.

8426aca3 · Kirill Smelkov · e6b926f1 · 8426aca3 · 8426aca3 · 8426aca3
Commit 8426aca3 authored Nov 12, 2015 by Kirill Smelkov
9 changed files
--- a/software/gitlab/gitlab-parameters.cfg
+++ b/software/gitlab/gitlab-parameters.cfg
 # Parameters (and defaults) for a GitLab instance
 # TODO autogenerate from:
 #   https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
+# XXX actual defaults:
+# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb
+#
+# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-83-gf194960)

 [gitlab-parameters]
 # gitlab instance parameters
@@ -12,12 +16,6 @@

 configuration.external_url              = http://lab.example.com

-# TODO move to proper place and merge related from omnibus
-# XXX https can be deduces from schema in external_url, at least not in
-#     separate frontend case
-configuration.https = false
-
-
 configuration.rate_limit_requests_per_period    = 10
 configuration.rate_limit_period                 = 60

@@ -90,6 +88,13 @@ configuration.nginx_redirect_http_to_https  = false
 # nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
 # nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default

+# we don't need - we talk directly to frontend only
+configuration.nginx_ssl_ciphers             = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
+configuration.nginx_ssl_prefer_server_ciphers = no
+configuration.nginx_ssl_protocols           = TLSv1 TLSv1.1 TLSv1.2
+# the following is not default
+configuration.nginx_ssl_session_cache       = builtin:1000  shared:SSL:10m
+

 configuration.nginx_proxy_read_timeout      = 300
 configuration.nginx_proxy_connect_timeout   = 300

--- a/software/gitlab/instance-gitlab.cfg.in
+++ b/software/gitlab/instance-gitlab.cfg.in
@@ -26,6 +26,8 @@ parts =
    service-unicorn
    service-sidekiq

+    certificate-authority
+
    service-nginx
    service-postgresql
    service-redis
@@ -64,11 +66,15 @@ configuration.nginx_worker_processes    = {{ multiprocessing.cpu_count() }}


 # for convenience
+[external-url]
+recipe  = slapos.cookbook:urlparse
+url     = ${instance-parameter:configuration.external_url}
+
 [backend-info]
 host    = ${instance-parameter:ipv6-random}
 port    = 7777
-# TODO http -? https
-url     = http://[${:host}]:${:port}
+# whether to use http or https - determined by external url
+url     = ${external-url:scheme}://[${:host}]:${:port}

 # current slapuserX
 user    = {{ pwd.getpwuid(os.getuid())[0] }}
@@ -114,9 +120,9 @@ var     = ${directory:var}/gitlab
 tmp     = ${:var}/tmp
 uploads = ${:var}/uploads
 assets  = ${:var}/assets
-repositories    = ${directory:srv}/repositories
-# XXX goes away (?) satellites      = ${directory:srv}/satellites
-backup  = ${directory:srv}/backup
+repositories    = ${directory:var}/repositories
+# XXX goes away (?) satellites      = ${directory:var}/satellites
+backup  = ${directory:var}/backup


 # gitlab-shell: etc/ log/ gitlab_shell_secret ...
@@ -134,7 +140,7 @@ secret  = ${secrets:secrets}/gitlab_shell_secret
 # place to keep all secrets
 [secrets]
 recipe  = slapos.cookbook:mkdirectory
-secrets = ${directory:srv}/secrets
+secrets = ${directory:var}/secrets
 mode    = 0700


@@ -151,6 +157,7 @@ context =
    raw     autogenerated       # This file was autogenerated. (DO NOT EDIT - changes will be lost)
    section instance_parameter  instance-parameter
    section backend_info        backend-info
+    import  urlparse  urlparse
    ${:context-extra}
 context-extra =

@@ -175,7 +182,6 @@ context-extra =
    section gitlab                  gitlab
    section gitlab_shell            gitlab-shell
    section gitlab_shell_work       gitlab-shell-work
-    import  urlparse  urlparse

 [resque.yml]
 <= gitlab-etc-template
@@ -186,6 +192,8 @@ context-extra =
 [smtp_settings.rb]
 <= gitlab-etc-template
 template= {{ smtp_settings_rb_in }}
+# contains smtp password
+mode    = 0600

 [rack_attack.rb]
 <= gitlab-etc-template
@@ -210,6 +218,7 @@ context-extra =
    section unicorn                     unicorn
    section service_redis               service-redis
    raw     redis_bin                   {{ redis_bin }}
+    import  urllib  urllib


 [nginx-etc-template]
@@ -509,6 +518,36 @@ command-line    = ${gitlab-sidekiq:wrapper-path}
 #   Nginx frontend   #
 ######################

