init

files/gitlab-cookbooks/gitaly/recipes/git_data_dirs.rb

+#
+# Copyright:: Copyright (c) 2024 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+account_helper = AccountHelper.new(node)
+gitlab_user = account_helper.gitlab_user
+gitlab_group = account_helper.gitlab_group
+
+# Holds git-data, by default one shard at /var/opt/gitlab/git-data
+# Can be changed by user using git_data_dirs option
+Mash.new(Gitlab['git_data_dirs']).each do |_name, git_data_directory|
+  storage_directory git_data_directory['path'] do
+    owner gitlab_user
+    group gitlab_group
+    mode "2770"
+  end
+end
+
+# Holds git repositories, by default at /var/opt/gitlab/git-data/repositories
+# Should not be changed by user. Different permissions to git_data_dir set.
+repositories_storages = node['gitlab']['gitlab_rails']['repositories_storages']
+repositories_storages.each do |_name, repositories_storage|
+  storage_directory repositories_storage['path'] do
+    owner gitlab_user
+    group gitlab_group
+    mode "2770"
+  end
+end

files/gitlab-cookbooks/gitaly/templates/default/gitaly-config.toml.erb

+# Gitaly configuration file
+# This file is managed by gitlab-ctl. Manual changes will be
+# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
+# and run:
+# sudo gitlab-ctl reconfigure
+
+<%= Tomlib.dump(@configuration) %>

files/gitlab-cookbooks/gitaly/templates/default/sv-gitaly-log-config.erb

+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>

files/gitlab-cookbooks/gitaly/templates/default/sv-gitaly-log-run.erb

+#!/bin/sh
+exec chpst -P \
+  -U root:<%= @options[:log_group] || 'root' %> \
+  -u root:<%= @options[:log_group] || 'root' %> \
+  svlogd <% unless @options[:json_logging] %>-tt <% end %><%= @options[:log_directory] %>

files/gitlab-cookbooks/gitaly/templates/default/sv-gitaly-run.erb

+#!/bin/sh
+
+<% if @options[:open_files_ulimit] %>
+# Attempt to change ulimit before the set -e flag, ignore failures
+ulimit -n <%= @options[:open_files_ulimit] %>
+<% end %>
+
+set -e # fail on errors
+
+# Redirect stderr -> stdout
+exec 2>&1
+
+<%= render("mount_point_check.erb", cookbook: 'gitlab') %>
+
+<% if @options[:cgroups_mountpoint] && @options[:cgroups_hierarchy_root] %>
+<% %w(cpu memory).each do |resource| %>
+mkdir -m 0700 -p <%= File.join(@options[:cgroups_mountpoint], resource, @options[:cgroups_hierarchy_root]) %>
+chown <%= @options[:user] %>:<%= @options[:groupname] %> <%= File.join(@options[:cgroups_mountpoint], resource, @options[:cgroups_hierarchy_root]) %>
+<% end %>
+<% end %>
+
+cd <%= @options[:working_dir] %>
+
+exec chpst -e <%= @options[:env_dir] %> -P \
+  -U <%= @options[:user] %>:<%= @options[:groupname] %> \
+  -u <%= @options[:user] %>:<%= @options[:groupname] %> \
+<% if @options[:use_wrapper] %>
+  <%= @options[:wrapper_path] %> <%= @options[:bin_path] %> serve <%= @options[:config_path] %>
+<% else %>
+  <%= @options[:bin_path] %> serve <%= @options[:config_path] %>
+<% end %>

