[
  {
    "path": ".circleci/config.yml",
    "content": "version: 2.1\n\norbs:\n  shellcheck: circleci/shellcheck@3.4.0\n  docker: circleci/docker@2.8.2\n  go: circleci/go@1.11.0\n\ncommands:\n  docker-build:\n    description: |\n      Build and optionally deploy a Docker images\n    parameters:\n      dockerfile:\n        default: Dockerfile\n        description: 'Name of dockerfile to use, defaults to Dockerfile'\n        type: string\n      extra_build_args:\n        default: ''\n        description: >\n          Extra flags to pass to docker build. For examples, see\n          https://docs.docker.com/engine/reference/commandline/build\n        type: string\n      registry:\n        default: docker.io\n        description: |\n          Comma separated list of registry to use, defaults to docker.io\n        type: string\n      image:\n        description: Name of image to build\n        type: string\n      tag:\n        default: $CIRCLE_SHA1\n        description: 'Image tag, defaults to the value of $CIRCLE_SHA1'\n        type: string\n      path:\n        default: .\n        description: >\n          Path to the directory containing your Dockerfile and build context,\n          defaults to . (working directory)\n        type: string\n      cache_from:\n        default: ''\n        description: >\n          Comma-separated list of images, images will first be pulled, then passed\n          as the --cache-from build argument\n          https://docs.docker.com/engine/reference/commandline/build/\n        type: string\n      no_output_timeout:\n        default: 10m\n        description: |\n          No output timeout for build step\n        type: string\n      use-buildkit:\n        default: false\n        description: |\n          Use buildkit to build the image. 
Available on Docker >= 18.09.0 https://docs.docker.com/develop/develop-images/build_enhancements/\n        type: boolean\n    steps:\n      - when:\n          condition: <<parameters.cache_from>>\n          steps:\n            - run:\n                name: Build image for <<parameters.registry>>\n                no_output_timeout: <<parameters.no_output_timeout>>\n                command: >\n                  echo \"<<parameters.cache_from>>\" | sed -n 1'p' | tr ',' '\\n' |\n                  while read image; do\n                    echo \"Pulling ${image}\";\n                    docker pull ${image} || true\n                  done\n\n                  docker_tag_args=\"\"\n\n                  IFS=\",\" read -ra DOCKER_REGISTRIES \\<<< \"<< parameters.registry >>\"\n\n                  for registry in \"${DOCKER_REGISTRIES[@]}\"; do\n                    IFS=\",\" read -ra DOCKER_TAGS \\<<< \"<< parameters.tag >>\"\n\n                    for tag in \"${DOCKER_TAGS[@]}\"; do\n                      docker_tag_args=\"$docker_tag_args -t $registry/<<parameters.image>>:${tag}\"\n                    done\n                  done\n\n                  docker buildx build\n                  <<#parameters.extra_build_args>><<parameters.extra_build_args>><</parameters.extra_build_args>>\n                  \\\n                    --cache-from <<parameters.cache_from>> \\\n                    -f <<parameters.path>>/<<parameters.dockerfile>> \\\n                    $docker_tag_args \\\n                    <<parameters.path>>\n      - unless:\n          condition: <<parameters.cache_from>>\n          steps:\n            - run:\n                name: Building image for <<parameters.registry>>\n                no_output_timeout: <<parameters.no_output_timeout>>\n                command: >\n                  docker_tag_args=\"\"\n\n                  IFS=\",\" read -ra DOCKER_REGISTRIES \\<<< \"<< parameters.registry >>\"\n\n                  for registry in 
\"${DOCKER_REGISTRIES[@]}\"; do\n                    IFS=\",\" read -ra DOCKER_TAGS \\<<< \"<< parameters.tag >>\"\n\n                    for tag in \"${DOCKER_TAGS[@]}\"; do\n                      docker_tag_args=\"$docker_tag_args -t $registry/<<parameters.image>>:${tag}\"\n                    done\n                  done\n\n                  docker buildx build\n                  <<#parameters.extra_build_args>><<parameters.extra_build_args>><</parameters.extra_build_args>>\n                  \\\n                    -f <<parameters.path>>/<<parameters.dockerfile>> \\\n                    $docker_tag_args \\\n                    <<parameters.path>>\n\n  docker-save:\n    description: |\n      Save one or more images to a tar archive\n    parameters:\n      registry:\n        default: docker.io\n        description: |\n          Comma separated list of registry to use, defaults to docker.io\n        type: string\n      image:\n        description: Name of image to build\n        type: string\n      tag:\n        default: $CIRCLE_SHA1\n        description: 'Image tag, defaults to the value of $CIRCLE_SHA1'\n        type: string\n    steps:\n      - run:\n          name: Save image to tar archive\n          command: >\n            docker_images=\"\"\n\n            IFS=\",\" read -ra DOCKER_REGISTRIES \\<<< \"<< parameters.registry >>\"\n\n            for registry in \"${DOCKER_REGISTRIES[@]}\"; do\n              IFS=\",\" read -ra DOCKER_TAGS \\<<< \"<< parameters.tag >>\"\n\n              for tag in \"${DOCKER_TAGS[@]}\"; do\n                docker_images=\"$docker_images $registry/<<parameters.image>>:${tag}\"\n              done\n            done\n\n            mkdir -p ~/docker/\n\n            docker save -o ~/docker/docker-images.tar $docker_images\n      - persist_to_workspace:\n          root: ~/\n          paths:\n            - docker\n\n  docker-load:\n    description: |\n      Load tar archive\n    steps:\n      - attach_workspace:\n          at: ~/\n      
- run:\n          name: Load images from tar archive\n          command: >\n            docker load -i ~/docker/docker-images.tar\n\n  docker-publish:\n    description: |\n      Build and optionally deploy a Docker images\n    parameters:\n      pr:\n        default: ''\n        type: string\n      registry:\n        default: docker.io\n        description: |\n          Comma separated list of registry to use, defaults to docker.io\n        type: string\n      image:\n        description: Name of image to build\n        type: string\n      tag:\n        default: $CIRCLE_SHA1\n        description: 'Image tag, defaults to the value of $CIRCLE_SHA1'\n        type: string\n    steps:\n      - unless:\n          condition: <<parameters.pr>>\n          steps:\n            - run:\n                name: Publish image for <<parameters.registry>>\n                command: >\n                  IFS=\",\" read -ra DOCKER_REGISTRIES \\<<< \"<< parameters.registry >>\"\n\n                  for registry in \"${DOCKER_REGISTRIES[@]}\"; do\n                    IFS=\",\" read -ra DOCKER_TAGS \\<<< \"<< parameters.tag >>\"\n\n                    for tag in \"${DOCKER_TAGS[@]}\"; do\n                      docker push $registry/<< parameters.image>>:${tag}\n                    done\n                  done\n\njobs:\n  build:\n    machine:\n      image: ubuntu-2404:edge\n    resource_class: large\n    steps:\n      - checkout\n      - docker-build:\n          registry: docker.io,quay.io\n          image: sameersbn/gitlab\n          tag: ${CIRCLE_TAG:-latest}\n          cache_from: docker.io/sameersbn/gitlab:latest\n          extra_build_args: '--build-arg VCS_REF=${CIRCLE_TAG:-${CIRCLE_SHA1}} --build-arg BUILD_DATE=\"$(date +\"%Y-%m-%d %H:%M:%S%:z\")\"'\n          no_output_timeout: 45m\n          use-buildkit: true\n      - docker-save:\n          registry: docker.io,quay.io\n          image: sameersbn/gitlab\n          tag: ${CIRCLE_TAG:-latest}\n\n  test:\n    executor: 
docker/machine\n    steps:\n      - checkout\n      - docker-load\n      - run:\n          name: Update tag in docker-compose.yml\n          command: |\n            sed -i \"s|image: sameersbn/gitlab:.*|image: sameersbn/gitlab:${CIRCLE_TAG:-latest}|\" docker-compose.yml\n      - run:\n          name: Launch gitlab stack\n          command: docker-compose up -d --quiet-pull\n      - run:\n          name: Container info\n          command: docker ps\n      - run:\n          name: Wait for stack bootup\n          command: sleep 90\n      - run:\n          name: Show logs\n          command: docker-compose logs\n      - run:\n          name: Test image bootup\n          command: |\n            docker run --network container:$(docker-compose ps -q gitlab) \\\n              curlimages/curl --ipv4 --retry 60 --retry-delay 5 --retry-connrefused -svf http://localhost/explore -o /dev/null\n\n  publish-dockerhub:\n    executor: docker/machine\n    steps:\n      - docker-load\n      - docker/check:\n          registry: docker.io\n          docker-username: DOCKER_LOGIN\n          docker-password: DOCKER_PASSWORD\n      - docker-publish:\n          registry: docker.io\n          image: sameersbn/gitlab\n          tag: ${CIRCLE_TAG:-latest}\n\n  publish-quay:\n    executor: docker/machine\n    steps:\n      - docker-load\n      - docker/check:\n          registry: quay.io\n          docker-username: DOCKER_LOGIN\n          docker-password: DOCKER_PASSWORD\n      - docker-publish:\n          registry: quay.io\n          image: sameersbn/gitlab\n          tag: ${CIRCLE_TAG:-latest}\n\n  release:\n    executor:\n      name: go/default\n      tag: '1.24'\n    steps:\n      - checkout\n      - run:\n          name: Installing github-release tool\n          command: go install github.com/meterup/github-release@latest\n      - run:\n          name: Creating github release\n          command: |\n            PRE_RELEASE=${CIRCLE_TAG/${CIRCLE_TAG%-rc[0-9]*}/}\n            github-release 
delete -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -t ${CIRCLE_TAG} 2>/dev/null ||:\n            ./scripts/release-notes.sh ${CIRCLE_TAG} | github-release release ${PRE_RELEASE:+-p} -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -t ${CIRCLE_TAG} -d -\n            for f in $(find /tmp/dist -type f); do github-release upload -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -t ${CIRCLE_TAG} -n $(basename ${f}) -f ${f} ; done\n\nworkflows:\n  build-test-and-release:\n    jobs:\n      - shellcheck/check:\n          name: shellcheck\n          exclude: SC2086,SC2181\n          external_sources: true\n          filters:\n            tags:\n              only: /^([0-9]+)\\.([0-9]+)\\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?(?:\\+[0-9A-Za-z-]+)?$/\n      - build:\n          requires:\n            - shellcheck\n          filters:\n            tags:\n              only: /^([0-9]+)\\.([0-9]+)\\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?(?:\\+[0-9A-Za-z-]+)?$/\n      - test:\n          requires:\n            - build\n          filters:\n            tags:\n              only: /^([0-9]+)\\.([0-9]+)\\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?(?:\\+[0-9A-Za-z-]+)?$/\n      - publish-dockerhub:\n          context: dockerhub\n          requires:\n            - test\n          filters:\n            branches:\n              only: master\n            tags:\n              only: /^([0-9]+)\\.([0-9]+)\\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?(?:\\+[0-9A-Za-z-]+)?$/\n      - publish-quay:\n          context: quay\n          requires:\n            - test\n          filters:\n            tags:\n              only: /^([0-9]+)\\.([0-9]+)\\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?(?:\\+[0-9A-Za-z-]+)?$/\n            branches:\n              only: master\n      - release:\n          context: github\n          requires:\n            - publish-dockerhub\n            - publish-quay\n          filters:\n           
 tags:\n              only: /^([0-9]+)\\.([0-9]+)\\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?(?:\\+[0-9A-Za-z-]+)?$/\n            branches:\n              ignore: /.*/\n"
  },
  {
    "path": ".dockerignore",
    "content": ".git\n.gitignore\nLICENSE\nVERSION\nREADME.md\nChangelog.md\nMakefile\ndocker-compose.yml\ndocs\n"
  },
  {
    "path": ".github/stale.yml",
    "content": "# Number of days of inactivity before an issue becomes stale\ndaysUntilStale: 60\n# Number of days of inactivity before a stale issue is closed\ndaysUntilClose: 7\n# Issues with these labels will never be considered stale\nexemptLabels:\n  - pinned\n  - security\n  - keep-alive\n# Label to use when marking an issue as stale\nstaleLabel: wontfix\n# Comment to post when marking an issue as stale. Set to `false` to disable\nmarkComment: >\n  This issue has been automatically marked as stale because it has not had\n  any activity for the last 60 days. It will be closed if no further activity\n  occurs during the next 7 days. Thank you for your contributions.\n# Comment to post when closing a stale issue. Set to `false` to disable\ncloseComment: false\n"
  },
  {
    "path": ".gitignore",
    "content": "*.gem\n*.tar.gz\n*.tar.bz2\n"
  },
  {
    "path": ".gitlab-ci.yml",
    "content": "image: docker:18-git\n\nstages:\n  - build\n\nbefore_script:\n  - export VERSION=$(cat VERSION)\n  - export CI_REGISTRY=${CI_REGISTRY:-hub.docker.com}\n  - export CI_REGISTRY_USER=${CI_REGISTRY_USER:-gitlab-ci-token}\n  - export CI_REGISTRY_PASSWORD=${CI_REGISTRY_PASSWORD:-${CI_JOB_TOKEN}}\n  - export DOCKER_IMAGE=${DOCKER_IMAGE:-${CI_REGISTRY}/${CI_PROJECT_PATH}}\n  - |\n    if [ \"${DOCKER_IMAGE}\" = \"/\" ]; then\n      export DOCKER_IMAGE=sameersbn/gitlab\n    fi\n\ndocker:build:\n  stage: build\n  only:\n    - master\n  script:\n    - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}\n    - docker build\n      --pull\n      --cache-from=${DOCKER_IMAGE}\n      --build-arg=VCS_REF=$(git rev-parse --short HEAD)\n      --build-arg=BUILD_DATE=\"$(date +\"%Y-%m-%d %H:%M:%S%:z\")\"\n      --tag ${DOCKER_IMAGE} .\n    - docker push ${DOCKER_IMAGE}\n\ndocker:build:branches:\n  stage: build\n  only:\n    - branches\n  except:\n    - master\n  script:\n    - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}\n    - docker build\n      --pull\n      --cache-from=${DOCKER_IMAGE}:${CI_COMMIT_REF_SLUG}\n      --build-arg=VCS_REF=$(git rev-parse --short HEAD)\n      --build-arg=BUILD_DATE=\"$(date +\"%Y-%m-%d %H:%M:%S%:z\")\"\n      --tag ${DOCKER_IMAGE}:${CI_COMMIT_REF_SLUG} .\n    - docker push ${DOCKER_IMAGE}:${CI_COMMIT_REF_SLUG}\n\ndocker:build:release:\n  stage: build\n  only:\n    - tags\n  script:\n    - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}\n    - docker build\n      --pull\n      --cache-from=${DOCKER_IMAGE}:${VERSION}\n      --build-arg=VCS_REF=$(git rev-parse --short HEAD)\n      --build-arg=BUILD_DATE=\"$(date +\"%Y-%m-%d %H:%M:%S%:z\")\"\n      --tag ${DOCKER_IMAGE}:${VERSION} .\n    - docker push ${DOCKER_IMAGE}:${VERSION}\n"
  },
  {
    "path": "CI_MIGRATION.md",
    "content": "# CI Migration Guide\n\nSince version `8.0.0`, CI is now a part of GitLab. You no longer need to run a separate instance of the CI server. This guide walks you through the procedure of migrating your existing CI data into GitLab.\n\nThis guide assumes that you are currently using `sameersbn/gitlab` and `sameersbn/gitlab-ci` for setting up your GitLab and CI requirements.\n\n> **Note:**\n>\n> If your CI server and your GitLab server use the same database adapter no special care is needed. If your CI server uses MySQL and your GitLab server uses PostgreSQL you need to pass a special option in **Step 4 - Upgrade CI > Create CI backup**. If your CI server uses PostgreSQL and your GitLab server uses MySQL you cannot migrate your CI data to GitLab `8.0`, Please refer to https://github.com/sameersbn/docker-gitlab/issues/429#issuecomment-152799995 for instructions to migrate from MySQL to PostgreSQL first.\n\n## Step 1 - Get Ready\n\nStop your GitLab and CI servers\n\n```bash\ndocker stop gitlab-ci gitlab\ndocker rm gitlab-ci gitlab\n```\n\n## Step 2 - Upgrade to the `7.14.3` releases\n\nMigration to GitLab `8.0` can only be done from version `7.14.3`. 
As a result we need to first migrate to the most recent versions of these images.\n\n### Upgrade to `sameersbn/gitlab:7.14.3`\n\n```bash\ndocker run -it --rm [OPTIONS] \\\n  sameersbn/gitlab:7.14.3 app:init\n```\n\n### Upgrade to `sameersbn/gitlab-ci:7.14.3-1`\n\n```bash\ndocker run -it --rm [OPTIONS] \\\n  sameersbn/gitlab-ci:7.14.3-1 app:init\n```\n\n## Step 3 - Generate Backups\n\nCreate backups to ensure that we can rollback in case you face issues during the migration\n\n### Create GitLab backup\n\n```bash\ndocker run -it --rm [OPTIONS] \\\n  sameersbn/gitlab:7.14.3 app:rake gitlab:backup:create\n```\n\nMake a note of the backup archive `xxxxxxxxxx_gitlab_backup.tar` as it is the backup you will have to rollback to in case of errors.\n\n### Create GitLab CI backup\n\n```bash\ndocker run -it --rm [OPTIONS] \\\n  sameersbn/gitlab-ci:7.14.3-1 app:rake backup:create\n```\n\nMake a note of the backup archive `xxxxxxxxxx_gitlab_ci_backup.tar.gz` as it is the backup you will have to rollback to in case of errors.\n\n> **Note**: From this point only `8.0.x` version images are used.\n\n## Step 4 - Upgrade CI\n\nCI `8.x.x` is only meant for the purpose of migrating to GitLab `8.0`. Here we need to upgrade to version `8.x.x` and generate a backup that will be imported into GitLab.\n\n### Upgrade to `sameersbn/gitlab-ci:8.0.5`\n\n```bash\ndocker run -it --rm [OPTIONS] \\\n  sameersbn/gitlab-ci:8.0.5 app:init\n```\n\n### Create CI backup\n\n*If you are converting from MySQL to PostgreSQL, add `MYSQL_TO_POSTGRESQL=1` to the end of the below command.*\n\n```bash\ndocker run -it --rm [OPTIONS] \\\n  sameersbn/gitlab-ci:8.0.5 app:rake backup:create\n```\n\nCopy the generated backup archive `xxxxxxxxxx_gitlab_ci_backup.tar` into the `backups/` directory of the GitLab server.\n\n```bash\ncp <gitlab-ci-host-volume-path>/backups/xxxxxxxxxx_gitlab_ci_backup.tar <gitlab-ce-host-volume-path>/backups/\n```\n\nWe are done with CI. 
If the rest of the migration goes as planned you will not need to start `sameersbn/gitlab-ci` ever again.\n\n## Step 5 - Upgrade GitLab\n\nBefore we can upgrade to `sameersbn/gitlab:8.0.5-1`, we need to assign the value of `GITLAB_CI_SECRETS_DB_KEY_BASE` (from CI) to `GITLAB_SECRETS_DB_KEY_BASE` in GitLab's environment. The migrated CI data contains secret variables encrypted with this key, so the value must match the one used by CI and should be handled as a secret.\n\nNext you also need to set the environment variable `GITLAB_CI_HOST` to the address of your CI server, e.g. `ci.example.com`. This will make sure that your existing runners will be able to communicate with GitLab using the old URL.\n\n### Upgrade to `sameersbn/gitlab:8.0.5-1`\n\n```bash\ndocker run -it --rm [OPTIONS] \\\n  --env GITLAB_CI_HOST=ci.example.com --env GITLAB_SECRETS_DB_KEY_BASE=xxxxxx \\\n  sameersbn/gitlab:8.0.5-1 app:init\n```\n\n### Migrate CI data\n\n```bash\ndocker run -it --rm [OPTIONS] \\\n  --env GITLAB_CI_HOST=ci.example.com --env GITLAB_SECRETS_DB_KEY_BASE=xxxxxx \\\n  sameersbn/gitlab:8.0.5-1 app:rake ci:migrate\n```\n\n## Step 6 - Fix DNS and reverse proxy configurations\n\nSince GitLab and CI are now one, update your DNS configuration to make sure `ci.example.com` points to your GitLab instance.\n\nIf you are using a reverse proxy, update the configuration such that `ci.example.com` interfaces with the GitLab server.\n\n> **Note**: The above changes result in connections from your runners being redirected multiple times before ending up at the right location. If you want to avoid this redirection you can update the URL in your runners' configuration file to point to `http://git.example.com/ci` when using plain http, or `https://git.example.com/ci` if you are using SSL.\n>\n> If you change the URL on the runners you can also do away with the `ci.example.com` domain name altogether.\n\n## Step 7 - Done!\n\nYou can now start the GitLab server normally. Make sure that `GITLAB_CI_HOST` and `GITLAB_SECRETS_DB_KEY_BASE` are defined in your container's environment.\n\n"
  },
  {
    "path": "CONTRIBUTING.md",
    "content": "# GitLab-CI Configuration\n\nWhen using your own GitLab instance, the provided .gitlab-ci.yml automatically uses the settings provided by the GitLab instance. If needed, several options can be overridden.\n\nOverrides for these values can be set within the project, under `Settings` -> `CI/CD` -> `Variables`.\n\n| Variable               | Default Value      | Description                                                                                                                                                                                                              |\n| ---------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |\n| `CI_REGISTRY`          | `hub.docker.com`   | If available this will be automatically overridden by registry address which is configured within the GitLab instance                                                                                                    |\n| `CI_REGISTRY_USER`     | `gitlab-ci-token`  | Username for the registry                                                                                                                                                                                                |\n| `CI_REGISTRY_PASSWORD` | `${CI_JOB_TOKEN}`  | Password for the registry                                                                                                                                                                                                |\n| `DOCKER_IMAGE`         | `sameersbn/gitlab` | Docker image name, will automatically be overridden by the running GitLab instance with the `${CI_PROJECT_PATH}` variable. This will cause the image to be uploaded to the local registry of the project within GitLab. |\n"
  },
  {
    "path": "Changelog.md",
    "content": "# Changelog\n\nThis file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](https://\ngitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list of changes in GitLab.\n\n## 18.9.2\n\n- gitlab: upgrade CE to v18.9.2\n- gitaly: upgrade to v18.9.2\n- gitlab-pages: upgrade to v18.9.2\n- golang: upgrade to v1.25.8\n- rubygems: upgrade to v4.0.8\n\n## 18.9.1\n\n- gitlab: upgrade CE to v18.9.1\n- gitaly: upgrade to v18.9.1\n- gitlab-pages: upgrade to v18.9.1\n\n## 18.9.0\n\n- gitlab: upgrade CE to v18.9.0\n- gitaly: upgrade to v18.9.0\n- gitlab-pages: upgrade to v18.9.0\n- gitlab-shell: upgrade to v14.45.6\n- ruby: upgrade to v3.3.10\n- ubuntu: upgrade to noble-20260210.1\n\n## 18.8.4\n\n- gitlab: upgrade CE to v18.8.4\n- gitaly: upgrade to v18.8.4\n- gitlab-pages: upgrade to v18.8.4\n- golang: upgrade to v1.25.7\n- rubygems: upgrade to v4.0.6\n\n## 18.8.3\n\n- gitlab: upgrade CE to v18.8.3\n- gitaly: upgrade to v18.8.3\n- gitlab-pages: upgrade to v18.8.3\n\n## 18.8.2\n\n- gitlab: upgrade CE to v18.8.2\n- gitaly: upgrade to v18.8.2\n- gitlab-pages: upgrade to v18.8.2\n\n## 18.8.1\n\n- gitlab: upgrade CE to v18.8.1\n- gitaly: upgrade to v18.8.1\n- gitlab-pages: upgrade to v18.8.1\n\n## 18.8.0\n\n- gitlab: upgrade CE to v18.8.0\n- gitaly: upgrade to v18.8.0\n- gitlab-pages: upgrade to v18.8.0\n- golang: upgrade to v1.24.12\n- ruby: upgrade to v3.2.10\n- ubuntu: upgrade to noble-20260113\n\n## 18.7.1\n\n- gitlab: upgrade CE to v18.7.1\n- gitaly: upgrade to v18.7.1\n- gitlab-pages: upgrade to v18.7.1\n\n## 18.7.0\n\n- gitlab: upgrade CE to v18.7.0\n- gitaly: upgrade to v18.7.0\n- gitlab-pages: upgrade to v18.7.0\n- gitlab-shell: upgrade to v14.45.5\n\n## 18.6.2\n\n- gitlab: upgrade CE to v18.6.2\n- gitaly: upgrade to v18.6.2\n- gitlab-pages: upgrade to v18.6.2\n- golang: upgrade to v1.24.11\n\n## 18.6.1\n\n- gitlab: upgrade CE to v18.6.1\n- gitaly: upgrade to v18.6.1\n- gitlab-pages: upgrade to 
v18.6.1\n\n## 18.6.0\n\n- gitlab: upgrade CE to v18.6.0\n- gitaly: upgrade to v18.6.0\n- gitlab-pages: upgrade to v18.6.0\n- ubuntu: upgrade to noble-20251013\n\n## 18.5.2\n\n- gitlab: upgrade CE to v18.5.2\n- gitaly: upgrade to v18.5.2\n- gitlab-pages: upgrade to v18.5.2\n- golang: upgrade to v1.24.10\n\n## 18.5.1\n\n- gitlab: upgrade CE to v18.5.1\n- gitaly: upgrade to v18.5.1\n- gitlab-pages: upgrade to v18.5.1\n\n## 18.5.0\n\n- gitlab: upgrade CE to v18.5.0\n- gitaly: upgrade to v18.5.0\n- gitlab-pages: upgrade to v18.5.0\n- gitlab-shell: upgrade to v14.45.3\n- golang: upgrade to v1.24.9\n- ubuntu: upgrade to noble-20251001\n\n## 18.4.2\n\n- gitlab: upgrade CE to v18.4.2\n- gitaly: upgrade to v18.4.2\n- gitlab-pages: upgrade to v18.4.2\n- golang: upgrade to v1.24.8\n- ubuntu: upgrade to noble-20250925\n\n## 18.4.1\n\n- gitlab: upgrade CE to v18.4.1\n- gitaly: upgrade to v18.4.1\n- gitlab-pages: upgrade to v18.4.1\n- ubuntu: upgrade to noble-20250910\n\n## 18.4.0\n\n- gitlab: upgrade CE to v18.4.0\n- gitaly: upgrade to v18.4.0\n- gitlab-pages: upgrade to v18.4.0\n- ubuntu: upgrade to noble-20250910\n\n## 18.3.2\n\n- gitlab: upgrade CE to v18.3.2\n- gitaly: upgrade to v18.3.2\n- gitlab-pages: upgrade to v18.3.2\n- gitlab-shell: upgrade to v14.45.2\n- golang: upgrade to v1.24.7\n- rubygems: upgrade to v3.7.2\n- ubuntu: upgrade to noble-20250805\n\n## 18.3.1\n\n- gitlab: upgrade CE to v18.3.1\n- gitaly: upgrade to v18.3.1\n- gitlab-pages: upgrade to v18.3.1\n\n## 18.3.0\n\n- gitlab: upgrade CE to v18.3.0\n- gitaly: upgrade to v18.3.0\n- gitlab-pages: upgrade to v18.3.0\n\n## 18.2.4\n\n- gitlab: upgrade CE to v18.2.4\n- gitaly: upgrade to v18.2.4\n- gitlab-pages: upgrade to v18.2.4\n- gitlab-shell: upgrade to v14.44.0\n\n## 18.2.2\n\n- gitlab: upgrade CE to v18.2.2\n- gitaly: upgrade to v18.2.2\n- gitlab-pages: upgrade to v18.2.2\n- golang: upgrade to v1.24.6\n- ubuntu: upgrade to noble-20250716\n\n## 18.2.1\n\n- gitlab: upgrade CE to v18.2.1\n- gitaly: upgrade to 
v18.2.1\n- gitlab-pages: upgrade to v18.2.1\n- ruby: upgrade to v3.2.9\n- rubygems: upgrade to v3.7.1\n\n## 18.2.0\n\n- gitlab: upgrade CE to v18.2.0\n- gitaly: upgrade to v18.2.0\n- gitlab-pages: upgrade to v18.2.0\n- gitlab-shell: upgrade to v14.43.0\n- rubygems: upgrade to v3.7.0\n- ubuntu: upgrade to noble-20250714\n\n## 18.1.2\n\n- gitlab: upgrade CE to v18.1.2\n- gitaly: upgrade to v18.1.2\n- gitlab-pages: upgrade to v18.1.2\n- golang: upgrade to v1.24.5\n- ubuntu: upgrade to noble-20250619\n\n## 18.1.1\n\n- gitlab: upgrade CE to v18.1.1\n- gitaly: upgrade to v18.1.1\n- gitlab-pages: upgrade to v18.1.1\n\n## 18.1.0\n\n- gitlab: upgrade CE to v18.1.0\n- gitaly: upgrade to v18.1.0\n- gitlab-pages: upgrade to v18.1.0\n\n## 18.0.2\n\n- gitlab: upgrade CE to v18.0.2\n- gitaly: upgrade to v18.0.2\n- gitlab-pages: upgrade to v18.0.2\n- golang: upgrade to v1.24.4\n- ubuntu: upgrade to noble-20250529\n\n## 18.0.1\n\n- gitlab: upgrade CE to v18.0.1\n- gitaly: upgrade to v18.0.1\n- gitlab-pages: upgrade to v18.0.1\n- gitlab-shell: upgrade to v14.42.0\n\n## 18.0.0\n\n- gitlab: upgrade CE to v18.0.0\n- gitaly: upgrade to v18.0.0\n- gitlab-pages: upgrade to v18.0.0\n- redis: upgrade to v7\n- rubygems: upgrade to v3.6.9\n- ubuntu: upgrade to noble-20250415.1\n\n## 17.11.2\n\n- gitlab: upgrade CE to v17.11.2\n- gitaly: upgrade to v17.11.2\n- gitlab-pages: upgrade to v17.11.2\n- golang: upgrade to v1.24.3\n- ubuntu: upgrade to jammy-20250415.1\n\n## 17.11.1\n\n- gitlab: upgrade CE to v17.11.1\n- gitaly: upgrade to v17.11.1\n- gitlab-pages: upgrade to v17.11.1\n- rubygems: upgrade to v3.6.8\n\n## 17.11.0\n\n- gitlab: upgrade CE to v17.11.0\n- gitaly: upgrade to v17.11.0\n- gitlab-pages: upgrade to v17.11.0\n\n## 17.10.4\n\n- gitlab: upgrade CE to v17.10.4\n- gitaly: upgrade to v17.10.4\n- gitlab-pages: upgrade to v17.10.4\n- ubuntu: upgrade to jammy-20250404\n\n## 17.10.3\n\n- gitlab: upgrade CE to v17.10.3\n- gitaly: upgrade to v17.10.3\n- gitlab-pages: upgrade to v17.10.3\n- 
golang: upgrade to v1.24.2\n- ruby: upgrade to v3.2.8\n\n## 17.10.1\n\n- gitlab: upgrade CE to v17.10.1\n- gitaly: upgrade to v17.10.1\n- gitlab-pages: upgrade to v17.10.1\n\n## 17.10.0\n\n- gitlab: upgrade CE to v17.10.0\n- gitaly: upgrade to v17.10.0\n- gitlab-pages: upgrade to v17.10.0\n- golang: upgrade to v1.24.1\n- rubygems: upgrade to v3.6.6\n\n## 17.9.2\n\n- gitlab: upgrade CE to v17.9.2\n- gitaly: upgrade to v17.9.2\n- gitlab-pages: upgrade to v17.9.2\n\n## 17.9.1\n\n- gitlab: upgrade CE to v17.9.1\n- gitaly: upgrade to v17.9.1\n- gitlab-pages: upgrade to v17.9.1\n\n## 17.9.0\n\n- gitlab: upgrade CE to v17.9.0\n- gitaly: upgrade to v17.9.0\n- gitlab-pages: upgrade to v17.9.0\n- gitlab-shell: upgrade to v14.40.0\n- golang: upgrade to v1.24.0\n- rubygems: upgrade to v3.5.23\n- ubuntu: upgrade to jammy-20250126\n\n## 17.8.2\n\n- gitlab: upgrade CE to v17.8.2\n- gitaly: upgrade to v17.8.2\n- gitlab-pages: upgrade to v17.8.2\n- golang: upgrade to v1.23.6\n- ruby: upgrade to v3.2.7\n\n## 17.8.1\n\n- gitlab: upgrade CE to v17.8.1\n- gitaly: upgrade to v17.8.1\n- gitlab-pages: upgrade to v17.8.1\n\n## 17.8.0\n\n- gitlab: upgrade CE to v17.8.0\n- gitaly: upgrade to v17.8.0\n- gitlab-pages: upgrade to v17.8.0\n\n## 17.7.1\n\n- gitlab: upgrade CE to v17.7.1\n- gitaly: upgrade to v17.7.1\n- gitlab-pages: upgrade to v17.7.1\n\n## 17.7.0\n\n- gitlab: upgrade CE to v17.7.0\n- gitaly: upgrade to v17.7.0\n- gitlab-pages: upgrade to v17.7.0\n- ubuntu: upgrade to jammy-20240911.1\n- update healthcheck for postgresql\n\n## 17.6.3\n\n- gitlab: upgrade CE to v17.6.3\n- gitaly: upgrade to v17.6.3\n- gitlab-pages: upgrade to v17.6.3\n\n## 17.6.2\n\n- gitlab: upgrade CE to v17.6.2\n- gitaly: upgrade to v17.6.2\n- gitlab-pages: upgrade to v17.6.2\n\n## 17.6.1\n\n- gitlab: upgrade CE to v17.6.1\n- gitlab-pages: upgrade to v17.6.1\n- gitaly: upgrade to v17.6.1\n- golang: upgrade to v1.23.5\n\n## 17.6.0\n\n- gitlab: upgrade CE to v17.6.0\n- gitaly: upgrade to v17.6.0\n- gitlab-pages: 
upgrade to v17.6.0\n\n## 17.5.2\n\n- gitlab: upgrade CE to v17.5.2\n- gitaly: upgrade to v17.5.2\n- gitlab-pages: upgrade to v17.5.2\n- golang: upgrade to v1.23.2\n- ruby: upgrade to v3.2.6\n\n## 17.5.1\n\n- gitlab: upgrade CE to v17.5.1\n- gitaly: upgrade to v17.5.1\n- gitlab-pages: upgrade to v17.5.1\n\n## 17.5.0\n\n- gitlab: upgrade CE to v17.5.0\n- gitaly: upgrade to v17.5.0\n- gitlab-pages: upgrade to v17.5.0\n- ubuntu: upgrade to focal-20241011\n\n## 17.4.2\n\n- gitlab: upgrade CE to v17.4.2\n- gitaly: upgrade to v17.4.2\n- gitlab-pages: upgrade to v17.4.2\n- golang: upgrade to v1.23.2\n- ubuntu: upgrade to focal-20240918\n\n## 17.4.1\n\n- gitlab: upgrade CE to v17.4.1\n- gitaly: upgrade to v17.4.1\n- gitlab-pages: upgrade to v17.4.1\n\n## 17.4.0\n\n- gitlab: upgrade CE to v17.4.0\n- gitaly: upgrade to v17.4.0\n- gitlab-pages: upgrade to v17.4.0\n- gitlab-shell: upgrade to v14.39.0\n\n## 17.3.3\n\n- gitlab: upgrade CE to v17.3.3\n- gitaly: upgrade to v17.3.3\n- gitlab-pages: upgrade to v17.3.3\n\n## 17.3.2\n\n- gitlab: upgrade CE to v17.3.2\n- gitaly: upgrade to v17.3.2\n- gitlab-pages: upgrade to v17.3.2\n- golang: upgrade to v1.23.1\n\n## 17.3.1\n\n- gitlab: upgrade CE to v17.3.1\n- gitaly: upgrade to v17.3.1\n- gitlab-pages: upgrade to v17.3.1\n\n## 17.3.0\n\n- gitlab: upgrade CE to v17.3.0\n- gitaly: upgrade to v17.3.0\n- gitlab-pages: upgrade to v17.3.0\n- gitlab-shell: upgrade to v14.38.0\n- golang: upgrade to v1.23.0\n\n## 17.2.2\n\n- gitlab: upgrade CE to v17.2.2\n- gitaly: upgrade to v17.2.2\n- gitlab-pages: upgrade to v17.2.2\n- golang: upgrade to v1.22.6\n\n## 17.2.1\n\n- gitlab: upgrade CE to v17.2.1\n- gitaly: upgrade to v17.2.1\n- gitlab-pages: upgrade to v17.2.1\n- ruby: upgrade to v3.2.5\n\n## 17.2.0\n\n- gitlab: upgrade CE to v17.2.0\n- gitaly: upgrade to v17.2.0\n- gitlab-pages: upgrade to v17.2.0\n- gitlab-shell: upgrade to v14.37.0\n\n## 17.1.2\n\n- gitlab: upgrade CE to v17.1.2\n- gitaly: upgrade to v17.1.2\n- gitlab-pages: upgrade to 
v17.1.2\n- golang: upgrade to v1.22.5\n\n## 17.1.1\n\n- gitlab: upgrade CE to v17.1.1\n- gitaly: upgrade to v17.1.1\n- gitlab-pages: upgrade to v17.1.1\n\n## 17.1.0\n\n- gitlab: upgrade CE to v17.1.0\n- gitaly: upgrade to v17.1.0\n- gitlab-pages: upgrade to v17.1.0\n- gitlab-shell: upgrade to v14.36.0\n\n## 17.0.2\n\n- gitlab: upgrade CE to v17.0.2\n- gitaly: upgrade to v17.0.2\n- gitlab-pages: upgrade to v17.0.2\n- golang: upgrade to v1.22.4\n- ubuntu: upgrade to focal-20240530\n\n## 17.0.1\n\n- gitlab: upgrade CE to v17.0.1\n- gitaly: upgrade to v17.0.1\n- gitlab-pages: upgrade to v17.0.1\n\n## 17.0.0\n\n- gitlab: upgrade CE to v17.0.0\n- gitaly: upgrade to v17.0.0\n- gitlab-pages: upgrade to v17.0.0\n- gitlab-shell: upgrade to v14.35.0\n\n## 16.11.2\n\n- gitlab: upgrade CE to v16.11.2\n- gitaly: upgrade to v16.11.2\n- gitlab-pages: upgrade to v16.11.2\n- golang: upgrade to v1.22.3\n- ubuntu: upgrade to focal-20240427\n\n## 16.11.1\n\n- gitlab: upgrade CE to v16.11.1\n- gitaly: upgrade to v16.11.1\n- gitlab-pages: upgrade to v16.11.1\n- ruby: upgrade to v3.2.4\n- ubuntu: upgrade to focal-20240416\n\n## 16.11.0\n\n- gitlab: upgrade CE to v16.11.0\n- gitaly: upgrade to v16.11.0\n- gitlab-pages: upgrade to v16.11.0\n- gitlab-shell: upgrade to v14.35.0\n\n## 16.10.3\n\n- gitlab: upgrade CE to v16.10.3\n- gitaly: upgrade to v16.10.3\n- gitlab-pages: upgrade to v16.10.3\n- ubuntu: upgrade to focal-20240410\n\n## 16.10.2\n\n- gitlab: upgrade CE to v16.10.2\n- gitaly: upgrade to v16.10.2\n- gitlab-pages: upgrade to v16.10.2\n- golang: upgrade to v1.22.2\n\n## 16.10.1\n\n- gitlab: upgrade CE to v16.10.1\n- gitaly: upgrade to v16.10.1\n- gitlab-pages: upgrade to v16.10.1\n\n## 16.10.0\n\n- gitlab: upgrade CE to v16.10.0\n- gitaly: upgrade to v16.10.0\n- gitlab-pages: upgrade to v16.10.0\n- gitlab-shell: upgrade to v14.34.0\n\n## 16.9.2\n\n- gitlab: upgrade CE to v16.9.2\n- gitaly: upgrade to v16.9.2\n- gitlab-pages: upgrade to v16.9.2\n- golang: upgrade to v1.22.1\n- 
ubuntu: upgrade to focal-20240216\n\n## 16.9.1\n\n- gitlab: upgrade CE to v16.9.1\n- gitaly: upgrade to v16.9.1\n- gitlab-pages: upgrade to v16.9.1\n\n## 16.9.0\n\n- gitlab: upgrade CE to v16.9.0\n- gitaly: upgrade to v16.9.0\n- gitlab-pages: upgrade to v16.9.0\n\n## 16.8.2\n\n- gitlab: upgrade CE to v16.8.2\n- gitaly: upgrade to v16.8.2\n- gitlab-pages: upgrade to v16.8.2\n- golang: upgrade to v1.22.0\n- ubuntu: upgrade to focal-20240123\n\n## 16.8.1\n\n- gitlab: upgrade CE to v16.8.1\n- gitaly: upgrade to v16.8.1\n- gitlab-pages: upgrade to v16.8.1\n- gitlab-shell: upgrade to v14.33.0\n\n## 16.8.0\n\n- gitlab: upgrade CE to v16.8.0\n- gitaly: upgrade to v16.8.0\n- gitlab-pages: upgrade to v16.8.0\n\n## 16.7.3\n\n- gitlab: upgrade CE to v16.7.3\n- gitaly: upgrade to v16.7.3\n- gitlab-pages: upgrade to v16.7.3\n\n## 16.7.2\n\n- gitlab: upgrade CE to v16.7.2\n- gitaly: upgrade to v16.7.2\n- gitlab-pages: upgrade to v16.7.2\n- golang: upgrade to v1.21.6\n\n## 16.7.0\n\n- gitlab: upgrade CE to v16.7.0\n- gitaly: upgrade to v16.7.0\n- gitlab-pages: upgrade to v16.7.0\n- gitlab-shell: upgrade to v14.32.0\n- ruby: upgrade to v3.1.4\n\n## 16.6.2\n\n- gitlab: upgrade CE to v16.6.2\n- gitaly: upgrade to v16.6.2\n- gitlab-pages: upgrade to v16.6.2\n- golang: upgrade to v1.21.5\n- ubuntu: upgrade to focal-20231211\n\n## 16.6.1\n\n- gitlab: upgrade CE to v16.6.1\n- gitaly: upgrade to v16.6.1\n- gitlab-pages: upgrade to v16.6.1\n- ubuntu: upgrade to focal-20231128\n\n## 16.6.0\n\n- gitlab: upgrade CE to v16.6.0\n- gitaly: upgrade to v16.6.0\n- gitlab-pages: upgrade to v16.6.0\n- gitlab-shell: upgrade to v14.30.0\n- golang: upgrade to v1.21.4\n\n## 16.5.1\n\n- gitlab: upgrade CE to v16.5.1\n- gitaly: upgrade to v16.5.1\n- gitlab-pages: upgrade to v16.5.1\n\n## 16.5.0\n\n- gitlab: upgrade CE to v16.5.0\n- gitaly: upgrade to v16.5.0\n- gitlab-pages: upgrade to v16.5.0\n- gitlab-shell: upgrade to v14.29.0\n- golang: upgrade to v1.21.3\n- ubuntu: upgrade to focal-20231003\n\n## 
16.4.1\n\n- gitlab: upgrade CE to v16.4.1\n- gitaly: upgrade to v16.4.1\n- gitlab-pages: upgrade to v16.4.1\n\n## 16.4.0\n\n- gitlab: upgrade CE to v16.4.0\n- gitaly: upgrade to v16.4.0\n- gitlab-pages: upgrade to v16.4.0\n- gitlab-shell: upgrade to v14.28.0\n\n## 16.3.4\n\n- gitlab: upgrade CE to v16.3.4\n- gitaly: upgrade to v16.3.4\n- gitlab-pages: upgrade to v16.3.4\n\n## 16.3.3\n\n- gitlab: upgrade CE to v16.3.3\n- gitaly: upgrade to v16.3.3\n- gitlab-pages: upgrade to v16.3.3\n\n## 16.3.2\n\n- gitlab: upgrade CE to v16.3.2\n- gitaly: upgrade to v16.3.2\n- gitlab-pages: upgrade to v16.3.2\n- golang: upgrade to v1.21.1\n\n## 16.3.1\n\n- gitlab: upgrade CE to v16.3.1\n- gitaly: upgrade to v16.3.1\n- gitlab-pages: upgrade to v16.3.1\n\n## 16.3.0\n\n- gitlab: upgrade CE to v16.3.0\n- gitaly: upgrade to v16.3.0\n- gitlab-pages: upgrade to v16.3.0\n\n## 16.2.4\n\n- gitlab: upgrade CE to v16.2.4\n- gitaly: upgrade to v16.2.4\n- gitlab-pages: upgrade to v16.2.4\n- golang: upgrade to v1.21.0\n\n## 16.2.3\n\n- gitlab: upgrade CE to v16.2.3\n- gitaly: upgrade to v16.2.3\n- gitlab-pages: upgrade to v16.2.3\n\n## 16.2.2\n\n- gitlab: upgrade CE to v16.2.2\n- gitaly: upgrade to v16.2.2\n- gitlab-pages: upgrade to v16.2.2\n- golang: upgrade to v1.20.7\n- ubuntu: upgrade to focal-20230801\n\n## 16.2.1\n\n- gitlab: upgrade CE to v16.2.1\n- gitaly: upgrade to v16.2.1\n- gitlab-pages: upgrade to v16.2.1\n\n## 16.2.0\n\n- gitlab: upgrade CE to v16.2.0\n- gitaly: upgrade to v16.2.0\n- gitlab-pages: upgrade to v16.2.0\n- golang: upgrade to v1.20.6\n\n## 16.1.2\n\n- gitlab: upgrade CE to v16.1.2\n- gitaly: upgrade to v16.1.2\n- gitlab-pages: upgrade to v16.1.2\n- ubuntu: upgrade to focal-20230624\n\n## 16.1.1\n\n- gitlab: upgrade CE to v16.1.1\n- gitaly: upgrade to v16.1.1\n- gitlab-pages: upgrade to v16.1.1\n\n## 16.1.0\n\n- gitlab: upgrade CE to v16.1.0\n- gitaly: upgrade to v16.1.0\n- gitlab-pages: upgrade to v16.1.0\n- gitlab-shell: upgrade to v14.23.0\n\n## 16.0.5\n\n- gitlab: 
upgrade CE to v16.0.5\n- gitaly: upgrade to v16.0.5\n- gitlab-pages: upgrade to v16.0.5\n- ubuntu: upgrade to focal-20230605\n\n## 16.0.4\n\n- gitlab: upgrade CE to v16.0.4\n- gitaly: upgrade to v16.0.4\n- gitlab-pages: upgrade to v16.0.4\n\n## 16.0.3\n\n- gitlab: upgrade CE to v16.0.3\n- gitaly: upgrade to v16.0.3\n- gitlab-pages: upgrade to v16.0.3\n\n## 16.0.2\n\n- gitlab: upgrade CE to v16.0.2\n- gitaly: upgrade to v16.0.2\n- gitlab-pages: upgrade to v16.0.2\n- golang: upgrade to v1.20.5\n\n## 16.0.1\n\n- gitlab: upgrade CE to v16.0.1\n- gitaly: upgrade to v16.0.1\n- gitlab-pages: upgrade to v16.0.1\n\n## 16.0.0\n\n- gitlab: upgrade CE to v16.0.0\n- gitaly: upgrade to v16.0.0\n- gitlab-pages: upgrade to v16.0.0\n- gitlab-shell: upgrade to v14.20.0\n\n## 15.11.5\n\n- gitlab: upgrade CE to v15.11.5\n- gitaly: upgrade to v15.11.5\n- gitlab-pages: upgrade to v15.11.5\n\n## 15.11.4\n\n- gitlab: upgrade CE to v15.11.4\n- gitaly: upgrade to v15.11.4\n- gitlab-pages: upgrade to v15.11.4\n\n## 15.11.3\n\n- gitlab: upgrade CE to v15.11.3\n- gitaly: upgrade to v15.11.3\n- gitlab-pages: upgrade to v15.11.3\n- ruby: upgrade to v3.0.6\n\n## 15.11.2\n\n- gitlab: upgrade CE to v15.11.2\n- gitaly: upgrade to v15.11.2\n- gitlab-pages: upgrade to v15.11.2\n\n## 15.11.1\n\n- gitlab: upgrade CE to v15.11.1\n- gitaly: upgrade to v15.11.1\n- gitlab-pages: upgrade to v15.11.1\n- golang: upgrade to v1.20.4\n\n## 15.11.0\n\n- gitlab: upgrade CE to v15.11.0\n- gitaly: upgrade to v15.11.0\n- gitlab-pages: upgrade to v15.11.0\n- ubuntu: upgrade to focal-20230412\n\n## 15.10.3\n\n- gitlab: upgrade CE to v15.10.3\n- gitaly: upgrade to v15.10.3\n- gitlab-pages: upgrade to v15.10.3\n\n## 15.10.2\n\n- gitlab: upgrade CE to v15.10.2\n- gitaly: upgrade to v15.10.2\n- gitlab-pages: upgrade to v15.10.2\n- golang: upgrade to v1.20.3\n\n## 15.10.1\n\n- gitlab: upgrade CE to v15.10.1\n- gitaly: upgrade to v15.10.1\n- gitlab-pages: upgrade to v15.10.1\n- ruby: upgrade to v2.7.8\n- ubuntu: upgrade to 
focal-20230308\n\n## 15.10.0\n\n- gitlab: upgrade CE to v15.10.0\n- gitaly: upgrade to v15.10.0\n- gitlab-pages: upgrade to v15.10.0\n- gitlab-shell: upgrade to v14.18.0\n- ubuntu: upgrade to focal-20230308\n\n## 15.9.3\n\n- gitlab: upgrade CE to v15.9.3\n- gitaly: upgrade to v15.9.3\n- gitlab-pages: upgrade to v15.9.3\n- golang: upgrade to v1.20.2\n\n## 15.9.2\n\n- gitlab: upgrade CE to v15.9.2\n- gitaly: upgrade to v15.9.2\n- gitlab-pages: upgrade to v15.9.2\n- ubuntu: upgrade to focal-20230301\n\n## 15.9.1\n\n- gitlab: upgrade CE to v15.9.1\n- gitaly: upgrade to v15.9.1\n- gitlab-pages: upgrade to v15.9.1\n\n## 15.9.0\n\n- gitlab: upgrade CE to v15.9.0\n- gitaly: upgrade to v15.9.0\n- gitlab-pages: upgrade to v15.9.0\n- gitlab-shell: upgrade to v14.17.0\n\n## 15.8.2\n\n- gitlab: upgrade CE to v15.8.2\n- gitaly: upgrade to v15.8.2\n- gitlab-pages: upgrade to v15.8.2\n- golang: upgrade to v1.19.6\n\n## 15.8.1\n\n- gitlab: upgrade CE to v15.8.1\n- gitaly: upgrade to v15.8.1\n- gitlab-pages: upgrade to v15.8.1\n- ubuntu: upgrade to focal-20230126\n\n## 15.8.0-1\n\n- ruby: rollback to v2.7.7\n\n## 15.8.0\n\n- gitlab: upgrade CE to v15.8.0\n- gitaly: upgrade to v15.8.0\n- gitlab-pages: upgrade to v15.8.0\n- gitlab-shell: upgrade to v14.15.0\n- golang: upgrade to v1.18.10\n\n## 15.7.5\n\n- gitlab: upgrade CE to v15.7.5\n- gitaly: upgrade to v15.7.5\n- gitlab-pages: upgrade to v15.7.5\n\n## 15.7.3\n\n- gitlab: upgrade CE to v15.7.3\n- gitaly: upgrade to v15.7.3\n- gitlab-pages: upgrade to v15.7.3\n\n## 15.7.2\n\n- gitlab: upgrade CE to v15.7.2\n- gitaly: upgrade to v15.7.2\n- gitlab-pages: upgrade to v15.7.2\n\n## 15.7.1\n\n- gitlab: upgrade CE to v15.7.1\n- gitaly: upgrade to v15.7.1\n- gitlab-pages: upgrade to v15.7.1\n\n## 15.7.0\n\n- gitlab: upgrade CE to v15.7.0\n- gitaly: upgrade to v15.7.0\n- gitlab-pages: upgrade to v15.7.0\n- gitlab-shell: upgrade to v14.14.0\n- ruby: upgrade to v3.0.5\n\n## 15.6.3\n\n- gitlab: upgrade CE to v15.6.3\n- gitaly: upgrade to 
v15.6.3\n- gitlab-pages: upgrade to v15.6.3\n- ubuntu: upgrade to focal-20221130\n- ruby: upgrade to v2.7.7\n- ruby: upgrade to v3.0.4\n\n## 15.6.2\n\n- gitlab: upgrade CE to v15.6.2\n- gitaly: upgrade to v15.6.2\n\n## 15.6.1\n\n- gitlab: upgrade CE to v15.6.1\n- gitaly: upgrade to v15.6.1\n\n## 15.6.0\n\n- gitlab: upgrade CE to v15.6.0\n- gitaly: upgrade to v15.6.0\n- gitlab-shell: upgrade to v14.13.0\n- gitlab-pages: upgrade to v1.63.0\n- golang: upgrade to v1.18.8\n\n## 15.5.4\n\n- gitlab: upgrade CE to v15.5.4\n- gitaly: upgrade to v15.5.4\n\n## 15.5.3\n\n- gitlab: upgrade CE to v15.5.3\n- gitaly: upgrade to v15.5.3\n\n## 15.5.2\n\n- gitlab: upgrade CE to v15.5.2\n- gitaly: upgrade to v15.5.2\n- ubuntu: upgrade to focal-20221019\n\n## 15.5.1\n\n- gitlab: upgrade CE to v15.5.1\n- gitaly: upgrade to v15.5.1\n\n## 15.5.0\n\n- gitlab: upgrade CE to v15.5.0\n- gitaly: upgrade to v15.5.0\n- gitlab-shell: upgrade to v14.12.0\n\n## 15.4.3\n\n- gitlab: upgrade CE to v15.4.3\n- gitaly: upgrade to v15.4.3\n- ubuntu: upgrade to focal-20220922\n\n## 15.4.2\n\n- gitlab: upgrade CE to v15.4.2\n- gitaly: upgrade to v15.4.2\n\n## 15.4.1\n\n- gitlab: upgrade CE to v15.4.1\n- gitaly: upgrade to v15.4.1\n\n## 15.4.0\n\n- gitlab: upgrade CE to v15.4.0\n- gitaly: upgrade to v15.4.0\n- ubuntu: upgrade to focal-20220826\n\n## 15.3.3\n\n- gitlab: upgrade CE to v15.3.3\n- gitaly: upgrade to v15.3.3\n\n## 15.3.2\n\n- gitlab: upgrade CE to v15.3.2\n- gitaly: upgrade to v15.3.2\n\n## 15.3.1\n\n- gitlab: upgrade CE to v15.3.1\n- gitaly: upgrade to v15.3.1\n\n## 15.3.0\n\n- gitlab: upgrade CE to v15.3.0\n- gitaly: upgrade to v15.3.0\n- gitlab-shell: upgrade to v14.10.0\n- gitlab-pages: upgrade to v1.62.0\n- ubuntu: upgrade to focal-20220801\n\n## 15.2.2\n\n- gitlab: upgrade CE to v15.2.2\n- gitaly: upgrade to v15.2.2\n- golang: upgrade to v1.17.13\n\n## 15.2.1\n\n- gitlab: upgrade CE to v15.2.1\n- gitaly: upgrade to v15.2.1\n- gitlab-pages: upgrade to v1.61.1\n\n## 15.2.0\n\n- gitlab: upgrade 
CE to v15.2.0\n- gitaly: upgrade to v15.2.0\n- gitlab-shell: upgrade to v14.9.0\n- gitlab-pages: upgrade to v1.61.0\n- golang: upgrade to v1.17.12\n\n## 15.1.3\n\n- gitlab: upgrade CE to v15.1.3\n- gitaly: upgrade to v15.1.3\n\n## 15.1.2\n\n- gitlab: upgrade CE to v15.1.2\n- gitaly: upgrade to v15.1.2\n\n## 15.1.1\n\n- gitlab: upgrade CE to v15.1.1\n- gitaly: upgrade to v15.1.1\n\n## 15.1.0\n\n- gitlab: upgrade CE to v15.1.0\n- gitaly: upgrade to v15.1.0\n- gitlab-shell: upgrade to v14.7.4\n- gitlab-pages: upgrade to v1.59.0\n\n## 15.0.3\n\n- gitlab: upgrade CE to v15.0.3\n- gitaly: upgrade to v15.0.3\n\n## 15.0.2\n\n- gitlab: upgrade CE to v15.0.2\n- gitaly: upgrade to v15.0.2\n- ubuntu: upgrade to focal-20220531\n\n## 15.0.1\n\n- gitlab: upgrade CE to v15.0.1\n- gitaly: upgrade to v15.0.1\n- golang: upgrade to v1.17.11\n\n## 15.0.0\n\n- gitlab: upgrade CE to v15.0.0\n- gitaly: upgrade to v15.0.0\n- golang: upgrade to v1.17.10\n- gitlab-shell: upgrade to v14.3.0\n- gitlab-pages: upgrade to v1.58.0\n\n## 14.10.3\n\n- gitlab: upgrade CE to v14.10.3\n- gitaly: upgrade to v14.10.3\n\n## 14.10.2\n\n- gitlab: upgrade CE to v14.10.2\n- gitaly: upgrade to v14.10.2\n- ubuntu: upgrade to focal-20220426\n\n## 14.10.1\n\n- gitlab: upgrade CE to v14.10.1\n- gitaly: upgrade to v14.10.1\n- ubuntu: upgrade to focal-20220426\n\n## 14.10.0\n\n- gitlab: upgrade CE to v14.10.0\n- gitaly: upgrade to v14.10.0\n- gitlab-shell: upgrade to v13.25.1\n- ubuntu: upgrade to focal-20220415\n\n## 14.9.3\n\n- gitlab: upgrade CE to v14.9.3\n- gitaly: upgrade to v14.9.3\n- golang: upgrade to v1.17.9\n- ruby: upgrade to v2.7.6\n- ubuntu: upgrade to focal-20220404\n\n## 14.9.2\n\n- gitlab: upgrade CE to v14.9.2\n- gitaly: upgrade to v14.9.2\n- gitlab-pages: upgrade to v1.56.1\n\n## 14.9.1\n\n- gitlab: upgrade CE to v14.9.1\n- gitaly: upgrade to v14.9.1\n\n## 14.9.0\n\n- gitlab: upgrade CE to v14.9.0\n- gitaly: upgrade to v14.9.0\n- gitlab-pages: upgrade to v1.56.0\n- gitlab-shell: upgrade to 
v13.24.0\n\n## 14.8.4\n\n- gitlab: upgrade CE to v14.8.4\n- gitaly: upgrade to v14.8.4\n\n## 14.8.3\n\n- gitlab: upgrade CE to v14.8.3\n- gitaly: upgrade to v14.8.3\n- golang: upgrade to v1.17.8\n- ubuntu: upgrade to focal-20220316\n\n## 14.8.2\n\n- gitlab: upgrade CE to v14.8.2\n- gitaly: upgrade to v14.8.2\n\n## 14.8.1\n\n- gitlab: upgrade CE to v14.8.1\n- gitaly: upgrade to v14.8.1\n\n## 14.8.0\n\n- gitlab: upgrade CE to v14.8.0\n- gitaly: upgrade to v14.8.0\n- gitlab-pages: upgrade to v1.54.0\n- gitlab-shell: v13.23.2\n\n## 14.7.3\n\n- gitlab: upgrade CE to v14.7.3\n- gitaly: upgrade to v14.7.3\n- golang: upgrade to v1.17.7\n\n## 14.7.2\n\n- gitlab: upgrade CE to v14.7.2\n- gitaly: upgrade to v14.7.2\n- ubuntu: upgrade to focal-20220113\n\n## 14.7.1\n\n- gitlab: upgrade CE to v14.7.1\n- gitaly: upgrade to v14.7.1\n\n## 14.7.0\n\n- gitlab: upgrade CE to v14.7.0\n- gitaly: upgrade to v14.7.0\n- gitlab-shell: v13.22.2\n- gitlab-pages: upgrade to v1.51.0\n\n## 14.6.3\n\n- gitlab: upgrade CE to v14.6.3\n- gitaly: upgrade to v14.6.3\n\n## 14.6.2\n\n- gitlab: upgrade CE to v14.6.2\n- gitaly: upgrade to v14.6.2\n- golang: upgrade to v1.17.6\n- ubuntu: upgrade to focal-20220105\n\n## 14.6.1\n\n- gitlab: upgrade CE to v14.6.1\n- gitaly: upgrade to v14.6.1\n\n## 14.6.0\n\n- gitlab: upgrade CE to v14.6.0\n- gitaly: upgrade to v14.6.0\n- gitlab-pages: upgrade to v1.49.0\n\n## 14.5.2\n\n- gitlab: upgrade CE to v14.5.2\n- gitaly: upgrade to v14.5.2\n- golang: upgrade to v1.17.5\n\n## 14.5.1\n\n- gitlab: upgrade CE to v14.5.1\n- gitaly: upgrade to v14.5.1\n- gitlab-shell: v13.22.1\n\n## 14.5.0\n\n- gitlab: upgrade CE to v14.5.0\n- gitaly: upgrade to v14.5.0\n- gitlab-pages: upgrade to v1.48.0\n- gitlab-shell: v13.22.0\n\n## 14.4.4\n\n- gitlab: upgrade CE to v14.4.4\n- gitaly: upgrade to v14.4.4\n- ruby: upgrade to v2.7.5\n\n## 14.4.3\n\n- gitlab: upgrade CE to v14.4.3\n- gitaly: upgrade to v14.4.3\n- golang: upgrade to v1.17.4\n\n## 14.4.2\n\n- gitlab: upgrade CE to v14.4.2\n- 
gitaly: upgrade to v14.4.2\n- redis: upgrade to v6.2.6\n\n## 14.4.1\n\n- gitlab: upgrade CE to v14.4.1\n- gitaly: upgrade to v14.4.1\n\n## 14.4.0\n\n- gitlab: upgrade CE to v14.4.0\n- gitaly: upgrade to v14.4.0\n- gitlab-pages: upgrade to v1.46.0\n\n## 14.3.3\n\n- gitlab: upgrade CE to v14.3.3\n- gitaly: upgrade to v14.3.3\n\n## 14.3.2\n\n- gitlab: upgrade CE to v14.3.2\n- gitaly: upgrade to v14.3.2\n- gitlab-shell: v13.21.1\n\n## 14.3.1\n\n- gitlab: upgrade CE to v14.3.1\n- gitaly: upgrade to v14.3.1\n\n## 14.3.0\n\n- gitlab: upgrade CE to v14.3.0\n- gitaly: upgrade to v14.3.0\n- gitlab-shell: v13.21.0\n- gitlab-pages: upgrade to v1.44.0\n- ruby: compile ruby from source and use v2.7.4\n- ubuntu: upgrade to focal-20211006\n\n## 14.2.5\n\n- gitlab: upgrade CE to v14.2.5\n- gitaly: upgrade to v14.2.5\n\n## 14.2.4\n\n- gitlab: upgrade CE to v14.2.4\n- gitaly: upgrade to v14.2.4\n- golang: upgrade to v1.17.1\n\n## 14.2.3\n\n- gitlab: upgrade CE to v14.2.3\n- gitaly: upgrade to v14.2.3\n\n## 14.2.2\n\n- gitlab: upgrade CE to v14.2.2\n- gitaly: upgrade to v14.2.2\n- ubuntu: upgrade to focal-20210827\n\n## 14.2.1\n\n- gitlab: upgrade CE to v14.2.1\n- gitaly: upgrade to v14.2.1\n\n## 14.2.0\n\n- gitlab: upgrade CE to v14.2.0\n- gitaly: upgrade to v14.2.0\n- gitlab-pages: upgrade to v1.42.0\n- golang: upgrade to v1.17\n\n## 14.1.3\n\n- gitlab: upgrade CE to v14.1.3\n- gitaly: upgrade to v14.1.3\n- golang: upgrade to v1.16.7\n\n## 14.1.2\n\n- gitlab: upgrade CE to v14.1.2\n- gitaly: upgrade to v14.1.2\n- gitlab-shell: upgrade to v13.19.1\n\n## 14.1.1\n\n- gitlab: upgrade CE to v14.1.1\n- gitaly: upgrade to v14.1.1\n- ubuntu: upgrade to focal-20210723\n\n## 14.1.0\n\n- gitlab: upgrade CE to v14.1.0\n- gitaly: upgrade to v14.1.0\n\n## 14.0.6\n\n- gitlab: upgrade CE to v14.0.6\n- gitaly: upgrade to v14.0.6\n- golang: upgrade to v1.16.6\n\n## 14.0.5\n\n- gitlab: upgrade CE to v14.0.5\n- gitaly: upgrade to v14.0.5\n\n## 14.0.4\n\n- gitlab: upgrade CE to v14.0.4\n- gitaly: 
upgrade to v14.0.4\n\n## 14.0.3\n\n- gitlab: upgrade CE to v14.0.3\n- gitaly: upgrade to v14.0.3\n\n## 14.0.2\n\n- gitlab: upgrade CE to v14.0.2\n- gitaly: upgrade to v14.0.2\n\n## 14.0.1\n\n- gitlab: upgrade CE to v14.0.1\n- gitaly: upgrade to v14.0.1\n\n## 14.0.0\n\n- gitlab: upgrade CE to v14.0.0\n- gitaly: upgrade to v14.0.0\n- gitlab-shell: upgrade to v13.19.0\n- gitlab-pages: upgrade to v1.40.0\n\n## 13.12.5\n\n- gitlab: upgrade CE to v13.12.5\n- gitaly: upgrade to v13.12.5\n- ubuntu: upgrade to focal-20210609\n\n## 13.12.4\n\n- gitlab: upgrade CE to v13.12.4\n- gitaly: upgrade to v13.12.4\n\n## 13.12.3\n\n- gitlab: upgrade CE to v13.12.3\n- gitaly: upgrade to v13.12.3\n- golang: upgrade to v1.16.5\n\n## 13.12.2\n\n- gitlab: upgrade CE to v13.12.2\n- gitaly: upgrade to v13.12.2\n\n## 13.12.1\n\n- gitlab: upgrade CE to v13.12.1\n- gitaly: upgrade to v13.12.1\n\n## 13.12.0\n\n- gitlab: upgrade CE to v13.12.0\n- gitlab-shell: upgrade to v13.18.0\n- gitlab-pages: upgrade to v1.39.0\n- gitaly: upgrade to v13.12.0\n\n## 13.11.4\n\n- gitlab: upgrade CE to v13.11.4\n- gitaly: upgrade to v13.11.4\n- golang: upgrade to v1.16.4\n- ubuntu: upgrade to focal-20210416\n\n## 13.11.3\n\n- gitlab: upgrade CE to v13.11.3\n- gitaly: upgrade to v13.11.3\n\n## 13.11.2\n\n- gitlab: upgrade CE to v13.11.2\n- gitaly: upgrade to v13.11.2\n\n## 13.11.1\n\n- gitlab: upgrade CE to v13.11.1\n- gitaly: upgrade to v13.11.1\n\n## 13.11.0\n\n- gitlab: upgrade CE to v13.11.0\n- gitaly: upgrade to v13.11.0\n- gitlab-pages: upgrade to v1.38.0\n- ubuntu: upgrade to focal-20210401\n\n## 13.10.3\n\n- gitlab: upgrade CE to v13.10.3\n- gitaly: upgrade to v13.10.3\n\n## 13.10.2\n\n- gitlab: upgrade CE to v13.10.2\n- gitaly: upgrade to v13.10.2\n- golang: upgrade to v1.16.3\n- ubuntu: upgrade to bionic-20210325\n\n## 13.10.1\n\n- gitlab: upgrade CE to v13.10.1\n- gitaly: upgrade to v13.10.1\n- added libmagic1 to fit requirements of ruby-magic-static-0.3.4 (necessary for puma)\n\n## 13.10.0\n\n- gitlab: 
upgrade CE to v13.10.0\n- gitaly: upgrade to v13.10.0\n- gitlab-pages: upgrade to v1.36.0\n\n## 13.9.5\n\n- gitlab: upgrade CE to v13.9.5\n- gitaly: upgrade to v13.9.5\n\n## 13.9.4\n\n- gitlab: upgrade CE to v13.9.4\n- gitaly: upgrade to v13.9.4\n- golang: upgrade to v1.16.2\n- ubuntu: upgrade to bionic-20210222\n\n## 13.9.3\n\n- gitlab: upgrade CE to v13.9.3\n- gitaly: upgrade to v13.9.3\n- gitlab-shell: upgrade to v13.17.0\n\n## 13.9.2\n\n- gitlab: upgrade CE to v13.9.2\n- gitaly: upgrade to v13.9.2\n- gitlab-workhorse: upgrade to v8.63.2\n\n## 13.9.1\n\n- gitlab: upgrade CE to v13.9.1\n- gitaly: upgrade to v13.9.1\n\n## 13.9.0\n\n- gitlab: upgrade CE to v13.9.0\n- gitaly: upgrade to v13.9.0\n- gitlab-shell: upgrade to v13.16.1\n- gitlab-pages: upgrade to v1.35.0\n- gitlab-workhorse: upgrade to v8.63.0\n- golang: upgrade to v1.16\n\n## 13.8.4\n\n- added `SSL_PROTOCOLS` option to change protocols of the nginx\n- added `SSL_REGISTRY_CIPHERS`\n- added `SSL_REGISTRY_PROTOCOLS`\n- added `SSL_PAGES_CIPHERS`\n- added `SSL_PAGES_PROTOCOLS`\n- gitlab: upgrade CE to v13.8.4\n- gitaly: upgrade to v13.8.4\n- gitlab-shell: upgrade to v13.15.1\n\n## 13.8.3\n\n- gitlab: upgrade CE to v13.8.3\n- gitaly: upgrade to v13.8.3\n- golang: upgrade to v1.15.8\n\n## 13.8.2\n\n- gitlab: upgrade CE to v13.8.2\n- gitaly: upgrade to v13.8.2\n\n## 13.8.1\n\n- gitlab: upgrade CE to v13.8.1\n- gitaly: upgrade to v13.8.1\n\n## 13.8.0\n\n- gitlab: upgrade CE to v13.8.0\n- gitaly: upgrade to v13.8.0\n- gitlab-shell: upgrade to v13.15.0\n- gitlab-workhorse: upgrade to v8.59.0\n- gitlab-pages: upgrade to v1.34.0\n- golang: upgrade to v1.15.7\n- ubuntu: upgrade to bionic-20210118\n\n## 13.7.4\n\n- gitlab: upgrade CE to v13.7.4\n\n## 13.7.3\n\n- gitlab: upgrade CE to v13.7.3\n- gitlab-pages: upgrade to v1.34.0\n- gitlab-shell: upgrade to v13.7.3\n- gitlab-workhorse: upgrade to v8.58.2\n\n## 13.7.1\n\n- gitlab: upgrade CE to v13.7.1\n- gitaly: upgrade v13.7.1\n\n## 13.7.0\n\n- gitlab: upgrade CE to 
v13.7.0\n- gitaly: upgrade v13.7.0\n- gitlab-shell: upgrade to v13.14.0\n- gitlab-pages: upgrade to v1.32.0\n- gitlab-workhorse: upgrade to v8.58.0\n- ubuntu: upgrade to ubuntu bionic-20201119\n- postgresql: upgrade to postgresql 12\n\n## 13.6.3\n\n- gitlab: upgrade CE to v13.6.3\n- gitaly: upgrade v13.6.3\n\n## 13.6.2\n\n- gitlab: upgrade CE to v13.6.2\n- gitaly: upgrade v13.6.2\n\n## 13.6.1\n\n- gitlab: upgrade CE to v13.6.1\n- gitaly: upgrade v13.6.1\n\n## 13.6.0\n\n- gitlab: upgrade CE to v13.6.0\n- gitaly: upgrade v13.6.0\n- gitlab-shell: upgrade to v13.13.0\n- gitlab-pages: upgrade to v1.30.0\n- gitlab-workhorse: upgrade to v8.54.0\n- use bundler 2.1.4\n- use ruby 2.7\n\n## 13.5.4\n\n- gitlab: upgrade CE to v13.5.4\n- gitaly: upgrade v13.5.4\n\n## 13.5.3\n\n- gitlab: upgrade CE to v13.5.3\n- gitaly: upgrade v13.5.3\n\n## 13.5.2\n\n- gitlab: upgrade CE to v13.5.2\n- gitaly: upgrade v13.5.2\n\n## 13.5.1\n\n- gitlab: upgrade CE to v13.5.1\n- gitaly: upgrade v13.5.1\n- gitlab-shell: upgrade to v13.11.0\n- gitlab-pages: upgrade to v1.28.0\n- gitlab-workhorse: upgrade to v8.51.0\n\n## 13.4.4\n\n- gitlab: upgrade CE to v13.4.4\n- gitaly: upgrade to v13.4.4\n\n## 13.4.3\n\n- gitlab: upgrade CE to v13.4.3\n- gitaly: upgrade to v13.4.3\n\n## 13.4.2\n\n- gitlab: upgrade CE to v13.4.2\n- gitaly: upgrade to v13.4.2\n- gitlab-pages: upgrade to 1.25.0\n- gitlab-workhorse: upgrade to 8.46.0\n- gitlab-shell: upgrade to 13.7.0\n- ubuntu: upgrade to bionic-20200921\n\n## 13.3.4\n\n- gitlab: upgrade CE to v13.3.4\n- gitaly: upgrade to v13.3.4\n\n## 13.3.1\n\n- gitlab: upgrade CE to v13.3.1\n- gitaly: upgrade to v13.3.1\n\n## 13.3.0\n\n- gitlab: upgrade CE to v13.3.0\n- gitaly: upgrade to v13.3.0\n- gitlab-pages: upgrade to v1.22.0\n- gitlab-shell: upgrade to v13.6.0\n- gitlab-workhorse: upgrade to v8.39.0\n\n## 13.2.6\n\n- gitlab: upgrade CE to v13.2.6\n\n## 13.2.4\n\n- gitlab: upgrade CE to v13.2.4\n- ubuntu: upgrade to bionic-20200713\n\n## 13.2.3\n\n- gitlab: upgrade CE to 
v13.2.3\n- golang: upgrade to 1.14.7\n- gitaly: upgrade to 13.2.3\n- postgresql: add btree_gist extension\n\n## 13.2.2\n\n- gitlab: upgrade CE to v13.2.2\n\n## 13.2.1\n\n- gitlab: upgrade CE to v13.2.1\n\n## 13.0.7\n\n- gitlab: upgrade CE to v13.0.7\n\n## 13.0.6\n\n- gitlab: upgrade CE to v13.0.6\n\n## 13.0.5\n\n- gitlab: upgrade CE to v13.0.5\n\n## 13.0.3\n\n- gitlab: upgrade CE to v13.0.3\n\n## 13.0.2\n\n- gitlab: upgrade CE to v13.0.2\n\n## 13.0.1\n\n- gitlab: upgrade CE to v13.0.1\n\n## 13.0.0\n\n- gitlab: upgrade CE to v13.0.0\n\n## 12.10.6\n\n- gitlab: upgrade CE to v12.10.6\n\n## 12.10.4\n\n- updated to ubuntu:bionic-20200403\n- gitlab-workhorse: update to 8.30.1\n- sync: upstream configs\n- gitlab: upgrade to 12.10.4\n\n## 12.9.5\n\n- gitlab: updated to 12.9.5\n- gitlab-shell: updated to 12.2.0\n- gitaly: updated to 12.10.0\n\n## 12.9.4\n\n- gitlab: upgrade CE to v12.9.4\n- Update gitlab-workhorse to 8.25.2\n- Update golang to 1.13.10\n\n## 12.9.2\n\n- gitlab: upgrade CE to v12.9.2\n\n## 12.9.1\n\n- gitlab: upgrade CE to v12.9.1\n\n## 12.9.0\n\n- gitlab: upgrade CE to v12.9.0\n- replaced unicorn with puma\n- Removed `UNICORN_WORKERS`\n- Removed `UNICORN_TIMEOUT`\n- Added `PUMA_THREADS_MIN`\n- Added `PUMA_THREADS_MAX`\n- Added `PUMA_WORKERS`\n- Added `PUMA_TIMEOUT`\n\n## 12.8.8\n\n- gitlab: upgrade CE to v12.8.8\n\n## 12.8.7\n\n- gitlab: upgrade CE to v12.8.7\n\n## 12.8.6\n\n- gitlab: upgrade CE to v12.8.6\n\n## 12.8.5\n\n- gitlab: upgrade CE to v12.8.5\n\n## 12.8.4\n\n- gitlab: upgrade CE to v12.8.4\n\n## 12.8.3\n\n- gitlab: upgrade CE to v12.8.3\n\n## 12.8.2\n\n- gitlab: upgrade CE to v12.8.2\n\n## 12.8.1\n\n- gitlab: upgrade CE to v12.8.1\n\n## 12.8.0\n\n- gitlab: upgrade CE to v12.8.0\n- fix: ArgumentError: 'import/{{oauth2_generic_name}}' is not supported [#2101](https://github.com/sameersbn/docker-gitlab/issues/2101)\n\n## 12.7.8\n\n- Upgrade GitLab CE to 12.7.8\n\n## 12.7.7\n\n- Upgrade GitLab CE to 12.7.7\n- Add Generic OAuth Provider PR#2070\n\n## 
