec(env, *args, unsetenv_others: true)
-   end
-
-   def api
 diff --git a/go/internal/config/config.go b/go/internal/config/config.go
 index c57b4de..88cfc95 100644
 --- a/go/internal/config/config.go
@@ -34,7 +7,21 @@ index c57b4de..88cfc95 100644
  	cfg.RootDir = dir
 
 -	configBytes, err := ioutil.ReadFile(path.Join(cfg.RootDir, configFile))
-+	configBytes, err := ioutil.ReadFile(os.Getenv("GITLAB_SHELL_CONFIG_PATH"))
++	configBytes, err := ioutil.ReadFile("/run/gitlab/shell-config.yml")
  	if err != nil {
  		return nil, err
  	}
+diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb
+index 1452f95..2b40327 100644
+--- a/lib/gitlab_shell.rb
++++ b/lib/gitlab_shell.rb
+@@ -180,7 +180,8 @@ class GitlabShell
+     end
+
+     # We use 'chdir: ROOT_PATH' to let the next executable know where config.yml is.
+-    Kernel::exec(env, *args, unsetenv_others: true, chdir: ROOT_PATH)
++    # Except we don't, because we're already in the right directory on nixos!
++    Kernel::exec(env, *args, unsetenv_others: true)
+   end
+
+   def api
diff --git a/pkgs/applications/version-management/gitlab-workhorse/default.nix b/pkgs/applications/version-management/gitlab-workhorse/default.nix
@@ -1,14 +1,14 @@
 { stdenv, fetchFromGitLab, git, go }:
 
 stdenv.mkDerivation rec {
-  version = "3.3.1";
+  version = "3.6.0";
   name = "gitlab-workhorse-${version}";
 
   srcs = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitlab-workhorse";
     rev = "v${version}";
-    sha256 = "19x9ryp99xygj39kq2r756rahh9mxp6j83hxvv09y33vgz64y8xh";
+    sha256 = "1vcxm9m82m1dcc86r29k5v8cp3zvpby4kszbkavl3frm3ws0w9lz";
   };
 
   buildInputs = [ git go ];

diff --git a/pkgs/applications/version-management/gitlab/Gemfile b/pkgs/applications/version-management/gitlab/Gemfile
@@ -12,7 +12,7 @@ gem 'sprockets', '~> 3.7.0'
 gem 'default_value_for', '~> 3.0.0'
 
 # Supported DBs
-gem 'mysql2', '~> 0.4.5', group: :mysql
+gem 'mysql2', '~> 0.4.10', group: :mysql
 gem 'pg', '~> 0.18.2', group: :postgres
 
 gem 'rugged', '~> 0.26.0'
@@ -25,7 +25,7 @@ gem 'devise', '~> 4.2'
 gem 'doorkeeper', '~> 4.2.0'
 gem 'doorkeeper-openid_connect', '~> 1.2.0'
 gem 'omniauth', '~> 1.4.2'
-gem 'omniauth-auth0', '~> 1.4.1'
+gem 'omniauth-auth0', '~> 2.0.0'
 gem 'omniauth-azure-oauth2', '~> 0.0.9'
 gem 'omniauth-cas3', '~> 1.1.4'
 gem 'omniauth-facebook', '~> 4.0.0'
@@ -69,7 +69,15 @@ gem 'net-ldap'
 
 # Git Wiki
 # Required manually in config/initializers/gollum.rb to control load order
+# Before updating this gem, check if
+# https://github.com/gollum/gollum-lib/pull/292 has been merged.
+# If it has, then remove the monkey patch for update_page, rename_page and raw_data_in_committer
+# in config/initializers/gollum.rb
 gem 'gollum-lib', '~> 4.2', require: false
+
+# Before updating this gem, check if
+# https://github.com/gollum/rugged_adapter/pull/28 has been merged.
+# If it has, then remove the monkey patch for tree_entry in config/initializers/gollum.rb
 gem 'gollum-rugged_adapter', '~> 0.4.4', require: false
 
 # Language detection
@@ -78,7 +86,7 @@ gem 'github-linguist', '~> 4.7.0', require: 'linguist'
 # API
 gem 'grape', '~> 1.0'
 gem 'grape-entity', '~> 0.6.0'
-gem 'rack-cors', '~> 0.4.0', require: 'rack/cors'
+gem 'rack-cors', '~> 1.0.0', require: 'rack/cors'
 
