diff --git a/manifests/config.pp b/manifests/config.pp index 149c660..03a0269 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -9,6 +9,10 @@ $socket_path = "${git_home}/gitlab/tmp/sockets/gitlab.socket" $root_path = "${git_home}/gitlab/public" + + if $gitlab_workhorse_branch { + $gitlab_workhorse_socket_path="${git_home}/gitlab/tmp/sockets/gitlab-workhorse.socket" + } # gitlab if $gitlab_manage_nginx { @@ -41,7 +45,7 @@ file { '/etc/logrotate.d/gitlab': ensure => file, - source => "${git_home}/gitlab/lib/support/logrotate/gitlab", + content => template('gitlab/gitlab_logrotate.erb'), owner => root, group => root, mode => '0644'; @@ -52,13 +56,25 @@ "${git_home}/gitlab/tmp", "${git_home}/gitlab/tmp/pids", "${git_home}/gitlab/tmp/sockets", - "${git_home}/gitlab/public", - "${git_home}/gitlab/public/uploads", + "${git_home}/gitlab/public", ]: ensure => directory, mode => '0755', } - + + #gitlab does not provide an option to configure the uploads directory location, so create a symlink to + #the desired folder if specified (otherwise, simply ensure the default uploads folder is there) + $gitlab_uploads_path_type = $gitlab_uploads_folder ? { + undef => 'directory', + default => 'link', + } + file { "${git_home}/gitlab/public/uploads": + ensure => $gitlab_uploads_path_type, + target => $gitlab_uploads_folder, + mode => '0750', + force => true, #for the conversion to link + } + #gitlab does not provide an option to configure a log directory, so create a symlink to #the desired folder if specified (otherwise, simply ensure the default log folder is there) $gitlab_log_path_type = $gitlab_log_folder ? { diff --git a/manifests/init.pp b/manifests/init.pp index 5456ca1..fe8c7d7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
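Review bot: `force => true` on `"${git_home}/gitlab/public/uploads"` lets Puppet turn an existing uploads directory into a symlink, and Puppet does that by removing the directory tree first, so setting `gitlab_uploads_folder` on a host that already holds user uploads discards them unless they were moved to the target beforehand. The comment above the resource should state that, e.g. `# NOTE: converting an existing uploads directory into a link removes its contents; move existing uploads into gitlab_uploads_folder first`. The target directory itself is not managed in this hunk, so its existence, owner and mode are left to the operator, and the `0750` only takes effect in the default-directory case (Puppet does not, as far as I know, apply `mode` to a symlink); a conditional `file { $gitlab_uploads_folder: ensure => directory, owner => $git_user, group => $git_group, mode => '0750' }` before the link resource would close that gap.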
@@ -34,7 +34,7 @@ # # [*git_max_size*] # Maximum memory size grit can use, given in number of bytes per git object (e.g. a commit) -# default: 5242880 (5MB) +# default: 20971520 (20MB) # # [*git_timeout*] # Git timeout to read a commit, in seconds @@ -56,6 +56,15 @@ # Gitlab branch # default: 7-12-stable # +# [*gitlab_workhorse_sources*] +# gitlab-workhorse sources (required for GitLab 8+) +# default: git://github.com/gitlabhq/gitlabhq.git +# +# [*gitlab_workhorse_branch*] +# gitlab-workhorse branch (required GitLab 8+). If not specified, gitlab-workhorse will +# not be installed. +# default: undef +# # [*gitlabshell_sources*] # Gitlab-shell sources # default: git://github.com/gitlabhq/gitlab-shell.git @@ -72,6 +81,10 @@ # Gitlab rails log folder # default: ${git_home}/gitlab/log # +# [*gitlab_uploads_folder*] +# Folder for user uploads (if specified, it will be symlinked from the default location) +# default: ${git_home}/gitlab/public/uploads +# # [*proxy_name*] # The name of the Nginx proxy # default: 'gitlab' @@ -81,6 +94,14 @@ # configuration; set to false to manage separately # default: true # +# [*nginx_access_log*] +# Nginx access_log path (and any log options). +# default: /var/log/nginx/gitlab_access.log +# +# [*nginx_error_log*] +# Nginx error_log file (and any log options). +# default: /var/log/nginx/gitlab_error.log +# # [*gitlab_http_port*] # Port that NGINX listens on for HTTP traffic # default: 80 @@ -163,6 +184,10 @@ # Path to one or more shell scripts to be executed after the backup # default: false # +# [*gitlab_backup_archive_permissions*] +# Permissions for the resulting backup.tar file +# default: '0600' +# # [*gitlab_relative_url_root*] # run in a non-root path # default: / 
@@ -177,11 +202,6 @@ # created in the following directory (relative to the root of the Rails app) # default: tmp/repositories # -# [*gitlab_restricted_visibility_levels*] -# Restrict setting visibility levels for non-admin users. -# Specify as an array of one or more of "private" | "internal" | "public" -# default: nil -# # [*gitlab_default_projects_features_issues*] # Default project features setting for issues. # default: true @@ -194,18 +214,10 @@ # Default project features settings for wiki. # default: true # -# [*gitlab_default_projects_features_wall*] -# Default project features setting for wall. -# default: false -# # [*gitlab_default_projects_features_snippets*] # Default project features setting for snippets. # default: false # -# [*gitlab_default_projects_features_visibility_level*] -# Default project features settings for visibility level. ("private" | "internal" | "public") -# default: private -# # [*gitlab_email_enabled*] # Set to false if you need to disable email sending from GitLab # default: true @@ -218,10 +230,6 @@ # Sender display name for emails sent by GitLab # default: GitLab # -# [*gitlab_support_email*] -# Email address of your support contact -# default: support@local.host -# # [*gitlab_time_zone*] # Default time zone of GitLab application # default: UTC @@ -250,10 +258,6 @@ # Set true if your SSL Cert is self signed # default: false # -# [*gitlab_projects*] -# GitLab default number of projects for new users -# default: 10 -# # [*gitlab_repodir*] # Gitlab repository directory # default: $git_home @@ -267,6 +271,10 @@ # indicate whether the GitLab database has already been initialized. # default: $git_home # +# [*gitlab_default_can_create_group*] +# Whether users are allowed to create groups by default. +# default: true +# # [*gitlab_username_change*] # Gitlab username changing # default: true 
@@ -308,6 +316,10 @@
 # The default PATH passed to all exec ressources (this path include rbenv shims)
 # default: '${git_home}/.rbenv/shims:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
 #
+# [*exec_environment*]
+# The environment passed to all exec resources
+# default: undef
+#
 # [*gitlab_bundler_jobs*]
 # Number of jobs to use while installing gems. Should match number of
 # procs on your system (default: 1)
@@ -369,27 +381,68 @@ # enable this setting to keep new users blocked until they have been cleared by the admin # default: false # +# [*ldap_allow_username_or_email_login*] +# If allow_username_or_email_login is enabled, GitLab will ignore everything +# after the first '@' in the LDAP username submitted by the user on login. +# default: false +# +# [*ldap_attributes_username*] +# LDAP attributes that GitLab will use to create an account for the LDAP user. +# Note that the user's LDAP login will always be the attribute specified as `uid` above. +# default: ['uid', 'userid', 'sAMAccountName'] +# +# [*ldap_attributes_email*] +# LDAP attributes that GitLab will use to create an account for the LDAP user. +# default: ['mail', 'email', 'userPrincipalName'] +# +# [*ldap_attributes_name*] +# LDAP attributes that GitLab will use to create an account for the LDAP user. +# If no full name could be found at the attribute specified for `name`, +# the full name is determined using the attributes specified for +# `first_name` and `last_name`. +# default: ['cn'] +# +# [*ldap_attributes_first_name*] +# LDAP attributes that GitLab will use to create an account for the LDAP user. +# default: ['givenName'] +# +# [*ldap_attributes_last_name*] +# LDAP attributes that GitLab will use to create an account for the LDAP user. +# default: ['sn'] +# # [*ldap_sync_time*] # This setting controls the amount of time between LDAP permission checks for each user. -# default: nil +# default: 3600 +# +# [*ldap_schedule_sync_hour*] +# In addition to refreshing users when they log in, +# refresh LDAP user membership once a day. +# Hour of the day. Value from 0-23. (EE only) +# default: 1 +# +# [*ldap_schedule_sync_minute*] +# In addition to refreshing users when they log in, +# refresh LDAP user membership once a day. +# Minute of the hour. Value from 0-59. (EE only) +# default: 30 # # [*ldap_group_base*] -# Base where we can search for groups. +# Base where we can search for groups. 
(EE only) # default: nil # # [*ldap_sync_ssh_keys*] # Name of attribute which holds a ssh public key of the user object. -# If false or nil, SSH key syncronisation will be disabled. +# If false or nil, SSH key syncronisation will be disabled. (EE only) # default: nil # # [*ldap_admin_group*] -# LDAP group of users who should be admins in GitLab. +# LDAP group of users who should be admins in GitLab. (EE only) # default: nil # -# [*issues_tracker*] -# External issues trackers. Provide a hash with all issues_tracker configuration as would -# appear in gitlab.yaml. E.g. { redmine => { title => "Redmine", project_url => ... } } -# default: nil +# [*nginx_client_max_body_size*] +# Increase this if you want to upload large attachments +# Or if you want to accept large git objects over http +# default: 20m # # [*omniauth*] # Omniauth configuration. Provide a hash with all omniauth configuration as would @@ -412,18 +465,6 @@ # Proxy for git access # default: '' # -# [*company_logo_url*] -# Url to the company logo to be diplayed at the bottom of the sign_in page -# default: '' -# -# [*company_link*] -# Link to the company displayed under the logo of the company -# default: '' -# -# [*company_name*] -# Name of the company displayed under the logo of the company -# default: '' -# # [*gravatar_enabled*] # Use user avatar image from Gravatar.com # default: true 
@@ -436,6 +477,52 @@ # Name of webserver service (nginx, apache2) # default: nginx # +# [*incoming_email_enabled*] +# Allow users to comment on issues and merge requests by replying to notification emails. +# default: false +# +# [*incoming_email_address*] +# For documentation on how to set this up, see http://doc.gitlab.com/ce/incoming_email/README.html +# default: 'incoming+%{key}@gitlab.example.com' +# +# [*gitlab_ci_all_broken_builds*] +# CI: Send emails only on broken builds +# default: true +# +# [*gitlab_ci_add_pusher*] +# CI: Add pusher to recipients list +# default: false +# +# [*gitlab_ci_builds_path*] +# CI: The location where build traces are stored. Relative paths are relative to Rails.root +# default: builds/ +# +# [*kerberos_enabled*] +# Allow the HTTP Negotiate authentication method for Git clients (EE only) +# default: false +# +# [*kerberos_keytab*] +# Kerberos 5 keytab file. The keytab file must be readable by the GitLab user, +# and should be different from other keytabs in the system. (EE only) +# default: use default keytab from Krb5 config +# +# [*kerberos_service_principal_name*] +# The Kerberos service name to be used by GitLab. (EE only) +# default: accept any service name in keytab file +# +# [*kerberos_use_dedicated_port*] +# Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails. +# See http://doc.gitlab.com/ee/integration/kerberos.html (EE only) +# default: false +# +# [*kerberos_port*] +# Port when using a dedicated port for Kerberos. (EE only) +# default: 8443 +# +# [*kerberos_https*] +# Whether to use https on the dedicated port for Kerberos. (EE only) +# default: use value of gitlab_ssl +# # [*system_packages*] # Packages that Gitlab needs to work, and that will be managed by the Gitlab module # default: $gitlab::params::system_packages 
@@ -474,12 +561,17 @@ $gitlab_manage_home = $gitlab::params::gitlab_manage_home, $gitlab_sources = $gitlab::params::gitlab_sources, $gitlab_branch = $gitlab::params::gitlab_branch, + $gitlab_workhorse_sources = $gitlab::params::gitlab_workhorse_sources, + $gitlab_workhorse_branch = $gitlab::params::gitlab_workhorse_branch, $gitlabshell_branch = $gitlab::params::gitlabshell_branch, $gitlabshell_sources = $gitlab::params::gitlabshell_sources, $gitlabshell_log_folder = $gitlab::params::gitlabshell_log_folder, $gitlab_log_folder = $gitlab::params::gitlab_log_folder, + $gitlab_uploads_folder = $gitlab::params::gitlab_uploads_folder, $gitlab_manage_nginx = $gitlab::params::gitlab_manage_nginx, $proxy_name = 'gitlab', + $nginx_access_log = "/var/log/nginx/${proxy_name}_access.log", + $nginx_error_log = "/var/log/nginx/${proxy_name}_error.log", $gitlab_http_port = $gitlab::params::gitlab_http_port, $gitlab_ssl_port = $gitlab::params::gitlab_ssl_port, $gitlab_http_timeout = $gitlab::params::gitlab_http_timeout, @@ -493,7 +585,7 @@ $gitlab_dbport = $gitlab::params::gitlab_dbport, $gitlab_domain = $gitlab::params::gitlab_domain, $gitlab_domain_alias = $gitlab::params::gitlab_domain_alias, - $gitlab_repodir = $gitlab::params::gitlab_repodir, + $gitlab_repodir = $git_home, $gitlab_satellitedir = $git_home, $gitlab_setup_status_dir = $git_home, $gitlab_backup = $gitlab::params::gitlab_backup, 
@@ -501,28 +593,25 @@ $gitlab_backup_keep_time = $gitlab::params::gitlab_backup_keep_time, $gitlab_backup_time = $gitlab::params::gitlab_backup_time, $gitlab_backup_postscript = $gitlab::params::gitlab_backup_postscript, + $gitlab_backup_archive_permissions = '0600', $gitlab_relative_url_root = $gitlab::params::gitlab_relative_url_root, $gitlab_issue_closing_pattern = $gitlab::params::gitlab_issue_closing_pattern, $gitlab_repository_downloads_path = $gitlab::params::gitlab_repository_downloads_path, - $gitlab_restricted_visibility_levels = $gitlab::params::gitlab_restricted_visibility_levels, $gitlab_default_projects_features_issues = $gitlab::params::gitlab_default_projects_features_issues, $gitlab_default_projects_features_merge_requests = $gitlab::params::gitlab_default_projects_features_merge_requests, $gitlab_default_projects_features_wiki = $gitlab::params::gitlab_default_projects_features_wiki, - $gitlab_default_projects_features_wall = $gitlab::params::gitlab_default_projects_features_wall, $gitlab_default_projects_features_snippets = $gitlab::params::gitlab_default_projects_features_snippets, - $gitlab_default_projects_features_visibility_level = $gitlab::params::gitlab_default_projects_features_visibility_level, $gitlab_time_zone = $gitlab::params::gitlab_time_zone, $gitlab_email_enabled = $gitlab::params::gitlab_email_enabled, $gitlab_email_reply_to = "noreply@${gitlab_domain}", $gitlab_email_display_name= $gitlab::params::gitlab_email_display_name, - $gitlab_support_email = $gitlab::params::gitlab_support_email, $gitlab_ssl = $gitlab::params::gitlab_ssl, $gitlab_ssl_cert = $gitlab::params::gitlab_ssl_cert, $gitlab_ssl_key = $gitlab::params::gitlab_ssl_key, $gitlab_ssl_protocols = $gitlab::params::gitlab_ssl_protocols, $gitlab_ssl_ciphers = $gitlab::params::gitlab_ssl_ciphers, $gitlab_ssl_self_signed = $gitlab::params::gitlab_ssl_self_signed, - $gitlab_projects = $gitlab::params::gitlab_projects, + $gitlab_default_can_create_group = true, 
 $gitlab_username_change = $gitlab::params::gitlab_username_change,
 $gitlab_unicorn_listen = $gitlab::params::gitlab_unicorn_listen,
 $gitlab_unicorn_port = $gitlab::params::gitlab_unicorn_port,
@@ -536,6 +625,7 @@
 $gitlab_secret_file = $gitlab::params::gitlab_secret_file,
 $gitlab_auth_file = "${git_home}/.ssh/authorized_keys",
 $exec_path = $gitlab::params::exec_path,
+ $exec_environment = $gitlab::params::exec_environment,
 $ldap_enabled = $gitlab::params::ldap_enabled,
 $ldap_host = $gitlab::params::ldap_host,
 $ldap_base = $gitlab::params::ldap_base,
@@ -548,21 +638,37 @@
 $ldap_active_directory = $gitlab::params::ldap_active_directory,
 $ldap_block_auto_created_users = $gitlab::params::ldap_block_auto_created_users,
 $ldap_sync_time = $gitlab::params::ldap_sync_time,
+ $ldap_allow_username_or_email_login = false,
+ $ldap_attributes_username = ['uid', 'userid', 'sAMAccountName'],
+ $ldap_attributes_email = ['mail', 'email', 'userPrincipalName'],
+ $ldap_attributes_name = ['cn'],
+ $ldap_attributes_first_name = ['givenName'],
+ $ldap_attributes_last_name = ['sn'],
+ $ldap_schedule_sync_hour = 1,
+ $ldap_schedule_sync_minute= 30,
 $ldap_group_base = $gitlab::params::ldap_group_base,
 $ldap_sync_ssh_keys = $gitlab::params::ldap_sync_ssh_keys,
 $ldap_admin_group = $gitlab::params::ldap_admin_group,
- $issues_tracker = $gitlab::params::issues_tracker,
+ $nginx_client_max_body_size = $gitlab::params::nginx_client_max_body_size,
 $omniauth = $gitlab::params::omniauth,
 $ssh_port = $gitlab::params::ssh_port,
 $google_analytics_id = $gitlab::params::google_analytics_id,
 $git_proxy = $gitlab::params::git_proxy,
 $webserver_service_name = $gitlab::params::webserver_service_name,
+ $incoming_email_enabled = false,
+ $incoming_email_address = 'incoming+%{key}@gitlab.example.com',
+ $gitlab_ci_all_broken_builds = true,
+ $gitlab_ci_add_pusher = false,
+ $gitlab_ci_builds_path = 'builds/',
+ $kerberos_enabled = false,
+ $kerberos_keytab = undef,
+ $kerberos_service_principal_name = undef,
+ $kerberos_use_dedicated_port = false,
+ $kerberos_port = 8443,
+ $kerberos_https = $gitlab_ssl,
 $system_packages = $gitlab::params::system_packages,
 # Deprecated params
 $git_package_name = undef,
- $company_logo_url = $gitlab::params::company_logo_url,
- $company_link = $gitlab::params::company_link,
- $company_name = $gitlab::params::company_name,
 $gravatar_enabled = $gitlab::params::gravatar_enabled,
 $use_exim = $gitlab::params::use_exim,
 ) inherits gitlab::params {
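Review bot: `$incoming_email_address` defaults to a placeholder at `gitlab.example.com` while `$incoming_email_enabled` is an independent boolean, so enabling the feature without overriding the address makes GitLab advertise reply addresses at a domain the operator does not control; a compile-time guard in the validation section catches that, e.g. `if $incoming_email_enabled and $incoming_email_address == 'incoming+%{key}@gitlab.example.com' { fail('incoming_email_address must be set when incoming_email_enabled is true') }`. `$kerberos_https = $gitlab_ssl` means the dedicated Kerberos port (8443 by default) serves plain HTTP whenever `gitlab_ssl` is false, which is a reasonable default but deserves a sentence in the parameter doc. As a matter of consistency, the nineteen new defaults are literals in the class signature while the rest of the class reads its defaults from `$gitlab::params::…`; moving them to params.pp keeps a single place for defaults. The class body continues outside this hunk.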
@@ -589,7 +695,6 @@ validate_bool($gitlab_default_projects_features_issues) validate_bool($gitlab_default_projects_features_merge_requests) validate_bool($gitlab_default_projects_features_wiki) - validate_bool($gitlab_default_projects_features_wall) validate_bool($gitlab_default_projects_features_snippets) validate_re($gitlab_dbtype, '(mysql|pgsql)', 'gitlab_dbtype is not supported') @@ -600,27 +705,19 @@ validate_re("${gitlab_http_timeout}", '^\d+$', 'gitlab_http_timeout is not a number') validate_re("${gitlab_redisport}", '^\d+$', 'gitlab_redisport is not a valid port') validate_re($ldap_method, '(ssl|tls|plain)', 'ldap_method is not supported (ssl, tls or plain)') - validate_re("${gitlab_projects}", '^\d+$', 'gitlab_projects is not valid') validate_re("${gitlab_unicorn_port}", '^\d+$', 'gitlab_unicorn_port is not valid') validate_re("${gitlab_unicorn_worker}", '^\d+$', 'gitlab_unicorn_worker is not valid') validate_re("${gitlab_bundler_jobs}", '^\d+$', 'gitlab_bundler_jobs is not valid') validate_re($ensure, '(present|latest)', 'ensure is not valid (present|latest)') validate_re("${ssh_port}", '^\d+$', 'ssh_port is not a valid port') - validate_re($gitlab_default_projects_features_visibility_level, 'private|internal|public','gitlab_default_projects_features_visibility_level is not valid') if !is_ip_address($gitlab_unicorn_listen){ fail("${gitlab_unicorn_listen} is not a valid IP address") } - if $gitlab_restricted_visibility_levels { - validate_array($gitlab_restricted_visibility_levels) - } if $omniauth { validate_hash($omniauth) } - if $issues_tracker { - validate_hash($issues_tracker) - } validate_string($git_user) validate_string($git_email) @@ -638,9 +735,6 @@ validate_string($ldap_uid) validate_string($ldap_host) validate_string($google_analytics_id) - validate_string($company_logo_url) - validate_string($company_link) - validate_string($company_name) anchor { 'gitlab::begin': } -> class { '::gitlab::setup': } -> 
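Review bot: The second hunk removes four `validate_*` calls but adds none for the parameters this commit introduces, so the new booleans and the Kerberos port are only checked when the rendered gitlab.yml is loaded, while every neighbouring parameter fails fast at catalog compile time. The backup archive mode is interpolated into a file as a permission string and should be shaped like one. I would add the following alongside the existing calls (the class body and the anchor chain continue outside this hunk).
```puppet
# … unchanged: existing validate_* calls …
validate_bool($gitlab_default_can_create_group)
validate_bool($ldap_allow_username_or_email_login)
validate_bool($incoming_email_enabled)
validate_bool($kerberos_enabled)
validate_bool($kerberos_use_dedicated_port)
validate_re("${kerberos_port}", '^\d+$', 'kerberos_port is not a valid port')
validate_re("${gitlab_backup_archive_permissions}", '^0?[0-7]{3}$', 'gitlab_backup_archive_permissions is not a valid mode')
```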
diff --git a/manifests/install.pp b/manifests/install.pp index cd8d9ec..46264ff 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -13,6 +13,7 @@ Exec { user => $git_user, path => $exec_path, + environment => $exec_environment, } File { @@ -91,9 +92,10 @@ $gitlab_bundler_jobs_flag = " -j${gitlab_bundler_jobs}" } exec { 'install gitlab': - command => "bundle install${gitlab_bundler_jobs_flag} --without development aws test ${gitlab_without_gems} ${gitlab_bundler_flags}", + command => "bundle install${gitlab_bundler_jobs_flag} --without development aws test ${gitlab_without_gems} ${gitlab_with_gems} ${gitlab_bundler_flags}", cwd => "${git_home}/gitlab", - unless => 'bundle check', + subscribe => Vcsrepo["${git_home}/gitlab"], + refreshonly => true, timeout => 0, require => [ Gitlab::Config::Database['gitlab'], @@ -101,7 +103,7 @@ File["${git_home}/gitlab/config/gitlab.yml"], Gitlab::Config::Resque['gitlab'], ], - notify => Exec['run migrations'], + notify => [ Exec['run migrations'], Exec['run gitlab-ci schedules'] ], } exec { 'setup gitlab database': @@ -113,7 +115,7 @@ Exec['install gitlab'], ], notify => Exec['precompile assets'], - before => Exec['run migrations'], + before => [ Exec['run migrations'], Exec['run gitlab-ci schedules'] ], } exec { 'precompile assets': @@ -129,6 +131,14 @@ notify => Exec['precompile assets'], } + # this installs cron jobs defined in config/schedule.rb for gitlab-ci + exec { 'run gitlab-ci schedules': + command => 'bundle exec whenever -w RAILS_ENV=production', + cwd => "${git_home}/gitlab", + refreshonly => true, + onlyif => "test -e '${git_home}/gitlab/config/schedule.rb'", + } + file { "${gitlab_setup_status_dir}/.gitlab_setup_done": ensure => file, diff --git a/manifests/package.pp b/manifests/package.pp index 6d7c6bc..e08dbec 100644 --- a/manifests/package.pp +++ b/manifests/package.pp 
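Review bot: Replacing `unless => 'bundle check'` with `refreshonly => true` on `install gitlab` means the bundle is installed only on the run where the `Vcsrepo` checkout changes; if that `bundle install` fails (network error, missing build dependency), nothing re-triggers it until the repository changes again, so the host stays non-convergent and the next refresh runs migrations against a broken bundle. Keeping the idempotence check together with the subscription, i.e. `subscribe => Vcsrepo["${git_home}/gitlab"],` plus `unless => 'bundle check',` and no `refreshonly`, lets a failed install retry on the next run while still re-running after a code update (a refresh is still subject to `unless`, and after a checkout change `bundle check` will normally fail). `run gitlab-ci schedules` correctly inherits `user => $git_user` from the Exec default in the first hunk; a one-line comment that `whenever -w` writes that user's crontab would help the next reader.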
@@ -11,9 +11,47 @@ vcsrepo { "${git_home}/gitlab": source => $gitlab_sources, revision => $gitlab_branch, + notify => Service['gitlab'], # restart service if code has been updated } vcsrepo { "${git_home}/gitlab-shell": source => $gitlabshell_sources, revision => $gitlabshell_branch, } + + # Download and build gitlab-workhorse. + # Not everything belongs here, but it seems better to keep everything together for now, while + # we still support GitLab 7.x installation (which won't want this) + if $gitlab_workhorse_branch { + ensure_packages(['golang']) + + vcsrepo { "${git_home}/gitlab-workhorse": + source => $gitlab_workhorse_sources, + revision => $gitlab_workhorse_branch, + } + + exec { "Build gitlab-workhorse": + command => "make", + cwd => "${git_home}/gitlab-workhorse", + user => $git_user, + path => $exec_path, + environment => $exec_environment, + refreshonly => true, + require => Package['golang'], + subscribe => Vcsrepo["${git_home}/gitlab-workhorse"], + notify => Service['gitlab'], # restart service if code has been updated + } + + #Gitlab 8.0 and 8.1 expect gitlab-git-http-server instead + file { + "${git_home}/gitlab-git-http-server": + ensure => "directory", + owner => $git_user, + group => $git_group; + "${git_home}/gitlab-git-http-server/gitlab-git-http-server": + ensure => "link", + target => "${git_home}/gitlab-workhorse/gitlab-workhorse", + owner => $git_user, + group => $git_group; + } + } } diff --git a/manifests/params.pp b/manifests/params.pp index 48f875a..c4651b2 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
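Review bot: `Build gitlab-workhorse` runs `make` as `$git_user` inside a checkout that the new `vcsrepo` creates without `user`/`owner`, so unless a `Vcsrepo { user => … }` resource default exists above this hunk the tree is owned by the account Puppet runs as and the build cannot write its binary into it; adding `user => $git_user,` to the workhorse `vcsrepo` removes the dependency on that assumption. The exec also inherits Puppet's default 300 s timeout while the other build-type exec in this module (`install gitlab`) sets `timeout => 0`; a first Go build with dependency fetch can exceed that on a small host. `ensure_packages(['golang'])` takes whatever Go the distribution ships, and gitlab-workhorse may require a newer toolchain than that; a comment naming the minimum Go version it was tested with (or a parameter for the package name) would turn a confusing `make` failure into a documented requirement.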
@@ -12,19 +12,22 @@
 $git_email = 'git@someserver.net'
 $git_comment = 'GitLab'
 $git_bin_path = '/usr/bin/git'
- $git_max_size = 5242880
+ $git_max_size = 20971520
 $git_timeout = 10
 $gitlab_webhook_timeout = 10
 $gitlab_sources = 'git://github.com/gitlabhq/gitlabhq.git'
 $gitlab_branch = '7-12-stable'
+ $gitlab_workhorse_sources = 'https://gitlab.com/gitlab-org/gitlab-workhorse.git'
+ $gitlab_workhorse_branch = undef # specify a value here when gitlab_branch updated to 8-x
 $gitlabshell_sources = 'git://github.com/gitlabhq/gitlab-shell.git'
 $gitlabshell_branch = 'v2.6.3'
 $gitlabshell_log_folder = undef
 $gitlab_log_folder = undef
+ $gitlab_uploads_folder = undef
 $gitlab_manage_nginx = true
 $gitlab_http_port = '80'
 $gitlab_ssl_port = '443'
- $gitlab_http_timeout = '60'
+ $gitlab_http_timeout = '300'
 $gitlab_redishost = '127.0.0.1'
 $gitlab_redisport = '6379'
 $gitlab_dbtype = 'mysql'
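Review bot: The new `gitlab_workhorse_sources` default is an `https://` URL, but the neighbouring `gitlab_sources` and `gitlabshell_sources` defaults still use `git://`, a clear-text transport with no server authentication, so the code this module builds and runs as `$git_user` can be tampered with in transit on those two clones; GitHub serves the same repositories over HTTPS (`https://github.com/gitlabhq/gitlabhq.git`, `https://github.com/gitlabhq/gitlab-shell.git`), so aligning them with the new default costs nothing. `gitlab_workhorse_branch` is documented as a branch; pinning a release tag, as `gitlabshell_branch = 'v2.6.3'` does, keeps a moving upstream branch from silently changing what gets built. The inline comment would be clearer as `# must be set (e.g. a gitlab-workhorse release tag) once gitlab_branch moves to 8-x; undef skips the workhorse install`.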
@@ -46,25 +49,20 @@
 $gitlab_relative_url_root = false
 $gitlab_issue_closing_pattern = undef
 $gitlab_repository_downloads_path = 'tmp/repositories'
- $gitlab_restricted_visibility_levels = undef
 $gitlab_default_projects_features_issues = true
 $gitlab_default_projects_features_merge_requests = true
 $gitlab_default_projects_features_wiki = true
- $gitlab_default_projects_features_wall = false
 $gitlab_default_projects_features_snippets = false
- $gitlab_default_projects_features_visibility_level = 'private'
 $gitlab_time_zone = false
 $gitlab_email_enabled = true
 $gitlab_email_reply_to = "noreply@${gitlab_domain}"
 $gitlab_email_display_name= 'GitLab'
- $gitlab_support_email = 'support@localhost'
 $gitlab_ssl = false
 $gitlab_ssl_protocols = 'TLSv1.2 TLSv1.1 TLSv1'
- $gitlab_ssl_ciphers = 'AES:HIGH:!aNULL:!RC4:!MD5:!ADH:!MDF'
+ $gitlab_ssl_ciphers = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
 $gitlab_ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
 $gitlab_ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key'
 $gitlab_ssl_self_signed = false
- $gitlab_projects = '10'
 $gitlab_username_change = true
 $gitlab_unicorn_listen = '127.0.0.1'
 $gitlab_unicorn_port = '8080'
@@ -78,6 +76,7 @@
 $gitlab_auth_file = "${git_home}/.ssh/authorized_keys"
 $gitlab_secret_file = undef
 $exec_path = "${git_home}/.rbenv/shims:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ $exec_environment = undef
 $ldap_enabled = false
 $ldap_host = 'ldap.domain.com'
 $ldap_base = 'dc=domain,dc=com'
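Review bot: The new `gitlab_ssl_ciphers` value explicitly enables `ECDHE-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA`, and the trailing `!DES` does not remove them (it matches single DES only), so 3DES, a legacy 64-bit-block cipher, stays negotiable for any client that prefers it. Unless very old clients are a stated requirement, drop those two entries or append `:!3DES` to the string. The list also keeps plain RSA key-exchange suites (`AES256-GCM-SHA384` through `AES128-SHA`) that provide no forward secrecy; that is a defensible compatibility choice, but since `gitlab_ssl_protocols` on the line above still admits TLSv1 it is worth a comment such as `# RSA-kex and 3DES suites kept for legacy clients; remove for a PFS-only profile`.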
@@ -89,18 +88,15 @@ $ldap_bind_password = '' $ldap_active_directory = true $ldap_block_auto_created_users = false - $ldap_sync_time = '' + $ldap_sync_time = 3600 $ldap_group_base = '' $ldap_sync_ssh_keys = '' $ldap_admin_group = '' - $issues_tracker = undef + $nginx_client_max_body_size = '20m' $omniauth = undef $ssh_port = '22' $google_analytics_id = '' $git_proxy = undef - $company_logo_url = '' - $company_link = '' - $company_name = '' $gravatar_enabled = true $use_exim = false $webserver_service_name = 'nginx' diff --git a/templates/gitlab.default.erb b/templates/gitlab.default.erb index 6b4c1de..7e1324b 100644 --- a/templates/gitlab.default.erb +++ b/templates/gitlab.default.erb 
@@ -32,3 +32,37 @@ web_server_pid_path="$pid_path/unicorn.pid" # sidekiq_pid_path defines the path in which to create the pid file for sidekiq # The default is "$pid_path/sidekiq.pid" sidekiq_pid_path="$pid_path/sidekiq.pid" + +gitlab_workhorse_pid_path="$pid_path/gitlab-workhorse.pid" +# The -listenXxx settings determine where gitlab-workhorse +# listens for connections from NGINX. To listen on localhost:8181, write +# '-listenNetwork tcp -listenAddr localhost:8181'. +# The -authBackend setting tells gitlab-workhorse where it can reach +# Unicorn. +gitlab_workhorse_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-workhorse.socket -authBackend http://<%= @gitlab_unicorn_listen %>:<%= @gitlab_unicorn_port%>" +gitlab_workhorse_log="<%= @gitlab_log_folder ? @gitlab_log_folder : '$app_root/log' %>/gitlab-workhorse.log" + +### GitLab 8.0 and 8.1 use 'gitlab-git-http-server' instead of 'gitlab-workhorse' +gitlab_git_http_server_pid_path="$pid_path/gitlab-git-http-server.pid" +# The -listenXxx settings determine where gitlab-git-http-server +# listens for connections from NGINX. To listen on localhost:8181, write +# '-listenNetwork tcp -listenAddr localhost:8181'. +# The -authBackend setting tells gitlab-git-http-server where it can reach +# Unicorn. +gitlab_git_http_server_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-workhorse.socket -authBackend http://<%= @gitlab_unicorn_listen %>:<%= @gitlab_unicorn_port%>" +gitlab_git_http_server_repo_root="<%= @gitlab_repodir %>/repositories" +gitlab_git_http_server_log="<%= @gitlab_log_folder ? @gitlab_log_folder : '$app_root/log' %>/gitlab-git-http-server.log" + +# mail_room_enabled specifies whether mail_room, which is used to process incoming email, is enabled. +# This is required for the Reply by email feature. 
+# The default is "false" +mail_room_enabled=<%= @incoming_email_enabled %> + +# mail_room_pid_path defines the path in which to create the pid file for mail_room +# The default is "$pid_path/mail_room.pid" +mail_room_pid_path="$pid_path/mail_room.pid" + +# shell_path defines the path of shell for "$app_user" in case you are using +# shell other than "bash" +# The default is "/bin/bash" +shell_path="/bin/bash" diff --git a/templates/gitlab.yml.erb b/templates/gitlab.yml.erb index e70e44b..cd56df4 100644 --- a/templates/gitlab.yml.erb +++ b/templates/gitlab.yml.erb @@ -1,14 +1,27 @@ # Managed by Puppet # Module gitlab -# # # # # # # # # # # # # # # # # # # # GitLab application config file # # # # # # # # # # # # # # # # # # # # +########################### NOTE ##################################### +# This file should not receive new settings. All configuration options # +# that do not require an application restart are being moved to # +# ApplicationSetting model! # +# If you change this file in a Merge Request, please also create # +# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # +######################################################################## +# +# # How to use: -# 1. copy file as gitlab.yml -# 2. Replace gitlab -> host with your domain -# 3. Replace gitlab -> email_from +# 1. Copy file as gitlab.yml +# 2. Update gitlab -> host with your fully qualified domain name +# 3. Update gitlab -> email_from +# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git +# IMPORTANT: If Git was installed in a different location use that instead. +# You can check with `which git`. If a wrong path of Git is specified, it will +# result in various issues such as failures of GitLab CI builds. +# 5. Review this configuration file for other settings you may want to adjust production: &base # 
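Review bot: `-listenUmask 0` in `gitlab_workhorse_options` (and in the `gitlab_git_http_server_options` copy) creates the workhorse unix socket world-readable and world-writable, and config.pp manages `tmp/sockets` with mode 0755, so any local account can connect to gitlab-workhorse directly and bypass NGINX and whatever it enforces (TLS termination, `client_max_body_size`, access logging). If the web server user is made a member of `$git_group`, `-listenUmask 007` is enough for NGINX to reach the socket; otherwise at least document the reason the socket must be world-accessible, e.g. `# umask 0: NGINX runs as a separate user and must be able to open this socket; tighten to 007 if nginx is added to the git group`. The two option strings are otherwise identical apart from the binary name, so a single variable reused by both would avoid the two copies drifting apart.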
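Review bot: The NOTE box copied from upstream gitlab.yml.example tells readers to open a merge request on omnibus-gitlab when they change this file, which is wrong guidance for a Puppet-rendered template; either drop those lines or reword them for this module, e.g. `# NOTE: upstream keeps new settings out of gitlab.yml; prefer the Admin Area (ApplicationSetting) over adding keys to this template`. Step 1 of the "How to use" list (`Copy file as gitlab.yml`) is likewise upstream text that does not apply when Puppet writes the file and could be replaced with a pointer to the module parameters.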
@@ -35,8 +48,9 @@ production: &base <%- end %> # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') - # user: git + user: <%= @git_user %> + ## Date & Time settings # Uncomment and customize if you want to change the default time zone of GitLab application. # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production` <%- if @gitlab_time_zone %> 
@@ -53,46 +67,23 @@ production: &base # Email server smtp settings are in config/initializers/smtp_settings.rb.sample - # Email address of your support contact (default: same as email_from) - support_email: <%= @gitlab_support_email %> - - ## User settings - default_projects_limit: <%= @gitlab_projects %> - # default_can_create_group: false # default: true - # default: true - User can change her username/namespace + default_can_create_group: <%= @gitlab_default_can_create_group ? 'true' : 'false' %> username_changing_enabled: <%= @gitlab_username_change ? 'true' : 'false' %> - ## Default theme - ## BASIC = 1 - ## MARS = 2 - ## MODERN = 3 - ## GRAY = 4 - ## COLOR = 5 + ## Default theme ID + ## 1 - Graphite + ## 2 - Charcoal + ## 3 - Green + ## 4 - Gray + ## 5 - Violet + ## 6 - Blue # default_theme: 2 # default: 2 - - ## Users management - # default: false - Account passwords are not sent via the email if signup is enabled. - # signup_enabled: true - # - # default: true - If set to false, standard login form won't be shown on the sign-in page - # signin_enabled: false - - # Restrict setting visibility levels for non-admin users. - # The default is to allow all levels. -<% if @restricted_visibility_levels %> - restricted_visibility_levels: -<% @restricted_visibility_levels.each do |level| %> - - <%= level %> -<% end %> -<% else %> - #restricted_visibility_levels: [ "public" ] -<% end %> - ## Automatic issue closing # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. # This happens when the commit is pushed or merged into the default branch of a project. # When not specified the default issue_closing_pattern as specified below will be used. - # issue_closing_pattern: '([Cc]lose[sd]|[Ff]ixe[sd]) #(\d+)' + # Tip: you can test your closing pattern at http://rubular.com. + # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?) +(?:(?:issues? 
+)?#\d+(?:(?:, *| +and +)?))+)' <% if @gitlab_issue_closing_pattern -%> issue_closing_pattern: '<%= @gitlab_issue_closing_pattern.gsub("'","''") %>' <% end -%> @@ -102,11 +93,8 @@ production: &base issues: <%= @gitlab_default_projects_features_issues %> merge_requests: <%= @gitlab_default_projects_features_merge_requests %> wiki: <%= @gitlab_default_projects_features_wiki %> - wall: <%= @gitlab_default_projects_features_wall %> snippets: <%= @gitlab_default_projects_features_snippets %> - # can be "private" | "internal" | "public" - visibility_level: <%= @gitlab_default_projects_features_visibility_level %> - + ## Webhook settings # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) webhook_timeout: <%= @gitlab_webhook_timeout %> 
@@ -116,119 +104,194 @@ production: &base # The default is 'tmp/repositories' relative to the root of the Rails app. repository_downloads_path: <%= @gitlab_repository_downloads_path %> - ## External issues trackers - issues_tracker: -<% if @issues_tracker %> -<% @issues_tracker.keys.sort.each do |name| %> - <%= name %>: -<% @issues_tracker[name].keys.sort.each do |k| %> - <%= k %>: <%= @issues_tracker[name][k] -%> -<% end -%> -<% end -%> -<% else %> - # redmine: - # title: "Redmine" - # ## If not nil, link 'Issues' on project page will be replaced with this - # ## Use placeholders: - # ## :project_id - GitLab project identifier - # ## :issues_tracker_id - Project Name or Id in external issue tracker - # project_url: "http://redmine.sample/projects/:issues_tracker_id" - # - # ## If not nil, links from /#\d/ entities from commit messages will replaced with this - # ## Use placeholders: - # ## :project_id - GitLab project identifier - # ## :issues_tracker_id - Project Name or Id in external issue tracker - # ## :id - Issue id (from commit messages) - # issues_url: "http://redmine.sample/issues/:id" - # - # ## If not nil, links to creating new issues will be replaced with this - # ## Use placeholders: - # ## :project_id - GitLab project identifier - # ## :issues_tracker_id - Project Name or Id in external issue tracker - # new_issue_url: "http://redmine.sample/projects/:issues_tracker_id/issues/new" - # - # jira: - # title: "Atlassian Jira" - # project_url: "http://jira.sample/issues/?jql=project=:issues_tracker_id" - # issues_url: "http://jira.sample/browse/:id" - # new_issue_url: "http://jira.sample/secure/CreateIssue.jspa" -<% end %> + ## Reply by email + # Allow users to comment on issues and merge requests by replying to notification emails. 
+ # For documentation on how to set this up, see http://doc.gitlab.com/ce/incoming_email/README.html + incoming_email: + enabled: <%= @incoming_email_enabled %> + address: <%= @incoming_email_address %> ## Gravatar + ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html gravatar: - enabled: <%= @gravatar_enabled %> # Use user avatar image from Gravatar.com (default: true) + enabled: <%= @gravatar_enabled %> # Use user avatar image from Gravatar.com (default: true) # gravatar urls: possible placeholders: %{hash} %{size} %{email} - # plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=mm - # ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm + # plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + # ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon # - # 2. Auth settings + # 2. GitLab CI settings # ========================== - ## LDAP settings - # You can inspect a sample of the LDAP users with login access by running: - # bundle exec rake gitlab:ldap:check RAILS_ENV=production - ldap: - enabled: <%= @ldap_enabled %> - host: '<%= @ldap_host %>' - port: <%= @ldap_port %> - uid: '<%= @ldap_uid %>' - # "tls" or "ssl" or "plain" - method: '<%= @ldap_method %>' -<% if @ldap_bind_dn != '' -%> - bind_dn: '<%= @ldap_bind_dn %>' - password: '<%= @ldap_bind_password %>' -<% end -%> - - # This setting specifies if LDAP server is Active Directory LDAP server. - # For non AD servers it skips the AD specific queries. - # If your LDAP server is not AD, set this to false. - active_directory: <%= @ldap_active_directory %> - - # If allow_username_or_email_login is enabled, GitLab will ignore everything - # after the first '@' in the LDAP username submitted by the user on login. 
+ gitlab_ci: + # Default project notifications settings: # - # Example: - # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; - # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. + # Send emails only on broken builds (default: true) + all_broken_builds: <%= @gitlab_ci_all_broken_builds %> # - # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to - # disable this setting, because the userPrincipalName contains an '@'. - allow_username_or_email_login: true + # Add pusher to recipients list (default: false) + add_pusher: <%= @gitlab_ci_add_pusher %> + # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root + builds_path: <%= @gitlab_ci_builds_path %> - # To maintain tight control over the number of active users on your GitLab installation, - # enable this setting to keep new users blocked until they have been cleared by the admin - # (default: false). - block_auto_created_users: <%= @ldap_block_auto_created_users %> + # + # 3. Auth settings + # ========================== - # Base where we can search for users - # - # Ex. ou=People,dc=gitlab,dc=example - # - base: '<%= @ldap_base %>' + ## LDAP settings + # You can inspect a sample of the LDAP users with login access by running: + # bundle exec rake gitlab:ldap:check RAILS_ENV=production + ldap: + enabled: <%= @ldap_enabled %> - # Filter LDAP users - # - # Format: RFC 4515 - # Ex. (employeeType=developer) - # - user_filter: '<%= @ldap_user_filter -%>' - - # EE settings -<% if @ldap_sync_time!= '' -%> - sync_time: <%=@ldap_sync_time%> -<% end -%> -<% if @ldap_group_base!= '' -%> - group_base: <%=@ldap_group_base%> -<% end -%> -<% if @ldap_sync_ssh_keys!= '' -%> - sync_ssh_keys: <%=@ldap_sync_ssh_keys%> -<% end -%> -<% if @ldap_admin_group!= '' -%> - admin_group: <%=@ldap_admin_group%> + # GitLab EE only. 
+ # In addition to refreshing users when they log in, + # enabling this setting will refresh LDAP user membership once a day. + # Default time of the day when this will happen is at 1:30am server time. + schedule_sync_hour: <%= @ldap_schedule_sync_hour %> # Hour of the day. Value from 0-23. + schedule_sync_minute: <%= @ldap_schedule_sync_minute %> # Minute of the hour. Value from 0-59. + + servers: + ########################################################################## + # + # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab + # Enterprise Edition now supports connecting to multiple LDAP servers. + # + # If you are updating from the old (pre-7.4) syntax, you MUST give your + # old server the ID 'main'. + # + ########################################################################## + main: # 'main' is the GitLab 'provider ID' of this LDAP server + ## label + # + # A human-friendly name for your LDAP server. It is OK to change the label later, + # for instance if you find out it is too large to fit on the web page. + # + # Example: 'Paris' or 'Acme, Ltd.' + label: 'LDAP' + + host: '<%= @ldap_host %>' + port: <%= @ldap_port %> + uid: '<%= @ldap_uid %>' + method: '<%= @ldap_method %>' # "tls" or "ssl" or "plain" +<% if @ldap_bind_dn != '' -%> + bind_dn: '<%= @ldap_bind_dn %>' + password: '<%= @ldap_bind_password %>' <% end -%> + # This setting specifies if LDAP server is Active Directory LDAP server. + # For non AD servers it skips the AD specific queries. + # If your LDAP server is not AD, set this to false. + active_directory: <%= @ldap_active_directory %> + + # If allow_username_or_email_login is enabled, GitLab will ignore everything + # after the first '@' in the LDAP username submitted by the user on login. + # + # Example: + # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; + # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. 
+ # + # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to + # disable this setting, because the userPrincipalName contains an '@'. + allow_username_or_email_login: <%= @ldap_allow_username_or_email_login %> + + # To maintain tight control over the number of active users on your GitLab installation, + # enable this setting to keep new users blocked until they have been cleared by the admin + # (default: false). + block_auto_created_users: <%= @ldap_block_auto_created_users %> + + # Base where we can search for users + # + # Ex. ou=People,dc=gitlab,dc=example + # + base: '<%= @ldap_base %>' + + # Filter LDAP users + # + # Format: RFC 4515 http://tools.ietf.org/search/rfc4515 + # Ex. (employeeType=developer) + # + # Note: GitLab does not support omniauth-ldap's custom filter syntax. + # + user_filter: '<%= @ldap_user_filter -%>' + + # This setting controls the amount of time between LDAP permission checks for each user. + # After this time has expired for a given user, their next interaction with GitLab (a click in the web UI, a git pull etc.) will be slower because the LDAP permission check is being performed. + # How much slower depends on your LDAP setup, but it is not uncommon for this check to add seconds of waiting time. + # The default value is to have a 'slow click' once every 3600 seconds, i.e. once per hour. + # + # Warning: if you set this value too low, every click in GitLab will be a 'slow click' for all of your LDAP users. + sync_time: <%=@ldap_sync_time%> + + # Base where we can search for groups + # + # Ex. ou=Groups,dc=gitlab,dc=example + # + group_base: <%=@ldap_group_base%> + + # LDAP group of users who should be admins in GitLab + # + # Ex. GLAdmins + # + admin_group: <%=@ldap_admin_group%> + + # Name of attribute which holds a ssh public key of the user object. + # If false or nil, SSH key syncronisation will be disabled. + # + # Ex. 
sshpublickey + # + sync_ssh_keys: <%=@ldap_sync_ssh_keys%> + + # LDAP attributes that GitLab will use to create an account for the LDAP user. + # The specified attribute can either be the attribute name as a string (e.g. 'mail'), + # or an array of attribute names to try in order (e.g. ['mail', 'email']). + # Note that the user's LDAP login will always be the attribute specified as `uid` above. + attributes: + # The username will be used in paths for the user's own projects + # (like `gitlab.example.com/username/project`) and when mentioning + # them in issues, merge request and comments (like `@username`). + # If the attribute specified for `username` contains an email address, + # the GitLab username will be the part of the email address before the '@'. + username: <%= require 'json'; @ldap_attributes_username.to_json %> + email: <%= require 'json'; @ldap_attributes_email.to_json %> + + # If no full name could be found at the attribute specified for `name`, + # the full name is determined using the attributes specified for + # `first_name` and `last_name`. + name: <%= require 'json'; @ldap_attributes_name.to_json %> + first_name: <%= require 'json'; @ldap_attributes_first_name.to_json %> + last_name: <%= require 'json'; @ldap_attributes_last_name.to_json %> + + # GitLab EE only: add more LDAP servers + # Choose an ID made of a-z and 0-9 . This ID will be stored in the database + # so that GitLab can remember which LDAP server a user belongs to. + # uswest2: + # label: + # host: + # .... + + ## Kerberos settings + kerberos: + # Allow the HTTP Negotiate authentication method for Git clients + enabled: <%= @kerberos_enabled %> + + # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user, + # and should be different from other keytabs in the system. + # (default: use default keytab from Krb5 config) + keytab: <%= @kerberos_keytab %> + + # The Kerberos service name to be used by GitLab. 
+ # (default: accept any service name in keytab file) + service_principal_name: <%= @kerberos_service_principal_name %> + + # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails. + # To support both Basic and Negotiate methods with older versions of Git, configure + # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines + # to dedicate this port to Kerberos authentication. (default: false) + use_dedicated_port: <%= @kerberos_use_dedicated_port %> + port: <%= @kerberos_port %> + https: <%= @kerberos_https %> ## OmniAuth settings omniauth: 
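Review bot: `password: '<%= @ldap_bind_password %>'` (likewise `bind_dn`, `base`, `user_filter` and `keytab`) interpolates the value into a single-quoted YAML scalar with no escaping, so a bind password containing `'` yields an unparsable gitlab.yml and a broken LDAP bind, and a value beginning with a YAML-significant character is easy to get wrong. This same file already escapes `issue_closing_pattern` with `.gsub("'","''")` and the new `attributes:` block serialises with `.to_json`; use one of those consistently, e.g. `password: <%= require 'json'; @ldap_bind_password.to_json %>`. The EE-only `sync_time`, `group_base`, `admin_group` and `sync_ssh_keys` lines are also now rendered unconditionally where the removed code emitted them only when non-empty, so an unset parameter presumably renders an empty scalar (null); confirm GitLab CE tolerates that. The `production: &base` mapping this hunk edits begins before the hunk.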
@@ -240,23 +303,30 @@ production: &base <% @omniauth["providers"] && @omniauth["providers"].each do |provider| -%> - <% provider.keys.reject{|key| key=="args"}.sort.each do |key| -%> - <%= key %>: <%= provider[key] %> + <%= key %>: <%= require 'json'; provider[key].to_json %> <% end -%> args: <% provider["args"] && provider["args"].keys.sort.each do |arg| -%> - <%= arg %>: <%= provider["args"][arg] %> + <%= arg %>: <%= require 'json'; provider["args"][arg].to_json %> <% end -%> <% end -%> <% else %> # Allow login via Twitter, Google, etc. using OmniAuth providers enabled: false + # Uncomment this to automatically sign in with a specific omniauth provider's without + # showing GitLab's sign-in page (default: show the GitLab sign-in page) + # auto_sign_in_with_provider: saml + # CAUTION! # This allows users to login without having a user account first (default: false). # User accounts will be created automatically when authentication was successful. allow_single_sign_on: false # Locks down those users until they have been cleared by the admin (default: true). block_auto_created_users: true + # Look up new users in LDAP servers. If a match is found (same uid), automatically + # link the omniauth identity with the LDAP account. (default: false) + auto_link_ldap_user: false ## Auth providers # Uncomment the following lines and fill in the data of the auth provider you want to use 
@@ -266,32 +336,74 @@ production: &base # arguments, followed by optional 'args' which can be either a hash or an array. # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html providers: - # - { name: 'google_oauth2', app_id: 'YOUR APP ID', - # app_secret: 'YOUR APP SECRET', + # - { name: 'google_oauth2', + # label: 'Google', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', # args: { access_type: 'offline', approval_prompt: '' } } - # - { name: 'twitter', app_id: 'YOUR APP ID', - # app_secret: 'YOUR APP SECRET'} - # - { name: 'github', app_id: 'YOUR APP ID', - # app_secret: 'YOUR APP SECRET', + # - { name: 'twitter', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET' } + # - { name: 'github', + # label: 'GitHub', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # url: "https://github.com/", # args: { scope: 'user:email' } } + # - { name: 'gitlab', + # label: 'GitLab.com', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # args: { scope: 'api' } } + # - { name: 'bitbucket', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET' } + # - { name: 'saml', + # label: 'Our SAML Provider', + # args: { + # assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback', + # idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8', + # idp_sso_target_url: 'https://login.example.com/idp', + # issuer: 'https://gitlab.example.com', + # name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' + # } } + # - { name: 'crowd', + # args: { + # crowd_server_url: 'CROWD SERVER URL', + # application_name: 'YOUR_APP_NAME', + # application_password: 'YOUR_APP_PASSWORD' } } <% end %> + # - # 3. Advanced settings + # 4. 
Advanced settings # ========================== # GitLab Satellites satellites: # Relative paths are relative to Rails.root (default: tmp/repo_satellites/) path: <%= @gitlab_satellitedir %>/gitlab-satellites/ + timeout: 30 ## Backup settings backup: - # Relative paths are relative to Rails.root (default: tmp/backups/) - path: <%= @gitlab_backup_path %> - # default: 0 (forever) (in seconds) - keep_time: <%= @gitlab_backup_keep_time %> + path: <%= @gitlab_backup_path %> # Relative paths are relative to Rails.root (default: tmp/backups/) + archive_permissions: <%= @gitlab_backup_archive_permissions %> # Permissions for the resulting backup.tar file (default: 0600) + keep_time: <%= @gitlab_backup_keep_time %> # default: 0 (forever) (in seconds) + # pg_schema: public # default: nil, it means that all schemas will be backed up + # upload: + # # Fog storage connection settings, see http://fog.io/storage/ . + # connection: + # provider: AWS + # region: eu-west-1 + # aws_access_key_id: AKIAKIAKI + # aws_secret_access_key: 'secret123' + # # The remote 'directory' to store your backups. For S3, this would be the bucket name. + # remote_directory: 'my.s3.bucket' + # # Use multipart uploads when file size reaches 100MB, see + # # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html + # multipart_chunk_size: 104857600 ## GitLab Shell settings gitlab_shell: @@ -303,12 +415,8 @@ production: &base # File that contains the secret key for verifying access for gitlab-shell. # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app). -<% if @gitlab_secret_file -%> secret_file: <%= @gitlab_secret_file %> -<% else -%> - # secret_file: /home/git/gitlab/.gitlab_shell_secret -<% end -%> - + # Git over HTTP upload_pack: true receive_pack: true 
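Review bot: `timeout: 30` under `satellites:` is the only hard-coded value in a section where every other setting is a class parameter; either parameterise it or comment why it is fixed. `archive_permissions: <%= @gitlab_backup_archive_permissions %>` is emitted unquoted, so the rendered `0600` relies on YAML reading the leading zero as octal and GitLab using the result as a numeric file mode; a value supplied without the leading `0` would be read as decimal, so the parameter docs should say it must be a four-digit octal string such as `'0600'`. The `production: &base` mapping this hunk edits begins before the hunk.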
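Review bot: `secret_file: <%= @gitlab_secret_file %>` is now rendered unconditionally, whereas the removed `<% if @gitlab_secret_file -%>` guard left the key commented out when the parameter was unset; if the class default is still unset or `false`, this renders `secret_file:` with an empty or `false` value rather than letting GitLab fall back to its default `.gitlab_shell_secret` path. Keep the guard, `<% if @gitlab_secret_file -%>` / `secret_file: <%= @gitlab_secret_file %>` / `<% end -%>`, or verify the parameter always carries a path. The `gitlab_shell:` mapping this hunk edits begins before the hunk.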
@@ -324,13 +432,12 @@ production: &base # The next value is the maximum memory size grit can use # Given in number of bytes per git object (e.g. a commit) # This value can be increased if you have very large commits - # 5.megabytes - max_size: <%= @git_max_size %> + max_size: <%= @git_max_size %> # 20.megabytes # Git timeout to read a commit, in seconds timeout: <%= @git_timeout %> # - # 4. Extra customization + # 5. Extra customization # ========================== extra: @@ -345,24 +452,22 @@ production: &base # piwik_url: '_your_piwik_url' # piwik_site_id: '_your_piwik_site_id' - ## Text under sign-in page (Markdown enabled) -<% if @company_logo_url != '' or @company_link != '' or @company_name != '' %> - sign_in_text: | - <% if @company_logo_url != '' %> - ![Company Logo](<%= @company_logo_url %>) - <% end %> - <% if @company_name != '' and @company_link != '' %> - [Learn more about <%= @company_name %>](<%= @company_link %>) - <% elsif @company_name != '' %> - <%= @company_name %> - <% else %> - <%= @company_link %> - <% end %> -<% else %> - # sign_in_text: | - # ![Company Logo](http://www.companydomain.com/logo.png) - # [Learn more about CompanyName](http://www.companydomain.com/) -<% end %> + rack_attack: + git_basic_auth: + # Rack Attack IP banning enabled + # enabled: true + # + # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers + # ip_whitelist: ["127.0.0.1"] + # + # Limit the number of Git HTTP authentication attempts per IP + # maxretry: 10 + # + # Reset the auth attempt counter per IP after 60 seconds + # findtime: 60 + # + # Ban an IP for one hour (3600s) after too many auth attempts + # bantime: 3600 development: <<: *base 
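Review bot: The new `rack_attack.git_basic_auth` block is emitted entirely commented out, so throttling of Git-over-HTTP authentication attempts stays at GitLab's default (disabled) and cannot be enabled through this module even though every other setting in the file is parameterised; `enabled`, `maxretry`, `findtime` and `bantime` should be driven from class parameters, e.g. `enabled: <%= @<rack_attack_enabled parameter> %>` (placeholder name). The removed `sign_in_text` block also means the `company_logo_url`, `company_link` and `company_name` parameters are now silently ignored if the class still accepts them (not visible here). This hunk edits the `extra:` mapping under `production: &base`, which begins before the hunk.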
@@ -374,12 +479,39 @@ test:
 gitlab:
 host: localhost
 port: 80
+
+ # When you run tests we clone and setup gitlab-shell
+ # In order to setup it correctly you need to specify
+ # your system username you use to run GitLab
+ # user: YOUR_USERNAME
+ satellites:
+ path: tmp/tests/gitlab-satellites/
+ backup:
+ path: tmp/tests/backups
+ gitlab_shell:
+ path: tmp/tests/gitlab-shell/
+ repos_path: tmp/tests/repositories/
+ hooks_path: tmp/tests/gitlab-shell/hooks/
 issues_tracker:
 redmine:
 title: "Redmine"
 project_url: "http://redmine/projects/:issues_tracker_id"
 issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
 new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
+ ldap:
+ enabled: false
+ servers:
+ main:
+ label: ldap
+ host: 127.0.0.1
+ port: 3890
+ uid: 'uid'
+ method: 'plain' # "tls" or "ssl" or "plain"
+ base: 'dc=example,dc=com'
+ user_filter: ''
+ group_base: 'ou=groups,dc=example,dc=com'
+ admin_group: ''
+ sync_ssh_keys: false
 
 staging:
 <<: *base
diff --git a/templates/gitlab_logrotate.erb b/templates/gitlab_logrotate.erb
new file mode 100644
index 0000000..a3beec3
--- /dev/null
+++ b/templates/gitlab_logrotate.erb
@@ -0,0 +1,23 @@
+#Managed by Puppet
+# GitLab logrotate settings
+# based on: http://stackoverflow.com/a/4883967
+
+<%= @gitlab_log_folder ? @gitlab_log_folder : (@git_home + "/gitlab/log") %>/*.log {
+ daily
+ missingok
+ rotate 90
+ compress
+ notifempty
+ copytruncate
+}
+
+<% unless @gitlabshell_log_folder && @gitlab_log_folder && @gitlabshell_log_folder == @gitlab_log_folder %>
+<%= @gitlabshell_log_folder ? @gitlabshell_log_folder : (@git_home + "/gitlab-shell") %>/gitlab-shell.log {
+ daily
+ missingok
+ rotate 90
+ compress
+ notifempty
+ copytruncate
+}
+<% end %>
\ No newline at end of file
diff --git a/templates/nginx-gitlab.conf.erb b/templates/nginx-gitlab.conf.erb
index 58be709..7a9816c 100644
--- a/templates/nginx-gitlab.conf.erb
+++ b/templates/nginx-gitlab.conf.erb
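Review bot: Both logrotate stanzas rotate files that live in directories owned by the GitLab service user while logrotate itself runs as root, and neither carries a `su` directive; logrotate 3.8 and later refuses to rotate in a directory that is group- or world-writable by a non-root principal unless `su` is given, and the directive also confines the root-run rotation to the service user's privileges. Add `su <gitlab user> <gitlab group>` (placeholders for the module's user and group variables) to both stanzas. The `\ No newline at end of file` marker shows the template ends without a trailing newline, which is worth fixing while here.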
@@ -1,99 +1,231 @@ -# GITLAB -# Maintainer: @randx - -# CHUNKED TRANSFER -# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not -# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file) -# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either -# - installing an old version of Nginx with the chunkin module [2] compiled in, or -# - using a newer version of Nginx. -# -# At the time of writing we do not know if either of these theoretical solutions works. As a workaround -# users can use Git over SSH to push large files. -# -# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 -# [1] https://github.com/agentzh/chunkin-nginx-module#status -# [2] https://github.com/agentzh/chunkin-nginx-module +## GitLab +## +## Modified from nginx http version +## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ +## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html +## +## Lines starting with two hashes (##) are comments with information. +## Lines starting with one hash (#) are configuration parameters that can be uncommented. +## +################################## +## CONTRIBUTING ## +################################## +## +## If you change this file in a Merge Request, please also create +## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests +## +################################## +## CHUNKED TRANSFER ## +################################## +## +## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] +## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object +## with Git (i.e. a single large file) can lead to a 411 error. 
In theory you can get +## around this by tweaking this configuration file and either: +## - installing an old version of Nginx with the chunkin module [2] compiled in, or +## - using a newer version of Nginx. +## +## At the time of writing we do not know if either of these theoretical solutions works. +## As a workaround users can use Git over SSH to push large files. +## +## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99 +## [1] https://github.com/agentzh/chunkin-nginx-module#status +## [2] https://github.com/agentzh/chunkin-nginx-module +## +################################### +## configuration ## +################################### +## +## See installation.md#using-https for additional HTTPS configuration details. upstream <%= @proxy_name %> { - server unix:<%= @socket_path %>; + server unix:<%= @socket_path %> fail_timeout=0; } +<% if @gitlab_workhorse_socket_path %> +upstream gitlab-workhorse { + server unix:<%= @gitlab_workhorse_socket_path %> fail_timeout=0; +} +<% end %> + <% if @gitlab_ssl %> +## Redirects all HTTP traffic to the HTTPS host server { - listen <%= @gitlab_http_port %>; - listen [::]:<%= @gitlab_http_port %> ipv6only=on; - server_name <%= @gitlab_domain_alias ? @gitlab_domain+' '+@gitlab_domain_alias : @gitlab_domain %>; - server_tokens off; - root /nowhere; - rewrite ^ https://$server_name$request_uri permanent; + ## Either remove "default_server" from the listen line below, + ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab + ## to be served if you visit any address that your server responds to, eg. + ## the ip address of the server (http://x.x.x.x/) + listen 0.0.0.0:<%= @gitlab_http_port %>; + listen [::]:<%= @gitlab_http_port %> ipv6only=on default_server; + server_name <%= @gitlab_domain_alias ? 
@gitlab_domain+' '+@gitlab_domain_alias : @gitlab_domain %>; ## Replace this with something like gitlab.example.com + server_tokens off; ## Don't show the nginx version number, a security best practice + return 301 https://$server_name$request_uri; + access_log <%= @nginx_access_log %>; + error_log <%= @nginx_error_log %>; } <% end %> +## HTTPS host server { - # e.g., listen 192.168.1.1:80; - listen <%= @gitlab_ssl ? @gitlab_ssl_port : @gitlab_http_port %>; - listen [::]:<%= @gitlab_ssl ? @gitlab_ssl_port : @gitlab_http_port %> ipv6only=on; - # e.g., server_name source.example.com; - server_name <%= @gitlab_domain_alias ? @gitlab_domain+' '+@gitlab_domain_alias : @gitlab_domain %>; - server_tokens off; + listen 0.0.0.0:<%= @gitlab_ssl ? @gitlab_ssl_port : @gitlab_http_port %><%= @gitlab_ssl ? ' ssl' : '' %>; + listen [::]:<%= @gitlab_ssl ? @gitlab_ssl_port : @gitlab_http_port %> ipv6only=on<%= @gitlab_ssl ? ' ssl' : '' %> default_server; +<% if @kerberos_use_dedicated_port %> + listen 0.0.0.0:<%= @kerberos_port %><%= @kerberos_https ? ' ssl' : '' %>; + listen [::]:<%= @kerberos_port %> ipv6only=on<%= @kerberos_https ? ' ssl' : '' %> default_server; +<% end %> + server_name <%= @gitlab_domain_alias ? 
@gitlab_domain+' '+@gitlab_domain_alias : @gitlab_domain %>; ## Replace this with something like gitlab.example.com + server_tokens off; ## Don't show the nginx version number, a security best practice root <%= @root_path %>; - # Increase this if you want to upload large attachments - # Or if you want to accept large git objects over http - client_max_body_size 20m; + ## Increase this if you want to upload large attachments + ## Or if you want to accept large git objects over http + client_max_body_size <%= @nginx_client_max_body_size %>; <% if @gitlab_ssl %> - gzip off; - ssl on; - ssl_certificate <%= @gitlab_ssl_cert %>; - ssl_certificate_key <%= @gitlab_ssl_key %>; - # please see https://github.com/sbadia/puppet-gitlab/pull/104 - # ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - # ssl_ciphers AES:HIGH:!aNULL:!RC4:!MD5:!ADH:!MDF; - ssl_prefer_server_ciphers on; - ssl_protocols <%= @gitlab_ssl_protocols %>; - ssl_ciphers <%= @gitlab_ssl_ciphers %>; + ## Strong SSL Security + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ + ssl on; + ssl_certificate <%= @gitlab_ssl_cert %>; + ssl_certificate_key <%= @gitlab_ssl_key %>; + + # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs + ssl_ciphers <%= @gitlab_ssl_ciphers %>; + ssl_protocols <%= @gitlab_ssl_protocols %>; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; <% end %> + ## See app/controllers/application_controller.rb for headers set - # individual nginx logs for this gitlab vhost - access_log /var/log/nginx/<%= @proxy_name %>_access.log; - error_log /var/log/nginx/<%= @proxy_name %>_error.log; + ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. + ## Replace with your ssl_trusted_certificate. 
For more info see: + ## - https://medium.com/devops-programming/4445f4862461 + ## - https://www.ruby-forum.com/topic/4419319 + ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx + # ssl_stapling on; + # ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; + # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired + # resolver_timeout 5s; + + ## [Optional] Generate a stronger DHE parameter: + ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 + ## + # ssl_dhparam /etc/ssl/certs/dhparam.pem; + + ## Individual nginx logs for this GitLab vhost + access_log <%= @nginx_access_log %>; + error_log <%= @nginx_error_log %>; location / { - # serve static files from defined root folder;. - # @gitlab is a named location for the upstream fallback, see below + ## Serve static files from defined root folder. + ## @gitlab is a named location for the upstream fallback, see below. try_files $uri $uri/index.html $uri.html @<%= @proxy_name %>; } - # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression - location ~ ^/(assets)/ { - root <%= @root_path %>; - gzip_static on; # to serve pre-gzipped version - expires max; - add_header Cache-Control public; + ## We route uploads through GitLab to prevent XSS and enforce access control. + location /uploads/ { + ## If you use HTTPS make sure you disable gzip compression + ## to be safe against BREACH attack. + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. 
+ proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + + proxy_pass http://<%= @proxy_name %>; } - # if a file, which is not found in the root folder is requested, - # then the proxy pass the request to the upsteam (gitlab unicorn) + ## If a file, which is not found in the root folder is requested, + ## then the proxy passes the request to the upsteam (gitlab unicorn). location @<%= @proxy_name %> { - # https://github.com/gitlabhq/gitlabhq/issues/694 - proxy_read_timeout <%= @gitlab_http_timeout %>; - # https://github.com/gitlabhq/gitlabhq/issues/694 - proxy_connect_timeout <%= @gitlab_http_timeout %>; - proxy_redirect off; + ## If you use HTTPS make sure you disable gzip compression + ## to be safe against BREACH attack. + gzip off; - proxy_set_header X-Forwarded-Proto $scheme; -<% if @gitlab_ssl %> - proxy_set_header X-Forwarded-Ssl on; -<% end %> - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. 
+ proxy_read_timeout <%= @gitlab_http_timeout %>; + proxy_connect_timeout <%= @gitlab_http_timeout %>; + proxy_redirect off; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; proxy_pass http://<%= @proxy_name %>; } +<% if @gitlab_workhorse_socket_path %> + location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ { + # 'Error' 418 is a hack to re-use the @gitlab-workhorse block + error_page 418 = @gitlab-workhorse; + return 418; + } + + location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive { + # 'Error' 418 is a hack to re-use the @gitlab-workhorse block + error_page 418 = @gitlab-workhorse; + return 418; + } + + location ~ ^/api/v3/projects/.*/repository/archive { + # 'Error' 418 is a hack to re-use the @gitlab-workhorse block + error_page 418 = @gitlab-workhorse; + return 418; + } + + location @gitlab-workhorse { + ## If you use HTTPS make sure you disable gzip compression + ## to be safe against BREACH attack. + gzip off; + + ## https://github.com/gitlabhq/gitlabhq/issues/694 + ## Some requests take more than 30 seconds. 
+ proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + + # Do not buffer Git HTTP responses + proxy_buffering off; + + # The following settings only work with NGINX 1.7.11 or newer + # + # # Pass chunked request bodies to gitlab-workhorse as-is + # proxy_request_buffering off; + # proxy_http_version 1.1; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://gitlab-workhorse; + } +<% end %> + ## Enable gzip compression as per rails guide: + ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression + ## WARNING: If you are using relative urls remove the block below + ## See config/application.rb under "Relative url support" for the list of + ## other files that need to be changed for relative url support + location ~ ^/(assets)/ { + root <%= @git_home %>/gitlab/public; + gzip_static on; # to serve pre-gzipped version + expires max; + add_header Cache-Control public; + } + error_page 502 /502.html; } -
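Review bot: `proxy_set_header X-Forwarded-Ssl on;` is now emitted unconditionally in the `/uploads/`, `@<%= @proxy_name %>` and `@gitlab-workhorse` locations, whereas the removed code set it only inside `<% if @gitlab_ssl %>`; on a plain-HTTP deployment this tells Rails the request was TLS-terminated, so presumably secure-cookie and HTTPS-redirect behaviour would be wrong for non-SSL installs. Restore the guard around that line in all three locations: `<% if @gitlab_ssl %>` / `proxy_set_header X-Forwarded-Ssl on;` / `<% end %>`. The `/uploads/` and workhorse locations also hard-code `proxy_read_timeout 300` while `@<%= @proxy_name %>` uses `<%= @gitlab_http_timeout %>`, and the assets location uses `<%= @git_home %>/gitlab/public` where the server `root` uses `<%= @root_path %>`; those should agree. With `@gitlab_ssl` set, the HTTPS server now configures `ssl_session_cache` and ciphers but sends no `Strict-Transport-Security` header, which would close the remaining downgrade window for browsers.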