12.7.6\n\n- gitlab: upgrade CE to v12.7.6\n\n## 12.7.5\n\n- gitlab: upgrade CE to v12.7.5\n\n## 12.7.4\n\n- Upgrade GitLab CE to 12.7.4\n- Update golang to 1.13.7\n- Update gitlab-pages to 1.15.0\n- Update gitlab-workhorse to 8.20.0\n- Update gitaly to 1.85.0\n\n## 12.7.2\n\n- Upgrade GitLab CE to 12.7.2\n\n## 12.7.0\n\n- Update gitlab-shell to 11.0.0\n- Upgrade GitLab CE to 12.7.0\n- Update golang to 1.13.6\n- Update gitaly to 1.83.0\n- Update gitlab-pages to 1.14.0\n- Update gitlab-workhorse to 8.19.0\n\n## 12.6.4\n\n- gitlab: upgrade CE to v12.6.4\n\n## 12.6.3\n\n- gitlab: upgrade CE to v12.6.3\n\n## 12.6.2\n\n- gitlab: upgrade CE to v12.6.2\n\n## 12.6.1\n\n- gitlab: upgrade CE to v12.6.1\n\n## 12.6.0\n\n- gitlab: upgrade CE to v12.6.0\n\n## 12.5.7\n\n- gitlab: upgrade CE to v12.5.7\n\n## 12.5.6\n\n- gitlab: upgrade CE to v12.5.6\n\n## 12.5.5\n\n- gitlab: upgrade CE to v12.5.5\n\n## 12.5.4\n\n- gitlab: upgrade CE to v12.5.4\n- Update golang to 1.12.14\n\n## 12.5.3\n\n- gitlab: upgrade CE to v12.5.3\n\n## 12.5.2\n\n- gitlab: upgrade CE to v12.5.2\n\n## 12.5.1\n\n- gitlab: upgrade CE to v12.5.1\n\n## 12.5.0\n\n- gitlab: upgrade CE to v12.5.0\n\n## 12.4.3\n\n- gitlab: upgrade CE to v12.4.3\n\n## 12.4.2\n\n- gitlab: upgrade CE to v12.4.2\n\n## 12.4.1\n\n- gitlab: upgrade CE to v12.4.1\n\n## 12.4.0\n\n- gitlab: upgrade CE to v12.4.0\n\n## 12.3.5\n\n- gitlab: upgrade CE to v12.3.5\n\n## 12.3.4\n\n- gitlab: upgrade CE to v12.3.4\n\n## 12.3.3\n\n- gitlab: upgrade CE to v12.3.3\n\n## 12.3.2\n\n- gitlab: upgrade CE to v12.3.2\n\n## 12.3.1\n\n- gitlab: upgrade CE to v12.3.1\n\n## 12.3.0\n\n- gitlab: upgrade CE to v12.3.0\n\n## 12.2.5\n\n- gitlab: upgrade CE to v12.2.5\n\n## 12.2.4\n\n- gitlab: upgrade CE to v12.2.4\n\n## 12.2.3\n\n- gitlab: upgrade CE to v12.2.3\n\n## 12.2.1\n\n- gitlab: upgrade CE to v12.2.1\n\n## 12.2.0\n\n- gitlab: upgrade CE to v12.2.0\n- upgrade base image to ubuntu:bionic\n\n## 12.1.6\n\n- gitlab: upgrade CE to v12.1.6\n\n## 12.1.4\n\n- gitlab: 
upgrade CE to v12.1.4\n\n## 12.1.3\n\n- gitlab: upgrade CE to v12.1.3\n\n## 12.1.2\n\n- gitlab: upgrade CE to v12.1.2\n\n## 12.1.1\n\n- gitlab: upgrade CE to v12.1.1\n\n## 12.1.0\n\n- gitlab: upgrade CE to v12.1.0\n- Removed MySQL related information and packages. GitLab v12.1.X or greater requires only PostgreSQL. Do a migration before upgrading to v12.1.X. For more information, have a look at the [Migration Guide](https://docs.gitlab.com/ce/update/mysql_to_postgresql.html)\n\n## 12.0.4\n\n- gitlab: upgrade CE to v12.0.4\n\n## 12.0.3\n\n- gitlab: upgrade CE to v12.0.3\n\n## 12.0.2\n\n- gitlab: upgrade CE to v12.0.2\n\n## 12.0.1\n\n- gitlab: upgrade CE to v12.0.1\n\n## 12.0.0\n\n- gitlab: upgrade CE to v12.0.0\n- Update gitaly to 1.47.0\n- Update gitlab-shell to 9.3.0\n- Update gitlab-pages to 1.6.1\n- ruby: update to 2.6\n- python: update to 3\n\n## 11.11.3\n\n- gitlab: upgrade CE to v11.11.3\n- Update gitaly to 1.42.4\n- Update golang to 1.12.6\n\n## 11.11.2\n\n- gitlab: upgrade CE to v11.11.2\n- Update gitaly to 1.42.3\n\n## 11.11.1\n\n- gitlab: upgrade CE to v11.11.1\n- Update gitaly to 1.42.2\n\n## 11.11.0\n\n- gitlab: upgrade CE to v11.11.0\n- Update gitaly to 1.42.0\n- Update gitlab-shell to 9.1.0\n- Update gitlab-workhorse to 8.7.0\n\n## 11.10.4\n\n- gitlab: upgrade CE to v11.10.4\n\n## 11.10.3\n\n- gitlab: upgrade CE to v11.10.3\n\n## 11.10.2\n\n- gitlab: upgrade CE to v11.10.2\n\n## 11.10.1\n\n- gitlab: upgrade CE to v11.10.1\n\n## 11.10.0\n\n- gitlab: upgrade CE to v11.10.0\n\n## 11.9.8\n\n- gitlab: upgrade CE to v11.9.8\n\n## 11.9.7\n\n- gitlab: upgrade CE to v11.9.7\n\n## 11.9.6\n\n- gitlab: upgrade CE to v11.9.6\n\n## 11.9.5\n\n- gitlab: upgrade CE to v11.9.5\n\n## 11.9.4\n\n- gitlab: upgrade CE to v11.9.4\n- Update gitlab-workhorse to 8.3.3\n\n## 11.9.1\n\n- gitlab: upgrade CE to v11.9.1\n- Update gitaly to 1.27.1\n\n## 11.9.0\n\n- gitlab: upgrade CE to v11.9.0\n\n## 11.8.3\n\n- gitlab: upgrade CE to v11.8.3\n\n## 11.8.2\n\n- gitlab: upgrade CE to 
v11.8.2\n\n## 11.8.1\n\n- gitlab: upgrade CE to v11.8.1\n\n## 11.8.0\n\n- gitlab: upgrade CE to v11.8.0\n- Update gitlab-workhorse to 8.3.1\n- Update gitaly to 1.20.0\n- Update gitlab-pages to 1.5.0\n\n## 11.7.5\n\n- gitlab: upgrade CE to v11.7.5\n\n## 11.7.4\n\n- gitlab: upgrade CE to v11.7.4\n\n## 11.7.3\n\n- gitlab: upgrade CE to v11.7.3\n- Update gitlab-workhorse to 8.1.1\n- Update gitaly to 1.13.0\n- Update gitlab-pages to 1.4.0\n\n## 11.7.0\n\n- gitlab: upgrade CE to v11.7.0\n\n## 11.6.5\n\n- gitlab: upgrade CE to v11.6.5\n\n## 11.6.4\n\n- gitlab: upgrade CE to v11.6.4\n\n## 11.6.3\n\n- gitlab: upgrade CE to v11.6.3\n\n## 11.6.2\n\n- gitlab: upgrade CE to v11.6.2\n\n## 11.6.1\n\n- gitlab: upgrade CE to v11.6.1\n- Added `GITLAB_IMPERSONATION_ENABLED`\n- Added `OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME`\n- Added `GITLAB_PAGES_ACCESS_CONTROL_SERVER`\n- Added `GITLAB_PAGES_ACCESS_CLIENT_ID`\n- Added `GITLAB_PAGES_ACCESS_CLIENT_SECRET`\n- Added `GITLAB_PAGES_ACCESS_SECRET`\n- Added `GITLAB_PAGES_ACCESS_REDIRECT_URI`\n\n## 11.6.0\n\n- gitlab: upgrade CE to v11.6.0\n- Update gitaly to 1.7.1\n- Update gitlab-shell to 8.4.3\n- Update gitlab-workhorse to 7.6.0\n- Update golang to 1.11.4\n- Added `LDAP_USER_ATTRIBUTE_USERNAME`\n- Added `LDAP_USER_ATTRIBUTE_MAIL`\n- Added `LDAP_USER_ATTRIBUTE_NAME`\n- Added `LDAP_USER_ATTRIBUTE_FIRSTNAME`\n- Added `LDAP_USER_ATTRIBUTE_LASTNAME`\n- Added `GITLAB_BACKUP_DIR_CHOWN`\n- Added `GITLAB_BACKUP_DIR_GROUP`\n- Added `GITLAB_PAGES_NGINX_PROXY`\n\n## 11.5.5\n\n- gitlab: upgrade CE to v11.5.5\n\n## 11.5.4\n\n- gitlab: upgrade CE to v11.5.4\n\n## 11.5.3\n\n- gitlab: upgrade CE to v11.5.3\n\n## 11.5.2\n\n- gitlab: upgrade CE to v11.5.2\n\n## 11.5.1-1\n\n- Fixed GitLab Dependencies\n\n## 11.5.1\n\n- gitlab: upgrade CE to v11.5.1\n\n## 11.5.0\n\n- gitlab: upgrade CE to v11.5.0\n\n## 11.4.7\n\n- gitlab: upgrade CE to v11.4.7\n\n## 11.4.6\n\n- gitlab: upgrade CE to v11.4.6\n\n## 11.4.5\n\n- gitlab: upgrade CE to v11.4.5\n\n## 11.4.4\n\n- 
gitlab: upgrade CE to v11.4.4\n- golang: update to 1.10.4\n\n## 11.4.3\n\n- gitlab: upgrade CE to v11.4.3\n\n## 11.4.2\n\n- gitlab: upgrade CE to v11.4.2\n\n## 11.4.1\n\n- gitlab: upgrade CE to v11.4.1\n- Add docs how to reuse ssh port [#1731](https://github.com/sameersbn/docker-gitlab/pull/1731)\n\n## 11.4.0\n\n- gitlab: upgrade CE to v11.4.0\n- baseimage: upgrade to xenial-20181005\n\n## 11.3.6\n\n- gitlab: upgrade CE to v11.3.6\n\n## 11.3.5\n\n- gitlab: upgrade CE to v11.3.5\n\n## 11.3.4\n\n- gitlab: upgrade CE to v11.3.4\n\n## 11.3.3\n\n- gitlab: upgrade CE to v11.3.3\n\n## 11.3.2\n\n- gitlab: upgrade CE to v11.3.2\n\n## 11.3.1\n\n- gitlab: upgrade CE to v11.3.1\n\n## 11.3.0\n\n- gitlab: upgrade CE to v11.3.0\n- Fix backup config stripping for when AWS & GCS backups are disabled [#1725](https://github.com/sameersbn/docker-gitlab/pull/1725)\n- Correct Backup Date format for selective backups [#1699](https://github.com/sameersbn/docker-gitlab/pull/1699)\n- Fix gitaly-ssh symlink to enable rebase/squash in forks\n\n## 11.2.3\n\n- gitlab: upgrade CE to v11.2.3\n\n## 11.2.2\n\n- gitlab: upgrade CE to v11.2.2\n\n## 11.2.1\n\n- gitlab: upgrade CE to v11.2.1\n\n## 11.2.0\n\n- gitlab: upgrade CE to v11.2.0\n- ADD `GITLAB_DEFAULT_THEME`\n\n## 11.1.4\n\n- gitlab: upgrade CE to v11.1.4\n\n## 11.1.3\n\n- gitlab: upgrade CE to v11.1.3\n- Upgrade redis to 4.0.9-1\n\n## 11.1.2\n\n- gitlab: upgrade CE to v11.1.2\n\n## 11.1.1\n\n- gitlab: upgrade CE to v11.1.1\n\n## 11.1.0\n\n- gitlab: upgrade CE to v11.1.0\n\n## 11.0.4\n\n- gitlab: upgrade CE to v11.0.4\n\n## 11.0.3\n\n- gitlab: upgrade CE to v11.0.3\n- ruby: update to 2.4\n\n## 11.0.2\n\n- gitlab: upgrade CE to v11.0.2\n\n## 11.0.1\n\n- gitlab: upgrade CE to v11.0.1\n\n## 11.0.0\n\n- gitlab: upgrade CE to v11.0.0\n\n## 10.8.4\n\n- gitlab: upgrade CE to v10.8.4\n\n## 10.8.3-1\n\n- Fix boot loops that were introduced during [#1621](https://github.com/sameersbn/docker-gitlab/pull/1621) and will be fixed with 
[#1628](https://github.com/sameersbn/docker-gitlab/pull/1628)\n\n## 10.8.3\n\n- gitlab: upgrade CE to v10.8.3\n- Fix potential boot problems on clean setups [#1621](https://github.com/sameersbn/docker-gitlab/pull/1621)\n\n## 10.8.2\n\n- gitlab: upgrade CE to v10.8.2\n\n## 10.8.1\n\n- gitlab: upgrade CE to v10.8.1\n\n## 10.8.0\n\n- gitlab: upgrade CE to v10.8.0\n- Add support for swarm mode with docker-configs and docker secrets ([#1540](https://github.com/sameersbn/docker-gitlab/pull/1540))\n\n## 10.7.4\n\n- gitlab: upgrade CE to v10.7.4\n- FIX `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\n## 10.7.3\n\n- gitlab: upgrade CE to v10.7.3\n\n## 10.7.2\n\n- gitlab: upgrade CE to v10.7.2\n\n## 10.7.1\n\n- gitlab: upgrade CE to v10.7.1\n\n## 10.7.0\n\n- gitlab: upgrade CE to v10.7.0\n- ADD `GITLAB_SIDEKIQ_LOG_FORMAT`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\n- ADD `GITLAB_LFS_OBJECT_STORE_ENABLED`\n- ADD `GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY`\n- ADD `GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD`\n- ADD `GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD`\n- ADD `GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD`\n- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER`\n- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION`\n- ADD 
`GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST`\n- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_ENABLED`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\n## 10.6.4\n\n- gitlab: upgrade CE to v10.6.4\n\n## 10.6.3\n\n- gitlab: upgrade CE to v10.6.3\n\n## 10.6.2\n\n- gitlab: upgrade CE to v10.6.2\n- golang: update to 1.9.5\n\n## 10.6.1\n\n- gitlab: upgrade CE to v10.6.1\n\n## 10.6.0\n\n- gitlab: upgrade CE to v10.6.0\n\n## 10.5.6\n\n- gitlab: security upgrade CE to v10.5.6\n\n## 10.5.5\n\n- gitlab: upgrade CE to v10.5.5\n\n## 10.5.4\n\n- gitlab: upgrade CE to v10.5.4\n\n## 10.5.3\n\n- gitlab: upgrade CE to v10.5.3\n\n## 10.5.2\n\n- gitlab: upgrade CE to v10.5.2\n- Fix `GITLAB_UPLOADS_STORAGE_PATH`\n\n## 10.5.1\n\n- gitlab: upgrade CE to v10.5.1\n\n## 10.5.0\n\n- gitlab: upgrade CE to v10.5.0\n- Add `GITLAB_UPLOADS_STORAGE_PATH`\n- Add `GITLAB_UPLOADS_BASE_DIR`\n- Add `LDAP_LOWERCASE_USERNAMES`\n\n## 10.4.4\n\n- gitlab: upgrade CE to v10.4.4\n\n## 10.4.3\n\n- gitlab: upgrade CE to v10.4.3\n\n## 10.4.2-1\n\n- FIXED SSH Host Key generation through dropping the support for rsa1\n\n## 10.4.2\n\n- gitlab: upgrade CE to v10.4.2\n\n## 10.4.1\n\n- gitlab: upgrade CE to v10.4.1\n\n## 10.4.0\n\n- gitlab: upgrade CE to v10.4.0\n- docker: upgrade to ubuntu xenial as baseimage\n- golang: 
update to 1.9.3\n\n## 10.3.6\n\n- gitlab: upgrade CE to v10.3.6\n\n## 10.3.5\n\n- gitlab: upgrade CE to v10.3.5\n\n## 10.3.4\n\n- gitlab: upgrade CE to v10.3.4\n\n## 10.3.3\n\n- gitlab: upgrade CE to v10.3.3\n- ADDED `AWS_BACKUP_ENCRYPTION` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/)\n- ADDED `AWS_BACKUP_STORAGE_CLASS` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/)\n- FIXED `AWS_BACKUP_MULTIPART_CHUNK_SIZE` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/)\n- Apply PaX mark to ruby [1458](https://github.com/sameersbn/docker-gitlab/pull/1458)\n\n## 10.3.2\n\n- gitlab: upgrade CE to v10.3.2\n\n## 10.3.1\n\n- gitlab: upgrade CE to v10.3.1\n\n## 10.3.0\n\n- gitlab: upgrade CE to v10.3.0\n- REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_COUNT_THRESHOLD`\n- REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_WAIT_TIME`\n- REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_RESET_TIME`\n- REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_STORAGE_TIMEOUT`\n- REMOVED `GITLAB_MAX_OBJECT_SIZE`\n- REMOVED `GITLAB_TIMEOUT`\n\n## 10.2.5\n\n- gitlab: upgrade CE to v10.2.5\n\n## 10.2.4\n\n- gitlab: upgrade to CE v10.2.4\n\n## 10.2.3\n\n- gitlab: upgrade to CE v10.2.3\n\n## 10.2.2\n\n- gitlab: upgrade to CE v10.2.2\n\n## 10.2.1\n\n- gitlab: upgrade to CE v10.2.1\n\n## 10.2.0\n\n- gitlab: upgrade to CE v10.2.0\n\n## 10.1.4\n\n- gitlab: upgrade to CE v10.1.4\n\n## 10.1.3\n\n- gitlab: upgrade to CE v10.1.3\n\n## 10.1.2\n\n- gitlab: upgrade to CE v10.1.2\n\n## 10.1.1\n\n- gitlab: upgrade to CE v10.1.1\n\n## 10.1.0\n\n- gitlab: upgrade to CE v10.1.0\n- REMOVED `GITALY_ENABLED`\n- ADDED `GITALY_ARTIFACTS_SERVER`\n- ADDED `GITALY_CLIENT_PATH`\n\n## 10.0.4\n\n- gitlab: upgrade to CE v10.0.4\n\n## 10.0.3\n\n- gitlab: upgrade to CE v10.0.3\n\n## 10.0.2\n\n- gitlab: upgrade to CE v10.0.2\n\n## 10.0.1\n\n- gitlab: upgrade to CE v10.0.1\n\n## 10.0.0\n\n- gitlab: upgrade to CE v10.0.0\n\n## 9.5.5\n\n- gitlab: upgrade to CE v9.5.5\n\n## 
9.5.4\n\n- gitlab: upgrade to CE v9.5.4\n\n## 9.5.3\n\n- gitlab: upgrade to CE v9.5.3\n\n## 9.5.2\n\n- gitlab: upgrade to CE v9.5.2\n\n## 9.5.1\n\n- gitlab: upgrade to CE v9.5.1\n\n## 9.5.0\n\n- gitlab: upgrade to CE v9.5.0\n\n## 9.4.5\n\n- gitlab: upgrade to CE v9.4.5\n\n## 9.4.4\n\n- gitlab: upgrade to CE v9.4.4\n\n## 9.4.3\n\n- gitlab: upgrade to CE v9.4.3\n\n## 9.4.2\n\n- gitlab: upgrade to CE v9.4.2\n\n## 9.4.1\n\n- gitlab: upgrade to CE v9.4.1\n\n## 9.4.0-1\n\n- Fix asset compiling for missing translations\n\n## 9.4.0\n\n- gitlab: upgrade to CE v9.4.0\n- Added support for nginx_real_ip module ([#1137](https://github.com/sameersbn/docker-gitlab/pull/1137))\n- Added more security for regenerating certs ([#1288](https://github.com/sameersbn/docker-gitlab/pull/1288))\n\n## 9.3.9\n\n- gitlab: upgrade to CE v9.3.9\n\n## 9.3.8\n\n- gitlab: upgrade to CE v9.3.8\n- Added RE2 library to build dependencies ([issue 35342](https://gitlab.com/gitlab-org/gitlab-foss/issues/35342))\n\n## 9.3.7\n\n- gitlab: upgrade to CE v9.3.7\n\n## 9.3.6\n\n- gitlab: upgrade to CE v9.3.6\n\n## 9.3.5\n\n- gitlab: upgrade to CE v9.3.5\n\n## 9.3.4\n\n- gitlab: upgrade to CE v9.3.4\n\n## 9.3.3\n\n- gitlab: upgrade to CE v9.3.3\n\n## 9.3.2\n\n- gitlab: upgrade to CE v9.3.2\n\n## 9.3.1\n\n- gitlab: upgrade to CE v9.3.1\n\n## 9.3.0-1\n\n- Add the missing Gitaly config so that git commands over http/https work\n\n## 9.3.0\n\n- gitlab: upgrade to CE v9.3.0\n- update baseimage to `14.04.20170608`\n- Add `DB_COLLATION` (MySQL only; PostgreSQL does not recognize it)\n- Add `GITLAB_PIPELINE_SCHEDULE_WORKER_CRON`\n- Add `GITALY_ENABLED`\n- Add `GITALY_SOCKET_PATH`\n- Add `GITALY_ADDRESS`\n\n## 9.2.7\n\n- gitlab: upgrade to CE v9.2.7\n\n## 9.2.6\n\n- gitlab: upgrade to CE v9.2.6\n\n## 9.2.5\n\n- gitlab: upgrade to CE v9.2.5\n\n## 9.2.2\n\n- gitlab: upgrade to CE v9.2.2\n\n## 9.2.1\n\n- gitlab: upgrade to CE v9.2.1\n\n## 9.2.0\n\n- gitlab: upgrade to CE v9.2.0\n- Add flexibility to use versions 
committed into gitlab-ce\n\n## 9.1.4\n\n- gitlab: upgrade to CE v9.1.4\n\n## 9.1.3\n\n- gitlab: upgrade to CE v9.1.3\n\n## 9.1.2\n\n- gitlab: upgrade to CE v9.1.2\n- update baseimage to `14.04.20170503`\n\n## 9.1.1\n\n- gitlab: upgrade to CE v9.1.1\n\n## 9.1.0-1\n\n- Fix gitlab-workhorse version display\n\n## 9.1.0\n\n- gitlab: upgrade to CE v9.1.0\n- gitlab-shell: upgrade to 5.0.2\n- gitlab-workhorse: upgrade to 1.4.3\n\n## 9.0.6\n\n- gitlab: upgrade to CE v9.0.6\n\n## 9.0.5\n\n- gitlab: upgrade to CE v9.0.5\n\n## 9.0.4\n\n- gitlab: upgrade to CE v9.0.4\n\n## 9.0.3\n\n- gitlab: upgrade to CE v9.0.3\n\n## 9.0.2\n\n- gitlab: upgrade to CE v9.0.2\n\n## 9.0.1\n\n- gitlab: upgrade to CE v9.0.1\n- gitlab-workhorse 1.4.2\n\n## 9.0.0\n\n- gitlab: upgrade to CE v9.0.0\n- gitlab-shell 5.0.0\n- gitlab-workhorse 1.4.1\n- gitlab-pages 0.4.0\n\n## 8.17.4\n\n- gitlab: upgrade to CE v8.17.4\n\n## 8.17.3\n\n- gitlab: upgrade to CE v8.17.3\n\n## 8.17.2\n\n- gitlab: upgrade to CE v8.17.2\n\n## 8.17.1\n\n- gitlab: upgrade to CE v8.17.1\n- fixes first problems with gitlab-pages\n\n## 8.17.0\n\n- gitlab: upgrade to CE v8.17.0\n- added `GITLAB_PAGES_ENABLED`\n- added `GITLAB_PAGES_DOMAIN`\n- added `GITLAB_PAGES_DIR`\n- added `GITLAB_PAGES_PORT`\n- added `GITLAB_PAGES_HTTPS`\n- added `GITLAB_PAGES_EXTERNAL_HTTP`\n- added `GITLAB_PAGES_EXTERNAL_HTTPS`\n- added `SSL_PAGES_KEY_PATH`\n- added `SSL_PAGES_CERT_PATH`\n- added nodejs 7.x as core dependencies\n- added gitlab-pages daemon\n\n## 8.16.6\n\n- gitlab: upgrade to CE v8.16.6\n- Fix logical bug of Remote Backup\n\n## 8.16.5\n\n- gitlab: upgrade to CE v8.16.5\n\n## 8.16.4\n\n- gitlab: upgrade to CE v8.16.4\n\n## 8.16.3\n\n- gitlab: upgrade to CE v8.16.3\n\n## 8.16.2\n\n- gitlab: upgrade to CE v8.16.2\n\n## 8.16.1\n\n- gitlab: upgrade to CE v8.16.1\n\n## 8.16.0\n\n- gitlab: upgrade to CE v8.16.0\n\n## 8.15.4\n\n- gitlab: upgrade to CE v8.15.4\n\n## 8.15.3\n\n- gitlab: upgrade to CE v8.15.3\n\n## 8.15.2\n\n- gitlab: upgrade to CE 
v8.15.2\n\n## 8.15.1\n\n- gitlab: upgrade to CE v8.15.1\n\n## 8.15.0\n\n- gitlab: upgrade to CE v8.15.0\n- added `GITLAB_MATTERMOST_ENABLED`\n- added `GITLAB_MATTERMOST_URL`\n- added `OAUTH_AUTHENTIQ_CLIENT_ID`\n- added `OAUTH_AUTHENTIQ_CLIENT_SECRET`\n- added `OAUTH_AUTHENTIQ_SCOPE`\n- added `OAUTH_AUTHENTIQ_REDIRECT_URI`\n\n## 8.14.5\n\n- gitlab: upgrade to CE v8.14.5\n\n## 8.14.4\n\n- gitlab: upgrade to CE v8.14.4\n\n## 8.14.3\n\n- gitlab: upgrade to CE v8.14.3\n\n## 8.14.2\n\n- gitlab: upgrade to CE v8.14.2\n\n## 8.14.1\n\n- gitlab: upgrade to CE v8.14.1\n\n## 8.14.0\n\n- gitlab: upgrade to CE v8.14.0\n- added `IMAP_TIMEOUT`\n- update golang to 1.6.3\n\n## 8.13.6\n\n- gitlab: upgrade to CE v8.13.6\n\n## 8.13.5\n\n- gitlab: upgrade to CE v8.13.5\n\n## 8.13.4\n\n**Important:** We skipped `8.13.4` because it doesn't contain any changes. For more information [8.13.4 release](https://about.gitlab.com/2016/11/09/gitlab-8-dot-13-dot-5-released/).\n\n## 8.13.3\n\n- gitlab: upgrade to CE v8.13.3\n\n## 8.13.2\n\n- gitlab: upgrade to CE v8.13.2\n\n## 8.13.1\n\n- gitlab: upgrade to CE v8.13.1\n\n## 8.13.0\n\n- gitlab: upgrade to CE v8.13.0\n- added `GITLAB_EMAIL_SUBJECT_SUFFIX`\n\n## 8.12.7\n\n- gitlab: upgrade to CE v8.12.7\n\n## 8.12.6\n\n- gitlab: upgrade to CE v8.12.6\n\n## 8.12.5\n\n- gitlab: upgrade to CE v8.12.5\n\n## 8.12.4\n\n- gitlab: upgrade to CE v8.12.4\n\n## 8.12.3\n\n- gitlab: upgrade to CE v8.12.3\n\n## 8.12.2\n\n**Important:** We skipped `8.12.2` because it doesn't contain any changes. 
For more information [8.12.3 release](https://about.gitlab.com/2016/09/29/gitlab-8-12-3-released/).\n\n## 8.12.1\n\n- gitlab: upgrade to CE v8.12.1\n\n## 8.12.0\n\n- gitlab: upgrade to CE v8.12.0\n\n## 8.11.7\n\n- gitlab: upgrade to CE v8.11.7\n\n## 8.11.6\n\n- gitlab: upgrade to CE v8.11.6\n\n## 8.11.5\n\n- gitlab: upgrade to CE v8.11.5\n\n## 8.11.4\n\n- gitlab: upgrade to CE v8.11.4\n\n## 8.11.3\n\n- gitlab: upgrade to CE v8.11.3\n\n## 8.11.2\n\n- gitlab: upgrade to CE v8.11.2\n\n## 8.11.0\n\n- gitlab: upgrade to CE v8.11.0\n- added `GITLAB_SECRETS_SECRET_KEY_BASE`\n- added `GITLAB_SECRETS_OTP_KEY_BASE`\n\n## Important\n\nWhen upgrading from `8.10.7` or below, set `GITLAB_SECRETS_OTP_KEY_BASE` to the key stored in `/home/git/data/.secret`; otherwise your existing 2FA setup will break.\n\n## 8.10.7\n\n- gitlab: upgrade to CE v8.10.7\n\n## 8.10.6\n\n- gitlab: upgrade to CE v8.10.6\n\n## 8.10.5\n\n- gitlab: upgrade to CE v8.10.5\n\n## 8.10.4\n\n- gitlab: upgrade to CE v8.10.4\n\n## 8.10.3\n\n- gitlab: upgrade to CE v8.10.3\n\n## 8.10.2-1\n\n- Fix `OAUTH_GOOGLE_RESTRICT_DOMAIN`\n\n## 8.10.2\n\n- gitlab: upgrade to CE v8.10.2\n- Improve `OAUTH_GOOGLE_RESTRICT_DOMAIN` for multiple restricted domains\n\n## 8.10.1\n\n- gitlab: upgrade to CE v8.10.1\n\n## 8.10.0\n\n- gitlab: upgrade to CE v8.10.0\n\n## 8.9.6\n\n- gitlab: upgrade to CE v8.9.6\n\n## 8.9.5\n\n- gitlab: upgrade to CE v8.9.5\n\n## 8.9.4\n\n- gitlab: upgrade to CE v8.9.4\n\n## 8.9.3\n\n- gitlab: upgrade to CE v8.9.3\n\n## 8.9.2\n\n- gitlab: upgrade to CE v8.9.2\n\n## 8.9.1\n\n- gitlab: upgrade to CE v8.9.1\n\n## 8.9.0\n\n- gitlab: upgrade to CE v8.9.0\n\n## 8.8.5-1\n\n- added GitLab Container Registry support\n- added `SSL_CIPHERS` option to change ciphers of the nginx\n\n## 8.8.5\n\n- gitlab: upgrade to CE v8.8.5\n\n## 8.8.4\n\n- gitlab: upgrade to CE v8.8.4\n- added `GITLAB_PROJECTS_LIMIT` configuration option\n\n## 8.8.3\n\n- gitlab: upgrade to CE v8.8.3\n\n## 8.8.2\n\n- gitlab: upgrade to CE v8.8.2\n\n## 
8.8.1\n\n- gitlab: upgrade to CE v8.8.1\n\n## 8.8.0\n\n- gitlab: upgrade to CE v8.8.0\n- oauth: exposed `OAUTH_GITHUB_URL` and `OAUTH_GITHUB_VERIFY_SSL` options for users for GitHub Enterprise.\n\n## 8.7.6\n\n- gitlab: upgrade to CE v8.7.6\n\n## 8.7.5\n\n- gitlab: upgrade to CE v8.7.5\n\n## 8.7.3\n\n- gitlab: upgrade to CE v8.7.3\n\n## 8.7.2\n\n- gitlab: upgrade to CE v8.7.2\n\n## 8.7.1\n\n- gitlab: upgrade to CE v8.7.1\n\n## 8.7.0\n\n- gitlab-shell: upgrade to v.2.7.2\n- gitlab: upgrade to CE v8.7.0\n- SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers.\n- OAuth: Added `OAUTH_EXTERNAL_PROVIDERS` to specify external oauth providers.\n- Exposed `GITLAB_TRUSTED_PROXIES` configuration parameter\n\n## 8.6.7\n\n- added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups\n- gitlab: upgrade to CE v8.6.7\n\n## 8.6.6\n\n- gitlab: upgrade to CE v8.6.6\n\n## 8.6.5\n\n- gitlab: upgrade to CE v8.6.5\n\n## 8.6.4\n\n- gitlab: upgrade to CE v8.6.4\n\n## 8.6.3\n\n- gitlab-shell: upgrade to v.2.6.12\n- gitlab: upgrade to CE v8.6.3\n\n## 8.6.2\n\n- gitlab: upgrade to CE v8.6.2\n\n## 8.6.1\n\n- gitlab: upgrade to CE v8.6.1\n\n## 8.6.0\n\n- gitlab-shell: upgrade to v.2.6.11\n- gitlab-workhorse: upgrade to v0.7.1\n- gitlab: upgrade to CE v8.6.0\n- exposed configuration parameters for auth0 OAUTH support\n- fixed relative_url support\n\n## 8.5.8\n\n- gitlab: upgrade to CE v8.5.8\n\n## 8.5.7\n\n- gitlab: upgrade to CE v8.5.7\n\n## 8.5.5\n\n- gitlab: upgrade to CE v8.5.5\n\n## 8.5.4\n\n- gitlab: upgrade to CE v8.5.4\n\n## 8.5.3\n\n- gitlab: upgrade to CE v8.5.3\n\n## 8.5.1\n\n- gitlab: upgrade to CE v8.5.1\n\n## 8.5.0\n\n- gitlab-workhorse: upgrade to v0.6.4\n- gitlab: upgrade to CE v8.5.0\n- firstrun: expose `GITLAB_ROOT_EMAIL` configuration option\n- expose `OAUTH_AUTO_LINK_SAML_USER` configuration parameter\n\n## 8.4.4\n\n- gitlab: upgrade to CE v8.4.4\n\n## 8.4.3\n\n- gitlab: upgrade to CE v8.4.3\n\n## 8.4.2\n\n- gitlab-workhorse: upgrade to v0.6.2\n- gitlab: 
upgrade to CE v8.4.2\n\n## 8.4.1\n\n- gitlab: upgrade to CE v8.4.1\n\n## 8.4.0-1\n\n- `assets:precompile` moved back to build time\n\n## 8.4.0\n\n- gitlab-shell: upgrade to v.2.6.10\n- gitlab-workhorse: upgrade to v0.6.1\n- gitlab: upgrade to CE v8.4.0\n- oauth: expose cas3 oauth configuration options\n- oauth: expose azure oauth configuration options\n- `assets:precompile` executed at runtime\n\n## 8.3.4\n\n- gitlab-workhorse: upgrade to v0.5.4\n- gitlab: upgrade to CE v8.3.4\n- expose `LDAP_TIMEOUT` configuration parameter\n\n## 8.3.2\n\n- gitlab: upgrade to CE v8.3.2\n\n## 8.3.1\n\n- gitlab: upgrade to CE v8.3.1\n\n## 8.3.0-1\n\n- fixed static asset routing when `GITLAB_RELATIVE_URL_ROOT` is used.\n\n## 8.3.0\n\n- `envsubst` is now used for updating the configurations\n- renamed config `CA_CERTIFICATES_PATH` to `SSL_CA_CERTIFICATES_PATH`\n- renamed config `GITLAB_HTTPS_HSTS_ENABLED` to `NGINX_HSTS_ENABLED`\n- renamed config `GITLAB_HTTPS_HSTS_MAXAGE` to `NGINX_HSTS_MAXAGE`\n- renamed config `GITLAB_BACKUPS` to `GITLAB_BACKUP_SCHEDULE`\n- gitlab-workhorse: upgrade to v0.5.1\n- gitlab: upgrade to CE v8.3.0\n- expose `GITLAB_MAX_OBJECT_SIZE` configuration parameter\n- removed `NGINX_MAX_UPLOAD_SIZE` configuration parameter\n- gitlab-shell: upgrade to v.2.6.9\n\n## 8.2.3\n\n- fixed static asset routing when `GITLAB_RELATIVE_URL_ROOT` is used.\n- added `GITLAB_BACKUP_PG_SCHEMA` configuration parameter\n- gitlab: upgrade to CE v8.2.3\n\n## 8.2.2\n\n- added `GITLAB_DOWNLOADS_DIR` configuration parameter\n- `DB_TYPE` parameter renamed to `DB_ADAPTER` with `mysql2` and `postgresql` as accepted values\n- exposed `DB_ENCODING` parameter\n- gitlab: upgrade to CE v8.2.2\n\n## 8.2.1-1\n\n- fixed typo while setting the value of `GITLAB_ARTIFACTS_DIR`\n\n## 8.2.1\n\n- expose rack_attack configuration options\n- gitlab-shell: upgrade to v.2.6.8\n- gitlab: upgrade to CE v8.2.1\n- added `GITLAB_ARTIFACTS_ENABLED` configuration parameter\n- added `GITLAB_ARTIFACTS_DIR` 
configuration parameter\n\n## 8.2.0\n\n- gitlab-shell: upgrade to v.2.6.7\n- gitlab-workhorse: upgrade to v.0.4.2\n- gitlab: upgrade to CE v8.2.0\n- added `GITLAB_SHARED_DIR` configuration parameter\n- added `GITLAB_LFS_OBJECTS_DIR` configuration parameter\n- added `GITLAB_PROJECTS_BUILDS` configuration parameter\n- added `GITLAB_LFS_ENABLED` configuration parameter\n\n## 8.1.4\n\n- gitlab: upgrade to CE v8.1.4\n\n## 8.1.3\n\n- proper long-term fix for http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used\n- gitlab: upgrade to CE v8.1.3\n- Expose Facebook OAUTH configuration parameters\n\n## 8.1.2\n\n- gitlab: upgrade to CE v8.1.2\n- removed `GITLAB_SATELLITES_TIMEOUT` configuration parameter\n\n## 8.1.0-2\n\n- Recompile assets when `GITLAB_RELATIVE_URL_ROOT` is used Fixes #481\n\n## 8.1.0-1\n\n- temporary fix for http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used\n\n## 8.1.0\n\n- gitlab: upgrade to CE v8.1.0\n- gitlab-git-http-server: upgrade to v0.3.0\n\n## 8.0.5-1\n\n- speed up container startup by compiling assets at image build time\n- test connection to redis-server\n\n## 8.0.5\n\n- gitlab: upgrade to CE v.8.0.5\n\n## 8.0.4-2\n\n- fix http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used\n- allow user to override `OAUTH_ENABLED` setting\n\n## 8.0.4-1\n\n- update baseimage to `sameersbn/ubuntu:14.04.20151011`\n\n## 8.0.4\n\n- gitlab: upgrade to CE v.8.0.4\n\n## 8.0.3\n\n- gitlab: upgrade to CE v.8.0.3\n\n## 8.0.2\n\n- gitlab: upgrade to CE v.8.0.2\n- added `IMAP_STARTTLS` parameter, defaults to `false`\n- expose oauth parameters for crowd server\n\n## 8.0.0\n\n- set default value of `DB_TYPE` to `postgres`\n- added sample Kubernetes rc and service description files\n- expose `GITLAB_BACKUP_ARCHIVE_PERMISSIONS` parameter\n- gitlab: upgrade to CE v.8.0.0\n- added `GITLAB_SECRETS_DB_KEY_BASE` parameter\n- added `GITLAB_NOTIFY_ON_BROKEN_BUILDS` and `GITLAB_NOTIFY_PUSHER` parameters\n- added options to email IMAP and reply by email feature\n- set 
value of `GITLAB_EMAIL` to `SMTP_USER` if defined, else default to `example@example.com`\n- removed `GITLAB_ROBOTS_OVERRIDE` parameter. Override default `robots.txt` if `GITLAB_ROBOTS_PATH` exists.\n- added CI redirection using `GITLAB_CI_HOST` parameter\n\n## 7.14.3\n\n- gitlab: upgrade to CE v.7.14.3\n\n## 7.14.2\n\n- Apply grsecurity policies to nodejs binary #394\n- Fix broken emojis post migration #196\n- gitlab-shell: upgrade to v.2.6.5\n- gitlab: upgrade to CE v.7.14.2\n\n## 7.14.1\n\n- gitlab: upgrade to CE v.7.14.1\n\n## 7.14.0\n\n- gitlab-shell: upgrade to v.2.6.4\n- gitlab: upgrade to CE v.7.14.0\n\n## 7.13.5\n\n- gitlab: upgrade to CE v.7.13.5\n\n## 7.13.4\n\n- gitlab: upgrade to CE v.7.13.4\n\n## 7.13.3\n\n- gitlab: upgrade to CE v.7.13.3\n\n## 7.13.2\n\n- gitlab: upgrade to CE v.7.13.2\n\n## 7.13.1\n\n- gitlab: upgrade to CE v.7.13.1\n\n## 7.13.0\n\n- expose SAML OAuth provider configuration\n- expose `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` configuration\n- gitlab: upgrade to CE v.7.13.0\n\n## 7.12.2-2\n\n- enable persistence `.secret` file used in 2FA\n\n## 7.12.2-1\n\n- fixed gitlab:backup:restore raketask\n\n## 7.12.2\n\n- gitlab: upgrade to CE v.7.12.2\n\n## 7.12.1\n\n- gitlab: upgrade to CE v.7.12.1\n\n## 7.12.0\n\n- added `SMTP_TLS` configuration parameter\n- gitlab: upgrade to CE v.7.12.0\n- added `OAUTH_AUTO_LINK_LDAP_USER` configuration parameter\n\n## 7.11.4-1\n\n- base image update to fix SSL vulnerability\n\n## 7.11.4\n\n- gitlab: upgrade to CE v.7.11.4\n\n## 7.11.3\n\n- gitlab: upgrade to CE v.7.11.3\n\n## 7.11.2\n\n- gitlab: upgrade to CE v.7.11.2\n\n## 7.11.0\n\n- init: added `SIDEKIQ_MEMORY_KILLER_MAX_RSS` configuration option\n- init: added `SIDEKIQ_SHUTDOWN_TIMEOUT` configuration option\n- gitlab-shell: upgrade to v.2.6.3\n- gitlab: upgrade to CE v.7.11.0\n- init: removed `GITLAB_PROJECTS_VISIBILITY` ENV parameter\n\n## 7.10.4\n\n- gitlab: upgrade to CE v.7.10.4\n\n## 7.10.3\n\n- gitlab: upgrade to CE v.7.10.3\n\n## 7.10.2\n\n- init: 
added support for remote AWS backups\n- gitlab: upgrade to CE v.7.10.2\n\n## 7.10.1\n\n- gitlab: upgrade to CE v.7.10.1\n\n## 7.10.0\n\n- gitlab-shell: upgrade to v.2.6.2\n- gitlab: upgrade to CE v.7.10.0\n- init: removed ENV variables to configure *External Issue Tracker* integration\n- init: added `GITLAB_EMAIL_REPLY_TO` configuration option\n- init: added `LDAP_BLOCK_AUTO_CREATED_USERS` configuration option\n\n## 7.9.4\n\n- gitlab: upgrade to CE v.7.9.4\n\n## 7.9.3\n\n- added `NGINX_PROXY_BUFFERING` option\n- added `NGINX_ACCEL_BUFFERING` option\n- added `GITLAB_GRAVATAR_ENABLED` option\n- added `GITLAB_GRAVATAR_HTTP_URL` option\n- added `GITLAB_GRAVATAR_HTTPS_URL` option\n- fixes: \"transfer closed with xxx bytes remaining to read\" error\n- gitlab: upgrade to CE v.7.9.3\n\n## 7.9.2\n\n- gitlab: upgrade to CE v.7.9.2\n\n## 7.9.1\n\n- init: set default value of `SMTP_OPENSSL_VERIFY_MODE` to `none`\n- gitlab: upgrade to CE v.7.9.1\n\n## 7.9.0\n\n- gitlab-shell: upgrade to v.2.6.0\n- gitlab: upgrade to CE v.7.9.0\n- init: set default value of `UNICORN_WORKERS` to `3`\n- init: set default value of `SMTP_OPENSSL_VERIFY_MODE` to `peer`\n- init: removed `GITLAB_RESTRICTED_VISIBILITY` configuration option, can be set from the UI\n- init: added BitBucket OAuth configuration support\n- init: added `GITLAB_EMAIL_DISPLAY_NAME` configuration option\n\n## 7.8.4\n\n- gitlab: upgrade to CE v.7.8.4\n\n## 7.8.2\n\n- gitlab: upgrade to CE v.7.8.2\n\n## 7.8.1\n\n- gitlab-shell: upgrade to v.2.5.4\n- gitlab: upgrade to CE v.7.8.1\n\n## 7.8.0\n\n- update postgresql client to the latest version, Closes #249\n- removed `GITLAB_SIGNUP` configuration option, can be set from gitlab ui\n- removed `GITLAB_SIGNIN` configuration option, can be set from gitlab ui\n- removed `GITLAB_PROJECTS_LIMIT` configuration option, can be set from gitlab ui\n- removed `GITLAB_GRAVATAR_ENABLED` configuration option, can be set from gitlab ui\n- gitlab-shell: upgrade to v.2.5.3\n- gitlab: upgrade to CE 
v.7.8.0\n- init: set `LDAP_PORT` default value to `389`\n- init: set `LDAP_METHOD` default value to `plain`\n- init: added gitlab oauth configuration support\n\n## 7.7.2\n\n- gitlab-shell: upgrade to v.2.4.2\n- gitlab: upgrade to CE v.7.7.2\n\n## 7.7.1\n\n- gitlab: upgrade to CE v.7.7.1\n\n## 7.7.0\n\n- init: added GOOGLE_ANALYTICS_ID configuration option\n- added support for mantis issue tracker\n- fixed log rotation configuration\n- gitlab-shell: upgrade to v.2.4.1\n- gitlab: upgrade to CE v.7.7.0\n\n## 7.6.2\n\n- gitlab: upgrade to CE v.7.6.2\n\n## 7.6.1\n\n- disable nginx ipv6 if host does not support it.\n- init: added GITLAB_BACKUP_TIME configuration option\n- gitlab: upgrade to CE v.7.6.1\n\n## 7.6.0\n\n- add support for configuring piwik\n- gitlab-shell: upgrade to v.2.4.0\n- gitlab: upgrade to CE v.7.6.0\n\n## 7.5.3\n\n- accept `BACKUP` parameter while running the restore rake task, closes #220\n- init: do not run `gitlab:satellites:create` rake task at startup\n- gitlab: upgrade to CE v.7.5.3\n\n## 7.5.2\n\n- gitlab: upgrade to CE v.7.5.2\n\n## 7.5.1\n\n- gitlab: upgrade to CE v.7.5.1\n- gitlab-shell to v2.2.0\n- added `GITLAB_TIMEZONE` configuration option\n- added `GITLAB_EMAIL_ENABLED` configuration option\n\n## 7.4.4\n\n- gitlab: upgrade to CE v.7.4.4\n- added `SSL_VERIFY_CLIENT` configuration option\n- added `NGINX_WORKERS` configuration option\n- added `USERMAP_UID` and `USERMAP_GID` configuration option\n\n## 7.4.3\n\n- gitlab: upgrade to CE v.7.4.3\n\n## 7.4.2\n\n- gitlab: upgrade to CE v.7.4.2\n\n## 7.4.0\n\n- gitlab: upgrade to CE v.7.4.0\n- config: added `LDAP_ACTIVE_DIRECTORY` configuration option\n- added SMTP_OPENSSL_VERIFY_MODE configuration option\n- feature: gitlab logs volume\n- automatically compile assets if relative_url is changed\n- launch all daemons via supervisord\n\n## 7.3.2-1\n\n- fix mysql status check\n\n## 7.3.2\n\n- upgrade to gitlab-ce 7.3.2\n- removed internal mysql server\n- added support for fetching `DB_NAME`, `DB_USER` 
and `DB_PASS` from the postgresql linkage\n- added support for fetching `DB_NAME`, `DB_USER` and `DB_PASS` from the mysql linkage\n- gitlab-shell: upgrade to v.2.0.1\n- added GITLAB_GRAVATAR_ENABLED configuration option\n- added fig.yml\n\n## 7.3.1-3\n\n- fix mysql command again!\n\n## 7.3.1-2\n\n- fix mysql server status check\n\n## 7.3.1-1\n\n- plug bash vulnerability by switching to dash shell\n- automatically run the `gitlab:setup` rake task for new installs\n\n## 7.3.1\n\n- upgrade to gitlab-ce 7.3.1\n\n## 7.3.0\n\n- upgrade to gitlab-ce 7.3.0\n- added GITLAB_WEBHOOK_TIMEOUT configuration option\n- upgrade to gitlab-shell 2.0.0\n- removed internal redis server\n- shutdown the container gracefully\n\n## 7.2.2\n\n- upgrade to gitlab-ce 7.2.2\n- added GITLAB_HTTPS_HSTS_ENABLED configuration option (advanced config)\n- added GITLAB_HTTPS_HSTS_MAXAGE configuration option (advanced config)\n- upgrade to gitlab-shell 1.9.8\n- purge development packages after install. shaves off ~300MB from the image.\n- rebase image on sameersbn/debian:jessie.20140918 base image\n- added GITLAB_SSH_HOST configuration option\n- added GITLAB_USERNAME_CHANGE configuration option\n\n## 7.2.1-1\n\n- removed the GITLAB_HTTPS_ONLY configuration option\n- added NGINX_X_FORWARDED_PROTO configuration option\n- optimization: talk directly to the unicorn worker from gitlab-shell\n\n## 7.2.1\n\n- upgrade to gitlab-ce 7.2.1\n- added new SMTP_ENABLED configuration option.\n\n## 7.2.0-1\n\n- fix nginx static route handling when GITLAB_RELATIVE_URL_ROOT is used.\n- fix relative root access without the trailing '/' character\n- added separate server block for http config in gitlab.https.permissive. 
Fixes #127\n- added OAUTH_GOOGLE_RESTRICT_DOMAIN config option.\n\n## 7.2.0\n\n- upgrade to gitlab-ce 7.2.0\n- update to the sameersbn/ubuntu:14.04.20140818 baseimage\n- remove /var/lib/apt/lists to optimize image size.\n- disable UsePrivilegeSeparation in sshd configuration, fixes #122\n- added OAUTH_BLOCK_AUTO_CREATED_USERS configuration option\n- added OAUTH_ALLOW_SSO configuration option\n- added github oauth configuration support\n- added twitter oauth configuration support\n- added google oauth configuration support\n- added support for jira issue tracker\n- added support for redmine issue tracker\n- update to gitlab-shell 1.9.7\n- update to the sameersbn/ubuntu:14.04.20140812 baseimage\n\n## 7.1.1\n\n- removed \"add_header X-Frame-Options DENY\" setting from the nginx config. fixes #110\n- upgrade to gitlab-ce 7.1.1\n- run /etc/init.d/gitlab as git user, plays nicely with selinux\n\n## 7.1.0\n\n- removed GITLAB_SUPPORT configuration option\n- upgrade to gitlab-ce 7.1.0\n- clone gitlab-ce and gitlab-shell sources from the git repo.\n- disable pam authentication module in sshd\n- update to the sameersbn/ubuntu:14.04.20140628 baseimage\n- no more root access over ssh, use nsenter instead\n- upgrade to nginx-1.6.x series from the nginx/stable ppa\n\n## 7.0.0\n\n- upgrade to gitlab-7.0.0\n- fix repository and gitlab-satellites directory permissions.\n- added GITLAB_RESTRICTED_VISIBILITY configuration option\n- fix backup restore operation\n- upgrade to gitlab-shell 1.9.6\n- added app:sanitize command\n- automatically migrate database when gitlab version is updated\n- upgrade to gitlab-shell 1.9.5\n\n## 6.9.2\n\n- upgrade to gitlab-ce 6.9.2\n\n## 6.9.1\n\n- upgrade to gitlab-ce 6.9.1\n\n## 6.9.0\n\n- upgrade to gitlab-ce 6.9.0\n- added GITLAB_RELATIVE_URL_ROOT configuration option\n- added NGINX_MAX_UPLOAD_SIZE configuration to specify the maximum acceptable size of attachments.\n\n## 6.8.2\n\n- upgrade to gitlab-ce 6.8.2\n- renamed configuration option 
GITLAB_SHELL_SSH_PORT to GITLAB_SSH_PORT\n- added GITLAB_PROJECTS_VISIBILITY configuration option to specify the default project visibility level.\n- generate and store ssh host keys at the data store.\n- default GITLAB_PROJECTS_LIMIT is now set to 100\n- use sameersbn/ubuntu:14.04.20140508 base image, the trusted build of sameersbn/ubuntu:14.04.20140505 seems to be broken\n- use sameersbn/ubuntu:14.04.20140505 base image\n- added CA_CERTIFICATES_PATH configuration option to specify trusted root certificates.\n- added SSL support\n- added SSL_DHPARAM_PATH configuration option to specify path of dhparam.pem file.\n- added SSL_KEY_PATH configuration option to specify path of ssl key.\n- added SSL_CERTIFICATE_PATH configuration option to specify path of ssl certificate\n- added GITLAB_HTTPS_ONLY configuration option to configure strict https only access\n- added SSL_SELF_SIGNED configuration option to specify use of self signed ssl certificates.\n- fix git over ssh when the default http/https ports are not used.\n- compile the assets only if it does not exist or if the gitlab version has changed.\n- upgrade gitlab-shell to version 1.9.4\n- cache compiled assets to boost application startup.\n- fix symlink to uploads directory\n\n## 6.8.1\n\n- upgrade to gitlab-ce 6.8.1\n\n## 6.8.0\n\n- upgrade to gitlab-shell 1.9.3\n- added GITLAB_SIGNIN setting to enable or disable standard login form\n- upgraded to gitlab-ce version 6.8.0\n- added support for linking with redis container.\n- use sameersbn/ubuntu as the base docker image\n- install postgresql-client to fix restoring backups when used with a postgresql database backend.\n\n## 6.7.5\n\n- upgrade gitlab to 6.7.5\n- support linking to mysql and postgresql containers\n- added DEFAULT_PROJECTS_LIMIT configuration option\n\n## 6.7.4\n\n- upgrade gitlab to 6.7.4\n- added SMTP_AUTHENTICATION configuration option, defaults to :login.\n- added LDAP configuration options.\n\n## 6.7.3\n\n- upgrade gitlab to 6.7.3\n- install 
ruby2.0 from ppa\n\n## 6.7.2\n\n- upgrade gitlab to 6.7.2\n- upgrade gitlab-shell to 1.9.1\n- reorganize repo\n- do not perform system upgrades (<http://crosbymichael.com/dockerfile-best-practices-take-2.html>)\n\n## 6.6.5\n\n- upgraded to gitlab-6.6.5\n\n## v6.6.4\n\n- upgraded to gitlab-6.6.4\n- added changelog\n- removed postfix mail delivery\n- added SMTP_DOMAIN configuration option\n- added SMTP_STARTTLS configuration option\n- added SMTP_DOMAIN configuration option\n- added DB_PORT configuration option\n- changed backup time to 4am (UTC)\n\n## v6.6.2\n\n- upgraded to gitlab-6.6.2\n- added automated daily/monthly backups feature\n- documented ssh login details for maintenance tasks.\n- perform upgrade of git, nginx and other system packages\n- added GITLAB_SHELL_SSH_PORT configuration option\n- added app:rake command for executing gitlab rake tasks\n- documented hardware requirements\n\n## v6.6.1\n\n- upgraded to gitlabhq-6.6.1\n- reformatted README\n"
  },
  {
    "path": "Dockerfile",
    "content": "FROM ubuntu:noble-20260210.1\n\nARG VERSION=18.9.2\n\nENV GITLAB_VERSION=${VERSION} \\\n    RUBY_VERSION=3.3.10 \\\n    RUBY_SOURCE_SHA256SUM=\"b555baa467a306cfc8e6c6ed24d0d27b27e9a1bed1d91d95509859eac6b0e928\" \\\n    RUBYGEMS_VERSION=4.0.8 \\\n    GOLANG_VERSION=1.25.8 \\\n    GITLAB_SHELL_VERSION=14.45.6 \\\n    GITLAB_PAGES_VERSION=18.9.2 \\\n    GITALY_SERVER_VERSION=18.9.2 \\\n    GITLAB_USER=\"git\" \\\n    GITLAB_HOME=\"/home/git\" \\\n    GITLAB_LOG_DIR=\"/var/log/gitlab\" \\\n    GITLAB_CACHE_DIR=\"/etc/docker-gitlab\" \\\n    RAILS_ENV=production \\\n    NODE_ENV=production \\\n    NO_SOURCEMAPS=true\n\nENV GITLAB_INSTALL_DIR=\"${GITLAB_HOME}/gitlab\" \\\n    GITLAB_SHELL_INSTALL_DIR=\"${GITLAB_HOME}/gitlab-shell\" \\\n    GITLAB_GITALY_INSTALL_DIR=\"${GITLAB_HOME}/gitaly\" \\\n    GITLAB_DATA_DIR=\"${GITLAB_HOME}/data\" \\\n    GITLAB_BUILD_DIR=\"${GITLAB_CACHE_DIR}/build\" \\\n    GITLAB_RUNTIME_DIR=\"${GITLAB_CACHE_DIR}/runtime\"\n\nRUN apt-get update \\\n && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \\\n    wget ca-certificates apt-transport-https gnupg2 \\\n && apt-get upgrade -y \\\n && rm -rf /var/lib/apt/lists/*\n\nRUN set -ex && \\\n    mkdir -p /etc/apt/keyrings \\\n && wget --quiet -O - https://keyserver.ubuntu.com/pks/lookup?op=get\\&search=0xe1dd270288b4e6030699e45fa1715d88e1df1f24 | gpg --dearmor -o /etc/apt/keyrings/git-core.gpg \\\n && echo \"deb [signed-by=/etc/apt/keyrings/git-core.gpg] http://ppa.launchpad.net/git-core/ppa/ubuntu noble main\" >> /etc/apt/sources.list \\\n && wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/keyrings/postgres.gpg \\\n && echo 'deb [signed-by=/etc/apt/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt/ noble-pgdg main' > /etc/apt/sources.list.d/pgdg.list \\\n && wget --quiet -O - https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \\\n && 
echo 'deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main' > /etc/apt/sources.list.d/nodesource.list \\\n && wget --quiet -O - https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor -o /etc/apt/keyrings/yarn.gpg \\\n && echo 'deb [signed-by=/etc/apt/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list \\\n && wget --quiet -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /etc/apt/keyrings/nginx-archive-keyring.gpg \\\n && echo \"deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu noble nginx\" >> /etc/apt/sources.list.d/nginx.list \\\n && printf \"Package: *\\nPin: origin nginx.org\\nPin: release o=nginx\\nPin-Priority: 900\\n\" >> /etc/apt/preferences.d/99nginx \\\n && set -ex \\\n && apt-get update \\\n && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \\\n      sudo supervisor logrotate locales curl \\\n      meson \\\n      nginx openssh-server redis-tools \\\n      postgresql-client-13 postgresql-client-14 postgresql-client-15 postgresql-client-16 postgresql-client-17 \\\n      python3 python3-docutils nodejs yarn gettext-base graphicsmagick \\\n      libpq5 zlib1g libyaml-dev libssl-dev libgdbm-dev libre2-dev \\\n      libreadline-dev libncurses5-dev libffi-dev curl openssh-server libxml2-dev libxslt-dev \\\n      libcurl4-openssl-dev libicu-dev libkrb5-dev rsync python3-docutils pkg-config cmake \\\n      tzdata unzip libimage-exiftool-perl libmagic1 \\\n && update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \\\n && locale-gen en_US.UTF-8 \\\n && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales \\\n && rm -rf /var/lib/apt/lists/* /etc/nginx/conf.d/default.conf\n\nCOPY assets/build/ ${GITLAB_BUILD_DIR}/\nRUN bash ${GITLAB_BUILD_DIR}/install.sh\n\nCOPY assets/runtime/ ${GITLAB_RUNTIME_DIR}/\nCOPY entrypoint.sh /sbin/entrypoint.sh\nRUN chmod 755 /sbin/entrypoint.sh\n\nENV 
prometheus_multiproc_dir=\"/dev/shm\"\n\nARG BUILD_DATE\nARG VCS_REF\n\nLABEL \\\n    maintainer=\"sameer@damagehead.com\" \\\n    org.label-schema.schema-version=\"1.0\" \\\n    org.label-schema.build-date=${BUILD_DATE} \\\n    org.label-schema.name=gitlab \\\n    org.label-schema.vendor=damagehead \\\n    org.label-schema.url=\"https://github.com/sameersbn/docker-gitlab\" \\\n    org.label-schema.vcs-url=\"https://github.com/sameersbn/docker-gitlab.git\" \\\n    org.label-schema.vcs-ref=${VCS_REF} \\\n    com.damagehead.gitlab.license=MIT\n\nEXPOSE 22/tcp 80/tcp 443/tcp\n\nVOLUME [\"${GITLAB_DATA_DIR}\", \"${GITLAB_LOG_DIR}\"]\nWORKDIR ${GITLAB_INSTALL_DIR}\nENTRYPOINT [\"/sbin/entrypoint.sh\"]\nCMD [\"app:start\"]\n"
  },
  {
    "path": "LICENSE",
    "content": "The MIT License (MIT)\n\nCopyright (c) 2014 Sameer Naik\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "Makefile",
    "content": "all: build\n\nhelp:\n\t@echo \"\"\n\t@echo \"-- Help Menu\"\n\t@echo \"\"\n\t@echo \"   1. make build        - build the gitlab image\"\n\t@echo \"   2. make quickstart   - start gitlab\"\n\t@echo \"   3. make stop         - stop gitlab\"\n\t@echo \"   4. make logs         - view logs\"\n\t@echo \"   5. make purge        - stop and remove the container\"\n\nbuild:\n\t@docker build --tag=sameersbn/gitlab . \\\n\t\t--build-arg BUILD_DATE=\"$(shell date +\"%Y-%m-%d %H:%M:%S%:z\")\" \\\n\t\t--build-arg VCS_REF=$(shell git rev-parse --short HEAD)\n\nrelease: build\n\t@docker build --tag=sameersbn/gitlab:$(shell cat VERSION) . \\\n\t\t--build-arg BUILD_DATE=\"$(shell date +\"%Y-%m-%d %H:%M:%S%:z\")\" \\\n\t\t--build-arg VCS_REF=$(git describe --tags --always)\n\nquickstart:\n\t@echo \"Starting postgresql container...\"\n\t@docker run --name=gitlab-postgresql -d \\\n\t\t--env='DB_NAME=gitlabhq_production' \\\n\t\t--env='DB_USER=gitlab' --env='DB_PASS=password' \\\n\t\tsameersbn/postgresql:latest\n\t@echo \"Starting redis container...\"\n\t@docker run --name=gitlab-redis -d \\\n\t\tsameersbn/redis:latest\n\t@echo \"Starting gitlab container...\"\n\t@docker run --name='gitlab-demo' -d \\\n\t\t--link=gitlab-postgresql:postgresql --link=gitlab-redis:redisio \\\n\t\t--publish=10022:22 --publish=10080:80 \\\n\t\t--env='GITLAB_PORT=10080' --env='GITLAB_SSH_PORT=10022' \\\n\t\tsameersbn/gitlab:latest\n\t@echo \"Please be patient. 
This could take a while...\"\n\t@echo \"GitLab will be available at http://localhost:10080\"\n\t@echo \"Type 'make logs' for the logs\"\n\nstop:\n\t@echo \"Stopping gitlab...\"\n\t@docker stop gitlab-demo >/dev/null\n\t@echo \"Stopping redis...\"\n\t@docker stop gitlab-redis >/dev/null\n\t@echo \"Stopping postgresql...\"\n\t@docker stop gitlab-postgresql >/dev/null\n\npurge: stop\n\t@echo \"Removing stopped containers...\"\n\t@docker rm -v gitlab-demo >/dev/null\n\t@docker rm -v gitlab-redis >/dev/null\n\t@docker rm -v gitlab-postgresql >/dev/null\n\nlogs:\n\t@docker logs -f gitlab-demo\n"
  },
  {
    "path": "README.md",
    "content": "# sameersbn/gitlab:18.9.2\n\n[![CircleCI](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master.svg?style=svg)](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master)\n\n- [Introduction](#introduction)\n    - [Changelog](Changelog.md)\n- [Contributing](#contributing)\n- [Team](#team)\n- [Issues](#issues)\n- [Announcements](https://github.com/sameersbn/docker-gitlab/issues/39)\n- [Prerequisites](#prerequisites)\n- [Installation](#installation)\n- [Quick Start](#quick-start)\n- [Configuration](#configuration)\n    - [Data Store](#data-store)\n    - [Database](#database)\n        - [PostgreSQL (Recommended)](#postgresql)\n            - [External PostgreSQL Server](#external-postgresql-server)\n            - [Linking to PostgreSQL Container](#linking-to-postgresql-container)\n            - [Upgrading PostgreSQL](#upgrading-postgresql)\n    - [Redis](#redis)\n        - [Internal Redis Server](#internal-redis-server)\n        - [External Redis Server](#external-redis-server)\n        - [Linking to Redis Container](#linking-to-redis-container)\n    - [Mail](#mail)\n        - [Reply by email](#reply-by-email)\n    - [SSL](#ssl)\n        - [Generation of a Self Signed Certificate](#generation-of-a-self-signed-certificate)\n        - [Strengthening the server security](#strengthening-the-server-security)\n        - [Installation of the SSL Certificates](#installation-of-the-ssl-certificates)\n        - [Enabling HTTPS support](#enabling-https-support)\n        - [Configuring HSTS](#configuring-hsts)\n        - [Using HTTPS with a load balancer](#using-https-with-a-load-balancer)\n        - [Establishing trust with your server](#establishing-trust-with-your-server)\n        - [Installing Trusted SSL Server Certificates](#installing-trusted-ssl-server-certificates)\n    - [Deploy to a subdirectory (relative url root)](#deploy-to-a-subdirectory-relative-url-root)\n    - [OmniAuth Integration](#omniauth-integration)\n        - [CAS3](#cas3)\n        - 
[Authentiq](#authentiq)\n        - [Google](#google)\n        - [Twitter](#twitter)\n        - [GitHub](#github)\n        - [GitLab](#gitlab)\n        - [BitBucket](#bitbucket)\n        - [SAML](#saml)\n        - [Crowd](#crowd)\n        - [Microsoft Azure](#microsoft-azure)\n        - [Generic OAuth2](#generic-oauth2)\n        - [OpenID Connect](#openid-connect)\n        - [JWT](#jwt)\n    - [Gitlab Pages](#gitlab-pages)\n    - [External Issue Trackers](#external-issue-trackers)\n    - [Host UID / GID Mapping](#host-uid--gid-mapping)\n    - [Piwik](#piwik)\n    - [Feature flags](#feature-flags)\n    - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md)\n    - [Available Configuration Parameters](#available-configuration-parameters)\n- [Maintenance](#maintenance)\n    - [Creating Backups](#creating-backups)\n    - [Restoring Backups](#restoring-backups)\n    - [Automated Backups](#automated-backups)\n    - [Amazon Web Services (AWS) Remote Backups](#amazon-web-services-aws-remote-backups)\n    - [Google Cloud Storage (GCS) Remote Backups](#google-cloud-storage-gcs-remote-backups)\n    - [Rake Tasks](#rake-tasks)\n    - [Import Repositories](#import-repositories)\n    - [Upgrading](#upgrading)\n    - [Shell Access](#shell-access)\n- [Monitoring](#monitoring)\n    - [Health Check](#health-check)\n- [Container Registry](docs/container_registry.md)\n- [Deploy in Docker Swarm mode, with HTTPS handled by Traefik proxy and Docker Registry](docs/docker-swarm-traefik-registry.md)\n- [References](#references)\n\n## Introduction\n\nDockerfile to build a [GitLab](https://about.gitlab.com/) image for the [Docker](https://www.docker.com/products/docker-engine) open source container platform.\n\nGitLab CE is set up in the Docker image using the [install from source](https://docs.gitlab.com/ce/install/installation.html) method as documented in the official GitLab documentation.\n\nFor other methods to install GitLab please refer to the [Official GitLab 
Installation Guide](https://about.gitlab.com/install/) which includes a [GitLab image for Docker](https://docs.gitlab.com/omnibus/docker/).\n\n## Contributing\n\nIf you find this image useful here's how you can help:\n\n- Send a Pull Request with your awesome new features and bug fixes\n- Be a part of the community and help resolve [Issues](https://github.com/sameersbn/docker-gitlab/issues)\n- Support the development of this image with a [donation](http://www.damagehead.com/donate/)\n\n## Team\n\n- Niclas Mietz ([solidnerd](https://github.com/solidnerd))\n- Sameer Naik ([sameersbn](https://github.com/sameersbn))\n\nSee [Contributors](../../graphs/contributors) for the complete list of developers that have contributed to this project.\n\n## Issues\n\nDocker is actively being developed and tested by a thriving community of developers and testers and every release of Docker features many enhancements and bugfixes.\n\nGiven the nature of the development and release cycle it is very important that you have the latest version of Docker installed because any issue that you encounter might have already been fixed with a newer Docker release.\n\nInstall the most recent version of the Docker Engine for your platform using the [official Docker releases](http://docs.docker.com/engine/installation/), which can also be installed using:\n\n```bash\nwget -qO- https://get.docker.com/ | sh\n```\n\nFedora and RHEL/CentOS users should try disabling selinux with `setenforce 0` (which switches it to permissive mode until the next reboot) and check if that resolves the issue. If it does then there is not much that I can help you with. 
You can either stick with selinux disabled (not recommended by redhat) or switch to using ubuntu.\n\nYou may also set `DEBUG=true` to enable debugging of the entrypoint script, which could help you pinpoint any configuration issues.\n\nIf using the latest docker version and/or disabling selinux does not fix the issue then please file an issue request on the [issues](https://github.com/sameersbn/docker-gitlab/issues) page.\n\nIn your issue report please make sure you provide the following information:\n\n- The host distribution and release version.\n- Output of the `docker version` command\n- Output of the `docker info` command\n- The `docker run` command you used to run the image (mask out the sensitive bits).\n\n## Prerequisites\n\nYour docker host needs to have 1GB or more of available RAM to run GitLab. Please refer to the GitLab [hardware requirements](https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/requirements.md#hardware-requirements) documentation for additional information.\n\n## Installation\n\nAutomated builds of the image are available on [Dockerhub](https://hub.docker.com/r/sameersbn/gitlab) and is the recommended method of installation.\n\n```bash\ndocker pull sameersbn/gitlab:18.9.2\n```\n\nYou can also pull the `latest` tag which is built from the repository *HEAD*\n\n```bash\ndocker pull sameersbn/gitlab:latest\n```\n\nAlternatively you can build the image locally.\n\n```bash\ndocker build -t sameersbn/gitlab github.com/sameersbn/docker-gitlab\n```\n\n## Quick Start\n\nThe quickest way to get started is using [docker-compose](https://docs.docker.com/compose/).\n\n```bash\nwget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml\n```\n\nGenerate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. 
These values are used for the following:\n\n- `GITLAB_SECRETS_OTP_KEY_BASE` is used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA.\n- `GITLAB_SECRETS_DB_KEY_BASE` is used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets.\n- `GITLAB_SECRETS_SECRET_KEY_BASE` is used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset.\n- `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` is used for reading settings from encrypted files such as SMTP or LDAP credentials.\n\n> **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`.\n\nAlso generate random strings that are typically `32` characters long for each of:\n\n- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`\n- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`\n- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`\n\nThese values are used for `ActiveRecord::Encryption` encrypted columns. Details can be found under [Active Record Encryption](https://guides.rubyonrails.org/active_record_encryption.html).\n\nStart GitLab using:\n\n```bash\ndocker-compose up\n```\n\nAlternatively, you can manually launch the `gitlab` container and the supporting `postgresql` and `redis` containers by following this three step guide.\n\nStep 1. Launch a postgresql container\n\n```bash\ndocker run --name gitlab-postgresql -d \\\n    --env 'DB_NAME=gitlabhq_production' \\\n    --env 'DB_USER=gitlab' --env 'DB_PASS=password' \\\n    --env 'DB_EXTENSION=pg_trgm,btree_gist' \\\n    --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \\\n    kkimurak/sameersbn-postgresql:16\n```\n\nStep 2. 
Launch a redis container\n\n```bash\ndocker run --name gitlab-redis -d \\\n    --volume /srv/docker/gitlab/redis:/data \\\n    redis:7\n```\n\nStep 3. Launch the gitlab container\n\n```bash\ndocker run --name gitlab -d \\\n    --link gitlab-postgresql:postgresql --link gitlab-redis:redisio \\\n    --publish 10022:22 --publish 10080:80 \\\n    --env 'GITLAB_PORT=10080' --env 'GITLAB_SSH_PORT=10022' \\\n    --env 'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \\\n    --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \\\n    --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \\\n    --env 'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \\\n    --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=[\"long-and-random-alpha-numeric-string\"]' \\\n    --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=[\"long-and-random-alpha-numeric-string\"]' \\\n    --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alpha-numeric-string' \\\n    --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n    sameersbn/gitlab:18.9.2\n```\n\n*Please refer to [Available Configuration Parameters](#available-configuration-parameters) to understand `GITLAB_PORT` and other configuration options*\n\n**NOTE**: Please allow a couple of minutes for the GitLab application to start.\n\nPoint your browser to `http://localhost:10080` and set a password for the `root` user account.\n\nYou should now have the GitLab application up and ready for testing. If you want to use this image in production then please read on.\n\n*The rest of the document will use the docker command line. You can quite simply adapt your configuration into a `docker-compose.yml` file if you wish to do so.*\n\n## Configuration\n\n### Data Store\n\nGitLab is a code hosting software and as such you don't want to lose your code when the docker container is stopped/deleted. 
To avoid losing any data, you should mount a volume at\n\n- `/home/git/data`\n\n*Note: if you are using the `docker-compose` approach, you must \"inspect\" the volumes (```docker volume inspect```) to check the mounted path.*\n\nSELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.\n\n```bash\nmkdir -p /srv/docker/gitlab/gitlab\nsudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/gitlab\n```\n\nVolumes can be mounted in docker by specifying the `-v` option in the docker run command.\n\n```bash\ndocker run --name gitlab -d \\\n    --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n    sameersbn/gitlab:18.9.2\n```\n\n### Database\n\nGitLab uses a database backend to store its data. You can configure this image to use PostgreSQL.\n\n*Note:* GitLab requires PostgreSQL now. So use an older image < 12.1 or migrate to PostgreSQL\n\n#### PostgreSQL\n\n**Important note:** This image is shipped with different versions of the `postgresql-client`.\n\nDuring the startup of the container, the major version of the database system is checked based on the specified connection destination. Only the version of the `postgresql-client` that matches the major version of the Postgres database is used. If none of the included clients matches the major version of the database, the latest client is used (but may cause issues). 
