# see:
# (last updated for omnibus-gitlab 8.5.1+ce.0-1-ge732b39)

{% from '' import cfg, cfg_https, external_url  with context %}

# Jinja2 template rendered into GitLab's gitlab.yml. The `production` mapping
# is anchored as `base` and reused by the `<<: *base` merge keys at the end of
# the file.
# NOTE(review): lines starting with `#` are YAML comments only; Jinja still
# processes them, so template delimiters must not appear in comment text.
# NOTE(review): several template-comment openers below show no closing marker
# in this copy; verify each is closed right after the setting it disables,
# otherwise the live settings that follow are dropped from the rendered file.
production: &base
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
    ## Web server settings (note: host is the FQDN, do not include http://)
    # Fallback port per URL scheme, used when external_url has no explicit port.
    {% set default_port = {'http': 80, 'https': 443} %}
    # NOTE(review): host, port and https are rendered unquoted, so their YAML
    # type depends on what external_url and cfg_https (imported at the top of
    # this file) produce - confirm against the macro file.
    host: {{ external_url.hostname }}
    port: {{ external_url.port or default_port[external_url.scheme] }}
    https: {{ cfg_https }}

    {# ssh is disabled completely in slapos version
    # Uncomment this line below if your ssh host is different from HTTP/HTTPS one
    # (you'd obviously need to replace with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    # NOTE(review): the ERB placeholder below is not Jinja syntax; it would be
    # emitted literally if it ever left the template comment.
    ssh_host: <%= @gitlab_ssh_host %>

    # WARNING: See config/application.rb under "Relative url support" for the list of
    # other files that need to be changed for relative url support
    {# we do not support relative URL
    relative_url_root: <%= @gitlab_relative_url %>

    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    # NOTE(review): backend_info is not one of the names imported at the top of
    # this file; presumably the rendering context supplies it - confirm.
    user: {{ backend_info.user }}

    ## Date & Time settings
    # Quoted so the rendered value is always read as a string.
    time_zone: '{{ cfg("time_zone") }}'

    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    email_enabled:      {{ cfg('email_enabled') }}
    # NOTE(review): the three address/name values below are rendered unquoted.
    # If cfg() returns free text (presumably operator-supplied parameters), a
    # value containing ': ' or ' #', or starting with a YAML indicator, changes
    # how the line parses; quoting them the way time_zone is quoted avoids that.
    # Email address used in the "From" field in mails sent by GitLab
    email_from:         {{ cfg('email_from') }}
    email_display_name: {{ cfg('email_display_name') }}
    email_reply_to:     {{ cfg('email_reply_to') }}

    # Email server smtp settings are in [a separate file](initializers/smtp_settings.rb.sample).

    ## User settings
    default_can_create_group: {{ cfg('default_can_create_group') }}  # default: true
    username_changing_enabled: {{ cfg('username_changing_enabled') }} # default: true - User can change her username/namespace
    ## Default theme
    ##   1 - Graphite
    ##   2 - Charcoal
    ##   3 - Green
    ##   4 - Gray
    ##   5 - Violet
    ##   6 - Blue
    default_theme: {{ cfg('default_theme') }} # default: 2

    {# for now we are ok with default issue-closing pattern
    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified the default issue_closing_pattern as specified below will be used.
    # Tip: you can test your closing pattern at
    issue_closing_pattern: <%= single_quote(@gitlab_issue_closing_pattern) %>

    ## Default project features settings
      issues:           {{ cfg('default_projects_features.issues') }}
      merge_requests:   {{ cfg('default_projects_features.merge_requests') }}
      # NOTE(review): cfg() is called with an empty key here, unlike the sibling
      # lines that use 'default_projects_features.<name>' - confirm the intended key.
      wiki:             {{ cfg('') }}
      snippets:         {{ cfg('default_projects_features.snippets') }}
      # Hard-coded off; the ERB placeholder survives only inside the inline template comment.
      builds: false {# builds not supported yet <%= @gitlab_default_projects_features_builds %> #}

