gitlab-sr: upgrade gitlab software to version 9.5.10

Previous gitlab version was 8.17.0, this commit upgrade gitlab to version 9.5.10, and update all configuration to work with this version according to the installation procedure, see: https://gitlab.com/gitlab-org/gitlab-foss/-/blob/v9.5.10/doc/install/installation.md

gitlab-sr: upgrade gitlab software to version 9.5.10
Previous gitlab version was 8.17.0, this commit upgrade gitlab to version 9.5.10, and update all configuration to work with this version according to the installation procedure, see: https://gitlab.com/gitlab-org/gitlab-foss/-/blob/v9.5.10/doc/install/installation.md
d853c6b7 · Alain Takoudjou · 7c462c93 · d853c6b7 · d853c6b7 · d853c6b7
Commit d853c6b7 authored Feb 28, 2020 by Alain Takoudjou
15 changed files
--- a/software/gitlab/buildout.hash.cfg
+++ b/software/gitlab/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [instance.cfg]
 filename = instance.cfg.in
-md5sum = 36252abb4d857da08d62bf3eb26faae1
+md5sum = dc3f318e8a3aa7a59f9394118543e9e3

 [watcher]
 _update_hash_filename_ = watcher.in
@@ -34,27 +34,31 @@ md5sum = 7782f5c5d75663c2586e28d029c51e49

 [gitlab-parameters.cfg]
 _update_hash_filename_ = gitlab-parameters.cfg
-md5sum = 8f4537cb8a0c9a8e0058c30cb687681c
+md5sum = c2e23c0f7baa1633df0436ca4e728424

 [gitlab-shell-config.yml.in]
 _update_hash_filename_ = template/gitlab-shell-config.yml.in
-md5sum = 58c09b1e609f903e483a76fe9e57366c
+md5sum = 52d18b521b8cd16352fc88b1e1d79d53

 [gitlab-unicorn-startup.in]
 _update_hash_filename_ = gitlab-unicorn-startup.in
-md5sum = a9cb347f60aad3465932fd36cd4fe25d
+md5sum = aff91edaf9786c213db8ea703ab3571e

 [gitlab.yml.in]
 _update_hash_filename_ = template/gitlab.yml.in
-md5sum = 0ddf4093dcf4427e5a160707e6017950
+md5sum = f4cc0bc898b8d59010d61473e2adc53b
+
+[gitaly-config.toml.in]
+_update_hash_filename_ = template/gitaly-config.toml.in
+md5sum = 056d7ed09e1bf20d022d3ef6b9363e00

 [instance-gitlab.cfg.in]
 _update_hash_filename_ = instance-gitlab.cfg.in
-md5sum = 9dd764b3c90b3425b19b40da029b759c
+md5sum = f5e7f9717eaa999fbf11ce4b6c1abb1c

 [instance-gitlab-export.cfg.in]
 _update_hash_filename_ = instance-gitlab-export.cfg.in
-md5sum = 319d7dbe3ad9b260c1e292cfc0d13b11
+md5sum = 2af7dcf63f74e5edc53a3ff11fa4989b

 [instance-gitlab-test.cfg.in]
 _update_hash_filename_ = instance-gitlab-test.cfg.in
@@ -66,11 +70,11 @@ md5sum = a56a44e96f65f5ed20211bb6a54279f4

 [nginx-gitlab-http.conf.in]
 _update_hash_filename_ = template/nginx-gitlab-http.conf.in
-md5sum = e74695aa1be60f0ffac64ddbe1c8eaf1
+md5sum = 79d2b4e8a32abf7a74a3d4528844c593

 [nginx.conf.in]
 _update_hash_filename_ = template/nginx.conf.in
-md5sum = 1374f38ab6f295b850d45ea0019ec05d
+md5sum = 8c904510eb39dc212204f68f2b81b068

 [rack_attack.rb.in]
 _update_hash_filename_ = template/rack_attack.rb.in
@@ -82,7 +86,7 @@ md5sum = 7c89a730889e3224548d9abe51a2d719

 [smtp_settings.rb.in]
 _update_hash_filename_ = template/smtp_settings.rb.in
-md5sum = 4e1ced687a86e4cfff2dde91237e3942
+md5sum = e2144b03f7247636143c65dc81550d75

 [template-gitlab-resiliency-restore.sh.in]
 _update_hash_filename_ = template/template-gitlab-resiliency-restore.sh.in
@@ -90,4 +94,4 @@ md5sum = 590fcadf26085fdd17487175bc0a469d

