diff --git a/software/gitlab/buildout.hash.cfg b/software/gitlab/buildout.hash.cfg
index 7325d50e6273129fc5d15995214ad9a356398bbe..a3fe115b5e27982ac6879a04313b98993ca41274 100644
--- a/software/gitlab/buildout.hash.cfg
+++ b/software/gitlab/buildout.hash.cfg
@@ -34,7 +34,7 @@ md5sum = 7782f5c5d75663c2586e28d029c51e49
 
 [gitlab-parameters.cfg]
 _update_hash_filename_ = gitlab-parameters.cfg
-md5sum = c2e23c0f7baa1633df0436ca4e728424
+md5sum = cfda6d959bb90bf0b9c947383f45ce0a
 
 [gitlab-shell-config.yml.in]
 _update_hash_filename_ = template/gitlab-shell-config.yml.in
@@ -42,11 +42,11 @@ md5sum = 9920d10442604f5d8a736825f20ebd2a
 
 [gitlab-unicorn-startup.in]
 _update_hash_filename_ = gitlab-unicorn-startup.in
-md5sum = 79310724640dcc385e627b33334f4877
+md5sum = 649342a015e9dcd84c3ce45da616fee4
 
 [gitlab.yml.in]
 _update_hash_filename_ = template/gitlab.yml.in
-md5sum = bedbfc03eaf3560a93cfde1f497e99f6
+md5sum = 7729388b0939a785e2cd20f6e623660c
 
 [gitaly-config.toml.in]
 _update_hash_filename_ = template/gitaly-config.toml.in
@@ -54,7 +54,7 @@ md5sum = 96d597d5f344dadfe9fb4bdc5ae1f2b2
 
 [instance-gitlab.cfg.in]
 _update_hash_filename_ = instance-gitlab.cfg.in
-md5sum = 1b96d49767f925afc53df6960614eebb
+md5sum = a7e6f2e557bc177b402f45d3c0ffca6e
 
 [instance-gitlab-export.cfg.in]
 _update_hash_filename_ = instance-gitlab-export.cfg.in
@@ -62,7 +62,7 @@ md5sum = 6ba5b3157a4c89edf280e32e84db6ac2
 
 [instance-gitlab-test.cfg.in]
 _update_hash_filename_ = instance-gitlab-test.cfg.in
-md5sum = 60714fb4e6c869c41bd5e9fada1b6e40
+md5sum = 6c24bbc5b74cb1a6c1c78a9d160ac78c
 
 [macrolib.cfg.in]
 _update_hash_filename_ = macrolib.cfg.in
@@ -94,4 +94,4 @@ md5sum = f85c5bf252b8756558f40c8b110731cf
 
 [unicorn.rb.in]
 _update_hash_filename_ = template/unicorn.rb.in
-md5sum = 046cee1a8a024e55f8e64078b1fd5cb2
+md5sum = ed1fb75d937613356388f62898166a47
diff --git a/software/gitlab/gitlab-parameters.cfg b/software/gitlab/gitlab-parameters.cfg
index 5f5c73b6976101ac5e570cfe5bc63196e54bfaec..1f84fabc1fc483fdc185572c6dd4c8cfb9f50882 100644
--- a/software/gitlab/gitlab-parameters.cfg
+++ b/software/gitlab/gitlab-parameters.cfg
@@ -9,7 +9,7 @@
 # (last updated for omnibus-gitlab 8.8.9+ce.0-g25376053)
 
 [gitlab-parameters]
-configuration.external_url              = http://lab.example.com
+configuration.external_url              = https://lab.example.com
 
