From 8fc419e273e4979e11e98d145693052e06bba211 Mon Sep 17 00:00:00 2001
From: Salt
Date: Thu, 23 Jul 2020 21:37:49 -0500
Subject: [PATCH] Remove postfix, gitlab, and some defunct templates

---
 roles/gitlab/files/gitlab.yml | 1374 -----------------
 roles/gitlab/files/puma.rb | 78 -
 roles/gitlab/files/rack_attack.rb | 29 -
 roles/gitlab/files/resque.yml | 34 -
 roles/gitlab/files/secrets.yml | 12 -
 roles/gitlab/meta/main.yml | 9 -
 roles/gitlab/tasks/main.yml | 161 --
 roles/gitlab/templates/apache2-vhost-ssl.conf | 41 -
 roles/gitlab/templates/database.yml | 10 -
 roles/postfix-null/meta/main.yml | 2 -
 roles/postfix-null/tasks/main.yml | 14 -
 roles/postfix-null/templates/main.cf | 6 -
 roles/redis/templates/main.cf | 5 -
 13 files changed, 1775 deletions(-)
delete mode 100644 roles/gitlab/files/gitlab.yml
delete mode 100644 roles/gitlab/files/puma.rb
delete mode 100644 roles/gitlab/files/rack_attack.rb
delete mode 100644 roles/gitlab/files/resque.yml
delete mode 100644 roles/gitlab/files/secrets.yml
delete mode 100644 roles/gitlab/meta/main.yml
delete mode 100644 roles/gitlab/tasks/main.yml
delete mode 100644 roles/gitlab/templates/apache2-vhost-ssl.conf
delete mode 100644 roles/gitlab/templates/database.yml
delete mode 100644 roles/postfix-null/meta/main.yml
delete mode 100644 roles/postfix-null/tasks/main.yml
delete mode 100644 roles/postfix-null/templates/main.cf
delete mode 100644 roles/redis/templates/main.cf

diff --git a/roles/gitlab/files/gitlab.yml b/roles/gitlab/files/gitlab.yml
deleted file mode 100644
index 0edd835..0000000
--- a/roles/gitlab/files/gitlab.yml
+++ /dev/null
@@ -1,1374 +0,0 @@ -# # # # # # # # # # # # # # # # # # -# GitLab application config file # -# # # # # # # # # # # # # # # # # # -# -########################### NOTE ##################################### -# This file should not receive new settings. All configuration options # -# * are being moved to ApplicationSetting model! # -# If a setting requires an application restart say so in that screen. # -# If you change this file in a Merge Request, please also create # -# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. # -# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md # -######################################################################## -# -# -# How to use: -# 1. Copy file as gitlab.yml -# 2. Update gitlab -> host with your fully qualified domain name -# 3. Update gitlab -> email_from -# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git -# IMPORTANT: If Git was installed in a different location use that instead. -# You can check with `which git`. If a wrong path of Git is specified, it will -# result in various issues such as failures of GitLab CI builds. -# 5. Review this configuration file for other settings you may want to adjust - -production: &base - # - # 1. GitLab app settings - # ========================== - - ## GitLab settings - gitlab: - ## Web server settings (note: host is the FQDN, do not include http://) - host: localhost - port: 8086 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details - https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details - # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout. 
- # Default is 95% of the worker timeout - max_request_duration_seconds: 57 - - # Uncomment this line below if your ssh host is different from HTTP/HTTPS one - # (you'd obviously need to replace ssh.host_example.com with your own host). - # Otherwise, ssh host will be set to the `host:` value above - # ssh_host: ssh.host_example.com - - # Relative URL support - # WARNING: We recommend using an FQDN to host GitLab in a root path instead - # of using a relative URL. - # Documentation: http://doc.gitlab.com/ce/install/relative_url.html - # Uncomment and customize the following line to run in a non-root path - # - # relative_url_root: /gitlab - - # Content Security Policy - # See https://guides.rubyonrails.org/security.html#content-security-policy - content_security_policy: - enabled: true - report_only: false - directives: - base_uri: - child_src: - connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*" - default_src: "'self'" - font_src: - form_action: - frame_ancestors: "'self'" - frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com" - img_src: "* data: blob:" - manifest_src: - media_src: - object_src: "'none'" - script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" - style_src: "'self' 'unsafe-inline'" - worker_src: "'self' blob:" - report_uri: - - # Trusted Proxies - # Customize if you have GitLab behind a reverse proxy which is running on a different machine. - # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. 
- trusted_proxies: - # Examples: - #- 192.168.1.0/24 - #- 192.168.2.1 - #- 2001:0db8::/32 - - # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') - # user: git - - ## Date & Time settings - # Uncomment and customize if you want to change the default time zone of GitLab application. - # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production` - # time_zone: 'UTC' - - ## Email settings - # Uncomment and set to false if you need to disable email sending from GitLab (default: true) - # email_enabled: true - # Email address used in the "From" field in mails sent by GitLab - email_from: git@9iron.club - email_display_name: GitLab - email_reply_to: noreply@9iron.club - email_subject_suffix: '' - email_smime: - # Uncomment and set to true if you need to enable email S/MIME signing (default: false) - # enabled: false - # S/MIME private key file in PEM format, unencrypted - # Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app). - # key_file: /home/git/gitlab/.gitlab_smime_key - # S/MIME public certificate key in PEM format, will be attached to signed messages - # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app). - # cert_file: /home/git/gitlab/.gitlab_smime_cert - - # Email server smtp settings are in config/initializers/smtp_settings.rb.sample - - # default_can_create_group: false # default: true - # username_changing_enabled: false # default: true - User can change their username/namespace - ## Default theme ID - ## 1 - Indigo - ## 2 - Dark - ## 3 - Light - ## 4 - Blue - ## 5 - Green - ## 6 - Light Indigo - ## 7 - Light Blue - ## 8 - Light Green - ## 9 - Red - ## 10 - Light Red - # default_theme: 1 # default: 1 - - ## Automatic issue closing - # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. 
- # This happens when the commit is pushed or merged into the default branch of a project. - # When not specified the default issue_closing_pattern as specified below will be used. - # Tip: you can test your closing pattern at http://rubular.com. - # issue_closing_pattern: '\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)' - - ## Default project features settings - default_projects_features: - issues: true - merge_requests: true - wiki: true - snippets: true - builds: true - container_registry: true - - ## Webhook settings - # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) - # webhook_timeout: 10 - - ### GraphQL Settings - # Tells the rails application how long it has to complete a GraphQL request. - # We suggest this value to be higher than the database timeout value - # and lower than the worker timeout set in unicorn/puma. (default: 30) - # graphql_timeout: 30 - - ## Repository downloads directory - # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory. - # The default is 'shared/cache/archive/' relative to the root of the Rails app. - # repository_downloads_path: shared/cache/archive/ - - ## Impersonation settings - impersonation_enabled: true - - ## Disable jQuery and CSS animations - # disable_animations: true - - ## Reply by email - # Allow users to comment on issues and merge requests by replying to notification emails. - # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html - incoming_email: - enabled: false - - # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to. - # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`). 
