diff --git a/group_vars/all b/group_vars/all index 17f388f860d59db39c3db89845d50b099cd01709..c18974a26736db64a95ca09a7fe0c83fc029a8e5 100644 --- a/group_vars/all +++ b/group_vars/all @@ -5,21 +5,4 @@ ansible_python_interpreter: /usr/bin/python3 # Globale Variablen für alle Server # Letsencrypt notification mail -letsencrypt_mail: verwaltung@warpzone.ms - - - -# Zentrale InfluxDb für Systemmonitoring -influxdb_sysmon: - url: "http://192.168.0.201:18086" - db: "influx" - user: "influx" - password: "influx" - -# Zentrale InfluxDb für Snmp Daten -influxdb_snmp: - url: "http://192.168.0.201:28086" - db: "influx" - user: "influx" - password: "influx" - +letsencrypt_mail: verwaltung@warpzone.ms \ No newline at end of file diff --git a/group_vars/test b/group_vars/test index a8e9915c10004e98755d5fb3130f8d8d56d8101d..619f3b5801e25aa106e82c6f9435c066cd50ae92 100644 --- a/group_vars/test +++ b/group_vars/test @@ -1,9 +1,42 @@ -# Globale Variablen für alle produktiven Server - - # SMTP Settings -smtp_domain: enteentelos.com -smtp_host: mailserver.enteentelos.com +smtp_domain: test-warpzone.de +smtp_host: mailserver.test-warpzone.de smtp_port: 587 -noreply_email_user: noreply@enteentelos.com +noreply_email_user: noreply@test-warpzone.de + +# Globale Domains +global_domains: + warpzonems: + domain: test-warpzone.de + +# Globale Mail konfiguration +mail_domains: + warpzonems: + maildomain: "test-warpzone.de" + mxserver: "mailserver.test-warpzone.de" + mxhostname: "webserver" + spf: "v=spf1 mx a:mailserver.test-warpzone.de ip4:{{ hostvars['webserver'].ext_ip4 }} ip6:{{ hostvars['webserver'].ext_ip6 }} -all" + dmarc: "v=DMARC1; p=none;" + dkim: + - { selector: "dkim", value: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxNnNZElbWq9EonFULbr8vWWykKmZEylRwjo4lYx/lXsGDFWBuNh2s6gFF10OuHWtavokjvh/7sFidNaRYQkn3uwHmylBWFn7Jr2lPWY8PBEoIeAZZx5qHaDWxJVgzE7maFyXAswDGXcR/DRTn2xR6osNXOovjGeYXq/atR/45iwfgkhqAaXaV1uP/K9y\" \"y2sZ2dRtGEwCKsWbP26cOZ6MUcADszgUTEp59iKey79m0uwi0IpA8WjEKVwbMcf/6fBw1ejIEjVUX+bami2fQ6RPl4uEyloco4paV3w/vww2hh4VchCFLYAEKMkZOZs/eTDGsjaMguwHbPeVJjkpX2T6WQIDAQAB" } + member_warpzonems: + maildomain: "member.test-warpzone.de" + mxserver: "mailserver.test-warpzone.de" + mxhostname: "webserver" + spf: "v=spf1 mx a:mailserver.test-warpzone.de ip4:{{ hostvars['webserver'].ext_ip4 }} ip6:{{ hostvars['webserver'].ext_ip6 }} -all" + dkim: + - { selector: "dkim", value: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu334a+uJ5b7D8UTz3Up6A8EjZhEnXaIpiIcKAGPXXD2ZBGmkWfUNcwDcfMoDErH6ntXzf0uH2VMvaajB/wdKLyly1irDKoyjLA3hJb5wnF9Gh0anL1qxY6UA189vWsw+2JlZJWyQ3IcaQ720SM3OrrK4AL3gRItieSEQ+23m5aW0P6sgUuMXTmmKLbd4\" \"DzZ14Emw293TD2p4gJtgxW/6EfIfcUU+/jP1NNm9gksyzynH1pJXPwVruo9u4QujEQiPqtVsVtrtUm1kbnW+pexj3eKOLLEHGZ+p5AZ/jtALk9pJfNumm/XHFK5PTZDBIipXOYvuG8RdwsaCQRezGKy04QIDAQAB" } + lists_warpzonems: + maildomain: "lists.test-warpzone.de" + mxserver: "mailserver.test-warpzone.de" + mxhostname: "webserver" + spf: "v=spf1 mx a:mailserver.test-warpzone.de ip4:{{ hostvars['webserver'].ext_ip4 }} ip6:{{ hostvars['webserver'].ext_ip6 }} -all" + dkim: + - { selector: "dkim", value: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoO7SXkUkM17Y1Vi/cvO48IJmlReGWSaYHY+wEldLHt80TiXP0AGZ8nG+DshXi1J2D5xjn8cJu4VqgDrLFnsRJyGYKmi7yVukANVg6gjYlET4y5+UU7Vk2W3xhN2U/8F0rcyynALzQa8i4Y/wEI0qkgHyE6+lITmglJvlj6tgp4YYK2TBH3Zo//PukOmU\" \"6gG/qu0+6p+CepvqzfGT2l1duov5a2+DJJzlJTULJ5D5Blsmg/0GeC81gZ4QDC3S8aaM5Pw3I3lQCSJT4Q4Ge6Ues4ccagNrdnZhtHNaVFGdL1mR1k+G784gpMZphPj5MylNEpA3V4bD7/Ygf4GuAvHdMwIDAQAB" } +# Monitoring +monitoring: + external_dns_servers: + - { ip: "1.1.1.1", name: "Cloudflare" } + - { ip: "8.8.8.8", name: "Google" } + - { ip: "9.9.9.9", name: "Quad9" } diff --git a/host_vars/test-warpzone-de b/host_vars/test-warpzone-de new file mode 100644 index 0000000000000000000000000000000000000000..a00479198185e8e4f897e1021a95d1a46b2c1642 --- /dev/null +++ b/host_vars/test-warpzone-de @@ -0,0 +1,196 @@ + +# Host spezifische Variablen + +motd_lines: + - "Testserver" + - "Öffentliche IPs: {{ansible_eth0.ipv4.address}} / {{ansible_eth0.ipv6[0].address}}" + +debian_sources: + - "deb http://ftp2.de.debian.org/debian/ bookworm main contrib non-free" + - "deb http://ftp.debian.org/debian bookworm-updates main contrib non-free" + - "deb http://security.debian.org/ bookworm-security main contrib non-free" + - "deb https://download.docker.com/linux/debian bookworm stable" + +debian_keys_id: + +debian_keys_url: + - "https://download.docker.com/linux/debian/gpg" + + +# Primäre IP Adressen des Hosts +ext_ip4: 159.69.57.56 +ext_ip6: 2a01:4f8:231:8a1:159:69:57:56 +int_ip4: 127.0.0.1 + +# Art des Hosts: physical, vm, docker +host_type: "lxc" + +# SSL aktivieren +webserver_ssl: true + +# Liste der gehosteten Domänen +webserver_domains: + - "test-warpzone.de" +# - "api.test-warpzone.de" +# - "auth.test-warpzone.de" + - "gitlab.test-warpzone.de" +# - "matrix.test-warpzone.de" +# - "mailserver.test-warpzone.de" +# - "ldap.test-warpzone.de" +# - "keycloak.test-warpzone.de" +# - "md.test-warpzone.de" +# - "turn.test-warpzone.de" + - "wiki.test-warpzone.de" + - "www.test-warpzone.de" +# - "workadventure.test-warpzone.de" +# - "play.workadventure.test-warpzone.de" +# - "pusher.workadventure.test-warpzone.de" +# - "api.workadventure.test-warpzone.de" +# - "icon.workadventure.test-warpzone.de" + + +# #OpenVPN Konfigurationen +# openvpn_server: +# - "server-zone" +# - "server-verwaltung" + +administratorenteam: + - "void" + - "sandhome" + - "jabertwo" + +# Docker konfigurationen +docker: + # Interne Docker-Netzwerke + internal_networks: + - web + +# Monitoring aktivieren +alert: + load: + warn: 5 + crit: 10 + containers: + #- { name: "coturn_coturn_1" } + - { name: "dockerstats-app-1" } + #- { name: "dokuwiki_app_1" } + - { name: "gitlab-app-1" } + - { name: "gitlab-dind-1" } + - { name: "gitlab-runner-1" } + #- { name: "hackmd_app_1" } + #- { name: "hackmd_db_1" } + #- { name: "icinga_app_1" } + #- { name: "icinga_db_1" } + #- { name: "icinga_graphite_1" } + #- { name: "keycloak_app_1" } + #- { name: "keycloak_db_1" } + #- { name: "keycloak_sync-group-active_1" } + #- { name: "ldap_openldap_1" } + #- { name: "ldap_phpldapadmin_1" } + #- { name: "mail_admin_1" } + #- { name: "mail_antispam_1" } + #- { name: "mail_certdumper_1" } + #- { name: "mail_db_1" } + #- { name: "mail_front_1" } + #- { name: "mail_imap_1" } + #- { name: "mail_oletools_1" } + #- { name: "mail_redis_1" } + #- { name: "mail_resolver_1" } + #- { name: "mail_smtp_1" } + #- { name: "mail_webmail_1" } + #- { name: "mail_mailman-core_1" } + #- { name: "mail_mailman-web_1" } + #- { name: "mail_mailman-nginx_1" } + #- { name: "matrix_ma1sd_1" } + #- { name: "matrix_db_1" } + #- { name: "matrix_purgemediacache_1" } + #- { name: "matrix_synapse_1" } + #- { name: "matterbridge_cw_1" } + #- { name: "matterbridge_wz_1" } + #- { name: "matterbridge_web_1" } + #- { name: "matterbridge_restarter_1" } + - { name: "traefik-app-1" } + #- { name: "vpnserver_app_1" } + #- { name: "warpapi_app_1" } + #- { name: "watchtower_app_1" } + - { name: "wordpress-app-1" } + - { name: "wordpress-db-1" } + #- { name: "workadventure_back_1" } + #- { name: "workadventure_front_1" } + #- { name: "workadventure_icon_1" } + #- { name: "workadventure_pusher_1" } + #- { name: "workadventure_redis_1" } + disks: + - { mountpoint: "/", warn: "5 GB", crit: "1 GB" } + - { mountpoint: "/srv", warn: "5 GB", crit: "1 GB" } + + +# # Definition von Borgbackup Repositories +# borgbackup_repos: + +# # warpsrvint: + +# # # URL des Repos +# # repo: "ssh://warpzone@192.168.0.201:22/data/warpzone/webserver" + +# # # Repo-spezifische Optionen zum Aufruf von Borgbackup +# # # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich +# # options: "" + +# # # Compression Options, z,b. "zlib,5, "zstd,5" +# # compression: "zlib,5" + +# # # Prune Optionen +# # prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6" + +# # # Backup Schedule +# # weekday: "*" +# # hour: "6" +# # minute: "0" + +# # # Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen +# # # directories: + +# # # Monitoring +# # alert: true +# # warning_age: 26 +# # critical_age: 50 +# # warning_count: 10 +# # critical_count: 5 + +# borgbase: + +# # URL des Repos +# repo: "ani9ve0q@ani9ve0q.repo.borgbase.com:repo" + +# # Repo-spezifische Optionen zum Aufruf von Borgbackup +# # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich +# options: "" + +# # Compression Options, z,b. "zlib,5, "zstd,5" +# compression: "zlib,5" + +# # Prune Optionen +# prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6" + +# # Backup Schedule +# weekday: "*" +# hour: "4" +# minute: "10" + +# # Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen +# # directories: + +# # Monitoring +# alert: true +# warning_age: 26 +# critical_age: 50 +# warning_count: 10 +# critical_count: 5 + + +# # Definition der Verzeichnisse, die in allen Borgbackup Repos gesichert werden sollen +# borgbackup_directories: +# - "/etc/" +# - "/srv/" + diff --git a/hosts.yml b/hosts.yml index f9fe361e7f7d478037623cf673926e179214e142..61673c1ba4f4d5a41f4ef8e88069ec5181bdbe6e 100644 --- a/hosts.yml +++ b/hosts.yml @@ -70,4 +70,12 @@ event: # Wichtige Optionen: Nesting = Yes, keyctl = enabled hix: ansible_ssh_host: 10.111.10.101 + ansible_user: root + +test: + children: + vms: + hosts: + test-warpzone-de: + ansible_ssh_host: 2a01:4f8:231:8a1:159:69:57:56 ansible_user: root \ No newline at end of file diff --git a/site.yml b/site.yml index 813938bfa5262a43307896c3c1918445e0499c30..28d6a3824733c04de964ada6eee8bba6393285d5 100644 --- a/site.yml +++ b/site.yml @@ -14,6 +14,44 @@ # Test Server ################################################## +- hosts: test-warpzone-de + remote_user: root + roles: + - { role: common/cronapt, tags: cronapt } + - { role: common/docker, tags: docker } + # - { + # role: testserver/docker_dockerstats, tags: dockerstats, + # servicename: dockerstats, + # basedir: /srv/dockerstats + # } + - { + role: testserver/docker_traefik, tags: traefik, + servicename: traefik, + basedir: /srv/traefik, + domain: "test-warpzone.de", + domain_default: "www.test-warpzone.de", + } + - { + role: testserver/docker_dokuwiki, tags: dokuwiki, + servicename: "dokuwiki", + domain: "wiki.test-warpzone.de", + basedir: /srv/dokuwiki, + # healthchecks_url: "https://hc-ping.com/038adcfe-05bf-45b4-919b-88b69aab8844" + } + - { + role: testserver/docker_gitlab, tags: gitlab, + servicename: "gitlab", + domain: "gitlab.test-warpzone.de", + domain_registry: "gitlab-registry.test-warpzone.de" + } + - { + role: testserver/docker_wordpress, tags: wordpress, + servicename: "wordpress", + basedir: /srv/wordpress, + domain: "www.test-warpzone.de" + } + + ################################################## # Produktive Server ################################################## diff --git a/testserver/docker_dockerstats/tasks/main.yml b/testserver/docker_dockerstats/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..673605687d98f958504626d9aa673af1a70d1e21 --- /dev/null +++ b/testserver/docker_dockerstats/tasks/main.yml @@ -0,0 +1,27 @@ +--- +- name: "create folder struct for {{ servicename }}" + file: + path: "{{ item }}" + state: "directory" + with_items: + - "{{ basedir }}" + + +- name: Konfig-Dateien erstellen + template: + src: "{{ item }}" + dest: "{{ basedir }}/{{ item }}" + with_items: + - Dockerfile + - docker-compose.yml + register: config + +- name: "stop {{ servicename }} docker" + community.docker.docker_compose_v2: + project_src: "{{ basedir }}" + state: absent + +- name: "start {{ servicename }} docker" + community.docker.docker_compose_v2: + project_src: "{{ basedir }}" + state: present diff --git a/testserver/docker_dockerstats/templates/Dockerfile b/testserver/docker_dockerstats/templates/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..793b7781f16e3c35b0213babc1185e883d014aba --- /dev/null +++ b/testserver/docker_dockerstats/templates/Dockerfile @@ -0,0 +1,19 @@ +FROM node:21-alpine + +RUN apk update \ + && apk upgrade \ + && apk add --no-cache git + +RUN mkdir -p /usr/src/app \ + && cd /usr/src/app \ + && git clone https://github.com/elberfeld/docker_stats_exporter.git \ + && cd /usr/src/app/docker_stats_exporter \ + && git checkout 2020.07.30.1 \ + && npm install + +WORKDIR /usr/src/app/docker_stats_exporter + +EXPOSE 9487 +ENV DOCKERSTATS_PORT=9487 DOCKERSTATS_INTERVAL=15 DEBUG=0 + +ENTRYPOINT [ "npm", "start" ] diff --git a/testserver/docker_dockerstats/templates/docker-compose.yml b/testserver/docker_dockerstats/templates/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..248d813dc7baedae29c85d340edd83749fa77712 --- /dev/null +++ b/testserver/docker_dockerstats/templates/docker-compose.yml @@ -0,0 +1,14 @@ +version: "3" + +services: + + app: + + build: . + restart: always + ports: + - "{{ int_ip4 }}:9487:9487" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /usr/bin/docker:/usr/bin/docker + diff --git a/testserver/docker_dokuwiki/tasks/main.yml b/testserver/docker_dokuwiki/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..bff9f952efb8c7fa85cb98508d7066c8b49fd9ac --- /dev/null +++ b/testserver/docker_dokuwiki/tasks/main.yml @@ -0,0 +1,43 @@ +--- + +- include_tasks: ../functions/get_secret.yml + with_items: + - { path: /srv/shared/noreply_email_pass, length: -1 } + +- name: create folder struct for dokuwiki + file: + path: "{{item}}" + state: "directory" + with_items: + - "{{ basedir }}" + - "{{ basedir }}/data" + - "{{ basedir }}/pdftemplate" + +- name: Docker Compose Konfig-Datei erstellen + template: + src: "{{item}}" + dest: "{{ basedir }}/{{item}}" + with_items: + - docker-compose.yml + - Dockerfile + register: config + +# - name: Cronjob für Mailversand Plenumsmail +# cron: +# name: "sendmail_plenum" +# weekday: "0" +# hour: "20" +# minute: "0" +# job: "/usr/bin/python3 {{ basedir }}/sendmail_plenum.py" +# disabled: false + +- name: "stop {{ servicename}} docker" + community.docker.docker_compose_v2: + project_src: "{{ basedir }}" + state: absent + when: config.changed + +- name: "start {{ servicename}} docker" + community.docker.docker_compose_v2: + project_src: "{{ basedir }}" + state: present diff --git a/testserver/docker_dokuwiki/templates/Dockerfile b/testserver/docker_dokuwiki/templates/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..fd13f5c69738aaa9f9c00df667d5a02a633bf085 --- /dev/null +++ b/testserver/docker_dokuwiki/templates/Dockerfile @@ -0,0 +1,32 @@ +FROM php:8.3.2-apache-bookworm + +# php-gd modul für dw2pdf plugin +RUN apt-get update && apt-get install -y \ + libfreetype6-dev \ + libjpeg62-turbo-dev \ + libpng-dev \ + && docker-php-ext-configure gd --with-freetype --with-jpeg \ + && docker-php-ext-install -j$(nproc) gd + + +# Upload-Limits hoch setzen (Edit by Parad0x) +RUN touch /usr/local/etc/php/conf.d/uploads.ini \ + && echo "upload_max_filesize = 10M;" >> /usr/local/etc/php/conf.d/uploads.ini \ + && echo "post_max_size = 10M;" >> /usr/local/etc/php/conf.d/uploads.ini + + +# Configure LDAP. +RUN apt-get update \ + && apt-get install libldap2-dev -y \ + && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \ + && docker-php-ext-install ldap + + +# Change apache settings +RUN a2enmod rewrite + +# Expose ports +EXPOSE 80 + +# startup +CMD ["apache2-foreground"] diff --git a/testserver/docker_dokuwiki/templates/docker-compose.yml b/testserver/docker_dokuwiki/templates/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..5cef278a9f4c605e335f12b1948fd30ebd3df9f9 --- /dev/null +++ b/testserver/docker_dokuwiki/templates/docker-compose.yml @@ -0,0 +1,24 @@ +version: "3" + +services: + + app: + # values set in configuration: noreply_email_user - noreply_email_pass - smtp_host - smtp_port + build: . + image: "dokuwiki--{{ ansible_date_time.date }}--{{ ansible_date_time.hour }}-{{ ansible_date_time.minute }}-{{ ansible_date_time.second }}" + restart: always + volumes: + - /srv/dokuwiki/data/:/var/www/html + - /srv/dokuwiki/pdftemplate/:/var/www/html/lib/plugins/dw2pdf/tpl/warpzone/ + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`) + - traefik.http.routers.{{ servicename }}.entrypoints=websecure + - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 + networks: + - default + - web + +networks: + web: + external: true diff --git a/testserver/docker_gitlab/tasks/main.yml b/testserver/docker_gitlab/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..36dbab8ee61499229f7655c0705cd10408984979 --- /dev/null +++ b/testserver/docker_gitlab/tasks/main.yml @@ -0,0 +1,45 @@ +--- + +- include_tasks: ../functions/get_secret.yml + with_items: + - { path: /srv/shared/noreply_email_pass, length: -1 } + - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 } + - { path: /srv/gitlab/runner_registration_token, length: -1 } + +# Benötigte Verzeichnisstrukturen erstellen + +- name: create folder structur for gitlab + file: + path: "{{ item }}" + state: directory + owner: root + group: root + with_items: + - "/srv/gitlab/" + - "/srv/gitlab/conf/" + - "/srv/gitlab/data/" + - "/srv/gitlab/log" + - "/srv/gitlab/runner" + +# Konfigurationsdateien erstellen + +- name: Konfig-Datei Gitlab + template: + src: "{{ item }}" + dest: "/srv/gitlab/{{ item }}" + with_items: + - "conf/gitlab.rb" + - "docker-compose.yml" + register: configs + + +- name: stop gitlab docker + community.docker.docker_compose_v2: + project_src: /srv/gitlab/ + state: absent + when: configs.changed + +- name: start gitlab docker + community.docker.docker_compose_v2: + project_src: /srv/gitlab/ + state: present diff --git a/testserver/docker_gitlab/templates/conf/gitlab.rb b/testserver/docker_gitlab/templates/conf/gitlab.rb new file mode 100644 index 0000000000000000000000000000000000000000..d893132b7e40b1b6d1d19676ffb80a6c440a2661 --- /dev/null +++ b/testserver/docker_gitlab/templates/conf/gitlab.rb @@ -0,0 +1,2716 @@ +## GitLab configuration settings +##! This file is generated during initial installation and **is not** modified +##! during upgrades. +##! Check out the latest version of this file to know about the different +##! settings that can be configured, when they were introduced and why: +##! https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template + +##! Locally, the complete template corresponding to the installed version can be found at: +##! /opt/gitlab/etc/gitlab.rb.template + +##! You can run `gitlab-ctl diff-config` to compare the contents of the current gitlab.rb with +##! the gitlab.rb.template from the currently running version. + +##! You can run `gitlab-ctl show-config` to display the configuration that will be generated by +##! running `gitlab-ctl reconfigure` + +##! In general, the values specified here should reflect what the default value of the attribute will be. +##! There are instances where this behavior is not possible or desired. For example, when providing passwords, +##! or connecting to third party services. +##! In those instances, we endeavour to provide an example configuration. + +## GitLab URL +##! URL on which GitLab will be reachable. +##! For more details on configuring external_url see: +##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab +##! +##! Note: During installation/upgrades, the value of the environment variable +##! EXTERNAL_URL will be used to populate/replace this value. +##! On AWS EC2 instances, we also attempt to fetch the public hostname/IP +##! address from AWS. For more details, see: +##! https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html +external_url 'https://{{ domain }}/' + +## Roles for multi-instance GitLab +##! The default is to have no roles enabled, which results in GitLab running as an all-in-one instance. +##! Options: +##! redis_sentinel_role redis_master_role redis_replica_role geo_primary_role geo_secondary_role +##! postgres_role consul_role application_role monitoring_role +##! For more details on each role, see: +##! https://docs.gitlab.com/omnibus/roles/README.html#roles +##! +# roles ['redis_sentinel_role', 'redis_master_role'] + +## Legend +##! The following notations at the beginning of each line may be used to +##! differentiate between components of this file and to easily select them using +##! a regex. +##! ## Titles, subtitles etc +##! ##! More information - Description, Docs, Links, Issues etc. +##! Configuration settings have a single # followed by a single space at the +##! beginning; Remove them to enable the setting. + +##! **Configuration settings below are optional.