init

files/gitlab-cookbooks/consul/recipes/watchers.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+account_helper = AccountHelper.new(node)
+watch_helper = WatchHelper::WatcherConfig.new(node)
+
+# Remove excess watcher configurations and handlers
+to_cleanup = watch_helper.excess_handler_scripts
+to_cleanup += watch_helper.excess_watcher_configs
+
+to_cleanup.each do |f|
+  file f do
+    action :delete
+  end
+end
+
+watch_helper.watchers.each do |watcher|
+  file watcher.consul_config_file do
+    content watcher.consul_config
+    owner account_helper.postgresql_user
+  end
+
+  # Create/update handler scripts
+  template watcher.handler_script do
+    source "watcher_scripts/#{watcher.handler_template}"
+    variables watcher.template_variables
+    mode 0555
+  end
+end
+
+# Watcher specific settings
+pg_service = node['consul']['internal']['postgresql_service_name']
+if node['consul']['watchers'].include?(pg_service)
+  node.default['pgbouncer']['databases_ini'] = '/var/opt/gitlab/consul/databases.ini'
+  node.default['pgbouncer']['databases_json'] = '/var/opt/gitlab/consul/databases.json'
+  node.default['pgbouncer']['databases_ini_user'] = 'gitlab-consul'
+end

files/gitlab-cookbooks/consul/resources/consul_service.rb

+resource_name :consul_service
+provides :consul_service
+
+unified_mode true
+
+property :service_name, String, name_property: true
+property :id, String, name_property: true
+property :ip_address, [String, nil], default: nil
+property :meta, [Hash, nil], default: nil
+property :port, [Integer, nil], default: nil
+property :reload_service, [TrueClass, FalseClass], default: true
+
+# Combined address plus port - 0.0.0.0:1234
+property :socket_address, [String, nil], default: nil
+
+action :create do
+  if property_is_set?(:socket_address)
+    ip_address, port = new_resource.socket_address.split(':')
+    ip_address = translate_address(ip_address)
+  elsif property_is_set?(:ip_address) && property_is_set?(:port)
+    ip_address = translate_address(new_resource.ip_address)
+    port = new_resource.port
+  else
+    raise "Missing required properties: `socket_address` or both `ip_address` and `port`."
+  end
+
+  service_name = sanitize_service_name(new_resource.service_name)
+  file_name = sanitize_service_name(new_resource.id)
+
+  content = {
+    'service' => {
+      'name' => service_name,
+      'address' => ip_address,
+      'port' => port.to_i
+    }
+  }
+
+  # Remove address if advertise_addr is set to allow service to use underlying advertise_addr
+  content['service'].delete('address') if node['consul']['configuration']['advertise_addr']
+
+  content['service']['meta'] = new_resource.meta if property_is_set?(:meta)
+
+  # Ensure the dir exists but leave permissions to `consul::enable`
+  directory node['consul']['config_dir'] do
+    recursive true
+  end
+
+  file "#{node['consul']['config_dir']}/#{file_name}-service.json" do
+    content content.to_json
+    notifies :run, 'execute[reload consul]' if new_resource.reload_service
+  end
+end
+
+action :delete do
+  file_name = sanitize_service_name(new_resource.id)
+
+  file "#{node['consul']['config_dir']}/#{file_name}-service.json" do
+    action :delete
+    notifies :run, 'execute[reload consul]' if new_resource.reload_service
+  end
+end
+
+# Consul allows dashes but not underscores for DNS service discovery.
+# Avoid logging errors by changing all underscores to dashes.
+def sanitize_service_name(name)
+  name.tr('_', '-')
+end
+
+# A listen address of 0.0.0.0 binds to all interfaces.
+# Translate that listen address to the node's actual
+# IP address so external services know where to connect.
+def translate_address(address)
+  return node['ipaddress'] if ['0.0.0.0', '*'].include?(address)
+
+  address
+end

files/gitlab-cookbooks/consul/templates/default/sv-consul-log-config.erb

+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>
+<% @logging_filters.each do |name, filter| %>
+# <%= name %>
+<%= filter %>
+<% end %>

