X Separate parameters + buildout -> jinja2

software/gitlab/gitlab-parameters.cfg

+[gitlab-parameters]
+# gitlab instance parameters
+# ( parameter names and advanced defaults taken from omnibus-gitlab
+#   files/gitlab-config-template/gitlab.rb.template.
+#
+#   last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9
+#   TODO recheck )
+
+configuration.rate_limit_requests_per_period    = 10
+configuration.rate_limit_period                 = 60
+
+# XXX not used yet
+configuration.initial_root_password     = password
+
+configuration.email_enabled             = true
+configuration.email_from                = lab@example.com
+configuration.email_display_name        = GitLab
+configuration.email_reply_to            = noreply@example.com
+
+# FIXME XXX smtp_enable not used yet
+configuration.smtp_enable               = true
+configuration.smtp_address              = smtp.server
+configuration.smtp_port                 = 456
+configuration.smtp_user_name            = smtp user
+configuration.smtp_password             = smtp password
+configuration.smtp_domain               = lab.example.com
+configuration.smtp_authentication       = login
+configuration.smtp_enable_starttls_auto = true
+configuration.smtp_openssl_verify_mode  = peer
+
+configuration.default_can_create_group  = true
+configuration.username_changing_enabled = true
+configuration.default_theme             = 2
+
+configuration.default_projects_features.issues          = true
+configuration.default_projects_features.merge_requests  = true
+configuration.default_projects_features.wiki            = true
+configuration.default_projects_features.snippets        = true
+# NOTE can be public|private|internal
+configuration.default_projects_features.visibility_level= public
+
+configuration.webhook_timeout           = 10
+
+# # XXX empty ok (gitlab substitutes its own default ?)
+# # XXX or better explicitly make it 30 (omnibus default) ?
+# # TODO -> remove
+# configuration.satellites_timeout        =
+
+# 0 means forever (seconds)
+configuration.backup_keep_time          = 0
+
+# NOTE empty = default gitlab limits
+configuration.git_max_size              =
+configuration.git_timeout               =
+
+# unicorn
+configuration.unicorn_worker_timeout    = 60
+configuration.unicorn_worker_processes  = 2
+
+
+# unicorn advanced
+configuration.unicorn_tcp_nopush        = true
+
+# nginx
+configuration.nginx_proxy_read_timeout  = 300
+configuration.nginx_proxy_connect_timeout  = 300
+
+# nginx advanced
+configuration.nginx_worker_processes    = 4
+configuration.nginx_worker_connections  = 10240
+configuration.nginx_sendfile            = on
+configuration.nginx_tcp_nopush          = on
+configuration.nginx_tcp_nodelay         = on
+configuration.nginx_gzip                = on
+configuration.nginx_gzip_http_version   = 1.0
+configuration.nginx_gzip_comp_level     = 2
+configuration.nginx_gzip_proxied        = any
+configuration.nginx_gzip_types          = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
+configuration.nginx_keepalive_timeout   = 65
+

software/gitlab/instance-gitlab.cfg.in

@@ -2,6 +2,7 @@
 # NOTE instance/software layout is inspired by gitlab omnibus
 # TODO last updated for gitlab-omnibus vXXXX
 [buildout]
+extends = {{ gitlab_parameters_cfg }}
 parts =
     directory
 #   promise     TODO
@@ -35,85 +36,11 @@ url     = ${slap-connection:server-url}
 key     = ${slap-connection:key-file}
 cert    = ${slap-connection:cert-file}
 