    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    # This also caps how long a slow or unresponsive hook endpoint can hold up the sender.
    webhook_timeout: {{ cfg('webhook_timeout') }}

    {# default is just ok
    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'tmp/repositories' relative to the root of the Rails app.
    repository_downloads_path: <%= @gitlab_repository_downloads_path %>

  {# we do not support reply by email
  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see
  # NOTE(review): every value in the disabled sections below is an ERB
  # placeholder; Jinja does not evaluate it, so these sections serve as
  # reference text only and need real values before they can be enabled.
    enabled: <%= @incoming_email_enabled %>

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The `%{key}` placeholder is added after the user part, after a `+` character, before the `@`.
    address: <%= single_quote(@incoming_email_address) %>

    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: <%= single_quote(@incoming_email_email) %>
    # Email account password
    # If this section is ever enabled, the mailbox password is written in clear
    # text into the rendered file; keep that file readable by the GitLab user only.
    password: <%= single_quote(@incoming_email_password) %>

    # IMAP server host
    host: <%= single_quote(@incoming_email_host) %>
    # IMAP server port
    port: <%= @incoming_email_port %>
    # NOTE(review): with both ssl and start_tls off, the IMAP login would
    # presumably travel unencrypted - enable one of them if this is ever used.
    # Whether the IMAP server uses SSL
    ssl: <%= @incoming_email_ssl %>
    # Whether the IMAP server uses StartTLS
    start_tls: <%= @incoming_email_start_tls %>

    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: <%= single_quote(@incoming_email_mailbox_name) %>

  {# we do not support build artifacts
  ## Build Artifacts
    enabled: <%= @artifacts_enabled %>
    # The location where Build Artifacts are stored (default: shared/artifacts).
    storage_path: <%= @artifacts_path %>

  {# we do not support LFS
  ## Git LFS
    enabled: <%= @lfs_enabled %>
    # The location where LFS objects are stored (default: shared/lfs-objects).
    storage_path: <%= @lfs_storage_path %>

  {# we do not support Pages
  ## GitLab Pages (EE only)
    enabled: <%= @pages_enabled %>
    path: <%= @pages_path %>
    host: <%= @pages_host %>
    port: <%= @pages_port %>
    https: <%= @pages_https %>
    external_http: <%= @pages_external_http %>
    external_https: <%= @pages_external_https %>

  {# we do not support Elasticsearch
  ## Elasticsearch (EE only)
  # Enable it if you are going to use elasticsearch instead of
  # regular database search
    enabled: <%= @elasticsearch_enabled %>
    host: <%= @elasticsearch_host %>
    port: <%= @elasticsearch_port %>

  ## Gravatar
  ## For Libravatar see:
    {# default is just ok
    # gravatar urls: possible placeholders: %{hash} %{size} %{email}
    # Left at GitLab's defaults; both values are ERB placeholders that Jinja does not evaluate.
    plain_url: <%= single_quote(@gravatar_plain_url) %>     # default:{hash}?s=%{size}&d=identicon
    ssl_url:   <%= single_quote(@gravatar_ssl_url) %>    # default:{hash}?s=%{size}&d=identicon

  {# XXX cron jobs are disabled for now - we do not support CI and EE features
  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
  # Please read here for more information:
  # NOTE(review): the key naming each worker is not visible above its `cron`
  # line in this copy; as written the repeated `cron` keys would collide, so
  # restore the per-worker keys before enabling this section.
    # Flag stuck CI builds as failed
      cron: <%= @stuck_ci_builds_worker_cron %>

    # GitLab EE only jobs:

    # Snapshot active users statistics
      cron: <%= @historical_data_worker_cron %>

    # Update mirrored repositories
      cron: <%= @update_all_mirrors_worker_cron %>

    # In addition to refreshing users when they log in,
    # periodically refresh LDAP users membership.
    # NOTE: This will only take effect if LDAP is enabled
      cron: <%= @ldap_sync_worker_cron %>