+# self-signed certificate, if we use https
+[ssl]
+recipe  = slapos.cookbook:mkdirectory
+ssl     = ${directory:srv}/ssl
+requests= ${:ssl}/requests
+private = ${:ssl}/private
+certs   = ${:ssl}/certs
+newcerts= ${:ssl}/newcerts
+crl     = ${:ssl}/crl
+
+[certificate-authority]
+recipe  = slapos.cookbook:certificate_authority
+wrapper = ${directory:service}/certificate_authority
+openssl-binary  = {{ openssl_bin }}
+ca-dir  = ${ssl:ssl}
+requests-directory      = ${ssl:requests}
+ca-private      = ${ssl:private}
+ca-certs        = ${ssl:certs}
+ca-newcerts     = ${ssl:newcerts}
+ca-crl          = ${ssl:crl}
+email           = ${instance-parameter:configuration.email_from}
+
+#[ca-nginx]
+#recipe  = slapos.cookbook:certificate_authority.request
+#key-file=
+#cert-file=
+
+name    = <domain-name>
+
+
 # srv/nginx/ prefix  +  etc/ log/ ...
 [nginx]
 recipe  = slapos.cookbook:mkdirectory

--- a/software/gitlab/instance.cfg.in
+++ b/software/gitlab/instance.cfg.in
@@ -34,6 +34,7 @@ context =
 # XXX git vs git_location
    raw git_location                ${git:location}
    raw ruby_location               ${bundler-4gitlab:ruby-location}
+    raw openssl_bin                 ${openssl-output:openssl}
    raw nginx_bin                   ${nginx-output:nginx}
    raw mime_types                  ${nginx-output:mime}
    raw postgresql_location         ${postgresql92:location}

--- a/software/gitlab/macrolib.cfg.in
+++ b/software/gitlab/macrolib.cfg.in
@@ -7,3 +7,12 @@
   NOTE macros can return only strings - that's why '' is used for false #}
 {% macro cfg_bool(name) %}{{ 'true' if (cfg(name).lower() in ('true', 'yes')) else '' }}{% endmacro %}

+
+{# deduce whether to use https from external url
+   ( here - becasue we cannot use jinja2 logic in instance-gitlab.cfg.in to
+     process instance parameters ) #}
+{% set external_url = urlparse.urlparse(cfg('external_url')) %}
+{% set cfg_https = (true if external_url.scheme == 'https' else false) %}
+
+{# for convenience #}
+{% set fqdn = external_url.hostname %}
--- a/software/gitlab/software.cfg
+++ b/software/gitlab/software.cfg
@@ -10,6 +10,7 @@ extends =
    ../../component/icu/buildout.cfg
    ../../component/pkgconfig/buildout.cfg
    ../../component/nodejs/buildout.cfg
+    ../../component/openssl/buildout.cfg
    ../../component/nginx/buildout.cfg

 parts =
@@ -83,16 +84,14 @@ git-executable = ${git:location}/bin/git
 [gitlab-repository]
 <= git-repository
 repository = https://gitlab.com/gitlab-org/gitlab-ce.git
-revision = v8.1.3-9-g0350a36f28bfb19fddf570c9f77e181e32efc149
+revision = v8.1.4-1-g4d7216aa3c8b950521ed9b7aea44debaa0c3afd4
 location = ${buildout:parts-directory}/gitlab

 [gitlab-shell-repository]
 <= git-repository
 repository = https://lab.nexedi.com/kirr/gitlab-shell.git
-# FIXME pin gitlab-shell version properly (wrt gitlab) ?
-#revision = v2.6.5-8-g6add33352316af566cec5d827981f1783c59b7f4
-#branch = next
-revision = 2ad30257
+#revision = v2.6.6-11-g9f53a532d4a0a565f591c62b5e62a2fb698a0fbe
+revision = 8b6db0f7
 location = ${buildout:parts-directory}/gitlab-shell

 [gitlab-workhorse-repository]

--- a/software/gitlab/template/gitlab-shell-config.yml.in
+++ b/software/gitlab/template/gitlab-shell-config.yml.in
@@ -8,8 +8,7 @@
 user: {{ backend_info.user }}

 # Url to gitlab instance. Used for api calls. Should end with a slash.
-#gitlab_url: "http://127.0.0.1:8888"
-gitlab_socket: {{ unicorn.socket }}
+gitlab_url: "http+unix://{{ urllib.quote_plus(unicorn.socket) }}/"

 http_settings:
 {# we don't need any

--- a/software/gitlab/template/gitlab.yml.in
+++ b/software/gitlab/template/gitlab.yml.in
@@ -4,7 +4,7 @@
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
 # (last updated for omnibus-gitlab <version> XXX)

-{% from 'macrolib.cfg.in' import cfg  with context %}
+{% from 'macrolib.cfg.in' import cfg, cfg_https, external_url  with context %}

 production: &base
  #
@@ -14,13 +14,10 @@ production: &base
  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
-    {% set url = urlparse.urlparse(cfg('external_url')) %}
    {% set default_port = {'http': 80, 'https': 443} %}
-    host: {{ url.hostname }}
-    port: {{ url.port or default_port[url.scheme] }}
-    # TODO
-    #https: <%= @gitlab_https %>
-    https: false
+    host: {{ external_url.hostname }}
+    port: {{ external_url.port or default_port[external_url.scheme] }}
+    https: {{ cfg_https }}