All other versions of the `postgresql-client` are deleted at runtime.\n\nThis behavior can be checked using the command `docker logs` and an output like the following should be available:\n\n````sh\n…\nConfiguring gitlab::database\n- Installing postgresql client to avoid version mismatch on dumping\n-- Detected server version: 160009\n- Generating /home/git/.postgresqlrc\n16 postgresql:5432 gitlabhq_production\n- Uninstalling unused client(s): postgresql-client-13 postgresql-client-14 postgresql-client-15 postgresql-client-17\n…\n````\n\nPlease note furthermore, that only compatible versions of the `postgresql-client` to GitLab are shipped with this image. Currently, these belong to\n\n- `postgresql-client-13`,\n- `postgresql-client-14`,\n- `postgresql-client-15`,\n- `postgresql-client-16`,\n- and `postgresql-client-17`.\n\n***Notes:***\n\n- GitLab CE version 13.7.0 and later requires PostgreSQL version 12.x.\n- GitLab CE version 16.0.0 and later requires PostgreSQL version 13.x.\n- GitLab CE version 17.0.0 and later requires PostgreSQL version 14.x.\n- GitLab CE version 18.0.0 and later requires PostgreSQL version 16.x.\n\n##### External PostgreSQL Server\n\nThe image also supports using an external PostgreSQL Server. 
This is also controlled via environment variables.\n\n```sql\nCREATE ROLE gitlab with LOGIN CREATEDB PASSWORD 'password';\nCREATE DATABASE gitlabhq_production;\nGRANT ALL PRIVILEGES ON DATABASE gitlabhq_production to gitlab;\n```\n\nAdditionally, since GitLab `8.6.0` the `pg_trgm` extension should also be loaded for the `gitlabhq_production` database.\n\nWe are now ready to start the GitLab application.\n\n*Note:* The following applies assuming that the PostgreSQL server host is `192.168.1.100`.\n\n```bash\ndocker run --name gitlab -d \\\n    --env 'DB_HOST=192.168.1.100' \\\n    --env 'DB_NAME=gitlabhq_production' \\\n    --env 'DB_USER=gitlab' --env 'DB_PASS=password' \\\n    --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n    sameersbn/gitlab:18.9.2\n```\n\n##### Linking to PostgreSQL Container\n\nYou can link this image with a postgresql container for the database requirements. The alias of the postgresql server container should be set to **postgresql** while linking with the gitlab image.\n\nIf a postgresql container is linked, only the `DB_HOST` and `DB_PORT` settings are automatically retrieved using the linkage. You may still need to set other database connection parameters such as the `DB_NAME`, `DB_USER`, `DB_PASS` and so on.\n\nTo illustrate linking with a postgresql container, we will use the [sameersbn/postgresql](https://github.com/sameersbn/docker-postgresql) image. When using postgresql image in production you should mount a volume for the postgresql data store. 
Please refer the [README](https://github.com/sameersbn/docker-postgresql/blob/master/README.md) of docker-postgresql for details.\n\nFirst, let's pull the postgresql image from the docker index.\n\n```bash\ndocker pull kkimurak/sameersbn-postgresql:16\n```\n\nFor data persistence lets create a store for the postgresql and start the container.\n\nSELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.\n\n```bash\nmkdir -p /srv/docker/gitlab/postgresql\nsudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/postgresql\n```\n\nThe run command looks like this.\n\n```bash\ndocker run --name gitlab-postgresql -d \\\n    --env 'DB_NAME=gitlabhq_production' \\\n    --env 'DB_USER=gitlab' --env 'DB_PASS=password' \\\n    --env 'DB_EXTENSION=pg_trgm' \\\n    --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \\\n    kkimurak/sameersbn-postgresql:16\n```\n\nThe above command will create a database named `gitlabhq_production` and also create a user named `gitlab` with the password `password` with access to the `gitlabhq_production` database.\n\nWe are now ready to start the GitLab application.\n\n```bash\ndocker run --name gitlab -d --link gitlab-postgresql:postgresql \\\n    --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n    sameersbn/gitlab:18.9.2\n```\n\nHere the image will also automatically fetch the `DB_NAME`, `DB_USER` and `DB_PASS` variables from the postgresql container as they are specified in the `docker run` command for the postgresql container. 
This is made possible using the magic of docker links and works with the following images:\n\n- [postgres](https://hub.docker.com/_/postgres/),\n- [kkimurak/sameersbn-postgresql](https://hub.docker.com/r/kkimurak/sameersbn-postgresql), or\n- [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) .\n\n##### Upgrading PostgreSQL\n\nWhen this Gitlab image upgrades its dependency on specific version of PostgreSQL you will need to make sure to use corresponding version of PostgreSQL.\n\nIf you are setting a brand new install, there is no data migration involved. However, if you already have an existing setup, the PostgreSQL data will need to be migrated as you are upgrading the version of PostgreSQL.\n\nIf you are using PostgreSQL image other than [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) you will need make sure that the image you are using can handle migration itself, **or**, you will need to migrate the data yourself before starting newer version of PostgreSQL.\n\nFollowing project provides Docker image that handles migration of PostgreSQL data: [tianon/postgres-upgrade](https://hub.docker.com/r/tianon/postgres-upgrade/)\n\nAfter migration of the data, verify that other PostgreSQL configuration files in its data folder are copied over as well. One such file is `pg_hba.conf`, it will need to be copied from old version data folder into new version data folder.\n\n### Redis\n\nGitLab uses the redis server for its key-value data store. The redis server connection details can be specified using environment variables.\n\n#### Internal Redis Server\n\nThe internal redis server has been removed from the image. Please use a [linked redis](#linking-to-redis-container) container or specify a [external redis](#external-redis-server) connection.\n\n#### External Redis Server\n\nThe image can be configured to use an external redis server. 
The configuration should be specified using environment variables while starting the GitLab image.\n\n*Note:* The following applies assuming that the redis server host is `192.168.1.100`.\n\n```bash\ndocker run --name gitlab -it --rm \\\n    --env 'REDIS_HOST=192.168.1.100' --env 'REDIS_PORT=6379' \\\n    sameersbn/gitlab:18.9.2\n```\n\n#### Linking to Redis Container\n\nYou can link this image with a redis container to satisfy gitlab's redis requirement. The alias of the redis server container should be set to **redisio** while linking with the gitlab image.\n\nTo illustrate linking with a redis container, we will use the [redis](https://github.com/docker-library/redis) image. Please refer the [README](https://github.com/docker-library/docs/blob/master/redis/README.md) for details.\n\nFirst, let's pull the redis image from the docker index.\n\n```bash\ndocker pull redis:7\n```\n\nLets start the redis container\n\n```bash\ndocker run --name gitlab-redis -d \\\n    --volume /srv/docker/gitlab/redis:/data \\\n    redis:7\n```\n\nWe are now ready to start the GitLab application.\n\n```bash\ndocker run --name gitlab -d --link gitlab-redis:redisio \\\n    sameersbn/gitlab:18.9.2\n```\n\n#### Mail\n\nThe mail configuration should be specified using environment variables while starting the GitLab image. 
The configuration defaults to using gmail to send emails and requires the specification of a valid username and password to login to the gmail servers.\n\nIf you are using Gmail then all you need to do is:\n\n```bash\ndocker run --name gitlab -d \\\n    --env 'SMTP_USER=USER@gmail.com' --env 'SMTP_PASS=PASSWORD' \\\n    --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n    sameersbn/gitlab:18.9.2\n```\n\nPlease refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of SMTP parameters that can be specified.\n\n##### Reply by email\n\nSince version `8.0.0` GitLab adds support for commenting on issues by replying to emails.\n\nTo enable this feature you need to provide IMAP configuration parameters that will allow GitLab to connect to your mail server and read mails. Additionally, you may need to specify `GITLAB_INCOMING_EMAIL_ADDRESS` if your incoming email address is not the same as the `IMAP_USER`.\n\nIf your email provider supports email [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) then you should add the `+%{key}` placeholder after the user part of the email address, eg. `GITLAB_INCOMING_EMAIL_ADDRESS=reply+%{key}@example.com`. 
Please read the [documentation on reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) to understand the requirements for this feature.\n\nIf you are using Gmail then all you need to do is:\n\n```bash\ndocker run --name gitlab -d \\\n    --env 'IMAP_USER=USER@gmail.com' --env 'IMAP_PASS=PASSWORD' \\\n    --env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \\\n    --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n    sameersbn/gitlab:18.9.2\n```\n\nPlease refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of IMAP parameters that can be specified.\n\n#### SSL\n\nAccess to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self-signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section.\n\nJump to the [Using HTTPS with a load balancer](#using-https-with-a-load-balancer) section if you are using a load balancer such as hipache, haproxy or nginx.\n\nTo secure your application via SSL you basically need two things:\n\n- **Private key (.key)**\n- **SSL certificate (.crt)**\n\nWhen using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. 
Skip to [Strengthening the server security](#strengthening-the-server-security) section if you are armed with CA certified SSL certificates.\n\n##### Generation of a Self Signed Certificate\n\nGeneration of a self-signed SSL certificate involves a simple 3-step procedure:\n\n**STEP 1**: Create the server private key\n\n```bash\nopenssl genrsa -out gitlab.key 2048\n```\n\n**STEP 2**: Create the certificate signing request (CSR)\n\n```bash\nopenssl req -new -key gitlab.key -out gitlab.csr\n```\n\n**STEP 3**: Sign the certificate using the private key and CSR\n\n```bash\nopenssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt\n```\n\nCongratulations! You now have a self-signed SSL certificate valid for 10 years.\n\n##### Strengthening the server security\n\nThis section provides you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). To achieve this we need to generate stronger DHE parameters.\n\n```bash\nopenssl dhparam -out dhparam.pem 2048\n```\n\n##### Installation of the SSL Certificates\n\nOut of the four files generated above, we need to install the `gitlab.key`, `gitlab.crt` and `dhparam.pem` files at the gitlab server. 
The CSR file is not needed, but do make sure you safely back up the file (in case you ever need it again).\n\nThe default path where the gitlab application looks for the SSL certificates is `/home/git/data/certs`; this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options.\n\nIf you remember from above, the `/home/git/data` path is the path of the [data store](#data-store), which means that we have to create a folder named `certs/` inside the volume that `/home/git/data` points to and copy the files into it. As a measure of security we'll also update the permission on the `gitlab.key` file so that it is readable only by the owner.\n\nIn case you use docker-compose:\n\n```$>docker volume inspect```\n\nLook for \"< user >_gitlab-data\" and copy the \"certs\" directory into the \"Mountpoint\".\n\n```bash\nmkdir -p /srv/docker/gitlab/gitlab/certs\ncp gitlab.key /srv/docker/gitlab/gitlab/certs/\ncp gitlab.crt /srv/docker/gitlab/gitlab/certs/\ncp dhparam.pem /srv/docker/gitlab/gitlab/certs/\nchmod 400 /srv/docker/gitlab/gitlab/certs/gitlab.key\n```\n\nGreat! We are now just one step away from having our application secured.\n\n##### Enabling HTTPS support\n\nHTTPS support can be enabled by setting the `GITLAB_HTTPS` option to `true`. Additionally, when using self-signed SSL certificates you need to set the `SSL_SELF_SIGNED` option to `true` as well. Assuming we are using self-signed certificates:\n\n```bash\ndocker run --name gitlab -d \\\n    --publish 10022:22 --publish 10080:80 --publish 10443:443 \\\n    --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=10443' \\\n    --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \\\n    --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n    sameersbn/gitlab:18.9.2\n```\n\nIn this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. 
However, this is not optimal when using a load balancer.\n\n##### Configuring HSTS\n\nHSTS, if supported by the browser, makes sure that your users will only reach your server via HTTPS. When a user visits for the first time, the browser sees a header from the server which states for how long from now this site should only be reachable via HTTPS - that's the HSTS max-age value. HSTS therefore only protects visits made after that first HTTPS response has been received.\n\nWith `NGINX_HSTS_MAXAGE` you can configure that value. The default value is `31536000` seconds. If you want to disable an already sent HSTS MAXAGE value, set it to `0`.\n\n```bash\ndocker run --name gitlab -d \\\n --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \\\n --env 'NGINX_HSTS_MAXAGE=2592000' \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.9.2\n```\n\nIf you want to completely disable HSTS set `NGINX_HSTS_ENABLED` to `false`.\n\n##### Using HTTPS with a load balancer\n\nLoad balancers like nginx/haproxy/hipache talk to backend applications over plain http, and as such ssl keys and certificates are not required and should **NOT** be installed in the container. The SSL configuration has to instead be done at the load balancer. Since the hop between the load balancer and the container is then unencrypted, keep it on a network you trust.\n\nHowever, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true`. Additionally, you will need to set the `SSL_SELF_SIGNED` option to `true` if self-signed SSL certificates are in use.\n\nWith this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer to [Using SSL/HTTPS with HAProxy](http://seanmcgary.com/posts/using-sslhttps-with-haproxy) for information on the subject.\n\nWhen using a load balancer, you probably want to make sure the load balancer performs the automatic http to https redirection. 
Information on this can also be found in the link above.\n\nIn summation, when using a load balancer, the docker command would look for the most part something like this:\n\n```bash\ndocker run --name gitlab -d \\\n    --publish 10022:22 --publish 10080:80 \\\n    --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=443' \\\n    --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \\\n    --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n    sameersbn/gitlab:18.9.2\n```\n\nAgain, drop the `--env 'SSL_SELF_SIGNED=true'` option if you are using CA certified SSL certificates.\n\nIn case GitLab responds to any kind of POST request (login, OAUTH, changing settings etc.) with a 422 HTTP Error, consider adding this to your reverse proxy configuration:\n\n`proxy_set_header X-Forwarded-Ssl on;` (nginx format)\n\n##### Establishing trust with your server\n\nThis section deals with self-signed ssl certificates. If you are using CA certified certificates, you're done.\n\nThis section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they are.\n\nThis is simply done by adding the server's certificate into their list of trusted certificates. On ubuntu, this is done by copying the `gitlab.crt` file to `/usr/local/share/ca-certificates/` and executing `update-ca-certificates`.\n\nAgain, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. In short, distribute the `gitlab.crt` file among your developers and ask them to add it to their list of trusted ssl certificates. Hand the file out over a channel your developers already trust, because their clients will accept whichever certificate they install. Failure to do so will result in errors that look like this:\n\n```bash\ngit clone https://git.local.host/gitlab-foss.git\nfatal: unable to access 'https://git.local.host/gitlab-foss.git': server certificate verification failed. 
CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none\n```\n\nYou can do the same at the web browser. Instructions for installing the root certificate for firefox can be found [here](http://portal.threatpulse.com/docs/sol/Content/03Solutions/ManagePolicy/SSL/ssl_firefox_cert_ta.htm). You will find similar options in chrome; just make sure you install the certificate under the authorities tab of the certificate manager dialog.\n\nThere you have it, that's all there is to it.\n\n##### Installing Trusted SSL Server Certificates\n\nIf your GitLab CI server is using self-signed SSL certificates then you should make sure the GitLab CI server certificate is trusted on the GitLab server for them to be able to talk to each other.\n\nThe default path where the image looks for the trusted SSL certificates is `/home/git/data/certs/ca.crt`; this can however be changed using the `SSL_CA_CERTIFICATES_PATH` configuration option.\n\nCopy the `ca.crt` file into the certs directory on the [datastore](#data-store). The `ca.crt` file should contain the root certificates of all the servers you want to trust. With respect to GitLab CI, this will be the contents of the gitlab_ci.crt file as described in the [README](https://github.com/sameersbn/docker-gitlab-ci/blob/master/README.md#ssl) of the [docker-gitlab-ci](https://github.com/sameersbn/docker-gitlab-ci) container.\n\nBy default, our own server certificate [gitlab.crt](#generation-of-a-self-signed-certificate) is added to the trusted certificates list.\n\n#### Deploy to a subdirectory (relative url root)\n\nBy default, GitLab expects that your application is running at the root (e.g. /). This section explains how to run your application inside a directory.\n\nLet's assume we want to deploy our application to '/git'. GitLab needs to know this directory to generate the appropriate routes. 
This can be specified using the `GITLAB_RELATIVE_URL_ROOT` configuration option like so:\n\n```bash\ndocker run --name gitlab -it --rm \\\n    --env 'GITLAB_RELATIVE_URL_ROOT=/git' \\\n    --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n    sameersbn/gitlab:18.9.2\n```\n\nGitLab will now be accessible at the `/git` path, e.g. `http://www.example.com/git`.\n\n**Note**: *The `GITLAB_RELATIVE_URL_ROOT` parameter should always begin with a slash and* **SHOULD NOT** *have any trailing slashes.*\n\n#### OmniAuth Integration\n\nGitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and other popular services. Configuring OmniAuth does not prevent standard GitLab authentication or LDAP (if configured) from continuing to work. Users can choose to sign in using any of the configured mechanisms.\n\nRefer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/omniauth.html) for additional information.\n\n##### CAS3\n\nTo enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: `https://git.example.com:443/users/auth/cas3/callback?url`. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout.\n\nFor example, if your cas server url is `https://sso.example.com`, then adding `--env 'OAUTH_CAS3_SERVER=https://sso.example.com'` to the docker run command enables support for CAS3 OAuth. Please refer to [Available Configuration Parameters](#available-configuration-parameters) for additional CAS3 configuration parameters.\n\n##### Authentiq\n\nTo enable the Authentiq OmniAuth provider for passwordless authentication you must register an application with [Authentiq](https://www.authentiq.com/). 
Please refer to the GitLab [documentation](https://docs.gitlab.com/ce/administration/auth/authentiq.html) for the procedure to generate the client ID and secret key with Authentiq.\n\nOnce you have the API client id and client secret generated, configure them using the `OAUTH_AUTHENTIQ_CLIENT_ID` and `OAUTH_AUTHENTIQ_CLIENT_SECRET` environment variables respectively.\n\nFor example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_AUTHENTIQ_CLIENT_ID=xxx' --env 'OAUTH_AUTHENTIQ_CLIENT_SECRET=yyy'` to the docker run command enables support for Authentiq OAuth.\n\nYou may want to specify `OAUTH_AUTHENTIQ_REDIRECT_URI` as well. The OAuth scope can be altered as well with `OAUTH_AUTHENTIQ_SCOPE` (defaults to `'aq:name email~rs address aq:push'`).\n\n##### Google\n\nTo enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/google.html) for the procedure to generate the client ID and secret key with google.\n\nOnce you have the client ID and secret keys generated, configure them using the `OAUTH_GOOGLE_API_KEY` and `OAUTH_GOOGLE_APP_SECRET` environment variables respectively.\n\nFor example, if your client ID is `xxx.apps.googleusercontent.com` and client secret key is `yyy`, then adding `--env 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' --env 'OAUTH_GOOGLE_APP_SECRET=yyy'` to the docker run command enables support for Google OAuth.\n\nYou can also restrict logins to a single domain by adding `--env \"OAUTH_GOOGLE_RESTRICT_DOMAIN='example.com'\"`.\n\n##### Facebook\n\nTo enable the Facebook OAuth2 OmniAuth provider you must register your application with Facebook. Facebook will generate an API key and secret for you to use. 
Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/facebook.html) for the procedure to generate the API key and secret.\n\nOnce you have the API key and secret generated, configure them using the `OAUTH_FACEBOOK_API_KEY` and `OAUTH_FACEBOOK_APP_SECRET` environment variables respectively.\n\nFor example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_FACEBOOK_API_KEY=xxx' --env 'OAUTH_FACEBOOK_APP_SECRET=yyy'` to the docker run command enables support for Facebook OAuth.\n\n##### Twitter\n\nTo enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate an API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/twitter.html) for the procedure to generate the API key and secret with twitter.\n\nOnce you have the API key and secret generated, configure them using the `OAUTH_TWITTER_API_KEY` and `OAUTH_TWITTER_APP_SECRET` environment variables respectively.\n\nFor example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_TWITTER_API_KEY=xxx' --env 'OAUTH_TWITTER_APP_SECRET=yyy'` to the docker run command enables support for Twitter OAuth.\n\n##### GitHub\n\nTo enable the GitHub OAuth2 OmniAuth provider you must register your application with GitHub. GitHub will generate a Client ID and secret for you to use. 
Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/github.html) for the procedure to generate the Client ID and secret with github.\n\nOnce you have the Client ID and secret generated, configure them using the `OAUTH_GITHUB_API_KEY` and `OAUTH_GITHUB_APP_SECRET` environment variables respectively.\n\nFor example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_GITHUB_API_KEY=xxx' --env 'OAUTH_GITHUB_APP_SECRET=yyy'` to the docker run command enables support for GitHub OAuth.\n\nUsers of GitHub Enterprise may want to specify `OAUTH_GITHUB_URL` and `OAUTH_GITHUB_VERIFY_SSL` as well.\n\n##### GitLab\n\nTo enable the GitLab OAuth2 OmniAuth provider you must register your application with GitLab. GitLab will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/gitlab.html) for the procedure to generate the Client ID and secret with GitLab.\n\nOnce you have the Client ID and secret generated, configure them using the `OAUTH_GITLAB_API_KEY` and `OAUTH_GITLAB_APP_SECRET` environment variables respectively.\n\nFor example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_GITLAB_API_KEY=xxx' --env 'OAUTH_GITLAB_APP_SECRET=yyy'` to the docker run command enables support for GitLab OAuth.\n\n##### BitBucket\n\nTo enable the BitBucket OAuth2 OmniAuth provider you must register your application with BitBucket. BitBucket will generate a Client ID and secret for you to use. 
Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/bitbucket.html) for the procedure to generate the Client ID and secret with BitBucket.\n\nOnce you have the Client ID and secret generated, configure them using the `OAUTH_BITBUCKET_API_KEY` and `OAUTH_BITBUCKET_APP_SECRET` environment variables respectively.\n\nFor example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_BITBUCKET_API_KEY=xxx' --env 'OAUTH_BITBUCKET_APP_SECRET=yyy'` to the docker run command enables support for BitBucket OAuth.\n\n##### SAML\n\nGitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as Microsoft ADFS to authenticate users. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/saml.html).\n\nThe following parameters have to be configured to enable SAML OAuth support in this image: `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL`, `OAUTH_SAML_IDP_CERT_FINGERPRINT`, `OAUTH_SAML_IDP_SSO_TARGET_URL`, `OAUTH_SAML_ISSUER` and `OAUTH_SAML_NAME_IDENTIFIER_FORMAT`.\n\nYou can also override the default \"Sign in with\" button label with `OAUTH_SAML_LABEL`.\n\nPlease refer to [Available Configuration Parameters](#available-configuration-parameters) for the default configurations of these parameters.\n\n##### Crowd\n\nTo enable the Crowd server OAuth2 OmniAuth provider you must register your application with Crowd server.\n\nConfigure GitLab to enable access the Crowd server by specifying the `OAUTH_CROWD_SERVER_URL`, `OAUTH_CROWD_APP_NAME` and `OAUTH_CROWD_APP_PASSWORD` environment variables.\n\n##### Auth0\n\nTo enable the Auth0 OmniAuth provider you must register your application with [auth0](https://auth0.com/).\n\nConfigure the following environment variables `OAUTH_AUTH0_CLIENT_ID`, `OAUTH_AUTH0_CLIENT_SECRET` and `OAUTH_AUTH0_DOMAIN` to complete the integration.\n\n##### Microsoft Azure\n\nTo enable the 
Microsoft Azure OAuth2 OmniAuth provider you must register your application with Azure. Azure will generate a Client ID, Client secret and Tenant ID for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/azure.html) for the procedure.\n\nOnce you have the Client ID, Client secret and Tenant ID generated, configure them using the `OAUTH_AZURE_API_KEY`, `OAUTH_AZURE_API_SECRET` and `OAUTH_AZURE_TENANT_ID` environment variables respectively.\n\nFor example, if your Client ID is `xxx`, the Client secret is `yyy` and the Tenant ID is `zzz`, then adding `--env 'OAUTH_AZURE_API_KEY=xxx' --env 'OAUTH_AZURE_API_SECRET=yyy' --env 'OAUTH_AZURE_TENANT_ID=zzz'` to the docker run command enables support for Microsoft Azure OAuth.\n\nAlso you can configure v2 endpoint (`azure_activedirectory_v2`) by using `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID`, `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET` and `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID` environment variables. Optionally you can change label of login button using the `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL`.\n\n##### Generic OAuth2\n\nTo enable the Generic OAuth2 provider, you must register your application with your provider. 
You also need to confirm OAuth2 provider app's ID and secret, the client options and the user's response structure.\n\nAs an example this code has been tested with Keycloak, with the following variables: `OAUTH2_GENERIC_APP_ID`, `OAUTH2_GENERIC_APP_SECRET`, `OAUTH2_GENERIC_CLIENT_SITE`, `OAUTH2_GENERIC_CLIENT_USER_INFO_URL`, `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL`, `OAUTH2_GENERIC_CLIENT_TOKEN_URL`, `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT`, `OAUTH2_GENERIC_ID_PATH`, `OAUTH2_GENERIC_USER_UID`, `OAUTH2_GENERIC_USER_NAME`, `OAUTH2_GENERIC_USER_EMAIL`, `OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE`, `OAUTH2_GENERIC_LABEL` and `OAUTH2_GENERIC_NAME`.\n\nSee [GitLab documentation](https://docs.gitlab.com/ee/integration/oauth2_generic.html#sign-into-gitlab-with-almost-any-oauth2-provider) and [Omniauth-oauth2-generic documentation](https://gitlab.com/satorix/omniauth-oauth2-generic) for more details.\n\n##### OpenID Connect\n\nTo enable OpenID Connect provider, you must register your application with your provider. 
You also need to confirm OpenID Connect provider app's ID and secret, the client options and the user's response structure.\n\nTo use OIDC set at least `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID`.\n\n| GitLab setting                 | environment variable                | default value                  |\n|--------------------------------|-------------------------------------|--------------------------------|\n| `label`                        | `OAUTH_OIDC_LABEL`                  | `OpenID Connect`               |\n| `icon`                         | `OAUTH_OIDC_ICON`                   |                                |\n| `scope`                        | `OAUTH_OIDC_SCOPE`                  | `['openid','profile','email']` |\n| `response_type`                | `OAUTH_OIDC_RESPONSE_TYPE`          | `code`                         |\n| `issuer`                       | `OAUTH_OIDC_ISSUER`                 |                                |\n| `discovery`                    | `OAUTH_OIDC_DISCOVERY`              | `true`                         |\n| `client_auth_method`           | `OAUTH_OIDC_CLIENT_AUTH_METHOD`     | `basic`                        |\n| `uid_field`                    | `OAUTH_OIDC_UID_FIELD`              | `sub`                          |\n| `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` | `false`                        |\n| `pkce`                         | `OAUTH_OIDC_PKCE`                   | `true`                         |\n| `client_options.identifier`    | `OAUTH_OIDC_CLIENT_ID`              |                                |\n| `client_options.secret`        | `OAUTH_OIDC_CLIENT_SECRET`          | `secret`                       |\n| `client_options.redirect_uri`  | `OAUTH_OIDC_REDIRECT_URI`           | `http://${GITLAB_HOST}/users/auth/openid_connect/callback` or `https://${GITLAB_HOST}/users/auth/openid_connect/callback` depending on the value of `GITLAB_HTTPS` |\n\nSee [GitLab OIDC 
documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) and [OmniAuth OpenID Connect documentation](https://github.com/omniauth/omniauth_openid_connect/).\n\n##### JWT\n\nTo enable the JWT OmniAuth provider, you must register your application with JWT. JWT provides you with a secret key for you to use.\n\nTo use JWT set at least `OAUTH_JWT_SECRET` and `OAUTH_JWT_AUTH_URL`.\n\n| GitLab setting                 | environment variable                | default value                  |\n| ------------------------------ | ----------------------------------- | -------------------------------|\n| `label`                        | `OAUTH_JWT_LABEL`                   | `Jwt`                          |\n| `secret`                       | `OAUTH_JWT_SECRET`                  |                                |\n| `algorithm`                    | `OAUTH_JWT_ALGORITHM`               | `HS256`                        |\n| `uid_claim`                    | `OAUTH_JWT_UID_CLAIM`               | `email`                        |\n| `required_claims`              | `OAUTH_JWT_REQUIRED_CLAIMS`         | `[\"name\", \"email\"]`            |\n| `info_map.name`                | `OAUTH_JWT_INFO_MAP_NAME`           | `name`                         |\n| `info_map.email`               | `OAUTH_JWT_INFO_MAP_EMAIL`          | `email`                        |\n| `auth_url`                     | `OAUTH_JWT_AUTH_URL`                |                                |\n| `valid_within`                 | `OAUTH_JWT_VALID_WITHIN`            | `3600`                         |\n\n\nSee [OmniAuth JWT documentation](https://docs.gitlab.com/administration/auth/jwt/).\n\n#### Gitlab Pages\n\nGitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the environment variable `GITLAB_PAGES_ENABLED` to `true`.\n\n#### Gitlab Pages Access Control\n\nSince version `11.5.0` Gitlab pages supports access control. 
This allows access to a published website only if you are a project member, or have access to a certain project.\n\nGitlab pages access control requires additional configuration before activating it through the variable `GITLAB_PAGES_ACCESS_CONTROL`.\n\nGitLab pages access control makes use of the Gitlab OAuth Module.\n\n- Go to the Gitlab Admin area\n- Select `Applications` in the menu\n- Create `New Application`\n    - Name: `Gitlab Pages`\n    - Scopes:\n        - api\n    - Trusted: NO (Do not select)\n    - Redirect URI: `https://projects.<GITLAB_PAGES_DOMAIN>/auth`\n\nNote about the `Redirect URI`: this can be tricky to configure or figure out. What needs to be achieved is the following: the redirect URI needs to end up at the `gitlab-pages` daemon with the `/auth` endpoint.\n\nThis means that if you run your gitlab pages at domain `pages.example.io` this will be a wildcard domain where your projects are created based on their namespace. The best trick is to enter a NON-Existing gitlab project pages URI as the redirect URI.\n\nIn the example above, the pages domain `projects` has been chosen. This will cause nginx, either the built-in one or your own load balancer, to redirect `*.<GITLAB_PAGES_DOMAIN>` to the `gitlab-pages` daemon, which will trigger the pages endpoint.\n\nMake sure to choose one which does not exist and make sure that the request is routed to the `gitlab-pages` daemon if you are using your own HTTP load balancer in front of Gitlab.\n\nAfter creating the OAuth application endpoint for the Gitlab Pages Daemon, Gitlab pages access control can be enabled.\n\nAdd the following environment variables to your Gitlab Container.\n\n| Variable | R/O | Description |\n|----------|-----|-------------|\n| GITLAB_PAGES_ACCESS_CONTROL | Required | Set to `true` to enable access control. |\n| GITLAB_PAGES_ACCESS_SECRET | Optional | Secret Hash, minimum 32 characters; if omitted, it will be auto generated. 
|\n| GITLAB_PAGES_ACCESS_CONTROL_SERVER | Required | Gitlab instance URI, example: `https://gitlab.example.io` |\n| GITLAB_PAGES_ACCESS_CLIENT_ID | Required | Client ID from earlier generated OAuth application |\n| GITLAB_PAGES_ACCESS_CLIENT_SECRET | Required | Client Secret from earlier generated OAuth application |\n| GITLAB_PAGES_ACCESS_REDIRECT_URI | Required | Redirect URI, non existing pages domain to redirect to pages daemon, `https://projects.example.io` |\n\nAfter you have enabled the gitlab pages access control, when you go to a project `General Settings` -> `Permissions` you can choose the pages permission level for the project.\n\n#### External Issue Trackers\n\nSince version `7.10.0` support for external issue trackers can be enabled in the \"Service Templates\" section of the settings panel.\n\nIf you are using the [docker-redmine](https://github.com/sameersbn/docker-redmine) image, you can *one up* the gitlab integration with redmine by adding the `--volumes-from=gitlab` flag to the docker run command while starting the redmine container.\n\nBy using the above option the `/home/git/data/repositories` directory will be accessible by the redmine container and now you can add your git repository path to your redmine project. If, for example, in your gitlab server you have a project named `opensource/gitlab`, the bare repository will be accessible at `/home/git/data/repositories/opensource/gitlab.git` in the redmine container. Note that `--volumes-from` mounts every volume of the gitlab container, so the redmine container can also reach the rest of `/home/git/data` (including the `certs/` directory if you installed SSL certificates there), not just the repositories.\n\n#### Host UID / GID Mapping\n\nBy default the container is configured to run gitlab as user and group `git` with `uid` and `gid` `1000`. The host possibly uses these ids for different purposes, leading to unfavorable effects. From the host it appears as if the mounted data volumes are owned by the host's user/group `1000`.\n\nAlso the container processes seem to be executed as the host's user/group `1000`. 
The container can be configured to map the `uid` and `gid` of `git` to different ids on host by passing the environment variables `USERMAP_UID` and `USERMAP_GID`. The following command maps the ids to user and group `git` on the host.\n\n```bash\ndocker run --name gitlab -it --rm [options] \\\n    --env \"USERMAP_UID=$(id -u git)\" --env \"USERMAP_GID=$(id -g git)\" \\\n    sameersbn/gitlab:18.9.2\n```\n\nWhen changing this mapping, all files and directories in the mounted data volume `/home/git/data` have to be re-owned by the new ids. This can be achieved automatically using the following command:\n\n```bash\ndocker run --name gitlab -d [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:sanitize\n```\n\n#### Piwik\n\nIf you want to monitor your gitlab instance with [Piwik](http://piwik.org/), there are two options to setup: `PIWIK_URL` and `PIWIK_SITE_ID`.\nThese options should contain something like:\n\n- `PIWIK_URL=piwik.example.org`\n- `PIWIK_SITE_ID=42`\n\n#### Feature flags\n\nIn this section, we talk about feature flags that administrators can change the state (See <https://docs.gitlab.com/ee/administration/feature_flags.html>). If you are looking for documentation for \"Feature flags\" that configured on project deploy settings, see <https://docs.gitlab.com/ee/operations/feature_flags.html>\n\nGitLab adopted feature flags strategies to deploy features in an early stage of development so that they can be incrementally rolled out. 
GitLab administrators with access to the [Rails console](https://docs.gitlab.com/ee/administration/feature_flags.html#how-to-enable-and-disable-features-behind-flags) or the [Feature flags API](https://docs.gitlab.com/ee/api/features.html) can control them (note that `sameersbn/gitlab` is a container image that provides GitLab installations from the source).\nYou can see all feature flags in GitLab at corresponding version of documentation: <https://docs.gitlab.com/ee/user/feature_flags.html>\n\nFor `sameersbn/gitlab`, you can control them via environment parameter [`GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`](#gitlab_feature_flags_disable_targets) and [`GITLAB_FEATURE_FLAGS_ENABLE_TARGETS`](#gitlab_feature_flags_enable_targets) in addition to the above methods.\nThis image searches yml files in [`${GITLAB_INSTALL_DIR}/config/feature_flags`](https://gitlab.com/gitlab-org/gitlab-foss/-/tree/master/config/feature_flags) (typically `/home/git/gitlab/config/feature_flags/`) recursively and use the file list as a source of active feature flags.\n\nHere is a part of example `docker-compose.yml`:\n\n````yml\nservices:\n  gitlab:\n    image: sameersbn/gitlab:latest\n    environment:\n    - GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=auto_devops_banner_disabled,ci_enable_live_trace\n    - GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=git_push_create_all_pipelines,build_service_proxy\n````\n\nOnce the container up, you can see following messages in container log like below.\n\n````sh\n...\nConfiguring gitlab::feature_flags...\n- specified feature flags: {:to_be_disabled=>[\"auto_devops_banner_disabled\", \"ci_enable_live_trace\"], :to_be_enabled=>[\"git_push_create_all_pipelines\", \"build_service_proxy\"]}\n- auto_devops_banner_disabled : off\n- ci_enable_live_trace : off\n- git_push_create_all_pipelines : on\n- build_service_proxy : on\n...\n````\n\nIf specified flag names are not included in the list, they will be ignored and appears to container log like below:\n\n````sh\n...\nConfiguring 
gitlab::feature_flags...\n- specified feature flags: {:to_be_disabled=>[\"auto_devops_banner_disabled\", \"invalid_flag_name\"], :to_be_enabled=>[\"git_push_create_all_pipelines\", \"another_invalid_flag_name\"]}\n- Following flags are probably invalid and have been ignored: invalid_flag_name,another_invalid_flag_name\n- auto_devops_banner_disabled : off\n- git_push_create_all_pipelines : on\n...\n````\n\n#### Available Configuration Parameters\n\n*Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)*\n\nBelow is the complete list of available options that can be used to customize your gitlab installation.\n\n##### `DEBUG`\n\nSet this to `true` to enable entrypoint debugging.\n\n##### `TZ`\n\nSet the container timezone. Defaults to `UTC`. Values are expected to be in Canonical format. Example: `Europe/Amsterdam`  See the list of [acceptable values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For configuring the timezone of gitlab see variable `GITLAB_TIMEZONE`.\n\n##### `GITLAB_HOST`\n\nThe hostname of the GitLab server. Defaults to `localhost`\n\n##### `GITLAB_CI_HOST`\n\nIf you are migrating from GitLab CI use this parameter to configure the redirection to the GitLab service so that your existing runners continue to work without any changes. No defaults.\n\n##### `GITLAB_PORT`\n\nThe port of the GitLab server. This value indicates the public port on which the GitLab application will be accessible on the network and appropriately configures GitLab to generate the correct urls. It does not affect the port on which the internal nginx server will be listening on. 
Defaults to `443` if `GITLAB_HTTPS=true`, else defaults to `80`.\n\n##### `GITLAB_SECRETS_DB_KEY_BASE`\n\nEncryption key for GitLab CI secret variables, as well as import credentials, in the database. Ensure that your key is at least 32 characters long and that you don't lose it. You can generate one using `pwgen -Bsv1 64`. If you are migrating from GitLab CI, you need to set this value to the value of `GITLAB_CI_SECRETS_DB_KEY_BASE`. No defaults.\n\n##### `GITLAB_SECRETS_SECRET_KEY_BASE`\n\nEncryption key for session secrets. Ensure that your key is at least 64 characters long and that you don't lose it. This secret can be rotated with minimal impact - the main effect is that previously-sent password reset emails will no longer work. You can generate one using `pwgen -Bsv1 64`. No defaults.\n\n##### `GITLAB_SECRETS_OTP_KEY_BASE`\n\n Encryption key for OTP related stuff with  GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults.\n\n##### `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`\n\n Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on** You can generate one using `pwgen -Bsv1 64`. No defaults.\n\n##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`\n\nThe base key used to encrypt data for non-deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_primary_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `[\"first_primary_key\",\"second_primary_key\"]`. 
In `docker-compose.yml`, the value must NOT have additional quotes! **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.\n\n##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`\n\nThe base key used to encrypt data for deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_deterministic_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `[\"first_deterministic_key\",\"second_deterministic_key\"]`. In `docker-compose.yml`, the value must NOT have additional quotes! **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.\n\n##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`\n\nThe salt used to encrypt data for `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_key_derivation_salt` in `config/secrets.yml`. Ensure that your salt is an alphanumeric string. Preferred to be 32 characters long. **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.\n\n##### `GITLAB_TIMEZONE`\n\nConfigure the timezone for the gitlab application. This configuration does not affect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For setting the container timezone which will affect cron, see variable `TZ`\n\n##### `GITLAB_ROOT_PASSWORD`\n\nThe password for the root user on firstrun. Defaults to `5iveL!fe`. GitLab requires this to be at least **8 characters long**. This default is publicly documented, so set your own value before the first run of any instance that others can reach.\n\n##### `GITLAB_ROOT_EMAIL`\n\nThe email for the root user on firstrun. 
Defaults to `admin@example.com`\n\n##### `GITLAB_EMAIL`\n\nThe email address for the GitLab server. Defaults to value of `SMTP_USER`, else defaults to `example@example.com`.\n\n##### `GITLAB_EMAIL_DISPLAY_NAME`\n\nThe name displayed in emails sent out by the GitLab mailer. Defaults to `GitLab`.\n\n##### `GITLAB_EMAIL_REPLY_TO`\n\nThe reply-to address of emails sent out by GitLab. Defaults to value of `GITLAB_EMAIL`, else defaults to `noreply@example.com`.\n\n##### `GITLAB_EMAIL_SUBJECT_SUFFIX`\n\nThe e-mail subject suffix used in e-mails sent by GitLab. No defaults.\n\n##### `GITLAB_EMAIL_ENABLED`\n\nEnable or disable gitlab mailer. Defaults to the `SMTP_ENABLED` configuration.\n\n##### `GITLAB_EMAIL_SMIME_ENABLE`\n\nEnable or disable email S/MIME signing. Defaults is `false`.\n\n##### `GITLAB_EMAIL_SMIME_KEY_FILE`\n\nSpecifies the path to a S/MIME private key file in PEM format, unencrypted. Defaults to ``.\n\n##### `GITLAB_EMAIL_SMIME_CERT_FILE`\n\nSpecifies the path to a S/MIME public certificate key in PEM format. Defaults to ``.\n\n##### `GITLAB_DEFAULT_THEME`\n\nDefault theme ID, by default 2. (1 - Indigo, 2 - Dark, 3 - Light, 4 - Blue, 5 - Green, 6 - Light Indigo, 7 - Light Blue, 8 - Light Green, 9 - Red, 10 - Light Red)\n\n##### `GITLAB_ISSUE_CLOSING_PATTERN`\n\nIssue closing pattern regex. See [GitLab's documentation](https://docs.gitlab.com/ee/administration/issue_closing_pattern.html) for more detail. Defaults to ` \\b((?:[Cc]los(?:e[sd]?|ing)|\\b[Ff]ix(?:e[sd]|ing)?|\\b[Rr]esolv(?:e[sd]?|ing)|\\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\\d+))+) ` .\n\n##### `GITLAB_INCOMING_EMAIL_ADDRESS`\n\nThe incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. 
Please read the [reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) documentation to currently set this parameter.\n\n##### `GITLAB_INCOMING_EMAIL_ENABLED`\n\nEnable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`.\n\n##### `GITLAB_SIGNUP_ENABLED`\n\nEnable or disable user signups (first run only). Default is `true`.\n\n##### `GITLAB_IMPERSONATION_ENABLED`\n\nEnable or disable impersonation. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_LIMIT`\n\nSet default projects limit. Defaults to `100`.\n\n##### `GITLAB_USERNAME_CHANGE`\n\nEnable or disable ability for users to change their username. Defaults to `true`.\n\n##### `GITLAB_CREATE_GROUP`\n\nEnable or disable ability for users to create groups. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_ISSUES`\n\nSet if *issues* feature should be enabled by default for new projects. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_MERGE_REQUESTS`\n\nSet if *merge requests* feature should be enabled by default for new projects. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_WIKI`\n\nSet if *wiki* feature should be enabled by default for new projects. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_SNIPPETS`\n\nSet if *snippets* feature should be enabled by default for new projects. Defaults to `false`.\n\n##### `GITLAB_PROJECTS_BUILDS`\n\nSet if *builds* feature should be enabled by default for new projects. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_CONTAINER_REGISTRY`\n\nSet if *container_registry* feature should be enabled by default for new projects. Defaults to `true`.\n\n##### `GITLAB_SHELL_CUSTOM_HOOKS_DIR`\n\nGlobal custom hooks directory. Defaults to `/home/git/gitlab-shell/hooks`.\n\n##### `GITLAB_WEBHOOK_TIMEOUT`\n\nSets the timeout for webhooks. Defaults to `10` seconds.\n\n##### `GITLAB_NOTIFY_ON_BROKEN_BUILDS`\n\nEnable or disable broken build notification emails. 
Defaults to `true`\n\n##### `GITLAB_NOTIFY_PUSHER`\n\nAdd pusher to recipients list of broken build notification emails. Defaults to `false`\n\n##### `GITLAB_REPOS_DIR`\n\nThe git repositories folder in the container. Defaults to `/home/git/data/repositories`\n\n##### `GITLAB_BACKUP_DIR`\n\nThe backup folder in the container. Defaults to `/home/git/data/backups`\n\n##### `GITLAB_BACKUP_DIR_CHOWN`\n\nOptionally change ownership of backup files on start-up. Defaults to `true`\n\n##### `GITLAB_BACKUP_DIR_GROUP`\n\nOptionally group backups into a subfolder. Can also be used to place backups into a subfolder on remote storage. Not used by default.\n\n##### `GITLAB_BUILDS_DIR`\n\nThe build traces directory. Defaults to `/home/git/data/builds`\n\n##### `GITLAB_DOWNLOADS_DIR`\n\nThe repository downloads directory. A temporary zip is created in this directory when users click **Download Zip** on a project. Defaults to `/home/git/data/tmp/downloads`.\n\n##### `GITLAB_SHARED_DIR`\n\nThe directory to store the build artifacts. Defaults to `/home/git/data/shared`\n\n##### `GITLAB_ARTIFACTS_ENABLED`\n\nEnable/Disable GitLab artifacts support. Defaults to `true`.\n\n##### `GITLAB_ARTIFACTS_DIR`\n\nDirectory to store the artifacts. Defaults to `$GITLAB_SHARED_DIR/artifacts`\n\n##### `AWS_ACCESS_KEY_ID`\n\nDefault AWS access key ID to be used for object store. Defaults to `AWS_ACCESS_KEY_ID`\n\n##### `AWS_SECRET_ACCESS_KEY`\n\nDefault AWS secret access key to be used for object store. Defaults to `AWS_SECRET_ACCESS_KEY`\n\n##### `AWS_REGION`\n\nAWS Region. Defaults to `us-east-1`\n\n##### `AWS_HOST`\n\nConfigure this for an AWS-compatible host like minio. Defaults to `$AWS_HOST`. Defaults to `s3.amazon.com`\n\n##### `AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `nil`\n\n##### `AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. 
Defaults to `true`\n\n##### `AWS_SIGNATURE_VERSION`\n\nAWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `4`\n\n##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nDefault Google project to use for Object Store.\n\n##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nDefault Google service account email to use for Object Store.\n\n##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file Defaults to `/gcs/key.json`\n\n##### `GITLAB_OBJECT_STORE_CONNECTION_PROVIDER`\n\nDefault object store connection provider. Defaults to `AWS`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED`\n\nEnables Object Store for Artifacts that will be remote stored. Defaults to `false`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY`\n\nBucket name to store the artifacts. Defaults to `artifacts`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD`\n\nSet to true to enable direct upload of Artifacts without the need of local shared storage.  Defaults to `false`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD`\n\nTemporary option to limit automatic upload. Defaults to `false`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD`\n\nPassthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER`\n\nConnection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n\nAWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n\nAWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION`\n\nAWS Region. 
Defaults to `$AWS_REGION`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION`\n\nAWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `$AWS_SIGNATURE_VERSION`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nGoogle project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nGoogle service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)\n\n##### `GITLAB_PIPELINE_SCHEDULE_WORKER_CRON`\n\nCron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'`\n\n##### `GITLAB_LFS_ENABLED`\n\nEnable/Disable Git LFS support. Defaults to `true`.\n\n##### `GITLAB_LFS_OBJECTS_DIR`\n\nDirectory to store the lfs-objects. Defaults to `$GITLAB_SHARED_DIR/lfs-objects`\n\n##### `GITLAB_LFS_OBJECT_STORE_ENABLED`\n\nEnables Object Store for LFS that will be remote stored. Defaults to `false`\n\n##### `GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY`\n\nBucket name to store the LFS. Defaults to `lfs-object`\n\n##### `GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD`\n\nTemporary option to limit automatic upload. 
Defaults to `false`\n\n##### `GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD`\n\nPassthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER`\n\nConnection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n\nAWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n\nAWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION`\n\nAWS Region. Defaults to `$AWS_REGION`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION`\n\nAWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `$AWS_SIGNATURE_VERSION`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nGoogle project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nGoogle service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)\n\n##### `GITLAB_PACKAGES_ENABLED`\n\nEnable/Disable Packages support. 
Defaults to `true`.\n\n##### `GITLAB_PACKAGES_DIR`\n\nDirectory to store the packages data. Defaults to `$GITLAB_SHARED_DIR/packages`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_ENABLED`\n\nEnables Object Store for Packages that will be remote stored. Defaults to `false`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY`\n\nBucket name to store the packages. Defaults to `packages`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD`\n\nSet to true to enable direct upload of Packages without the need of local shared storage.  Defaults to `false`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD`\n\nTemporary option to limit automatic upload. Defaults to `false`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD`\n\nPassthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER`\n\nConnection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n\nAWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n\nAWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION`\n\nAWS Region. Defaults to `$AWS_REGION`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nGoogle project. 
Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nGoogle service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)\n\n##### `GITLAB_TERRAFORM_STATE_ENABLED`\n\nEnable/Disable Terraform State support. Defaults to `true`.\n\n##### `GITLAB_TERRAFORM_STATE_STORAGE_PATH`\n\nDirectory to store the terraform state data. Defaults to `$GITLAB_SHARED_DIR/terraform_state`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED`\n\nEnables Object Store for Terraform state that will be remote stored. Defaults to `false`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY`\n\nBucket name to store the Terraform state. Defaults to `terraform_state`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER`\n\nConnection Provider for the Object Store (AWS or Google). Defaults to $GITLAB_OBJECT_STORE_CONNECTION_PROVIDER (i.e. AWS).\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n\nAWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n\nAWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION`\n\nAWS Region. Defaults to `$AWS_REGION`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. 
Defaults to `$AWS_ENDPOINT`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nGoogle project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nGoogle service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)\n\n##### `GITLAB_UPLOADS_STORAGE_PATH`\n\nThe location where uploads objects are stored. Defaults to `$GITLAB_SHARED_DIR/public`.\n\n##### `GITLAB_UPLOADS_BASE_DIR`\n\nMapping for the `GITLAB_UPLOADS_STORAGE_PATH`. Defaults to `uploads/-/system`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_ENABLED`\n\nEnables Object Store for UPLOADS that will be remote stored. Defaults to `false`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY`\n\nBucket name to store the UPLOADS. Defaults to `uploads`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD`\n\nTemporary option to limit automatic upload. Defaults to `false`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD`\n\nPassthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER`\n\nConnection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n\nAWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n\nAWS Secret Access Key. 
Defaults to `AWS_SECRET_ACCESS_KEY`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION`\n\nAWS Region. Defaults to `$AWS_REGION`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nGoogle project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nGoogle service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)\n\n##### `GITLAB_MATTERMOST_ENABLED`\n\nEnable/Disable GitLab Mattermost for *Add Mattermost button*. Defaults to `false`.\n\n##### `GITLAB_MATTERMOST_URL`\n\nSets Mattermost URL. Defaults to `https://mattermost.example.com`.\n\n##### `GITLAB_BACKUP_SCHEDULE`\n\nSetup cron job to automatic backups. Possible values `disable`, `daily`, `weekly` or `monthly`. Disabled by default\n\n##### `GITLAB_BACKUP_EXPIRY`\n\nConfigure how long (in seconds) to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds).\n\n##### `GITLAB_BACKUP_PG_SCHEMA`\n\nSpecify the PostgreSQL schema for the backups. No defaults, which means that all schemas will be backed up. see #524\n\n##### `GITLAB_BACKUP_ARCHIVE_PERMISSIONS`\n\nSets the permissions of the backup archives. Defaults to `0600`. 
[See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#backup-archive-permissions)\n\n##### `GITLAB_BACKUP_TIME`\n\nSet a time for the automatic backups in `HH:MM` format. Defaults to `04:00`.\n\n##### `GITLAB_BACKUP_SKIP`\n\nSpecified sections are skipped by the backups. Defaults to empty. Example: `lfs,uploads`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#create-a-backup-of-the-gitlab-system)\n\n##### `GITLAB_SSH_HOST`\n\nThe ssh host. Defaults to **GITLAB_HOST**.\n\n##### `GITLAB_SSH_LISTEN_PORT`\n\nThe ssh port for SSHD to listen on. Defaults to `22`\n\n##### `GITLAB_SSH_MAXSTARTUPS`\n\nThe ssh \"MaxStartups\" parameter, defaults to `10:30:60`.\n\n##### `GITLAB_SSH_PORT`\n\nThe ssh port number. Defaults to `$GITLAB_SSH_LISTEN_PORT`.\n\n##### `GITLAB_RELATIVE_URL_ROOT`\n\nThe relative url of the GitLab server, e.g. `/git`. No default.\n\n##### `GITLAB_TRUSTED_PROXIES`\n\nAdd the IP address of your reverse proxy to the trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults.\n\n##### `GITLAB_REGISTRY_ENABLED`\n\nEnables the GitLab Container Registry. Defaults to `false`.\n\n##### `GITLAB_REGISTRY_HOST`\n\nSets the GitLab Registry Host. Defaults to `registry.example.com`\n\n##### `GITLAB_REGISTRY_PORT`\n\nSets the GitLab Registry Port. Defaults to `443`.\n\n##### `GITLAB_REGISTRY_API_URL`\n\nSets the GitLab Registry API URL. Defaults to `http://localhost:5000`\n\n##### `GITLAB_REGISTRY_KEY_PATH`\n\nSets the GitLab Registry Key Path. Defaults to `config/registry.key`\n\n##### `GITLAB_REGISTRY_DIR`\n\nDirectory to store the container images; it will be shared with the registry. Defaults to `$GITLAB_SHARED_DIR/registry`\n\n##### `GITLAB_REGISTRY_ISSUER`\n\nSets the GitLab Registry Issuer. Defaults to `gitlab-issuer`.\n\n##### `GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES`\n\nSet to `true` to generate SSL internal Registry keys. Used to communicate between a Docker Registry and GitLab. 
It will generate a self-signed certificate key at the location given by `$GITLAB_REGISTRY_KEY_PATH`, e.g. `/certs/registry.key`. And will generate the certificate file at the same location, with the same name, but changing the extension from `key` to `crt`, e.g. `/certs/registry.crt`\n\n##### `GITLAB_PAGES_ENABLED`\n\nEnables the GitLab Pages. Defaults to `false`.\n\n##### `GITLAB_PAGES_DOMAIN`\n\nSets the GitLab Pages Domain. Defaults to `example.com`\n\n##### `GITLAB_PAGES_DIR`\n\nSets GitLab Pages directory where all pages will be stored. Defaults to `$GITLAB_SHARED_DIR/pages`\n\n##### `GITLAB_PAGES_PORT`\n\nSets GitLab Pages Port that will be used in NGINX. Defaults to `80`\n\n##### `GITLAB_PAGES_HTTPS`\n\nSets GitLab Pages to HTTPS and the gitlab-pages-ssl config will be used. Defaults to `false`\n\n##### `GITLAB_PAGES_ARTIFACTS_SERVER`\n\nSet to `true` to enable pages artifacts server, enabled by default.\n\n##### `GITLAB_PAGES_ARTIFACTS_SERVER_URL`\n\nIf `GITLAB_PAGES_ARTIFACTS_SERVER` is enabled, set to API endpoint for GitLab Pages (e.g. `https://example.com/api/v4`). No default.\n\n##### `GITLAB_PAGES_EXTERNAL_HTTP`\n\nSets GitLab Pages external http to receive request on an independent port. Disabled by default\n\n##### `GITLAB_PAGES_EXTERNAL_HTTPS`\n\nSets GitLab Pages external https to receive request on an independent port. Disabled by default\n\n##### `GITLAB_PAGES_ACCESS_CONTROL`\n\nSet to `true` to enable access control for pages. Allows access to a Pages site to be controlled based on a user’s membership to that project. Disabled by default.\n\n##### `GITLAB_PAGES_NGINX_PROXY`\n\nDisable the nginx proxy for gitlab pages, defaults to `true`. 
When set to `false` this will turn off the nginx proxy to the gitlab pages daemon, used when the user provides their own http load balancer in combination with a gitlab pages custom domain setup.\n\n##### `GITLAB_PAGES_ACCESS_SECRET`\n\nSecret Hash, minimal 32 characters, if omitted, it will be auto generated.\n\n##### `GITLAB_PAGES_ACCESS_CONTROL_SERVER`\n\nGitlab instance URI, example: `https://gitlab.example.io`\n\n##### `GITLAB_PAGES_ACCESS_CLIENT_ID`\n\nClient ID from earlier generated OAuth application\n\n##### `GITLAB_PAGES_ACCESS_CLIENT_SECRET`\n\nClient Secret from earlier generated OAuth application\n\n##### `GITLAB_PAGES_ACCESS_REDIRECT_URI`\n\nRedirect URI, non existing pages domain to redirect to pages daemon, `https://projects.example.io/auth`\n\n##### `GITLAB_PAGES_NAMESPACE_IN_PATH`\n\nEnable namespace-in-path option for gitlab pages, defaults to `false`.\n\n##### `GITLAB_PAGES_LOG_VERBOSE`\n\nEnable verbose logging for gitlab pages, defaults to `false`.\n\n##### `GITLAB_HTTPS`\n\nSet to `true` to enable https support, disabled by default.\n\n##### `GITALY_CLIENT_PATH`\n\nSet default path for gitaly. defaults to `/home/git/gitaly`\n\n##### `GITALY_TOKEN`\n\nSet a gitaly token, blank by default.\n\n##### `GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL`\n\nTime between sampling of unicorn socket metrics, in seconds, defaults to `10`\n\n##### `GITLAB_MONITORING_IP_WHITELIST`\n\nIP whitelist to access monitoring endpoints. 
No defaults.\n\n##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED`\n\nSet to `true` to enable the sidekiq exporter, enabled by default.\n\n##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS`\n\nSidekiq exporter address, defaults to `0.0.0.0`\n\n##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT`\n\nSidekiq exporter port, defaults to `3807`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_ENABLED`\n\nSet to `true` to enable [Content Security Policy](https://guides.rubyonrails.org/security.html#content-security-policy), enabled by default.\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY`\n\nSet to `true` to set `Content-Security-Policy-Report-Only` header, disabled by default\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI`\n\nThe value of the `base-uri` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC`\n\nThe value of the `child-src` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC`\n\nThe value of the `connect-src` directive in the `Content-Security-Policy` header. Default to `'self' http://localhost:* ws://localhost:* wss://localhost:*`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC`\n\nThe value of the `default-src` directive in the `Content-Security-Policy` header. Default to `'self'`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC`\n\nThe value of the `font-src` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION`\n\nThe value of the `form-action` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS`\n\nThe value of the `frame-ancestors` directive in the `Content-Security-Policy` header. Default to `'self'`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC`\n\nThe value of the `frame-src` directive in the `Content-Security-Policy` header. 
Default to `'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC`\n\nThe value of the `img-src` directive in the `Content-Security-Policy` header. Default to `* data: blob:`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC`\n\nThe value of the `manifest-src` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC`\n\nThe value of the `media-src` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC`\n\nThe value of the `object-src` directive in the `Content-Security-Policy` header. Default to `'none'`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC`\n\nThe value of the `script-src` directive in the `Content-Security-Policy` header. Default to `'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC`\n\nThe value of the `style-src` directive in the `Content-Security-Policy` header. Default to `'self' 'unsafe-inline'`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC`\n\nThe value of the `worker-src` directive in the `Content-Security-Policy` header. Default to `'self' blob:`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI`\n\nThe value of the `report-uri` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`\n\nComma separated list of feature flag names to be disabled. 
No whitespace is allowed.\nYou can see all feature flags in the GitLab documentation for the corresponding version: <https://docs.gitlab.com/ee/user/feature_flags.html>\nEach feature flag name and its state will appear in the container log. Note that some feature flags are implicitly enabled or disabled by GitLab itself, and these do not appear in the container log.\nNo defaults.\n\n##### `GITLAB_FEATURE_FLAGS_ENABLE_TARGETS`\n\nThis parameter is the same as [`GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`](#gitlab_feature_flags_disable_targets), except its purpose is to enable the feature flag. No defaults.\n\n##### `SSL_SELF_SIGNED`\n\nSet to `true` when using self-signed ssl certificates. `false` by default.\n\n##### `SSL_CERTIFICATE_PATH`\n\nLocation of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt`\n\n##### `SSL_KEY_PATH`\n\nLocation of the ssl private key. Defaults to `/home/git/data/certs/gitlab.key`\n\n##### `SSL_DHPARAM_PATH`\n\nLocation of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem`\n\n##### `SSL_VERIFY_CLIENT`\n\nEnable verification of client certificates using the `SSL_CA_CERTIFICATES_PATH` file or setting this variable to `on`. Defaults to `off`\n\n##### `SSL_CA_CERTIFICATES_PATH`\n\nList of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`.\n\n##### `SSL_REGISTRY_KEY_PATH`\n\nLocation of the ssl private key for gitlab container registry. Defaults to `/home/git/data/certs/registry.key`\n\n##### `SSL_REGISTRY_CERT_PATH`\n\nLocation of the ssl certificate for the gitlab container registry. Defaults to `/home/git/data/certs/registry.crt`\n\n##### `SSL_PAGES_KEY_PATH`\n\nLocation of the ssl private key for gitlab pages. Defaults to `/home/git/data/certs/pages.key`\n\n##### `SSL_PAGES_CERT_PATH`\n\nLocation of the ssl certificate for the gitlab pages. 
Defaults to `/home/git/data/certs/pages.crt`\n\n##### `SSL_CIPHERS`\n\nList of supported SSL ciphers: Defaults to `ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4` The default list still contains the 3DES suites `ECDHE-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA`; drop them if none of your clients need them.\n\n##### `SSL_PROTOCOLS`\n\nList of supported SSL protocols: Defaults to `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` TLSv1 and TLSv1.1 are deprecated (RFC 8996); set this to `TLSv1.2 TLSv1.3` unless you have to support legacy clients.\n\n##### `SSL_PAGES_CIPHERS`\n\nList of supported SSL ciphers for the gitlab pages: Defaults to `SSL_CIPHERS`\n\n##### `SSL_PAGES_PROTOCOLS`\n\nList of supported SSL protocols for the gitlab pages: Defaults to `SSL_PROTOCOLS`\n\n##### `SSL_REGISTRY_CIPHERS`\n\nList of supported SSL ciphers for gitlab container registry: Defaults to `SSL_CIPHERS`\n\n##### `SSL_REGISTRY_PROTOCOLS`\n\nList of supported SSL protocols for gitlab container registry: Defaults to `SSL_PROTOCOLS`\n\n##### `NGINX_WORKERS`\n\nThe number of nginx workers to start. Defaults to `1`.\n\n##### `NGINX_SERVER_NAMES_HASH_BUCKET_SIZE`\n\nSets the bucket size for the server names hash tables. This is needed when you have long server_names or you get an error message from nginx like *nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size:..*. It should only be incremented by a power of 2. Defaults to `32`.\n\n##### `NGINX_HSTS_ENABLED`\n\nAdvanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario.\n\n##### `NGINX_HSTS_MAXAGE`\n\nAdvanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.\n\n##### `NGINX_PROXY_BUFFERING`\n\nEnable `proxy_buffering`. 
Defaults to `off`.\n\n##### `NGINX_ACCEL_BUFFERING`\n\nEnable `X-Accel-Buffering` header. Defaults to `no`\n\n##### `NGINX_X_FORWARDED_PROTO`\n\nAdvanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`.\n\n##### `NGINX_REAL_IP_RECURSIVE`\n\nSet to `on` if the docker container runs behind a reverse proxy and you do not want the IP address of the proxy to show up as the client address. `off` by default.\n\n##### `NGINX_REAL_IP_TRUSTED_ADDRESSES`\n\nYou can have NGINX look for a different address to use by adding your reverse proxy to the `NGINX_REAL_IP_TRUSTED_ADDRESSES`. List only a proxy you control, because NGINX takes the client address from the forwarding header sent by that address. Currently only a single entry is permitted. No defaults.\n\n##### `NGINX_CUSTOM_GITLAB_SERVER_CONFIG`\n\nAdvanced configuration option. You can add custom configuration for nginx as you like (e.g. custom location proxy). This is similar to setting `nginx['custom_gitlab_server_config']` to `gitlab.rb` for gitlab-omnibus. No defaults.\n\n##### `REDIS_HOST`\n\nThe hostname of the redis server. Defaults to `localhost`\n\n##### `REDIS_PORT`\n\nThe connection port of the redis server. Defaults to `6379`.\n\n##### `REDIS_DB_NUMBER`\n\nThe redis database number. Defaults to '0'.\n\n##### `PUMA_WORKERS`\n\nThe number of puma workers to start. Defaults to `3`.\n\n##### `PUMA_TIMEOUT`\n\nSets the timeout of puma worker processes. Defaults to `60` seconds.\n\n##### `PUMA_THREADS_MIN`\n\nThe number of puma minimum threads. Defaults to `1`.\n\n##### `PUMA_THREADS_MAX`\n\nThe number of puma maximum threads. Defaults to `16`.\n\n##### `PUMA_PER_WORKER_MAX_MEMORY_MB`\n\nMaximum memory size of per puma worker process. Defaults to `1024`.\n\n##### `PUMA_MASTER_MAX_MEMORY_MB`\n\nMaximum memory size of puma master process. Defaults to `800`.\n\n##### `SIDEKIQ_CONCURRENCY`\n\nThe number of concurrent sidekiq jobs to run. 
Defaults to `25`\n\n##### `SIDEKIQ_SHUTDOWN_TIMEOUT`\n\nTimeout for sidekiq shutdown. Defaults to `4`\n\n##### `SIDEKIQ_MEMORY_KILLER_MAX_RSS`\n\nNon-zero value enables the SidekiqMemoryKiller. Defaults to `2000000`. For additional options refer [Configuring the MemoryKiller](http://doc.gitlab.com/ce/operations/sidekiq_memory_killer.html)\n\n##### `GITLAB_SIDEKIQ_LOG_FORMAT`\n\nSidekiq log format that will be used. Defaults to `json`\n\n##### `DB_ADAPTER`\n\nThe database type. Currently only postgresql is supported. Possible values: `postgresql`. Defaults to `postgresql`.\n\n##### `DB_ENCODING`\n\nThe database encoding. For `DB_ADAPTER` values `postgresql` this parameter defaults and `utf8` respectively.\n\n##### `DB_HOST`\n\nThe database server hostname. Defaults to `localhost`.\n\n##### `DB_PORT`\n\nThe database server port. Defaults to `5432` for postgresql.\n\n##### `DB_NAME`\n\nThe database database name. Defaults to `gitlabhq_production`\n\n##### `DB_USER`\n\nThe database database user. Defaults to `root`\n\n##### `DB_PASS`\n\nThe database database password. Defaults to no password\n\n##### `DB_POOL`\n\nThe database database connection pool count. Defaults to `10`.\n\n##### `DB_PREPARED_STATEMENTS`\n\nWhether to use database prepared statements. No defaults. But set to `false` if you want to use with [PgBouncer](https://pgbouncer.github.io/)\n\n##### `SMTP_ENABLED`\n\nEnable mail delivery via SMTP. Defaults to `true` if `SMTP_USER` is defined, else defaults to `false`.\n\n##### `SMTP_DOMAIN`\n\nSMTP domain. Defaults to `www.gmail.com`\n\n##### `SMTP_HOST`\n\nSMTP server host. Defaults to `smtp.gmail.com`.\n\n##### `SMTP_PORT`\n\nSMTP server port. Defaults to `587`.\n\n##### `SMTP_USER`\n\nSMTP username.\n\n##### `SMTP_PASS`\n\nSMTP password.\n\n##### `SMTP_STARTTLS`\n\nEnable STARTTLS. Defaults to `true`.\n\n##### `SMTP_TLS`\n\nEnable SSL/TLS. Defaults to `false`.\n\n##### `SMTP_OPENSSL_VERIFY_MODE`\n\nSMTP openssl verification mode. 
Accepted values are `none`, `peer`, `client_once` and `fail_if_no_peer_cert`. Defaults to `none`. With `none` the SMTP server's certificate is not verified; use `peer` to verify it.\n\n##### `SMTP_AUTHENTICATION`\n\nSpecify the SMTP authentication method. Defaults to `login` if `SMTP_USER` is set.\n\n##### `SMTP_CA_ENABLED`\n\nEnable custom CA certificates for SMTP email configuration. Defaults to `false`.\n\n##### `SMTP_CA_PATH`\n\nSpecify the `ca_path` parameter for SMTP email configuration. Defaults to `/home/git/data/certs`.\n\n##### `SMTP_CA_FILE`\n\nSpecify the `ca_file` parameter for SMTP email configuration. Defaults to `/home/git/data/certs/ca.crt`.\n\n##### `IMAP_ENABLED`\n\nEnable mail delivery via IMAP. Defaults to `true` if `IMAP_USER` is defined, else defaults to `false`.\n\n##### `IMAP_HOST`\n\nIMAP server host. Defaults to `imap.gmail.com`.\n\n##### `IMAP_PORT`\n\nIMAP server port. Defaults to `993`.\n\n##### `IMAP_USER`\n\nIMAP username.\n\n##### `IMAP_PASS`\n\nIMAP password.\n\n##### `IMAP_SSL`\n\nEnable SSL. Defaults to `true`.\n\n##### `IMAP_STARTTLS`\n\nEnable STARTTLS. Defaults to `false`.\n\n##### `IMAP_MAILBOX`\n\nThe name of the mailbox where incoming mail will end up. Defaults to `inbox`.\n\n##### `LDAP_ENABLED`\n\nEnable LDAP. Defaults to `false`\n\n##### `LDAP_LABEL`\n\nLabel to show on login tab for LDAP server. Defaults to 'LDAP'\n\n##### `LDAP_HOST`\n\nLDAP Host\n\n##### `LDAP_PORT`\n\nLDAP Port. Defaults to `389`\n\n##### `LDAP_UID`\n\nLDAP UID. Defaults to `sAMAccountName`\n\n##### `LDAP_METHOD`\n\nLDAP method. Possible values are `simple_tls`, `start_tls` and `plain`. Defaults to `plain`. With `plain` the connection to the LDAP server is not encrypted.\n\n##### `LDAP_VERIFY_SSL`\n\nLDAP verify ssl certificate for installations that are using `LDAP_METHOD: 'simple_tls'` or `LDAP_METHOD: 'start_tls'`. Defaults to `true`\n\n##### `LDAP_CA_FILE`\n\nSpecifies the path to a file containing a PEM-format CA certificate. Defaults to ``\n\n##### `LDAP_SSL_VERSION`\n\nSpecifies the SSL version for OpenSSL to use, if the OpenSSL default is not appropriate. Example: 'TLSv1_1'. 
Defaults to ``\n\n##### `LDAP_BIND_DN`\n\nNo default.\n\n##### `LDAP_PASS`\n\nLDAP password\n\n##### `LDAP_TIMEOUT`\n\nTimeout, in seconds, for LDAP queries. Defaults to `10`.\n\n##### `LDAP_ACTIVE_DIRECTORY`\n\nSpecifies if LDAP server is Active Directory LDAP server. If your LDAP server is not AD, set this to `false`. Defaults to `true`,\n\n##### `LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN`\n\nIf enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to `false` if `LDAP_UID` is `userPrincipalName`, else `true`.\n\n##### `LDAP_BLOCK_AUTO_CREATED_USERS`\n\nLocks down those users until they have been cleared by the admin. Defaults to `false`.\n\n##### `LDAP_BASE`\n\nBase where we can search for users. No default.\n\n##### `LDAP_USER_FILTER`\n\nFilter LDAP users. No default.\n\n##### `LDAP_USER_ATTRIBUTE_USERNAME`\n\nAttribute fields for the identification of a user. Default to `['uid', 'userid', 'sAMAccountName']`\n\n##### `LDAP_USER_ATTRIBUTE_MAIL`\n\nAttribute fields for the shown mail address. Default to `['mail', 'email', 'userPrincipalName']`\n\n##### `LDAP_USER_ATTRIBUTE_NAME`\n\nAttribute field for the used username of a user. Defaults to `cn`.\n\n##### `LDAP_USER_ATTRIBUTE_FIRSTNAME`\n\nAttribute field for the forename of a user. Default to `givenName`\n\n##### `LDAP_USER_ATTRIBUTE_LASTNAME`\n\n Attribute field for the surname of a user. Default to `sn`\n\n##### `LDAP_LOWERCASE_USERNAMES`\n\nGitLab will lower case the username for the LDAP Server. Defaults to `false`\n\n##### `LDAP_PREVENT_LDAP_SIGN_IN`\n\nSet to `true` to [Disable LDAP web sign in](https://docs.gitlab.com/ce/administration/auth/ldap/#disable-ldap-web-sign-in), defaults to `false`\n\n##### `OAUTH_ENABLED`\n\nEnable OAuth support. 
Defaults to `true` if any of the supported OAuth providers is configured, else defaults to `false`.\n\n##### `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER`\n\nAutomatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.\n\n##### `OAUTH_ALLOW_SSO`\n\nComma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.\n\n##### `OAUTH_BLOCK_AUTO_CREATED_USERS`\n\nLocks down those users until they have been cleared by the admin. Defaults to `true`.\n\n##### `OAUTH_AUTO_LINK_LDAP_USER`\n\nLook up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`.\n\n##### `OAUTH_AUTO_LINK_SAML_USER`\n\nAllow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`.\n\n##### `OAUTH_AUTO_LINK_USER`\n\nAllow users with existing accounts to login and auto link their account via the defined Omniauth providers login, without having to do a manual login first and manually connect their chosen provider. Defaults to `[]`.\n\n##### `OAUTH_EXTERNAL_PROVIDERS`\n\nComma separated list of oauth providers to disallow access to `internal` projects. Users creating accounts via these providers will not have access to internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. 
No default.\n\n##### `OAUTH_ALLOW_BYPASS_TWO_FACTOR`\n\nSpecify oauth providers where users can sign in without using two-factor authentication (2FA). You can define this using an array of providers like `[\"twitter\", \"google_oauth2\"]`. Setting this to `true` or `false` applies to all - allow all or none. Defaults to `false`.\n\n##### `OAUTH_CAS3_LABEL`\n\nThe \"Sign in with\" button label. Defaults to \"cas3\".\n\n##### `OAUTH_CAS3_SERVER`\n\nCAS3 server URL. No defaults.\n\n##### `OAUTH_CAS3_DISABLE_SSL_VERIFICATION`\n\nDisable CAS3 SSL verification. Defaults to `false`.\n\n##### `OAUTH_CAS3_LOGIN_URL`\n\nCAS3 login URL. Defaults to `/cas/login`\n\n##### `OAUTH_CAS3_VALIDATE_URL`\n\nCAS3 validation URL. Defaults to `/cas/p3/serviceValidate`\n\n##### `OAUTH_CAS3_LOGOUT_URL`\n\nCAS3 logout URL. Defaults to `/cas/logout`\n\n##### `OAUTH_GOOGLE_API_KEY`\n\nGoogle App Client ID. No defaults.\n\n##### `OAUTH_GOOGLE_APP_SECRET`\n\nGoogle App Client Secret. No defaults.\n\n##### `OAUTH_GOOGLE_RESTRICT_DOMAIN`\n\nList of Google App restricted domains. Value is comma separated list of single quoted groups. Example: `'exemple.com','exemple2.com'`. No defaults.\n\n##### `OAUTH_FACEBOOK_API_KEY`\n\nFacebook App API key. No defaults.\n\n##### `OAUTH_FACEBOOK_APP_SECRET`\n\nFacebook App API secret. No defaults.\n\n##### `OAUTH_TWITTER_API_KEY`\n\nTwitter App API key. No defaults.\n\n##### `OAUTH_TWITTER_APP_SECRET`\n\nTwitter App API secret. No defaults.\n\n##### `OAUTH_AUTHENTIQ_CLIENT_ID`\n\nauthentiq Client ID. No defaults.\n\n##### `OAUTH_AUTHENTIQ_CLIENT_SECRET`\n\nauthentiq Client secret. No defaults.\n\n##### `OAUTH_AUTHENTIQ_SCOPE`\n\nScope of Authentiq Application Defaults to `'aq:name email~rs address aq:push'`\n\n##### `OAUTH_AUTHENTIQ_REDIRECT_URI`\n\n Callback URL for Authentiq. No defaults.\n\n##### `OAUTH_GITHUB_API_KEY`\n\nGitHub App Client ID. No defaults.\n\n##### `OAUTH_GITHUB_APP_SECRET`\n\nGitHub App Client secret. 