- # Please be aware that a placeholder is required for the Service Desk feature to work. - address: "gitlab-incoming+%{key}@gmail.com" - - # Email account username - # With third party providers, this is usually the full email address. - # With self-hosted email servers, this is usually the user part of the email address. - user: "gitlab-incoming@gmail.com" - # Email account password - password: "[REDACTED]" - - # IMAP server host - host: "imap.gmail.com" - # IMAP server port - port: 993 - # Whether the IMAP server uses SSL - ssl: true - # Whether the IMAP server uses StartTLS - start_tls: false - - # The mailbox where incoming mail will end up. Usually "inbox". - mailbox: "inbox" - # The IDLE command timeout. - idle_timeout: 60 - # The log file path for the structured log file. - # Since `mail_room` is run independently of Rails, an absolute path is preferred. - # The default is 'log/mail_room_json.log' relative to the root of the Rails app. - # - # log_path: log/mail_room_json.log - - ## Build Artifacts - artifacts: - enabled: true - # The location where build artifacts are stored (default: shared/artifacts). - # path: shared/artifacts - # object_store: - # enabled: false - # remote_directory: artifacts # The bucket name - # background_upload: false # Temporary option to limit automatic upload (Default: true) - # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage - # connection: - # provider: AWS # Only AWS supported at the moment - # aws_access_key_id: AWS_ACCESS_KEY_ID - # aws_secret_access_key: AWS_SECRET_ACCESS_KEY - # region: us-east-1 - # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. - # endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces - - ## Merge request external diff storage - external_diffs: - # If disabled (the default), the diffs are in-database. 
Otherwise, they can - # be stored on disk, or in object storage - enabled: false - # The location where external diffs are stored (default: shared/lfs-external-diffs). - # storage_path: shared/external-diffs - # object_store: - # enabled: false - # remote_directory: external-diffs - # background_upload: false - # proxy_download: false - # connection: - # provider: AWS - # aws_access_key_id: AWS_ACCESS_KEY_ID - # aws_secret_access_key: AWS_SECRET_ACCESS_KEY - # region: us-east-1 - - ## Git LFS - lfs: - enabled: false - # The location where LFS objects are stored (default: shared/lfs-objects). - # storage_path: shared/lfs-objects - object_store: - enabled: false - remote_directory: lfs-objects # Bucket name - # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - # background_upload: false # Temporary option to limit automatic upload (Default: true) - # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage - connection: - provider: AWS - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - # Use the following options to configure an AWS compatible host - # host: 'localhost' # default: s3.amazonaws.com - # endpoint: 'http://127.0.0.1:9000' # default: nil - # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. - # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - - ## Uploads (attachments, avatars, etc...) - uploads: - # The location where uploads objects are stored (default: public/). 
- # storage_path: public/ - # base_dir: uploads/-/system - object_store: - enabled: false - remote_directory: uploads # Bucket name - # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - # background_upload: false # Temporary option to limit automatic upload (Default: true) - # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage - connection: - provider: AWS - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. - region: us-east-1 - # host: 'localhost' # default: s3.amazonaws.com - # endpoint: 'http://127.0.0.1:9000' # default: nil - # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - - ## Packages (maven repository, npm registry, etc...) - packages: - enabled: true - # The location where build packages are stored (default: shared/packages). - # storage_path: shared/packages - object_store: - enabled: false - remote_directory: packages # The bucket name - # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - # background_upload: false # Temporary option to limit automatic upload (Default: true) - # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage - connection: - provider: AWS - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - # host: 'localhost' # default: s3.amazonaws.com - # endpoint: 'http://127.0.0.1:9000' # default: nil - # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. 
- # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - - ## Dependency Proxy - dependency_proxy: - enabled: false - # The location where build packages are stored (default: shared/dependency_proxy). - # storage_path: shared/dependency_proxy - object_store: - enabled: false - remote_directory: dependency_proxy # The bucket name - # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - # background_upload: false # Temporary option to limit automatic upload (Default: true) - # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage - connection: - provider: AWS - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - # host: 'localhost' # default: s3.amazonaws.com - # endpoint: 'http://127.0.0.1:9000' # default: nil - # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. - # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - - ## Terraform state - terraform_state: - enabled: false - # The location where Terraform state files are stored (default: shared/terraform_state). - # storage_path: shared/terraform_state - object_store: - enabled: false - remote_directory: terraform_state # The bucket name - connection: - provider: AWS - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - # host: 'localhost' # default: s3.amazonaws.com - # endpoint: 'http://127.0.0.1:9000' # default: nil - # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. - # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - - ## GitLab Pages - pages: - enabled: false - access_control: false - # The location where pages are stored (default: shared/pages). 
- # path: shared/pages - - # The domain under which the pages are served: - # http://group.example.com/project - # or project path can be a group page: group.example.com - host: example.com - port: 80 # Set to 443 if you serve the pages with HTTPS - https: false # Set to true if you serve the pages with HTTPS - artifacts_server: true # Set to false if you want to disable online view of HTML artifacts - # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages - # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages - - # File that contains the shared secret key for verifying access for gitlab-pages. - # Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app). - # secret_file: /home/git/gitlab/.gitlab_pages_secret - - ## Mattermost - ## For enabling Add to Mattermost button - mattermost: - enabled: false - host: 'https://mattermost.example.com' - - ## Gravatar - ## If using gravatar.com, there's nothing to change here. For Libravatar - ## you'll need to provide the custom URLs. For more information, - ## see: https://docs.gitlab.com/ee/customization/libravatar.html - gravatar: - # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username} - # plain_url: "http://..." # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon - # ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon - - ## Sidekiq - sidekiq: - log_format: json # (default is the original format) - - ## Auxiliary jobs - # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc. 
- # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job - cron_jobs: - # Flag stuck CI jobs as failed - stuck_ci_jobs_worker: - cron: "0 * * * *" - # Execute scheduled triggers - pipeline_schedule_worker: - cron: "19 * * * *" - # Remove expired build artifacts - expire_build_artifacts_worker: - cron: "50 * * * *" - # Stop expired environments - environments_auto_stop_cron_worker: - cron: "24 * * * *" - # Periodically run 'git fsck' on all repositories. If started more than - # once per hour you will have concurrent 'git fsck' jobs. - repository_check_worker: - cron: "20 * * * *" - # Archive live traces which have not been archived yet - ci_archive_traces_cron_worker: - cron: "17 * * * *" - # Send admin emails once a week - admin_email_worker: - cron: "0 0 * * 0" - # Send emails for personal tokens which are about to expire - personal_access_tokens_expiring_worker: - cron: "0 1 * * *" - - # Remove outdated repository archives - repository_archive_cache_worker: - cron: "0 * * * *" - - # Verify custom GitLab Pages domains - pages_domain_verification_cron_worker: - cron: "*/15 * * * *" - - # Periodically migrate diffs from the database to external storage - schedule_migrate_external_diffs_worker: - cron: "15 * * * *" - - # GitLab EE only jobs. These jobs are automatically enabled for an EE - # installation, and ignored for a CE installation. - ee_cron_jobs: - # Snapshot active users statistics - historical_data_worker: - cron: "0 12 * * *" - - # In addition to refreshing users when they log in, - # periodically refresh LDAP users membership. - # NOTE: This will only take effect if LDAP is enabled - ldap_sync_worker: - cron: "30 1 * * *" - - # Periodically refresh LDAP groups membership. 
