gitlab.yml.in 20.1 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538
{{ autogenerated }}
# see:
# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
# (last updated for omnibus-gitlab 8.8.9+ce.0-g25376053)

{% from 'macrolib.cfg.in' import cfg, cfg_https, external_url  with context %}

production: &base
  #
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    {% set default_port = {'http': 80, 'https': 443} %}
    host: {{ external_url.hostname }}
    port: {{ external_url.port or default_port[external_url.scheme] }}
    https: {{ cfg_https }}

    {# ssh is disabled completely in slapos version
    # Uncommment this line below if your ssh host is different from HTTP/HTTPS one
    # (you'd obviously need to replace ssh.host_example.com with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    ssh_host: <%= @gitlab_ssh_host %>
    #}

    # WARNING: See config/application.rb under "Relative url support" for the list of
    # other files that need to be changed for relative url support
    {# we do not support relative URL
    relative_url_root: <%= @gitlab_relative_url %>
    #}

    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    trusted_proxies:
    {% for proxy in cfg("nginx_real_ip_trusted_addresses").split() %}
      - {{ proxy }}
    {% endfor %}

    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    user: {{ backend_info.user }}

    ## Date & Time settings
    time_zone: '{{ cfg("time_zone") }}'

    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    email_enabled:      {{ cfg('email_enabled') }}
    # Email address used in the "From" field in mails sent by GitLab
    email_from:         {{ cfg('email_from') }}
    email_display_name: {{ cfg('email_display_name') }}
    email_reply_to:     {{ cfg('email_reply_to') }}
    email_subject_suffix: ''

    # Email server smtp settings are in [a separate file](initializers/smtp_settings.rb.sample).

    ## User settings
    default_can_create_group: {{ cfg('default_can_create_group') }}  # default: true
    username_changing_enabled: {{ cfg('username_changing_enabled') }} # default: true - User can change her username/namespace
    ## Default theme
    ##   1 - Graphite
    ##   2 - Charcoal
    ##   3 - Green
    ##   4 - Gray
    ##   5 - Violet
    ##   6 - Blue
    default_theme: {{ cfg('default_theme') }} # default: 2

    {# for now we are ok with default issue-closing pattern
    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified the default issue_closing_pattern as specified below will be used.
    # Tip: you can test your closing pattern at http://rubular.com
    issue_closing_pattern: <%= single_quote(@gitlab_issue_closing_pattern) %>
    #}

    ## Default project features settings
    default_projects_features:
      issues:           {{ cfg('default_projects_features.issues') }}
      merge_requests:   {{ cfg('default_projects_features.merge_requests') }}
      wiki:             {{ cfg('default_projects_features.wiki') }}
      snippets:         {{ cfg('default_projects_features.snippets') }}
      builds: false {# builds not supported yet <%= @gitlab_default_projects_features_builds %> #}
      {# container_registry: <%= @gitlab_default_projects_features_container_registry %> #}

    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    webhook_timeout: {{ cfg('webhook_timeout') }}

    {# default is just ok
    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
    # repository_downloads_path: shared/cache/archive/
    repository_downloads_path: <%= @gitlab_repository_downloads_path %>
    #}

  {# we do not support reply by email
  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  incoming_email:
    enabled: <%= @incoming_email_enabled %>

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    address: <%= single_quote(@incoming_email_address) %>

    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: <%= single_quote(@incoming_email_email) %>
    # Email account password
    password: <%= single_quote(@incoming_email_password) %>

    # IMAP server host
    host: <%= single_quote(@incoming_email_host) %>
    # IMAP server port
    port: <%= @incoming_email_port %>
    # Whether the IMAP server uses SSL
    ssl: <%= @incoming_email_ssl %>
    # Whether the IMAP server uses StartTLS
    start_tls: <%= @incoming_email_start_tls %>

    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: <%= single_quote(@incoming_email_mailbox_name) %>
    # The IDLE command timeout.
    idle_timeout: 60
  #}