No defaults.\n\n##### `OAUTH_GITHUB_URL`\n\nUrl to the GitHub Enterprise server. Defaults to `https://github.com`\n\n##### `OAUTH_GITHUB_VERIFY_SSL`\n\nEnable SSL verification while communicating with the GitHub server. Defaults to `true`.\n\n##### `OAUTH_GITLAB_API_KEY`\n\nGitLab App Client ID. No defaults.\n\n##### `OAUTH_GITLAB_APP_SECRET`\n\nGitLab App Client secret. No defaults.\n\n##### `OAUTH_BITBUCKET_API_KEY`\n\nBitBucket App Client ID. No defaults.\n\n##### `OAUTH_BITBUCKET_APP_SECRET`\n\nBitBucket App Client secret. No defaults.\n\n##### `OAUTH_BITBUCKET_URL`\n\nBitbucket URL. Defaults: `https://bitbucket.org/`\n\n##### `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL`\n\nThe URL at which the SAML assertion should be received. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}/users/auth/saml/callback` else defaults to `http://${GITLAB_HOST}/users/auth/saml/callback`.\n\n##### `OAUTH_SAML_IDP_CERT_FINGERPRINT`\n\nThe SHA1 fingerprint of the certificate. No Defaults.\n\n##### `OAUTH_SAML_IDP_SSO_TARGET_URL`\n\nThe URL to which the authentication request should be sent. No defaults.\n\n##### `OAUTH_SAML_ISSUER`\n\nThe name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`.\n\n##### `OAUTH_SAML_LABEL`\n\nThe \"Sign in with\" button label. Defaults to \"Our SAML Provider\".\n\n##### `OAUTH_SAML_NAME_IDENTIFIER_FORMAT`\n\nDescribes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`\n\n##### `OAUTH_SAML_GROUPS_ATTRIBUTE`\n\nMap groups attribute in a SAMLResponse to external groups. No defaults.\n\n##### `OAUTH_SAML_EXTERNAL_GROUPS`\n\nList of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example: `'group1','group2'`. No defaults.\n\n##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL`\n\nMap 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. 
See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.\n\n##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME`\n\nMap 'username' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.\n\n##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME`\n\nMap 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.\n\n##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME`\n\nMap 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.\n\n##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME`\n\nMap 'last_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.\n\n##### `OAUTH_CROWD_SERVER_URL`\n\nCrowd server url. No defaults.\n\n##### `OAUTH_CROWD_APP_NAME`\n\nCrowd server application name. No defaults.\n\n##### `OAUTH_CROWD_APP_PASSWORD`\n\nCrowd server application password. No defaults.\n\n##### `OAUTH_AUTH0_CLIENT_ID`\n\nAuth0 Client ID. No defaults.\n\n##### `OAUTH_AUTH0_CLIENT_SECRET`\n\nAuth0 Client secret. No defaults.\n\n##### `OAUTH_AUTH0_DOMAIN`\n\nAuth0 Domain. No defaults.\n\n##### `OAUTH_AUTH0_SCOPE`\n\nAuth0 Scope. Defaults to `openid profile email`.\n\n##### `OAUTH_AZURE_API_KEY`\n\nAzure Client ID. No defaults.\n\n##### `OAUTH_AZURE_API_SECRET`\n\nAzure Client secret. No defaults.\n\n##### `OAUTH_AZURE_TENANT_ID`\n\nAzure Tenant ID. No defaults.\n\n#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID`\n\nClient ID for oauth provider `azure_activedirectory_v2`. 
If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults.\n\n#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET`\n\nClient secret for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults.\n\n#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID`\n\nTenant ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults.\n\n#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL`\n\nOptional label for login button for `azure_activedirectory_v2`. Defaults to `Azure AD v2`\n\n##### `OAUTH2_GENERIC_APP_ID`\n\nYour OAuth2 App ID. No defaults.\n\n##### `OAUTH2_GENERIC_APP_SECRET`\n\nYour OAuth2 App Secret. No defaults.\n\n##### `OAUTH2_GENERIC_CLIENT_SITE`\n\nThe OAuth2 generic client site. No defaults\n\n##### `OAUTH2_GENERIC_CLIENT_USER_INFO_URL`\n\nThe OAuth2 generic client user info url. No defaults\n\n##### `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL`\n\nThe OAuth2 generic client authorize url. No defaults\n\n##### `OAUTH2_GENERIC_CLIENT_TOKEN_URL`\n\nThe OAuth2 generic client token url. No defaults\n\n##### `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT`\n\nThe OAuth2 generic client end session endpoint. No defaults\n\n##### `OAUTH2_GENERIC_ID_PATH`\n\nThe OAuth2 generic id path. No defaults\n\n##### `OAUTH2_GENERIC_USER_UID`\n\nThe OAuth2 generic user id path. No defaults\n\n##### `OAUTH2_GENERIC_USER_NAME`\n\nThe OAuth2 generic user name. No defaults\n\n##### `OAUTH2_GENERIC_USER_EMAIL`\n\nThe OAuth2 generic user email. No defaults\n\n##### `OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE`\n\nThe scope of your OAuth2 provider. No defaults\n\n##### `OAUTH2_GENERIC_LABEL`\n\nThe label of your OAuth2 provider. No defaults\n\n##### `OAUTH2_GENERIC_NAME`\n\nThe name of your OAuth2 provider. 
No defaults\n\n##### `GITLAB_GRAVATAR_ENABLED`\n\nEnables gravatar integration. Defaults to `true`.\n\n##### `GITLAB_GRAVATAR_HTTP_URL`\n\nSets a custom gravatar url. Defaults to `http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. This can be used for [Libravatar integration](http://doc.gitlab.com/ce/customization/libravatar.html).\n\n##### `GITLAB_GRAVATAR_HTTPS_URL`\n\nSame as above, but for https. Defaults to `https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`.\n\n##### `USERMAP_UID`\n\nSets the uid for user `git` to the specified uid. Defaults to `1000`.\n\n##### `USERMAP_GID`\n\nSets the gid for group `git` to the specified gid. Defaults to `USERMAP_UID` if defined, else defaults to `1000`.\n\n##### `GOOGLE_ANALYTICS_ID`\n\nGoogle Analytics ID. No defaults.\n\n##### `PIWIK_URL`\n\nSets the Piwik URL. No defaults.\n\n##### `PIWIK_SITE_ID`\n\nSets the Piwik site ID. No defaults.\n\n##### `AWS_BACKUPS`\n\nEnables automatic uploads to an Amazon S3 instance. Defaults to `false`.\n\n##### `AWS_BACKUP_REGION`\n\nAWS region. No defaults.\n\n##### `AWS_BACKUP_ENDPOINT`\n\nAWS endpoint. No defaults.\n\n##### `AWS_BACKUP_ACCESS_KEY_ID`\n\nAWS access key id. No defaults.\n\n##### `AWS_BACKUP_SECRET_ACCESS_KEY`\n\nAWS secret access key. No defaults.\n\n##### `AWS_BACKUP_BUCKET`\n\nAWS bucket for backup uploads. No defaults.\n\n##### `AWS_BACKUP_MULTIPART_CHUNK_SIZE`\n\nEnables multipart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html)\n\n##### `AWS_BACKUP_ENCRYPTION`\n\nTurns on AWS Server-Side Encryption.  Defaults to `false`. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html)\n\n##### `AWS_BACKUP_STORAGE_CLASS`\n\nConfigure the storage class for the item. 
Defaults to `STANDARD`  See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html)\n\n##### `AWS_BACKUP_SIGNATURE_VERSION`\n\nConfigure the storage signature version. Defaults to `4`  See at [AWS S3 Docs](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version)\n\n##### `GCS_BACKUPS`\n\nEnables automatic uploads to an Google Cloud Storage (GCS) instance. Defaults to `false`.\n\n##### `GCS_BACKUP_ACCESS_KEY_ID`\n\nGCS access key id. No defaults\n\n##### `GCS_BACKUP_SECRET_ACCESS_KEY`\n\nGCS secret access key. No defaults\n\n##### `GCS_BACKUP_BUCKET`\n\nGCS bucket for backup uploads. No defaults\n\n##### `GITLAB_ROBOTS_PATH`\n\nLocation of custom `robots.txt`. Uses GitLab's default `robots.txt` configuration by default. See [www.robotstxt.org](http://www.robotstxt.org) for examples.\n\n##### `RACK_ATTACK_ENABLED`\n\nEnable/disable rack middleware for blocking & throttling abusive requests Defaults to `true`.\n\n##### `RACK_ATTACK_WHITELIST`\n\nAlways allow requests from whitelisted host.\nThis should be a valid yaml sequence of host address. Each host address string must be a valid IP address that can be passed to `IPAddr.new` of ruby. See [ruby-lang reference](https://docs.ruby-lang.org/en/3.0/IPAddr.html#method-c-new) for detail.\nIf you need to set multiple hosts, set this parameter like `[\"1.1.1.1\",\"192.168.0.0/24\"]` for example.\n\n````yaml\nenvironment:\n# pattern 1: `- key=value` style : you can specify array of hosts as is\n- RACK_ATTACK_WHITELIST=[\"1.1.1.1\",\"192.168.0.0/24\"]\n# pattern 2: `key: value` style : you must surround with quote, as the value of environment variable must not be an array\n  RACK_ATTACK_WHITELIST: \"['1.1.1.1','192.168.0.0/24']\"\n````\n\nDefaults to `[\"127.0.0.1\"]`\n\n##### `RACK_ATTACK_MAXRETRY`\n\nNumber of failed auth attempts before which an IP should be banned. 
Defaults to `10`\n\n##### `RACK_ATTACK_FINDTIME`\n\nNumber of seconds before resetting the per IP auth attempt counter. Defaults to `60`.\n\n##### `RACK_ATTACK_BANTIME`\n\nNumber of seconds an IP should be banned after too many auth attempts. Defaults to `3600`.\n\n##### `GITLAB_WORKHORSE_TIMEOUT`\n\nTimeout for gitlab workhorse http proxy. Defaults to `5m0s`.\n\n##### `SENTRY_ENABLED`\n\nEnables Error Reporting and Logging with Sentry. Defaults to `false`.\n\n##### `SENTRY_DSN`\n\nSentry DSN. No defaults.\n\n##### `SENTRY_CLIENTSIDE_DSN`\n\nSentry client side DSN. No defaults.\n\n##### `SENTRY_ENVIRONMENT`\n\nSentry environment. Defaults to `production`.\n\n#### Docker secrets and configs\n\nAll the above environment variables can be put into a [secrets](https://docs.docker.com/compose/compose-file/#secrets) or [config](https://docs.docker.com/compose/compose-file/#configs) file\nand then both docker-compose and Docker Swarm can import them into your gitlab container.\n\nOn startup, the gitlab container will source env vars from a config file labeled `gitlab-config`, and then a secrets file labeled `gitlab-secrets` (both mounted in the default locations).\n\nSee the example [`contrib/docker-swarm/docker-compose.yml`](./contrib/docker-swarm/docker-compose.yml) file, and the\nexample `gitlab.configs` and `gitlab.secrets` file.\nYou may as well choose file names other than the example source files (`gitlab.configs` and `gitlab.secrets`) and update\nthe `file: ./gitlab.configs` and `file: ./gitlab.secrets` references accordingly. 
But do not alter the config\nkeys [`gitlab-configs`](contrib/docker-swarm/docker-compose.yml#L158) and\n[`gitlab-secrets`](contrib/docker-swarm/docker-compose.yml#L162) as they are currently\n[hardcoded](./assets/runtime/functions#L4:L9) and thus must be kept as in the example.\n\nIf you're not using one of these files, then don't include its entry in the docker-compose file.\n\n## Maintenance\n\n### Creating backups\n\nGitLab defines a rake task to take a backup of your gitlab installation. The backup consists of all git repositories, uploaded files and as you might expect, the sql database.\n\nBefore taking a backup make sure the container is stopped and removed to avoid container name conflicts.\n\n```bash\ndocker stop gitlab && docker rm gitlab\n```\n\nExecute the rake task to create a backup.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:rake gitlab:backup:create\n```\n\nA backup will be created in the backups folder of the [Data Store](#data-store). You can change the location of the backups using the `GITLAB_BACKUP_DIR` configuration parameter.\n\n*P.S. Backups can also be generated on a running instance using `docker exec` as described in the [Rake Tasks](#rake-tasks) section. 
However, to avoid undesired side-effects, I advice against running backup and restore operations on a running instance.*\n\nWhen using `docker-compose` you may use the following command to execute the backup.\n\n```bash\ndocker-compose rm -sf gitlab\ndocker-compose run --rm gitlab app:rake gitlab:backup:create\n```\n\nAfterwards you can bring your Instance back with the following command:\n\n```bash\ndocker-compose up -d\n```\n\n### Restoring Backups\n\nGitLab also defines a rake task to restore a backup.\n\nBefore performing a restore make sure the container is stopped and removed to avoid container name conflicts.\n\n```bash\ndocker stop gitlab && docker rm gitlab\n```\n\nIf this is a fresh database that you're doing the restore on, first\nyou need to prepare the database:\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:rake db:setup\n```\n\nExecute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:rake gitlab:backup:restore\n```\n\nThe list of all available backups will be displayed in reverse chronological order. 
Select the backup you want to restore and continue.\n\nTo avoid user interaction in the restore operation, specify the timestamp, date and version of the backup using the `BACKUP` argument to the rake task.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6\n```\n\nWhen using `docker-compose` you may use the following command to execute the restore.\n\n```bash\ndocker-compose run --rm gitlab app:rake gitlab:backup:restore # List available backups\ndocker-compose run --rm gitlab app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.10.0 # Choose to restore from 1515629493\n```\n\n### Host Key Backups (ssh)\n\nSSH keys are not backed up in the normal gitlab backup process. You\nwill need to backup the `ssh/` directory in the data volume by hand\nand you will want to restore it prior to doing a gitlab restore.\n\n### Automated Backups\n\nThe image can be configured to automatically take backups `daily`, `weekly` or `monthly` using the `GITLAB_BACKUP_SCHEDULE` configuration option.\n\nDaily backups are created at `GITLAB_BACKUP_TIME` which defaults to `04:00` everyday. Weekly backups are created every Sunday at the same time as the daily backups. Monthly backups are created on the 1st of every month at the same time as the daily backups.\n\nBy default, when automated backups are enabled, backups are held for a period of 7 days. While when automated backups are disabled, the backups are held for an infinite period of time. This behavior can be configured via the `GITLAB_BACKUP_EXPIRY` option.\n\n#### Amazon Web Services (AWS) Remote Backups\n\nThe image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. 
Finally an IAM user must be configured with appropriate access permission and their AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`.\n\nMore details about the appropriate IAM user properties can found on [doc.gitlab.com](http://doc.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage)\n\nFor remote backup to self-hosted s3 compatible storage, use `AWS_BACKUP_ENDPOINT`.\n\nAWS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed.\n\n#### Google Cloud Storage (GCS) Remote Backups\n\nThe image can be configured to automatically upload the backups to an Google Cloud Storage bucket. To enable automatic GCS backups first add `--env 'GCS_BACKUPS=true'` to the docker run command. In addition `GCS_BACKUP_BUCKET` must be properly configured to point to the desired GCS location.\nFinally a couple of `Interoperable storage access keys` user must be created and their keys exposed through `GCS_BACKUP_ACCESS_KEY_ID` and `GCS_BACKUP_SECRET_ACCESS_KEY`.\n\nMore details about the Cloud storage interoperability  properties can found on [cloud.google.com/storage](https://cloud.google.com/storage/docs/interoperability)\n\nGCS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed.\n\n### Rake Tasks\n\nThe `app:rake` command allows you to run gitlab rake tasks. To run a rake task simply specify the task to be executed to the `app:rake` command. For example, if you want to gather information about GitLab and the system it runs on.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:rake gitlab:env:info\n```\n\nYou can also use `docker exec` to run rake tasks on running gitlab instance. 
For example,\n\n```bash\ndocker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production\n```\n\nSimilarly, to import bare repositories into GitLab project instance\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:rake gitlab:import:repos\n```\n\nOr\n\n```bash\ndocker exec -it gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production\n```\n\nFor a complete list of available rake tasks please refer <https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks> or the help section of your gitlab installation.\n\n*P.S. Please avoid running the rake tasks for backup and restore operations on a running gitlab instance.*\n\nTo use the `app:rake` command with `docker-compose` use the following command.\n\n```bash\n## For stopped instances\ndocker-compose run --rm gitlab app:rake gitlab:env:info\ndocker-compose run --rm gitlab app:rake gitlab:import:repos\n\n## For running instances\ndocker-compose exec --user git gitlab bundle exec rake gitlab:env:info RAILS_ENV=production\ndocker-compose exec gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production\n```\n\n### Import Repositories\n\nCopy all the **bare** git repositories to the `repositories/` directory of the [data store](#data-store) and execute the `gitlab:import:repos` rake task like so:\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:rake gitlab:import:repos\n```\n\nWatch the logs and your repositories should be available into your new gitlab container.\n\nSee [Rake Tasks](#rake-tasks) for more information on executing rake tasks.\nUsage when using `docker-compose` can also be found there.\n\n### Upgrading\n\n> **Important Notice**\n>\n> Since GitLab release `8.6.0` PostgreSQL users should enable `pg_trgm` extension on the GitLab database. 
Refer to GitLab's [Postgresql Requirements](http://doc.gitlab.com/ce/install/requirements.html#postgresql-requirements) for more information\n>\n> If you're using `sameersbn/postgresql` then please upgrade to `kkimurak/sameersbn-postgresql:16` or later and add `DB_EXTENSION=pg_trgm,btree_gist` to the environment of the PostgreSQL container (see: <https://github.com/sameersbn/docker-gitlab/blob/master/docker-compose.yml#L21>).\n>\n> Please keep in mind that:\n>\n> - As of version 13.7.0, the required PostgreSQL version is 12.x.\n> - As of version 16.0.0, the required PostgreSQL version is 13.x.\n> - As of version 17.0.0, the required PostgreSQL version is 14.x.\n> - As of version 18.0.0, the required PostgreSQL version is 16.x.\n>\n> If you're using PostgreSQL image other than the above, please review section [Upgrading PostgreSQL](#upgrading-postgresql).\n\nGitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down.\n\nTo upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure.\n\n> **Note**\n>\n> Upgrading to `sameersbn/gitlab:18.9.2` from `sameersbn/gitlab:7.x.x` can cause issues. 
It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher.\n\n- **Step 1**: Update the docker image.\n\n```bash\ndocker pull sameersbn/gitlab:18.9.2\n```\n\n- **Step 2**: Stop and remove the currently running image\n\n```bash\ndocker stop gitlab\ndocker rm gitlab\n```\n\n- **Step 3**: Create a backup\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:x.x.x app:rake gitlab:backup:create\n```\n\nReplace `x.x.x` with the version you are upgrading from. For example, if you are upgrading from version `6.0.0`, set `x.x.x` to `6.0.0`\n\n- **Step 4**: Start the image\n\n> **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image.\n\n> **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.\n\n> **Note**: Since GitLab 13.7 you need to provide the `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` parameter while starting the image. If not provided, the key will be generated by GitLab, so you can start the image without setting this parameter. However, you will lose the key if you shut down the container without taking a backup of `secrets.yml`.\n\n> **Note**: Since GitLab 17.8 you need to provide `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`, `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`. If not provided, these keys will be generated by GitLab. 
The image can be started without setting these parameters, **but you will lose the settings if you shut down the container without taking a backup of `secrets.yml`, and settings stored securely (such as the Dependency Proxy) will be unusable and unrecoverable.**\n\n```bash\ndocker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.9.2\n```\n\n### Shell Access\n\nFor debugging and maintenance purposes you may want to access the container's shell. If you are using docker version `1.3.0` or higher you can access a running container's shell using the `docker exec` command.\n\n```bash\ndocker exec -it gitlab bash\n```\n\n## Monitoring\n\nYou can monitor your GitLab instance status as described in the [official documentation](https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html), for example:\n\n```bash\ncurl 'https://gitlab.example.com/-/liveness'\n```\n\nOn success, the endpoint will return a `200` HTTP status code, and a response like below.\n\n```bash\n{\n   \"status\": \"ok\"\n}\n```\n\nTo do that you will need to set the environment variable `GITLAB_MONITORING_IP_WHITELIST` to allow your IP or subnet to make requests to your GitLab instance.\n\n### Health Check\n\nYou can also set your `docker-compose.yml` [healthcheck](https://docs.docker.com/compose/compose-file/compose-file-v2/#healthcheck) configuration to make periodic checks:\n\n```yml\nservices:\n  gitlab:\n    image: sameersbn/gitlab:18.9.2\n    healthcheck:\n      test: [\"CMD\", \"/usr/local/sbin/healthcheck\"]\n      interval: 1m\n      timeout: 5s\n      retries: 5\n      start_period: 2m\n```\n\nThen you will be able to consult the health check log by executing:\n\n```bash\ndocker inspect --format \"{{json .State.Health }}\" $(docker-compose ps -q gitlab) | jq\n```\n\n## References\n\n- <https://github.com/gitlabhq/gitlabhq>\n- <https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/installation.md>\n- <http://wiki.nginx.org/HttpSslModule>\n- 
<https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html>\n- <https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl>\n- <https://github.com/jpetazzo/nsenter>\n- <https://jpetazzo.github.io/2014/03/23/lxc-attach-nsinit-nsenter-docker-0-9/>\n"
  },
  {
    "path": "VERSION",
    "content": "18.9.2\n"
  },
  {
    "path": "assets/build/config/database.yml.postgresql",
    "content": "# HINT: This file is identical to the corresponding configuration file from the\n# upstream repository, where the additional defined entries for `geo` had to be\n# removed. Otherwise, it is not possible to build the image, since the build\n# will fail with the error message:\n#\n# > rake aborted!\n# > ERROR: This installation of GitLab uses unsupported database names in 'config/database.yml': geo. The only supported ones are main, ci.\n#\n# This adjustment is hopefully only a temporary workaround (see \n# <https://github.com/sameersbn/docker-gitlab/pull/2596>).\n\n#\n# PRODUCTION\n#\nproduction:\n  main:\n    adapter: postgresql\n    encoding: unicode\n    database: gitlabhq_production\n    username: git\n    password: \"secure password\"\n    host: localhost\n    # load_balancing:\n    #   hosts:\n    #     - host1.example.com\n    #     - host2.example.com\n    #   discover:\n    #     nameserver: 1.2.3.4\n    #     port: 8600\n    #     record: secondary.postgresql.service.consul\n    #     interval: 300\n  ci:\n    adapter: postgresql\n    encoding: unicode\n    database: gitlabhq_production\n    database_tasks: false\n    username: git\n    password: \"secure password\"\n    host: localhost\n#  geo:\n#    adapter: postgresql\n#    encoding: unicode\n#    database: gitlabhq_geo_production\n#    username: git\n#    password: \"secure password\"\n#    host: localhost\n\n#\n# Development specific\n#\ndevelopment:\n  main:\n    adapter: postgresql\n    encoding: unicode\n    database: gitlabhq_development\n    username: postgres\n    password: \"secure password\"\n    host: localhost\n    variables:\n      statement_timeout: 15s\n  ci:\n    adapter: postgresql\n    encoding: unicode\n    database: gitlabhq_development\n    database_tasks: false\n    username: postgres\n    password: \"secure password\"\n    host: localhost\n    variables:\n      statement_timeout: 15s\n#  geo:\n#    adapter: postgresql\n#    encoding: unicode\n#    database: 
gitlabhq_geo_development\n#    username: postgres\n#    password: \"secure password\"\n#    host: localhost\n\n#\n# Staging specific\n#\nstaging:\n  main:\n    adapter: postgresql\n    encoding: unicode\n    database: gitlabhq_staging\n    username: git\n    password: \"secure password\"\n    host: localhost\n  ci:\n    adapter: postgresql\n    encoding: unicode\n    database: gitlabhq_staging\n    database_tasks: false\n    username: git\n    password: \"secure password\"\n    host: localhost\n#  geo:\n#    adapter: postgresql\n#    encoding: unicode\n#    database: gitlabhq_geo_staging\n#    username: git\n#    password: \"secure password\"\n#    host: localhost\n\n# Warning: The database defined as \"test\" will be erased and\n# re-generated from your development database when you run \"rake\".\n# Do not set this db to the same as development or production.\ntest: &test\n  main:\n    adapter: postgresql\n    encoding: unicode\n    database: gitlabhq_test\n    username: postgres\n    password:\n    host: localhost\n    prepared_statements: false\n    variables:\n      statement_timeout: 15s\n  ci:\n    adapter: postgresql\n    encoding: unicode\n    database: gitlabhq_test\n    database_tasks: false\n    username: postgres\n    password:\n    host: localhost\n    prepared_statements: false\n    variables:\n      statement_timeout: 15s\n#  geo:\n#    adapter: postgresql\n#    encoding: unicode\n#    database: gitlabhq_geo_test\n#    username: postgres\n#    password:\n#    host: localhost\n#  embedding:\n#    adapter: postgresql\n#    encoding: unicode\n#    database: gitlabhq_embedding_test\n#    username: postgres\n#    password:\n#    host: localhost\n"
  },
  {
    "path": "assets/build/install.sh",
    "content": "#!/bin/bash\nset -e\n\nGITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git\nGITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2\nGITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git\nGITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git\n\nGITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse\nGITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages\nGITLAB_GITALY_BUILD_DIR=/tmp/gitaly\n\nRUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz\n\nGEM_CACHE_DIR=\"${GITLAB_BUILD_DIR}/cache\"\n\nGOROOT=/tmp/go\nPATH=${GOROOT}/bin:$PATH\n\nexport GOROOT PATH\n\n# TODO Verify, if this is necessary or not.\n# BUILD_DEPENDENCIES=\"gcc g++ make patch pkg-config cmake paxctl \\\nBUILD_DEPENDENCIES=\"gcc g++ make patch pkg-config cmake \\\n  libc6-dev \\\n  libpq-dev zlib1g-dev libssl-dev \\\n  libgdbm-dev libreadline-dev libncurses5-dev libffi-dev \\\n  libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev \\\n  gettext libkrb5-dev \\\n  libexpat1-dev libz-dev libpcre2-dev build-essential git\"\n\n## Execute a command as GITLAB_USER\nexec_as_git() {\n  if [[ $(whoami) == \"${GITLAB_USER}\" ]]; then\n    \"$@\"\n  else\n    sudo -HEu ${GITLAB_USER} \"$@\"\n  fi\n}\n\n# install build dependencies for gem installation\napt-get update\nDEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y ${BUILD_DEPENDENCIES}\n\n# build ruby from source\necho \"Building ruby v${RUBY_VERSION} from source...\"\nPWD_ORG=\"$PWD\"\nmkdir /tmp/ruby && cd /tmp/ruby\ncurl --remote-name -Ss \"${RUBY_SRC_URL}\"\nprintf '%s ruby-%s.tar.gz' \"${RUBY_SOURCE_SHA256SUM}\" \"${RUBY_VERSION}\" | sha256sum -c -\ntar xzf ruby-\"${RUBY_VERSION}\".tar.gz && cd ruby-\"${RUBY_VERSION}\"\nfind \"${GITLAB_BUILD_DIR}/patches/ruby\" -name \"*.patch\" | while read -r patch_file; do\n  echo \"Applying patch ${patch_file}\"\n  patch -p1 -i 
\"${patch_file}\"\ndone\n./configure --disable-install-rdoc --enable-shared\nmake -j\"$(nproc)\"\nmake install\ncd \"$PWD_ORG\" && rm -rf /tmp/ruby\n\n# upgrade rubygems on demand\ngem update --no-document --system \"${RUBYGEMS_VERSION}\"\n\n# TODO Verify, if this is necessary or not.\n# # PaX-mark ruby\n# # Applying the mark late here does make the build usable on PaX kernels, but\n# # still the build itself must be executed on a non-PaX kernel. It's done here\n# # only for simplicity.\n# paxctl -cvm \"$(command -v ruby)\"\n# # https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Node.js\n# paxctl -cvm \"$(command -v node)\"\n\n# remove the host keys generated during openssh-server installation\nrm -rf /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub\n\n# add ${GITLAB_USER} user\ndeluser --remove-home ubuntu\naddgroup --gid 1000 git\nadduser --uid 1000 --gid 1000 --disabled-password --gecos 'GitLab' ${GITLAB_USER}\npasswd -d ${GITLAB_USER}\n\n# set PATH (fixes cron job PATH issues)\ncat >> ${GITLAB_HOME}/.profile <<EOF\nPATH=/usr/local/sbin:/usr/local/bin:\\$PATH\nEOF\n\n# configure git for ${GITLAB_USER}\nexec_as_git git config --global core.autocrlf input\nexec_as_git git config --global gc.auto 0\nexec_as_git git config --global repack.writeBitmaps true\nexec_as_git git config --global receive.advertisePushOptions true\nexec_as_git git config --global advice.detachedHead false\nexec_as_git git config --global --add safe.directory /home/git/gitlab\n\n# shallow clone gitlab-foss\necho \"Cloning gitlab-foss v.${GITLAB_VERSION}...\"\nexec_as_git git clone -q -b v${GITLAB_VERSION} --depth 1 ${GITLAB_CLONE_URL} ${GITLAB_INSTALL_DIR}\n\nfind \"${GITLAB_BUILD_DIR}/patches/gitlabhq\" -name \"*.patch\" | while read -r patch_file; do\n  printf \"Applying patch %s for gitlab-foss...\\n\" \"${patch_file}\"\n  exec_as_git git -C ${GITLAB_INSTALL_DIR} apply --ignore-whitespace < \"${patch_file}\"\ndone\n\nGITLAB_SHELL_VERSION=${GITLAB_SHELL_VERSION:-$(cat 
${GITLAB_INSTALL_DIR}/GITLAB_SHELL_VERSION)}\nGITLAB_PAGES_VERSION=${GITLAB_PAGES_VERSION:-$(cat ${GITLAB_INSTALL_DIR}/GITLAB_PAGES_VERSION)}\n\n# install bundler: use version specified in Gemfile.lock\nBUNDLER_VERSION=\"$(grep \"BUNDLED WITH\" ${GITLAB_INSTALL_DIR}/Gemfile.lock -A 1 | grep -v \"BUNDLED WITH\" | tr -d \"[:space:]\")\"\ngem install bundler:\"${BUNDLER_VERSION}\"\n\n# download golang\necho \"Downloading Go ${GOLANG_VERSION}...\"\nwget -cnv https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz -P ${GITLAB_BUILD_DIR}/\ntar -xf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz -C /tmp/\n\n# install gitlab-shell\necho \"Downloading gitlab-shell v.${GITLAB_SHELL_VERSION}...\"\nmkdir -p ${GITLAB_SHELL_INSTALL_DIR}\nwget -cq ${GITLAB_SHELL_URL} -O ${GITLAB_BUILD_DIR}/gitlab-shell-${GITLAB_SHELL_VERSION}.tar.bz2\ntar xf ${GITLAB_BUILD_DIR}/gitlab-shell-${GITLAB_SHELL_VERSION}.tar.bz2 --strip 1 -C ${GITLAB_SHELL_INSTALL_DIR}\nrm -rf ${GITLAB_BUILD_DIR}/gitlab-shell-${GITLAB_SHELL_VERSION}.tar.bz2\nchown -R ${GITLAB_USER}: ${GITLAB_SHELL_INSTALL_DIR}\n\ncd ${GITLAB_SHELL_INSTALL_DIR}\nexec_as_git cp -a config.yml.example config.yml\n\necho \"Compiling gitlab-shell golang executables...\"\nexec_as_git \"PATH=$PATH\" make verify setup\n\n# remove unused repositories directory created by gitlab-shell install\nrm -rf ${GITLAB_HOME}/repositories\n\n# build gitlab-workhorse\necho \"Build gitlab-workhorse\"\ngit config --global --add safe.directory /home/git/gitlab\nmake -C ${GITLAB_WORKHORSE_BUILD_DIR} install\n# clean up\nrm -rf ${GITLAB_WORKHORSE_BUILD_DIR}\n\n# download gitlab-pages\necho \"Downloading gitlab-pages v.${GITLAB_PAGES_VERSION}...\"\ngit clone -q -b v${GITLAB_PAGES_VERSION} --depth 1 ${GITLAB_PAGES_URL} ${GITLAB_PAGES_BUILD_DIR}\n\n# install gitlab-pages\nmake -C ${GITLAB_PAGES_BUILD_DIR}\ncp -a ${GITLAB_PAGES_BUILD_DIR}/gitlab-pages /usr/local/bin/\n\n# clean up\nrm -rf ${GITLAB_PAGES_BUILD_DIR}\n\n# download and build gitaly\necho 
\"Downloading gitaly v.${GITALY_SERVER_VERSION}...\"\ngit clone -q -b v${GITALY_SERVER_VERSION} --depth 1 ${GITLAB_GITALY_URL} ${GITLAB_GITALY_BUILD_DIR}\n\n# install gitaly\nmake -C ${GITLAB_GITALY_BUILD_DIR} install\nmkdir -p ${GITLAB_GITALY_INSTALL_DIR}\n# The following line causes some issues. However, according to\n# <https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5512> and \n# <https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5671> there seems to\n# be some attempts to remove ruby from gitaly.\n#\n# cp -a ${GITLAB_GITALY_BUILD_DIR}/ruby ${GITLAB_GITALY_INSTALL_DIR}/\ncp -a ${GITLAB_GITALY_BUILD_DIR}/config.toml.example ${GITLAB_GITALY_INSTALL_DIR}/config.toml\nrm -rf ${GITLAB_GITALY_INSTALL_DIR}/ruby/vendor/bundle/ruby/**/cache\nchown -R ${GITLAB_USER}: ${GITLAB_GITALY_INSTALL_DIR}\n\n# install git bundled with gitaly.\nmake -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local\n\n# clean up\nrm -rf ${GITLAB_GITALY_BUILD_DIR}\n\n# remove go\ngo clean --modcache\nrm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT}\n\n# revert `rake gitlab:setup` changes from gitlabhq/gitlabhq@a54af831bae023770bf9b2633cc45ec0d5f5a66a\nexec_as_git sed -i 's/db:reset/db:setup/' ${GITLAB_INSTALL_DIR}/lib/tasks/gitlab/setup.rake\n\n# change SSH_ALGORITHM_PATH - we have moved host keys in ${GITLAB_DATA_DIR}/ssh/ to persist them\nexec_as_git sed -i \"s:/etc/ssh/:/${GITLAB_DATA_DIR}/ssh/:g\" ${GITLAB_INSTALL_DIR}/app/models/instance_configuration.rb\n\ncd ${GITLAB_INSTALL_DIR}\n\n# install gems, use local cache if available\nif [[ -d ${GEM_CACHE_DIR} ]]; then\n  echo \"Found local npm package cache...\"\n  mv ${GEM_CACHE_DIR} ${GITLAB_INSTALL_DIR}/vendor/cache\n  chown -R ${GITLAB_USER}: ${GITLAB_INSTALL_DIR}/vendor/cache\nfi\n\nexec_as_git bundle config set --local deployment 'true'\nexec_as_git bundle config set --local without 'development test mysql aws'\nexec_as_git bundle install -j\"$(nproc)\"\n\n# make sure everything in ${GITLAB_HOME} is 
owned by ${GITLAB_USER} user\nchown -R ${GITLAB_USER}: ${GITLAB_HOME}\n\n# gitlab.yml and database.yml are required for `assets:precompile`\nexec_as_git cp ${GITLAB_INSTALL_DIR}/config/resque.yml.example ${GITLAB_INSTALL_DIR}/config/resque.yml\nexec_as_git cp ${GITLAB_INSTALL_DIR}/config/gitlab.yml.example ${GITLAB_INSTALL_DIR}/config/gitlab.yml\n#\n# Temporary workaround, see <https://github.com/sameersbn/docker-gitlab/pull/2596>\n#\n# exec_as_git cp ${GITLAB_INSTALL_DIR}/config/database.yml.postgresql ${GITLAB_INSTALL_DIR}/config/database.yml\ncp ${GITLAB_BUILD_DIR}/config/database.yml.postgresql ${GITLAB_INSTALL_DIR}/config/database.yml\nchown ${GITLAB_USER}: ${GITLAB_INSTALL_DIR}/config/database.yml\n\n# Installs nodejs packages required to compile webpack\nexec_as_git yarn install --production --pure-lockfile\n\necho \"Compiling assets. Please be patient, this could take a while...\"\nexec_as_git bundle exec rake gitlab:assets:compile USE_DB=false SKIP_STORAGE_VALIDATION=true NODE_OPTIONS=\"--max-old-space-size=8192\"\n\n# remove auto generated ${GITLAB_DATA_DIR}/config/secrets.yml\nrm -rf ${GITLAB_DATA_DIR}/config/secrets.yml\n\n# remove gitlab shell and workhorse secrets\nrm -f ${GITLAB_INSTALL_DIR}/.gitlab_shell_secret ${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret\n\nexec_as_git mkdir -p ${GITLAB_INSTALL_DIR}/tmp/pids/ ${GITLAB_INSTALL_DIR}/tmp/sockets/\nchmod -R u+rwX ${GITLAB_INSTALL_DIR}/tmp\n\n# symlink ${GITLAB_HOME}/.ssh -> ${GITLAB_LOG_DIR}/gitlab\nrm -rf ${GITLAB_HOME}/.ssh\nexec_as_git ln -sf ${GITLAB_DATA_DIR}/.ssh ${GITLAB_HOME}/.ssh\n\n# symlink ${GITLAB_INSTALL_DIR}/log -> ${GITLAB_LOG_DIR}/gitlab\nrm -rf ${GITLAB_INSTALL_DIR}/log\nln -sf ${GITLAB_LOG_DIR}/gitlab ${GITLAB_INSTALL_DIR}/log\n\n# symlink ${GITLAB_INSTALL_DIR}/public/uploads -> ${GITLAB_DATA_DIR}/uploads\nrm -rf ${GITLAB_INSTALL_DIR}/public/uploads\nexec_as_git ln -sf ${GITLAB_DATA_DIR}/uploads ${GITLAB_INSTALL_DIR}/public/uploads\n\n# symlink ${GITLAB_INSTALL_DIR}/.secret -> 
${GITLAB_DATA_DIR}/.secret\nrm -rf ${GITLAB_INSTALL_DIR}/.secret\nexec_as_git ln -sf ${GITLAB_DATA_DIR}/.secret ${GITLAB_INSTALL_DIR}/.secret\n\n# WORKAROUND for https://github.com/sameersbn/docker-gitlab/issues/509\nrm -rf ${GITLAB_INSTALL_DIR}/builds\nrm -rf ${GITLAB_INSTALL_DIR}/shared\n\n# install gitlab bootscript, to silence gitlab:check warnings\ncp ${GITLAB_INSTALL_DIR}/lib/support/init.d/gitlab /etc/init.d/gitlab\nchmod +x /etc/init.d/gitlab\n\n# disable default nginx configuration and enable gitlab's nginx configuration\nrm -rf /etc/nginx/sites-enabled/default\n\n# configure sshd\nsed -i \\\n  -e \"s|^[#]*UsePAM yes|UsePAM no|\" \\\n  -e \"s|^[#]*UsePrivilegeSeparation yes|UsePrivilegeSeparation no|\" \\\n  -e \"s|^[#]*PasswordAuthentication yes|PasswordAuthentication no|\" \\\n  -e \"s|^[#]*LogLevel INFO|LogLevel VERBOSE|\" \\\n  -e \"s|^[#]*AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_proxy|\" \\\n  /etc/ssh/sshd_config\necho \"AcceptEnv GIT_PROTOCOL\" >> /etc/ssh/sshd_config # Allow clients to explicitly set the Git transfer protocol, e.g. 
to enable version 2.\necho \"UseDNS no\" >> /etc/ssh/sshd_config\n\n# move supervisord.log file to ${GITLAB_LOG_DIR}/supervisor/\nsed -i \"s|^[#]*logfile=.*|logfile=${GITLAB_LOG_DIR}/supervisor/supervisord.log ;|\" /etc/supervisor/supervisord.conf\n\n# silence \"CRIT Server 'unix_http_server' running without any HTTP authentication checking\" message\n# https://github.com/Supervisor/supervisor/issues/717\nsed -i '/\\.sock/a password=dummy' /etc/supervisor/supervisord.conf\nsed -i '/\\.sock/a username=dummy' /etc/supervisor/supervisord.conf\n# prevent confusing warning \"CRIT Supervisor running as root\" by clarify run as root\n#   user not defined in supervisord.conf by default, so just append it after [supervisord] block\nsed -i \"/\\[supervisord\\]/a user=root\" /etc/supervisor/supervisord.conf\n\n# move nginx logs to ${GITLAB_LOG_DIR}/nginx\nsed -i \\\n  -e \"s|access_log /var/log/nginx/access.log;|access_log ${GITLAB_LOG_DIR}/nginx/access.log;|\" \\\n  -e \"s|error_log /var/log/nginx/error.log;|error_log ${GITLAB_LOG_DIR}/nginx/error.log;|\" \\\n  /etc/nginx/nginx.conf\n\n# fix \"unknown group 'syslog'\" error preventing logrotate from functioning\nsed -i \"s|^su root syslog$|su root root|\" /etc/logrotate.conf\n\n# configure supervisord log rotation\ncat > /etc/logrotate.d/supervisord <<EOF\n${GITLAB_LOG_DIR}/supervisor/*.log {\n  weekly\n  missingok\n  rotate 52\n  compress\n  delaycompress\n  notifempty\n  copytruncate\n}\nEOF\n\n# configure gitlab log rotation\ncat > /etc/logrotate.d/gitlab <<EOF\n${GITLAB_LOG_DIR}/gitlab/*.log {\n  weekly\n  missingok\n  rotate 52\n  compress\n  delaycompress\n  notifempty\n  copytruncate\n}\nEOF\n\n# configure gitlab-shell log rotation\ncat > /etc/logrotate.d/gitlab-shell <<EOF\n${GITLAB_LOG_DIR}/gitlab-shell/*.log {\n  weekly\n  missingok\n  rotate 52\n  compress\n  delaycompress\n  notifempty\n  copytruncate\n}\nEOF\n\n# configure gitlab log rotation\ncat > /etc/logrotate.d/gitaly <<EOF\n${GITLAB_LOG_DIR}/gitaly/*.log 
{\n  weekly\n  missingok\n  rotate 52\n  compress\n  delaycompress\n  notifempty\n  copytruncate\n}\nEOF\n\n# configure gitlab vhost log rotation\ncat > /etc/logrotate.d/gitlab-nginx <<EOF\n${GITLAB_LOG_DIR}/nginx/*.log {\n  weekly\n  missingok\n  rotate 52\n  compress\n  delaycompress\n  notifempty\n  copytruncate\n}\nEOF\n\ncat > /etc/supervisor/conf.d/puma.conf <<EOF\n[program:puma]\npriority=10\ndirectory=${GITLAB_INSTALL_DIR}\nenvironment=HOME=${GITLAB_HOME}\ncommand=bundle exec puma --config ${GITLAB_INSTALL_DIR}/config/puma.rb --environment ${RAILS_ENV}\nuser=git\nautostart=true\nautorestart=true\nstdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nstderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nEOF\n\n# configure supervisord to start sidekiq\ncat > /etc/supervisor/conf.d/sidekiq.conf <<EOF\n[program:sidekiq]\npriority=10\ndirectory=${GITLAB_INSTALL_DIR}\nenvironment=HOME=${GITLAB_HOME}\ncommand=bundle exec sidekiq -c {{SIDEKIQ_CONCURRENCY}}\n  -C ${GITLAB_INSTALL_DIR}/config/sidekiq_queues.yml\n  -e ${RAILS_ENV}\n  -t {{SIDEKIQ_SHUTDOWN_TIMEOUT}}\nuser=git\nautostart=true\nautorestart=true\nstdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nstderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nEOF\n\n# configure supervisord to start gitlab-workhorse\ncat > /etc/supervisor/conf.d/gitlab-workhorse.conf <<EOF\n[program:gitlab-workhorse]\npriority=20\ndirectory=${GITLAB_INSTALL_DIR}\nenvironment=HOME=${GITLAB_HOME}\ncommand=/usr/local/bin/gitlab-workhorse\n  -listenUmask 0\n  -listenNetwork tcp\n  -listenAddr \":8181\"\n  -authBackend http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}}\n  -authSocket ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket\n  -documentRoot ${GITLAB_INSTALL_DIR}/public\n  -proxyHeadersTimeout 
{{GITLAB_WORKHORSE_TIMEOUT}}\nuser=git\nautostart=true\nautorestart=true\nstdout_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log\nstderr_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log\nEOF\n\n# configure supervisord to start gitaly\ncat > /etc/supervisor/conf.d/gitaly.conf <<EOF\n[program:gitaly]\npriority=5\ndirectory=${GITLAB_GITALY_INSTALL_DIR}\nenvironment=HOME=${GITLAB_HOME}\ncommand=/usr/local/bin/gitaly ${GITLAB_GITALY_INSTALL_DIR}/config.toml\nuser=git\nautostart=true\nautorestart=true\nstdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nstderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nEOF\n\n# configure supervisord to start mail_room\ncat > /etc/supervisor/conf.d/mail_room.conf <<EOF\n[program:mail_room]\npriority=20\ndirectory=${GITLAB_INSTALL_DIR}\nenvironment=HOME=${GITLAB_HOME}\ncommand=bundle exec mail_room -c ${GITLAB_INSTALL_DIR}/config/mail_room.yml\nuser=git\nautostart={{GITLAB_INCOMING_EMAIL_ENABLED}}\nautorestart=true\nstdout_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log\nstderr_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log\nEOF\n\n# configure supervisor to start sshd\nmkdir -p /var/run/sshd\ncat > /etc/supervisor/conf.d/sshd.conf <<EOF\n[program:sshd]\ndirectory=/\ncommand=/usr/sbin/sshd -D -E ${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nuser=root\nautostart=true\nautorestart=true\nstdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nstderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nEOF\n\n# configure supervisord to start nginx\ncat > /etc/supervisor/conf.d/nginx.conf <<EOF\n[program:nginx]\npriority=20\ndirectory=/tmp\ncommand=/usr/sbin/nginx -g \"daemon off;\"\nuser=root\nautostart=true\nautorestart=true\nstdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nstderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nEOF\n\n# configure supervisord to start crond\ncat > /etc/supervisor/conf.d/cron.conf 
<<EOF\n[program:cron]\npriority=20\ndirectory=/tmp\ncommand=/usr/sbin/cron -f\nuser=root\nautostart=true\nautorestart=true\nstdout_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nstderr_logfile=${GITLAB_LOG_DIR}/supervisor/%(program_name)s.log\nEOF\n\n\ncat > /etc/supervisor/conf.d/groups.conf <<EOF\n[group:core]\nprograms=gitaly\npriority=5\n[group:gitlab]\nprograms=puma,gitlab-workhorse\npriority=10\n[group:gitlab_extensions]\nprograms=sshd,nginx,mail_room,cron\npriority=20\nEOF\n\n# purge build dependencies and cleanup apt\nDEBIAN_FRONTEND=noninteractive apt-get purge -y --auto-remove ${BUILD_DEPENDENCIES}\nrm -rf /var/lib/apt/lists/*\n\n# clean up caches\nrm -rf ${GITLAB_HOME}/.cache ${GITLAB_HOME}/.bundle ${GITLAB_HOME}/go\nrm -rf /root/.cache /root/.bundle ${GITLAB_HOME}/gitlab/node_modules\nrm -r /tmp/*\n"
  },
  {
    "path": "assets/build/patches/gitlabhq/0001-fix-feature-checking-for-gitaly-on-a-fresh-install.patch.bak",
    "content": "diff --git a/lib/feature.rb b/lib/feature.rb\nindex f8d34e9c386..549c7fc063e 100644\n--- a/lib/feature.rb\n+++ b/lib/feature.rb\n@@ -37,6 +37,7 @@ def get(key)\n \n     def persisted_names\n       return [] unless Gitlab::Database.main.exists?\n+      return [] unless Feature::FlipperFeature.table_exists?\n \n       # This loads names of all stored feature flags\n       # and returns a stable Set in the following order:\n@@ -74,6 +75,7 @@ def enabled?(key, thing = nil, type: :development, default_enabled: false)\n       # During setup the database does not exist yet. So we haven't stored a value\n       # for the feature yet and return the default.\n       return default_enabled unless Gitlab::Database.main.exists?\n+      return default_enabled unless Feature::FlipperFeature.table_exists?\n \n       feature = get(key)\n \n"
  },
  {
    "path": "assets/build/patches/gitlabhq/0002-fix-condition-for-csr-policy-allow-lfs_v16.3.0.patch.bak",
    "content": "diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb\nindex 9fb3c7d362f..d012c8b3b7b 100644\n--- a/lib/gitlab/content_security_policy/config_loader.rb\n+++ b/lib/gitlab/content_security_policy/config_loader.rb\n@@ -84,7 +84,7 @@ def allow_snowplow_micro(directives)\n         end\n \n         def allow_lfs(directives)\n-          return unless Gitlab.config.lfs.enabled && LfsObjectUploader.direct_download_enabled?\n+          return unless Gitlab.config.lfs.enabled && Gitlab.config.lfs.object_store.enabled && LfsObjectUploader.direct_download_enabled?\n \n           lfs_url = build_lfs_url\n           return unless lfs_url.present?\n"
  },
  {
    "path": "assets/build/patches/gitlabhq/0003-fix_preinstall.mjs-to-avoid-removing-node_modules_dir.patch.bak",
    "content": "diff --git a/scripts/frontend/preinstall.mjs b/scripts/frontend/preinstall.mjs\nindex e86525cd20d2..f849c423f1b6 100644\n--- a/scripts/frontend/preinstall.mjs\n+++ b/scripts/frontend/preinstall.mjs\n@@ -1,5 +1,5 @@\n import { join } from 'node:path';\n-import { readFile, rm } from 'node:fs/promises';\n+import { readdir, readFile, rm, stat } from 'node:fs/promises';\n \n const ROOT_PATH = join(import.meta.dirname, '..', '..');\n const NODE_MODULES = join(ROOT_PATH, 'node_modules');\n@@ -54,5 +54,14 @@ if (!arraysHaveSameItems(prevTopLevelPatterns, currentTopLevelPatterns)) {\n   console.error(\n     '[WARNING] package.json changed significantly. Removing node_modules to be sure there are no problems.',\n   );\n-  await rm(NODE_MODULES, { recursive: true, force: true });\n+  // sameersbn/gitlab : avoid removing NODE_MODULES directly, iterate its content instead\n+  // The path NODE_MODULES is declared as docker volume - always busy so that cannot be removed\n+  // before iterating, check if the directory exists\n+  const isDirectory = await stat(NODE_MODULES).then((stat) => stat.isDirectory()).catch(() => false);\n+  if(isDirectory) {\n+      for (const dir_ent of await readdir(NODE_MODULES, { withFileTypes: true})) {\n+      const to_remove = join(NODE_MODULES, dir_ent.name);\n+      await rm(to_remove, { recursive: true, force: true });\n+    }\n+  }\n }\n"
  },
  {
    "path": "assets/build/patches/gitlabhq/0004-fix-raketask-gitlab-assets-compile.patch.bak",
    "content": "diff --git a/lib/tasks/gitlab/assets.rake b/lib/tasks/gitlab/assets.rake\nindex b8a6e7018767..5096d81ea63f 100644\n--- a/lib/tasks/gitlab/assets.rake\n+++ b/lib/tasks/gitlab/assets.rake\n@@ -96,7 +96,14 @@ namespace :gitlab do\n       puts \"Assets SHA256 for `HEAD`: #{Tasks::Gitlab::Assets.head_assets_sha256.inspect}\"\n \n       if Tasks::Gitlab::Assets.head_assets_sha256 != Tasks::Gitlab::Assets.master_assets_sha256\n-        FileUtils.rm_rf([Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR] + Dir.glob('app/assets/javascripts/locale/**/app.js'))\n+        # sameersbn/gitlab takes a cache of public_assets_dir by symlinking to volume to speedup relaunch (if relative url is used)\n+        # so do not remove the directory directly, empty instead\n+        # Dir.glob(\"*\") ignores dotfiles (even it is fine to remove here), so list up children manually\n+        removal_targets = Dir.glob('app/assets/javascripts/locale/**/app.js')\n+        if Dir.exist?(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR)\n+          removal_targets += Dir.children(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR).map {|child| File.join(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR, child)}\n+        end\n+        FileUtils.rm_rf(removal_targets, secure: true)\n \n         # gettext:compile needs to run before rake:assets:precompile because\n         # app/assets/javascripts/locale/**/app.js are pre-compiled by Sprockets\n"
  },
  {
    "path": "assets/build/patches/gitlabhq/0005_fix-gitlab-setup-mr225503.patch",
    "content": "From a39aef6cf81149d940061d56f358d220dbf90159 Mon Sep 17 00:00:00 2001\nFrom: Vasilii Iakliushin <viakliushin@gitlab.com>\nDate: Mon, 2 Mar 2026 15:21:34 +0100\nSubject: [PATCH 1/2] Fix gitlab:setup failure on fresh database\n\nContributes to https://gitlab.com/gitlab-org/gitlab/-/issues/591292\n\n**Problem**\n\nRunning `gitlab:setup` on a fresh PostgreSQL database fails with\n`PG::UndefinedTable: ERROR: relation \"feature_gates\" does not exist`.\n\nThis regression was introduced in 18.9 by\nhttps://gitlab.com/gitlab-org/gitlab/-/merge_requests/220200 which added\na circuit breaker to the Gitaly client. The `CircuitBreaker#enabled?`\nmethod calls `Feature.enabled?` before the database schema is\ninitialized, causing Flipper to query the non-existent `feature_gates`\ntable.\n\n**Solution**\n\nCheck `Feature::FlipperFeature.table_exists?` before calling\n`Feature.enabled?` in `CircuitBreaker#enabled?`. This follows the\nestablished pattern used in `lib/feature/gitaly.rb`.\n\nChangelog: fixed\n---\n lib/gitlab/gitaly_client/circuit_breaker.rb     |  2 ++\n .../gitaly_client/circuit_breaker_spec.rb       | 17 +++++++++++++++++\n 2 files changed, 19 insertions(+)\n\ndiff --git a/lib/gitlab/gitaly_client/circuit_breaker.rb b/lib/gitlab/gitaly_client/circuit_breaker.rb\nindex f7f2a79b5d7a..05924b641581 100644\n--- a/lib/gitlab/gitaly_client/circuit_breaker.rb\n+++ b/lib/gitlab/gitaly_client/circuit_breaker.rb\n@@ -39,6 +39,8 @@ def check!\n       attr_reader :service, :rpc, :storage\n \n       def enabled?\n+        return false unless Feature::FlipperFeature.table_exists?\n+\n         Feature.enabled?(:add_circuit_breaker_to_gitaly, Feature.current_request)\n       end\n \n\n"
  },
  {
    "path": "assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.bak",
    "content": "From 64e503eb62aff0952b655e9a86217e355f786146 Mon Sep 17 00:00:00 2001\nFrom: =?UTF-8?q?=E5=8D=9C=E9=83=A8=E6=98=8C=E5=B9=B3?=\n <shyouhei@ruby-lang.org>\nDate: Thu, 13 Apr 2023 15:36:24 +0900\nSubject: [PATCH] avoid seeding\n\nOpenSSL's man page previously stated that \"the application is\nresponsible for seeding the PRNG by calling RAND_add\" (see [1]).\nSo we had this code.  However things changed.  They no longer\nsay so, instead \"manual (re-)seeding of the default OpenSSL\nrandom generator is not necessary\" now (see [2]).  It seems all\nOpenSSL versions that we support now already behaves like this.\nLet's follow that.\n\n[1]: https://www.openssl.org/docs/man1.0.2/man3/RAND_add.html\n[2]: https://www.openssl.org/docs/manmaster/man3/RAND_add.html\n---\n lib/securerandom.rb | 11 -----------\n 1 file changed, 11 deletions(-)\n\ndiff --git a/lib/securerandom.rb b/lib/securerandom.rb\nindex 07ae048634..c5be6ce734 100644\n--- a/lib/securerandom.rb\n+++ b/lib/securerandom.rb\n@@ -47,17 +47,6 @@ def bytes(n)\n     private\n \n     def gen_random_openssl(n)\n-      @pid = 0 unless defined?(@pid)\n-      pid = $$\n-      unless @pid == pid\n-        now = Process.clock_gettime(Process::CLOCK_REALTIME, :nanosecond)\n-        OpenSSL::Random.random_add([now, @pid, pid].join(\"\"), 0.0)\n-        seed = Random.urandom(16)\n-        if (seed)\n-          OpenSSL::Random.random_add(seed, 16)\n-        end\n-        @pid = pid\n-      end\n       return OpenSSL::Random.random_bytes(n)\n     end\n \n-- \n2.43.0.windows.1\n\n"
  },
  {
    "path": "assets/runtime/config/gitaly/config.toml",
    "content": "# Example Gitaly configuration file\n# Documentation lives at https://docs.gitlab.com/ee/administration/gitaly/ and\n# https://docs.gitlab.com/ee//administration/gitaly/reference\n\nsocket_path = \"{{GITALY_SOCKET_PATH}}\"\n\n# The directory where Gitaly's executables are stored\nbin_dir = \"/usr/local/bin/\"\n\n# # Optional: listen on a TCP socket. This is insecure (no authentication)\n# listen_addr = \"localhost:9999\"\n# tls_listen_addr = \"localhost:8888\n\n# # Optional: export metrics via Prometheus\n# prometheus_listen_addr = \"localhost:9236\"\n\n# # Optional: configure where the Gitaly creates the sockets for internal connections. If unset, Gitaly will create a randomly\n# # named temp directory each time it boots.\n# # Non Gitaly clients should never connect to these sockets.\n# internal_socket_dir = \"/home/git/gitlab/tmp/sockets/private/internal\"\n\n# # Optional: authenticate Gitaly requests using a shared secret\n# [auth]\n# token = 'abc123secret'\n# transitioning = false # Set `transitioning` to true to temporarily allow unauthenticated while rolling out authentication.\n\n# [tls]\n# certificate_path = '/home/git/cert.cert'\n# key_path = '/home/git/key.pem'\n\n# # Git settings\n# [git]\n# bin_path = \"/usr/bin/git\"\n# catfile_cache_size = 100\n\n[[storage]]\nname = \"default\"\npath = \"{{GITLAB_REPOS_DIR}}\"\n\n# # You can optionally configure more storages for this Gitaly instance to serve up\n#\n# [[storage]]\n# name = \"other_storage\"\n# path = \"/mnt/other_storage/repositories\"\n#\n\n# # You can optionally configure Gitaly to output JSON-formatted log messages to stdout\n[logging]\n# # The directory where Gitaly stores extra log files\ndir = \"{{GITLAB_LOG_DIR}}/gitaly\"\n# format = \"json\"\n# # Optional: Set log level to only log entries with that severity or above\n# # One of, in order: debug, info, warn, errror, fatal, panic\n# # Defaults to \"info\"\n# level = \"warn\"\n#\n# # Additionally exceptions from the Go server can 
be reported to Sentry\n# sentry_dsn = \"https://<key>:<secret>@sentry.io/<project>\"\n# # Exceptions from gitaly-ruby can also be reported to Sentry\n# ruby_sentry_dsn = \"https://<key>:<secret>@sentry.io/<project>\"\n\n# # You can optionally configure Gitaly to record histogram latencies on GRPC method calls\n# [prometheus]\n# grpc_latency_buckets = [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]\n\n[gitaly-ruby]\n# The directory where gitaly-ruby is installed\ndir = \"{{GITLAB_GITALY_INSTALL_DIR}}/ruby\"\n\n# # Gitaly-ruby resident set size (RSS) that triggers a memory restart (bytes)\n# max_rss = 200000000\n#\n# # Grace period before a gitaly-ruby process is forcibly terminated after exceeding max_rss (seconds)\n# graceful_restart_timeout = \"10m\"\n#\n# # Time that gitaly-ruby memory must remain high before a restart (seconds)\n# restart_delay = \"5m\"\n#\n# # Number of gitaly-ruby worker processes\n# num_workers = 2\n#\n# # Search path for system gitconfig file (e.g. /etc, /opt/gitlab/embedded/etc)\n# # NOTE: This only affects RPCs that use Rugged.\n# rugged_git_config_search_path = \"/etc\"\n\n[gitlab-shell]\n# The directory where gitlab-shell is installed\ndir = \"{{GITLAB_SHELL_INSTALL_DIR}}\"\n\n# # You can adjust the concurrency of each RPC endpoint\n# [[concurrency]]\n# rpc = \"/gitaly.RepositoryService/GarbageCollect\"\n# max_per_repo = 1\n\n[gitlab]\nsecret_file = \"/home/git/gitlab-shell/.gitlab_shell_secret\"\nurl = \"http://127.0.0.1:8181{{GITLAB_RELATIVE_URL_ROOT}}\"\n\n"
  },
  {
    "path": "assets/runtime/config/gitlab-pages/config",
    "content": "auth-client-id={{GITLAB_PAGES_ACCESS_CLIENT_ID}}\nauth-client-secret={{GITLAB_PAGES_ACCESS_CLIENT_SECRET}}\nauth-redirect-uri={{GITLAB_PAGES_ACCESS_REDIRECT_URI}}\nauth-secret={{GITLAB_PAGES_ACCESS_SECRET}}\ngitlab-server={{GITLAB_PAGES_ACCESS_CONTROL_SERVER}}\nartifacts-server={{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}\ninternal-gitlab-server=http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}}\napi-secret-key={{GITLAB_INSTALL_DIR}}/.gitlab_pages_secret\nlog-verbose={{GITLAB_PAGES_LOG_VERBOSE}}\nnamespace-in-path={{GITLAB_PAGES_NAMESPACE_IN_PATH}}\n"
  },
  {
    "path": "assets/runtime/config/gitlab-shell/config.yml",
    "content": "#\n# If you change this file in a Merge Request, please also create\n# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests\n#\n\n# GitLab user. git by default\nuser: git\n\n# URL to GitLab instance, used for API calls. Default: http://localhost:8080.\n# For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html\n# You only have to change the default if you have configured Unicorn\n# to listen on a custom port, or if you have configured Unicorn to\n# only listen on a Unix domain socket. For Unix domain sockets use\n# \"http+unix://<urlquoted-path-to-socket>\", e.g.\n# \"http+unix://%2Fpath%2Fto%2Fsocket\"\ngitlab_url: \"http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}}\"\n\n# See installation.md#using-https for additional HTTPS configuration details.\nhttp_settings:\n#  read_timeout: 300\n#  user: someone\n#  password: somepass\n#  ca_file: /etc/ssl/cert.pem\n#  ca_path: /etc/pki/tls/certs\n  self_signed_cert: {{SSL_SELF_SIGNED}}\n\n# File used as authorized_keys for gitlab user\nauth_file: \"{{GITLAB_HOME}}/.ssh/authorized_keys\"\n\n# File that contains the secret key for verifying access to GitLab.\n# Default is .gitlab_shell_secret in the gitlab-shell directory.\nsecret_file: \"{{GITLAB_SHELL_INSTALL_DIR}}/.gitlab_shell_secret\"\n\n# Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)\n# Default is hooks in the gitlab-shell directory.\ncustom_hooks_dir: \"{{GITLAB_SHELL_INSTALL_DIR}}/hooks\"\n\n# Log file.\n# Default is gitlab-shell.log in the root directory.\nlog_file: \"{{GITLAB_LOG_DIR}}/gitlab-shell/gitlab-shell.log\"\n\n# Log level. INFO by default\nlog_level: INFO\n\n# Log format. 'text' by default\n# log_format: json\n\n# Audit usernames.\n# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but\n# incurs an extra API call on every gitlab-shell command.\naudit_usernames: false\n\n# Distributed Tracing. 
GitLab-Shell has distributed tracing instrumentation.\n# For more details, visit https://docs.gitlab.com/ee/development/distributed_tracing.html\n# gitlab_tracing: opentracing://driver\n"
  },
  {
    "path": "assets/runtime/config/gitlabhq/cable.yml",
    "content": "# This is a template taken from here:\n# https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/cable.yml.example\ndevelopment:\n  adapter: redis\n  url: redis://127.0.0.1:6379\n  channel_prefix: gitlab_development\ntest:\n  adapter: redis\n  url: redis://127.0.0.1:6379\n  channel_prefix: gitlab_test\nproduction:\n  adapter: redis\n  url: redis://{{REDIS_HOST}}:{{REDIS_PORT}}/{{REDIS_DB_NUMBER}}\n  channel_prefix: gitlab_production\n"
  },
  {
    "path": "assets/runtime/config/gitlabhq/database.yml",
    "content": "#\n# PRODUCTION (here: non-decomposed database)\n#\nproduction:\n  main:\n    adapter: postgresql\n    encoding: {{DB_ENCODING}}\n    database: {{DB_NAME}}\n    host: {{DB_HOST}}\n    port: {{DB_PORT}}\n    username: {{DB_USER}}\n    password: \"{{DB_PASS}}\"\n    pool: {{DB_POOL}}\n    prepared_statements: {{DB_PREPARED_STATEMENTS}}\n  ci:\n    adapter: postgresql\n    encoding: {{DB_ENCODING}}\n    database: {{DB_NAME}}\n    database_tasks: false\n    host: {{DB_HOST}}\n    port: {{DB_PORT}}\n    username: {{DB_USER}}\n    password: \"{{DB_PASS}}\"\n    pool: {{DB_POOL}}\n"
  },
  {
    "path": "assets/runtime/config/gitlabhq/gitlab.yml",
    "content": "# # # # # # # # # # # # # # # # # #\n# GitLab application config file  #\n# # # # # # # # # # # # # # # # # #\n#\n###########################  NOTE  #####################################\n# This file should not receive new settings. All configuration options #\n# * are being moved to ApplicationSetting model!                       #\n# If a setting requires an application restart say so in that screen.  #\n# If you change this file in a Merge Request, please also create       #\n# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #\n# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md #\n########################################################################\n#\n#\n# How to use:\n# 1. Copy file as gitlab.yml\n# 2. Update gitlab -> host with your fully qualified domain name\n# 3. Update gitlab -> email_from\n# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git\n#    IMPORTANT: If Git was installed in a different location use that instead.\n#    You can check with `which git`. If a wrong path of Git is specified, it will\n#     result in various issues such as failures of GitLab CI builds.\n# 5. Review this configuration file for other settings you may want to adjust\n\nproduction: &base\n  #\n  # 1. GitLab app settings\n  # ==========================\n\n  ## GitLab settings\n  gitlab:\n    ## Web server settings (note: host is the FQDN, do not include http://)\n    host: {{GITLAB_HOST}}\n    port: {{GITLAB_PORT}} # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details\n    https: {{GITLAB_HTTPS}} # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details\n    # The maximum time unicorn/puma can spend on the request. 
This needs to be smaller than the worker timeout.\n    # Default is 95% of the worker timeout\n    max_request_duration_seconds: 57\n\n    # Uncomment this line below if your ssh host is different from HTTP/HTTPS one\n    # (you'd obviously need to replace ssh.host_example.com with your own host).\n    # Otherwise, ssh host will be set to the `host:` value above\n    ssh_host: {{GITLAB_SSH_HOST}}\n\n    # Relative URL support\n    # WARNING: We recommend using an FQDN to host GitLab in a root path instead\n    # of using a relative URL.\n    # Documentation: http://doc.gitlab.com/ce/install/relative_url.html\n    # Uncomment and customize the following line to run in a non-root path\n    #\n    relative_url_root: {{GITLAB_RELATIVE_URL_ROOT}}\n\n    # Content Security Policy\n    # See https://guides.rubyonrails.org/security.html#content-security-policy\n    content_security_policy:\n      enabled: {{GITLAB_CONTENT_SECURITY_POLICY_ENABLED}}\n      report_only: {{GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY}}\n      directives:\n        base_uri: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI}}\"\n        child_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC}}\"\n        connect_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC}}\"\n        default_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC}}\"\n        font_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC}}\"\n        form_action: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION}}\"\n        frame_ancestors: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS}}\"\n        frame_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC}}\"\n        img_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC}}\"\n        manifest_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC}}\"\n        media_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC}}\"\n        object_src: 
\"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC}}\"\n        script_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC}}\"\n        style_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC}}\"\n        worker_src: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC}}\"\n        report_uri: \"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI}}\"\n\n    # Trusted Proxies\n    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.\n    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.\n    trusted_proxies:\n      - {{GITLAB_TRUSTED_PROXIES}}\n      # Examples:\n      #- 192.168.1.0/24\n      #- 192.168.2.1\n      #- 2001:0db8::/32\n\n    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')\n    # user: git\n\n    ## Date & Time settings\n    # Uncomment and customize if you want to change the default time zone of GitLab application.\n    # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`\n    time_zone: '{{GITLAB_TIMEZONE}}'\n\n    ## Email settings\n    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)\n    email_enabled: {{GITLAB_EMAIL_ENABLED}}\n    # Email address used in the \"From\" field in mails sent by GitLab\n    email_from: {{GITLAB_EMAIL}}\n    email_display_name: {{GITLAB_EMAIL_DISPLAY_NAME}}\n    email_reply_to: {{GITLAB_EMAIL_REPLY_TO}}\n    email_subject_suffix: '{{GITLAB_EMAIL_SUBJECT_SUFFIX}}'\n    #start-email-smime\n    email_smime:\n      # Uncomment and set to true if you need to enable email S/MIME signing (default: false)\n      enabled: {{GITLAB_EMAIL_SMIME_ENABLE}}\n      # S/MIME private key file in PEM format, unencrypted\n      # Default is '.gitlab_smime_key' relative to Rails.root (i.e. 
root of the GitLab app).\n      key_file: {{GITLAB_EMAIL_SMIME_KEY_FILE}}\n      # S/MIME public certificate key in PEM format, will be attached to signed messages\n      # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app).\n      cert_file: {{GITLAB_EMAIL_SMIME_CERT_FILE}}\n      #end-email-smime\n      # S/MIME extra CA public certificates in PEM format, will be attached to signed messages\n      # Optional\n      # ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs\n\n    # Email server smtp settings are in config/initializers/smtp_settings.rb.sample\n\n    default_projects_limit: {{GITLAB_PROJECTS_LIMIT}}\n    default_can_create_group: {{GITLAB_CREATE_GROUP}}  # default: true\n    username_changing_enabled: {{GITLAB_USERNAME_CHANGE}} # default: true - User can change their username/namespace\n    signup_enabled: {{GITLAB_SIGNUP_ENABLED}}\n    ## Default theme ID\n    ##   1 - Indigo\n    ##   2 - Dark\n    ##   3 - Light\n    ##   4 - Blue\n    ##   5 - Green\n    ##   6 - Light Indigo\n    ##   7 - Light Blue\n    ##   8 - Light Green\n    ##   9 - Red\n    ##   10 - Light Red\n    default_theme: {{GITLAB_DEFAULT_THEME}} # default: 1\n\n    ## Automatic issue closing\n    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.\n    # This happens when the commit is pushed or merged into the default branch of a project.\n    # When not specified the default issue_closing_pattern as specified below will be used.\n    # Tip: you can test your closing pattern at http://rubular.com.\n    issue_closing_pattern: '{{GITLAB_ISSUE_CLOSING_PATTERN}}'\n\n    ## Default project features settings\n    default_projects_features:\n      issues: {{GITLAB_PROJECTS_ISSUES}}\n      merge_requests: {{GITLAB_PROJECTS_MERGE_REQUESTS}}\n      wiki: {{GITLAB_PROJECTS_WIKI}}\n      snippets: {{GITLAB_PROJECTS_SNIPPETS}}\n      builds: {{GITLAB_PROJECTS_BUILDS}}\n      container_registry: 
{{GITLAB_PROJECTS_CONTAINER_REGISTRY}}\n\n    ## Webhook settings\n    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)\n    webhook_timeout: {{GITLAB_WEBHOOK_TIMEOUT}}\n\n    ### GraphQL Settings\n    # Tells the rails application how long it has to complete a GraphQL request.\n    # We suggest this value to be higher than the database timeout value\n    # and lower than the worker timeout set in unicorn/puma. (default: 30)\n    # graphql_timeout: 30\n\n    ## Repository downloads directory\n    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.\n    # The default is 'shared/cache/archive/' relative to the root of the Rails app.\n    repository_downloads_path: {{GITLAB_DOWNLOADS_DIR}}\n\n    ## Impersonation settings\n    impersonation_enabled: {{GITLAB_IMPERSONATION_ENABLED}}\n\n    ## Disable jQuery and CSS animations\n    # disable_animations: true\n\n  ## Reply by email\n  # Allow users to comment on issues and merge requests by replying to notification emails.\n  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html\n  incoming_email:\n    enabled: {{GITLAB_INCOMING_EMAIL_ENABLED}}\n\n    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.\n    # The placeholder can be omitted but if present, it must appear in the \"user\" part of the address (before the `@`).\n    # Please be aware that a placeholder is required for the Service Desk feature to work.\n    address: \"{{GITLAB_INCOMING_EMAIL_ADDRESS}}\"\n\n    # Email account username\n    # With third party providers, this is usually the full email address.\n    # With self-hosted email servers, this is usually the user part of the email address.\n    user: \"{{IMAP_USER}}\"\n    # Email account password\n    password: \"{{IMAP_PASS}}\"\n\n    # IMAP server host\n    host: 
\"{{IMAP_HOST}}\"\n    # IMAP server port\n    port: {{IMAP_PORT}}\n    # Whether the IMAP server uses SSL\n    ssl: {{IMAP_SSL}}\n    # Whether the IMAP server uses StartTLS\n    start_tls: {{IMAP_STARTTLS}}\n\n    # The mailbox where incoming mail will end up. Usually \"inbox\".\n    mailbox: \"{{IMAP_MAILBOX}}\"\n\n    # The IDLE command timeout.\n    idle_timeout: {{IMAP_TIMEOUT}}\n    # The log file path for the structured log file.\n    # Since `mail_room` is run independently of Rails, an absolute path is preferred.\n    # The default is 'log/mail_room_json.log' relative to the root of the Rails app.\n    #\n    # log_path: log/mail_room_json.log\n\n    # Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery\n    expunge_deleted: false\n\n  ## Build Artifacts\n  artifacts:\n    enabled: {{GITLAB_ARTIFACTS_ENABLED}}\n    # The location where build artifacts are stored (default: shared/artifacts).\n    path: {{GITLAB_ARTIFACTS_DIR}}\n    object_store:\n      enabled: {{GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED}}\n      remote_directory: {{GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name\n      direct_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Artifacts without the need of local shared storage.\n      background_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true)\n      proxy_download: {{GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage\n      connection:\n        provider: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment\n        #start-artifacts-aws\n        aws_access_key_id: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}\n        aws_secret_access_key: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}\n        region: 
{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION}}\n        host: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com\n        aws_signature_version: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4.\n        endpoint: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces\n        path_style: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'\n        #end-artifacts-aws\n        #start-artifacts-gcs\n        google_project: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}}\n        google_client_email: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}}\n        google_json_key_location: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}}\n        #end-artifacts-gcs\n\n  ## Merge request external diff storage\n  external_diffs:\n    # If disabled (the default), the diffs are in-database. 
Otherwise, they can\n    # be stored on disk, or in object storage\n    enabled: false\n    # The location where external diffs are stored (default: shared/lfs-external-diffs).\n    # storage_path: shared/external-diffs\n    # object_store:\n    #   enabled: false\n    #   remote_directory: external-diffs\n    #   background_upload: false\n    #   proxy_download: false\n    #   connection:\n    #     provider: AWS\n    #     aws_access_key_id: AWS_ACCESS_KEY_ID\n    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY\n    #     region: us-east-1\n\n  ## Git LFS\n  lfs:\n    enabled: {{GITLAB_LFS_ENABLED}}\n    # The location where LFS objects are stored (default: shared/lfs-objects).\n    storage_path: {{GITLAB_LFS_OBJECTS_DIR}}\n    object_store:\n      enabled: {{GITLAB_LFS_OBJECT_STORE_ENABLED}}\n      remote_directory: {{GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name\n      direct_upload: {{GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)\n      background_upload: {{GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true)\n      proxy_download: {{GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage\n      connection:\n        provider: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}}\n        #start-lfs-aws\n        aws_access_key_id: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}\n        aws_secret_access_key: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}\n        aws_signature_version: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. 
Set to 2 if provider does not support v4.\n        region: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION}}\n        host: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com\n        endpoint: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil\n        path_style: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'\n        #end-lfs-aws\n        #start-lfs-gcs\n        google_project: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}}\n        google_client_email: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}}\n        google_json_key_location: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}}\n        #end-lfs-gcs\n\n        # Use the following options to configure an AWS compatible host\n        # host: 'localhost' # default: s3.amazonaws.com\n        # endpoint: 'http://127.0.0.1:9000' # default: nil\n        # aws_signature_version: 4 # For creation of signed URLs. 