 [unicorn.rb.in]
 _update_hash_filename_ = template/unicorn.rb.in
-md5sum = 83921db1835d9e81cbbe808631cc40a9
+md5sum = 67728235a2c4c9425c80f0c856749885
--- a/software/gitlab/gitlab-parameters.cfg
+++ b/software/gitlab/gitlab-parameters.cfg
@@ -45,7 +45,7 @@ configuration.default_projects_features.issues          = true
 configuration.default_projects_features.merge_requests  = true
 configuration.default_projects_features.wiki            = true
 configuration.default_projects_features.snippets        = true
-#configuration.default_projects_features.builds          = false
+configuration.default_projects_features.builds          = true

 configuration.webhook_timeout           = 10

@@ -102,6 +102,10 @@ configuration.nginx_gzip_proxied        = any
 configuration.nginx_gzip_types          = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
 configuration.nginx_keepalive_timeout   = 65
 configuration.nginx_header_allow_origin = $http_origin
+configuration.nginx_hsts_max_age        = 31536000
+configuration.nginx_hsts_include_subdomains = false
+configuration.nginx_gzip_enabled        = true
+

 # configuring trusted proxies
 # GitLab is behind a reverse proxy, so we don't want the IP address of the proxy

--- a/software/gitlab/gitlab-unicorn-startup.in
+++ b/software/gitlab/gitlab-unicorn-startup.in
@@ -27,7 +27,7 @@ psql() {
 # ( first quering PG several times waiting a bit till postgresql is started and ready )
 tpgwait=5
 while true; do
-    pgtables="$(psql -c '\d')" && break
+    pgtables="$(psql -c '\d' 2>&1)" && break
    tpgwait=$(( $tpgwait - 1 ))
    test $tpgwait = 0 && die "pg query problem"
    echo "I: PostgreSQL is not ready (yet ?); will retry $tpgwait times..." 1>&2
@@ -38,10 +38,11 @@ echo "I: PostgreSQL ready." 1>&2
 # make sure pg_trgm extension is enabled for gitlab db
 psql -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm;'   || die "pg_trgm setup failed"

-if echo "$pgtables" | grep -q '^No relations found' ; then
+if echo "$pgtables" | grep -q '^Did not find any relations' ; then
    $RAKE db:schema:load db:seed_fu  || die "initial db setup failed"
 fi

+
 # re-build ssh keys
 # (we do not use them - just for cleannes)
 force=yes $RAKE gitlab:shell:setup   || die "gitlab:shell:setup failed"

--- a/software/gitlab/gowork.cfg
+++ b/software/gitlab/gowork.cfg
@@ -6,7 +6,6 @@ depends_gitfetch  =
    ${go_github.com_pkg_errors:recipe}
    ${go_lab.nexedi.com_kirr_git-backup:recipe}
    ${go_lab.nexedi.com_kirr_go123:recipe}
-    ${go_gitlab.com_gitlab-org_gitlab-workhorse:recipe}


 [go_github.com_libgit2_git2go]
@@ -26,16 +25,10 @@ revision      = v0.8.0-12-g816c908556
 <= go-git-package
 go.importpath = lab.nexedi.com/kirr/git-backup
 repository    = https://lab.nexedi.com/kirr/git-backup.git
-revision = 9791c04ecc2555a519321905efa734a1b5f3c4e6
+revision      = 3f6c4deec8834bdcd2c28c7c5eeacd8211e759b5

 [go_lab.nexedi.com_kirr_go123]
 <= go-git-package
 go.importpath = lab.nexedi.com/kirr/go123
 repository    = https://lab.nexedi.com/kirr/go123.git
-revision      = d9250d6332
-
-[go_gitlab.com_gitlab-org_gitlab-workhorse]
-<= go-git-package
-go.importpath = gitlab.com/gitlab-org/gitlab-workhorse
-repository    = https://lab.nexedi.com/nexedi/gitlab-workhorse.git
-revision      = v1.3.0-8-g5f44f59cbb
\ No newline at end of file
+revision      = 56bf8f815a
\ No newline at end of file
--- a/software/gitlab/instance-gitlab-export.cfg.in
+++ b/software/gitlab/instance-gitlab-export.cfg.in
@@ -44,6 +44,7 @@ command	= ${exporter:wrapper-path}
 recipe = collective.recipe.template
 input = inline: gitlab-shell-work*
  gitlab-work*
+  var/log/**
  var/backup/**
  var/repositories*
  var/repositories/**

--- a/software/gitlab/instance-gitlab.cfg.in
+++ b/software/gitlab/instance-gitlab.cfg.in
--- a/software/gitlab/instance.cfg.in
+++ b/software/gitlab/instance.cfg.in
@@ -27,6 +27,7 @@ context =
    import pwd pwd
    import multiprocessing multiprocessing