 # Disable strong_params so that Mash does not respond to :permitted?
 gem 'hashie-forbidden_attributes'
@@ -111,7 +119,7 @@ gem 'google-api-client', '~> 0.13.6'
 gem 'unf', '~> 0.1.4'
 
 # Seed data
-gem 'seed-fu', '2.3.6' # Upgrade to > 2.3.7 once https://github.com/mbleigh/seed-fu/issues/123 is solved
+gem 'seed-fu', '~> 2.3.7'
 
 # Markdown and HTML processing
 gem 'html-pipeline', '~> 1.11.0'
@@ -128,7 +136,7 @@ gem 'asciidoctor-plantuml', '0.0.7'
 gem 'rouge', '~> 2.0'
 gem 'truncato', '~> 0.7.9'
 gem 'bootstrap_form', '~> 2.7.0'
-gem 'nokogiri', '~> 1.8.1'
+gem 'nokogiri', '~> 1.8.2'
 
 # Diffs
 gem 'diffy', '~> 3.1.0'
@@ -229,6 +237,9 @@ gem 'charlock_holmes', '~> 0.7.5'
 # Faster JSON
 gem 'oj', '~> 2.17.4'
 
+# Faster blank
+gem 'fast_blank'
+
 # Parse time & duration
 gem 'chronic', '~> 0.10.2'
 gem 'chronic_duration', '~> 0.10.6'
@@ -263,7 +274,7 @@ gem 'gettext_i18n_rails', '~> 1.8.0'
 gem 'gettext_i18n_rails_js', '~> 1.2.0'
 gem 'gettext', '~> 3.2.2', require: false, group: :development
 
-gem 'batch-loader'
+gem 'batch-loader', '~> 1.2.1'
 
 # Perf bar
 gem 'peek', '~> 1.0.1'
@@ -283,7 +294,7 @@ group :metrics do
   gem 'influxdb', '~> 0.2', require: false
 
   # Prometheus
-  gem 'prometheus-client-mmap', '~> 0.7.0.beta43'
+  gem 'prometheus-client-mmap', '~> 0.9.1'
   gem 'raindrops', '~> 0.18'
 end
 
@@ -311,14 +322,14 @@ group :development, :test do
   gem 'fuubar', '~> 2.2.0'
 
   gem 'database_cleaner', '~> 1.5.0'
-  gem 'factory_girl_rails', '~> 4.7.0'
+  gem 'factory_bot_rails', '~> 4.8.2'
   gem 'rspec-rails', '~> 3.6.0'
   gem 'rspec-retry', '~> 0.4.5'
   gem 'spinach-rails', '~> 0.2.1'
   gem 'spinach-rerun-reporter', '~> 0.0.2'
   gem 'rspec_profiling', '~> 0.0.5'
   gem 'rspec-set', '~> 0.1.3'
-  gem 'rspec-parameterized'
+  gem 'rspec-parameterized', require: false
 
   # Prevent occasions where minitest is not bundled in packaged versions of ruby (see #3826)
   gem 'minitest', '~> 5.7.0'
@@ -334,13 +345,15 @@ group :development, :test do
   gem 'spring-commands-rspec', '~> 1.0.4'
   gem 'spring-commands-spinach', '~> 1.1.0'
 
-  gem 'rubocop', '~> 0.49.1', require: false
-  gem 'rubocop-rspec', '~> 1.15.1', require: false
-  gem 'rubocop-gitlab-security', '~> 0.1.0', require: false
-  gem 'scss_lint', '~> 0.54.0', require: false
+  gem 'gitlab-styles', '~> 2.3', require: false
+  # Pin these dependencies, otherwise a new rule could break the CI pipelines
+  gem 'rubocop', '~> 0.52.1'
+  gem 'rubocop-rspec', '~> 1.22.1'
+
+  gem 'scss_lint', '~> 0.56.0', require: false
   gem 'haml_lint', '~> 0.26.0', require: false
   gem 'simplecov', '~> 0.14.0', require: false
-  gem 'flay', '~> 2.8.0', require: false
+  gem 'flay', '~> 2.10.0', require: false
   gem 'bundler-audit', '~> 0.5.0', require: false
 
   gem 'benchmark-ips', '~> 2.3.0', require: false
@@ -379,9 +392,6 @@ gem 'ruby-prof', '~> 0.16.2'
 # OAuth
 gem 'oauth2', '~> 1.4'
 