Set to 2 if provider does not support v4.\n        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'\n\n  ## Uploads (attachments, avatars, etc...)\n  uploads:\n    # The location where uploads objects are stored (default: public/).\n    storage_path: {{GITLAB_UPLOADS_STORAGE_PATH}}\n    base_dir: {{GITLAB_UPLOADS_BASE_DIR}}\n    object_store:\n      enabled: {{GITLAB_UPLOADS_OBJECT_STORE_ENABLED}}\n      remote_directory: {{GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name\n      direct_upload: {{GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)\n      background_upload: {{GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true)\n      proxy_download: {{GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage\n      connection:\n        provider: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}}\n        #start-uploads-aws\n        aws_access_key_id: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}\n        aws_secret_access_key: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}\n        aws_signature_version: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. 
Set to 2 if provider does not support v4.\n        region: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION}}\n        host: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com\n        endpoint: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil\n        path_style: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'\n        #end-uploads-aws\n        #start-uploads-gcs\n        google_project: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}}\n        google_client_email: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}}\n        google_json_key_location: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}}\n        #end-uploads-gcs\n\n  ## Packages (maven repository, npm registry, etc...)\n  packages:\n    enabled: {{GITLAB_PACKAGES_ENABLED}}\n    # The location where build packages are stored (default: shared/packages).\n    path: {{GITLAB_PACKAGES_DIR}}\n    object_store:\n      enabled: {{GITLAB_PACKAGES_OBJECT_STORE_ENABLED}}\n      remote_directory: {{GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name\n      direct_upload: {{GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Packages without the need of local shared storage.\n      background_upload: {{GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true)\n      proxy_download: {{GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage\n      connection:\n        provider: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment\n        #start-packages-aws\n        aws_access_key_id: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}\n        aws_secret_access_key: 
{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}\n        region: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION}}\n        host: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com\n        aws_signature_version: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4.\n        endpoint: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces\n        path_style: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'\n        #end-packages-aws\n        #start-packages-gcs\n        google_project: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}}\n        google_client_email: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}}\n        google_json_key_location: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}}\n        #end-packages-gcs\n\n  \n  ## Dependency Proxy\n  dependency_proxy:\n    enabled: true\n    # The location where build packages are stored (default: shared/dependency_proxy).\n    # storage_path: shared/dependency_proxy\n    object_store:\n      enabled: false\n      remote_directory: dependency_proxy # The bucket name\n      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)\n      # background_upload: false # Temporary option to limit automatic upload (Default: true)\n      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage\n      connection:\n        provider: AWS\n        aws_access_key_id: AWS_ACCESS_KEY_ID\n        aws_secret_access_key: AWS_SECRET_ACCESS_KEY\n        region: us-east-1\n        # host: 'localhost' # default: s3.amazonaws.com\n        # endpoint: 'http://127.0.0.1:9000' # 
default: nil\n        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.\n        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'\n\n  ## Terraform state\n  terraform_state:\n    enabled: {{GITLAB_TERRAFORM_STATE_ENABLED}}\n    # The location where Terraform state files are stored (default: shared/terraform_state).\n    storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}\n    object_store:\n      enabled: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED}}\n      remote_directory: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name\n      connection:\n        provider: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}}\n        #start-terraform_state-aws\n        aws_access_key_id: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}\n        aws_secret_access_key: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}\n        region: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION}}\n        host: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com\n        endpoint: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil\n        aws_signature_version: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. 
Set to 2 if provider does not support v4.\n        path_style: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'\n        #end-terraform_state-aws\n        #start-terraform_state-gcs\n        google_project: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}}\n        google_client_email: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}}\n        google_json_key_location: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}}\n        #end-terraform_state-gcs\n\n  ## GitLab Pages\n  pages:\n    enabled: {{GITLAB_PAGES_ENABLED}}\n    access_control: {{GITLAB_PAGES_ACCESS_CONTROL}}\n    # The location where pages are stored (default: shared/pages).\n    # path: shared/pages\n\n    # The domain under which the pages are served:\n    # http://group.example.com/project\n    # or project path can be a group page: group.example.com\n    host: {{GITLAB_PAGES_DOMAIN}}\n    port: {{GITLAB_PAGES_PORT}} # Set to 443 if you serve the pages with HTTPS\n    https: {{GITLAB_PAGES_HTTPS}} # Set to true if you serve the pages with HTTPS\n    artifacts_server: {{GITLAB_PAGES_ARTIFACTS_SERVER}} # Set to false if you want to disable online view of HTML artifacts\n    external_http: {{GITLAB_PAGES_EXTERNAL_HTTP}} # If defined, enables custom domain support in GitLab Pages\n    external_https: {{GITLAB_PAGES_EXTERNAL_HTTPS}} # If defined, enables custom domain and certificate support in GitLab Pages\n    namespace_in_path: {{GITLAB_PAGES_NAMESPACE_IN_PATH}}\n\n    # File that contains the shared secret key for verifying access for gitlab-pages.\n    # Default is '.gitlab_pages_secret' relative to Rails.root (i.e. 
root of the GitLab app).\n    # secret_file: /home/git/gitlab/.gitlab_pages_secret\n\n  ## Mattermost\n  ## For enabling Add to Mattermost button\n  mattermost:\n    enabled: {{GITLAB_MATTERMOST_ENABLED}}\n    host: '{{GITLAB_MATTERMOST_URL}}'\n\n  ## Gravatar\n  ## If using gravatar.com, there's nothing to change here. For Libravatar\n  ## you'll need to provide the custom URLs. For more information,\n  ## see: https://docs.gitlab.com/ee/customization/libravatar.html\n  gravatar:\n    enabled: {{GITLAB_GRAVATAR_ENABLED}}\n    # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username}\n    plain_url: \"{{GITLAB_GRAVATAR_HTTP_URL}}\"     # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon\n    ssl_url:   \"{{GITLAB_GRAVATAR_HTTPS_URL}}\"    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon\n\n  ## Sidekiq\n  sidekiq:\n    log_format: {{GITLAB_SIDEKIQ_LOG_FORMAT}} # (default is the original format)\n\n  ## Auxiliary jobs\n  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.\n  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job\n  cron_jobs:\n    # Flag stuck CI jobs as failed\n    stuck_ci_jobs_worker:\n      cron: \"0 * * * *\"\n    # Execute scheduled triggers\n    pipeline_schedule_worker:\n      cron: \"{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}\"\n    # Remove expired build artifacts\n    expire_build_artifacts_worker:\n      cron: \"50 * * * *\"\n    # Stop expired environments\n    environments_auto_stop_cron_worker:\n      cron: \"24 * * * *\"\n    # Periodically run 'git fsck' on all repositories. 
If started more than\n    # once per hour you will have concurrent 'git fsck' jobs.\n    repository_check_worker:\n      cron: \"20 * * * *\"\n    # Archive live traces which have not been archived yet\n    ci_archive_traces_cron_worker:\n      cron: \"17 * * * *\"\n    # Send admin emails once a week\n    admin_email_worker:\n      cron: \"0 0 * * 0\"\n    # Send emails for personal tokens which are about to expire\n    personal_access_tokens_expiring_worker:\n      cron: \"0 1 * * *\"\n\n    # Remove outdated repository archives\n    repository_archive_cache_worker:\n      cron: \"0 * * * *\"\n\n    # Verify custom GitLab Pages domains\n    pages_domain_verification_cron_worker:\n      cron: \"*/15 * * * *\"\n\n    # Periodically migrate diffs from the database to external storage\n    schedule_migrate_external_diffs_worker:\n      cron: \"15 * * * *\"\n\n  # GitLab EE only jobs. These jobs are automatically enabled for an EE\n  # installation, and ignored for a CE installation.\n  ee_cron_jobs:\n    # Snapshot active users statistics\n    historical_data_worker:\n      cron: \"0 12 * * *\"\n\n    # In addition to refreshing users when they log in,\n    # periodically refresh LDAP users membership.\n    # NOTE: This will only take effect if LDAP is enabled\n    ldap_sync_worker:\n      cron: \"30 1 * * *\"\n\n    # Periodically refresh LDAP groups membership.\n    # NOTE: This will only take effect if LDAP is enabled\n    ldap_group_sync_worker:\n      cron: \"0 * * * *\"\n\n    # GitLab Geo metrics update worker\n    # NOTE: This will only take effect if Geo is enabled\n    geo_metrics_update_worker:\n      cron: \"*/1 * * * *\"\n\n    # GitLab Geo prune event log worker\n    # NOTE: This will only take effect if Geo is enabled (primary node only)\n    geo_prune_event_log_worker:\n      cron: \"*/5 * * * *\"\n\n    # GitLab Geo repository sync worker\n    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)\n    
geo_repository_sync_worker:\n      cron: \"*/1 * * * *\"\n\n    # GitLab Geo registry backfill worker\n    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)\n    geo_secondary_registry_consistency_worker:\n      cron: \"* * * * *\"\n\n    # GitLab Geo file download dispatch worker\n    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)\n    geo_file_download_dispatch_worker:\n      cron: \"*/1 * * * *\"\n\n    # GitLab Geo migrated local files clean up worker\n    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)\n    geo_migrated_local_files_clean_up_worker:\n      cron: \"15 */6 * * *\"\n\n    # Export pseudonymized data in CSV format for analysis\n    pseudonymizer_worker:\n      cron: \"0 * * * *\"\n\n    # Elasticsearch bulk updater for incremental updates.\n    # NOTE: This will only take effect if elasticsearch is enabled.\n    elastic_index_bulk_cron_worker:\n      cron: \"*/1 * * * *\"\n\n  registry:\n    enabled: {{GITLAB_REGISTRY_ENABLED}}\n    host: {{GITLAB_REGISTRY_HOST}}\n    port: {{GITLAB_REGISTRY_PORT}}\n    api_url: {{GITLAB_REGISTRY_API_URL}} # internal address to the registry, will be used by GitLab to directly communicate with API\n    key: {{GITLAB_REGISTRY_KEY_PATH}}\n    path: {{GITLAB_REGISTRY_DIR}}\n    issuer: {{GITLAB_REGISTRY_ISSUER}}\n    # notification_secret: '' # only set it when you use Geo replication feature without built-in Registry\n\n    # Add notification settings if you plan to use Geo Replication for the registry\n    # notifications:\n    # - name: geo_event\n    #   url: https://example.com/api/v4/container_registry_event/events\n    #   timeout: 2s\n    #   threshold: 5\n    #   backoff: 1s\n    #   headers:\n    #     Authorization: secret_phrase\n\n  ## Error Reporting and Logging with Sentry\n  sentry:\n    enabled: {{SENTRY_ENABLED}}\n    dsn: {{SENTRY_DSN}}\n    clientside_dsn: {{SENTRY_CLIENTSIDE_DSN}}\n    environment: 
'{{SENTRY_ENVIRONMENT}}' # e.g. development, staging, production\n\n  ## Geo\n  # NOTE: These settings will only take effect if Geo is enabled\n  geo:\n    # This is an optional identifier which Geo nodes can use to identify themselves.\n    # For example, if external_url is the same for two secondaries, you must specify\n    # a unique Geo node name for those secondaries.\n    #\n    # If it is blank, it defaults to external_url.\n    node_name: ''\n\n    registry_replication:\n      # enabled: true\n      # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API\n\n  ## Feature Flag https://docs.gitlab.com/ee/user/project/operations/feature_flags.html\n  feature_flags:\n    unleash:\n      # enabled: false\n      # url: https://gitlab.com/api/v4/feature_flags/unleash/<project_id>\n      # app_name: gitlab.com # Environment name of your GitLab instance\n      # instance_id: INSTANCE_ID\n\n  #\n  # 2. GitLab CI settings\n  # ==========================\n\n  gitlab_ci:\n    # Default project notifications settings:\n    #\n    # Send emails only on broken builds (default: true)\n    all_broken_builds: {{GITLAB_NOTIFY_ON_BROKEN_BUILDS}}\n    #\n    # Add pusher to recipients list (default: false)\n    add_pusher: {{GITLAB_NOTIFY_PUSHER}}\n\n    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root\n    builds_path: {{GITLAB_BUILDS_DIR}}\n\n  #\n  # 3. Auth settings\n  # ==========================\n\n  ## LDAP settings\n  # You can test connections and inspect a sample of the LDAP users with login\n  # access by running:\n  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production\n  ldap:\n    enabled: {{LDAP_ENABLED}}\n    prevent_ldap_sign_in: {{LDAP_PREVENT_LDAP_SIGN_IN}}\n\n    # This setting controls the number of seconds between LDAP permission checks\n    # for each user. 
After this time has expired for a given user, their next\n    # interaction with GitLab (a click in the web UI, a git pull, etc.) will be\n    # slower because the LDAP permission check is being performed. How much\n    # slower depends on your LDAP setup, but it is not uncommon for this check\n    # to add seconds of waiting time. The default value is to have a \"slow\n    # click\" once every 3600 seconds (i.e., once per hour).\n    #\n    # Warning: if you set this value too low, every click in GitLab will be a\n    # \"slow click\" for all of your LDAP users.\n    # sync_time: 3600\n\n    servers:\n      ##########################################################################\n      #\n      # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab\n      # Enterprise Edition now supports connecting to multiple LDAP servers.\n      #\n      # If you are updating from the old (pre-7.4) syntax, you MUST give your\n      # old server the ID 'main'.\n      #\n      ##########################################################################\n      main: # 'main' is the GitLab 'provider ID' of this LDAP server\n        ## label\n        #\n        # A human-friendly name for your LDAP server. It is OK to change the label later,\n        # for instance if you find out it is too large to fit on the web page.\n        #\n        # Example: 'Paris' or 'Acme, Ltd.'\n        label: '{{LDAP_LABEL}}'\n\n        # Example: 'ldap.mydomain.com'\n        host: '{{LDAP_HOST}}'\n        # This port is an example, it is sometimes different but it is always an integer and not a string\n        port: {{LDAP_PORT}} # usually 636 for SSL\n        uid: '{{LDAP_UID}}' # This should be the attribute, not the value that maps to uid.\n\n        # Examples: 'america\\\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com'\n        bind_dn: '{{LDAP_BIND_DN}}'\n        password: '{{LDAP_PASS}}'\n\n        # Encryption method. 
The \"method\" key is deprecated in favor of\n        # \"encryption\".\n        #\n        #   Examples: \"start_tls\" or \"simple_tls\" or \"plain\"\n        #\n        #   Deprecated values: \"tls\" was replaced with \"start_tls\" and \"ssl\" was\n        #   replaced with \"simple_tls\".\n        #\n        encryption: '{{LDAP_METHOD}}'\n\n        # Enables SSL certificate verification if encryption method is\n        # \"start_tls\" or \"simple_tls\". Defaults to true.\n        verify_certificates: {{LDAP_VERIFY_SSL}}\n\n        # OpenSSL::SSL::SSLContext options.\n        tls_options:\n          # Specifies the path to a file containing a PEM-format CA certificate,\n          # e.g. if you need to use an internal CA.\n          #\n          #   Example: '/etc/ca.pem'\n          #\n          ca_file: '{{LDAP_CA_FILE}}'\n\n          # Specifies the SSL version for OpenSSL to use, if the OpenSSL default\n          # is not appropriate.\n          #\n          #   Example: 'TLSv1_1'\n          #\n          ssl_version: '{{LDAP_SSL_VERSION}}'\n\n          # Specific SSL ciphers to use in communication with LDAP servers.\n          #\n          # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'\n          ciphers: ''\n\n          # Client certificate\n          #\n          # Example:\n          #   cert: |\n          #     -----BEGIN CERTIFICATE-----\n          #     MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ\n          #     bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE\n          #     CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4\n          #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl\n          #     ...\n          #     4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80\n          #     Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==\n          #     -----END CERTIFICATE -----\n          cert: ''\n\n          # 
Client private key\n          #   key: |\n          #     -----BEGIN PRIVATE KEY-----\n          #     MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6\n          #     bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN\n          #     7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C\n          #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl\n          #     ...\n          #     +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9\n          #     l6RG+a/mW+0rCWn8JAd464Ps9hE=\n          #     -----END PRIVATE KEY-----\n          key: ''\n\n        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking\n        # a request if the LDAP server becomes unresponsive.\n        # A value of 0 means there is no timeout.\n        timeout: {{LDAP_TIMEOUT}}\n\n        # Enable smartcard authentication against the LDAP server. Valid values\n        # are \"false\", \"optional\", and \"required\".\n        smartcard_auth: false\n\n        # This setting specifies if LDAP server is Active Directory LDAP server.\n        # For non AD servers it skips the AD specific queries.\n        # If your LDAP server is not AD, set this to false.\n        active_directory: {{LDAP_ACTIVE_DIRECTORY}}\n\n        # If allow_username_or_email_login is enabled, GitLab will ignore everything\n        # after the first '@' in the LDAP username submitted by the user on login.\n        #\n        # Example:\n        # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;\n        # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.\n        #\n        # If you are using \"uid: 'userPrincipalName'\" on ActiveDirectory you need to\n        # disable this setting, because the userPrincipalName contains an '@'.\n        allow_username_or_email_login: {{LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN}}\n\n        # To 
maintain tight control over the number of active users on your GitLab installation,\n        # enable this setting to keep new users blocked until they have been cleared by the admin\n        # (default: false).\n        block_auto_created_users: {{LDAP_BLOCK_AUTO_CREATED_USERS}}\n\n        # Base where we can search for users\n        #\n        #   Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com'\n        #\n        base: '{{LDAP_BASE}}'\n\n        # Filter LDAP users\n        #\n        #   Format: RFC 4515 https://tools.ietf.org/search/rfc4515\n        #   Ex. (employeeType=developer)\n        #\n        #   Note: GitLab does not support omniauth-ldap's custom filter syntax.\n        #\n        #   Example for getting only specific users:\n        #   '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'\n        #\n        user_filter: '{{LDAP_USER_FILTER}}'\n\n        # Base where we can search for groups\n        #\n        #   Ex. ou=Groups,dc=gitlab,dc=example\n        #\n        group_base: ''\n\n        # LDAP group of users who should be admins in GitLab\n        #\n        #   Ex. GLAdmins\n        #\n        admin_group: ''\n\n        # LDAP group of users who should be marked as external users in GitLab\n        #\n        #   Ex. ['Contractors', 'Interns']\n        #\n        external_groups: []\n\n        # Name of attribute which holds an SSH public key of the user object.\n        # If false or nil, SSH key synchronisation will be disabled.\n        #\n        #   Ex. sshpublickey\n        #\n        sync_ssh_keys: false\n\n        # LDAP attributes that GitLab will use to create an account for the LDAP user.\n        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),\n        # or an array of attribute names to try in order (e.g. 
['mail', 'email']).\n        # Note that the user's LDAP login will always be the attribute specified as `uid` above.\n        attributes:\n          # The username will be used in paths for the user's own projects\n          # (like `gitlab.example.com/username/project`) and when mentioning\n          # them in issues, merge request and comments (like `@username`).\n          # If the attribute specified for `username` contains an email address,\n          # the GitLab username will be the part of the email address before the '@'.\n          username: {{LDAP_USER_ATTRIBUTE_USERNAME}}\n          email:    {{LDAP_USER_ATTRIBUTE_MAIL}}\n\n          # If no full name could be found at the attribute specified for `name`,\n          # the full name is determined using the attributes specified for\n          # `first_name` and `last_name`.\n          name:       '{{LDAP_USER_ATTRIBUTE_NAME}}'\n          first_name: '{{LDAP_USER_ATTRIBUTE_FIRSTNAME}}'\n          last_name:  '{{LDAP_USER_ATTRIBUTE_LASTNAME}}'\n\n        # If lowercase_usernames is enabled, GitLab will lower case the username.\n        lowercase_usernames: {{LDAP_LOWERCASE_USERNAMES}}\n\n      # GitLab EE only: add more LDAP servers\n      # Choose an ID made of a-z and 0-9 . 
This ID will be stored in the database\n      # so that GitLab can remember which LDAP server a user belongs to.\n      # uswest2:\n      #   label:\n      #   host:\n      #   ....\n\n  ## Smartcard authentication settings\n  smartcard:\n    # Allow smartcard authentication\n    enabled: false\n\n    # Path to a file containing a CA certificate bundle\n    ca_file: '/etc/ssl/certs/CA.pem'\n\n    # Host and port where the client side certificate is requested by the\n    # webserver (NGINX/Apache)\n    # client_certificate_required_host: smartcard.gitlab.example.com\n    # client_certificate_required_port: 3444\n\n    # Browser session with smartcard sign-in is required for Git access\n    # required_for_git_access: false\n\n    # Use X.509 SAN extensions certificates to identify GitLab users\n    # Add a subjectAltName to your certificates like: email:user\n    # san_extensions: true\n\n  ## Kerberos settings\n  kerberos:\n    # Allow the HTTP Negotiate authentication method for Git clients\n    enabled: false\n\n    # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,\n    # and should be different from other keytabs in the system.\n    # (default: use default keytab from Krb5 config)\n    # keytab: /etc/http.keytab\n\n    # The Kerberos service name to be used by GitLab.\n    # (default: accept any service name in keytab file)\n    # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM\n\n    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.\n    # To support both Basic and Negotiate methods with older versions of Git, configure\n    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines\n    # to dedicate this port to Kerberos authentication. (default: false)\n    # use_dedicated_port: true\n    # port: 8443\n    # https: true\n\n  ## OmniAuth settings\n  omniauth:\n    # Allow login via Twitter, Google, etc. 
using OmniAuth providers\n    enabled: {{OAUTH_ENABLED}}\n\n    # Uncomment this to automatically sign in with a specific omniauth provider's without\n    # showing GitLab's sign-in page (default: show the GitLab sign-in page)\n    auto_sign_in_with_provider: {{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}}\n\n    # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).\n    # Define the allowed providers using an array, e.g. [\"cas3\", \"saml\", \"twitter\"],\n    # or as true/false to allow all providers or none.\n    # When authenticating using LDAP, the user's email is always synced.\n    # sync_profile_from_provider: []\n\n    # Select which info to sync from the providers above. (default: email).\n    # Define the synced profile info using an array. Available options are \"name\", \"email\" and \"location\"\n    # e.g. [\"name\", \"email\", \"location\"] or as true to sync all available.\n    # This consequently will make the selected attributes read-only.\n    # sync_profile_attributes: true\n\n    # CAUTION!\n    # This allows users to login without having a user account first. Define the allowed providers\n    # using an array, e.g. [\"saml\", \"twitter\"], or as true/false to allow all providers or none.\n    # User accounts will be created automatically when authentication was successful.\n    allow_single_sign_on: [\"{{OAUTH_ALLOW_SSO}}\"]\n\n    # Locks down those users until they have been cleared by the admin (default: true).\n    block_auto_created_users: {{OAUTH_BLOCK_AUTO_CREATED_USERS}}\n    # Look up new users in LDAP servers. If a match is found (same uid), automatically\n    # link the omniauth identity with the LDAP account. 
(default: false)\n    auto_link_ldap_user: {{OAUTH_AUTO_LINK_LDAP_USER}}\n\n    # Allow users with existing accounts to login and auto link their account via SAML\n    # login, without having to do a manual login first and manually add SAML\n    # (default: false)\n    auto_link_saml_user: {{OAUTH_AUTO_LINK_SAML_USER}}\n\n    # Allow users with existing accounts to login and auto link their account via the\n    # defined Omniauth providers login, without having to do a manual login first and\n    # manually connect their chosen provider.\n    # (default: [])\n    auto_link_user: [{{OAUTH_AUTO_LINK_USER}}]\n\n    # Set different Omniauth providers as external so that all users creating accounts\n    # via these providers will not be able to have access to internal projects. You\n    # will need to use the full name of the provider, like `google_oauth2` for Google.\n    # Refer to the examples below for the full names of the supported providers.\n    # (default: [])\n    external_providers: [{{OAUTH_EXTERNAL_PROVIDERS}}]\n\n    # CAUTION!\n    # This allows users to login with the specified providers without two factor. Define the allowed providers\n    # using an array, e.g. 
[\"twitter\", 'google_oauth2'], or as true/false to allow all providers or none.\n    # This option should only be configured for providers which already have two factor.\n    # This configuration does not apply to SAML.\n    # (default: false)\n    allow_bypass_two_factor: {{OAUTH_ALLOW_BYPASS_TWO_FACTOR}}\n\n    ## Auth providers\n    # Uncomment the following lines and fill in the data of the auth provider you want to use\n    # If your favorite auth provider is not listed you can use others:\n    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations\n    # The 'app_id' and 'app_secret' parameters are always passed as the first two\n    # arguments, followed by optional 'args' which can be either a hash or an array.\n    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html\n    providers:\n      # See omniauth-cas3 for more configuration details\n      - { name: 'cas3',\n          label: '{{OAUTH_CAS3_LABEL}}',\n          args: {\n                  url: '{{OAUTH_CAS3_SERVER}}',\n                  disable_ssl_verification: {{OAUTH_CAS3_DISABLE_SSL_VERIFICATION}},\n                  login_url: '{{OAUTH_CAS3_LOGIN_URL}}',\n                  service_validate_url: '{{OAUTH_CAS3_VALIDATE_URL}}',\n                  logout_url: '{{OAUTH_CAS3_LOGOUT_URL}}'} }\n      - { name: 'authentiq',\n          app_id: '{{OAUTH_AUTHENTIQ_CLIENT_ID}}',\n          app_secret: 'OAUTH_AUTHENTIQ_CLIENT_SECRET',\n          args: { scope: {{OAUTH_AUTHENTIQ_SCOPE}}, redirect_uri: '{{OAUTH_AUTHENTIQ_REDIRECT_URI}}' } }\n      - { name: 'github',\n          label: 'GitHub',\n          app_id: '{{OAUTH_GITHUB_API_KEY}}',\n          app_secret: '{{OAUTH_GITHUB_APP_SECRET}}',\n          url: \"{{OAUTH_GITHUB_URL}}\",\n          verify_ssl: {{OAUTH_GITHUB_VERIFY_SSL}},\n          args: { scope: '{{OAUTH_GITHUB_SCOPE}}' } }\n      - { name: 'bitbucket',\n          app_id: '{{OAUTH_BITBUCKET_API_KEY}}',\n          
app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}',\n          url: '{{OAUTH_BITBUCKET_URL}}' }\n      - { name: 'gitlab',\n          label: 'GitLab.com',\n          app_id: '{{OAUTH_GITLAB_API_KEY}}',\n          app_secret: '{{OAUTH_GITLAB_APP_SECRET}}',\n          args: { scope: '{{OAUTH_GITLAB_SCOPE}}' } }\n      - { name: 'google_oauth2',\n          label: 'Google',\n          app_id: '{{OAUTH_GOOGLE_API_KEY}}',\n          app_secret: '{{OAUTH_GOOGLE_APP_SECRET}}',\n          args: {\n            access_type: 'offline',\n            approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}',\n            hd: [{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}] } }\n      - { name: 'facebook',\n          app_id: '{{OAUTH_FACEBOOK_API_KEY}}',\n          app_secret: '{{OAUTH_FACEBOOK_APP_SECRET}}' }\n      - { name: 'twitter',\n          app_id: '{{OAUTH_TWITTER_API_KEY}}',\n          app_secret: '{{OAUTH_TWITTER_APP_SECRET}}' }\n      - { name: 'saml',\n          label: '{{OAUTH_SAML_LABEL}}',\n          groups_attribute: '{{OAUTH_SAML_GROUPS_ATTRIBUTE}}',\n          external_groups: [{{OAUTH_SAML_EXTERNAL_GROUPS}}],\n          args: {\n                  assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}',\n                  idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}',\n                  idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}',\n                  issuer: '{{OAUTH_SAML_ISSUER}}',\n                  attribute_statements: {\n                    first_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}}'],\n                    last_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME}}'],\n                    username: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME}}'],\n                    name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}}'],\n                    email: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}'] },\n                  name_identifier_format: '{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}' } }\n      - { name: 'crowd',\n          
args: {\n            crowd_server_url: '{{OAUTH_CROWD_SERVER_URL}}',\n            application_name: '{{OAUTH_CROWD_APP_NAME}}',\n            application_password: '{{OAUTH_CROWD_APP_PASSWORD}}' } }\n      - { name: 'auth0',\n          args: {\n            client_id: '{{OAUTH_AUTH0_CLIENT_ID}}',\n            client_secret: '{{OAUTH_AUTH0_CLIENT_SECRET}}',\n            domain: '{{OAUTH_AUTH0_DOMAIN}}',\n            scope: '{{OAUTH_AUTH0_SCOPE}}'  } }\n      - { name: 'oauth2_generic',\n          app_id: '{{OAUTH2_GENERIC_APP_ID}}',\n          app_secret: '{{OAUTH2_GENERIC_APP_SECRET}}',\n          args: {\n            client_options: {\n              site: '{{OAUTH2_GENERIC_CLIENT_SITE}}',\n              user_info_url: '{{OAUTH2_GENERIC_CLIENT_USER_INFO_URL}}',\n              authorize_url: '{{OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL}}',\n              token_url: '{{OAUTH2_GENERIC_CLIENT_TOKEN_URL}}',\n              end_session_endpoint: '{{OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT}}',\n                        },\n            user_response_structure: {\n            id_path: '{{OAUTH2_GENERIC_ID_PATH}}',\n            attributes: {\n              uid: '{{OAUTH2_GENERIC_USER_UID}}',\n              name: '{{OAUTH2_GENERIC_USER_NAME}}',\n              email: '{{OAUTH2_GENERIC_USER_EMAIL}}'\n              }\n            },\n            authorize_params: { scope: \"{{OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE}}\" },\n            label: '{{OAUTH2_GENERIC_LABEL}}',\n            name: '{{OAUTH2_GENERIC_NAME}}' }}\n      - { name: 'azure_oauth2',\n          args: {\n            client_id: '{{OAUTH_AZURE_API_KEY}}',\n            client_secret: '{{OAUTH_AZURE_API_SECRET}}',\n            tenant_id: '{{OAUTH_AZURE_TENANT_ID}}' } }\n      - { name: 'azure_activedirectory_v2',\n          label: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL}}',\n          args: {\n            client_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID}}',\n            client_secret: 
'{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET}}',\n            tenant_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}' } }\n      - { name: 'openid_connect',\n          label: '{{OAUTH_OIDC_LABEL}}',\n          icon: '{{OAUTH_OIDC_ICON}}',\n          args: {\n            name: 'openid_connect',\n            scope: {{OAUTH_OIDC_SCOPE}},\n            response_type: '{{OAUTH_OIDC_RESPONSE_TYPE}}',\n            issuer: '{{OAUTH_OIDC_ISSUER}}',\n            discovery: {{OAUTH_OIDC_DISCOVERY}},\n            client_auth_method: '{{OAUTH_OIDC_CLIENT_AUTH_METHOD}}',\n            uid_field: '{{OAUTH_OIDC_UID_FIELD}}',\n            send_scope_to_token_endpoint: {{OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP}},\n            pkce: {{OAUTH_OIDC_PKCE}},\n            client_options: {\n              identifier: '{{OAUTH_OIDC_CLIENT_ID}}',\n              secret: '{{OAUTH_OIDC_CLIENT_SECRET}}',\n              redirect_uri: '{{OAUTH_OIDC_REDIRECT_URI}}' } } }\n      - { name: 'jwt',\n          label: '{{OAUTH_JWT_LABEL}}',\n          args: {\n            secret: '{{OAUTH_JWT_SECRET}}',\n            algorithm: '{{OAUTH_JWT_ALGORITHM}}',\n            uid_claim: '{{OAUTH_JWT_UID_CLAIM}}',\n            required_claims: {{OAUTH_JWT_REQUIRED_CLAIMS}},\n            info_map: { name: '{{OAUTH_JWT_INFO_MAP_NAME}}', email: '{{OAUTH_JWT_INFO_MAP_EMAIL}}' },\n            auth_url: '{{OAUTH_JWT_AUTH_URL}}',\n            valid_within: {{OAUTH_JWT_VALID_WITHIN}} } }\n    # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.\n    # cas3:\n    #   session_duration: 28800\n\n  # Shared file storage settings\n  shared:\n    path: {{GITLAB_SHARED_DIR}} # Default: shared\n\n  # Gitaly settings\n  gitaly:\n    # Path to the directory containing Gitaly client executables.\n    client_path: {{GITALY_CLIENT_PATH}}\n    # Default Gitaly authentication token. Can be overridden per storage. 
Can\n    # be left blank when Gitaly is running locally on a Unix socket, which\n    # is the normal way to deploy Gitaly.\n    token: {{GITALY_TOKEN}}\n\n  #\n  # 4. Advanced settings\n  # ==========================\n\n  ## Repositories settings\n  repositories:\n    # Paths where repositories can be stored. Give the canonicalized absolute pathname.\n    # IMPORTANT: None of the path components may be a symlink, because\n    # gitlab-shell invokes Dir.pwd inside the repository path and that results\n    # in the real path, not the symlink.\n    storages: # You must have at least a `default` storage path.\n      default:\n        path: {{GITLAB_REPOS_DIR}}/\n        gitaly_address: unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).\n        # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.\n\n  ## Backup settings\n  backup:\n    path: \"{{GITLAB_BACKUP_DIR}}\"   # Relative paths are relative to Rails.root (default: tmp/backups/)\n    archive_permissions: {{GITLAB_BACKUP_ARCHIVE_PERMISSIONS}} # Permissions for the resulting backup.tar file (default: 0600)\n    keep_time: {{GITLAB_BACKUP_EXPIRY}}   # default: 0 (forever) (in seconds)\n    pg_schema: {{GITLAB_BACKUP_PG_SCHEMA}}     # default: nil, it means that all schemas will be backed up\n    upload:\n      # Fog storage connection settings, see http://fog.io/storage/ .\n      #start-aws\n      connection:\n        provider: AWS\n        region: {{AWS_BACKUP_REGION}}\n        endpoint: {{AWS_BACKUP_ENDPOINT}}\n        path_style: {{AWS_BACKUP_PATH_STYLE}}\n        aws_access_key_id: {{AWS_BACKUP_ACCESS_KEY_ID}}\n        aws_secret_access_key: '{{AWS_BACKUP_SECRET_ACCESS_KEY}}'\n        aws_signature_version: {{AWS_BACKUP_SIGNATURE_VERSION}}\n      # The remote 'directory' to store your backups. 
For S3, this would be the bucket name.\n      remote_directory: '{{AWS_BACKUP_BUCKET}}'\n      #start-multipart-aws\n      # Use multipart uploads when file size reaches 100MB, see\n      # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html\n      multipart_chunk_size: {{AWS_BACKUP_MULTIPART_CHUNK_SIZE}}\n      #end-multipart-aws\n      #start-encryption-aws\n      # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional\n      encryption: 'AES256'\n      # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional\n      #   This should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data.\n      #   'encryption' must also be set in order for this to have any effect.\n      # encryption_key: '<key>'\n      #end-encryption-aws\n      # Specifies Amazon S3 storage class to use for backups, this is optional\n      storage_class: '{{AWS_BACKUP_STORAGE_CLASS}}'\n      #end-aws\n      #start-gcs\n      # Fog storage connection settings, see http://fog.io/storage/ .\n      connection:\n        provider: Google\n        google_storage_access_key_id: {{GCS_BACKUP_ACCESS_KEY_ID}}\n        google_storage_secret_access_key: '{{GCS_BACKUP_SECRET_ACCESS_KEY}}'\n      remote_directory: '{{GCS_BACKUP_BUCKET}}'\n      #end-gcs\n\n  ## Pseudonymizer exporter\n  pseudonymizer:\n    # Tables manifest that specifies the fields to extract and pseudonymize.\n    manifest: config/pseudonymizer.yml\n    upload:\n      remote_directory: 'gitlab-elt'\n      # Fog storage connection settings, see http://fog.io/storage/ .\n      connection:\n      #   provider: AWS\n      #   region: eu-west-1\n      #   aws_access_key_id: AKIAKIAKI\n      #   aws_secret_access_key: 'secret123'\n      #   # The remote 'directory' to store the CSV files. 
For S3, this would be the bucket name.\n\n  ## GitLab Shell settings\n  gitlab_shell:\n    path: {{GITLAB_SHELL_INSTALL_DIR}}/\n    authorized_keys_file: {{GITLAB_HOME}}/.ssh/authorized_keys\n\n    # File that contains the secret key for verifying access for gitlab-shell.\n    # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).\n    secret_file: {{GITLAB_INSTALL_DIR}}/.gitlab_shell_secret\n\n    # Git over HTTP\n    upload_pack: true\n    receive_pack: true\n\n    # Git import/fetch timeout, in seconds. Defaults to 3 hours.\n    # git_timeout: 10800\n\n    # If you use non-standard ssh port you need to specify it\n    ssh_port: {{GITLAB_SSH_PORT}}\n\n  workhorse:\n    # File that contains the secret key for verifying access for gitlab-workhorse.\n    # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).\n    # secret_file: /home/git/gitlab/.gitlab_workhorse_secret\n\n  ## GitLab Elasticsearch settings\n  elasticsearch:\n    indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/\n\n  ## Git settings\n  # CAUTION!\n  # Use the default values unless you really know what you are doing\n  git:\n    bin_path: /usr/local/bin/git\n\n  ## ActionCable settings\n  action_cable:\n    # Number of threads used to process ActionCable connection callbacks and channel actions\n    # worker_pool_size: 4\n\n  ## Webpack settings\n  # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running\n  # on a given port instead of serving directly from /assets/webpack. 
This is only indended for use\n  # in development.\n  webpack:\n    # dev_server:\n    #   enabled: true\n    #   host: localhost\n    #   port: 3808\n\n  ## Monitoring\n  # Built in monitoring settings\n  monitoring:\n    # Time between sampling of unicorn socket metrics, in seconds\n    unicorn_sampler_interval: {{GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL}}\n    # Time between sampling of Puma metrics, in seconds\n    # puma_sampler_interval: 5\n    # IP whitelist to access monitoring endpoints\n    ip_whitelist:\n      - 127.0.0.0/8\n      - {{GITLAB_MONITORING_IP_WHITELIST}}\n\n    # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics\n    sidekiq_exporter:\n     enabled: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED}}\n     address: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS}}\n     port: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT}}\n\n    # Web exporter is webserver built in to Unicorn/Puma to expose Prometheus metrics\n    # It runs alongside the `/metrics` endpoints to ease the publish of metrics\n    web_exporter:\n    #  enabled: true\n    #  address: localhost\n    #  port: 8083\n\n  ## Prometheus settings\n  # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb\n  # if you installed GitLab via Omnibus.\n  # If you installed from source, you need to install and configure Prometheus\n  # yourself, and then update the values here.\n  # https://docs.gitlab.com/ee/administration/monitoring/prometheus/\n  prometheus:\n    # enable: true\n    # listen_address: 'localhost:9090'\n\n  shutdown:\n    #  # blackout_seconds:\n    #  #   defines an interval to block healthcheck,\n    #  #   but continue accepting application requests\n    #  #   this allows Load Balancer to notice service\n    #  #   being shutdown and not interrupt any of the clients\n    #  blackout_seconds: 10\n\n  #\n  # 5. Extra customization\n  # ==========================\n\n  extra:\n    ## Google analytics. 
Uncomment if you want it\n    google_analytics_id: '{{GOOGLE_ANALYTICS_ID}}'\n\n    ## Piwik analytics.\n    piwik_url: '{{PIWIK_URL}}'\n    piwik_site_id: '{{PIWIK_SITE_ID}}'\n\n  rack_attack:\n    git_basic_auth:\n      # Rack Attack IP banning enabled\n      enabled: {{RACK_ATTACK_ENABLED}}\n      #\n      # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers\n      ip_whitelist: {{RACK_ATTACK_WHITELIST}}\n      #\n      # Limit the number of Git HTTP authentication attempts per IP\n      maxretry: {{RACK_ATTACK_MAXRETRY}}\n      #\n      # Reset the auth attempt counter per IP after 60 seconds\n      findtime: {{RACK_ATTACK_FINDTIME}}\n      #\n      # Ban an IP for one hour (3600s) after too many auth attempts\n      bantime: {{RACK_ATTACK_BANTIME}}\n\ndevelopment:\n  <<: *base\n\n  # We want to run web/sidekiq exporters for devs\n  # to catch errors from using them.\n  #\n  # We use random port to not block ability to run\n  # multiple instances of the service\n  monitoring:\n    sidekiq_exporter:\n      enabled: true\n      address: 127.0.0.1\n      port: 0\n    web_exporter:\n      enabled: true\n      address: 127.0.0.1\n      port: 0\n\ntest:\n  <<: *base\n  gravatar:\n    enabled: true\n  external_diffs:\n    enabled: false\n    # Diffs may be `always` external (the default), or they can be made external\n    # after they have become `outdated` (i.e., the MR is closed or a new version\n    # has been pushed).\n    # when: always\n    # The location where external diffs are stored (default: shared/external-diffs).\n    # storage_path: shared/external-diffs\n    object_store:\n      enabled: false\n      remote_directory: external-diffs # The bucket name\n      connection:\n        provider: AWS # Only AWS supported at the moment\n        aws_access_key_id: AWS_ACCESS_KEY_ID\n        aws_secret_access_key: AWS_SECRET_ACCESS_KEY\n        region: us-east-1\n  lfs:\n    enabled: false\n    # The location where LFS objects 
are stored (default: shared/lfs-objects).\n    # storage_path: shared/lfs-objects\n    object_store:\n      enabled: false\n      remote_directory: lfs-objects # The bucket name\n      connection:\n        provider: AWS # Only AWS supported at the moment\n        aws_access_key_id: AWS_ACCESS_KEY_ID\n        aws_secret_access_key: AWS_SECRET_ACCESS_KEY\n        region: us-east-1\n  artifacts:\n    path: tmp/tests/artifacts\n    enabled: true\n    # The location where build artifacts are stored (default: shared/artifacts).\n    # path: shared/artifacts\n    object_store:\n      enabled: false\n      remote_directory: artifacts # The bucket name\n      background_upload: false\n      connection:\n        provider: AWS # Only AWS supported at the moment\n        aws_access_key_id: AWS_ACCESS_KEY_ID\n        aws_secret_access_key: AWS_SECRET_ACCESS_KEY\n        region: us-east-1\n  uploads:\n    storage_path: tmp/tests/public\n    object_store:\n      enabled: false\n      connection:\n        provider: AWS # Only AWS supported at the moment\n        aws_access_key_id: AWS_ACCESS_KEY_ID\n        aws_secret_access_key: AWS_SECRET_ACCESS_KEY\n        region: us-east-1\n\n  terraform_state:\n    enabled: true\n    storage_path: tmp/tests/terraform_state\n    object_store:\n      enabled: false\n      remote_directory: terraform_state\n      connection:\n        provider: AWS # Only AWS supported at the moment\n        aws_access_key_id: AWS_ACCESS_KEY_ID\n        aws_secret_access_key: AWS_SECRET_ACCESS_KEY\n        region: us-east-1\n\n  gitlab:\n    host: localhost\n    port: 80\n\n    content_security_policy:\n      enabled: true\n      report_only: false\n      directives:\n        base_uri:\n        child_src:\n        connect_src:\n        default_src: \"'self'\"\n        font_src:\n        form_action:\n        frame_ancestors: \"'self'\"\n        frame_src: \"'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com 
https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com\"\n        img_src: \"* data: blob:\"\n        manifest_src:\n        media_src:\n        object_src: \"'none'\"\n        script_src: \"'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com\"\n        style_src: \"'self' 'unsafe-inline'\"\n        worker_src: \"'self' blob:\"\n        report_uri:\n\n    # When you run tests we clone and set up gitlab-shell\n    # In order to set it up correctly you need to specify\n    # your system username you use to run GitLab\n    # user: YOUR_USERNAME\n  pages:\n    path: tmp/tests/pages\n  repositories:\n    storages:\n      default:\n        path: tmp/tests/repositories/\n        gitaly_address: unix:tmp/tests/gitaly/gitaly.socket\n\n  gitaly:\n    client_path: tmp/tests/gitaly\n    token: secret\n  workhorse:\n    secret_file: tmp/gitlab_workhorse_test_secret\n  backup:\n    path: tmp/tests/backups\n  pseudonymizer:\n    manifest: config/pseudonymizer.yml\n    upload:\n      # The remote 'directory' to store the CSV files. 
For S3, this would be the bucket name.\n      remote_directory: gitlab-elt.test\n      # Fog storage connection settings, see http://fog.io/storage/\n      connection:\n        provider: AWS # Only AWS supported at the moment\n        aws_access_key_id: AWS_ACCESS_KEY_ID\n        aws_secret_access_key: AWS_SECRET_ACCESS_KEY\n        region: us-east-1\n  gitlab_shell:\n    path: tmp/tests/gitlab-shell/\n    authorized_keys_file: tmp/tests/authorized_keys\n  issues_tracker:\n    redmine:\n      title: \"Redmine\"\n      project_url: \"http://redmine/projects/:issues_tracker_id\"\n      issues_url: \"http://redmine/:project_id/:issues_tracker_id/:id\"\n      new_issue_url: \"http://redmine/projects/:issues_tracker_id/issues/new\"\n    jira:\n      title: \"Jira\"\n      url: https://sample_company.atlassian.net\n      project_key: PROJECT\n\n  omniauth:\n    # enabled: true\n    allow_single_sign_on: true\n    external_providers: []\n\n    providers:\n      - { name: 'cas3',\n          label: 'cas3',\n          args: { url: 'https://sso.example.com',\n                  disable_ssl_verification: false,\n                  login_url: '/cas/login',\n                  service_validate_url: '/cas/p3/serviceValidate',\n                  logout_url: '/cas/logout'} }\n      - { name: 'github',\n          app_id: 'YOUR_APP_ID',\n          app_secret: 'YOUR_APP_SECRET',\n          url: \"https://github.com/\",\n          verify_ssl: false,\n          args: { scope: 'user:email' } }\n      - { name: 'bitbucket',\n          app_id: 'YOUR_APP_ID',\n          app_secret: 'YOUR_APP_SECRET' }\n      - { name: 'gitlab',\n          app_id: 'YOUR_APP_ID',\n          app_secret: 'YOUR_APP_SECRET',\n          args: { scope: 'api' } }\n      - { name: 'google_oauth2',\n          app_id: 'YOUR_APP_ID',\n          app_secret: 'YOUR_APP_SECRET',\n          args: { access_type: 'offline', approval_prompt: '' } }\n      - { name: 'facebook',\n          app_id: 'YOUR_APP_ID',\n          
app_secret: 'YOUR_APP_SECRET' }\n      - { name: 'twitter',\n          app_id: 'YOUR_APP_ID',\n          app_secret: 'YOUR_APP_SECRET' }\n      - { name: 'jwt',\n          app_secret: 'YOUR_APP_SECRET',\n          args: {\n                  algorithm: 'HS256',\n                  uid_claim: 'email',\n                  required_claims: [\"name\", \"email\"],\n                  info_map: { name: \"name\", email: \"email\" },\n                  auth_url: 'https://example.com/',\n                  valid_within: null,\n                }\n        }\n      - { name: 'auth0',\n          args: {\n            client_id: 'YOUR_AUTH0_CLIENT_ID',\n            client_secret: 'YOUR_AUTH0_CLIENT_SECRET',\n            namespace: 'YOUR_AUTH0_DOMAIN' } }\n      - { name: 'authentiq',\n          app_id: 'YOUR_CLIENT_ID',\n          app_secret: 'YOUR_CLIENT_SECRET',\n          args: { scope: 'aq:name email~rs address aq:push' } }\n      - { name: 'salesforce',\n          app_id: 'YOUR_CLIENT_ID',\n          app_secret: 'YOUR_CLIENT_SECRET'\n        }\n  ldap:\n    enabled: false\n    servers:\n      main:\n        label: ldap\n        host: 127.0.0.1\n        port: 3890\n        uid: 'uid'\n        encryption: 'plain' # \"start_tls\" or \"simple_tls\" or \"plain\"\n        base: 'dc=example,dc=com'\n        user_filter: ''\n        group_base: 'ou=groups,dc=example,dc=com'\n        admin_group: ''\n  prometheus:\n    enable: true\n    listen_address: 'localhost:9090'\n\nstaging:\n  <<: *base\n"
  },
  {
    "path": "assets/runtime/config/gitlabhq/puma.rb",
    "content": "ENV['RAILS_RELATIVE_URL_ROOT'] = \"{{GITLAB_RELATIVE_URL_ROOT}}\"\n\n# frozen_string_literal: true\n\n# Load \"path\" as a rackup file.\n#\n# The default is \"config.ru\".\n#\nrackup 'config.ru'\npidfile '{{GITLAB_INSTALL_DIR}}/tmp/pids/puma.pid'\nstate_path '{{GITLAB_INSTALL_DIR}}/tmp/pids/puma.state'\n\nstdout_redirect '{{GITLAB_INSTALL_DIR}}/log/puma.stdout.log',\n  '{{GITLAB_INSTALL_DIR}}/log/puma.stderr.log',\n  true\n\n# Configure \"min\" to be the minimum number of threads to use to answer\n# requests and \"max\" the maximum.\n#\n# The default is \"0, 16\".\n#\nthreads {{PUMA_THREADS_MIN}}, {{PUMA_THREADS_MAX}}\n\n# By default, workers accept all requests and queue them to pass to handlers.\n# When false, workers accept the number of simultaneous requests configured.\n#\n# Queueing requests generally improves performance, but can cause deadlocks if\n# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612\n#\n# When set to false this may require a reverse proxy to handle slow clients and\n# queue requests before they reach puma. This is due to disabling HTTP keepalive\nqueue_requests false\n\n# Bind the server to \"url\". 
\"tcp://\", \"unix://\" and \"ssl://\" are the only\n# accepted protocols.\nbind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'\nbind 'tcp://127.0.0.1:8080'\n\nworkers {{PUMA_WORKERS}}\n\nrequire_relative \"{{GITLAB_INSTALL_DIR}}/lib/gitlab/cluster/lifecycle_events\"\n\nif Gem::Version.new(Puma::Const::PUMA_VERSION) < Gem::Version.new('7.0')\n  Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options\n\n  on_restart do\n    # Signal application hooks that we're about to restart\n    Gitlab::Cluster::LifecycleEvents.do_before_master_restart\n  end\n\n  on_worker_boot do\n    # Signal application hooks of worker start\n    Gitlab::Cluster::LifecycleEvents.do_worker_start\n  end\n\n  on_worker_shutdown do\n    # Signal application hooks that a worker is shutting down\n    Gitlab::Cluster::LifecycleEvents.do_worker_stop\n  end\nelse\n  Gitlab::Cluster::LifecycleEvents.set_puma_worker_count(3)\n\n  before_restart do\n    # Signal application hooks that we're about to restart\n    Gitlab::Cluster::LifecycleEvents.do_before_master_restart\n  end\n\n  before_worker_boot do\n    # Signal application hooks of worker start\n    Gitlab::Cluster::LifecycleEvents.do_worker_start\n  end\n\n  before_worker_shutdown do\n    # Signal application hooks that a worker is shutting down\n    Gitlab::Cluster::LifecycleEvents.do_worker_stop\n  end\nend\n\nbefore_fork do\n  # Signal application hooks that we're about to fork\n  Gitlab::Cluster::LifecycleEvents.do_before_fork\nend\n\n# Preload the application before starting the workers; this conflicts with\n# phased restart feature. (off by default)\npreload_app!\n\ntag 'gitlab-puma-worker'\n\n# Verifies that all workers have checked in to the master process within\n# the given timeout. If not the worker process will be restarted. 
Default\n# value is 60 seconds.\n#\nworker_timeout {{PUMA_TIMEOUT}}\n\n# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#lower-latency-better-throughput\nwait_for_less_busy_worker ENV.fetch('PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001).to_f\n\n# Use json formatter\nrequire_relative \"{{GITLAB_INSTALL_DIR}}/lib/gitlab/puma_logging/json_formatter\"\n\njson_formatter = Gitlab::PumaLogging::JSONFormatter.new\nlog_formatter do |str|\n  json_formatter.call(str)\nend\n\nrequire_relative \"{{GITLAB_INSTALL_DIR}}/lib/gitlab/puma/error_handler\"\n\nerror_handler = Gitlab::Puma::ErrorHandler.new(ENV['RAILS_ENV'] == 'production')\n\nlowlevel_error_handler do |ex, env, status_code|\n  error_handler.execute(ex, env, status_code)\nend\n"
  },
  {
    "path": "assets/runtime/config/gitlabhq/relative_url.rb",
    "content": "# Relative URL support\n# WARNING: We recommend using an FQDN to host GitLab in a root path instead\n# of using a relative URL.\n# Documentation: http://doc.gitlab.com/ce/install/relative_url.html\n# Copy this file to relative_url.rb and customize it to run in a non-root path\n#\n\nRails.application.configure do\n  config.relative_url_root = \"{{GITLAB_RELATIVE_URL_ROOT}}\"\nend\n"
  },
  {
    "path": "assets/runtime/config/gitlabhq/resque.yml",
    "content": "# If you change this file in a Merge Request, please also create\n# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests\n#\ndevelopment:\n  url: redis://127.0.0.1:6379\n  # sentinels:\n  #   -\n  #     host: localhost\n  #     port: 26380 # point to sentinel, not to redis port\n  #   -\n  #     host: slave2\n  #     port: 26381 # point to sentinel, not to redis port\ntest:\n  url: redis://127.0.0.1:6379\nproduction:\n  # Redis (single instance)\n  url: redis://{{REDIS_HOST}}:{{REDIS_PORT}}/{{REDIS_DB_NUMBER}}\n  ##\n  # Redis + Sentinel (for HA)\n  #\n  # Please read instructions carefully before using it as you may lose data:\n  # http://redis.io/topics/sentinel\n  #\n  # You must specify a list of a few sentinels that will handle client connection\n  # please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html\n  ##\n  # url: redis://master:6379\n  # sentinels:\n  #   -\n  #     host: slave1\n  #     port: 26379 # point to sentinel, not to redis port\n  #   -\n  #     host: slave2\n  #     port: 26379 # point to sentinel, not to redis port\n"
  },
  {
    "path": "assets/runtime/config/gitlabhq/secrets.yml",
    "content": "production:\n  # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.\n  # If you change or lose this key you will be unable to access variables stored in database.\n  # Make sure the secret is at least 30 characters and all random,\n  # no regular words or you'll be exposed to dictionary attacks.\n  db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}}\n  secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}}\n  otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}}\n  encrypted_settings_key_base: {{GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE}}\n  active_record_encryption_primary_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY}}\n  active_record_encryption_deterministic_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY}}\n  active_record_encryption_key_derivation_salt: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT}}\n\ndevelopment:\n  db_key_base: development\n\ntest:\n  db_key_base: test\n"
  },
  {
    "path": "assets/runtime/config/gitlabhq/smtp_settings.rb",
    "content": "# To enable smtp email delivery for your GitLab instance do the following:\n# 1. Rename this file to smtp_settings.rb\n# 2. Edit settings inside this file\n# 3. Restart GitLab instance\n#\n# For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html\n#\n# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests\n\nif Rails.env.production?\n  Rails.application.config.action_mailer.delivery_method = :smtp\n\n  ActionMailer::Base.delivery_method = :smtp\n  ActionMailer::Base.smtp_settings = {\n    address: \"{{SMTP_HOST}}\",\n    port: {{SMTP_PORT}},\n    user_name: \"{{SMTP_USER}}\",\n    password: \"{{SMTP_PASS}}\",\n    domain: \"{{SMTP_DOMAIN}}\",\n    authentication: \"{{SMTP_AUTHENTICATION}}\",\n    enable_starttls_auto: {{SMTP_STARTTLS}},\n    openssl_verify_mode: '{{SMTP_OPENSSL_VERIFY_MODE}}',\n    ca_path: \"{{SMTP_CA_PATH}}\",\n    ca_file: \"{{SMTP_CA_FILE}}\",\n    tls: {{SMTP_TLS}}\n  }\nend\n"
  },
  {
    "path": "assets/runtime/config/nginx/gitlab",
    "content": "## GitLab\n##\n## Lines starting with two hashes (##) are comments with information.\n## Lines starting with one hash (#) are configuration parameters that can be uncommented.\n##\n##################################\n##        CONTRIBUTING          ##\n##################################\n##\n## If you change this file in a Merge Request, please also create\n## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests\n##\n###################################\n##         configuration         ##\n###################################\n##\n## See installation.md#using-https for additional HTTPS configuration details.\n\nupstream gitlab-workhorse {\n  server 127.0.0.1:8181 fail_timeout=0;\n}\n\nmap $http_upgrade $connection_upgrade_gitlab {\n    default upgrade;\n    ''      close;\n}\n\n## Obfuscate access_token and private_token in access log\nmap $request_uri $obfuscated_request_uri {\n    ~(.+\\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;\n    default $request_uri;\n}\nlog_format gitlab_access '$remote_addr - $remote_user [$time_local] '\n                  '\"$request_method $obfuscated_request_uri $server_protocol\" $status $body_bytes_sent '\n                  '\"$http_referer\" \"$http_user_agent\"';\n\n## Normal HTTP host\nserver {\n  ## Either remove \"default_server\" from the listen line below,\n  ## or delete the /etc/nginx/sites-enabled/default file. 
This will cause gitlab\n  ## to be served if you visit any address that your server responds to, eg.\n  ## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;\n  listen 0.0.0.0:80 default_server;\n  listen [::]:80 default_server;\n  server_name {{GITLAB_HOST}}; ## Replace this with something like gitlab.example.com\n  server_tokens off; ## Don't show the nginx version number, a security best practice\n\n  ## See app/controllers/application_controller.rb for headers set\n\n  ## Real IP Module Config\n  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html\n  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol\n  real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}};    ## If you enable 'on'\n  ## If you have a trusted IP address, uncomment it and set it\n  set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24\n\n  add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}};\n  add_header Strict-Transport-Security \"max-age={{NGINX_HSTS_MAXAGE}};\";\n\n  ## Individual nginx logs for this GitLab vhost\n  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_access;\n  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;\n\n  location / {\n    client_max_body_size 0;\n    gzip off;\n\n    ## https://github.com/gitlabhq/gitlabhq/issues/694\n    ## Some requests take more than 30 seconds.\n    proxy_read_timeout      300;\n    proxy_connect_timeout   300;\n    proxy_redirect          off;\n    proxy_buffering         {{NGINX_PROXY_BUFFERING}};\n\n    proxy_http_version 1.1;\n\n    proxy_set_header    Host                $http_host;\n    proxy_set_header    X-Real-IP           $remote_addr;\n    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;\n    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};\n    proxy_set_header    Upgrade             $http_upgrade;\n    proxy_set_header    Connection          $connection_upgrade_gitlab;\n\n    
proxy_pass http://gitlab-workhorse;\n  }\n\n  error_page 404 /404.html;\n  error_page 422 /422.html;\n  error_page 500 /500.html;\n  error_page 502 /502.html;\n  error_page 503 /503.html;\n  location ~ ^/(404|422|500|502|503)\\.html$ {\n    root {{GITLAB_INSTALL_DIR}}/public;\n    internal;\n  }\n\n  {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}}\n}\n"
  },
  {
    "path": "assets/runtime/config/nginx/gitlab-pages",
    "content": "## GitLab\n##\n## Pages serving host\nserver {\n  listen 0.0.0.0:80;\n  listen [::]:80;\n  ## Replace this with something like pages.gitlab.com\n  server_name ~^.*{{GITLAB_PAGES_DOMAIN}};\n  ## Individual nginx logs for GitLab pages\n  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log;\n  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log;\n  location / {\n    proxy_set_header    Host                $http_host;\n    proxy_set_header    X-Real-IP           $remote_addr;\n    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;\n    proxy_set_header    X-Forwarded-Proto   $scheme;\n    # The same address as passed to GitLab Pages: `-listen-proxy`\n    proxy_pass          http://127.0.0.1:8090/;\n  }\n  # Define custom error pages\n  error_page 403 /403.html;\n  error_page 404 /404.html;\n}\n"
  },
  {
    "path": "assets/runtime/config/nginx/gitlab-pages-ssl",
    "content": "## GitLab\n##\n\n## Redirects all HTTP traffic to the HTTPS host\nserver {\n  ## Either remove \"default_server\" from the listen line below,\n  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab\n  ## to be served if you visit any address that your server responds to, eg.\n  ## the ip address of the server (http://x.x.x.x/)\n  listen 0.0.0.0:80;\n  listen [::]:80;\n\n  ## Replace this with something like pages.gitlab.com\n  server_name ~^.*{{GITLAB_PAGES_DOMAIN}};\n  server_tokens off; ## Don't show the nginx version number, a security best practice\n\n  return 301 https://$host:{{GITLAB_PORT}}$request_uri;\n\n  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log;\n  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log;\n}\n\n## Pages serving host\nserver {\n  listen 0.0.0.0:443 ssl;\n  listen [::]:443 ssl;\n  http2 on;\n\n  ## Replace this with something like pages.gitlab.com\n  server_name ~^.*{{GITLAB_PAGES_DOMAIN}};\n  server_tokens off; ## Don't show the nginx version number, a security best practice\n\n  ## Strong SSL Security\n  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/\n  ssl_certificate {{SSL_PAGES_CERT_PATH}};\n  ssl_certificate_key {{SSL_PAGES_KEY_PATH}};\n\n  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs\n  ssl_ciphers \"{{SSL_PAGES_CIPHERS}}\";\n  ssl_protocols {{SSL_PAGES_PROTOCOLS}};\n  ssl_prefer_server_ciphers on;\n  ssl_session_cache shared:SSL:10m;\n  ssl_session_timeout 5m;\n\n  ## See app/controllers/application_controller.rb for headers set\n\n  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.\n  ## Replace with your ssl_trusted_certificate. 
For more info see:\n  ## - https://medium.com/devops-programming/4445f4862461\n  ## - https://www.ruby-forum.com/topic/4419319\n  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx\n  # ssl_stapling on;\n  # ssl_stapling_verify on;\n  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;\n\n  ## [Optional] Generate a stronger DHE parameter:\n  ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096\n  ##\n  ssl_dhparam {{SSL_DHPARAM_PATH}};\n\n  ## Individual nginx logs for this GitLab vhost\n  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log;\n  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log;\n\n  location / {\n    proxy_set_header    Host                $http_host;\n    proxy_set_header    X-Real-IP           $remote_addr;\n    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;\n    proxy_set_header    X-Forwarded-Proto   $scheme;\n    # The same address as passed to GitLab Pages: `-listen-proxy`\n    proxy_pass          http://localhost:8090/;\n  }\n\n  # Define custom error pages\n  error_page 403 /403.html;\n  error_page 404 /404.html;\n}\n"
  },
  {
    "path": "assets/runtime/config/nginx/gitlab-registry",
    "content": "## Lines starting with two hashes (##) are comments with information.\n## Lines starting with one hash (#) are configuration parameters that can be uncommented.\n##\n###################################\n##         configuration         ##\n###################################\n\n## Redirects all HTTP traffic to the HTTPS host\nserver {\n  listen *:80;\n  server_name  {{GITLAB_REGISTRY_HOST}};\n  server_tokens off; ## Don't show the nginx version number, a security best practice\n  return 301 https://$http_host$request_uri;\n  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;\n  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log;\n}\n\nserver {\n  # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-foss/blob/8-8-stable/config/gitlab.yml.example#L182,\n  # it should be declared here as well\n  listen *:{{GITLAB_REGISTRY_PORT}} ssl;\n  http2 on;\n  server_name  {{GITLAB_REGISTRY_HOST}};\n  server_tokens off; ## Don't show the nginx version number, a security best practice\n\n  client_max_body_size 0;\n  chunked_transfer_encoding on;\n\n  ## Strong SSL Security\n  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/\n  ssl_certificate {{SSL_REGISTRY_CERT_PATH}};\n  ssl_certificate_key {{SSL_REGISTRY_KEY_PATH}};\n\n  ssl_ciphers \"{{SSL_REGISTRY_CIPHERS}}\";\n  ssl_protocols {{SSL_REGISTRY_PROTOCOLS}};\n  ssl_prefer_server_ciphers on;\n  ssl_session_cache  builtin:1000  shared:SSL:10m;\n  ssl_session_timeout  5m;\n\n  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;\n  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log;\n\n  location / {\n    proxy_set_header  Host              $http_host;   # required for docker client's sake\n    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP\n    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;\n    proxy_set_header  X-Forwarded-Proto $scheme;\n    
proxy_read_timeout                  900;\n\n    proxy_pass          {{GITLAB_REGISTRY_API_URL}};\n  }\n\n}\n"
  },
  {
    "path": "assets/runtime/config/nginx/gitlab-ssl",
    "content": "## GitLab\n##\n## Modified from nginx http version\n## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/\n## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html\n##\n## Lines starting with two hashes (##) are comments with information.\n## Lines starting with one hash (#) are configuration parameters that can be uncommented.\n##\n##################################\n##        CONTRIBUTING          ##\n##################################\n##\n## If you change this file in a Merge Request, please also create\n## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests\n##\n###################################\n##         configuration         ##\n###################################\n##\n## See installation.md#using-https for additional HTTPS configuration details.\n\nupstream gitlab-workhorse {\n  server 127.0.0.1:8181 fail_timeout=0;\n}\n\nmap $http_upgrade $connection_upgrade_gitlab_ssl {\n    default upgrade;\n    ''      close;\n}\n\n## Obfuscate access_token and private_token in access log\nmap $request_uri $obfuscated_request_uri {\n    ~(.+\\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;\n    default $request_uri;\n}\nlog_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] '\n                  '\"$request_method $obfuscated_request_uri $server_protocol\" $status $body_bytes_sent '\n                  '\"$http_referer\" \"$http_user_agent\"';\n\n## Redirects all HTTP traffic to the HTTPS host\nserver {\n  ## Either remove \"default_server\" from the listen line below,\n  ## or delete the /etc/nginx/sites-enabled/default file. 
This will cause gitlab\n  ## to be served if you visit any address that your server responds to, eg.\n  ## the ip address of the server (http://x.x.x.x/)\n  listen 0.0.0.0:80;\n  listen [::]:80 ipv6only=on default_server;\n  server_name _; ## Replace this with something like gitlab.example.com\n  server_tokens off; ## Don't show the nginx version number, a security best practice\n  return 301 https://$host:{{GITLAB_PORT}}$request_uri;\n  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_ssl_access;\n  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;\n}\n\n## HTTPS host\nserver {\n  listen 0.0.0.0:443 ssl;\n  listen [::]:443 ipv6only=on ssl default_server;\n  http2 on;\n  server_name {{GITLAB_HOST}}; ## Replace this with something like gitlab.example.com\n  server_tokens off; ## Don't show the nginx version number, a security best practice\n\n  ## Strong SSL Security\n  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/\n  ssl_certificate {{SSL_CERTIFICATE_PATH}};\n  ssl_certificate_key {{SSL_KEY_PATH}};\n  ssl_verify_client {{SSL_VERIFY_CLIENT}};\n  ssl_client_certificate {{SSL_CA_CERTIFICATES_PATH}};\n\n  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs\n  ssl_ciphers \"{{SSL_CIPHERS}}\";\n  ssl_protocols {{SSL_PROTOCOLS}};\n  ssl_prefer_server_ciphers on;\n  ssl_session_cache shared:SSL:10m;\n  ssl_session_timeout 5m;\n\n  ## See app/controllers/application_controller.rb for headers set\n\n  ## Real IP Module Config\n  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html\n  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol\n  real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}};    ## If you enable 'on'\n  ## If you have a trusted IP address, uncomment it and set it\n  set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24\n\n  add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}};\n  add_header 
Strict-Transport-Security \"max-age={{NGINX_HSTS_MAXAGE}};\";\n\n  ## [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.\n  ## Replace with your ssl_trusted_certificate. For more info see:\n  ## - https://medium.com/devops-programming/4445f4862461\n  ## - https://www.ruby-forum.com/topic/4419319\n  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx\n  # ssl_stapling on;\n  # ssl_stapling_verify on;\n  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;\n  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired\n  # resolver_timeout 5s;\n\n  ## [Optional] Generate a stronger DHE parameter:\n  ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096\n  ##\n  ssl_dhparam {{SSL_DHPARAM_PATH}};\n\n  ## Individual nginx logs for this GitLab vhost\n  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_ssl_access;\n  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;\n\n  location / {\n    client_max_body_size 0;\n    gzip off;\n\n    ## https://github.com/gitlabhq/gitlabhq/issues/694\n    ## Some requests take more than 30 seconds.\n    proxy_read_timeout      300;\n    proxy_connect_timeout   300;\n    proxy_redirect          off;\n    proxy_buffering         {{NGINX_PROXY_BUFFERING}};\n\n    proxy_http_version 1.1;\n\n    proxy_set_header    Host                $http_host;\n    proxy_set_header    X-Real-IP           $remote_addr;\n    proxy_set_header    X-Forwarded-Ssl     on;\n    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;\n    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};\n    proxy_set_header    Upgrade             $http_upgrade;\n    proxy_set_header    Connection          $connection_upgrade_gitlab_ssl;\n\n    proxy_pass http://gitlab-workhorse;\n  }\n\n  error_page 404 /404.html;\n  error_page 422 /422.html;\n  error_page 500 
/500.html;\n  error_page 502 /502.html;\n  error_page 503 /503.html;\n  location ~ ^/(404|422|500|502|503)\\.html$ {\n    root {{GITLAB_INSTALL_DIR}}/public;\n    internal;\n  }\n\n  {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}}\n}\n"
  },
  {
    "path": "assets/runtime/config/nginx/gitlab_ci",
    "content": "# GITLAB CI\nserver {\n  listen 80;                        # e.g., listen 192.168.1.1:80;\n  server_name {{GITLAB_CI_HOST}};   # e.g., server_name source.example.com;\n\n  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_ci_access.log;\n  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_ci_error.log;\n\n  # expose API to fix runners\n  location /api {\n    proxy_read_timeout    300;\n    proxy_connect_timeout 300;\n    proxy_redirect        off;\n    proxy_set_header      X-Real-IP $remote_addr;\n\n    resolver {{DNS_RESOLVERS}};\n    proxy_pass $scheme://{{GITLAB_HOST}}/ci$request_uri;\n  }\n\n  # redirect all other CI requests\n  location / {\n    return 301 $scheme://{{GITLAB_HOST}}/ci$request_uri;\n  }\n\n  # adjust this to match the largest build log your runners might submit,\n  # set to 0 to disable limit\n  client_max_body_size 0;\n}\n"
  },
  {
    "path": "assets/runtime/env-defaults",
    "content": "#!/bin/bash\n\n# CONTAINER\nDEBUG=${DEBUG:-$DEBUG_ENTRYPOINT}\nTIMEZONE=${TZ:-UTC}\n\n## GITLAB CORE\nGITLAB_TEMP_DIR=\"${GITLAB_DATA_DIR}/tmp\"\nGITLAB_BACKUP_DIR=\"${GITLAB_BACKUP_DIR:-$GITLAB_DATA_DIR/backups}\"\nGITLAB_BACKUP_DIR_CHOWN=${GITLAB_BACKUP_DIR_CHOWN:-true}\nGITLAB_BACKUP_DIR_GROUP=${GITLAB_BACKUP_DIR_GROUP:-}\nGITLAB_REPOS_DIR=\"${GITLAB_REPOS_DIR:-$GITLAB_DATA_DIR/repositories}\"\nGITLAB_BUILDS_DIR=\"${GITLAB_BUILDS_DIR:-$GITLAB_DATA_DIR/builds}\"\nGITLAB_DOWNLOADS_DIR=\"${GITLAB_DOWNLOADS_DIR:-$GITLAB_TEMP_DIR/downloads}\"\nGITLAB_SHARED_DIR=\"${GITLAB_SHARED_DIR:-$GITLAB_DATA_DIR/shared}\"\nGITLAB_DEFAULT_THEME=${GITLAB_DEFAULT_THEME:-2}\nGITLAB_HTTPS=${GITLAB_HTTPS:-false}\nGITLAB_HOST=${GITLAB_HOST:-127.0.0.1}\nGITLAB_CI_HOST=${GITLAB_CI_HOST:-}\nGITLAB_PORT=${GITLAB_PORT:-}\nGITLAB_IMPERSONATION_ENABLED=${GITLAB_IMPERSONATION_ENABLED:-true}\nif [[ $GITLAB_HTTPS == true ]]; then\n  GITLAB_PORT=${GITLAB_PORT:-443}\nelse\n  GITLAB_PORT=${GITLAB_PORT:-80}\nfi\n\n## SSH\nGITLAB_SSH_HOST=${GITLAB_SSH_HOST:-$GITLAB_HOST}\nGITLAB_SSH_PORT=${GITLAB_SSH_PORT:-$GITLAB_SHELL_SSH_PORT} # for backwards compatibility\nGITLAB_SSH_LISTEN_PORT=${GITLAB_SSH_LISTEN_PORT:-22}\nGITLAB_SSH_PORT=${GITLAB_SSH_PORT:-$GITLAB_SSH_LISTEN_PORT}\nGITLAB_SSH_MAXSTARTUPS=${GITLAB_SSH_MAXSTARTUPS:-10:30:60}\n\nNGINX_HSTS_ENABLED=${NGINX_HSTS_ENABLED:-$GITLAB_HTTPS_HSTS_ENABLED} # backward compatibility\nNGINX_HSTS_ENABLED=${NGINX_HSTS_ENABLED:-true}\n\nNGINX_HSTS_MAXAGE=${NGINX_HSTS_MAXAGE:-$GITLAB_HTTPS_HSTS_MAXAGE} # backward compatibility\nNGINX_HSTS_MAXAGE=${NGINX_HSTS_MAXAGE:-31536000}\n\n## DATABASE\nDB_ADAPTER=${DB_ADAPTER:-postgresql}\nDB_ENCODING=${DB_ENCODING:-}\nDB_HOST=${DB_HOST:-}\nDB_PORT=${DB_PORT:-}\nDB_NAME=${DB_NAME:-}\nDB_USER=${DB_USER:-}\nDB_PASS=${DB_PASS:-}\nDB_POOL=${DB_POOL:-10}\nDB_PREPARED_STATEMENTS=${DB_PREPARED_STATEMENTS:-true}\n\n# backward compatibility\ncase ${DB_TYPE} in\n  postgres) DB_ADAPTER=${DB_ADAPTER:-postgresql} 
;;\nesac\n\n## REDIS\nREDIS_HOST=${REDIS_HOST:-}\nREDIS_PORT=${REDIS_PORT:-}\nREDIS_DB_NUMBER=${REDIS_DB_NUMBER:-0}\n\n## SIDEKIQ\nSIDEKIQ_SHUTDOWN_TIMEOUT=${SIDEKIQ_SHUTDOWN_TIMEOUT:-4}\nSIDEKIQ_CONCURRENCY=${SIDEKIQ_CONCURRENCY:-25}\nSIDEKIQ_MEMORY_KILLER_MAX_RSS=${SIDEKIQ_MEMORY_KILLER_MAX_RSS:-2000000}\nGITLAB_SIDEKIQ_LOG_FORMAT=${GITLAB_SIDEKIQ_LOG_FORMAT:-json}\n\n## PUMA\nPUMA_THREADS_MIN=${PUMA_THREADS_MIN:-1}\nPUMA_THREADS_MAX=${PUMA_THREADS_MAX:-16}\nPUMA_WORKERS=${PUMA_WORKERS:-3}\nPUMA_TIMEOUT=${PUMA_TIMEOUT:-60}\nPUMA_PER_WORKER_MAX_MEMORY_MB=${PUMA_PER_WORKER_MAX_MEMORY_MB:-1024}\nPUMA_MASTER_MAX_MEMORY_MB=${PUMA_MASTER_MAX_MEMORY_MB:-800}\n\n# Set Default values according to the documentation\n# https://docs.gitlab.com/ee/administration/operations/unicorn.html#unicorn-worker-killer\nGITLAB_UNICORN_MEMORY_MIN=${GITLAB_UNICORN_MEMORY_MIN:-1073741824}\nGITLAB_UNICORN_MEMORY_MAX=${GITLAB_UNICORN_MEMORY_MAX:-1342177280}\n\n\n##\nGITLAB_TIMEZONE=${GITLAB_TIMEZONE:-UTC}\nGITLAB_SIGNUP_ENABLED=${GITLAB_SIGNUP_ENABLED:-true}\nGITLAB_ISSUE_CLOSING_PATTERN=${GITLAB_ISSUE_CLOSING_PATTERN:-'\\b((?:[Cc]los(?:e[sd]?|ing)|\\b[Ff]ix(?:e[sd]|ing)?|\\b[Rr]esolv(?:e[sd]?|ing)|\\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? 
