Commit edb06ab2 authored by 徐豪
init

# gitlab Cookbook (CE)
Configures the different components needed for an Omnibus installation of GitLab
## Resources
### database_objects
Utility resource to configure user, database and resources for running GitLab
#### properties
* `pg_helper`: The helper object for interacting with the running database. Required
* `account_helper`: The helper object for handling OS accounts. Required
### puma_config
Generate puma.rb configuration file
#### properties
* `filename` (name property): Full path to the configuration file to be generated
* `tag`: Additional text to display in the process listing. Default: `gitlab-puma-worker`
* `rackup`: Name of the rackup configuration file. Default: `config.ru`
* `environment`: App server environment to run the app. Default: `production`
* `install_dir`: Base omnibus installation directory. Default: `node['package']['install-dir']`
* `listen_socket`: Full path of the socket to listen on. Optional
* `listen_tcp`: TCP address and port to listen on. Optional
* `working_directory`: Directory to run puma from. Optional
* `worker_timeout`: Puma worker timeout. Default: `60`
* `per_worker_max_memory_mb`: Puma max memory per worker (in MB). Optional
* `worker_processes`: Number of Puma worker processes (Integer). Default: `2`
* `min_threads`: Puma min number of threads. Default: `4`
* `max_threads`: Puma max number of threads. Default: `4`
* `pid`: Puma full path to create PID file. Optional
* `state_path`: Puma full path to where state files will be stored. Optional
* `stderr_path`: Puma stderr path. Optional
* `stdout_path`: Puma stdout path. Optional
* `owner`: User owning configuration files. Default: `root`
* `group`: Group owning configuration files. Default: `root`
* `mode`: Filesystem permission flags. Default: `0644`
* `dependent_services`: List of dependent services that will need to be restarted. Optional
* `cookbook`: Cookbook from where the template will be fetched
### sidekiq_service
Configure runit service for running sidekiq
#### properties
* `rails_app`: Rails app setting passed to runit options. Default: `gitlab-rails`
* `user`: System user who will own the runit service. Default: `node['gitlab']['user']['username']`
* `group`: System group who will own the runit service. Default: `node['gitlab']['user']['group']`
* `log_directory`: Path to where runit will store logs for this service. Optional
* `template_name`: Runit template name. Default: `sidekiq`
### rails_migration
#### properties
* `name` (name property): A descriptive and unique name that will be used as part of the bash resource name
* `logfile_prefix`: A unique file prefix that will be used to create migration log files. Required
* `rake_task`: A rails task that will be executed to migrate/setup the application. Required
* `helper`: A RailsMigrationHelper instance, or a subclass of it with its required customized attributes. Required
* `environment`: A hash of environment variables that need to be set when running the rake task. Optional
* `dependent_services`: An array of chef resource references that will be notified for restart when successful. Optional
#### example
Run database migrations for example-product
```ruby
rails_migration 'rails-app' do
  rake_task 'db:migrate'
  logfile_prefix 'rails-app-db-migrate'
  helper RailsAppMigrationHelper.new(node)
  dependent_services ['runit_service[puma]']
end
```
#
# Copyright:: Copyright (c) 2012 Opscode, Inc.
# Copyright:: Copyright (c) 2014 GitLab.com
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
####
# omnibus options
####
default['gitlab']['bootstrap']['enable'] = true
# Create users and groups needed for the package
default['gitlab']['manage_accounts']['enable'] = true
# Create directories with correct permissions and ownership required by the pkg
default['gitlab']['manage_storage_directories']['enable'] = true
default['gitlab']['manage_storage_directories']['manage_etc'] = true
# A tmpfs mount point directory for runtime files, actual default is located in libraries/gitlab_rails.rb.
default['gitlab']['runtime_dir'] = nil
####
# The Git User that services run as
####
# The username for the chef services user
default['gitlab']['user']['username'] = "git"
default['gitlab']['user']['group'] = "git"
default['gitlab']['user']['uid'] = nil
default['gitlab']['user']['gid'] = nil
# The shell for the chef services user
default['gitlab']['user']['shell'] = "/bin/sh"
# The home directory for the chef services user
default['gitlab']['user']['home'] = "/var/opt/gitlab"
default['gitlab']['user']['git_user_name'] = "GitLab"
default['gitlab']['user']['git_user_email'] = "gitlab@#{node['fqdn']}"
####
# GitLab Rails app
####
default['gitlab']['gitlab_rails']['enable'] = true
default['gitlab']['gitlab_rails']['dir'] = "/var/opt/gitlab/gitlab-rails"
default['gitlab']['gitlab_rails']['log_directory'] = "/var/log/gitlab/gitlab-rails"
default['gitlab']['gitlab_rails']['environment'] = 'production'
default['gitlab']['gitlab_rails']['env'] = {
'SIDEKIQ_MEMORY_KILLER_MAX_RSS' => '2000000',
# PATH to set on the environment
# defaults to /opt/gitlab/embedded/bin:/bin:/usr/bin. The install-dir path is set at build time
'PATH' => "#{node['package']['install-dir']}/bin:#{node['package']['install-dir']}/embedded/bin:/bin:/usr/bin",
# Charlock Holmes and libicu will report U_FILE_ACCESS_ERROR if this is not set to the right path
# See https://gitlab.com/gitlab-org/gitlab-foss/issues/17415#note_13868167
'ICU_DATA' => "#{node['package']['install-dir']}/embedded/share/icu/current",
'PYTHONPATH' => "#{node['package']['install-dir']}/embedded/lib/python3.9/site-packages",
# Prevent ExecJS from complaining that Node is not installed in production
'EXECJS_RUNTIME' => 'Disabled',
# Prevent excessive system calls: #3530,
# Details: https://blog.packagecloud.io/eng/2017/02/21/set-environment-variable-save-thousands-of-system-calls/
'TZ' => ':/etc/localtime',
'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/",
'SSL_CERT_FILE' => "#{node['package']['install-dir']}/embedded/ssl/cert.pem"
}
default['gitlab']['gitlab_rails']['internal_api_url'] = nil
default['gitlab']['gitlab_rails']['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads"
default['gitlab']['gitlab_rails']['auto_migrate'] = true
default['gitlab']['gitlab_rails']['rake_cache_clear'] = true
default['gitlab']['gitlab_rails']['gitlab_host'] = node['fqdn']
default['gitlab']['gitlab_rails']['gitlab_port'] = 80
default['gitlab']['gitlab_rails']['gitlab_https'] = false
default['gitlab']['gitlab_rails']['gitlab_ssh_user'] = nil
default['gitlab']['gitlab_rails']['gitlab_ssh_host'] = nil
default['gitlab']['gitlab_rails']['time_zone'] = nil
default['gitlab']['gitlab_rails']['cdn_host'] = nil
default['gitlab']['gitlab_rails']['gitlab_email_from'] = nil
default['gitlab']['gitlab_rails']['gitlab_email_display_name'] = nil
default['gitlab']['gitlab_rails']['gitlab_email_subject_suffix'] = nil
default['gitlab']['gitlab_rails']['gitlab_email_smime_enabled'] = false
default['gitlab']['gitlab_rails']['gitlab_email_smime_key_file'] = '/etc/gitlab/ssl/gitlab_smime.key'
default['gitlab']['gitlab_rails']['gitlab_email_smime_cert_file'] = '/etc/gitlab/ssl/gitlab_smime.crt'
default['gitlab']['gitlab_rails']['gitlab_email_smime_ca_certs_file'] = nil
default['gitlab']['gitlab_rails']['gitlab_username_changing_enabled'] = nil
default['gitlab']['gitlab_rails']['gitlab_default_theme'] = nil
default['gitlab']['gitlab_rails']['custom_html_header_tags'] = nil
default['gitlab']['gitlab_rails']['gitlab_default_projects_features_issues'] = nil
default['gitlab']['gitlab_rails']['gitlab_default_projects_features_merge_requests'] = nil
default['gitlab']['gitlab_rails']['gitlab_default_projects_features_wiki'] = nil
default['gitlab']['gitlab_rails']['gitlab_default_projects_features_wall'] = nil
default['gitlab']['gitlab_rails']['gitlab_default_projects_features_snippets'] = nil
default['gitlab']['gitlab_rails']['gitlab_default_projects_features_builds'] = nil
default['gitlab']['gitlab_rails']['gitlab_default_projects_features_container_registry'] = nil
default['gitlab']['gitlab_rails']['gitlab_issue_closing_pattern'] = nil
default['gitlab']['gitlab_rails']['gitlab_repository_downloads_path'] = nil
default['gitlab']['gitlab_rails']['gravatar_plain_url'] = nil
default['gitlab']['gitlab_rails']['gravatar_ssl_url'] = nil
default['gitlab']['gitlab_rails']['stuck_ci_jobs_worker_cron'] = nil
default['gitlab']['gitlab_rails']['expire_build_artifacts_worker_cron'] = nil
default['gitlab']['gitlab_rails']['environments_auto_stop_cron_worker_cron'] = nil
default['gitlab']['gitlab_rails']['pipeline_schedule_worker_cron'] = nil
default['gitlab']['gitlab_rails']['repository_check_worker_cron'] = nil
default['gitlab']['gitlab_rails']['admin_email_worker_cron'] = nil
default['gitlab']['gitlab_rails']['personal_access_tokens_expiring_worker_cron'] = nil
default['gitlab']['gitlab_rails']['personal_access_tokens_expired_notification_worker_cron'] = nil
default['gitlab']['gitlab_rails']['repository_archive_cache_worker_cron'] = nil
default['gitlab']['gitlab_rails']['ci_archive_traces_cron_worker'] = nil
default['gitlab']['gitlab_rails']['pages_domain_verification_cron_worker'] = nil
default['gitlab']['gitlab_rails']['pages_domain_ssl_renewal_cron_worker'] = nil
default['gitlab']['gitlab_rails']['pages_domain_removal_cron_worker'] = nil
default['gitlab']['gitlab_rails']['remove_unaccepted_member_invites_cron_worker'] = nil
default['gitlab']['gitlab_rails']['schedule_migrate_external_diffs_worker_cron'] = nil
default['gitlab']['gitlab_rails']['ci_platform_metrics_update_cron_worker'] = nil
default['gitlab']['gitlab_rails']['historical_data_worker_cron'] = nil
default['gitlab']['gitlab_rails']['analytics_devops_adoption_create_all_snapshots_worker_cron'] = nil
default['gitlab']['gitlab_rails']['ldap_sync_worker_cron'] = nil
default['gitlab']['gitlab_rails']['ldap_group_sync_worker_cron'] = nil
default['gitlab']['gitlab_rails']['geo_repository_sync_worker_cron'] = nil
default['gitlab']['gitlab_rails']['geo_secondary_registry_consistency_worker'] = nil
default['gitlab']['gitlab_rails']['geo_secondary_usage_data_cron_worker'] = nil
default['gitlab']['gitlab_rails']['geo_prune_event_log_worker_cron'] = nil
default['gitlab']['gitlab_rails']['geo_repository_verification_primary_batch_worker_cron'] = nil
default['gitlab']['gitlab_rails']['geo_repository_verification_secondary_scheduler_worker_cron'] = nil
default['gitlab']['gitlab_rails']['analytics_usage_trends_count_job_trigger_worker_cron'] = nil
default['gitlab']['gitlab_rails']['member_invitation_reminder_emails_worker_cron'] = nil
default['gitlab']['gitlab_rails']['user_status_cleanup_batch_worker_cron'] = nil
default['gitlab']['gitlab_rails']['loose_foreign_keys_cleanup_worker_cron'] = nil
default['gitlab']['gitlab_rails']['elastic_index_bulk_cron'] = nil
default['gitlab']['gitlab_rails']['incoming_email_enabled'] = false
default['gitlab']['gitlab_rails']['incoming_email_address'] = nil
default['gitlab']['gitlab_rails']['incoming_email_host'] = nil
default['gitlab']['gitlab_rails']['incoming_email_port'] = nil
default['gitlab']['gitlab_rails']['incoming_email_ssl'] = nil
default['gitlab']['gitlab_rails']['incoming_email_start_tls'] = nil
default['gitlab']['gitlab_rails']['incoming_email_email'] = nil
default['gitlab']['gitlab_rails']['incoming_email_password'] = nil
default['gitlab']['gitlab_rails']['incoming_email_mailbox_name'] = "inbox"
default['gitlab']['gitlab_rails']['incoming_email_idle_timeout'] = nil
default['gitlab']['gitlab_rails']['incoming_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log" # file path of internal `mail_room` JSON logs
default['gitlab']['gitlab_rails']['incoming_email_delete_after_delivery'] = true
default['gitlab']['gitlab_rails']['incoming_email_expunge_deleted'] = nil
default['gitlab']['gitlab_rails']['incoming_email_inbox_method'] = "imap"
default['gitlab']['gitlab_rails']['incoming_email_inbox_options'] = nil
default['gitlab']['gitlab_rails']['incoming_email_delivery_method'] = "webhook"
default['gitlab']['gitlab_rails']['incoming_email_auth_token'] = nil
default['gitlab']['gitlab_rails']['click_house_ci_finished_builds_sync_worker_cron'] = nil
default['gitlab']['gitlab_rails']['click_house_ci_finished_builds_sync_worker_args'] = nil
default['gitlab']['gitlab_rails']['service_desk_email_enabled'] = false
default['gitlab']['gitlab_rails']['service_desk_email_address'] = nil
default['gitlab']['gitlab_rails']['service_desk_email_host'] = nil
default['gitlab']['gitlab_rails']['service_desk_email_port'] = nil
default['gitlab']['gitlab_rails']['service_desk_email_ssl'] = nil
default['gitlab']['gitlab_rails']['service_desk_email_start_tls'] = nil
default['gitlab']['gitlab_rails']['service_desk_email_email'] = nil
default['gitlab']['gitlab_rails']['service_desk_email_password'] = nil
default['gitlab']['gitlab_rails']['service_desk_email_mailbox_name'] = "inbox"
default['gitlab']['gitlab_rails']['service_desk_email_idle_timeout'] = nil
default['gitlab']['gitlab_rails']['service_desk_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log" # file path of internal `mail_room` JSON logs
default['gitlab']['gitlab_rails']['service_desk_email_inbox_method'] = "imap"
default['gitlab']['gitlab_rails']['service_desk_email_inbox_inbox_options'] = nil
default['gitlab']['gitlab_rails']['service_desk_email_delivery_method'] = "webhook"
default['gitlab']['gitlab_rails']['service_desk_email_auth_token'] = nil
default['gitlab']['gitlab_rails']['namespaces_in_product_marketing_emails_worker_cron'] = nil
default['gitlab']['gitlab_rails']['ssh_keys_expired_notification_worker_cron'] = nil
default['gitlab']['gitlab_rails']['ssh_keys_expiring_soon_notification_worker_cron'] = nil
default['gitlab']['gitlab_rails']['ci_runners_stale_group_runners_prune_worker_cron'] = nil
default['gitlab']['gitlab_rails']['ci_runner_versions_reconciliation_worker_cron'] = nil
default['gitlab']['gitlab_rails']['ci_runners_stale_machines_cleanup_worker_cron'] = nil
default['gitlab']['gitlab_rails']['ci_catalog_resources_process_sync_events_worker_cron'] = nil
# Consolidated object storage config
default['gitlab']['gitlab_rails']['object_store']['enabled'] = false
default['gitlab']['gitlab_rails']['object_store']['connection'] = {}
default['gitlab']['gitlab_rails']['object_store']['storage_options'] = {}
default['gitlab']['gitlab_rails']['object_store']['proxy_download'] = false
default['gitlab']['gitlab_rails']['object_store']['objects'] = {}
default['gitlab']['gitlab_rails']['object_store']['objects']['artifacts'] = {}
default['gitlab']['gitlab_rails']['object_store']['objects']['artifacts']['bucket'] = nil
default['gitlab']['gitlab_rails']['object_store']['objects']['external_diffs'] = {}
default['gitlab']['gitlab_rails']['object_store']['objects']['external_diffs']['bucket'] = false
default['gitlab']['gitlab_rails']['object_store']['objects']['lfs'] = {}
default['gitlab']['gitlab_rails']['object_store']['objects']['lfs']['bucket'] = nil
default['gitlab']['gitlab_rails']['object_store']['objects']['uploads'] = {}
default['gitlab']['gitlab_rails']['object_store']['objects']['uploads']['bucket'] = nil
default['gitlab']['gitlab_rails']['object_store']['objects']['packages'] = {}
default['gitlab']['gitlab_rails']['object_store']['objects']['packages']['bucket'] = nil
default['gitlab']['gitlab_rails']['object_store']['objects']['dependency_proxy'] = {}
default['gitlab']['gitlab_rails']['object_store']['objects']['dependency_proxy']['bucket'] = nil
default['gitlab']['gitlab_rails']['object_store']['objects']['terraform_state'] = {}
default['gitlab']['gitlab_rails']['object_store']['objects']['terraform_state']['bucket'] = nil
default['gitlab']['gitlab_rails']['object_store']['objects']['ci_secure_files'] = {}
default['gitlab']['gitlab_rails']['object_store']['objects']['ci_secure_files']['bucket'] = nil
default['gitlab']['gitlab_rails']['object_store']['objects']['pages'] = {}
default['gitlab']['gitlab_rails']['object_store']['objects']['pages']['bucket'] = nil
default['gitlab']['gitlab_rails']['artifacts_enabled'] = true
default['gitlab']['gitlab_rails']['artifacts_path'] = nil
default['gitlab']['gitlab_rails']['artifacts_object_store_enabled'] = false
default['gitlab']['gitlab_rails']['artifacts_object_store_proxy_download'] = false
default['gitlab']['gitlab_rails']['artifacts_object_store_remote_directory'] = 'artifacts'
default['gitlab']['gitlab_rails']['artifacts_object_store_connection'] = {}
default['gitlab']['gitlab_rails']['external_diffs_enabled'] = nil
default['gitlab']['gitlab_rails']['external_diffs_when'] = nil
default['gitlab']['gitlab_rails']['external_diffs_storage_path'] = nil
default['gitlab']['gitlab_rails']['external_diffs_object_store_enabled'] = false
default['gitlab']['gitlab_rails']['external_diffs_object_store_proxy_download'] = false
default['gitlab']['gitlab_rails']['external_diffs_object_store_remote_directory'] = 'external-diffs'
default['gitlab']['gitlab_rails']['external_diffs_object_store_connection'] = {}
default['gitlab']['gitlab_rails']['lfs_enabled'] = nil
default['gitlab']['gitlab_rails']['lfs_storage_path'] = nil
default['gitlab']['gitlab_rails']['lfs_object_store_enabled'] = false
default['gitlab']['gitlab_rails']['lfs_object_store_proxy_download'] = false
default['gitlab']['gitlab_rails']['lfs_object_store_remote_directory'] = 'lfs-objects'
default['gitlab']['gitlab_rails']['lfs_object_store_connection'] = {}
default['gitlab']['gitlab_rails']['uploads_storage_path'] = nil
default['gitlab']['gitlab_rails']['uploads_base_dir'] = nil
default['gitlab']['gitlab_rails']['uploads_object_store_enabled'] = false
default['gitlab']['gitlab_rails']['uploads_object_store_proxy_download'] = false