files/gitlab-cookbooks/consul/templates/default/sv-consul-log-run.erb

+#!/bin/sh
+exec chpst -P \
+  -U root:<%= @options[:log_group] || 'root' %> \
+  -u root:<%= @options[:log_group] || 'root' %> \
+  svlogd <% unless node['consul']['configuration']['log_json'] %>-tt <% end %><%= @options[:log_directory] %>

files/gitlab-cookbooks/consul/templates/default/sv-consul-run.erb

+#!/bin/bash
+set -e # fail on errors
+
+# Redirect stderr -> stdout
+exec 2>&1
+
+cd <%= @options[:dir] %>
+
+exec chpst -P -e <%= @options[:env_dir] %> \
+-U <%= @options[:user] %>:<%= @options[:groupname] %> \
+-u <%= @options[:user] %>:<%= @options[:groupname] %> \
+<%= @options[:binary_path] %> \
+  agent \
+  -config-file <%= @options[:config_file] %> \
+  -config-dir <%= @options[:config_dir] %> \
+  <% unless @options[:custom_config_dir].nil? -%>
+  -config-dir <%= @options[:custom_config_dir] %> \
+  <% end -%>
+  -data-dir <%= @options[:data_dir] %>

files/gitlab-cookbooks/consul/templates/default/watcher_scripts/failover_pgbouncer.erb

+#!/opt/gitlab/embedded/bin/ruby
+
+require '/opt/gitlab/embedded/cookbooks/consul/libraries/failover_helper'
+require 'open3'
+require 'logger'
+
+@log = Logger.new('<%= @log_directory %>/failover_pgbouncer.log')
+@log.level = Logger::INFO
+
+def run_command(command)
+  exit_status = 0
+
+  Open3.popen3(command) do |stdin, stdout, stderr, wait_thr|
+    @log.info("Running: #{command}")
+    while line = stdout.gets
+      @log.info("STDOUT: #{line}")
+    end
+
+    while line = stderr.gets
+      @log.error("STDERR: #{line}")
+    end
+
+    exit_status = wait_thr.value
+  end
+
+  exit_status.to_i
+end
+
+service_data = FailoverHelper::ServiceData.new
+service_data.service_name = "<%= @watcher_service_name %>"
+service_data.check_field = "Status"
+service_data.leader_value = "passing"
+
+begin
+  failover = FailoverHelper::LeaderFinder.new($stdin.gets, service_data)
+  new_primary = failover.primary_node_address
+  @log.info("Found primary: #{new_primary}")
+
+  Kernel.exit run_command("gitlab-ctl pgb-notify --pg-database <%= @database_name %> --newhost #{new_primary} --user pgbouncer --hostuser gitlab-consul")
+rescue JSON::ParserError => jparser_error
+  @log.error(jparser_error.message)
+  Kernel.exit 2
+rescue FailoverHelper::SplitBrain => splitbrain_error
+  @log.error(splitbrain_error.message)
+  splitbrain_error.primary_nodes.each do |primary|
+    @log.error("    Node: #{primary.name}")
+  end
+  @log.error('Stopping pgbouncer to prevent issues. Once the error is cleared, consul will reload pgbouncer')
+  results = run_command('gitlab-ctl pgb-kill --pg-database <%= @database_name %> --user pgbouncer --hostuser gitlab-consul')
+  Kernel.exit 3 + results
+rescue FailoverHelper::PrimaryMissing => no_primary_error
+  @log.error(no_primary_error.message)
+  Kernel.exit 4
+end

files/gitlab-cookbooks/crond/attributes/default.rb

+default['crond']['enable'] = false
+default['crond']['log_directory'] = '/var/log/gitlab/crond'
+default['crond']['cron_d'] = '/var/opt/gitlab/crond'
+default['crond']['flags'] = {}

files/gitlab-cookbooks/crond/libraries/crond_helper.rb

+require 'shellwords'
+
+class CrondHelper
+  attr_reader :node
+
+  def initialize(node)
+    @node = node
+  end
+
+  def flags
+    config = []
+
+    node['crond']['flags'].each do |flag_key, flag_value|
+      next if flag_key == 'include' || flag_value == false
+
+      config << if flag_value == true
+                  "--#{flag_key}"
+                elsif !flag_value.empty?
+                  "--#{flag_key}=#{Shellwords.escape(flag_value)}"
+                end
+    end
+
+    config << "--include=#{Shellwords.escape(node['crond']['cron_d'])}"
+
+    config.join(" ")
+  end
+end