+)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\\d+))+)'}\nGITLAB_PROJECTS_LIMIT=${GITLAB_PROJECTS_LIMIT:-100}\nGITLAB_USERNAME_CHANGE=${GITLAB_USERNAME_CHANGE:-true}\nGITLAB_CREATE_GROUP=${GITLAB_CREATE_GROUP:-true}\nGITLAB_PROJECTS_ISSUES=${GITLAB_PROJECTS_ISSUES:-true}\nGITLAB_PROJECTS_MERGE_REQUESTS=${GITLAB_PROJECTS_MERGE_REQUESTS:-true}\nGITLAB_PROJECTS_WIKI=${GITLAB_PROJECTS_WIKI:-true}\nGITLAB_PROJECTS_SNIPPETS=${GITLAB_PROJECTS_SNIPPETS:-true}\nGITLAB_PROJECTS_BUILDS=${GITLAB_PROJECTS_BUILDS:-true}\nGITLAB_PROJECTS_CONTAINER_REGISTRY=${GITLAB_PROJECTS_CONTAINER_REGISTRY:-true}\nGITLAB_RELATIVE_URL_ROOT=${GITLAB_RELATIVE_URL_ROOT:-}\nGITLAB_TRUSTED_PROXIES=${GITLAB_TRUSTED_PROXIES:-}\nif [[ -z ${GITLAB_RELATIVE_URL_ROOT} || ${GITLAB_RELATIVE_URL_ROOT} == / ]]; then # should not be set to `/`\n  GITLAB_RELATIVE_URL_ROOT=\nfi\n\nGITLAB_WEBHOOK_TIMEOUT=${GITLAB_WEBHOOK_TIMEOUT:-10}\n\nGITLAB_WORKHORSE_TIMEOUT=${GITLAB_WORKHORSE_TIMEOUT:-5m0s}\n\n# OBJECTSTORE\nGITLAB_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_OBJECT_STORE_CONNECTION_PROVIDER:-AWS}\n\n#-- AWS\nAWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-AWS_ACCESS_KEY_ID}\nAWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-AWS_SECRET_ACCESS_KEY}\nAWS_REGION=${AWS_REGION:-us-east-1}\nAWS_HOST=${AWS_HOST:-s3.amazonaws.com}\nAWS_ENDPOINT=${AWS_ENDPOINT:-nil}\nAWS_PATH_STYLE=${AWS_PATH_STYLE:-true}\nAWS_SIGNATURE_VERSION=${AWS_SIGNATURE_VERSION:-4}\n\n#-- Google\nGITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}\nGITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}\nGITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-\"/gcs/key.json\"}\n\n## 
ARTIFACTS\nGITLAB_ARTIFACTS_ENABLED=${GITLAB_ARTIFACTS_ENABLED:-true}\nGITLAB_ARTIFACTS_DIR=\"${GITLAB_ARTIFACTS_DIR:-$GITLAB_SHARED_DIR/artifacts}\"\n\n\nGITLAB_ARTIFACTS_OBJECT_STORE_ENABLED=${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED:-false}\nGITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY:-artifacts}\nGITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD:-false}\nGITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD:-false}\nGITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD:-false}\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER}\n\n# ARTIFACTS:AWS\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE}\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION}\n\n# 
ARTIFACTS:Google\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}\nGITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}\n\n## PACKAGES\nGITLAB_PACKAGES_ENABLED=${GITLAB_PACKAGES_ENABLED:-true}\nGITLAB_PACKAGES_DIR=\"${GITLAB_PACKAGES_DIR:-$GITLAB_SHARED_DIR/packages}\"\n\n\nGITLAB_PACKAGES_OBJECT_STORE_ENABLED=${GITLAB_PACKAGES_OBJECT_STORE_ENABLED:-false}\nGITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY:-packages}\nGITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD:-false}\nGITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD:-false}\nGITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD:-false}\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER}\n\n# 
PACKAGES:AWS\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE}\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION}\n\n# PACKAGES:Google\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}\nGITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}\n\n## TERRAFORM 
STATE\nGITLAB_TERRAFORM_STATE_ENABLED=${GITLAB_TERRAFORM_STATE_ENABLED:-true}\nGITLAB_TERRAFORM_STATE_STORAGE_PATH=\"${GITLAB_TERRAFORM_STATE_STORAGE_PATH:-$GITLAB_SHARED_DIR/terraform_state}\"\n\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED:-false}\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY:-terraform_state}\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER}\n\n# TERRAFORM STATE:AWS\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE}\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION}\n\n# TERRAFORM 
STATE:Google\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}\nGITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}\n\n## Cron Jobs\nGITLAB_PIPELINE_SCHEDULE_WORKER_CRON=${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON:-\"19 * * * *\"}\n\n## LFS\nGITLAB_LFS_ENABLED=${GITLAB_LFS_ENABLED:-true}\nGITLAB_LFS_OBJECTS_DIR=\"${GITLAB_LFS_OBJECTS_DIR:-$GITLAB_SHARED_DIR/lfs-objects}\"\n\nGITLAB_LFS_OBJECT_STORE_ENABLED=${GITLAB_LFS_OBJECT_STORE_ENABLED:-false}\nGITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY:-lfs-objects}\nGITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD:-false}\nGITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD:-false}\nGITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD:-false}\nGITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER}\n\n# 
LFS:AWS\nGITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}\nGITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}\nGITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}\nGITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}\nGITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}\nGITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE}\nGITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION}\n\n# LFS:Google\nGITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}\nGITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}\nGITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}\n\n## 
Uploads\nGITLAB_UPLOADS_STORAGE_PATH=\"${GITLAB_UPLOADS_STORAGE_PATH:-$GITLAB_INSTALL_DIR/public}\"\nGITLAB_UPLOADS_BASE_DIR=\"${GITLAB_UPLOADS_BASE_DIR:-uploads/-/system}\"\n\nGITLAB_UPLOADS_OBJECT_STORE_ENABLED=${GITLAB_UPLOADS_OBJECT_STORE_ENABLED:-false}\nGITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY:-uploads}\nGITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD:-false}\nGITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD:-false}\nGITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD:-false}\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER}\n\n# Uploads:AWS\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE}\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION}\n\n# 
Uploads:Google\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}\nGITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}\n\n\n## Mattermost\nGITLAB_MATTERMOST_ENABLED=${GITLAB_MATTERMOST_ENABLED:-false}\nGITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com}\n\n# secrets\nGITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-}\nGITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-}\nGITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-}\nGITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=${GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE:-}\nGITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY:-}\nGITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY:-}\nGITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT:-}\n\nGITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true}\nGITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}\n\nGITLAB_ROBOTS_PATH=${GITLAB_ROBOTS_PATH:-${USERCONF_TEMPLATES_DIR}/gitlabhq/robots.txt}\n\n## 
REGISTRY\nGITLAB_REGISTRY_ENABLED=${GITLAB_REGISTRY_ENABLED:-false}\nGITLAB_REGISTRY_DIR=\"${GITLAB_REGISTRY_DIR:-$GITLAB_SHARED_DIR/registry}\"\nGITLAB_REGISTRY_HOST=${GITLAB_REGISTRY_HOST:-registry.example.com}\nGITLAB_REGISTRY_PORT=${GITLAB_REGISTRY_PORT:-443}\nGITLAB_REGISTRY_API_URL=${GITLAB_REGISTRY_API_URL:-http://127.0.0.1:5000/}\nGITLAB_REGISTRY_KEY_PATH=${GITLAB_REGISTRY_KEY_PATH:-config/registry.key}\nGITLAB_REGISTRY_ISSUER=${GITLAB_REGISTRY_ISSUER:-gitlab-issuer}\nGITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES=${GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES:-false}\n\n## SSL\nSSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false}\nSSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-$GITLAB_DATA_DIR/certs/gitlab.crt}\nSSL_KEY_PATH=${SSL_KEY_PATH:-$GITLAB_DATA_DIR/certs/gitlab.key}\nSSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-$GITLAB_DATA_DIR/certs/dhparam.pem}\nSSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}\nSSL_CIPHERS=${SSL_CIPHERS:-'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'}\nSSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1 TLSv1.1 TLSv1.2 
TLSv1.3'}\n\nSSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_REGISTRY_KEY_PATH}\nSSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key}\nSSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_REGISTRY_CERT_PATH}\nSSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt}\nSSL_REGISTRY_CIPHERS=${SSL_REGISTRY_CIPHERS:-$SSL_CIPHERS}\nSSL_REGISTRY_PROTOCOLS=${SSL_REGISTRY_PROTOCOLS:-$SSL_PROTOCOLS}\n\nSSL_PAGES_KEY_PATH=${SSL_PAGES_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key}\nSSL_PAGES_CERT_PATH=${SSL_PAGES_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt}\nSSL_PAGES_CIPHERS=${SSL_PAGES_CIPHERS:-$SSL_CIPHERS}\nSSL_PAGES_PROTOCOLS=${SSL_PAGES_PROTOCOLS:-$SSL_PROTOCOLS}\n\nSSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility\nSSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt}\n\n## BACKUPS\nGITLAB_BACKUP_SCHEDULE=${GITLAB_BACKUP_SCHEDULE:-$GITLAB_BACKUPS} # backward compatibility\nGITLAB_BACKUP_SCHEDULE=${GITLAB_BACKUP_SCHEDULE:-disable}\nGITLAB_BACKUP_TIME=${GITLAB_BACKUP_TIME:-04:00}\nGITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-}\nGITLAB_BACKUP_PG_SCHEMA=${GITLAB_BACKUP_PG_SCHEMA:-}\nGITLAB_BACKUP_ARCHIVE_PERMISSIONS=${GITLAB_BACKUP_ARCHIVE_PERMISSIONS:-0600}\ncase ${GITLAB_BACKUP_SCHEDULE} in\n  daily|weekly|monthly) GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-604800} ;;\n  disable|*) GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-0} ;;\nesac\n\n### AWS 
BACKUPS\nAWS_BACKUPS=${AWS_BACKUPS:-false}\nAWS_BACKUP_REGION=${AWS_BACKUP_REGION}\nAWS_BACKUP_ENDPOINT=${AWS_BACKUP_ENDPOINT}\nAWS_BACKUP_PATH_STYLE=${AWS_BACKUP_PATH_STYLE:-false}\nAWS_BACKUP_ACCESS_KEY_ID=${AWS_BACKUP_ACCESS_KEY_ID}\nAWS_BACKUP_SECRET_ACCESS_KEY=${AWS_BACKUP_SECRET_ACCESS_KEY}\nAWS_BACKUP_BUCKET=${AWS_BACKUP_BUCKET}\nAWS_BACKUP_MULTIPART_CHUNK_SIZE=${AWS_BACKUP_MULTIPART_CHUNK_SIZE}\nAWS_BACKUP_ENCRYPTION=${AWS_BACKUP_ENCRYPTION}\nAWS_BACKUP_STORAGE_CLASS=${AWS_BACKUP_STORAGE_CLASS:-STANDARD}\nAWS_BACKUP_SIGNATURE_VERSION=${AWS_BACKUP_SIGNATURE_VERSION:-4}\n\n### GCS BACKUPS\nGCS_BACKUPS=${GCS_BACKUPS:-false}\nGCS_BACKUP_ACCESS_KEY_ID=${GCS_BACKUP_ACCESS_KEY_ID}\nGCS_BACKUP_SECRET_ACCESS_KEY=${GCS_BACKUP_SECRET_ACCESS_KEY}\nGCS_BACKUP_BUCKET=${GCS_BACKUP_BUCKET}\n\n## NGINX\nNGINX_SERVER_NAMES_HASH_BUCKET_SIZE=${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE:-32};\nNGINX_WORKERS=${NGINX_WORKERS:-1}\nNGINX_ACCEL_BUFFERING=${NGINX_ACCEL_BUFFERING:-no}\nNGINX_PROXY_BUFFERING=${NGINX_PROXY_BUFFERING:-off}\nNGINX_REAL_IP_RECURSIVE=${NGINX_REAL_IP_RECURSIVE:-off}\nNGINX_REAL_IP_TRUSTED_ADDRESSES=${NGINX_REAL_IP_TRUSTED_ADDRESSES:-}\ncase ${GITLAB_HTTPS} in\n  true) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-https} ;;\n  *)    NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-\\$scheme} ;;\nesac\nNGINX_CUSTOM_GITLAB_SERVER_CONFIG=${NGINX_CUSTOM_GITLAB_SERVER_CONFIG:-}\n\n## MAIL DELIVERY\nSMTP_DOMAIN=${SMTP_DOMAIN:-www.gmail.com}\nSMTP_HOST=${SMTP_HOST:-smtp.gmail.com}\nSMTP_PORT=${SMTP_PORT:-587}\nSMTP_USER=${SMTP_USER:-}\nSMTP_PASS=${SMTP_PASS:-}\nSMTP_OPENSSL_VERIFY_MODE=${SMTP_OPENSSL_VERIFY_MODE:-none}\nSMTP_STARTTLS=${SMTP_STARTTLS:-true}\nSMTP_TLS=${SMTP_TLS:-false}\nSMTP_CA_ENABLED=${SMTP_CA_ENABLED:-false}\nSMTP_CA_PATH=${SMTP_CA_PATH:-$GITLAB_DATA_DIR/certs}\nSMTP_CA_FILE=${SMTP_CA_FILE:-$GITLAB_DATA_DIR/certs/ca.crt}\nif [[ -n ${SMTP_USER} ]]; then\n  SMTP_ENABLED=${SMTP_ENABLED:-true}\n  
SMTP_AUTHENTICATION=${SMTP_AUTHENTICATION:-login}\nfi\nSMTP_ENABLED=${SMTP_ENABLED:-false}\nGITLAB_EMAIL_ENABLED=${GITLAB_EMAIL_ENABLED:-${SMTP_ENABLED}}\nGITLAB_EMAIL=${GITLAB_EMAIL:-${SMTP_USER}}\nGITLAB_EMAIL_REPLY_TO=${GITLAB_EMAIL_REPLY_TO:-${GITLAB_EMAIL}}\nGITLAB_EMAIL_SUBJECT_SUFFIX=${GITLAB_EMAIL_SUBJECT_SUFFIX:-}\nGITLAB_EMAIL=${GITLAB_EMAIL:-example@example.com}\nGITLAB_EMAIL_REPLY_TO=${GITLAB_EMAIL_REPLY_TO:-noreply@example.com}\nGITLAB_EMAIL_DISPLAY_NAME=${GITLAB_EMAIL_DISPLAY_NAME:-GitLab}\nGITLAB_EMAIL_SMIME_ENABLE=${GITLAB_EMAIL_SMIME_ENABLE:-false}\nGITLAB_EMAIL_SMIME_KEY_FILE=${GITLAB_EMAIL_SMIME_KEY_FILE:-}\nGITLAB_EMAIL_SMIME_CERT_FILE=${GITLAB_EMAIL_SMIME_CERT_FILE:-}\n\n## INCOMING MAIL\nIMAP_HOST=${IMAP_HOST:-imap.gmail.com}\nIMAP_PORT=${IMAP_PORT:-993}\nIMAP_USER=${IMAP_USER:-}\nIMAP_PASS=${IMAP_PASS:-}\nIMAP_SSL=${IMAP_SSL:-true}\nIMAP_STARTTLS=${IMAP_STARTTLS:-false}\nIMAP_MAILBOX=${IMAP_MAILBOX:-inbox}\nIMAP_TIMEOUT=${IMAP_TIMEOUT:-60}\n\nif [[ -n ${IMAP_USER} ]]; then\n  IMAP_ENABLED=${IMAP_ENABLED:-true}\nfi\nIMAP_ENABLED=${IMAP_ENABLED:-false}\nGITLAB_INCOMING_EMAIL_ENABLED=${GITLAB_INCOMING_EMAIL_ENABLED:-${IMAP_ENABLED}}\nGITLAB_INCOMING_EMAIL_ADDRESS=${GITLAB_INCOMING_EMAIL_ADDRESS:-${IMAP_USER}}\nGITLAB_INCOMING_EMAIL_ADDRESS=${GITLAB_INCOMING_EMAIL_ADDRESS:-reply@example.com}\n\n## LDAP\nLDAP_ENABLED=${LDAP_ENABLED:-false}\nLDAP_HOST=${LDAP_HOST:-}\nLDAP_PORT=${LDAP_PORT:-389}\nLDAP_UID=${LDAP_UID:-sAMAccountName}\nLDAP_METHOD=${LDAP_METHOD:-plain}\nLDAP_VERIFY_SSL=${LDAP_VERIFY_SSL:-true}\nLDAP_CA_FILE=${LDAP_CA_FILE:-}\nLDAP_SSL_VERSION=${LDAP_SSL_VERSION:-}\nLDAP_BIND_DN=${LDAP_BIND_DN:-}\nLDAP_PASS=${LDAP_PASS:-}\nLDAP_TIMEOUT=${LDAP_TIMEOUT:-10}\nLDAP_ACTIVE_DIRECTORY=${LDAP_ACTIVE_DIRECTORY:-true}\nLDAP_BLOCK_AUTO_CREATED_USERS=${LDAP_BLOCK_AUTO_CREATED_USERS:-false}\nLDAP_BASE=${LDAP_BASE:-}\nLDAP_USER_FILTER=${LDAP_USER_FILTER:-}\nLDAP_USER_ATTRIBUTE_USERNAME=${LDAP_USER_ATTRIBUTE_USERNAME:-['uid', 'userid', 
'sAMAccountName']}\nLDAP_USER_ATTRIBUTE_MAIL=${LDAP_USER_ATTRIBUTE_MAIL:-['mail', 'email', 'userPrincipalName']}\nLDAP_USER_ATTRIBUTE_NAME=${LDAP_USER_ATTRIBUTE_NAME:-cn}\nLDAP_USER_ATTRIBUTE_FIRSTNAME=${LDAP_USER_ATTRIBUTE_FIRSTNAME:-givenName}\nLDAP_USER_ATTRIBUTE_LASTNAME=${LDAP_USER_ATTRIBUTE_LASTNAME:-sn}\nLDAP_LOWERCASE_USERNAMES=\"${LDAP_LOWERCASE_USERNAMES:-false}\"\nLDAP_LABEL=${LDAP_LABEL:-LDAP}\nLDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-}\nLDAP_PREVENT_LDAP_SIGN_IN=${LDAP_PREVENT_LDAP_SIGN_IN:-false}\ncase ${LDAP_UID} in\n  userPrincipalName) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-false} ;;\n  *) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-true}\nesac\n\n## GRAVATAR\nGITLAB_GRAVATAR_ENABLED=${GITLAB_GRAVATAR_ENABLED:-true}\nGITLAB_GRAVATAR_HTTP_URL=${GITLAB_GRAVATAR_HTTP_URL:-}\nGITLAB_GRAVATAR_HTTPS_URL=${GITLAB_GRAVATAR_HTTPS_URL:-}\n\n## OAUTH\nOAUTH_ENABLED=${OAUTH_ENABLED:-}\nOAUTH_AUTO_SIGN_IN_WITH_PROVIDER=${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER:-}\nOAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-}\nOAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true}\nOAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false}\nOAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false}\nOAUTH_EXTERNAL_PROVIDERS=${OAUTH_EXTERNAL_PROVIDERS:-}\nOAUTH_ALLOW_BYPASS_TWO_FACTOR=${OAUTH_ALLOW_BYPASS_TWO_FACTOR:-false}\n\n### GOOGLE\nOAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-}\nOAUTH_GOOGLE_APP_SECRET=${OAUTH_GOOGLE_APP_SECRET:-}\nOAUTH_GOOGLE_APPROVAL_PROMPT=${OAUTH_GOOGLE_APPROVAL_PROMPT:-}\nOAUTH_GOOGLE_RESTRICT_DOMAIN=${OAUTH_GOOGLE_RESTRICT_DOMAIN:-}\nif [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then # backward compatibility\n  if [[ ${OAUTH_GOOGLE_RESTRICT_DOMAIN} != \"'\"* ]]; then\n    OAUTH_GOOGLE_RESTRICT_DOMAIN=\"'${OAUTH_GOOGLE_RESTRICT_DOMAIN}'\"\n  fi\nfi\n\n### 
FACEBOOK\nOAUTH_FACEBOOK_API_KEY=${OAUTH_FACEBOOK_API_KEY:-}\nOAUTH_FACEBOOK_APP_SECRET=${OAUTH_FACEBOOK_APP_SECRET:-}\n\n### TWITTER\nOAUTH_TWITTER_API_KEY=${OAUTH_TWITTER_API_KEY:-}\nOAUTH_TWITTER_APP_SECRET=${OAUTH_TWITTER_APP_SECRET:-}\n\n## Authentiq\nOAUTH_AUTHENTIQ_CLIENT_ID=${OAUTH_AUTHENTIQ_CLIENT_ID:-}\nOAUTH_AUTHENTIQ_CLIENT_SECRET=${OAUTH_AUTHENTIQ_CLIENT_SECRET:-}\nOAUTH_AUTHENTIQ_SCOPE=${OAUTH_AUTHENTIQ_SCOPE:-'aq:name email~rs address aq:push'}\nOAUTH_AUTHENTIQ_REDIRECT_URI=${OAUTH_AUTHENTIQ_REDIRECT_URI:-}\n\n### GITHUB\nOAUTH_GITHUB_API_KEY=${OAUTH_GITHUB_API_KEY:-}\nOAUTH_GITHUB_APP_SECRET=${OAUTH_GITHUB_APP_SECRET:-}\nOAUTH_GITHUB_URL=${OAUTH_GITHUB_URL:-https://github.com/}\nOAUTH_GITHUB_VERIFY_SSL=${OAUTH_GITHUB_VERIFY_SSL:-true}\nOAUTH_GITHUB_SCOPE=${OAUTH_GITHUB_SCOPE:-user:email}\n\n### GITLAB\nOAUTH_GITLAB_API_KEY=${OAUTH_GITLAB_API_KEY:-}\nOAUTH_GITLAB_APP_SECRET=${OAUTH_GITLAB_APP_SECRET:-}\nOAUTH_GITLAB_SCOPE=${OAUTH_GITLAB_SCOPE:-api}\n\n### BITBUCKET\nOAUTH_BITBUCKET_API_KEY=${OAUTH_BITBUCKET_API_KEY:-}\nOAUTH_BITBUCKET_APP_SECRET=${OAUTH_BITBUCKET_APP_SECRET:-}\nOAUTH_BITBUCKET_URL=${OAUTH_BITBUCKET_URL:-https://bitbucket.org/}\n\n### CROWD\nOAUTH_CROWD_SERVER_URL=${OAUTH_CROWD_SERVER_URL:-}\nOAUTH_CROWD_APP_NAME=${OAUTH_CROWD_APP_NAME:-}\nOAUTH_CROWD_APP_PASSWORD=${OAUTH_CROWD_APP_PASSWORD:-}\n\n## AZURE\nOAUTH_AZURE_API_KEY=${OAUTH_AZURE_API_KEY:-}\nOAUTH_AZURE_API_SECRET=${OAUTH_AZURE_API_SECRET:-}\nOAUTH_AZURE_TENANT_ID=${OAUTH_AZURE_TENANT_ID:-}\n\n## AZURE Active Directory V2 endpoint\nOAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL:-'Azure AD v2'}\nOAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID:-}\nOAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET:-}\nOAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID:-}\n\n### SAML\ncase $GITLAB_HTTPS in\n  true)\n    
OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL:-https://${GITLAB_HOST}/users/auth/saml/callback}\n    OAUTH_SAML_ISSUER=${OAUTH_SAML_ISSUER:-https://${GITLAB_HOST}}\n    ;;\n  false)\n    OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL:-http://${GITLAB_HOST}/users/auth/saml/callback}\n    OAUTH_SAML_ISSUER=${OAUTH_SAML_ISSUER:-http://${GITLAB_HOST}}\n    ;;\nesac\nOAUTH_SAML_LABEL=${OAUTH_SAML_LABEL:-'Our SAML Provider'}\nOAUTH_SAML_IDP_CERT_FINGERPRINT=${OAUTH_SAML_IDP_CERT_FINGERPRINT:-}\nOAUTH_SAML_IDP_SSO_TARGET_URL=${OAUTH_SAML_IDP_SSO_TARGET_URL:-}\nOAUTH_SAML_NAME_IDENTIFIER_FORMAT=${OAUTH_SAML_NAME_IDENTIFIER_FORMAT:-urn:oasis:names:tc:SAML:2.0:nameid-format:transient}\nOAUTH_SAML_GROUPS_ATTRIBUTE=${OAUTH_SAML_GROUPS_ATTRIBUTE:-}\nOAUTH_SAML_EXTERNAL_GROUPS=${OAUTH_SAML_EXTERNAL_GROUPS:-}\nOAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL:-}\nOAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME:-}\nOAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME:-}\nOAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME:-}\nOAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME:-}\n\n### CAS3\nOAUTH_CAS3_LABEL=${OAUTH_CAS3_LABEL:-cas3}\nOAUTH_CAS3_SERVER=${OAUTH_CAS3_SERVER:-}\nOAUTH_CAS3_DISABLE_SSL_VERIFICATION=${OAUTH_CAS3_DISABLE_SSL_VERIFICATION:-false}\nOAUTH_CAS3_LOGIN_URL=${OAUTH_CAS3_LOGIN_URL:-/cas/login}\nOAUTH_CAS3_VALIDATE_URL=${OAUTH_CAS3_VALIDATE_URL:-/cas/p3/serviceValidate}\nOAUTH_CAS3_LOGOUT_URL=${OAUTH_CAS3_LOGOUT_URL:-/cas/logout}\n\n### AUTH0\nOAUTH_AUTH0_SCOPE=${OAUTH_AUTH0_SCOPE:-openid profile email}\n\n## OAUTH2 
GENERIC\nOAUTH2_GENERIC_APP_ID=${OAUTH2_GENERIC_APP_ID:-}\nOAUTH2_GENERIC_APP_SECRET=${OAUTH2_GENERIC_APP_SECRET:-}\nOAUTH2_GENERIC_CLIENT_SITE=${OAUTH2_GENERIC_CLIENT_SITE:-}\nOAUTH2_GENERIC_CLIENT_USER_INFO_URL=${OAUTH2_GENERIC_CLIENT_USER_INFO_URL:-}\nOAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=${OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL:-}\nOAUTH2_GENERIC_CLIENT_TOKEN_URL=${OAUTH2_GENERIC_CLIENT_TOKEN_URL:-}\nOAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=${OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT:-}\nOAUTH2_GENERIC_ID_PATH=${OAUTH2_GENERIC_ID_PATH:-}\nOAUTH2_GENERIC_USER_UID=${OAUTH2_GENERIC_USER_UID:-}\nOAUTH2_GENERIC_USER_NAME=${OAUTH2_GENERIC_USER_NAME:-}\nOAUTH2_GENERIC_USER_EMAIL=${OAUTH2_GENERIC_USER_EMAIL:-}\nOAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE=${OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE:-}\nOAUTH2_GENERIC_LABEL=${OAUTH2_GENERIC_LABEL:-}\nOAUTH2_GENERIC_NAME=${OAUTH2_GENERIC_NAME:-}\n\n### OpenID Connect\nOAUTH_OIDC_LABEL=${OAUTH_OIDC_LABEL:-'OpenID Connect'}\nOAUTH_OIDC_ICON=${OAUTH_OIDC_ICON:-}\nOAUTH_OIDC_SCOPE=${OAUTH_OIDC_SCOPE:-\"['openid','profile','email']\"}\nOAUTH_OIDC_RESPONSE_TYPE=${OAUTH_OIDC_RESPONSE_TYPE:-'code'}\nOAUTH_OIDC_ISSUER=${OAUTH_OIDC_ISSUER:-}\nOAUTH_OIDC_DISCOVERY=${OAUTH_OIDC_DISCOVERY:-true}\nOAUTH_OIDC_CLIENT_AUTH_METHOD=${OAUTH_OIDC_CLIENT_AUTH_METHOD:-'basic'}\nOAUTH_OIDC_UID_FIELD=${OAUTH_OIDC_UID_FIELD:-sub}\nOAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP=${OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP:-false}\nOAUTH_OIDC_PKCE=${OAUTH_OIDC_PKCE:-true}\nOAUTH_OIDC_CLIENT_ID=${OAUTH_OIDC_CLIENT_ID:-}\nOAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'}\ncase $GITLAB_HTTPS in\n  true)\n    OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-https://${GITLAB_HOST}/users/auth/openid_connect/callback}\n    ;;\n  false)\n    OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-http://${GITLAB_HOST}/users/auth/openid_connect/callback}\n    ;;\nesac\n\n### 
JWT\nOAUTH_JWT_LABEL=${OAUTH_JWT_LABEL:-'Jwt'}\nOAUTH_JWT_SECRET=${OAUTH_JWT_SECRET:-}\nOAUTH_JWT_ALGORITHM=${OAUTH_JWT_ALGORITHM:-'HS256'}\nOAUTH_JWT_UID_CLAIM=${OAUTH_JWT_UID_CLAIM:-'email'}\nOAUTH_JWT_REQUIRED_CLAIMS=${OAUTH_JWT_REQUIRED_CLAIMS:-'[\"name\", \"email\"]'}\nOAUTH_JWT_INFO_MAP_NAME=${OAUTH_JWT_INFO_MAP_NAME:-'name'}\nOAUTH_JWT_INFO_MAP_EMAIL=${OAUTH_JWT_INFO_MAP_EMAIL:-'email'}\nOAUTH_JWT_AUTH_URL=${OAUTH_JWT_AUTH_URL:-}\nOAUTH_JWT_VALID_WITHIN=${OAUTH_JWT_VALID_WITHIN:-3600}\n\n## ANALYTICS\n\n### GOOGLE\nGOOGLE_ANALYTICS_ID=${GOOGLE_ANALYTICS_ID:-}\n\n### PIWIK\nPIWIK_URL=${PIWIK_URL:-}\nPIWIK_SITE_ID=${PIWIK_SITE_ID:-}\n\n## RACK ATTACK\nRACK_ATTACK_ENABLED=${RACK_ATTACK_ENABLED:-true}\nRACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST:-'[\"127.0.0.1\"]'}\nRACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST// /}\n# Backward compatibility : See sameersbn/docker-gitlab#2828\n# Pre-check: each host is surrounded by single / double quotation\n# if not, generated string will be [127.0.0.1] for example and ruby raises error\nRACK_ATTACK_WHITELIST_ORIGIN=${RACK_ATTACK_WHITELIST}\n# remove [], then iterate entries\nRACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST#\"[\"}\nRACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST%\"]\"}\nIFS_ORG=${IFS}\nIFS=,\nfor host in ${RACK_ATTACK_WHITELIST}; do\n  # Both single / double quotation may be used\n  if ! 
[[ ${host} =~ ^(\\\"|\\').*(\\\"|\\')$ ]]; then\n    RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST/${host}/\\\"${host//(\\'|\\\")/}\\\"}\n  fi\ndone\nIFS=$IFS_ORG\n# surround with []\nRACK_ATTACK_WHITELIST=\"[${RACK_ATTACK_WHITELIST}]\"\nif [[ \"${RACK_ATTACK_WHITELIST}\" != \"${RACK_ATTACK_WHITELIST_ORIGIN}\" ]]; then\n  printf \"[warning] RACK_ATTACK_WHITELIST must be a yaml sequence of hosts.\\nFixing from %s to %s\\n\" \\\n    \"${RACK_ATTACK_WHITELIST_ORIGIN}\" \\\n    \"${RACK_ATTACK_WHITELIST}\"\nfi\nRACK_ATTACK_MAXRETRY=${RACK_ATTACK_MAXRETRY:-10}\nRACK_ATTACK_FINDTIME=${RACK_ATTACK_FINDTIME:-60}\nRACK_ATTACK_BANTIME=${RACK_ATTACK_BANTIME:-3600}\n\n\n## GitLab Pages\nGITLAB_PAGES_ENABLED=${GITLAB_PAGES_ENABLED:-false}\nGITLAB_PAGES_DOMAIN=${GITLAB_PAGES_DOMAIN:-\"example.com\"}\nGITLAB_PAGES_DIR=\"${GITLAB_PAGES_DIR:-$GITLAB_SHARED_DIR/pages}\"\nGITLAB_PAGES_PORT=${GITLAB_PAGES_PORT:-80}\nGITLAB_PAGES_ARTIFACTS_SERVER=${GITLAB_PAGES_ARTIFACTS_SERVER:-true}\nGITLAB_PAGES_ARTIFACTS_SERVER_URL=${GITLAB_PAGES_ARTIFACTS_SERVER_URL:-}\nGITLAB_PAGES_HTTPS=${GITLAB_PAGES_HTTPS:-false}\nGITLAB_PAGES_EXTERNAL_HTTP=${GITLAB_PAGES_EXTERNAL_HTTP:-}\nGITLAB_PAGES_EXTERNAL_HTTPS=${GITLAB_PAGES_EXTERNAL_HTTPS:-}\nGITLAB_PAGES_ACCESS_CONTROL=${GITLAB_PAGES_ACCESS_CONTROL:-false}\nGITLAB_PAGES_ACCESS_CONTROL_SERVER=${GITLAB_PAGES_ACCESS_CONTROL_SERVER:-}\nGITLAB_PAGES_ACCESS_SECRET=${GITLAB_PAGES_ACCESS_SECRET:-}\nGITLAB_PAGES_ACCESS_CLIENT_ID=${GITLAB_PAGES_ACCESS_CLIENT_ID:-}\nGITLAB_PAGES_ACCESS_CLIENT_SECRET=${GITLAB_PAGES_ACCESS_CLIENT_SECRET:-}\nGITLAB_PAGES_ACCESS_REDIRECT_URI=${GITLAB_PAGES_ACCESS_REDIRECT_URI:-}\nGITLAB_PAGES_NGINX_PROXY=${GITLAB_PAGES_NGINX_PROXY:-true}\nGITLAB_PAGES_NAMESPACE_IN_PATH=${GITLAB_PAGES_NAMESPACE_IN_PATH:-false}\nGITLAB_PAGES_LOG_VERBOSE=${GITLAB_PAGES_LOG_VERBOSE:-false}\n\n## 
Gitaly\nGITALY_CLIENT_PATH=${GITALY_CLIENT_PATH:-$GITLAB_GITALY_INSTALL_DIR}\nGITALY_TOKEN=${GITALY_TOKEN:-}\nGITALY_SOCKET_PATH=${GITLAB_INSTALL_DIR}/tmp/sockets/private/gitaly.socket\nGITALY_ADDRESS=${GITALY_ADDRESS:-unix:$GITALY_SOCKET_PATH}\n\n## GitLab Shell\nGITLAB_SHELL_CUSTOM_HOOKS_DIR=${GITLAB_SHELL_CUSTOM_HOOKS_DIR:-\"$GITLAB_SHELL_INSTALL_DIR/hooks\"}\n\n## MONITORING\nGITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL=${GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL:-10}\nGITLAB_MONITORING_IP_WHITELIST=${GITLAB_MONITORING_IP_WHITELIST:-}\nGITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED:-true}\nGITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS:-\"0.0.0.0\"}\nGITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT:-3807}\n\n## Sentry\nSENTRY_ENABLED=${SENTRY_ENABLED:-false}\nSENTRY_DSN=${SENTRY_DSN:-}\nSENTRY_CLIENTSIDE_DSN=${SENTRY_CLIENTSIDE_DSN:-}\nSENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT:-production}\n\n## Content Security Policy\n# See https://guides.rubyonrails.org/security.html#content-security-policy\nGITLAB_CONTENT_SECURITY_POLICY_ENABLED=${GITLAB_CONTENT_SECURITY_POLICY_ENABLED:-true}\nGITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY=${GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY:-false}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI:-}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC:-}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC:-\"'self' http://localhost:* ws://localhost:* 
wss://localhost:*\"}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC:-\"'self'\"}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC:-}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION:-}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS:-\"'self'\"}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC:-\"'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com\"}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC:-\"* data: blob:\"}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC:-}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC:-}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC:-\"'none'\"}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC:-\"'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com\"}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC:-\"'self' 'unsafe-inline'\"}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC:-\"'self' blob:\"}\nGITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI:-}\n\n## Feature 
Flags\nGITLAB_FEATURE_FLAGS_DISABLE_TARGETS=${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS:-}\nGITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-}\n"
  },
  {
    "path": "assets/runtime/functions",
    "content": "#!/bin/bash\nset -e\n\nfor file in /gitlab-configs /run/secrets/gitlab-secrets; do\n\tif [[ -e \"$file\" ]]; then\n\t\techo \"Loading $file\"\n\t\tsource \"$file\"\n\tfi\ndone\necho \"Loading ${GITLAB_RUNTIME_DIR}/env-defaults\"\nsource ${GITLAB_RUNTIME_DIR}/env-defaults\n\nSYSCONF_TEMPLATES_DIR=\"${GITLAB_RUNTIME_DIR}/config\"\nUSERCONF_TEMPLATES_DIR=\"${GITLAB_DATA_DIR}/config\"\n\nGITLAB_CONFIG=\"${GITLAB_INSTALL_DIR}/config/gitlab.yml\"\nGITLAB_DATABASE_CONFIG=\"${GITLAB_INSTALL_DIR}/config/database.yml\"\nGITLAB_PUMA_CONFIG=\"${GITLAB_INSTALL_DIR}/config/puma.rb\"\nGITLAB_RELATIVE_URL_CONFIG=\"${GITLAB_INSTALL_DIR}/config/initializers/relative_url.rb\"\nGITLAB_SMTP_CONFIG=\"${GITLAB_INSTALL_DIR}/config/initializers/smtp_settings.rb\"\nGITLAB_RESQUE_CONFIG=\"${GITLAB_INSTALL_DIR}/config/resque.yml\"\nGITLAB_ACTIONCABLE_CONFIG=\"${GITLAB_INSTALL_DIR}/config/cable.yml\"\nGITLAB_SECRETS_CONFIG=\"${GITLAB_INSTALL_DIR}/config/secrets.yml\"\nGITLAB_ROBOTS_CONFIG=\"${GITLAB_INSTALL_DIR}/public/robots.txt\"\nGITLAB_SHELL_CONFIG=\"${GITLAB_SHELL_INSTALL_DIR}/config.yml\"\nGITLAB_NGINX_CONFIG=\"/etc/nginx/conf.d/gitlab.conf\"\nGITLAB_CI_NGINX_CONFIG=\"/etc/nginx/conf.d/gitlab_ci.conf\"\nGITLAB_REGISTRY_NGINX_CONFIG=\"/etc/nginx/conf.d/gitlab-registry.conf\"\nGITLAB_PAGES_NGINX_CONFIG=\"/etc/nginx/conf.d/gitlab-pages.conf\"\nGITLAB_PAGES_CONFIG=\"${GITLAB_INSTALL_DIR}/gitlab-pages-config\"\nGITLAB_GITALY_CONFIG=\"${GITLAB_GITALY_INSTALL_DIR}/config.toml\"\n\n# Compares two version strings `a` and `b`\n# Returns\n#   - negative integer, if `a` is less than `b`\n#   - 0, if `a` and `b` are equal\n#   - non-negative integer, if `a` is greater than `b`\nvercmp() {\n  expr '(' \"$1\" : '\\([^.]*\\)' ')' '-' '(' \"$2\" : '\\([^.]*\\)' ')' '|' \\\n       '(' \"$1.0\" : '[^.]*[.]\\([^.]*\\)' ')' '-' '(' \"$2.0\" : '[^.]*[.]\\([^.]*\\)' ')' '|' \\\n       '(' \"$1.0.0\" : '[^.]*[.][^.]*[.]\\([^.]*\\)' ')' '-' '(' \"$2.0.0\" : '[^.]*[.][^.]*[.]\\([^.]*\\)' ')' '|' 
\\\n       '(' \"$1.0.0.0\" : '[^.]*[.][^.]*[.][^.]*[.]\\([^.]*\\)' ')' '-' '(' \"$2.0.0.0\" : '[^.]*[.][^.]*[.][^.]*[.]\\([^.]*\\)' ')'\n}\n\n## Execute a command as GITLAB_USER\nexec_as_git() {\n  if [[ $(whoami) == ${GITLAB_USER} ]]; then\n    $@\n  else\n    sudo -HEu ${GITLAB_USER} \"$@\"\n  fi\n}\n\n## Copies configuration template to the destination as the specified USER\n### Looks up for overrides in ${USERCONF_TEMPLATES_DIR} before using the defaults from ${SYSCONF_TEMPLATES_DIR}\n# $1: copy-as user\n# $2: source file\n# $3: destination location\n# $4: mode of destination\ninstall_template() {\n  local OWNERSHIP=${1}\n  local SRC=${2}\n  local DEST=${3}\n  local MODE=${4:-0644}\n  if [[ -f ${USERCONF_TEMPLATES_DIR}/${SRC} ]]; then\n    cp ${USERCONF_TEMPLATES_DIR}/${SRC} ${DEST}\n  elif [[ -f ${SYSCONF_TEMPLATES_DIR}/${SRC} ]]; then\n    cp ${SYSCONF_TEMPLATES_DIR}/${SRC} ${DEST}\n  fi\n  chmod ${MODE} ${DEST}\n  chown ${OWNERSHIP} ${DEST}\n}\n\n## Replace placeholders with values\n# $1: file with placeholders to replace\n# $x: placeholders to replace\nupdate_template() {\n  local FILE=${1?missing argument}\n  shift\n\n  [[ ! 
-f ${FILE} ]] && return 1\n\n  local VARIABLES=($@)\n  local USR=$(stat -c %U ${FILE})\n  local tmp_file=$(mktemp)\n  cp -a \"${FILE}\" ${tmp_file}\n\n  local variable\n  for variable in ${VARIABLES[@]}; do\n    # Keep the compatibilty: {{VAR}} => ${VAR}\n    sed -ri \"s/[{]{2}$variable[}]{2}/\\${$variable}/g\" ${tmp_file}\n  done\n\n  # Replace placeholders\n  (\n    export ${VARIABLES[@]}\n    local IFS=\":\"; sudo -HEu ${USR} envsubst \"${VARIABLES[*]/#/$}\" < ${tmp_file} > ${FILE}\n  )\n  rm -f ${tmp_file}\n}\n\ngitlab_finalize_database_parameters() {\n  # is a postgresql database linked?\n  # requires that the postgresql containers have exposed port 5432.\n  DB_HOST=${DB_HOST:-${POSTGRESQL_PORT_5432_TCP_ADDR}}\n  DB_PORT=${DB_PORT:-${POSTGRESQL_PORT_5432_TCP_PORT}}\n\n  # support for linked official postgres image\n  DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRES_USER}}\n  DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRES_PASSWORD}}\n  DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_DB}}\n  DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_USER}}\n\n  # support for linked sameersbn/postgresql image\n  DB_USER=${DB_USER:-${POSTGRESQL_ENV_DB_USER}}\n  DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_DB_PASS}}\n  DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB_NAME}}\n\n  # support for linked orchardup/postgresql image\n  DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRESQL_USER}}\n  DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRESQL_PASS}}\n  DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRESQL_DB}}\n\n  # support for linked paintedfox/postgresql image\n  DB_USER=${DB_USER:-${POSTGRESQL_ENV_USER}}\n  DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_PASS}}\n  DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB}}\n\n\n  if [[ -z ${DB_HOST} ]]; then\n    echo\n    echo \"ERROR: \"\n    echo \"  Please configure the database connection.\"\n    echo \"  Refer http://git.io/wkYhyA for more information.\"\n    echo \"  Cannot continue without a database. 
Aborting...\"\n    echo\n    return 1\n  fi\n\n  # set default port number if not specified\n  DB_PORT=${DB_PORT:-5432}\n\n  DB_ENCODING=${DB_ENCODING:-unicode}\n\n  # set default user and database\n  DB_USER=${DB_USER:-root}\n  DB_NAME=${DB_NAME:-gitlabhq_production}\n}\n\ngitlab_check_database_connection() {\n\n  prog=$(command -v pg_isready)\n  prog=\"${prog} -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -t 1\"\n\n  timeout=60\n  while ! ${prog} >/dev/null 2>&1\n  do\n    timeout=$(expr $timeout - 1)\n    if [[ $timeout -eq 0 ]]; then\n      echo\n      echo \"Could not connect to database server. Aborting...\"\n      return 1\n    fi\n    echo -n \".\"\n    sleep 1\n  done\n  echo\n}\n\ngitlab_generate_postgresqlrc() {\n  echo \"Configuring /home/${GITLAB_USER}/.postgresqlrc to avoid version mismatch on dumping\"\n  # server_version_num property is a number built from version string:\n  # https://www.postgresql.org/docs/15/libpq-status.html#LIBPQ-PQSERVERVERSION \n  # > The result is formed by multiplying the server's major version number by 10000 and adding the minor version number. \n  # > For example, version 10.1 will be returned as 100001, and version 11.0 will be returned as 110000. 
Zero is returned if the connection is bad.\n  # >\n  # > Prior to major version 10, PostgreSQL used three-part version numbers in which the first two parts together represented the major version.\n  # > For those versions, PQserverVersion uses two digits for each part;\n  # > for example version 9.1.5 will be returned as 90105, and version 9.2.0 will be returned as 90200.\n  #\n  # This difference also appends to apt package name.\n  # For example, in ubuntu:focal, postgresql-client-{8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 10, 11, 12, 13, 14, 15} are available.\n  # \n  DB_SERVER_VERSION=$(PGPASSWORD=${DB_PASS} psql -h \"${DB_HOST}\" -p \"${DB_PORT}\" -U \"${DB_USER}\" -d \"${DB_NAME}\" -Atw -c \"SHOW server_version_num\")\n  if [[ \"${DB_SERVER_VERSION}\" -eq 0 ]]; then\n    echo\n    echo \"Could not retrieve database server version correctly. Aborting...\"\n    return 1\n  fi\n\n  echo \"- Detected server version: ${DB_SERVER_VERSION}\"\n\n  # Anyway, we can get major version (8, 9, 10 and so on) by dividing by 10000.\n  # DB_SERVER_VERSION_MAJOR=${DB_SERVER_VERSION%%.*}\n  DB_SERVER_VERSION_MAJOR=$((DB_SERVER_VERSION/10000))\n  DB_CLIENT_VERSION_PACKAGE_NAME=\n\n  if [[ \"${DB_SERVER_VERSION_MAJOR}\" -ge 10 ]]; then\n    # v10 or later: use \"rought major version\" as version number in package name\n    DB_CLIENT_VERSION_PACKAGE_NAME=${DB_SERVER_VERSION_MAJOR}\n  else\n    # prior to v10: convert\n    # FIXME: rough implementation\n    # It exploits the fact that there is no version such as 9.10, and it lacks versatility.\n    # divide by 100, then replace first 0 to comma\n    DB_CLIENT_VERSION_PACKAGE_NAME=$((DB_SERVER_VERSION/100))\n    DB_CLIENT_VERSION_PACKAGE_NAME=${DB_CLIENT_VERSION_PACKAGE_NAME/0/.}\n  fi\n\n  # if exact-match client not found, select latest version from installed clients\n  if [[ \"$(apt-cache pkgnames postgresql-client | grep -e \"-${DB_CLIENT_VERSION_PACKAGE_NAME}\" | wc -l)\" -ne 1 ]]; then\n    LATEST_CLIENT=\"$(apt-cache 
pkgnames postgresql-client | grep -v -e \"-common\" | sort --version-sort | tail -n1)\"\n    DB_CLIENT_VERSION_PACKAGE_NAME=${LATEST_CLIENT/postgresql-client-/}\n    echo \"gitlab_generate_postgresqlrc(): WARNING - Suitable client not installed. postgresql-client-${DB_CLIENT_VERSION_PACKAGE_NAME} will be used but you may face issue (database in backup will be empty, for example)\"\n  fi\n\n  # generate ~/.postgresqlrc to switch client version\n  GITLAB_USER_POSTGRESQLRC=\"/home/${GITLAB_USER}/.postgresqlrc\"\n  echo \"- Generating ${GITLAB_USER_POSTGRESQLRC}\"\n  echo \"${DB_CLIENT_VERSION_PACKAGE_NAME} ${DB_HOST}:${DB_PORT} ${DB_NAME}\" | exec_as_git tee \"${GITLAB_USER_POSTGRESQLRC}\"\n}\n\ngitlab_uninstall_unused_database_client() {\n  if [[ -f \"/home/${GITLAB_USER}/.postgresqlrc\" ]]; then\n    # refer to /home/${GITLAB_USER}/.postgresqlrc and pick up versions in use\n    # .postgresqlrc contains the following information per line\n    #   database_major_version host:port database_name\n    # - ignore lines starting with # by specifying pattern /^[^#]/\n    # - first field is the version number in use.\n    # - concat all lines into a single string. 
convert newline to \\|\n    #   this is escaped regex \"OR\"\n    # now we got the following regex that can be used as an option to grep:\n    #   \\|-12\\|-13\n    DB_CLIENT_VERSIONS_IN_USE=\"$(awk '/^[^#]/ {printf(\"\\|-%s\",$1)}' \"/home/${GITLAB_USER}/.postgresqlrc\")\"\n\n    # we also need to keep postgresql-client-common package to switch based on ~/.postgresqlrc\n    REGEX_DB_CLIENT_VERSIONS_IN_USE=\"-common${DB_CLIENT_VERSIONS_IN_USE}\"\n\n    # remove unused client using regex above\n    # grep may return non-zero code on mo match, so fake the exit code with the `|| true` to swallow that\n    UNUSED_DB_CLIENTS=$(apt-cache pkgnames postgresql-client | grep -v -e \"${REGEX_DB_CLIENT_VERSIONS_IN_USE}\" || true)\n    if [[ \"${UNUSED_DB_CLIENTS}\" == \"\" ]]; then\n      echo \"- All installed version of clients are in use. Did not uninstalled any client...\"\n      return\n    fi\n\n    # just to get clean log, convert newline (package name delimiter) to single whitespace\n    UNUSED_DB_CLIENTS=$(echo ${UNUSED_DB_CLIENTS} | tr '\\n' ' ')\n\n    echo \"- Uninstalling unused client(s): ${UNUSED_DB_CLIENTS}\"\n    DEBIAN_FRONTEND=noninteractive apt-get -qq -y purge -- ${UNUSED_DB_CLIENTS} >/dev/null\n  fi\n}\n\ngitlab_configure_database() {\n  echo -n \"Configuring gitlab::database\"\n\n  gitlab_finalize_database_parameters\n  gitlab_check_database_connection\n  gitlab_generate_postgresqlrc\n  gitlab_uninstall_unused_database_client\n\n  update_template ${GITLAB_DATABASE_CONFIG} \\\n    DB_ENCODING \\\n    DB_HOST \\\n    DB_PORT \\\n    DB_NAME \\\n    DB_USER \\\n    DB_PASS \\\n    DB_POOL \\\n    DB_PREPARED_STATEMENTS\n}\n\ngitlab_finalize_redis_parameters() {\n  # is a redis container linked?\n  if [[ -n ${REDISIO_PORT_6379_TCP_ADDR} ]]; then\n    REDIS_HOST=${REDIS_HOST:-${REDISIO_PORT_6379_TCP_ADDR}}\n    REDIS_PORT=${REDIS_PORT:-${REDISIO_PORT_6379_TCP_PORT}}\n  fi\n\n  # set default redis port if not specified\n  REDIS_PORT=${REDIS_PORT:-6379}\n\n  if 
[[ -z ${REDIS_HOST} ]]; then\n    echo\n    echo \"ERROR: \"\n    echo \"  Please configure the redis connection.\"\n    echo \"  Refer http://git.io/PMnRSw for more information.\"\n    echo \"  Cannot continue without a redis connection. Aborting...\"\n    echo\n    return 1\n  fi\n}\n\ngitlab_check_redis_connection() {\n  timeout=60\n  while ! redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -n ${REDIS_DB_NUMBER} ping >/dev/null 2>&1\n  do\n    timeout=$(expr $timeout - 1)\n    if [[ $timeout -eq 0 ]]; then\n      echo \"\"\n      echo \"Could not connect to redis server. Aborting...\"\n      return 1\n    fi\n    echo -n \".\"\n    sleep 1\n  done\n  echo\n}\n\ngitlab_configure_redis() {\n  echo -n \"Configuring gitlab::redis\"\n\n  gitlab_finalize_redis_parameters\n  gitlab_check_redis_connection\n\n  update_template ${GITLAB_RESQUE_CONFIG} \\\n    REDIS_HOST \\\n    REDIS_PORT \\\n    REDIS_DB_NUMBER\n}\n\ngitlab_configure_actioncable() {\n  echo -n \"Configuring gitlab::actioncable\"\n\n  gitlab_finalize_redis_parameters\n  gitlab_check_redis_connection\n\n  update_template ${GITLAB_ACTIONCABLE_CONFIG} \\\n    REDIS_HOST \\\n    REDIS_PORT \\\n    REDIS_DB_NUMBER\n}\n\ngitlab_configure_gitaly() {\n  echo \"Configuring gitlab::gitaly...\"\n  update_template ${GITLAB_GITALY_CONFIG} \\\n    GITALY_SOCKET_PATH \\\n    GITLAB_GITALY_INSTALL_DIR \\\n    GITLAB_LOG_DIR \\\n    GITLAB_REPOS_DIR \\\n    GITLAB_SHELL_INSTALL_DIR \\\n    GITLAB_RELATIVE_URL_ROOT\n\n  update_template ${GITLAB_CONFIG} \\\n    GITALY_CLIENT_PATH \\\n    GITALY_TOKEN\n\n}\n\ngitlab_configure_monitoring() {\n  echo \"Configuring gitlab::monitoring...\"\n\n  if [ \"${GITLAB_MONITORING_IP_WHITELIST}\" == \"\" ]; then\n    exec_as_git sed -i \"/{{GITLAB_MONITORING_IP_WHITELIST}}/d\" ${GITLAB_CONFIG}\n  fi\n\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \\\n    GITLAB_MONITORING_IP_WHITELIST \\\n    GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED \\\n    
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS \\\n    GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT\n}\n\ngitlab_configure_gitlab_workhorse() {\n  echo \"Configuring gitlab::gitlab-workhorse...\"\n  update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \\\n    GITLAB_RELATIVE_URL_ROOT \\\n    GITLAB_WORKHORSE_TIMEOUT\n}\n\ngitlab_configure_puma() {\n  echo \"Configuring gitlab::puma...\"\n  if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then\n    update_template ${GITLAB_PUMA_CONFIG} GITLAB_RELATIVE_URL_ROOT\n  else\n    exec_as_git sed -i \"/{{GITLAB_RELATIVE_URL_ROOT}}/d\" ${GITLAB_PUMA_CONFIG}\n  fi\n\n  update_template ${GITLAB_PUMA_CONFIG} \\\n    GITLAB_INSTALL_DIR \\\n    PUMA_THREADS_MIN \\\n    PUMA_THREADS_MAX \\\n    PUMA_WORKERS \\\n    PUMA_PER_WORKER_MAX_MEMORY_MB \\\n    PUMA_MASTER_MAX_MEMORY_MB \\\n    PUMA_TIMEOUT\n}\n\ngitlab_configure_relative_url() {\n  if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then\n    echo \"Configuring gitlab::relative_url...\"\n    update_template ${GITLAB_RELATIVE_URL_CONFIG} GITLAB_RELATIVE_URL_ROOT\n  fi\n}\n\ngitlab_configure_trusted_proxies() {\n  if [[ -n ${GITLAB_TRUSTED_PROXIES} ]]; then\n    echo \"Configuring gitlab::trusted_proxies...\"\n    update_template ${GITLAB_CONFIG} GITLAB_TRUSTED_PROXIES\n  else\n    exec_as_git sed -i \"/{{GITLAB_TRUSTED_PROXIES}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_timezone() {\n  echo \"Configuring gitlab::timezone...\"\n  update_template ${GITLAB_CONFIG} GITLAB_TIMEZONE\n}\n\ngitlab_configure_mail_delivery() {\n  if [[ ${SMTP_ENABLED} == true ]]; then\n    echo \"Configuring gitlab::smtp_settings...\"\n\n    if [[ -z \"${SMTP_USER}\" ]]; then\n      exec_as_git sed -i \\\n        -e '/{{SMTP_USER}}/d' \\\n        -e '/{{SMTP_PASS}}/d' \\\n        ${GITLAB_SMTP_CONFIG}\n    else\n      if [[ -z \"${SMTP_PASS}\" ]]; then\n        exec_as_git sed -i '/{{SMTP_PASS}}/d' ${GITLAB_SMTP_CONFIG}\n      fi\n    fi\n\n    update_template ${GITLAB_SMTP_CONFIG} \\\n      SMTP_USER \\\n      
SMTP_PASS \\\n      SMTP_HOST \\\n      SMTP_PORT \\\n      SMTP_DOMAIN \\\n      SMTP_STARTTLS \\\n      SMTP_TLS \\\n      SMTP_OPENSSL_VERIFY_MODE\n\n    case ${SMTP_AUTHENTICATION} in\n      \"\") exec_as_git sed -i \"/{{SMTP_AUTHENTICATION}}/d\" ${GITLAB_SMTP_CONFIG} ;;\n      *) update_template ${GITLAB_SMTP_CONFIG} SMTP_AUTHENTICATION ;;\n    esac\n\n    if [[ ${SMTP_CA_ENABLED} == true ]]; then\n      if [[ -d ${SMTP_CA_PATH} ]]; then\n        update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_PATH\n      fi\n      if [[ -f ${SMTP_CA_FILE} ]]; then\n        update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_FILE\n      fi\n    else\n      exec_as_git sed -i \\\n        -e \"/{{SMTP_CA_PATH}}/d\" \\\n        -e \"/{{SMTP_CA_FILE}}/d\" \\\n        ${GITLAB_SMTP_CONFIG}\n    fi\n  fi\n\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_EMAIL_ENABLED \\\n    GITLAB_EMAIL \\\n    GITLAB_EMAIL_DISPLAY_NAME \\\n    GITLAB_EMAIL_REPLY_TO \\\n    GITLAB_EMAIL_SUBJECT_SUFFIX\n\n  if [[ ${GITLAB_EMAIL_SMIME_ENABLE} == true ]]; then\n    exec_as_git sed -i \"/#start-email-smime/d\" ${GITLAB_CONFIG}\n    exec_as_git sed -i \"/#end-email-smime/d\" ${GITLAB_CONFIG}\n    update_template ${GITLAB_CONFIG} \\\n      GITLAB_EMAIL_SMIME_ENABLE \\\n      GITLAB_EMAIL_SMIME_KEY_FILE \\\n      GITLAB_EMAIL_SMIME_CERT_FILE\n  else\n    exec_as_git sed -i \"/#start-email-smime/,/#end-email-smime/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_mailroom() {\n  if [[ ${IMAP_ENABLED} == true ]]; then\n    echo \"Configuring gitlab::incoming_email...\"\n\n    if [[ -z \"${IMAP_USER}\" ]]; then\n      exec_as_git sed -i \\\n        -e '/{{IMAP_USER}}/d' \\\n        -e '/{{IMAP_PASS}}/d' \\\n        ${GITLAB_CONFIG}\n    else\n      if [[ -z \"${IMAP_PASS}\" ]]; then\n        exec_as_git sed -i '/{{IMAP_PASS}}/d' ${GITLAB_CONFIG}\n      fi\n    fi\n  else\n    exec_as_git sed -i \\\n      -e \"/{{IMAP_USER}}/d\" \\\n      -e \"/{{IMAP_PASS}}/d\" \\\n      -e \"/{{IMAP_HOST}}/d\" \\\n      -e 
\"/{{IMAP_PORT}}/d\" \\\n      -e \"/{{IMAP_SSL}}/d\" \\\n      -e \"/{{IMAP_STARTTLS}}/d\" \\\n      -e \"/{{IMAP_MAILBOX}}/d\" \\\n      -e \"/{{IMAP_TIMEOUT}}/d\" \\\n      ${GITLAB_CONFIG}\n  fi\n\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_INCOMING_EMAIL_ADDRESS \\\n    GITLAB_INCOMING_EMAIL_ENABLED \\\n    IMAP_USER \\\n    IMAP_PASS \\\n    IMAP_HOST \\\n    IMAP_PORT \\\n    IMAP_SSL \\\n    IMAP_STARTTLS \\\n    IMAP_MAILBOX \\\n    IMAP_TIMEOUT\n\n  # enable/disable startup of mailroom\n  echo \"mail_room_enabled=${GITLAB_INCOMING_EMAIL_ENABLED}\" >> /etc/default/gitlab\n  update_template /etc/supervisor/conf.d/mail_room.conf GITLAB_INCOMING_EMAIL_ENABLED\n}\n\ngitlab_configure_ldap() {\n  echo \"Configuring gitlab::ldap...\"\n  update_template ${GITLAB_CONFIG} \\\n    LDAP_ENABLED \\\n    LDAP_HOST \\\n    LDAP_PORT \\\n    LDAP_UID \\\n    LDAP_METHOD \\\n    LDAP_VERIFY_SSL \\\n    LDAP_CA_FILE \\\n    LDAP_SSL_VERSION \\\n    LDAP_BIND_DN \\\n    LDAP_PASS \\\n    LDAP_TIMEOUT \\\n    LDAP_ACTIVE_DIRECTORY \\\n    LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN \\\n    LDAP_BLOCK_AUTO_CREATED_USERS \\\n    LDAP_BASE \\\n    LDAP_USER_FILTER \\\n    LDAP_LOWERCASE_USERNAMES \\\n    LDAP_USER_ATTRIBUTE_USERNAME \\\n    LDAP_USER_ATTRIBUTE_MAIL \\\n    LDAP_USER_ATTRIBUTE_NAME \\\n    LDAP_USER_ATTRIBUTE_FIRSTNAME \\\n    LDAP_USER_ATTRIBUTE_LASTNAME \\\n    LDAP_LABEL \\\n    LDAP_PREVENT_LDAP_SIGN_IN\n}\n\ngitlab_configure_oauth_cas3() {\n  if [[ -n ${OAUTH_CAS3_SERVER} ]]; then\n    echo \"Configuring gitlab::oauth::cas3...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_CAS3_LABEL \\\n      OAUTH_CAS3_SERVER \\\n      OAUTH_CAS3_DISABLE_SSL_VERIFICATION \\\n      OAUTH_CAS3_LOGIN_URL \\\n      OAUTH_CAS3_VALIDATE_URL \\\n      OAUTH_CAS3_LOGOUT_URL\n  else\n    exec_as_git sed -i \"/name: 'cas3'/,/{{OAUTH_CAS3_LOGOUT_URL}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_google() {\n  if [[ -n 
${OAUTH_GOOGLE_API_KEY} && -n ${OAUTH_GOOGLE_APP_SECRET} ]]; then\n    echo \"Configuring gitlab::oauth::google...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    if [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then\n      update_template ${GITLAB_CONFIG} \\\n        OAUTH_GOOGLE_API_KEY \\\n        OAUTH_GOOGLE_APP_SECRET \\\n        OAUTH_GOOGLE_RESTRICT_DOMAIN \\\n        OAUTH_GOOGLE_APPROVAL_PROMPT\n    else\n      exec_as_git sed -i \"/ hd\\: \\[{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}\\]/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"s/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}',/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}' } }/\" ${GITLAB_CONFIG}\n      update_template ${GITLAB_CONFIG} \\\n        OAUTH_GOOGLE_API_KEY \\\n        OAUTH_GOOGLE_APP_SECRET \\\n        OAUTH_GOOGLE_APPROVAL_PROMPT\n    fi\n  else\n    exec_as_git sed -i \"/name: 'google_oauth2'/,/{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_facebook() {\n  if [[ -n ${OAUTH_FACEBOOK_API_KEY} && -n ${OAUTH_FACEBOOK_APP_SECRET} ]]; then\n    echo \"Configuring gitlab::oauth::facebook...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_FACEBOOK_API_KEY \\\n      OAUTH_FACEBOOK_APP_SECRET\n  else\n    exec_as_git sed -i \"/name: 'facebook'/,/{{OAUTH_FACEBOOK_APP_SECRET}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_twitter() {\n  if [[ -n ${OAUTH_TWITTER_API_KEY} && -n ${OAUTH_TWITTER_APP_SECRET} ]]; then\n    echo \"Configuring gitlab::oauth::twitter...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_TWITTER_API_KEY \\\n      OAUTH_TWITTER_APP_SECRET\n  else\n    exec_as_git sed -i \"/name: 'twitter'/,/{{OAUTH_TWITTER_APP_SECRET}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_authentiq() {\n  if [[ -n ${OAUTH_AUTHENTIQ_CLIENT_ID} && -n ${OAUTH_AUTHENTIQ_CLIENT_SECRET} ]]; then\n    echo \"Configuring 
gitlab::oauth::authentiq...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_AUTHENTIQ_CLIENT_ID \\\n      OAUTH_AUTHENTIQ_CLIENT_SECRET \\\n      OAUTH_AUTHENTIQ_SCOPE \\\n      OAUTH_AUTHENTIQ_REDIRECT_URI\n  else\n    exec_as_git sed -i \"/name: 'authentiq'/,/{{OAUTH_AUTHENTIQ_SCOPE}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_github() {\n  if [[ -n ${OAUTH_GITHUB_API_KEY} && -n ${OAUTH_GITHUB_APP_SECRET} ]]; then\n    echo \"Configuring gitlab::oauth::github...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_GITHUB_API_KEY \\\n      OAUTH_GITHUB_APP_SECRET \\\n      OAUTH_GITHUB_URL \\\n      OAUTH_GITHUB_VERIFY_SSL \\\n      OAUTH_GITHUB_SCOPE\n  else\n    exec_as_git sed -i \"/name: 'github'/,/{{OAUTH_GITHUB_SCOPE}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_gitlab() {\n  if [[ -n ${OAUTH_GITLAB_API_KEY} && -n ${OAUTH_GITLAB_APP_SECRET} ]]; then\n    echo \"Configuring gitlab::oauth::gitlab...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_GITLAB_API_KEY \\\n      OAUTH_GITLAB_APP_SECRET \\\n      OAUTH_GITLAB_SCOPE\n  else\n    exec_as_git sed -i \"/name: 'gitlab'/,/{{OAUTH_GITLAB_SCOPE}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_bitbucket() {\n  if [[ -n ${OAUTH_BITBUCKET_API_KEY} && -n ${OAUTH_BITBUCKET_APP_SECRET} ]]; then\n    echo \"Configuring gitlab::oauth::bitbucket...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_BITBUCKET_API_KEY \\\n      OAUTH_BITBUCKET_APP_SECRET \\\n      OAUTH_BITBUCKET_URL\n  else\n    exec_as_git sed -i \"/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_URL}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_saml_attribute_statements() {\n  if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} ]]; then\n    echo \"Configuring gitlab::oauth::saml::attribute_statements...\"\n    update_template 
${GITLAB_CONFIG} \\\n      OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL \\\n      OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME \\\n      OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME \\\n      OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME \\\n      OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME\n    # Remove undefined optional attributes\n    exec_as_git sed -i \"/email: \\\\[''\\\\],/d\" ${GITLAB_CONFIG}\n    exec_as_git sed -i \"/name: \\\\[''\\\\],/d\" ${GITLAB_CONFIG}\n    exec_as_git sed -i \"/username: \\\\[''\\\\],/d\" ${GITLAB_CONFIG}\n    exec_as_git sed -i \"/first_name: \\\\[''\\\\],/d\" ${GITLAB_CONFIG}\n    exec_as_git sed -i \"/last_name: \\\\[''\\\\],/d\" ${GITLAB_CONFIG}\n  else\n    exec_as_git sed -i \"/attribute_statements:/,/{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_saml() {\n  if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \\\n        -n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \\\n        -n ${OAUTH_SAML_IDP_SSO_TARGET_URL} && \\\n        -n ${OAUTH_SAML_ISSUER} && \\\n        -n ${OAUTH_SAML_NAME_IDENTIFIER_FORMAT} ]]; then\n    echo \"Configuring gitlab::oauth::saml...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_SAML_LABEL \\\n      OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL \\\n      OAUTH_SAML_IDP_CERT_FINGERPRINT \\\n      OAUTH_SAML_IDP_SSO_TARGET_URL \\\n      OAUTH_SAML_ISSUER \\\n      OAUTH_SAML_NAME_IDENTIFIER_FORMAT \\\n      OAUTH_SAML_GROUPS_ATTRIBUTE \\\n      OAUTH_SAML_EXTERNAL_GROUPS\n    exec_as_git sed -i \"/groups_attribute: '',/d\" ${GITLAB_CONFIG}\n    exec_as_git sed -i \"/external_groups: \\\\[\\\\],/d\" ${GITLAB_CONFIG}\n    gitlab_configure_oauth_saml_attribute_statements\n  else\n    exec_as_git sed -i \"/name: 'saml'/,/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth2_generic() {\n  if [[ -n ${OAUTH2_GENERIC_APP_ID} && \\\n        -n ${OAUTH2_GENERIC_APP_SECRET} ]]; then\n    echo 
\"Configuring gitlab::oauth::generic...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n    OAUTH2_GENERIC_APP_ID \\\n    OAUTH2_GENERIC_APP_SECRET \\\n    OAUTH2_GENERIC_CLIENT_SITE \\\n    OAUTH2_GENERIC_CLIENT_USER_INFO_URL \\\n    OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL \\\n    OAUTH2_GENERIC_CLIENT_TOKEN_URL \\\n    OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT \\\n    OAUTH2_GENERIC_ID_PATH \\\n    OAUTH2_GENERIC_USER_UID \\\n    OAUTH2_GENERIC_USER_NAME \\\n    OAUTH2_GENERIC_USER_EMAIL \\\n    OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE \\\n    OAUTH2_GENERIC_LABEL \\\n    OAUTH2_GENERIC_NAME\n  else\n      exec_as_git sed -i \"/name: 'oauth2_generic'/,/{{OAUTH2_GENERIC_NAME}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_crowd() {\n  if [[ -n ${OAUTH_CROWD_SERVER_URL} && \\\n        -n ${OAUTH_CROWD_APP_NAME} && \\\n        -n ${OAUTH_CROWD_APP_PASSWORD} ]]; then\n    echo \"Configuring gitlab::oauth::crowd...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_CROWD_SERVER_URL \\\n      OAUTH_CROWD_APP_NAME \\\n      OAUTH_CROWD_APP_PASSWORD\n  else\n    exec_as_git sed -i \"/name: 'crowd'/,/{{OAUTH_CROWD_APP_PASSWORD}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_auth0() {\n  if [[ -n ${OAUTH_AUTH0_CLIENT_ID} && \\\n        -n ${OAUTH_AUTH0_CLIENT_SECRET} && \\\n\t-n ${OAUTH_AUTH0_SCOPE} && \\\n        -n ${OAUTH_AUTH0_DOMAIN} ]]; then\n    echo \"Configuring gitlab::oauth::auth0...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_AUTH0_CLIENT_ID \\\n      OAUTH_AUTH0_CLIENT_SECRET \\\n      OAUTH_AUTH0_DOMAIN \\\n      OAUTH_AUTH0_SCOPE\n  else\n    exec_as_git sed -i \"/name: 'auth0'/,/{{OAUTH_AUTH0_SCOPE}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_azure() {\n  if [[ -n ${OAUTH_AZURE_API_KEY} && \\\n        -n ${OAUTH_AZURE_API_SECRET} && \\\n        -n ${OAUTH_AZURE_TENANT_ID} ]]; then\n    echo 
\"Configuring gitlab::oauth::azure...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_AZURE_API_KEY \\\n      OAUTH_AZURE_API_SECRET \\\n      OAUTH_AZURE_TENANT_ID\n  else\n    exec_as_git sed -i \"/name: 'azure_oauth2'/,/{{OAUTH_AZURE_TENANT_ID}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_azure_ad_v2() {\n  # we don't check if OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL because it is optional\n  if [[ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID} && \\\n        -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET} && \\\n        -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID} ]]; then\n    echo \"Configuring gitlab::oauth::azure_activedirectory_v2...\"\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL \\\n      OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID \\\n      OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET \\\n      OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID\n  else\n    exec_as_git sed -i \"/name: 'azure_activedirectory_v2'/,/{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_oidc() {\n  if [[ -n ${OAUTH_OIDC_ISSUER} && \\\n        -n ${OAUTH_OIDC_CLIENT_ID} ]]; then\n    echo \"Configuring gitlab::oauth::oidc...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_OIDC_LABEL \\\n      OAUTH_OIDC_ICON \\\n      OAUTH_OIDC_SCOPE \\\n      OAUTH_OIDC_RESPONSE_TYPE \\\n      OAUTH_OIDC_ISSUER \\\n      OAUTH_OIDC_DISCOVERY \\\n      OAUTH_OIDC_CLIENT_AUTH_METHOD \\\n      OAUTH_OIDC_UID_FIELD \\\n      OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP \\\n      OAUTH_OIDC_PKCE \\\n      OAUTH_OIDC_CLIENT_ID \\\n      OAUTH_OIDC_CLIENT_SECRET \\\n      OAUTH_OIDC_REDIRECT_URI\n  else\n    exec_as_git sed -i \"/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth_jwt() {\n  if [[ -n ${OAUTH_JWT_SECRET} && \\\n        -n ${OAUTH_JWT_AUTH_URL} ]]; 
then\n    echo \"Configuring gitlab::oauth::jwt...\"\n    OAUTH_ENABLED=${OAUTH_ENABLED:-true}\n    update_template ${GITLAB_CONFIG} \\\n      OAUTH_JWT_LABEL \\\n      OAUTH_JWT_SECRET \\\n      OAUTH_JWT_ALGORITHM \\\n      OAUTH_JWT_UID_CLAIM \\\n      OAUTH_JWT_REQUIRED_CLAIMS \\\n      OAUTH_JWT_INFO_MAP_NAME \\\n      OAUTH_JWT_INFO_MAP_EMAIL \\\n      OAUTH_JWT_AUTH_URL \\\n      OAUTH_JWT_VALID_WITHIN\n  else\n    exec_as_git sed -i \"/name: 'jwt'/,/{{OAUTH_JWT_VALID_WITHIN}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_oauth() {\n  echo \"Configuring gitlab::oauth...\"\n\n  gitlab_configure_oauth_cas3\n  gitlab_configure_oauth_google\n  gitlab_configure_oauth_facebook\n  gitlab_configure_oauth_twitter\n  gitlab_configure_oauth_authentiq\n  gitlab_configure_oauth_github\n  gitlab_configure_oauth_gitlab\n  gitlab_configure_oauth_bitbucket\n  gitlab_configure_oauth_saml\n  gitlab_configure_oauth2_generic\n  gitlab_configure_oauth_crowd\n  gitlab_configure_oauth_auth0\n  gitlab_configure_oauth_azure\n  gitlab_configure_oauth_azure_ad_v2\n  gitlab_configure_oauth_oidc\n  gitlab_configure_oauth_jwt\n\n  OAUTH_ENABLED=${OAUTH_ENABLED:-false}\n  update_template ${GITLAB_CONFIG} \\\n    OAUTH_ENABLED \\\n    OAUTH_ALLOW_SSO \\\n    OAUTH_BLOCK_AUTO_CREATED_USERS \\\n    OAUTH_AUTO_LINK_LDAP_USER \\\n    OAUTH_AUTO_LINK_SAML_USER \\\n    OAUTH_AUTO_LINK_USER \\\n    OAUTH_EXTERNAL_PROVIDERS \\\n    OAUTH_ALLOW_BYPASS_TWO_FACTOR\n\n  case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in\n    cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc|jwt)\n      update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER\n      ;;\n    *)\n      exec_as_git sed -i \"/{{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}}/d\" ${GITLAB_CONFIG}\n      ;;\n  esac\n}\n\ngitlab_configure_secrets() {\n  echo \"Configuring gitlab::secrets...\"\n  if [[ -z $GITLAB_SECRETS_DB_KEY_BASE ]]; then\n    echo 
\"ERROR: \"\n    echo \"  Please configure the GITLAB_SECRETS_DB_KEY_BASE parameter.\"\n    echo \"  Cannot continue. Aborting...\"\n    return 1\n  fi\n\n  if [[ -z $GITLAB_SECRETS_SECRET_KEY_BASE ]]; then\n    echo \"ERROR: \"\n    echo \"  Please configure the GITLAB_SECRETS_SECRET_KEY_BASE parameter.\"\n    echo \"  Cannot continue. Aborting...\"\n    return 1\n  fi\n\n  if [[ -z $GITLAB_SECRETS_OTP_KEY_BASE ]]; then\n    echo \"ERROR: \"\n    echo \"  Please configure the GITLAB_SECRETS_OTP_KEY_BASE parameter.\"\n    echo \"  Cannot continue. Aborting...\"\n    return 1\n  fi\n\n  update_template ${GITLAB_SECRETS_CONFIG} \\\n  GITLAB_SECRETS_DB_KEY_BASE \\\n  GITLAB_SECRETS_SECRET_KEY_BASE \\\n  GITLAB_SECRETS_OTP_KEY_BASE \\\n  GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE \\\n  GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY \\\n  GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY \\\n  GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT\n\n  local shell_secret=\"${GITLAB_INSTALL_DIR}/.gitlab_shell_secret\"\n  if [[ ! -f \"${shell_secret}\" ]]; then\n    exec_as_git openssl rand -hex -out \"${shell_secret}\" 16\n    chmod 600 \"${shell_secret}\"\n  fi\n\n  local workhorse_secret=\"${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret\"\n  if [[ ! -f \"${workhorse_secret}\" ]]; then\n    exec_as_git openssl rand -base64 -out \"${workhorse_secret}\" 32\n    chmod 600 \"${workhorse_secret}\"\n  fi\n\n  local pages_secret=\"${GITLAB_INSTALL_DIR}/.gitlab_pages_secret\"\n  if [[ ! 
-f \"${pages_secret}\" ]]; then\n    exec_as_git openssl rand -base64 -out \"${pages_secret}\" 32\n    chmod 600 \"${pages_secret}\"\n  fi\n}\n\ngitlab_configure_sidekiq() {\n  echo \"Configuring gitlab::sidekiq...\"\n\n  # configure gitlab sidekiq log format\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_SIDEKIQ_LOG_FORMAT\n\n  # configure sidekiq\n  update_template /etc/supervisor/conf.d/sidekiq.conf \\\n    SIDEKIQ_CONCURRENCY \\\n    SIDEKIQ_SHUTDOWN_TIMEOUT\n\n  # enable SidekiqMemoryKiller\n  ## The MemoryKiller is enabled by gitlab if the `SIDEKIQ_MEMORY_KILLER_MAX_RSS` is\n  ## defined in the program's environment and has a non-zero value.\n  ##\n  ## Simply exporting the variable makes it available in the program's environment and\n  ## therefore should enable the MemoryKiller.\n  ##\n  ## Every other MemoryKiller option specified in the docker env will automatically\n  ## be exported, so nothing more needs to be done for them here.\n  export SIDEKIQ_MEMORY_KILLER_MAX_RSS\n}\n\ngitlab_configure_backups_schedule() {\n  case ${GITLAB_BACKUP_SCHEDULE} in\n    daily|weekly|monthly)\n      if ! crontab -u ${GITLAB_USER} -l >/tmp/cron.${GITLAB_USER} 2>/dev/null || ! 
grep -q 'bundle exec rake gitlab:backup:create' /tmp/cron.${GITLAB_USER}; then\n        echo \"Configuring gitlab::backups::schedule...\"\n        gitlab_backup_log=\"${GITLAB_LOG_DIR}/gitlab/gitlab-backup.log\"\n        read -r hour min <<< \"${GITLAB_BACKUP_TIME//[:]/ }\"\n        day_of_month=\"*\"\n        month=\"*\"\n        day_of_week=\"*\"\n        case ${GITLAB_BACKUP_SCHEDULE} in\n          daily) ;;\n          weekly) day_of_week=0 ;;\n          monthly) day_of_month=01 ;;\n        esac\n        if [[ -n ${GITLAB_BACKUP_DIR_GROUP} ]]; then\n            echo \"$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} DIRECTORY=${GITLAB_BACKUP_DIR_GROUP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1\" >> \"/tmp/cron.${GITLAB_USER}\"\n        else\n            echo \"$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1\" >> \"/tmp/cron.${GITLAB_USER}\"\n        fi\n        crontab -u ${GITLAB_USER} /tmp/cron.${GITLAB_USER}\n      fi\n      rm -rf /tmp/cron.${GITLAB_USER}\n      ;;\n  esac\n}\n\ngitlab_configure_backups_aws() {\n    echo \"Configuring gitlab::backups::aws...\"\n    exec_as_git sed -i \"/#start-gcs/,/#end-gcs/d\" ${GITLAB_CONFIG}\n    exec_as_git sed -i \"/#start-aws/d\" ${GITLAB_CONFIG}\n    exec_as_git sed -i \"/#end-aws/d\" ${GITLAB_CONFIG}\n\n    if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then\n      exec_as_git sed -i \"/#start-multipart/,/#end-multipart/d\" ${GITLAB_CONFIG}\n    fi\n\n    if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then\n      exec_as_git sed -i \"/#start-multipart-aws/,/#end-multipart-aws/d\" ${GITLAB_CONFIG}\n    fi\n\n    if [[ ${AWS_BACKUP_ENCRYPTION} != true ]]; then\n      exec_as_git sed -i \"/#start-encryption-aws/,/#end-encryption-aws/d\" 
${GITLAB_CONFIG}\n    fi\n\n    if [[ -z ${AWS_BACKUP_REGION} && -z ${AWS_BACKUP_ENDPOINT} ]]; then\n      echo \"\\nMissing AWS region or endpoint. Aborting...\\n\"\n      return 1\n    fi\n\n    if [[ ! -z ${AWS_BACKUP_ENDPOINT} ]]; then\n      AWS_BACKUP_PATH_STYLE=\"true\"\n    fi\n\n    if [[ -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then\n      echo \"\\nMissing AWS options. Aborting...\\n\"\n      return 1\n    fi\n\n    update_template ${GITLAB_CONFIG} \\\n      AWS_BACKUP_REGION \\\n      AWS_BACKUP_ENDPOINT \\\n      AWS_BACKUP_PATH_STYLE \\\n      AWS_BACKUP_ACCESS_KEY_ID \\\n      AWS_BACKUP_SECRET_ACCESS_KEY \\\n      AWS_BACKUP_BUCKET \\\n      AWS_BACKUP_MULTIPART_CHUNK_SIZE \\\n      AWS_BACKUP_STORAGE_CLASS \\\n      AWS_BACKUP_SIGNATURE_VERSION\n}\n\ngitlab_configure_backup_gcs() {\n    echo \"Configuring gitlab::backups::gcs...\"\n    exec_as_git sed -i \"/#start-aws/,/#end-aws/d\" ${GITLAB_CONFIG}\n    exec_as_git sed -i \"/#start-gcs/d\" ${GITLAB_CONFIG}\n    exec_as_git sed -i \"/#end-gcs/d\" ${GITLAB_CONFIG}\n    if [[ -z ${GCS_BACKUP_ACCESS_KEY_ID} || -z ${GCS_BACKUP_SECRET_ACCESS_KEY} || -z ${GCS_BACKUP_BUCKET} ]]; then\n      printf \"\\nMissing GCS options. 
Aborting...\\n\"\n      return 1\n    fi\n    update_template ${GITLAB_CONFIG} \\\n      GCS_BACKUP_ACCESS_KEY_ID \\\n      GCS_BACKUP_SECRET_ACCESS_KEY \\\n      GCS_BACKUP_BUCKET\n}\n\ngitlab_configure_backups() {\n  echo \"Configuring gitlab::backups...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_BACKUP_DIR \\\n    GITLAB_BACKUP_EXPIRY \\\n    GITLAB_BACKUP_PG_SCHEMA \\\n    GITLAB_BACKUP_ARCHIVE_PERMISSIONS\n  gitlab_configure_backups_schedule\n  if [[ ${AWS_BACKUPS} != true && ${GCS_BACKUPS} != true ]]; then\n    exec_as_git sed -i \"/\\s\\+#start-aws/,/#end-gcs/d\" ${GITLAB_CONFIG}\n    return 0\n  fi\n  if [[ ${AWS_BACKUPS} == true && ${GCS_BACKUPS} == true ]]; then\n    printf \"\\nAWS and GCE cannot be enabled together, please choose one...\\n\"\n    return 1\n  fi\n  if [[ ${AWS_BACKUPS} == true ]]; then\n    gitlab_configure_backups_aws\n  fi\n  if [[ ${GCS_BACKUPS} == true ]]; then\n    gitlab_configure_backup_gcs\n  fi\n}\n\ngitlab_configure_gravatar() {\n  update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_ENABLED\n\n  if [[ -n ${GITLAB_GRAVATAR_HTTP_URL} ]]; then\n    echo \"Configuring gitlab::gravatar::http...\"\n    update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTP_URL\n  else\n    exec_as_git sed -i \"/{{GITLAB_GRAVATAR_HTTP_URL}}/d\" ${GITLAB_CONFIG}\n  fi\n\n  if [[ -n ${GITLAB_GRAVATAR_HTTPS_URL} ]]; then\n    echo \"Configuring gitlab::gravatar::https...\"\n    update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTPS_URL\n  else\n    exec_as_git sed -i \"/{{GITLAB_GRAVATAR_HTTPS_URL}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_cron_jobs() {\n  echo \"Configuring gitlab::cron_jobs...\"\n\n  if [[ -n \"${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}\" ]]; then\n    update_template ${GITLAB_CONFIG} GITLAB_PIPELINE_SCHEDULE_WORKER_CRON\n  else\n    exec_as_git sed -i \"/{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_analytics_google() {\n  if [[ -n ${GOOGLE_ANALYTICS_ID} ]]; then\n  echo 
\"Configuring gitlab::analytics:google...\"\n    update_template ${GITLAB_CONFIG} GOOGLE_ANALYTICS_ID\n  else\n    exec_as_git sed -i \"/{{GOOGLE_ANALYTICS_ID}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_analytics_piwik() {\n  if [[ -n ${PIWIK_URL} && -n ${PIWIK_SITE_ID} ]]; then\n    echo \"Configuring gitlab::analytics:piwik...\"\n    update_template ${GITLAB_CONFIG} \\\n      PIWIK_URL \\\n      PIWIK_SITE_ID\n  else\n    exec_as_git sed -i \\\n      -e \"/{{PIWIK_URL}}/d\" \\\n      -e \"/{{PIWIK_SITE_ID}}/d\" \\\n      ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_analytics() {\n  gitlab_configure_analytics_google\n  gitlab_configure_analytics_piwik\n}\n\ngitlab_configure_rack_attack() {\n  echo \"Configuring gitlab::rack_attack...\"\n\n  # validity check: RACK_ATTACK_WHITELIST should be an array of valid IP address strings.\n  # The heredoc below is unquoted, so the shell expands the value into the Ruby source\n  # that gets executed; set it only from trusted deployment configuration.\n  echo \" Validating RACK_ATTACK_WHITELIST...\"\n  /usr/bin/env ruby << SCRIPT\n  require 'ipaddr'\n  ${RACK_ATTACK_WHITELIST}.each do |host|\n    begin\n      printf(\"  input=%s, to_range=%s\\n\", host, IPAddr.new(host).to_range)\n    rescue IPAddr::InvalidAddressError => e\n      p e\n      exit 1\n    rescue => e\n      put \"Unexpected error\", e\n      exit 1\n    end\n  end\nSCRIPT\n\n  update_template ${GITLAB_CONFIG} \\\n    RACK_ATTACK_ENABLED \\\n    RACK_ATTACK_WHITELIST \\\n    RACK_ATTACK_MAXRETRY \\\n    RACK_ATTACK_FINDTIME \\\n    RACK_ATTACK_BANTIME\n}\n\ngitlab_configure_ci() {\n  echo \"Configuring gitlab::ci...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_NOTIFY_ON_BROKEN_BUILDS \\\n    GITLAB_NOTIFY_PUSHER GITLAB_BUILDS_DIR\n}\n\ngitlab_configure_artifacts() {\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED\n\n  if [[ ${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED} == true ]]; then\n    echo \"Configuring gitlab::artifacts:object_store\"\n\n    if [[ \"${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}\" == \"Google\" ]]; then\n        echo \" -> Google ARTIFACTS provider 
selected removing aws config\"\n        exec_as_git sed -i \"/#start-artifacts-aws/,/#end-artifacts-aws/d\" ${GITLAB_CONFIG}\n        exec_as_git sed -i \"/#start-artifacts-gcs/d\" ${GITLAB_CONFIG}\n        exec_as_git sed -i \"/#end-artifacts-gcs/d\" ${GITLAB_CONFIG}\n    fi\n    if [[ \"${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}\" == \"AWS\" ]]; then\n      echo \" -> AWS ARTIFACTS provider selected removing Google config\"\n      exec_as_git sed -i \"/#start-artifacts-gcs/,/#end-artifacts-gcs/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#start-artifacts-aws/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#end-artifacts-aws/d\" ${GITLAB_CONFIG}\n    fi\n\n    update_template ${GITLAB_CONFIG} \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \\\n      GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION\n  else\n    exec_as_git sed -i -e \"/path: {{GITLAB_ARTIFACTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}\" ${GITLAB_CONFIG}\n  fi\n\n  echo \"Configuring gitlab::artifacts...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_ARTIFACTS_ENABLED \\\n    
GITLAB_ARTIFACTS_DIR\n}\n\n\ngitlab_configure_packages() {\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_PACKAGES_OBJECT_STORE_ENABLED\n\n  if [[ ${GITLAB_PACKAGES_OBJECT_STORE_ENABLED} == true ]]; then\n    echo \"Configuring gitlab::packages:object_store\"\n\n    if [[ \"${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}\" == \"Google\" ]]; then\n        echo \" -> Google PACKAGES provider selected removing aws config\"\n        exec_as_git sed -i \"/#start-packages-aws/,/#end-packages-aws/d\" ${GITLAB_CONFIG}\n        exec_as_git sed -i \"/#start-packages-gcs/d\" ${GITLAB_CONFIG}\n        exec_as_git sed -i \"/#end-packages-gcs/d\" ${GITLAB_CONFIG}\n    fi\n    if [[ \"${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}\" == \"AWS\" ]]; then\n      echo \" -> AWS PACKAGES provider selected removing Google config\"\n      exec_as_git sed -i \"/#start-packages-gcs/,/#end-packages-gcs/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#start-packages-aws/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#end-packages-aws/d\" ${GITLAB_CONFIG}\n    fi\n\n    update_template ${GITLAB_CONFIG} \\\n      GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY \\\n      GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD \\\n      GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD \\\n      GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD \\\n      GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER \\\n      GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \\\n      GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \\\n      GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION \\\n      GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST \\\n      GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \\\n      GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \\\n      GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \\\n      GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \\\n      GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \\\n      
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION\n  else\n    exec_as_git sed -i -e \"/path: {{GITLAB_PACKAGES_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}\" ${GITLAB_CONFIG}\n  fi\n\n  echo \"Configuring gitlab::packages...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_PACKAGES_ENABLED \\\n    GITLAB_PACKAGES_DIR\n}\n\ngitlab_configure_terraform_state() {\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED\n  \n  if [[ ${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED} == true ]]; then\n    echo \"Configuring gitlab::terraform_state:object_store\"\n\n    if [[ \"${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}\" == \"Google\" ]]; then\n        echo \" -> Google TERRAFORM STATE provider selected removing aws config\"\n        exec_as_git sed -i \"/#start-terraform_state-aws/,/#end-terraform_state-aws/d\" ${GITLAB_CONFIG}\n        exec_as_git sed -i \"/#start-terraform_state-gcs/d\" ${GITLAB_CONFIG}\n        exec_as_git sed -i \"/#end-terraform_state-gcs/d\" ${GITLAB_CONFIG}\n    fi\n    if [[ \"${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}\" == \"AWS\" ]]; then\n      echo \" -> AWS TERRAFORM STATE provider selected removing Google config\"\n      exec_as_git sed -i \"/#start-terraform_state-gcs/,/#end-terraform_state-gcs/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#start-terraform_state-aws/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#end-terraform_state-aws/d\" ${GITLAB_CONFIG}\n    fi\n\n    update_template ${GITLAB_CONFIG} \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST \\\n      
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \\\n      GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION\n  else\n    exec_as_git sed -i -e \"/storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}\" ${GITLAB_CONFIG}\n  fi\n\n  echo \"Configuring gitlab::terraform_state...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_TERRAFORM_STATE_ENABLED \\\n    GITLAB_TERRAFORM_STATE_STORAGE_PATH\n}\n\ngitlab_configure_lfs() {\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_LFS_OBJECT_STORE_ENABLED \\\n  \n  if [[ ${GITLAB_LFS_OBJECT_STORE_ENABLED} == true ]]; then\n    echo \"Configuring gitlab::lfs:object_store\"\n\n    if [[ \"${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}\" == \"Google\" ]]; then\n      echo \" -> Google LFS provider selected removing aws config\"\n      exec_as_git sed -i \"/#start-lfs-aws/,/#end-lfs-aws/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#start-lfs-gcs/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#end-lfs-gcs/d\" ${GITLAB_CONFIG}\n    fi\n    if [[ \"${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}\" == \"AWS\" ]]; then\n      echo \" -> AWS LFS provider selected removing Google config\"\n      exec_as_git sed -i \"/#start-lfs-gcs/,/#end-lfs-gcs/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#start-lfs-aws/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#end-lfs-aws/d\" ${GITLAB_CONFIG}\n    fi\n\n    update_template ${GITLAB_CONFIG} \\\n      GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY \\\n      GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD \\\n      GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD \\\n      GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD \\\n      
GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER \\\n      GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \\\n      GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \\\n      GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION \\\n      GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST \\\n      GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \\\n      GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \\\n      GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \\\n      GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \\\n      GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \\\n      GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION\n  else\n    exec_as_git sed -i -e \"/path: {{GITLAB_LFS_OBJECTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}\"  ${GITLAB_CONFIG}\n  fi\n\n  echo \"Configuring gitlab::lfs...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_LFS_ENABLED \\\n    GITLAB_LFS_OBJECTS_DIR\n}\n\ngitlab_configure_uploads() {\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_UPLOADS_OBJECT_STORE_ENABLED\n\n  if [[ ${GITLAB_UPLOADS_OBJECT_STORE_ENABLED} == true ]]; then\n    echo \"Configuring gitlab::uploads:object_store\"\n\n    if [[ \"${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}\" == \"Google\" ]]; then\n      echo \" -> Google UPLOADS provider selected removing aws config\"\n      exec_as_git sed -i \"/#start-uploads-aws/,/#end-uploads-aws/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#start-uploads-gcs/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#end-uploads-gcs/d\" ${GITLAB_CONFIG}\n    fi\n    if [[ \"${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}\" == \"AWS\" ]]; then\n      echo \" -> AWS UPLOADS provider selected removing Google config\"\n      exec_as_git sed -i \"/#start-uploads-gcs/,/#end-uploads-gcs/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#start-uploads-aws/d\" ${GITLAB_CONFIG}\n      exec_as_git sed -i \"/#end-uploads-aws/d\" ${GITLAB_CONFIG}\n    fi\n\n    update_template 
${GITLAB_CONFIG} \\\n      GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY \\\n      GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD \\\n      GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD \\\n      GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \\\n      GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION\n\n  else\n    exec_as_git sed -i -e \"/base_dir: {{GITLAB_UPLOADS_BASE_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}\"  ${GITLAB_CONFIG}\n  fi\n\n  echo \"Configuring gitlab::uploads...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_UPLOADS_STORAGE_PATH \\\n    GITLAB_UPLOADS_BASE_DIR\n}\n\ngitlab_configure_mattermost() {\n  echo \"Configuring gitlab::mattermost...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_MATTERMOST_ENABLED \\\n    GITLAB_MATTERMOST_URL\n}\n\ngitlab_configure_project_features() {\n  echo \"Configuring gitlab::project_features...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_PROJECTS_ISSUES \\\n    GITLAB_PROJECTS_MERGE_REQUESTS \\\n    GITLAB_PROJECTS_WIKI \\\n    GITLAB_PROJECTS_SNIPPETS \\\n    GITLAB_PROJECTS_BUILDS \\\n    GITLAB_PROJECTS_CONTAINER_REGISTRY \\\n    GITLAB_WEBHOOK_TIMEOUT\n}\n\ngitlab_configure_registry(){\n  echo \"Configuring gitlab::registry...\"\n\n  if [[ ${GITLAB_REGISTRY_PORT} == 443 ]]; then\n    # Sets GITLAB_REGISTRY_PORT empty for the scope of this 
function.\n    # This helps us to add an empty key to `.gitlab-ci.yml`.\n    # Because 443 is the default https port it doesn't need to be included in docker push/pull commands\n    # and shouldn't be displayed on the gitlab ui.\n    # Example: `docker pull registry:443/some/image` is the same as `docker pull registry/some/image`\n    local GITLAB_REGISTRY_PORT=\"\"\n  fi\n\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_REGISTRY_ENABLED \\\n    GITLAB_REGISTRY_DIR \\\n    GITLAB_REGISTRY_HOST \\\n    GITLAB_REGISTRY_PORT \\\n    GITLAB_REGISTRY_API_URL \\\n    GITLAB_REGISTRY_KEY_PATH \\\n    GITLAB_REGISTRY_ISSUER\n}\n\ngitlab_configure_pages(){\n  echo \"Configuring gitlab::pages...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_PAGES_ENABLED \\\n    GITLAB_PAGES_DOMAIN \\\n    GITLAB_PAGES_PORT \\\n    GITLAB_PAGES_HTTPS \\\n    GITLAB_PAGES_ARTIFACTS_SERVER \\\n    GITLAB_PAGES_ACCESS_CONTROL \\\n    GITLAB_PAGES_NAMESPACE_IN_PATH\n\n  if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then\n    update_template ${GITLAB_CONFIG} \\\n      GITLAB_PAGES_EXTERNAL_HTTP\n  else\n    exec_as_git sed -ie \"/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d\" ${GITLAB_CONFIG}\n  fi\n\n  if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then\n    update_template ${GITLAB_CONFIG} \\\n      GITLAB_PAGES_EXTERNAL_HTTPS\n  else\n    exec_as_git sed -ie \"/{{GITLAB_PAGES_EXTERNAL_HTTPS}}/d\" ${GITLAB_CONFIG}\n  fi\n}\n\ngitlab_configure_sentry(){\n  echo \"Configuring gitlab::sentry...\"\n  update_template ${GITLAB_CONFIG} \\\n    SENTRY_ENABLED \\\n    SENTRY_DSN \\\n    SENTRY_CLIENTSIDE_DSN \\\n    SENTRY_ENVIRONMENT\n}\n\ngitlab_configure_content_security_policy(){\n  echo \"Configuring gitlab::content_security_policy...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_CONTENT_SECURITY_POLICY_ENABLED \\\n    GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC \\\n    
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC \\\n    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI\n}\n\nnginx_configure_gitlab_ssl() {\n  if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then\n    echo \"Configuring nginx::gitlab::ssl...\"\n\n    if [[ ! -f ${SSL_CA_CERTIFICATES_PATH} ]]; then\n      sed -i \"/{{SSL_CA_CERTIFICATES_PATH}}/d\" ${GITLAB_NGINX_CONFIG}\n    fi\n    update_template ${GITLAB_NGINX_CONFIG} \\\n      SSL_CERTIFICATE_PATH \\\n      SSL_KEY_PATH \\\n      SSL_DHPARAM_PATH \\\n      SSL_VERIFY_CLIENT \\\n      SSL_CA_CERTIFICATES_PATH \\\n      SSL_CIPHERS \\\n      SSL_PROTOCOLS\n  fi\n}\n\nnginx_configure_gitlab_hsts() {\n  if [[ ${GITLAB_HTTPS} == true ]]; then\n    echo \"Configuring nginx::gitlab::hsts...\"\n    if [[ ${NGINX_HSTS_ENABLED} != true ]]; then\n      sed -i \"/{{NGINX_HSTS_MAXAGE}}/d\" ${GITLAB_NGINX_CONFIG}\n    fi\n    update_template ${GITLAB_NGINX_CONFIG} NGINX_HSTS_MAXAGE\n  else\n    sed -i \"/{{NGINX_HSTS_MAXAGE}}/d\" ${GITLAB_NGINX_CONFIG}\n  fi\n}\n\nnginx_configure_gitlab_ipv6() {\n  if [[ ! 
-f /proc/net/if_inet6 ]]; then\n    # disable ipv6 support in nginx for gitlab\n    sed -i \\\n      -e \"/listen \\[::\\]:80/d\" \\\n      -e \"/listen \\[::\\]:443/d\" \\\n      ${GITLAB_NGINX_CONFIG}\n    # disable ipv6 support in nginx for pages\n    if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then\n      if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then\n        sed -i \\\n          -e \"/listen \\[::\\]:80/d\" \\\n          -e \"/listen \\[::\\]:443/d\" \\\n          ${GITLAB_PAGES_NGINX_CONFIG}\n      fi\n    fi\n  fi\n}\n\nnginx_configure_gitlab_real_ip() {\n  if [[ ${NGINX_REAL_IP_RECURSIVE} == on && \\\n     -n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then\n    echo \"Configuring nginx::gitlab::real_ip...\"\n    update_template ${GITLAB_NGINX_CONFIG} \\\n      NGINX_REAL_IP_RECURSIVE \\\n      NGINX_REAL_IP_TRUSTED_ADDRESSES\n  else\n    NGINX_REAL_IP_RECURSIVE=\"off\"\n    update_template ${GITLAB_NGINX_CONFIG} \\\n      NGINX_REAL_IP_RECURSIVE\n    sed -i \"/{{NGINX_REAL_IP_TRUSTED_ADDRESSES}}/d\" ${GITLAB_NGINX_CONFIG}\n  fi\n}\n\nnginx_configure_gitlab() {\n  echo \"Configuring nginx::gitlab...\"\n  update_template ${GITLAB_NGINX_CONFIG} \\\n    GITLAB_HOME \\\n    GITLAB_INSTALL_DIR \\\n    GITLAB_LOG_DIR \\\n    GITLAB_HOST \\\n    GITLAB_PORT \\\n    NGINX_PROXY_BUFFERING \\\n    NGINX_ACCEL_BUFFERING \\\n    NGINX_X_FORWARDED_PROTO \\\n    NGINX_CUSTOM_GITLAB_SERVER_CONFIG\n\n  nginx_configure_gitlab_ssl\n  nginx_configure_gitlab_hsts\n  nginx_configure_gitlab_ipv6\n  nginx_configure_gitlab_real_ip\n}\n\nnginx_configure_gitlab_ci() {\n  if [[ -n $GITLAB_CI_HOST ]]; then\n    echo \"Configuring nginx::gitlab_ci...\"\n    DNS_RESOLVERS=$(cat /etc/resolv.conf  | grep '^\\s*nameserver' | awk '{print $2}' ORS=' ')\n    update_template ${GITLAB_CI_NGINX_CONFIG} \\\n      GITLAB_LOG_DIR \\\n      GITLAB_HOST \\\n      GITLAB_CI_HOST \\\n      DNS_RESOLVERS\n  fi\n}\n\nnginx_configure_gitlab_registry() {\n  if [[ $GITLAB_REGISTRY_ENABLED == true && -f 
${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then\n    echo \"Configuring nginx::gitlab-registry...\"\n    update_template ${GITLAB_REGISTRY_NGINX_CONFIG} \\\n      GITLAB_LOG_DIR \\\n      GITLAB_REGISTRY_PORT \\\n      GITLAB_REGISTRY_HOST \\\n      GITLAB_REGISTRY_API_URL \\\n      SSL_REGISTRY_KEY_PATH \\\n      SSL_REGISTRY_CERT_PATH \\\n      SSL_REGISTRY_CIPHERS \\\n      SSL_REGISTRY_PROTOCOLS\n  fi\n}\n\nnginx_configure_pages(){\n  local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\\./\\\\\\\\./g')\n  if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then\n    echo \"Configuring nginx::gitlab-pages...\"\n    if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then\n      if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then\n        update_template ${GITLAB_PAGES_NGINX_CONFIG} \\\n          GITLAB_PORT \\\n          GITLAB_PAGES_DOMAIN \\\n          GITLAB_PAGES_PORT \\\n          GITLAB_LOG_DIR \\\n          GITLAB_PAGES_DOMAIN \\\n          SSL_PAGES_CERT_PATH \\\n          SSL_PAGES_KEY_PATH \\\n          SSL_PAGES_CIPHERS \\\n          SSL_PAGES_PROTOCOLS \\\n          SSL_DHPARAM_PATH \\\n          GITLAB_LOG_DIR\n      else\n        update_template ${GITLAB_PAGES_NGINX_CONFIG} \\\n          GITLAB_PAGES_DOMAIN \\\n          GITLAB_LOG_DIR\n      fi\n    else\n      echo \"Gitlab pages nginx proxy disabled\"\n      echo \"Assuming custom domain setup with own HTTP(S) load balancer'\"\n    fi\n  fi\n}\n\n\n#   _|_|_|              _|        _|  _|\n#   _|    _|  _|    _|  _|_|_|    _|        _|_|_|\n#   _|_|_|    _|    _|  _|    _|  _|  _|  _|\n#   _|        _|    _|  _|    _|  _|  _|  _|\n#   _|          _|_|_|  _|_|_|    _|  _|    _|_|_|\n\nmap_uidgid() {\n  USERMAP_ORIG_UID=$(id -u ${GITLAB_USER})\n  USERMAP_ORIG_GID=$(id -g ${GITLAB_USER})\n  USERMAP_GID=${USERMAP_GID:-${USERMAP_UID:-$USERMAP_ORIG_GID}}\n  USERMAP_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}\n  if [[ ${USERMAP_UID} != ${USERMAP_ORIG_UID} ]] || [[ ${USERMAP_GID} != ${USERMAP_ORIG_GID} 
]]; then\n    echo \"Mapping UID and GID for ${GITLAB_USER}:${GITLAB_USER} to $USERMAP_UID:$USERMAP_GID\"\n    groupmod -o -g ${USERMAP_GID} ${GITLAB_USER}\n    sed -i -e \"s|:${USERMAP_ORIG_UID}:${USERMAP_GID}:|:${USERMAP_UID}:${USERMAP_GID}:|\" /etc/passwd\n    find ${GITLAB_HOME} -path ${GITLAB_DATA_DIR}/\\* -prune -o -print0 | xargs -0 chown -h ${GITLAB_USER}:\n  fi\n}\n\nupdate_ca_certificates() {\n  if [[ -f ${SSL_CERTIFICATE_PATH} || -f ${SSL_CA_CERTIFICATES_PATH} || -f ${SSL_REGISTRY_CERT_PATH} ]]; then\n    echo \"Updating CA certificates...\"\n    [[ -f ${SSL_CERTIFICATE_PATH} ]] && cp \"${SSL_CERTIFICATE_PATH}\" /usr/local/share/ca-certificates/gitlab.crt\n    [[ -f ${SSL_CA_CERTIFICATES_PATH} ]] && cp \"${SSL_CA_CERTIFICATES_PATH}\" /usr/local/share/ca-certificates/ca.crt\n    [[ -f ${SSL_REGISTRY_CERT_PATH} ]] && cp \"${SSL_REGISTRY_CERT_PATH}\" /usr/local/share/ca-certificates/registry-ca.crt\n    update-ca-certificates --fresh >/dev/null\n  fi\n}\n\ninitialize_logdir() {\n  echo \"Initializing logdir...\"\n  mkdir -p ${GITLAB_LOG_DIR}/supervisor\n  chmod -R 0755 ${GITLAB_LOG_DIR}/supervisor\n  chown -R root: ${GITLAB_LOG_DIR}/supervisor\n\n  mkdir -p ${GITLAB_LOG_DIR}/nginx\n  chmod -R 0755 ${GITLAB_LOG_DIR}/nginx\n  chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/nginx\n\n  mkdir -p ${GITLAB_LOG_DIR}/gitlab\n  chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab\n  chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab\n\n  mkdir -p ${GITLAB_LOG_DIR}/gitlab-shell\n  chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab-shell\n  chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab-shell\n\n  mkdir -p ${GITLAB_LOG_DIR}/gitaly\n  chmod -R 0755 ${GITLAB_LOG_DIR}/gitaly\n  chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitaly\n}\n\ninitialize_datadir() {\n  echo \"Initializing datadir...\"\n  chmod 755 ${GITLAB_DATA_DIR}\n  chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}\n\n  # create the ssh directory for server keys\n  mkdir -p ${GITLAB_DATA_DIR}/ssh\n  chown -R root: ${GITLAB_DATA_DIR}/ssh\n\n  # create 
the repositories directory and make sure it has the right permissions\n  mkdir -p ${GITLAB_REPOS_DIR}\n  chown ${GITLAB_USER}: ${GITLAB_REPOS_DIR}\n  chmod ug+rwX,o-rwx ${GITLAB_REPOS_DIR}\n  exec_as_git chmod g+s ${GITLAB_REPOS_DIR}\n\n  # create build traces directory\n  mkdir -p ${GITLAB_BUILDS_DIR}\n  chmod u+rwX ${GITLAB_BUILDS_DIR}\n  chown ${GITLAB_USER}: ${GITLAB_BUILDS_DIR}\n\n  # gitlab:backup:create does not respect the builds_path configuration, so we\n  # symlink ${GITLAB_INSTALL_DIR}/builds -> ${GITLAB_BUILDS_DIR}\n  rm -rf ${GITLAB_INSTALL_DIR}/builds\n  ln -sf ${GITLAB_BUILDS_DIR} ${GITLAB_INSTALL_DIR}/builds\n\n  # create downloads directory\n  mkdir -p ${GITLAB_DOWNLOADS_DIR}\n  chmod u+rwX ${GITLAB_DOWNLOADS_DIR}\n  chown ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR}\n\n  # create shared directory\n  mkdir -p ${GITLAB_SHARED_DIR}\n  chmod u+rwX ${GITLAB_SHARED_DIR}\n  chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}\n\n  # create the ci_secure_files directory\n  mkdir -p ${GITLAB_SHARED_DIR}/ci_secure_files\n  chmod u+rwX ${GITLAB_SHARED_DIR}/ci_secure_files\n  chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/ci_secure_files\n\n  # create external-diffs dir\n  mkdir -p ${GITLAB_SHARED_DIR}/external-diffs\n  chmod u+rwX ${GITLAB_SHARED_DIR}/external-diffs\n  chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/external-diffs\n\n  # create artifacts dir\n  mkdir -p ${GITLAB_ARTIFACTS_DIR}\n  chmod u+rwX ${GITLAB_ARTIFACTS_DIR}\n  chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}\n\n  # create pages dir\n  mkdir -p ${GITLAB_PAGES_DIR}\n  chmod u+rwX ${GITLAB_PAGES_DIR}\n  chown ${GITLAB_USER}: ${GITLAB_PAGES_DIR}\n\n  # symlink ${GITLAB_INSTALL_DIR}/shared -> ${GITLAB_DATA_DIR}/shared\n  rm -rf ${GITLAB_INSTALL_DIR}/shared\n  ln -sf ${GITLAB_SHARED_DIR} ${GITLAB_INSTALL_DIR}/shared\n\n  # create lfs-objects directory\n  mkdir -p ${GITLAB_LFS_OBJECTS_DIR}\n  chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR}\n  chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}\n\n  # create terraform_state 
directory\n  if [[ ${GITLAB_TERRAFORM_STATE_ENABLED} == true ]]; then\n    mkdir -p ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}\n    chmod u+rwX ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}\n    chown ${GITLAB_USER}: ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}\n  fi\n\n  # create registry dir\n  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then\n    mkdir -p ${GITLAB_REGISTRY_DIR}\n    chmod u+rwX ${GITLAB_REGISTRY_DIR}\n    chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}\n  fi\n\n  # create packages directory\n  if [[ ${GITLAB_PACKAGES_ENABLED} == true ]]; then\n    mkdir -p ${GITLAB_PACKAGES_DIR}\n    chmod u+rwX ${GITLAB_PACKAGES_DIR}\n    chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR}\n  fi\n\n  # create the backups directory\n  mkdir -p ${GITLAB_BACKUP_DIR}\n  if [[ ${GITLAB_BACKUP_DIR_CHOWN} == true ]]; then\n    chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR}\n  fi\n\n  # create the uploads directory\n  mkdir -p ${GITLAB_DATA_DIR}/uploads\n  chmod 0700 ${GITLAB_DATA_DIR}/uploads\n  chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads\n\n  # create the .ssh directory\n  mkdir -p ${GITLAB_DATA_DIR}/.ssh\n  touch ${GITLAB_DATA_DIR}/.ssh/authorized_keys\n  chmod 700 ${GITLAB_DATA_DIR}/.ssh\n  chmod 600 ${GITLAB_DATA_DIR}/.ssh/authorized_keys\n  chown -R ${GITLAB_USER}: ${GITLAB_DATA_DIR}/.ssh\n}\n\nsanitize_datadir() {\n  echo \"Sanitizing datadir. 
Please be patient...\"\n  chmod -R ug+rwX,o-rwx ${GITLAB_REPOS_DIR}/\n  chmod -R ug-s ${GITLAB_REPOS_DIR}/\n  find ${GITLAB_REPOS_DIR}/ -type d -print0 | xargs -0 chmod g+s\n  chown -R ${GITLAB_USER}: ${GITLAB_REPOS_DIR}\n\n  chmod -R u+rwX ${GITLAB_BUILDS_DIR}\n  chown -R ${GITLAB_USER}: ${GITLAB_BUILDS_DIR}\n\n  chmod -R u+rwX ${GITLAB_DOWNLOADS_DIR}\n  chown -R ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR}\n\n  chmod -R u+rwX ${GITLAB_TEMP_DIR}\n  chown -R ${GITLAB_USER}: ${GITLAB_TEMP_DIR}\n\n  chmod -R u+rwX ${GITLAB_SHARED_DIR}\n  chown -R ${GITLAB_USER}: ${GITLAB_SHARED_DIR}\n\n  chmod -R u+rwX ${GITLAB_ARTIFACTS_DIR}\n  chown -R ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}\n\n  chmod -R u+rwX ${GITLAB_PAGES_DIR}\n  chown -R ${GITLAB_USER}: ${GITLAB_PAGES_DIR}\n\n  chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR}\n  chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}\n\n  # create terraform_state directory\n  # TODO : wrap with \"if [[ _ENABLED ]]\" condition\n  chmod u+rwX ${GITLAB_SHARED_DIR}/terraform_state\n  chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/terraform_state\n\n  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then\n    chmod -R u+rwX ${GITLAB_REGISTRY_DIR}\n    chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}\n  fi\n\n  if [[ ${GITLAB_PACKAGES_ENABLED} ]]; then\n    chmod u+rwX ${GITLAB_PACKAGES_DIR}\n    chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR}\n  fi\n\n  find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \\;\n  find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \\;\n  chmod 0700 ${GITLAB_DATA_DIR}/uploads/\n  chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads/\n\n  echo \"Creating gitlab-shell hooks...\"\n  exec_as_git ${GITLAB_SHELL_INSTALL_DIR}/bin/create-hooks\n}\n\ngenerate_ssh_key() {\n  echo -n \"${1^^} \"\n  ssh-keygen -qt ${1} -N '' -f ${2}\n}\n\ngenerate_ssh_host_keys() {\n  sed -i \"s|^[#]*MaxStartups[^$]*|MaxStartups ${GITLAB_SSH_MAXSTARTUPS}|\" /etc/ssh/sshd_config\n  sed -i \"s|#HostKey 
/etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g\" /etc/ssh/sshd_config\n  if [[ ! -e ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key ]]; then\n    echo -n \"Generating OpenSSH host keys... \"\n    generate_ssh_key rsa      ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key\n    generate_ssh_key dsa      ${GITLAB_DATA_DIR}/ssh/ssh_host_dsa_key\n    generate_ssh_key ecdsa    ${GITLAB_DATA_DIR}/ssh/ssh_host_ecdsa_key\n    generate_ssh_key ed25519  ${GITLAB_DATA_DIR}/ssh/ssh_host_ed25519_key\n    echo\n  fi\n\n  # ensure existing host keys have the right permissions\n  chmod 0600 ${GITLAB_DATA_DIR}/ssh/*_key\n  chmod 0644 ${GITLAB_DATA_DIR}/ssh/*.pub\n}\n\nupdate_ssh_listen_port() {\n  sed -i \"s|#Port 22|Port ${GITLAB_SSH_LISTEN_PORT}|g\" /etc/ssh/sshd_config\n}\n\ngenerate_healthcheck_script() {\n  # configure healthcheck script\n  ## https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html\n  local HEALTHCHECK_PROTOCOL=\"http\"\n  if [[ \"${GITLAB_HTTPS}\" == true && \"${SSL_SELF_SIGNED}\" == false ]]; then\n    HEALTHCHECK_PROTOCOL=\"${HEALTHCHECK_PROTOCOL}s\"\n  fi\ncat > /usr/local/sbin/healthcheck <<EOF\n#!/bin/bash\nurl=${HEALTHCHECK_PROTOCOL}://127.0.0.1${GITLAB_RELATIVE_URL_ROOT}/-/liveness\noptions=( '--insecure' '--silent' )\ncurl \"\\${options[@]}\" \\$url\n[[ \"\\$(curl \\${options[@]} -o /dev/null -I -w '%{http_code}' \\$url)\" == \"200\" ]]\nEOF\n  chmod +x /usr/local/sbin/healthcheck\n}\n\nconfigure_container_timezone() {\n  # Perform sanity check of provided timezone value\n  if [ -e /usr/share/zoneinfo/${TIMEZONE} ]; then\n    # Configured timezone is available\n\n    # Set localtime\n    ln -snf /usr/share/zoneinfo/${TIMEZONE} /etc/localtime\n\n    # Set timezone\n    echo ${TIMEZONE} > /etc/timezone\n\n    echo \"Container TimeZone -> ${TIMEZONE}\"\n  fi\n}\n\ninitialize_system() {\n  map_uidgid\n  initialize_logdir\n  initialize_datadir\n  update_ca_certificates\n  generate_ssh_host_keys\n  update_ssh_listen_port\n  configure_container_timezone\n  
install_configuration_templates\n  rm -rf /var/run/supervisor.sock\n}\n\ninstall_configuration_templates() {\n  echo \"Installing configuration templates...\"\n  install_template ${GITLAB_USER}: gitlabhq/gitlab.yml ${GITLAB_CONFIG} 0640\n  install_template ${GITLAB_USER}: gitlabhq/database.yml ${GITLAB_DATABASE_CONFIG} 0640\n  install_template ${GITLAB_USER}: gitlabhq/puma.rb ${GITLAB_PUMA_CONFIG} 0644\n  install_template ${GITLAB_USER}: gitlabhq/resque.yml ${GITLAB_RESQUE_CONFIG} 0640\n  install_template ${GITLAB_USER}: gitlabhq/secrets.yml ${GITLAB_SECRETS_CONFIG} 0600\n  install_template ${GITLAB_USER}: gitlab-shell/config.yml ${GITLAB_SHELL_CONFIG} 0640\n  install_template ${GITLAB_USER}: gitlabhq/cable.yml ${GITLAB_ACTIONCABLE_CONFIG} 0640\n\n  if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then\n    install_template ${GITLAB_USER}: gitlabhq/relative_url.rb ${GITLAB_RELATIVE_URL_CONFIG} 0644\n  fi\n\n  if [[ ${SMTP_ENABLED} == true  ]]; then\n    install_template ${GITLAB_USER}: gitlabhq/smtp_settings.rb ${GITLAB_SMTP_CONFIG}\n  fi\n\n  # custom user specified robots.txt\n  if [[ -f ${GITLAB_ROBOTS_PATH} ]]; then\n    exec_as_git cp ${GITLAB_ROBOTS_PATH} ${GITLAB_ROBOTS_CONFIG}\n  fi\n\n  ## ${GITLAB_NGINX_CONFIG}\n  if [[ ${GITLAB_HTTPS} == true ]]; then\n    if [[ -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then\n      install_template root: nginx/gitlab-ssl ${GITLAB_NGINX_CONFIG}\n    else\n      echo \"SSL Key, SSL Certificate and DHParam were not found.\"\n      echo \"Assuming that the container is running behind a HTTPS enabled load balancer.\"\n      install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}\n    fi\n  else\n    install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}\n  fi\n\n\n  ## ${GITLAB_PAGES_NGINX_CONFIG}\n  if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then\n    install_template ${GITLAB_USER}: gitlab-pages/config ${GITLAB_PAGES_CONFIG} 0640\n    if [[ ${GITLAB_PAGES_HTTPS} == true && -f 
${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then\n      if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then\n        install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG}\n      else\n        echo \"Gitlab pages nginx proxy disabled\"\n        echo \"Assuming custom domain setup with own HTTP(S) load balancer'\"\n      fi\n    else\n      if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then\n        echo \"SSL Key, SSL Certificate were not found.\"\n        echo \"Assuming that the container is running behind a HTTPS enabled load balancer.\"\n        install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG}\n      else\n        echo \"Gitlab pages nginx proxy disabled\"\n        echo \"Assuming custom domain setup with own HTTP(S) load balancer'\"\n      fi\n    fi\n  fi\n\n\n\n  if [[ -n $GITLAB_CI_HOST ]]; then\n    install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG}\n  fi\n\n  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then\n    if [[ -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then\n      install_template root: nginx/gitlab-registry ${GITLAB_REGISTRY_NGINX_CONFIG}\n    else\n      echo \"SSL key and certificates for Registry were not found\"\n      echo \"Assuming that the Registry is running behind a HTTPS enabled load balancer.\"\n    fi\n  fi\n\n  install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}\n}\n\nconfigure_gitlab() {\n  echo \"Configuring gitlab...\"\n  update_template ${GITLAB_CONFIG} \\\n    GITLAB_INSTALL_DIR \\\n    GITLAB_SHELL_INSTALL_DIR \\\n    GITLAB_DATA_DIR \\\n    GITLAB_REPOS_DIR \\\n    GITLAB_DOWNLOADS_DIR \\\n    GITLAB_SHARED_DIR \\\n    GITLAB_HOME \\\n    GITLAB_HOST \\\n    GITLAB_PORT \\\n    GITLAB_RELATIVE_URL_ROOT \\\n    GITLAB_HTTPS \\\n    GITLAB_SSH_HOST \\\n    GITLAB_SSH_LISTEN_PORT \\\n    GITLAB_SSH_PORT \\\n    GITLAB_SIGNUP_ENABLED \\\n    GITLAB_IMPERSONATION_ENABLED \\\n    GITLAB_PROJECTS_LIMIT \\\n    
GITLAB_USERNAME_CHANGE \\\n    GITLAB_DEFAULT_THEME \\\n    GITLAB_CREATE_GROUP \\\n    GITLAB_ISSUE_CLOSING_PATTERN\n\n  gitlab_configure_database\n  gitlab_configure_redis\n  gitlab_configure_actioncable\n  gitlab_configure_secrets\n  gitlab_configure_sidekiq\n  gitlab_configure_gitaly\n  gitlab_configure_monitoring\n  gitlab_configure_gitlab_workhorse\n  gitlab_configure_relative_url\n  gitlab_configure_trusted_proxies\n  gitlab_configure_puma\n  gitlab_configure_timezone\n  gitlab_configure_rack_attack\n  gitlab_configure_ci\n  gitlab_configure_artifacts\n  gitlab_configure_packages\n  gitlab_configure_terraform_state\n  gitlab_configure_lfs\n  gitlab_configure_uploads\n  gitlab_configure_mattermost\n  gitlab_configure_project_features\n  gitlab_configure_mail_delivery\n  gitlab_configure_mailroom\n  gitlab_configure_oauth\n  gitlab_configure_ldap\n  gitlab_configure_gravatar\n  gitlab_configure_cron_jobs\n  gitlab_configure_analytics\n  gitlab_configure_backups\n  generate_registry_certificates\n  gitlab_configure_registry\n  gitlab_configure_pages\n  gitlab_configure_sentry\n  generate_healthcheck_script\n  gitlab_configure_content_security_policy\n\n  # remove stale gitlab.socket\n  rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket\n}\n\n# feature flags are recorded to database (schema \"application_settings\") so requires DB is (at least) initialized\ngitlab_configure_feature_flags() {  \n  echo \"Configuring gitlab::feature_flags...\"\n\n  if [[ -z \"${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}\" && -z \"${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}\" ]]; then\n    # Do nothing and reports no error if no targets specified\n    echo \"- No targets specified. 
skipping...\"\n    return 0\n  fi\n\n  # Build command line argument for script only when target is specified\n  # If not, scripts fails because option specifier is recognized as feature flags for example\n  # like \"--disable --enable\" : for this case, --disable is recognized as a value of option \"--enable\"\n  if [[ -n \"${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}\" ]]; then\n    GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=\"--disable ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}\"\n  fi\n  # The same goes for --enable (this is the last option passed to \"rails runner\" that will be run below)\n  # For this case (final option), it throws \"missing argument\" error for execution like:\n  # like \"--disable feature1,feature2 --enable\"\n  if [[ -n \"${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}\" ]]; then\n    GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=\"--enable ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}\"\n  fi\n\n  PWD_ORG=${PWD}\n  cd \"${GITLAB_INSTALL_DIR}\"\n\n  # copy the script to temporal directory : to avoid permission issue\n  cp \"${GITLAB_RUNTIME_DIR}/scripts/configure_feature_flags.rb\" \"${GITLAB_TEMP_DIR}/\"\n  chown \"${GITLAB_USER}:\" \"${GITLAB_TEMP_DIR}/configure_feature_flags.rb\"\n\n  echo \"- Launching rails runner to set feature flags. 
This will take some time....\"\n\n  # If arguments are empty, the script will do nothing and print an object dump like below:\n  #  - specified feature flags: {:to_be_disabled=>[], :to_be_enabled=>[]}\n  # DO NOT quote the variables: word splitting must be enabled.\n  # If it is disabled, a whole string like '--disable feature_name_1,feature_name_2'\n  # will be recognized as a single option, resulting in an invalid argument error\n  #\n  # shellcheck disable=SC2086\n  exec_as_git bundle exec rails runner \"${GITLAB_TEMP_DIR}/configure_feature_flags.rb\" \\\n    ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS} \\\n    ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}\n\n  rm \"${GITLAB_TEMP_DIR}/configure_feature_flags.rb\"\n  cd \"${PWD_ORG}\"\n}\n\nconfigure_gitlab_requires_db() {\n  gitlab_configure_feature_flags\n}\n\nconfigure_gitlab_shell() {\n  echo \"Configuring gitlab-shell...\"\n  update_template ${GITLAB_SHELL_CONFIG} \\\n    GITLAB_RELATIVE_URL_ROOT \\\n    GITLAB_HOME \\\n    GITLAB_LOG_DIR \\\n    GITLAB_SHELL_INSTALL_DIR \\\n    SSL_SELF_SIGNED \\\n    REDIS_HOST \\\n    REDIS_PORT \\\n    REDIS_DB_NUMBER\n\n  # update custom_hooks_dir if set $GITLAB_SHELL_CUSTOM_HOOKS_DIR\n  if [[ -n ${GITLAB_SHELL_CUSTOM_HOOKS_DIR} ]]; then\n    exec_as_git sed -i \\\n      \"s|custom_hooks_dir:.*|custom_hooks_dir: $GITLAB_SHELL_CUSTOM_HOOKS_DIR|g\" \\\n      ${GITLAB_SHELL_CONFIG}\n  fi\n}\n\n\nconfigure_gitlab_pages() {\n  if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then\n  echo \"Configuring gitlab-pages...\"\ncat > /etc/supervisor/conf.d/gitlab-pages.conf <<EOF\n[program:gitlab-pages]\npriority=20\ndirectory=${GITLAB_INSTALL_DIR}\nenvironment=HOME=${GITLAB_HOME}\ncommand=/usr/local/bin/gitlab-pages\n  -pages-domain ${GITLAB_PAGES_DOMAIN}\n  -pages-root ${GITLAB_PAGES_DIR}\n  -listen-proxy :8090\nEOF\n\nif [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then\ncat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF\n  -listen-http ${GITLAB_PAGES_EXTERNAL_HTTP}\nEOF\nfi\n\n\nif [[ -n 
${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then\ncat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF\n  -listen-https ${GITLAB_PAGES_EXTERNAL_HTTPS}\n  -root-cert ${SSL_PAGES_CERT_PATH}\n  -root-key ${SSL_PAGES_KEY_PATH}\nEOF\nfi\n\nif [[ ${GITLAB_PAGES_ACCESS_CONTROL} == true ]]; then\n  if [[ -z ${GITLAB_PAGES_ACCESS_SECRET} ]]; then\n    GITLAB_PAGES_ACCESS_SECRET=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40 ; echo '')\n  fi\n\n  update_template ${GITLAB_PAGES_CONFIG} \\\n      GITLAB_PAGES_ACCESS_CLIENT_ID \\\n      GITLAB_PAGES_ACCESS_CLIENT_SECRET \\\n      GITLAB_PAGES_ACCESS_REDIRECT_URI \\\n      GITLAB_PAGES_ACCESS_SECRET \\\n      GITLAB_PAGES_ACCESS_CONTROL_SERVER \\\n      GITLAB_PAGES_NAMESPACE_IN_PATH \\\n      GITLAB_PAGES_LOG_VERBOSE \\\n      GITLAB_INSTALL_DIR\n\n  if [[ -n ${GITLAB_PAGES_ARTIFACTS_SERVER_URL} ]]; then\n    update_template ${GITLAB_PAGES_CONFIG} GITLAB_PAGES_ARTIFACTS_SERVER_URL\n  else\n    exec_as_git sed -i \"/{{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}/d\" ${GITLAB_PAGES_CONFIG}\n  fi\nelse\n  update_template ${GITLAB_PAGES_CONFIG} \\\n      GITLAB_RELATIVE_URL_ROOT \\\n      GITLAB_PAGES_NAMESPACE_IN_PATH \\\n      GITLAB_PAGES_LOG_VERBOSE \\\n      GITLAB_INSTALL_DIR\n\n  exec_as_git sed -i \"/{{GITLAB_PAGES_ACCESS_CLIENT_ID}}/d\" ${GITLAB_PAGES_CONFIG}\n  exec_as_git sed -i \"/{{GITLAB_PAGES_ACCESS_CLIENT_SECRET}}/d\" ${GITLAB_PAGES_CONFIG}\n  exec_as_git sed -i \"/{{GITLAB_PAGES_ACCESS_REDIRECT_URI}}/d\" ${GITLAB_PAGES_CONFIG}\n  exec_as_git sed -i \"/{{GITLAB_PAGES_ACCESS_SECRET}}/d\" ${GITLAB_PAGES_CONFIG}\n  exec_as_git sed -i \"/{{GITLAB_PAGES_ACCESS_CONTROL_SERVER}}/d\" ${GITLAB_PAGES_CONFIG}\n  exec_as_git sed -i \"/{{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}/d\" ${GITLAB_PAGES_CONFIG}\nfi\n\ncat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF\n  -config ${GITLAB_PAGES_CONFIG}\nEOF\n\ncat >> /etc/supervisor/conf.d/gitlab-pages.conf 
<<EOF\nuser=git\nautostart=true\nautorestart=true\nstdout_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log\nstderr_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log\nEOF\nfi\n}\n\nconfigure_nginx() {\n  echo \"Configuring nginx...\"\n  sed -i \\\n  -e \"s|worker_processes .*|worker_processes ${NGINX_WORKERS};|\" \\\n  -e \"s|# server_names_hash_bucket_size 64;|server_names_hash_bucket_size ${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE};|\" \\\n  /etc/nginx/nginx.conf\n\n  nginx_configure_gitlab\n  nginx_configure_gitlab_ci\n  nginx_configure_gitlab_registry\n  nginx_configure_pages\n}\n\nmigrate_database() {\n  # run the `gitlab:setup` rake task if required\n  QUERY=\"SELECT count(*) FROM information_schema.tables WHERE table_schema = 'public';\"\n  COUNT=$(PGPASSWORD=\"${DB_PASS}\" psql -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -Atw -c \"${QUERY}\")\n\n\n  if [[ -z ${COUNT} || ${COUNT} -eq 0 ]]; then\n    echo \"Setting up GitLab for firstrun. Please be patient, this could take a while...\"\n    exec_as_git force=yes bundle exec rake gitlab:setup \\\n      ${GITLAB_ROOT_PASSWORD:+GITLAB_ROOT_PASSWORD=$GITLAB_ROOT_PASSWORD} \\\n      ${GITLAB_ROOT_EMAIL:+GITLAB_ROOT_EMAIL=$GITLAB_ROOT_EMAIL} >/dev/null\n  fi\n\n  # migrate database if the gitlab version has changed.\n  CACHE_VERSION=\n  [[ -f ${GITLAB_TEMP_DIR}/VERSION ]] && CACHE_VERSION=$(cat ${GITLAB_TEMP_DIR}/VERSION)\n  if [[ ${GITLAB_VERSION} != ${CACHE_VERSION} ]]; then\n    ## version check, only upgrades are allowed\n    if [[ -n ${CACHE_VERSION} && $(vercmp ${GITLAB_VERSION} ${CACHE_VERSION}) -lt 0 ]]; then\n      echo\n      echo \"ERROR: \"\n      echo \"  Cannot downgrade from GitLab version ${CACHE_VERSION} to ${GITLAB_VERSION}.\"\n      echo \"  Only upgrades are allowed. Please use sameersbn/gitlab:${CACHE_VERSION} or higher.\"\n      echo \"  Cannot continue. 
Aborting!\"\n      echo\n      return 1\n    fi\n\n    if [[ $(vercmp ${GITLAB_VERSION} 8.0.0) -gt 0 ]]; then\n      if [[ -n ${CACHE_VERSION} && $(vercmp ${CACHE_VERSION} 8.0.0) -lt 0 ]]; then\n        echo\n        echo \"ABORT: \"\n        echo \"  Upgrading to GitLab ${GITLAB_VERSION} from ${CACHE_VERSION} is not recommended.\"\n        echo \"  Please upgrade to version 8.0.5-1 before upgrading to 8.1.0 or higher.\"\n        echo \"  Refer to https://git.io/vur4j for CI migration instructions.\"\n        echo \"  Aborting for your own safety!\"\n        echo\n        return 1\n      fi\n    fi\n\n    echo \"Migrating database...\"\n    exec_as_git bundle exec rake db:migrate >/dev/null\n\n    echo \"${GITLAB_VERSION}\" > ${GITLAB_TEMP_DIR}/VERSION\n    rm -rf ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT # force cache cleanup\n  fi\n\n  # clear cache if relative_url has changed.\n  [[ -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT ]] && CACHE_GITLAB_RELATIVE_URL_ROOT=$(cat ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT)\n  if [[ ! -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT || ${GITLAB_RELATIVE_URL_ROOT} != ${CACHE_GITLAB_RELATIVE_URL_ROOT} ]]; then\n    echo \"Clearing cache...\"\n    exec_as_git bundle exec rake cache:clear >/dev/null 2>&1\n    echo \"${GITLAB_RELATIVE_URL_ROOT}\" > ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT\n  fi\n}\n\nexecute_raketask() {\n  if [[ -z ${1} ]]; then\n    echo \"Please specify the rake task to execute. 
See https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks\"\n    return 1\n  fi\n\n  if [[ ${1} == gitlab:backup:create  ]]; then\n    /usr/bin/supervisord -c /etc/supervisor/supervisord.conf\n    supervisorctl stop gitlab_extensions:*\n    supervisorctl stop gitlab:*\n  fi\n\n  if [[ ${1} == gitlab:backup:restore ]]; then\n    /usr/bin/supervisord -c /etc/supervisor/supervisord.conf\n    supervisorctl stop gitlab_extensions:*\n    supervisorctl stop gitlab:*\n    interactive=true\n    for arg in $@\n    do\n      if [[ $arg == BACKUP=* ]]; then\n        interactive=false\n        break\n      fi\n    done\n\n    # user needs to select the backup to restore\n    if [[ $interactive == true ]]; then\n      nBackups=$(ls ${GITLAB_BACKUP_DIR}/*_gitlab_backup.tar | wc -l)\n      if [[ $nBackups -eq 0 ]]; then\n        echo \"No backup present. Cannot continue restore process.\".\n        return 1\n      fi\n\n      echo\n      for b in $(ls ${GITLAB_BACKUP_DIR} | grep _gitlab_backup | sort -r)\n      do\n        echo \"‣ $b (created at $(date --date=\"@${b%%_*_gitlab_backup.tar}\" +'%d %b, %G - %H:%M:%S %Z'))\"\n      done\n      echo\n\n      read -p \"Select a backup to restore: \" file\n\n      if [[ -z ${file} ]]; then\n        echo \"Backup not specified. Exiting...\"\n        return 1\n      fi\n\n      if [[ ! -f ${GITLAB_BACKUP_DIR}/${file} ]]; then\n        echo \"Specified backup does not exist. 