default['gitlab']['gitlab_rails']['uploads_object_store_remote_directory'] = 'uploads'
default['gitlab']['gitlab_rails']['uploads_object_store_connection'] = {}
default['gitlab']['gitlab_rails']['packages_enabled'] = nil
default['gitlab']['gitlab_rails']['packages_storage_path'] = nil
default['gitlab']['gitlab_rails']['packages_object_store_enabled'] = false
default['gitlab']['gitlab_rails']['packages_object_store_proxy_download'] = false
default['gitlab']['gitlab_rails']['packages_object_store_remote_directory'] = 'packages'
default['gitlab']['gitlab_rails']['packages_object_store_connection'] = {}
default['gitlab']['gitlab_rails']['dependency_proxy_enabled'] = nil
default['gitlab']['gitlab_rails']['dependency_proxy_storage_path'] = nil
default['gitlab']['gitlab_rails']['dependency_proxy_object_store_enabled'] = false
default['gitlab']['gitlab_rails']['dependency_proxy_object_store_proxy_download'] = false
default['gitlab']['gitlab_rails']['dependency_proxy_object_store_remote_directory'] = 'dependency_proxy'
default['gitlab']['gitlab_rails']['dependency_proxy_object_store_connection'] = {}
default['gitlab']['gitlab_rails']['terraform_state_enabled'] = nil
default['gitlab']['gitlab_rails']['terraform_state_storage_path'] = nil
default['gitlab']['gitlab_rails']['terraform_state_object_store_enabled'] = false
default['gitlab']['gitlab_rails']['terraform_state_object_store_remote_directory'] = 'terraform'
default['gitlab']['gitlab_rails']['terraform_state_object_store_connection'] = {}
default['gitlab']['gitlab_rails']['ci_secure_files_enabled'] = nil
default['gitlab']['gitlab_rails']['ci_secure_files_storage_path'] = nil
default['gitlab']['gitlab_rails']['ci_secure_files_object_store_enabled'] = false
default['gitlab']['gitlab_rails']['ci_secure_files_object_store_remote_directory'] = 'ci-secure-files'
default['gitlab']['gitlab_rails']['ci_secure_files_object_store_connection'] = {}
default['gitlab']['gitlab_rails']['ldap_enabled'] = false
default['gitlab']['gitlab_rails']['prevent_ldap_sign_in'] = false
default['gitlab']['gitlab_rails']['ldap_servers'] = []
default['gitlab']['gitlab_rails']['pages_enabled'] = false
default['gitlab']['gitlab_rails']['pages_host'] = nil
default['gitlab']['gitlab_rails']['pages_port'] = nil
default['gitlab']['gitlab_rails']['pages_https'] = false
default['gitlab']['gitlab_rails']['pages_path'] = nil
default['gitlab']['gitlab_rails']['pages_object_store_enabled'] = false
default['gitlab']['gitlab_rails']['pages_object_store_remote_directory'] = 'pages'
default['gitlab']['gitlab_rails']['pages_object_store_connection'] = {}
default['gitlab']['gitlab_rails']['pages_local_store_enabled'] = true
default['gitlab']['gitlab_rails']['pages_local_store_path'] = nil
default['gitlab']['gitlab_rails']['registry_enabled'] = false
default['gitlab']['gitlab_rails']['registry_host'] = nil
default['gitlab']['gitlab_rails']['registry_port'] = nil
default['gitlab']['gitlab_rails']['registry_api_url'] = nil
default['gitlab']['gitlab_rails']['registry_key_path'] = nil
default['gitlab']['gitlab_rails']['registry_path'] = nil
default['gitlab']['gitlab_rails']['registry_issuer'] = "omnibus-gitlab-issuer"
default['gitlab']['gitlab_rails']['registry_notification_secret'] = nil
default['gitlab']['gitlab_rails']['impersonation_enabled'] = nil
default['gitlab']['gitlab_rails']['disable_animations'] = false
default['gitlab']['gitlab_rails']['application_settings_cache_seconds'] = nil
default['gitlab']['gitlab_rails']['sentry_enabled'] = false
default['gitlab']['gitlab_rails']['sentry_dsn'] = nil
default['gitlab']['gitlab_rails']['sentry_clientside_dsn'] = nil
default['gitlab']['gitlab_rails']['sentry_environment'] = nil
default['gitlab']['gitlab_rails']['usage_ping_enabled'] = nil
# Defaults set in libraries/gitlab_rails.rb
default['gitlab']['gitlab_rails']['repositories_storages'] = {}
####
# These LDAP settings are deprecated in favor of the new syntax. They are kept here for backwards compatibility.
# Check
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/935ab9e1700bfe8db6ba084e3687658d8921716f/README.md#setting-up-ldap-sign-in
# for the new syntax.
default['gitlab']['gitlab_rails']['ldap_host'] = nil
default['gitlab']['gitlab_rails']['ldap_base'] = nil
default['gitlab']['gitlab_rails']['ldap_port'] = nil
default['gitlab']['gitlab_rails']['ldap_uid'] = nil
default['gitlab']['gitlab_rails']['ldap_method'] = nil
default['gitlab']['gitlab_rails']['ldap_bind_dn'] = nil
default['gitlab']['gitlab_rails']['ldap_password'] = nil
default['gitlab']['gitlab_rails']['ldap_allow_username_or_email_login'] = nil
default['gitlab']['gitlab_rails']['ldap_lowercase_usernames'] = nil
default['gitlab']['gitlab_rails']['ldap_user_filter'] = nil
default['gitlab']['gitlab_rails']['ldap_group_base'] = nil
default['gitlab']['gitlab_rails']['ldap_admin_group'] = nil
default['gitlab']['gitlab_rails']['ldap_sync_ssh_keys'] = nil
default['gitlab']['gitlab_rails']['ldap_sync_time'] = nil
default['gitlab']['gitlab_rails']['ldap_active_directory'] = nil
default['gitlab']['gitlab_rails']['ldap_smartcard_ad_cert_field'] = nil
default['gitlab']['gitlab_rails']['ldap_smartcard_ad_cert_format'] = nil
####
default['gitlab']['gitlab_rails']['smartcard_enabled'] = false
default['gitlab']['gitlab_rails']['smartcard_ca_file'] = "/etc/gitlab/ssl/CA.pem"
default['gitlab']['gitlab_rails']['smartcard_client_certificate_required_host'] = nil
default['gitlab']['gitlab_rails']['smartcard_client_certificate_required_port'] = 3444
default['gitlab']['gitlab_rails']['smartcard_required_for_git_access'] = false
default['gitlab']['gitlab_rails']['smartcard_san_extensions'] = false
default['gitlab']['gitlab_rails']['microsoft_graph_mailer_enabled'] = false
default['gitlab']['gitlab_rails']['microsoft_graph_mailer_user_id'] = nil
default['gitlab']['gitlab_rails']['microsoft_graph_mailer_tenant'] = nil
default['gitlab']['gitlab_rails']['microsoft_graph_mailer_client_id'] = nil
default['gitlab']['gitlab_rails']['microsoft_graph_mailer_client_secret'] = nil
default['gitlab']['gitlab_rails']['microsoft_graph_mailer_azure_ad_endpoint'] = nil
default['gitlab']['gitlab_rails']['microsoft_graph_mailer_graph_endpoint'] = nil
default['gitlab']['gitlab_rails']['kerberos_enabled'] = nil
default['gitlab']['gitlab_rails']['kerberos_keytab'] = nil
default['gitlab']['gitlab_rails']['kerberos_service_principal_name'] = nil
default['gitlab']['gitlab_rails']['kerberos_simple_ldap_linking_allowed_realms'] = nil
default['gitlab']['gitlab_rails']['kerberos_use_dedicated_port'] = nil
default['gitlab']['gitlab_rails']['kerberos_port'] = nil
default['gitlab']['gitlab_rails']['kerberos_https'] = nil
default['gitlab']['gitlab_rails']['omniauth_enabled'] = nil
default['gitlab']['gitlab_rails']['omniauth_allow_single_sign_on'] = ['saml']
default['gitlab']['gitlab_rails']['omniauth_sync_email_from_provider'] = nil
default['gitlab']['gitlab_rails']['omniauth_sync_profile_from_provider'] = nil
default['gitlab']['gitlab_rails']['omniauth_sync_profile_attributes'] = nil
default['gitlab']['gitlab_rails']['omniauth_auto_sign_in_with_provider'] = nil
default['gitlab']['gitlab_rails']['omniauth_block_auto_created_users'] = nil
default['gitlab']['gitlab_rails']['omniauth_auto_link_ldap_user'] = nil
default['gitlab']['gitlab_rails']['omniauth_auto_link_saml_user'] = nil
default['gitlab']['gitlab_rails']['omniauth_auto_link_user'] = nil
default['gitlab']['gitlab_rails']['omniauth_external_providers'] = nil
default['gitlab']['gitlab_rails']['omniauth_providers'] = []
default['gitlab']['gitlab_rails']['omniauth_cas3_session_duration'] = nil
default['gitlab']['gitlab_rails']['omniauth_allow_bypass_two_factor'] = nil
default['gitlab']['gitlab_rails']['omniauth_saml_message_max_byte_size'] = nil
default['gitlab']['gitlab_rails']['forti_authenticator_enabled'] = false
default['gitlab']['gitlab_rails']['forti_authenticator_host'] = nil
default['gitlab']['gitlab_rails']['forti_authenticator_port'] = 443
default['gitlab']['gitlab_rails']['forti_authenticator_username'] = nil
default['gitlab']['gitlab_rails']['forti_authenticator_access_token'] = nil
default['gitlab']['gitlab_rails']['duo_auth_enabled'] = false
default['gitlab']['gitlab_rails']['duo_auth_integration_key'] = nil
default['gitlab']['gitlab_rails']['duo_auth_secret_key'] = nil
default['gitlab']['gitlab_rails']['duo_auth_hostname'] = nil
default['gitlab']['gitlab_rails']['forti_token_cloud_enabled'] = false
default['gitlab']['gitlab_rails']['forti_token_cloud_client_id'] = nil
default['gitlab']['gitlab_rails']['forti_token_cloud_client_secret'] = nil
default['gitlab']['gitlab_rails']['shared_path'] = "/var/opt/gitlab/gitlab-rails/shared"
default['gitlab']['gitlab_rails']['encrypted_settings_path'] = nil
default['gitlab']['gitlab_rails']['backup_path'] = "/var/opt/gitlab/backups"
default['gitlab']['gitlab_rails']['backup_gitaly_backup_path'] = "/opt/gitlab/embedded/bin/gitaly-backup"
default['gitlab']['gitlab_rails']['manage_backup_path'] = true
default['gitlab']['gitlab_rails']['backup_archive_permissions'] = nil
default['gitlab']['gitlab_rails']['backup_pg_schema'] = nil
default['gitlab']['gitlab_rails']['backup_keep_time'] = nil
default['gitlab']['gitlab_rails']['backup_upload_connection'] = nil
default['gitlab']['gitlab_rails']['backup_upload_remote_directory'] = nil
default['gitlab']['gitlab_rails']['backup_upload_storage_options'] = {}
default['gitlab']['gitlab_rails']['backup_multipart_chunk_size'] = nil
default['gitlab']['gitlab_rails']['backup_encryption'] = nil
default['gitlab']['gitlab_rails']['backup_encryption_key'] = nil
default['gitlab']['gitlab_rails']['backup_storage_class'] = nil
# Path to the GitLab Shell installation
# defaults to /opt/gitlab/embedded/service/gitlab-shell/. The install-dir path is set at build time
default['gitlab']['gitlab_rails']['gitlab_shell_path'] = "#{node['package']['install-dir']}/embedded/service/gitlab-shell/"
# Path to the git hooks used by GitLab Shell
# defaults to /opt/gitlab/embedded/service/gitlab-shell/hooks/. The install-dir path is set at build time
default['gitlab']['gitlab_rails']['gitlab_shell_hooks_path'] = "#{node['package']['install-dir']}/embedded/service/gitlab-shell/hooks/"
default['gitlab']['gitlab_rails']['gitlab_shell_upload_pack'] = nil
default['gitlab']['gitlab_rails']['gitlab_shell_receive_pack'] = nil
default['gitlab']['gitlab_rails']['gitlab_shell_ssh_port'] = nil
default['gitlab']['gitlab_rails']['gitlab_shell_git_timeout'] = 10800
# Path to the Git Executable
# defaults to /opt/gitlab/embedded/bin/git. The install-dir path is set at build time
default['gitlab']['gitlab_rails']['git_bin_path'] = "#{node['package']['install-dir']}/embedded/bin/git"
default['gitlab']['gitlab_rails']['extra_google_analytics_id'] = nil
default['gitlab']['gitlab_rails']['extra_google_tag_manager_id'] = nil
default['gitlab']['gitlab_rails']['extra_one_trust_id'] = nil
default['gitlab']['gitlab_rails']['extra_google_tag_manager_nonce_id'] = nil
default['gitlab']['gitlab_rails']['extra_bizible'] = false
default['gitlab']['gitlab_rails']['extra_matomo_url'] = nil
default['gitlab']['gitlab_rails']['extra_matomo_site_id'] = nil
default['gitlab']['gitlab_rails']['extra_matomo_disable_cookies'] = nil
default['gitlab']['gitlab_rails']['extra_maximum_text_highlight_size_kilobytes'] = nil
default['gitlab']['gitlab_rails']['rack_attack_git_basic_auth'] = nil
default['gitlab']['gitlab_rails']['db_adapter'] = "postgresql"
default['gitlab']['gitlab_rails']['db_encoding'] = "unicode"
default['gitlab']['gitlab_rails']['db_collation'] = nil
default['gitlab']['gitlab_rails']['db_database'] = "gitlabhq_production"
default['gitlab']['gitlab_rails']['db_username'] = "gitlab"
default['gitlab']['gitlab_rails']['db_password'] = nil
default['gitlab']['gitlab_rails']['db_load_balancing'] = { 'hosts' => [] }
# Path to postgresql socket directory
default['gitlab']['gitlab_rails']['db_host'] = nil
default['gitlab']['gitlab_rails']['db_port'] = 5432
default['gitlab']['gitlab_rails']['db_socket'] = nil
default['gitlab']['gitlab_rails']['db_sslmode'] = nil
default['gitlab']['gitlab_rails']['db_sslcompression'] = 0
default['gitlab']['gitlab_rails']['db_sslrootcert'] = nil
default['gitlab']['gitlab_rails']['db_sslcert'] = nil
default['gitlab']['gitlab_rails']['db_sslkey'] = nil
default['gitlab']['gitlab_rails']['db_sslca'] = nil
default['gitlab']['gitlab_rails']['db_prepared_statements'] = false
default['gitlab']['gitlab_rails']['db_database_tasks'] = true
default['gitlab']['gitlab_rails']['db_statements_limit'] = 1000
default['gitlab']['gitlab_rails']['db_statement_timeout'] = nil
default['gitlab']['gitlab_rails']['db_connect_timeout'] = nil
default['gitlab']['gitlab_rails']['db_keepalives'] = nil
default['gitlab']['gitlab_rails']['db_keepalives_idle'] = nil
default['gitlab']['gitlab_rails']['db_keepalives_interval'] = nil
default['gitlab']['gitlab_rails']['db_keepalives_count'] = nil
default['gitlab']['gitlab_rails']['db_tcp_user_timeout'] = nil
default['gitlab']['gitlab_rails']['db_application_name'] = nil
default['gitlab']['gitlab_rails']['db_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['databases'] = {}
default['gitlab']['gitlab_rails']['clickhouse_databases'] = {}
# Automatic Database Reindexing
# See https://docs.gitlab.com/omnibus/settings/database.html#automatic-database-reindexing
default['gitlab']['gitlab_rails']['database_reindexing']['enable'] = false
default['gitlab']['gitlab_rails']['database_reindexing']['hour'] = '*'
default['gitlab']['gitlab_rails']['database_reindexing']['minute'] = 0
default['gitlab']['gitlab_rails']['database_reindexing']['month'] = '*'
default['gitlab']['gitlab_rails']['database_reindexing']['day_of_month'] = '*'
default['gitlab']['gitlab_rails']['database_reindexing']['day_of_week'] = '0,6'
default['gitlab']['gitlab_rails']['redis_host'] = "127.0.0.1"
default['gitlab']['gitlab_rails']['redis_port'] = nil
default['gitlab']['gitlab_rails']['redis_ssl'] = false
default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'] = "#{node['package']['install-dir']}/embedded/ssl/certs/"
default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'] = "#{node['package']['install-dir']}/embedded/ssl/certs/cacert.pem"
default['gitlab']['gitlab_rails']['redis_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_tls_client_key_file'] = nil
default['gitlab']['gitlab_rails']['redis_password'] = nil
default['gitlab']['gitlab_rails']['redis_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_encrypted_settings_file'] = nil
default['gitlab']['gitlab_rails']['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"
default['gitlab']['gitlab_rails']['redis_enable_client'] = true
default['gitlab']['gitlab_rails']['redis_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_sentinel_master'] = nil
default['gitlab']['gitlab_rails']['redis_sentinel_master_ip'] = nil
default['gitlab']['gitlab_rails']['redis_sentinel_master_port'] = nil
default['gitlab']['gitlab_rails']['redis_cache_instance'] = nil
default['gitlab']['gitlab_rails']['redis_cache_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_cache_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_cache_username'] = nil
default['gitlab']['gitlab_rails']['redis_cache_password'] = nil
default['gitlab']['gitlab_rails']['redis_cache_encrypted_settings_file'] = nil
default['gitlab']['gitlab_rails']['redis_cache_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_cache_cluster_nodes'] = []
default['gitlab']['gitlab_rails']['redis_cache_ssl'] = false
default['gitlab']['gitlab_rails']['redis_cache_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
default['gitlab']['gitlab_rails']['redis_cache_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
default['gitlab']['gitlab_rails']['redis_cache_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_cache_tls_client_key_file'] = nil
default['gitlab']['gitlab_rails']['redis_queues_instance'] = nil
default['gitlab']['gitlab_rails']['redis_queues_username'] = nil
default['gitlab']['gitlab_rails']['redis_queues_password'] = nil
default['gitlab']['gitlab_rails']['redis_queues_encrypted_settings_file'] = nil
default['gitlab']['gitlab_rails']['redis_queues_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_queues_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_queues_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_queues_cluster_nodes'] = []
default['gitlab']['gitlab_rails']['redis_queues_ssl'] = false
default['gitlab']['gitlab_rails']['redis_queues_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
default['gitlab']['gitlab_rails']['redis_queues_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
default['gitlab']['gitlab_rails']['redis_queues_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_queues_tls_client_key_file'] = nil
default['gitlab']['gitlab_rails']['redis_shared_state_instance'] = nil
default['gitlab']['gitlab_rails']['redis_shared_state_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_shared_state_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_shared_state_username'] = nil
default['gitlab']['gitlab_rails']['redis_shared_state_password'] = nil
default['gitlab']['gitlab_rails']['redis_shared_state_encrypted_settings_file'] = nil
default['gitlab']['gitlab_rails']['redis_shared_state_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_shared_state_cluster_nodes'] = []
default['gitlab']['gitlab_rails']['redis_shared_state_ssl'] = false
default['gitlab']['gitlab_rails']['redis_shared_state_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
default['gitlab']['gitlab_rails']['redis_shared_state_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
default['gitlab']['gitlab_rails']['redis_shared_state_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_shared_state_tls_client_key_file'] = nil