** + + +################################################################################ +################################################################################ +## Configuration Settings for GitLab CE and EE ## +################################################################################ +################################################################################ + +################################################################################ +## gitlab.yml configuration +##! Docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md +################################################################################ +# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com' +# gitlab_rails['gitlab_ssh_user'] = '' +# gitlab_rails['time_zone'] = 'UTC' +gitlab_rails['gitlab_ssh_host'] = 'gitlab.warpzone.ms' +gitlab_rails['time_zone'] = 'Europe/Berlin' + +### Request duration +###! Tells the rails application how long it has to complete a request +###! This value needs to be lower than the worker timeout set in unicorn/puma. +###! By default, we'll allow 95% of the the worker timeout +# gitlab_rails['max_request_duration_seconds'] = 57 + +### GitLab email server settings +###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html +###! **Use smtp instead of sendmail/postfix.** + +# gitlab_rails['smtp_enable'] = true +# gitlab_rails['smtp_address'] = "smtp.server" +# gitlab_rails['smtp_port'] = 465 +# gitlab_rails['smtp_user_name'] = "smtp user" +# gitlab_rails['smtp_password'] = "smtp password" +# gitlab_rails['smtp_domain'] = "example.com" +# gitlab_rails['smtp_authentication'] = "login" +# gitlab_rails['smtp_enable_starttls_auto'] = true +# gitlab_rails['smtp_tls'] = false +gitlab_rails['smtp_enable'] = true +gitlab_rails['smtp_address'] = "{{ smtp_host }}" +gitlab_rails['smtp_port'] = {{ smtp_port }} +gitlab_rails['smtp_user_name'] = "{{ noreply_email_user }}" +gitlab_rails['smtp_password'] = "{{ noreply_email_pass }}" +gitlab_rails['smtp_domain'] = "{{ smtp_domain }}" +gitlab_rails['smtp_authentication'] = "plain" +gitlab_rails['smtp_enable_starttls_auto'] = true +# gitlab_rails['smtp_tls'] = false +# TODO: Update with new mail server +gitlab_rails['smtp_openssl_verify_mode'] = 'none' + + +### Email Settings + +# gitlab_rails['gitlab_email_enabled'] = true +gitlab_rails['gitlab_email_enabled'] = true + +##! If your SMTP server does not like the default 'From: gitlab@gitlab.example.com' +##! can change the 'From' with this setting. +# gitlab_rails['gitlab_email_from'] = 'example@example.com' +# gitlab_rails['gitlab_email_display_name'] = 'Example' +# gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com' +# gitlab_rails['gitlab_email_subject_suffix'] = '' +# gitlab_rails['gitlab_email_smime_enabled'] = false +# gitlab_rails['gitlab_email_smime_key_file'] = '/etc/gitlab/ssl/gitlab_smime.key' +# gitlab_rails['gitlab_email_smime_cert_file'] = '/etc/gitlab/ssl/gitlab_smime.crt' +# gitlab_rails['gitlab_email_smime_ca_certs_file'] = '/etc/gitlab/ssl/gitlab_smime_cas.crt' +gitlab_rails['gitlab_email_from'] = 'gitlab@{{ smtp_domain }}' +gitlab_rails['gitlab_email_display_name'] = 'Warpzone Gitlab' +gitlab_rails['gitlab_email_reply_to'] = '{{ noreply_email_user }}' + +### GitLab user privileges +# gitlab_rails['gitlab_username_changing_enabled'] = true +gitlab_rails['gitlab_username_changing_enabled'] = false + +### Default Theme +### Available values: +##! `1` for Indigo +##! `2` for Dark +##! `3` for Light +##! `4` for Blue +##! `5` for Green +##! `6` for Light Indigo +##! `7` for Light Blue +##! `8` for Light Green +##! `9` for Red +##! `10` for Light Red +# gitlab_rails['gitlab_default_theme'] = 2 + +### Default project feature settings +# gitlab_rails['gitlab_default_projects_features_issues'] = true +# gitlab_rails['gitlab_default_projects_features_merge_requests'] = true +# gitlab_rails['gitlab_default_projects_features_wiki'] = true +# gitlab_rails['gitlab_default_projects_features_snippets'] = true +# gitlab_rails['gitlab_default_projects_features_builds'] = true +# gitlab_rails['gitlab_default_projects_features_container_registry'] = true + +gitlab_rails['gitlab_default_projects_features_issues'] = false +gitlab_rails['gitlab_default_projects_features_merge_requests'] = true +gitlab_rails['gitlab_default_projects_features_wiki'] = false +gitlab_rails['gitlab_default_projects_features_snippets'] = false +gitlab_rails['gitlab_default_projects_features_builds'] = false +gitlab_rails['gitlab_default_projects_features_container_registry'] = false + +### Automatic issue closing +###! See https://docs.gitlab.com/ee/customization/issue_closing.html for more +###! information about this pattern. +# gitlab_rails['gitlab_issue_closing_pattern'] = "\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)" + +### Download location +###! When a user clicks e.g. 'Download zip' on a project, a temporary zip file +###! is created in the following directory. +###! Should not be the same path, or a sub directory of any of the `git_data_dirs` +# gitlab_rails['gitlab_repository_downloads_path'] = 'tmp/repositories' + +### Gravatar Settings +# gitlab_rails['gravatar_plain_url'] = 'http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon' +# gitlab_rails['gravatar_ssl_url'] = 'https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon' + +### Auxiliary jobs +###! Periodically executed jobs, to self-heal Gitlab, do external +###! synchronizations, etc. +###! Docs: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job +###! https://docs.gitlab.com/ee/ci/yaml/README.html#artifactsexpire_in +# gitlab_rails['stuck_ci_jobs_worker_cron'] = "0 0 * * *" +# gitlab_rails['expire_build_artifacts_worker_cron'] = "50 * * * *" +# gitlab_rails['environments_auto_stop_cron_worker_cron'] = "24 * * * *" +# gitlab_rails['pipeline_schedule_worker_cron'] = "19 * * * *" +# gitlab_rails['ci_archive_traces_cron_worker_cron'] = "17 * * * *" +# gitlab_rails['repository_check_worker_cron'] = "20 * * * *" +# gitlab_rails['admin_email_worker_cron'] = "0 0 * * 0" +# gitlab_rails['personal_access_tokens_expiring_worker_cron'] = "0 1 * * *" +# gitlab_rails['personal_access_tokens_expired_notification_worker_cron'] = "0 2 * * *" +# gitlab_rails['repository_archive_cache_worker_cron'] = "0 * * * *" +# gitlab_rails['pages_domain_verification_cron_worker'] = "*/15 * * * *" +# gitlab_rails['pages_domain_ssl_renewal_cron_worker'] = "*/10 * * * *" +# gitlab_rails['pages_domain_removal_cron_worker'] = "47 0 * * *" +# gitlab_rails['remove_unaccepted_member_invites_cron_worker'] = "10 15 * * *" +# gitlab_rails['schedule_migrate_external_diffs_worker_cron'] = "15 * * * *" +# gitlab_rails['ci_platform_metrics_update_cron_worker'] = '47 9 * * *' +# gitlab_rails['analytics_instance_statistics_count_job_trigger_worker_cron'] = "50 23 */1 * *" +# gitlab_rails['member_invitation_reminder_emails_worker_cron'] = "0 0 * * *" + +### Webhook Settings +###! Number of seconds to wait for HTTP response after sending webhook HTTP POST +###! request (default: 10) +# gitlab_rails['webhook_timeout'] = 10 + +### GraphQL Settings +###! Tells the rails application how long it has to complete a GraphQL request. +###! We suggest this value to be higher than the database timeout value +###! and lower than the worker timeout set in unicorn/puma. (default: 30) +# gitlab_rails['graphql_timeout'] = 30 + +### Trusted proxies +###! Customize if you have GitLab behind a reverse proxy which is running on a +###! different machine. +###! **Add the IP address for your reverse proxy to the list, otherwise users +###! will appear signed in from that address.** +# gitlab_rails['trusted_proxies'] = [] + +### Content Security Policy +####! Customize if you want to enable the Content-Security-Policy header, which +####! can help thwart JavaScript cross-site scripting (XSS) attacks. +####! See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP +# gitlab_rails['content_security_policy'] = { +# 'enabled' => false, +# 'report_only' => false, +# # Each directive is a String (e.g. "'self'"). +# 'directives' => { +# 'base_uri' => nil, +# 'child_src' => nil, +# 'connect_src' => nil, +# 'default_src' => nil, +# 'font_src' => nil, +# 'form_action' => nil, +# 'frame_ancestors' => nil, +# 'frame_src' => nil, +# 'img_src' => nil, +# 'manifest_src' => nil, +# 'media_src' => nil, +# 'object_src' => nil, +# 'script_src' => nil, +# 'style_src' => nil, +# 'worker_src' => nil, +# 'report_uri' => nil, +# } +# } + +### Monitoring settings +###! IP whitelist controlling access to monitoring endpoints +# gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128'] +###! Time between sampling of unicorn socket metrics, in seconds +# gitlab_rails['monitoring_unicorn_sampler_interval'] = 10 + +### Shutdown settings +###! Defines an interval to block healthcheck, +###! but continue accepting application requests. +# gitlab_rails['shutdown_blackout_seconds'] = 10 + +### Reply by email +###! Allow users to comment on issues and merge requests by replying to +###! notification emails. +###! Docs: https://docs.gitlab.com/ee/administration/reply_by_email.html +# gitlab_rails['incoming_email_enabled'] = true + +#### Incoming Email Address +####! The email address including the `%{key}` placeholder that will be replaced +####! to reference the item being replied to. +####! **The placeholder can be omitted but if present, it must appear in the +####! "user" part of the address (before the `@`).** +# gitlab_rails['incoming_email_address'] = "gitlab-incoming+%{key}@gmail.com" + +#### Email account username +####! **With third party providers, this is usually the full email address.** +####! **With self-hosted email servers, this is usually the user part of the +####! email address.** +# gitlab_rails['incoming_email_email'] = "gitlab-incoming@gmail.com" + +#### Email account password +# gitlab_rails['incoming_email_password'] = "[REDACTED]" + +#### IMAP Settings +# gitlab_rails['incoming_email_host'] = "imap.gmail.com" +# gitlab_rails['incoming_email_port'] = 993 +# gitlab_rails['incoming_email_ssl'] = true +# gitlab_rails['incoming_email_start_tls'] = false + +#### Incoming Mailbox Settings (via `mail_room`) +####! The mailbox where incoming mail will end up. Usually "inbox". +# gitlab_rails['incoming_email_mailbox_name'] = "inbox" +####! The IDLE command timeout. +# gitlab_rails['incoming_email_idle_timeout'] = 60 +####! The file name for internal `mail_room` JSON logfile +# gitlab_rails['incoming_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log" +####! Permanently remove messages from the mailbox when they are deleted after delivery +# gitlab_rails['incoming_email_expunge_deleted'] = false + +####! The format of mail_room crash logs +# mailroom['exit_log_format'] = "plain" + +### Consolidated (simplified) object storage configuration +###! This uses a single credential for object storage with multiple buckets. +###! It also enables Workhorse to upload files directly with its own S3 client +###! instead of using pre-signed URLs. +###! +###! This configuration will only take effect if the object_store +###! sections are not defined within the types. For example, enabling +###! gitlab_rails['artifacts_object_store_enabled'] or +###! gitlab_rails['lfs_object_store_enabled'] will prevent the +###! consolidated settings from being used. +###! +###! Be sure to use different buckets for each type of object. +###! Docs: https://docs.gitlab.com/ee/administration/object_storage.html +gitlab_rails['object_store']['enabled'] = false +gitlab_rails['object_store']['connection'] = {} +gitlab_rails['object_store']['storage_options'] = {} +gitlab_rails['object_store']['proxy_download'] = false +gitlab_rails['object_store']['objects']['artifacts']['bucket'] = nil +gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = nil +gitlab_rails['object_store']['objects']['lfs']['bucket'] = nil +gitlab_rails['object_store']['objects']['uploads']['bucket'] = nil +gitlab_rails['object_store']['objects']['packages']['bucket'] = nil +gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = nil +gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil +gitlab_rails['object_store']['objects']['pages']['bucket'] = nil + +### Job Artifacts +# gitlab_rails['artifacts_enabled'] = true +# gitlab_rails['artifacts_path'] = "/var/opt/gitlab/gitlab-rails/shared/artifacts" +####! Job artifacts Object Store +####! Docs: https://docs.gitlab.com/ee/administration/job_artifacts.html#using-object-storage +# gitlab_rails['artifacts_object_store_enabled'] = false +# gitlab_rails['artifacts_object_store_direct_upload'] = false +# gitlab_rails['artifacts_object_store_background_upload'] = true +# gitlab_rails['artifacts_object_store_proxy_download'] = false +# gitlab_rails['artifacts_object_store_remote_directory'] = "artifacts" +# gitlab_rails['artifacts_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'host' => 's3.amazonaws.com', +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### External merge request diffs +# gitlab_rails['external_diffs_enabled'] = false +# gitlab_rails['external_diffs_when'] = nil +# gitlab_rails['external_diffs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/external-diffs" +# gitlab_rails['external_diffs_object_store_enabled'] = false +# gitlab_rails['external_diffs_object_store_direct_upload'] = false +# gitlab_rails['external_diffs_object_store_background_upload'] = false +# gitlab_rails['external_diffs_object_store_proxy_download'] = false +# gitlab_rails['external_diffs_object_store_remote_directory'] = "external-diffs" +# gitlab_rails['external_diffs_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'host' => 's3.amazonaws.com', +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### Git LFS +# gitlab_rails['lfs_enabled'] = true +# gitlab_rails['lfs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/lfs-objects" +# gitlab_rails['lfs_object_store_enabled'] = false +# gitlab_rails['lfs_object_store_direct_upload'] = false +# gitlab_rails['lfs_object_store_background_upload'] = true +# gitlab_rails['lfs_object_store_proxy_download'] = false +# gitlab_rails['lfs_object_store_remote_directory'] = "lfs-objects" +# gitlab_rails['lfs_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'host' => 's3.amazonaws.com', +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### GitLab uploads +###! Docs: https://docs.gitlab.com/ee/administration/uploads.html +# gitlab_rails['uploads_storage_path'] = "/opt/gitlab/embedded/service/gitlab-rails/public" +# gitlab_rails['uploads_base_dir'] = "uploads/-/system" +# gitlab_rails['uploads_object_store_enabled'] = false +# gitlab_rails['uploads_object_store_direct_upload'] = false +# gitlab_rails['uploads_object_store_background_upload'] = true +# gitlab_rails['uploads_object_store_proxy_download'] = false +# gitlab_rails['uploads_object_store_remote_directory'] = "uploads" +# gitlab_rails['uploads_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'host' => 's3.amazonaws.com', +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### Terraform state +###! Docs: https://docs.gitlab.com/ee/administration/terraform_state +# gitlab_rails['terraform_state_enabled'] = true +# gitlab_rails['terraform_state_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/terraform_state" +# gitlab_rails['terraform_state_object_store_enabled'] = false +# gitlab_rails['terraform_state_object_store_remote_directory'] = "terraform" +# gitlab_rails['terraform_state_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'host' => 's3.amazonaws.com', +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### GitLab Pages +# gitlab_rails['pages_object_store_enabled'] = false +# gitlab_rails['pages_object_store_remote_directory'] = "pages" +# gitlab_rails['pages_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'host' => 's3.amazonaws.com', +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### Impersonation settings +# gitlab_rails['impersonation_enabled'] = true + +### Usage Statistics +# gitlab_rails['usage_ping_enabled'] = true + +### Seat Link setting +###! Docs: https://docs.gitlab.com/ee/subscriptions/index.html#seat-link +# gitlab_rails['seat_link_enabled'] = true + +### GitLab Mattermost +###! These settings are void if Mattermost is installed on the same omnibus +###! install +# gitlab_rails['mattermost_host'] = "https://mattermost.example.com" + +### LDAP Settings +###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html +###! **Be careful not to break the indentation in the ldap_servers block. It is +###! in yaml format and the spaces must be retained. Using tabs will not work.