 # db advanced
 configuration.db_pool                   = 10
diff --git a/software/gitlab/gitlab-unicorn-startup.in b/software/gitlab/gitlab-unicorn-startup.in
index 646c998b6d3ef0ed6c3941d0a981bbd2d98303e7..396196d6f4fade5cc0bd062a451371894db425a3 100644
--- a/software/gitlab/gitlab-unicorn-startup.in
+++ b/software/gitlab/gitlab-unicorn-startup.in
@@ -57,7 +57,7 @@ $RAKE db:migrate >$migrate_log 2>&1  || die "db:migrate failed"
 # if it was a no-op "migration" - we don't need info about that - only keep
 # logs of actual migration run.
 test -s $migrate_log || rm $migrate_log
-
+touch {{ var_dir }}/gitlab_db_ok
 
 # clear cache
 $RAKE cache:clear   || die "cache:clear failed"
diff --git a/software/gitlab/instance-gitlab-test.cfg.in b/software/gitlab/instance-gitlab-test.cfg.in
index a2f8d5a08a39ea87bf6527e094254341671abb32..8bb9d061743683a490ed28f30a9f687a8441d715 100644
--- a/software/gitlab/instance-gitlab-test.cfg.in
+++ b/software/gitlab/instance-gitlab-test.cfg.in
@@ -31,9 +31,9 @@ socket  = ${:srv}/unc.socket
 password = ${root-password:passwd}
 # token for default.user user in gitlab demo backup
 # Edit this token if needed
-private-token = SLurtnxPscPsU-SDm4oN
+private-token = 7zdiC6VrZYnUD3yuvna3
 # raw URL for latest commit on setup.py in gitlab demo backup.
-latest-file-uri = ${:backend_url}/open/slapos/raw/94c96d42c22e16836dadddac7c8061f4a8c6ca7a/setup.py
+latest-file-uri = ${:backend_url}/open/slapos/-/blob/4c2fa97791a2b7530b2d71e8760cb11d287d4e53/setup.py
 
 [instance-parameter]
 # backup more often, 10 minutes seems the minimal
@@ -47,14 +47,18 @@ command =
   if [ -f "${:backup-done}" ]; then
     echo "Demo backup installed."
   else
-    rm -rf ${secrets:secrets} ${directory:var}/backup/* &&
-    mkdir -p ${secrets:secrets} ${directory:var}/tmp &&
-    cp -r {{ gitlab_demo_backup_path }}/secrets/* ${secrets:secrets} &&
-    cp -rf {{ gitlab_demo_backup_path }}/backup-gitlab.git/ ${directory:var}/tmp &&
-    cd ${directory:var}/tmp/backup-gitlab.git/
-    PATH=${directory:bin}:{{ gopath_bin }}:{{ git_location }}/bin:$PATH
-    gitlab-backup restore -vupok -go HEAD &&
-    touch ${:backup-done}
+    if [ ! -f "${directory:var}/gitlab_db_ok" ]; then
+      echo "Not ready to start restoration now..."
+    else
+      rm -rf ${secrets:secrets} ${directory:var}/backup/* &&
+      mkdir -p ${secrets:secrets} ${directory:var}/tmp &&
+      cp -r {{ gitlab_demo_backup_path }}/secrets/* ${secrets:secrets} &&
+      cp -rf {{ gitlab_demo_backup_path }}/backup-gitlab.git/ ${directory:var}/tmp &&
+      cd ${directory:var}/tmp/backup-gitlab.git/
+      PATH=${directory:bin}:{{ gopath_bin }}:{{ git_location }}/bin:$PATH
+      gitlab-backup restore -vupok -go HEAD &&
+      touch ${:backup-done}
+    fi
   fi
 update-command = ${:command}
 
diff --git a/software/gitlab/instance-gitlab.cfg.in b/software/gitlab/instance-gitlab.cfg.in
index c81a7b1867f3ab3c079eb5d42db54050ae4aa6b8..fbc65f3acc759527bbd94b182d74a6df4b100eee 100644
--- a/software/gitlab/instance-gitlab.cfg.in
+++ b/software/gitlab/instance-gitlab.cfg.in
@@ -342,6 +342,7 @@ context =
     raw     psql_bin                {{ postgresql_location }}/bin/psql
     section pgsql                   service-postgresql
     raw     log_dir                 ${gitlab:log}
+    raw     var_dir                 ${directory:var}
     section unicorn_rb              unicorn.rb
     section gitlab_work             gitlab-work
 
