WIP: Sync upstream config based on gitlab-foss v15.0.0

required versions of components are:
- gitaly: v15.0.0
- gitlab-shell: v14.3.0
- gitlab-pages: v1.58.0

TODO:
- [ ]add update process to assets/runtime/function
- [ ] parameterize
- [ ] re-check
- [ ] check compatibility for renamed parameter

assets/runtime/config/gitaly/config.toml

@@ -5,11 +5,16 @@
 socket_path = "{{GITALY_SOCKET_PATH}}"
 
 # The directory where Gitaly's executables are stored
-bin_dir = "/usr/local/bin/"
+bin_dir = "/home/git/gitaly/_build/bin"
+
+# # Optional: The directory where Gitaly can create all files required to
+# # properly operate at runtime. If not set, Gitaly will create a directory in
+# # the global temporary directory. This directory must exist.
+# runtime_dir = "/home/git/gitaly/run"
 
 # # Optional: listen on a TCP socket. This is insecure (no authentication)
 # listen_addr = "localhost:9999"
-# tls_listen_addr = "localhost:8888
+# tls_listen_addr = "localhost:8888"
 
 # # Optional: export metrics via Prometheus
 # prometheus_listen_addr = "localhost:9236"
@@ -32,6 +37,9 @@ bin_dir = "/usr/local/bin/"
 # [git]
 # bin_path = "/usr/bin/git"
 # catfile_cache_size = 100
+# [[git.config]]
+# key = fetch.fsckObjects
+# value = true
 
 [[storage]]
 name = "default"
@@ -45,7 +53,7 @@ path = "{{GITLAB_REPOS_DIR}}"
 #
 
 # # You can optionally configure Gitaly to output JSON-formatted log messages to stdout
-[logging]
+# [logging]
 # # The directory where Gitaly stores extra log files
 dir = "{{GITLAB_LOG_DIR}}/gitaly"
 # format = "json"
@@ -87,12 +95,54 @@ dir = "{{GITLAB_GITALY_INSTALL_DIR}}/ruby"
 # The directory where gitlab-shell is installed
 dir = "{{GITLAB_SHELL_INSTALL_DIR}}"
 
-# # You can adjust the concurrency of each RPC endpoint
-# [[concurrency]]
-# rpc = "/gitaly.RepositoryService/GarbageCollect"
-# max_per_repo = 1
+[hooks]
+custom_hooks_dir = "/home/git/custom_hooks"
 
 [gitlab]
 secret_file = "/home/git/gitlab-shell/.gitlab_shell_secret"
-url = "http://localhost:8181{{GITLAB_RELATIVE_URL_ROOT}}"
+url = "http+unix://%2Fhome%2Fgit%2Fgitlab%2Ftmp%2Fsockets%2Fgitlab-workhorse.socket"
+# Only needed if a UNIX socket is used in `url` and GitLab is configured to
+# use a relative path (e.g. /gitlab).
+relative_url_root = '{{GITLAB_RELATIVE_URL_ROOT}}'
+
+[gitlab.http-settings]
+# read_timeout = 300
+# user = someone
+# password = somepass
+# ca_file = /etc/ssl/cert.pem
+# ca_path = /etc/pki/tls/certs
+self_signed_cert = {{SSL_SELF_SIGNED}}
 
+# # You can adjust the concurrency of each RPC endpoint
+# [[concurrency]]
+# rpc = "/gitaly.RepositoryService/GarbageCollect"
+# max_per_repo = 1
+# max_queue_wait = "1m"
+# max_queue_size = 10
+
+# [[rate_limiting]]
+# rpc = "/gitaly.SmartHTTPService/PostUploadPackWithSidechannel"
+# interval = "1m"
+# burst = 5
+
+# Daily maintenance designates time slots to run daily to optimize and maintain
+# enabled storages.
+# [daily_maintenance]
+# start_hour = 23
+# start_minute = 30
+# duration = "45m"
+# storages = ["default"]
+# disabled = false
+
+# [cgroups]
+# count = 10
+# mountpoint = "/sys/fs/cgroup"
+# hierarchy_root = "gitaly"
+
+# [cgroups.memory]
+# enabled = true
+# limit = 1048576
+
+# [cgroups.cpu]
+# enabled = true
+# shares = 512

assets/runtime/config/gitlab-pages/config

@@ -2,7 +2,10 @@ auth-client-id={{GITLAB_PAGES_ACCESS_CLIENT_ID}}
 auth-client-secret={{GITLAB_PAGES_ACCESS_CLIENT_SECRET}}
 auth-redirect-uri={{GITLAB_PAGES_ACCESS_REDIRECT_URI}}
 auth-secret={{GITLAB_PAGES_ACCESS_SECRET}}
+listen-http=:{{GITLAB_PAGES_PORT}}
+pages-root={{GITLAB_SHARED_DIR}}/shared/pages
+api-secret-key={{GITLAB_INSTALL_DIR}}/.gitlab_pages_secret
+pages-domain={{GITLAB_PAGES_DOMAIN}}
 gitlab-server={{GITLAB_PAGES_ACCESS_CONTROL_SERVER}}
 artifacts-server={{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}
 internal-gitlab-server=http://localhost:8181
-api-secret-key={{GITLAB_INSTALL_DIR}}/.gitlab_pages_secret