default['gitlab']['gitlab_rails']['redis_trace_chunks_instance'] = nil
default['gitlab']['gitlab_rails']['redis_trace_chunks_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_trace_chunks_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_trace_chunks_username'] = nil
default['gitlab']['gitlab_rails']['redis_trace_chunks_password'] = nil
default['gitlab']['gitlab_rails']['redis_trace_chunks_encrypted_settings_file'] = nil
default['gitlab']['gitlab_rails']['redis_trace_chunks_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_trace_chunks_cluster_nodes'] = []
default['gitlab']['gitlab_rails']['redis_trace_chunks_ssl'] = false
default['gitlab']['gitlab_rails']['redis_trace_chunks_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
default['gitlab']['gitlab_rails']['redis_trace_chunks_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
default['gitlab']['gitlab_rails']['redis_trace_chunks_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_trace_chunks_tls_client_key_file'] = nil
default['gitlab']['gitlab_rails']['redis_actioncable_instance'] = nil
default['gitlab']['gitlab_rails']['redis_actioncable_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_actioncable_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_actioncable_username'] = nil
default['gitlab']['gitlab_rails']['redis_actioncable_password'] = nil
default['gitlab']['gitlab_rails']['redis_actioncable_encrypted_settings_file'] = nil
default['gitlab']['gitlab_rails']['redis_actioncable_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_actioncable_cluster_nodes'] = []
default['gitlab']['gitlab_rails']['redis_actioncable_ssl'] = false
default['gitlab']['gitlab_rails']['redis_actioncable_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
default['gitlab']['gitlab_rails']['redis_actioncable_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
default['gitlab']['gitlab_rails']['redis_actioncable_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_actioncable_tls_client_key_file'] = nil
default['gitlab']['gitlab_rails']['redis_rate_limiting_instance'] = nil
default['gitlab']['gitlab_rails']['redis_rate_limiting_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_rate_limiting_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_rate_limiting_username'] = nil
default['gitlab']['gitlab_rails']['redis_rate_limiting_password'] = nil
default['gitlab']['gitlab_rails']['redis_rate_limiting_encrypted_settings_file'] = nil
default['gitlab']['gitlab_rails']['redis_rate_limiting_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_rate_limiting_cluster_nodes'] = []
default['gitlab']['gitlab_rails']['redis_rate_limiting_ssl'] = false
default['gitlab']['gitlab_rails']['redis_rate_limiting_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
default['gitlab']['gitlab_rails']['redis_rate_limiting_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
default['gitlab']['gitlab_rails']['redis_rate_limiting_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_rate_limiting_tls_client_key_file'] = nil
default['gitlab']['gitlab_rails']['redis_sessions_instance'] = nil
default['gitlab']['gitlab_rails']['redis_sessions_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_sessions_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_sessions_username'] = nil
default['gitlab']['gitlab_rails']['redis_sessions_password'] = nil
default['gitlab']['gitlab_rails']['redis_sessions_encrypted_settings_file'] = nil
default['gitlab']['gitlab_rails']['redis_sessions_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_sessions_cluster_nodes'] = []
default['gitlab']['gitlab_rails']['redis_sessions_ssl'] = false
default['gitlab']['gitlab_rails']['redis_sessions_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
default['gitlab']['gitlab_rails']['redis_sessions_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
default['gitlab']['gitlab_rails']['redis_sessions_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_sessions_tls_client_key_file'] = nil
default['gitlab']['gitlab_rails']['redis_repository_cache_instance'] = nil
default['gitlab']['gitlab_rails']['redis_repository_cache_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_repository_cache_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_repository_cache_username'] = nil
default['gitlab']['gitlab_rails']['redis_repository_cache_password'] = nil
default['gitlab']['gitlab_rails']['redis_repository_cache_encrypted_settings_file'] = nil
default['gitlab']['gitlab_rails']['redis_repository_cache_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_repository_cache_cluster_nodes'] = []
default['gitlab']['gitlab_rails']['redis_repository_cache_ssl'] = false
default['gitlab']['gitlab_rails']['redis_repository_cache_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
default['gitlab']['gitlab_rails']['redis_repository_cache_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
default['gitlab']['gitlab_rails']['redis_repository_cache_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_repository_cache_tls_client_key_file'] = nil
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_instance'] = nil
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_username'] = nil
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_password'] = nil
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_encrypted_settings_file'] = nil
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_cluster_nodes'] = []
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_ssl'] = false
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_tls_client_key_file'] = nil
default['gitlab']['gitlab_rails']['redis_workhorse_instance'] = nil
default['gitlab']['gitlab_rails']['redis_workhorse_sentinels'] = []
default['gitlab']['gitlab_rails']['redis_workhorse_sentinels_password'] = nil
default['gitlab']['gitlab_rails']['redis_workhorse_username'] = nil
default['gitlab']['gitlab_rails']['redis_workhorse_password'] = nil
default['gitlab']['gitlab_rails']['redis_workhorse_cluster_nodes'] = []
default['gitlab']['gitlab_rails']['redis_workhorse_extra_config_command'] = nil
default['gitlab']['gitlab_rails']['redis_workhorse_ssl'] = false
default['gitlab']['gitlab_rails']['redis_workhorse_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
default['gitlab']['gitlab_rails']['redis_workhorse_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
default['gitlab']['gitlab_rails']['redis_workhorse_tls_client_cert_file'] = nil
default['gitlab']['gitlab_rails']['redis_workhorse_tls_client_key_file'] = nil
# used by workhorse to connect to a separate external redis instead of the omnibus-gitlab redis
default['gitlab']['gitlab_rails']['redis_workhorse_sentinel_master'] = nil
default['gitlab']['gitlab_rails']['session_store_session_cookie_token_prefix'] = ''
default['gitlab']['gitlab_rails']['redis_yml_override'] = nil
default['gitlab']['gitlab_rails']['smtp_enable'] = false
default['gitlab']['gitlab_rails']['smtp_address'] = nil
default['gitlab']['gitlab_rails']['smtp_port'] = nil
default['gitlab']['gitlab_rails']['smtp_user_name'] = nil
default['gitlab']['gitlab_rails']['smtp_password'] = nil
default['gitlab']['gitlab_rails']['smtp_domain'] = nil
default['gitlab']['gitlab_rails']['smtp_authentication'] = nil
default['gitlab']['gitlab_rails']['smtp_enable_starttls_auto'] = nil
default['gitlab']['gitlab_rails']['smtp_tls'] = nil
default['gitlab']['gitlab_rails']['smtp_openssl_verify_mode'] = nil
default['gitlab']['gitlab_rails']['smtp_ca_path'] = nil
default['gitlab']['gitlab_rails']['smtp_pool'] = false
# Path to the public Certificate Authority file
# defaults to /opt/gitlab/embedded/ssl/certs/cacert.pem. The install-dir path is set at build time
default['gitlab']['gitlab_rails']['smtp_ca_file'] = "#{node['package']['install-dir']}/embedded/ssl/certs/cacert.pem"
# These are defaults from Net::SMTP: https://ruby-doc.org/stdlib-3.0.0/libdoc/net/smtp/rdoc/Net/SMTP.html
default['gitlab']['gitlab_rails']['smtp_open_timeout'] = 30
default['gitlab']['gitlab_rails']['smtp_read_timeout'] = 60
# Path to a directory containing (CA) certificates that should also be trusted (e.g. on
# outgoing webhook connections). Symlinks to these certificates will be created in
# /opt/gitlab/embedded/ssl/certs/.
default['gitlab']['gitlab_rails']['trusted_certs_dir'] = "/etc/gitlab/trusted-certs"
default['gitlab']['gitlab_rails']['webhook_timeout'] = nil
default['gitlab']['gitlab_rails']['http_client'] = {}
default['gitlab']['gitlab_rails']['graphql_timeout'] = nil
default['gitlab']['gitlab_rails']['initial_root_password'] = nil
default['gitlab']['gitlab_rails']['initial_license_file'] = nil
default['gitlab']['gitlab_rails']['initial_shared_runners_registration_token'] = nil
default['gitlab']['gitlab_rails']['display_initial_root_password'] = false
default['gitlab']['gitlab_rails']['store_initial_root_password'] = false
default['gitlab']['gitlab_rails']['trusted_proxies'] = []
default['gitlab']['gitlab_rails']['content_security_policy'] = nil
default['gitlab']['gitlab_rails']['allowed_hosts'] = []
# List of IPs and subnets that are allowed to access GitLab monitoring endpoints
default['gitlab']['gitlab_rails']['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128']
default['gitlab']['gitlab_rails']['shutdown_blackout_seconds'] = 10
# Default dependent services to restart in the event that files-of-interest change
default['gitlab']['gitlab_rails']['dependent_services'] = %w{puma}
###
# Unleash
###
default['gitlab']['gitlab_rails']['feature_flags_unleash_enabled'] = false
default['gitlab']['gitlab_rails']['feature_flags_unleash_url'] = nil
default['gitlab']['gitlab_rails']['feature_flags_unleash_app_name'] = nil
default['gitlab']['gitlab_rails']['feature_flags_unleash_instance_id'] = nil
###
# Prometheus
###
default['gitlab']['gitlab_rails']['prometheus_address'] = nil
###
# GitLab KAS
###
default['gitlab']['gitlab_rails']['gitlab_kas_enabled'] = nil
default['gitlab']['gitlab_rails']['gitlab_kas_external_url'] = nil
default['gitlab']['gitlab_rails']['gitlab_kas_internal_url'] = nil
default['gitlab']['gitlab_rails']['gitlab_kas_external_k8s_proxy_url'] = nil
####
# Puma
####
default['gitlab']['puma']['enable'] = false
default['gitlab']['puma']['ha'] = false
default['gitlab']['puma']['log_directory'] = "/var/log/gitlab/puma"
default['gitlab']['puma']['listen'] = nil
default['gitlab']['puma']['port'] = 8080
default['gitlab']['puma']['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'
default['gitlab']['puma']['ssl_listen'] = nil
default['gitlab']['puma']['ssl_port'] = nil
default['gitlab']['puma']['ssl_certificate'] = nil
default['gitlab']['puma']['ssl_certificate_key'] = nil
default['gitlab']['puma']['ssl_client_certificate'] = nil
default['gitlab']['puma']['ssl_cipher_filter'] = nil
default['gitlab']['puma']['ssl_key_password_command'] = nil
default['gitlab']['puma']['ssl_verify_mode'] = 'none'
default['gitlab']['puma']['prometheus_scrape_scheme'] = 'http'
default['gitlab']['puma']['prometheus_scrape_tls_server_name'] = nil
default['gitlab']['puma']['prometheus_scrape_tls_skip_verification'] = false
default['gitlab']['puma']['somaxconn'] = 2048
# Path to the puma server Process ID file
# defaults to /opt/gitlab/var/puma/puma.pid. The install-dir path is set at build time
default['gitlab']['puma']['pidfile'] = "#{node['package']['install-dir']}/var/puma/puma.pid"
default['gitlab']['puma']['state_path'] = "#{node['package']['install-dir']}/var/puma/puma.state"
default['gitlab']['puma']['worker_timeout'] = 60
default['gitlab']['puma']['per_worker_max_memory_mb'] = nil
default['gitlab']['puma']['worker_processes'] = nil
default['gitlab']['puma']['min_threads'] = 4
default['gitlab']['puma']['max_threads'] = 4
default['gitlab']['puma']['exporter_enabled'] = false
default['gitlab']['puma']['exporter_address'] = "127.0.0.1"
default['gitlab']['puma']['exporter_port'] = 8083
default['gitlab']['puma']['exporter_tls_enabled'] = false
default['gitlab']['puma']['exporter_tls_cert_path'] = nil
default['gitlab']['puma']['exporter_tls_key_path'] = nil
default['gitlab']['puma']['consul_service_name'] = 'rails'
default['gitlab']['puma']['consul_service_meta'] = nil
####
# ActionCable
####
default['gitlab']['actioncable']['worker_pool_size'] = 4
####
# Sidekiq
####
default['gitlab']['sidekiq']['enable'] = false
default['gitlab']['sidekiq']['ha'] = false
default['gitlab']['sidekiq']['log_directory'] = "/var/log/gitlab/sidekiq"
default['gitlab']['sidekiq']['log_format'] = "json"
default['gitlab']['sidekiq']['shutdown_timeout'] = 25
default['gitlab']['sidekiq']['routing_rules'] = []
# Sidekiq metrics server defaults
default['gitlab']['sidekiq']['metrics_enabled'] = true
default['gitlab']['sidekiq']['exporter_log_enabled'] = false
default['gitlab']['sidekiq']['exporter_tls_enabled'] = false
default['gitlab']['sidekiq']['exporter_tls_cert_path'] = nil
default['gitlab']['sidekiq']['exporter_tls_key_path'] = nil
default['gitlab']['sidekiq']['listen_address'] = "127.0.0.1"
default['gitlab']['sidekiq']['listen_port'] = 8082
# Sidekiq health-check server defaults
default['gitlab']['sidekiq']['health_checks_enabled'] = true
default['gitlab']['sidekiq']['health_checks_listen_address'] = "127.0.0.1"
default['gitlab']['sidekiq']['health_checks_listen_port'] = 8092
# Cluster specific settings
default['gitlab']['sidekiq']['interval'] = nil
default['gitlab']['sidekiq']['concurrency'] = 20
default['gitlab']['sidekiq']['queue_groups'] = ['*']
default['gitlab']['sidekiq']['consul_service_name'] = 'sidekiq'
default['gitlab']['sidekiq']['consul_service_meta'] = nil
###
# gitlab-shell
###
default['gitlab']['gitlab_shell']['dir'] = "/var/opt/gitlab/gitlab-shell"
default['gitlab']['gitlab_shell']['log_directory'] = "/var/log/gitlab/gitlab-shell"
default['gitlab']['gitlab_shell']['log_level'] = nil
default['gitlab']['gitlab_shell']['log_format'] = "json"
default['gitlab']['gitlab_shell']['audit_usernames'] = nil
default['gitlab']['gitlab_shell']['http_settings'] = nil
default['gitlab']['gitlab_shell']['auth_file'] = nil
default['gitlab']['gitlab_shell']['git_trace_log_file'] = nil
default['gitlab']['gitlab_shell']['migration'] = { enabled: true, features: [] }
default['gitlab']['gitlab_shell']['ssl_cert_dir'] = "#{node['package']['install-dir']}/embedded/ssl/certs/"
# DEPRECATED! Not used by gitlab-shell
default['gitlab']['gitlab_shell']['git_data_directories'] = {
  "default" => { "path" => "/var/opt/gitlab/git-data" }
}
###
# gitlab-sshd
###
default['gitlab']['gitlab_sshd']['enable'] = false
default['gitlab']['gitlab_sshd']['generate_host_keys'] = true
default['gitlab']['gitlab_sshd']['dir'] = "/var/opt/gitlab/gitlab-sshd"
# gitlab-sshd outputs most logs to /var/log/gitlab/gitlab-shell/gitlab-shell.log.
# This directory only stores any stdout/stderr output from the daemon.
default['gitlab']['gitlab_sshd']['log_directory'] = "/var/log/gitlab/gitlab-sshd"
default['gitlab']['gitlab_sshd']['env_directory'] = '/opt/gitlab/etc/gitlab-sshd/env'
default['gitlab']['gitlab_sshd']['listen_address'] = 'localhost:2222'
default['gitlab']['gitlab_sshd']['metrics_address'] = 'localhost:9122'
default['gitlab']['gitlab_sshd']['concurrent_sessions_limit'] = 100
default['gitlab']['gitlab_sshd']['proxy_protocol'] = false
default['gitlab']['gitlab_sshd']['proxy_policy'] = 'use'
default['gitlab']['gitlab_sshd']['proxy_header_timeout'] = '500ms'
default['gitlab']['gitlab_sshd']['grace_period'] = 55
default['gitlab']['gitlab_sshd']['client_alive_interval'] = nil
default['gitlab']['gitlab_sshd']['ciphers'] = nil
default['gitlab']['gitlab_sshd']['kex_algorithms'] = nil
default['gitlab']['gitlab_sshd']['macs'] = nil
default['gitlab']['gitlab_sshd']['public_key_algorithms'] = nil
default['gitlab']['gitlab_sshd']['login_grace_time'] = 60
default['gitlab']['gitlab_sshd']['host_keys_dir'] = '/var/opt/gitlab/gitlab-sshd'
default['gitlab']['gitlab_sshd']['host_keys_glob'] = 'ssh_host_*_key'
default['gitlab']['gitlab_sshd']['host_certs_dir'] = '/var/opt/gitlab/gitlab-sshd'
default['gitlab']['gitlab_sshd']['host_certs_glob'] = 'ssh_host_*-cert.pub'
####
# Web server
####
# Username for the webserver user
default['gitlab']['web_server']['username'] = 'gitlab-www'
default['gitlab']['web_server']['group'] = 'gitlab-www'
default['gitlab']['web_server']['uid'] = nil
default['gitlab']['web_server']['gid'] = nil
default['gitlab']['web_server']['shell'] = '/bin/false'
default['gitlab']['web_server']['home'] = '/var/opt/gitlab/nginx'
# When the bundled nginx is disabled, the external web server user must be added to the GitLab web server group
default['gitlab']['web_server']['external_users'] = []
####
# gitlab-workhorse
####
default['gitlab']['gitlab_workhorse']['enable'] = false
default['gitlab']['gitlab_workhorse']['ha'] = false
default['gitlab']['gitlab_workhorse']['alt_document_root'] = nil
default['gitlab']['gitlab_workhorse']['shutdown_timeout'] = nil
default['gitlab']['gitlab_workhorse']['workhorse_keywatcher'] = true
default['gitlab']['gitlab_workhorse']['listen_network'] = "unix"
default['gitlab']['gitlab_workhorse']['listen_umask'] = 000
default['gitlab']['gitlab_workhorse']['sockets_directory'] = nil
default['gitlab']['gitlab_workhorse']['listen_addr'] = nil
default['gitlab']['gitlab_workhorse']['auth_backend'] = "http://localhost:8080"
default['gitlab']['gitlab_workhorse']['auth_socket'] = nil
default['gitlab']['gitlab_workhorse']['pprof_listen_addr'] = "''" # put an empty string on the command line
default['gitlab']['gitlab_workhorse']['prometheus_listen_addr'] = "localhost:9229"
default['gitlab']['gitlab_workhorse']['dir'] = "/var/opt/gitlab/gitlab-workhorse"
default['gitlab']['gitlab_workhorse']['log_directory'] = "/var/log/gitlab/gitlab-workhorse"
default['gitlab']['gitlab_workhorse']['proxy_headers_timeout'] = nil
default['gitlab']['gitlab_workhorse']['api_limit'] = nil