** + +# gitlab_rails['ldap_enabled'] = false +# gitlab_rails['prevent_ldap_sign_in'] = false +gitlab_rails['ldap_enabled'] = true + + +###! **remember to close this block with 'EOS' below** +# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' +# main: # 'main' is the GitLab 'provider ID' of this LDAP server +# label: 'LDAP' +# host: '_your_ldap_server' +# port: 389 +# uid: 'sAMAccountName' +# bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' +# password: '_the_password_of_the_bind_user' +# encryption: 'plain' # "start_tls" or "simple_tls" or "plain" +# verify_certificates: true +# smartcard_auth: false +# active_directory: true +# allow_username_or_email_login: false +# lowercase_usernames: false +# block_auto_created_users: false +# base: '' +# user_filter: '' +# ## EE only +# group_base: '' +# admin_group: '' +# sync_ssh_keys: false +# +# secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server +# label: 'LDAP' +# host: '_your_ldap_server' +# port: 389 +# uid: 'sAMAccountName' +# bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' +# password: '_the_password_of_the_bind_user' +# encryption: 'plain' # "start_tls" or "simple_tls" or "plain" +# verify_certificates: true +# smartcard_auth: false +# active_directory: true +# allow_username_or_email_login: false +# lowercase_usernames: false +# block_auto_created_users: false +# base: '' +# user_filter: '' +# ## EE only +# group_base: '' +# admin_group: '' +# sync_ssh_keys: false +# EOS + +gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' + main: + label: 'LDAP' + host: '{{ ldap_ip_ext }}' + port: 389 + uid: 'uid' + method: 'plain' + bind_dn: '{{ ldap_readonly_bind_dn }}' + password: '{{ ldap_readonly_pass }}' + base: '{{ ldap_base_dn }}' + user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))' + attributes: + username: ['uid', 'cn'] + email: ['mail', 'email'] + name: 'cn' + first_name: 'givenName' + last_name: 'sn' +EOS + + +### Smartcard authentication settings +###! Docs: https://docs.gitlab.com/ee/administration/auth/smartcard.html +# gitlab_rails['smartcard_enabled'] = false +# gitlab_rails['smartcard_ca_file'] = "/etc/gitlab/ssl/CA.pem" +# gitlab_rails['smartcard_client_certificate_required_host'] = 'smartcard.gitlab.example.com' +# gitlab_rails['smartcard_client_certificate_required_port'] = 3444 +# gitlab_rails['smartcard_required_for_git_access'] = false +# gitlab_rails['smartcard_san_extensions'] = false + +### OmniAuth Settings +###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html +# gitlab_rails['omniauth_enabled'] = nil +# gitlab_rails['omniauth_allow_single_sign_on'] = ['saml'] +# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml' +# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml'] +# gitlab_rails['omniauth_sync_profile_attributes'] = ['email'] +# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml' +# gitlab_rails['omniauth_block_auto_created_users'] = true +# gitlab_rails['omniauth_auto_link_ldap_user'] = false +# gitlab_rails['omniauth_auto_link_saml_user'] = false +# gitlab_rails['omniauth_auto_link_user'] = ['saml'] +# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2'] +# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2'] +# gitlab_rails['omniauth_providers'] = [ +# { +# "name" => "google_oauth2", +# "app_id" => "YOUR APP ID", +# "app_secret" => "YOUR APP SECRET", +# "args" => { "access_type" => "offline", "approval_prompt" => "" } +# } +# ] + +### Backup Settings +###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html + +# gitlab_rails['manage_backup_path'] = true +# gitlab_rails['backup_path'] = "/var/opt/gitlab/backups" + +###! Docs: https://docs.gitlab.com/ee/raketasks/backup_restore.html#backup-archive-permissions +# gitlab_rails['backup_archive_permissions'] = 0644 + +# gitlab_rails['backup_pg_schema'] = 'public' + +###! The duration in seconds to keep backups before they are allowed to be deleted +# gitlab_rails['backup_keep_time'] = 604800 + +# gitlab_rails['backup_upload_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AKIAKIAKI', +# 'aws_secret_access_key' => 'secret123', +# # # If IAM profile use is enabled, remove aws_access_key_id and aws_secret_access_key +# 'use_iam_profile' => false +# } +# gitlab_rails['backup_upload_remote_directory'] = 'my.s3.bucket' +# gitlab_rails['backup_multipart_chunk_size'] = 104857600 + +###! **Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for +###! backups** +# gitlab_rails['backup_encryption'] = 'AES256' +###! The encryption key to use with AWS Server-Side Encryption. +###! Setting this value will enable Server-Side Encryption with customer provided keys; +###! otherwise S3-managed keys are used. +# gitlab_rails['backup_encryption_key'] = '<base64-encoded encryption key>' + +###! **Specifies Amazon S3 storage class to use for backups. Valid values +###! include 'STANDARD', 'STANDARD_IA', and 'REDUCED_REDUNDANCY'** +# gitlab_rails['backup_storage_class'] = 'STANDARD' + +###! Skip parts of the backup. Comma separated. +###! Docs: https://docs.gitlab.com/ee/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup +#gitlab_rails['env'] = { +# "SKIP" => "db,uploads,repositories,builds,artifacts,lfs,registry,pages" +#} + +### Pseudonymizer Settings +# gitlab_rails['pseudonymizer_manifest'] = 'config/pseudonymizer.yml' +# gitlab_rails['pseudonymizer_upload_remote_directory'] = 'gitlab-elt' +# gitlab_rails['pseudonymizer_upload_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AKIAKIAKI', +# 'aws_secret_access_key' => 'secret123' +# } + + +### For setting up different data storing directory +###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#storing-git-data-in-an-alternative-directory +###! **If you want to use a single non-default directory to store git data use a +###! path that doesn't contain symlinks.** +# git_data_dirs({ +# "default" => { +# "path" => "/mnt/nfs-01/git-data" +# } +# }) + +### Gitaly settings +# gitlab_rails['gitaly_token'] = 'secret token' + +### For storing GitLab application uploads, eg. LFS objects, build artifacts +###! Docs: https://docs.gitlab.com/ee/development/shared_files.html +# gitlab_rails['shared_path'] = '/var/opt/gitlab/gitlab-rails/shared' + +### Wait for file system to be mounted +###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#only-start-omnibus-gitlab-services-after-a-given-filesystem-is-mounted +# high_availability['mountpoint'] = ["/var/opt/gitlab/git-data", "/var/opt/gitlab/gitlab-rails/shared"] + +### GitLab Shell settings for GitLab +# gitlab_rails['gitlab_shell_ssh_port'] = 22 +# gitlab_rails['gitlab_shell_git_timeout'] = 800 +gitlab_rails['gitlab_shell_ssh_port'] = 444 + +### Extra customization +# gitlab_rails['extra_google_analytics_id'] = '_your_tracking_id' +# gitlab_rails['extra_piwik_url'] = '_your_piwik_url' +# gitlab_rails['extra_piwik_site_id'] = '_your_piwik_site_id' + +##! Docs: https://docs.gitlab.com/omnibus/settings/environment-variables.html +# gitlab_rails['env'] = { +# 'BUNDLE_GEMFILE' => "/opt/gitlab/embedded/service/gitlab-rails/Gemfile", +# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin" +# } + +# gitlab_rails['rack_attack_git_basic_auth'] = { +# 'enabled' => false, +# 'ip_whitelist' => ["127.0.0.1"], +# 'maxretry' => 10, +# 'findtime' => 60, +# 'bantime' => 3600 +# } + +###! **We do not recommend changing these directories.** +# gitlab_rails['dir'] = "/var/opt/gitlab/gitlab-rails" +# gitlab_rails['log_directory'] = "/var/log/gitlab/gitlab-rails" + +### GitLab application settings +# gitlab_rails['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads" + +#### Change the initial default admin password and shared runner registration tokens. +####! **Only applicable on initial setup, changing these settings after database +####! is created and seeded won't yield any change.** +# gitlab_rails['initial_root_password'] = "password" +# gitlab_rails['initial_shared_runners_registration_token'] = "token" + +#### Set path to an initial license to be used while bootstrapping GitLab. +####! **Only applicable on initial setup, future license updations need to be done via UI. +####! Updating the file specified in this path won't yield any change after the first reconfigure run. +# gitlab_rails['initial_license_file'] = '/etc/gitlab/company.gitlab-license' + +#### Enable or disable automatic database migrations +# gitlab_rails['auto_migrate'] = true + +#### This is advanced feature used by large gitlab deployments where loading +#### whole RAILS env takes a lot of time. +# gitlab_rails['rake_cache_clear'] = true + +### GitLab database settings +###! Docs: https://docs.gitlab.com/omnibus/settings/database.html +###! **Only needed if you use an external database.** +# gitlab_rails['db_adapter'] = "postgresql" +# gitlab_rails['db_encoding'] = "unicode" +# gitlab_rails['db_collation'] = nil +# gitlab_rails['db_database'] = "gitlabhq_production" +# gitlab_rails['db_username'] = "gitlab" +# gitlab_rails['db_password'] = nil +# gitlab_rails['db_host'] = nil +# gitlab_rails['db_port'] = 5432 +# gitlab_rails['db_socket'] = nil +# gitlab_rails['db_sslmode'] = nil +# gitlab_rails['db_sslcompression'] = 0 +# gitlab_rails['db_sslrootcert'] = nil +# gitlab_rails['db_sslcert'] = nil +# gitlab_rails['db_sslkey'] = nil +# gitlab_rails['db_prepared_statements'] = false +# gitlab_rails['db_statements_limit'] = 1000 +# gitlab_rails['db_connect_timeout'] = nil + + +### GitLab Redis settings +###! Connect to your own Redis instance +###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html + +#### Redis TCP connection +# gitlab_rails['redis_host'] = "127.0.0.1" +# gitlab_rails['redis_port'] = 6379 +# gitlab_rails['redis_ssl'] = false +# gitlab_rails['redis_password'] = nil +# gitlab_rails['redis_database'] = 0 +# gitlab_rails['redis_enable_client'] = true + +#### Redis local UNIX socket (will be disabled if TCP method is used) +# gitlab_rails['redis_socket'] = "/var/opt/gitlab/redis/redis.socket" + +#### Sentinel support +####! To have Sentinel working, you must enable Redis TCP connection support +####! above and define a few Sentinel hosts below (to get a reliable setup +####! at least 3 hosts). +####! **You don't need to list every sentinel host, but the ones not listed will +####! not be used in a fail-over situation to query for the new master.** +# gitlab_rails['redis_sentinels'] = [ +# {'host' => '127.0.0.1', 'port' => 26379}, +# ] + +#### Separate instances support +###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html#running-with-multiple-redis-instances +# gitlab_rails['redis_cache_instance'] = nil +# gitlab_rails['redis_cache_sentinels'] = nil +# gitlab_rails['redis_queues_instance'] = nil +# gitlab_rails['redis_queues_sentinels'] = nil +# gitlab_rails['redis_shared_state_instance'] = nil +# gitlab_rails['redis_shared_sentinels'] = nil +# gitlab_rails['redis_actioncable_instance'] = nil +# gitlab_rails['redis_actioncable_sentinels'] = nil + +###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'** +###! Docs: http://api.rubyonrails.org/classes/ActionMailer/Base.html +# gitlab_rails['smtp_openssl_verify_mode'] = 'none' + +# gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs" +# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt" + +################################################################################ +## Container Registry settings +##! Docs: https://docs.gitlab.com/ee/administration/container_registry.html +################################################################################ + +registry_external_url 'https://{{ domain_registry }}' + +### Settings used by GitLab application +# gitlab_rails['registry_enabled'] = true +# gitlab_rails['registry_host'] = "registry.gitlab.example.com" +# gitlab_rails['registry_port'] = "5005" +# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry" +gitlab_rails['registry_enabled'] = true + +# Notification secret, it's used to authenticate notification requests to GitLab application +# You only need to change this when you use external Registry service, otherwise +# it will be taken directly from notification settings of your Registry +# gitlab_rails['registry_notification_secret'] = nil + +###! **Do not change the following 3 settings unless you know what you are +###! doing** +# gitlab_rails['registry_api_url'] = "http://localhost:5000" +# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key" +# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer" + +### Settings used by Registry application +registry['enable'] = true +# registry['username'] = "registry" +# registry['group'] = "registry" +# registry['uid'] = nil +# registry['gid'] = nil +# registry['dir'] = "/var/opt/gitlab/registry" +# registry['registry_http_addr'] = "localhost:5000" +# registry['debug_addr'] = "localhost:5001" +# registry['log_directory'] = "/var/log/gitlab/registry" +# registry['env_directory'] = "/opt/gitlab/etc/registry/env" +# registry['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# registry['log_level'] = "info" +# registry['log_formatter'] = "text" +# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt" +# registry['health_storagedriver_enabled'] = true +# registry['storage_delete_enabled'] = true +# registry['validation_enabled'] = false +# registry['autoredirect'] = false +# registry['compatibility_schema1_enabled'] = false + +### Registry backend storage +###! Docs: https://docs.gitlab.com/ee/administration/packages/container_registry.html#configure-storage-for-the-container-registry +# registry['storage'] = { +# 's3' => { +# 'accesskey' => 's3-access-key', +# 'secretkey' => 's3-secret-key-for-access-key', +# 'bucket' => 'your-s3-bucket', +# 'region' => 'your-s3-region', +# 'regionendpoint' => 'your-s3-regionendpoint' +# }, +# 'redirect' => { +# 'disable' => false +# } +# } + +### Registry notifications endpoints +# registry['notifications'] = [ +# { +# 'name' => 'test_endpoint', +# 'url' => 'https://gitlab.example.com/notify2', +# 'timeout' => '500ms', +# 'threshold' => 5, +# 'backoff' => '1s', +# 'headers' => { +# "Authorization" => ["AUTHORIZATION_EXAMPLE_TOKEN"] +# } +# } +# ] +### Default registry notifications +# registry['default_notifications_timeout'] = "500ms" +# registry['default_notifications_threshold'] = 5 +# registry['default_notifications_backoff'] = "1s" +# registry['default_notifications_headers'] = {} + +################################################################################ +## Error Reporting and Logging with Sentry +################################################################################ +# gitlab_rails['sentry_enabled'] = false +# gitlab_rails['sentry_dsn'] = 'https://<key>@sentry.io/<project>' +# gitlab_rails['sentry_clientside_dsn'] = 'https://<key>@sentry.io/<project>' +# gitlab_rails['sentry_environment'] = 'production' + +################################################################################ +## CI_JOB_JWT +################################################################################ +##! RSA private key used to sign CI_JOB_JWT +# gitlab_rails['ci_jwt_signing_key'] = nil # Will be generated if not set. + +################################################################################ +## GitLab Workhorse +##! Docs: https://gitlab.com/gitlab-org/gitlab-workhorse/blob/master/README.md +################################################################################ + +# gitlab_workhorse['enable'] = true +# gitlab_workhorse['ha'] = false +# gitlab_workhorse['listen_network'] = "unix" +# gitlab_workhorse['listen_umask'] = 000 +# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/sockets/socket" +# gitlab_workhorse['auth_backend'] = "http://localhost:8080" + +##! the empty string is the default in gitlab-workhorse option parser +# gitlab_workhorse['auth_socket'] = "''" + +##! put an empty string on the command line +# gitlab_workhorse['pprof_listen_addr'] = "''" + +# gitlab_workhorse['prometheus_listen_addr'] = "localhost:9229" + +# gitlab_workhorse['dir'] = "/var/opt/gitlab/gitlab-workhorse" +# gitlab_workhorse['log_directory'] = "/var/log/gitlab/gitlab-workhorse" +# gitlab_workhorse['proxy_headers_timeout'] = "1m0s" + +##! limit number of concurrent API requests, defaults to 0 which is unlimited +# gitlab_workhorse['api_limit'] = 0 + +##! limit number of API requests allowed to be queued, defaults to 0 which +##! disables queuing +# gitlab_workhorse['api_queue_limit'] = 0 + +##! duration after which we timeout requests if they sit too long in the queue +# gitlab_workhorse['api_queue_duration'] = "30s" + +##! Long polling duration for job requesting for runners +# gitlab_workhorse['api_ci_long_polling_duration'] = "60s" + +##! Log format: default is json, can also be text or none. +# gitlab_workhorse['log_format'] = "json" + +# gitlab_workhorse['env_directory'] = "/opt/gitlab/etc/gitlab-workhorse/env" +# gitlab_workhorse['env'] = { +# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin", +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } + +################################################################################ +## GitLab User Settings +##! Modify default git user. +##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#changing-the-name-of-the-git-user-group +################################################################################ + +# user['username'] = "git" +# user['group'] = "git" +# user['uid'] = nil +# user['gid'] = nil + +##! The shell for the git user +# user['shell'] = "/bin/sh" + +##! The home directory for the git user +# user['home'] = "/var/opt/gitlab" + +# user['git_user_name'] = "GitLab" +# user['git_user_email'] = "gitlab@#{node['fqdn']}" + +################################################################################ +## GitLab Unicorn +##! Tweak unicorn settings. +##! Docs: https://docs.gitlab.com/omnibus/settings/unicorn.html +################################################################################ + +# unicorn['enable'] = false +# unicorn['worker_timeout'] = 60 +###! Minimum worker_processes is 2 at this moment +###! See https://gitlab.com/gitlab-org/gitlab-foss/issues/18771 +# unicorn['worker_processes'] = 2 + +### Advanced settings +# unicorn['listen'] = 'localhost' +# unicorn['port'] = 8080 +# unicorn['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket' +# unicorn['pidfile'] = '/opt/gitlab/var/unicorn/unicorn.pid' +# unicorn['tcp_nopush'] = true +# unicorn['backlog_socket'] = 1024 + +###! **Make sure somaxconn is equal or higher then backlog_socket** +# unicorn['somaxconn'] = 1024 + +###! **We do not recommend changing this setting** +# unicorn['log_directory'] = "/var/log/gitlab/unicorn" + +### **Only change these settings if you understand well what they mean** +###! Docs: https://docs.gitlab.com/ee/administration/operations/unicorn.html#unicorn-worker-killer +###! https://github.com/kzk/unicorn-worker-killer +# unicorn['worker_memory_limit_min'] = "1024 * 1 << 20" +# unicorn['worker_memory_limit_max'] = "1280 * 1 << 20" + +# unicorn['exporter_enabled'] = false +# unicorn['exporter_address'] = "127.0.0.1" +# unicorn['exporter_port'] = 8083 + +################################################################################ +## GitLab Puma +##! Tweak puma settings. You should only use Unicorn or Puma, not both. +##! Docs: https://docs.gitlab.com/omnibus/settings/puma.html +################################################################################ + +# puma['enable'] = true +# puma['ha'] = false +# puma['worker_timeout'] = 60 +# puma['worker_processes'] = 2 +# puma['min_threads'] = 4 +# puma['max_threads'] = 4 + +### Advanced settings +# puma['listen'] = '127.0.0.1' +# puma['port'] = 8080 +# puma['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket' +# puma['pidfile'] = '/opt/gitlab/var/puma/puma.pid' +# puma['state_path'] = '/opt/gitlab/var/puma/puma.state' + +###! **We do not recommend changing this setting** +# puma['log_directory'] = "/var/log/gitlab/puma" + +### **Only change these settings if you understand well what they mean** +###! Docs: https://github.com/schneems/puma_worker_killer +# puma['per_worker_max_memory_mb'] = 850 + +# puma['exporter_enabled'] = false +# puma['exporter_address'] = "127.0.0.1" +# puma['exporter_port'] = 8083 + +################################################################################ +## GitLab Sidekiq +################################################################################ + +##! GitLab allows one to start multiple sidekiq processes. These +##! processes can be used to consume a dedicated set of queues. This +##! can be used to ensure certain queues are able to handle additional workload. +##! https://docs.gitlab.com/ee/administration/operations/extra_sidekiq_processes.html + +# sidekiq['log_directory'] = "/var/log/gitlab/sidekiq" +# sidekiq['log_format'] = "json" +# sidekiq['shutdown_timeout'] = 4 +# sidekiq['cluster'] = true +# sidekiq['experimental_queue_selector'] = false +# sidekiq['interval'] = nil +# sidekiq['max_concurrency'] = 50 +# sidekiq['min_concurrency'] = nil + +##! Each entry in the queue_groups array denotes a group of queues that have to be processed by a +##! Sidekiq process. Multiple queues can be processed by the same process by +##! separating them with a comma within the group entry, a `*` will process all queues + +# sidekiq['queue_groups'] = ['*'] + +##! If negate is enabled then sidekiq-cluster will process all the queues that +##! don't match those in queue_groups. + +# sidekiq['negate'] = false + +# sidekiq['metrics_enabled'] = true +# sidekiq['exporter_log_enabled'] = false +# sidekiq['listen_address'] = "localhost" +# sidekiq['listen_port'] = 8082 + +################################################################################ +## gitlab-shell +################################################################################ + +# gitlab_shell['audit_usernames'] = false +# gitlab_shell['log_level'] = 'INFO' +# gitlab_shell['log_format'] = 'json' +# gitlab_shell['http_settings'] = { user: 'username', password: 'password', ca_file: '/etc/ssl/cert.pem', ca_path: '/etc/pki/tls/certs', self_signed_cert: false} +# gitlab_shell['log_directory'] = "/var/log/gitlab/gitlab-shell/" +# gitlab_shell['custom_hooks_dir'] = "/opt/gitlab/embedded/service/gitlab-shell/hooks" + +# gitlab_shell['auth_file'] = "/var/opt/gitlab/.ssh/authorized_keys" + +### Migration to Go feature flags +###! Docs: https://gitlab.com/gitlab-org/gitlab-shell#migration-to-go-feature-flags +# gitlab_shell['migration'] = { enabled: true, features: [] } + +### Git trace log file. +###! If set, git commands receive GIT_TRACE* environment variables +###! Docs: https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging +###! An absolute path starting with / – the trace output will be appended to +###! that file. It needs to exist so we can check permissions and avoid +###! throwing warnings to the users. +# gitlab_shell['git_trace_log_file'] = "/var/log/gitlab/gitlab-shell/gitlab-shell-git-trace.log" + +##! **We do not recommend changing this directory.** +# gitlab_shell['dir'] = "/var/opt/gitlab/gitlab-shell" + +################################################################ +## GitLab PostgreSQL +################################################################ + +###! Changing any of these settings requires a restart of postgresql. +###! By default, reconfigure reloads postgresql if it is running. If you +###! change any of these settings, be sure to run `gitlab-ctl restart postgresql` +###! after reconfigure in order for the changes to take effect. +# postgresql['enable'] = true +# postgresql['listen_address'] = nil +# postgresql['port'] = 5432 + +## Only used when Patroni is enabled. This is the port that PostgreSQL responds to other +## cluster members. This port is used by Patroni to advertize the PostgreSQL connection +## endpoint to the cluster. By default it is the same as postgresql['port']. +# postgresql['connect_port'] = 5432 + +# postgresql['data_dir'] = "/var/opt/gitlab/postgresql/data" + +##! **recommend value is 1/4 of total RAM, up to 14GB.** +# postgresql['shared_buffers'] = "256MB" + +### Advanced settings +# postgresql['ha'] = false +# postgresql['dir'] = "/var/opt/gitlab/postgresql" +# postgresql['log_directory'] = "/var/log/gitlab/postgresql" +# postgresql['log_destination'] = nil +# postgresql['logging_collector'] = nil +# postgresql['log_truncate_on_rotation'] = nil +# postgresql['log_rotation_age'] = nil +# postgresql['log_rotation_size'] = nil +# postgresql['username'] = "gitlab-psql" +# postgresql['group'] = "gitlab-psql" +##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab` +# postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH' +# postgresql['uid'] = nil +# postgresql['gid'] = nil +# postgresql['shell'] = "/bin/sh" +# postgresql['home'] = "/var/opt/gitlab/postgresql" +# postgresql['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH" +# postgresql['sql_user'] = "gitlab" +# postgresql['max_connections'] = 200 +# postgresql['md5_auth_cidr_addresses'] = [] +# postgresql['trust_auth_cidr_addresses'] = [] +# postgresql['wal_buffers'] = "-1" +# postgresql['autovacuum_max_workers'] = "3" +# postgresql['autovacuum_freeze_max_age'] = "200000000" +# postgresql['log_statement'] = nil +# postgresql['track_activity_query_size'] = "1024" +# postgresql['shared_preload_libraries'] = nil +# postgresql['dynamic_shared_memory_type'] = nil +# postgresql['hot_standby'] = "off" + +### SSL settings +# See https://www.postgresql.org/docs/11/static/runtime-config-connection.html#GUC-SSL-CERT-FILE for more details +# postgresql['ssl'] = 'on' +# postgresql['hostssl'] = false +# postgresql['ssl_ciphers'] = 'HIGH:MEDIUM:+3DES:!aNULL:!SSLv3:!TLSv1' +# postgresql['ssl_cert_file'] = 'server.crt' +# postgresql['ssl_key_file'] = 'server.key' +# postgresql['ssl_ca_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem' +# postgresql['ssl_crl_file'] = nil +# postgresql['cert_auth_addresses'] = { +# 'ADDRESS' => { +# database: 'gitlabhq_production', +# user: 'gitlab' +# } +# } + +### Replication settings +###! Note, some replication settings do not require a full restart. They are documented below. +# postgresql['wal_level'] = "hot_standby" +# postgresql['wal_log_hints'] = 'off' +# postgresql['max_wal_senders'] = 5 +# postgresql['max_replication_slots'] = 0 +# postgresql['max_locks_per_transaction'] = 128 + +# Backup/Archive settings +# postgresql['archive_mode'] = "off" + +###! Changing any of these settings only requires a reload of postgresql. You do not need to +###! restart postgresql if you change any of these and run reconfigure. +# postgresql['work_mem'] = "16MB" +# postgresql['maintenance_work_mem'] = "16MB" +# postgresql['checkpoint_segments'] = 10 +# postgresql['checkpoint_timeout'] = "5min" +# postgresql['checkpoint_completion_target'] = 0.9 +# postgresql['effective_io_concurrency'] = 1 +# postgresql['checkpoint_warning'] = "30s" +# postgresql['effective_cache_size'] = "1MB" +# postgresql['shmmax'] = 17179869184 # or 4294967295 +# postgresql['shmall'] = 4194304 # or 1048575 +# postgresql['autovacuum'] = "on" +# postgresql['log_autovacuum_min_duration'] = "-1" +# postgresql['autovacuum_naptime'] = "1min" +# postgresql['autovacuum_vacuum_threshold'] = "50" +# postgresql['autovacuum_analyze_threshold'] = "50" +# postgresql['autovacuum_vacuum_scale_factor'] = "0.02" +# postgresql['autovacuum_analyze_scale_factor'] = "0.01" +# postgresql['autovacuum_vacuum_cost_delay'] = "20ms" +# postgresql['autovacuum_vacuum_cost_limit'] = "-1" +# postgresql['statement_timeout'] = "60000" +# postgresql['idle_in_transaction_session_timeout'] = "60000" +# postgresql['log_line_prefix'] = "%a" +# postgresql['max_worker_processes'] = 8 +# postgresql['max_parallel_workers_per_gather'] = 0 +# postgresql['log_lock_waits'] = 1 +# postgresql['deadlock_timeout'] = '5s' +# postgresql['track_io_timing'] = 0 +# postgresql['default_statistics_target'] = 1000 + +### Available in PostgreSQL 9.6 and later +# postgresql['min_wal_size'] = 80MB +# postgresql['max_wal_size'] = 1GB + +# Backup/Archive settings +# postgresql['archive_command'] = nil +# postgresql['archive_timeout'] = "0" + +### Replication settings +# postgresql['sql_replication_user'] = "gitlab_replicator" +# postgresql['sql_replication_password'] = "md5 hash of postgresql password" # You can generate with `gitlab-ctl pg-password-md5 <dbuser>` +# postgresql['wal_keep_segments'] = 10 +# postgresql['max_standby_archive_delay'] = "30s" +# postgresql['max_standby_streaming_delay'] = "30s" +# postgresql['synchronous_commit'] = on +# postgresql['synchronous_standby_names'] = '' +# postgresql['hot_standby_feedback'] = 'off' +# postgresql['random_page_cost'] = 2.0 +# postgresql['log_temp_files'] = -1 +# postgresql['log_checkpoints'] = 'off' +# To add custom entries to pg_hba.conf use the following +# postgresql['custom_pg_hba_entries'] = { +# APPLICATION: [ # APPLICATION should identify what the settings are used for +# { +# type: example, +# database: example, +# user: example, +# cidr: example, +# method: example, +# option: example +# } +# ] +# } +# See https://www.postgresql.org/docs/11/static/auth-pg-hba-conf.html for an explanation +# of the values + +### Version settings +# Set this if you have disabled the bundled PostgreSQL but still want to use the backup rake tasks +# postgresql['version'] = 10 + +################################################################################ +## GitLab Redis +##! **Can be disabled if you are using your own Redis instance.** +##! Docs: https://docs.gitlab.com/omnibus/settings/redis.html +################################################################################ + +# redis['enable'] = true +# redis['ha'] = false +# redis['hz'] = 10 +# redis['dir'] = "/var/opt/gitlab/redis" +# redis['log_directory'] = "/var/log/gitlab/redis" +# redis['username'] = "gitlab-redis" +# redis['group'] = "gitlab-redis" +# redis['maxclients'] = "10000" +# redis['maxmemory'] = "0" +# redis['maxmemory_policy'] = "noeviction" +# redis['maxmemory_samples'] = "5" +# redis['tcp_backlog'] = 511 +# redis['tcp_timeout'] = "60" +# redis['tcp_keepalive'] = "300" +# redis['uid'] = nil +# redis['gid'] = nil + +### Disable or obfuscate unnecessary redis command names +### Uncomment and edit this block to add or remove entries. +### See https://docs.gitlab.com/omnibus/settings/redis.html#renamed-commands +### for detailed usage +### +# redis['rename_commands'] = { +# 'KEYS': '' +#} +# + +###! **To enable only Redis service in this machine, uncomment +###! one of the lines below (choose master or replica instance types).** +###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html +###! https://docs.gitlab.com/ee/administration/high_availability/redis.html +# redis_master_role['enable'] = true +# redis_replica_role['enable'] = true + +### Redis TCP support (will disable UNIX socket transport) +# redis['bind'] = '0.0.0.0' # or specify an IP to bind to a single one +# redis['port'] = 6379 +# redis['password'] = 'redis-password-goes-here' + +### Redis Sentinel support +###! **You need a master replica Redis replication to be able to do failover** +###! **Please read the documentation before enabling it to understand the +###! caveats:** +###! Docs: https://docs.gitlab.com/ee/administration/high_availability/redis.html + +### Replication support +#### Replica Redis instance +# redis['master'] = false # by default this is true + +#### Replica and Sentinel shared configuration +####! **Both need to point to the master Redis instance to get replication and +####! heartbeat monitoring** +# redis['master_name'] = 'gitlab-redis' +# redis['master_ip'] = nil +# redis['master_port'] = 6379 + +#### Support to run redis replicas in a Docker or NAT environment +####! Docs: https://redis.io/topics/replication#configuring-replication-in-docker-and-nat +# redis['announce_ip'] = nil +# redis['announce_port'] = nil + +####! **Master password should have the same value defined in +####! redis['password'] to enable the instance to transition to/from +####! master/replica in a failover event.** +# redis['master_password'] = 'redis-password-goes-here' + +####! Increase these values when your replicas can't catch up with master +# redis['client_output_buffer_limit_normal'] = '0 0 0' +# redis['client_output_buffer_limit_replica'] = '256mb 64mb 60' +# redis['client_output_buffer_limit_pubsub'] = '32mb 8mb 60' + +#####! Redis snapshotting frequency +#####! Set to [] to disable +#####! Set to [''] to clear previously set values +# redis['save'] = [ '900 1', '300 10', '60 10000' ] + +#####! Redis lazy freeing +#####! Defaults to false +# redis['lazyfree_lazy_eviction'] = true +# redis['lazyfree_lazy_expire'] = true +# redis['lazyfree_lazy_server_del'] = true +# redis['replica_lazy_flush'] = true + +################################################################################ +## GitLab Web server +##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server +################################################################################ + +##! When bundled nginx is disabled we need to add the external webserver user to +##! the GitLab webserver group. +# web_server['external_users'] = [] +# web_server['username'] = 'gitlab-www' +# web_server['group'] = 'gitlab-www' +# web_server['uid'] = nil +# web_server['gid'] = nil +# web_server['shell'] = '/bin/false' +# web_server['home'] = '/var/opt/gitlab/nginx' + +################################################################################ +## GitLab NGINX +##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html +################################################################################ + +# nginx['enable'] = true +# nginx['client_max_body_size'] = '250m' +# nginx['redirect_http_to_https'] = false +# nginx['redirect_http_to_https_port'] = 80 + +##! Most root CA's are included by default +# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" + +##! enable/disable 2-way SSL client authentication +# nginx['ssl_verify_client'] = "off" + +##! if ssl_verify_client on, verification depth in the client certificates chain +# nginx['ssl_verify_depth'] = "1" + +# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt" +# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key" +# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256" +# nginx['ssl_prefer_server_ciphers'] = "on" + +##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html +##! https://cipherli.st/** +# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3" + +##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html** +# nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" + +##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html** +# nginx['ssl_session_timeout'] = "5m" + +# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem +# nginx['listen_addresses'] = ['*', '[::]'] + +##! **Defaults to forcing web browsers to always communicate using only HTTPS** +##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-http-strict-transport-security +# nginx['hsts_max_age'] = 31536000 +# nginx['hsts_include_subdomains'] = false + +##! Defaults to stripping path information when making cross-origin requests +# nginx['referrer_policy'] = 'strict-origin-when-cross-origin' + +##! **Docs: http://nginx.org/en/docs/http/ngx_http_gzip_module.html** +# nginx['gzip_enabled'] = true + +##! **Override only if you use a reverse proxy** +##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port +# nginx['listen_port'] = nil +nginx['listen_port'] = 80 + +##! **Override only if your reverse proxy internally communicates over HTTP** +##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl +# nginx['listen_https'] = nil +nginx['listen_https'] = false + +# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n" +# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;" +# nginx['proxy_read_timeout'] = 3600 +# nginx['proxy_connect_timeout'] = 300 +# nginx['proxy_set_headers'] = { +# "Host" => "$http_host_with_default", +# "X-Real-IP" => "$remote_addr", +# "X-Forwarded-For" => "$proxy_add_x_forwarded_for", +# "X-Forwarded-Proto" => "https", +# "X-Forwarded-Ssl" => "on", +# "Upgrade" => "$http_upgrade", +# "Connection" => "$connection_upgrade" +# } +nginx['proxy_set_headers'] = { + "Host" => "$http_host", + "X-Real-IP" => "$remote_addr", + "X-Forwarded-For" => "$proxy_add_x_forwarded_for", + "X-Forwarded-Proto" => "https", + "X-Forwarded-Ssl" => "on" +} + +# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2' +# nginx['proxy_cache'] = 'gitlab' +# nginx['http2_enabled'] = true +# nginx['real_ip_trusted_addresses'] = [] +# nginx['real_ip_header'] = nil +# nginx['real_ip_recursive'] = nil +# nginx['custom_error_pages'] = { +# '404' => { +# 'title' => 'Example title', +# 'header' => 'Example header', +# 'message' => 'Example message' +# } +# } + +### Advanced settings +# nginx['dir'] = "/var/opt/gitlab/nginx" +# nginx['log_directory'] = "/var/log/gitlab/nginx" +# nginx['worker_processes'] = 4 +# nginx['worker_connections'] = 10240 +# nginx['log_format'] = '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio' +# nginx['sendfile'] = 'on' +# nginx['tcp_nopush'] = 'on' +# nginx['tcp_nodelay'] = 'on' +# nginx['gzip'] = "on" +# nginx['gzip_http_version'] = "1.0" +# nginx['gzip_comp_level'] = "2" +# nginx['gzip_proxied'] = "any" +# nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ] +# nginx['keepalive_timeout'] = 65 +# nginx['cache_max_size'] = '5000m' +# nginx['server_names_hash_bucket_size'] = 64 +##! These paths have proxy_request_buffering disabled +# nginx['request_buffering_off_path_regex'] = "/api/v\\d/jobs/\\d+/artifacts$|\\.git/git-receive-pack$|\\.git/gitlab-lfs/objects|\\.git/info/lfs/objects/batch$" + +### Nginx status +# nginx['status'] = { +# "enable" => true, +# "listen_addresses" => ["127.0.0.1"], +# "fqdn" => "dev.example.com", +# "port" => 9999, +# "vts_enable" => true, +# "options" => { +# "server_tokens" => "off", # Don't show the version of NGINX +# "access_log" => "off", # Disable logs for stats +# "allow" => "127.0.0.1", # Only allow access from localhost +# "deny" => "all" # Deny access to anyone else +# } +# } + +################################################################################ +## GitLab Logging +##! Docs: https://docs.gitlab.com/omnibus/settings/logs.html +################################################################################ + +# logging['svlogd_size'] = 200 * 1024 * 1024 # rotate after 200 MB of log data +logging['svlogd_size'] = 200 * 1024 * 1024 +# logging['svlogd_num'] = 30 # keep 30 rotated log files +logging['svlogd_num'] = 30 +# logging['svlogd_timeout'] = 24 * 60 * 60 # rotate after 24 hours +logging['svlogd_timeout'] = 24 * 60 * 60 +# logging['svlogd_filter'] = "gzip" # compress logs with gzip +logging['svlogd_filter'] = "gzip" +# logging['svlogd_udp'] = nil # transmit log messages via UDP +# logging['svlogd_prefix'] = nil # custom prefix for log messages +# logging['logrotate_frequency'] = "daily" # rotate logs daily +logging['logrotate_frequency'] = "daily" +# logging['logrotate_maxsize'] = nil # rotate logs when they grow bigger than size bytes even before the specified time interval (daily, weekly, monthly, or yearly) +logging['logrotate_maxsize'] = "200M" +# logging['logrotate_size'] = nil # do not rotate by size by default +logging['logrotate_size'] = "50M" +# logging['logrotate_rotate'] = 30 # keep 30 rotated logs +logging['logrotate_rotate'] = 30 +# logging['logrotate_compress'] = "compress" # see 'man logrotate' +logging['logrotate_compress'] = "compress" +# logging['logrotate_method'] = "copytruncate" # see 'man logrotate' +logging['logrotate_method'] = "copytruncate" +# logging['logrotate_postrotate'] = nil # no postrotate command by default +# logging['logrotate_dateformat'] = nil # use date extensions for rotated files rather than numbers e.g. a value of "-%Y-%m-%d" would give rotated files like production.log-2016-03-09.gz + +### UDP log forwarding +##! Docs: http://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding + +##! remote host to ship log messages to via UDP +# logging['udp_log_shipping_host'] = nil + +##! override the hostname used when logs are shipped via UDP, +## by default the system hostname will be used. +# logging['udp_log_shipping_hostname'] = nil + +##! remote port to ship log messages to via UDP +# logging['udp_log_shipping_port'] = 514 + +################################################################################ +## Logrotate +##! Docs: https://docs.gitlab.com/omnibus/settings/logs.html#logrotate +##! You can disable built in logrotate feature. +################################################################################ +logrotate['enable'] = true +# logrotate['log_directory'] = "/var/log/gitlab/logrotate" + +################################################################################ +## Users and groups accounts +##! Disable management of users and groups accounts. +##! **Set only if creating accounts manually** +##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#disable-user-and-group-account-management +################################################################################ + +# manage_accounts['enable'] = false + +################################################################################ +## Storage directories +##! Disable managing storage directories +##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#disable-storage-directories-management +################################################################################ + +##! **Set only if the select directories are created manually** +# manage_storage_directories['enable'] = false +# manage_storage_directories['manage_etc'] = false + +################################################################################ +## Runtime directory +##! Docs: https://docs.gitlab.com//omnibus/settings/configuration.html#configuring-runtime-directory +################################################################################ + +# runtime_dir '/run' + +################################################################################ +## Git +##! Advanced setting for configuring git system settings for omnibus-gitlab +##! internal git +################################################################################ + +##! For multiple options under one header use array of comma separated values, +##! eg.: +##! { "receive" => ["fsckObjects = true"], "alias" => ["st = status", "co = checkout"] } + +# omnibus_gitconfig['system'] = { +# "pack" => ["threads = 1", "useSparse = true"], +# "receive" => ["fsckObjects = true", "advertisePushOptions = true"], +# "repack" => ["writeBitmaps = true"], +# "transfer" => ["hideRefs=^refs/tmp/", "hideRefs=^refs/keep-around/", "hideRefs=^refs/remotes/"], +# "core" => [ +# 'alternateRefsCommand="exit 0 #"', +# "fsyncObjectFiles = true" +# ], +# "fetch" => ["writeCommitGraph = true"] +# } + +################################################################################ +## GitLab Pages +##! Docs: https://docs.gitlab.com/ee/pages/administration.html +################################################################################ + +##! Define to enable GitLab Pages +# pages_external_url "http://pages.example.com/" +# gitlab_pages['enable'] = false + +##! Configure to expose GitLab Pages on external IP address, serving the HTTP +# gitlab_pages['external_http'] = [] + +##! Configure to expose GitLab Pages on external IP address, serving the HTTPS +# gitlab_pages['external_https'] = [] + +##! Configure to use the default list of cipher suites +# gitlab_pages['insecure_ciphers'] = false + +##! Configure to enable health check endpoint on GitLab Pages +# gitlab_pages['status_uri'] = "/@status" + +##! Tune the maximum number of concurrent connections GitLab Pages will handle. +##! This should be in the range 1 - 10000, defaulting to 5000. +# gitlab_pages['max_connections'] = 5000 + +##! Configure to use JSON structured logging in GitLab Pages +# gitlab_pages['log_format'] = "json" + +##! Configure verbose logging for GitLab Pages +# gitlab_pages['log_verbose'] = false + +##! Error Reporting and Logging with Sentry +# gitlab_pages['sentry_enabled'] = false +# gitlab_pages['sentry_dsn'] = 'https://<key>@sentry.io/<project>' +# gitlab_pages['sentry_environment'] = 'production' + +##! Listen for requests forwarded by reverse proxy +# gitlab_pages['listen_proxy'] = "localhost:8090" + +# gitlab_pages['redirect_http'] = true +# gitlab_pages['use_http2'] = true +# gitlab_pages['dir'] = "/var/opt/gitlab/gitlab-pages" +# gitlab_pages['log_directory'] = "/var/log/gitlab/gitlab-pages" + +# gitlab_pages['artifacts_server'] = true +# gitlab_pages['artifacts_server_url'] = nil # Defaults to external_url + '/api/v4' +# gitlab_pages['artifacts_server_timeout'] = 10 + +##! Environments that do not support bind-mounting should set this parameter to +##! true. This is incompatible with the artifacts server +# gitlab_pages['inplace_chroot'] = false + +##! Prometheus metrics for Pages docs: https://gitlab.com/gitlab-org/gitlab-pages/#enable-prometheus-metrics +# gitlab_pages['metrics_address'] = ":9235" + +##! Specifies the minimum SSL/TLS version ("ssl3", "tls1.0", "tls1.1" or "tls1.2") +# gitlab_pages['tls_min_version'] = "ssl3" + +##! Specifies the maximum SSL/TLS version ("ssl3", "tls1.0", "tls1.1" or "tls1.2") +# gitlab_pages['tls_max_version'] = "tls1.2" + +##! Pages access control +# gitlab_pages['access_control'] = false +# gitlab_pages['gitlab_id'] = nil # Automatically generated if not present +# gitlab_pages['gitlab_secret'] = nil # Generated if not present +# gitlab_pages['auth_redirect_uri'] = nil # Defaults to projects subdomain of pages_external_url and + '/auth' +# gitlab_pages['gitlab_server'] = nil # Defaults to external_url +# gitlab_pages['internal_gitlab_server'] = nil # defaults to gitlab_server, can be changed to internal load balancer +# gitlab_pages['auth_secret'] = nil # Generated if not present + +##! GitLab API HTTP client connection timeout +# gitlab_pages['gitlab_client_http_timeout'] = "10s" + +##! GitLab API JWT Token expiry time +# gitlab_pages['gitlab_client_jwt_expiry'] = "30s" + +##! Domain configuration source, defaults to disk if set to nil +# gitlab_pages['domain_config_source'] = nil + +##! Define custom gitlab-pages HTTP headers for the whole instance +# gitlab_pages['headers'] = [] + +##! Shared secret used for authentication between Pages and GitLab +# gitlab_pages['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long. + +# gitlab_pages['env_directory'] = "/opt/gitlab/etc/gitlab-pages/env" +# gitlab_pages['env'] = { +# 'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/" +# } + +################################################################################ +## GitLab Pages NGINX +################################################################################ + +# All the settings defined in the "GitLab Nginx" section are also available in +# this "GitLab Pages NGINX" section, using the key `pages_nginx`. However, +# those settings should be explicitly set. That is, settings given as +# `nginx['some_setting']` WILL NOT be automatically replicated as +# `pages_nginx['some_setting']` and should be set separately. + +# Below you can find settings that are exclusive to "GitLab Pages NGINX" +# pages_nginx['enable'] = false + +# gitlab_rails['pages_path'] = "/var/opt/gitlab/gitlab-rails/shared/pages" + +################################################################################ +## GitLab CI +##! Docs: https://docs.gitlab.com/ee/ci/quick_start/README.html +################################################################################ + +# gitlab_ci['gitlab_ci_all_broken_builds'] = true +# gitlab_ci['gitlab_ci_add_pusher'] = true +# gitlab_ci['builds_directory'] = '/var/opt/gitlab/gitlab-ci/builds' + +################################################################################ +## GitLab Kubernetes Agent Server +##! Docs: https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/blob/master/README.md +################################################################################ + +##! Enable GitLab KAS +# gitlab_kas['enable'] = true + +##! Agent configuration for GitLab KAS +# gitlab_kas['agent_configuration_poll_period'] = 20 +# gitlab_kas['agent_gitops_poll_period'] = 20 +# gitlab_kas['agent_gitops_project_info_cache_ttl'] = 300 +# gitlab_kas['agent_gitops_project_info_cache_error_ttl'] = 60 +# gitlab_kas['agent_info_cache_ttl'] = 300 +# gitlab_kas['agent_info_cache_error_ttl'] = 60 + +##! Shared secret used for authentication between KAS and GitLab +# gitlab_kas['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long. + +##! Listen configuration for GitLab KAS +# gitlab_kas['listen_address'] = 'localhost:8150' +# gitlab_kas['listen_network'] = 'tcp' +# gitlab_kas['listen_websocket'] = true + +##! Metrics configuration for GitLab KAS +# gitlab_kas['metrics_usage_reporting_period'] = 60 + +##! Directories for GitLab KAS +# gitlab_kas['dir'] = '/var/opt/gitlab/gitlab-kas' +# gitlab_kas['log_directory'] = '/var/log/gitlab/gitlab-kas' +# gitlab_kas['env_directory'] = '/opt/gitlab/etc/gitlab-kas/env' + +################################################################################ +## GitLab Mattermost +##! Docs: https://docs.gitlab.com/omnibus/gitlab-mattermost +################################################################################ + +# mattermost_external_url 'http://mattermost.example.com' + +# mattermost['enable'] = false +mattermost['enable'] = false +# mattermost['username'] = 'mattermost' +# mattermost['group'] = 'mattermost' +# mattermost['uid'] = nil +# mattermost['gid'] = nil +# mattermost['home'] = '/var/opt/gitlab/mattermost' +# mattermost['database_name'] = 'mattermost_production' +# mattermost['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# mattermost['service_address'] = "127.0.0.1" +# mattermost['service_port'] = "8065" +# mattermost['service_site_url'] = nil +# mattermost['service_allowed_untrusted_internal_connections'] = "" +# mattermost['service_enable_api_team_deletion'] = true +# mattermost['team_site_name'] = "GitLab Mattermost" +# mattermost['sql_driver_name'] = 'mysql' +# mattermost['sql_data_source'] = "mmuser:mostest@tcp(dockerhost:3306)/mattermost_test?charset=utf8mb4,utf8" +# mattermost['log_file_directory'] = '/var/log/gitlab/mattermost/' +# mattermost['gitlab_enable'] = false +# mattermost['gitlab_id'] = "12345656" +# mattermost['gitlab_secret'] = "123456789" +# mattermost['gitlab_scope'] = "" +# mattermost['gitlab_auth_endpoint'] = "http://gitlab.example.com/oauth/authorize" +# mattermost['gitlab_token_endpoint'] = "http://gitlab.example.com/oauth/token" +# mattermost['gitlab_user_api_endpoint'] = "http://gitlab.example.com/api/v4/user" +# mattermost['file_directory'] = "/var/opt/gitlab/mattermost/data" +# mattermost['plugin_directory'] = "/var/opt/gitlab/mattermost/plugins" +# mattermost['plugin_client_directory'] = "/var/opt/gitlab/mattermost/client-plugins" + +################################################################################ +## Mattermost NGINX +################################################################################ + +# All the settings defined in the "GitLab Nginx" section are also available in +# this "Mattermost NGINX" section, using the key `mattermost_nginx`. However, +# those settings should be explicitly set. That is, settings given as +# `nginx['some_setting']` WILL NOT be automatically replicated as +# `mattermost_nginx['some_setting']` and should be set separately. + +# Below you can find settings that are exclusive to "Mattermost NGINX" +# mattermost_nginx['enable'] = false + +# mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n" +# mattermost_nginx['proxy_set_headers'] = { +# "Host" => "$http_host", +# "X-Real-IP" => "$remote_addr", +# "X-Forwarded-For" => "$proxy_add_x_forwarded_for", +# "X-Frame-Options" => "SAMEORIGIN", +# "X-Forwarded-Proto" => "https", +# "X-Forwarded-Ssl" => "on", +# "Upgrade" => "$http_upgrade", +# "Connection" => "$connection_upgrade" +# } + + +################################################################################ +## Registry NGINX +################################################################################ + +# All the settings defined in the "GitLab Nginx" section are also available in +# this "Registry NGINX" section, using the key `registry_nginx`. However, those +# settings should be explicitly set. That is, settings given as +# `nginx['some_setting']` WILL NOT be automatically replicated as +# `registry_nginx['some_setting']` and should be set separately. + +# Below you can find settings that are exclusive to "Registry NGINX" +# registry_nginx['enable'] = false +registry_nginx['enable'] = true + +# registry_nginx['proxy_set_headers'] = { +# "Host" => "$http_host", +# "X-Real-IP" => "$remote_addr", +# "X-Forwarded-For" => "$proxy_add_x_forwarded_for", +# "X-Forwarded-Proto" => "https", +# "X-Forwarded-Ssl" => "on" +# } + +# When the registry is automatically enabled using the same domain as `external_url`, +# it listens on this port +# registry_nginx['listen_port'] = 5050 + +registry_nginx['listen_port'] = 5005 +registry_nginx['listen_https'] = false + +registry_nginx['proxy_set_headers'] = { + "Host" => "$http_host", + "X-Real-IP" => "$remote_addr", + "X-Forwarded-For" => "$proxy_add_x_forwarded_for", + "X-Forwarded-Proto" => "https", + "X-Forwarded-Ssl" => "on" +} + +################################################################################ +## Prometheus +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/ +################################################################################ + +###! **To enable only Monitoring service in this machine, uncomment +###! the line below.** +###! Docs: https://docs.gitlab.com/ee/administration/high_availability +# monitoring_role['enable'] = true + +# prometheus['enable'] = true +prometheus['enable'] = false +# prometheus['monitor_kubernetes'] = true +# prometheus['username'] = 'gitlab-prometheus' +# prometheus['group'] = 'gitlab-prometheus' +# prometheus['uid'] = nil +# prometheus['gid'] = nil +# prometheus['shell'] = '/bin/sh' +# prometheus['home'] = '/var/opt/gitlab/prometheus' +# prometheus['log_directory'] = '/var/log/gitlab/prometheus' +# prometheus['rules_files'] = ['/var/opt/gitlab/prometheus/rules/*.rules'] +# prometheus['scrape_interval'] = 15 +# prometheus['scrape_timeout'] = 15 +# prometheus['external_labels'] = { } +# prometheus['env_directory'] = '/opt/gitlab/etc/prometheus/env' +# prometheus['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# +### Custom scrape configs +# +# Prometheus can scrape additional jobs via scrape_configs. The default automatically +# includes all of the exporters supported by the omnibus config. +# +# See: https://prometheus.io/docs/operating/configuration/#<scrape_config> +# +# Example: +# +# prometheus['scrape_configs'] = [ +# { +# 'job_name': 'example', +# 'static_configs' => [ +# 'targets' => ['hostname:port'], +# ], +# }, +# ] +# +### Custom alertmanager config +# +# To configure external alertmanagers, create an alertmanager config. +# +# See: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config +# +# prometheus['alertmanagers'] = [ +# { +# 'static_configs' => [ +# { +# 'targets' => [ +# 'hostname:port' +# ] +# } +# ] +# } +# ] +# +### Custom Prometheus flags +# +# prometheus['flags'] = { +# 'storage.tsdb.path' => "/var/opt/gitlab/prometheus/data", +# 'storage.tsdb.retention.time' => "15d", +# 'config.file' => "/var/opt/gitlab/prometheus/prometheus.yml" +# } + +##! Advanced settings. Should be changed only if absolutely needed. +# prometheus['listen_address'] = 'localhost:9090' +# + +################################################################################ +###! **Only needed if Prometheus and Rails are not on the same server.