-# Soft deletion
-gem 'paranoia', '~> 2.3.1'
-
 # Health check
 gem 'health_check', '~> 2.6.0'
 
@@ -400,16 +410,20 @@ group :ed25519 do
 end
 
 # Gitaly GRPC client
-gem 'gitaly-proto', '~> 0.59.0', require: 'gitaly'
+gem 'gitaly-proto', '~> 0.84.0', require: 'gitaly'
+# Locked until https://github.com/google/protobuf/issues/4210 is closed
+gem 'google-protobuf', '= 3.5.1'
 
 gem 'toml-rb', '~> 0.3.15', require: false
 
 # Feature toggles
-gem 'flipper', '~> 0.10.2'
-gem 'flipper-active_record', '~> 0.10.2'
+gem 'flipper', '~> 0.11.0'
+gem 'flipper-active_record', '~> 0.11.0'
+gem 'flipper-active_support_cache_store', '~> 0.11.0'
 
 # Structured logging
 gem 'lograge', '~> 0.5'
 gem 'grape_logging', '~> 1.7'
 
-gem 'activerecord-nulldb-adapter'
+# Asset synchronization
+gem 'asset_sync', '~> 2.2.0'
diff --git a/pkgs/applications/version-management/gitlab/Gemfile.lock b/pkgs/applications/version-management/gitlab/Gemfile.lock
@@ -33,8 +33,6 @@ GEM
       activemodel (= 4.2.10)
       activesupport (= 4.2.10)
       arel (~> 6.0)
-    activerecord-nulldb-adapter (0.3.7)
-      activerecord (>= 2.0.0)
     activerecord_sane_schema_dumper (0.2)
       rails (>= 4, < 5)
     activesupport (4.2.10)
@@ -60,6 +58,11 @@ GEM
     asciidoctor (1.5.3)
     asciidoctor-plantuml (0.0.7)
       asciidoctor (~> 1.5)
+    asset_sync (2.2.0)
+      activemodel (>= 4.1.0)
+      fog-core
+      mime-types (>= 2.99)
+      unf
     ast (2.3.0)
     atomic (1.1.99)
     attr_encrypted (3.0.3)
@@ -75,7 +78,7 @@ GEM
       thread_safe (~> 0.3, >= 0.3.1)
     babosa (1.0.2)
     base32 (0.3.2)
-    batch-loader (1.1.1)
+    batch-loader (1.2.1)
     bcrypt (3.1.11)
     bcrypt_pbkdf (1.0.0)
     benchmark-ips (2.3.0)
@@ -192,10 +195,10 @@ GEM
     excon (0.57.1)
     execjs (2.6.0)
     expression_parser (0.9.0)
-    factory_girl (4.7.0)
+    factory_bot (4.8.2)
       activesupport (>= 3.0.0)
-    factory_girl_rails (4.7.0)
-      factory_girl (~> 4.7.0)
+    factory_bot_rails (4.8.2)
+      factory_bot (~> 4.8.2)
       railties (>= 3.0.0)
     faraday (0.12.2)
       multipart-post (>= 1.2, < 3)
@@ -204,18 +207,22 @@ GEM
     faraday_middleware-multi_json (0.0.6)
       faraday_middleware
       multi_json
+    fast_blank (1.0.0)
     fast_gettext (1.4.0)
     ffaker (2.4.0)
     ffi (1.9.18)
-    flay (2.8.1)
+    flay (2.10.0)
       erubis (~> 2.7.0)
       path_expander (~> 1.0)
       ruby_parser (~> 3.0)
       sexp_processor (~> 4.0)
-    flipper (0.10.2)
-    flipper-active_record (0.10.2)
+    flipper (0.11.0)
+    flipper-active_record (0.11.0)
       activerecord (>= 3.2, < 6)
-      flipper (~> 0.10.2)
+      flipper (~> 0.11.0)
+    flipper-active_support_cache_store (0.11.0)
+      activesupport (>= 3.2, < 6)
+      flipper (~> 0.11.0)
     flowdock (0.7.1)
       httparty (~> 0.7)