+    key bin_directory           buildout:bin-directory
    key eggs_directory          buildout:eggs-directory
    key develop_eggs_directory  buildout:develop-eggs-directory
    raw gitlab_repository_location          ${gitlab-repository:location}
@@ -36,11 +37,13 @@ context =
    raw bash_bin                    ${bash:location}/bin/bash
    raw bzip2_location              ${bzip2:location}
    raw bundler_4gitlab             ${bundler-4gitlab:bundle}
+    raw bundler_1_17_3_dir          ${bundler-4gitlab:bundle1.17.3}
    raw coreutils_location          ${coreutils:location}
    raw curl_bin                    ${curl:location}/bin/curl
    raw dcron_bin                   ${dcron-output:crond}
    raw git                         ${git:location}/bin/git
    raw git_location                ${git:location}
+    raw gitaly_location             ${gitaly-repository:location}
    raw gitlab_export               ${gitlab-export:rendered}
    raw gitlab_workhorse            ${gowork:bin}/gitlab-workhorse
    raw gopath_bin                  ${gowork:bin}
@@ -51,14 +54,15 @@ context =
    raw logrotate_bin               ${logrotate:location}/usr/sbin/logrotate
    raw nginx_bin                   ${nginx-output:nginx}
    raw nginx_mime_types            ${nginx-output:mime}
-    raw node_bin_location           ${nodejs-8.6.0:location}/bin/
+    raw node_bin_location           ${nodejs-8.12.0:location}/bin/
    raw openssl_bin                 ${openssl-output:openssl}
-    raw postgresql_location         ${postgresql92:location}
+    raw postgresql_location         ${postgresql10:location}
    raw redis_binprefix             ${redis28:location}/bin
    raw ruby_location               ${bundler-4gitlab:ruby-location}
    raw tar_location                ${tar:location}
    raw watcher                     ${watcher:rendered}
    raw xnice_repository_location   ${xnice-repository:location}
+    raw yarn_location               ${yarn:location}

 # config files
    raw database_yml_in             ${database.yml.in:target}
@@ -68,6 +72,7 @@ context =
    raw gitlab_shell_config_yml_in  ${gitlab-shell-config.yml.in:target}
    raw gitlab_unicorn_startup_in   ${gitlab-unicorn-startup.in:target}
    raw gitlab_yml_in               ${gitlab.yml.in:target}
+    raw gitaly_config_toml_in       ${gitaly-config.toml.in:target}
    raw macrolib_cfg_in             ${macrolib.cfg.in:target}
    raw nginx_conf_in               ${nginx.conf.in:target}
    raw nginx_gitlab_http_conf_in   ${nginx-gitlab-http.conf.in:target}

--- a/software/gitlab/software.cfg
+++ b/software/gitlab/software.cfg
@@ -15,6 +15,7 @@ extends =
    ../../component/openssl/buildout.cfg
    ../../component/nginx/buildout.cfg
    ../../component/zlib/buildout.cfg
+    ../../component/icu/buildout.cfg
    gowork.cfg

 #   for instance
@@ -29,10 +30,10 @@ extends =
    ../../component/logrotate/buildout.cfg

 parts =
-    ruby2.1
+    ruby2.3
    golang1.12
    git
-    postgresql92
+    postgresql10
    redis28
    cmake
    icu
@@ -40,6 +41,8 @@ parts =
    nginx-output

    gowork
+    gitlab-workhorse
+    gitaly-build
    python-4gitlab
    gitlab-shell/vendor
    gitlab/vendor/bundle
@@ -64,6 +67,13 @@ parts =
 [slapos.cookbook-repository]
 revision = 571d6514f7290e8faa9439c4b86aa2f6c87df261

+
+[yarn]
+# need this version of Yarn
+recipe = slapos.recipe.build:download-unpacked
+url = https://github.com/yarnpkg/yarn/releases/download/v1.3.2/yarn-v1.3.2.tar.gz
+md5sum = db82fa09c996e9318f2f1d2ab99228f9
+
 ############################
 #   Software compilation   #
 ############################
@@ -78,20 +88,22 @@ eggs    =
 # rubygemsrecipe with fixed url and this way pinned rubygems version
 [rubygemsrecipe]
 recipe  = rubygemsrecipe
-url     = https://rubygems.org/rubygems/rubygems-2.5.2.zip
-
+url     = https://rubygems.org/rubygems/rubygems-3.1.2.zip

 # bundler, that we'll use to
 # - install gems for gitlab
 # - run gitlab services / jobs  (via `bundle exec ...`)
 [bundler-4gitlab]
 <= rubygemsrecipe
-ruby-location = ${ruby2.1:location}
+ruby-location = ${ruby2.3:location}
 ruby-executable = ${:ruby-location}/bin/ruby
-gems    = bundler==1.11.2
+gems    =
+  bundler==1.17.3

 # bin installed here
 bundle  = ${buildout:bin-directory}/bundle
+# Gitaly need bundler 1.17.3 which is not the default version at the end
+bundle1.17.3 = ${buildout:parts-directory}/${:_buildout_section_name_}/lib/ruby/gems/1.8/gems/bundler-1.17.3/exe/

 # install together with dependencies of gitlab, which we cannot specify using
 #   --with-... gem option
@@ -109,7 +121,8 @@ bundle  = ${buildout:bin-directory}/bundle
 # gitlab (via github-markup) wants to convert rst -> html via running: python2 (with docutils egg)
 # (python-4gitlab puts interpreter into ${buildout:bin-directory})
 environment =
-  PATH    = ${:ruby-location}/bin:${cmake:location}/bin:${pkgconfig:location}/bin:${nodejs-8.6.0:location}/bin:${postgresql92:location}/bin:${redis28:location}/bin:${git:location}/bin:${buildout:bin-directory}:%(PATH)s
+
+  PATH    = ${yarn:location}/bin:${:ruby-location}/bin:${cmake:location}/bin:${pkgconfig:location}/bin:${nodejs-8.12.0:location}/bin:${postgresql10:location}/bin:${redis28:location}/bin:${git:location}/bin:${buildout:bin-directory}:%(PATH)s


