Commit 6fd7b987 authored by Kirill Smelkov's avatar Kirill Smelkov

gitlab: Import gitlab-ce & gitlab-shell configs from omnibus-gitlab

Pristine import of template configuration files from omnibus GitLab
package. All files were imported as-is in their ERB form and filenames
from omnibus-gitlab 8.2.3+ce.0-0-g8eda093 from here:

    https://gitlab.com/gitlab-org/omnibus-gitlab/tree/8eda093/files/gitlab-cookbooks/gitlab/templates/default

We will convert the templates to jinja2 and adjust them to slapos
version in the following patches.

Scheme for synchronizing with future upstream changes is envisioned as this:

    - checkout latest commit which updated pristine erb files
    - copy updated files from omnibus-gitlab, and commit the updates
    - checkout slapos master
    - merge commit that updated erb

That should reasonably work with not too-many conflicts and even those
should be not hard to resolve (with `git mergetool` e.g. in kdiff3)

/cc @kazuhiko, @jerome
parent 2ddc5b0c
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
production:
adapter: <%= @db_adapter %>
encoding: <%= @db_encoding %>
collation: <%= @db_collation %>
database: <%= @db_database %>
pool: <%= @db_pool %>
username: <%= single_quote(@db_username) %>
password: <%= single_quote(@db_password) %>
host: <%= single_quote(@db_host) %>
port: <%= @db_port %>
socket: <%= single_quote(@db_socket) %>
sslmode: <%= single_quote(@db_sslmode) %>
sslrootcert: <%= single_quote(@db_sslrootcert) %>
# This file is used by Rack-based servers to start the application.
if defined?(Unicorn)
require 'unicorn'
if ENV['RAILS_ENV'] == 'production' || ENV['RAILS_ENV'] == 'staging'
# Unicorn self-process killer
require 'unicorn/worker_killer'
# Max memory size (RSS) per worker
use Unicorn::WorkerKiller::Oom, (<%= @worker_memory_limit_min %>), (<%= @worker_memory_limit_max %>)
end
end
require ::File.expand_path('../config/environment', __FILE__)
map ENV['RAILS_RELATIVE_URL_ROOT'] || "/" do
run Gitlab::Application
end
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
# GitLab user. git by default
user: <%= @user %>
# Url to gitlab instance. Used for api calls. Should end with a slash.
gitlab_url: "<%= @api_url %>"
http_settings:
<%= @http_settings.to_json if @http_settings %>
# user: someone
# password: somepass
# ca_file: /etc/ssl/cert.pem
# ca_path: /etc/pki/tls/certs
# self_signed_cert: false
# Repositories path
# Give the canonicalized absolute pathname,
# REPOS_PATH MUST NOT CONTAIN ANY SYMLINK!!!
# Check twice that none of the components is a symlink, including "/home".
repos_path: "<%= @repositories_path %>"
# File used as authorized_keys for gitlab user
auth_file: "<%= @authorized_keys %>"
# Redis settings used for pushing commit notices to gitlab
redis:
bin: /opt/gitlab/embedded/bin/redis-cli
host: <%= @redis_host %>
port: <%= @redis_port %>
<% if @redis_socket %>
socket: <%= @redis_socket %>
<% end %>
<% if @redis_password %>
pass: <%= @redis_password %>
<% end %>
database: <%= @redis_database %>
namespace: resque:gitlab
# Log file.
# Default is gitlab-shell.log in the root directory.
log_file: "<%= @log_file %>"