       multi_json
@@ -278,7 +285,7 @@ GEM
       po_to_json (>= 1.0.0)
       rails (>= 3.2.0)
     gherkin-ruby (0.3.2)
-    gitaly-proto (0.59.0)
+    gitaly-proto (0.84.0)
       google-protobuf (~> 3.1)
       grpc (~> 1.0)
     github-linguist (4.7.6)
@@ -297,6 +304,10 @@ GEM
       mime-types (>= 1.16)
       posix-spawn (~> 0.3)
     gitlab-markup (1.6.3)
+    gitlab-styles (2.3.2)
+      rubocop (~> 0.51)
+      rubocop-gitlab-security (~> 0.1.0)
+      rubocop-rspec (~> 1.19)
     gitlab_omniauth-ldap (2.0.4)
       net-ldap (~> 0.16)
       omniauth (~> 1.3)
@@ -329,7 +340,9 @@ GEM
       mime-types (~> 3.0)
       representable (~> 3.0)
       retriable (>= 2.0, < 4.0)
-    google-protobuf (3.4.1.1)
+    google-protobuf (3.5.1)
+    googleapis-common-protos-types (1.0.1)
+      google-protobuf (~> 3.0)
     googleauth (0.5.3)
       faraday (~> 0.12)
       jwt (~> 1.4)
@@ -356,9 +369,10 @@ GEM
       rake
     grape_logging (1.7.0)
       grape
-    grpc (1.4.5)
+    grpc (1.8.3)
       google-protobuf (~> 3.1)
-      googleauth (~> 0.5.1)
+      googleapis-common-protos-types (~> 1.0.0)
+      googleauth (>= 0.5.1, < 0.7)
     haml (4.0.7)
       tilt
     haml_lint (0.26.0)
@@ -495,11 +509,11 @@ GEM
     mustermann (1.0.0)
     mustermann-grape (1.0.0)
       mustermann (~> 1.0.0)
-    mysql2 (0.4.5)
+    mysql2 (0.4.10)
     net-ldap (0.16.0)
     net-ssh (4.1.0)
     netrc (0.11.0)
-    nokogiri (1.8.1)
+    nokogiri (1.8.2)
       mini_portile2 (~> 2.3.0)
     numerizer (0.1.1)
     oauth (0.5.1)
@@ -515,8 +529,8 @@ GEM
     omniauth (1.4.2)
       hashie (>= 1.2, < 4)
       rack (>= 1.0, < 3)
-    omniauth-auth0 (1.4.1)
-      omniauth-oauth2 (~> 1.1)
+    omniauth-auth0 (2.0.0)
+      omniauth-oauth2 (~> 1.4)
     omniauth-authentiq (0.3.1)
       omniauth-oauth2 (~> 1.3, >= 1.3.1)
     omniauth-azure-oauth2 (0.0.9)
@@ -569,14 +583,12 @@ GEM
       rubypants (~> 0.2)
     orm_adapter (0.5.0)
     os (0.9.6)
-    parallel (1.12.0)
-    paranoia (2.3.1)
-      activerecord (>= 4.0, < 5.2)
+    parallel (1.12.1)
     parser (2.4.0.2)
       ast (~> 2.3)
     parslet (1.5.0)
       blankslate (~> 2.0)
-    path_expander (1.0.1)
+    path_expander (1.0.2)
     peek (1.0.1)
       concurrent-ruby (>= 0.9.0)
       concurrent-ruby-ext (>= 0.9.0)
@@ -624,7 +636,7 @@ GEM
       parser
       unparser
     procto (0.0.3)
-    prometheus-client-mmap (0.7.0.beta43)
+    prometheus-client-mmap (0.9.1)
     pry (0.10.4)
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
@@ -641,7 +653,7 @@ GEM
       rack (>= 0.4)
     rack-attack (4.4.1)
       rack
-    rack-cors (0.4.0)
+    rack-cors (1.0.2)
     rack-oauth2 (1.2.3)
       activesupport (>= 2.3)
       attr_required (>= 0.0.5)
@@ -685,6 +697,9 @@ GEM
       rake
     raindrops (0.18.0)
     rake (12.3.0)
+    rb-fsevent (0.10.2)
+    rb-inotify (0.9.10)
+      ffi (>= 0.5.0, < 2)
     rblineprof (0.3.6)
       debugger-ruby_core_source (~> 1.3)
     rbnacl (4.0.2)
@@ -698,7 +713,7 @@ GEM
       json
     recursive-open-struct (1.0.0)
     redcarpet (3.4.0)
-    redis (3.3.3)
+    redis (3.3.5)
     redis-actionpack (5.0.2)
       actionpack (>= 4.0, < 6)
       redis-rack (>= 1, < 3)
@@ -771,21 +786,21 @@ GEM
       pg
       rails
       sqlite3
-    rubocop (0.49.1)
+    rubocop (0.52.1)
       parallel (~> 1.10)
-      parser (>= 2.3.3.1, < 3.0)
+      parser (>= 2.4.0.2, < 3.0)
       powerpack (~> 0.1)
-      rainbow (>= 1.99.1, < 3.0)
+      rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (~> 1.0, >= 1.0.1)
-    rubocop-gitlab-security (0.1.0)
-      rubocop (>= 0.47.1)
-    rubocop-rspec (1.15.1)
-      rubocop (>= 0.42.0)
+    rubocop-gitlab-security (0.1.1)
+      rubocop (>= 0.51)
+    rubocop-rspec (1.22.1)
+      rubocop (>= 0.52.1)
     ruby-fogbugz (0.2.1)
       crack (~> 0.4)
     ruby-prof (0.16.2)
-    ruby-progressbar (1.8.1)
+    ruby-progressbar (1.9.0)
     ruby-saml (1.4.1)
       nokogiri (>= 1.5.10)
     ruby_parser (3.9.0)
@@ -799,7 +814,11 @@ GEM
     safe_yaml (1.0.4)
     sanitize (2.1.0)
       nokogiri (>= 1.4.4)
-    sass (3.4.22)
+    sass (3.5.5)
+      sass-listen (~> 4.0.0)
+    sass-listen (4.0.0)
+      rb-fsevent (~> 0.9, >= 0.9.4)
+      rb-inotify (~> 0.9, >= 0.9.7)
     sass-rails (5.0.6)
       railties (>= 4.0.0, < 6)
       sass (~> 3.1)
@@ -809,11 +828,11 @@ GEM
     sawyer (0.8.1)
       addressable (>= 2.3.5, < 2.6)
       faraday (~> 0.8, < 1.0)
-    scss_lint (0.54.0)
+    scss_lint (0.56.0)
       rake (>= 0.9, < 13)
-      sass (~> 3.4.20)
+      sass (~> 3.5.3)
     securecompare (1.0.0)
-    seed-fu (2.3.6)
+    seed-fu (2.3.7)
       activerecord (>= 3.1)
       activesupport (>= 3.1)
     select2-rails (3.5.9.3)
@@ -829,11 +848,11 @@ GEM
       rack
     shoulda-matchers (3.1.2)
       activesupport (>= 4.0.0)
-    sidekiq (5.0.4)
+    sidekiq (5.0.5)
       concurrent-ruby (~> 1.0)
       connection_pool (~> 2.2, >= 2.2.0)
       rack-protection (>= 1.5.0)
-      redis (~> 3.3, >= 3.3.3)
+      redis (>= 3.3.4, < 5)
     sidekiq-cron (0.6.0)
       rufus-scheduler (>= 3.3.0)
       sidekiq (>= 4.2.1)
@@ -969,7 +988,6 @@ PLATFORMS
 DEPENDENCIES
   RedCloth (~> 4.3.2)
   ace-rails-ap (~> 4.1.0)
-  activerecord-nulldb-adapter
   activerecord_sane_schema_dumper (= 0.2)
   acts-as-taggable-on (~> 4.0)
   addressable (~> 2.5.2)
@@ -978,11 +996,12 @@ DEPENDENCIES
   asana (~> 0.6.0)
   asciidoctor (~> 1.5.2)
   asciidoctor-plantuml (= 0.0.7)
+  asset_sync (~> 2.2.0)
   attr_encrypted (~> 3.0.0)
   awesome_print (~> 1.2.0)
   babosa (~> 1.0.2)
   base32 (~> 0.3.0)
-  batch-loader
+  batch-loader (~> 1.2.1)
   bcrypt_pbkdf (~> 1.0)
   benchmark-ips (~> 2.3.0)