  {# we do not support build artifacts
  ## Build Artifacts
  artifacts:
    enabled: <%= @artifacts_enabled %>
    # The location where Build Artifacts are stored (default: shared/artifacts).
    path: <%= @artifacts_path %>
  #}

  {# we do not support LFS
  ## Git LFS
  lfs:
    enabled: <%= @lfs_enabled %>
    # The location where LFS objects are stored (default: shared/lfs-objects).
    storage_path: <%= @lfs_storage_path %>
  #}

  {# we do not support container registry
  ## Container Registry
  registry:
    enabled: <%= @registry_enabled %>
    host: <%= @registry_host %>
    port: <%= @registry_port %>
    api_url: <%= @registry_api_url %> # internal address to the registry, will be used by GitLab to directly communicate with API
    path: <%= @registry_path %>
    key: <%= @registry_key_path %>
    issuer: <%= @registry_issuer %>
  #}

  {# we do not support Pages
  ## GitLab Pages (EE only)
  pages:
    enabled: <%= @pages_enabled %>
    path: <%= @pages_path %>
    host: <%= @pages_host %>
    port: <%= @pages_port %>
    https: <%= @pages_https %>
    external_http: <%= @pages_external_http %>
    external_https: <%= @pages_external_https %>
  #}

  {# we do not support Elasticsearch
  ## Elasticsearch (EE only)
  # Enable it if you are going to use elasticsearch instead of
  # regular database search
  elasticsearch:
    enabled: <%= @elasticsearch_enabled %>
    host: <%= @elasticsearch_host %>
    port: <%= @elasticsearch_port %>
  #}

  ## Gravatar
  ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
  gravatar:
    {# default is just ok
    # gravatar urls: possible placeholders: %{hash} %{size} %{email}
    plain_url: <%= single_quote(@gravatar_plain_url) %>     # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    ssl_url:   <%= single_quote(@gravatar_ssl_url) %>    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    #}


  {# XXX cron jobs are disabled for now - we do not support CI and EE features or we are ok with defaults
  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
    # Flag stuck CI builds as failed
    stuck_ci_builds_worker:
      cron: <%= @stuck_ci_builds_worker_cron %>

    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron: <%= @repository_archive_cache_worker_cron %>

    ##
    # GitLab EE only jobs:

    # Snapshot active users statistics
    historical_data_worker:
      cron: <%= @historical_data_worker_cron %>

    # Update mirrored repositories
    update_all_mirrors_worker:
      cron: <%= @update_all_mirrors_worker_cron %>

    # Update remote mirrors
    update_all_remote_mirrors_worker:
      cron: <%= @update_all_remote_mirrors_worker_cron %>

    # In addition to refreshing users when they log in,
    # periodically refresh LDAP users membership.
    # NOTE: This will only take effect if LDAP is enabled
    ldap_sync_worker:
      cron: <%= @ldap_sync_worker_cron %>

    # Gitlab Geo nodes notification worker
    # NOTE: This will only take effect if Geo is enabled
    geo_bulk_notify_worker:
      cron: <%= @geo_bulk_notify_worker_cron %>
  #}

  #
  # 2. GitLab CI settings
  # ==========================

  {# we do not support CI
  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    all_broken_builds: <%= @gitlab_ci_all_broken_builds %>
    #
    # Add pusher to recipients list (default: false)
    add_pusher: <%= @gitlab_ci_add_pusher || @gitlab_ci_add_committer %>

    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    builds_path: <%= @builds_directory %>
  #}

  #
  # 3. Auth settings
  # ==========================

  ## LDAP settings
  # You can inspect a sample of the LDAP users with login access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: false
    {# just disabled
    enabled: <%= @ldap_enabled %>
    sync_time: <%= @ldap_sync_time %>
  <% if @ldap_servers.any? %>
    servers:
    <% @ldap_servers.each do |provider_id, settings| %>
      <%= provider_id %>: <%= settings.to_json %>
    <% end %>
  <% else %>
    host: <%= single_quote(@ldap_host) %>
    port: <%= @ldap_port %>
    uid: <%= single_quote(@ldap_uid) %>
    method: <%= single_quote(@ldap_method) %> # "tls" or "ssl" or "plain"
    bind_dn: <%= single_quote(@ldap_bind_dn) %>
    password: <%= single_quote(@ldap_password) %>
    active_directory: <%= @ldap_active_directory %>
    allow_username_or_email_login: <%= @ldap_allow_username_or_email_login %>
    base: <%= single_quote(@ldap_base) %>
    user_filter: <%= single_quote(@ldap_user_filter) %>