** +### For example, in a multi-node architecture, Prometheus will be installed on the monitoring node, while Rails will be on the Rails node. +### https://docs.gitlab.com/ee/administration/monitoring/prometheus/index.html#using-an-external-prometheus-server +### This value should be the address at which Prometheus is available to GitLab Rails(Puma/Unicorn, Sidekiq) node. +################################################################################ +# gitlab_rails['prometheus_address'] = 'your.prom:9090' + +################################################################################ +## Prometheus Alertmanager +################################################################################ + +# alertmanager['enable'] = true +alertmanager['enable'] = false +# alertmanager['home'] = '/var/opt/gitlab/alertmanager' +# alertmanager['log_directory'] = '/var/log/gitlab/alertmanager' +# alertmanager['admin_email'] = 'admin@example.com' +# alertmanager['flags'] = { +# 'web.listen-address' => "localhost:9093", +# 'storage.path' => "/var/opt/gitlab/alertmanager/data", +# 'config.file' => "/var/opt/gitlab/alertmanager/alertmanager.yml" +# } +# alertmanager['env_directory'] = '/opt/gitlab/etc/alertmanager/env' +# alertmanager['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } + +##! Advanced settings. Should be changed only if absolutely needed. +# alertmanager['listen_address'] = 'localhost:9093' +# alertmanager['global'] = {} + +################################################################################ +## Prometheus Node Exporter +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/node_exporter.html +################################################################################ + +# node_exporter['enable'] = true +node_exporter['enable'] = false +# node_exporter['home'] = '/var/opt/gitlab/node-exporter' +# node_exporter['log_directory'] = '/var/log/gitlab/node-exporter' +# node_exporter['flags'] = { +# 'collector.textfile.directory' => "/var/opt/gitlab/node-exporter/textfile_collector" +# } +# node_exporter['env_directory'] = '/opt/gitlab/etc/node-exporter/env' +# node_exporter['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } + +##! Advanced settings. Should be changed only if absolutely needed. +# node_exporter['listen_address'] = 'localhost:9100' + +################################################################################ +## Prometheus Redis exporter +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/redis_exporter.html +################################################################################ + +# redis_exporter['enable'] = true +redis_exporter['enable'] = false +# redis_exporter['log_directory'] = '/var/log/gitlab/redis-exporter' +# redis_exporter['flags'] = { +# 'redis.addr' => "unix:///var/opt/gitlab/redis/redis.socket", +# } +# redis_exporter['env_directory'] = '/opt/gitlab/etc/redis-exporter/env' +# redis_exporter['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } + +##! Advanced settings. Should be changed only if absolutely needed. +# redis_exporter['listen_address'] = 'localhost:9121' + +################################################################################ +## Prometheus Postgres exporter +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/postgres_exporter.html +################################################################################ + +# postgres_exporter['enable'] = true +postgres_exporter['enable'] = false +# postgres_exporter['home'] = '/var/opt/gitlab/postgres-exporter' +# postgres_exporter['log_directory'] = '/var/log/gitlab/postgres-exporter' +# postgres_exporter['flags'] = {} +# postgres_exporter['listen_address'] = 'localhost:9187' +# postgres_exporter['env_directory'] = '/opt/gitlab/etc/postgres-exporter/env' +# postgres_exporter['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# postgres_exporter['sslmode'] = nil + +################################################################################ +## Prometheus PgBouncer exporter (EE only) +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/pgbouncer_exporter.html +################################################################################ + +# pgbouncer_exporter['enable'] = false +# pgbouncer_exporter['log_directory'] = "/var/log/gitlab/pgbouncer-exporter" +# pgbouncer_exporter['listen_address'] = 'localhost:9188' +# pgbouncer_exporter['env_directory'] = '/opt/gitlab/etc/pgbouncer-exporter/env' +# pgbouncer_exporter['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } + +################################################################################ +## Prometheus Gitlab exporter +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_exporter.html +################################################################################ + + +# gitlab_exporter['enable'] = true +gitlab_exporter['enable'] = false +# gitlab_exporter['log_directory'] = "/var/log/gitlab/gitlab-exporter" +# gitlab_exporter['home'] = "/var/opt/gitlab/gitlab-exporter" + +##! Advanced settings. Should be changed only if absolutely needed. +# gitlab_exporter['listen_address'] = 'localhost' +# gitlab_exporter['listen_port'] = '9168' + +##! Manage gitlab-exporter sidekiq probes. false by default when Sentinels are +##! found. +# gitlab_exporter['probe_sidekiq'] = true + +# To completely disable prometheus, and all of it's exporters, set to false +# prometheus_monitoring['enable'] = true +prometheus_monitoring['enable'] = false + +################################################################################ +## Grafana Dashboards +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/#prometheus-as-a-grafana-data-source +################################################################################ + +# grafana['enable'] = true +grafana['enable'] = false +# grafana['log_directory'] = '/var/log/gitlab/grafana' +# grafana['home'] = '/var/opt/gitlab/grafana' +# grafana['admin_password'] = 'admin' +# grafana['allow_user_sign_up'] = false +# grafana['basic_auth_enabled'] = false +# grafana['disable_login_form'] = true +# grafana['gitlab_application_id'] = 'GITLAB_APPLICATION_ID' +# grafana['gitlab_secret'] = 'GITLAB_SECRET' +# grafana['env_directory'] = '/opt/gitlab/etc/grafana/env' +# grafana['allowed_groups'] = [] +# grafana['gitlab_auth_sign_up'] = true +# grafana['env'] = { +# 'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/" +# } +# grafana['metrics_enabled'] = false +# grafana['metrics_basic_auth_username'] = 'grafana_metrics' # default: nil +# grafana['metrics_basic_auth_password'] = 'please_set_a_unique_password' # default: nil +# grafana['alerting_enabled'] = false + +### Dashboards +# +# See: http://docs.grafana.org/administration/provisioning/#dashboards +# +# NOTE: Setting this will override the default. +# +# grafana['dashboards'] = [ +# { +# 'name' => 'GitLab Omnibus', +# 'orgId' => 1, +# 'folder' => 'GitLab Omnibus', +# 'type' => 'file', +# 'disableDeletion' => true, +# 'updateIntervalSeconds' => 600, +# 'options' => { +# 'path' => '/opt/gitlab/embedded/service/grafana-dashboards', +# } +# } +# ] + +### Datasources +# +# See: http://docs.grafana.org/administration/provisioning/#example-datasource-config-file +# +# NOTE: Setting this will override the default. +# +# grafana['datasources'] = [ +# { +# 'name' => 'GitLab Omnibus', +# 'type' => 'prometheus', +# 'access' => 'proxy', +# 'url' => 'http://localhost:9090' +# } +# ] + +##! Advanced settings. Should be changed only if absolutely needed. +# grafana['http_addr'] = 'localhost' +# grafana['http_port'] = 3000 + +################################################################################ +## Gitaly +##! Docs: +################################################################################ + +# The gitaly['enable'] option exists for the purpose of cluster +# deployments, see https://docs.gitlab.com/ee/administration/gitaly/index.html . +# gitaly['enable'] = true +# gitaly['dir'] = "/var/opt/gitlab/gitaly" +# gitaly['log_directory'] = "/var/log/gitlab/gitaly" +# gitaly['bin_path'] = "/opt/gitlab/embedded/bin/gitaly" +# gitaly['env_directory'] = "/opt/gitlab/etc/gitaly/env" +# gitaly['env'] = { +# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin", +# 'HOME' => '/var/opt/gitlab', +# 'TZ' => ':/etc/localtime', +# 'PYTHONPATH' => "/opt/gitlab/embedded/lib/python3.7/site-packages", +# 'ICU_DATA' => "/opt/gitlab/embedded/share/icu/current", +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/", +# 'WRAPPER_JSON_LOGGING' => true +# } + +##! internal_socket_dir is the directory that will contain internal gitaly sockets, +##! separate from socket_path which is the socket that external clients listen on + +# gitaly['internal_socket_dir'] = "/var/opt/gitlab/gitaly" +# gitaly['socket_path'] = "/var/opt/gitlab/gitaly/gitaly.socket" +# gitaly['listen_addr'] = "localhost:8075" +# gitaly['tls_listen_addr'] = "localhost:9075" +# gitaly['certificate_path'] = "/var/opt/gitlab/gitaly/certificate.pem" +# gitaly['key_path'] = "/var/opt/gitlab/gitaly/key.pem" +# gitaly['prometheus_listen_addr'] = "localhost:9236" +# gitaly['logging_level'] = "warn" +# gitaly['logging_format'] = "json" +# gitaly['logging_sentry_dsn'] = "https://<key>:<secret>@sentry.io/<project>" +# gitaly['logging_ruby_sentry_dsn'] = "https://<key>:<secret>@sentry.io/<project>" +# gitaly['logging_sentry_environment'] = "production" +# gitaly['prometheus_grpc_latency_buckets'] = "[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]" +# gitaly['auth_token'] = '<secret>' +# gitaly['auth_transitioning'] = false # When true, auth is logged to Prometheus but NOT enforced +# gitaly['graceful_restart_timeout'] = '1m' # Grace time for a gitaly process to finish ongoing requests +# gitaly['git_catfile_cache_size'] = 100 # Number of 'git cat-file' processes kept around for re-use +# gitaly['open_files_ulimit'] = 15000 # Maximum number of open files allowed for the gitaly process +# gitaly['ruby_max_rss'] = 300000000 # RSS threshold in bytes for triggering a gitaly-ruby restart +# gitaly['ruby_graceful_restart_timeout'] = '10m' # Grace time for a gitaly-ruby process to finish ongoing requests +# gitaly['ruby_restart_delay'] = '5m' # Period of sustained high RSS that needs to be observed before restarting gitaly-ruby +# gitaly['ruby_rugged_git_config_search_path'] = "/opt/gitlab/embedded/etc" # Location of system-wide gitconfig file +# gitaly['ruby_num_workers'] = 3 # Number of gitaly-ruby worker processes. Minimum 2, default 2. +# gitaly['concurrency'] = [ +# { +# 'rpc' => "/gitaly.SmartHTTPService/PostReceivePack", +# 'max_per_repo' => 20 +# }, { +# 'rpc' => "/gitaly.SSHService/SSHUploadPack", +# 'max_per_repo' => 5 +# } +# ] +# +# gitaly['daily_maintenance_start_hour'] = 22 +# gitaly['daily_maintenance_start_minute'] = 30 +# gitaly['daily_maintenance_duration'] = '30m' +# gitaly['daily_maintenance_storages'] = ["default"] + +################################################################################ +## Praefect +##! Docs: https://gitlab.com/gitlab-org/gitaly/blob/master/doc/design_ha.md +################################################################################ + +# praefect['enable'] = false +# praefect['dir'] = "/var/opt/gitlab/praefect" +# praefect['log_directory'] = "/var/log/gitlab/praefect" +# praefect['env_directory'] = "/opt/gitlab/etc/praefect/env" +# praefect['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/", +# 'GITALY_PID_FILE' => "/var/opt/gitlab/praefect/praefect.pid", +# 'WRAPPER_JSON_LOGGING' => true +# } +# praefect['wrapper_path'] = "/opt/gitlab/embedded/bin/gitaly-wrapper" +# praefect['virtual_storage_name'] = "praefect" +# praefect['failover_enabled'] = false +# praefect['failover_election_strategy'] = 'sql' +# praefect['auth_token'] = "" +# praefect['auth_transitioning'] = false +# praefect['listen_addr'] = "localhost:2305" +# praefect['tls_listen_addr'] = "localhost:3305" +# praefect['certificate_path'] = "/var/opt/gitlab/prafect/certificate.pem" +# praefect['key_path'] = "/var/opt/gitlab/prafect/key.pem" +# praefect['prometheus_listen_addr'] = "localhost:9652" +# praefect['prometheus_grpc_latency_buckets'] = "[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]" +# praefect['logging_level'] = "warn" +# praefect['logging_format'] = "json" +# praefect['virtual_storages'] = { +# 'default' => { +# 'praefect-internal-0' => { +# 'address' => 'tcp://10.23.56.78:8075', +# 'token' => 'abc123' +# }, +# 'praefect-internal-1' => { +# 'address' => 'tcp://10.76.23.31:8075', +# 'token' => 'xyz456' +# } +# }, +# 'alternative' => { +# 'praefect-internal-2' => { +# 'address' => 'tcp://10.34.1.16:8075', +# 'token' => 'abc321' +# }, +# 'praefect-internal-3' => { +# 'address' => 'tcp://10.23.18.6:8075', +# 'token' => 'xyz890' +# } +# } +# } +# praefect['sentry_dsn'] = "https://<key>:<secret>@sentry.io/<project>" +# praefect['sentry_environment'] = "production" +# praefect['auto_migrate'] = true +# praefect['database_host'] = 'postgres.external' +# praefect['database_port'] = 6432 +# praefect['database_user'] = 'praefect' +# praefect['database_password'] = 'secret' +# praefect['database_dbname'] = 'praefect_production' +# praefect['database_sslmode'] = 'disable' +# praefect['database_sslcert'] = '/path/to/client-cert' +# praefect['database_sslkey'] = '/path/to/client-key' +# praefect['database_sslrootcert'] = '/path/to/rootcert' +# praefect['reconciliation_scheduling_interval'] = '5m' +# praefect['reconciliation_histogram_buckets'] = '[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0]' +# praefect['database_host_no_proxy'] = 'postgres.internal' +# praefect['database_port_no_proxy'] = 5432 + +################################################################################ +# Storage check +################################################################################ +# storage_check['enable'] = false +# storage_check['target'] = 'unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket' +# storage_check['log_directory'] = '/var/log/gitlab/storage-check' + +################################################################################ +# Let's Encrypt integration +################################################################################ +# letsencrypt['enable'] = nil +# letsencrypt['contact_emails'] = [] # This should be an array of email addresses to add as contacts +# letsencrypt['group'] = 'root' +# letsencrypt['key_size'] = 2048 +# letsencrypt['owner'] = 'root' +# letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www' +# See http://docs.gitlab.com/omnibus/settings/ssl.html#automatic-renewal for more on these sesttings +# letsencrypt['auto_renew'] = true +# letsencrypt['auto_renew_hour'] = 0 +# letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified. +# letsencrypt['auto_renew_day_of_month'] = "*/4" + +##! Turn off automatic init system detection. To skip init detection in +##! non-docker containers. Recommended not to change. +# package['detect_init'] = true + +##! Specify maximum number of tasks that can be created by the systemd unit +##! Will be populated as TasksMax value to the unit file if user is on a systemd +##! version that supports it (>= 227). Will be a no-op if user is not on systemd. +# package['systemd_tasks_max'] = 4915 + +##! Settings to configure order of GitLab's systemd unit. +##! Note: We do not recommend changing these values unless absolutely necessary +# package['systemd_after'] = 'multi-user.target' +# package['systemd_wanted_by'] = 'multi-user.target' +################################################################################ +################################################################################ +## Configuration Settings for GitLab EE only ## +################################################################################ +################################################################################ + + +################################################################################ +## Auxiliary cron jobs applicable to GitLab EE only +################################################################################ +# +# gitlab_rails['geo_file_download_dispatch_worker_cron'] = "*/10 * * * *" +# gitlab_rails['geo_repository_sync_worker_cron'] = "*/5 * * * *" +# gitlab_rails['geo_secondary_registry_consistency_worker'] = "* * * * *" +# gitlab_rails['geo_prune_event_log_worker_cron'] = "*/5 * * * *" +# gitlab_rails['geo_repository_verification_primary_batch_worker_cron'] = "*/5 * * * *" +# gitlab_rails['geo_repository_verification_secondary_scheduler_worker_cron'] = "*/5 * * * *" +# gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *" +# gitlab_rails['ldap_group_sync_worker_cron'] = "0 * * * *" +# gitlab_rails['historical_data_worker_cron'] = "0 12 * * *" +# gitlab_rails['pseudonymizer_worker_cron'] = "0 23 * * *" +# gitlab_rails['elastic_index_bulk_cron'] = "*/1 * * * *" + +################################################################################ +## Kerberos (EE Only) +##! Docs: https://docs.gitlab.com/ee/integration/kerberos.html#http-git-access +################################################################################ + +# gitlab_rails['kerberos_enabled'] = true +# gitlab_rails['kerberos_keytab'] = /etc/http.keytab +# gitlab_rails['kerberos_service_principal_name'] = HTTP/gitlab.example.com@EXAMPLE.COM +# gitlab_rails['kerberos_simple_ldap_linking_allowed_realms'] = ['example.com','kerberos.example.com'] +# gitlab_rails['kerberos_use_dedicated_port'] = true +# gitlab_rails['kerberos_port'] = 8443 +# gitlab_rails['kerberos_https'] = true + +################################################################################ +## Package repository (EE Only) +##! Docs: https://docs.gitlab.com/ee/administration/maven_packages.md +################################################################################ + +# gitlab_rails['packages_enabled'] = true +# gitlab_rails['packages_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/packages" +# gitlab_rails['packages_object_store_enabled'] = false +# gitlab_rails['packages_object_store_direct_upload'] = false +# gitlab_rails['packages_object_store_background_upload'] = true +# gitlab_rails['packages_object_store_proxy_download'] = false +# gitlab_rails['packages_object_store_remote_directory'] = "packages" +# gitlab_rails['packages_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'host' => 's3.amazonaws.com', +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +################################################################################ +## Dependency proxy (EE Only) +##! Docs: https://docs.gitlab.com/ee/administration/dependency_proxy.md +################################################################################ + +# gitlab_rails['dependency_proxy_enabled'] = true +# gitlab_rails['dependency_proxy_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/dependency_proxy" +# gitlab_rails['dependency_proxy_object_store_enabled'] = false +# gitlab_rails['dependency_proxy_object_store_direct_upload'] = false +# gitlab_rails['dependency_proxy_object_store_background_upload'] = true +# gitlab_rails['dependency_proxy_object_store_proxy_download'] = false +# gitlab_rails['dependency_proxy_object_store_remote_directory'] = "dependency_proxy" +# gitlab_rails['dependency_proxy_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'host' => 's3.amazonaws.com', +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +################################################################################ +## GitLab Sentinel (EE Only) +##! Docs: http://docs.gitlab.com/ce/administration/high_availability/redis.html#high-availability-with-sentinel +################################################################################ + +##! **Make sure you configured all redis['master_*'] keys above before +##! continuing.** + +##! To enable Sentinel and disable all other services in this machine, +##! uncomment the line below (if you've enabled Redis role, it will keep it). +##! Docs: https://docs.gitlab.com/ee/administration/high_availability/redis.html +# redis_sentinel_role['enable'] = true + +# sentinel['enable'] = true + +##! Bind to all interfaces, uncomment to specify an IP and bind to a single one +# sentinel['bind'] = '0.0.0.0' + +##! Uncomment to change default port +# sentinel['port'] = 26379 + +#### Support to run sentinels in a Docker or NAT environment +#####! Docs: https://redis.io/topics/sentinel#sentinel-docker-nat-and-possible-issues +# In an standard case, Sentinel will run in the same network service as Redis, so the same IP will be announce for Redis and Sentinel +# Only define these values if it is needed to announce for Sentinel a differen IP service than Redis +# sentinel['announce_ip'] = nil # If not defined, its value will be taken from redis['announce_ip'] or nil if not present +# sentinel['announce_port'] = nil # If not defined, its value will be taken from sentinel['port'] or nil if redis['announce_ip'] not present + +##! Quorum must reflect the amount of voting sentinels it take to start a +##! failover. +##! **Value must NOT be greater then the amount of sentinels.