   better_errors (~> 2.1.0)
@@ -1014,12 +1033,14 @@ DEPENDENCIES
   dropzonejs-rails (~> 0.7.1)
   email_reply_trimmer (~> 0.1)
   email_spec (~> 1.6.0)
-  factory_girl_rails (~> 4.7.0)
+  factory_bot_rails (~> 4.8.2)
   faraday (~> 0.12)
+  fast_blank
   ffaker (~> 2.4)
-  flay (~> 2.8.0)
-  flipper (~> 0.10.2)
-  flipper-active_record (~> 0.10.2)
+  flay (~> 2.10.0)
+  flipper (~> 0.11.0)
+  flipper-active_record (~> 0.11.0)
+  flipper-active_support_cache_store (~> 0.11.0)
   fog-aliyun (~> 0.2.0)
   fog-aws (~> 1.4)
   fog-core (~> 1.44)
@@ -1035,15 +1056,17 @@ DEPENDENCIES
   gettext (~> 3.2.2)
   gettext_i18n_rails (~> 1.8.0)
   gettext_i18n_rails_js (~> 1.2.0)
-  gitaly-proto (~> 0.59.0)
+  gitaly-proto (~> 0.84.0)
   github-linguist (~> 4.7.0)
   gitlab-flowdock-git-hook (~> 1.0.1)
   gitlab-markup (~> 1.6.2)
+  gitlab-styles (~> 2.3)
   gitlab_omniauth-ldap (~> 2.0.4)
   gollum-lib (~> 4.2)
   gollum-rugged_adapter (~> 0.4.4)
   gon (~> 6.1.0)
   google-api-client (~> 0.13.6)
+  google-protobuf (= 3.5.1)
   gpgme
   grape (~> 1.0)
   grape-entity (~> 0.6.0)
@@ -1075,15 +1098,15 @@ DEPENDENCIES
   method_source (~> 0.8)
   minitest (~> 5.7.0)
   mousetrap-rails (~> 1.4.6)
-  mysql2 (~> 0.4.5)
+  mysql2 (~> 0.4.10)
   net-ldap
   net-ssh (~> 4.1.0)
-  nokogiri (~> 1.8.1)
+  nokogiri (~> 1.8.2)
   oauth2 (~> 1.4)
   octokit (~> 4.6.2)
   oj (~> 2.17.4)
   omniauth (~> 1.4.2)
-  omniauth-auth0 (~> 1.4.1)
+  omniauth-auth0 (~> 2.0.0)
   omniauth-authentiq (~> 0.3.1)
   omniauth-azure-oauth2 (~> 0.0.9)
   omniauth-cas3 (~> 1.1.4)
@@ -1098,7 +1121,6 @@ DEPENDENCIES
   omniauth-twitter (~> 1.2.0)
   omniauth_crowd (~> 2.2.0)
   org-ruby (~> 0.9.12)
-  paranoia (~> 2.3.1)
   peek (~> 1.0.1)
   peek-gc (~> 0.0.2)
   peek-host (~> 1.0.0)
@@ -1110,11 +1132,11 @@ DEPENDENCIES
   peek-sidekiq (~> 1.0.3)
   pg (~> 0.18.2)
   premailer-rails (~> 1.9.7)
-  prometheus-client-mmap (~> 0.7.0.beta43)
+  prometheus-client-mmap (~> 0.9.1)
   pry-byebug (~> 3.4.1)
   pry-rails (~> 0.3.4)
   rack-attack (~> 4.4.1)
-  rack-cors (~> 0.4.0)
+  rack-cors (~> 1.0.0)
   rack-oauth2 (~> 1.2.1)
   rack-proxy (~> 0.6.0)
   rails (= 4.2.10)
@@ -1141,18 +1163,17 @@ DEPENDENCIES
   rspec-retry (~> 0.4.5)
   rspec-set (~> 0.1.3)
   rspec_profiling (~> 0.0.5)
-  rubocop (~> 0.49.1)
-  rubocop-gitlab-security (~> 0.1.0)
-  rubocop-rspec (~> 1.15.1)
+  rubocop (~> 0.52.1)
+  rubocop-rspec (~> 1.22.1)
   ruby-fogbugz (~> 0.2.1)
   ruby-prof (~> 0.16.2)
   ruby_parser (~> 3.8)
   rufus-scheduler (~> 3.4)
   rugged (~> 0.26.0)
   sanitize (~> 2.0)
   sass-rails (~> 5.0.6)
-  scss_lint (~> 0.54.0)
-  seed-fu (= 2.3.6)
+  scss_lint (~> 0.56.0)
+  seed-fu (~> 2.3.7)
   select2-rails (~> 3.5.9)
   selenium-webdriver (~> 3.5)
   sentry-raven (~> 2.5.3)
@@ -1194,4 +1215,4 @@ DEPENDENCIES
   wikicloth (= 0.8.1)
 
