X secure secrets (and move them all into 1 place)

software/gitlab/instance-gitlab.cfg.in

 # GitLab instance
 # NOTE instance/software layout is inspired by gitlab omnibus
 # NOTE all services are interconnected via unix sockets - because of easier
-#      security and performance reasons.
+#      security and performance reasons (unix has 2x less latency and more
+#      throughput compared to tcp over loopback).
 [buildout]
 extends = {{ gitlab_parameters_cfg }}
 parts =
@@ -16,7 +17,7 @@ parts =
     gitlab-{{ prog }}
 {% endfor %}
 
-# TODO gitlab-shell - since compiled shell picks up /usr/bin/env ruby ...
+# TODO gitlab-shell - since compiled shell picks up /usr/bin/env ruby ... ?
 
     gitlab-root-shadow
     gitlab-shell-root-shadow
@@ -116,7 +117,7 @@ repositories    = ${directory:srv}/repositories
 backup  = ${directory:srv}/backup
 
 
-# gitlab-shell: etc/ log/ gitlab_shell_secrete ...
+# gitlab-shell: etc/ log/ gitlab_shell_secret ...
 [gitlab-shell-dir]
 recipe  = slapos.cookbook:mkdirectory
 etc     = ${directory:etc}/gitlab-shell
@@ -125,7 +126,14 @@ log     = ${directory:log}/gitlab-shell
 [gitlab-shell]
 etc     = ${gitlab-shell-dir:etc}
 log     = ${gitlab-shell-dir:log}
-secret  = ${:etc}/gitlab_shell_secret
+secret  = ${secrets:secrets}/gitlab_shell_secret
+
+
+
+[secrets]
+recipe  = slapos.cookbook:mkdirectory
+secrets = ${directory:srv}/secrets
+mode    = 0700
 
 
 
@@ -293,6 +301,7 @@ update-command =
     ${:tune-command}
 
 
+# XXX store
 # NOTE there is no need to link/create .gitlab_shell_secret - we set path to it
 # in gitlab & gitlab-shell configs, and gitlab creates it on its first start
 [gitlab-root-shadow]
@@ -302,7 +311,7 @@ tune-command =
 # secret* tmp/ log/
     rm -f .secret &&
     rm -rf log tmp                      &&
-    ln -sf ${gitlab:etc}/secret .secret  &&
+    ln -sf ${secrets:secrets}/gitlab_rails_secret .secret  &&
     ln -sf ${gitlab:log} log             &&
     ln -sf ${gitlab:tmp} tmp             &&
 # config/
@@ -311,6 +320,7 @@ tune-command =
     ln -sf ${gitlab.yml:rendered} gitlab.yml &&
     ln -sf ${database.yml:rendered} database.yml &&
     ln -sf ${resque.yml:rendered} resque.yml &&
+    ln -sf ${secrets:secrets}/gitlab_secrets.yml secrets.yml &&
 # config/initializers/
     cd initializers     &&
     ln -sf ${rack_attack.rb:rendered} rack_attack.rb &&
@@ -333,12 +343,7 @@ tune-command =
 
 
 
-# etc/
-
-# service/
-#   unicorn
-#   sidekiq
-
+# 4. services
 
 #####################
 #   Postgresql db   #
@@ -384,7 +389,6 @@ port    =
 #############
 #   Redis   #
 #############
-
 [redis]
 recipe  = slapos.cookbook:mkdirectory
 srv     = ${directory:srv}/redis

software/gitlab/instance.cfg.in

@@ -12,11 +12,9 @@ offline = true
 [switch-softwaretype]
 recipe = slapos.cookbook:softwaretype
 default = $${instance-gitlab.cfg:rendered}
-#single-default = $${dynamic-template-powerdns:rendered}
 
 
 [instance-gitlab.cfg]
-#<= jinja2-template-base
 recipe  = slapos.recipe.template:jinja2
 mode    = 0644
 template= ${instance-gitlab.cfg.in:target}

software/gitlab/software.cfg

@@ -83,7 +83,7 @@ git-executable = ${git:location}/bin/git
 [gitlab-repository]
 <= git-repository
 repository = https://gitlab.com/gitlab-org/gitlab-ce.git
-revision = v8.1.2-5-ge6e4aa04dc464717ef929a453af0eea11dbc8a03
+revision = v8.1.3-9-g0350a36f28bfb19fddf570c9f77e181e32efc149
 location = ${buildout:parts-directory}/gitlab
 
 [gitlab-shell-repository]