** +##! The quorum can be used to tune Sentinel in two ways: +##! 1. If a the quorum is set to a value smaller than the majority of Sentinels +##! we deploy, we are basically making Sentinel more sensible to master +##! failures, triggering a failover as soon as even just a minority of +##! Sentinels is no longer able to talk with the master. +##! 2. If a quorum is set to a value greater than the majority of Sentinels, we +##! are making Sentinel able to failover only when there are a very large +##! number (larger than majority) of well connected Sentinels which agree +##! about the master being down. +# sentinel['quorum'] = 1 + +### Consider unresponsive server down after x amount of ms. +# sentinel['down_after_milliseconds'] = 10000 + +### Specifies the failover timeout in milliseconds. +##! It is used in many ways: +##! +##! - The time needed to re-start a failover after a previous failover was +##! already tried against the same master by a given Sentinel, is two +##! times the failover timeout. +##! +##! - The time needed for a replica replicating to a wrong master according +##! to a Sentinel current configuration, to be forced to replicate +##! with the right master, is exactly the failover timeout (counting since +##! the moment a Sentinel detected the misconfiguration). +##! +##! - The time needed to cancel a failover that is already in progress but +##! did not produced any configuration change (REPLICAOF NO ONE yet not +##! acknowledged by the promoted replica). +##! +##! - The maximum time a failover in progress waits for all the replicas to be +##! reconfigured as replicas of the new master. However even after this time +##! the replicas will be reconfigured by the Sentinels anyway, but not with +##! the exact parallel-syncs progression as specified. +# sentinel['failover_timeout'] = 60000 + +################################################################################ +## Additional Database Settings (EE only) +##! Docs: https://docs.gitlab.com/ee/administration/database_load_balancing.html +################################################################################ +# gitlab_rails['db_load_balancing'] = { 'hosts' => ['secondary1.example.com'] } + +################################################################################ +## GitLab Geo +##! Docs: https://docs.gitlab.com/ee/gitlab-geo +################################################################################ +##! Geo roles 'geo_primary_role' and 'geo_secondary_role' are set above with +##! other roles. For more information, see: https://docs.gitlab.com/omnibus/roles/README.html#roles. + +# This is an optional identifier which Geo nodes can use to identify themselves. +# For example, if external_url is the same for two secondaries, you must specify +# a unique Geo node name for those secondaries. +# +# If it is blank, it defaults to external_url. +# gitlab_rails['geo_node_name'] = nil + +# gitlab_rails['geo_registry_replication_enabled'] = true +# gitlab_rails['geo_registry_replication_primary_api_url'] = 'https://example.com:5050' + + +################################################################################ +## GitLab Geo Secondary (EE only) +################################################################################ +# geo_secondary['auto_migrate'] = true +# geo_secondary['db_adapter'] = "postgresql" +# geo_secondary['db_encoding'] = "unicode" +# geo_secondary['db_collation'] = nil +# geo_secondary['db_database'] = "gitlabhq_geo_production" +# geo_secondary['db_username'] = "gitlab_geo" +# geo_secondary['db_password'] = nil +# geo_secondary['db_host'] = "/var/opt/gitlab/geo-postgresql" +# geo_secondary['db_port'] = 5431 +# geo_secondary['db_socket'] = nil +# geo_secondary['db_sslmode'] = nil +# geo_secondary['db_sslcompression'] = 0 +# geo_secondary['db_sslrootcert'] = nil +# geo_secondary['db_sslca'] = nil + +################################################################################ +## GitLab Geo Secondary Tracking Database (EE only) +################################################################################ + +# geo_postgresql['enable'] = false +# geo_postgresql['ha'] = false +# geo_postgresql['dir'] = '/var/opt/gitlab/geo-postgresql' +# geo_postgresql['data_dir'] = '/var/opt/gitlab/geo-postgresql/data' +# geo_postgresql['pgbouncer_user'] = nil +# geo_postgresql['pgbouncer_user_password'] = nil +##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab` +# geo_postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH' + +################################################################################ +## Unleash +##! These settings are for GitLab internal use. +##! They are used to control feature flags during GitLab development. +##! Docs: https://docs.gitlab.com/ee/development/feature_flags +################################################################################ +# gitlab_rails['feature_flags_unleash_enabled'] = false +# gitlab_rails['feature_flags_unleash_url'] = nil +# gitlab_rails['feature_flags_unleash_app_name'] = nil +# gitlab_rails['feature_flags_unleash_instance_id'] = nil + +################################################################################ +# Pgbouncer (EE only) +# See [GitLab PgBouncer documentation](http://docs.gitlab.com/omnibus/settings/database.html#enabling-pgbouncer-ee-only) +# See the [PgBouncer page](https://pgbouncer.github.io/config.html) for details +################################################################################ +# pgbouncer['enable'] = false +# pgbouncer['log_directory'] = '/var/log/gitlab/pgbouncer' +# pgbouncer['data_directory'] = '/var/opt/gitlab/pgbouncer' +# pgbouncer['env_directory'] = '/opt/gitlab/etc/pgbouncer/env' +# pgbouncer['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# pgbouncer['listen_addr'] = '0.0.0.0' +# pgbouncer['listen_port'] = '6432' +# pgbouncer['pool_mode'] = 'transaction' +# pgbouncer['server_reset_query'] = 'DISCARD ALL' +# pgbouncer['application_name_add_host'] = '1' +# pgbouncer['max_client_conn'] = '2048' +# pgbouncer['default_pool_size'] = '100' +# pgbouncer['min_pool_size'] = '0' +# pgbouncer['reserve_pool_size'] = '5' +# pgbouncer['reserve_pool_timeout'] = '5.0' +# pgbouncer['server_round_robin'] = '0' +# pgbouncer['log_connections'] = '0' +# pgbouncer['server_idle_timeout'] = '30' +# pgbouncer['dns_max_ttl'] = '15.0' +# pgbouncer['dns_zone_check_period'] = '0' +# pgbouncer['dns_nxdomain_ttl'] = '15.0' +# pgbouncer['admin_users'] = %w(gitlab-psql postgres pgbouncer) +# pgbouncer['stats_users'] = %w(gitlab-psql postgres pgbouncer) +# pgbouncer['ignore_startup_parameters'] = 'extra_float_digits' +# pgbouncer['databases'] = { +# DATABASE_NAME: { +# host: HOSTNAME, +# port: PORT +# user: USERNAME, +# password: PASSWORD +###! generate this with `echo -n '$password + $username' | md5sum` +# } +# ... +# } +# pgbouncer['logfile'] = nil +# pgbouncer['unix_socket_dir'] = nil +# pgbouncer['unix_socket_mode'] = '0777' +# pgbouncer['unix_socket_group'] = nil +# pgbouncer['auth_type'] = 'md5' +# pgbouncer['auth_hba_file'] = nil +# pgbouncer['auth_query'] = 'SELECT username, password FROM public.pg_shadow_lookup($1)' +# pgbouncer['users'] = { +# { +# name: USERNAME, +# password: MD5_PASSWORD_HASH +# } +# } +# postgresql['pgbouncer_user'] = nil +# postgresql['pgbouncer_user_password'] = nil +# pgbouncer['server_reset_query_always'] = 0 +# pgbouncer['server_check_query'] = 'select 1' +# pgbouncer['server_check_delay'] = 30 +# pgbouncer['max_db_connections'] = nil +# pgbouncer['max_user_connections'] = nil +# pgbouncer['syslog'] = 0 +# pgbouncer['syslog_facility'] = 'daemon' +# pgbouncer['syslog_ident'] = 'pgbouncer' +# pgbouncer['log_disconnections'] = 1 +# pgbouncer['log_pooler_errors'] = 1 +# pgbouncer['stats_period'] = 60 +# pgbouncer['verbose'] = 0 +# pgbouncer['server_lifetime'] = 3600 +# pgbouncer['server_connect_timeout'] = 15 +# pgbouncer['server_login_retry'] = 15 +# pgbouncer['query_timeout'] = 0 +# pgbouncer['query_wait_timeout'] = 120 +# pgbouncer['client_idle_timeout'] = 0 +# pgbouncer['client_login_timeout'] = 60 +# pgbouncer['autodb_idle_timeout'] = 3600 +# pgbouncer['suspend_timeout'] = 10 +# pgbouncer['idle_transaction_timeout'] = 0 +# pgbouncer['pkt_buf'] = 4096 +# pgbouncer['listen_backlog'] = 128 +# pgbouncer['sbuf_loopcnt'] = 5 +# pgbouncer['max_packet_size'] = 2147483647 +# pgbouncer['tcp_defer_accept'] = 0 +# pgbouncer['tcp_socket_buffer'] = 0 +# pgbouncer['tcp_keepalive'] = 1 +# pgbouncer['tcp_keepcnt'] = 0 +# pgbouncer['tcp_keepidle'] = 0 +# pgbouncer['tcp_keepintvl'] = 0 +# pgbouncer['disable_pqexec'] = 0 + +## Pgbouncer client TLS options +# pgbouncer['client_tls_sslmode'] = 'disable' +# pgbouncer['client_tls_ca_file'] = nil +# pgbouncer['client_tls_key_file'] = nil +# pgbouncer['client_tls_cert_file'] = nil +# pgbouncer['client_tls_protocols'] = 'all' +# pgbouncer['client_tls_dheparams'] = 'auto' +# pgbouncer['client_tls_ecdhcurve'] = 'auto' +# +## Pgbouncer server TLS options +# pgbouncer['server_tls_sslmode'] = 'disable' +# pgbouncer['server_tls_ca_file'] = nil +# pgbouncer['server_tls_key_file'] = nil +# pgbouncer['server_tls_cert_file'] = nil +# pgbouncer['server_tls_protocols'] = 'all' +# pgbouncer['server_tls_ciphers'] = 'fast' + +################################################################################ +# Repmgr (EE only) +################################################################################ +# repmgr['enable'] = false +# repmgr['cluster'] = 'gitlab_cluster' +# repmgr['database'] = 'gitlab_repmgr' +# repmgr['host'] = nil +# repmgr['node_number'] = nil +# repmgr['port'] = 5432 +# repmgr['trust_auth_cidr_addresses'] = [] +# repmgr['username'] = 'gitlab_repmgr' +# repmgr['sslmode'] = 'prefer' +# repmgr['sslcompression'] = 0 +# repmgr['failover'] = 'automatic' +# repmgr['log_directory'] = '/var/log/gitlab/repmgrd' +# repmgr['node_name'] = nil +# repmgr['pg_bindir'] = '/opt/gitlab/embedded/bin' +# repmgr['service_start_command'] = '/opt/gitlab/bin/gitlab-ctl start postgresql' +# repmgr['service_stop_command'] = '/opt/gitlab/bin/gitlab-ctl stop postgresql' +# repmgr['service_reload_command'] = '/opt/gitlab/bin/gitlab-ctl hup postgresql' +# repmgr['service_restart_command'] = '/opt/gitlab/bin/gitlab-ctl restart postgresql' +# repmgr['service_promote_command'] = nil +# repmgr['promote_command'] = '/opt/gitlab/embedded/bin/repmgr standby promote -f /var/opt/gitlab/postgresql/repmgr.conf' +# repmgr['follow_command'] = '/opt/gitlab/embedded/bin/repmgr standby follow -f /var/opt/gitlab/postgresql/repmgr.conf' + +# repmgr['upstream_node'] = nil +# repmgr['use_replication_slots'] = false +# repmgr['loglevel'] = 'INFO' +# repmgr['logfacility'] = 'STDERR' +# repmgr['logfile'] = nil + +# repmgr['event_notification_command'] = nil +# repmgr['event_notifications'] = nil + +# repmgr['rsync_options'] = nil +# repmgr['ssh_options'] = nil +# repmgr['priority'] = nil +# +# HA setting to specify if a node should attempt to be master on initialization +# repmgr['master_on_initialization'] = true + +# repmgr['retry_promote_interval_secs'] = 300 +# repmgr['witness_repl_nodes_sync_interval_secs'] = 15 +# repmgr['reconnect_attempts'] = 6 +# repmgr['reconnect_interval'] = 10 +# repmgr['monitor_interval_secs'] = 2 +# repmgr['master_response_timeout'] = 60 +# repmgr['daemon'] = true +# repmgrd['enable'] = true + +################################################################################ +# Patroni (EE only) +# +# NOTICE: Patroni is an experimental feature and subject to change. +# +################################################################################ +# patroni['enable'] = false + +# patroni['dir'] = '/var/opt/gitlab/patroni' +# patroni['data_dir'] = '/var/opt/gitlab/patroni/data' +# patroni['ctl_command'] = '/opt/gitlab/embedded/bin/patronictl' + +# patroni['scope'] = 'gitlab-postgresql-ha' +# patroni['name'] = nil + +# patroni['log_directory'] = '/var/log/gitlab/patroni' +# patroni['log_level'] = 'INFO' + +# patroni['consul']['url'] = 'http://127.0.0.1:8500' +# patroni['consul']['service_check_interval'] = '10s' +# patroni['consul']['register_service'] = false +# patroni['consul']['checks'] = [] + +## Bootstrap settings +# patroni['loop_wait'] = 10 +# patroni['ttl'] = 30 +# patroni['retry_timeout'] = 10 +# patroni['maximum_lag_on_failover'] = 1_048_576 +# patroni['max_timelines_history'] = 0 +# patroni['master_start_timeout'] = 300 + +## PostgreSQL configuration override +# patroni['postgresql']['wal_level'] = 'replica' +# patroni['postgresql']['hot_standby'] = 'on' +# patroni['postgresql']['wal_keep_segments'] = 8 +# patroni['postgresql']['max_wal_senders'] = 5 +# patroni['postgresql']['max_replication_slots'] = 5 +# patroni['postgresql']['checkpoint_timeout'] = 30 + +# patroni['use_pg_rewind'] = false +# patroni['use_slots'] = true + +## Permanent replication slots for Streaming Replication +# patroni['replication_slots'] = { +# 'geo_secondary' => { 'type' => 'physical' } +# } + +## The address and port that Patroni API binds to and listens on. +# patroni['listen_address'] = nil +# patroni['port'] = '8008' + +## The address of the Patroni node that is advertized to other cluster +## members to communicate with its API and PostgreSQL. If it is not specified, +## it tries to use the first available private IP and falls back to the default +## network interface. +# patroni['connect_address'] = nil + +## The port that Patroni API responds to other cluster members. This port is +## advertized and by default is the same as patroni['port']. +# patroni['connect_port'] = '8008' + + +################################################################################ +# Consul (EEP only) +################################################################################ +# consul['enable'] = false +# consul['dir'] = '/var/opt/gitlab/consul' +# consul['username'] = 'gitlab-consul' +# consul['group'] = 'gitlab-consul' +# consul['config_file'] = '/var/opt/gitlab/consul/config.json' +# consul['config_dir'] = '/var/opt/gitlab/consul/config.d' +# consul['data_dir'] = '/var/opt/gitlab/consul/data' +# consul['log_directory'] = '/var/log/gitlab/consul' +# consul['env_directory'] = '/opt/gitlab/etc/consul/env' +# consul['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# consul['monitoring_service_discovery'] = false +# consul['node_name'] = nil +# consul['script_directory'] = '/var/opt/gitlab/consul/scripts' +# consul['configuration'] = { +# 'client_addr' => nil, +# 'datacenter' => 'gitlab_consul', +# 'enable_script_checks' => true, +# 'server' => false +# } +# consul['services'] = [] +# consul['service_config'] = { +# 'postgresql' => { +# 'service' => { +# 'name' => "postgresql", +# 'address' => '', +# 'port' => 5432, +# 'checks' => [ +# { +# 'script' => "/var/opt/gitlab/consul/scripts/check_postgresql", +# 'interval' => "10s" +# } +# ] +# } +# } +# } +# consul['watchers'] = { +# 'postgresql' => { +# enable: false, +# handler: 'failover_pgbouncer' +# } +# } +################################################################################ +# Service desk email settings (EEP only) +################################################################################ +### Service desk email +###! Allow users to create new service desk issues by sending an email to +###! service desk address. +###! Docs: https://docs.gitlab.com/ee/administration/reply_by_email.html +# gitlab_rails['service_desk_email_enabled'] = false + +#### Service Desk Mailbox Settings (via `mail_room`) +#### Service Desk Email Address +####! The email address including the `%{key}` placeholder that will be replaced +####! to reference the item being replied to. +####! **The placeholder can be omitted but if present, it must appear in the +####! "user" part of the address (before the `@`).** +# gitlab_rails['service_desk_email_address'] = "contact_project+%{key}@gmail.com" + +#### Service Desk Email account username +####! **With third party providers, this is usually the full email address.** +####! **With self-hosted email servers, this is usually the user part of the +####! email address.** +# gitlab_rails['service_desk_email_email'] = "contact_project@gmail.com" + +#### Service Desk Email account password +# gitlab_rails['service_desk_email_password'] = "[REDACTED]" + +####! The mailbox where service desk mail will end up. Usually "inbox". +# gitlab_rails['service_desk_email_mailbox_name'] = "inbox" +####! The IDLE command timeout. +# gitlab_rails['service_desk_email_idle_timeout'] = 60 +####! The file name for internal `mail_room` JSON logfile +# gitlab_rails['service_desk_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log" + +#### Service Desk IMAP Settings +# gitlab_rails['service_desk_email_host'] = "imap.gmail.com" +# gitlab_rails['service_desk_email_port'] = 993 +# gitlab_rails['service_desk_email_ssl'] = true +# gitlab_rails['service_desk_email_start_tls'] = false diff --git a/testserver/docker_gitlab/templates/docker-compose.yml b/testserver/docker_gitlab/templates/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..161ba773edd750a8e943ed9564bbe1cfeb5b9b76 --- /dev/null +++ b/testserver/docker_gitlab/templates/docker-compose.yml @@ -0,0 +1,101 @@ + +version: "2.4" + +services: + + app: + + image: gitlab/gitlab-ce:16.7.4-ce.0 + restart: always + ports: + - "444:22" + volumes: + - /srv/gitlab/conf:/etc/gitlab + - /srv/gitlab/log:/var/log/gitlab + - /srv/gitlab/data:/var/opt/gitlab + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`) + - traefik.http.routers.{{ servicename }}.entrypoints=websecure + - traefik.http.routers.{{ servicename }}.service={{ servicename }} + - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 + - traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-cors-headers + - traefik.http.middlewares.{{ servicename }}-cors-headers.headers.accesscontrolalloworiginlist=* + - traefik.http.routers.{{ servicename }}_registry.rule=Host(`{{ domain_registry }}`) + - traefik.http.routers.{{ servicename }}_registry.entrypoints=websecure + - traefik.http.routers.{{ servicename }}_registry.service={{ servicename }}_registry + - traefik.http.services.