files/gitlab-cookbooks/gitlab-ee/attributes/default.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+default['gitlab']['sentinel']['enable'] = false
+default['gitlab']['sentinel']['bind'] = '0.0.0.0'
+default['gitlab']['sentinel']['dir'] = '/var/opt/gitlab/sentinel'
+default['gitlab']['sentinel']['log_directory'] = '/var/log/gitlab/sentinel'
+default['gitlab']['sentinel']['ha'] = false
+default['gitlab']['sentinel']['port'] = 26379
+default['gitlab']['sentinel']['password'] = nil
+default['gitlab']['sentinel']['quorum'] = 1
+default['gitlab']['sentinel']['announce_ip'] = nil
+default['gitlab']['sentinel']['announce_port'] = nil
+default['gitlab']['sentinel']['down_after_milliseconds'] = 10000
+default['gitlab']['sentinel']['failover_timeout'] = 60000
+default['gitlab']['sentinel']['myid'] = nil
+default['gitlab']['sentinel']['tls_port'] = nil
+default['gitlab']['sentinel']['tls_cert_file'] = nil
+default['gitlab']['sentinel']['tls_key_file'] = nil
+default['gitlab']['sentinel']['tls_dh_params_file'] = nil
+default['gitlab']['sentinel']['tls_ca_cert_file'] = "#{node['package']['install-dir']}/embedded/ssl/certs/cacert.pem"
+default['gitlab']['sentinel']['tls_ca_cert_dir'] = "#{node['package']['install-dir']}/embedded/ssl/certs/"
+default['gitlab']['sentinel']['tls_auth_clients'] = 'optional'
+default['gitlab']['sentinel']['tls_replication'] = nil
+default['gitlab']['sentinel']['tls_cluster'] = nil
+default['gitlab']['sentinel']['tls_protocols'] = nil
+default['gitlab']['sentinel']['tls_ciphers'] = nil
+default['gitlab']['sentinel']['tls_ciphersuites'] = nil
+default['gitlab']['sentinel']['tls_prefer_server_ciphers'] = nil
+default['gitlab']['sentinel']['tls_session_caching'] = nil
+default['gitlab']['sentinel']['tls_session_cache_size'] = nil
+default['gitlab']['sentinel']['tls_session_cache_timeout'] = nil
+default['gitlab']['sentinel']['use_hostnames'] = nil
+
+###
+# Geo: Common (primary or secondary) node configuration
+###
+default['gitlab']['gitlab_rails']['geo_node_name'] = nil
+default['gitlab']['gitlab_rails']['geo_registry_replication_enabled'] = false
+default['gitlab']['gitlab_rails']['geo_registry_replication_primary_api_url'] = nil
+
+###
+# Geo: Secondary node configuration
+###
+default['gitlab']['geo_secondary']['enable'] = false
+default['gitlab']['geo_secondary']['auto_migrate'] = true
+default['gitlab']['geo_secondary']['db_adapter'] = "postgresql"
+default['gitlab']['geo_secondary']['db_encoding'] = "unicode"
+default['gitlab']['geo_secondary']['db_collation'] = nil
+default['gitlab']['geo_secondary']['db_database'] = "gitlabhq_geo_production"
+default['gitlab']['geo_secondary']['db_username'] = "gitlab_geo"
+default['gitlab']['geo_secondary']['db_password'] = nil
+default['gitlab']['geo_secondary']['db_load_balancing'] = { 'hosts' => [] }
+# Path to postgresql socket directory
+default['gitlab']['geo_secondary']['db_host'] = nil # when `nil` - value is set from geo_postgresql['dir']
+default['gitlab']['geo_secondary']['db_port'] = 5431
+default['gitlab']['geo_secondary']['db_socket'] = nil
+default['gitlab']['geo_secondary']['db_sslmode'] = nil
+default['gitlab']['geo_secondary']['db_sslcompression'] = 0
+default['gitlab']['geo_secondary']['db_sslrootcert'] = nil
+default['gitlab']['geo_secondary']['db_sslca'] = nil
+default['gitlab']['geo_secondary']['db_prepared_statements'] = false
+default['gitlab']['geo_secondary']['db_database_tasks'] = true
+
+###
+# Geo: PostgreSQL (Tracking database)
+###
+
+default['gitlab']['geo_postgresql'] = default['postgresql'].dup
+# We are inheriting default attributes from postgresql and changing below what should be different
+default['gitlab']['geo_postgresql']['enable'] = false
+default['gitlab']['geo_postgresql']['dir'] = '/var/opt/gitlab/geo-postgresql'
+default['gitlab']['geo_postgresql']['log_directory'] = '/var/log/gitlab/geo-postgresql'
+default['gitlab']['geo_postgresql']['unix_socket_directory'] = nil
+default['gitlab']['geo_postgresql']['ssl'] = 'off'
+# Postgres User's Environment Path
+default['gitlab']['geo_postgresql']['sql_user'] = 'gitlab_geo'
+default['gitlab']['geo_postgresql']['sql_mattermost_user'] = nil
+default['gitlab']['geo_postgresql']['port'] = 5431
+
+# Mininum of 1/8 of total memory and Maximum of 1024MB as sane defaults
+default['gitlab']['geo_postgresql']['shared_buffers'] = "#{[(node['memory']['total'].to_i / 8) / 1024, 1024].max}MB"
+
+default['gitlab']['geo_postgresql']['work_mem'] = '16MB'
+default['gitlab']['geo_postgresql']['maintenance_work_mem'] = '16MB'
+default['gitlab']['geo_postgresql']['effective_cache_size'] = "#{[(node['memory']['total'].to_i / 8) / 1024, 2048].max}MB" # double of shared_buffers estimation
+default['gitlab']['geo_postgresql']['log_min_duration_statement'] = 1000
+default['gitlab']['geo_postgresql']['min_wal_size'] = '80MB'
+default['gitlab']['geo_postgresql']['max_wal_size'] = '1GB'
+default['gitlab']['geo_postgresql']['checkpoint_timeout'] = '5min'
+default['gitlab']['geo_postgresql']['checkpoint_completion_target'] = 0.9
+default['gitlab']['geo_postgresql']['checkpoint_warning'] = '30s'
+default['gitlab']['geo_postgresql']['wal_buffers'] = '-1'
+default['gitlab']['geo_postgresql']['autovacuum'] = 'on'
+default['gitlab']['geo_postgresql']['log_autovacuum_min_duration'] = '-1'
+default['gitlab']['geo_postgresql']['autovacuum_max_workers'] = '3'
+default['gitlab']['geo_postgresql']['autovacuum_naptime'] = '1min'
+default['gitlab']['geo_postgresql']['autovacuum_vacuum_threshold'] = '50'
+default['gitlab']['geo_postgresql']['autovacuum_analyze_threshold'] = '50'
+default['gitlab']['geo_postgresql']['autovacuum_vacuum_scale_factor'] = '0.02' # 10x lower than PG defaults
+default['gitlab']['geo_postgresql']['autovacuum_analyze_scale_factor'] = '0.01' # 10x lower than PG defaults
+default['gitlab']['geo_postgresql']['autovacuum_freeze_max_age'] = '200000000'
+default['gitlab']['geo_postgresql']['autovacuum_vacuum_cost_delay'] = '20ms'
+default['gitlab']['geo_postgresql']['autovacuum_vacuum_cost_limit'] = '-1'
+default['gitlab']['geo_postgresql']['statement_timeout'] = '60000'
+default['gitlab']['geo_postgresql']['idle_in_transaction_session_timeout'] = '60000'
+default['gitlab']['geo_postgresql']['log_line_prefix'] = nil
+default['gitlab']['geo_postgresql']['track_activity_query_size'] = '1024'
+default['gitlab']['geo_postgresql']['effective_io_concurrency'] = 1
+default['gitlab']['geo_postgresql']['max_worker_processes'] = 8
+default['gitlab']['geo_postgresql']['max_parallel_workers_per_gather'] = 0
+default['gitlab']['geo_postgresql']['log_lock_waits'] = 1
+default['gitlab']['geo_postgresql']['deadlock_timeout'] = '5s'
+default['gitlab']['geo_postgresql']['track_io_timing'] = 'off'
+default['gitlab']['geo_postgresql']['custom_pg_hba_entries'] = {}
+default['gitlab']['geo_postgresql']['default_statistics_target'] = 1000
+
+# Replication settings
+default['gitlab']['geo_postgresql']['wal_level'] = 'minimal'
+default['gitlab']['geo_postgresql']['wal_log_hints'] = 'off'
+default['gitlab']['geo_postgresql']['max_wal_senders'] = 0
+default['gitlab']['geo_postgresql']['wal_keep_segments'] = 10
+default['gitlab']['geo_postgresql']['wal_keep_size'] = nil
+default['gitlab']['geo_postgresql']['hot_standby'] = 'off'
+default['gitlab']['geo_postgresql']['max_standby_archive_delay'] = '30s'
+default['gitlab']['geo_postgresql']['max_standby_streaming_delay'] = '30s'
+default['gitlab']['geo_postgresql']['max_replication_slots'] = 0
+default['gitlab']['geo_postgresql']['synchronous_commit'] = 'on'
+default['gitlab']['geo_postgresql']['synchronous_standby_names'] = ''
+default['gitlab']['geo_postgresql']['hot_standby_feedback'] = 'off'
+
+# Backup/Archive settings
+default['gitlab']['geo_postgresql']['archive_mode'] = 'off'
+default['gitlab']['geo_postgresql']['archive_command'] = nil
+default['gitlab']['geo_postgresql']['archive_timeout'] = '0'
+
+# pgbouncer settings
+default['gitlab']['geo_postgresql']['pgbouncer_user'] = 'pgbouncer'
+default['gitlab']['geo_postgresql']['pgbouncer_user_password'] = nil
+
+# Automatically restart on version changes
+default['gitlab']['geo_postgresql']['auto_restart_on_version_change'] = true
+
+###
+# Geo: LogCursor (replication)
+###
+
+default['gitlab']['geo_logcursor']['ha'] = false
+default['gitlab']['geo_logcursor']['log_directory'] = '/var/log/gitlab/geo-logcursor'
+default['gitlab']['geo_logcursor']['env_directory'] = '/opt/gitlab/etc/geo-logcursor/env'
+
+default['gitlab']['suggested-reviewers'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['suggested_reviewers'].to_h }, "node['gitlab']['suggested-reviewers']", "node['gitlab']['suggested_reviewers']")
+default['gitlab']['geo-secondary'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['geo_secondary'].to_h }, "node['gitlab']['geo-secondary']", "node['gitlab']['geo_secondary']")
+default['gitlab']['geo-logcursor'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['geo_logcursor'].to_h }, "node['gitlab']['geo-logcursor']", "node['gitlab']['geo_logcursor']")
+default['gitlab']['geo-postgresql'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['geo_postgresql'].to_h }, "node['gitlab']['geo-postgresql']", "node['gitlab']['geo_postgresql']")

files/gitlab-cookbooks/gitlab-ee/libraries/geo_postgresql.rb

+module GeoPostgresql
+  class << self
+    def parse_variables
+      postgresql_dir = Gitlab['geo_postgresql']['dir'] || node['gitlab']['geo_postgresql']['dir']
+
+      Gitlab['geo_postgresql']['unix_socket_directory'] ||= postgresql_dir
+      Gitlab['geo_postgresql']['home'] ||= postgresql_dir
+
+      parse_wal_keep_size
+    end
+
+    def node
+      Gitlab[:node]
+    end
+
+    private
+
+    def parse_wal_keep_size
+      wal_segment_size = 16
+      wal_keep_segments = Gitlab['geo_postgresql']['wal_keep_segments'] || node['gitlab']['geo_postgresql']['wal_keep_segments']
+      wal_keep_size = Gitlab['geo_postgresql']['wal_keep_size'] || node['gitlab']['geo_postgresql']['wal_keep_size']
+
+      Gitlab['geo_postgresql']['wal_keep_size'] = if wal_keep_size.nil?
+                                                    wal_keep_segments.to_i * wal_segment_size
+                                                  else
+                                                    wal_keep_size
+                                                  end
+    end
+  end
+end

files/gitlab-cookbooks/gitlab-ee/libraries/geo_secondary.rb

+module GeoSecondary
+  GEO_DB_MIGRATIONS_PATH = 'ee/db/geo/migrate'.freeze
+  GEO_SCHEMA_MIGRATIONS_PATH = 'ee/db/geo/schema_migrations'.freeze
+
+  class << self
+    def parse_variables
+      parse_database
+      parse_geo_secondary_db_host
+    end
+
+    def node
+      Gitlab[:node]
+    end
+
+    private
+
+    def parse_database
+      # If user hasn't specified a geo database, for now, we will use the
+      # geo_secondary[`db_*`] keys to populate one. In the future, we can
+      # deprecate geo_secondary[`db_*`] keys and ask users to  explicitly
+      # set `gitlab_rails['databases']['geo']['db_*']` settings instead.
+      Gitlab['gitlab_rails']['databases'] ||= {}
+      Gitlab['gitlab_rails']['databases']['geo'] ||= { 'enable' => true }
+
+      if geo_secondary_enabled? && geo_database_enabled?
+        # Set default value for attributes of geo database based on
+        # geo_secondary[`db_*`] settings.
+        geo_database_attributes.each do |attribute|
+          Gitlab['gitlab_rails']['databases']['geo'][attribute] ||= Gitlab['geo_secondary'][attribute] || node['gitlab']['geo_secondary'][attribute]
+        end
+
+        # Set db_migrations_path since Geo migration lives in a non-default place
+        Gitlab['gitlab_rails']['databases']['geo']['db_migrations_paths'] = GEO_DB_MIGRATIONS_PATH
+        Gitlab['gitlab_rails']['databases']['geo']['db_schema_migrations_path'] = GEO_SCHEMA_MIGRATIONS_PATH
+      else
+        # Weed out the geo database settings if both Geo and database is not enabled
+        Gitlab['gitlab_rails']['databases'].delete('geo')
+      end
+    end
+
+    def geo_secondary_enabled?
+      Gitlab['geo_secondary_role']['enable'] || Gitlab['geo_secondary']['enable']
+    end
+
+    def geo_database_attributes
+      node['gitlab']['geo_secondary'].to_h.keys.select { |k| k.start_with?('db_') }
+    end
+
+    def parse_geo_secondary_db_host
+      return unless geo_secondary_enabled? && geo_database_enabled?
+
+      db_host = Gitlab['gitlab_rails']['databases']['geo']['db_host']
+      if db_host&.include?(',')
+        Gitlab['gitlab_rails']['databases']['geo']['db_host'] = db_host.split(',')[0]
+        warning = [
+          "Received multiple geo_secondary['db_host'] values: #{db_host.to_json}.",
+          "First listen_address '#{Gitlab['gitlab_rails']['databases']['geo']['db_host']}' will be used."
+        ].join("\n  ")
+        warn(warning)
+      end
+
+      # In case no other setting was provided for db_host,
+      # we use the socket directory
+      Gitlab['gitlab_rails']['databases']['geo']['db_host'] ||= Gitlab['geo_postgresql']['unix_socket_directory']
+    end
+
+    def geo_database_enabled?
+      Gitlab['gitlab_rails'].dig('databases', 'geo', 'enable') == true
+    end
+  end
+end

files/gitlab-cookbooks/gitlab-ee/libraries/gitlab-ee.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Override the GitLab edition to be EE
+module Gitlab
+  edition :ee
+end

files/gitlab-cookbooks/gitlab-ee/libraries/gitlab_geo_helper.rb

+# frozen_string_literal: true
+
+class GitlabGeoHelper < RailsMigrationHelper
+  def initialize(node)
+    @node = node
+    @status_file_prefix = 'geo-db-migrate'
+    @attributes_node = node['gitlab']['geo_secondary']
+  end
+end

files/gitlab-cookbooks/gitlab-ee/libraries/sentinel.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module Sentinel
+  class << self
+    def parse_variables
+      parse_sentinel_settings if sentinel_enabled?
+    end
+
+    def parse_sentinel_settings
+      # If sentinel['announce_ip'] is not defined, we infer the value from redis['announce_ip']
+      Gitlab['sentinel']['announce_ip'] ||= Gitlab['redis']['announce_ip']
+      # If sentinel['announce_port'] is not defined, we infer the value from sentinel['port']
+      Gitlab['sentinel']['announce_port'] ||= Gitlab['sentinel']['port']
+    end
+
+    private
+
+    def sentinel_enabled?
+      Gitlab['redis_sentinel_role']['enable']
+    end
+
+    def node
+      Gitlab[:node]
+    end
+  end
+end

files/gitlab-cookbooks/gitlab-ee/libraries/sentinel_helper.rb

+class SentinelHelper
+  MYID_PATTERN ||= /^[0-9a-f]{40}$/.freeze
+  JSON_FILE ||= '/etc/gitlab/gitlab-sentinel.json'.freeze
+
+  def initialize(node)
+    @node = node
+  end
+
+  def myid
+    if sentinel.key?('myid') && sentinel['myid']
+      restore_from_node
+    else
+      restore_or_generate_from_file
+    end
+  end
+
+  def use_hostnames
+    # Detect if user is overriding what we want to calculate here
+    return sentinel['use_hostnames'] ? 'yes' : 'no' unless sentinel['use_hostnames'].nil?
+
+    return 'yes' if redis['announce_ip_from_hostname']
+
+    # Enable hostnames if a non-IP address value is provided in announce_ip
+    return 'yes' if sentinel['announce_ip'] && !Regexp.union([Resolv::IPv4::Regex, Resolv::IPv6::Regex]).match(sentinel['announce_ip'])
+
+    'no'
+  end
+
+  def running_version
+    return unless OmnibusHelper.new(@node).service_up?('sentinel')
+
+    command = "/opt/gitlab/embedded/bin/redis-cli #{redis_cli_connect_options} INFO"
+    env =
+      if sentinel['password']
+        { 'REDISCLI_AUTH' => sentinel['password'] }
+      else
+        {}
+      end
+
+    command_output = VersionHelper.version(command, env: env)
+
+    raise "Execution of the command `#{command}` failed" unless command_output
+
+    version_match = command_output.match(/redis_version:(?<redis_version>\d*\.\d*\.\d*)/)
+    raise "Execution of the command `#{command}` generated unexpected output `#{command_output.strip}`" unless version_match
+
+    version_match['redis_version']
+  end
+
+  def installed_version
+    return unless OmnibusHelper.new(@node).service_up?('sentinel')
+
+    command = '/opt/gitlab/embedded/bin/redis-sentinel --version'
+
+    command_output = VersionHelper.version(command)
+    raise "Execution of the command `#{command}` failed" unless command_output
+
+    version_match = command_output.match(/Redis server v=(?<redis_version>\d*\.\d*\.\d*)/)
+    raise "Execution of the command `#{command}` generated unexpected output `#{command_output.strip}`" unless version_match
+
+    version_match['redis_version']
+  end
+
+  private
+
+  # Restore from node definition (gitlab.rb)
+  def restore_from_node
+    raise 'Sentinel myid must be exactly 40 hex-characters lowercase' unless MYID_PATTERN.match?(sentinel['myid'])
+
+    sentinel['myid']
+  end
+
+  # Restore from local JSON file or create a new myid
+  def restore_or_generate_from_file
+    existing_data = load_from_file
+    if existing_data && existing_data['myid']
+      existing_data['myid']
+    else
+      myid = generate_myid
+      save_to_file({ 'myid' => myid })
+
+      myid
+    end
+  end
+
+  def sentinel
+    @node['gitlab']['sentinel']
+  end
+
+  def redis
+    @node['redis']
+  end
+
+  # Load from local JSON file
+  def load_from_file
+    Chef::JSONCompat.from_json(File.read(JSON_FILE)) if File.exist?(JSON_FILE)
+  end
+
+  # Save to local JSON file
+  def save_to_file(data)
+    return unless File.directory?('/etc/gitlab')
+
+    File.open(JSON_FILE, 'w', 0600) do |f|
+      f.puts(Chef::JSONCompat.to_json_pretty(data))
+      f.chmod(0600) # update existing file
+    end
+  end
+
+  def generate_myid
+    SecureRandom.hex(20) # size will be n*2 -> 40 characters
+  end
+
+  def redis_cli_connect_options
+    args = ["-h #{sentinel['bind']}"]
+    port = sentinel['port'].to_i
+
+    if port.zero?
+      redis_cli_tls_options(args)
+    else
+      args << "-p #{port}"
+    end
+
+    args.join(' ')
+  end
+
+  def redis_cli_tls_options(args)
+    tls_port = sentinel['tls_port'].to_i
+
+    raise "No Sentinel port available: sentinel['port'] or sentinel['tls_port'] must be non-zero" if tls_port.zero?
+
+    args << "--tls"
+    args << "-p #{tls_port}"
+    args << "--cacert '#{sentinel['tls_ca_cert_file']}'" if sentinel['tls_ca_cert_file']
+    args << "--cacertdir '#{sentinel['tls_ca_cert_dir']}'" if sentinel['tls_ca_cert_dir']
+
+    return unless client_certs_required?
+
+    raise "Sentinel TLS client authentication requires sentinel['tls_cert_file'] and sentinel['tls_key_file'] options" unless client_cert_and_key_available?
+
+    args << "--cert '#{sentinel['tls_cert_file']}'"
+    args << "--key '#{sentinel['tls_key_file']}'"
+  end
+
+  def client_certs_required?
+    sentinel['tls_auth_clients'] == 'yes'
+  end
+
+  def client_cert_and_key_available?
+    sentinel['tls_cert_file'] && !sentinel['tls_cert_file'].empty? &&
+      sentinel['tls_key_file'] && !sentinel['tls_key_file'].empty?
+  end
+end

files/gitlab-cookbooks/gitlab-ee/libraries/suggested_reviewers.rb

+module SuggestedReviewers
+  class << self
+    def parse_secrets
+      Gitlab['suggested_reviewers']['api_secret_key'] ||= Base64.strict_encode64(SecretsHelper.generate_hex(16))
+    end
+
+    def validate_secrets
+      return unless Gitlab['suggested_reviewers']['api_secret_key']
+
+      # Suggested Reviewers and GitLab expects exactly 32 bytes, encoded with base64
+      api_secret_key = Base64.strict_decode64(Gitlab['suggested_reviewers']['api_secret_key'])
+      raise "suggested_reviewers['api_secret_key'] should be exactly 32 bytes" if api_secret_key.length != 32
+    end
+  end
+end

files/gitlab-cookbooks/gitlab-ee/metadata.rb

+name "gitlab-ee"
+maintainer "GitLab Inc"
+maintainer_email "support@gitlab.com"
+license "Apache 2.0"
+description "Install and configure GitLab EE from Omnibus"
+long_description "Install and configure GitLab EE from Omnibus"
+version "0.0.1"
+recipe "gitlab", "Configures GitLab EE from Omnibus"
+
+supports "ubuntu"
+supports "centos"
+
+depends "package"
+depends "gitlab"
+depends 'consul'
+depends 'patroni'
+depends 'pgbouncer'
+depends 'spamcheck'

files/gitlab-cookbooks/gitlab-ee/recipes/config.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Add the EE specific services. Useful when `gitlab-ee::config` is called
+# directly, like via `GitlabCtl::Util.chef_run` calls.  For regular reconfigure
+# runs, this is already done in `gitlab-ee::default` recipe.
+Services.add_services('gitlab-ee', Services::EEServices.list)
+
+# Use the gitlab cookbook config
+include_recipe 'gitlab::config'

files/gitlab-cookbooks/gitlab-ee/recipes/default.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Add the EE specific services to the services list. Common services will be
+# added in the `gitlab::config` recipe.
+Services.add_services('gitlab-ee', Services::EEServices.list)
+
+include_recipe 'gitlab::default'
+
+%w[
+  sentinel
+  geo-postgresql
+  geo-logcursor
+].each do |service|
+  node_attribute_key = SettingsDSL::Utils.node_attribute_key(service)
+  if node['gitlab'][node_attribute_key]['enable']
+    include_recipe "gitlab-ee::#{service}"
+  else
+    include_recipe "gitlab-ee::#{service}_disable"
+  end
+end
+
+%w(
+  consul
+  pgbouncer
+  patroni
+  spamcheck
+).each do |service|
+  if node[service]['enable']
+    include_recipe "#{service}::enable"
+  else
+    include_recipe "#{service}::disable"
+  end
+end
+
+rails_enable = node['gitlab']['gitlab_rails']['enable']
+
+# Geo secondary
+if node['gitlab']['geo_secondary']['enable']
+  if rails_enable
+    include_recipe 'gitlab-ee::geo-secondary'
+    include_recipe 'gitlab-ee::geo_database_migrations'
+  end
+else
+  include_recipe 'gitlab-ee::geo-secondary_disable'
+end
+
+# Suggested Reviewers
+include_recipe 'gitlab-ee::suggested_reviewers' if rails_enable
+
+# Create the pgbouncer users
+include_recipe 'pgbouncer::user'