 BUNDLED WITH
-   1.16.0
+   1.16.1
diff --git a/pkgs/applications/version-management/gitlab/default.nix b/pkgs/applications/version-management/gitlab/default.nix
@@ -18,11 +18,11 @@ let
     };
   };
 
-  version = "10.3.4";
+  version = "10.5.6";
 
   gitlabDeb = fetchurl {
     url = "https://packages.gitlab.com/gitlab/gitlab-ce/packages/debian/jessie/gitlab-ce_${version}-ce.0_amd64.deb/download";
-    sha256 = "0b6508hcahvhfpxyrqs05kz9a7c1wv658asm6a7ccish6hnwcica";
+    sha256 = "1kml7iz4q9g5gcfqqarivlnkmkmq9250wgm95yi4rgzynb5jndd0";
   };
 
 in
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
     owner = "gitlabhq";
     repo = "gitlabhq";
     rev = "v${version}";
-    sha256 = "0cvp4wwkc04qffsq738867j31igwzj7zlmahdl24yddbmpa5x8r1";
+    sha256 = "059h63jn552fcir2dgsjv85zv1ihbyiwzws4h2j15mwj2cdpjkh0";
   };
 
   buildInputs = [
@@ -43,7 +43,6 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./remove-hardcoded-locations.patch
-    ./nulladapter.patch
     ./fix-36783.patch
   ];
 
@@ -59,6 +58,8 @@ stdenv.mkDerivation rec {
     substituteInPlace app/controllers/admin/background_jobs_controller.rb \
         --replace "ps -U" "${procps}/bin/ps -U"
 
+    sed -i '/ask_to_continue/d' lib/tasks/gitlab/two_factor.rake
+
     # required for some gems:
     cat > config/database.yml <<EOF
       production:

diff --git a/pkgs/applications/version-management/gitlab/gemset.nix b/pkgs/applications/version-management/gitlab/gemset.nix
diff --git a/pkgs/applications/version-management/gitlab/nulladapter.patch b/pkgs/applications/version-management/gitlab/nulladapter.patch
diff --git a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
@@ -1,8 +1,8 @@
 diff --git a/config/environments/production.rb b/config/environments/production.rb
-index c5cbfcf64c..e40f10e25f 100644
+index c5cbfcf64c..4d01f6fab8 100644
 --- a/config/environments/production.rb
 +++ b/config/environments/production.rb
-@@ -70,14 +70,16 @@ Rails.application.configure do
+@@ -70,10 +70,10 @@ Rails.application.configure do
 
    config.action_mailer.delivery_method = :sendmail
    # Defaults to:
@@ -11,23 +11,17 @@ index c5cbfcf64c..e40f10e25f 100644
 -  # #   arguments: '-i -t'
 -  # # }
 +  config.action_mailer.sendmail_settings = {
-+    location: '/run/wrappers/bin/sendmail',
++    location: '/usr/sbin/sendmail',
 +    arguments: '-i -t'
 +  }
    config.action_mailer.perform_deliveries = true
    config.action_mailer.raise_delivery_errors = true
 
-   config.eager_load = true
-
-   config.allow_concurrency = false
-+
-+  config.active_record.dump_schema_after_migration = false
- end
 diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
-index 0b33783869..cd4e41d9bd 100644
+index bd696a7f2c..44e3863736 100644
 --- a/config/gitlab.yml.example
 +++ b/config/gitlab.yml.example
-@@ -574,7 +574,7 @@ production: &base
+@@ -590,7 +590,7 @@ production: &base
    # CAUTION!
    # Use the default values unless you really know what you are doing
    git:
@@ -37,10 +31,10 @@ index 0b33783869..cd4e41d9bd 100644
    ## Webpack settings
    # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
 diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
-index 8ddf8e4d2e..559cf9adf7 100644
+index 0bea8a4f4b..290248547b 100644
 --- a/config/initializers/1_settings.rb
 +++ b/config/initializers/1_settings.rb
-@@ -252,7 +252,7 @@ Settings.gitlab['user']       ||= 'git'
+@@ -255,7 +255,7 @@ Settings.gitlab['user']       ||= 'git'
  Settings.gitlab['user_home']  ||= begin
    Etc.getpwnam(Settings.gitlab['user']).dir
  rescue ArgumentError # no user configured
@@ -49,7 +43,7 @@ index 8ddf8e4d2e..559cf9adf7 100644
  end
  Settings.gitlab['time_zone'] ||= nil
  Settings.gitlab['signup_enabled'] ||= true if Settings.gitlab['signup_enabled'].nil?
-@@ -491,7 +491,7 @@ Settings.backup['upload']['storage_class'] ||= nil
+@@ -507,7 +507,7 @@ Settings.backup['upload']['storage_class'] ||= nil
  # Git
  #
  Settings['git'] ||= Settingslogic.new({})
@@ -58,29 +52,42 @@ index 8ddf8e4d2e..559cf9adf7 100644
 
