-
Notifications
You must be signed in to change notification settings - Fork 306
/
config.yml.example
130 lines (115 loc) · 6.01 KB
/
config.yml.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#
# If you change this file in a Merge Request, please also create
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
# GitLab user. git by default
user: git
# URL to GitLab instance, used for API calls. Default: http://localhost:8080.
# For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html
# You only have to change the default if you have configured Unicorn
# to listen on a custom port, or if you have configured Unicorn to
# only listen on a Unix domain socket. For Unix domain sockets use
# "http+unix://<urlquoted-path-to-socket>", e.g.
# "http+unix://%2Fpath%2Fto%2Fsocket"
gitlab_url: "http+unix://%2Fhome%2Fgit%2Fgitlab%2Ftmp%2Fsockets%2Fgitlab-workhorse.socket"
# When a http+unix:// is used in gitlab_url, this is the relative URL root to GitLab.
# Not used if gitlab_url is http:// or https://.
# gitlab_relative_url_root: "/"
# See installation.md#using-https for additional HTTPS configuration details.
http_settings:
# read_timeout: 300
# user: someone
# password: somepass
# ca_file: /etc/ssl/cert.pem
# ca_path: /etc/pki/tls/certs
#
# File used as authorized_keys for gitlab user
auth_file: "/home/git/.ssh/authorized_keys"
# SSL certificate dir where custom certificates can be placed
# https://golang.org/pkg/crypto/x509/
# ssl_cert_dir: /opt/gitlab/embedded/ssl/certs/
# File that contains the secret key for verifying access to GitLab.
# Default is .gitlab_shell_secret in the gitlab-shell directory.
# secret_file: "/home/git/gitlab-shell/.gitlab_shell_secret"
#
# The secret field supersedes the secret_file, and if set that
# file will not be read.
# secret: "supersecret"
# Log file.
# Default is gitlab-shell.log in the root directory.
# log_file: "/home/git/gitlab-shell/gitlab-shell.log"
# Log level. INFO by default
log_level: INFO
# Log format. 'json' by default, can be changed to 'text' if needed
# log_format: json
# Audit usernames.
# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
# incurs an extra API call on every gitlab-shell command.
audit_usernames: false
# Distributed Tracing. GitLab-Shell has distributed tracing instrumentation.
# For more details, visit https://docs.gitlab.com/ee/development/distributed_tracing.html
# gitlab_tracing: opentracing://driver
# This section configures the built-in SSH server. Ignored when running on OpenSSH.
sshd:
# Address which the SSH server listens on. Defaults to [::]:22.
listen: "[::]:22"
# Set to true if gitlab-sshd is being fronted by a load balancer that implements
# the PROXY protocol.
proxy_protocol: false
# Proxy protocol policy ("use", "require", "reject", "ignore"), "use" is the default value
# Values: https://github.com/pires/go-proxyproto/blob/195fedcfbfc1be163f3a0d507fac1709e9d81fed/policy.go#L20
proxy_policy: "use"
# Proxy allowed IP addresses. Takes precedent over proxy_policy. Disabled by default.
# proxy_allowed:
# - "192.168.0.1"
# - "192.168.1.0/24"
# Address which the server listens on HTTP for monitoring/health checks. Defaults to localhost:9122.
web_listen: "localhost:9122"
# Maximum number of concurrent sessions allowed on a single SSH connection. Defaults to 10.
concurrent_sessions_limit: 10
# Sets an interval after which server will send keepalive message to a client. Defaults to 15s.
client_alive_interval: 15
# The server waits for this time for the ongoing connections to complete before shutting down. Defaults to 10s.
grace_period: 10
# The server disconnects after this time if the user has not successfully logged in. Defaults to 60s.
login_grace_time: 60
# A short timeout to decide to abort the connection if the protocol header is not seen within it. Defaults to 500ms
proxy_header_timeout: 500ms
# The endpoint that returns 200 OK if the server is ready to receive incoming connections; otherwise, it returns 503 Service Unavailable. Defaults to "/start".
readiness_probe: "/start"
# The endpoint that returns 200 OK if the server is alive. Defaults to "/health".
liveness_probe: "/health"
# Specifies the available message authentication code algorithms that are used for protecting data integrity
macs: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1]
# Specifies the available Key Exchange algorithms
kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
# Specified the ciphers allowed
ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr]
# Specified the available Public Key algorithms
public_key_algorithms: [ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, sk-ecdsa-sha2-nistp256@openssh.com, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, sk-ssh-ed25519@openssh.com, rsa-sha2-256, rsa-sha2-512]
# SSH host key files.
host_key_files:
- /run/secrets/ssh-hostkeys/ssh_host_rsa_key
- /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key
- /run/secrets/ssh-hostkeys/ssh_host_ed25519_key
host_key_certs:
- /run/secrets/ssh-hostkeys/ssh_host_rsa_key-cert.pub
- /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key-cert.pub
- /run/secrets/ssh-hostkeys/ssh_host_ed25519_key-cert.pub
# GSSAPI-related settings
gssapi:
# Enable the gssapi-with-mic authentication method. Defaults to false.
enabled: false
# Keytab path. Defaults to "", system default (usually /etc/krb5.keytab).
keytab: ""
# The Kerberos service name to be used by sshd. Defaults to "", accepts any service name in keytab file.
service_principal_name: ""
lfs:
# https://gitlab.com/groups/gitlab-org/-/epics/11872, disabled by default.
pure_ssh_protocol: false
# https://docs.gitlab.com/ee/development/gitlab_shell/features.html#personal-access-token
pat:
# Enable/disable creation of personal access tokens using SSH key
enabled: true
# Configure which PAT scopes are allowable to generate using an SSH key
# allowed_scopes: [read_repository]