 # gitlab, gitlab-shell & gitlab-workhorse checked out as git repositories
@@ -120,21 +133,31 @@ git-executable = ${git:location}/bin/git

 [gitlab-repository]
 <= git-repository
-#repository = https://gitlab.com/gitlab-org/gitlab-ce.git
 repository = https://lab.nexedi.com/nexedi/gitlab-ce.git
-# 8.17.X + NXD patches:
-revision = v8.17.8-12-g611cf13b90
+# 9.5.10 + NXD patches:
+revision = v9.5.10-8-gc290e22a08cb
 location = ${buildout:parts-directory}/gitlab

 [gitlab-shell-repository]
 <= git-repository
-#repository = https://gitlab.com/gitlab-org/gitlab-shell.git
-repository = https://lab.nexedi.com/nexedi/gitlab-shell.git
-# gitlab 8.17 wants gitlab-shell 4.1.1
-# 4.1.1 + NXD patches
-revision = v4.1.1-1-g64603b4da2
+#repository = https://lab.nexedi.com/nexedi/gitlab-shell.git
+repository = https://gitlab.com/gitlab-org/gitlab-shell.git
+# gitlab 9.5.10 wants gitlab-shell 5.6.1
+revision = v5.6.1-10-g1e587d3b7f
 location = ${buildout:parts-directory}/gitlab-shell

+[gitaly-repository]
+<= git-repository
+repository = https://gitlab.com/gitlab-org/gitaly.git
+# for version v0.35.0 (gitlab 9.5.10)
+revision = v0.35.0-0-gf99a57b19a
+location = ${buildout:parts-directory}/gitaly
+
+[gitlab-workhorse-repository]
+<= git-repository
+repository = https://lab.nexedi.com/nexedi/gitlab-workhorse.git
+revision = v3.0.0-8-g74793ad3cc
+
 # Patch github markup to not call "python2 -S /path/to/rest2html" but only "python2 /path/to/rest2html"
 # NOTE github-markup invokes it as `python2`, that's why we are naming it this way
 # https://github.com/github/markup/blob/5393ae93/lib/github/markups.rb#L36
@@ -158,11 +181,23 @@ bundle  = ${bundler-4gitlab:bundle}

 configure-command = cd ${:path} &&
    ${:bundle} config --local build.charlock_holmes --with-icu-dir=${icu:location}  &&
-    ${:bundle} config --local build.pg --with-pg-config=${postgresql92:location}/bin/pg_config
+    ${:bundle} config --local build.pg --with-pg-config=${postgresql10:location}/bin/pg_config &&
+    ${:bundle} config --local build.re2 --with-re2-dir=${re2:location}

 make-binary =
 make-targets= cd ${:path} &&
-    ${:bundle} install --deployment  --without development test  mysql kerberos
+    ${:bundle} install --deployment  --without development test mysql aws kerberos
+environment =
+  PKG_CONFIG_PATH=${openssl-1.0:location}/lib/pkgconfig:${re2:location}/lib/pkgconfig
+  PATH=${pkgconfig:location}/bin:%(PATH)s
+
+################## Google re2
+[re2]
+recipe = slapos.recipe.cmmi
+url = https://github.com/google/re2/archive/2019-12-01.tar.gz
+md5sum = 527eab0c75d6a1a0044c6eefd816b2fb
+configure-command = :
+

 [gitlab_npm]
 recipe  = slapos.recipe.cmmi
@@ -173,7 +208,7 @@ make-binary =
 make-targets= cd ${:path} && npm install

 environment =
-  PATH=${nodejs-8.6.0:location}/bin/:%(PATH)s
+  PATH=${nodejs-8.12.0:location}/bin/:%(PATH)s

 #our go infrastructure not currently supporting submodules, IIRC
 # https://lab.nexedi.com/nexedi/slapos/merge_requests/337
@@ -193,27 +228,52 @@ environment =

 [gowork.goinstall]
 git2go = ${go_github.com_libgit2_git2go_prepare:path}/vendor/libgit2/install
-command = bash -c ". ${gowork:env.sh} && CGO_CFLAGS=-I${:git2go}/include CGO_LDFLAGS=-L${:git2go}/lib go install ${gowork:buildflags} -v $(echo -n '${gowork:install}' |tr '\n' ' ')"
+command = bash -c ". ${gowork:env.sh} && CGO_CFLAGS=-I${:git2go}/include CGO_LDFLAGS='-L${:git2go}/lib -lgit2' go install ${gowork:buildflags} -v $(echo -n '${gowork:install}' |tr '\n' ' ')"