    ## EE only
    group_base: <%= single_quote(@ldap_group_base) %>
    admin_group: <%= single_quote(@ldap_admin_group) %>
    sync_ssh_keys: <%= single_quote(@ldap_sync_ssh_keys) %>
    sync_time: <%= @ldap_sync_time %>
  <% end %>
  #}

  ## Kerberos settings
  kerberos:
    enabled: false
    {# just disabled
    # Allow the HTTP Negotiate authentication method for Git clients
    enabled: <%= @kerberos_enabled %>

    # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
    # and should be different from other keytabs in the system.
    # (default: use default keytab from Krb5 config)
    keytab: <%= @kerberos_keytab %>

    # The Kerberos service name to be used by GitLab.
    # (default: accept any service name in keytab file)
    service_principal_name: <%= @kerberos_service_principal_name %>

    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
    # To support both Basic and Negotiate methods with older versions of Git, configure
    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
    # to dedicate this port to Kerberos authentication. (default: false)
    use_dedicated_port: <%= @kerberos_use_dedicated_port %>
    port: <%= @kerberos_port %>
    https: <%= @kerberos_https %>
    #}


  ## OmniAuth settings
  omniauth:
    enabled: false
    {# just disabled
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: <%= @omniauth_enabled %>

    # Uncomment this to automatically sign in with a specific omniauth provider's without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    auto_sign_in_with_provider: <%= @omniauth_auto_sign_in_with_provider %>

    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed
    # providers using an array, e.g. ["saml", "twitter"]
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: <%= @omniauth_allow_single_sign_on.to_json %>

    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: <%= @omniauth_block_auto_created_users %>
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: <%= @omniauth_auto_link_ldap_user %>

    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: <%= @omniauth_auto_link_saml_user.to_json %>

    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: <%= @omniauth_external_providers.to_json %>

    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    providers:
      # - { name: 'google_oauth2', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'twitter', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET'}
      # - { name: 'github', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET',
      #     args: { scope: 'user:email' } }
<% @omniauth_providers.each do |provider| %>
      - <%= provider.to_json %>
<% end %>
    #}

  {# default ($RAILS_ROOT/shared/) is ok - we symlinked it to proper place
  # Shared file storage settings
  shared:
    path: <%= @shared_path %>
  #}

  #
  # 4. Advanced settings
  # ==========================

  # GitLab Satellites
  # Important: keep the satellites.path setting until GitLab 9.0 at
  # least. This setting is fed to 'rm -rf' in
  # db/migrate/20151023144219_remove_satellites.rb
  satellites:
    # Relative paths are relative to Rails.root (default: tmp/repo_satellites/)
    path: /dev/null
    timeout: 0

  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # IMPORTANT: None of the path components may be symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path and that results
    # real path not the symlink.
    storages: # You must have at least a `default` storage path.
      default: {{ gitlab.repositories }}

  ## Backup settings
  backup:
    path: "{{ gitlab.backup }}"   # Relative paths are relative to Rails.root (default: tmp/backups/)
    {# default permission is ok
    archive_permissions: <%= @backup_archive_permissions %> # Permissions for the resulting backup.tar file (default: 0600)
    #}
    keep_time: {{ cfg('backup_keep_time') }}   # default: 0 (forever) (in seconds)
    {# default to backup all schemas is just ok
    pg_schema: <%= @backup_pg_schema %>   # default: nil, it means that all schemas will be backed up
    #}
    upload:
      {# we don't want to upload backup anywhere by gitlab builtin mechanisms
      # Fog storage connection settings, see http://fog.io/storage/ .
      connection: <%= @backup_upload_connection.to_json if @backup_upload_connection %>
      # The remote 'directory' to store your backups. For S3, this would be the bucket name.
      remote_directory: <%= single_quote(@backup_upload_remote_directory) %>
      multipart_chunk_size: <%= @backup_multipart_chunk_size %>
      encryption: <%= @backup_encryption %>
      #}

