Commit
8426aca3
authored
Nov 12, 2015
by
Kirill Smelkov
parent
e6b926f1
Showing
9 changed files
with
104 additions
and
48 deletions
+104
-48
software/gitlab/gitlab-parameters.cfg
software/gitlab/gitlab-parameters.cfg
+11
-6
software/gitlab/instance-gitlab.cfg.in
software/gitlab/instance-gitlab.cfg.in
+46
-7
software/gitlab/instance.cfg.in
software/gitlab/instance.cfg.in
+1
-0
software/gitlab/macrolib.cfg.in
software/gitlab/macrolib.cfg.in
+9
-0
software/gitlab/software.cfg
software/gitlab/software.cfg
+4
-5
software/gitlab/template/gitlab-shell-config.yml.in
software/gitlab/template/gitlab-shell-config.yml.in
+1
-2
software/gitlab/template/gitlab.yml.in
software/gitlab/template/gitlab.yml.in
+4
-7
software/gitlab/template/nginx-gitlab-http.conf.in
software/gitlab/template/nginx-gitlab-http.conf.in
+26
-20
software/gitlab/template/nginx.conf.in
software/gitlab/template/nginx.conf.in
+2
-1
software/gitlab/gitlab-parameters.cfg
# Parameters (and defaults) for a GitLab instance
# TODO autogenerate from:
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
# XXX actual defaults:
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb
#
# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-83-gf194960)
[gitlab-parameters]
# gitlab instance parameters
...
...
@@ -12,12 +16,6 @@
configuration.external_url = http://lab.example.com
# TODO move to proper place and merge related from omnibus
# XXX https can be deduces from schema in external_url, at least not in
# separate frontend case
configuration.https = false
configuration.rate_limit_requests_per_period = 10
configuration.rate_limit_period = 60
...
...
@@ -90,6 +88,13 @@ configuration.nginx_redirect_http_to_https = false
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" # Most root CA's are included by default
# we don't need - we talk directly to frontend only
configuration.nginx_ssl_ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
configuration.nginx_ssl_prefer_server_ciphers = no
configuration.nginx_ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
# the following is not default
configuration.nginx_ssl_session_cache = builtin:1000 shared:SSL:10m
configuration.nginx_proxy_read_timeout = 300
configuration.nginx_proxy_connect_timeout = 300
...
...
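Review bot: The TLS defaults added as `configuration.nginx_ssl_protocols = TLSv1 TLSv1.1 TLSv1.2` and the cipher list ending in `DES-CBC3-SHA` still offer TLS 1.0/1.1 and 3DES, and `configuration.nginx_ssl_prefer_server_ciphers = no` lets the peer choose among them, so a client can negotiate a non-forward-secret 3DES suite. These look like omnibus defaults copied verbatim; the comment above them only explains why the certificate-path settings are not needed, not why this list is kept. If, as that comment says, only the frontend ever talks to this nginx, the Java-IDE compatibility argument behind the omnibus list does not apply here and the block can be tightened to `configuration.nginx_ssl_prefer_server_ciphers = yes` with the two `DES-CBC3-SHA` suites removed. Either way a one-line comment stating whether the list is kept deliberately for omnibus parity would save the next reader the same question.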
software/gitlab/instance-gitlab.cfg.in
...
...
@@ -26,6 +26,8 @@ parts =
service-unicorn
service-sidekiq
certificate-authority
service-nginx
service-postgresql
service-redis
...
...
@@ -64,11 +66,15 @@ configuration.nginx_worker_processes = {{ multiprocessing.cpu_count() }}
# for convenience
[external-url]
recipe = slapos.cookbook:urlparse
url = ${instance-parameter:configuration.external_url}
[backend-info]
host = ${instance-parameter:ipv6-random}
port = 7777
#
TODO http -? https
url =
http
://[${:host}]:${:port}
#
whether to use http or https - determined by external url
url =
${external-url:scheme}
://[${:host}]:${:port}
# current slapuserX
user = {{ pwd.getpwuid(os.getuid())[0] }}
...
...
@@ -114,9 +120,9 @@ var = ${directory:var}/gitlab
tmp = ${:var}/tmp
uploads = ${:var}/uploads
assets = ${:var}/assets
repositories = ${directory:
srv
}/repositories
# XXX goes away (?) satellites = ${directory:
srv
}/satellites
backup = ${directory:
srv
}/backup
repositories = ${directory:
var
}/repositories
# XXX goes away (?) satellites = ${directory:
var
}/satellites
backup = ${directory:
var
}/backup
# gitlab-shell: etc/ log/ gitlab_shell_secret ...
...
...
@@ -134,7 +140,7 @@ secret = ${secrets:secrets}/gitlab_shell_secret
# place to keep all secrets
[secrets]
recipe = slapos.cookbook:mkdirectory
secrets = ${directory:
srv
}/secrets
secrets = ${directory:
var
}/secrets
mode = 0700
...
...
@@ -151,6 +157,7 @@ context =
raw autogenerated # This file was autogenerated. (DO NOT EDIT - changes will be lost)
section instance_parameter instance-parameter
section backend_info backend-info
import urlparse urlparse
${:context-extra}
context-extra =
...
...
@@ -175,7 +182,6 @@ context-extra =
section gitlab gitlab
section gitlab_shell gitlab-shell
section gitlab_shell_work gitlab-shell-work
import urlparse urlparse
[resque.yml]
<= gitlab-etc-template
...
...
@@ -186,6 +192,8 @@ context-extra =
[smtp_settings.rb]
<= gitlab-etc-template
template= {{ smtp_settings_rb_in }}
# contains smtp password
mode = 0600
[rack_attack.rb]
<= gitlab-etc-template
...
...
@@ -210,6 +218,7 @@ context-extra =
section unicorn unicorn
section service_redis service-redis
raw redis_bin {{ redis_bin }}
import urllib urllib
[nginx-etc-template]
...
...
@@ -509,6 +518,36 @@ command-line = ${gitlab-sidekiq:wrapper-path}
# Nginx frontend #
######################
# self-signed certificate, if we use https
[ssl]
recipe = slapos.cookbook:mkdirectory
ssl = ${directory:srv}/ssl
requests= ${:ssl}/requests
private = ${:ssl}/private
certs = ${:ssl}/certs
newcerts= ${:ssl}/newcerts
crl = ${:ssl}/crl
[certificate-authority]
recipe = slapos.cookbook:certificate_authority
wrapper = ${directory:service}/certificate_authority
openssl-binary = {{ openssl_bin }}
ca-dir = ${ssl:ssl}
requests-directory = ${ssl:requests}
ca-private = ${ssl:private}
ca-certs = ${ssl:certs}
ca-newcerts = ${ssl:newcerts}
ca-crl = ${ssl:crl}
email = ${instance-parameter:configuration.email_from}
#[ca-nginx]
#recipe = slapos.cookbook:certificate_authority.request
#key-file=
#cert-file=
name = <domain-name>
# srv/nginx/ prefix + etc/ log/ ...
[nginx]
recipe = slapos.cookbook:mkdirectory
...
...
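Review bot: The new `[ssl]` section creates `private = ${:ssl}/private`, which `[certificate-authority]` consumes as `ca-private`, with the recipe's default directory mode, whereas the `[secrets]` section in this same file uses the same `slapos.cookbook:mkdirectory` recipe with `mode = 0700`. The directory holding the CA private key deserves the same protection: add `mode = 0700` to `[ssl]`, or, if that mode must not also apply to `certs`/`crl`, move `private` into its own mkdirectory section carrying `mode = 0700`. Separately, `name = <domain-name>` after the commented-out `#[ca-nginx]` block is a live option line that lands in `[certificate-authority]` with a literal placeholder value; it should be commented out with the rest of that block or given a real value such as `${external-url:hostname}`, unless the recipe actually reads a `name` option, which these hunks do not show.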
software/gitlab/instance.cfg.in
...
...
@@ -34,6 +34,7 @@ context =
# XXX git vs git_location
raw git_location ${git:location}
raw ruby_location ${bundler-4gitlab:ruby-location}
raw openssl_bin ${openssl-output:openssl}
raw nginx_bin ${nginx-output:nginx}
raw mime_types ${nginx-output:mime}
raw postgresql_location ${postgresql92:location}
...
...
software/gitlab/macrolib.cfg.in
...
...
@@ -7,3 +7,12 @@
NOTE macros can return only strings - that's why '' is used for false #}
{% macro cfg_bool(name) %}{{ 'true' if (cfg(name).lower() in ('true', 'yes')) else '' }}{% endmacro %}
{# deduce whether to use https from external url
( here - becasue we cannot use jinja2 logic in instance-gitlab.cfg.in to
process instance parameters ) #}
{% set external_url = urlparse.urlparse(cfg('external_url')) %}
{% set cfg_https = (true if external_url.scheme == 'https' else false) %}
{# for convenience #}
{% set fqdn = external_url.hostname %}
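Review bot: The new `cfg_https` derivation is silent about its failure mode: any `external_url` whose scheme is not exactly `https`, including a missing, mistyped or non-URL value, yields `cfg_https = false`, which downstream turns TLS off on the nginx listener and sets `X-Forwarded-Proto http`. Because this replaces the explicit `configuration.https` parameter, the comment should record that, e.g. `{# NOTE: https is selected only when external_url's scheme is exactly 'https'; any other or malformed value silently selects plain HTTP #}`. If the Jinja2 environment used by slapos offers a way to abort rendering, failing on any scheme other than `http`/`https` would be safer than the silent downgrade.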
software/gitlab/software.cfg
...
...
@@ -10,6 +10,7 @@ extends =
../../component/icu/buildout.cfg
../../component/pkgconfig/buildout.cfg
../../component/nodejs/buildout.cfg
../../component/openssl/buildout.cfg
../../component/nginx/buildout.cfg
parts =
...
...
@@ -83,16 +84,14 @@ git-executable = ${git:location}/bin/git
[gitlab-repository]
<= git-repository
repository = https://gitlab.com/gitlab-org/gitlab-ce.git
revision = v8.1.
3-9-g0350a36f28bfb19fddf570c9f77e181e32efc149
revision = v8.1.
4-1-g4d7216aa3c8b950521ed9b7aea44debaa0c3afd4
location = ${buildout:parts-directory}/gitlab
[gitlab-shell-repository]
<= git-repository
repository = https://lab.nexedi.com/kirr/gitlab-shell.git
# FIXME pin gitlab-shell version properly (wrt gitlab) ?
#revision = v2.6.5-8-g6add33352316af566cec5d827981f1783c59b7f4
#branch = next
revision = 2ad30257
#revision = v2.6.6-11-g9f53a532d4a0a565f591c62b5e62a2fb698a0fbe
revision = 8b6db0f7
location = ${buildout:parts-directory}/gitlab-shell
[gitlab-workhorse-repository]
...
...
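Review bot: `revision = 8b6db0f7` pins gitlab-shell to an abbreviated 8-hex-digit commit on a personal fork (`lab.nexedi.com/kirr/gitlab-shell.git`), whereas the commented-out alternatives use the full `git describe` form with a 40-hex-digit hash. An abbreviated hash is not guaranteed to stay unique as the repository grows and gives a reader nothing to verify the checkout against; write the full hash in the same `vX.Y.Z-N-g<sha1>` form the other lines use, and, as the existing `FIXME` already asks, note which upstream gitlab-shell release the fork commit corresponds to.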
software/gitlab/template/gitlab-shell-config.yml.in
...
...
@@ -8,8 +8,7 @@
user: {{ backend_info.user }}
# Url to gitlab instance. Used for api calls. Should end with a slash.
#gitlab_url: "http://127.0.0.1:8888"
gitlab_socket: {{ unicorn.socket }}
gitlab_url: "http+unix://{{ urllib.quote_plus(unicorn.socket) }}/"
http_settings:
{# we don't need any
...
...
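Review bot: `urllib.quote_plus(unicorn.socket)` encodes a space in the socket path as `+`, which is only decoded back to a space in query strings, not in the authority position where `http+unix://` expects a percent-encoded socket path. `urllib.quote(unicorn.socket, safe='')` percent-encodes every reserved character, `/` included, without that corner case: `gitlab_url: "http+unix://{{ urllib.quote(unicorn.socket, safe='') }}/"`. Whether the gitlab-shell fork in use accepts `http+unix://` URLs at all is not visible from this hunk.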
software/gitlab/template/gitlab.yml.in
...
...
@@ -4,7 +4,7 @@
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
# (last updated for omnibus-gitlab <version> XXX)
{% from 'macrolib.cfg.in' import cfg with context %}
{% from 'macrolib.cfg.in' import cfg
, cfg_https, external_url
with context %}
production: &base
#
...
...
@@ -14,13 +14,10 @@ production: &base
## GitLab settings
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
{% set url = urlparse.urlparse(cfg('external_url')) %}
{% set default_port = {'http': 80, 'https': 443} %}
host: {{ url.hostname }}
port: {{ url.port or default_port[url.scheme] }}
# TODO
#https: <%= @gitlab_https %>
https: false
host: {{ external_url.hostname }}
port: {{ external_url.port or default_port[external_url.scheme] }}
https: {{ cfg_https }}
# XXX temp workaround for gitlab not building correct url for host being ipv6 addr
url: {{ backend_info.url }}
...
...
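Review bot: `https: {{ cfg_https }}` renders the Jinja2 boolean through Python's `str()`, so the emitted YAML reads `https: True` / `https: False`. Ruby's YAML loader accepts those spellings, but they differ from the lowercase `true`/`false` used elsewhere in gitlab.yml and from the removed `https: false`; `https: {{ 'true' if cfg_https else 'false' }}` keeps the file uniform and independent of how Jinja2 stringifies booleans. Note also that `default_port[external_url.scheme]` is undefined for any scheme other than `http`/`https`; unless the environment uses StrictUndefined that renders as an empty `port:` rather than an error.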
software/gitlab/template/nginx-gitlab-http.conf.in
...
...
@@ -3,7 +3,8 @@
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9)
{% from 'macrolib.cfg.in' import cfg, cfg_bool with context %}
{% from 'macrolib.cfg.in' import cfg, cfg_bool, cfg_https, fqdn with context %}
upstream gitlab {
server unix:{{ unicorn.socket }} fail_timeout=0;
...
...
@@ -13,7 +14,10 @@ upstream gitlab-git-http-server {
server unix:{{ gitlab_workhorse.socket }};
}
{% if cfg_bool('https') and cfg_bool('nginx_redirect_http_to_https') %}
{# not needed for us - the frontend can do the redirection and also
gitlab/nginx speaks HSTS on https port so when we access https port via http
protocol, it gets redirected to https
{% if cfg_https and cfg_bool('nginx_redirect_http_to_https') %}
## Redirects all HTTP traffic to the HTTPS host
server {
<% @listen_addresses.each do |listen_address| %>
...
...
@@ -26,9 +30,10 @@ server {
error_log <%= @log_directory %>/gitlab_error.log;
}
{% endif %}
#}
server {
listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_
bool('https')
%} ssl spdy{% endif %};
listen [{{ backend_info.host }}]:{{ backend_info.port }}{% if cfg_
https
%} ssl spdy{% endif %};
{# we don't use: kerbeeros
<% if @kerberos_enabled && @kerberos_use_dedicated_port %>
...
...
@@ -36,8 +41,7 @@ server {
<% end %>
#}
# XXX fqdn
server_name <%= @fqdn %>;
server_name {{ fqdn }};
server_tokens off; ## Don't show the nginx version number, a security best practice
root {{ gitlab_work.location }}/public;
...
...
@@ -45,7 +49,7 @@ server {
## Or if you want to accept large git objects over http
client_max_body_size {{ cfg('nginx_client_max_body_size') }};
{% if cfg_
bool('https')
%}
{% if cfg_
https
%}
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
...
...
@@ -60,11 +64,13 @@ server {
#}
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers '<%= @ssl_ciphers %>';
ssl_protocols <%= @ssl_protocols %>;
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
ssl_session_cache <%= @ssl_session_cache %>;
ssl_session_timeout <%= @ssl_session_timeout %>;
# XXX the above isnot relevant for us - we are begind frontend and clients
# directly connects to frontend
ssl_ciphers '{{ cfg("nginx_ssl_ciphers") }}';
ssl_protocols {{ cfg('nginx_ssl_protocols') }};
ssl_prefer_server_ciphers {{ cfg('nginx_ssl_prefer_server_ciphers') }};
ssl_session_cache {{ cfg('nginx_ssl_session_cache') }};
ssl_session_timeout {{ cfg('ssl_session_timeout') }};
{# XXX do we need ssl_dharm ?
{% if cfg_bool('ssl_dhparam') %}
...
...
@@ -86,7 +92,7 @@ server {
location /uploads/ {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
{{ 'gzip off' if cfg_
bool('https')
else ''}}
{{ 'gzip off' if cfg_
https
else ''}}
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
...
...
@@ -96,11 +102,11 @@ server {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
{% if cfg_
bool('https')
%}
{% if cfg_
https
%}
proxy_set_header X-Forwarded-Ssl on;
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
bool('https')
else "http" }};
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
https
else "http" }};
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://gitlab;
...
...
@@ -111,7 +117,7 @@ server {
location @gitlab {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
{{ 'gzip off' if cfg_
bool('https')
else ''}}
{{ 'gzip off' if cfg_
https
else ''}}
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
...
...
@@ -121,11 +127,11 @@ server {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
{% if cfg_
bool('https')
%}
{% if cfg_
https
%}
proxy_set_header X-Forwarded-Ssl on;
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
bool('https')
else "http" }};
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
https
else "http" }};
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://gitlab;
...
...
@@ -152,7 +158,7 @@ server {
location @gitlab-git-http-server {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
{{ 'gzip off' if cfg_
bool('https')
else ''}}
{{ 'gzip off' if cfg_
https
else ''}}
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
...
...
@@ -162,11 +168,11 @@ server {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
{% if cfg_
bool('https')
%}
{% if cfg_
https
%}
proxy_set_header X-Forwarded-Ssl on;
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
bool('https')
else "http" }};
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_
https
else "http" }};
proxy_pass http://gitlab-git-http-server;
}
...
...
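Review bot: `ssl_session_timeout {{ cfg('ssl_session_timeout') }};` reads a key without the `nginx_` prefix that the four neighbouring directives and the new parameters in gitlab-parameters.cfg use (`nginx_ssl_ciphers`, `nginx_ssl_protocols`, `nginx_ssl_prefer_server_ciphers`, `nginx_ssl_session_cache`); no `ssl_session_timeout` parameter is visible in this commit, so if it is not defined elsewhere the directive renders with an empty argument and nginx rejects the configuration whenever `cfg_https` is true. It should be `ssl_session_timeout {{ cfg('nginx_ssl_session_timeout') }};` with a matching `configuration.nginx_ssl_session_timeout` default. The rationale in the new `{# ... #}` block for dropping the HTTP-to-HTTPS redirect server is also inaccurate: HSTS is honoured by browsers only after the header has been received over TLS, so a plain-HTTP request to the TLS port is answered by nginx with status 497, not redirected, unless the template configures `error_page 497`, which these hunks do not show. The `server { ... }` block these hunks edit begins and ends outside them.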
software/gitlab/template/nginx.conf.in
...
...
@@ -6,7 +6,8 @@
{% from 'macrolib.cfg.in' import cfg with context %}
# user directive makes sense only when running initially as root (and nginx will complain if not)
# user directive makes sense only when running initially as root
# (and nginx will complain if not and directive give)
# user {{ backend_info.user }};
worker_processes {{ cfg('nginx_worker_processes') }};
...
...