files/gitlab-cookbooks/crond/metadata.rb

+name 'crond'
+maintainer 'GitLab.com'
+maintainer_email 'support@gitlab.com'
+license 'Apache-2.0'
+description 'Installs/Configures go-crond for GitLab'
+long_description 'Installs/Configures go-crond for GitLab'
+version '0.1.0'
+chef_version '>= 12.1' if respond_to?(:chef_version)
+
+depends 'package'
+depends 'gitlab'
+
+issues_url 'https://gitlab.com/gitlab-org/omnibus-gitlab/issues'
+source_url 'https://gitlab.com/gitlab-org/omnibus-gitlab'

files/gitlab-cookbooks/crond/recipes/disable.rb

+runit_service "crond" do
+  action :disable
+end

files/gitlab-cookbooks/crond/recipes/enable.rb

+# When this recipe is used directly, set the attribute, so the crond_job type
+# knows we have been enabled.
+logfiles_helper = LogfilesHelper.new(node)
+logging_settings = logfiles_helper.logging_settings('crond')
+
+node.default['crond']['enable'] = true
+
+# Create log_directory
+directory logging_settings[:log_directory] do
+  owner logging_settings[:log_directory_owner]
+  mode logging_settings[:log_directory_mode]
+  if log_group = logging_settings[:log_directory_group]
+    group log_group
+  end
+  recursive true
+end
+
+directory node["crond"]["cron_d"] do
+  recursive true
+  owner "root"
+end
+
+crond_flags = CrondHelper.new(node).flags
+
+runit_service "crond" do
+  owner "root"
+  group "root"
+  options({
+    flags: crond_flags,
+    log_directory: logging_settings[:log_directory],
+    log_user: logging_settings[:runit_owner],
+    log_group: logging_settings[:runit_group]
+  }.merge(params))
+  log_options logging_settings[:options]
+end

files/gitlab-cookbooks/crond/resources/job.rb

+unified_mode true
+
+property :title, String, name_property: true
+property :user, String, required: true
+property :minute, [String, Integer], default: "*"
+property :hour, [String, Integer], default: "*"
+property :day_of_month, [String, Integer], default: "*"
+property :month, [String, Integer], default: "*"
+property :day_of_week, [String, Integer], default: "*"
+property :command, String, required: true
+
+action :create do
+  schedule = [
+    new_resource.minute,
+    new_resource.hour,
+    new_resource.day_of_month,
+    new_resource.month,
+    new_resource.day_of_week,
+  ].join(" ")
+
+  file "#{node['crond']['cron_d']}/#{new_resource.title}" do
+    owner "root"
+    group "root"
+    content "#{schedule} #{new_resource.user} #{new_resource.command}\n"
+    notifies :restart, 'runit_service[crond]' if node['crond']['enable']
+    only_if { node['crond']['enable'] }
+  end
+end
+
+action :delete do
+  file "#{node['crond']['cron_d']}/#{new_resource.title}" do
+    action :delete
+    notifies :restart, 'runit_service[crond]' if node['crond']['enable']
+  end
+end

files/gitlab-cookbooks/crond/templates/default/sv-crond-log-config.erb

+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>

files/gitlab-cookbooks/crond/templates/default/sv-crond-log-run.erb

+#!/bin/sh
+exec chpst -P \
+  -U root:<%= @options[:log_group] || 'root' %> \
+  -u root:<%= @options[:log_group] || 'root' %> \
+  svlogd -tt <%= @options[:log_directory] %>

files/gitlab-cookbooks/crond/templates/default/sv-crond-run.erb

+#!/bin/bash
+set -e # fail on errors
+
+# Redirect stderr -> stdout
+exec 2>&1
+
+exec chpst -P \
+  /opt/gitlab/embedded/bin/go-crond \
+    <%= @options[:flags] %>