 [gowork]
 golang  = ${golang1.12:location}
+gcc-bin-directory = ${golang1.12:gcc-bin-directory}
+# gitlab.com/gitlab-org/gitlab-workhorse
+# gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-cat
+# gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-metadata
 install =
  lab.nexedi.com/kirr/git-backup
-  gitlab.com/gitlab-org/gitlab-workhorse
-  gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-cat
-  gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-metadata
 cpkgpath =
    ${openssl-1.0:location}/lib/pkgconfig
    ${zlib:location}/lib/pkgconfig
    ${go_github.com_libgit2_git2go_prepare:path}/vendor/libgit2/install/lib/pkgconfig
 buildflags = --tags "static"

+[gitlab-workhorse]
+recipe = slapos.recipe.cmmi
+path = ${gitlab-workhorse-repository:location}
+md5sum = 2988c944d58c4a08880498c4981cc7b7
+configure-command = :
+make-binary =
+make-targets = 
+  . ${gowork:env.sh} && make install PREFIX=${gowork:directory}
+
 [gitlab-backup]
 recipe = plone.recipe.command
 command =
  cp -a ${go_lab.nexedi.com_kirr_git-backup:location}/contrib/gitlab-backup ${gowork:bin}
 update-command = ${:command}

+[gitaly-build]
+recipe = slapos.recipe.cmmi
+path = ${gitaly-repository:location}
+bundle  = ${bundler-4gitlab:bundle}
+
+configure-command = cd ${:path}/ruby &&
+    ${:bundle} config --local build.charlock_holmes --with-icu-dir=${icu:location}
+make-binary =
+make-targets =
+  . ${gowork:env.sh} && make
+environment =
+  PKG_CONFIG_PATH=${openssl-1.0:location}/lib/pkgconfig:${icu:location}/lib/pkgconfig
+  PATH=${pkgconfig:location}/bin:${ruby2.3:location}/bin:%(PATH)s
+
+
 [xnice-repository]
 # to get kirr's misc repo containing xnice script for executing processes
 # with lower priority (used for backup script inside the cron)
@@ -235,6 +295,7 @@ make-binary =
 make-targets= cd ${:path} &&
    ${:bundle} install --deployment  --without development test

+
 ###############################
 #   Trampoline for instance   #
 ###############################
@@ -297,6 +358,9 @@ destination = ${buildout:directory}/${:_buildout_section_name_}
 [gitlab.yml.in]
 <= download-file

+[gitaly-config.toml.in]
+<= download-file
+
 [instance-gitlab.cfg.in]
 <= download-file

@@ -340,6 +404,6 @@ strip-top-level-dir = true
 cns.recipe.symlink = 0.2.3
 docutils = 0.12
 plone.recipe.command = 1.1
-rubygemsrecipe  = 0.2.2+slapos001
-slapos.recipe.template = 4.4
+rubygemsrecipe = 0.2.2+slapos002
+slapos.recipe.template = 4.3
 z3c.recipe.scripts = 1.0.1
--- a/software/gitlab/template/gitaly-config.toml.in
+++ b/software/gitlab/template/gitaly-config.toml.in
+# Example Gitaly configuration file
+# Documentation lives at https://docs.gitlab.com/ee/administration/gitaly/ and
+# https://docs.gitlab.com/ee//administration/gitaly/reference
+
+socket_path = "{{ gitaly.socket }}"
+
+# The directory where Gitaly's executables are stored
+bin_dir = "{{ gitaly.location }}"
+
+# # Optional: listen on a TCP socket. This is insecure (no authentication)
+# listen_addr = "localhost:9999"
+# tls_listen_addr = "localhost:8888
+
+# # Optional: export metrics via Prometheus
+# prometheus_listen_addr = "localhost:9236"
+
+
+# # Git settings
+[git]
+bin_path = "{{ git }}"
+
+[[storage]]
+name = "default"
+path = "{{ gitlab.repositories }}"
+
+# # You can optionally configure more storages for this Gitaly instance to serve up
+#
+# [[storage]]
+# name = "other_storage"
+# path = "/mnt/other_storage/repositories"
+#
+
+# # You can optionally configure Gitaly to output JSON-formatted log messages to stdout
+# [logging]
+# format = "json"
+# # Additionally exceptions can be reported to Sentry
+# sentry_dsn = "https://<key>:<secret>@sentry.io/<project>
+
+
+# # You can optionally configure Gitaly to record histogram latencies on GRPC method calls
+# [prometheus]
+# grpc_latency_buckets = [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]
+
+[gitaly-ruby]
+# The directory where gitaly-ruby is installed
+dir = "{{ gitaly.location }}/ruby"
+
+
+[gitlab-shell]
+# The directory where gitlab-shell is installed
+dir = "{{ gitlab_shell_work.location }}"
+
--- a/software/gitlab/template/gitlab-shell-config.yml.in
+++ b/software/gitlab/template/gitlab-shell-config.yml.in
@@ -24,7 +24,7 @@ http_settings:
 # Give the canonicalized absolute pathname,
 # REPOS_PATH MUST NOT CONTAIN ANY SYMLINK!!!
 # Check twice that none of the components is a symlink, including "/home".
-repos_path: "{{ gitlab.repositories }}"
+# repos_path: "{{ gitlab.repositories }}"