default['gitlab']['gitlab_workhorse']['api_queue_duration'] = nil
default['gitlab']['gitlab_workhorse']['api_queue_limit'] = nil
default['gitlab']['gitlab_workhorse']['api_ci_long_polling_duration'] = nil
default['gitlab']['gitlab_workhorse']['propagate_correlation_id'] = false
default['gitlab']['gitlab_workhorse']['trusted_cidrs_for_x_forwarded_for'] = nil
default['gitlab']['gitlab_workhorse']['trusted_cidrs_for_propagation'] = nil
default['gitlab']['gitlab_workhorse']['log_format'] = "json"
default['gitlab']['gitlab_workhorse']['env_directory'] = '/opt/gitlab/etc/gitlab-workhorse/env'
default['gitlab']['gitlab_workhorse']['env'] = {
  'PATH' => "#{node['package']['install-dir']}/bin:#{node['package']['install-dir']}/embedded/bin:/bin:/usr/bin",
  'HOME' => node['gitlab']['user']['home'],
  'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/"
}
default['gitlab']['gitlab_workhorse']['image_scaler_max_procs'] = [2, node.dig('cpu', 'total').to_i / 2, node.dig('cpu', 'real').to_i / 2].max
default['gitlab']['gitlab_workhorse']['image_scaler_max_filesize'] = 250_000
default['gitlab']['gitlab_workhorse']['consul_service_name'] = 'workhorse'
default['gitlab']['gitlab_workhorse']['consul_service_meta'] = nil
default['gitlab']['gitlab_workhorse']['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"
default['gitlab']['gitlab_workhorse']['redis_host'] = "127.0.0.1"
default['gitlab']['gitlab_workhorse']['redis_port'] = nil
default['gitlab']['gitlab_workhorse']['redis_database'] = nil
default['gitlab']['gitlab_workhorse']['redis_username'] = nil
default['gitlab']['gitlab_workhorse']['redis_password'] = nil
default['gitlab']['gitlab_workhorse']['redis_ssl'] = false
default['gitlab']['gitlab_workhorse']['redis_cluster_nodes'] = []
default['gitlab']['gitlab_workhorse']['redis_sentinels'] = []
default['gitlab']['gitlab_workhorse']['redis_sentinels_password'] = nil
default['gitlab']['gitlab_workhorse']['redis_sentinel_master'] = nil
default['gitlab']['gitlab_workhorse']['redis_sentinel_master_ip'] = nil
default['gitlab']['gitlab_workhorse']['redis_sentinel_master_port'] = nil
default['gitlab']['gitlab_workhorse']['extra_config_command'] = nil
default['gitlab']['gitlab_workhorse']['metadata_zip_reader_limit_bytes'] = nil
####
# mailroom
####
default['gitlab']['mailroom']['enable'] = false
default['gitlab']['mailroom']['ha'] = false
default['gitlab']['mailroom']['log_directory'] = "/var/log/gitlab/mailroom"
default['gitlab']['mailroom']['exit_log_format'] = "plain" # Format of the final exception message written if mail_room crashes
default['gitlab']['mailroom']['incoming_email_auth_token'] = nil
default['gitlab']['mailroom']['service_desk_email_auth_token'] = nil
####
# Nginx
####
default['gitlab']['nginx']['enable'] = false
default['gitlab']['nginx']['ha'] = false
default['gitlab']['nginx']['dir'] = "/var/opt/gitlab/nginx"
default['gitlab']['nginx']['log_directory'] = "/var/log/gitlab/nginx"
default['gitlab']['nginx']['error_log_level'] = "error"
default['gitlab']['nginx']['worker_processes'] = [1, node.dig('cpu', 'total').to_i, node.dig('cpu', 'real').to_i].max
default['gitlab']['nginx']['worker_connections'] = 10240
default['gitlab']['nginx']['log_format'] = '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio' # NGINX 'combined' format without query strings
default['gitlab']['nginx']['sendfile'] = 'on'
default['gitlab']['nginx']['tcp_nopush'] = 'on'
default['gitlab']['nginx']['tcp_nodelay'] = 'on'
default['gitlab']['nginx']['hide_server_tokens'] = 'off'
default['gitlab']['nginx']['gzip_http_version'] = "1.1"
default['gitlab']['nginx']['gzip_comp_level'] = "2"
default['gitlab']['nginx']['gzip_proxied'] = "no-cache no-store private expired auth"
default['gitlab']['nginx']['gzip_types'] = ["text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json"]
default['gitlab']['nginx']['keepalive_timeout'] = 65
default['gitlab']['nginx']['keepalive_time'] = '1h'
default['gitlab']['nginx']['client_max_body_size'] = 0
default['gitlab']['nginx']['cache_max_size'] = '5000m'
default['gitlab']['nginx']['redirect_http_to_https'] = false
default['gitlab']['nginx']['redirect_http_to_https_port'] = 80
# The following matched paths will set proxy_request_buffering to off
default['gitlab']['nginx']['request_buffering_off_path_regex'] = "/api/v\\d/jobs/\\d+/artifacts$|/import/gitlab_project$|\\.git/git-receive-pack$|\\.git/ssh-receive-pack$|\\.git/ssh-upload-pack$|\\.git/gitlab-lfs/objects|\\.git/info/lfs/objects/batch$"
default['gitlab']['nginx']['ssl_client_certificate'] = nil # Most root CA's will be included by default
default['gitlab']['nginx']['ssl_verify_client'] = nil # do not enable 2-way SSL client authentication
default['gitlab']['nginx']['ssl_verify_depth'] = "1" # n/a if ssl_verify_client off
default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
default['gitlab']['nginx']['ssl_ciphers'] = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" # settings from https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
default['gitlab']['nginx']['ssl_prefer_server_ciphers'] = "off" # settings from https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
default['gitlab']['nginx']['ssl_protocols'] = "TLSv1.2 TLSv1.3" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
default['gitlab']['nginx']['ssl_session_cache'] = "shared:SSL:10m"
default['gitlab']['nginx']['ssl_session_tickets'] = "off"
default['gitlab']['nginx']['ssl_session_timeout'] = "1d" # settings from https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
default['gitlab']['nginx']['ssl_dhparam'] = nil # Path to dhparam.pem
default['gitlab']['nginx']['ssl_password_file'] = nil
default['gitlab']['nginx']['listen_addresses'] = ['*']
default['gitlab']['nginx']['listen_port'] = nil # override only if you have a reverse proxy
default['gitlab']['nginx']['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP
default['gitlab']['nginx']['custom_gitlab_server_config'] = nil
default['gitlab']['nginx']['custom_nginx_config'] = nil
default['gitlab']['nginx']['proxy_read_timeout'] = 3600
default['gitlab']['nginx']['proxy_connect_timeout'] = 300
default['gitlab']['nginx']['proxy_set_headers'] = {
  "Host" => "$http_host_with_default",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "Upgrade" => "$http_upgrade",
  "Connection" => "$connection_upgrade"
}
default['gitlab']['nginx']['proxy_protocol'] = false
default['gitlab']['nginx']['proxy_custom_buffer_size'] = nil
default['gitlab']['nginx']['referrer_policy'] = 'strict-origin-when-cross-origin'
default['gitlab']['nginx']['http2_enabled'] = true
# Cache up to 1GB of HTTP responses from GitLab on disk
default['gitlab']['nginx']['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
# Set to 'off' to disable proxy caching.
default['gitlab']['nginx']['proxy_cache'] = 'gitlab'
# Config for the http_realip_module http://nginx.org/en/docs/http/ngx_http_realip_module.html
default['gitlab']['nginx']['real_ip_trusted_addresses'] = [] # Each entry creates a set_real_ip_from directive
default['gitlab']['nginx']['real_ip_header'] = nil
default['gitlab']['nginx']['real_ip_recursive'] = nil
default['gitlab']['nginx']['server_names_hash_bucket_size'] = 64
# HSTS
default['gitlab']['nginx']['hsts_max_age'] = 63072000 # settings from https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
default['gitlab']['nginx']['hsts_include_subdomains'] = false
# Compression
default['gitlab']['nginx']['gzip_enabled'] = true
# Consul
default['gitlab']['nginx']['consul_service_name'] = 'nginx'
default['gitlab']['nginx']['consul_service_meta'] = nil
###
# Nginx status
###
default['gitlab']['nginx']['status']['enable'] = true
default['gitlab']['nginx']['status']['listen_addresses'] = ['*']
default['gitlab']['nginx']['status']['fqdn'] = "localhost"
default['gitlab']['nginx']['status']['port'] = 8060
default['gitlab']['nginx']['status']['vts_enable'] = true
default['gitlab']['nginx']['status']['options'] = {
"server_tokens" => "off",
"access_log" => "off",
"allow" => "127.0.0.1",
"deny" => "all",
}
###
# Logging
###
default['gitlab']['logging']['svlogd_size'] = 200 * 1024 * 1024 # rotate after 200 MB of log data
default['gitlab']['logging']['svlogd_num'] = 30 # keep 30 rotated log files
default['gitlab']['logging']['svlogd_timeout'] = 24 * 60 * 60 # rotate after 24 hours
default['gitlab']['logging']['svlogd_filter'] = "gzip" # compress logs with gzip
default['gitlab']['logging']['svlogd_udp'] = nil # transmit log messages via UDP
default['gitlab']['logging']['svlogd_prefix'] = nil # custom prefix for log messages
default['gitlab']['logging']['udp_log_shipping_host'] = nil # remote host to ship log messages to via UDP
default['gitlab']['logging']['udp_log_shipping_hostname'] = nil # set the hostname for log messages shipped via UDP
default['gitlab']['logging']['udp_log_shipping_port'] = 514 # remote port to ship log messages to via UDP
default['gitlab']['logging']['logrotate_frequency'] = "daily" # rotate logs daily
default['gitlab']['logging']['logrotate_maxsize'] = nil # rotate logs when they grow bigger than size bytes even before the specified time interval (daily, weekly, monthly, or yearly)
default['gitlab']['logging']['logrotate_size'] = nil # do not rotate by size by default
default['gitlab']['logging']['logrotate_rotate'] = 30 # keep 30 rotated logs
default['gitlab']['logging']['logrotate_compress'] = "compress" # see 'man logrotate'
default['gitlab']['logging']['logrotate_method'] = "copytruncate" # see 'man logrotate'
default['gitlab']['logging']['logrotate_postrotate'] = nil # no postrotate command by default
default['gitlab']['logging']['logrotate_dateformat'] = nil # use date extensions for rotated files rather than numbers e.g. a value of "-%Y-%m-%d" would give rotated files like production.log-2016-03-09.gz
default['gitlab']['logging']['log_group'] = nil # log group for logs (svlogd only at this time)
###
# Remote syslog
###
default['gitlab']['remote_syslog']['enable'] = false
default['gitlab']['remote_syslog']['ha'] = false
default['gitlab']['remote_syslog']['dir'] = "/var/opt/gitlab/remote-syslog"
default['gitlab']['remote_syslog']['log_directory'] = "/var/log/gitlab/remote-syslog"
default['gitlab']['remote_syslog']['destination_host'] = "localhost"
default['gitlab']['remote_syslog']['destination_port'] = 514
default['gitlab']['remote_syslog']['services'] = %w(redis nginx puma gitlab-rails gitlab-shell postgresql sidekiq gitlab-workhorse gitlab-pages praefect gitlab-kas)
###
# High Availability
###
default['gitlab']['high_availability']['mountpoint'] = nil
####
# GitLab CI Rails app
####
default['gitlab']['gitlab_ci']['dir'] = "/var/opt/gitlab/gitlab-ci"
default['gitlab']['gitlab_ci']['builds_directory'] = "/var/opt/gitlab/gitlab-ci/builds"
default['gitlab']['gitlab_ci']['schedule_builds_minute'] = "0"
default['gitlab']['gitlab_ci']['gitlab_ci_all_broken_builds'] = nil
default['gitlab']['gitlab_ci']['gitlab_ci_add_pusher'] = nil
####
# Mattermost NGINX
####
default['gitlab']['mattermost_nginx'] = default['gitlab']['nginx'].dup
default['gitlab']['mattermost_nginx']['enable'] = false
default['gitlab']['mattermost_nginx']['proxy_set_headers'] = {
"Host" => "$http_host",
"X-Real-IP" => "$remote_addr",
"X-Forwarded-For" => "$proxy_add_x_forwarded_for",
"X-Forwarded-Proto" => "$scheme",
"X-Frame-Options" => "SAMEORIGIN",
"Upgrade" => "$http_upgrade",
"Connection" => "$connection_upgrade"
}
default['gitlab']['mattermost_nginx']['referrer_policy'] = 'strict-origin-when-cross-origin'
####
# GitLab Pages NGINX
####
default['gitlab']['pages_nginx'] = default['gitlab']['nginx'].dup
default['gitlab']['pages_nginx']['enable'] = true
default['gitlab']['pages_nginx']['proxy_set_headers'] = {
"Host" => "$http_host",
"X-Real-IP" => "$remote_addr",
"X-Forwarded-For" => "$proxy_add_x_forwarded_for",
"X-Forwarded-Proto" => "$scheme"
}
####
# GitLab Registry NGINX
####
default['gitlab']['registry_nginx'] = default['gitlab']['nginx'].dup
default['gitlab']['registry_nginx']['enable'] = true
default['gitlab']['registry_nginx']['https'] = false
default['gitlab']['registry_nginx']['http2_enabled'] = false
default['gitlab']['registry_nginx']['proxy_set_headers'] = {
"Host" => "$http_host",
"X-Real-IP" => "$remote_addr",
"X-Forwarded-For" => "$proxy_add_x_forwarded_for",
"X-Forwarded-Proto" => "$scheme"
}
####
# GitLab KAS NGINX
####
default['gitlab']['gitlab_kas_nginx'] = default['gitlab']['nginx'].dup
default['gitlab']['gitlab_kas_nginx']['enable'] = false
default['gitlab']['gitlab_kas_nginx']['https'] = false
default['gitlab']['gitlab_kas_nginx']['port'] = 80
default['gitlab']['gitlab_kas_nginx']['host'] = "kas.gitlab.example.com"
default['gitlab']['gitlab_kas_nginx']['proxy_set_headers'] = {
"Host" => "$http_host",
"Upgrade" => "$http_upgrade",
"Connection" => "$connection_upgrade",
"X-Real-IP" => "$remote_addr",
"X-Forwarded-For" => "$remote_addr",
"X-Forwarded-Proto" => "$scheme",
"X-Forwarded-Scheme" => "$scheme",
"X-Scheme" => "$scheme",
"X-Original-Forwarded-For" => "$http_x_forwarded_for"
}
####
# Storage check
####
default['gitlab']['storage_check']['enable'] = false
default['gitlab']['storage_check']['target'] = nil
default['gitlab']['storage_check']['log_directory'] = '/var/log/gitlab/storage-check'
default['gitlab']['gitlab-shell'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['gitlab_shell'].to_h }, "node['gitlab']['gitlab-shell']", "node['gitlab']['gitlab_shell']")
default['gitlab']['remote-syslog'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['remote_syslog'].to_h }, "node['gitlab']['remote-syslog']", "node['gitlab']['remote_syslog']")
default['gitlab']['gitlab-workhorse'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['gitlab_workhorse'].to_h }, "node['gitlab']['gitlab-workhorse']", "node['gitlab']['gitlab_workhorse']")
default['gitlab']['mattermost-nginx'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['mattermost_nginx'].to_h }, "node['gitlab']['mattermost-nginx']", "node['gitlab']['mattermost_nginx']")
default['gitlab']['pages-nginx'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['pages_nginx'].to_h }, "node['gitlab']['pages-nginx']", "node['gitlab']['pages_nginx']")
default['gitlab']['registry-nginx'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['registry_nginx'].to_h }, "node['gitlab']['registry-nginx']", "node['gitlab']['registry_nginx']")
default['gitlab']['gitlab-kas-nginx'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['gitlab_kas_nginx'].to_h }, "node['gitlab']['gitlab-kas-nginx']", "node['gitlab']['gitlab_kas_nginx']")
default['gitlab']['gitlab-rails'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['gitlab_rails'].to_h }, "node['gitlab']['gitlab-rails']", "node['gitlab']['gitlab_rails']")
default['gitlab']['external-url'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['external_url'] }, "node['gitlab']['external-url']", "node['gitlab']['external_url']")
default['gitlab']['gitlab-kas-external-url'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['gitlab_kas_external_url'] }, "node['gitlab']['gitlab-kas-external-url']", "node['gitlab']['gitlab_kas_external_url']")
default['gitlab']['mattermost-external-url'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['mattermost_external_url'] }, "node['gitlab']['mattermost-external-url']", "node['gitlab']['mattermost_external_url']")
default['gitlab']['pages-external-url'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['pages_external_url'] }, "node['gitlab']['pages-external-url']", "node['gitlab']['pages_external_url']")
default['gitlab']['registry-external-url'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['registry_external_url'] }, "node['gitlab']['registry-external-url']", "node['gitlab']['registry_external_url']")
default['gitlab']['gitlab-ci'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['gitlab_ci'].to_h }, "node['gitlab']['gitlab-ci']", "node['gitlab']['gitlab_ci']")
default['gitlab']['high-availability'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['high_availability'].to_h }, "node['gitlab']['high-availability']", "node['gitlab']['high_availability']")
default['gitlab']['manage-accounts'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['manage_accounts'].to_h }, "node['gitlab']['manage-accounts']", "node['gitlab']['manage_accounts']")
default['gitlab']['manage-storage-directories'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['manage_storage_directories'].to_h }, "node['gitlab']['manage-storage-directories']", "node['gitlab']['manage_storage_directories']")
default['gitlab']['omnibus-gitconfig'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['omnibus_gitconfig'].to_h }, "node['gitlab']['omnibus-gitconfig']", "node['gitlab']['omnibus_gitconfig']")
default['gitlab']['runtime-dir'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['runtime_dir'] }, "node['gitlab']['runtime-dir']", "node['gitlab']['runtime_dir']")
default['gitlab']['storage-check'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['storage_check'].to_h }, "node['gitlab']['storage-check']", "node['gitlab']['storage_check']")
default['gitlab']['web-server'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab']['web_server'].to_h }, "node['gitlab']['web-server']", "node['gitlab']['web_server']")
####
# gitlab-backup-cli settings
####
default['gitlab']['gitlab_backup_cli']['enable'] = false
default['gitlab']['gitlab_backup_cli']['user'] = 'gitlab-backup'
default['gitlab']['gitlab_backup_cli']['group'] = 'gitlab-backup'
default['gitlab']['gitlab_backup_cli']['dir'] = '/var/opt/gitlab/backups'
default['gitlab']['gitlab_backup_cli']['additional_groups'] = %w[git gitlab-psql registry]
#
# Copyright:: Copyright (c) 2015 GitLab B.V.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class AccountHelper
  attr_reader :node

