{{ autogenerated }}
# see:
# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
# (last updated for omnibus-gitlab 8.8.9+ce.0-g25376053)

{% from 'macrolib.cfg.in' import cfg, cfg_https, external_url  with context %}

production: &base
  #
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    {% set default_port = {'http': 80, 'https': 443} %}
    host: {{ external_url.hostname }}
    port: {{ external_url.port or default_port[external_url.scheme] }}
    https: {{ cfg_https }}
    # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout.
    # Default is 95% of the worker timeout.
    # max_request_duration_seconds: 57

    {# ssh is disabled completely in slapos version
    # Uncomment this line below if your ssh host is different from the HTTP/HTTPS one
    # (you'd obviously need to replace ssh.host_example.com with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    ssh_host: <%= @gitlab_ssh_host %>
    #}

    # WARNING: See config/application.rb under "Relative url support" for the list of
    # other files that need to be changed for relative url support
    {# we do not support relative URL
    relative_url_root: <%= @gitlab_relative_url %>
    #}

    # Content Security Policy
    # See https://guides.rubyonrails.org/security.html#content-security-policy
    # With enabled: true and report_only: false the policy is enforced by the
    # browser, not merely reported. Directives left without a value parse as
    # YAML null, which presumably means "not emitted in the header" — confirm
    # against the GitLab CSP initializer.
    content_security_policy:
      enabled: true
      report_only: false
      directives:
        base_uri:
        child_src:
        # Also allows localhost over http/ws/wss — presumably a development
        # allowance inherited from upstream; verify it is wanted in this deployment.
        connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
        default_src: "'self'"
        font_src:
        form_action:
        # Same-origin framing only: limits clickjacking from third-party pages.
        frame_ancestors: "'self'"
        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
        # Images may be loaded from any origin, including data: and blob: URLs.
        img_src: "* data: blob:"
        manifest_src:
        media_src:
        # No plugin/object embeds at all.
        object_src: "'none'"
        # 'unsafe-eval' permits eval()-style script execution and weakens the
        # XSS containment CSP is meant to provide; it appears to be carried over
        # from the upstream gitlab.yml.example referenced at the top of this file.
        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
        # 'unsafe-inline' on styles allows inline style attributes and blocks.
        style_src: "'self' 'unsafe-inline'"
        worker_src: "'self' blob:"
        # Left unset, so presumably no violation reports are collected.
        report_uri:

    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    # Populated from the nginx_real_ip_trusted_addresses setting (whitespace
    # separated, one list item per address). Keep it to the real proxy
    # addresses only: anything listed here is trusted to supply the client IP
    # via forwarded headers, so an over-broad list lets a client choose the
    # address GitLab attributes to its requests.
    trusted_proxies:
    {% for proxy in cfg("nginx_real_ip_trusted_addresses").split() %}
      - {{ proxy }}
    {% endfor %}

    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    user: {{ backend_info.user }}

    ## Date & Time settings
    time_zone: '{{ cfg("time_zone") }}'

    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    email_enabled:      {{ cfg('email_enabled') }}
    # Email address used in the "From" field in mails sent by GitLab
    email_from:         {{ cfg('email_from') }}
    email_display_name: {{ cfg('email_display_name') }}
    email_reply_to:     {{ cfg('email_reply_to') }}
    email_subject_suffix: ''

    # Email server smtp settings are in [a separate file](initializers/smtp_settings.rb.sample).

    ## User settings
    default_can_create_group: {{ cfg('default_can_create_group') }}  # default: true
    username_changing_enabled: {{ cfg('username_changing_enabled') }} # default: true - User can change her username/namespace
    ## Default theme
    ##   1 - Graphite
    ##   2 - Charcoal
    ##   3 - Green
    ##   4 - Gray
    ##   5 - Violet
    ##   6 - Blue
    default_theme: {{ cfg('default_theme') }} # default: 2

    {# for now we are ok with default issue-closing pattern
    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified the default issue_closing_pattern as specified below will be used.
    # Tip: you can test your closing pattern at http://rubular.com
    issue_closing_pattern: <%= single_quote(@gitlab_issue_closing_pattern) %>
    #}

    ## Default project features settings
    default_projects_features:
      issues:           {{ cfg('default_projects_features.issues') }}
      merge_requests:   {{ cfg('default_projects_features.merge_requests') }}
      wiki:             {{ cfg('default_projects_features.wiki') }}
      snippets:         {{ cfg('default_projects_features.snippets') }}
      builds:           {{ cfg('default_projects_features.builds') }}
      {# container_registry: <%= @gitlab_default_projects_features_container_registry %> #}

    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    webhook_timeout: {{ cfg('webhook_timeout') }}

    {# default is just ok
    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
    # repository_downloads_path: shared/cache/archive/
    repository_downloads_path: <%= @gitlab_repository_downloads_path %>
    #}

  {# we do not support reply by email
  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  incoming_email:
    enabled: <%= @incoming_email_enabled %>

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    address: <%= single_quote(@incoming_email_address) %>

    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: <%= single_quote(@incoming_email_email) %>
    # Email account password
    password: <%= single_quote(@incoming_email_password) %>

    # IMAP server host
    host: <%= single_quote(@incoming_email_host) %>
    # IMAP server port
    port: <%= @incoming_email_port %>
    # Whether the IMAP server uses SSL
    ssl: <%= @incoming_email_ssl %>
    # Whether the IMAP server uses StartTLS
    start_tls: <%= @incoming_email_start_tls %>

    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: <%= single_quote(@incoming_email_mailbox_name) %>
    # The IDLE command timeout.
    idle_timeout: 60
  #}

  {# we do not support build artifacts
  ## Build Artifacts
  artifacts:
    enabled: <%= @artifacts_enabled %>
    # The location where Build Artifacts are stored (default: shared/artifacts).
    path: <%= @artifacts_path %>
  #}

  {# we do not support LFS
  ## Git LFS
  lfs:
    enabled: <%= @lfs_enabled %>
    # The location where LFS objects are stored (default: shared/lfs-objects).
    storage_path: <%= @lfs_storage_path %>
  #}

  ## Uploads
  uploads:
    # The location where uploads objects are stored (default: public/).
    storage_path: "{{ gitlab.var }}"
    # The location where uploads objects are stored (default: public/).
    # storage_path: public/
    # base_dir: uploads/-/system
    object_store:
      enabled: false
      remote_directory: uploads # Bucket name

  {# we do not support container registry
  ## Container Registry
  registry:
    enabled: <%= @registry_enabled %>
    host: <%= @registry_host %>
    port: <%= @registry_port %>
    api_url: <%= @registry_api_url %> # internal address to the registry, will be used by GitLab to directly communicate with API
    path: <%= @registry_path %>
    key: <%= @registry_key_path %>
    issuer: <%= @registry_issuer %>
  #}

  {# we do not support Pages
  ## GitLab Pages (EE only)
  pages:
    enabled: <%= @pages_enabled %>
    path: <%= @pages_path %>
    host: <%= @pages_host %>
    port: <%= @pages_port %>
    https: <%= @pages_https %>
    external_http: <%= @pages_external_http %>
    external_https: <%= @pages_external_https %>
  #}

  {# we do not support Elasticsearch
  ## Elasticsearch (EE only)
  # Enable it if you are going to use elasticsearch instead of
  # regular database search
  elasticsearch:
    enabled: <%= @elasticsearch_enabled %>
    host: <%= @elasticsearch_host %>
    port: <%= @elasticsearch_port %>
  #}

  ## Gravatar
  ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
  gravatar:
    {# default is just ok
    # gravatar urls: possible placeholders: %{hash} %{size} %{email}
    plain_url: <%= single_quote(@gravatar_plain_url) %>     # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    ssl_url:   <%= single_quote(@gravatar_ssl_url) %>    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    #}

  ## Sidekiq
  sidekiq:
    log_format: json # (default is the original format)

  {# XXX cron jobs are disabled for now - we do not support CI and EE features or we are ok with defaults
  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
    # Flag stuck CI builds as failed
    stuck_ci_builds_worker:
      cron: <%= @stuck_ci_builds_worker_cron %>

    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron: <%= @repository_archive_cache_worker_cron %>

    ##
    # GitLab EE only jobs:

    # Snapshot active users statistics
    historical_data_worker:
      cron: <%= @historical_data_worker_cron %>

    # Update mirrored repositories
    update_all_mirrors_worker:
      cron: <%= @update_all_mirrors_worker_cron %>

    # Update remote mirrors
    update_all_remote_mirrors_worker:
      cron: <%= @update_all_remote_mirrors_worker_cron %>

    # In addition to refreshing users when they log in,
    # periodically refresh LDAP users membership.
    # NOTE: This will only take effect if LDAP is enabled
    ldap_sync_worker:
      cron: <%= @ldap_sync_worker_cron %>

    # Gitlab Geo nodes notification worker
    # NOTE: This will only take effect if Geo is enabled
    geo_bulk_notify_worker:
      cron: <%= @geo_bulk_notify_worker_cron %>
  #}

  #
  # 2. GitLab CI settings
  # ==========================

  {# we do not support CI
  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    all_broken_builds: <%= @gitlab_ci_all_broken_builds %>
    #
    # Add pusher to recipients list (default: false)
    add_pusher: <%= @gitlab_ci_add_pusher || @gitlab_ci_add_committer %>

    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    builds_path: <%= @builds_directory %>
  #}

  #
  # 3. Auth settings
  # ==========================

  ## LDAP settings
  # You can inspect a sample of the LDAP users with login access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: false
    {# just disabled
    enabled: <%= @ldap_enabled %>
    sync_time: <%= @ldap_sync_time %>
  <% if @ldap_servers.any? %>
    servers:
    <% @ldap_servers.each do |provider_id, settings| %>
      <%= provider_id %>: <%= settings.to_json %>
    <% end %>
  <% else %>
    host: <%= single_quote(@ldap_host) %>
    port: <%= @ldap_port %>
    uid: <%= single_quote(@ldap_uid) %>
    method: <%= single_quote(@ldap_method) %> # "tls" or "ssl" or "plain"
    bind_dn: <%= single_quote(@ldap_bind_dn) %>
    password: <%= single_quote(@ldap_password) %>
    active_directory: <%= @ldap_active_directory %>
    allow_username_or_email_login: <%= @ldap_allow_username_or_email_login %>
    base: <%= single_quote(@ldap_base) %>
    user_filter: <%= single_quote(@ldap_user_filter) %>

    ## EE only
    group_base: <%= single_quote(@ldap_group_base) %>
    admin_group: <%= single_quote(@ldap_admin_group) %>
    sync_ssh_keys: <%= single_quote(@ldap_sync_ssh_keys) %>
    sync_time: <%= @ldap_sync_time %>
  <% end %>
  #}

  ## Kerberos settings
  kerberos:
    enabled: false
    {# just disabled
    # Allow the HTTP Negotiate authentication method for Git clients
    enabled: <%= @kerberos_enabled %>

    # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
    # and should be different from other keytabs in the system.
    # (default: use default keytab from Krb5 config)
    keytab: <%= @kerberos_keytab %>

    # The Kerberos service name to be used by GitLab.
    # (default: accept any service name in keytab file)
    service_principal_name: <%= @kerberos_service_principal_name %>

    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
    # To support both Basic and Negotiate methods with older versions of Git, configure
    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
    # to dedicate this port to Kerberos authentication. (default: false)
    use_dedicated_port: <%= @kerberos_use_dedicated_port %>
    port: <%= @kerberos_port %>
    https: <%= @kerberos_https %>
    #}


  ## OmniAuth settings
  omniauth:
    enabled: false
    {# just disabled
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: <%= @omniauth_enabled %>

    # Uncomment this to automatically sign in with a specific omniauth provider without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    auto_sign_in_with_provider: <%= @omniauth_auto_sign_in_with_provider %>

    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed
    # providers using an array, e.g. ["saml", "twitter"]
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: <%= @omniauth_allow_single_sign_on.to_json %>

    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: <%= @omniauth_block_auto_created_users %>
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: <%= @omniauth_auto_link_ldap_user %>

    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: <%= @omniauth_auto_link_saml_user.to_json %>

    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: <%= @omniauth_external_providers.to_json %>

    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    providers:
      # - { name: 'google_oauth2', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'twitter', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET'}
      # - { name: 'github', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET',
      #     args: { scope: 'user:email' } }
<% @omniauth_providers.each do |provider| %>
      - <%= provider.to_json %>
<% end %>
    #}

  {# default ($RAILS_ROOT/shared/) is ok - we symlinked it to proper place
  # Shared file storage settings
  shared:
    path: <%= @shared_path %>
  #}

  # Gitaly settings
  # This setting controls whether GitLab uses Gitaly
  # Eventually Gitaly use will become mandatory and
  # this option will disappear.
  gitaly:
    client_path: {{ gitaly.location }}
    # Left empty (parses as YAML null): no shared Gitaly auth token is configured.
    # NOTE(review): the default storage reaches Gitaly over a unix socket
    # (repositories.storages.default.gitaly_address), which is presumably why
    # token auth is not used — confirm before ever pointing it at a tcp:// or
    # tls:// address.
    token:


  #
  # 4. Advanced settings
  # ==========================

  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # IMPORTANT: None of the path components may be a symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path and that returns
    # the real path, not the symlink.
    storages: # You must have at least a `default` storage path.
      default:
        path: {{ gitlab.repositories }}
        gitaly_address: unix:{{ gitaly.socket }} # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).
        # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.


  ## Backup settings
  backup:
    path: "{{ gitlab.backup }}"   # Relative paths are relative to Rails.root (default: tmp/backups/)
    {# default permission is ok
    archive_permissions: <%= @backup_archive_permissions %> # Permissions for the resulting backup.tar file (default: 0600)
    #}
    keep_time: {{ cfg('backup_keep_time') }}   # default: 0 (forever) (in seconds)
    {# default to backup all schemas is just ok
    pg_schema: <%= @backup_pg_schema %>   # default: nil, it means that all schemas will be backed up
    #}
    upload:
      {# we don't want to upload backup anywhere by gitlab builtin mechanisms
      # Fog storage connection settings, see http://fog.io/storage/ .
      connection: <%= @backup_upload_connection.to_json if @backup_upload_connection %>
      # The remote 'directory' to store your backups. For S3, this would be the bucket name.
      remote_directory: <%= single_quote(@backup_upload_remote_directory) %>
      multipart_chunk_size: <%= @backup_multipart_chunk_size %>
      encryption: <%= @backup_encryption %>
      #}

  ## GitLab Shell settings
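  gitlab_shell:
    path: {{ gitlab_shell_work.location }}
    # SSH access is disabled in this deployment; the file is named to make
    # that explicit and is not used for authentication.
    authorized_keys_file: {{ gitlab.var }}/sshkeys-notused

    repos_path: {{ gitlab.repositories }}
    hooks_path: {{ gitlab_shell_work.location }}/hooks/
    secret_file: {{ gitlab_shell.secret }}

    # Git over HTTP
    upload_pack: true
    receive_pack: true

    # Git import/fetch timeout, in seconds. Defaults to 3 hours.
    # git_timeout: 10800

    {# Git over SSH is disabled elsewhere (so we don't care about ssh_port)
    # If you use non-standard ssh port you need to specify it
    ssh_port: <%= @gitlab_shell_ssh_port %>
    #}

    # git-annex support (EE only)
    # If this setting is set to true, the same setting in config.yml of
    # gitlab-shell needs to be set to true
    # Explicitly disabled. The omnibus ERB fragment below is not evaluated by
    # this Jinja template; left outside a {# #} comment it was emitted verbatim
    # as the non-empty string "<%= @git_annex_enabled %>" instead of a boolean.
    git_annex_enabled: false
    {# just disabled
    git_annex_enabled: <%= @git_annex_enabled %>
    #}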

  ## Git settings
  # CAUTION!
  # Use the default values unless you really know what you are doing
  git:
    bin_path: {{ git }}
    # The next value is the maximum memory size grit can use
    # Given in number of bytes per git object (e.g. a commit)
    # This value can be increased if you have very large commits
    max_size: {{ cfg('git_max_size') }}
    # Git timeout to read a commit, in seconds
    timeout: {{ cfg('git_timeout') }}

  #
  # 5. Extra customization
  # ==========================

  extra:
    {# we do not use google analytics
    <% if @extra_google_analytics_id %>
    ## Google analytics. Uncomment if you want it
    google_analytics_id: <%= single_quote(@extra_google_analytics_id) %>
    <% end %>
    #}

    {# we do not use piwik
    <% if @extra_piwik_url %>
    ## Piwik analytics.
    piwik_url: <%= single_quote(@extra_piwik_url) %>
    piwik_site_id: <%= single_quote(@extra_piwik_site_id) %>
    <% end %>
    #}

    {# we are ok (for now) with default rack-attack git settings
    rack_attack:
      git_basic_auth: <%= @rack_attack_git_basic_auth.to_json if @rack_attack_git_basic_auth %>
    #}


    ## Site ICP License
    # XXX unquote needed only for slapos.core earlier than
    #   https://lab.nexedi.com/nexedi/slapos.core/commit/347d33d6
    # for now we have a lot of old slapos.core deployed...
    {% if cfg('icp_license') != '' -%}
    ICP: {{ urllib.unquote_plus( str(cfg('icp_license')) ).decode('utf-8') }}
    {# ICP: '{{ cfg("icp_license") }}' #}
    {% endif %}


development:
  <<: *base

test:
  <<: *base
  gravatar:
    enabled: true
  gitlab:
    host: localhost
    port: 80

    # When you run tests we clone and setup gitlab-shell
    # In order to setup it correctly you need to specify
    # your system username you use to run GitLab
    # user: YOUR_USERNAME
  satellites:
    path: tmp/tests/gitlab-satellites/
  repositories:
    storages:
      default: tmp/tests/repositories/
  gitlab_shell:
    path: tmp/tests/gitlab-shell/
    repos_path: tmp/tests/repositories/
    hooks_path: tmp/tests/gitlab-shell/hooks/
  issues_tracker:
    redmine:
      title: "Redmine"
      project_url: "http://redmine/projects/:issues_tracker_id"
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
  ldap:
    enabled: false
    servers:
      main:
        label: ldap
        host: 127.0.0.1
        port: 3890
        uid: 'uid'
        method: 'plain' # "tls" or "ssl" or "plain"
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''
        sync_ssh_keys: false

staging:
  <<: *base