@@ -401,13 +402,13 @@ tune-command =
 # secret* tmp/ log/ shared/ builds/ node_modules/
     rm -f .secret  &&
     rm -rf log tmp shared builds node_modules  &&
-    ln -sf ${secrets:secrets}/gitlab_rails_secret .secret  &&
+#    ln -sf ${secrets:secrets}/gitlab_rails_secret .secret  &&
     ln -sf ${gitlab:log} log  &&
     ln -sf ${gitlab:tmp} tmp  &&
     ln -sf ${gitlab:shared} shared  &&
     ln -sf ${gitlab:builds} builds  &&
     ln -sf {{ gitlab_repository_location }}/node_modules node_modules &&
-    ln -sf ${gitlab-workhorse:secret} .gitlab_workhorse_secret
+    ln -sf ${gitlab-workhorse:secret} .gitlab_workhorse_secret &&
 # config/
     cd config  &&
     ln -sf ${unicorn.rb:rendered} unicorn.rb  &&
@@ -417,7 +418,7 @@ tune-command =
     ln -sf ${secrets:secrets}/gitlab_secrets.yml secrets.yml  &&
 # config/initializers/
     cd initializers  &&
-    ln -sf ${rack_attack.rb:rendered} rack_attack.rb  &&
+#    ln -sf ${rack_attack.rb:rendered} rack_attack.rb  &&
     ln -sf ${smtp_settings.rb:rendered} smtp_settings.rb  &&
 # public/
     cd ../../public  &&
@@ -542,6 +543,7 @@ name = redis
 truncate = true
 
 
+
 ########################
 #   gitlab-workhorse   #
 ########################
@@ -586,7 +588,7 @@ depend  =
 [promise-gitlab-workhorse]
 <= promise-byurl
 # http://localhost/users/statics.css will not redirect to /users/sign_in anymore because of this commit:
-#  https://lab.nexedi.com/nexedi/gitlab-workhorse/commit/c81f109a62fecf2a847fb17ceed012b380dab49f#c1215002e6d745f05eaaf9ee1dad7752e85d866f_318_331
+# https://lab.nexedi.com/nexedi/gitlab-workhorse/commit/c81f109a62fecf2a847fb17ceed012b380dab49f#c1215002e6d745f05eaaf9ee1dad7752e85d866f_318_331
 config-command     = {{ curl_bin }} --unix-socket ${gitlab-workhorse:socket}  http://localhost/users/sign_in
 
 
@@ -714,6 +716,8 @@ command-line    =
 depend  =
     ${promise-sidekiq:recipe}
     ${logrotate-entry-sidekiq:recipe}
+wait-for-files =
+  ${directory:var}/gitlab_db_ok
 
 [promise-sidekiq]
 <= promise-rakebase
@@ -836,8 +840,6 @@ rake    = ${gitlab-rake:wrapper-path}
 # run command on every reinstantiation
 update-command = ${:command}
 
-# https://gitlab.com/gitlab-org/gitlab-foss/issues/38457
-# we need to manually install ajv@^4.0.0 with yarn to fix the bug 'yarn check failed!'
 command =
     ${:rake} gitlab:assets:clean  &&
     ${:rake} gettext:compile RAILS_ENV=production &&
diff --git a/software/gitlab/software.cfg b/software/gitlab/software.cfg
index 4762140a6c6dbcc8ddbc7485f58caf183c7f6bb6..d2dea8ce9fbe66395f9528d57e98d7f614ba2771 100644
--- a/software/gitlab/software.cfg
+++ b/software/gitlab/software.cfg
@@ -143,7 +143,8 @@ git-executable = ${git:location}/bin/git
 repository = https://gitlab.com/gitlab-org/gitlab-foss.git
 # 11.11.8 + NXD patches:
 #revision = v11.11.8-7-g193b94c3e2
-revision = v13.0.3-0-ge2397fc
+revision = 5aa982e01ea9793c71f9f1a6ac0146f4ffe52879
+#branch = v13.1.0
 location = ${buildout:parts-directory}/gitlab
 