  def initialize(node)
    @node = node
  end

  def gitlab_user
    node['gitlab']['user']['username']
  end

  def gitlab_group
    node['gitlab']['user']['group']
  end

  def web_server_user
    node['gitlab']['web_server']['username']
  end

  def web_server_group
    node['gitlab']['web_server']['group']
  end

  def redis_user
    node['redis']['username']
  end

  def redis_group
    node['redis']['group']
  end

  def postgresql_user
    node['postgresql']['username']
  end

  def postgresql_group
    node['postgresql']['group']
  end

  def mattermost_user
    node['mattermost']['username']
  end

  def mattermost_group
    node['mattermost']['group']
  end

  def registry_user
    node['registry']['username']
  end

  def registry_group
    node['registry']['group']
  end

  def prometheus_user
    node['monitoring']['prometheus']['username']
  end

  def prometheus_group
    node['monitoring']['prometheus']['group']
  end

  def consul_user
    node['consul']['username']
  end

  def consul_group
    node['consul']['group']
  end

  def users
    %W(
      #{gitlab_user}
      #{web_server_user}
      #{redis_user}
      #{postgresql_user}
      #{mattermost_user}
      #{registry_user}
      #{prometheus_user}
      #{consul_user}
    )
  end

  def groups
    %W(
      #{gitlab_group}
      #{web_server_group}
      #{redis_group}
      #{postgresql_group}
      #{mattermost_group}
      #{registry_group}
      #{consul_group}
      #{prometheus_group}
    )
  end
end
# By default, Chef's bash resource prints out the environment variables
# upon failure, but the environment may contain sensitive information. This
# resource suppresses that output.
require 'chef/resource'
require 'chef/resource/script'
class Chef
  class Resource
    class BashHideEnv < Chef::Resource::Bash
      provides :bash_hide_env

      # Marking the property sensitive keeps its contents out of Chef's
      # failure output and converge logs.
      property :environment, Hash, sensitive: true,
               description: "A Hash of environment variables in the form of `({'ENV_VARIABLE' => 'VALUE'})`. **Note**: These variables must exist for a command to be run successfully."
    end
  end
end

Chef::Provider::Script.provides(:bash_hide_env)
#
# Copyright:: Copyright (c) 2018 GitLab Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require_relative 'redis_uri.rb'
require_relative '../../package/libraries/helpers/new_redis_helper/base'
module GitlabExporter
  class << self
    def parse_variables
      parse_gitlab_exporter_settings
      validate_tls_config
    end

    def parse_gitlab_exporter_settings
      # By default, disable the sidekiq probe of gitlab-exporter if Redis sentinels
      # are found. If the user has explicitly specified something in gitlab.rb, use
      # that.
      return if Gitlab['gitlab_exporter'].key?('probe_sidekiq') && !Gitlab['gitlab_exporter']['probe_sidekiq'].nil?