# Log level. INFO by default
log_level: <%= @log_level %>
# Audit usernames.
# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
# incurs an extra API call on every gitlab-shell command.
audit_usernames: <%= @audit_usernames %>
# Enable git-annex support
# git-annex allows managing files with git, without checking the file contents into git
# See https://git-annex.branchable.com/ for documentation
# If enabled, git-annex needs to be installed on the server where gitlab-shell is setup
# For Debian and Ubuntu systems this can be done with: sudo apt-get install git-annex
# For CentOS: sudo yum install epel-release && sudo yum install git-annex
git_annex_enabled: <%= @git_annex_enabled %>
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
production: &base
#
# 1. GitLab app settings
# ==========================
## GitLab settings
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
host: <%= @gitlab_host %>
port: <%= @gitlab_port %>
https: <%= @gitlab_https %>
# Uncommment this line below if your ssh host is different from HTTP/HTTPS one
# (you'd obviously need to replace ssh.host_example.com with your own host).
# Otherwise, ssh host will be set to the `host:` value above
ssh_host: <%= @gitlab_ssh_host %>
# WARNING: See config/application.rb under "Relative url support" for the list of
# other files that need to be changed for relative url support
# relative_url_root: /gitlab
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
user: <%= node['gitlab']['user']['username'] %>
## Date & Time settings
time_zone: <%= single_quote(@time_zone) %>
## Email settings
# Uncomment and set to false if you need to disable email sending from GitLab (default: true)
email_enabled: <%= @gitlab_email_enabled %>
# Email address used in the "From" field in mails sent by GitLab
email_from: <%= @gitlab_email_from %>
email_display_name: <%= @gitlab_email_display_name %>
email_reply_to: <%= @gitlab_email_reply_to %>
# Email server smtp settings are in [a separate file](initializers/smtp_settings.rb.sample).
## User settings
default_can_create_group: <%= @gitlab_default_can_create_group %> # default: true
username_changing_enabled: <%= @gitlab_username_changing_enabled %> # default: true - User can change her username/namespace
## Default theme
## BASIC = 1
## MARS = 2
## MODERN = 3
## GRAY = 4
## COLOR = 5
default_theme: <%= @gitlab_default_theme %> # default: 2
# Restrict setting visibility levels for non-admin users.
# The default is to allow all levels.
restricted_visibility_levels: <%= @gitlab_restricted_visibility_levels unless @gitlab_restricted_visibility_levels.nil? %>
## Automatic issue closing
# If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
# This happens when the commit is pushed or merged into the default branch of a project.
# When not specified the default issue_closing_pattern as specified below will be used.
# Tip: you can test your closing pattern at http://rubular.com
issue_closing_pattern: <%= single_quote(@gitlab_issue_closing_pattern) %>
## Default project features settings
default_projects_features:
issues: <%= @gitlab_default_projects_features_issues %>
merge_requests: <%= @gitlab_default_projects_features_merge_requests %>
wiki: <%= @gitlab_default_projects_features_wiki %>
snippets: <%= @gitlab_default_projects_features_snippets %>
visibility_level: <%= single_quote(@gitlab_default_projects_features_visibility_level) %> # can be "private" | "internal" | "public"
builds: <%= @gitlab_default_projects_features_builds %>
## Webhook settings
# Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
webhook_timeout: <%= @webhook_timeout %>
## Repository downloads directory
# When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
# The default is 'tmp/repositories' relative to the root of the Rails app.
repository_downloads_path: <%= @gitlab_repository_downloads_path %>
## Reply by email
# Allow users to comment on issues and merge requests by replying to notification emails.
# For documentation on how to set this up, see http://doc.gitlab.com/ce/incoming_email/README.html
incoming_email:
enabled: <%= @incoming_email_enabled %>
# The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
# The `%{key}` placeholder is added after the user part, after a `+` character, before the `@`.
address: <%= single_quote(@incoming_email_address) %>
# Email account username
# With third party providers, this is usually the full email address.
# With self-hosted email servers, this is usually the user part of the email address.
user: <%= single_quote(@incoming_email_email) %>
# Email account password
password: <%= single_quote(@incoming_email_password) %>
# IMAP server host
host: <%= single_quote(@incoming_email_host) %>
# IMAP server port
port: <%= @incoming_email_port %>
# Whether the IMAP server uses SSL
ssl: <%= @incoming_email_ssl %>
# Whether the IMAP server uses StartTLS
start_tls: <%= @incoming_email_start_tls %>
# The mailbox where incoming mail will end up. Usually "inbox".
mailbox: <%= single_quote(@incoming_email_mailbox_name) %>
## Build Artifacts
artifacts:
enabled: <%= @artifacts_enabled %>
# The location where Build Artifacts are stored (default: shared/artifacts).
storage_path: <%= @artifacts_path %>
## Git LFS
lfs:
enabled: <%= @lfs_enabled %>
# The location where LFS objects are stored (default: shared/lfs-objects).
storage_path: <%= @lfs_storage_path %>
## Gravatar
## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
gravatar:
# gravatar urls: possible placeholders: %{hash} %{size} %{email}
plain_url: <%= single_quote(@gravatar_plain_url) %> # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
ssl_url: <%= single_quote(@gravatar_ssl_url) %> # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
#
# 2. GitLab CI settings
# ==========================
gitlab_ci:
# Default project notifications settings:
#
# Send emails only on broken builds (default: true)
all_broken_builds: <%= @gitlab_ci_all_broken_builds %>
#
# Add pusher to recipients list (default: false)
add_pusher: <%= @gitlab_ci_add_pusher || @gitlab_ci_add_committer %>
# The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
builds_path: <%= @builds_directory %>
#
# 3. Auth settings
# ==========================
## LDAP settings
# You can inspect a sample of the LDAP users with login access by running:
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap:
enabled: <%= @ldap_enabled %>
<% if @ldap_servers.any? %>
servers:
<% @ldap_servers.each do |provider_id, settings| %>
<%= provider_id %>: <%= settings.to_json %>
<% end %>
<% else %>
host: <%= single_quote(@ldap_host) %>
port: <%= @ldap_port %>
uid: <%= single_quote(@ldap_uid) %>
method: <%= single_quote(@ldap_method) %> # "tls" or "ssl" or "plain"
bind_dn: <%= single_quote(@ldap_bind_dn) %>
password: <%= single_quote(@ldap_password) %>
active_directory: <%= @ldap_active_directory %>
allow_username_or_email_login: <%= @ldap_allow_username_or_email_login %>
base: <%= single_quote(@ldap_base) %>
user_filter: <%= single_quote(@ldap_user_filter) %>
## EE only
group_base: <%= single_quote(@ldap_group_base) %>
admin_group: <%= single_quote(@ldap_admin_group) %>
sync_ssh_keys: <%= single_quote(@ldap_sync_ssh_keys) %>
sync_time: <%= @ldap_sync_time %>
<% end %>
## Kerberos settings
kerberos:
# Allow the HTTP Negotiate authentication method for Git clients
enabled: <%= @kerberos_enabled %>
# Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
# and should be different from other keytabs in the system.
# (default: use default keytab from Krb5 config)
keytab: <%= @kerberos_keytab %>
# The Kerberos service name to be used by GitLab.
# (default: accept any service name in keytab file)
service_principal_name: <%= @kerberos_service_principal_name %>
# Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
# To support both Basic and Negotiate methods with older versions of Git, configure
# nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
# to dedicate this port to Kerberos authentication. (default: false)
use_dedicated_port: <%= @kerberos_use_dedicated_port %>
port: <%= @kerberos_port %>
https: <%= @kerberos_https %>
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
enabled: <%= @omniauth_enabled %>
# Uncomment this to automatically sign in with a specific omniauth provider's without
# showing GitLab's sign-in page (default: show the GitLab sign-in page)
auto_sign_in_with_provider: <%= @omniauth_auto_sign_in_with_provider %>
# CAUTION!
# This allows users to login without having a user account first (default: false).
# User accounts will be created automatically when authentication was successful.
allow_single_sign_on: <%= @omniauth_allow_single_sign_on %>
# Locks down those users until they have been cleared by the admin (default: true).
block_auto_created_users: <%= @omniauth_block_auto_created_users %>
# Look up new users in LDAP servers. If a match is found (same uid), automatically
# link the omniauth identity with the LDAP account. (default: false)
auto_link_ldap_user: <%= @omniauth_auto_link_ldap_user %>
## Auth providers
# Uncomment the following lines and fill in the data of the auth provider you want to use
# If your favorite auth provider is not listed you can use others:
# see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
# The 'app_id' and 'app_secret' parameters are always passed as the first two
# arguments, followed by optional 'args' which can be either a hash or an array.
# Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
providers:
# - { name: 'google_oauth2', app_id: 'YOUR APP ID',
# app_secret: 'YOUR APP SECRET',
# args: { access_type: 'offline', approval_prompt: '' } }
# - { name: 'twitter', app_id: 'YOUR APP ID',
# app_secret: 'YOUR APP SECRET'}
# - { name: 'github', app_id: 'YOUR APP ID',
# app_secret: 'YOUR APP SECRET',
# args: { scope: 'user:email' } }
<% @omniauth_providers.each do |provider| %>
- <%= provider.to_json %>
<% end %>
# Shared file storage settings
shared:
path: <%= @shared_path %>
#
# 4. Advanced settings
# ==========================
# GitLab Satellites
# Important: keep the satellites.path setting until GitLab 9.0 at
# least. This setting is fed to 'rm -rf' in
# db/migrate/20151023144219_remove_satellites.rb
satellites:
# Relative paths are relative to Rails.root (default: tmp/repo_satellites/)
path: <%= @satellites_path %>
timeout: <%= @satellites_timeout %>
## Backup settings
backup:
path: "<%= @backup_path %>" # Relative paths are relative to Rails.root (default: tmp/backups/)
archive_permissions: <%= @backup_archive_permissions %> # Permissions for the resulting backup.tar file (default: 0600)
keep_time: <%= @backup_keep_time %> # default: 0 (forever) (in seconds)
pg_schema: <%= @backup_pg_schema %> # default: nil, it means that all schemas will be backed up
upload:
# Fog storage connection settings, see http://fog.io/storage/ .
connection: <%= @backup_upload_connection.to_json if @backup_upload_connection %>
# The remote 'directory' to store your backups. For S3, this would be the bucket name.
remote_directory: <%= single_quote(@backup_upload_remote_directory) %>
multipart_chunk_size: <%= @backup_multipart_chunk_size %>
encryption: <%= @backup_encryption %>
## GitLab Shell settings
gitlab_shell:
path: <%= @gitlab_shell_path %>
# REPOS_PATH MUST NOT BE A SYMLINK!!!
repos_path: <%= @gitlab_shell_repos_path %>
hooks_path: <%= @gitlab_shell_hooks_path %>
# Git over HTTP
upload_pack: <%= @gitlab_shell_upload_pack %>
receive_pack: <%= @gitlab_shell_receive_pack %>
# If you use non-standard ssh port you need to specify it
ssh_port: <%= @gitlab_shell_ssh_port %>
## Git settings
# CAUTION!
# Use the default values unless you really know what you are doing
git:
bin_path: <%= @git_bin_path %>
# The next value is the maximum memory size grit can use
# Given in number of bytes per git object (e.g. a commit)
# This value can be increased if you have very large commits
max_size: <%= @git_max_size %>
# Git timeout to read a commit, in seconds
timeout: <%= @git_timeout %>
#
# 5. Extra customization
# ==========================
extra:
<% if @extra_google_analytics_id %>
## Google analytics. Uncomment if you want it
google_analytics_id: <%= single_quote(@extra_google_analytics_id) %>
<% end %>
<% if @extra_piwik_url %>
## Piwik analytics.
piwik_url: <%= single_quote(@extra_piwik_url) %>
piwik_site_id: <%= single_quote(@extra_piwik_site_id) %>
<% end %>
rack_attack:
git_basic_auth: <%= @rack_attack_git_basic_auth.to_json if @rack_attack_git_basic_auth %>
development:
<<: *base
test:
<<: *base
gravatar:
enabled: true
gitlab:
host: localhost
port: 80
# When you run tests we clone and setup gitlab-shell
# In order to setup it correctly you need to specify
# your system username you use to run GitLab
# user: YOUR_USERNAME
satellites:
path: tmp/tests/gitlab-satellites/
gitlab_shell:
path: tmp/tests/gitlab-shell/
repos_path: tmp/tests/repositories/
hooks_path: tmp/tests/gitlab-shell/hooks/
issues_tracker:
redmine:
title: "Redmine"
project_url: "http://redmine/projects/:issues_tracker_id"
issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
ldap:
enabled: false
servers:
main:
label: ldap
host: 127.0.0.1
port: 3890
uid: 'uid'
method: 'plain' # "tls" or "ssl" or "plain"
base: 'dc=example,dc=com'
user_filter: ''
group_base: 'ou=groups,dc=example,dc=com'
admin_group: ''
sync_ssh_keys: false
staging:
<<: *base
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
# 1. Rename this file to rack_attack.rb
# 2. Review the paths_to_be_protected and add any other path you need protecting
#
paths_to_be_protected = [
"#{Rails.application.config.relative_url_root}/users/password",
"#{Rails.application.config.relative_url_root}/users/sign_in",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
"#{Rails.application.config.relative_url_root}/users",
"#{Rails.application.config.relative_url_root}/users/confirmation",
"#{Rails.application.config.relative_url_root}/unsubscribes/"
]
# Create one big regular expression that matches strings starting with any of
# the paths_to_be_protected.
paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
unless Rails.env.test?
Rack::Attack.throttle('protected paths', limit: <%= @rate_limit_requests_per_period %>, period: <%= @rate_limit_period %>.seconds) do |req|
if req.post? && req.path =~ paths_regex
req.ip
end
end
end
production: <%= @redis_url %>
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
<% rails_app = @app == 'gitlab' ? 'Gitlab' : 'GitlabCi' %>
<% container = @app == 'gitlab' ? 'gitlab-rails' : 'gitlab-ci' %>
if Rails.env.production?
<%= rails_app %>::Application.config.action_mailer.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
authentication: <%= @smtp_authentication.to_s.to_sym.inspect %>,
<% %w{ address port user_name password domain enable_starttls_auto tls openssl_verify_mode ca_path ca_file }.each do |key| %>
<% value = node['gitlab'][container]["smtp_#{key}"] %>
<%= "#{key}: #{value.inspect}," unless value.nil? %>
<% end %>
}
end
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
# What ports/sockets to listen on, and what options for them.
<%- @listen.each do |port, options| %>
listen "<%= port %>", <%= options %>
<%- end %>
<%- if @working_directory %>
working_directory '<%= @working_directory %>'
<%- end %>
# What the timeout for killing busy workers is, in seconds
timeout <%= @worker_timeout %>
# Whether the app should be pre-loaded
preload_app <%= @preload_app %>
# How many worker processes
worker_processes <%= @worker_processes %>
<%- if @before_fork %>
# What to do before we fork a worker
before_fork do |server, worker|
<%= @before_fork %>
end
<%- end %>
<%- if @after_fork %>
# What to do after we fork a worker
after_fork do |server, worker|
<%= @after_fork %>
end
<%- end %>
<%- if @pid %>
# Where to drop a pidfile
pid '<%= @pid %>'
<%- end %>
<%- if @stderr_path %>
# Where stderr gets logged
stderr_path '<%= @stderr_path %>'
<%- end %>
<%- if @stdout_path %>
# Where stdout gets logged
stdout_path '<%= @stdout_path %>'
<%- end %>
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment