init

files/gitlab-cookbooks/gitlab-ee/recipes/geo-secondary.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+account_helper = AccountHelper.new(node)
+omnibus_helper = OmnibusHelper.new(node)
+
+pg_helper = PgHelper.new(node)
+
+gitlab_user = account_helper.gitlab_user
+postgresql_username = account_helper.postgresql_user
+postgresql_group = account_helper.postgresql_group
+
+gitlab_rails_source_dir = '/opt/gitlab/embedded/service/gitlab-rails'
+gitlab_rails_dir = node['gitlab']['gitlab_rails']['dir']
+gitlab_rails_etc_dir = File.join(gitlab_rails_dir, 'etc')
+
+dependent_services = %w(puma geo-logcursor sidekiq)
+
+templatesymlink 'Add the geo database settings to database.yml and create a symlink to Rails root' do
+  link_from File.join(gitlab_rails_source_dir, 'config/database.yml')
+  link_to File.join(gitlab_rails_etc_dir, 'database.yml')
+  source 'database.yml.erb'
+  cookbook 'gitlab'
+  owner 'root'
+  group account_helper.gitlab_group
+  mode '0640'
+  variables node['gitlab']['gitlab_rails'].to_hash
+  notifies :run, 'ruby_block[Restart geo-secondary dependent services]'
+end
+
+ruby_block 'Restart geo-secondary dependent services' do
+  block do
+    dependent_services.each do |svc|
+      notifies :restart, omnibus_helper.restart_service_resource(svc) if omnibus_helper.should_notify?(svc)
+    end
+  end
+  action :nothing
+end
+
+# Make structure.sql writable for when we run `rake db:migrate:geo`
+file '/opt/gitlab/embedded/service/gitlab-rails/ee/db/geo/structure.sql' do
+  owner gitlab_user
+end
+
+# This is included by postgresql.conf for replication settings in PostgreSQL 12 and higher
+if node['postgresql']['enable']
+  file pg_helper.geo_config do
+    owner postgresql_username
+    group postgresql_group
+    mode 0640
+  end
+end

files/gitlab-cookbooks/gitlab-ee/recipes/geo-secondary_disable.rb

+#
+# Copyright:: Copyright (c) 2018 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+account_helper = AccountHelper.new(node)
+omnibus_helper = OmnibusHelper.new(node)
+
+gitlab_rails_source_dir = '/opt/gitlab/embedded/service/gitlab-rails'
+gitlab_rails_dir = node['gitlab']['gitlab_rails']['dir']
+gitlab_rails_etc_dir = File.join(gitlab_rails_dir, "etc")
+
+dependent_services = %w(puma sidekiq)
+
+templatesymlink 'Removes the geo database settings from database.yml and create a symlink to Rails root' do
+  link_from File.join(gitlab_rails_source_dir, 'config/database.yml')
+  link_to File.join(gitlab_rails_etc_dir, 'database.yml')
+  source 'database.yml.erb'
+  cookbook 'gitlab'
+  owner 'root'
+  group account_helper.gitlab_group
+  mode '0640'
+  variables node['gitlab']['gitlab_rails'].to_hash
+  dependent_services.each do |svc|
+    notifies :restart, omnibus_helper.restart_service_resource(svc) if omnibus_helper.should_notify?(svc)
+  end
+  only_if { node['gitlab']['gitlab_rails']['enable'] }
+end

files/gitlab-cookbooks/gitlab-ee/recipes/geo_database_migrations.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+omnibus_helper = OmnibusHelper.new(node)
+migration_helper = GitlabGeoHelper.new(node)
+
+dependent_services = []
+dependent_services << "runit_service[puma]" if omnibus_helper.should_notify?("puma")
+dependent_services << "sidekiq_service[sidekiq]" if omnibus_helper.should_notify?("sidekiq")
+
+rails_migration "gitlab-geo tracking" do
+  rake_task 'db:migrate:geo'
+  logfile_prefix 'gitlab-geo-db-migrate'
+  helper migration_helper
+
+  dependent_services dependent_services
+  notifies :run, 'execute[start geo-postgresql]', :before if omnibus_helper.service_enabled?('geo-postgresql') && omnibus_helper.not_listening?('geo-postgresql')
+
+  only_if { migration_helper.attributes_node['auto_migrate'] }
+end

files/gitlab-cookbooks/gitlab-ee/recipes/sentinel.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+sentinel_helper = SentinelHelper.new(node)
+logfiles_helper = LogfilesHelper.new(node)
+logging_settings = logfiles_helper.logging_settings('sentinel')
+
+sentinel_cfg = node['gitlab']['sentinel'].to_hash.merge(
+  {
+    'myid' => sentinel_helper.myid,
+    'use_hostnames' => sentinel_helper.use_hostnames,
+    'log_directory' => logging_settings[:log_directory],
+    'log_directory_mode' => logging_settings[:log_directory_mode],
+    'log_directory_owner' => logging_settings[:log_directory_owner],
+    'log_directory_group' => logging_settings[:log_directory_group],
+    'log_user' => logging_settings[:runit_owner],
+    'log_group' => logging_settings[:runit_group],
+  }
+)
+
+sentinel_service 'redis' do
+  config_path File.join(node['gitlab']['sentinel']['dir'], 'sentinel.conf')
+  redis_configuration node['redis'].to_hash.merge(
+    master_password: node['redis']['extracted_master_password'] || node['redis']['master_password']
+  )
+  sentinel_configuration sentinel_cfg
+  logging_configuration node['gitlab']['logging']
+end

files/gitlab-cookbooks/gitlab-ee/recipes/sentinel_disable.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+sentinel_service 'redis' do
+  config_path File.join(node['gitlab']['sentinel']['dir'], 'sentinel.conf')
+  redis_configuration node['redis']
+  sentinel_configuration node['gitlab']['sentinel']
+  logging_configuration node['gitlab']['logging']
+  action :disable
+end

files/gitlab-cookbooks/gitlab-ee/recipes/suggested_reviewers.rb

+#
+# Copyright:: Copyright (c) 2022 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+omnibus_helper = OmnibusHelper.new(node)
+
+gitlab_rails_source_dir = "/opt/gitlab/embedded/service/gitlab-rails"
+gitlab_rails_dir = node['gitlab']['gitlab_rails']['dir']
+gitlab_rails_etc_dir = File.join(gitlab_rails_dir, "etc")
+
+dependent_services = []
+node['gitlab']['gitlab_rails']['dependent_services'].each do |name|
+  dependent_services << "runit_service[#{name}]" if omnibus_helper.should_notify?(name)
+end
+dependent_services << "sidekiq_service[sidekiq]" if omnibus_helper.should_notify?('sidekiq')
+
+templatesymlink 'Create a gitlab_suggested_reviewers_secret and create a symlink to Rails root' do
+  link_from File.join(gitlab_rails_source_dir, '.gitlab_suggested_reviewers_secret')
+  link_to File.join(gitlab_rails_etc_dir, 'gitlab_suggested_reviewers_secret')
+  source 'secret_token.erb'
+  cookbook 'gitlab'
+  owner 'root'
+  group 'root'
+  mode '0644'
+  sensitive true
+  variables(secret_token: node['gitlab']['suggested_reviewers']['api_secret_key'])
+  dependent_services.each { |svc| notifies :restart, svc }
+  only_if { node['gitlab']['suggested_reviewers']['api_secret_key'] }
+end

files/gitlab-cookbooks/gitlab-ee/resources/sentinel_service.rb

+resource_name :sentinel_service
+provides :sentinel_service
+
+unified_mode true
+
+property :config_path, String
+property :redis_configuration, Hash
+property :sentinel_configuration, Hash
+property :logging_configuration, Hash
+property :sentinel_service_name, String, default: 'sentinel'
+
+action :enable do
+  sentinel_log_dir = new_resource.sentinel_configuration['log_directory']
+  sentinel_log_user = new_resource.sentinel_configuration['log_user']
+  sentinel_log_group = new_resource.sentinel_configuration['log_group']
+  sentinel_log_dir_mode = new_resource.sentinel_configuration['log_directory_mode']
+  sentinel_log_dir_group = new_resource.sentinel_configuration['log_directory_group']
+  sentinel_log_dir_owner = new_resource.sentinel_configuration['log_directory_owner']
+
+  redis_user = AccountHelper.new(node).redis_user
+  redis_group = AccountHelper.new(node).redis_group
+
+  omnibus_helper = OmnibusHelper.new(node)
+  sentinel_helper = SentinelHelper.new(node)
+
+  account 'user and group for sentinel' do
+    username redis_user
+    uid node['redis']['uid']
+    ugid redis_group
+    groupname redis_group
+    gid node['redis']['gid']
+    shell node['redis']['shell']
+    home node['redis']['home']
+    manage node['gitlab']['manage_accounts']['enable']
+  end
+
+  directory new_resource.sentinel_configuration['dir'] do
+    owner new_resource.redis_configuration['username']
+    group new_resource.redis_configuration['group']
+    mode '0750'
+  end
+
+  # Create log_directory
+  directory sentinel_log_dir do
+    owner sentinel_log_dir_owner
+    mode sentinel_log_dir_mode
+    group sentinel_log_dir_group if sentinel_log_dir_group
+    recursive true
+  end
+
+  runit_service new_resource.sentinel_service_name do
+    start_down new_resource.redis_configuration['ha']
+    template_name new_resource.sentinel_service_name
+    options(
+      {
+        user: new_resource.redis_configuration['username'],
+        groupname: new_resource.redis_configuration['group'],
+        config_path: new_resource.config_path,
+        log_directory: sentinel_log_dir,
+        log_user: sentinel_log_user,
+        log_group: sentinel_log_group
+      }.merge(new_resource)
+    )
+    log_options new_resource.redis_configuration.to_hash.merge(new_resource.logging_configuration.to_hash)
+  end
+
+  template new_resource.config_path do
+    source 'sentinel.conf.erb'
+    owner new_resource.redis_configuration['username']
+    mode '0644'
+    variables(
+      {
+        redis: new_resource.redis_configuration.to_hash,
+        sentinel: new_resource.sentinel_configuration.to_hash
+      }
+    )
+    notifies :restart, 'runit_service[sentinel]', :immediately if omnibus_helper.should_notify?('redis')
+    only_if { new_resource.config_path }
+    sensitive true
+  end
+
+  ruby_block 'warn pending sentinel restart' do
+    block do
+      message = <<~MESSAGE
+        The version of the running sentinel service is different than what is installed.
+        Please restart sentinel to start the new version.
+
+        sudo gitlab-ctl restart sentinel
+      MESSAGE
+      LoggingHelper.warning(message)
+    end
+    only_if { sentinel_helper.running_version != sentinel_helper.installed_version }
+  end
+end
+
+action :disable do
+  runit_service new_resource.sentinel_service_name do
+    action :disable
+  end
+
+  file new_resource.config_path do
+    action :delete
+  end
+
+  directory new_resource.sentinel_configuration['dir'] do
+    action :delete
+  end
+end

files/gitlab-cookbooks/gitlab-ee/templates/default/gitlab-geo-psql-rc.erb

+psql_user='<%= node['postgresql']['username'] %>'
+psql_group='<%= node['postgresql']['group'] %>'
+psql_host='<%= node['gitlab']['geo_postgresql']['unix_socket_directory'] %>'
+psql_port='<%= node['gitlab']['geo_postgresql']['port'] %>'
+psql_dbname='<%= node['gitlab']['geo_secondary']['db_database'] %>'

files/gitlab-cookbooks/gitlab-ee/templates/default/mount_point_check.erb

+<% [node['gitlab']['high_availability']['mountpoint']].flatten.compact.each do |mountpoint| %>
+if ! mountpoint -q '<%= mountpoint %>' ; then
+  echo 'Refusing to start because <%= mountpoint %> is not a mountpoint.'
+  exit 1
+fi
+<% end %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sentinel.conf.erb

+# This file is managed by gitlab-ctl. Manual changes will be
+# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
+# and run `sudo gitlab-ctl reconfigure`.
+
+# *** IMPORTANT ***
+#
+# By default Sentinel will not be reachable from interfaces different than
+# localhost, either use the 'bind' directive to bind to a list of network
+# interfaces, or disable protected mode with "protected-mode no" by
+# adding it to this configuration file.
+#
+# Before doing that MAKE SURE the instance is protected from the outside
+# world via firewalling or other means.
+#
+# For example you may use one of the following:
+#
+# bind 127.0.0.1 192.168.1.1
+#
+# protected-mode no
+bind <%= @sentinel['bind'] %>
+
+# port <sentinel-port>
+# The port that this sentinel instance will run on
+port <%= @sentinel['port'] %>
+
+<%= "sentinel announce-ip #{@sentinel['announce_ip']}" if @sentinel['announce_ip'] %>
+<%= "sentinel announce-port #{@sentinel['announce_port']}" if @sentinel['announce_port'] %>
+#
+# The above two configuration directives are useful in environments where,
+# because of NAT, Sentinel is reachable from outside via a non-local address.
+#
+# When announce-ip is provided, the Sentinel will claim the specified IP address
+# in HELLO messages used to gossip its presence, instead of auto-detecting the
+# local address as it usually does.
+#
+# Similarly when announce-port is provided and is valid and non-zero, Sentinel
+# will announce the specified TCP port.
+#
+# The two options don't need to be used together, if only announce-ip is
+# provided, the Sentinel will announce the specified IP and the server port
+# as specified by the "port" option. If only announce-port is provided, the
+# Sentinel will announce the auto-detected local IP and the specified port.
+#
+# Example:
+#
+# sentinel announce-ip 1.2.3.4
+
+# dir <working-directory>
+# Every long running process should have a well-defined working directory.
+# For Redis Sentinel to chdir to /tmp at startup is the simplest thing
+# for the process to don't interfere with administrative tasks such as
+# unmounting filesystems.
+dir <%= %Q("#{@sentinel['dir']}") %>
+
+# sentinel myid <id>
+#
+# Unique 40 hex-characters long identification of the instance in the cluster
+# This value is spread across all sentinels and each instance keep a list of
+# "known" instances to calculate majority in a failover consensus voting.
+<%= "sentinel myid #{@sentinel['myid']}" if @sentinel['myid'] %>
+
+# sentinel monitor <master-name> <ip> <redis-port> <quorum>
+#
+# Tells Sentinel to monitor this master, and to consider it in O_DOWN
+# (Objectively Down) state only if at least <quorum> sentinels agree.
+#
+# Note that whatever is the ODOWN quorum, a Sentinel will require to
+# be elected by the majority of the known Sentinels in order to
+# start a failover, so no failover can be performed in minority.
+#
+# Replicas are auto-discovered, so you don't need to specify replicas in
+# any way. Sentinel itself will rewrite this configuration file adding
+# the replicas using additional configuration options.
+# Also note that the configuration file is rewritten when a
+# replica is promoted to master.
+#
+# Note: master name should not include special characters or spaces.
+# The valid charset is A-z 0-9 and the three characters ".-_".
+sentinel monitor <%= @redis['master_name'] %> <%= @redis['master_ip'] %> <%= @redis['master_port'] %> <%= @sentinel['quorum'] %>
+
+# sentinel down-after-milliseconds <master-name> <milliseconds>
+#
+# Number of milliseconds the master (or any attached replica or sentinel) should
+# be unreachable (as in, not acceptable reply to PING, continuously, for the
+# specified period) in order to consider it in S_DOWN state (Subjectively
+# Down).
+#
+# Default is 30 seconds.
+sentinel down-after-milliseconds <%= @redis['master_name'] %> <%= @sentinel['down_after_milliseconds'] %>
+
+# requirepass <password>
+#
+# You can configure Sentinel itself to require a password, however when doing
+# so Sentinel will try to authenticate with the same password to all the
+# other Sentinels. So you need to configure all your Sentinels in a given
+# group with the same "requirepass" password. Check the following documentation
+# for more info: https://redis.io/topics/sentinel
+#
+# IMPORTANT NOTE: starting with Redis 6.2 "requirepass" is a compatibility
+# layer on top of the ACL system. The option effect will be just setting
+# the password for the default user. Clients will still authenticate using
+# AUTH <password> as usually, or more explicitly with AUTH default <password>
+# if they follow the new protocol: both will work.
+<%= %Q(requirepass "#{@sentinel['password']}") if @sentinel['password'] %>
+
+# sentinel parallel-syncs <master-name> <numreplicas>
+#
+# How many replicas we can reconfigure to point to the new replica simultaneously
+# during the failover. Use a low number if you use the replicas to serve query
+# to avoid that all the replicas will be unreachable at about the same
+# time while performing the synchronization with the master.
+# sentinel parallel-syncs localhost 1
+
+# sentinel failover-timeout <master-name> <milliseconds>
+#
+# Specifies the failover timeout in milliseconds. It is used in many ways:
+#
+# - The time needed to re-start a failover after a previous failover was
+#   already tried against the same master by a given Sentinel, is two
+#   times the failover timeout.
+#
+# - The time needed for a replica replicating to a wrong master according
+#   to a Sentinel current configuration, to be forced to replicate
+#   with the right master, is exactly the failover timeout (counting since
+#   the moment a Sentinel detected the misconfiguration).
+#
+# - The time needed to cancel a failover that is already in progress but
+#   did not produced any configuration change (REPLICAOF NO ONE yet not
+#   acknowledged by the promoted replica).
+#
+# - The maximum time a failover in progress waits for all the replicas to be
+#   reconfigured as replicas of the new master. However even after this time
+#   the replicas will be reconfigured by the Sentinels anyway, but not with
+#   the exact parallel-syncs progression as specified.
+#
+# Default is 3 minutes.
+sentinel failover-timeout <%= @redis['master_name'] %> <%= @sentinel['failover_timeout'] %>
+
+# sentinel auth-pass <master-name> <password>
+#
+# Set the password to use to authenticate with the master and replicas.
+# Useful if there is a password set in the Redis instances to monitor.
+#
+# Note that the master password is also used for replicas, so it is not
+# possible to set a different password in masters and replicas instances
+# if you want to be able to monitor these instances with Sentinel.
+#
+# However you can have Redis instances without the authentication enabled
+# mixed with Redis instances requiring the authentication (as long as the
+# password set is the same for all the instances requiring the password) as
+# the AUTH command will have no effect in Redis instances with authentication
+# switched off.
+#
+# Example:
+#
+sentinel auth-pass <%= @redis['master_name'] %> <%= @redis['master_password'] %>
+
+# SCRIPTS EXECUTION
+#
+# sentinel notification-script and sentinel reconfig-script are used in order
+# to configure scripts that are called to notify the system administrator
+# or to reconfigure clients after a failover. The scripts are executed
+# with the following rules for error handling:
+#
+# If script exits with "1" the execution is retried later (up to a maximum
+# number of times currently set to 10).
+#
+# If script exits with "2" (or an higher value) the script execution is
+# not retried.
+#
+# If script terminates because it receives a signal the behavior is the same
+# as exit code 1.
+#
+# A script has a maximum running time of 60 seconds. After this limit is
+# reached the script is terminated with a SIGKILL and the execution retried.
+
+# NOTIFICATION SCRIPT
+#
+# sentinel notification-script <master-name> <script-path>
+#
+# Call the specified notification script for any sentinel event that is
+# generated in the WARNING level (for instance -sdown, -odown, and so forth).
+# This script should notify the system administrator via email, SMS, or any
+# other messaging system, that there is something wrong with the monitored
+# Redis systems.
+#
+# The script is called with just two arguments: the first is the event type
+# and the second the event description.
+#
+# The script must exist and be executable in order for sentinel to start if
+# this option is provided.
+#
+# Example:
+#
+# sentinel notification-script mymaster /var/redis/notify.sh
+
+# CLIENTS RECONFIGURATION SCRIPT
+#
+# sentinel client-reconfig-script <master-name> <script-path>
+#
+# When the master changed because of a failover a script can be called in
+# order to perform application-specific tasks to notify the clients that the
+# configuration has changed and the master is at a different address.
+#
+# The following arguments are passed to the script:
+#
+# <master-name> <role> <state> <from-ip> <from-port> <to-ip> <to-port>
+#
+# <state> is currently always "failover"
+# <role> is either "leader" or "observer"
+#
+# The arguments from-ip, from-port, to-ip, to-port are used to communicate
+# the old address of the master and the new address of the elected replica
+# (now a master).
+#
+# This script should be resistant to multiple invocations.
+#
+# Example:
+#
+# sentinel client-reconfig-script mymaster /var/redis/reconfig.sh
+
+################################# TLS/SSL #####################################
+
+# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
+# directive can be used to define TLS-listening ports. To enable TLS on the
+# default port, use:
+#
+# port 0
+# tls-port 6379
+# We enable TLS related settings only if tls_port is defined
+<% unless @sentinel['tls_port'].nil? %>
+tls-port <%= @sentinel['tls_port'] %>
+
+# Configure a X.509 certificate and private key to use for authenticating the
+# server to connected clients, masters or cluster peers.  These files should be
+# PEM formatted.
+#
+# tls-cert-file redis.crt
+<% unless @sentinel['tls_cert_file'].nil? %>
+tls-cert-file <%= @sentinel['tls_cert_file'] %>
+<% end %>
+# tls-key-file redis.key
+<% unless @sentinel['tls_key_file'].nil? %>
+tls-key-file <%= @sentinel['tls_key_file'] %>
+<% end %>
+
+# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange:
+#
+# tls-dh-params-file redis.dh
+<% unless @sentinel['tls_dh_params_file'].nil? %>
+tls-dh-params-file <%= @sentinel['tls_dh_params_file'] %>
+<% end %>
+
+# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL
+# clients and peers.  Redis requires an explicit configuration of at least one
+# of these, and will not implicitly use the system wide configuration.
+#
+# tls-ca-cert-file ca.crt
+<% unless @sentinel['tls_ca_cert_file'].nil? %>
+tls-ca-cert-file <%= @sentinel['tls_ca_cert_file'] %>
+<% end %>
+# tls-ca-cert-dir /etc/ssl/certs
+<% unless @sentinel['tls_ca_cert_dir'].nil? %>
+tls-ca-cert-dir <%= @sentinel['tls_ca_cert_dir'] %>
+<% end %>
+
+# By default, clients (including replica servers) on a TLS port are required
+# to authenticate using valid client side certificates.
+#
+# If "no" is specified, client certificates are not required and not accepted.
+# If "optional" is specified, client certificates are accepted and must be
+# valid if provided, but are not required.
+#
+# tls-auth-clients no
+# tls-auth-clients optional
+<% unless @sentinel['tls_auth_clients'].nil? %>
+tls-auth-clients <%= @sentinel['tls_auth_clients'] %>
+<% end %>
+
+# By default, a Redis replica does not attempt to establish a TLS connection
+# with its master.
+#
+# Use the following directive to enable TLS on replication links.
+#
+# tls-replication yes
+<% unless @sentinel['tls_replication'].nil? %>
+tls-replication <%= @sentinel['tls_replication'] %>
+<% end %>
+
+# By default, the Redis Cluster bus uses a plain TCP connection. To enable
+# TLS for the bus protocol, use the following directive:
+#
+# tls-cluster yes
+<% unless @sentinel['tls_cluster'].nil? %>
+tls-cluster <%= @sentinel['tls_cluster'] %>
+<% end %>
+
+# Explicitly specify TLS versions to support. Allowed values are case insensitive
+# and include "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" (OpenSSL >= 1.1.1) or
+# any combination. To enable only TLSv1.2 and TLSv1.3, use:
+#
+# tls-protocols "TLSv1.2 TLSv1.3"
+<% unless @sentinel['tls_protocols'].nil? %>
+tls-protocols "<%= @sentinel['tls_protocols'] %>"
+<% end %>
+
+# Configure allowed ciphers.  See the ciphers(1ssl) manpage for more information
+# about the syntax of this string.
+#
+# Note: this configuration applies only to <= TLSv1.2.
+#
+# tls-ciphers DEFAULT:!MEDIUM
+<% unless @sentinel['tls_ciphers'].nil? %>
+tls-ciphers <%= @sentinel['tls_ciphers'] %>
+<% end %>
+
+# Configure allowed TLSv1.3 ciphersuites.  See the ciphers(1ssl) manpage for more
+# information about the syntax of this string, and specifically for TLSv1.3
+# ciphersuites.
+#
+# tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
+<% unless @sentinel['tls_ciphersuites'].nil? %>
+tls-ciphersuites <%= @sentinel['tls_ciphersuites'] %>
+<% end %>
+
+# When choosing a cipher, use the server's preference instead of the client
+# preference. By default, the server follows the client's preference.
+#
+# tls-prefer-server-ciphers yes
+<% unless @sentinel['tls_prefer_server_ciphers'].nil? %>
+tls-prefer-server-ciphers <%= @sentinel['tls_prefer_server_ciphers'] %>
+<% end %>
+
+# By default, TLS session caching is enabled to allow faster and less expensive
+# reconnections by clients that support it. Use the following directive to disable
+# caching.
+#
+# tls-session-caching no
+<% unless @sentinel['tls_session_caching'].nil? %>
+tls-session-caching <%= @sentinel['tls_session_caching'] %>
+<% end %>
+
+# Change the default number of TLS sessions cached. A zero value sets the cache
+# to unlimited size. The default size is 20480.
+#
+# tls-session-cache-size 5000
+<% unless @sentinel['tls_session_cache_size'].nil? %>
+tls-session-cache-size <%= @sentinel['tls_session_cache_size'] %>
+<% end %>
+
+# Change the default timeout of cached TLS sessions. The default timeout is 300
+# seconds.
+#
+# tls-session-cache-timeout 60
+<% unless @sentinel['tls_session_cache_timeout'].nil? %>
+tls-session-cache-timeout <%= @sentinel['tls_session_cache_timeout'] %>
+<% end %>
+<% end %>
+
+# HOSTNAMES SUPPORT
+#
+# Normally Sentinel uses only IP addresses and requires SENTINEL MONITOR
+# to specify an IP address. Also, it requires the Redis replica-announce-ip
+# keyword to specify only IP addresses.
+#
+# You may enable hostnames support by enabling resolve-hostnames. Note
+# that you must make sure your DNS is configured properly and that DNS
+# resolution does not introduce very long delays.
+#
+SENTINEL resolve-hostnames <%= @sentinel['use_hostnames'] %>
+
+# When resolve-hostnames is enabled, Sentinel still uses IP addresses
+# when exposing instances to users, configuration files, etc. If you want
+# to retain the hostnames when announced, enable announce-hostnames below.
+#
+SENTINEL announce-hostnames <%= @sentinel['use_hostnames'] %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-geo-logcursor-log-config.erb

+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-geo-logcursor-log-run.erb

+#!/bin/sh
+exec chpst -P \
+  -U root:<%= @options[:log_group] || 'root' %> \
+  -u root:<%= @options[:log_group] || 'root' %> \
+  svlogd -tt <%= @options[:log_directory] %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-geo-logcursor-run.erb

+#!/bin/sh
+set -e # fail on errors
+
+# Redirect stderr -> stdout
+exec 2>&1
+
+cd <%= @options[:working_dir] %>
+
+exec chpst -P \
+-U <%= @options[:user] %>:<%= @options[:groupname] %> \
+-u <%= @options[:user] %>:<%= @options[:groupname] %> \
+-e <%= @options[:env_dir] %> \
+<%= File.join(@options[:working_dir], 'ee', 'bin', 'geo_log_cursor') %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-geo-postgresql-log-config.erb

+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-geo-postgresql-log-run.erb

+#!/bin/sh
+exec chpst -P \
+  -U root:<%= @options[:log_group] || 'root' %> \
+  -u root:<%= @options[:log_group] || 'root' %> \
+  svlogd -tt <%= @options[:log_directory] %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-geo-postgresql-run.erb

+#!/bin/sh
+exec 2>&1
+<%= render('mount_point_check.erb') %>
+exec chpst -P -U <%= node['postgresql']['username'] %>:<%= node['postgresql']['group'] %> \
+   -u <%= node['postgresql']['username'] %>:<%= node['postgresql']['group'] %> \
+   /opt/gitlab/embedded/postgresql/<%= @options[:database_version] %>/bin/postgres \
+   -D <%= File.join(node['gitlab']['geo_postgresql']['dir'], 'data') %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-geo-postgresql-t.erb

+#!/bin/sh
+echo "received TERM from runit, sending INT instead to force quit connections"
+/opt/gitlab/embedded/bin/sv interrupt geo-postgresql

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-sentinel-log-config.erb

+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-sentinel-log-run.erb

+#!/bin/sh
+exec chpst -P \
+  -U root:<%= @options[:log_group] || 'root' %> \
+  -u root:<%= @options[:log_group] || 'root' %> \
+  svlogd -tt <%= @options[:log_directory] %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-sentinel-run.erb

+#!/bin/sh
+exec 2>&1
+<%= render('mount_point_check.erb', cookbook: 'gitlab') %>
+umask 077
+
+<% user = @options[:user] %>
+<% group = @options[:groupname] %>
+exec chpst -P \
+  -U <%= user %>:<%= group %> \
+  -u <%= user %>:<%= group %> \
+  /opt/gitlab/embedded/bin/redis-sentinel \
+  <%= @options[:config_path] %><% if node['redis']['announce_ip_from_hostname'] %> \
+  '--sentinel announce-ip' "$(hostname -f)"<% end %>