      Gitlab['gitlab_exporter']['probe_sidekiq'] = !NewRedisHelper::Base.has_sentinels?(config: Gitlab['gitlab_rails'])
    end

    def validate_tls_config
      return unless Gitlab['gitlab_exporter']['tls_enabled']

      %i[tls_cert_path tls_key_path].each do |key|
        raise "TLS enabled for GitLab Exporter, but #{key} not specified in config" unless Gitlab['gitlab_exporter'].key?(key)
        raise "File specified via gitlab_exporter['#{key}'] not found: #{Gitlab['gitlab_exporter'][key]}" unless File.exist?(Gitlab['gitlab_exporter'][key])
      end
    end
  end
end
#
# Copyright:: Copyright (c) 2016 GitLab Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require_relative 'nginx.rb'
require_relative '../../package/libraries/deprecations'
require_relative '../../package/libraries/helpers/logging_helper'
require_relative '../../letsencrypt/libraries/helper'
module GitlabMattermost
  class << self
    def parse_variables
      parse_mattermost_external_url
      parse_gitlab_mattermost
      parse_automatic_oauth_registration
    end

    def parse_secrets
      Gitlab['mattermost']['email_invite_salt'] ||= SecretsHelper.generate_hex(16)
      Gitlab['mattermost']['file_public_link_salt'] ||= SecretsHelper.generate_hex(16)
      Gitlab['mattermost']['sql_at_rest_encrypt_key'] ||= SecretsHelper.generate_hex(16)
      Gitlab['mattermost']['gitlab_id'] ||= SecretsHelper.generate_urlsafe_base64
      Gitlab['mattermost']['gitlab_secret'] ||= SecretsHelper.generate_urlsafe_base64
    end

    def parse_mattermost_external_url
      return unless Gitlab['mattermost_external_url']

      Gitlab['mattermost']['enable'] = true if Gitlab['mattermost']['enable'].nil?

      uri = URI(Gitlab['mattermost_external_url'].to_s)
      raise "GitLab Mattermost external URL must include a scheme and FQDN, e.g. http://mattermost.example.com/" unless uri.host

      Gitlab['mattermost']['host'] = uri.host
      Gitlab['mattermost']['service_site_url'] ||= Gitlab['mattermost_external_url']

      # Set up the GitLab auth endpoints if GitLab's external URL has been provided
      if Gitlab['external_url']
        gitlab_url = Gitlab['external_url'].chomp("/")
        Gitlab['mattermost']['gitlab_auth_endpoint'] ||= "#{gitlab_url}/oauth/authorize"
        Gitlab['mattermost']['gitlab_token_endpoint'] ||= "#{gitlab_url}/oauth/token"
        Gitlab['mattermost']['gitlab_user_api_endpoint'] ||= "#{gitlab_url}/api/v4/user"

        # If Mattermost is running on the same box as Puma, allow it to communicate locally
        if Services.enabled?('puma')
          Gitlab['mattermost']['service_allowed_untrusted_internal_connections'] ||= ''
          Gitlab['mattermost']['service_allowed_untrusted_internal_connections'] << " #{URI(gitlab_url.to_s).host}"
        end
      end

      set_ssl
    end

    def set_ssl
      uri = URI(Gitlab['mattermost_external_url'].to_s)

      case uri.scheme
      when "http"
        Gitlab['mattermost']['service_use_ssl'] = false
        Nginx.parse_proxy_headers('mattermost_nginx', false)
      when "https"
        Gitlab['mattermost']['service_use_ssl'] = true
        Gitlab['mattermost_nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
        Gitlab['mattermost_nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
        LetsEncryptHelper.add_service_alt_name("mattermost")
        Nginx.parse_proxy_headers('mattermost_nginx', true)
      else
        raise "Unsupported external URL scheme: #{uri.scheme}"
      end

      raise "Unsupported Mattermost external URL path: #{uri.path}" unless ["", "/"].include?(uri.path)

      Gitlab['mattermost']['port'] = uri.port
    end

    def parse_gitlab_mattermost
      return unless Gitlab['mattermost']['enable']

      Gitlab['mattermost_nginx']['enable'] = true if Gitlab['mattermost_nginx']['enable'].nil?
    end

    def parse_automatic_oauth_registration
      # If Mattermost isn't enabled, do nothing.
      return unless Gitlab['mattermost']['enable']

      # If writing to the gitlab-secrets.json file is not explicitly disabled, do
      # nothing.
      return if Gitlab['package']['generate_secrets_json_file'] != false