assets/runtime/config/gitlab-shell/config.yml

@@ -13,7 +13,11 @@ user: git
 # only listen on a Unix domain socket. For Unix domain sockets use
 # "http+unix://<urlquoted-path-to-socket>", e.g.
 # "http+unix://%2Fpath%2Fto%2Fsocket"
-gitlab_url: "http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}}"
+gitlab_url: "http+unix://%2Fhome%2Fgit%2Fgitlab%2Ftmp%2Fsockets%2Fgitlab-workhorse.socket"
+
+# When a http+unix:// is used in gitlab_url, this is the relative URL root to GitLab.
+# Not used if gitlab_url is http:// or https://.
+# gitlab_relative_url_root: "/"
 
 # See installation.md#using-https for additional HTTPS configuration details.
 http_settings:
@@ -22,18 +26,22 @@ http_settings:
 #  password: somepass
 #  ca_file: /etc/ssl/cert.pem
 #  ca_path: /etc/pki/tls/certs
-  self_signed_cert: {{SSL_SELF_SIGNED}}
+#
 
 # File used as authorized_keys for gitlab user
 auth_file: "{{GITLAB_HOME}}/.ssh/authorized_keys"
 
+# SSL certificate dir where custom certificates can be placed
+# https://golang.org/pkg/crypto/x509/
+# ssl_cert_dir: /opt/gitlab/embedded/ssl/certs/
+
 # File that contains the secret key for verifying access to GitLab.
 # Default is .gitlab_shell_secret in the gitlab-shell directory.
 secret_file: "{{GITLAB_SHELL_INSTALL_DIR}}/.gitlab_shell_secret"
-
-# Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)
-# Default is hooks in the gitlab-shell directory.
-custom_hooks_dir: "{{GITLAB_SHELL_INSTALL_DIR}}/hooks"
+#
+# The secret field supersedes the secret_file, and if set that
+# file will not be read.
+# secret: "supersecret"
 
 # Log file.
 # Default is gitlab-shell.log in the root directory.
@@ -42,7 +50,7 @@ log_file: "{{GITLAB_LOG_DIR}}/gitlab-shell/gitlab-shell.log"
 # Log level. INFO by default
 log_level: INFO
 
-# Log format. 'text' by default
+# Log format. 'json' by default, can be changed to 'text' if needed
 # log_format: json
 
 # Audit usernames.
@@ -53,3 +61,31 @@ audit_usernames: false
 # Distributed Tracing. GitLab-Shell has distributed tracing instrumentation.
 # For more details, visit https://docs.gitlab.com/ee/development/distributed_tracing.html
 # gitlab_tracing: opentracing://driver
+
+# This section configures the built-in SSH server. Ignored when running on OpenSSH.
+sshd:
+  # Address which the SSH server listens on. Defaults to [::]:22.
+  listen: "[::]:22"
+  # Set to true if gitlab-sshd is being fronted by a load balancer that implements
+  # the PROXY protocol.
+  proxy_protocol: false
+  # Proxy protocol policy ("use", "require", "reject", "ignore"), "use" is the default value
+  # Values: https://github.com/pires/go-proxyproto/blob/195fedcfbfc1be163f3a0d507fac1709e9d81fed/policy.go#L20
+  proxy_policy: "use"
+  # Address which the server listens on HTTP for monitoring/health checks. Defaults to localhost:9122.
+  web_listen: "localhost:9122"
+  # Maximum number of concurrent sessions allowed on a single SSH connection. Defaults to 10.
+  concurrent_sessions_limit: 10
+  # Sets an interval after which server will send keepalive message to a client
+  client_alive_interval: 15
+  # The server waits for this time (in seconds) for the ongoing connections to complete before shutting down. Defaults to 10.
+  grace_period: 10
+  # The endpoint that returns 200 OK if the server is ready to receive incoming connections; otherwise, it returns 503 Service Unavailable. Defaults to "/start".
+  readiness_probe: "/start"
+  # The endpoint that returns 200 OK if the server is alive. Defaults to "/health".
+  liveness_probe: "/health"
+  # SSH host key files.
+  host_key_files:
+    - /run/secrets/ssh-hostkeys/ssh_host_rsa_key
+    - /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key
+    - /run/secrets/ssh-hostkeys/ssh_host_ed25519_key

assets/runtime/config/gitlabhq/database.yml

@@ -6,10 +6,15 @@ production:
     adapter: postgresql
     encoding: {{DB_ENCODING}}
     database: {{DB_NAME}}
-    host: {{DB_HOST}}
-    port: {{DB_PORT}}
     username: {{DB_USER}}
     password: "{{DB_PASS}}"
-    pool: {{DB_POOL}}
-    prepared_statements: {{DB_PREPARED_STATEMENTS}}
-
+    host: {{DB_HOST}}
+    # load_balancing:
+    #   hosts:
+    #     - host1.example.com
+    #     - host2.example.com
+    #   discover:
+    #     nameserver: 1.2.3.4
+    #     port: 8600
+    #     record: secondary.postgresql.service.consul
+    #     interval: 300