 # File used as authorized_keys for gitlab user
 # NOTE not used in slapos version (all access via https only)
@@ -34,6 +34,9 @@ auth_file: "{{ gitlab.var }}/sshkeys-notused"
 # Default is .gitlab_shell_secret in the root directory.
 secret_file: "{{ gitlab_shell.secret }}"

+# Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)
+# Default is hooks in the gitlab-shell directory.
+custom_hooks_dir: "{{ gitlab_shell_work.location }}/hooks/"

 # Redis settings used for pushing commit notices to gitlab
 redis:
@@ -41,11 +44,6 @@ redis:
  host: {# <%= @redis_host %> #}
  port: {# <%= @redis_port %> #}
  socket: {{ service_redis.unixsocket }}
-{# we don't use password for redis
-<% if @redis_password %>
-  pass: <%= @redis_password %>
-<% end %>
-#}
  database: {# <%= @redis_database %> #}
  namespace: resque:gitlab


--- a/software/gitlab/template/gitlab.yml.in
+++ b/software/gitlab/template/gitlab.yml.in
@@ -32,6 +32,29 @@ production: &base
    relative_url_root: <%= @gitlab_relative_url %>
    #}

+    # Content Security Policy
+    # See https://guides.rubyonrails.org/security.html#content-security-policy
+    content_security_policy:
+      enabled: true
+      report_only: false
+      directives:
+        base_uri:
+        child_src:
+        connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
+        default_src: "'self'"
+        font_src:
+        form_action:
+        frame_ancestors: "'self'"
+        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
+        img_src: "* data: blob:"
+        manifest_src:
+        media_src:
+        object_src: "'none'"
+        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
+        style_src: "'self' 'unsafe-inline'"
+        worker_src: "'self' blob:"
+        report_uri:
+
    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
@@ -84,7 +107,7 @@ production: &base
      merge_requests:   {{ cfg('default_projects_features.merge_requests') }}
      wiki:             {{ cfg('default_projects_features.wiki') }}
      snippets:         {{ cfg('default_projects_features.snippets') }}
-      builds: false {# builds not supported yet <%= @gitlab_default_projects_features_builds %> #}
+      builds:           {{ cfg('default_projects_features.builds') }}
      {# container_registry: <%= @gitlab_default_projects_features_container_registry %> #}

    ## Webhook settings
@@ -148,6 +171,7 @@ production: &base
    storage_path: <%= @lfs_storage_path %>
  #}

+
  {# we do not support container registry
  ## Container Registry
  registry:
@@ -191,6 +215,9 @@ production: &base
    ssl_url:   <%= single_quote(@gravatar_ssl_url) %>    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    #}

+  ## Sidekiq
+  sidekiq:
+    log_format: json # (default is the original format)

  {# XXX cron jobs are disabled for now - we do not support CI and EE features or we are ok with defaults
  ## Auxiliary jobs
@@ -375,19 +402,18 @@ production: &base
    path: <%= @shared_path %>
  #}

+  # Gitaly settings
+  gitaly:
+    # Default Gitaly authentication token. Can be overriden per storage. Can
+    # be left blank when Gitaly is running locally on a Unix socket, which
+    # is the normal way to deploy Gitaly.
+    token:
+
+
  #
  # 4. Advanced settings
  # ==========================

-  # GitLab Satellites
-  # Important: keep the satellites.path setting until GitLab 9.0 at
-  # least. This setting is fed to 'rm -rf' in
-  # db/migrate/20151023144219_remove_satellites.rb
-  satellites:
-    # Relative paths are relative to Rails.root (default: tmp/repo_satellites/)
-    path: /dev/null
-    timeout: 0
-
  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
@@ -395,7 +421,11 @@ production: &base
    # gitlab-shell invokes Dir.pwd inside the repository path and that results
    # real path not the symlink.
    storages: # You must have at least a `default` storage path.
-      default: {{ gitlab.repositories }}
+      default:
+        path: {{ gitlab.repositories }}
+        gitaly_address: unix:{{ gitaly.socket }} # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).
+        # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.
+

  ## Backup settings
  backup:
@@ -420,8 +450,8 @@ production: &base
  ## GitLab Shell settings
  gitlab_shell:
    path: {{ gitlab_shell_work.location }}
+    authorized_keys_file: {{ gitlab.var }}/sshkeys-notused

-    # REPOS_PATH MUST NOT BE A SYMLINK!!!
    repos_path: {{ gitlab.repositories }}
    hooks_path: {{ gitlab_shell_work.location }}/hooks/
    secret_file: {{ gitlab_shell.secret }}
@@ -430,6 +460,9 @@ production: &base
    upload_pack: true
    receive_pack: true