      Gitlab['mattermost']['register_as_oauth_app'] = false
      LoggingHelper.warning("Writing secrets to the `gitlab-secrets.json` file is disabled, so Mattermost is not automatically registered as an OAuth app and GitLab SSO will not be available as a login option.")
    end
  end
end
# Copyright:: Copyright (c) 2016 GitLab Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require_relative 'nginx.rb'
require_relative '../../gitaly/libraries/gitaly.rb'
require_relative '../../package/libraries/settings_dsl.rb'
require_relative '../../package/libraries/helpers/new_redis_helper/gitlab_rails'
module GitlabRails
ALLOWED_DATABASES = %w[main ci geo embedding].freeze
MAIN_DATABASES = %w[main geo].freeze
SHARED_DATABASE_ATTRIBUTES = %w[db_host db_port db_database].freeze
class << self
def parse_variables
parse_database_adapter
parse_database_settings
parse_databases
parse_external_url
parse_directories
parse_gitlab_trusted_proxies
parse_incoming_email_logfile
parse_service_desk_email_logfile
parse_maximum_request_duration
parse_redis_settings
parse_redis_extra_config_command
validate_smtp_settings!
validate_ssh_settings!
end
def parse_directories
parse_runtime_dir
parse_shared_dir
parse_artifacts_dir
parse_external_diffs_dir
parse_lfs_objects_dir
parse_uploads_dir
parse_packages_dir
parse_dependency_proxy_dir
parse_terraform_state_dir
parse_ci_secure_files_dir
parse_encrypted_settings_path
parse_pages_dir
parse_repository_storage
end
def transform_secrets
# Transform legacy key names to new key names
Gitlab['gitlab_rails']['db_key_base'] ||= Gitlab['gitlab_ci']['db_key_base'] # Changed in 8.11
Gitlab['gitlab_rails']['secret_key_base'] ||= Gitlab['gitlab_ci']['db_key_base'] # Changed in 8.11
Gitlab['gitlab_rails']['otp_key_base'] ||= Gitlab['gitlab_rails']['secret_token']
Gitlab['gitlab_rails']['openid_connect_signing_key'] ||= Gitlab['gitlab_rails']['jws_private_key'] # Changed in 10.1
# Environment variable gets priority over gitlab.rb setting
Gitlab['gitlab_rails']['initial_root_password'] = ENV['GITLAB_ROOT_PASSWORD'] || Gitlab['gitlab_rails']['initial_root_password']
end
def parse_secrets
transform_secrets
# Note: If you add another secret to generate here make sure it gets written to disk in SecretsHelper.write_to_gitlab_secrets
Gitlab['gitlab_rails']['db_key_base'] ||= SecretsHelper.generate_hex(64)
Gitlab['gitlab_rails']['secret_key_base'] ||= SecretsHelper.generate_hex(64)
Gitlab['gitlab_rails']['otp_key_base'] ||= SecretsHelper.generate_hex(64)
Gitlab['gitlab_rails']['encrypted_settings_key_base'] ||= SecretsHelper.generate_hex(64)
Gitlab['gitlab_rails']['openid_connect_signing_key'] ||= SecretsHelper.generate_rsa(4096).to_pem
Gitlab['gitlab_rails']['ci_jwt_signing_key'] ||= SecretsHelper.generate_rsa(4096).to_pem
return unless Gitlab['gitlab_rails']['initial_root_password'].nil?
Gitlab['gitlab_rails']['initial_root_password'] = SecretsHelper.generate_base64(32)
Gitlab['gitlab_rails']['store_initial_root_password'] = true if Gitlab['gitlab_rails']['store_initial_root_password'].nil?
end
def validate_secrets
transform_secrets
# Blow up when the existing configuration is ambiguous, so we don't accidentally throw away important secrets
ci_db_key_base = Gitlab['gitlab_ci']['db_key_base']
rails_db_key_base = Gitlab['gitlab_rails']['db_key_base']
if ci_db_key_base && rails_db_key_base && ci_db_key_base != rails_db_key_base
message = [
"The value of Gitlab['gitlab_ci']['db_key_base'] (#{ci_db_key_base}) does not match the value of Gitlab['gitlab_rails']['db_key_base'] (#{rails_db_key_base}).",
"Please back up both secrets, set Gitlab['gitlab_rails']['db_key_base'] to the value of Gitlab['gitlab_ci']['db_key_base'], and try again.",
"For more information, see <https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/update/README.md#migrating-legacy-secrets>"
]
raise message.join("\n\n")
end
raise 'initial_root_password: Length is too short, minimum is 8 characters' if Gitlab['gitlab_rails']['initial_root_password'] && Gitlab['gitlab_rails']['initial_root_password'].length < 8
return unless Gitlab['gitlab_rails']['ci_jwt_signing_key']
begin
key = OpenSSL::PKey::RSA.new(Gitlab['gitlab_rails']['ci_jwt_signing_key'])
raise 'ci_jwt_signing_key: The provided key is not a private RSA key' unless key.private?
rescue OpenSSL::PKey::RSAError
raise 'ci_jwt_signing_key: The provided key is not a valid RSA key'
end
end
def parse_external_url
return unless Gitlab['external_url']
uri = URI(Gitlab['external_url'].to_s)
raise "GitLab external URL must include a scheme and FQDN, e.g. http://gitlab.example.com/" unless uri.host
Gitlab['gitlab_rails']['gitlab_url'] = uri.to_s.chomp("/")
Gitlab['user']['git_user_email'] ||= "gitlab@#{uri.host}"
Gitlab['gitlab_rails']['gitlab_host'] = uri.host
Gitlab['gitlab_rails']['gitlab_email_from'] ||= "gitlab@#{uri.host}"
case uri.scheme
when "http"
Gitlab['gitlab_rails']['gitlab_https'] = false
Nginx.parse_proxy_headers('nginx', false)
when "https"
Gitlab['gitlab_rails']['gitlab_https'] = true
Gitlab['nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
Gitlab['nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
Nginx.parse_proxy_headers('nginx', true)
else
raise "Unsupported external URL scheme: #{uri.scheme}"
end
unless ["", "/"].include?(uri.path)
relative_url = uri.path.chomp("/")
Gitlab['gitlab_rails']['gitlab_relative_url'] ||= relative_url
Gitlab[WebServerHelper.service_name]['relative_url'] ||= relative_url
Gitlab['gitlab_workhorse']['relative_url'] ||= relative_url
end
Gitlab['gitlab_rails']['gitlab_port'] = uri.port
end
def parse_database_adapter
# TODO: Remove in GitLab 13
adapter = Gitlab['gitlab_rails']['db_adapter']
error_message = <<~MSG
PostgreSQL is the only supported DBMS starting from GitLab 12.1 and you are using #{adapter}.
Please refer https://docs.gitlab.com/omnibus/update/convert_to_omnibus.html#upgrading-from-non-omnibus-mysql-to-an-omnibus-installation-version-68
to migrate to a PostgreSQL based installation.
MSG
raise error_message if adapter && adapter != 'postgresql'
end
def parse_database_settings
[
[%w(gitlab_rails db_username), %w(postgresql sql_user)],
[%w(gitlab_rails db_host), %w(postgresql listen_address)],
[%w(gitlab_rails db_port), %w(postgresql port)],
].each do |left, right|
next unless Gitlab[left.first][left.last].nil?
better_value_from_gitlab_rb = Gitlab[right.first][right.last]
default_from_attributes = Gitlab['node']['gitlab'][SettingsDSL::Utils.node_attribute_key(left.first)][left.last]
Gitlab[left.first][left.last] = better_value_from_gitlab_rb || default_from_attributes
end
# PostgreSQL allows multiple comma-separated listen addresses.
# When several are given, the first address in the list is used.
db_host = Gitlab['gitlab_rails']['db_host']
if db_host&.include?(',')
Gitlab['gitlab_rails']['db_host'] = db_host.split(',')[0]
warning = [
"Received gitlab_rails['db_host'] value was: #{db_host.to_json}.",
"First listen_address '#{Gitlab['gitlab_rails']['db_host']}' will be used."
].join("\n ")
warn(warning)
end
# In case no other setting was provided for db_host, we use the socket
# directory
Gitlab['gitlab_rails']['db_host'] ||= Gitlab['postgresql']['dir'] || Gitlab['node']['postgresql']['dir']
end
def database_attributes
Gitlab['node']['gitlab']['gitlab_rails'].keys.select { |k| k.start_with?('db_') }
end
def generate_main_database
# If user hasn't specified a main database, for now, we will use the top
# level `db_*` keys to populate one. In the future, when we are confident
# in decomposition, we can deprecate top level `gitlab_rails['db_*']`
# keys and ask users to explicitly set
# `gitlab_rails['databases']['main']['db_*']` settings instead.
Gitlab['gitlab_rails']['databases'] ||= {}
Gitlab['gitlab_rails']['databases']['main'] ||= { 'enable' => true }
# Set default value for attributes of main database based on top level
# `gitlab_rails['db_*']` settings.
database_attributes.each do |attribute|
next unless Gitlab['gitlab_rails']['databases']['main'][attribute].nil?
Gitlab['gitlab_rails']['databases']['main'][attribute] =
[Gitlab['gitlab_rails'][attribute], Gitlab['node']['gitlab']['gitlab_rails'][attribute]].compact.first
end
end
def default_ci_connection_to_main
# If there's an explicit configuration to disable the ci connection or
# have a different config for ci we should respect that.
Gitlab['gitlab_rails']['databases']['ci'] ||= { 'enable' => true }
end
def parse_databases
# TODO: Remove when we want to deprecate top level `gitlab_rails['db_*']`
# settings
generate_main_database
default_ci_connection_to_main
# Weed out the databases that are either not allowed or not enabled explicitly (except for main and geo)
Gitlab['gitlab_rails']['databases'].to_h.each do |database, settings|
if !MAIN_DATABASES.include?(database) && settings['enable'] != true
Gitlab['gitlab_rails']['databases'].delete(database)
next
end
unless ALLOWED_DATABASES.include?(database)
Gitlab['gitlab_rails']['databases'].delete(database)
LoggingHelper.warning("Additional database `#{database}` not supported in Rails application. It will be ignored.")
end
end
# Set default value of settings for other databases based on values used in `main` database.
Gitlab['gitlab_rails']['databases'].each_key do |database|
next if MAIN_DATABASES.include?(database)
database_attributes.each do |attribute|
next unless Gitlab['gitlab_rails']['databases'][database][attribute].nil?
Gitlab['gitlab_rails']['databases'][database][attribute] = Gitlab['gitlab_rails']['databases']['main'][attribute]
end
# If additional database shares attributes with main
# it should be skipped from database_tasks (running migrations)
database_same_as_main = SHARED_DATABASE_ATTRIBUTES.all? { |attribute| Gitlab['gitlab_rails']['databases'][database][attribute] == Gitlab['gitlab_rails']['databases']['main'][attribute] }
Gitlab['gitlab_rails']['databases'][database]['db_database_tasks'] = false if database_same_as_main
end
end
def parse_runtime_dir
if Gitlab['node']['filesystem'].nil?
Chef::Log.warn 'No filesystem variables in Ohai, disabling runtime_dir'
Gitlab['runtime_dir'] = nil
return
end
return if Gitlab['runtime_dir']
search_dirs = ['/run', '/dev/shm']
search_dirs.each do |run_dir|
fs = Gitlab['node']['filesystem']['by_mountpoint'][run_dir]
if fs && fs['fs_type'] == 'tmpfs'
Gitlab['runtime_dir'] = run_dir
break
end
end
Chef::Log.warn "Could not find a tmpfs in #{search_dirs}" if Gitlab['runtime_dir'].nil?
Gitlab['runtime_dir']
end
def parse_shared_dir
Gitlab['gitlab_rails']['shared_path'] ||= Gitlab['node']['gitlab']['gitlab_rails']['shared_path']
end
def parse_artifacts_dir
# This requires the parse_shared_dir to be executed before
Gitlab['gitlab_rails']['artifacts_path'] ||= File.join(Gitlab['gitlab_rails']['shared_path'], 'artifacts')
end
def parse_external_diffs_dir
# This requires the parse_shared_dir to be executed before
Gitlab['gitlab_rails']['external_diffs_storage_path'] ||= File.join(Gitlab['gitlab_rails']['shared_path'], 'external-diffs')
end
def parse_lfs_objects_dir
# This requires the parse_shared_dir to be executed before
Gitlab['gitlab_rails']['lfs_storage_path'] ||= File.join(Gitlab['gitlab_rails']['shared_path'], 'lfs-objects')
end
def parse_uploads_dir
Gitlab['gitlab_rails']['uploads_storage_path'] ||= public_path
end
def parse_packages_dir
# This requires the parse_shared_dir to be executed before
Gitlab['gitlab_rails']['packages_storage_path'] ||= File.join(Gitlab['gitlab_rails']['shared_path'], 'packages')
end
def parse_dependency_proxy_dir
# This requires the parse_shared_dir to be executed before
Gitlab['gitlab_rails']['dependency_proxy_storage_path'] ||= File.join(Gitlab['gitlab_rails']['shared_path'], 'dependency_proxy')
end
def parse_terraform_state_dir
# This requires the parse_shared_dir to be executed before
Gitlab['gitlab_rails']['terraform_state_storage_path'] ||= File.join(Gitlab['gitlab_rails']['shared_path'], 'terraform_state')
end
def parse_ci_secure_files_dir
# This requires the parse_shared_dir to be executed before
Gitlab['gitlab_rails']['ci_secure_files_storage_path'] ||= File.join(Gitlab['gitlab_rails']['shared_path'], 'ci_secure_files')
end
def parse_encrypted_settings_path
# This requires the parse_shared_dir to be executed before
encrypted_settings_path = Gitlab['gitlab_rails']['encrypted_settings_path'] ||= File.join(Gitlab['gitlab_rails']['shared_path'], 'encrypted_settings')
NewRedisHelper::GitlabRails::REDIS_INSTANCES.each do |instance|
Gitlab['gitlab_rails']["redis_#{instance}_encrypted_settings_file"] ||= Gitlab['gitlab_rails']['redis_encrypted_settings_file'] || File.join(encrypted_settings_path, "redis.#{instance}.yml.enc")
end
# NOTE: The default value of `redis_encrypted_settings_file` should be
# set only after the instance-specific ones are handled, or this default
# value will get used for the instance-specific settings.
Gitlab['gitlab_rails']['redis_encrypted_settings_file'] ||= File.join(encrypted_settings_path, 'redis.yml.enc')
end
def parse_redis_settings
Gitlab['gitlab_rails']['redis_sentinel_master'] ||= Gitlab['redis']['master_name'] || Gitlab[:node]['redis']['master_name']
Gitlab['gitlab_rails']['redis_sentinel_master_ip'] ||= Gitlab['redis']['master_ip'] || Gitlab[:node]['redis']['master_ip']
Gitlab['gitlab_rails']['redis_sentinel_master_port'] ||= Gitlab['redis']['master_port'] || Gitlab[:node]['redis']['master_port']
Gitlab['gitlab_rails']['redis_password'] ||= Gitlab['redis']['master_password'] || Gitlab[:node]['redis']['master_password']
end
def parse_redis_extra_config_command
NewRedisHelper::GitlabRails::REDIS_INSTANCES.each do |instance|
Gitlab['gitlab_rails']["redis_#{instance}_extra_config_command"] ||= Gitlab['gitlab_rails']['redis_extra_config_command']
end
end
def parse_pages_dir
# This requires the parse_shared_dir to be executed before
Gitlab['gitlab_rails']['pages_path'] ||= File.join(Gitlab['gitlab_rails']['shared_path'], 'pages')
Gitlab['gitlab_rails']['pages_local_store_path'] ||= Gitlab['gitlab_rails']['pages_path']
end
def parse_repository_storage
return if Gitlab['gitlab_rails']['repositories_storages']
gitaly_address = Gitaly.gitaly_address
Gitlab['gitlab_rails']['repositories_storages'] ||= {
"default" => {
"path" => "/var/opt/gitlab/git-data/repositories",
"gitaly_address" => gitaly_address
}
}
end
def parse_gitlab_trusted_proxies
Gitlab['nginx']['real_ip_trusted_addresses'] ||= Gitlab['node']['gitlab']['nginx']['real_ip_trusted_addresses']
Gitlab['gitlab_rails']['trusted_proxies'] = Gitlab['nginx']['real_ip_trusted_addresses'] if Gitlab['gitlab_rails']['trusted_proxies'].nil?
end
def parse_incoming_email_logfile
log_directory = Gitlab['mailroom']['log_directory'] || Gitlab[:node]['gitlab']['mailroom']['log_directory']
return unless log_directory
Gitlab['gitlab_rails']['incoming_email_log_file'] ||= File.join(log_directory, 'mail_room_json.log')
end
def parse_service_desk_email_logfile
log_directory = Gitlab['mailroom']['log_directory'] || Gitlab[:node]['gitlab']['mailroom']['log_directory']
return unless log_directory
Gitlab['gitlab_rails']['service_desk_email_log_file'] ||= File.join(log_directory, 'mail_room_json.log')
end
def parse_maximum_request_duration
Gitlab['gitlab_rails']['max_request_duration_seconds'] ||= (worker_timeout * 0.95).ceil
return if Gitlab['gitlab_rails']['max_request_duration_seconds'] < worker_timeout
raise "The maximum request duration needs to be smaller than the worker timeout (#{worker_timeout}s)"
end
def validate_smtp_settings!
SmtpHelper.validate_smtp_settings!(Gitlab['gitlab_rails'])
end
def validate_ssh_settings!
host = Gitlab['gitlab_rails']['gitlab_ssh_host']
return unless host
URI::Generic.build(scheme: 'ssh', host: host)
rescue URI::InvalidComponentError
msg = <<~MSG
gitlab_rails['gitlab_ssh_host'] is set to #{host}, but it must only contain a valid hostname.
If you wish to use a custom SSH port (such as 2222), in /etc/gitlab/gitlab.rb set the hostname and port separately:
gitlab_rails['gitlab_ssh_host'] = 'gitlab.example.com'
gitlab_rails['gitlab_shell_ssh_port'] = 2222
MSG
raise msg
end
def public_path
"#{Gitlab['node']['package']['install-dir']}/embedded/service/gitlab-rails/public"
end
def worker_timeout
service = WebServerHelper.service_name
user_config = Gitlab[service]
service_config = Gitlab['node']['gitlab'][service]
(user_config['worker_timeout'] || service_config['worker_timeout']).to_i
end
end
end
#
# Copyright:: Copyright (c) 2016 GitLab Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require_relative '../../gitaly/libraries/gitaly.rb'
module GitlabShell
class << self
def parse_variables
parse_auth_file
end
def parse_secrets
Gitlab['gitlab_shell']['secret_token'] ||= SecretsHelper.generate_hex(64)
end
def parse_auth_file
Gitlab['user']['home'] ||= Gitlab['node']['gitlab']['user']['home']
Gitlab['gitlab_shell']['auth_file'] ||= File.join(Gitlab['user']['home'], '.ssh', 'authorized_keys')
end
end
end
class GitlabSshdHelper
OMNIBUS_KEYS = %w[enable dir generate_host_keys log_directory env_directory host_keys_dir host_keys_glob host_certs_dir host_certs_glob].freeze
def initialize(node)
@node = node
end
# This returns the configuration needed to start gitlab-sshd inside the gitlab-shell
# configuration file.
#
# We purposely don't memoize this call since find_host_keys! and find_host_certs!
# may change if new host keys are created.
def json_config
config = @node['gitlab']['gitlab_sshd'].dup
find_host_keys!(config)
find_host_certs!(config)
config['listen'] = config.delete('listen_address')
config['web_listen'] = config.delete('metrics_address')
OMNIBUS_KEYS.each { |key| config.delete(key) }
config
end
def no_host_keys?
json_config['host_key_files'].empty?
end
private
def find_host_keys!(config)
host_keys_dir = config['host_keys_dir']
host_keys_glob = config['host_keys_glob']
return unless host_keys_glob && host_keys_dir
path = File.join(host_keys_dir, host_keys_glob)
host_keys = Dir[path]
config['host_key_files'] = host_keys
end
def find_host_certs!(config)
host_certs_dir = config['host_certs_dir']
host_certs_glob = config['host_certs_glob']
return unless host_certs_glob && host_certs_dir
path = File.join(host_certs_dir, host_certs_glob)
host_certs = Dir[path]
config['host_key_certs'] = host_certs
end
end
#
# Copyright:: Copyright (c) 2016 GitLab Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'securerandom'
require_relative './redis_uri'
require_relative '../../package/libraries/helpers/new_redis_helper'
module GitlabWorkhorse
class << self
def parse_variables
Gitlab['gitlab_workhorse']['auth_socket'] = nil if !auth_socket_specified? && auth_backend_specified?
user_listen_addr = Gitlab['gitlab_workhorse']['listen_addr']
Gitlab['gitlab_workhorse']['sockets_directory'] ||= '/var/opt/gitlab/gitlab-workhorse/sockets' if user_listen_addr.nil?
sockets_dir = Gitlab['gitlab_workhorse']['sockets_directory']
default_network = Gitlab['node']['gitlab']['gitlab_workhorse']['listen_network']
user_network = Gitlab['gitlab_workhorse']['listen_network']
network = user_network || default_network
Gitlab['gitlab_workhorse']['listen_addr'] ||= File.join(sockets_dir, 'socket') if network == "unix"
parse_redis_settings
end
def parse_secrets
# gitlab-workhorse expects exactly 32 bytes, encoded with base64
Gitlab['gitlab_workhorse']['secret_token'] ||= SecureRandom.base64(32)
end
def parse_redis_settings
gitlab_workhorse_redis_configured = Gitlab['gitlab_workhorse'].key?('redis_socket') ||
Gitlab['gitlab_workhorse'].key?('redis_host')
rails_workhorse_redis_configured =
Gitlab['gitlab_rails']['redis_workhorse_instance'] ||
(Gitlab['gitlab_rails']['redis_workhorse_sentinels'] &&
!Gitlab['gitlab_rails']['redis_workhorse_sentinels'].empty?)
if gitlab_workhorse_redis_configured
# Parse settings from `redis['master_*']` first.
parse_redis_master_settings
# If gitlab_workhorse settings are specified, populate
# gitlab_rails['redis_workhorse_*'] settings from it.
update_separate_redis_instance_settings
elsif rails_workhorse_redis_configured
# If user has specified a separate Redis host for Workhorse via
# `gitlab_rails['redis_workhorse_*']` settings, copy them to
# `gitlab_workhorse['redis_*']`.
parse_separate_redis_instance_settings
parse_redis_master_settings
else
# If user hasn't specified any separate Redis settings for Workhorse,
# copy the global settings from GitLab Rails
parse_global_rails_redis_settings
parse_redis_master_settings
end
end
# rubocop:disable Metrics/CyclomaticComplexity
# rubocop:disable Metrics/AbcSize
# rubocop:disable Metrics/PerceivedComplexity
def update_separate_redis_instance_settings
if Gitlab['gitlab_workhorse']['redis_host']
uri_from_workhorse = NewRedisHelper.build_redis_url(
ssl: Gitlab['gitlab_workhorse']['redis_ssl'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_ssl'],
host: Gitlab['gitlab_workhorse']['redis_host'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_host'],
port: Gitlab['gitlab_workhorse']['redis_port'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_port'],