  # 2. GitLab CI settings
  # ==========================

  {# we do not support CI
  # Kept for reference only: the values below are ERB placeholders that Jinja
  # does not evaluate, so nothing in this section reaches the rendered file
  # while the template comment stays in place.
    # Default project notifications settings:
    # Send emails only on broken builds (default: true)
    all_broken_builds: <%= @gitlab_ci_all_broken_builds %>
    # Add pusher to recipients list (default: false)
    # The expression falls back to the add_committer variable when add_pusher is unset.
    add_pusher: <%= @gitlab_ci_add_pusher || @gitlab_ci_add_committer %>

    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    builds_path: <%= @builds_directory %>

  # 3. Auth settings
  # ==========================

  ## LDAP settings
  # You can inspect a sample of the LDAP users with login access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
    # LDAP login is switched off unconditionally; the rest of this section is reference only.
    enabled: false
    {# just disabled
    # NOTE(review): a second `enabled` key follows. It must stay inside the
    # template comment, because most YAML parsers let the last duplicate win
    # and would silently override the hard-coded `false` above.
    enabled: <%= @ldap_enabled %>
  <% if @ldap_servers.any? %>
    <% @ldap_servers.each do |provider_id, settings| %>
      <%= provider_id %>: <%= settings.to_json %>
    <% end %>
  <% else %>
    host: <%= single_quote(@ldap_host) %>
    port: <%= @ldap_port %>
    uid: <%= single_quote(@ldap_uid) %>
    # 'plain' means no transport encryption: the bind password and user
    # credentials would cross the network in clear text. Prefer "tls" or "ssl"
    # if LDAP is ever enabled.
    method: <%= single_quote(@ldap_method) %> # "tls" or "ssl" or "plain"
    bind_dn: <%= single_quote(@ldap_bind_dn) %>
    # Bind account password; it would be stored in clear text in the rendered file.
    password: <%= single_quote(@ldap_password) %>
    active_directory: <%= @ldap_active_directory %>
    allow_username_or_email_login: <%= @ldap_allow_username_or_email_login %>
    base: <%= single_quote(@ldap_base) %>
    user_filter: <%= single_quote(@ldap_user_filter) %>

    ## EE only
    group_base: <%= single_quote(@ldap_group_base) %>
    admin_group: <%= single_quote(@ldap_admin_group) %>
    sync_ssh_keys: <%= single_quote(@ldap_sync_ssh_keys) %>
    sync_time: <%= @ldap_sync_time %>
  <% end %>

  ## Kerberos settings
    # Kerberos login is switched off unconditionally; the rest of this section is reference only.
    enabled: false
    {# just disabled
    # Allow the HTTP Negotiate authentication method for Git clients
    enabled: <%= @kerberos_enabled %>

    # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
    # and should be different from other keytabs in the system.
    # (default: use default keytab from Krb5 config)
    # The keytab holds the service's long-term key, so it should not be readable
    # by any other account.
    keytab: <%= @kerberos_keytab %>

    # The Kerberos service name to be used by GitLab.
    # (default: accept any service name in keytab file)
    service_principal_name: <%= @kerberos_service_principal_name %>

    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
    # To support both Basic and Negotiate methods with older versions of Git, configure
    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
    # to dedicate this port to Kerberos authentication. (default: false)
    use_dedicated_port: <%= @kerberos_use_dedicated_port %>
    port: <%= @kerberos_port %>
    https: <%= @kerberos_https %>

  ## OmniAuth settings
    # OmniAuth login is switched off unconditionally; the rest of this section is reference only.
    enabled: false
    {# just disabled
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: <%= @omniauth_enabled %>

    # Uncomment this to automatically sign in with a specific omniauth provider's without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    auto_sign_in_with_provider: <%= @omniauth_auto_sign_in_with_provider %>

    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed
    # providers using an array, e.g. ["saml", "twitter"]
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: <%= @omniauth_allow_single_sign_on.to_json %>