+    # Git import/fetch timeout, in seconds. Defaults to 3 hours.
+    # git_timeout: 10800
+
    {# Git over SSH is disabled elsewhere (so we don't care about ssh_port)
    # If you use non-standard ssh port you need to specify it
    ssh_port: <%= @gitlab_shell_ssh_port %>
@@ -452,7 +485,6 @@ production: &base
    # Git timeout to read a commit, in seconds
    timeout: {{ cfg('git_timeout') }}

-
  #
  # 5. Extra customization
  # ==========================

--- a/software/gitlab/template/nginx-gitlab-http.conf.in
+++ b/software/gitlab/template/nginx-gitlab-http.conf.in
@@ -111,16 +111,71 @@ server {
  set_real_ip_from {{ trusted_address }};
  {% endfor %}

+  ## HSTS Config
+  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+  {% if cfg("nginx_hsts_max_age") > 0 -%}
+  {%   if '{{ cfg("nginx_hsts_include_subdomains") }}' == 'true' -%}
+  add_header Strict-Transport-Security "max-age={{ cfg('nginx_hsts_max_age') }}; includeSubDomains"
+  {%   else -%}
+  add_header Strict-Transport-Security "max-age={{ cfg('nginx_hsts_max_age') }}";
+  {%   endif -%}
+  {% endif -%}
+
  ## Individual nginx logs for this GitLab vhost
  access_log  {{ nginx.log }}/gitlab_access.log gitlab_access;
  error_log   {{ nginx.log }}/gitlab_error.log;
+  
+  # Set CORS header
+  add_header 'Access-Control-Allow-Origin' {{ cfg('nginx_header_allow_origin') }};
+  add_header 'Access-Control-Allow-Credentials' true;
+  #{{ 'gzip off;' if cfg_https else ''}}
+  {% if '{{ cfg("nginx_gzip_enabled") }}' == 'true' -%}
+  gzip on;
+  gzip_static on;
+  gzip_comp_level 2;
+  gzip_http_version 1.1;
+  gzip_vary on;
+  gzip_disable "msie6";
+  gzip_min_length 10240;
+  gzip_proxied no-cache no-store private expired auth;
+  gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml application/rss+xml;
+  {% endif -%}
+
+  ## https://github.com/gitlabhq/gitlabhq/issues/694
+  ## Some requests take more than 30 seconds.
+  proxy_read_timeout      {{ cfg('nginx_proxy_read_timeout') }};
+  proxy_connect_timeout   {{ cfg('nginx_proxy_connect_timeout') }};
+  proxy_redirect          off;
+
+  proxy_http_version 1.1;

  {# we do not support relative URL - path is always "/" #}
  {% set path = "/" %}
+  
+  #if ($http_host = "") {
+  #  set $http_host_with_default "<%= default_host %>";
+  #}
+  #if ($http_host != "") {
+  #  set $http_host_with_default $http_host;
+  #}
+  location ~ (\.git/gitlab-lfs/objects|\.git/info/lfs/objects/batch$) {
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    {% if cfg_https %}
+    proxy_set_header    X-Forwarded-Ssl     on;
+    {% endif %}
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_https else "http" }};
+
+    proxy_pass http://gitlab-workhorse;
+  }
+
  location {{ path }} {
-    # Set CORS header
-    add_header 'Access-Control-Allow-Origin' {{ cfg('nginx_header_allow_origin') }};
-    add_header 'Access-Control-Allow-Credentials' true;
+    # NOTE(slapos) proxy headers are defined upstream in omnibus-gitlab in:
+    #   - files/gitlab-config-template/gitlab.rb.template       nginx['proxy_set_headers']
+    #   - files/gitlab-cookbooks/gitlab/attributes/default.rb   default['gitlab']['nginx']['proxy_set_headers']
+    #   - files/gitlab-cookbooks/gitlab/libraries/gitlab.rb     parse_nginx_proxy_headers()
+    # (last updated for omnibus-gitlab 8.5.1+ce.0-1-ge732b39)
    if ($request_method = OPTIONS ) {
        add_header Allow "GET, OPTIONS";
        add_header Content-Type text/plain;
@@ -128,23 +183,7 @@ server {
        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Authorization, Content-Type, Accept";
        return 200;
    }
-    ## If you use HTTPS make sure you disable gzip compression
-    ## to be safe against BREACH attack.
-    {{ 'gzip off;' if cfg_https else ''}}
-
-    ## https://github.com/gitlabhq/gitlabhq/issues/694
-    ## Some requests take more than 30 seconds.
-    proxy_read_timeout      {{ cfg('nginx_proxy_read_timeout') }};
-    proxy_connect_timeout   {{ cfg('nginx_proxy_connect_timeout') }};
-    proxy_redirect          off;
-
-    proxy_http_version 1.1;
-
-    # NOTE(slapos) proxy headers are defined upstream in omnibus-gitlab in:
-    #   - files/gitlab-config-template/gitlab.rb.template       nginx['proxy_set_headers']
-    #   - files/gitlab-cookbooks/gitlab/attributes/default.rb   default['gitlab']['nginx']['proxy_set_headers']
-    #   - files/gitlab-cookbooks/gitlab/libraries/gitlab.rb     parse_nginx_proxy_headers()
-    # (last updated for omnibus-gitlab 8.5.1+ce.0-1-ge732b39)
+    proxy_cache off;
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    {% if cfg_https %}
@@ -153,7 +192,12 @@ server {
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_https else "http" }};