    # XXX temp workaround for gitlab not building correct url for host being ipv6 addr
    url: {{ backend_info.url }}

--- a/software/gitlab/template/nginx-gitlab-http.conf.in
+++ b/software/gitlab/template/nginx-gitlab-http.conf.in
@@ -3,7 +3,8 @@
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
 # (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9)

-{% from 'macrolib.cfg.in' import cfg, cfg_bool  with context %}
+{% from 'macrolib.cfg.in' import cfg, cfg_bool, cfg_https, fqdn  with context %}
+

 upstream gitlab {
  server unix:{{ unicorn.socket }} fail_timeout=0;
@@ -13,7 +14,10 @@ upstream gitlab-git-http-server {
  server unix:{{ gitlab_workhorse.socket }};
 }

-{% if cfg_bool('https') and cfg_bool('nginx_redirect_http_to_https') %}
+{# not needed for us - the frontend can do the redirection and also
+   gitlab/nginx speaks HSTS on https port so when we access https port via http
+   protocol, it gets redirected to https
+{% if cfg_https and cfg_bool('nginx_redirect_http_to_https') %}
 ## Redirects all HTTP traffic to the HTTPS host
 server {
 <% @listen_addresses.each do |listen_address| %>
@@ -26,9 +30,10 @@ server {
  error_log   <%= @log_directory %>/gitlab_error.log;
 }
 {% endif %}
+#}

 server {
-  listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_bool('https') %} ssl spdy{% endif %};
+  listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_https %} ssl spdy{% endif %};

  {# we don't use: kerbeeros
  <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
@@ -36,8 +41,7 @@ server {
  <% end %>
  #}

-  # XXX fqdn
-  server_name <%= @fqdn %>;
+  server_name {{ fqdn }};
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root {{ gitlab_work.location }}/public;

@@ -45,7 +49,7 @@ server {
  ## Or if you want to accept large git objects over http
  client_max_body_size {{ cfg('nginx_client_max_body_size') }};

-  {% if cfg_bool('https') %}
+  {% if cfg_https %}
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl on;
@@ -60,11 +64,13 @@ server {
  #}

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
-  ssl_ciphers '<%= @ssl_ciphers %>';
-  ssl_protocols  <%= @ssl_protocols %>;
-  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
-  ssl_session_cache  <%= @ssl_session_cache %>;
-  ssl_session_timeout  <%= @ssl_session_timeout %>;
+  # XXX the above isnot relevant for us - we are begind frontend and clients
+  #     directly connects to frontend
+  ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
+  ssl_protocols  {{ cfg('nginx_ssl_protocols') }};
+  ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
+  ssl_session_cache  {{ cfg('nginx_ssl_session_cache') }};
+  ssl_session_timeout  {{ cfg('ssl_session_timeout') }};

  {# XXX do we need ssl_dharm ?
  {% if cfg_bool('ssl_dhparam') %}
@@ -86,7 +92,7 @@ server {
  location /uploads/ {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg_bool('https')  else ''}}
+    {{ 'gzip off' if cfg_https else ''}}

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
@@ -96,11 +102,11 @@ server {

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
-    {% if cfg_bool('https') %}
+    {% if cfg_https %}
    proxy_set_header    X-Forwarded-Ssl     on;
    {% endif %}
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_bool('https') else "http" }};
+    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_https else "http" }};
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

    proxy_pass http://gitlab;
@@ -111,7 +117,7 @@ server {
  location @gitlab {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg_bool('https')  else ''}}
+    {{ 'gzip off' if cfg_https else ''}}

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
@@ -121,11 +127,11 @@ server {

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
-    {% if cfg_bool('https') %}
+    {% if cfg_https %}
    proxy_set_header    X-Forwarded-Ssl     on;
    {% endif %}
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_bool('https') else "http" }};
+    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_https else "http" }};
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

    proxy_pass http://gitlab;
@@ -152,7 +158,7 @@ server {
  location @gitlab-git-http-server {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
-    {{ 'gzip off' if cfg_bool('https')  else ''}}
+    {{ 'gzip off' if cfg_https else ''}}

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
@@ -162,11 +168,11 @@ server {

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
-    {% if cfg_bool('https') %}
+    {% if cfg_https %}
    proxy_set_header    X-Forwarded-Ssl     on;
    {% endif %}
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_bool('https') else "http" }};
+    proxy_set_header    X-Forwarded-Proto   {{ "https" if cfg_https else "http" }};

    proxy_pass http://gitlab-git-http-server;
  }

--- a/software/gitlab/template/nginx.conf.in
+++ b/software/gitlab/template/nginx.conf.in
@@ -6,7 +6,8 @@

 {% from 'macrolib.cfg.in' import cfg  with context %}

-# user directive makes sense only when running initially as root (and nginx will complain if not)
+# user directive makes sense only when running initially as root
+# (and nginx will complain if not and directive give)
 # user {{ backend_info.user }};

 worker_processes {{ cfg('nginx_worker_processes') }};