password: Gitlab['gitlab_workhorse']['redis_password'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_password'],
path: Gitlab['gitlab_workhorse']['redis_database'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_database']
).to_s
uri_from_rails = NewRedisHelper.build_redis_url(
ssl: Gitlab['gitlab_rails']['redis_ssl'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_ssl'],
host: Gitlab['gitlab_rails']['redis_host'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_host'],
port: Gitlab['gitlab_rails']['redis_port'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_port'],
password: Gitlab['gitlab_rails']['redis_password'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_password'],
path: Gitlab['gitlab_rails']['redis_database'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_database']
).to_s
Gitlab['gitlab_rails']['redis_workhorse_instance'] = uri_from_workhorse if uri_from_workhorse != uri_from_rails
else
workhorse_redis_socket = Gitlab['gitlab_workhorse']['redis_socket'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_socket']
rails_redis_socket = Gitlab['gitlab_rails']['redis_socket'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_socket']
Gitlab['gitlab_rails']['redis_workhorse_instance'] = "unix://#{workhorse_redis_socket}" if workhorse_redis_socket != rails_redis_socket
end
%w[username password cluster_nodes sentinels sentinel_master sentinels_password].each do |setting|
Gitlab['gitlab_rails']["redis_workhorse_#{setting}"] ||= Gitlab['gitlab_workhorse']["redis_#{setting}"]
end
end
# rubocop:enable Metrics/CyclomaticComplexity
# rubocop:enable Metrics/AbcSize
# rubocop:enable Metrics/PerceivedComplexity
def parse_global_rails_redis_settings
%w[ssl host socket port password database sentinels sentinels_password].each do |setting|
Gitlab['gitlab_workhorse']["redis_#{setting}"] ||= Gitlab['gitlab_rails']["redis_#{setting}"]
end
end
def parse_separate_redis_instance_settings
# If an individual Redis instance is specified for Workhorse, figure out
# host, port, password, etc. from it
if Gitlab['gitlab_rails']['redis_workhorse_instance']
uri = URI(Gitlab['gitlab_rails']['redis_workhorse_instance'])
Gitlab['gitlab_workhorse']['redis_ssl'] = uri.scheme == 'rediss' unless Gitlab['gitlab_workhorse'].key?('redis_ssl')
if uri.scheme == 'unix'
Gitlab['gitlab_workhorse']['redis_socket'] = uri.path
else
Gitlab['gitlab_workhorse']['redis_host'] ||= if uri.path.start_with?('/')
uri.host
else
uri.path
end
Gitlab['gitlab_workhorse']['redis_port'] ||= uri.port
Gitlab['gitlab_workhorse']['redis_password'] ||= uri.password
Gitlab['gitlab_workhorse']['redis_database'] ||= uri.path.delete_prefix('/') if uri.path.start_with?('/')
end
end
%w[username password cluster_nodes sentinels sentinel_master sentinels_password].each do |setting|
Gitlab['gitlab_workhorse']["redis_#{setting}"] ||= Gitlab['gitlab_rails']["redis_workhorse_#{setting}"]
end
end
def parse_redis_master_settings
# TODO: When GitLab rails gets its own set of `redis_sentinel_master_*`
# settings, update the following to use them instead of the
# `Gitlab['redis'][*]` settings. It can then be merged with the
# `parse_rails_redis_settings` method.
Gitlab['gitlab_workhorse']['redis_sentinel_master'] ||= Gitlab['redis']['master_name'] || Gitlab[:node]['redis']['master_name']
Gitlab['gitlab_workhorse']['redis_sentinel_master_ip'] ||= Gitlab['redis']['master_ip'] || Gitlab[:node]['redis']['master_ip']
Gitlab['gitlab_workhorse']['redis_sentinel_master_port'] ||= Gitlab['redis']['master_port'] || Gitlab[:node]['redis']['master_port']
Gitlab['gitlab_workhorse']['redis_password'] ||= Gitlab['redis']['master_password'] || Gitlab[:node]['redis']['master_password']
end
private
def auth_socket_specified?
auth_socket = Gitlab['gitlab_workhorse']['auth_socket']
!auth_socket&.empty?
end
def auth_backend_specified?
auth_backend = Gitlab['gitlab_workhorse']['auth_backend']
!auth_backend&.empty?
end
end
end
#
# Copyright:: Copyright (c) 2012 Opscode, Inc.
# Copyright:: Copyright (c) 2014 GitLab.com
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require_relative 'helpers/pg_helper'
require_relative 'helpers/geo_pg_helper'
module AuthorizeHelper
def query_gitlab_rails(uri, name, oauth_uid, oauth_secret)
warn("Connecting to GitLab to generate new app_id and app_secret for #{name}.")
runner_cmd = create_or_find_authorization(uri, name, oauth_uid, oauth_secret)
cmd = execute_rails_runner(runner_cmd)
do_shell_out(cmd)
end
def create_or_find_authorization(uri, name, oauth_uid, oauth_secret)
args = %(redirect_uri: "#{uri}", name: "#{name}")
app = %(
app = Doorkeeper::Application.where(#{args}).by_uid_and_secret("#{oauth_uid}", "#{oauth_secret}");
app ||= Doorkeeper::Application.where({ redirect_uri: "#{uri}", name: "#{name}", uid: "#{oauth_uid}", secret: "#{oauth_secret}" }).create!
)
output = %(puts app.uid.concat(" ").concat(app.secret);)
%W(
#{app}
#{output}
).join
end
def execute_rails_runner(cmd)
%W(
/opt/gitlab/bin/gitlab-rails
runner
-e production
'#{cmd}'
).join(" ")
end
def warn(msg)
Chef::Log.warn(msg)
end
def info(msg)
Chef::Log.info(msg)
end
end
#
# Copyright:: Copyright (c) 2018 GitLab Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class BaseHelper
def initialize(node)
@node = node
end
def self.descendants
ObjectSpace.each_object(Class).select { |klass| klass < self }
end
# Returns the attributes this helper wants to be made public. Implement in your subclass.
#
# @return [Hash] the attributes that this helper wants to make public
def public_attributes
{}
end
end
# This is a base class to be inherited by PG Helpers
require 'digest'
require_relative 'base_helper'
require_relative '../pg_version'
class BasePgHelper < BaseHelper
include ShellOutHelper
attr_reader :node
attr_reader :built_connection_info
ConnectionInfo = Struct.new(:dbname, :dbhost, :port, :pguser)
PG_HASH_PATTERN ||= /\{(.*)\}/.freeze
PG_HASH_PAIR_SEPARATOR ||= ','.freeze
PG_HASH_PAIR_ESCAPED_PATTERN ||= /^"|"$/.freeze
PG_HASH_KEY_VALUE_SEPARATOR ||= '='.freeze
PG_ESCAPED_DOUBLE_QUOTE_PATTERN ||= /\\"/.freeze
PG_ESCAPED_BACKSLASH_PATTERN ||= /\\{2}/.freeze
def is_running?
omnibus_helper = OmnibusHelper.new(node)
omnibus_helper.service_up?(service_name)
end
def is_ready?
status = PgStatusHelper.new(connection_info, node)
status.ready?
end
def connection_info
raise NotImplementedError
end
def build_connection_info(dbname, dbhost, port, pguser)
@built_connection_info ||= ConnectionInfo.new(dbname, dbhost, port, pguser)
end
def is_managed_and_offline?
OmnibusHelper.new(node).is_managed_and_offline?(service_name)
end
def database_exists?(db_name)
psql_cmd(["-d 'template1'",
"-c 'select datname from pg_database' -A",
"| grep -x #{db_name}"])
end
def database_empty?(db_name)
psql_cmd(["-d '#{db_name}'",
"-c '\\dt' -A",
"| grep -x 'No relations found.'"])
end
def extension_exists?(extension_name)
psql_cmd(["-d 'template1'",
"-c 'select name from pg_available_extensions' -A",
"| grep -x #{extension_name}"])
end
def extension_enabled?(extension_name, db_name)
psql_cmd(["-d '#{db_name}'",
"-c 'select extname from pg_extension' -A",
"| grep -x #{extension_name}"])
end
def extension_can_be_enabled?(extension_name, db_name)
is_running? &&
!is_standby? &&
extension_exists?(extension_name) &&
database_exists?(db_name) &&
!extension_enabled?(extension_name, db_name)
end
def user_exists?(db_user)
psql_cmd(["-d 'template1'",
"-c 'select usename from pg_user' -A",
"|grep -x #{db_user}"])
end
def user_options(db_user)
query = "SELECT usecreatedb, usesuper, userepl, usebypassrls FROM pg_shadow WHERE usename='#{db_user}'"
values = do_shell_out(
%(/opt/gitlab/bin/#{service_cmd} -d template1 -c "#{query}" -tA)
).stdout.chomp.split('|').map { |v| v == 't' }
options = %w(CREATEDB SUPERUSER REPLICATION BYPASSRLS)
Hash[options.zip(values)]
end
def user_options_set?(db_user, options)
active_options = user_options(db_user)
options.map(&:upcase).each do |option|
if option =~ /^NO(.*)/
return false if active_options[Regexp.last_match(1)]
else
return false unless active_options[option]
end
end
true
end
# Check if database schema exists for specified database
#
# @param [Object] schema_name database schema name
# @param [Object] db_name database name
def schema_exists?(schema_name, db_name)
psql_cmd(["-d '#{db_name}'",
"-c 'select schema_name from information_schema.schemata' -A",
"| grep -x #{schema_name}"])
end
# Check if database user is owner of specified schema
#
# You need to check if schema exists before running this
#
# @param [String] schema_name database schema name
# @param [String] db_name database name
# @param [String] owner the database user to be checked as owner
# @return [Boolean] whether specified database user is the owner
def schema_owner?(schema_name, db_name, owner)
psql_cmd(["-d '#{db_name}'",
%(-c "select schema_owner from information_schema.schemata where schema_name='#{schema_name}'" -A),
"| grep -x #{owner}"])
end
# Used to compare schema with foreign schema, to determine if foreign tables
# need to be refreshed
def retrieve_schema_tables(schema_name, db_name)
sql = <<~SQL
SELECT table_name, column_name, data_type
FROM information_schema.columns
WHERE table_catalog = '#{db_name}'
AND table_schema = '#{schema_name}'
AND table_name NOT LIKE 'pg_%'
ORDER BY table_name, column_name, data_type
SQL
psql_query(db_name, sql)
end
def user_hashed_password(db_user)
db_user_safe = db_user.scan(/[a-z_][a-z0-9_-]*[$]?/).first
psql_query('template1', "SELECT passwd FROM pg_shadow WHERE usename='#{db_user_safe}'")
end
def user_password_match?(db_user, db_pass)
if db_pass.nil? || /^md5.{32}$/.match(db_pass)
# if the password is in the MD5 hashed format or is empty, do a simple compare
db_pass.to_s == user_hashed_password(db_user)
else
# if password is in plain-text, convert to MD5 format before doing comparison
hashed = Digest::MD5.hexdigest("#{db_pass}#{db_user}")
"md5#{hashed}" == user_hashed_password(db_user)
end
end
# Parses hash-type content from PostgreSQL and returns a Ruby hash
#
# @param [String] raw_content from command-line output
# @return [Hash] hash with key and values from parsed content
def parse_pghash(raw_content)
parse_pghash_pairs(raw_content).each_with_object({}) do |pair, hash|
key, value = parse_pghash_key_value(pair)
hash[key.to_sym] = value
end
end
def node_attributes
node_attribute_key = SettingsDSL::Utils.node_attribute_key(service_name)
return node['gitlab'][node_attribute_key] if node['gitlab'].key?(node_attribute_key)
node[node_attribute_key]
end
def is_standby?
%w(recovery.signal standby.signal).each do |standby_file|
return true if ::File.exist?(::File.join(node_attributes['dir'], 'data', standby_file))
end
false
end
alias_method :replica?, :is_standby?
def is_offline_or_readonly?
!is_running? || is_standby?
end
# Returns an array of function names for the given database
#
# Uses the `\df` PostgreSQL command to generate a list of functions and their
# attributes, then cuts out only the function names.
#
# @param database [String] the name of the database
# @return [Array] the list of functions associated with the database
def list_functions(database)
do_shell_out(
%(/opt/gitlab/bin/#{service_cmd} -d #{database} -c '\\df' -tA -F, | cut -d, -f2)
).stdout.split("\n")
end
def has_function?(database, function)
list_functions(database).include?(function)
end
def bootstrapped?
node_attribute_key = SettingsDSL::Utils.node_attribute_key(service_name)
# As part of https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2078 services are
# being split to their own dedicated cookbooks, and attributes are being moved from
# node['gitlab'][service_name] to node[service_name]. Until they've been moved, we
# need to check both.
return File.exist?(File.join(node['gitlab'][node_attribute_key]['dir'], 'data', 'PG_VERSION')) if node['gitlab'].key?(node_attribute_key)
File.exist?(File.join(node[node_attribute_key]['dir'], 'data', 'PG_VERSION'))
end
def psql_cmd(cmd_list)
cmd = ["/opt/gitlab/bin/#{service_cmd}", cmd_list.join(' ')].join(' ')
success?(cmd)
end
# Return the results of a psql query
# - db_name: Name of the database to query
# - query: SQL query to run
def psql_query(db_name, query)
psql_query_raw(db_name, query).stdout.chomp
end
# Get the Mixlib::ShellOut object containing the command results.
# Allows for more fine-grained error handling
# - db_name: Name of the database to query
# - query: SQL query to run
def psql_query_raw(db_name, query)
do_shell_out(
%(/opt/gitlab/bin/#{service_cmd} -d '#{db_name}' -c "#{query}" -tA)
)
end
def version
PGVersion.parse(VersionHelper.version('/opt/gitlab/embedded/bin/psql --version').split.last)
end
def running_version
PGVersion.parse(psql_query('template1', 'SHOW SERVER_VERSION'))
end
def database_version
node_attribute_key = SettingsDSL::Utils.node_attribute_key(service_name)
# As part of https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2078 services are
# being split to their own dedicated cookbooks, and attributes are being moved from
# node['gitlab'][service_name] to node[service_name]. Until they've been moved, we
# need to check both.
version_file = node['gitlab'].key?(node_attribute_key) ? "#{@node['gitlab'][node_attribute_key]['dir']}/data/PG_VERSION" : "#{@node[node_attribute_key]['dir']}/data/PG_VERSION"
PGVersion.new(File.read(version_file).chomp) if File.exist?(version_file)
end
def pg_shadow_lookup
<<-EOF
CREATE OR REPLACE FUNCTION public.pg_shadow_lookup(in i_username text, out username text, out password text) RETURNS record AS $$
BEGIN
SELECT usename, passwd FROM pg_catalog.pg_shadow
WHERE usename = i_username INTO username, password;
RETURN;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
REVOKE ALL ON FUNCTION public.pg_shadow_lookup(text) FROM public, pgbouncer;
GRANT EXECUTE ON FUNCTION public.pg_shadow_lookup(text) TO pgbouncer;
EOF
end
def service_name
raise NotImplementedError
end
def service_cmd
raise NotImplementedError
end
def delegate_service_name
'patroni'
end
def delegated?
# When Patroni is enabled, the configuration of the PostgreSQL instance must be delegated to it.
# The PostgreSQL cookbook skips some of the steps that must be done either during or after
# Patroni bootstrapping.
node['patroni']['enable']
end
def config_dir
::File.join(node['patroni']['enable'] ? node['patroni']['dir'] : node['postgresql']['dir'], 'data')
end
def postgresql_config
::File.join(config_dir, "postgresql#{node['patroni']['enable'] ? '.base' : ''}.conf")
end
def postgresql_runtime_config
::File.join(config_dir, 'runtime.conf')
end
def pg_hba_config
::File.join(config_dir, 'pg_hba.conf')
end
def pg_ident_config
::File.join(config_dir, 'pg_ident.conf')
end
def geo_config
::File.join(config_dir, 'gitlab-geo.conf')
end
def ssl_cert_file
::File.absolute_path(node['postgresql']['ssl_cert_file'], config_dir)
end
def ssl_key_file
::File.absolute_path(node['postgresql']['ssl_key_file'], config_dir)
end
private
def stringify_hash_values(options)
options.each_with_object({}) { |(k, v), hash| hash[k] = v.to_s }
end
def parse_pghash_pairs(raw_content)
raw_content.gsub(PG_HASH_PATTERN) { Regexp.last_match(1) }
.split(PG_HASH_PAIR_SEPARATOR)
end
def parse_pghash_key_value(pair)
pair.gsub(PG_HASH_PAIR_ESCAPED_PATTERN, '')
.gsub(PG_ESCAPED_DOUBLE_QUOTE_PATTERN, '"')
.gsub(PG_ESCAPED_BACKSLASH_PATTERN, '')
.split(PG_HASH_KEY_VALUE_SEPARATOR)
end
end
require_relative 'base_pg_helper'
# Helper class to interact with bundled Geo PostgreSQL instance
class GeoPgHelper < BasePgHelper
# internal name for the service (node[service_name])
def service_name
'geo-postgresql'
end
# command wrapper name
def service_cmd
'gitlab-geo-psql'
end
private
def connection_info
build_connection_info(
node['gitlab']['geo_secondary']['db_database'],
node['gitlab']['geo_postgresql']['unix_socket_directory'],
node['gitlab']['geo_postgresql']['port'],
node['gitlab']['geo_postgresql']['sql_user']
)
end
end
require_relative 'base_helper'
class GitlabRailsHelper < BaseHelper
attr_accessor :node
def public_attributes
{
'gitlab' => {
'gitlab_rails' => node['gitlab']['gitlab_rails'].select do |key, value|
%w(db_database).include?(key)
end.merge(
'databases' => node['gitlab']['gitlab_rails']['databases'].transform_values do |value|
value['db_database']
end
)
}
}
end
end
class GitlabRailsEnvHelper
class << self
# Get the db version from the rails environment
def db_version
PGVersion.parse(execute_rails_ruby(db_version_command).lines.last.chomp)
end
def db_version_command
%w(
require "yaml";
require "active_record";
ActiveRecord::Base.establish_connection(YAML.load_file("config/database.yml")["production"]["main"]);
version_row = ActiveRecord::Base.connection.execute("SELECT VERSION()").first;
puts version_row["version"].match(Regexp.new("\\\A(?:PostgreSQL |)([^\\\s]+).*\\\z"))[1];
).join(' ')
end
# Get the path to Gemfile from bundle config file which is generated at build time
def bundle_gemfile(source_dir)
gemfile = "#{source_dir}/Gemfile"
pattern = /BUNDLE_GEMFILE: "(.*)"/
begin
File.open("#{source_dir}/.bundle/config") do |config_file|
config_file.each do |line|
if line.match(pattern)
gemfile = "#{source_dir}/#{line[pattern, 1]}"
break
end
end
end
rescue Errno::ENOENT
gemfile
end
gemfile
end
def execute_rails_ruby(cmd)
run_shell = Mixlib::ShellOut.new(%W(
/opt/gitlab/bin/gitlab-ruby
-e '#{cmd}'
).join(" "))
run_shell.run_command
run_shell.error!
run_shell.stdout
end
end
end
require_relative 'base_helper'
class GitlabWorkhorseHelper < BaseHelper
attr_reader :node
def unix_socket?
node['gitlab']['gitlab_workhorse']['listen_network'] == "unix"
end
def object_store_toml
object_store = node['gitlab']['gitlab_rails']['object_store']
return unless object_store['enabled']
case object_store.dig('connection', 'provider')
when 'AWS'
<<~AWSCFG
[object_storage]
provider = "AWS"
[object_storage.s3]
aws_access_key_id = #{toml_string(object_store.dig('connection', 'aws_access_key_id'))}
aws_secret_access_key = #{toml_string(object_store.dig('connection', 'aws_secret_access_key'))}
AWSCFG
when 'AzureRM'
<<~AZURECFG
[object_storage]
provider = "AzureRM"
[object_storage.azurerm]
azure_storage_account_name = #{toml_string(object_store.dig('connection', 'azure_storage_account_name'))}
azure_storage_access_key = #{toml_string(object_store.dig('connection', 'azure_storage_access_key'))}
AZURECFG
when 'Google'
google_config_from(object_store)
end
end
private
def toml_string(str)
(str || '').to_json
end
def google_config_from(object_store)
connection = object_store['connection']
return unless connection['google_application_default'] ||
connection['google_json_key_string'] ||
connection['google_json_key_location']
result = <<~GOOGLECFG
[object_storage]
provider = "Google"
GOOGLECFG
if connection['google_application_default']
value = connection['google_application_default']
result << <<~GOOGLECFG
[object_storage.google]
google_application_default = #{toml_string(value)}
GOOGLECFG
elsif connection['google_json_key_string']
value = connection['google_json_key_string']
result << <<~GOOGLECFG
[object_storage.google]
google_json_key_string = '''#{value}'''
GOOGLECFG
elsif connection['google_json_key_location']
value = connection['google_json_key_location']
result << <<~GOOGLECFG
[object_storage.google]
google_json_key_location = #{toml_string(value)}
GOOGLECFG
end
result
end
end
module MetricsExporterHelper
def check_consistent_exporter_tls_settings(target)
return unless metrics_enabled? && metrics_tls_enabled?
%w(exporter_tls_cert_path exporter_tls_key_path).each do |required_setting|
raise "#{target.capitalize} exporter_tls_enabled is true, but #{required_setting} is not set" unless user_config_or_default(required_setting)
end
end
def metrics_tls_enabled?
user_config_or_default('exporter_tls_enabled')
end
def user_config_or_default(key)
# Note that we must not use an `a || b` truthiness check here since that would mean a `false`
# user setting would fall back to the default, which is not what we want.
user_config[key].nil? ? default_config[key] : user_config[key]
end
end
require_relative 'base_pg_helper'
# Helper class to interact with bundled PostgreSQL instance
class PgHelper < BasePgHelper
# internal name for the service (node[service_name])
def service_name
'postgresql'
end
# command wrapper name
def service_cmd
'gitlab-psql'
end
def public_attributes
# Attributes which should be considered ok for other services to know
attributes = %w(
dir
unix_socket_directory
port
)
{
service_name => node[service_name].select do |key, value|
attributes.include?(key)
end
}
end
# Overrides the definition in BasePgHelper to handle scenarios where
# PostgreSQL is delegated to Patroni.
def is_running?
omnibus_helper = OmnibusHelper.new(node)
omnibus_helper.service_up?(service_name) || (delegated? && omnibus_helper.service_up?(delegate_service_name) && is_ready?)
end
private
def connection_info
build_connection_info(
node['gitlab']['gitlab_rails']['db_database'],
node['postgresql']['unix_socket_directory'],
node['postgresql']['port'],
node['postgresql']['sql_user']
)
end
end