-# gitlab instance parameters
-# ( parameter names and advanced defaults taken from omnibus-gitlab
-#   files/gitlab-config-template/gitlab.rb.template.
-#
-#   last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9
-#   TODO recheck )
-
-configuration.rate_limit_requests_per_period    = 10
-configuration.rate_limit_period                 = 60
-
-# XXX not used yet
-configuration.initial_root_password     = "password"
-
-configuration.email_enabled             = true
-configuration.email_from                = lab@example.com
-configuration.email_display_name        = GitLab
-configuration.email_reply_to            = noreply@example.com
-
-# FIXME XXX smtp_enable not used yet
-configuration.smtp_enable               = true
-configuration.smtp_address              = smtp.server
-configuration.smtp_port                 = 456
-configuration.smtp_user_name            = smtp user
-configuration.smtp_password             = smtp password
-configuration.smtp_domain               = lab.example.com
-configuration.smtp_authentication       = login
-configuration.smtp_enable_starttls_auto = true
-configuration.smtp_openssl_verify_mode  = peer
-
-configuration.default_can_create_group  = true
-configuration.username_changing_enabled = true
-configuration.default_theme             = 2
-
-configuration.default_projects_features.issues          = true
-configuration.default_projects_features.merge_requests  = true
-configuration.default_projects_features.wiki            = true
-configuration.default_projects_features.snippets        = true
-# NOTE can be public|private|internal
-configuration.default_projects_features.visibility_level= public
-
-configuration.webhook_timeout           = 10
-
-# # XXX empty ok (gitlab substitutes its own default ?)
-# # XXX or better explicitly make it 30 (omnibus default) ?
-# # TODO -> remove
-# configuration.satellites_timeout        =
-
-# 0 means forever (seconds)
-configuration.backup_keep_time          = 0
-
-# NOTE empty = default gitlab limits
-configuration.git_max_size              =
-configuration.git_timeout               =
-
-# unicorn
-configuration.unicorn_worker_timeout    = 60
-configuration.unicorn_worker_processes  = {{ multiprocessing.cpu_count() + 1 }}
-
-
-# unicorn advanced
-configuration.unicorn_tcp_nopush        = true
-
-# nginx
-configuration.nginx_proxy_read_timeout  = 300
-configuration.nginx_proxy_connect_timeout  = 300
-
-# nginx advanced
-configuration.nginx_worker_processes    = 4
-configuration.nginx_worker_connections  = 10240
-configuration.nginx_sendfile            = on
-configuration.nginx_tcp_nopush          = on
-configuration.nginx_tcp_nodelay         = on
-configuration.nginx_gzip                = on
-configuration.nginx_gzip_http_version   = 1.0
-configuration.nginx_gzip_comp_level     = 2
-configuration.nginx_gzip_proxied        = any
-configuration.nginx_gzip_types          = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
-configuration.nginx_keepalive_timeout   = 65
+# autogenerated gitlab instance parameters
+<= gitlab-parameters
 
+# adjust/override some default settings
+configuration.unicorn_worker_processes  = {{ multiprocessing.cpu_count() + 1 }}
 
 
 # for convenience

software/gitlab/instance.cfg.in

@@ -28,6 +28,7 @@ context =
     key eggs_directory          buildout:eggs-directory
     key develop_eggs_directory  buildout:develop-eggs-directory
     key software_release_url    slap-connection:software-release-url
+    raw gitlab_parameters_cfg       ${gitlab-parameters.cfg:target}
     raw gitlab_repository_location  ${gitlab-repository:location}
     raw bundler_4gitlab             ${bundler-4gitlab:bundle}
     raw git                         ${git:location}/bin/git

software/gitlab/software.cfg

@@ -173,6 +173,10 @@ url     = ${:_profile_base_location_}/template/${:_buildout_section_name_}
 <= download-file
 # md5sum = TODO
 
+[gitlab-parameters.cfg]
+<= download-file
+# md5sum = TODO
+
 [instance-nginx.cfg.in]
 <= download-file
 # md5sum = TODO

software/gitlab/template/nginx-gitlab-http.conf.in

@@ -13,8 +13,8 @@ upstream gitlab-git-http-server {
   server unix:<%= node['gitlab']['gitlab-git-http-server']['listen_addr'] %>;
 }
 
-# TODO do always
-<% if @https && @redirect_http_to_https %>
+# TODO -> conf parameters
+{% if cfg('https') && cfg('redirect_http_to_https') %}
 ## Redirects all HTTP traffic to the HTTPS host
 server {
 <% @listen_addresses.each do |listen_address| %>
@@ -26,10 +26,10 @@ server {
   access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
   error_log   <%= @log_directory %>/gitlab_error.log;
 }
-<% end %>
+{% endif %}
 
 server {
-  listen ${gitlab-backend:host}:${gitlab-backend:port}<% if @https %> ssl spdy<% end %>;
+  listen {{ gitlab_backend.host }}:{{ gitlab_backend.port }}{% if cfg('https') %} ssl spdy{% endif %};
 
   # we don't use: kerbeeros
   # <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
@@ -41,37 +41,35 @@ server {
   server_tokens off; ## Don't show the nginx version number, a security best practice
   root ${gitlab-root-shadow:location}/public;
 