files/gitlab-cookbooks/gitaly/attributes/default.rb

+default['gitaly']['enable'] = false
+default['gitaly']['ha'] = false
+default['gitaly']['dir'] = "/var/opt/gitlab/gitaly"
+default['gitaly']['env_directory'] = "/opt/gitlab/etc/gitaly/env"
+# default['gitaly']['env'] is set in ../recipes/enable.rb
+default['gitaly']['bin_path'] = "/opt/gitlab/embedded/bin/gitaly"
+default['gitaly']['open_files_ulimit'] = 15000
+default['gitaly']['consul_service_name'] = 'gitaly'
+default['gitaly']['consul_service_meta'] = nil
+default['gitaly']['log_group'] = nil
+default['gitaly']['use_wrapper'] = true
+
+default['gitaly']['configuration'] = {
+  runtime_dir: "#{node['gitaly']['dir']}/run",
+  socket_path: "#{node['gitaly']['dir']}/gitaly.socket",
+  prometheus_listen_addr: 'localhost:9236',
+  logging: {
+    dir: '/var/log/gitlab/gitaly',
+    format: 'json'
+  },
+  git: {
+    use_bundled_binaries: true,
+    bin_path: "#{node['package']['install-dir']}/embedded/bin/git"
+  },
+  storage: []
+}