- # NOTE: This will only take effect if LDAP is enabled - ldap_group_sync_worker: - cron: "0 * * * *" - - # GitLab Geo metrics update worker - # NOTE: This will only take effect if Geo is enabled - geo_metrics_update_worker: - cron: "*/1 * * * *" - - # GitLab Geo prune event log worker - # NOTE: This will only take effect if Geo is enabled (primary node only) - geo_prune_event_log_worker: - cron: "*/5 * * * *" - - # GitLab Geo repository sync worker - # NOTE: This will only take effect if Geo is enabled (secondary nodes only) - geo_repository_sync_worker: - cron: "*/1 * * * *" - - # GitLab Geo registry backfill worker - # NOTE: This will only take effect if Geo is enabled (secondary nodes only) - geo_secondary_registry_consistency_worker: - cron: "* * * * *" - - # GitLab Geo file download dispatch worker - # NOTE: This will only take effect if Geo is enabled (secondary nodes only) - geo_file_download_dispatch_worker: - cron: "*/1 * * * *" - - # GitLab Geo migrated local files clean up worker - # NOTE: This will only take effect if Geo is enabled (secondary nodes only) - geo_migrated_local_files_clean_up_worker: - cron: "15 */6 * * *" - - # Export pseudonymized data in CSV format for analysis - pseudonymizer_worker: - cron: "0 * * * *" - - # Elasticsearch bulk updater for incremental updates. - # NOTE: This will only take effect if elasticsearch is enabled. - elastic_index_bulk_cron_worker: - cron: "*/1 * * * *" - - # Elasticsearch metrics - # NOTE: This will only take effect if Elasticsearch is enabled. 
- elastic_metrics_update_worker: - cron: "*/1 * * * *" - - registry: - # enabled: true - # host: registry.example.com - # port: 5005 - # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API - # key: config/registry.key - # path: shared/registry - # issuer: gitlab-issuer - # notification_secret: '' # only set it when you use Geo replication feature without built-in Registry - - # Add notification settings if you plan to use Geo Replication for the registry - # notifications: - # - name: geo_event - # url: https://example.com/api/v4/container_registry_event/events - # timeout: 2s - # threshold: 5 - # backoff: 1s - # headers: - # Authorization: secret_phrase - - ## Error Reporting and Logging with Sentry - sentry: - # enabled: false - # dsn: https://@sentry.io/ - # clientside_dsn: https://@sentry.io/ - # environment: 'production' # e.g. development, staging, production - - ## Geo - # NOTE: These settings will only take effect if Geo is enabled - geo: - # This is an optional identifier which Geo nodes can use to identify themselves. - # For example, if external_url is the same for two secondaries, you must specify - # a unique Geo node name for those secondaries. - # - # If it is blank, it defaults to external_url. - node_name: '' - - registry_replication: - # enabled: true - # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API - - ## Feature Flag https://docs.gitlab.com/ee/user/project/operations/feature_flags.html - feature_flags: - unleash: - # enabled: false - # url: https://gitlab.com/api/v4/feature_flags/unleash/ - # app_name: gitlab.com # Environment name of your GitLab instance - # instance_id: INSTANCE_ID - - # - # 2. 
GitLab CI settings - # ========================== - - gitlab_ci: - # Default project notifications settings: - # - # Send emails only on broken builds (default: true) - # all_broken_builds: true - # - # Add pusher to recipients list (default: false) - # add_pusher: true - - # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root - # builds_path: builds/ - - # - # 3. Auth settings - # ========================== - - ## LDAP settings - # You can test connections and inspect a sample of the LDAP users with login - # access by running: - # bundle exec rake gitlab:ldap:check RAILS_ENV=production - ldap: - enabled: false - prevent_ldap_sign_in: false - - # This setting controls the number of seconds between LDAP permission checks - # for each user. After this time has expired for a given user, their next - # interaction with GitLab (a click in the web UI, a git pull, etc.) will be - # slower because the LDAP permission check is being performed. How much - # slower depends on your LDAP setup, but it is not uncommon for this check - # to add seconds of waiting time. The default value is to have a "slow - # click" once every 3600 seconds (i.e., once per hour). - # - # Warning: if you set this value too low, every click in GitLab will be a - # "slow click" for all of your LDAP users. - # sync_time: 3600 - - servers: - ########################################################################## - # - # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab - # Enterprise Edition now supports connecting to multiple LDAP servers. - # - # If you are updating from the old (pre-7.4) syntax, you MUST give your - # old server the ID 'main'. - # - ########################################################################## - main: # 'main' is the GitLab 'provider ID' of this LDAP server - ## label - # - # A human-friendly name for your LDAP server. 
It is OK to change the label later, - # for instance if you find out it is too large to fit on the web page. - # - # Example: 'Paris' or 'Acme, Ltd.' - label: 'LDAP' - - # Example: 'ldap.mydomain.com' - host: '_your_ldap_server' - # This port is an example, it is sometimes different but it is always an integer and not a string - port: 389 # usually 636 for SSL - uid: 'sAMAccountName' # This should be the attribute, not the value that maps to uid. - - # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com' - bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' - password: '_the_password_of_the_bind_user' - - # Encryption method. The "method" key is deprecated in favor of - # "encryption". - # - # Examples: "start_tls" or "simple_tls" or "plain" - # - # Deprecated values: "tls" was replaced with "start_tls" and "ssl" was - # replaced with "simple_tls". - # - encryption: 'plain' - - # Enables SSL certificate verification if encryption method is - # "start_tls" or "simple_tls". Defaults to true. - verify_certificates: true - - # OpenSSL::SSL::SSLContext options. - tls_options: - # Specifies the path to a file containing a PEM-format CA certificate, - # e.g. if you need to use an internal CA. - # - # Example: '/etc/ca.pem' - # - ca_file: '' - - # Specifies the SSL version for OpenSSL to use, if the OpenSSL default - # is not appropriate. - # - # Example: 'TLSv1_1' - # - ssl_version: '' - - # Specific SSL ciphers to use in communication with LDAP servers. - # - # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2' - ciphers: '' - - # Client certificate - # - # Example: - # cert: | - # -----BEGIN CERTIFICATE----- - # MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ - # bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE - # CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4 - # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl - # ... 
- # 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80 - # Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg== - # -----END CERTIFICATE ----- - cert: '' - - # Client private key - # key: | - # -----BEGIN PRIVATE KEY----- - # MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6 - # bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN - # 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C - # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl - # ... - # +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9 - # l6RG+a/mW+0rCWn8JAd464Ps9hE= - # -----END PRIVATE KEY----- - key: '' - - # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking - # a request if the LDAP server becomes unresponsive. - # A value of 0 means there is no timeout. - timeout: 10 - - # Enable smartcard authentication against the LDAP server. Valid values - # are "false", "optional", and "required". - smartcard_auth: false - - # This setting specifies if LDAP server is Active Directory LDAP server. - # For non AD servers it skips the AD specific queries. - # If your LDAP server is not AD, set this to false. - active_directory: true - - # If allow_username_or_email_login is enabled, GitLab will ignore everything - # after the first '@' in the LDAP username submitted by the user on login. - # - # Example: - # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; - # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. - # - # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to - # disable this setting, because the userPrincipalName contains an '@'. - allow_username_or_email_login: false - - # To maintain tight control over the number of active users on your GitLab installation, - # enable this setting to keep new users blocked until they have been cleared by the admin - # (default: false). 
