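{{ autogenerated }}
# see:
# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
# (last updated for omnibus-gitlab 8.8.9+ce.0-g25376053)
#
# Jinja2 template for GitLab's gitlab.yml. Values come from the cfg, cfg_https and
# external_url macros imported below and from the gitlab, gitaly, gitlab_shell,
# gitlab_shell_work, backend_info and git objects referenced in this file.
# ERB fragments (<%= ... %>) appear only inside Jinja comment blocks: they record
# upstream options this deployment leaves out and are dropped at render time.
#
# NOTE(review): most Jinja values below are written as plain, unquoted YAML scalars.
# A value containing ": ", " #", a newline or a leading YAML indicator would be
# re-parsed as structure instead of being kept as a string. Confirm that every
# source of these values is operator-controlled or validated before rendering.

{% from 'macrolib.cfg.in' import cfg, cfg_https, external_url with context %}

production: &base
  #
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    {% set default_port = {'http': 80, 'https': 443} %}
    # port falls back to the scheme's default (80 or 443) when external_url has no explicit port.
    host: {{ external_url.hostname }}
    port: {{ external_url.port or default_port[external_url.scheme] }}
    https: {{ cfg_https }}

    # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout.
    # Default is 95% of the worker timeout.
    # max_request_duration_seconds: 57

    {# ssh is disabled completely in slapos version
    # Uncomment this line below if your ssh host is different from HTTP/HTTPS one
    # (you'd obviously need to replace ssh.host_example.com with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    ssh_host: <%= @gitlab_ssh_host %>
    #}

    # WARNING: See config/application.rb under "Relative url support" for the list of
    # other files that need to be changed for relative url support
    {# we do not support relative URL
    relative_url_root: <%= @gitlab_relative_url %>
    #}

    # Content Security Policy
    # See https://guides.rubyonrails.org/security.html#content-security-policy
    #
    # The policy is enforced rather than report-only (enabled: true, report_only: false).
    # report_uri is empty, so presumably no violation reports are sent anywhere;
    # directives with an empty value are rendered as YAML null.
    # NOTE(review): script_src allows 'unsafe-eval' and http://localhost:*, connect_src
    # allows localhost over http/ws/wss, style_src allows 'unsafe-inline' and img_src
    # allows any origin. Each of these weakens the protection the policy gives against
    # injected content. Check which ones this GitLab version still requires and
    # whether the localhost sources belong in a production policy.
    content_security_policy:
      enabled: true
      report_only: false
      directives:
        base_uri:
        child_src:
        connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
        default_src: "'self'"
        font_src:
        form_action:
        frame_ancestors: "'self'"
        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
        img_src: "* data: blob:"
        manifest_src:
        media_src:
        object_src: "'none'"
        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
        style_src: "'self' 'unsafe-inline'"
        worker_src: "'self' blob:"
        report_uri:

    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    #
    # Each whitespace-separated entry of nginx_real_ip_trusted_addresses becomes one list item.
    # NOTE(review): the hosts listed here are trusted to report the real client address.
    # Keep the list to reverse proxies you operate; with an over-broad entry the
    # client address GitLab records for sign-ins can no longer be relied on.
    trusted_proxies:
    {% for proxy in cfg("nginx_real_ip_trusted_addresses").split() %}
      - {{ proxy }}
    {% endfor %}

    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    user: {{ backend_info.user }}

    ## Date & Time settings
    time_zone: '{{ cfg("time_zone") }}'

    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    email_enabled: {{ cfg('email_enabled') }}
    # Email address used in the "From" field in mails sent by GitLab
    email_from: {{ cfg('email_from') }}
    email_display_name: {{ cfg('email_display_name') }}
    email_reply_to: {{ cfg('email_reply_to') }}
    email_subject_suffix: ''

    # Email server smtp settings are in [a separate file](initializers/smtp_settings.rb.sample).

    ## User settings
    default_can_create_group: {{ cfg('default_can_create_group') }}  # default: true
    username_changing_enabled: {{ cfg('username_changing_enabled') }}  # default: true - User can change her username/namespace
    ## Default theme
    ##   1 - Graphite
    ##   2 - Charcoal
    ##   3 - Green
    ##   4 - Gray
    ##   5 - Violet
    ##   6 - Blue
    default_theme: {{ cfg('default_theme') }}  # default: 2

    {# for now we are ok with default issue-closing pattern
    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified the default issue_closing_pattern as specified below will be used.
    # Tip: you can test your closing pattern at http://rubular.com
    issue_closing_pattern: <%= single_quote(@gitlab_issue_closing_pattern) %>
    #}

    ## Default project features settings
    default_projects_features:
      issues: {{ cfg('default_projects_features.issues') }}
      merge_requests: {{ cfg('default_projects_features.merge_requests') }}
      wiki: {{ cfg('default_projects_features.wiki') }}
      snippets: {{ cfg('default_projects_features.snippets') }}
      builds: {{ cfg('default_projects_features.builds') }}
      {# container_registry: <%= @gitlab_default_projects_features_container_registry %> #}

    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    webhook_timeout: {{ cfg('webhook_timeout') }}

    {# default is just ok
    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
    # repository_downloads_path: shared/cache/archive/
    repository_downloads_path: <%= @gitlab_repository_downloads_path %>
    #}

  {# we do not support reply by email
  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  incoming_email:
    enabled: <%= @incoming_email_enabled %>

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    address: <%= single_quote(@incoming_email_address) %>

    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: <%= single_quote(@incoming_email_email) %>
    # Email account password
    password: <%= single_quote(@incoming_email_password) %>

    # IMAP server host
    host: <%= single_quote(@incoming_email_host) %>
    # IMAP server port
    port: <%= @incoming_email_port %>
    # Whether the IMAP server uses SSL
    ssl: <%= @incoming_email_ssl %>
    # Whether the IMAP server uses StartTLS
    start_tls: <%= @incoming_email_start_tls %>

    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: <%= single_quote(@incoming_email_mailbox_name) %>
    # The IDLE command timeout.
    idle_timeout: 60
  #}

  {# we do not support build artifacts
  ## Build Artifacts
  artifacts:
    enabled: <%= @artifacts_enabled %>
    # The location where Build Artifacts are stored (default: shared/artifacts).
    path: <%= @artifacts_path %>
  #}

  {# we do not support LFS
  ## Git LFS
  lfs:
    enabled: <%= @lfs_enabled %>
    # The location where LFS objects are stored (default: shared/lfs-objects).
    storage_path: <%= @lfs_storage_path %>
  #}

  ## Uploads
  uploads:
    # The location where uploads objects are stored (default: public/).
    storage_path: "{{ gitlab.var }}"
    # The location where uploads objects are stored (default: public/).
    # storage_path: public/
    # base_dir: uploads/-/system
    object_store:
      enabled: false
      remote_directory: uploads  # Bucket name

  {# we do not support container registry
  ## Container Registry
  registry:
    enabled: <%= @registry_enabled %>
    host: <%= @registry_host %>
    port: <%= @registry_port %>
    api_url: <%= @registry_api_url %> # internal address to the registry, will be used by GitLab to directly communicate with API
    path: <%= @registry_path %>
    key: <%= @registry_key_path %>
    issuer: <%= @registry_issuer %>
  #}

  {# we do not support Pages
  ## GitLab Pages (EE only)
  pages:
    enabled: <%= @pages_enabled %>
    path: <%= @pages_path %>
    host: <%= @pages_host %>
    port: <%= @pages_port %>
    https: <%= @pages_https %>
    external_http: <%= @pages_external_http %>
    external_https: <%= @pages_external_https %>
  #}

  {# we do not support Elasticsearch
  ## Elasticsearch (EE only)
  # Enable it if you are going to use elasticsearch instead of
  # regular database search
  elasticsearch:
    enabled: <%= @elasticsearch_enabled %>
    host: <%= @elasticsearch_host %>
    port: <%= @elasticsearch_port %>
  #}

  ## Gravatar
  ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
  # Everything under gravatar is inside a Jinja comment, so the key renders with a null value.
  gravatar:
    {# default is just ok
    # gravatar urls: possible placeholders: %{hash} %{size} %{email}
    plain_url: <%= single_quote(@gravatar_plain_url) %>     # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    ssl_url:   <%= single_quote(@gravatar_ssl_url) %>      # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    #}

  ## Sidekiq
  sidekiq:
    log_format: json  # (default is the original format)

  {# XXX cron jobs are disabled for now - we do not support CI and EE features or we are ok with defaults
  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
    # Flag stuck CI builds as failed
    stuck_ci_builds_worker:
      cron: <%= @stuck_ci_builds_worker_cron %>
    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron: <%= @repository_archive_cache_worker_cron %>

    ##
    # GitLab EE only jobs:

    # Snapshot active users statistics
    historical_data_worker:
      cron: <%= @historical_data_worker_cron %>

    # Update mirrored repositories
    update_all_mirrors_worker:
      cron: <%= @update_all_mirrors_worker_cron %>

    # Update remote mirrors
    update_all_remote_mirrors_worker:
      cron: <%= @update_all_remote_mirrors_worker_cron %>

    # In addition to refreshing users when they log in,
    # periodically refresh LDAP users membership.
    # NOTE: This will only take effect if LDAP is enabled
    ldap_sync_worker:
      cron: <%= @ldap_sync_worker_cron %>

    # Gitlab Geo nodes notification worker
    # NOTE: This will only take effect if Geo is enabled
    geo_bulk_notify_worker:
      cron: <%= @geo_bulk_notify_worker_cron %>
  #}

  #
  # 2. GitLab CI settings
  # ==========================

  {# we do not support CI
  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    all_broken_builds: <%= @gitlab_ci_all_broken_builds %>
    #
    # Add pusher to recipients list (default: false)
    add_pusher: <%= @gitlab_ci_add_pusher || @gitlab_ci_add_committer %>

    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    builds_path: <%= @builds_directory %>
  #}

  #
  # 3. Auth settings
  # ==========================

  # LDAP, Kerberos and OmniAuth are all hard-coded to enabled: false below; the upstream
  # options for each are kept in Jinja comments and are not rendered.

  ## LDAP settings
  # You can inspect a sample of the LDAP users with login access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: false
    {# just disabled
    enabled: <%= @ldap_enabled %>
    sync_time: <%= @ldap_sync_time %>
    <% if @ldap_servers.any? %>
    servers:
    <% @ldap_servers.each do |provider_id, settings| %>
      <%= provider_id %>: <%= settings.to_json %>
    <% end %>
    <% else %>
    host: <%= single_quote(@ldap_host) %>
    port: <%= @ldap_port %>
    uid: <%= single_quote(@ldap_uid) %>
    method: <%= single_quote(@ldap_method) %> # "tls" or "ssl" or "plain"
    bind_dn: <%= single_quote(@ldap_bind_dn) %>
    password: <%= single_quote(@ldap_password) %>
    active_directory: <%= @ldap_active_directory %>
    allow_username_or_email_login: <%= @ldap_allow_username_or_email_login %>
    base: <%= single_quote(@ldap_base) %>
    user_filter: <%= single_quote(@ldap_user_filter) %>

    ## EE only
    group_base: <%= single_quote(@ldap_group_base) %>
    admin_group: <%= single_quote(@ldap_admin_group) %>
    sync_ssh_keys: <%= single_quote(@ldap_sync_ssh_keys) %>
    sync_time: <%= @ldap_sync_time %>
    <% end %>
    #}

  ## Kerberos settings
  kerberos:
    enabled: false
    {# just disabled
    # Allow the HTTP Negotiate authentication method for Git clients
    enabled: <%= @kerberos_enabled %>

    # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
    # and should be different from other keytabs in the system.
    # (default: use default keytab from Krb5 config)
    keytab: <%= @kerberos_keytab %>

    # The Kerberos service name to be used by GitLab.
    # (default: accept any service name in keytab file)
    service_principal_name: <%= @kerberos_service_principal_name %>

    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
    # To support both Basic and Negotiate methods with older versions of Git, configure
    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
    # to dedicate this port to Kerberos authentication. (default: false)
    use_dedicated_port: <%= @kerberos_use_dedicated_port %>
    port: <%= @kerberos_port %>
    https: <%= @kerberos_https %>
    #}

  ## OmniAuth settings
  omniauth:
    enabled: false
    {# just disabled
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: <%= @omniauth_enabled %>

    # Uncomment this to automatically sign in with a specific omniauth provider's without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    auto_sign_in_with_provider: <%= @omniauth_auto_sign_in_with_provider %>

    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed
    # providers using an array, e.g. ["saml", "twitter"]
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: <%= @omniauth_allow_single_sign_on.to_json %>
    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: <%= @omniauth_block_auto_created_users %>
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: <%= @omniauth_auto_link_ldap_user %>

    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: <%= @omniauth_auto_link_saml_user.to_json %>

    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: <%= @omniauth_external_providers.to_json %>

    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    providers:
      # - { name: 'google_oauth2', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'twitter', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET'}
      # - { name: 'github', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET',
      #     args: { scope: 'user:email' } }
    <% @omniauth_providers.each do |provider| %>
      - <%= provider.to_json %>
    <% end %>
    #}

  {# default ($RAILS_ROOT/shared/) is ok - we symlinked it to proper place
  # Shared file storage settings
  shared:
    path: <%= @shared_path %>
  #}

  # Gitaly settings
  # This setting controls whether GitLab uses Gitaly
  # Eventually Gitaly use will become mandatory and
  # this option will disappear.
  #
  # token has no value (YAML null), so no Gitaly token is configured in this file.
  # NOTE(review): the default storage below reaches Gitaly over a unix socket, so access
  # presumably rests on the socket's file permissions. Confirm they are limited to
  # the GitLab user.
  gitaly:
    client_path: {{ gitaly.location }}
    token:

  #
  # 4. Advanced settings
  # ==========================

  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # IMPORTANT: None of the path components may be symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path and that results
    # real path not the symlink.
    storages:  # You must have at least a `default` storage path.
      default:
        path: {{ gitlab.repositories }}
        gitaly_address: unix:{{ gitaly.socket }}  # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).
        # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.

  ## Backup settings
  # archive_permissions is not set here, so the upstream default applies
  # (0600 according to the upstream text kept in the Jinja comment below).
  # upload has no rendered children, so it renders as null and nothing in this
  # file configures a remote backup target.
  backup:
    path: "{{ gitlab.backup }}"  # Relative paths are relative to Rails.root (default: tmp/backups/)
    {# default permission is ok
    archive_permissions: <%= @backup_archive_permissions %> # Permissions for the resulting backup.tar file (default: 0600)
    #}
    keep_time: {{ cfg('backup_keep_time') }}  # default: 0 (forever) (in seconds)
    {# default to backup all schemas is just ok
    pg_schema: <%= @backup_pg_schema %>     # default: nil, it means that all schemas will be backed up
    #}
    upload:
      {# we don't want to upload backup anywhere by gitlab builtin mechanisms
      # Fog storage connection settings, see http://fog.io/storage/ .
      connection: <%= @backup_upload_connection.to_json if @backup_upload_connection %>
      # The remote 'directory' to store your backups. For S3, this would be the bucket name.
      remote_directory: <%= single_quote(@backup_upload_remote_directory) %>
      multipart_chunk_size: <%= @backup_multipart_chunk_size %>
      encryption: <%= @backup_encryption %>
      #}

  ## GitLab Shell settings
  # authorized_keys_file points at a placeholder path (sshkeys-notused); the notes in this
  # file say ssh is disabled in this deployment.
  # NOTE(review): secret_file presumably holds the secret shared between gitlab-shell
  # and the GitLab application. Confirm the rendered path is readable only by the
  # GitLab user.
  gitlab_shell:
    path: {{ gitlab_shell_work.location }}
    authorized_keys_file: {{ gitlab.var }}/sshkeys-notused
    repos_path: {{ gitlab.repositories }}
    hooks_path: {{ gitlab_shell_work.location }}/hooks/
    secret_file: {{ gitlab_shell.secret }}

    # Git over HTTP
    upload_pack: true
    receive_pack: true

    # Git import/fetch timeout, in seconds. Defaults to 3 hours.
    # git_timeout: 10800

    {# Git over SSH is disabled elsewhere (so we don't care about ssh_port)
    # If you use non-standard ssh port you need to specify it
    ssh_port: <%= @gitlab_shell_ssh_port %>
    #}

    # The git-annex option (EE only) is kept inside a Jinja comment like the other
    # unsupported upstream options, so its ERB placeholder is not written into the
    # rendered file as a literal string value.
    {# git-annex is EE only and is not supported here
    # git-annex support (EE only)
    # If this setting is set to true, the same setting in config.yml of
    # gitlab-shell needs to be set to true
    git_annex_enabled: <%= @git_annex_enabled %>
    #}

  ## Git settings
  # CAUTION!
  # Use the default values unless you really know what you are doing
  git:
    bin_path: {{ git }}
    # The next value is the maximum memory size grit can use
    # Given in number of bytes per git object (e.g. a commit)
    # This value can be increased if you have very large commits
    max_size: {{ cfg('git_max_size') }}
    # Git timeout to read a commit, in seconds
    timeout: {{ cfg('git_timeout') }}

  #
  # 5. Extra customization
  # ==========================

  extra:
    {# we do not use google analytics
    <% if @extra_google_analytics_id %>
    ## Google analytics. Uncomment if you want it
    google_analytics_id: <%= single_quote(@extra_google_analytics_id) %>
    <% end %>
    #}

    {# we do not use piwik
    <% if @extra_piwik_url %>
    ## Piwik analytics.
    piwik_url: <%= single_quote(@extra_piwik_url) %>
    piwik_site_id: <%= single_quote(@extra_piwik_site_id) %>
    <% end %>
    #}

  {# we are ok (for now) with default rack-attack git settings
  rack_attack:
    git_basic_auth: <%= @rack_attack_git_basic_auth.to_json if @rack_attack_git_basic_auth %>
  #}

    ## Site ICP License
    # XXX unquote needed only for slapos.core earlier than
    # https://lab.nexedi.com/nexedi/slapos.core/commit/347d33d6
    # for now we have a lot of old slapos.core deployed...
    #
    # NOTE(review): the ICP value is percent-decoded and then written as a plain scalar.
    # A decoded newline, ": " or " #" would change the structure of this file rather
    # than the licence text. Confirm icp_license is validated before it reaches this
    # template, or emit it quoted (a quoted form is kept in the Jinja comment below).
    # NOTE(review): ICP is placed under extra here; confirm the nesting against the
    # code that reads it.
    # The if tag ends with a whitespace-stripping marker, so ICP is rendered at the
    # indentation of the tag itself; keep the tag aligned with the keys of extra.
    {% if cfg('icp_license') != '' -%}
    ICP: {{ urllib.unquote_plus( str(cfg('icp_license')) ).decode('utf-8') }}
    {# ICP: '{{ cfg("icp_license") }}' #}
    {% endif %}

# The environments below reuse production through a YAML merge key. The merge is
# shallow: a top-level key redefined in an environment replaces the whole
# production mapping for that key instead of being combined with it.
development:
  <<: *base

# In test, gitlab is redefined with only host and port, so production's
# content_security_policy and trusted_proxies are not inherited there.
test:
  <<: *base
  gravatar:
    enabled: true
  gitlab:
    host: localhost
    port: 80

    # When you run tests we clone and setup gitlab-shell
    # In order to setup it correctly you need to specify
    # your system username you use to run GitLab
    # user: YOUR_USERNAME
  satellites:
    path: tmp/tests/gitlab-satellites/
  repositories:
    storages:
      default: tmp/tests/repositories/
  gitlab_shell:
    path: tmp/tests/gitlab-shell/
    repos_path: tmp/tests/repositories/
    hooks_path: tmp/tests/gitlab-shell/hooks/
  issues_tracker:
    redmine:
      title: "Redmine"
      project_url: "http://redmine/projects/:issues_tracker_id"
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
  # Test fixture only: LDAP stays disabled, and the sample server is a loopback
  # address using the unencrypted 'plain' method.
  ldap:
    enabled: false
    servers:
      main:
        label: ldap
        host: 127.0.0.1
        port: 3890
        uid: 'uid'
        method: 'plain'  # "tls" or "ssl" or "plain"
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''
        sync_ssh_keys: false

staging:
  <<: *base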