{{ servicename }}_registry.loadbalancer.server.port=5005 + networks: + - default + - web + + + # Docker in Docker for Gitlab-Runner execution + # see https://forum.gitlab.com/t/example-gitlab-runner-docker-compose-configuration/67344 + + dind: + + image: docker:25-dind + restart: always + privileged: true + environment: + DOCKER_TLS_CERTDIR: "" + command: + - --storage-driver=overlay2 + networks: + - default + + + runner: + + restart: always + image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine + depends_on: + - dind + - app + environment: + - DOCKER_HOST=tcp://dind:2375 + volumes: + - "/srv/gitlab/runner:/etc/gitlab-runner:z" + networks: + - default + + + # Runner Registration + # Excecute once when Gitlab is running + + # register-runner: + + # restart: 'no' + # image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine + # depends_on: + # - dind + # - app + # environment: + # - CI_SERVER_URL=https://{{ domain }} + # - REGISTRATION_TOKEN={{ runner_registration_token }} + # command: + # - register + # - --non-interactive + # - --locked=false + # - --name=warpzone-webserver + # - --executor=docker + # - --docker-image=docker:20-dind + # - --docker-volumes=/var/run/docker.sock:/var/run/docker.sock + # volumes: + # - "/srv/gitlab/runner:/etc/gitlab-runner:z" + # networks: + # - default + + +networks: + web: + external: true + default: + driver: bridge + enable_ipv6: true + ipam: + driver: default + config: + # must be a ULA range + - subnet: fd00:dead:beef:444::/64 diff --git a/testserver/docker_traefik/tasks/certificate.yml b/testserver/docker_traefik/tasks/certificate.yml new file mode 100644 index 0000000000000000000000000000000000000000..599d43c64fab3d9228d0e0ffa672beca36b41d08 --- /dev/null +++ b/testserver/docker_traefik/tasks/certificate.yml @@ -0,0 +1,98 @@ + +# Eigene CA und Server Zertifikat erstellen, falls diese noch nicht existiert + +- name: "Install Packages" + apt: + name: "{{ packages }}" + state: present + vars: + packages: + - python3-cryptography + + +- name: "Check if SelfSigned CA key exists" + stat: + path: "{{ basedir }}/ca.key" + register: ca_key_stat_result + +- name: "Create SelfSigned CA key" + community.crypto.openssl_privatekey: + path: "{{ basedir }}/ca.key" + when: not ca_key_stat_result.stat.exists + +- name: "Check if SelfSigned CA cert exists" + stat: + path: "{{ basedir }}/ca.pem" + register: ca_cert_stat_result + +- name: "Check if SelfSigned CA cert CSR" + community.crypto.openssl_csr_pipe: + privatekey_path: "{{ basedir }}/ca.key" + common_name: "{{ selfSignedCN }} CA" + use_common_name_for_san: false # since we do not specify SANs, don't use CN as a SAN + basic_constraints: + - 'CA:TRUE' + basic_constraints_critical: true + key_usage: + - keyCertSign + key_usage_critical: true + register: ca_csr + when: not ca_cert_stat_result.stat.exists + +- name: "Create SelfSigned CA cert from CSR" + community.crypto.x509_certificate: + path: "{{ basedir }}/ca.pem" + csr_content: "{{ ca_csr.csr }}" + privatekey_path: "{{ basedir }}/ca.key" + provider: selfsigned + when: not ca_cert_stat_result.stat.exists + + +- name: "Check if ServerCert key exists" + stat: + path: "{{ basedir }}/cert.key" + register: cert_key_stat_result + +- name: "Create ServerCert key" + community.crypto.openssl_privatekey: + path: "{{ basedir }}/cert.key" + when: not cert_key_stat_result.stat.exists + +- name: "Check if ServerCert cert exists" + stat: + path: "{{ basedir }}/cert.pem" + register: cert_cert_stat_result + +- name: "Create ServerCert CSR" + community.crypto.openssl_csr_pipe: + privatekey_path: "{{ basedir }}/cert.key" + subject_alt_name: + - "DNS:{{ selfSignedDomain }}" + - "DNS:{{ domain }}" + register: cert_csr + when: not cert_cert_stat_result.stat.exists + +- name: "Create ServerCert from CSR" + community.crypto.x509_certificate_pipe: + csr_content: "{{ cert_csr.csr }}" + provider: ownca + ownca_path: "{{ basedir }}/ca.pem" + ownca_privatekey_path: "{{ basedir }}/ca.key" + ownca_not_after: +9999d # long lifetime + ownca_not_before: "-1d" # valid since yesterday + register: cert + when: not cert_cert_stat_result.stat.exists + +- name: "Create ServerCert chain" + community.crypto.certificate_complete_chain: + input_chain: "{{ cert.certificate }}" + root_certificates: + - "{{ basedir }}/ca.pem" + register: cert_chain + when: not cert_cert_stat_result.stat.exists + +- name: "Create ServerCert chain" + copy: + dest: "{{ basedir }}/cert.pem" + content: "{{ ''.join(cert_chain.complete_chain) }}" + when: not cert_cert_stat_result.stat.exists diff --git a/testserver/docker_traefik/tasks/main.yml b/testserver/docker_traefik/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..54b26f8b8ee7a38f8965c45229d0f8514931a5ab --- /dev/null +++ b/testserver/docker_traefik/tasks/main.yml @@ -0,0 +1,63 @@ + +- include_tasks: ../functions/get_secret.yml + with_items: + - { path: "{{ basedir }}/letsencrypt_notification_email", length: -1 } + when: selfSignedCN is not defined + +- name: "create folder struct for {{ servicename }}" + file: + path: "{{ item }}" + state: "directory" + with_items: + - "{{ basedir }}" + - "{{ basedir }}/dynamic" + +- name: "Check if CertStore exists" + stat: + path: "{{ basedir }}/acme.json" + register: acme_stat_result + +- name: "Create CertStore if needed and set permissions" + file: + path: "{{ basedir }}/acme.json" + owner: root + group: root + mode: '600' + state: touch + when: not acme_stat_result.stat.exists + +- name: "Create SelfSigned CA and Cert" + ansible.builtin.include_tasks: certificate.yml + when: selfSignedCN is defined + + +- name: Docker Compose Konfig-Datei erstellen + template: + src: "{{ item }}" + dest: "{{ basedir }}/{{ item }}" + with_items: + - docker-compose.yml + - traefik.yml + - dynamic/tls.yml + register: config + +- name: redirect-default ersstellen, wenn domain_default definiert ist + template: + src: "{{ item }}" + dest: "{{ basedir }}/{{ item }}" + with_items: + - dynamic/redirect-default.yml + when: domain_default is defined + register: config + +- name: "stop {{ servicename}} docker" + community.docker.docker_compose_v2: + project_src: "{{ basedir }}" + state: absent + when: config.changed + +- name: "start {{ servicename}} docker" + community.docker.docker_compose_v2: + project_src: "{{ basedir }}" + state: present + diff --git a/testserver/docker_traefik/templates/docker-compose.yml b/testserver/docker_traefik/templates/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..865cd732d00d06602531b3703a9b684eafa02672 --- /dev/null +++ b/testserver/docker_traefik/templates/docker-compose.yml @@ -0,0 +1,53 @@ +version: '2.4' + +services: + + app: + image: traefik:v3.0.0-beta5 + restart: always + ports: + - "80:80" + - "443:443" +{% if matrix_federation is defined and matrix_federation == true %} - "8448:8448" +{% endif %} + - "{{ int_ip4 }}:8081:8080" + volumes: + - "/srv/traefik/traefik.yml:/etc/traefik/traefik.yml:ro" + - "/srv/traefik/dynamic:/etc/traefik/dynamic:ro" + - "/srv/traefik/acme.json:/acme.json" + - "/var/run/docker.sock:/var/run/docker.sock" +{% if selfSignedCN is defined %} + - "{{ basedir }}/cert.pem:/cert.pem:ro" + - "{{ basedir }}/cert.key:/cert.key:ro" +{% endif %} + networks: + - default + - web + healthcheck: + test: ['CMD', 'traefik', 'healthcheck'] + interval: 30s + timeout: 10s + retries: 3 + +# for debugging only +# whoami: +# image: containous/whoami +# labels: +# - traefik.enable=true +# - traefik.http.routers.{{ servicename }}.rule=Host(`{ domain }`) +# - traefik.http.routers.{{ servicename }}.entrypoints=websecure +# - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 +# networks: +# - web + +networks: + web: + external: true + default: + driver: bridge + enable_ipv6: true + ipam: + driver: default + config: + # must be a ULA range + - subnet: fd00:dead:beef:80::/64 diff --git a/testserver/docker_traefik/templates/dynamic/redirect-default.yml b/testserver/docker_traefik/templates/dynamic/redirect-default.yml new file mode 100644 index 0000000000000000000000000000000000000000..c196f5253ff07ef89bf00db022e7fe416081fe4c --- /dev/null +++ b/testserver/docker_traefik/templates/dynamic/redirect-default.yml @@ -0,0 +1,22 @@ +http: + routers: + router-default: + entrypoints: + - websecure + rule: "Host(`{{ domain }}`)" + middlewares: + - redirect-default + service: service-default + + services: + service-default: + loadBalancer: + servers: + - url: http://noop-dummy + + middlewares: + redirect-default: + redirectRegex: + regex: "^https://{{ domain }}/(.*)" + replacement: "https://{{ domain_default }}/$1" + diff --git a/testserver/docker_traefik/templates/dynamic/tls.yml b/testserver/docker_traefik/templates/dynamic/tls.yml new file mode 100644 index 0000000000000000000000000000000000000000..0909bb1f47c3e55aa47b46aec72a3e4f9dbca74d --- /dev/null +++ b/testserver/docker_traefik/templates/dynamic/tls.yml @@ -0,0 +1,28 @@ + +# TLS Options +tls: + +{% if selfSignedCN is defined %} + + # use local certificate + certificates: + - certFile: "/cert.pem" + keyFile: "/cert.key" + +{% endif %} + + options: + default: + sniStrict: true + minVersion: "VersionTLS12" + curvePreferences: + - "secp521r1" + - "secp384r1" + cipherSuites: + - "TLS_AES_128_GCM_SHA256" + - "TLS_AES_256_GCM_SHA384" + - "TLS_CHACHA20_POLY1305_SHA256" + - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" + - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + diff --git a/testserver/docker_traefik/templates/traefik.yml b/testserver/docker_traefik/templates/traefik.yml new file mode 100644 index 0000000000000000000000000000000000000000..f96aa28efd39719a39e535b1b9244189693bb7db --- /dev/null +++ b/testserver/docker_traefik/templates/traefik.yml @@ -0,0 +1,86 @@ + +# Global settings +global: + checkNewVersion: true + + +# Entrypoints +entryPoints: + + # HTTP, redirect all to HTTPS + web: + address: ":80" + http: + redirections: + entryPoint: + to: "websecure" + scheme: "https" + permanent: true + + # HTTPS, get certificates from letsencrypt + websecure: + address: ":443" + http: + tls: + certResolver: "letsencrypt" + + +{% if matrix_federation is defined and matrix_federation == true %} + + # additional entrypoint for matrix-federation + matrix_federation: + address: ":8448" + http: + tls: + certResolver: "letsencrypt" + +{% endif %} + +# Discover configuration via docker +# use network 'web' for interconnect +providers: + docker: + watch: true + endpoint: "unix:///var/run/docker.sock" + network: "web" + exposedByDefault: false + file: + directory: "/etc/traefik/dynamic" + watch: true + + +# Traefik API and dashboard +api: + insecure: true + dashboard: true + debug: false + + +# Enable Ping endpoint for docker healthcheck +ping: {} + + +# Enable prometheus metrics +metrics: + prometheus: + addEntryPointsLabels: true + addServicesLabels: true + + +# Logging +log: + level: "INFO" + format: "common" + + +{% if selfSignedCN is not defined %} + +# get certificates from letsEncrypt +certificatesResolvers: + letsencrypt: + acme: + email: "{{ letsencrypt_notification_email }}" + storage: "/acme.json" + tlsChallenge: true + +{% endif %} diff --git a/testserver/docker_wordpress/tasks/main.yml b/testserver/docker_wordpress/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..88007627a0e5ceaa77ae8ecb84364ffdea3673a8 --- /dev/null +++ b/testserver/docker_wordpress/tasks/main.yml @@ -0,0 +1,44 @@ +--- + +- include_tasks: ../functions/get_secret.yml + with_items: + - { path: /srv/shared/noreply_email_pass, length: -1 } + - { path: "{{ basedir }}/mysql_root_pass", length: 24 } + - { path: "{{ basedir }}/mysql_user_pass", length: 12 } + +- name: "create folder struct for {{ servicename }}" + file: + path: "{{ item }}" + state: "directory" + owner: www-data + group: www-data + with_items: + - "{{ basedir }}/" + - "{{ basedir }}/config" + - "{{ basedir }}/data/" + - "{{ basedir }}/db/" + - "{{ basedir }}/data/wp-content/" + - "{{ basedir }}/data/wp-content/plugins" + - "{{ basedir }}/data/wp-content/plugins/wz-status/" + +- name: create config file + template: + src: "{{ item }}" + dest: "{{ basedir }}/{{ item }}" + with_items: + - Dockerfile + - docker-compose.yml + - config/uploads.ini + - data/wp-content/plugins/wz-status/wz-status.php + register: config + +- name: "stop {{ servicename }} docker" + community.docker.docker_compose_v2: + project_src: "{{ basedir }}" + state: absent + when: config.changed + +- name: "start {{ servicename }} docker" + community.docker.docker_compose_v2: + project_src: "{{ basedir }}" + state: present diff --git a/testserver/docker_wordpress/templates/Dockerfile b/testserver/docker_wordpress/templates/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..1c41da02f4c43761b8e7f8e4639d7314a7390b4a --- /dev/null +++ b/testserver/docker_wordpress/templates/Dockerfile @@ -0,0 +1,10 @@ +FROM wordpress:6.4.2-apache + +# install the PHP extensions we need +RUN set -x \ + && apt-get update \ + && apt-get install -y libldap2-dev \ + && rm -rf /var/lib/apt/lists/* \ + && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \ + && docker-php-ext-install ldap \ + && apt-get purge -y --auto-remove libldap2-dev diff --git a/testserver/docker_wordpress/templates/config/uploads.ini b/testserver/docker_wordpress/templates/config/uploads.ini new file mode 100644 index 0000000000000000000000000000000000000000..c32c80ec4475ac54fb2ce2c7deb03677be062942 --- /dev/null +++ b/testserver/docker_wordpress/templates/config/uploads.ini @@ -0,0 +1,6 @@ + +file_uploads = On +memory_limit = 64M +upload_max_filesize = 64M +post_max_size = 64M +max_execution_time = 600 diff --git a/testserver/docker_wordpress/templates/data/wp-content/plugins/wz-status/wz-status.php b/testserver/docker_wordpress/templates/data/wp-content/plugins/wz-status/wz-status.php new file mode 100644 index 0000000000000000000000000000000000000000..36b3bf0a09affb3d2a6345d314291b8d84c4659d --- /dev/null +++ b/testserver/docker_wordpress/templates/data/wp-content/plugins/wz-status/wz-status.php @@ -0,0 +1,152 @@ +<?php +/* +Plugin Name: WZ Status +Plugin URI: http://www.warpzone.ms +Description: This plugin adds a custom widget. +Version: 1.0 +Author: Christian <void> Elberfeld +Author URI: http://www.warpzone.ms +License: GPL2 +Original Source: https://github.com/wpexplorer/my-widget-plugin +*/ + +// The widget class +class WZ_Status_Widget extends WP_Widget { + + // Main constructor + public function __construct() { + parent::__construct( + 'wz_status_widget', + __( 'WZ Status Widget', 'text_domain' ), + array( + 'customize_selective_refresh' => true, + ) + ); + } + + // The widget form (for the backend ) + public function form( $instance ) { + + // Set widget defaults + $defaults = array( + 'title' => '', + 'api_url' => '', + ); + + // Parse current settings with defaults + extract( wp_parse_args( ( array ) $instance, $defaults ) ); ?> + + <?php // Widget Title ?> + <p> + <label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"><?php _e( 'Widget Title', 'text_domain' ); ?></label> + <input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" /> + </p> + + <?php // Api Url ?> + <p> + <label for="<?php echo esc_attr( $this->get_field_id( 'api_url' ) ); ?>"><?php _e( 'Api Url:', 'api_url' ); ?></label> + <input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'api_url' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'api_url' ) ); ?>" type="text" value="<?php echo esc_attr( $text ); ?>" /> + </p> + + + <?php } + + // Update widget settings + public function update( $new_instance, $old_instance ) { + $instance = $old_instance; + $instance['title'] = isset( $new_instance['title'] ) ? wp_strip_all_tags( $new_instance['title'] ) : ''; + $instance['api_url'] = isset( $new_instance['api_url'] ) ? wp_strip_all_tags( $new_instance['api_url'] ) : ''; + return $instance; + } + + // Display the widget + public function widget( $args, $instance ) { + + extract( $args ); + + // Check the widget options + $title = isset( $instance['title'] ) ? apply_filters( 'widget_title', $instance['title'] ) : ''; + $api_url = isset( $instance['api_url'] ) ? $instance['api_url'] : ''; + + $zone_status = "UNBEKANNT"; + $zone_status_text = "Unbekannt"; + $zone_status_color = "#000000"; + + // WordPress core before_widget hook (always include ) + echo $before_widget; + + // Display the widget + echo '<div class="widget-text wp_widget_plugin_box">'; + + // Display widget title if defined + if ( $title ) { + echo $before_title . $title . $after_title; + } + + + // Zone Status abrufen + + $curl = curl_init(); + + curl_setopt_array($curl, array( + CURLOPT_URL => "https://api.warpzone.ms/statuswidget", + CURLOPT_RETURNTRANSFER => true, + CURLOPT_FOLLOWLOCATION => true, + CURLOPT_ENCODING => "", + CURLOPT_MAXREDIRS => 3, + CURLOPT_TIMEOUT => 5, + CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, + CURLOPT_CUSTOMREQUEST => "GET" + )); + + $response = curl_exec($curl); + $err = curl_error($curl); + + curl_close($curl); + + if ($err) { + + $zone_status = $err; + + } else { + + $responseObj = json_decode($response,true); + $zone_status = $responseObj['zone_door_status']; + + if ($zone_status == "OPEN") { + + $zone_status_text = "Offen"; + $zone_status_color = "#00cc00"; + } + + if ($zone_status == "CLOSED") { + + $zone_status_text = "Geschlossen"; + $zone_status_color = "#cc0000"; + } + + } + + + // Anzeige Status im Widget + echo "<span style='font-weight: bold; color:" . $zone_status_color . ";'>" . $zone_status_text . "</span>"; + + // Status mit in die Menueleiste fuer Mobilgeraete + echo "<script type='text/javascript'>jQuery(document).ready(function() { jQuery('#mainnav-toggle').text('MENU | Status: " . $zone_status_text . "'); });</script>"; + + + echo '</div>'; + + // WordPress core after_widget hook (always include ) + echo $after_widget; + + } + +} + +// Register the widget +function my_register_wz_status_widget() { + register_widget( 'WZ_Status_Widget' ); +} +add_action( 'widgets_init', 'my_register_wz_status_widget' ); + diff --git a/testserver/docker_wordpress/templates/docker-compose.yml b/testserver/docker_wordpress/templates/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..bd06cf593ae32bb2a4796b9599d661889ebe1e0a --- /dev/null +++ b/testserver/docker_wordpress/templates/docker-compose.yml @@ -0,0 +1,42 @@ + +version: "3" + +services: + + db: + + image: mariadb:11.2.2 + restart: always + volumes: + - /srv/wordpress/db/:/var/lib/mysql + environment: + MYSQL_ROOT_PASSWORD: "{{ mysql_root_pass }}" + MYSQL_PASSWORD: "{{ mysql_user_pass }}" + MYSQL_DATABASE: wordpress + MYSQL_USER: wordpress + networks: + - default + + app: + # values set in configuration: noreply_email_user - noreply_email_pass - smtp_host - smtp_port + build: . + restart: always + volumes: + - /srv/wordpress/config/uploads.ini:/usr/local/etc/php/conf.d/uploads.ini + - /srv/wordpress/data:/var/www/html + environment: + WORDPRESS_DB_HOST: db + WORDPRESS_DB_USER: wordpress + WORDPRESS_DB_PASSWORD: "{{ mysql_user_pass }}" + labels: + - traefik.enable=true + - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`) + - traefik.http.routers.{{ servicename }}.entrypoints=websecure + - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80 + networks: + - default + - web + +networks: + web: + external: true