-    proxy_pass http://gitlab-workhorse;
+    proxy_pass  http://gitlab-workhorse;
+  }
+
+  location ~ ^/(assets)/ {
+    proxy_cache off;
+    proxy_pass  http://gitlab-workhorse;
  }

  error_page 404 /404.html;
@@ -169,3 +213,4 @@ server {
  <%= @custom_gitlab_server_config %>
  #}
 }
+
--- a/software/gitlab/template/nginx.conf.in
+++ b/software/gitlab/template/nginx.conf.in
@@ -50,6 +50,42 @@ http {

  include {{ nginx_gitlab_http_conf }};

+  map $http_upgrade $connection_upgrade {
+      default upgrade;
+      ''      close;
+  }
+
+  # Remove private_token from the request URI
+  # In:  /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
+  # Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
+  map $request_uri $temp_request_uri_1 {
+    default $request_uri;
+    ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
+  }
+
+  # Remove authenticity_token from the request URI
+  # In:  /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
+  # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
+  map $temp_request_uri_1 $temp_request_uri_2 {
+    default $temp_request_uri_1;
+    ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
+  }
+
+  # Remove rss_token from the request URI
+  # In:  /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
+  # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
+  map $temp_request_uri_2 $filtered_request_uri {
+    default $temp_request_uri_2;
+    ~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
+  }
+
+  # A version of the referer without the query string
+  map $http_referer $filtered_http_referer {
+    default $http_referer;
+    ~^(?<temp>.*)\? $temp;
+  }
+
+
  {# we don't need: ci, pages, mattermost, registry
  include <%= @gitlab_ci_http_config %>
  include <%= @gitlab_pages_http_config %>;

--- a/software/gitlab/template/smtp_settings.rb.in
+++ b/software/gitlab/template/smtp_settings.rb.in
@@ -29,3 +29,4 @@ end
 # SMTP disabled in instance configuration (see `smtp_enable` parameter).
 # Mail sending, if enabled (see `email_enabled`), will be done via sendmail.
 {% endif %}
+
--- a/software/gitlab/template/unicorn.rb.in
+++ b/software/gitlab/template/unicorn.rb.in
@@ -17,8 +17,20 @@ working_directory '{{ gitlab_work.location }}'
 # What the timeout for killing busy workers is, in seconds
 timeout {{ cfg('unicorn_worker_timeout') }}

-# Whether the app should be pre-loaded
+# combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings
+# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow
 preload_app true
+GC.respond_to?(:copy_on_write_friendly=) and
+  GC.copy_on_write_friendly = true
+
+
+# Enable this flag to have unicorn test client connections by writing the
+# beginning of the HTTP headers before calling the application.  This
+# prevents calling the application for connections that have disconnected
+# while queued.  This is only guaranteed to detect clients on the same
+# host unicorn runs on, and unlikely to detect disconnects even on a
+# fast LAN.
+check_client_connection false

 # How many worker processes
 worker_processes {{ cfg('unicorn_worker_processes') }}
@@ -35,6 +47,10 @@ before_fork do |server, worker|
  # defined?(ActiveRecord::Base) and
  #   ActiveRecord::Base.connection.disconnect!

+  # The following is only recommended for memory/DB-constrained
+  # installations.  It is not needed if your system can house
+  # twice as many worker_processes as you have configured.
+  #
  # This allows a new master process to incrementally
  # phase out the old master process with SIGTTOU to avoid a
  # thundering herd (especially in the "preload_app false" case)
@@ -48,8 +64,15 @@ before_fork do |server, worker|
    rescue Errno::ENOENT, Errno::ESRCH
    end
  end
+  #
+  # Throttle the master from forking too quickly by sleeping.  Due
+  # to the implementation of standard Unix signal handlers, this
+  # helps (but does not completely) prevent identical, repeated signals
+  # from being lost when the receiving process is busy.
+  # sleep 1
 end

+
 # What to do after we fork a worker
 after_fork do |server, worker|
  # per-process listener ports for debugging/admin/migrations
@@ -60,6 +83,17 @@ after_fork do |server, worker|
  # # the following is *required* for Rails + "preload_app true",
  # defined?(ActiveRecord::Base) and
  #   ActiveRecord::Base.establish_connection
+  
+  # reset prometheus client, this will cause any opened metrics files to be closed
+  #defined?(::Prometheus::Client.reinitialize_on_pid_change) &&
+  #  Prometheus::Client.reinitialize_on_pid_change
+
+  # if preload_app is true, then you may also want to check and
+  # restart any other shared sockets/descriptors such as Memcached,
+  # and Redis.  TokyoCabinet file handles are safe to reuse
+  # between any number of forked children (assuming your kernel
+  # correctly implements pread()/pwrite() system calls)
+
 end