- block_auto_created_users: false - - # Base where we can search for users - # - # Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com' - # - base: '' - - # Filter LDAP users - # - # Format: RFC 4515 https://tools.ietf.org/search/rfc4515 - # Ex. (employeeType=developer) - # - # Note: GitLab does not support omniauth-ldap's custom filter syntax. - # - # Example for getting only specific users: - # '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))' - # - user_filter: '' - - # Base where we can search for groups - # - # Ex. ou=Groups,dc=gitlab,dc=example - # - group_base: '' - - # LDAP group of users who should be admins in GitLab - # - # Ex. GLAdmins - # - admin_group: '' - - # LDAP group of users who should be marked as external users in GitLab - # - # Ex. ['Contractors', 'Interns'] - # - external_groups: [] - - # Name of attribute which holds a ssh public key of the user object. - # If false or nil, SSH key syncronisation will be disabled. - # - # Ex. sshpublickey - # - sync_ssh_keys: false - - # LDAP attributes that GitLab will use to create an account for the LDAP user. - # The specified attribute can either be the attribute name as a string (e.g. 'mail'), - # or an array of attribute names to try in order (e.g. ['mail', 'email']). - # Note that the user's LDAP login will always be the attribute specified as `uid` above. - attributes: - # The username will be used in paths for the user's own projects - # (like `gitlab.example.com/username/project`) and when mentioning - # them in issues, merge request and comments (like `@username`). - # If the attribute specified for `username` contains an email address, - # the GitLab username will be the part of the email address before the '@'. 
- username: ['uid', 'userid', 'sAMAccountName'] - email: ['mail', 'email', 'userPrincipalName'] - - # If no full name could be found at the attribute specified for `name`, - # the full name is determined using the attributes specified for - # `first_name` and `last_name`. - name: 'cn' - first_name: 'givenName' - last_name: 'sn' - - # If lowercase_usernames is enabled, GitLab will lower case the username. - lowercase_usernames: false - - # GitLab EE only: add more LDAP servers - # Choose an ID made of a-z and 0-9 . This ID will be stored in the database - # so that GitLab can remember which LDAP server a user belongs to. - # uswest2: - # label: - # host: - # .... - - ## Smartcard authentication settings - smartcard: - # Allow smartcard authentication - enabled: false - - # Path to a file containing a CA certificate - ca_file: '/etc/ssl/certs/CA.pem' - - # Host and port where the client side certificate is requested by the - # webserver (NGINX/Apache) - # client_certificate_required_host: smartcard.gitlab.example.com - # client_certificate_required_port: 3444 - - # Browser session with smartcard sign-in is required for Git access - # required_for_git_access: false - - # Use X.509 SAN extensions certificates to identify GitLab users - # Add a subjectAltName to your certificates like: email:user - # san_extensions: true - - ## Kerberos settings - kerberos: - # Allow the HTTP Negotiate authentication method for Git clients - enabled: false - - # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user, - # and should be different from other keytabs in the system. - # (default: use default keytab from Krb5 config) - # keytab: /etc/http.keytab - - # The Kerberos service name to be used by GitLab. - # (default: accept any service name in keytab file) - # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM - - # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails. 
- # To support both Basic and Negotiate methods with older versions of Git, configure - # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines - # to dedicate this port to Kerberos authentication. (default: false) - # use_dedicated_port: true - # port: 8443 - # https: true - - ## OmniAuth settings - omniauth: - # Allow login via Twitter, Google, etc. using OmniAuth providers - # enabled: true - - # Uncomment this to automatically sign in with a specific omniauth provider's without - # showing GitLab's sign-in page (default: show the GitLab sign-in page) - # auto_sign_in_with_provider: saml - - # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty). - # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"], - # or as true/false to allow all providers or none. - # When authenticating using LDAP, the user's email is always synced. - # sync_profile_from_provider: [] - - # Select which info to sync from the providers above. (default: email). - # Define the synced profile info using an array. Available options are "name", "email" and "location" - # e.g. ["name", "email", "location"] or as true to sync all available. - # This consequently will make the selected attributes read-only. - # sync_profile_attributes: true - - # CAUTION! - # This allows users to login without having a user account first. Define the allowed providers - # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none. - # User accounts will be created automatically when authentication was successful. - allow_single_sign_on: ["saml"] - - # Locks down those users until they have been cleared by the admin (default: true). - block_auto_created_users: true - # Look up new users in LDAP servers. If a match is found (same uid), automatically - # link the omniauth identity with the LDAP account. 
(default: false) - auto_link_ldap_user: false - - # Allow users with existing accounts to login and auto link their account via SAML - # login, without having to do a manual login first and manually add SAML - # (default: false) - auto_link_saml_user: false - - # Set different Omniauth providers as external so that all users creating accounts - # via these providers will not be able to have access to internal projects. You - # will need to use the full name of the provider, like `google_oauth2` for Google. - # Refer to the examples below for the full names of the supported providers. - # (default: []) - external_providers: [] - - # CAUTION! - # This allows users to login with the specified providers without two factor. Define the allowed providers - # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none. - # This option should only be configured for providers which already have two factor. - # This configration dose not apply to SAML. - # (default: false) - allow_bypass_two_factor: ["twitter", 'google_oauth2'] - - ## Auth providers - # Uncomment the following lines and fill in the data of the auth provider you want to use - # If your favorite auth provider is not listed you can use others: - # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations - # The 'app_id' and 'app_secret' parameters are always passed as the first two - # arguments, followed by optional 'args' which can be either a hash or an array. 
- # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html - providers: - # See omniauth-cas3 for more configuration details - # - { name: 'cas3', - # label: 'cas3', - # args: { - # url: 'https://sso.example.com', - # disable_ssl_verification: false, - # login_url: '/cas/login', - # service_validate_url: '/cas/p3/serviceValidate', - # logout_url: '/cas/logout'} } - # - { name: 'authentiq', - # # for client credentials (client ID and secret), go to https://www.authentiq.com/developers - # app_id: 'YOUR_CLIENT_ID', - # app_secret: 'YOUR_CLIENT_SECRET', - # args: { - # scope: 'aq:name email~rs address aq:push' - # # callback_url parameter is optional except when 'gitlab.host' in this file is set to 'localhost' - # # callback_url: 'YOUR_CALLBACK_URL' - # } - # } - # - { name: 'github', - # app_id: 'YOUR_APP_ID', - # app_secret: 'YOUR_APP_SECRET', - # url: "https://github.com/", - # verify_ssl: true, - # args: { scope: 'user:email' } } - # - { name: 'bitbucket', - # app_id: 'YOUR_APP_ID', - # app_secret: 'YOUR_APP_SECRET' } - # - { name: 'gitlab', - # app_id: 'YOUR_APP_ID', - # app_secret: 'YOUR_APP_SECRET', - # args: { scope: 'api' } } - # - { name: 'google_oauth2', - # app_id: 'YOUR_APP_ID', - # app_secret: 'YOUR_APP_SECRET', - # args: { access_type: 'offline', approval_prompt: '' } } - # - { name: 'facebook', - # app_id: 'YOUR_APP_ID', - # app_secret: 'YOUR_APP_SECRET' } - # - { name: 'twitter', - # app_id: 'YOUR_APP_ID', - # app_secret: 'YOUR_APP_SECRET' } - # - { name: 'jwt', - # args: { - # secret: 'YOUR_APP_SECRET', - # algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512' - # uid_claim: 'email', - # required_claims: ['name', 'email'], - # info_map: { name: 'name', email: 'email' }, - # auth_url: 'https://example.com/', - # valid_within: 3600 # 1 hour - # } - # } - # - { name: 'saml', - # label: 'Our SAML Provider', - # groups_attribute: 'Groups', - # 
external_groups: ['Contractors', 'Freelancers'], - # args: { - # assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback', - # idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8', - # idp_sso_target_url: 'https://login.example.com/idp', - # issuer: 'https://gitlab.example.com', - # name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' - # } } - # - # - { name: 'group_saml' } - # - # - { name: 'crowd', - # args: { - # crowd_server_url: 'CROWD SERVER URL', - # application_name: 'YOUR_APP_NAME', - # application_password: 'YOUR_APP_PASSWORD' } } - # - # - { name: 'auth0', - # args: { - # client_id: 'YOUR_AUTH0_CLIENT_ID', - # client_secret: 'YOUR_AUTH0_CLIENT_SECRET', - # namespace: 'YOUR_AUTH0_DOMAIN' } } - - # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours. - # cas3: - # session_duration: 28800 - - # Shared file storage settings - shared: - # path: /mnt/gitlab # Default: shared - - # Gitaly settings - gitaly: - # Path to the directory containing Gitaly client executables. - client_path: /home/git/gitaly - # Default Gitaly authentication token. Can be overridden per storage. Can - # be left blank when Gitaly is running locally on a Unix socket, which - # is the normal way to deploy Gitaly. - token: - - # - # 4. Advanced settings - # ========================== - - ## Repositories settings - repositories: - # Paths where repositories can be stored. Give the canonicalized absolute pathname. - # IMPORTANT: None of the path components may be symlink, because - # gitlab-shell invokes Dir.pwd inside the repository path and that results - # real path not the symlink. - storages: # You must have at least a `default` storage path. - default: - path: /home/git/repositories/ - gitaly_address: unix:/home/git/gitlab/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). 
TLS connections are also supported using the system certificate pool (eg: tls://host:port). - # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage. - - ## Backup settings - backup: - path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) - # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600) - # keep_time: 604800 # default: 0 (forever) (in seconds) - # pg_schema: public # default: nil, it means that all schemas will be backed up - # upload: - # # Fog storage connection settings, see http://fog.io/storage/ . - # connection: - # provider: AWS - # region: eu-west-1 - # aws_access_key_id: AKIAKIAKI - # aws_secret_access_key: 'secret123' - # # The remote 'directory' to store your backups. For S3, this would be the bucket name. - # remote_directory: 'my.s3.bucket' - # # Use multipart uploads when file size reaches 100MB, see - # # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html - # multipart_chunk_size: 104857600 - # # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional - # # encryption: 'AES256' - # # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional - # # This should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data. - # # 'encryption' must also be set in order for this to have any effect. - # # encryption_key: '' - # # Specifies Amazon S3 storage class to use for backups, this is optional - # # storage_class: 'STANDARD' - - ## Pseudonymizer exporter - pseudonymizer: - # Tables manifest that specifies the fields to extract and pseudonymize. - manifest: config/pseudonymizer.yml - upload: - remote_directory: 'gitlab-elt' - # Fog storage connection settings, see http://fog.io/storage/ . 
- connection: - # provider: AWS - # region: eu-west-1 - # aws_access_key_id: AKIAKIAKI - # aws_secret_access_key: 'secret123' - # # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. - - ## GitLab Shell settings - gitlab_shell: - path: /home/git/gitlab-shell/ - authorized_keys_file: /home/git/.ssh/authorized_keys - - # File that contains the secret key for verifying access for gitlab-shell. - # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app). - # secret_file: /home/git/gitlab/.gitlab_shell_secret - - # Git over HTTP - upload_pack: true - receive_pack: true - - # Git import/fetch timeout, in seconds. Defaults to 3 hours. - # git_timeout: 10800 - - # If you use non-standard ssh port you need to specify it - # ssh_port: 22 - - workhorse: - # File that contains the secret key for verifying access for gitlab-workhorse. - # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). - # secret_file: /home/git/gitlab/.gitlab_workhorse_secret - - ## GitLab Elasticsearch settings - elasticsearch: - indexer_path: /home/git/gitlab-elasticsearch-indexer/ - - ## Git settings - # CAUTION! - # Use the default values unless you really know what you are doing - git: - bin_path: /usr/bin/git - - ## Webpack settings - # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running - # on a given port instead of serving directly from /assets/webpack. This is only indended for use - # in development. 
- webpack: - # dev_server: - # enabled: true - # host: localhost - # port: 3808 - - ## Monitoring - # Built in monitoring settings - monitoring: - # Time between sampling of unicorn socket metrics, in seconds - # unicorn_sampler_interval: 10 - # Time between sampling of Puma metrics, in seconds - # puma_sampler_interval: 5 - # IP whitelist to access monitoring endpoints - ip_whitelist: - - 127.0.0.0/8 - - # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics - sidekiq_exporter: - # enabled: true - # address: localhost - # port: 8082 - - # Web exporter is webserver built in to Unicorn/Puma to expose Prometheus metrics - # It runs alongside the `/metrics` endpoints to ease the publish of metrics - web_exporter: - # enabled: true - # address: localhost - # port: 8083 - - ## Prometheus settings - # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb - # if you installed GitLab via Omnibus. - # If you installed from source, you need to install and configure Prometheus - # yourself, and then update the values here. - # https://docs.gitlab.com/ee/administration/monitoring/prometheus/ - prometheus: - # enable: true - # listen_address: 'localhost:9090' - - shutdown: - # # blackout_seconds: - # # defines an interval to block healthcheck, - # # but continue accepting application requests - # # this allows Load Balancer to notice service - # # being shutdown and not interrupt any of the clients - # blackout_seconds: 10 - - # - # 5. Extra customization - # ========================== - - extra: - ## Google analytics. Uncomment if you want it - # google_analytics_id: '_your_tracking_id' - - ## Piwik analytics. 
- # piwik_url: '_your_piwik_url' - # piwik_site_id: '_your_piwik_site_id' - - rack_attack: - git_basic_auth: - # Rack Attack IP banning enabled - # enabled: true - # - # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers - # ip_whitelist: ["127.0.0.1"] - # - # Limit the number of Git HTTP authentication attempts per IP - # maxretry: 10 - # - # Reset the auth attempt counter per IP after 60 seconds - # findtime: 60 - # - # Ban an IP for one hour (3600s) after too many auth attempts - # bantime: 3600 - -development: - <<: *base - - # We want to run web/sidekiq exporters for devs - # to catch errors from using them. - # - # We use random port to not block ability to run - # multiple instances of the service - monitoring: - sidekiq_exporter: - enabled: true - address: 127.0.0.1 - port: 0 - web_exporter: - enabled: true - address: 127.0.0.1 - port: 0 - -test: - <<: *base - gravatar: - enabled: true - external_diffs: - enabled: false - # Diffs may be `always` external (the default), or they can be made external - # after they have become `outdated` (i.e., the MR is closed or a new version - # has been pushed). - # when: always - # The location where external diffs are stored (default: shared/external-diffs). - # storage_path: shared/external-diffs - object_store: - enabled: false - remote_directory: external-diffs # The bucket name - connection: - provider: AWS # Only AWS supported at the moment - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - lfs: - enabled: false - # The location where LFS objects are stored (default: shared/lfs-objects). 
- # storage_path: shared/lfs-objects - object_store: - enabled: false - remote_directory: lfs-objects # The bucket name - connection: - provider: AWS # Only AWS supported at the moment - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - artifacts: - path: tmp/tests/artifacts - enabled: true - # The location where build artifacts are stored (default: shared/artifacts). - # path: shared/artifacts - object_store: - enabled: false - remote_directory: artifacts # The bucket name - background_upload: false - connection: - provider: AWS # Only AWS supported at the moment - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - uploads: - storage_path: tmp/tests/public - object_store: - enabled: false - connection: - provider: AWS # Only AWS supported at the moment - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - - terraform_state: - enabled: true - storage_path: tmp/tests/terraform_state - object_store: - enabled: false - remote_directory: terraform_state - connection: - provider: AWS # Only AWS supported at the moment - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - - gitlab: - host: localhost - port: 80 - - content_security_policy: - enabled: true - report_only: false - directives: - base_uri: - child_src: - connect_src: - default_src: "'self'" - font_src: - form_action: - frame_ancestors: "'self'" - frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com" - img_src: "* data: blob:" - manifest_src: - media_src: - object_src: "'none'" - script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ 
https://www.gstatic.com/recaptcha/ https://apis.google.com" - style_src: "'self' 'unsafe-inline'" - worker_src: "'self' blob:" - report_uri: - - # When you run tests we clone and set up gitlab-shell - # In order to set it up correctly you need to specify - # your system username you use to run GitLab - # user: YOUR_USERNAME - pages: - path: tmp/tests/pages - repositories: - storages: - default: - path: tmp/tests/repositories/ - gitaly_address: unix:tmp/tests/gitaly/gitaly.socket - - gitaly: - client_path: tmp/tests/gitaly - token: secret - workhorse: - secret_file: tmp/gitlab_workhorse_test_secret - backup: - path: tmp/tests/backups - pseudonymizer: - manifest: config/pseudonymizer.yml - upload: - # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. - remote_directory: gitlab-elt.test - # Fog storage connection settings, see http://fog.io/storage/ - connection: - provider: AWS # Only AWS supported at the moment - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - gitlab_shell: - path: tmp/tests/gitlab-shell/ - authorized_keys_file: tmp/tests/authorized_keys - issues_tracker: - redmine: - title: "Redmine" - project_url: "http://redmine/projects/:issues_tracker_id" - issues_url: "http://redmine/:project_id/:issues_tracker_id/:id" - new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new" - jira: - title: "Jira" - url: https://sample_company.atlassian.net - project_key: PROJECT - - omniauth: - # enabled: true - allow_single_sign_on: true - external_providers: [] - - providers: - - { name: 'cas3', - label: 'cas3', - args: { url: 'https://sso.example.com', - disable_ssl_verification: false, - login_url: '/cas/login', - service_validate_url: '/cas/p3/serviceValidate', - logout_url: '/cas/logout'} } - - { name: 'github', - app_id: 'YOUR_APP_ID', - app_secret: 'YOUR_APP_SECRET', - url: "https://github.com/", - verify_ssl: false, - args: { scope: 'user:email' } } - - { 
name: 'bitbucket',
- app_id: 'YOUR_APP_ID',
- app_secret: 'YOUR_APP_SECRET' }
- - { name: 'gitlab',
- app_id: 'YOUR_APP_ID',
- app_secret: 'YOUR_APP_SECRET',
- args: { scope: 'api' } }
- - { name: 'google_oauth2',
- app_id: 'YOUR_APP_ID',
- app_secret: 'YOUR_APP_SECRET',
- args: { access_type: 'offline', approval_prompt: '' } }
- - { name: 'facebook',
- app_id: 'YOUR_APP_ID',
- app_secret: 'YOUR_APP_SECRET' }
- - { name: 'twitter',
- app_id: 'YOUR_APP_ID',
- app_secret: 'YOUR_APP_SECRET' }
- - { name: 'jwt',
- app_secret: 'YOUR_APP_SECRET',
- args: {
- algorithm: 'HS256',
- uid_claim: 'email',
- required_claims: ["name", "email"],
- info_map: { name: "name", email: "email" },
- auth_url: 'https://example.com/',
- valid_within: null,
- }
- }
- - { name: 'auth0',
- args: {
- client_id: 'YOUR_AUTH0_CLIENT_ID',
- client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
- namespace: 'YOUR_AUTH0_DOMAIN' } }
- - { name: 'authentiq',
- app_id: 'YOUR_CLIENT_ID',
- app_secret: 'YOUR_CLIENT_SECRET',
- args: { scope: 'aq:name email~rs address aq:push' } }
- - { name: 'salesforce',
- app_id: 'YOUR_CLIENT_ID',
- app_secret: 'YOUR_CLIENT_SECRET'
- }
- ldap:
- enabled: false
- servers:
- main:
- label: ldap
- host: 127.0.0.1
- port: 3890
- uid: 'uid'
- encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
- base: 'dc=example,dc=com'
- user_filter: ''
- group_base: 'ou=groups,dc=example,dc=com'
- admin_group: ''
- prometheus:
- enable: true
- listen_address: 'localhost:9090'
-
-staging:
- <<: *base
diff --git a/roles/gitlab/files/puma.rb b/roles/gitlab/files/puma.rb
deleted file mode 100644
index cd7adca..0000000
--- a/roles/gitlab/files/puma.rb
+++ /dev/null
@@ -1,78 +0,0 @@
-# frozen_string_literal: true
-
-# Load "path" as a rackup file.
-#
-# The default is "config.ru".
-#
-rackup 'config.ru'
-pidfile '/home/git/gitlab/tmp/pids/puma.pid'
-state_path '/home/git/gitlab/tmp/pids/puma.state'
-
-stdout_redirect '/home/git/gitlab/log/puma.stdout.log',
- '/home/git/gitlab/log/puma.stderr.log',
- true
-
-# Configure "min" to be the minimum number of threads to use to answer
-# requests and "max" the maximum.
-#
-# The default is "0, 16".
-#
-threads 1, 16
-
-# By default, workers accept all requests and queue them to pass to handlers.
-# When false, workers accept the number of simultaneous requests configured.
-#
-# Queueing requests generally improves performance, but can cause deadlocks if
-# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
-#
-# When set to false this may require a reverse proxy to handle slow clients and
-# queue requests before they reach puma. This is due to disabling HTTP keepalive
-queue_requests false
-
-# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
-# accepted protocols.
-bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'
-
-workers 3
-
-require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events"
-require_relative "/home/git/gitlab/lib/gitlab/cluster/puma_worker_killer_initializer"
-
-on_restart do
- # Signal application hooks that we're about to restart
- Gitlab::Cluster::LifecycleEvents.do_before_master_restart
-end
-
-before_fork do
- # Signal to the puma killer
- Gitlab::Cluster::PumaWorkerKillerInitializer.start @config.options unless ENV['DISABLE_PUMA_WORKER_KILLER']
-
- # Signal application hooks that we're about to fork
- Gitlab::Cluster::LifecycleEvents.do_before_fork
-end
-
-Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options
-on_worker_boot do
- # Signal application hooks of worker start
- Gitlab::Cluster::LifecycleEvents.do_worker_start
-end
-
-# Preload the application before starting the workers; this conflicts with
-# phased restart feature. (off by default)
-preload_app!
-
-tag 'gitlab-puma-worker'
-
-# Verifies that all workers have checked in to the master process within
-# the given timeout. If not the worker process will be restarted. Default
-# value is 60 seconds.
-#
-worker_timeout 60
-
-# Use json formatter
-require_relative "/home/git/gitlab/lib/gitlab/puma_logging/json_formatter"
-
-json_formatter = Gitlab::PumaLogging::JSONFormatter.new
-log_formatter do |str|
- json_formatter.call(str)
-end
\ No newline at end of file
diff --git a/roles/gitlab/files/rack_attack.rb b/roles/gitlab/files/rack_attack.rb
deleted file mode 100644
index 69052c0..0000000
--- a/roles/gitlab/files/rack_attack.rb
+++ /dev/null
@@ -1,29 +0,0 @@
-# 1. Rename this file to rack_attack.rb
-# 2. Review the paths_to_be_protected and add any other path you need protecting
-#
-# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
-
-paths_to_be_protected = [
- "#{Rails.application.config.relative_url_root}/users/password",
- "#{Rails.application.config.relative_url_root}/users/sign_in",
- "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
- "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
- "#{Rails.application.config.relative_url_root}/users",
- "#{Rails.application.config.relative_url_root}/users/confirmation",
- "#{Rails.application.config.relative_url_root}/unsubscribes/",
- "#{Rails.application.config.relative_url_root}/import/github/personal_access_token"
-
-]
-
-# Create one big regular expression that matches strings starting with any of
-# the paths_to_be_protected.
-paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
-rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
-
-unless Rails.env.test? || !rack_attack_enabled
- Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
- if req.post? && req.path =~ paths_regex
- req.ip
- end
- end
-end
diff --git a/roles/gitlab/files/resque.yml b/roles/gitlab/files/resque.yml
deleted file mode 100644
index 0c19d8b..0000000
--- a/roles/gitlab/files/resque.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# If you change this file in a Merge Request, please also create
-# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
-#
-development:
- url: redis://localhost:6379
- # sentinels:
- # -
- # host: localhost
- # port: 26380 # point to sentinel, not to redis port
- # -
- # host: slave2
- # port: 26381 # point to sentinel, not to redis port
-test:
- url: redis://localhost:6379
-production:
- # Redis (single instance)
- url: unix:/var/run/redis/redis.sock
- ##
- # Redis + Sentinel (for HA)
- #
- # Please read instructions carefully before using it as you may lose data:
- # http://redis.io/topics/sentinel
- #
- # You must specify a list of a few sentinels that will handle client connection
- # please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
- ##
- # url: redis://master:6379
- # sentinels:
- # -
- # host: slave1
- # port: 26379 # point to sentinel, not to redis port
- # -
- # host: slave2
- # port: 26379 # point to sentinel, not to redis port
diff --git a/roles/gitlab/files/secrets.yml b/roles/gitlab/files/secrets.yml
deleted file mode 100644
index 6b408ac..0000000
--- a/roles/gitlab/files/secrets.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-production:
- # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
- # If you change or lose this key you will be unable to access variables stored in database.
- # Make sure the secret is at least 30 characters and all random,
- # no regular words or you'll be exposed to dictionary attacks.
- # db_key_base:
-
-development:
- db_key_base: development
-
-test:
- db_key_base: test
diff --git a/roles/gitlab/meta/main.yml b/roles/gitlab/meta/main.yml
deleted file mode 100644
index d2075b5..0000000
--- a/roles/gitlab/meta/main.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-allow_duplicates: no
-dependencies:
- - role: apache-php
- - role: mysql
- - role: redis
- - role: postfix-null
- vars:
- postfix_hostname: "{{ gitlab_url }}"
diff --git a/roles/gitlab/tasks/main.yml b/roles/gitlab/tasks/main.yml
deleted file mode 100644
index 63768fe..0000000
--- a/roles/gitlab/tasks/main.yml
+++ /dev/null
@@ -1,161 +0,0 @@
-#!/usr/bin/ansible-playbook
-# vim:ft=ansible:
----
-- name: Set up webroot for {{ gitlab_repo }}
- block:
- - name: Add repository keys
- apt_key:
- url: "{{ item }}"
- loop:
- - "https://dl.yarnpkg.com/debian/pubkey.gpg"
- - name: Add repositories
- apt_repository:
- repo: "{{ item }}"
- loop:
- - "ppa:brightbox/ruby-ng" # Ruby version in 18.10 is out-of-date per GitLab 12.2
- "deb https://dl.yarnpkg.com/debian/ stable main"
- register: repo
- - name: Update repos
- apt:
- upgrade: "yes"
- update_cache: yes
- when: repo is changed
- - name: Install dependencies
- apt:
- name:
- - build-essential
- - checkinstall
- - cmake
- - curl
- - git
- - git-core
- - golang
- - graphicsmagick
- - libcurl4-openssl-dev
- - libffi-dev
- - libgdbm-dev
- - libicu-dev
- - libncurses5-dev