files/gitlab-cookbooks/gitaly/libraries/gitaly.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/mash'
+require 'tomlib'
+require_relative '../../package/libraries/helpers/output_helper.rb'
+
+module Gitaly
+  class << self
+    include OutputHelper
+
+    def parse_variables
+      parse_git_data_dirs
+      parse_gitaly_storages
+      parse_gitconfig
+      check_duplicate_storage_paths
+    end
+
+    def gitaly_address
+      listen_addr = user_config.dig('configuration', 'listen_addr')         || package_default.dig('configuration', 'listen_addr')
+      socket_path = user_config.dig('configuration', 'socket_path')         || package_default.dig('configuration', 'socket_path')
+      tls_listen_addr = user_config.dig('configuration', 'tls_listen_addr') || package_default.dig('configuration', 'tls_listen_addr')
+
+      # Default to using socket path if available
+      if tls_listen_addr && !tls_listen_addr.empty?
+        "tls://#{tls_listen_addr}"
+      elsif socket_path && !socket_path.empty?
+        "unix:#{socket_path}"
+      elsif listen_addr && !listen_addr.empty?
+        "tcp://#{listen_addr}"
+      end
+    end
+
+    def parse_git_data_dirs
+      Gitlab['git_data_dirs'] = { "default" => { "path" => "/var/opt/gitlab/git-data" } } if Gitlab['git_data_dirs'].empty?
+
+      Gitlab['git_data_dirs'].map do |name, details|
+        Gitlab['git_data_dirs'][name]['path'] = details[:path] || details['path'] || '/var/opt/gitlab/git-data'
+      end
+
+      Gitlab['gitlab_rails']['repositories_storages'] =
+        Hash[Mash.new(Gitlab['git_data_dirs']).map do |name, data_directory|
+          shard_gitaly_address = data_directory['gitaly_address'] || gitaly_address
+
+          defaults = { 'path' => File.join(data_directory['path'], 'repositories'), 'gitaly_address' => shard_gitaly_address }
+          params = data_directory.merge(defaults)
+
+          [name, params]
+        end]
+    end
+
+    def parse_gitaly_storages
+      return unless Gitlab['gitaly'].dig('configuration', 'storage').nil?
+
+      storages = []
+      Gitlab['gitlab_rails']['repositories_storages'].each do |key, value|
+        storages << {
+          'name' => key,
+          'path' => value['path']
+        }
+      end
+      Gitlab['gitaly']['configuration'] ||= {}
+      Gitlab['gitaly']['configuration']['storage'] = storages
+    end
+
+    # Compute the default gitconfig from the old Omnibus gitconfig setting.
+    # This depends on the Gitlab cookbook having been parsed already.
+    def parse_gitconfig
+      # If the administrator has set `gitaly[:configuration][:git][:config]` then we do not add a
+      # fallback gitconfig.
+      return unless Gitlab['gitaly'].dig('configuration', 'git', 'config').nil?
+
+      # Furthermore, if the administrator has not overridden the
+      # `omnibus_gitconfig` we do not have to migrate anything either. Most
+      # importantly, we are _not_ interested in migrating defaults.
+      return if Gitlab['omnibus_gitconfig']['system'].nil?
+
+      # We use the old system-level Omnibus gitconfig as the default value...
+      omnibus_gitconfig = Gitlab['omnibus_gitconfig']['system'].flat_map do |section, entries|
+        entries.map do |entry|
+          key, value = entry.split('=', 2)
+
+          raise "Invalid entry detected in omnibus_gitconfig['system']: '#{entry}' should be in the form key=value" if key.nil? || value.nil?
+
+          "#{section}.#{key.strip}=#{value.strip}"
+        end
+      end
+
+      # ... but remove any of its values that had been part of the default
+      # configuration when introducing the Gitaly gitconfig. We do not want to
+      # inject our old default values into Gitaly anymore given that it is
+      # setting its own defaults nowadays. Furthermore, we must not inject the
+      # `core.fsyncObjectFiles` config entry, which has been deprecated in Git.
+      omnibus_gitconfig -= [
+        'pack.threads=1',
+        'receive.advertisePushOptions=true',
+        'receive.fsckObjects=true',
+        'repack.writeBitmaps=true',
+        'transfer.hideRefs=^refs/tmp/',
+        'transfer.hideRefs=^refs/keep-around/',
+        'transfer.hideRefs=^refs/remotes/',
+        'core.alternateRefsCommand="exit 0 #"',
+        'core.fsyncObjectFiles=true',
+        'fetch.writeCommitGraph=true'
+      ]
+
+      # The configuration format has changed. Previously, we had a map of
+      # top-level config entry keys to their sublevel entry keys which also
+      # included a value. The new format is an array of hashes with key and
+      # value entries.
+      gitaly_gitconfig = omnibus_gitconfig.map do |config|
+        # Split up the `foo.bar=value` to obtain the left-hand and right-hand sides of the assignment
+        section_subsection_and_key, value = config.split('=', 2)
+
+        # We need to split up the left-hand side. This can either be of the
+        # form `core.gc`, or of the form `http "http://example.com".insteadOf`.
+        # We thus split from the right side at the first dot we see.
+        key, section_and_subsection = section_subsection_and_key.reverse.split('.', 2)
+        key.reverse!
+
+        # And then we need to potentially split the section/subsection if we
+        # have `http "http://example.com"` now.
+        section, subsection = section_and_subsection.reverse!.split(' ', 2)
+        subsection&.gsub!(/\A"|"\Z/, '')
+
+        # So that we have finally split up the section, subsection, key and
+        # value. It is fine for the `subsection` to be `nil` here in case there
+        # is none.
+        { 'section' => section, 'subsection' => subsection, 'key' => key, 'value' => value }
+      end
+
+      return unless gitaly_gitconfig.any?
+
+      tmp_source_hash = {
+        configuration: {
+          git: {
+            config: gitaly_gitconfig.map do |entry|
+              {
+                key: [entry['section'], entry['subsection'], entry['key']].compact.join('.'),
+                value: entry['value']
+              }
+            end
+          }
+        }
+      }
+
+      Chef::Mixin::DeepMerge.deep_merge!(tmp_source_hash, Gitlab['gitaly'])
+    end
+
+    # Validate that no storages are sharing the same path.
+    def check_duplicate_storage_paths
+      # If Gitaly isn't running, there is no need to do this check.
+      return unless Services.enabled?('gitaly')
+
+      # Deep copy storages to avoid mutating the original.
+      storages = Marshal.load(Marshal.dump(Gitlab['gitaly']['configuration']['storage']))
+
+      storages.each do |storage|
+        storage[:realpath] =
+          begin
+            File.realpath(storage[:path])
+          rescue Errno::ENOENT
+            storage[:path]
+          end
+      end
+
+      realpath_duplicates = storages.group_by { |storage| storage[:realpath] }.select { |_, entries| entries.size > 1 }
+
+      return if realpath_duplicates.empty?
+
+      output = realpath_duplicates.map do |realpath, entries|
+        names = entries.map { |s| s[:name] }.join(', ')
+        "#{realpath}: #{names}"
+      end
+
+      raise "Multiple Gitaly storages are sharing the same filesystem path:\n  #{output.join('\n  ')}"
+    end
+
+    private
+
+    def user_config
+      Gitlab['gitaly']
+    end
+
+    def package_default
+      Gitlab['node']['gitaly'].to_hash
+    end
+  end
+end