files/gitlab-cookbooks/gitlab-ee/recipes/geo-logcursor.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+account_helper = AccountHelper.new(node)
+omnibus_helper = OmnibusHelper.new(node)
+logfiles_helper = LogfilesHelper.new(node)
+logging_settings = logfiles_helper.logging_settings('geo-logcursor')
+
+working_dir = "#{node['package']['install-dir']}/embedded/service/gitlab-rails"
+env_directory = node['gitlab']['geo_logcursor']['env_directory']
+
+rails_env = {
+  'HOME' => node['gitlab']['user']['home'],
+  'RAILS_ENV' => node['gitlab']['gitlab_rails']['environment'],
+  'BUNDLE_GEMFILE' => GitlabRailsEnvHelper.bundle_gemfile(working_dir),
+}
+
+env_dir env_directory do
+  variables(
+    rails_env.merge(node['gitlab']['gitlab_rails']['env'])
+  )
+  notifies :restart, 'runit_service[geo-logcursor]'
+end
+
+# Create log_directory
+directory logging_settings[:log_directory] do
+  owner logging_settings[:log_directory_owner]
+  mode logging_settings[:log_directory_mode]
+  if log_group = logging_settings[:log_directory_group]
+    group log_group
+  end
+  recursive true
+end
+
+runit_service 'geo-logcursor' do
+  start_down node['gitlab']['geo_logcursor']['ha']
+  options({
+    user: account_helper.gitlab_user,
+    groupname: account_helper.gitlab_group,
+    working_dir: working_dir,
+    env_dir: env_directory,
+    log_directory: logging_settings[:log_directory],
+    log_user: logging_settings[:runit_owner],
+    log_group: logging_settings[:runit_group]
+  }.merge(params))
+  log_options logging_settings[:options]
+end
+
+dependent_services = node['gitlab']['gitlab_rails']['dependent_services']
+
+# This approach was taken to avoid the need to alter the runit service provider
+#
+execute 'restart geo-logcursor' do
+  command '/opt/gitlab/bin/gitlab-ctl restart geo-logcursor'
+  action :nothing
+  dependent_services.map { |svc| subscribes :run, "runit_service[#{svc}]" }
+  notifies :restart, "runit_service[puma]" if omnibus_helper.should_notify?('puma')
+end

files/gitlab-cookbooks/gitlab-ee/recipes/geo-logcursor_disable.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service 'geo-logcursor' do
+  action :disable
+end