  # Important: keep the satellites.path setting until GitLab 9.0 at
  # least. This setting is fed to 'rm -rf' in
+diff --git a/lib/api/api.rb b/lib/api/api.rb
+index e953f3d2ec..3a8d9f076b 100644
+--- a/lib/api/api.rb
++++ b/lib/api/api.rb
+@@ -2,7 +2,7 @@ module API
+   class API < Grape::API
+     include APIGuard
+
+-    LOG_FILENAME = Rails.root.join("log", "api_json.log")
++    LOG_FILENAME = File.join(ENV["GITLAB_LOG_PATH"], "api_json.log")
+
+     NO_SLASH_URL_PART_REGEX = %r{[^/]+}
+     PROJECT_ENDPOINT_REQUIREMENTS = { id: NO_SLASH_URL_PART_REGEX }.freeze
 diff --git a/lib/gitlab/logger.rb b/lib/gitlab/logger.rb
-index 59b21149a9..4f4a39a06c 100644
+index a42e312b5d..ccaab9229e 100644
 --- a/lib/gitlab/logger.rb
 +++ b/lib/gitlab/logger.rb
-@@ -26,7 +26,7 @@
+@@ -26,7 +26,7 @@ module Gitlab
      end
 
      def self.full_log_path
 -      Rails.root.join("log", file_name)
-+      File.join(ENV["GITLAB_LOG_PATH"], file_name)
++        File.join(ENV["GITLAB_LOG_PATH"], file_name)
      end
 
      def self.cache_key
 diff --git a/lib/gitlab/uploads_transfer.rb b/lib/gitlab/uploads_transfer.rb
-index b5f4124052..f72c556983 100644
+index 7d7400bdab..cb25211d44 100644
 --- a/lib/gitlab/uploads_transfer.rb
 +++ b/lib/gitlab/uploads_transfer.rb
 @@ -1,7 +1,7 @@
  module Gitlab
    class UploadsTransfer < ProjectTransfer
      def root_dir
--      File.join(CarrierWave.root, FileUploader.base_dir)
-+      ENV['GITLAB_UPLOADS_PATH'] || File.join(CarrierWave.root, FileUploader.base_dir)
+-      FileUploader.root
++      ENV['GITLAB_UPLOADS_PATH'] || FileUploader.root
      end
    end
  end
@@ -98,7 +105,7 @@ index 3e0c436d6e..28cefc5514 100644
      end
    end
 diff --git a/lib/system_check/app/uploads_directory_exists_check.rb b/lib/system_check/app/uploads_directory_exists_check.rb
-index 7026d0ba07..6d88b8b9fb 100644
+index 7026d0ba07..c56e1f7ed9 100644
 --- a/lib/system_check/app/uploads_directory_exists_check.rb
 +++ b/lib/system_check/app/uploads_directory_exists_check.rb
 @@ -4,12 +4,13 @@ module SystemCheck
@@ -113,7 +120,7 @@ index 7026d0ba07..6d88b8b9fb 100644
 +        uploads_dir = ENV['GITLAB_UPLOADS_PATH'] || Rails.root.join('public/uploads')
          try_fixing_it(
 -          "sudo -u #{gitlab_user} mkdir #{Rails.root}/public/uploads"
-+          "sudo -u #{gitlab_user} mkdir #{uploads_dir}"
++            "sudo -u #{gitlab_user} mkdir #{uploads_dir}"
          )
          for_more_information(
            see_installation_guide_section 'GitLab'
@@ -143,14 +150,3 @@ index b276a81eac..070e3ebd81 100644
        end
      end
    end
---- a/lib/api/api.rb	1970-01-01 01:00:01.000000000 +0100
-+++ b/lib/api/api.rb	2017-09-28 19:37:24.953605705 +0200
-@@ -2,7 +2,7 @@
-   class API < Grape::API
-     include APIGuard
-
--    LOG_FILENAME = Rails.root.join("log", "api_json.log")
-+    LOG_FILENAME = File.join(ENV["GITLAB_LOG_PATH"], "api_json.log")
-
-     use GrapeLogging::Middleware::RequestLogger,
-         logger: Logger.new(LOG_FILENAME),