    # Locks down those users until they have been cleared by the admin (default: true).
    # Keeping this true is what stops accounts created through single sign-on
    # from being usable before an admin has reviewed them.
    block_auto_created_users: <%= @omniauth_block_auto_created_users %>
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    # NOTE(review): auto-linking trusts the identifier asserted by the external
    # provider; leave both auto_link options false unless that provider is
    # trusted to verify it.
    auto_link_ldap_user: <%= @omniauth_auto_link_ldap_user %>

    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: <%= @omniauth_auto_link_saml_user.to_json %>

    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at
    # Provider entries carry app_secret in clear text, so the rendered file has
    # to be treated as a secret once any provider is configured.
      # - { name: 'google_oauth2', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'twitter', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET'}
      # - { name: 'github', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET',
      #     args: { scope: 'user:email' } }
<% @omniauth_providers.each do |provider| %>
      - <%= provider.to_json %>
<% end %>

  {# default ($RAILS_ROOT/shared/) is ok - we symlinked it to proper place
  # Shared file storage settings
    path: <%= @shared_path %>

  # 4. Advanced settings
  # ==========================

  # GitLab Satellites
  # Important: keep the satellites.path setting until GitLab 9.0 at
  # least. This setting is fed to 'rm -rf' in
  # db/migrate/20151023144219_remove_satellites.rb
    # Relative paths are relative to Rails.root (default: tmp/repo_satellites/)
    # NOTE(review): /dev/null is presumably chosen so that the migration's
    # 'rm -rf' has no real data to remove. Run that migration as the
    # unprivileged GitLab user; with root privileges the same command would
    # delete the device node itself.
    path: /dev/null
    timeout: 0

  ## Backup settings
    # Quoted, so the rendered path is always read as a string.
    path: "{{ gitlab.backup }}"   # Relative paths are relative to Rails.root (default: tmp/backups/)
    {# default permission is ok
    # The default 0600 keeps the archive readable and writable by its owner only.
    archive_permissions: <%= @backup_archive_permissions %> # Permissions for the resulting backup.tar file (default: 0600)
    keep_time: {{ cfg('backup_keep_time') }}   # default: 0 (forever) (in seconds)
    {# default to backup all schemas is just ok
    pg_schema: <%= @backup_pg_schema %>   # default: nil, it means that all schemas will be backed up
      {# we don't want to upload backup anywhere by gitlab builtin mechanisms
      # Fog storage connection settings, see .
      # NOTE(review): if remote upload is ever enabled, the connection settings
      # presumably include storage credentials, and backups leave the host -
      # set `encryption` accordingly.
      connection: <%= @backup_upload_connection.to_json if @backup_upload_connection %>
      # The remote 'directory' to store your backups. For S3, this would be the bucket name.
      remote_directory: <%= single_quote(@backup_upload_remote_directory) %>
      multipart_chunk_size: <%= @backup_multipart_chunk_size %>
      encryption: <%= @backup_encryption %>

  ## GitLab Shell settings
    # NOTE(review): the paths in this section are rendered unquoted; a path
    # containing ' #' or ': ' would be mis-parsed, so quoting them as the
    # backup path is quoted would be safer.
    path: {{ gitlab_shell_work.location }}

    repos_path: {{ gitlab.repositories }}
    hooks_path: {{ gitlab_shell_work.location }}/hooks/
    # File holding the secret shared between gitlab-shell and GitLab; keep it
    # readable by the GitLab user only.
    secret_file: {{ gitlab_shell.secret }}

    # Git over HTTP
    # Both fetch (upload_pack) and push (receive_pack) are allowed over HTTP.
    # NOTE(review): with Git over SSH disabled (see below), this is the only Git
    # transport, so credentials travel with the HTTP request - serve it over HTTPS.
    upload_pack: true
    receive_pack: true