-  # XXX max body size
   ## Increase this if you want to upload large attachments
   ## Or if you want to accept large git objects over http
-  client_max_body_size <%= @client_max_body_size %>;
-
-  # TODO ssl
-  # <% if @https %>
-  # ## Strong SSL Security
-  # ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
-  # ssl on;
-  # ssl_certificate <%= @ssl_certificate %>;
-  # ssl_certificate_key <%= @ssl_certificate_key %>;
-  # <% if @ssl_client_certificate %>
-  # ssl_client_certificate <%= @ssl_client_certificate%>;
-  #       <% end %>
-  #
-  # # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
-  # ssl_ciphers '<%= @ssl_ciphers %>';
-  # ssl_protocols  <%= @ssl_protocols %>;
-  # ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
-  # ssl_session_cache  <%= @ssl_session_cache %>;
-  # ssl_session_timeout  <%= @ssl_session_timeout %>;
-  #
-  # <% if @ssl_dhparam %>
-  # ssl_dhparam <%= @ssl_dhparam %>;
-  # <% end %>
-  # <% end %>
+  client_max_body_size {{ cfg('client_max_body_size') }};
+
+  {% if cfg('https') %}
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+  ssl on;
+  ssl_certificate {{ cfg('ssl_certificate') }};
+  ssl_certificate_key <%= @ssl_certificate_key %>;
+  {% if cfg('ssl_client_certificate') %}
+  ssl_client_certificate <%= @ssl_client_certificate%>;
+        <% end %>
+
+  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
+  ssl_ciphers '<%= @ssl_ciphers %>';
+  ssl_protocols  <%= @ssl_protocols %>;
+  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
+  ssl_session_cache  <%= @ssl_session_cache %>;
+  ssl_session_timeout  <%= @ssl_session_timeout %>;
+
+  <% if @ssl_dhparam %>
+  ssl_dhparam <%= @ssl_dhparam %>;
+  {% endif %}
+  {% endif %}
 
   ## Individual nginx logs for this GitLab vhost
-  access_log  ${nginx:log}/gitlab_access.log gitlab_access;
-  error_log   ${nginx:log}/gitlab_error.log;
+  access_log  {{ nginx.log }}/gitlab_access.log gitlab_access;
+  error_log   {{ nginx.log }}/gitlab_error.log;
 
   location / {
     ## Serve static files from defined root folder.
@@ -82,22 +80,21 @@ server {
   location /uploads/ {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
-    #<%= 'gzip off;' if @https %>    # TODO
+    {{ 'gzip off' if cfg('https') }}
 
     ## https://github.com/gitlabhq/gitlabhq/issues/694
     ## Some requests take more than 30 seconds.
-    proxy_read_timeout      ${instance-parameter:nginx_proxy_read_timeout};
-    proxy_connect_timeout   ${instance-parameter:nginx_proxy_connect_timeout};
+    proxy_read_timeout      {{ cfg('nginx_proxy_read_timeout') }};
+    proxy_connect_timeout   {{ cfg('nginx_proxy_connect_timeout') }};
     proxy_redirect          off;
 
     proxy_set_header    Host                $http_host;
     proxy_set_header    X-Real-IP           $remote_addr;
-    # TODO https
-    #<% if @https %>
-    #proxy_set_header    X-Forwarded-Ssl     on;
-    #<% end %>
+    {% if cfg('https') %}
+    proxy_set_header    X-Forwarded-Ssl     on;
+    {% endif %}
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   http;   # TODO <%= @https ? "https" : "http" %>;
+    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg('https') else "http" }};
     proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
     proxy_pass http://gitlab;
@@ -108,22 +105,21 @@ server {
   location @gitlab {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
-    # <%= 'gzip off;' if @https %>  # TODO
+    {{ 'gzip off' if cfg('https') }}
 
     ## https://github.com/gitlabhq/gitlabhq/issues/694
     ## Some requests take more than 30 seconds.
-    proxy_read_timeout      ${instance-parameter:nginx_proxy_read_timeout};
-    proxy_connect_timeout   ${instance-parameter:nginx_proxy_connect_timeout};
+    proxy_read_timeout      {{ cfg('nginx_proxy_read_timeout') }};
+    proxy_connect_timeout   {{ cfg('nginx_proxy_connect_timeout') }};
     proxy_redirect          off;
 
     proxy_set_header    Host                $http_host;
     proxy_set_header    X-Real-IP           $remote_addr;
-    # TODO https
-    #<% if @https %>
-    #proxy_set_header    X-Forwarded-Ssl     on;
-    #<% end %>
+    {% if cfg('https') %}
+    proxy_set_header    X-Forwarded-Ssl     on;
+    {% endif %}
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   http;   # TODO <%= @https ? "https" : "http" %>;
+    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg('https') else "http" }};
     proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
     proxy_pass http://gitlab;
@@ -150,23 +146,21 @@ server {
   location @gitlab-git-http-server {
     ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
-    # TODO
-    # <%= 'gzip off;' if @https %>
+    {{ 'gzip off' if cfg('https') }}
 