files/gitlab-cookbooks/gitlab-ee/recipes/geo-postgresql.rb

+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+include_recipe 'postgresql::bin'
+include_recipe 'postgresql::user'
+include_recipe 'postgresql::sysctl'
+
+account_helper = AccountHelper.new(node)
+omnibus_helper = OmnibusHelper.new(node)
+logfiles_helper = LogfilesHelper.new(node)
+logging_settings = logfiles_helper.logging_settings('geo-postgresql')
+
+postgresql_username = account_helper.postgresql_user
+postgresql_data_dir = File.join(node['gitlab']['geo_postgresql']['dir'], 'data')
+
+geo_pg_helper = GeoPgHelper.new(node)
+
+database_version = geo_pg_helper.database_version || geo_pg_helper.version
+
+directory node['gitlab']['geo_postgresql']['dir'] do
+  owner postgresql_username
+  mode '0755'
+  recursive true
+end
+
+directory postgresql_data_dir do
+  owner postgresql_username
+  mode '0700'
+  recursive true
+end
+
+# Create log_directory
+directory logging_settings[:log_directory] do
+  owner logging_settings[:log_directory_owner]
+  mode logging_settings[:log_directory_mode]
+  if log_group = logging_settings[:log_directory_group]
+    group log_group
+  end
+  recursive true
+end
+
+execute "/opt/gitlab/embedded/bin/initdb -D #{postgresql_data_dir} -E UTF8" do
+  user postgresql_username
+  not_if { geo_pg_helper.bootstrapped? }
+end
+
+postgresql_config = File.join(postgresql_data_dir, 'postgresql.conf')
+postgresql_runtime_config = File.join(postgresql_data_dir, 'runtime.conf')
+bootstrapping = !geo_pg_helper.bootstrapped?
+should_notify = omnibus_helper.should_notify?('geo-postgresql') && !bootstrapping
+
+template postgresql_config do
+  source 'postgresql.conf.erb'
+  owner postgresql_username
+  mode '0644'
+  helper(:pg_helper) { geo_pg_helper }
+  variables(node['gitlab']['geo_postgresql'].to_hash)
+  cookbook 'postgresql'
+  notifies :restart, 'runit_service[geo-postgresql]', :immediately if should_notify
+end
+
+template postgresql_runtime_config do
+  source 'postgresql-runtime.conf.erb'
+  owner postgresql_username
+  mode '0644'
+  helper(:pg_helper) { geo_pg_helper }
+  variables(node['gitlab']['geo_postgresql'].to_hash)
+  cookbook 'postgresql'
+  notifies :run, 'execute[reload geo-postgresql]', :immediately if should_notify
+end
+
+pg_hba_config = File.join(postgresql_data_dir, 'pg_hba.conf')
+
+template pg_hba_config do
+  source 'pg_hba.conf.erb'
+  owner postgresql_username
+  mode '0644'
+  variables(lazy { node['gitlab']['geo_postgresql'].to_hash })
+  cookbook 'postgresql'
+  notifies :restart, 'runit_service[geo-postgresql]', :immediately if should_notify
+end
+
+template File.join(postgresql_data_dir, 'pg_ident.conf') do
+  owner postgresql_username
+  mode '0644'
+  variables(node['gitlab']['geo_postgresql'].to_hash)
+  cookbook 'postgresql'
+  notifies :restart, 'runit_service[geo-postgresql]', :immediately if should_notify
+end
+
+runit_service 'geo-postgresql' do
+  start_down node['gitlab']['geo_postgresql']['ha']
+  restart_on_update false
+  control(['t'])
+  options({
+    log_directory: logging_settings[:log_directory],
+    log_user: logging_settings[:runit_owner],
+    log_group: logging_settings[:runit_group],
+    database_version: database_version.major
+  }.merge(params))
+  log_options logging_settings[:options]
+end
+
+execute 'start geo-postgresql' do
+  command '/opt/gitlab/bin/gitlab-ctl start geo-postgresql'
+  retries 20
+  action :nothing unless bootstrapping
+end
+
+###
+# Create the database, migrate it, and create the users we need, and grant them
+# privileges.
+###
+
+# This template is needed to make the gitlab-geo-psql script and GeoPgHelper work
+template '/opt/gitlab/etc/gitlab-geo-psql-rc' do
+  owner 'root'
+  group 'root'
+end
+
+geo_pg_port = node['gitlab']['geo_postgresql']['port']
+geo_pg_user = node['gitlab']['geo_postgresql']['sql_user']
+geo_pg_user_password = node['gitlab']['geo_postgresql']['sql_user_password']
+geo_database_name = node['gitlab']['geo_secondary']['db_database']
+
+if node['gitlab']['geo_postgresql']['enable']
+  postgresql_user geo_pg_user do
+    password "md5#{geo_pg_user_password}" unless geo_pg_user_password.nil?
+    helper geo_pg_helper
+    action :create
+  end
+
+  postgresql_database geo_database_name do
+    owner geo_pg_user
+    database_port geo_pg_port
+    database_socket node['gitlab']['geo_postgresql']['unix_socket_directory']
+    helper geo_pg_helper
+    action :create
+  end
+
+  postgresql_extension 'pg_trgm' do
+    database geo_database_name
+    helper geo_pg_helper
+    action :enable
+  end
+
+  version_file 'Create version file for PostgreSQL' do
+    version_file_path File.join(node['gitlab']['geo_postgresql']['dir'], 'VERSION')
+    version_check_cmd "/opt/gitlab/embedded/bin/postgres --version"
+    notifies :restart, 'runit_service[geo-postgresql]', :immediately if node['gitlab']['geo_postgresql']['auto_restart_on_version_change'] && geo_pg_helper.is_running? && should_notify
+  end
+
+  ruby_block 'warn pending geo-postgresql restart' do
+    block do
+      message = <<~MESSAGE
+        The version of the running geo-postgresql service is different than what is installed.
+        Please restart geo-postgresql to start the new version.
+
+        sudo gitlab-ctl restart geo-postgresql
+      MESSAGE
+      LoggingHelper.warning(message)
+    end
+    only_if { geo_pg_helper.is_running? && geo_pg_helper.running_version != geo_pg_helper.version }
+    not_if { node['gitlab']['geo_postgresql']['auto_restart_on_version_change'] }
+  end
+end
+
+execute 'reload geo-postgresql' do
+  command %(/opt/gitlab/bin/gitlab-ctl hup geo-postgresql)
+  retries 20
+  action :nothing
+  only_if { geo_pg_helper.is_running? }
+end
+
+execute 'start geo-postgresql again' do
+  command %(/opt/gitlab/bin/gitlab-ctl start geo-postgresql)
+  retries 20
+  action :nothing
+  not_if { geo_pg_helper.is_running? }
+end

files/gitlab-cookbooks/gitlab-ee/recipes/geo-postgresql_disable.rb

+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service 'geo-postgresql' do
+  action :disable
+end