gitlab: Merge in upstream config updates

This does almost(*) only pure merge. We will slaposify / adjust config
and corresponding md5sum in the following patches.

(*) smtp ssl option is only added as comment.

software/gitlab/template/config.ru.in

-{{ autogenerated }}
-# see:
-# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config.ru
-# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab-rails-config.ru.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
-
-# This file is used by Rack-based servers to start the application.
-
-{% from 'macrolib.cfg.in' import cfg  with context %}
-
-if defined?(Unicorn)
-  require 'unicorn'
-
-  if ENV['RAILS_ENV'] == 'production' || ENV['RAILS_ENV'] == 'staging'
-    # Unicorn self-process killer
-    require 'unicorn/worker_killer'
-
-    # Max memory size (RSS) per worker
-    use Unicorn::WorkerKiller::Oom, ({{ cfg('unicorn_worker_memory_limit_min') }}), ({{ cfg('unicorn_worker_memory_limit_max') }})
-  end
-end
-
-require ::File.expand_path('../config/environment',  __FILE__)
-
-map ENV['RAILS_RELATIVE_URL_ROOT'] || "/" do
-  run Gitlab::Application
-end

software/gitlab/template/database.yml.in

@@ -23,5 +23,6 @@ production:
   socket:
   {# not needed for unix socket
   sslmode: <%= single_quote(@db_sslmode) %>
-  sslrootcert: <%= single_quote(@db_sslrootcert) %>
+  sslrootcert: <%= single_quote(@db_sslrootcert) || single_quote(@db_sslca) %>
+  sslca: <%= single_quote(@db_sslca) || single_quote(@db_sslrootcert) %>
   #}

software/gitlab/template/gitconfig.in

@@ -22,3 +22,5 @@
         email = {{ cfg('email_from') }}
 [core]
         autocrlf = input
+[gc]
+        auto = 0

software/gitlab/template/gitlab.yml.in

@@ -32,6 +32,14 @@ production: &base
     relative_url_root: <%= @gitlab_relative_url %>
     #}
 
+    # Trusted Proxies
+    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
+    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
+    trusted_proxies:
+<% @trusted_proxies.each do |proxy| %>
+      - <%= proxy %>
+<% end %>
+
     # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
     user: {{ backend_info.user }}
 
@@ -96,7 +104,7 @@ production: &base
     enabled: <%= @incoming_email_enabled %>
 
     # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
-    # The `%{key}` placeholder is added after the user part, after a `+` character, before the `@`.
+    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
     address: <%= single_quote(@incoming_email_address) %>
 
     # Email account username
@@ -176,6 +184,10 @@ production: &base
     stuck_ci_builds_worker:
       cron: <%= @stuck_ci_builds_worker_cron %>
 
+    # Remove outdated repository archives
+    repository_archive_cache_worker:
+      cron: <%= @repository_archive_cache_worker_cron %>
+
     ##
     # GitLab EE only jobs:
 
@@ -187,11 +199,20 @@ production: &base
     update_all_mirrors_worker:
       cron: <%= @update_all_mirrors_worker_cron %>
 
+    # Update remote mirrors
+    update_all_remote_mirrors_worker:
+      cron: <%= @update_all_remote_mirrors_worker_cron %>
+
     # In addition to refreshing users when they log in,
     # periodically refresh LDAP users membership.
     # NOTE: This will only take effect if LDAP is enabled
     ldap_sync_worker:
       cron: <%= @ldap_sync_worker_cron %>
+
+    # Gitlab Geo nodes notification worker
+    # NOTE: This will only take effect if Geo is enabled
+    geo_bulk_notify_worker:
+      cron: <%= @geo_bulk_notify_worker_cron %>
   #}
 
   #
@@ -303,6 +324,12 @@ production: &base
     # (default: false)
     auto_link_saml_user: <%= @omniauth_auto_link_saml_user.to_json %>
 
+    # Set different Omniauth providers as external so that all users creating accounts
+    # via these providers will not be able to have access to internal projects. You
+    # will need to use the full name of the provider, like `google_oauth2` for Google.
+    # Refer to the examples below for the full names of the supported providers.
+    # (default: [])
+    external_providers: <%= @omniauth_external_providers.to_json %>
 
     ## Auth providers
     # Uncomment the following lines and fill in the data of the auth provider you want to use

software/gitlab/template/nginx-gitlab-http.conf.in

@@ -99,6 +99,18 @@ server {
   #}
   {% endif %}
 
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  <% if @real_ip_header %>
+  real_ip_header <%= @real_ip_header %>;
+  <% end %>
+  <% if @real_ip_recursive %>
+  real_ip_recursive <%= @real_ip_recursive %>;
+  <% end %>
+  <% @real_ip_trusted_addresses.each do |trusted_address| %>
+  set_real_ip_from <%= trusted_address %>;
+  <% end %>
+
   ## Individual nginx logs for this GitLab vhost
   access_log  {{ nginx.log }}/gitlab_access.log gitlab_access;
   error_log   {{ nginx.log }}/gitlab_error.log;

software/gitlab/template/smtp_settings.rb.in

@@ -18,6 +18,7 @@ if Rails.env.production?
     domain:                 "{{ cfg('smtp_domain') }}",
     authentication:         :{{ cfg('smtp_authentication') }},
     enable_starttls_auto:   {{ cfg('smtp_enable_starttls_auto') }},
+    # ssl:
     openssl_verify_mode:    '{{ cfg("smtp_openssl_verify_mode") }}'
     # ca_path:
     # ca_file:

software/gitlab/template/unicorn.rb.in

@@ -79,3 +79,14 @@ ENV['RAILS_RELATIVE_URL_ROOT'] = "<%= @relative_url %>"
 
 <%- end %>
 #}
+
+<%- if @worker_memory_limit_min %>
+# Min memory size (RSS) per worker
+ENV['GITLAB_UNICORN_MEMORY_MIN'] = (<%= @worker_memory_limit_min %>).to_s
+
+<%- end %>
+<%- if @worker_memory_limit_max %>
+# Max memory size (RSS) per worker
+ENV['GITLAB_UNICORN_MEMORY_MAX'] = (<%= @worker_memory_limit_max %>).to_s
+
+<%- end %>