 [gitlab-shell-repository]
@@ -401,8 +402,8 @@ destination = ${buildout:directory}/${:_buildout_section_name_}
 
 [gitlab-demo-backup.git]
 recipe = hexagonit.recipe.download
-url = https://lab.nexedi.com/alain.takoudjou/labdemo.backup/repository/archive.tar.gz?ref=master
-md5sum = d40e5e211dc9a4e5ada9c0250377c639
+url = https://lab.nexedi.com/alain.takoudjou/labdemo.backup/-/archive/version-13/labdemo.backup-version-13.tar.bz2
+md5sum = 80fb5fd25c6368b1615af5191f176bca
 strip-top-level-dir = true
 
 [versions]
diff --git a/software/gitlab/template/gitlab.yml.in b/software/gitlab/template/gitlab.yml.in
index 0a5912c61c4353f97eabf9e8d5ad6731c2a38f5d..b659adf7021ee16c9d806e61ef671da01080de5a 100644
--- a/software/gitlab/template/gitlab.yml.in
+++ b/software/gitlab/template/gitlab.yml.in
@@ -18,6 +18,9 @@ production: &base
     host: {{ external_url.hostname }}
     port: {{ external_url.port or default_port[external_url.scheme] }}
     https: {{ cfg_https }}
+    # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout.
+    # Default is 95% of the worker timeout.
+    # max_request_duration_seconds: 57
 
     {# ssh is disabled completely in slapos version
     # Uncommment this line below if your ssh host is different from HTTP/HTTPS one
@@ -413,10 +416,11 @@ production: &base
   #}
 
   # Gitaly settings
+  # This setting controls whether GitLab uses Gitaly
+  # Eventually Gitaly use will become mandatory and
+  # this option will disappear.
   gitaly:
-    # Default Gitaly authentication token. Can be overriden per storage. Can
-    # be left blank when Gitaly is running locally on a Unix socket, which
-    # is the normal way to deploy Gitaly.
+    client_path: {{ gitaly.location }}
     token:
 
 
diff --git a/software/gitlab/template/unicorn.rb.in b/software/gitlab/template/unicorn.rb.in
index c1bb07409de1b18aa74ffb9f30757e0087dc3ddb..2d722706f49d49c285ca2b30af3ece26936e418b 100644
--- a/software/gitlab/template/unicorn.rb.in
+++ b/software/gitlab/template/unicorn.rb.in
@@ -31,12 +31,15 @@ preload_app true
 check_client_connection false
 
 require_relative '{{ gitlab_work.location }}/lib/gitlab/cluster/lifecycle_events'
+require_relative '{{ gitlab_work.location }}/lib/gitlab/log_timestamp_formatter.rb'
 
 before_exec do |server|
   # Signal application hooks that we're about to restart
   Gitlab::Cluster::LifecycleEvents.do_before_master_restart
 end
 
+run_once = true
+
 # How many worker processes
 worker_processes {{ cfg('unicorn_worker_processes') }}
 
@@ -86,7 +89,6 @@ after_fork do |server, worker|
 end
 
 
-
 # Where to drop a pidfile
 pid '{{ directory.run }}/unicorn.pid'
 
@@ -109,3 +111,7 @@ ENV['GITLAB_UNICORN_MEMORY_MIN'] = ({{ cfg('unicorn_worker_memory_limit_min') }}
 
 # Max memory size (RSS) per worker
 ENV['GITLAB_UNICORN_MEMORY_MAX'] = ({{ cfg('unicorn_worker_memory_limit_max') }}).to_s
+
+# Configure the default logger to use a custom formatter that formats the
+# timestamps to be in UTC and in ISO8601.3 format
+Configurator::DEFAULTS[:logger].formatter = Gitlab::LogTimestampFormatter.new