gitlab/rack_attack.rb: Convert/integrate to slapos

Just another 2 simple parameters (attack detection tunables) conversion
to jinja2/slapos.

/cc @kazuhiko, @jerome

software/gitlab/gitlab-parameters.cfg

@@ -13,6 +13,10 @@
 # db advanced
 configuration.db_pool                   = 10
 
+# rack-attack
+configuration.rate_limit_requests_per_period    = 10
+configuration.rate_limit_period                 = 60
+
 
 # unicorn advanced
 configuration.unicorn_worker_memory_limit_min   = 200*(1024**2)

software/gitlab/template/rack_attack.rb.in

@@ -4,6 +4,8 @@
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
 # (last updated for omnibus-gitlab 8.2.3+ce.0-0-g8eda093)
 
+{% from 'macrolib.cfg.in' import cfg  with context %}
+
 # 1. Rename this file to rack_attack.rb
 # 2. Review the paths_to_be_protected and add any other path you need protecting
 #
@@ -24,7 +26,7 @@ paths_to_be_protected = [
 paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
 
 unless Rails.env.test?
-  Rack::Attack.throttle('protected paths', limit: <%= @rate_limit_requests_per_period %>, period: <%= @rate_limit_period %>.seconds) do |req|
+  Rack::Attack.throttle('protected paths', limit: {{ cfg('rate_limit_requests_per_period') }}, period: {{ cfg('rate_limit_period') }}.seconds) do |req|
     if req.post? && req.path =~ paths_regex
       req.ip
     end