files/gitlab-cookbooks/gitaly/metadata.rb

+name 'gitaly'
+maintainer 'GitLab.com'
+maintainer_email 'support@gitlab.com'
+license 'Apache 2.0'
+description 'Installs/Configures Gitaly'
+long_description 'Installs/Configures Gitaly'
+version '0.1.0'
+chef_version '>= 12.1' if respond_to?(:chef_version)
+
+issues_url 'https://gitlab.com/gitlab-org/omnibus-gitlab/issues'
+source_url 'https://gitlab.com/gitlab-org/omnibus-gitlab'
+
+depends 'package'

files/gitlab-cookbooks/gitaly/recipes/disable.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service "gitaly" do
+  action :disable
+end
+
+consul_service node['gitaly']['consul_service_name'] do
+  id 'gitaly'
+  action :delete
+  reload_service false unless Services.enabled?('consul')
+end

files/gitlab-cookbooks/gitaly/recipes/enable.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+account_helper = AccountHelper.new(node)
+omnibus_helper = OmnibusHelper.new(node)
+logfiles_helper = LogfilesHelper.new(node)
+logging_settings = logfiles_helper.logging_settings('gitaly')
+
+working_dir = node['gitaly']['dir']
+env_directory = node['gitaly']['env_directory']
+config_path = File.join(working_dir, "config.toml")
+gitaly_path = node['gitaly']['bin_path']
+wrapper_path = "#{gitaly_path}-wrapper"
+pid_file = File.join(working_dir, "gitaly.pid")
+json_logging = node.dig('gitaly', 'configuration', 'logging', 'format').eql?('json')
+open_files_ulimit = node['gitaly']['open_files_ulimit']
+runtime_dir = node.dig('gitaly', 'configuration', 'runtime_dir')
+cgroups_mountpoint = node.dig('gitaly', 'configuration', 'cgroups', 'mountpoint')
+cgroups_hierarchy_root = node.dig('gitaly', 'configuration', 'cgroups', 'hierarchy_root')
+use_wrapper = node['gitaly']['use_wrapper']
+
+include_recipe 'gitaly::git_data_dirs'
+
+directory working_dir do
+  owner account_helper.gitlab_user
+  mode '0700'
+  recursive true
+end
+
+directory runtime_dir do
+  owner account_helper.gitlab_user
+  mode '0700'
+  recursive true
+end
+
+directory logging_settings[:log_directory] do
+  owner logging_settings[:log_directory_owner]
+  mode logging_settings[:log_directory_mode]
+  if log_group = logging_settings[:log_directory_group]
+    group log_group
+  end
+  recursive true
+end
+
+# Support for the internal socket directory was removed in v15.0. If the old
+# default internal socket directory still exists we can thus remove it.
+directory File.join(node['gitaly']['dir'], 'internal_sockets') do
+  action :delete
+  recursive true
+end
+
+# Doing this in attributes/default.rb will need gitlab cookbook to be loaded
+# before gitaly cookbook. This means gitaly cookbook has to depend on gitlab
+# cookbook.  Since gitlab cookbook already depends on gitaly cookbook, this
+# causes a circular dependency. To avoid it, the default value is set in the
+# recipe itself.
+node.default['gitaly']['env'] = {
+  'HOME' => node['gitlab']['user']['home'],
+  'PATH' => "#{node['package']['install-dir']}/bin:#{node['package']['install-dir']}/embedded/bin:/bin:/usr/bin",
+  'TZ' => ':/etc/localtime',
+  # This is needed by gitlab-markup to import Python docutils
+  'PYTHONPATH' => "#{node['package']['install-dir']}/embedded/lib/python3.9/site-packages",
+  # Charlock Holmes and libicu will report U_FILE_ACCESS_ERROR if this is not set to the right path
+  # See https://gitlab.com/gitlab-org/gitlab-foss/issues/17415#note_13868167
+  'ICU_DATA' => "#{node['package']['install-dir']}/embedded/share/icu/current",