     ## https://github.com/gitlabhq/gitlabhq/issues/694
     ## Some requests take more than 30 seconds.
-    proxy_read_timeout      ${instance-parameter:nginx_proxy_read_timeout};
-    proxy_connect_timeout   ${instance-parameter:nginx_proxy_connect_timeout};
+    proxy_read_timeout      {{ cfg('nginx_proxy_read_timeout') }};
+    proxy_connect_timeout   {{ cfg('nginx_proxy_connect_timeout') }};
     proxy_redirect          off;
 
     proxy_set_header    Host                $http_host;
     proxy_set_header    X-Real-IP           $remote_addr;
-    # TODO
-    # <% if @https %>
-    # proxy_set_header    X-Forwarded-Ssl     on;
-    # <% end %>
+    {% if cfg('https') %}
+    proxy_set_header    X-Forwarded-Ssl     on;
+    {% endif %}
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   http;   # TODO <%= @https ? "https" : "http" %>;
+    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg('https') else "http" }};
 
     proxy_pass http://gitlab-git-http-server;
   }
@@ -177,7 +171,7 @@ server {
   ## See config/application.rb under "Relative url support" for the list of
   ## other files that need to be changed for relative url support
   location ~ ^/(assets)/ {
-    root ${gitlab-root-shadow:location}/public;
+    root {{ gitlab_root_shadow.location }}/public;
     gzip_static on; # to serve pre-gzipped version
     expires max;
     add_header Cache-Control public;

software/gitlab/template/nginx.conf.in

@@ -4,15 +4,19 @@
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
 # (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9)
 
-user ${gitlab-backend:user};
-worker_processes ${instance-parameter:configuration.nginx_worker_processes}
+{# cfg(name) -> instance_parameter:configuration.<name> #}
+{# XXX dup -> import from gitlab.yml.in ? #}
+{% macro cfg(name) %}{{ instance_parameter[str("configuration." + name)] }}{% endmacro %}
+
+user {{ gitlab_backend.user }};
+worker_processes {{ cfg('nginx_worker_processes') }}
 error_log stderr;
 pid nginx.pid;
 
 daemon off;
 
 events {
-  worker_connections ${instance-parameter:configuration.nginx_worker_connections};
+  worker_connections {{ cfg('nginx_worker_connections') }};
 }
 
 http {
@@ -21,19 +25,19 @@ http {
   # log_format gitlab_ci_access '<%= @gitlab_ci_access_log_format %>';
   # log_format gitlab_mattermost_access '<%= @gitlab_mattermost_access_log_format %>';
 
-  sendfile    ${instance-parameter:configuration.nginx_sendfile};
-  tcp_nopush  ${instance-parameter:configuration.nginx_tcp_nopush};
-  tcp_nodelay ${instance-parameter:configuration.nginx_tcp_nodelay};
+  sendfile    {{ cfg('nginx_sendfile') }};
+  tcp_nopush  {{ cfg('nginx_tcp_nopush') }};
+  tcp_nodelay {{ cfg('nginx_tcp_nodelay') }};
 
-  keepalive_timeout ${instance-parameter:configuration.nginx_keepalive_timeout};
+  keepalive_timeout {{ cfg('nginx_keepalive_timeout') }};
 
-  gzip              ${instance-parameter:configuration.nginx_gzip};
-  gzip_http_version ${instance-parameter:configuration.nginx_http_version};
-  gzip_comp_level   ${instance-parameter:configuration.nginx_gzip_comp_level};
-  gzip_proxied      ${instance-parameter:configuration.nginx_gzip_proxied};
-  gzip_types        ${instance-parameter:configuration.nginx_gzip_types};
+  gzip              {{ cfg('nginx_gzip') }};
+  gzip_http_version {{ cfg('nginx_http_version') }};
+  gzip_comp_level   {{ cfg('nginx_gzip_comp_level') }};
+  gzip_proxied      {{ cfg('nginx_gzip_proxied') }};
+  gzip_types        {{ cfg('nginx_gzip_types') }};
 
-  include ${nginx-output:mime}
+  include {{ nginx_output.mime }}
 
   include <gitlab_http_config>