  ## GitLab Shell settings
  gitlab_shell:
    path: {{ gitlab_shell_work.location }}

    # REPOS_PATH MUST NOT BE A SYMLINK!!!
    repos_path: {{ gitlab.repositories }}
    hooks_path: {{ gitlab_shell_work.location }}/hooks/
    secret_file: {{ gitlab_shell.secret }}

    # Git over HTTP
    upload_pack: true
    receive_pack: true

    {# Git over SSH is disabled elsewhere (so we don't care about ssh_port)
    # If you use non-standard ssh port you need to specify it
    ssh_port: <%= @gitlab_shell_ssh_port %>
    #}

    # git-annex support (EE only)
    # If this setting is set to true, the same setting in config.yml of
    # gitlab-shell needs to be set to true
    git_annex_enabled: <%= @git_annex_enabled %>

  ## Git settings
  # CAUTION!
  # Use the default values unless you really know what you are doing
  git:
    bin_path: {{ git }}
    # The next value is the maximum memory size grit can use
    # Given in number of bytes per git object (e.g. a commit)
    # This value can be increased if you have very large commits
    max_size: {{ cfg('git_max_size') }}
    # Git timeout to read a commit, in seconds
    timeout: {{ cfg('git_timeout') }}


  #
  # 5. Extra customization
  # ==========================

  extra:
    {# we do not use google analytics
    <% if @extra_google_analytics_id %>
    ## Google analytics. Uncomment if you want it
    google_analytics_id: <%= single_quote(@extra_google_analytics_id) %>
    <% end %>
    #}

    {# we do not use piwik
    <% if @extra_piwik_url %>
    ## Piwik analytics.
    piwik_url: <%= single_quote(@extra_piwik_url) %>
    piwik_site_id: <%= single_quote(@extra_piwik_site_id) %>
    <% end %>
    #}

    {# we are ok (for now) with default rack-attack git settings
    rack_attack:
      git_basic_auth: <%= @rack_attack_git_basic_auth.to_json if @rack_attack_git_basic_auth %>
    #}


    ## Site ICP License
    # XXX unquote needed only for slapos.core earlier than
    #   https://lab.nexedi.com/nexedi/slapos.core/commit/347d33d6
    # for now we have a lot of old slapos.core deployed...
    {% if cfg('icp_license') != '' -%}
    ICP: {{ urllib.unquote_plus( str(cfg('icp_license')) ).decode('utf-8') }}
    {# ICP: '{{ cfg("icp_license") }}' #}
    {% endif %}


development:
  <<: *base

test:
  <<: *base
  gravatar:
    enabled: true
  gitlab:
    host: localhost
    port: 80

    # When you run tests we clone and setup gitlab-shell
    # In order to setup it correctly you need to specify
    # your system username you use to run GitLab
    # user: YOUR_USERNAME
  satellites:
    path: tmp/tests/gitlab-satellites/
  repositories:
    storages:
      default: tmp/tests/repositories/
  gitlab_shell:
    path: tmp/tests/gitlab-shell/
    repos_path: tmp/tests/repositories/
    hooks_path: tmp/tests/gitlab-shell/hooks/
  issues_tracker:
    redmine:
      title: "Redmine"
      project_url: "http://redmine/projects/:issues_tracker_id"
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
  ldap:
    enabled: false
    servers:
      main:
        label: ldap
        host: 127.0.0.1
        port: 3890
        uid: 'uid'
        method: 'plain' # "tls" or "ssl" or "plain"
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''
        sync_ssh_keys: false

staging:
  <<: *base