- - libre2-dev
- - libreadline-dev
- - libssl-dev
- - libxml2-dev
- - libxslt-dev
- - libyaml-dev
- - logrotate
- - nodejs
- - openssh-server
- - pkg-config
- - python-docutils
- - rsync
- - ruby
- - runit
- - yarn
- - zlib1g-dev
- - name: Add gitlab user
- user:
- name: git
- home: "/home/git"
- groups:
- - "redis"
- comment: "GitLab"
- shell: "/usr/sbin/nologin"
- - name: Set up MySQL
- block:
- - name: Create database
- mysql_db:
- name: gitlab
- login_user: root
- login_password: "{{ mysql_root_password }}"
- state: present
- - name: Create Gitlab user
- mysql_user:
- name: gitlab
- host: localhost
- password: "{{ gitlab_mysql_password }}"
- priv: "gitlab.*:ALL,GRANT"
- login_user: root
- login_password: "{{ mysql_root_password }}"
- - name: Clone and build GitLab
- block:
- - name: Clone GitLab
- git:
- depth: 1
- dest: "/home/git/gitlab"
- force: yes
- repo: "https://gitlab.com/gitlab-org/gitlab-foss.git"
- version: 12-10-stable
- - name: Create public directory
- file:
- path: "/home/git/public"
- mode: "0755"
- state: directory
- - name: Create uploads directory
- file:
- path: "/home/git/public/uploads"
- mode: "0700"
- state: directory
- - name: Copy secrets
- copy:
- src: "/home/git/gitlab/config/secrets.yml.example"
- dest: "/home/git/gitlab/config/secrets.yml"
- remote_src: yes
- - name: Copy configs around
- copy:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- loop:
- - { src: "gitlab.yml", dest: "/home/git/gitlab/config/gitlab.yml" }
- - { src: "pumba.rb", dest: "/home/git/gitlab/config/puma.rb" }
- - { src: "rack_attack.rb", dest: "/home/git/gitlab/config/initializers/rack_attack.rb" }
- - { src: "resque.yml", dest: "/home/git/gitlab/config/resque.yml" }
- - name: Change permissions
- file:
- path: "{{ item.src }}"
- state: touch
- mode: "{{ item.mode }}"
- loop:
- - { src: "/home/git/gitlab/log", mode: "u+rwX,go-w" }
- - { src: "/home/git/gitlab/tmp", mode: "u+rwX" }
- - { src: "/home/git/gitlab/tmp/pids", mode: "u+rwX" }
- - { src: "/home/git/gitlab/tmp/sockets", mode: "u+rwX" }
- - { src: "/home/git/gitlab/builds", mode: "u+rwX" }
- - { src: "/home/git/gitlab/shared/artifacts", mode: "u+rwX" }
- - { src: "/home/git/gitlab/shared/pages", mode: "u+rwX" }
- - name: Configure git
- git_config:
- name: "{{ item.name }}"
- value: "{{ item.value }}"
- loop:
- - { name: "core.autocrlf", value: "input" }
- - { name: "gc.auto", value: "0" }
- - { name: "repack.writeBitmaps", value: "true" }
- - { name: "receive.advertisePushOptions", value: "true" }
- - { name: "core.fsyncObjectFiles", value: "true" }
- become: yes
- become_user: git
- - name: Set up Apache
- block:
- - name: Create webroot
- file:
- path: "{{ gitlab_webroot }}"
- src: "/home/git/public"
- mode: "0755"
- state: link
- - name: Copy over virtual host configs
- template:
- src: apache2-vhost-ssl.conf
- dest: "/etc/apache2/sites-available/{{ gitlab_url }}.conf"
- notify: restart apache
- - name: Enable config
- command:
- cmd: "a2ensite {{ gitlab_url }}.conf"
- creates: "/etc/apache2/sites-enabled/{{ gitlab_url }}.conf"
- notify: restart apache
- - name: Generate certificate
- include_role:
- name: https
- vars:
- website_url: "{{ gitlab_url }}"
- website_webroot: "{{ gitlab_webroot }}"
- become: yes
diff --git a/roles/gitlab/templates/apache2-vhost-ssl.conf b/roles/gitlab/templates/apache2-vhost-ssl.conf
deleted file mode 100644
index 186af2d..0000000
--- a/roles/gitlab/templates/apache2-vhost-ssl.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-# Configuration for {{ gitlab_url }}
-# vim:ft=apache:
-
-# Accept connections from non-SNI clients
-SSLStrictSNIVHostCheck off
-
-# Website configuration
-
- ServerName {{ gitlab_url }}
- Redirect permanent / https://{{ gitlab_url }}
-
-
- SSLEngine on
- SSLCertificateFile /etc/pki/cert/crt/{{ gitlab_url }}.crt
- SSLCertificateKeyFile /etc/pki/cert/private/{{ gitlab_url }}.key
- SSLCertificateChainFile /etc/pki/cert/crt/{{ gitlab_url }}-fullchain.crt
- SSLProtocol {{ ssl_protocol }}
- SSLCipherSuite {{ ssl_cipher_suite }}
- ServerName {{ gitlab_url }}
- DocumentRoot {{ gitlab_webroot }}
-
- Require all granted
- AllowOverride All
- Options MultiViews FollowSymlinks
-
-
- Require all granted
- ProxyPassReverse http://127.0.0.1:8086
- ProxyPassReverse http://git.9iron.club/
-
-
- # Forward all requets to GL except error docs and ACME challenges
- RewriteEngine on
- RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
- RewriteCond %{REQUEST_URI} ^/uploads/.*
- RewriteCond %{REQUEST_URI} !\.well-known-acme-challenge
- RewriteRule .* http://127.0.0.1:8086%{REQUEST_URI} [P,QSA,NE]
-
- RequestHeader set X_FORWARDED_PROTO 'https'
- RequestHeader set X-Forwarded-Ssl on
-
diff --git a/roles/gitlab/templates/database.yml b/roles/gitlab/templates/database.yml
deleted file mode 100644
index ebfb7af..0000000
--- a/roles/gitlab/templates/database.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-production:
- adapter: mysql2
- encoding: utf8
- collation: utf8_general_ci
- reconnect: false
- database: gitlab
- pool: 10
- username: gitlab
- password: {{ gitlab_mysql_password }}
- host: localhost
diff --git a/roles/postfix-null/meta/main.yml b/roles/postfix-null/meta/main.yml
deleted file mode 100644
index d098f75..0000000
--- a/roles/postfix-null/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-allow_duplicates: no
diff --git a/roles/postfix-null/tasks/main.yml b/roles/postfix-null/tasks/main.yml
deleted file mode 100644
index 9fe372d..0000000
--- a/roles/postfix-null/tasks/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/ansible-playbook
-# vim:ft=ansible:
----
-- name: Set up Postfix
- block:
- - name: Install Postfix
- apt:
- name:
- - postfix
- - name: Install config
- template:
- src: "main.cf"
- dest: "/etc/postfix/main.cf"
- become: yes
diff --git a/roles/postfix-null/templates/main.cf b/roles/postfix-null/templates/main.cf
deleted file mode 100644
index ce771be..0000000
--- a/roles/postfix-null/templates/main.cf
+++ /dev/null
@@ -1,6 +0,0 @@
-myhostname = {{ postfix_hostname }}
-mydomain = {{ postfix_domain }}
-myorigin = $mydomain
-#relayhost = $mydomain
-inet_interfaces = loopback-only
-mydestination =
diff --git a/roles/redis/templates/main.cf b/roles/redis/templates/main.cf
deleted file mode 100644
index c32ed78..0000000
--- a/roles/redis/templates/main.cf
+++ /dev/null
@@ -1,5 +0,0 @@
-myhostname = {{ postfix_hostname }}
-myorigin = $mydomain
-#relayhost = $mydomain
-inet_interfaces = loopback-only
-mydestination =