diff --git a/assets/runtime/config/gitaly/config.toml b/assets/runtime/config/gitaly/config.toml index 0b070505e..42c58b2a0 100644 --- a/assets/runtime/config/gitaly/config.toml +++ b/assets/runtime/config/gitaly/config.toml @@ -5,11 +5,16 @@ socket_path = "{{GITALY_SOCKET_PATH}}" # The directory where Gitaly's executables are stored -bin_dir = "/usr/local/bin/" +bin_dir = "/home/git/gitaly/_build/bin" + +# # Optional: The directory where Gitaly can create all files required to +# # properly operate at runtime. If not set, Gitaly will create a directory in +# # the global temporary directory. This directory must exist. +# runtime_dir = "/home/git/gitaly/run" # # Optional: listen on a TCP socket. This is insecure (no authentication) # listen_addr = "localhost:9999" -# tls_listen_addr = "localhost:8888 +# tls_listen_addr = "localhost:8888" # # Optional: export metrics via Prometheus # prometheus_listen_addr = "localhost:9236" @@ -32,6 +37,9 @@ bin_dir = "/usr/local/bin/" # [git] # bin_path = "/usr/bin/git" # catfile_cache_size = 100 +# [[git.config]] +# key = fetch.fsckObjects +# value = true [[storage]] name = "default" @@ -45,7 +53,7 @@ path = "{{GITLAB_REPOS_DIR}}" # # # You can optionally configure Gitaly to output JSON-formatted log messages to stdout -[logging] +# [logging] # # The directory where Gitaly stores extra log files dir = "{{GITLAB_LOG_DIR}}/gitaly" # format = "json" 
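Review bot: `bin_dir = "/home/git/gitaly/_build/bin"` points the directory the header comment describes as "where Gitaly's executables are stored" into a build tree under the service user's home, so anything that can write there as `git` can plant a binary that Gitaly will run. The previous `/usr/local/bin/` was at least conventionally root-owned. If building in place is intentional for this image, the install step should chown that directory to root and strip write access for `git`, and a line here should record it, e.g. `# Must not be writable by the git user: Gitaly executes binaries from this directory.`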
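Review bot: The commented sample `key = fetch.fsckObjects` is not valid TOML once uncommented, because a bare `fetch.fsckObjects` is neither a string nor any other TOML value; the entry should read `key = "fetch.fsckObjects"` and, I believe, `value = "true"` since Gitaly's `[[git.config]]` value is a string field (verify against Gitaly's config.toml.example). Since `fetch.fsckObjects` makes Gitaly reject malformed objects on fetch, it is a hardening option worth enabling outright rather than leaving as a sample that fails to parse.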
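Review bot: Commenting out `[logging]` while leaving `dir = "{{GITLAB_LOG_DIR}}/gitaly"` active moves that key into whatever table precedes it, which from the surrounding lines appears to be the `[[storage]]` entry named "default". Depending on how strictly Gitaly decodes its config that is either a startup failure on an unknown key or a silently ignored log directory, and neither is what the template intends. Either restore `[logging]` or comment the key out with it, `# dir = "{{GITLAB_LOG_DIR}}/gitaly"`.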
@@ -87,12 +95,54 @@ dir = "{{GITLAB_GITALY_INSTALL_DIR}}/ruby" # The directory where gitlab-shell is installed dir = "{{GITLAB_SHELL_INSTALL_DIR}}" -# # You can adjust the concurrency of each RPC endpoint -# [[concurrency]] -# rpc = "/gitaly.RepositoryService/GarbageCollect" -# max_per_repo = 1 +[hooks] +custom_hooks_dir = "/home/git/custom_hooks" [gitlab] secret_file = "/home/git/gitlab-shell/.gitlab_shell_secret" -url = "http://localhost:8181{{GITLAB_RELATIVE_URL_ROOT}}" +url = "http+unix://%2Fhome%2Fgit%2Fgitlab%2Ftmp%2Fsockets%2Fgitlab-workhorse.socket" +# Only needed if a UNIX socket is used in `url` and GitLab is configured to +# use a relative path (e.g. /gitlab). +relative_url_root = '{{GITLAB_RELATIVE_URL_ROOT}}' + +[gitlab.http-settings] +# read_timeout = 300 +# user = someone +# password = somepass +# ca_file = /etc/ssl/cert.pem +# ca_path = /etc/pki/tls/certs +self_signed_cert = {{SSL_SELF_SIGNED}} +# # You can adjust the concurrency of each RPC endpoint +# [[concurrency]] +# rpc = "/gitaly.RepositoryService/GarbageCollect" +# max_per_repo = 1 +# max_queue_wait = "1m" +# max_queue_size = 10 + +# [[rate_limiting]] +# rpc = "/gitaly.SmartHTTPService/PostUploadPackWithSidechannel" +# interval = "1m" +# burst = 5 + +# Daily maintenance designates time slots to run daily to optimize and maintain +# enabled storages. +# [daily_maintenance] +# start_hour = 23 +# start_minute = 30 +# duration = "45m" +# storages = ["default"] +# disabled = false + +# [cgroups] +# count = 10 +# mountpoint = "/sys/fs/cgroup" +# hierarchy_root = "gitaly" + +# [cgroups.memory] +# enabled = true +# limit = 1048576 + +# [cgroups.cpu] +# enabled = true +# shares = 512 diff --git a/assets/runtime/config/gitlab-pages/config b/assets/runtime/config/gitlab-pages/config index 409786090..13b13e026 100644 --- a/assets/runtime/config/gitlab-pages/config +++ b/assets/runtime/config/gitlab-pages/config 
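Review bot: `custom_hooks_dir = "/home/git/custom_hooks"` names a directory of scripts Gitaly executes on every push, and it is hard-coded under the service user's home while the rest of this file uses placeholders such as `{{GITLAB_SHELL_INSTALL_DIR}}`; anything that can write there as `git` gets code execution on the next push, so the directory and its contents should be root-owned and not writable by `git`. The new `url` is likewise hard-coded to `/home/git/gitlab/tmp/sockets/...` instead of being derived from `{{GITLAB_INSTALL_DIR}}` as the pages config does, which will diverge as soon as the install path is changed. `self_signed_cert = {{SSL_SELF_SIGNED}}` under `[gitlab.http-settings]` is inert for an `http+unix://` URL but turns off certificate verification if `url` is ever switched back to HTTPS, so a line such as `# Only relevant for https URLs: true disables certificate verification.` would keep that from being a surprise.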
@@ -2,7 +2,10 @@ auth-client-id={{GITLAB_PAGES_ACCESS_CLIENT_ID}} auth-client-secret={{GITLAB_PAGES_ACCESS_CLIENT_SECRET}} auth-redirect-uri={{GITLAB_PAGES_ACCESS_REDIRECT_URI}} auth-secret={{GITLAB_PAGES_ACCESS_SECRET}} +listen-http=:{{GITLAB_PAGES_PORT}} +pages-root={{GITLAB_SHARED_DIR}}/shared/pages +api-secret-key={{GITLAB_INSTALL_DIR}}/.gitlab_pages_secret +pages-domain={{GITLAB_PAGES_DOMAIN}} gitlab-server={{GITLAB_PAGES_ACCESS_CONTROL_SERVER}} artifacts-server={{GITLAB_PAGES_ARTIFACTS_SERVER_URL}} internal-gitlab-server=http://localhost:8181 -api-secret-key={{GITLAB_INSTALL_DIR}}/.gitlab_pages_secret diff --git a/assets/runtime/config/gitlab-shell/config.yml b/assets/runtime/config/gitlab-shell/config.yml index 5719b9357..bf2b8b1d8 100644 --- a/assets/runtime/config/gitlab-shell/config.yml +++ b/assets/runtime/config/gitlab-shell/config.yml @@ -13,7 +13,11 @@ user: git # only listen on a Unix domain socket. For Unix domain sockets use # "http+unix://", e.g. # "http+unix://%2Fpath%2Fto%2Fsocket" -gitlab_url: "http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}}" +gitlab_url: "http+unix://%2Fhome%2Fgit%2Fgitlab%2Ftmp%2Fsockets%2Fgitlab-workhorse.socket" + +# When a http+unix:// is used in gitlab_url, this is the relative URL root to GitLab. +# Not used if gitlab_url is http:// or https://. +# gitlab_relative_url_root: "/" # See installation.md#using-https for additional HTTPS configuration details. http_settings: 
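Review bot: `listen-http=:{{GITLAB_PAGES_PORT}}` binds every interface over plain HTTP, and with `auth-secret` and `auth-client-secret` configured above, the access-control OAuth exchange and its session cookie will cross that listener in cleartext unless TLS is terminated in front of the daemon. That is presumably the intended deployment for this container, but nothing here says so. If the pages config format accepts `#` comments, a line above the listener such as `# Plain HTTP only: terminate TLS at the reverse proxy in front of this port` records the assumption; otherwise it belongs in the image's documentation next to the port variable.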
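Review bot: The new `gitlab_url` drops the `{{GITLAB_RELATIVE_URL_ROOT}}` suffix the old value carried, and the key that replaces it for `http+unix://` URLs is left commented out as `# gitlab_relative_url_root: "/"`, so on an instance served under a relative path gitlab-shell's internal API calls would target the wrong path and SSH authorization would fail closed. Set it from the same placeholder the gitaly config in this commit already uses for `relative_url_root`: `gitlab_relative_url_root: "{{GITLAB_RELATIVE_URL_ROOT}}"` (check what the template renders when the variable is empty, since `"/"` rather than `""` may be needed). The socket path itself is also hard-coded to `/home/git/gitlab/...` where the rest of this file uses placeholders such as `{{GITLAB_SHELL_INSTALL_DIR}}` and `{{GITLAB_HOME}}`.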
@@ -22,18 +26,22 @@ http_settings: # password: somepass # ca_file: /etc/ssl/cert.pem # ca_path: /etc/pki/tls/certs - self_signed_cert: {{SSL_SELF_SIGNED}} +# # File used as authorized_keys for gitlab user auth_file: "{{GITLAB_HOME}}/.ssh/authorized_keys" +# SSL certificate dir where custom certificates can be placed +# https://golang.org/pkg/crypto/x509/ +# ssl_cert_dir: /opt/gitlab/embedded/ssl/certs/ + # File that contains the secret key for verifying access to GitLab. # Default is .gitlab_shell_secret in the gitlab-shell directory. secret_file: "{{GITLAB_SHELL_INSTALL_DIR}}/.gitlab_shell_secret" - -# Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d) -# Default is hooks in the gitlab-shell directory. -custom_hooks_dir: "{{GITLAB_SHELL_INSTALL_DIR}}/hooks" +# +# The secret field supersedes the secret_file, and if set that +# file will not be read. +# secret: "supersecret" # Log file. # Default is gitlab-shell.log in the root directory. @@ -42,7 +50,7 @@ log_file: "{{GITLAB_LOG_DIR}}/gitlab-shell/gitlab-shell.log" # Log level. INFO by default log_level: INFO -# Log format. 'text' by default +# Log format. 'json' by default, can be changed to 'text' if needed # log_format: json # Audit usernames. 
@@ -53,3 +61,31 @@ audit_usernames: false # Distributed Tracing. GitLab-Shell has distributed tracing instrumentation. # For more details, visit https://docs.gitlab.com/ee/development/distributed_tracing.html # gitlab_tracing: opentracing://driver + +# This section configures the built-in SSH server. Ignored when running on OpenSSH. +sshd: + # Address which the SSH server listens on. Defaults to [::]:22. + listen: "[::]:22" + # Set to true if gitlab-sshd is being fronted by a load balancer that implements + # the PROXY protocol. + proxy_protocol: false + # Proxy protocol policy ("use", "require", "reject", "ignore"), "use" is the default value + # Values: https://github.com/pires/go-proxyproto/blob/195fedcfbfc1be163f3a0d507fac1709e9d81fed/policy.go#L20 + proxy_policy: "use" + # Address which the server listens on HTTP for monitoring/health checks. Defaults to localhost:9122. + web_listen: "localhost:9122" + # Maximum number of concurrent sessions allowed on a single SSH connection. Defaults to 10. + concurrent_sessions_limit: 10 + # Sets an interval after which server will send keepalive message to a client + client_alive_interval: 15 + # The server waits for this time (in seconds) for the ongoing connections to complete before shutting down. Defaults to 10. + grace_period: 10 + # The endpoint that returns 200 OK if the server is ready to receive incoming connections; otherwise, it returns 503 Service Unavailable. Defaults to "/start". + readiness_probe: "/start" + # The endpoint that returns 200 OK if the server is alive. Defaults to "/health". + liveness_probe: "/health" + # SSH host key files. + host_key_files: + - /run/secrets/ssh-hostkeys/ssh_host_rsa_key + - /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key + - /run/secrets/ssh-hostkeys/ssh_host_ed25519_key diff --git a/assets/runtime/config/gitlabhq/database.yml b/assets/runtime/config/gitlabhq/database.yml index 0423a57c4..f08abbcf9 100644 --- a/assets/runtime/config/gitlabhq/database.yml 
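Review bot: `proxy_policy: "use"` is a latent source-IP spoofing problem: under the go-proxyproto policies the comment links to, `use` honours a PROXY header from any peer and only falls back when none is present, so the moment `proxy_protocol` is flipped to true any direct client can assert an arbitrary source address in gitlab-shell's audit log and in anything keyed on client IP. Behind a load balancer that always sends the header the policy should be `"require"`, and the `[::]:22` listener should not be reachable except from that balancer. A line such as `# Use "require" behind a PROXY-protocol load balancer; "use" lets direct clients spoof their source IP` on the `proxy_policy` line would stop the next person from enabling `proxy_protocol` with the permissive value still in place. The host keys under `/run/secrets/ssh-hostkeys/` are in the right place; make sure the mount gives them 0600 for the user the daemon runs as.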
+++ b/assets/runtime/config/gitlabhq/database.yml @@ -6,10 +6,15 @@ production: adapter: postgresql encoding: {{DB_ENCODING}} database: {{DB_NAME}} - host: {{DB_HOST}} - port: {{DB_PORT}} username: {{DB_USER}} password: "{{DB_PASS}}" - pool: {{DB_POOL}} - prepared_statements: {{DB_PREPARED_STATEMENTS}} - + host: {{DB_HOST}} + # load_balancing: + # hosts: + # - host1.example.com + # - host2.example.com + # discover: + # nameserver: 1.2.3.4 + # port: 8600 + # record: secondary.postgresql.service.consul + # interval: 300 diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index a0c478918..bc0921b53 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -6,9 +6,11 @@ # This file should not receive new settings. All configuration options # # * are being moved to ApplicationSetting model! # # If a setting requires an application restart say so in that screen. # -# If you change this file in a Merge Request, please also create # +# If you change this file in a merge request, please also create # # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. # # For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md # +# Be sure to create a MR against the GDK configuration # +# file (https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/support/templates/gitlab/config/gitlab.yml.erb) too. # ######################################################################## # # 
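Review bot: `port: {{DB_PORT}}` is removed together with `pool` and `prepared_statements`, so the `DB_PORT` setting silently stops taking effect and the adapter falls back to its default port; if the image still documents that variable, either keep `port: {{DB_PORT}}` or retire the variable explicitly. While here, the block carries `password: "{{DB_PASS}}"` but no `sslmode`, so against an external `{{DB_HOST}}` the credentials and data go over the wire in cleartext unless the server insists on TLS; a commented pair such as `# sslmode: verify-full` / `# sslrootcert: /path/to/ca.pem` would at least point operators at the fix.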
@@ -33,7 +35,11 @@ production: &base host: {{GITLAB_HOST}} port: {{GITLAB_PORT}} # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details https: {{GITLAB_HTTPS}} # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details - # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout. + + # Uncomment this line if you want to configure the Rails asset host for a CDN. + # cdn_host: localhost + + # The maximum time Puma can spend on the request. This needs to be smaller than the worker timeout. # Default is 95% of the worker timeout max_request_duration_seconds: 57 @@ -73,6 +79,8 @@ production: &base worker_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC}}" report_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI}}" + allowed_hosts: [] + # Trusted Proxies # Customize if you have GitLab behind a reverse proxy which is running on a different machine. # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. @@ -115,11 +123,11 @@ production: &base # ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs # Email server smtp settings are in config/initializers/smtp_settings.rb.sample + # File location to read encrypted SMTP secrets from + # email_smtp_secret_file: /mnt/gitlab/smtp.yaml.enc # Default: shared/encrypted_settings/smtp.yaml.enc - default_projects_limit: {{GITLAB_PROJECTS_LIMIT}} - default_can_create_group: {{GITLAB_CREATE_GROUP}} # default: true + default_projects_limit: {{GITLAB_PROJECTS_LIMIT}} # default: true username_changing_enabled: {{GITLAB_USERNAME_CHANGE}} # default: true - User can change their username/namespace - signup_enabled: {{GITLAB_SIGNUP_ENABLED}} ## Default theme ID ## 1 - Indigo ## 2 - Dark 
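Review bot: `allowed_hosts: []` is the knob for Rails host-header validation, and as far as I know from GitLab's documentation an empty list means every `Host` value is accepted, which is what makes host-header poisoning of password-reset and other absolute links possible when a proxy in front forwards arbitrary hosts. Since `host: {{GITLAB_HOST}}` is templated a few lines up, consider seeding this from the same value, `allowed_hosts: ["{{GITLAB_HOST}}"]`, or at minimum add `# Empty list disables Host header validation; list the public hostnames to enable it` so the default is a conscious choice. I am inferring the empty-list semantics rather than reading them from this file, so verify before changing the default.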
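Review bot: Deleting `default_can_create_group` leaves `default_projects_limit: {{GITLAB_PROJECTS_LIMIT}} # default: true` with a trailing comment that belonged to the removed line and is meaningless for a numeric limit; drop the comment. More importantly, `signup_enabled: {{GITLAB_SIGNUP_ENABLED}}` was the switch that let an operator turn off self-registration, and with it gone the `GITLAB_SIGNUP_ENABLED` variable does nothing unless the image applies it through application settings somewhere this diff does not show. If that is not handled, an instance built to be invite-only could come up with open registration, so this deserves a check and a changelog note.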
@@ -156,7 +164,7 @@ production: &base ### GraphQL Settings # Tells the rails application how long it has to complete a GraphQL request. # We suggest this value to be higher than the database timeout value - # and lower than the worker timeout set in unicorn/puma. (default: 30) + # and lower than the worker timeout set in Puma. (default: 30) # graphql_timeout: 30 ## Repository downloads directory @@ -170,9 +178,17 @@ production: &base ## Disable jQuery and CSS animations # disable_animations: true + ## Application settings cache expiry in seconds (default: 60) + # application_settings_cache_seconds: 60 + + ## Print initial root password to stdout during initialization (default: false) + # WARNING: setting this to true means that the root password will be printed in + # plaintext. This can be a security risk. + # display_initial_root_password: false + ## Reply by email # Allow users to comment on issues and merge requests by replying to notification emails. - # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html + # For documentation on how to set this up, see https://docs.gitlab.com/ee/administration/reply_by_email.html incoming_email: enabled: {{GITLAB_INCOMING_EMAIL_ENABLED}} @@ -199,7 +215,6 @@ production: &base # The mailbox where incoming mail will end up. Usually "inbox". mailbox: "{{IMAP_MAILBOX}}" - # The IDLE command timeout. idle_timeout: {{IMAP_TIMEOUT}} # The log file path for the structured log file. 
@@ -208,9 +223,66 @@ production: &base # # log_path: log/mail_room_json.log - # Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery + # Whether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after delivery expunge_deleted: false + # For Microsoft Graph support + # inbox_method: microsoft_graph + # inbox_options: + # tenant_id: "YOUR-TENANT-ID" + # client_id: "YOUR-CLIENT-ID" + # client_secret: "YOUR-CLIENT-SECRET" + + # How mailroom delivers email content to Rails. There are two methods at the moment: + # - sidekiq: mailroom pushes the email content to Sidekiq directly. This job + # is then picked up by Sidekiq. + # - webhook: mailroom triggers a HTTP POST request to Rails web server. The + # content is embedded into the request body. + # Default is sidekiq. + # delivery_method: sidekiq + + # When the delivery method is webhook, those configs tell the url that + # mailroom can contact to. Note that the combined url must not end with "/". + # At the moment, the webhook delivery method doesn't support HTTP/HTTPs via + # UNIX socket. + # gitlab_url: "http://gitlab.example" + + # When the delivery method is webhook, this config is the file that + # contains the shared secret key for verifying access for mailroom's + # incoming_email. + # Default is '.gitlab_mailroom_secret' relative to Rails.root (i.e. root of the GitLab app). + # secret_file: /home/git/gitlab/.gitlab_mailroom_secret + + ## Consolidated object store config + ## This will only take effect if the object_store sections are not defined + ## within the types (e.g. artifacts, lfs, etc.). 
+ # object_store: + # enabled: false + # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage + # connection: + # provider: AWS # Only AWS supported at the moment + # aws_access_key_id: AWS_ACCESS_KEY_ID + # aws_secret_access_key: AWS_SECRET_ACCESS_KEY + # region: us-east-1 + # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. + # endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces + # storage_options: + # server_side_encryption: AES256 # AES256, aws:kms + # server_side_encryption_kms_key_id: # Amazon Resource Name. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html + # objects: + # artifacts: + # bucket: artifacts + # external_diffs: + # bucket: external-diffs + # lfs: + # bucket: lfs-objects + # uploads: + # bucket: uploads + # packages: + # bucket: packages + # dependency_proxy: + # bucket: dependency_proxy + ## Build Artifacts artifacts: enabled: {{GITLAB_ARTIFACTS_ENABLED}} @@ -219,8 +291,6 @@ production: &base object_store: enabled: {{GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name - direct_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Artifacts without the need of local shared storage. - background_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment 
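Review bot: The consolidated `object_store` sample shows only static credentials (`# aws_access_key_id: AWS_ACCESS_KEY_ID` / `# aws_secret_access_key: AWS_SECRET_ACCESS_KEY`), which is the pattern that ends with long-lived keys sitting in a config file and in every backup of it. GitLab's object storage connection also accepts instance/role credentials, so the sample should mention that path, e.g. `# use_iam_profile: true # prefer instance/role credentials over static keys`; I am taking that key name from GitLab's object storage docs rather than from this file, so confirm it before copying. The webhook delivery example `# gitlab_url: "http://gitlab.example"` is also plain http, and for any non-loopback target it should be https since the body carries the mail content.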
@@ -228,16 +298,8 @@ production: &base aws_access_key_id: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} region: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION}} - host: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com aws_signature_version: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. endpoint: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces - path_style: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - #end-artifacts-aws - #start-artifacts-gcs - google_project: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} - google_client_email: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} - google_json_key_location: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} - #end-artifacts-gcs ## Merge request external diff storage external_diffs: @@ -249,7 +311,6 @@ production: &base # object_store: # enabled: false # remote_directory: external-diffs - # background_upload: false # proxy_download: false # connection: # provider: AWS 
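Review bot: The artifacts connection loses its `host` and `path_style` placeholders but keeps `endpoint`, so an operator who points `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` at an S3-compatible service that needs path-style addressing (MinIO is the common case) no longer has a way to set it, and the `..._AWS_PATH_STYLE` variable becomes a silent no-op. Either keep `path_style: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}}` or document the removal; the uploads block later in this commit keeps `# path_style: true` as a commented example, so the sections are now inconsistent with each other.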
@@ -265,26 +326,13 @@ production: &base object_store: enabled: {{GITLAB_LFS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name - direct_upload: {{GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - background_upload: {{GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}} #start-lfs-aws aws_access_key_id: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} - aws_signature_version: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. region: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION}} - host: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com - endpoint: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - path_style: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - #end-lfs-aws - #start-lfs-gcs - google_project: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} - google_client_email: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} - google_json_key_location: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} - #end-lfs-gcs - # Use the following options to configure an AWS compatible host # host: 'localhost' # default: s3.amazonaws.com # endpoint: 'http://127.0.0.1:9000' # default: nil 
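Review bot: This strips `endpoint`, `host`, `path_style` and `aws_signature_version` from the LFS connection, leaving only key, secret and region, so LFS object storage can now target only AWS S3 proper and the `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` and related variables become dead. The commented `# endpoint: 'http://127.0.0.1:9000'` example that remains is plain http; for any non-local S3-compatible endpoint it needs to be https, or the access key and every LFS object cross the network in cleartext. If retiring the placeholders is intentional, the README should list them as removed so operators are not left with silently ignored settings.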
@@ -299,55 +347,37 @@ production: &base object_store: enabled: {{GITLAB_UPLOADS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name - direct_upload: {{GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - background_upload: {{GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}} - #start-uploads-aws - aws_access_key_id: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} - aws_secret_access_key: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} - aws_signature_version: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. - region: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION}} - host: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com - endpoint: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - path_style: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - #end-uploads-aws - #start-uploads-gcs - google_project: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} - google_client_email: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} - google_json_key_location: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} - #end-uploads-gcs + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. 
+ region: us-east-1 + # host: 'localhost' # default: s3.amazonaws.com + # endpoint: 'http://127.0.0.1:9000' # default: nil + # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' ## Packages (maven repository, npm registry, etc...) packages: enabled: {{GITLAB_PACKAGES_ENABLED}} + dpkg_deb_path: /usr/bin/dpkg-deb # The location where build packages are stored (default: shared/packages). - path: {{GITLAB_PACKAGES_DIR}} + storage_path: {{GITLAB_PACKAGES_DIR}} object_store: enabled: {{GITLAB_PACKAGES_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name - direct_upload: {{GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Packages without the need of local shared storage. - background_upload: {{GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: - provider: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment - #start-packages-aws - aws_access_key_id: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} - aws_secret_access_key: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} - region: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION}} - host: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com - aws_signature_version: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. 
- endpoint: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces - path_style: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - #end-packages-aws - #start-packages-gcs - google_project: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} - google_client_email: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} - google_json_key_location: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} - #end-packages-gcs - - + provider: AWS + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + # host: 'localhost' # default: s3.amazonaws.com + # endpoint: 'http://127.0.0.1:9000' # default: nil + # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. + # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + ## Dependency Proxy dependency_proxy: enabled: true @@ -356,8 +386,6 @@ production: &base object_store: enabled: false remote_directory: dependency_proxy # The bucket name - # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - # background_upload: false # Temporary option to limit automatic upload (Default: true) # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: AWS 
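Review bot: In the uploads and packages blocks `enabled: {{GITLAB_UPLOADS_OBJECT_STORE_ENABLED}}` and `enabled: {{GITLAB_PACKAGES_OBJECT_STORE_ENABLED}}` remain template-driven, but the credentials beneath them are now the literal, uncommented strings `aws_access_key_id: AWS_ACCESS_KEY_ID` and `aws_secret_access_key: AWS_SECRET_ACCESS_KEY`, with `provider: AWS` fixed for packages. An operator who switches object storage on through the environment therefore gets a connection that authenticates with those placeholder strings and fails at runtime, with nothing here saying where real credentials go. Either keep the `{{..._AWS_ACCESS_KEY_ID}}` / `{{..._AWS_SECRET_ACCESS_KEY}}` placeholders, or comment the sample values out and add `# Replace with real credentials (or use instance/role credentials) before enabling`. The same literal-credential pattern appears for terraform_state, ci_secure_files and pages later in the diff, where at least `enabled: false` is hard-coded to match.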
@@ -371,28 +399,38 @@ production: &base ## Terraform state terraform_state: - enabled: {{GITLAB_TERRAFORM_STATE_ENABLED}} + enabled: true # The location where Terraform state files are stored (default: shared/terraform_state). - storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}} + # storage_path: shared/terraform_state object_store: - enabled: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED}} - remote_directory: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name + enabled: false + remote_directory: terraform # The bucket name + connection: + provider: AWS + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + # host: 'localhost' # default: s3.amazonaws.com + # endpoint: 'http://127.0.0.1:9000' # default: nil + # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. + # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + + ## CI Secure Files + ci_secure_files: + enabled: true + # storage_path: shared/ci_secure_files + object_store: + enabled: false + remote_directory: ci-secure-files # The bucket name connection: - provider: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}} - #start-terraform_state-aws - aws_access_key_id: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} - aws_secret_access_key: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} - region: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION}} - host: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com - endpoint: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - aws_signature_version: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. 
- path_style: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - #end-terraform_state-aws - #start-terraform_state-gcs - google_project: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} - google_client_email: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} - google_json_key_location: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} - #end-terraform_state-gcs + provider: AWS + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + # host: 'localhost' # default: s3.amazonaws.com + # endpoint: 'http://127.0.0.1:9000' # default: nil + # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. + # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' ## GitLab Pages pages: @@ -414,6 +452,18 @@ production: &base # File that contains the shared secret key for verifying access for gitlab-pages. # Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_pages_secret + object_store: + enabled: false + remote_directory: pages # The bucket name + connection: + provider: AWS + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + local_store: + enabled: true + # The location where pages are stored (default: shared/pages). + # path: shared/pages ## Mattermost ## For enabling Add to Mattermost button 
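Review bot: `terraform_state.enabled: true` and the new `ci_secure_files.enabled: true` are hard-coded where the old block was driven by `{{GITLAB_TERRAFORM_STATE_ENABLED}}` and `{{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}`, so those variables silently stop having any effect and the features can no longer be disabled or relocated from the environment. Both store sensitive material on local disk by default (Terraform state routinely contains credentials, and secure files are secrets by design), so the storage path at least should stay configurable, e.g. `storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}` instead of the commented `# storage_path: shared/terraform_state`. If the placeholders are intentionally retired, the commit message or README should say so.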
@@ -424,9 +474,8 @@ production: &base ## Gravatar ## If using gravatar.com, there's nothing to change here. For Libravatar ## you'll need to provide the custom URLs. For more information, - ## see: https://docs.gitlab.com/ee/customization/libravatar.html + ## see: https://docs.gitlab.com/ee/administration/libravatar.html gravatar: - enabled: {{GITLAB_GRAVATAR_ENABLED}} # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username} plain_url: "{{GITLAB_GRAVATAR_HTTP_URL}}" # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon ssl_url: "{{GITLAB_GRAVATAR_HTTPS_URL}}" # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon @@ -434,6 +483,12 @@ production: &base ## Sidekiq sidekiq: log_format: {{GITLAB_SIDEKIQ_LOG_FORMAT}} # (default is the original format) + # An array of tuples indicating the rules for re-routing a worker to a + # desirable queue before scheduling. For example: + # routing_rules: + # - ["resource_boundary=cpu", "cpu_boundary"] + # - ["feature_category=pages", null] + # - ["*", "default"] ## Auxiliary jobs # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc. @@ -447,10 +502,19 @@ production: &base cron: "{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}" # Remove expired build artifacts expire_build_artifacts_worker: - cron: "50 * * * *" + cron: "*/7 * * * *" + # Remove expired pipeline artifacts + ci_pipelines_expire_artifacts_worker: + cron: "*/23 * * * *" + # Remove files from object storage + ci_schedule_delete_objects_worker: + cron: "*/16 * * * *" # Stop expired environments environments_auto_stop_cron_worker: cron: "24 * * * *" + # Delete stopped environments + environments_auto_delete_cron_worker: + cron: "34 * * * *" # Periodically run 'git fsck' on all repositories. If started more than # once per hour you will have concurrent 'git fsck' jobs. repository_check_worker: 
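Review bot: Dropping `enabled: {{GITLAB_GRAVATAR_ENABLED}}` under `gravatar:` removes the only switch in this file for turning avatar lookups off, so `GITLAB_GRAVATAR_ENABLED` no longer does anything here even though `plain_url` and `ssl_url` stay templated. Gravatar lookups hand a hash of every user's e-mail to a third party, which is the usual reason operators disable it; unless the image now sets this through application settings, keep the line or document the removal.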
@@ -477,9 +541,17 @@ production: &base schedule_migrate_external_diffs_worker: cron: "15 * * * *" + # Update CI Platform Metrics daily + ci_platform_metrics_update_cron_worker: + cron: "47 9 * * *" + # GitLab EE only jobs. These jobs are automatically enabled for an EE # installation, and ignored for a CE installation. ee_cron_jobs: + # Schedule snapshots for all devops adoption segments + analytics_devops_adoption_create_all_snapshots_worker: + cron: 0 0 1 * * + # Snapshot active users statistics historical_data_worker: cron: "0 12 * * *" @@ -515,25 +587,30 @@ production: &base geo_secondary_registry_consistency_worker: cron: "* * * * *" - # GitLab Geo file download dispatch worker + # GitLab Geo registry sync worker (for backfilling) # NOTE: This will only take effect if Geo is enabled (secondary nodes only) - geo_file_download_dispatch_worker: + geo_registry_sync_worker: cron: "*/1 * * * *" - # GitLab Geo migrated local files clean up worker - # NOTE: This will only take effect if Geo is enabled (secondary nodes only) - geo_migrated_local_files_clean_up_worker: - cron: "15 */6 * * *" - - # Export pseudonymized data in CSV format for analysis - pseudonymizer_worker: - cron: "0 * * * *" - # Elasticsearch bulk updater for incremental updates. # NOTE: This will only take effect if elasticsearch is enabled. elastic_index_bulk_cron_worker: cron: "*/1 * * * *" + # Elasticsearch bulk updater for initial updates. + # NOTE: This will only take effect if elasticsearch is enabled. + elastic_index_initial_bulk_cron_worker: + cron: "*/1 * * * *" + + # Elasticsearch reindexing worker + # NOTE: This will only take effect if elasticsearch is enabled. + elastic_index_initial_bulk_cron_worker: + cron: "*/10 * * * *" + + # Periodically prune stale runners from namespaces having opted-in. + ci_runners_stale_group_runners_prune_worker_cron: + cron: "30 * * * *" + registry: enabled: {{GITLAB_REGISTRY_ENABLED}} host: {{GITLAB_REGISTRY_HOST}} 
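Review bot: `elastic_index_initial_bulk_cron_worker` is defined twice in `ee_cron_jobs`, once with `cron: "*/1 * * * *"` and again under the "Elasticsearch reindexing worker" comment with `cron: "*/10 * * * *"`; YAML loaders generally keep the last duplicate silently, so the initial bulk worker would run every ten minutes and the reindexing worker would not be configured at all. The second entry presumably wants the reindexing worker's own key, which I recall as `elastic_cluster_reindexing_cron_worker` in upstream gitlab.yml.example, so verify and rename it. Separately, `cron: 0 0 1 * *` for `analytics_devops_adoption_create_all_snapshots_worker` is the only unquoted cron expression in the block; `cron: "0 0 1 * *"` keeps it consistent with its neighbours and clear of plain-scalar surprises.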
@@ -575,7 +652,7 @@ production: &base # enabled: true # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API - ## Feature Flag https://docs.gitlab.com/ee/user/project/operations/feature_flags.html + ## Feature Flag https://docs.gitlab.com/ee/operations/feature_flags.html feature_flags: unleash: # enabled: false @@ -611,6 +688,9 @@ production: &base enabled: {{LDAP_ENABLED}} prevent_ldap_sign_in: {{LDAP_PREVENT_LDAP_SIGN_IN}} + # File location to read encrypted secrets from + # secret_file: /mnt/gitlab/ldap.yaml.enc # Default: shared/encrypted_settings/ldap.yaml.enc + # This setting controls the number of seconds between LDAP permission checks # for each user. After this time has expired for a given user, their next # interaction with GitLab (a click in the web UI, a git pull, etc.) will be @@ -788,6 +868,11 @@ production: &base # sync_ssh_keys: false + # Retry ldap search connection if got empty results with specified response code(s) + # + # Ex. [80] + # retry_empty_result_with_codes: [] + # LDAP attributes that GitLab will use to create an account for the LDAP user. # The specified attribute can either be the attribute name as a string (e.g. 'mail'), # or an array of attribute names to try in order (e.g. ['mail', 'email']). 
@@ -853,6 +938,12 @@ production: &base # (default: accept any service name in keytab file) # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM + # Kerberos realms/domains that are allowed to automatically link LDAP identities. + # By default, GitLab accepts a realm that matches the domain derived from the + # LDAP `base` DN. For example, `ou=users,dc=example,dc=com` would allow users + # with a realm matching `example.com`. + # simple_ldap_linking_allowed_realms: ['example.com','kerberos.example.com'] + # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails. # To support both Basic and Negotiate methods with older versions of Git, configure # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines @@ -899,10 +990,16 @@ production: &base # (default: false) auto_link_saml_user: {{OAUTH_AUTO_LINK_SAML_USER}} - # Allow users with existing accounts to login and auto link their account via the - # defined Omniauth providers login, without having to do a manual login first and - # manually connect their chosen provider. - # (default: []) + # CAUTION! + # Allows larger SAML messages to be received. Numeric value in bytes (default: 250000) + # Too high limits exposes instance to decompression DDoS attack type. + saml_message_max_byte_size: 250000 + + # Allow users with existing accounts to sign in and auto link their account via OmniAuth + # login, without having to do a manual login first and manually add OmniAuth. Links on email. + # Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to + # allow all providers or none. + # (default: false) auto_link_user: [{{OAUTH_AUTO_LINK_USER}}] # Set different Omniauth providers as external so that all users creating accounts 
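Review bot: The rewritten comment says `auto_link_user` accepts `true`/`false` or a provider array with default `false`, but the template still renders `[{{OAUTH_AUTO_LINK_USER}}]`, so an operator cannot express the boolean forms and an unset variable yields `[]` rather than the documented default. The comment also notes that linking happens on email, so a provider in this list can attach itself to any existing account whose email it asserts; the rendered value should be exactly what the operator configured. Render the raw value, `auto_link_user: {{OAUTH_AUTO_LINK_USER}}`, and have the entrypoint supply the full literal, or state in the comment that only the array form is supported here. `saml_message_max_byte_size: 250000` is uncommented but equals the stated default, so it could stay commented like its neighbours.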
@@ -918,7 +1015,7 @@ production: &base # This option should only be configured for providers which already have two factor. # This configration dose not apply to SAML. # (default: false) - allow_bypass_two_factor: null + allow_bypass_two_factor: ["twitter", 'google_oauth2'] ## Auth providers # Uncomment the following lines and fill in the data of the auth provider you want to use 
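Review bot: `allow_bypass_two_factor` changes from `null` to `["twitter", 'google_oauth2']` in the production template, which lets anyone who signs in through those providers skip GitLab's own second factor; the comment directly above says this should only be configured for providers that already enforce two factor and that the default is `false`, and nothing in the diff shows these two providers guarantee that (Twitter in particular does not require it of its users). This is a hard-coded policy change rather than a templated one, and the provider entries it names are removed from this file in the next hunk. Restore the default, `allow_bypass_two_factor: false`, or template it with a placeholder (a constructed name such as `{{OAUTH_ALLOW_BYPASS_TWO_FACTOR}}`) so the operator opts in explicitly; the mixed `"`/`'` quoting in the list is a minor style nit on top.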
@@ -928,114 +1025,129 @@ production: &base # arguments, followed by optional 'args' which can be either a hash or an array. # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html providers: + # - { name: 'alicloud', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET' } # See omniauth-cas3 for more configuration details - - { name: 'cas3', - label: '{{OAUTH_CAS3_LABEL}}', - args: { - url: '{{OAUTH_CAS3_SERVER}}', - disable_ssl_verification: {{OAUTH_CAS3_DISABLE_SSL_VERIFICATION}}, - login_url: '{{OAUTH_CAS3_LOGIN_URL}}', - service_validate_url: '{{OAUTH_CAS3_VALIDATE_URL}}', - logout_url: '{{OAUTH_CAS3_LOGOUT_URL}}'} } - - { name: 'authentiq', - app_id: '{{OAUTH_AUTHENTIQ_CLIENT_ID}}', - app_secret: 'OAUTH_AUTHENTIQ_CLIENT_SECRET', - args: { scope: {{OAUTH_AUTHENTIQ_SCOPE}}, redirect_uri: '{{OAUTH_AUTHENTIQ_REDIRECT_URI}}' } } - - { name: 'github', - label: 'GitHub', - app_id: '{{OAUTH_GITHUB_API_KEY}}', - app_secret: '{{OAUTH_GITHUB_APP_SECRET}}', - url: "{{OAUTH_GITHUB_URL}}", - verify_ssl: {{OAUTH_GITHUB_VERIFY_SSL}}, - args: { scope: '{{OAUTH_GITHUB_SCOPE}}' } } - - { name: 'bitbucket', - app_id: '{{OAUTH_BITBUCKET_API_KEY}}', - app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}', - url: '{{OAUTH_BITBUCKET_URL}}' } - - { name: 'gitlab', - label: 'GitLab.com', - app_id: '{{OAUTH_GITLAB_API_KEY}}', - app_secret: '{{OAUTH_GITLAB_APP_SECRET}}', - args: { scope: '{{OAUTH_GITLAB_SCOPE}}' } } - - { name: 'google_oauth2', - label: 'Google', - app_id: '{{OAUTH_GOOGLE_API_KEY}}', - app_secret: '{{OAUTH_GOOGLE_APP_SECRET}}', - args: { - access_type: 'offline', - approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}', - hd: [{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}] } } - - { name: 'facebook', - app_id: '{{OAUTH_FACEBOOK_API_KEY}}', - app_secret: '{{OAUTH_FACEBOOK_APP_SECRET}}' } - - { name: 'twitter', - app_id: '{{OAUTH_TWITTER_API_KEY}}', - app_secret: '{{OAUTH_TWITTER_APP_SECRET}}' } - - { name: 'saml', - label: '{{OAUTH_SAML_LABEL}}', - 
groups_attribute: '{{OAUTH_SAML_GROUPS_ATTRIBUTE}}',
- external_groups: [{{OAUTH_SAML_EXTERNAL_GROUPS}}],
- args: {
- assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}',
- idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}',
- idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}',
- issuer: '{{OAUTH_SAML_ISSUER}}',
- attribute_statements: {
- first_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}}'],
- last_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME}}'],
- username: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME}}'],
- name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}}'],
- email: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}'] },
- name_identifier_format: '{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}' } }
- - { name: 'crowd',
- args: {
- crowd_server_url: '{{OAUTH_CROWD_SERVER_URL}}',
- application_name: '{{OAUTH_CROWD_APP_NAME}}',
- application_password: '{{OAUTH_CROWD_APP_PASSWORD}}' } }
- - { name: 'auth0',
- args: {
- client_id: '{{OAUTH_AUTH0_CLIENT_ID}}',
- client_secret: '{{OAUTH_AUTH0_CLIENT_SECRET}}',
- domain: '{{OAUTH_AUTH0_DOMAIN}}',
- scope: '{{OAUTH_AUTH0_SCOPE}}' } }
- - { name: 'oauth2_generic',
- app_id: '{{OAUTH2_GENERIC_APP_ID}}',
- app_secret: '{{OAUTH2_GENERIC_APP_SECRET}}',
- args: {
- client_options: {
- site: '{{OAUTH2_GENERIC_CLIENT_SITE}}',
- user_info_url: '{{OAUTH2_GENERIC_CLIENT_USER_INFO_URL}}',
- authorize_url: '{{OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL}}',
- token_url: '{{OAUTH2_GENERIC_CLIENT_TOKEN_URL}}',
- end_session_endpoint: '{{OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT}}',
- },
- user_response_structure: {
- id_path: '{{OAUTH2_GENERIC_ID_PATH}}',
- attributes: {
- uid: '{{OAUTH2_GENERIC_USER_UID}}',
- name: '{{OAUTH2_GENERIC_USER_NAME}}',
- email: '{{OAUTH2_GENERIC_USER_EMAIL}}'
- }
- },
- name: '{{OAUTH2_GENERIC_NAME}}' }}
- - { name: 'azure_oauth2',
- args: {
- client_id: '{{OAUTH_AZURE_API_KEY}}',
- client_secret: '{{OAUTH_AZURE_API_SECRET}}',
- tenant_id: '{{OAUTH_AZURE_TENANT_ID}}' } }
+ # - { name: 'cas3',
+ # label: 'cas3',
+ # args: {
+ # url: 'https://sso.example.com',
+ # disable_ssl_verification: false,
+ # login_url: '/cas/login',
+ # service_validate_url: '/cas/p3/serviceValidate',
+ # logout_url: '/cas/logout'} }
+ # - { name: 'authentiq',
+ # # for client credentials (client ID and secret), go to https://www.authentiq.com/developers
+ # app_id: 'YOUR_CLIENT_ID',
+ # app_secret: 'YOUR_CLIENT_SECRET',
+ # args: {
+ # scope: 'aq:name email~rs address aq:push'
+ # # callback_url parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
+ # # callback_url: 'YOUR_CALLBACK_URL'
+ # }
+ # }
+ # - { name: 'github',
+ # app_id: 'YOUR_APP_ID',
+ # app_secret: 'YOUR_APP_SECRET',
+ # url: "https://github.com/",
+ # verify_ssl: true,
+ # args: { scope: 'user:email' } }
+ # - { name: 'bitbucket',
+ # app_id: 'YOUR_APP_ID',
+ # app_secret: 'YOUR_APP_SECRET' }
+ # - { name: 'dingtalk',
+ # app_id: 'YOUR_APP_ID',
+ # app_secret: 'YOUR_APP_SECRET' }
+ # - { name: 'gitlab',
+ # app_id: 'YOUR_APP_ID',
+ # app_secret: 'YOUR_APP_SECRET',
+ # args: { scope: 'api' } }
+ # - { name: 'google_oauth2',
+ # app_id: 'YOUR_APP_ID',
+ # app_secret: 'YOUR_APP_SECRET',
+ # args: { access_type: 'offline', approval_prompt: '' } }
+ # - { name: 'facebook',
+ # app_id: 'YOUR_APP_ID',
+ # app_secret: 'YOUR_APP_SECRET' }
+ # - { name: 'twitter',
+ # app_id: 'YOUR_APP_ID',
+ # app_secret: 'YOUR_APP_SECRET' }
+ # - { name: 'jwt',
+ # args: {
+ # secret: 'YOUR_APP_SECRET',
+ # algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512'
+ # uid_claim: 'email',
+ # required_claims: ['name', 'email'],
+ # info_map: { name: 'name', email: 'email' },
+ # auth_url: 'https://example.com/',
+ # valid_within: 3600 # 1 hour
+ # }
+ # }
+ # - { name: 'saml',
+ # label: 'Our SAML Provider',
+ # groups_attribute: 'Groups',
+ # external_groups: ['Contractors', 'Freelancers'],
+ # args: {
+ # 
assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback', + # idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8', + # idp_sso_target_url: 'https://login.example.com/idp', + # issuer: 'https://gitlab.example.com', + # name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' + # } } + # + # - { name: 'group_saml' } + # + # - { name: 'crowd', + # args: { + # crowd_server_url: 'CROWD SERVER URL', + # application_name: 'YOUR_APP_NAME', + # application_password: 'YOUR_APP_PASSWORD' } } + # + # - { name: 'auth0', + # args: { + # client_id: 'YOUR_AUTH0_CLIENT_ID', + # client_secret: 'YOUR_AUTH0_CLIENT_SECRET', + # namespace: 'YOUR_AUTH0_DOMAIN' } } # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours. # cas3: # session_duration: 28800 + # FortiAuthenticator settings + forti_authenticator: + # Allow using FortiAuthenticator as OTP provider + enabled: false + + # Host and port of FortiAuthenticator instance + # host: forti_authenticator.example.com + # port: 443 + + # Username for accessing FortiAuthenticator API + # username: john + + # Access token for FortiAuthenticator API + # access_token: 123s3cr3t456 + + # FortiToken Cloud settings + forti_token_cloud: + # Allow using FortiToken Cloud as OTP provider + enabled: false + + # Client ID and Secret to access FortiToken Cloud API + # client_id: 'YOUR_FORTI_TOKEN_CLOUD_CLIENT_ID' + # client_secret: 'YOUR_FORTI_TOKEN_CLOUD_CLIENT_SECRET' + # Shared file storage settings shared: path: {{GITLAB_SHARED_DIR}} # Default: shared + # Encrypted Settings configuration + encrypted_settings: + # path: /mnt/gitlab/encrypted_settings # Default: shared/encrypted_settings + # Gitaly settings gitaly: - # Path to the directory containing Gitaly client executables. - client_path: {{GITALY_CLIENT_PATH}} # Default Gitaly authentication token. Can be overridden per storage. 
Can # be left blank when Gitaly is running locally on a Unix socket, which # is the normal way to deploy Gitaly. 
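Review bot: Every templated provider entry (`cas3`, `authentiq`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0`, `oauth2_generic`, `azure_oauth2`) is replaced by commented-out examples, so unless the entrypoint now injects providers by another route the `OAUTH_*` placeholders never reach the rendered file and none of these sign-in methods can be enabled from the environment. The earlier `allow_bypass_two_factor: ["twitter", 'google_oauth2']` hunk then names providers this file no longer defines. The same hunk also drops `client_path: {{GITALY_CLIENT_PATH}}` under `gitaly:` while the test section still sets `client_path`; confirm the production value is supplied elsewhere. If provider templating is meant to move, a one-line comment under `providers:` saying where, e.g. `# Providers are rendered by the entrypoint from OAUTH_* variables`, would spare the next reader a search.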
@@ -1060,60 +1172,41 @@ production: &base ## Backup settings backup: path: "{{GITLAB_BACKUP_DIR}}" # Relative paths are relative to Rails.root (default: tmp/backups/) + # gitaly_backup_path: /home/git/gitaly/_build/bin/gitaly-backup # Path of the gitaly-backup binary (default: searches $PATH) archive_permissions: {{GITLAB_BACKUP_ARCHIVE_PERMISSIONS}} # Permissions for the resulting backup.tar file (default: 0600) keep_time: {{GITLAB_BACKUP_EXPIRY}} # default: 0 (forever) (in seconds) pg_schema: {{GITLAB_BACKUP_PG_SCHEMA}} # default: nil, it means that all schemas will be backed up upload: # Fog storage connection settings, see http://fog.io/storage/ . - #start-aws connection: provider: AWS region: {{AWS_BACKUP_REGION}} - endpoint: {{AWS_BACKUP_ENDPOINT}} - path_style: {{AWS_BACKUP_PATH_STYLE}} aws_access_key_id: {{AWS_BACKUP_ACCESS_KEY_ID}} aws_secret_access_key: '{{AWS_BACKUP_SECRET_ACCESS_KEY}}' - aws_signature_version: {{AWS_BACKUP_SIGNATURE_VERSION}} # The remote 'directory' to store your backups. For S3, this would be the bucket name. remote_directory: '{{AWS_BACKUP_BUCKET}}' #start-multipart-aws # Use multipart uploads when file size reaches 100MB, see - # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html + # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html multipart_chunk_size: {{AWS_BACKUP_MULTIPART_CHUNK_SIZE}} #end-multipart-aws #start-encryption-aws - # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional - encryption: 'AES256' - # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional - # This should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data. - # 'encryption' must also be set in order for this to have any effect. 
- # encryption_key: '' - #end-encryption-aws # Specifies Amazon S3 storage class to use for backups, this is optional storage_class: '{{AWS_BACKUP_STORAGE_CLASS}}' - #end-aws - #start-gcs - # Fog storage connection settings, see http://fog.io/storage/ . - connection: - provider: Google - google_storage_access_key_id: {{GCS_BACKUP_ACCESS_KEY_ID}} - google_storage_secret_access_key: '{{GCS_BACKUP_SECRET_ACCESS_KEY}}' - remote_directory: '{{GCS_BACKUP_BUCKET}}' - #end-gcs - - ## Pseudonymizer exporter - pseudonymizer: - # Tables manifest that specifies the fields to extract and pseudonymize. - manifest: config/pseudonymizer.yml - upload: - remote_directory: 'gitlab-elt' - # Fog storage connection settings, see http://fog.io/storage/ . - connection: - # provider: AWS - # region: eu-west-1 - # aws_access_key_id: AKIAKIAKI - # aws_secret_access_key: 'secret123' - # # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. + # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional + # 'encryption' must be set in order for this to have any effect. + # 'encryption_key' should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data. + # encryption: 'AES256' + # encryption_key: '' + # # + # # Turns on AWS Server-Side Encryption with Amazon S3-Managed keys (optional) + # # https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html + # # For SSE-S3, set 'server_side_encryption' to 'AES256'. + # # For SS3-KMS, set 'server_side_encryption' to 'aws:kms'. Set + # # 'server_side_encryption_kms_key_id' to the ARN of customer master key. + # # storage_options: + # # server_side_encryption: 'aws:kms' + # # server_side_encryption_kms_key_id: 'arn:aws:kms:YOUR-KEY-ID-HERE' ## GitLab Shell settings gitlab_shell: 
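Review bot: The S3 upload block loses its active `encryption: 'AES256'` line — it survives only commented-out, next to the new commented `storage_options`/`server_side_encryption` example — so backup archives pushed to the bucket are no longer requested with server-side encryption unless the operator edits the rendered file. The hunk also removes the `endpoint`, `path_style` and `aws_signature_version` placeholders and the whole GCS alternative, which was the template's only way to target an S3-compatible endpoint or Google Cloud Storage; if those image variables remain documented they become silent no-ops. Keep at least the encryption setting templated, e.g. `encryption: '{{AWS_BACKUP_ENCRYPTION}}'` (constructed placeholder name), or explain the changed default in the commit. `SS3-KMS` in the added comment looks like a typo for `SSE-KMS`.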
@@ -1139,6 +1232,21 @@ production: &base # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_workhorse_secret + gitlab_kas: + # enabled: true + # File that contains the secret key for verifying access for gitlab-kas. + # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app). + # secret_file: /home/git/gitlab/.gitlab_kas_secret + + # The URL to the external KAS API (used by the Kubernetes agents) + # external_url: wss://kas.example.com + + # The URL to the internal KAS API (used by the GitLab backend) + # internal_url: grpc://localhost:8153 + + # The URL to the Kubernetes API proxy (used by GitLab users) + # external_k8s_proxy_url: https://localhost:8154 # default: nil + ## GitLab Elasticsearch settings elasticsearch: indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/ @@ -1147,12 +1255,7 @@ production: &base # CAUTION! # Use the default values unless you really know what you are doing git: - bin_path: /usr/local/bin/git - - ## ActionCable settings - action_cable: - # Number of threads used to process ActionCable connection callbacks and channel actions - # worker_pool_size: 4 + bin_path: /usr/bin/git ## Webpack settings # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running @@ -1167,10 +1270,6 @@ production: &base ## Monitoring # Built in monitoring settings monitoring: - # Time between sampling of unicorn socket metrics, in seconds - unicorn_sampler_interval: {{GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL}} - # Time between sampling of Puma metrics, in seconds - # puma_sampler_interval: 5 # IP whitelist to access monitoring endpoints ip_whitelist: - 127.0.0.0/8 
@@ -1178,11 +1277,17 @@ production: &base # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics sidekiq_exporter: - enabled: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED}} - address: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS}} - port: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT}} + enabled: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED}} + log_enabled: false + address: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS}} + port: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT}} + + sidekiq_health_checks: + # enabled: true + # address: localhost + # port: 8092 - # Web exporter is webserver built in to Unicorn/Puma to expose Prometheus metrics + # Web exporter is a dedicated Rack server running alongside Puma to expose Prometheus metrics # It runs alongside the `/metrics` endpoints to ease the publish of metrics web_exporter: # enabled: true @@ -1196,8 +1301,12 @@ production: &base # yourself, and then update the values here. # https://docs.gitlab.com/ee/administration/monitoring/prometheus/ prometheus: - # enable: true - # listen_address: 'localhost:9090' + # enabled: true + # server_address: 'localhost:9090' + + ## Consul settings + consul: + # api_url: 'http://localhost:8500' shutdown: # # blackout_seconds: @@ -1215,9 +1324,23 @@ production: &base ## Google analytics. Uncomment if you want it google_analytics_id: '{{GOOGLE_ANALYTICS_ID}}' - ## Piwik analytics. - piwik_url: '{{PIWIK_URL}}' - piwik_site_id: '{{PIWIK_SITE_ID}}' + ## Google tag manager + # google_tag_manager_id: '_your_tracking_id' + + ## OneTrust + # one_trust_id: '_your_one_trust_id' + + ## Bizible. + # bizible: true + + ## Matomo analytics. + # matomo_url: '_your_matomo_url' + # matomo_site_id: '_your_matomo_site_id' + # matomo_disable_cookies: false + + ## Maximum file size for syntax highlighting + ## https://docs.gitlab.com/ee/user/project/highlighting.html + # maximum_text_highlight_size_kilobytes: 512 rack_attack: git_basic_auth: 
@@ -1265,7 +1388,7 @@ test: # has been pushed). # when: always # The location where external diffs are stored (default: shared/external-diffs). - # storage_path: shared/external-diffs + storage_path: tmp/tests/external-diffs object_store: enabled: false remote_directory: external-diffs # The bucket name @@ -1294,7 +1417,6 @@ test: object_store: enabled: false remote_directory: artifacts # The bucket name - background_upload: false connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID @@ -1315,7 +1437,19 @@ test: storage_path: tmp/tests/terraform_state object_store: enabled: false - remote_directory: terraform_state + remote_directory: terraform + connection: + provider: AWS # Only AWS supported at the moment + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + + ci_secure_files: + enabled: true + storage_path: tmp/tests/ci_secure_files + object_store: + enabled: false + remote_directory: ci-secure-files connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID 
@@ -1353,30 +1487,31 @@ test: # user: YOUR_USERNAME pages: path: tmp/tests/pages + object_store: + enabled: false + remote_directory: pages # The bucket name + connection: + provider: AWS + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + local_store: + enabled: true + path: tmp/tests/pages repositories: storages: default: path: tmp/tests/repositories/ - gitaly_address: unix:tmp/tests/gitaly/gitaly.socket + gitaly_address: unix:tmp/tests/gitaly/praefect.socket gitaly: - client_path: tmp/tests/gitaly + client_path: tmp/tests/gitaly/_build/bin token: secret workhorse: secret_file: tmp/gitlab_workhorse_test_secret backup: path: tmp/tests/backups - pseudonymizer: - manifest: config/pseudonymizer.yml - upload: - # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. - remote_directory: gitlab-elt.test - # Fog storage connection settings, see http://fog.io/storage/ - connection: - provider: AWS # Only AWS supported at the moment - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 + gitaly_backup_path: tmp/tests/gitaly/_build/bin/gitaly-backup gitlab_shell: path: tmp/tests/gitlab-shell/ authorized_keys_file: tmp/tests/authorized_keys @@ -1397,6 +1532,9 @@ test: external_providers: [] providers: + - { name: 'alicloud', + app_id: 'YOUR_APP_ID', + app_secret: 'YOUR_APP_SECRET' } - { name: 'cas3', label: 'cas3', args: { url: 'https://sso.example.com', @@ -1413,6 +1551,9 @@ test: - { name: 'bitbucket', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET' } + - { name: 'dingtalk', + app_id: 'YOUR_APP_ID', + app_secret: 'YOUR_APP_SECRET' } - { name: 'gitlab', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', 
@@ -1451,6 +1592,11 @@ test: app_id: 'YOUR_CLIENT_ID', app_secret: 'YOUR_CLIENT_SECRET' } + - { name: 'atlassian_oauth2', + app_id: 'YOUR_CLIENT_ID', + app_secret: 'YOUR_CLIENT_SECRET', + args: { scope: 'offline_access read:jira-user read:jira-work', prompt: 'consent' } + } ldap: enabled: false servers: @@ -1465,8 +1611,8 @@ test: group_base: 'ou=groups,dc=example,dc=com' admin_group: '' prometheus: - enable: true - listen_address: 'localhost:9090' + enabled: true + server_address: 'localhost:9090' staging: <<: *base diff --git a/assets/runtime/config/gitlabhq/puma.rb b/assets/runtime/config/gitlabhq/puma.rb index f48ff788a..34b0ee787 100644 --- a/assets/runtime/config/gitlabhq/puma.rb +++ b/assets/runtime/config/gitlabhq/puma.rb @@ -1,5 +1,3 @@ -ENV['RAILS_RELATIVE_URL_ROOT'] = "{{GITLAB_RELATIVE_URL_ROOT}}" - # frozen_string_literal: true # Load "path" as a rackup file. @@ -34,7 +32,6 @@ # Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only # accepted protocols. bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket' -bind 'tcp://127.0.0.1:8080' workers {{PUMA_WORKERS}} @@ -48,7 +45,7 @@ before_fork do # Signal to the puma killer - Gitlab::Cluster::PumaWorkerKillerInitializer.start(@config.options, puma_per_worker_max_memory_mb: {{PUMA_PER_WORKER_MAX_MEMORY_MB}}, puma_master_max_memory_mb: {{PUMA_MASTER_MAX_MEMORY_MB}}) unless ENV['DISABLE_PUMA_WORKER_KILLER'] + Gitlab::Cluster::PumaWorkerKillerInitializer.start @config.options unless ENV['DISABLE_PUMA_WORKER_KILLER'] # Signal application hooks that we're about to fork Gitlab::Cluster::LifecycleEvents.do_before_fork 
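Review bot: Removing `ENV['RAILS_RELATIVE_URL_ROOT'] = "{{GITLAB_RELATIVE_URL_ROOT}}"` from the top of puma.rb means Rails no longer learns its relative URL root from this file; the gitaly config in the same commit still renders `relative_url_root` from that placeholder, so a sub-path deployment now depends on the entrypoint exporting the variable into Puma's environment, which this diff does not show. If that is the case a short comment in its place, `# RAILS_RELATIVE_URL_ROOT is exported by the entrypoint`, documents the dependency; otherwise the assignment should stay.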
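Review bot: The `before_fork` hunk drops `puma_per_worker_max_memory_mb: {{PUMA_PER_WORKER_MAX_MEMORY_MB}}` and `puma_master_max_memory_mb: {{PUMA_MASTER_MAX_MEMORY_MB}}` from the `PumaWorkerKillerInitializer.start` call, so worker memory limits fall back to the initializer's defaults and those two image variables become silent no-ops. If the initializer now reads its own environment variables (not visible here) the image documentation should point at them; otherwise keep the keyword arguments. The `before_fork` block continues outside the hunk.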
@@ -72,6 +69,12 @@ # worker_timeout {{PUMA_TIMEOUT}} +# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#lower-latency-better-throughput +wait_for_less_busy_worker ENV.fetch('PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001).to_f + +# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#nakayoshi_fork +nakayoshi_fork unless ENV['DISABLE_PUMA_NAKAYOSHI_FORK'] == 'true' + # Use json formatter require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/puma_logging/json_formatter" @@ -79,3 +82,12 @@ log_formatter do |str| json_formatter.call(str) end + +lowlevel_error_handler do |ex, env| + if Raven.configuration.capture_allowed? + Raven.capture_exception(ex, tags: { 'handler': 'puma_low_level' }, extra: { puma_env: env }) + end + + # note the below is just a Rack response + [500, {}, ["An error has occurred and reported in the system's low-level error handler."]] +end diff --git a/assets/runtime/config/gitlabhq/resque.yml b/assets/runtime/config/gitlabhq/resque.yml index 7a6681536..20b4bab7f 100644 --- a/assets/runtime/config/gitlabhq/resque.yml +++ b/assets/runtime/config/gitlabhq/resque.yml @@ -1,5 +1,5 @@ -# If you change this file in a Merge Request, please also create -# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests +# If you change this file in a merge request, please also create +# a merge request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # development: url: redis://localhost:6379 @@ -8,7 +8,7 @@ development: # host: localhost # port: 26380 # point to sentinel, not to redis port # - - # host: slave2 + # host: replica2 # port: 26381 # point to sentinel, not to redis port test: url: redis://localhost:6379 
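Review bot: The new `lowlevel_error_handler` passes the entire Rack `env` to the error tracker via `extra: { puma_env: env }`; that hash carries the request headers, including cookies and any `Authorization` value, so every low-level failure ships the failing request's credentials off the host whenever `Raven.configuration.capture_allowed?` is true. It also uses the `Raven` constant unguarded, so if the legacy `sentry-raven` gem is not loaded in this deployment the handler itself raises inside the error path (the Gemfile is not in this diff, so this is inferred). Prefer a whitelisted subset, e.g. `extra: { puma_env: env.slice('REQUEST_METHOD', 'PATH_INFO', 'QUERY_STRING') }`, and wrap the capture in `if defined?(Raven) && Raven.configuration.capture_allowed?`.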
@@ -22,13 +22,13 @@ production: # http://redis.io/topics/sentinel # # You must specify a list of a few sentinels that will handle client connection - # please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html + # please read here for more information: https://docs.gitlab.com/ee/administration/redis/index.html ## # url: redis://master:6379 # sentinels: # - - # host: slave1 + # host: replica1 # port: 26379 # point to sentinel, not to redis port # - - # host: slave2 + # host: replica2 # port: 26379 # point to sentinel, not to redis port diff --git a/assets/runtime/config/gitlabhq/secrets.yml b/assets/runtime/config/gitlabhq/secrets.yml index 769d956a2..ffb5096d5 100644 --- a/assets/runtime/config/gitlabhq/secrets.yml +++ b/assets/runtime/config/gitlabhq/secrets.yml @@ -1,11 +1,9 @@ production: # db_key_base is used to encrypt for Variables. Ensure that you don't lose it. # If you change or lose this key you will be unable to access variables stored in database. - # Make sure the secret is at least 30 characters and all random, + # Make sure the secret is at least 32 characters and all random, # no regular words or you'll be exposed to dictionary attacks. db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}} - secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}} - otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}} development: db_key_base: development diff --git a/assets/runtime/config/gitlabhq/smtp_settings.rb b/assets/runtime/config/gitlabhq/smtp_settings.rb index d7dffbde0..be128b7a6 100644 --- a/assets/runtime/config/gitlabhq/smtp_settings.rb +++ b/assets/runtime/config/gitlabhq/smtp_settings.rb 
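Review bot: The secrets.yml hunk removes `secret_key_base` and `otp_key_base` from the production section, leaving only `db_key_base` templated. These are the keys GitLab uses for session/cookie signing and for encrypting stored two-factor secrets; if nothing else supplies them the application generates fresh values at boot, and any regeneration invalidates existing sessions and makes previously stored OTP secrets undecryptable, which in a container is a real risk unless the generated file lives on a persistent volume. Unless the entrypoint now writes these keys by another route, keep `secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}}` and `otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}}` next to `db_key_base`. The comment change from 30 to 32 characters is fine on its own.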
@@ -5,10 +5,11 @@ # # For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html # -# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests +# If you change this file in a merge request, please also create a merge request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests if Rails.env.production? Rails.application.config.action_mailer.delivery_method = :smtp + secrets = Gitlab::Email::SmtpConfig.secrets ActionMailer::Base.delivery_method = :smtp ActionMailer::Base.smtp_settings = { 
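Review bot: `secrets = Gitlab::Email::SmtpConfig.secrets` is now evaluated on every production boot but only referenced from the commented `user_name: secrets.username` / `password: secrets.password` lines in the next hunk, so it is an unused local; whether the call is harmless when no encrypted SMTP secrets file exists is not visible here. Either comment it out alongside the lines that use it, `# secrets = Gitlab::Email::SmtpConfig.secrets`, or switch the template to the encrypted path so `{{SMTP_PASS}}` no longer lands in the rendered file in plaintext. The `if Rails.env.production?` block continues outside the hunk.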
@@ -16,12 +17,46 @@ port: {{SMTP_PORT}}, user_name: "{{SMTP_USER}}", password: "{{SMTP_PASS}}", + ## If you are using encrypted smtp credentials then you should instead use the secrets user_name/password + ## See: https://docs.gitlab.com/ee/administration/raketasks/smtp.html#secrets + # user_name: secrets.username, + # password: secrets.password, domain: "{{SMTP_DOMAIN}}", authentication: "{{SMTP_AUTHENTICATION}}", enable_starttls_auto: {{SMTP_STARTTLS}}, - openssl_verify_mode: '{{SMTP_OPENSSL_VERIFY_MODE}}', + openssl_verify_mode: '{{SMTP_OPENSSL_VERIFY_MODE}}', # See ActionMailer documentation for other possible options ca_path: "{{SMTP_CA_PATH}}", ca_file: "{{SMTP_CA_FILE}}", tls: {{SMTP_TLS}} } end + +# To use an SMTP connection pool, uncomment the following section: +# +# require 'mail/smtp_pool' +# +# ActionMailer::Base.add_delivery_method :smtp_pool, Mail::SMTPPool +# +# if Rails.env.production? +# Rails.application.config.action_mailer.delivery_method = :smtp_pool +# secrets = Gitlab::Email::SmtpConfig.secrets +# +# ActionMailer::Base.delivery_method = :smtp_pool +# ActionMailer::Base.smtp_pool_settings = { +# pool: Mail::SMTPPool.create_pool( +# pool_size: Gitlab::Runtime.max_threads, +# address: "email.server.com", +# port: 465, +# user_name: "smtp", +# password: "123456", +# ## If you are using encrypted smtp credentials then you should instead use the secrets user_name/password +# ## See: https://docs.gitlab.com/ee/administration/raketasks/smtp.html#secrets +# # user_name: secrets.username, +# # password: secrets.password, +# domain: "gitlab.company.com", +# authentication: :login, +# enable_starttls_auto: true, +# openssl_verify_mode: 'peer' # See ActionMailer documentation for other possible options +# ) +# } +# end