+  'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/",
+  # wrapper script parameters
+  'GITALY_PID_FILE' => pid_file,
+  'WRAPPER_JSON_LOGGING' => json_logging.to_s
+}
+
+env_dir env_directory do
+  variables node['gitaly']['env']
+  notifies :restart, "runit_service[gitaly]" if omnibus_helper.should_notify?('gitaly')
+end
+
+gitlab_url, gitlab_relative_path = WebServerHelper.internal_api_url(node)
+
+template "Create Gitaly config.toml" do
+  path config_path
+  source "gitaly-config.toml.erb"
+  owner "root"
+  group account_helper.gitlab_group
+  mode "0640"
+  variables node['gitaly'].to_hash.merge(
+    {
+      configuration: node.dig('gitaly', 'configuration').merge(
+        {
+          # The gitlab section is not configured by the user directly. Its values are derived
+          # from other configuration.
+          gitlab: {
+            url: gitlab_url,
+            relative_url_root: gitlab_relative_path,
+            'http-settings': node.dig('gitlab', 'gitlab_shell', 'http_settings')
+          }.merge(node.dig('gitaly', 'configuration', 'gitlab') || {}).compact,
+
+          # These options below were historically hard coded values in the template. They
+          # are set here to retain the behavior of them not being overridable by the user.
+          bin_dir: '/opt/gitlab/embedded/bin',
+          git: (node.dig('gitaly', 'configuration', 'git') || {}).merge(
+            {
+              # Ignore gitconfig files so that the only source of truth for how Git commands
+              # are configured are Gitaly's own defaults and the Git configuration injected
+              # in this file.
+              ignore_gitconfig: true
+            }
+          ),
+          'gitlab-shell': (node.dig('gitaly', 'configuration', 'gitlab-shell') || {}).merge(
+            {
+              dir: '/opt/gitlab/embedded/service/gitlab-shell'
+            }
+          ),
+        }
+      )
+    }
+  )
+  notifies :hup, "runit_service[gitaly]" if omnibus_helper.should_notify?('gitaly')
+  sensitive true
+end
+
+runit_service 'gitaly' do
+  start_down node['gitaly']['ha']
+  options({
+    user: account_helper.gitlab_user,
+    groupname: account_helper.gitlab_group,
+    working_dir: working_dir,
+    env_dir: env_directory,
+    bin_path: gitaly_path,
+    wrapper_path: wrapper_path,
+    config_path: config_path,
+    log_directory: logging_settings[:log_directory],
+    log_user: logging_settings[:runit_owner],
+    log_group: logging_settings[:runit_group],
+    json_logging: json_logging,
+    open_files_ulimit: open_files_ulimit,
+    cgroups_mountpoint: cgroups_mountpoint,
+    cgroups_hierarchy_root: cgroups_hierarchy_root,
+    use_wrapper: use_wrapper,
+  }.merge(params))
+  log_options logging_settings[:options]
+end
+
+if node['gitlab']['bootstrap']['enable']
+  execute "/opt/gitlab/bin/gitlab-ctl start gitaly" do
+    retries 20
+  end
+end
+
+version_file 'Create version file for Gitaly' do
+  version_file_path File.join(working_dir, 'VERSION')
+  version_check_cmd "/opt/gitlab/embedded/bin/ruby -rdigest/sha2 -e 'puts %(sha256:) + Digest::SHA256.file(%(/opt/gitlab/embedded/bin/gitaly)).hexdigest'"
+  notifies :hup, "runit_service[gitaly]"
+end
+
+consul_service node['gitaly']['consul_service_name'] do
+  id 'gitaly'
+  meta node['gitaly']['consul_service_meta']
+  action Prometheus.service_discovery_action
+  socket_address node.dig('gitaly', 'configuration', 'prometheus_listen_addr')
+  reload_service false unless Services.enabled?('consul')
+end