    {# Git over SSH is disabled elsewhere (so we don't care about ssh_port)
    # If you use non-standard ssh port you need to specify it
    ssh_port: <%= @gitlab_shell_ssh_port %>

    # git-annex support (EE only)
    # If this setting is set to true, the same setting in config.yml of
    # gitlab-shell needs to be set to true
    git_annex_enabled: <%= @git_annex_enabled %>

  ## Git settings
  # Use the default values unless you really know what you are doing
    # Path of the git executable GitLab invokes, taken from the rendering context.
    bin_path: {{ git }}
    # The next value is the maximum memory size grit can use
    # Given in number of bytes per git object (e.g. a commit)
    # This value can be increased if you have very large commits
    max_size: {{ cfg('git_max_size') }}
    # Git timeout to read a commit, in seconds
    timeout: {{ cfg('git_timeout') }}

  # 5. Extra customization
  # ==========================

    {# we do not use google analytics
    <% if @extra_google_analytics_id %>
    ## Google analytics. Uncomment if you want it
    google_analytics_id: <%= single_quote(@extra_google_analytics_id) %>
    <% end %>

    {# we do not use piwik
    <% if @extra_piwik_url %>
    ## Piwik analytics.
    piwik_url: <%= single_quote(@extra_piwik_url) %>
    piwik_site_id: <%= single_quote(@extra_piwik_site_id) %>
    <% end %>

    {# we are ok (for now) with default rack-attack git settings
    # Nothing is rendered for this key, so GitLab's built-in handling of
    # repeated failed Git basic-auth attempts stays at its defaults.
      git_basic_auth: <%= @rack_attack_git_basic_auth.to_json if @rack_attack_git_basic_auth %>

    ## Site ICP License
    # XXX unquote needed only for slapos.core earlier than
    # for now we have a lot of old slapos.core deployed...
    # NOTE(review): the ICP value below is URL-decoded and then rendered
    # unquoted. After decoding it can contain any character, including
    # newlines, ': ' and ' #', so a crafted icp_license parameter could add or
    # override keys in the rendered file. The quoted variant kept in the
    # template comment is only safe if single quotes inside the value are
    # doubled; emitting the value through a YAML/JSON-escaping step would be
    # the robust fix.
    # The .decode('utf-8') call on a str result implies a Python 2 rendering environment.
    {% if cfg('icp_license') != '' -%}
    ICP: {{ urllib.unquote_plus( str(cfg('icp_license')) ).decode('utf-8') }}
    {# ICP: '{{ cfg("icp_license") }}' #}
    {% endif %}

  # NOTE(review): the environment keys that should own the three `<<: *base`
  # merges below are not visible in this copy; confirm each merge sits under
  # its own top-level environment mapping. The merge key is shallow: a nested
  # mapping redefined in an environment replaces the inherited one rather
  # than being combined with it.
  <<: *base

  # The overrides after this merge point at tmp/tests/ paths and sample
  # services, so they are meant for a local test run, not for deployment.
  <<: *base
    enabled: true
    host: localhost
    port: 80

    # When you run tests we clone and setup gitlab-shell
    # In order to setup it correctly you need to specify
    # your system username you use to run GitLab
    # user: YOUR_USERNAME
    # NOTE(review): two `path` keys at the same level. Going by their values
    # they presumably belonged to different parent mappings (satellites and
    # gitlab-shell); as written most parsers keep only the last one.
    path: tmp/tests/gitlab-satellites/
    path: tmp/tests/gitlab-shell/
    repos_path: tmp/tests/repositories/
    hooks_path: tmp/tests/gitlab-shell/hooks/
      title: "Redmine"
      project_url: "http://redmine/projects/:issues_tracker_id"
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
    enabled: false
        # Sample LDAP server definition: method 'plain' means no transport
        # encryption, which is acceptable only for a local test directory.
        label: ldap
        port: 3890
        uid: 'uid'
        method: 'plain' # "tls" or "ssl" or "plain"
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''
        sync_ssh_keys: false

  <<: *base