Aborting...\"\n        return 1\n      fi\n\n      BACKUP=${file%%_gitlab_backup.tar}\n    fi\n  elif [[ ${1} == gitlab:import:repos ]]; then\n    # sanitize the datadir to avoid permission issues\n    sanitize_datadir\n  fi\n  echo \"Running raketask ${1}...\"\n  exec_as_git bundle exec rake $@ ${BACKUP:+BACKUP=$BACKUP}\n}\n\ngenerate_registry_certificates() {\n  if [[ ${GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES} == true ]]; then\n    echo 'Generating GitLab Registry internal certificates for communication between Gitlab and a Docker Registry'\n    PREVIOUS_DIRECTORY=$(pwd)\n    # Get directory from cert file path\n    if [[ -z $GITLAB_REGISTRY_KEY_PATH ]]; then\n        echo \"\\$GITLAB_REGISTRY_KEY_PATH is empty\"\n        return 1\n    fi\n    DIRECTORY=$(dirname \"$GITLAB_REGISTRY_KEY_PATH\")\n    echo \"Registry internal certificates will be generated in directory: $DIRECTORY\"\n    # Make certs directory if it doesn't exists\n    mkdir -p \"$DIRECTORY\"\n    # Go to the temporary directory\n    cd \"$DIRECTORY\" || return\n    # Get key filename\n    KEY_FILENAME=$(basename \"$GITLAB_REGISTRY_KEY_PATH\")\n    echo \"Registry internal key filename: $KEY_FILENAME\"\n    # Generate cert filename, by default, in same directory as $KEY_FILENAME, with same name, but with extension .crt\n    CERT_FILENAME=$(echo \"$KEY_FILENAME\" | sed \"s|key|crt|\" -)\n    echo \"Registry internal cert filename: $CERT_FILENAME\"\n    # Generate a random password password_file used in the next commands\n    if [[ -f password_file ]] ; then\n        echo \"password_file exists\"\n    else\n        openssl rand -hex -out password_file 32\n    fi\n    # Create a PKCS#10 certificate request\n    echo \"Generating internal certificate request\"\n    if [[ -f registry.csr ]] ; then\n        echo \"registry.csr exists\"\n    else\n        openssl req -new -passout file:password_file -newkey rsa:4096 -batch > registry.csr\n    fi\n    # Process RSA key\n    echo \"Processing RSA 
internal key\"\n    if [[ -f $KEY_FILENAME ]] ; then\n        echo \"$KEY_FILENAME exists\"\n    else\n        openssl rsa -passin file:password_file -in privkey.pem -out \"$KEY_FILENAME\"\n    fi\n\n    # Generate certificate\n    echo \"Generating internal certificate\"\n    if [[ -f $CERT_FILENAME ]] ; then\n        echo \"$CERT_FILENAME exists\"\n    else\n        openssl x509 -in registry.csr -out \"$CERT_FILENAME\" -req -signkey \"$KEY_FILENAME\" -days 10000\n    fi\n    chown -R ${GITLAB_USER}: ${DIRECTORY}\n    cd ${PREVIOUS_DIRECTORY}\n  fi\n}\n"
  },
  {
    "path": "assets/runtime/scripts/configure_feature_flags.rb",
    "content": "#!/usr/bin/env ruby\r\n\r\nrequire \"optparse\"\r\nrequire \"set\"\r\n\r\n# sameersbn/docker-gitlab\r\n# Ruby script to configure feature flags via CLI\r\n# Intended to be executed in the context of Rails Runner of Gitlab application\r\n# (to get valid \"Feature\" module, defined in (gitlab root)/lib/feature.rb)\r\n# https://guides.rubyonrails.org/command_line.html#bin-rails-runner\r\n#   bundle exec rails runner <path to this script> -- --enable <enable target> --disable <disable target>\r\n\r\nclass FeatureFlagCLI\r\n  def available_feature_flags()\r\n    # Feature flag lists are stored in (Gitlab root directory)/config/feature_flags/\r\n    # We can get the directory by accessing \"root\" property of \"Gitlab\" Module\r\n    # (may returns /home/git/gitlab for sameersbn/docker-gitlab)\r\n    feature_flag_yamls = Dir.glob(\"#{Gitlab.root}/config/feature_flags/**/*.yml\")\r\n\r\n    if Gitlab.ee?\r\n      feature_flag_yamls.concat(Dir.glob(\"#{Gitlab.root}/ee/config/feature_flags/**/*.yml\"))\r\n    end if\r\n\r\n    list = feature_flag_yamls.map { |p| File.basename(p, File.extname(p)) }\r\n    list\r\n  end\r\n\r\n  def parse_options(argv = ARGV)\r\n    op = OptionParser.new\r\n\r\n    opts = {\r\n      to_be_disabled: [],\r\n      to_be_enabled: [],\r\n    # TODO support \"opt out\", \"opt out removed\"\r\n    # to_be_opted_out: [],\r\n    # opt_out_removed: [],\r\n    }\r\n\r\n    op.on(\"-d\", \"--disable feature_a,feature_b,feature_c\", Array, \"comma-separated list of feature flags to be disabled (defaults: ${opts[:to_be_disabled]})\") { |v|\r\n      opts[:to_be_disabled] = v.uniq\r\n      puts \"- Specified feature flags to be disabled\"\r\n      puts opts[:to_be_disabled].map { |f| format(\"--- %<opt>s\", opt: f) }\r\n    }\r\n    op.on(\"-e\", \"--enable feature_a,feature_b,feature_c\", Array, \"comma-separated list of feature flags to be enabled (defaults: ${opts[:to_be_enabled]})\") { |v|\r\n      opts[:to_be_enabled] = v.uniq\r\n      
puts \"- Specified feature flags to be enabled\"\r\n      puts opts[:to_be_enabled].map { |f| format(\"--- %<opt>s\", opt: f) }\r\n    }\r\n\r\n    begin\r\n      args = op.parse(argv)\r\n      succeed = true\r\n    rescue OptionParser::InvalidOption, OptionParser::MissingArgument => e\r\n      puts e.message\r\n      puts op.help\r\n      succeed = false\r\n    end\r\n\r\n    [succeed, opts, args]\r\n  end\r\n\r\n  def run\r\n    succeed, opts, args = parse_options\r\n    if succeed\r\n      available_flags = self.available_feature_flags\r\n      disable_targets = available_flags & opts[:to_be_disabled]\r\n      enable_targets = available_flags & opts[:to_be_enabled]\r\n\r\n      disable_targets.each do |feature|\r\n        Feature.disable(feature)\r\n      end\r\n\r\n      enable_targets.each do |feature|\r\n        Feature.enable(feature)\r\n      end\r\n\r\n      invalid_enable_targets = opts[:to_be_enabled] - enable_targets\r\n      invalid_disable_targets = opts[:to_be_disabled] - disable_targets\r\n      invalid_targets = invalid_disable_targets | invalid_enable_targets\r\n      if invalid_targets.length > 0\r\n        puts \"- Following flags are probably invalid and have been ignored\"\r\n        puts invalid_targets.map { |f| format(\"--- %<name>s\", name: f) }\r\n      end\r\n    end\r\n\r\n    Feature.all\r\n  end\r\nend\r\n\r\nfeatures = FeatureFlagCLI.new.run\r\nputs features.map { |f|\r\n  format(\"- feature %<name>s : %<state>s\", name: f.name, state: f.state)\r\n}\r\n"
  },
  {
    "path": "contrib/docker-swarm/docker-compose.yml",
    "content": "services:\n  redis:\n    restart: always\n    image: redis:7\n    command:\n      - --loglevel warning\n    volumes:\n      - /srv/docker/gitlab/redis:/var/lib/redis:Z\n\n  postgresql:\n    restart: always\n    image: kkimurak/sameersbn-postgresql:16\n    volumes:\n      - /srv/docker/gitlab/postgresql:/var/lib/postgresql:Z\n    environment:\n      - DB_USER=gitlab\n      - DB_PASS=password\n      - DB_NAME=gitlabhq_production\n      - DB_EXTENSION=pg_trgm\n\n  gitlab:\n    restart: always\n    image: sameersbn/gitlab:18.9.2\n    depends_on:\n      - redis\n      - postgresql\n    ports:\n      - \"10080:80\"\n      - \"10022:22\"\n    volumes:\n      - /srv/docker/gitlab/gitlab:/home/git/data:Z\n    configs:\n      - gitlab-configs\n    secrets:\n      - gitlab-secrets\n    environment:\n      - DEBUG=false\n\n      - DB_ADAPTER=postgresql\n      - DB_HOST=postgresql\n      - DB_PORT=5432\n      - DB_USER=gitlab\n      - DB_PASS=password\n      - DB_NAME=gitlabhq_production\n\n      - REDIS_HOST=redis\n      - REDIS_PORT=6379\n\n      - TZ=Asia/Kolkata\n      - GITLAB_TIMEZONE=Kolkata\n\n      - GITLAB_HTTPS=false\n      - SSL_SELF_SIGNED=false\n\n      - GITLAB_HOST=localhost\n      - GITLAB_PORT=10080\n      - GITLAB_SSH_PORT=10022\n      - GITLAB_RELATIVE_URL_ROOT=\n      - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=[\"long-and-random-alphanumeric-string\"]\n      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=[\"long-and-random-alphanumeric-string\"]\n      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string\n\n      - GITLAB_ROOT_PASSWORD=\n      - GITLAB_ROOT_EMAIL=\n\n    
  - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true\n      - GITLAB_NOTIFY_PUSHER=false\n\n      - GITLAB_EMAIL=notifications@example.com\n      - GITLAB_EMAIL_REPLY_TO=noreply@example.com\n      - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com\n\n      - GITLAB_BACKUP_SCHEDULE=daily\n      - GITLAB_BACKUP_TIME=01:00\n\n      - SMTP_ENABLED=false\n      - SMTP_DOMAIN=www.example.com\n      - SMTP_HOST=smtp.gmail.com\n      - SMTP_PORT=587\n      - SMTP_USER=mailer@example.com\n      - SMTP_PASS=password\n      - SMTP_STARTTLS=true\n      - SMTP_AUTHENTICATION=login\n\n      - IMAP_ENABLED=false\n      - IMAP_HOST=imap.gmail.com\n      - IMAP_PORT=993\n      - IMAP_USER=mailer@example.com\n      - IMAP_PASS=password\n      - IMAP_SSL=true\n      - IMAP_STARTTLS=false\n\n      - OAUTH_ENABLED=false\n      - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=\n      - OAUTH_ALLOW_SSO=\n      - OAUTH_BLOCK_AUTO_CREATED_USERS=true\n      - OAUTH_AUTO_LINK_LDAP_USER=false\n      - OAUTH_AUTO_LINK_SAML_USER=false\n      - OAUTH_EXTERNAL_PROVIDERS=\n      - OAUTH_ALLOW_BYPASS_TWO_FACTOR=false\n\n      - OAUTH_CAS3_LABEL=cas3\n      - OAUTH_CAS3_SERVER=\n      - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false\n      - OAUTH_CAS3_LOGIN_URL=/cas/login\n      - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate\n      - OAUTH_CAS3_LOGOUT_URL=/cas/logout\n\n      - OAUTH_GOOGLE_API_KEY=\n      - OAUTH_GOOGLE_APP_SECRET=\n      - OAUTH_GOOGLE_RESTRICT_DOMAIN=\n\n      - OAUTH_FACEBOOK_API_KEY=\n      - OAUTH_FACEBOOK_APP_SECRET=\n\n      - OAUTH_TWITTER_API_KEY=\n      - OAUTH_TWITTER_APP_SECRET=\n\n      - OAUTH_GITHUB_API_KEY=\n      - OAUTH_GITHUB_APP_SECRET=\n      - OAUTH_GITHUB_URL=\n      - OAUTH_GITHUB_VERIFY_SSL=\n\n      - OAUTH_GITLAB_API_KEY=\n      - OAUTH_GITLAB_APP_SECRET=\n\n      - OAUTH_BITBUCKET_API_KEY=\n      - OAUTH_BITBUCKET_APP_SECRET=\n      - OAUTH_BITBUCKET_URL=\n\n      - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=\n      - OAUTH_SAML_IDP_CERT_FINGERPRINT=\n      - 
OAUTH_SAML_IDP_SSO_TARGET_URL=\n      - OAUTH_SAML_ISSUER=\n      - OAUTH_SAML_LABEL=\"Our SAML Provider\"\n      - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient\n      - OAUTH_SAML_GROUPS_ATTRIBUTE=\n      - OAUTH_SAML_EXTERNAL_GROUPS=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=\n\n      - OAUTH_CROWD_SERVER_URL=\n      - OAUTH_CROWD_APP_NAME=\n      - OAUTH_CROWD_APP_PASSWORD=\n\n      - OAUTH_AUTH0_CLIENT_ID=\n      - OAUTH_AUTH0_CLIENT_SECRET=\n      - OAUTH_AUTH0_DOMAIN=\n      - OAUTH_AUTH0_SCOPE=\n\n      - OAUTH2_GENERIC_APP_ID=\n      - OAUTH2_GENERIC_APP_SECRET=\n      - OAUTH2_GENERIC_CLIENT_SITE=\n      - OAUTH2_GENERIC_CLIENT_USER_INFO_URL=\n      - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=\n      - OAUTH2_GENERIC_CLIENT_TOKEN_URL=\n      - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=\n      - OAUTH2_GENERIC_ID_PATH=\n      - OAUTH2_GENERIC_USER_UID=\n      - OAUTH2_GENERIC_USER_NAME=\n      - OAUTH2_GENERIC_USER_EMAIL=\n      - OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE=\n      - OAUTH2_GENERIC_LABEL=\n      - OAUTH2_GENERIC_NAME=\n\n      - OAUTH_AZURE_API_KEY=\n      - OAUTH_AZURE_API_SECRET=\n      - OAUTH_AZURE_TENANT_ID=\n\nconfigs:\n  gitlab-configs:\n    file: ./gitlab.configs\n\nsecrets:\n  gitlab-secrets:\n    file: ./gitlab.secrets\n"
  },
  {
    "path": "contrib/docker-swarm/gitlab.configs",
    "content": "# config file to be sourced on startup - will over-ride any env set in the docker-compose.yml\n\nTEST=none\n"
  },
  {
    "path": "contrib/docker-swarm/gitlab.secrets",
    "content": "# config file to be sourced on startup - will over-ride any env set in the docker-compose.yml\n\nLDAP_ENABLED=true\nLDAP_LABEL=\"LDAP login\"\nLDAP_HOST=pool.ldap.example.com\nLDAP_PORT=3268\nLDAP_BIND_DN=the-ldap\nLDAP_PASS=no-not-really\nLDAP_BASE=ou=People,dc=example,dc=com\n#LDAP_LOWERCASE_USERNAMES=true\n##LDAP_USER_FILTER=uid={login}\n##LDAP_UID=\n#\n"
  },
  {
    "path": "contrib/expose-gitlab-ssh-port.sh",
    "content": "#!/usr/bin/env bash\nset -ev\n\nGITLAB_USERGROUP=${GITLAB_USERGROUP:-1010}\nGITLAB_SSH_PORT=${GITLAB_SSH_PORT:-9922}\n\nif ! id -u git >> /dev/null 2>&1; then\n  groupadd -g ${GITLAB_USERGROUP} git\n  useradd -m -u ${GITLAB_USERGROUP} -g git -s /bin/sh -d /home/git git\nfi\nsu git -c \"mkdir -p /home/git/.ssh/\"\n\nsu git -c \"if [ ! -f /home/git/.ssh/id_ed25519 ]; then ssh-keygen -t ed25519 -N \\\"\\\" -f /home/git/.ssh/id_ed25519; fi\"\nsu git -c \"if [ -f /home/git/.ssh/id_ed25519.pub ]; then mv /home/git/.ssh/id_ed25519.pub /home/git/.ssh/authorized_keys_proxy; fi\"\n\nmkdir -p /home/git/gitlab-shell/bin/\nrm -f /home/git/gitlab-shell/bin/gitlab-shell\ntee -a /home/git/gitlab-shell/bin/gitlab-shell > /dev/null <<EOF\n#!/bin/sh\n\nssh -i /home/git/.ssh/id_ed25519 -p ${GITLAB_SSH_PORT} -o StrictHostKeyChecking=no git@127.0.0.1 \"SSH_ORIGINAL_COMMAND=\\\"\\$SSH_ORIGINAL_COMMAND\\\" \\$0 \\$@\"\nEOF\nchown git:git /home/git/gitlab-shell/bin/gitlab-shell\nchmod u+x /home/git/gitlab-shell/bin/gitlab-shell\n\nmkdir -p /var/lib/gitlab/data/.ssh/\nchown git:git -R /var/lib/gitlab/data/.ssh/\nchown git:git -R /home/git/.ssh\nsu git -c \"touch /var/lib/gitlab/data/.ssh/authorized_keys\"\nrm -f /home/git/.ssh/authorized_keys\nsu git -c \"ln -s /var/lib/gitlab/data/.ssh/authorized_keys /home/git/.ssh/authorized_keys\"\n\necho \"Next start GitLab container\"\n"
  },
  {
    "path": "docker-compose.swarm.yml",
    "content": "services:\n  redis:\n    image: redis:7\n    command:\n      - --loglevel warning\n    volumes:\n      - redis-data:/var/lib/redis:Z\n    deploy:\n      placement:\n        constraints:\n          - node.labels.gitlab.redis-data == true\n\n  postgresql:\n    image: kkimurak/sameersbn-postgresql:16\n    volumes:\n      - postgresql-data:/var/lib/postgresql:Z\n    environment:\n      - DB_USER=gitlab\n      - DB_PASS=password\n      - DB_NAME=gitlabhq_production\n      - DB_EXTENSION=pg_trgm,btree_gist\n    deploy:\n      placement:\n        constraints:\n          - node.labels.gitlab.postgresql-data == true\n\n  registry:\n    image: registry:2\n    depends_on:\n      - gitlab\n    volumes:\n      - registry-data:/registry\n      - certs-data:/certs\n    environment:\n      - REGISTRY_LOG_LEVEL=info\n      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry\n      - REGISTRY_AUTH_TOKEN_REALM=https://${GITLAB_HOST?Variable not set}/jwt/auth\n      - REGISTRY_AUTH_TOKEN_SERVICE=container_registry\n      - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer\n      - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry.crt\n      - REGISTRY_STORAGE_DELETE_ENABLED=true\n    deploy:\n      placement:\n        constraints:\n          - node.labels.gitlab.certs-data == true\n      labels:\n        - traefik.enable=true\n        - traefik.docker.network=traefik-public\n        - traefik.constraint-label=traefik-public\n        - traefik.http.routers.gitlab-registry-http.rule=Host(`${REGISTRY_HOST?Variable not set}`)\n        - traefik.http.routers.gitlab-registry-http.entrypoints=http\n        - traefik.http.routers.gitlab-registry-http.middlewares=https-redirect\n        - traefik.http.routers.gitlab-registry-https.rule=Host(`${REGISTRY_HOST?Variable not set}`)\n        - traefik.http.routers.gitlab-registry-https.entrypoints=https\n        - traefik.http.routers.gitlab-registry-https.tls=true\n        - traefik.http.routers.gitlab-registry-https.tls.certresolver=le\n 
       - traefik.http.services.gitlab-registry.loadbalancer.server.port=5000\n    networks:\n      # To communicate with other services in this stack\n      - default\n      # To be available for the public Traefik\n      - traefik-public\n\n  gitlab:\n    image: sameersbn/gitlab:18.9.2\n    depends_on:\n      - redis\n      - postgresql\n    ports:\n      # Listen on port 22, default for SSH and Git in host mode (only in its host)\n      # So other nodes in the cluster can keep listening on port 22\n      - target: 22\n        published: 22\n        mode: host\n    volumes:\n      - gitlab-data:/home/git/data:Z\n      - certs-data:/certs\n    # healthcheck:\n    #   test: [\"CMD\", \"/usr/local/sbin/healthcheck\"]\n    #   interval: 5m\n    #   timeout: 10s\n    #   retries: 3\n    #   start_period: 5m\n    networks:\n      # To communicate with other services in this stack\n      - default\n      # To be available for the public Traefik\n      - traefik-public\n    environment:\n      - DEBUG=false\n\n      - GITLAB_REGISTRY_ENABLED=true\n      - GITLAB_REGISTRY_HOST=${REGISTRY_HOST?Variable not set}\n      - GITLAB_REGISTRY_PORT=443\n      - GITLAB_REGISTRY_API_URL=http://registry:5000\n      - GITLAB_REGISTRY_KEY_PATH=/certs/registry.key\n      - GITLAB_REGISTRY_ISSUER=gitlab-issuer\n      - GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES=true\n\n      - GITLAB_SIGNUP_ENABLED=false\n\n      - DB_ADAPTER=postgresql\n      - DB_HOST=postgresql\n      - DB_PORT=5432\n      - DB_USER=gitlab\n      - DB_PASS=password\n      - DB_NAME=gitlabhq_production\n\n      - REDIS_HOST=redis\n      - REDIS_PORT=6379\n\n      - TZ=Asia/Kolkata\n      - GITLAB_TIMEZONE=Kolkata\n\n      - GITLAB_HTTPS=true\n      - SSL_SELF_SIGNED=false\n\n      - GITLAB_HOST=${GITLAB_HOST?Variable not set}\n      - GITLAB_PORT=443\n      - GITLAB_SSH_PORT=22\n      - GITLAB_RELATIVE_URL_ROOT=\n      - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string\n      - 
GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=[\"long-and-random-alphanumeric-string\"]\n      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=[\"long-and-random-alphanumeric-string\"]\n      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string\n\n      - GITLAB_ROOT_PASSWORD=\n      - GITLAB_ROOT_EMAIL=\n\n      - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true\n      - GITLAB_NOTIFY_PUSHER=false\n\n      - GITLAB_EMAIL=notifications@example.com\n      - GITLAB_EMAIL_REPLY_TO=noreply@example.com\n      - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com\n\n      - GITLAB_BACKUP_SCHEDULE=daily\n      - GITLAB_BACKUP_TIME=01:00\n\n      - SMTP_ENABLED=false\n      - SMTP_DOMAIN=www.example.com\n      - SMTP_HOST=smtp.gmail.com\n      - SMTP_PORT=587\n      - SMTP_USER=mailer@example.com\n      - SMTP_PASS=password\n      - SMTP_STARTTLS=true\n      - SMTP_AUTHENTICATION=login\n\n      - IMAP_ENABLED=false\n      - IMAP_HOST=imap.gmail.com\n      - IMAP_PORT=993\n      - IMAP_USER=mailer@example.com\n      - IMAP_PASS=password\n      - IMAP_SSL=true\n      - IMAP_STARTTLS=false\n\n      - OAUTH_ENABLED=false\n      - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=\n      - OAUTH_ALLOW_SSO=\n      - OAUTH_BLOCK_AUTO_CREATED_USERS=true\n      - OAUTH_AUTO_LINK_LDAP_USER=false\n      - OAUTH_AUTO_LINK_SAML_USER=false\n      - OAUTH_EXTERNAL_PROVIDERS=\n\n      - OAUTH_CAS3_LABEL=cas3\n      - OAUTH_CAS3_SERVER=\n      - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false\n      - OAUTH_CAS3_LOGIN_URL=/cas/login\n      - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate\n      - OAUTH_CAS3_LOGOUT_URL=/cas/logout\n\n      - OAUTH_GOOGLE_API_KEY=\n      - OAUTH_GOOGLE_APP_SECRET=\n      - 
OAUTH_GOOGLE_RESTRICT_DOMAIN=\n\n      - OAUTH_FACEBOOK_API_KEY=\n      - OAUTH_FACEBOOK_APP_SECRET=\n\n      - OAUTH_TWITTER_API_KEY=\n      - OAUTH_TWITTER_APP_SECRET=\n\n      - OAUTH_GITHUB_API_KEY=\n      - OAUTH_GITHUB_APP_SECRET=\n      - OAUTH_GITHUB_URL=\n      - OAUTH_GITHUB_VERIFY_SSL=\n\n      - OAUTH_GITLAB_API_KEY=\n      - OAUTH_GITLAB_APP_SECRET=\n\n      - OAUTH_BITBUCKET_API_KEY=\n      - OAUTH_BITBUCKET_APP_SECRET=\n      - OAUTH_BITBUCKET_URL=\n\n      - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=\n      - OAUTH_SAML_IDP_CERT_FINGERPRINT=\n      - OAUTH_SAML_IDP_SSO_TARGET_URL=\n      - OAUTH_SAML_ISSUER=\n      - OAUTH_SAML_LABEL=\"Our SAML Provider\"\n      - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient\n      - OAUTH_SAML_GROUPS_ATTRIBUTE=\n      - OAUTH_SAML_EXTERNAL_GROUPS=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=\n\n      - OAUTH_CROWD_SERVER_URL=\n      - OAUTH_CROWD_APP_NAME=\n      - OAUTH_CROWD_APP_PASSWORD=\n\n      - OAUTH_AUTH0_CLIENT_ID=\n      - OAUTH_AUTH0_CLIENT_SECRET=\n      - OAUTH_AUTH0_DOMAIN=\n      - OAUTH_AUTH0_SCOPE=\n\n      - OAUTH_AZURE_API_KEY=\n      - OAUTH_AZURE_API_SECRET=\n      - OAUTH_AZURE_TENANT_ID=\n\n      - RACK_ATTACK_ENABLED=false\n    deploy:\n      placement:\n        constraints:\n          - node.labels.gitlab.certs-data == true\n      labels:\n        - traefik.enable=true\n        - traefik.docker.network=traefik-public\n        - traefik.constraint-label=traefik-public\n        - traefik.http.routers.gitlab-gitlab-http.rule=Host(`${GITLAB_HOST?Variable not set}`)\n        - traefik.http.routers.gitlab-gitlab-http.entrypoints=http\n        - traefik.http.routers.gitlab-gitlab-http.middlewares=https-redirect\n        - 
traefik.http.routers.gitlab-gitlab-https.rule=Host(`${GITLAB_HOST?Variable not set}`)\n        - traefik.http.routers.gitlab-gitlab-https.entrypoints=https\n        - traefik.http.routers.gitlab-gitlab-https.tls=true\n        - traefik.http.routers.gitlab-gitlab-https.tls.certresolver=le\n        - traefik.http.services.gitlab-gitlab.loadbalancer.server.port=80\n\nvolumes:\n  redis-data:\n  postgresql-data:\n  gitlab-data:\n  registry-data:\n  certs-data:\n\nnetworks:\n  traefik-public:\n    external: true\n"
  },
  {
    "path": "docker-compose.yml",
    "content": "\nservices:\n  redis:\n    restart: always\n    image: redis:7\n    command:\n      - --loglevel warning\n    volumes:\n      - redis-data:/data:Z\n\n  postgresql:\n    restart: always\n    image: kkimurak/sameersbn-postgresql:16\n    volumes:\n      - postgresql-data:/var/lib/postgresql:Z\n    environment:\n      - DB_USER=gitlab\n      - DB_PASS=password\n      - DB_NAME=gitlabhq_production\n      - DB_EXTENSION=pg_trgm,btree_gist\n\n  gitlab:\n    restart: always\n    image: sameersbn/gitlab:18.9.2\n    depends_on:\n      - redis\n      - postgresql\n    ports:\n      - \"10080:80\"\n      - \"10022:22\"\n    volumes:\n      - gitlab-data:/home/git/data:Z\n    healthcheck:\n      test: [\"CMD\", \"/usr/local/sbin/healthcheck\"]\n      interval: 5m\n      timeout: 10s\n      retries: 3\n      start_period: 5m\n    environment:\n      - DEBUG=false\n\n      - DB_ADAPTER=postgresql\n      - DB_HOST=postgresql\n      - DB_PORT=5432\n      - DB_USER=gitlab\n      - DB_PASS=password\n      - DB_NAME=gitlabhq_production\n\n      - REDIS_HOST=redis\n      - REDIS_PORT=6379\n\n      - TZ=Asia/Kolkata\n      - GITLAB_TIMEZONE=Kolkata\n\n      - GITLAB_HTTPS=false\n      - SSL_SELF_SIGNED=false\n\n      - GITLAB_HOST=localhost\n      - GITLAB_PORT=10080\n      - GITLAB_SSH_PORT=10022\n      - GITLAB_RELATIVE_URL_ROOT=\n      - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=[\"long-and-random-alphanumeric-string\"]\n      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=[\"long-and-random-alphanumeric-string\"]\n      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string\n\n      - GITLAB_ROOT_PASSWORD=\n      - GITLAB_ROOT_EMAIL=\n\n      - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true\n     
 - GITLAB_NOTIFY_PUSHER=false\n\n      - GITLAB_EMAIL=notifications@example.com\n      - GITLAB_EMAIL_REPLY_TO=noreply@example.com\n      - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com\n\n      - GITLAB_BACKUP_SCHEDULE=daily\n      - GITLAB_BACKUP_TIME=01:00\n\n      - SMTP_ENABLED=false\n      - SMTP_DOMAIN=www.example.com\n      - SMTP_HOST=smtp.gmail.com\n      - SMTP_PORT=587\n      - SMTP_USER=mailer@example.com\n      - SMTP_PASS=password\n      - SMTP_STARTTLS=true\n      - SMTP_AUTHENTICATION=login\n\n      - IMAP_ENABLED=false\n      - IMAP_HOST=imap.gmail.com\n      - IMAP_PORT=993\n      - IMAP_USER=mailer@example.com\n      - IMAP_PASS=password\n      - IMAP_SSL=true\n      - IMAP_STARTTLS=false\n\n      - OAUTH_ENABLED=false\n      - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=\n      - OAUTH_ALLOW_SSO=\n      - OAUTH_BLOCK_AUTO_CREATED_USERS=true\n      - OAUTH_AUTO_LINK_LDAP_USER=false\n      - OAUTH_AUTO_LINK_SAML_USER=false\n      - OAUTH_EXTERNAL_PROVIDERS=\n\n      - OAUTH_CAS3_LABEL=cas3\n      - OAUTH_CAS3_SERVER=\n      - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false\n      - OAUTH_CAS3_LOGIN_URL=/cas/login\n      - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate\n      - OAUTH_CAS3_LOGOUT_URL=/cas/logout\n\n      - OAUTH_GOOGLE_API_KEY=\n      - OAUTH_GOOGLE_APP_SECRET=\n      - OAUTH_GOOGLE_RESTRICT_DOMAIN=\n\n      - OAUTH_FACEBOOK_API_KEY=\n      - OAUTH_FACEBOOK_APP_SECRET=\n\n      - OAUTH_TWITTER_API_KEY=\n      - OAUTH_TWITTER_APP_SECRET=\n\n      - OAUTH_GITHUB_API_KEY=\n      - OAUTH_GITHUB_APP_SECRET=\n      - OAUTH_GITHUB_URL=\n      - OAUTH_GITHUB_VERIFY_SSL=\n\n      - OAUTH_GITLAB_API_KEY=\n      - OAUTH_GITLAB_APP_SECRET=\n\n      - OAUTH_BITBUCKET_API_KEY=\n      - OAUTH_BITBUCKET_APP_SECRET=\n      - OAUTH_BITBUCKET_URL=\n\n      - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=\n      - OAUTH_SAML_IDP_CERT_FINGERPRINT=\n      - OAUTH_SAML_IDP_SSO_TARGET_URL=\n      - OAUTH_SAML_ISSUER=\n      - OAUTH_SAML_LABEL=\"Our SAML Provider\"\n      - 
OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient\n      - OAUTH_SAML_GROUPS_ATTRIBUTE=\n      - OAUTH_SAML_EXTERNAL_GROUPS=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=\n\n      - OAUTH_CROWD_SERVER_URL=\n      - OAUTH_CROWD_APP_NAME=\n      - OAUTH_CROWD_APP_PASSWORD=\n\n      - OAUTH_AUTH0_CLIENT_ID=\n      - OAUTH_AUTH0_CLIENT_SECRET=\n      - OAUTH_AUTH0_DOMAIN=\n      - OAUTH_AUTH0_SCOPE=\n\n      - OAUTH_AZURE_API_KEY=\n      - OAUTH_AZURE_API_SECRET=\n      - OAUTH_AZURE_TENANT_ID=\n\nvolumes:\n  redis-data:\n  postgresql-data:\n  gitlab-data:\n"
  },
  {
    "path": "docs/container_registry.md",
    "content": "# GitLab Container Registry\n\nSince `8.8.0` GitLab introduces a container registry. GitLab is helping to authenticate the user against the registry and proxy it via Nginx. By [Registry](https://docs.docker.com/registry) we mean the registry from docker whereas *Container Registry* is the feature in GitLab.\n\n- [GitLab Container Registry](#gitlab-container-registry)\n  - [Prerequisites](#prerequisites)\n  - [Installation](#installation)\n    - [Setup with Nginx as Reverse Proxy](#setup-with-nginx-as-reverse-proxy)\n      - [Create auth tokens](#create-auth-tokens)\n      - [Update docker-compose.yml](#update-docker-composeyml)\n      - [Nginx Site Configuration](#nginx-site-configuration)\n  - [Configuration](#configuration)\n    - [Available Parameters](#available-parameters)\n    - [Container Registry storage driver](#container-registry-storage-driver)\n      - [Example for Amazon Simple Storage Service (s3)](#example-for-amazon-simple-storage-service-s3)\n    - [Storage limitations](#storage-limitations)\n  - [Maintenance](#maintenance)\n    - [Creating Backups](#creating-backups)\n    - [Restoring Backups](#restoring-backups)\n  - [Upgrading from an existing GitLab installation](#upgrading-from-an-existing-gitlab-installation)\n\n## Prerequisites\n\n- [Docker Distribution](https://github.com/docker/distribution) >= 2.4\n- [Docker GitLab](https://github.com/sameersbn/docker-gitlab) >= 8.8.5-1\n\n## Installation\n\n### Setup with Nginx as Reverse Proxy\n\nWe assume that you already have Nginx installed on your host system and that\nyou use a reverse proxy configuration to connect to your GitLab container.\n\nIn this example we use a dedicated domain for the registry. The URLs for\nthe GitLab installation and the registry are:\n\n- git.example.com\n- registry.example.com\n\n> Note: You could also run everything on the same domain and use different ports\n> instead. 
The required configuration changes below should be straightforward.\n\n#### Create auth tokens\n\nGitLab needs a certificate (\"auth token\") to talk to the registry API. The\ntokens must be provided in the `/certs` directory of your container. You could\nuse an existing domain certificate or create your own with a very long\nlifetime like this:\n\n```bash\nmkdir certs\ncd certs\n# Generate a random passphrase into password_file, which the next commands read\nopenssl rand -hex -out password_file 32\n# Create a PKCS#10 certificate request\nopenssl req -new -passout file:password_file -newkey rsa:4096 -batch > registry.csr\n# Convert RSA key\nopenssl rsa -passin file:password_file -in privkey.pem -out registry.key\n# Generate certificate\nopenssl x509 -in registry.csr -out registry.crt -req -signkey registry.key -days 10000\n```\n\nIt doesn't matter which details (domain name, etc.) you enter during key\ncreation. This information is not used at all.\n\nThe `openssl rsa` step writes `registry.key` without a passphrase, and GitLab signs the registry's JWT tokens with it. Keep `registry.key`, `privkey.pem` and `password_file` readable only by the accounts that need them.\n\n#### Update docker-compose.yml\n\n> [!important]\n> Docker Registry v3 is currently not compatible with the JWT tokens signed by GitLab.\n> The example below uses `registry:2` to avoid issues in validating the token.\n> \n> Alternatively, you can generate a JWKS file and specify it as `REGISTRY_AUTH_TOKEN_JWKS`\n> to run `registry:latest`. 
Further information can be found [here](https://github.com/cesanta/docker_auth/issues/386).\n\nFirst add the configuration for the registry container to your `docker-compose.yml`.\n\n```yaml\n    registry:\n        image: registry:2\n        restart: always\n        expose:\n            - \"5000\"\n        ports:\n            - \"5000:5000\"\n        volumes:\n            - ./gitlab/shared/registry:/registry\n            - ./certs:/certs\n        environment:\n            - REGISTRY_LOG_LEVEL=info\n            - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry\n            - REGISTRY_AUTH_TOKEN_REALM=https://git.example.com/jwt/auth\n            - REGISTRY_AUTH_TOKEN_SERVICE=container_registry\n            - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer\n            - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry.crt\n            - REGISTRY_STORAGE_DELETE_ENABLED=true\n```\n\nThe `ports` entry publishes the registry's unencrypted port 5000 on all host interfaces. If only the Nginx on the same host has to reach it, publish it on the loopback address instead (`\"127.0.0.1:5000:5000\"`).\n\n> **Important:**\n>\n> 1. Don't change `REGISTRY_AUTH_TOKEN_SERVICE`. It must have\n>    `container_registry` as value.\n> 2. `REGISTRY_AUTH_TOKEN_REALM` must look like\n>    `https://git.example.com/jwt/auth`. 
So the endpoint must be `/jwt/auth`.\n>\n> These configuration options are required by the GitLab Container Registry.\n\nThen update the `volumes` and `environment` sections of your `gitlab` container:\n\n```yaml\n    gitlab:\n        environment:\n            # ...\n            # Registry\n            - GITLAB_REGISTRY_ENABLED=true\n            - GITLAB_REGISTRY_HOST=registry.example.com\n            - GITLAB_REGISTRY_PORT=443\n            - GITLAB_REGISTRY_API_URL=http://registry:5000\n            - GITLAB_REGISTRY_KEY_PATH=/certs/registry.key\n\n        volumes:\n            - ./gitlab:/home/git/data\n            - ./certs:/certs\n```\n\n#### Nginx Site Configuration\n\nThe `ssl_protocols` and `ssl_ciphers` values in this example are permissive: TLS 1.0 and TLS 1.1 are deprecated (RFC 8996) and the `DES-CBC3-SHA` (3DES) suites are considered weak. Drop them unless you have to support legacy clients.\n\n```nginx\nserver {\n    root /dev/null;\n    server_name registry.example.com;\n    charset UTF-8;\n    access_log /var/log/nginx/registry.example.com.access.log;\n    error_log /var/log/nginx/registry.example.com.error.log;\n\n    # Set up SSL only connections:\n    listen *:443 ssl http2;\n    ssl_certificate             /etc/letsencrypt/live/registry.example.com/fullchain.pem;\n    ssl_certificate_key         /etc/letsencrypt/live/registry.example.com/privkey.pem;\n\n    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';\n    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;\n    ssl_prefer_server_ciphers on;\n    ssl_session_cache  builtin:1000  shared:SSL:10m;\n    ssl_session_timeout  5m;\n\n    client_max_body_size        0;\n    chunked_transfer_encoding   on;\n\n    location / {\n        proxy_set_header  Host              $http_host;   # required for docker client's sake\n        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP\n        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;\n  
      proxy_set_header  X-Forwarded-Proto $scheme;\n        proxy_read_timeout                  900;\n        proxy_pass        http://localhost:5000;\n    }\n}\n\nserver {\n    listen *:80;\n    server_name  registry.example.com;\n    server_tokens off; ## Don't show the nginx version number, a security best practice\n    return 301 https://$http_host:$request_uri;\n}\n```\n\n## Configuration\n\n### Available Parameters\n\nHere is an example of all configuration parameters that can be used in the GitLab container.\n\n```yml\n...\ngitlab:\n    ...\n    environment:\n    - GITLAB_REGISTRY_ENABLED=true\n    - GITLAB_REGISTRY_HOST=registry.gitlab.example.com\n    - GITLAB_REGISTRY_API_URL=http://registry:5000\n    - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key\n    - GITLAB_REGISTRY_ISSUER=gitlab-issuer\n    - SSL_REGISTRY_KEY_PATH=/certs/registry.key\n    - SSL_REGISTRY_CERT_PATH=/certs/registry.crt\n```\n\nwhere:\n\n| Parameter | Description |\n| --------- | ----------- |\n| `GITLAB_REGISTRY_ENABLED` | `true` or `false`. Enables the Registry in GitLab. By default this is `false`. |\n| `GITLAB_REGISTRY_HOST`    | The host URL under which the Registry will run and the users will be able to use. |\n| `GITLAB_REGISTRY_PORT`    | The port under which the external Registry domain will listen on. |\n| `GITLAB_REGISTRY_API_URL` | The internal API URL under which the Registry is exposed to. |\n| `GITLAB_REGISTRY_KEY_PATH`| The private key location that is a pair of Registry's `rootcertbundle`. Read the [token auth configuration documentation][token-config]. |\n| `GITLAB_REGISTRY_PATH`    | This should be the same directory like specified in Registry's `rootdirectory`. Read the [storage configuration documentation][storage-config]. This path needs to be readable by the GitLab user, the web-server user and the Registry user *if you use filesystem as storage configuration*. Read more in [#container-registry-storage-path](#container-registry-storage-path). 
|\n| `GITLAB_REGISTRY_ISSUER`  | This should be the same value as configured in Registry's `issuer`. Otherwise the authentication will not work. For more info read the [token auth configuration documentation][token-config]. |\n| `SSL_REGISTRY_KEY_PATH`    | The private key of the `SSL_REGISTRY_CERT_PATH`. This will be later used in nginx to proxy your registry via https. |\n| `SSL_REGISTRY_CERT_PATH`    | The certificate for the private key of `SSL_REGISTRY_KEY_PATH`. This will be later used in nginx to proxy your registry via https. |\n\nFor more info look at [Available Configuration Parameters](https://github.com/sameersbn/docker-gitlab#available-configuration-parameters).\n\nA minimum set of these parameters are required to use the GitLab Container Registry feature.\n\n```yml\n...\ngitlab:\n    environment:\n    - GITLAB_REGISTRY_ENABLED=true\n    - GITLAB_REGISTRY_HOST=registry.gitlab.example.com\n    - GITLAB_REGISTRY_API_URL=http://registry:5000\n    - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key\n    - GITLAB_REGISTRY_ISSUER=gitlab-issuer\n...\n```\n\n### Container Registry storage driver\n\nYou can configure the Container Registry to use a different storage backend by configuring a different storage driver. By default the GitLab Container Registry is configured to use the filesystem driver, which makes use of [storage path](#container-registry-storage-path) configuration. 
These configurations will all be done in the registry container.\n\nThe different supported drivers are:\n\n| Driver     | Description                         |\n|------------|-------------------------------------|\n| filesystem | Uses a path on the local filesystem |\n| azure      | Microsoft Azure Blob Storage        |\n| gcs        | Google Cloud Storage                |\n| s3         | Amazon Simple Storage Service       |\n| swift      | OpenStack Swift Object Storage      |\n| oss        | Aliyun OSS                          |\n\nRead more about the individual driver's config options in the\n[Docker Registry docs][storage-config].\n\n> **Warning** GitLab will not backup Docker images that are not stored on the filesystem. Remember to enable backups with your object storage provider if desired.\n>\n> If you use **filesystem** as storage driver you need to mount the path from `GITLAB_REGISTRY_DIR` of the GitLab container in the registry container. So both container can access the registry data.\n> If you don't change `GITLAB_REGISTRY_DIR` you will find your registry data in the mounted volume from the GitLab Container under `./gitlab/shared/registry`. This don't need to be separated mounted because `./gitlab` is already mounted in the GitLab Container. 
If it is mounted separately, the whole restoring process of the GitLab backup won't work, because GitLab tries to create a folder under `./gitlab/shared/registry` /`GITLAB_REGISTRY_DIR` and GitLab can't delete/remove the mount point inside the container, so the restoring process of the backup will fail.\n> An example of how it works is in the `docker-compose`.\n\n#### Example for Amazon Simple Storage Service (s3)\n\nIf you want to configure your registry via `/etc/docker/registry/config.yml`, your storage part should look like the snippet below. The `accesskey`, `secretkey` and `bucket` values shown are placeholders; use your own and keep the secret key out of version control.\n\n```yaml\nstorage:\n  s3:\n    accesskey: 'AKIAKIAKI'\n    secretkey: 'secret123'\n    bucket: 'gitlab-registry-bucket-AKIAKIAKI'\n  cache:\n    blobdescriptor: inmemory\n  delete:\n    enabled: true\n```\n\n```yaml\n ...\n registry:\n    restart: always\n    image: registry:2.8.3\n    volumes:\n     - ./certs:/certs\n    environment:\n    - REGISTRY_LOG_LEVEL=info\n    - REGISTRY_AUTH_TOKEN_REALM=https://gitlab.example.com:10080/jwt/auth\n    - REGISTRY_AUTH_TOKEN_SERVICE=container_registry\n    - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer\n    - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt\n    - REGISTRY_STORAGE_S3_ACCESSKEY=AKIAKIAKI\n    - REGISTRY_STORAGE_S3_SECRETKEY=secret123\n    - REGISTRY_STORAGE_S3_BUCKET=gitlab-registry-bucket-AKIAKIAKI\n    - REGISTRY_CACHE_BLOBDESCRIPTOR=inmemory\n    - REGISTRY_STORAGE_DELETE_ENABLED=true\n```\n\nFor more information about the configuration of the registry container, see [registry configuration](https://docs.docker.com/registry/configuration).\n\n### Storage limitations\n\nCurrently, there is no storage limitation, which means a user can upload an\ninfinite amount of Docker images with arbitrary sizes. 
This setting will be\nconfigurable in future releases.\n\n## Maintenance\n\nIf you use another storage configuration than filesystem it will have no impact on your Maintenance workflow.\n\n### Creating Backups\n\nCreating backups works the same as without a container registry. It is recommended to stop your registry container first.\n\n```bash\ndocker stop registry gitlab && docker rm registry gitlab\n```\n\nExecute the rake task with a removable container.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:rake gitlab:backup:create\n```\n\n### Restoring Backups\n\nGitLab also defines a rake task to restore a backup.\n\nBefore performing a restore make sure the container is stopped and removed to avoid container name conflicts.\n\n```bash\ndocker stop registry gitlab && docker rm registry gitlab\n```\n\nExecute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:rake gitlab:backup:restore\n```\n\nThe list of all available backups will be displayed in reverse chronological order. 
Select the backup you want to restore and continue.\n\nTo avoid user interaction in the restore operation, specify the timestamp of the backup using the `BACKUP` argument to the rake task.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:18.9.2 app:rake gitlab:backup:restore BACKUP=1417624827\n```\n\n## Upgrading from an existing GitLab installation\n\nIf you want to enable this feature for an existing instance of GitLab you need to do the following steps.\n\n- **Step 1**: Update the docker image.\n\n```bash\ndocker pull sameersbn/gitlab:18.9.2\n```\n\n- **Step 2**: Stop and remove the currently running image\n\n```bash\ndocker stop gitlab && docker rm gitlab\n```\n\n- **Step 3**: Create a backup\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:x.x.x app:rake gitlab:backup:create\n```\n\n- **Step 4**: Create a certs folder\nCreate an authentication certificate with [Generating certificate for authentication with the registry](#generating-certificate-for-authentication-with-the-registry).\n\n- **Step 5**: Create a registry instance\n\n> **Important Notice**\n>\n> Storage of the registry must be mounted from GitLab.\n> GitLab must have the container of the registry storage folder to be able to create and restore backups\n\n```bash\ndocker run --name registry -d \\\n--restart=always \\\n-v /srv/gitlab/shared/registry:/registry \\\n-v ./certs:/certs \\\n--env 'REGISTRY_LOG_LEVEL=info' \\\n--env 'REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry' \\\n--env 'REGISTRY_AUTH_TOKEN_REALM=http://gitlab.example.com/jwt/auth' \\\n--env 'REGISTRY_AUTH_TOKEN_SERVICE=container_registry' \\\n--env 'REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer' \\\n--env 'REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt' \\\n--env 'REGISTRY_STORAGE_DELETE_ENABLED=true' \\\nregistry:2.8.3\n```\n\n- **Step 6**: Start the image\n\n```bash\ndocker run --name gitlab -d [PREVIOUS_OPTIONS] \\\n-v /srv/gitlab/certs:/certs 
\\\n--env 'SSL_REGISTRY_CERT_PATH=/certs/registry.crt' \\\n--env 'SSL_REGISTRY_KEY_PATH=/certs/registry.key' \\\n--env 'GITLAB_REGISTRY_ENABLED=true' \\\n--env 'GITLAB_REGISTRY_HOST=registry.gitlab.example.com' \\\n--env 'GITLAB_REGISTRY_API_URL=http://registry:5000/' \\\n--env 'GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt' \\\n--env 'GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key' \\\n--link registry:registry\nsameersbn/gitlab:18.9.2\n```\n\n[storage-config]: https://docs.docker.com/registry/configuration/#storage\n[token-config]: https://docs.docker.com/registry/configuration/#token\n"
  },
  {
    "path": "docs/docker-compose-keycloak.yml",
    "content": "services:\n  redis:\n    restart: always\n    image: redis:7\n    command:\n      - --loglevel warning\n    volumes:\n      - redis-data:/var/lib/redis:Z\n\n  postgresql:\n    restart: always\n    image: kkimurak/sameersbn-postgresql:16\n    volumes:\n      - postgresql-data:/var/lib/postgresql:Z\n    environment:\n      - DB_USER=gitlab\n      - DB_PASS=password\n      - DB_NAME=gitlabhq_production\n      - DB_EXTENSION=pg_trgm,btree_gist\n\n  gitlab:\n    restart: always\n    image: sameersbn/gitlab:18.9.2\n    depends_on:\n      - redis\n      - postgresql\n    ports:\n      - \"10080:80\"\n      - \"10022:22\"\n    volumes:\n      - gitlab-data:/home/git/data:Z\n    environment:\n      - DEBUG=false\n\n      - DB_ADAPTER=postgresql\n      - DB_HOST=postgresql\n      - DB_PORT=5432\n      - DB_USER=gitlab\n      - DB_PASS=password\n      - DB_NAME=gitlabhq_production\n\n      - REDIS_HOST=redis\n      - REDIS_PORT=6379\n\n      - TZ=Asia/Kolkata\n      - GITLAB_TIMEZONE=Kolkata\n\n      - GITLAB_HTTPS=false\n      - SSL_SELF_SIGNED=false\n\n      - GITLAB_HOST='<your-ip-address>'\n      - GITLAB_PORT=10080\n      - GITLAB_SSH_PORT=10022\n      - GITLAB_RELATIVE_URL_ROOT=\n      - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string\n      - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string\n\n      - GITLAB_ROOT_PASSWORD=<root-password>\n      - GITLAB_ROOT_EMAIL=\n\n      - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true\n      - GITLAB_NOTIFY_PUSHER=false\n\n      - GITLAB_EMAIL=notifications@example.com\n      - GITLAB_EMAIL_REPLY_TO=noreply@example.com\n      - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com\n\n      - GITLAB_BACKUP_SCHEDULE=daily\n      - GITLAB_BACKUP_TIME=01:00\n\n      - SMTP_ENABLED=false\n      - SMTP_DOMAIN=www.example.com\n      - 
SMTP_HOST=smtp.gmail.com\n      - SMTP_PORT=587\n      - SMTP_USER=mailer@example.com\n      - SMTP_PASS=password\n      - SMTP_STARTTLS=true\n      - SMTP_AUTHENTICATION=login\n\n      - IMAP_ENABLED=false\n      - IMAP_HOST=imap.gmail.com\n      - IMAP_PORT=993\n      - IMAP_USER=mailer@example.com\n      - IMAP_PASS=password\n      - IMAP_SSL=true\n      - IMAP_STARTTLS=false\n\n      - OAUTH_ENABLED=true\n      - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=Keycloak\n      - OAUTH_ALLOW_SSO=Keycloak\n      - OAUTH_BLOCK_AUTO_CREATED_USERS=false\n      - OAUTH_AUTO_LINK_LDAP_USER=false\n      - OAUTH_AUTO_LINK_SAML_USER=false\n      - OAUTH_EXTERNAL_PROVIDERS=Keycloak\n\n      - OAUTH_CAS3_LABEL=cas3\n      - OAUTH_CAS3_SERVER=\n      - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false\n      - OAUTH_CAS3_LOGIN_URL=/cas/login\n      - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate\n      - OAUTH_CAS3_LOGOUT_URL=/cas/logout\n\n      - OAUTH_GOOGLE_API_KEY=\n      - OAUTH_GOOGLE_APP_SECRET=\n      - OAUTH_GOOGLE_RESTRICT_DOMAIN=\n\n      - OAUTH_FACEBOOK_API_KEY=\n      - OAUTH_FACEBOOK_APP_SECRET=\n\n      - OAUTH_TWITTER_API_KEY=\n      - OAUTH_TWITTER_APP_SECRET=\n\n      - OAUTH_GITHUB_API_KEY=\n      - OAUTH_GITHUB_APP_SECRET=\n      - OAUTH_GITHUB_URL=\n      - OAUTH_GITHUB_VERIFY_SSL=\n\n      - OAUTH_GITLAB_API_KEY=\n      - OAUTH_GITLAB_APP_SECRET=\n\n      - OAUTH_BITBUCKET_API_KEY=\n      - OAUTH_BITBUCKET_APP_SECRET=\n      - OAUTH_BITBUCKET_URL=\n\n      - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=\n      - OAUTH_SAML_IDP_CERT_FINGERPRINT=\n      - OAUTH_SAML_IDP_SSO_TARGET_URL=\n      - OAUTH_SAML_ISSUER=\n      - OAUTH_SAML_LABEL=\"Our SAML Provider\"\n      - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient\n      - OAUTH_SAML_GROUPS_ATTRIBUTE=\n      - OAUTH_SAML_EXTERNAL_GROUPS=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=\n      
- OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=\n      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=\n\n      - OAUTH_CROWD_SERVER_URL=\n      - OAUTH_CROWD_APP_NAME=\n      - OAUTH_CROWD_APP_PASSWORD=\n\n      - OAUTH_AUTH0_CLIENT_ID=\n      - OAUTH_AUTH0_CLIENT_SECRET=\n      - OAUTH_AUTH0_DOMAIN=\n      - OAUTH_AUTH0_SCOPE=\n\n      - OAUTH_AZURE_API_KEY=\n      - OAUTH_AZURE_API_SECRET=\n      - OAUTH_AZURE_TENANT_ID=\n\n      - OAUTH2_GENERIC_APP_ID=git\n      - OAUTH2_GENERIC_APP_SECRET=<your-client-secret>\n      - OAUTH2_GENERIC_CLIENT_SITE=http://<your-ip-address>:10081\n      - OAUTH2_GENERIC_CLIENT_USER_INFO_URL=http://<your-ip-address>:10081/auth/realms/master/protocol/openid-connect/userinfo\n      - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=http://<your-ip-address>:10081/auth/realms/master/protocol/openid-connect/auth\n      - OAUTH2_GENERIC_CLIENT_TOKEN_URL=http://<your-ip-address>:10081/auth/realms/master/protocol/openid-connect/token\n      - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=http://<your-ip-address>:10081/auth/realms/master/protocol/openid-connect/logout\n      - OAUTH2_GENERIC_ID_PATH=sub\n      - OAUTH2_GENERIC_USER_UID=sub\n      - OAUTH2_GENERIC_USER_NAME=preferred_username\n      - OAUTH2_GENERIC_USER_EMAIL=email\n      - OAUTH2_GENERIC_NAME=Keycloak\n\n  keycloak:\n    restart: always\n    image: jboss/keycloak:8.0.1\n    ports:\n      - \"10081:8080\"\n    environment:\n      - DEBUG=false\n      - KEYCLOAK_PASSWORD=admin\n      - KEYCLOAK_USER=admin\n\nvolumes:\n  redis-data:\n  postgresql-data:\n  gitlab-data:\n"
  },
  {
    "path": "docs/docker-compose-registry.yml",
    "content": "services:\n  redis:\n    restart: always\n    image: redis:7\n    command:\n      - --loglevel warning\n    volumes:\n      - redis:/var/lib/redis:Z\n\n  postgresql:\n    restart: always\n    image: kkimurak/sameersbn-postgresql:16\n    volumes:\n      - postgresql:/var/lib/postgresql:Z\n    environment:\n      - DB_USER=gitlab\n      - DB_PASS=password\n      - DB_NAME=gitlabhq_production\n      - DB_EXTENSION=pg_trgm,btree_gist\n\n  gitlab:\n    restart: always\n    image: sameersbn/gitlab:18.9.2\n    volumes:\n      - gitlab-data:/home/git/data:Z\n      - gitlab-logs:/var/log/gitlab\n      - ./certs:/certs\n    depends_on:\n      - redis\n      - postgresql\n    ports:\n      - \"80:80\"\n      - \"10022:22\"\n    external_links:\n      - \"registry:registry.example.com\"\n    environment:\n      - DEBUG=false\n\n      - DB_ADAPTER=postgresql\n      - DB_HOST=postgresql\n      - DB_PORT=5432\n      - DB_USER=gitlab\n      - DB_PASS=password\n      - DB_NAME=gitlabhq_production\n\n      - REDIS_HOST=redis\n      - REDIS_PORT=6379\n\n      - GITLAB_HTTPS=false\n      - SSL_SELF_SIGNED=false\n\n      - GITLAB_HOST=gitlab.example.com\n      - GITLAB_PORT=80\n      - GITLAB_SSH_PORT=10022\n      - GITLAB_RELATIVE_URL_ROOT=\n      - GITLAB_SECRETS_DB_KEY_BASE=secret\n      - GITLAB_SECRETS_SECRET_KEY_BASE=secret\n      - GITLAB_SECRETS_OTP_KEY_BASE=secret\n      - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=secret\n\n      - GITLAB_REGISTRY_ENABLED=true\n      - GITLAB_REGISTRY_HOST=registry.example.com\n      - GITLAB_REGISTRY_PORT=5000\n      - GITLAB_REGISTRY_API_URL=https://registry.example.com:5000\n      - GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt\n      - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key\n\n  registry:\n    restart: always\n    image: registry:2.4.1\n    ports:\n      - \"5000:5000\"\n    volumes:\n      - registry-data:/var/lib/registry\n      - ./certs:/certs\n    external_links:\n      - 
\"gitlab:gitlab.example.com\"\n    environment:\n      - REGISTRY_LOG_LEVEL=info\n      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry\n      - REGISTRY_AUTH_TOKEN_REALM=http://gitlab.example.com/jwt/auth\n      - REGISTRY_AUTH_TOKEN_SERVICE=container_registry\n      - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer\n      - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt\n      - REGISTRY_STORAGE_DELETE_ENABLED=true\n      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry-auth.crt\n      - REGISTRY_HTTP_TLS_KEY=/certs/registry-auth.key\n      - REGISTRY_HTTP_SECRET=secret\n\nvolumes:\n    gitlab-data:\n    gitlab-logs:\n    postgresql:\n    redis:\n    registry-data:\n"
  },
  {
    "path": "docs/docker-swarm-traefik-registry.md",
    "content": "# Docker Swarm mode deployment\n\nHere's a guide to deploy **GitLab** with:\n\n* [Docker Swarm mode](https://docs.docker.com/engine/swarm/) for cluster management and orchestration.\n* [Docker Registry](https://docs.docker.com/registry/) with HTTPS, TLS (SSL) handled automatically, using GitLab credentials and integration with GitLab CI.\n* [Traefik](https://traefik.io/) proxy to handle domain based redirection, HTTPS communication and automatic certificate generation with [Let's encrypt](https://letsencrypt.org/). You don't need to build a custom Nginx proxy or anything similar, it's all handled by Traefik.\n* Automatic generation and configuration of GitLab / Registry internal communication certificates.\n\n## Set up Docker Swarm\n\nSet up a Docker Swarm mode cluster with a main global Traefik load balancer following the guide at [DockerSwarm.rocks](https://dockerswarm.rocks).\n\nIt will take you less than 20 minutes to follow it to deploy a cluster (of one or more machines) and have it ready for the next steps.\n\n## Configure DNS records\n\nConfigure your DNS domain records to point one subdomain for your GitLab instance and one subdomain for the Docker Registry to the new server.\n\nFor example, a DNS `A` record for `gitlab.example.com` and a DNS `A` record for `registry.example.com`.\n\nIf you have a cluster with several nodes, make sure those DNS records point to the IP of the node that will host the `gitlab` and `registry` services.\n\nThis is because `gitlab` has to listen on port `22` for Git to work, but we will configure it to make it listen on port `22` only on the server that has GitLab.\n\nThat way, if you have other servers in your cluster, you won't have to change the default SSH port of all of them.\n\n## Modify the server SSH port\n\nAs by default Git uses the same SSH port `22`, and you want your GitLab container to use that port, modify your server SSH configuration to use a different port. 
This guide will assume you will use port `2222` for your server SSH and port `22` for your GitLab.\n\nConnect to your remote server as normally, e.g.:\n\n```bash\nssh root@gitlab.example.com\n```\n\nCreate a backup of your SSH config file:\n\n```bash\ncp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup\n```\n\nModify your SSH config.\n\n**Warning**: if something is broken after modifying the SSH configuration, you could lock yourself out of the server.\n\nYou need to have a line `Port 2222` and make sure there's no line `Port 22`.\n\nYou can use this command to do it automatically, it will check for a line with `Port 22` or `#Port 22` and replace it with `Port 2222`.\n\n```bash\nsed -i 's|^#\\?Port 22$|Port 2222|' /etc/ssh/sshd_config\n```\n\nOr you can modify it with `nano` by hand, with:\n\n```bash\nnano /etc/ssh/sshd_config\n```\n\nConfirm that there's a single line with `Port 2222` with:\n\n```bash\ngrep \"^Port\" /etc/ssh/sshd_config\n```\n\nThen restart the SSH server:\n\n```bash\nsystemctl restart sshd.service\n```\n\n**Warning**: at this point, if you lose your connection and something was wrong in the configuration, you could lock yourself out of the server. 
Run the following steps in a new terminal session, without closing the existing one, so that, if something was wrong, you can use the current session to edit the configurations, revert them, and restart the SSH service, before being locked out.\n\nIn a different terminal session, without closing the existing one, try connecting with SSH to your server using the new port, e.g.:\n\n```bash\nssh -p 2222 root@gitlab.example.com\n```\n\nIf you get connected to the remote server normally, everything is working correctly.\n\n## Download the Docker Compose stack file\n\n* Download the Docker Compose stack file:\n\n```bash\ncurl -L https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.swarm.yml -o docker-compose.swarm.yml\n```\n\n## Set environment variables\n\nSet and export the environment variables `GITLAB_HOST` and `REGISTRY_HOST` to the subdomains you configured.\n\nFor example:\n\n```bash\nexport GITLAB_HOST=gitlab.example.com\nexport REGISTRY_HOST=registry.example.com\n```\n\nYou will use the domain for `GITLAB_HOST` to access GitLab in your browser and to commit and push with Git.\n\nAnd you will use the domain for `REGISTRY_HOST` to store, push, and pull Docker images, e.g.:\n\n```bash\ndocker pull registry.example.com/mygroup/myproject/imagename:sometag\n```\n\nThese environment variables will be used by the file `docker-compose.swarm.yml`.\n\nThey are used inside of the stacks and are also used to configure the domains for the Traefik load balancer. 
Because of that, you need to export them for them to be available when deploying the stack.\n\n## Other environment variables\n\nThere are many additional environment variables with different configurations.\n\nRead the [main README](https://github.com/sameersbn/docker-gitlab) for all the options.\n\nFor Registry specific options and details, check the main [GitLab Registry documentation in this repo](https://github.com/sameersbn/docker-gitlab/blob/master/docs/container_registry.md).\n\nYou can configure them by editing the file `docker-compose.swarm.yml`.\n\nYou can do it in the command line with a program like `nano`, e.g.:\n\n```bash\nnano docker-compose.swarm.yml\n```\n\n## Set other environment variables\n\nIf you want to let anyone sign up, instead of only people with an invitation, change `GITLAB_SIGNUP_ENABLED` to `true`:\n\n```bash\nexport GITLAB_SIGNUP_ENABLED=true\n```\n\nThere are several environment variables that require random strings for keys and passwords.\n\nFor the sections that require generating random strings for keys and passwords, each time, run the following command and copy the output:\n\n```bash\nopenssl rand -hex 32\n# Outputs something like: 99d3b1f01aa639e4a76f4fc281fc834747a543720ba4c8a8648ba755aef9be7f\n```\n\nYou can copy it and set it in the file, replacing each `long-and-random-alphanumeric-string` placeholder with a separately generated value:\n\n```yaml\n- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string\n- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string\n- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string\n- GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string\n```\n\nThere are several other settings that you might want to configure, like email accounts for notifications, SMTP credentials to send emails, etc.\n\n## Copy the file\n\nIf you modified the file locally, make sure you copy it to your remote server, e.g.:\n\n```bash\nscp -P 2222 docker-compose.swarm.yml root@gitlab.example.com:/root/\n```\n\nand connect via SSH to your remote server, 
e.g.:\n\n```bash\nssh -p 2222 root@gitlab.example.com\n```\n\nIf you modified the file locally and then connected to your server later, make sure you export the environment variables `GITLAB_HOST` and `REGISTRY_HOST` that are needed even if you modified the Docker Compose file (as those are used in the Traefik labels).\n\n## About volumes, labels, and constraints\n\nBecause the Docker Swarm cluster may have more than one single node (machine) in the cluster, we need to make sure that the services that need to save and read files from volumes are always deployed to the same node.\n\nFor example, the service for `redis` uses a volume, you can check it on the `docker-compose.swarm.yml` file:\n\n```yaml\n    volumes:\n    - redis-data:/var/lib/redis:Z\n```\n\nTo make sure `redis` is always deployed to the same node that contains the same volume `redis-data`, we have a constraint:\n\n```yaml\n    deploy:\n      placement:\n        constraints:\n          - node.labels.gitlab.redis-data == true\n```\n\nThis tells Docker that the service `redis` should be deployed to a Docker node (a machine in the cluster) with the label `node.labels.gitlab.redis-data=true`.\n\nThen we can make one node (only one) have this label, and Docker Swarm will always deploy the `redis` service to the same node. That way, the service will keep reading the same volume every time. Even if you re-deploy or upgrade the stack.\n\n## Add constraint labels\n\nNow we are going to add the needed labels to satisfy those constraints, to make sure the volumes work correctly.\n\n* Connect to a manager node in your Docker Swarm cluster. 
It could be the same server that will run GitLab, or it could be a different one.\n\n* If you are deploying the stack in the same current manager node, get its node ID and store it in an environment variable:\n\n```bash\nexport NODE_ID=$(docker info -f '{{.Swarm.NodeID}}')\n```\n\n* Otherwise, you can check the current available nodes with:\n\n```console\n$ docker node ls\n\nID                            HOSTNAME             STATUS   AVAILABILITY   MANAGER STATUS   ENGINE VERSION\nm48gz5e8ucmk59af4m6enmnaz *   dog.example.com      Ready    Active         Leader           19.03.9\n4w456u9lnanau629v3y456k9d     cat.example.com      Ready    Active                          19.03.9\nmue36qqwqnzrqt4iqi0yyd6ie     gitlab.example.com   Ready    Active                          19.03.9\n```\n\nAnd select the node where you want to deploy the main `gitlab` service. In this example, in the node that has a `HOSTNAME` with value `gitlab.example.com`, with node ID `mue36qqwqnzrqt4iqi0yyd6ie`.\n\nSo, you could export that environment variable using the node ID with something like:\n\n```bash\nexport NODE_ID=mue36qqwqnzrqt4iqi0yyd6ie\n```\n\n* Create a label in that node, so that the service `gitlab` and `registry` are always deployed to the same node and use the same volumes:\n\n```bash\ndocker node update --label-add gitlab.certs-data=true $NODE_ID\n```\n\nWe need to make sure `gitlab` and `registry` are deployed on the same node because they share the same volume with the TLS certificates generated by `gitlab`.\n\nNow create the label for `redis`. You could use another node in your cluster if you have more than one, for simplicity we are going to use the same node, e.g.:\n\n```bash\ndocker node update --label-add gitlab.redis-data=true $NODE_ID\n```\n\nAnd add the label for `postgres`:\n\n```bash\ndocker node update --label-add gitlab.postgresql-data=true $NODE_ID\n```\n\n**Note**: you only have to set those labels once. 
Not every time you want to re-deploy your stack.\n\n## Deploy the stack\n\nNow, having the labels set in the Docker nodes, and the environment variables exported, you can deploy your stack:\n\n```bash\ndocker stack deploy --compose-file docker-compose.swarm.yml gitlab\n```\n\n**Note**: the environment variables `GITLAB_HOST` and `REGISTRY_HOST` have to be available every time to deploy the stack. But the node labels can be set only once, the first time you deploy.\n\nYou can check the status of the deployment with:\n\n```bash\ndocker stack ps gitlab\n```\n\nOr check the logs, for example for the service `gitlab_gitlab`:\n\n```bash\ndocker service logs gitlab_gitlab\n```\n\n## Internal certificates\n\nGitLab and the Docker Registry have public facing HTTPS certificates generated with Let's Encrypt for each one. But to communicate between themselves they use an additional self-signed certificate.\n\nTo tell GitLab to generate those self-signed certificates for the internal communication with GitLab, the `gitlab` service has an environment variable:\n\n```yaml\n- GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES=true\n```\n\nGitLab will generate the certificates and store them in the location given by:\n\n```yaml\n- GITLAB_REGISTRY_KEY_PATH=/certs/registry.key\n```\n\nAnd that location, `/certs`, is mounted as a named volume:\n\n```yaml\n    volumes:\n    - gitlab-data:/home/git/data:Z\n    - certs-data:/certs\n```\n\nSo, the self-signed certificates will be generated inside the named volume `gitlab-certs`.\n\nAnd the Registry also has that named volume mounted:\n\n```yaml\n    volumes:\n      - registry-data:/registry\n      - certs-data:/certs\n```\n\nAnd the Registry is configured to look for the certificate in that same location that GitLab used to generate the certificate:\n\n```yaml\n- REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry.crt\n```\n\n## GitLab Runner in Docker\n\nIf you use GitLab and want to integrate Continuous Integration / Continuous Deployment, 
you can follow this section to install the GitLab runner.\n\nYou should create the runner using Docker standalone instead of in Docker Swarm mode, as you need the configurations to persist, and in Docker Swarm mode, the container could be deployed to a different server and you would lose those configurations.\n\n### Testing and Deployment\n\nFor testing, the GitLab runner can run in any node.\n\nBut if you want to deploy another runner for deployment (or use the same one), it has to run on a manager node in the Docker Swarm cluster.\n\n### Create the GitLab Runner in Docker standalone mode\n\nTo install a GitLab runner in a standalone Docker run:\n\n```bash\ndocker run -d \\\n    --name gitlab-runner \\\n    --restart always \\\n    -v gitlab-runner:/etc/gitlab-runner \\\n    -v /tmp/builds:/tmp/builds \\\n    -v /var/run/docker.sock:/var/run/docker.sock \\\n    gitlab/gitlab-runner:latest\n```\n\nThe `/var/run/docker.sock` mount gives this runner, and any job it runs with the socket mounted, control of the host's Docker daemon, which is equivalent to root on that host; restrict the runner to projects and users you trust.\n\nThen, enter into that container:\n\n```bash\ndocker exec -it gitlab-runner bash\n```\n\n### Install the GitLab Runner\n\n* Go to the GitLab \"Admin Area -> Runners\" section.\n* Get the URL and create a variable with it in the bash session inside of your Runner's Docker container, e.g.:\n\n```bash\nexport GITLAB_URL=https://gitlab.example.com/\n```\n\n* Get the registration token and create a variable in the bash session inside of your Runner's Docker container, e.g.:\n\n```bash\nexport GITLAB_TOKEN=WYasdfJp4sdfasdf1234\n```\n\n* Run the next command editing the name and tags as you need, you can also edit them later in the web user interface.\n\n```bash\ngitlab-runner \\\n    register -n \\\n    --name \"Docker Runner\" \\\n    --executor docker \\\n    --locked false \\\n    --access-level not_protected \\\n    --builds-dir /tmp/builds \\\n    --docker-image docker:latest \\\n    --docker-volumes /tmp/builds:/tmp/builds \\\n    --docker-volumes /var/run/docker.sock:/var/run/docker.sock \\\n    --url $GITLAB_URL \\\n    --registration-token $GITLAB_TOKEN \\\n    
--tag-list dog-cat-cluster,stag,prod\n```\n\n* You can edit the runner more from the GitLab admin section.\n"
  },
  {
    "path": "docs/exposing-ssh-port.md",
    "content": "# Exposing ssh port in dockerized gitlab-ce\n\nThis is how to expose this internal ssh port without affecting the existing ssh port on the host server:\n\n* use this configuration script: [`../contrib/expose-gitlab-ssh-port.sh`](../contrib/expose-gitlab-ssh-port.sh)\n* see implementation example in Vagrant: [harobed/docker-gitlab-vagrant-test](https://github.com/harobed/docker-gitlab-vagrant-test)\n* more information, see [« Exposing ssh port in dockerized gitlab-ce »](https://blog.xiaket.org/2017/exposing.ssh.port.in.dockerized.gitlab-ce.html) post\n"
  },
  {
    "path": "docs/keycloak-idp.md",
    "content": "# Integrate Keycloak as an IDP with GitLab\n\nIn this document, we will explain how to set up Keycloak and integrate it into GitLab.\n\n## Setting up Keycloak\n\nFirst, you need a client in Keycloak to authenticate with GitLab. You can start Keycloak by running `docker-compose up -d keycloak`.\n\nWhen Keycloak is running, log in using the `Administration console`. You can visit the Keycloak on the [local IP](http://localhost:10081) of your laptop.\n\n![Keycloak Home](images/keycloak-home.png)\n\nNext, create a client.\n\n![Keycloak client](images/keycloak-client.png)\n\nFill in the following variables:\n\n![Keycloak client creation](images/keycloak-client-creation.png)\n\nMake access type confidential and enable service accounts and authorization.\n\n![Keycloak client creation](images/keycloak-client-creation2.png)\n\nNext, click save, get the client secret generated by Keycloak and start filling out the variables for GitLab in the docker-compose file.\n\n![Keycloak client secret](images/keycloak-secret.png)\n\nSet the following in the docker-compose file:\n\n```yaml\n    - OAUTH2_GENERIC_APP_SECRET=<your-client-secret>\n    - OAUTH2_GENERIC_CLIENT_SITE=http://<your-ip-address>:10081\n    - OAUTH2_GENERIC_CLIENT_USER_INFO_URL=http://<your-ip-address>:10081/auth/realms/master/protocol/openid-connect/userinfo\n    - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=http://<your-ip-address>:10081/auth/realms/master/protocol/openid-connect/auth\n    - OAUTH2_GENERIC_CLIENT_TOKEN_URL=http://<your-ip-address>:10081/auth/realms/master/protocol/openid-connect/token\n    - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=http://<your-ip-address>:10081/auth/realms/master/protocol/openid-connect/logout\n```\n\n`<your-ip-address>` is the IP address of your keycloak. 
For this example this would be your IP address, but if your Keycloak existed elsewhere for your deployment `<your-ip-address>` would be different as would the port and the realm. The example URLs use plain `http` because Keycloak runs locally; a Keycloak reached over a network should be addressed with `https` so that the client secret and tokens are not sent in clear text.\n\nThe following must also be configured:\n\n```yaml\n    - OAUTH2_GENERIC_USER_UID='preferred_username'\n    - OAUTH2_GENERIC_USER_NAME='name'\n    - OAUTH2_GENERIC_USER_EMAIL='email'    \n```\n\nThe values will be different for your deployment. Navigate Keycloak's UI, select `Clients`, click `[your client]`, then open the `Client Scopes` tab, then open `Evaluate` sub-tab, enter a username you know in the `User` field, select the match, then `Generate Access Token` to see the values you need to configure.\n\nAlso, make sure the following variables are filled in the docker-compose file:\n\n```yaml\n    - GITLAB_HOST='<your-ip-address>'\n    ...\n    - OAUTH_ENABLED=true\n    - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=Keycloak\n    - OAUTH_ALLOW_SSO=Keycloak\n    - OAUTH_BLOCK_AUTO_CREATED_USERS=false\n    - OAUTH_AUTO_LINK_LDAP_USER=false\n    - OAUTH_AUTO_LINK_SAML_USER=false\n```\n\n`<your-ip-address>` is the IP address of your GitLab. For this example this would be your IP address, but if your GitLab were proxied or deployed elsewhere, `<your-ip-address>` would be another value appropriate for your deployment.\n\nGitLab does not allow login from users in Keycloak with an empty email or name. 
To prevent this, you can create a new user in Keycloak or you can add email and name for the admin account.\n\nVisit the `Users` tab and click on `View all users` to modify the Admin user.\n\n![keycloak-users](images/keycloak-users.png)\n\nModify the `Email`, `First name` and `Last Name` fields.\n![admin-account](images/keycloak-admin-acc.png)\n\nDeploy GitLab, Redis and PostgreSQL by running the following command: `docker-compose up -d gitlab redis postgresql`.\n\nYou can now log in to the local GitLab instance with Keycloak on your [local IP](http://localhost:10080).\n\n![gitlab-login](images/keycloak-gitlab-login.png)\n"
  },
  {
    "path": "docs/s3_compatible_storage.md",
    "content": "# GitLab Backup to s3 compatible storage\n\nEnables automatic backups to self-hosted s3 compatible storage like minio (<https://minio.io/>) and others.\nThis is an extend of AWS Remote Backups.\n\nAs explained in [doc.gitlab.com](https://docs.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage), it uses [Fog library](http://fog.io) and the module fog-aws. More details on [s3 supported parameters](https://github.com/fog/fog-aws/blob/master/lib/fog/aws/storage.rb)\n\n- [GitLab Backup to s3 compatible storage](#gitlab-backup-to-s3-compatible-storage)\n  - [Available Parameters](#available-parameters)\n  - [Installation](#installation)\n    - [Docker Compose](#docker-compose)\n    - [Creating Backups](#creating-backups)\n    - [Restoring Backups](#restoring-backups)\n\n## Available Parameters\n\nHere is an example of all configuration parameters that can be used in the GitLab container.\n\n```yaml\n...\ngitlab:\n    ...\n    environment:\n    - AWS_BACKUPS=true\n    - AWS_BACKUP_ENDPOINT='http://minio:9000'\n    - AWS_BACKUP_ACCESS_KEY_ID=minio\n    - AWS_BACKUP_SECRET_ACCESS_KEY=minio123\n    - AWS_BACKUP_BUCKET=docker\n    - AWS_BACKUP_MULTIPART_CHUNK_SIZE=104857600\n```\n\nwhere:\n\n| Parameter | Description |\n| --------- | ----------- |\n| `AWS_BACKUPS` | Enables automatic uploads to an Amazon S3 instance. Defaults to `false`. |\n| `AWS_BACKUP_ENDPOINT` | AWS endpoint. No defaults. |\n| `AWS_BACKUP_ACCESS_KEY_ID` | AWS access key id. No defaults. |\n| `AWS_BACKUP_SECRET_ACCESS_KEY` | AWS secret access key. No defaults. |\n| `AWS_BACKUP_BUCKET` | AWS bucket for backup uploads. No defaults. |\n| `AWS_BACKUP_MULTIPART_CHUNK_SIZE` | Enables multipart uploads when file size reaches a defined size. 
See the [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) |\n\nFor more info look at [Available Configuration Parameters](https://github.com/sameersbn/docker-gitlab#available-configuration-parameters).\n\nA minimum set of these parameters is required to use the s3 compatible storage:\n\n```yaml\n...\ngitlab:\n    environment:\n    - AWS_BACKUPS=true\n    - AWS_BACKUP_ENDPOINT='http://minio:9000'\n    - AWS_BACKUP_ACCESS_KEY_ID=minio\n    - AWS_BACKUP_SECRET_ACCESS_KEY=minio123\n    - AWS_BACKUP_BUCKET=docker\n...\n```\n\nThe `minio` / `minio123` access key and secret are sample values; use credentials of your own, since whoever holds them can read the uploaded backups.\n\n## Installation\n\nA fresh installation of GitLab would use a `docker-compose` file like the one below.\n\n### Docker Compose\n\nThis is an example with minio.\n\n```yml\nservices:\n  redis:\n    restart: always\n    image: sameersbn/redis:7\n    command:\n    - --loglevel warning\n    volumes:\n    - /tmp/docker/gitlab/redis:/data:Z\n\n  postgresql:\n    restart: always\n    image: sameersbn/postgresql:10-2\n    volumes:\n    - /tmp/docker/gitlab/postgresql:/var/lib/postgresql:Z\n    environment:\n    - DB_USER=gitlab\n    - DB_PASS=password\n    - DB_NAME=gitlabhq_production\n    - DB_EXTENSION=pg_trgm\n\n  gitlab:\n    restart: always\n    #image: sameersbn/gitlab:8.16.4\n    build: .\n    depends_on:\n    - redis\n    - postgresql\n    ports:\n    - \"10080:80\"\n    - \"10022:22\"\n    volumes:\n    - /tmp/docker/gitlab/gitlab:/home/git/data:Z\n    environment:\n    - DEBUG=false\n    - DB_ADAPTER=postgresql\n    - DB_HOST=postgresql\n    - DB_PORT=5432\n    - DB_USER=gitlab\n    - DB_PASS=password\n    - DB_NAME=gitlabhq_production\n    - REDIS_HOST=redis\n    - REDIS_PORT=6379\n    - TZ=Asia/Kolkata\n    - GITLAB_TIMEZONE=Kolkata\n    - GITLAB_HTTPS=false\n    - SSL_SELF_SIGNED=false\n    - GITLAB_HOST=localhost\n    - GITLAB_PORT=10080\n    - GITLAB_SSH_PORT=10022\n    - GITLAB_RELATIVE_URL_ROOT=\n    - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string\n    - 
GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string\n    - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string\n    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string\n    - GITLAB_ROOT_PASSWORD=\n    - GITLAB_ROOT_EMAIL=\n    - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true\n    - GITLAB_NOTIFY_PUSHER=false\n    - GITLAB_EMAIL=notifications@example.com\n    - GITLAB_EMAIL_REPLY_TO=noreply@example.com\n    - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com\n    - GITLAB_BACKUP_SCHEDULE=daily\n    - GITLAB_BACKUP_TIME=01:00\n    - SMTP_ENABLED=false\n    - SMTP_DOMAIN=www.example.com\n    - SMTP_HOST=smtp.gmail.com\n    - SMTP_PORT=587\n    - SMTP_USER=mailer@example.com\n    - SMTP_PASS=password\n    - SMTP_STARTTLS=true\n    - SMTP_AUTHENTICATION=login\n    - IMAP_ENABLED=false\n    - IMAP_HOST=imap.gmail.com\n    - IMAP_PORT=993\n    - IMAP_USER=mailer@example.com\n    - IMAP_PASS=password\n    - IMAP_SSL=true\n    - IMAP_STARTTLS=false\n    - OAUTH_ENABLED=false\n    - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=\n    - OAUTH_ALLOW_SSO=\n    - OAUTH_BLOCK_AUTO_CREATED_USERS=true\n    - OAUTH_AUTO_LINK_LDAP_USER=false\n    - OAUTH_AUTO_LINK_SAML_USER=false\n    - OAUTH_EXTERNAL_PROVIDERS=\n    - OAUTH_CAS3_LABEL=cas3\n    - OAUTH_CAS3_SERVER=\n    - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false\n    - OAUTH_CAS3_LOGIN_URL=/cas/login\n    - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate\n    - OAUTH_CAS3_LOGOUT_URL=/cas/logout\n    - OAUTH_GOOGLE_API_KEY=\n    - OAUTH_GOOGLE_APP_SECRET=\n    - OAUTH_GOOGLE_RESTRICT_DOMAIN=\n    - OAUTH_FACEBOOK_API_KEY=\n    - OAUTH_FACEBOOK_APP_SECRET=\n    - OAUTH_TWITTER_API_KEY=\n    - OAUTH_TWITTER_APP_SECRET=\n    - OAUTH_GITHUB_API_KEY=\n    - OAUTH_GITHUB_APP_SECRET=\n    - OAUTH_GITHUB_URL=\n    - OAUTH_GITHUB_VERIFY_SSL=\n    - OAUTH_GITLAB_API_KEY=\n    - OAUTH_GITLAB_APP_SECRET=\n    - OAUTH_BITBUCKET_API_KEY=\n    - OAUTH_BITBUCKET_APP_SECRET=\n    - OAUTH_BITBUCKET_URL=\n    - 
OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=\n    - OAUTH_SAML_IDP_CERT_FINGERPRINT=\n    - OAUTH_SAML_IDP_SSO_TARGET_URL=\n    - OAUTH_SAML_ISSUER=\n    - OAUTH_SAML_LABEL=\"Our SAML Provider\"\n    - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient\n    - OAUTH_SAML_GROUPS_ATTRIBUTE=\n    - OAUTH_SAML_EXTERNAL_GROUPS=\n    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=\n    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=\n    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=\n    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=\n    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=\n    - OAUTH_CROWD_SERVER_URL=\n    - OAUTH_CROWD_APP_NAME=\n    - OAUTH_CROWD_APP_PASSWORD=\n    - OAUTH_AUTH0_CLIENT_ID=\n    - OAUTH_AUTH0_CLIENT_SECRET=\n    - OAUTH_AUTH0_DOMAIN=\n    - OAUTH_AUTH0_SCOPE=\n    - OAUTH_AZURE_API_KEY=\n    - OAUTH_AZURE_API_SECRET=\n    - OAUTH_AZURE_TENANT_ID=\n    - AWS_BACKUPS=true\n    - AWS_BACKUP_ENDPOINT='http://minio:9000'\n    - AWS_BACKUP_ACCESS_KEY_ID=minio\n    - AWS_BACKUP_SECRET_ACCESS_KEY=minio123\n    - AWS_BACKUP_BUCKET=docker\n\n  minio:\n    image: minio/minio\n    ports:\n      - \"9000:9000\"\n    environment:\n      MINIO_ACCESS_KEY: minio\n      MINIO_SECRET_KEY: minio123\n    command: server /export\n```\n\n### Creating Backups\n\nExecute the rake task with a removeable container.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:8.16.4 app:rake gitlab:backup:create\n```\n\n### Restoring Backups\n\nExecute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:8.16.4 app:rake gitlab:backup:restore\n```\n\nThe list of all available backups will be displayed in reverse chronological order. 
Select the backup you want to restore and continue.\n\nTo avoid user interaction in the restore operation, specify the timestamp of the backup using the `BACKUP` argument to the rake task.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n    sameersbn/gitlab:8.16.4 app:rake gitlab:backup:restore BACKUP=1417624827\n```\n"
  },
  {
    "path": "entrypoint.sh",
    "content": "#!/bin/bash\nset -e\nset -o pipefail\n\n# shellcheck source=assets/runtime/functions\nsource \"${GITLAB_RUNTIME_DIR}/functions\"\n\n[[ $DEBUG == true ]] && set -x\n\ncase ${1} in\n  app:init|app:start|app:sanitize|app:rake)\n\n    initialize_system\n    configure_gitlab\n    configure_gitlab_shell\n    configure_gitlab_pages\n    configure_nginx\n\n    case ${1} in\n      app:start)\n        /usr/bin/supervisord -nc /etc/supervisor/supervisord.conf &\n        SUPERVISOR_PID=$!\n        while ! test -e \"/var/run/supervisor.sock\" 2>/dev/null; do\n          echo \"waiting supervisor to start\"\n          sleep 1\n        done\n        set +e\n        supervisorctl stop sidekiq gitlab:puma\n        set -e\n        migrate_database\n        kill -15 $SUPERVISOR_PID\n        if ps h -p $SUPERVISOR_PID > /dev/null ; then\n        wait $SUPERVISOR_PID || true\n        fi\n        rm -rf /var/run/supervisor.sock\n        configure_gitlab_requires_db\n        exec /usr/bin/supervisord -nc /etc/supervisor/supervisord.conf\n        ;;\n      app:init)\n        migrate_database\n        ;;\n      app:sanitize)\n        sanitize_datadir\n        ;;\n      app:rake)\n        shift 1\n        execute_raketask \"$@\"\n        ;;\n    esac\n    ;;\n  app:help)\n    echo \"Available options:\"\n    echo \" app:start        - Starts the gitlab server (default)\"\n    echo \" app:init         - Initialize the gitlab server (e.g. create databases, compile assets), but don't start it.\"\n    echo \" app:sanitize     - Fix repository/builds directory permissions.\"\n    echo \" app:rake <task>  - Execute a rake task.\"\n    echo \" app:help         - Displays the help\"\n    echo \" [command]        - Execute the specified command, eg. bash.\"\n    ;;\n  *)\n    exec \"$@\"\n    ;;\nesac\n"
  },
  {
    "path": "hooks/build",
    "content": "#!/bin/bash\n\n# Docker Daemon Build Hook\n# $IMAGE_NAME var is injected into the build so the tag is correct.\n\ndocker pull ${DOCKER_REPO}:latest\n\ndocker build \\\n\t\t--cache-from=${DOCKER_REPO}:latest \\\n\t\t--build-arg=BUILD_DATE=\"$(date +\"%Y-%m-%d %H:%M:%S%:z\")\" \\\n\t\t--build-arg=VCS_REF=\"$(git rev-parse --short HEAD)\" \\\n\t\t-t ${IMAGE_NAME} .\n"
  },
  {
    "path": "kubernetes/deploy.sh",
    "content": "#!/bin/bash\nset -e \nset -o pipefail\n\nif ! command -v kubectl > /dev/null; then\n  echo \"kubectl command not installed\"\n  exit 1\nfi\n\n# create the services\nfor svc in *-svc.yml\ndo\n  echo -n \"Creating $svc... \"\n  kubectl -f $svc create\ndone\n\n# create the replication controllers\nfor rc in *-rc.yml\ndo\n  echo -n \"Creating $rc... \"\n  kubectl -f $rc create\ndone\n\n# list pod,rc,svc\necho \"Pod:\"\nkubectl get pod\n\necho \"RC:\"\nkubectl get rc\n\necho \"Service:\"\nkubectl get svc\n"
  },
  {
    "path": "kubernetes/gitlab-rc.yml",
    "content": "apiVersion: v1\nkind: ReplicationController\nmetadata:\n  name: gitlab\nspec:\n  replicas: 1\n  selector:\n    name: gitlab\n  template:\n    metadata:\n      name: gitlab\n      labels:\n        name: gitlab\n    spec:\n      containers:\n      - name: gitlab\n        image: sameersbn/gitlab:18.9.2\n        env:\n        - name: TZ\n          value: Asia/Kolkata\n        - name: GITLAB_TIMEZONE\n          value: Kolkata\n\n        - name: GITLAB_SECRETS_DB_KEY_BASE\n          value: long-and-random-alpha-numeric-string\n        - name: GITLAB_SECRETS_SECRET_KEY_BASE\n          value: long-and-random-alpha-numeric-string\n        - name: GITLAB_SECRETS_OTP_KEY_BASE\n          value: long-and-random-alpha-numeric-string\n        - name: GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE\n          value: long-and-random-alpha-numeric-string\n        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY\n          value: '[long-and-random-alpha-numeric-string]'\n        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY\n          value: '[long-and-random-alpha-numeric-string]'\n        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT\n          value: long-and-random-alpha-numeric-string\n\n        - name: GITLAB_ROOT_PASSWORD\n          value:\n        - name: GITLAB_ROOT_EMAIL\n          value:\n\n        - name: GITLAB_HOST\n          value: git.default.cluster.local\n        - name: GITLAB_PORT\n          value: \"80\"\n        - name: GITLAB_SSH_PORT\n          value: \"22\"\n\n        - name: GITLAB_NOTIFY_ON_BROKEN_BUILDS\n          value: \"true\"\n        - name: GITLAB_NOTIFY_PUSHER\n          value: \"false\"\n\n        - name: GITLAB_BACKUP_SCHEDULE\n          value: daily\n        - name: GITLAB_BACKUP_TIME\n          value: 01:00\n\n        - name: DB_TYPE\n          value: postgres\n        - name: DB_HOST\n          value: postgresql\n        - name: DB_PORT\n          value: \"5432\"\n        - name: 
DB_USER\n          value: gitlab\n        - name: DB_PASS\n          value: passw0rd\n        - name: DB_NAME\n          value: gitlab_production\n\n        - name: REDIS_HOST\n          value: redis\n        - name: REDIS_PORT\n          value: \"6379\"\n\n        - name: SMTP_ENABLED\n          value: \"false\"\n        - name: SMTP_DOMAIN\n          value: www.example.com\n        - name: SMTP_HOST\n          value: smtp.gmail.com\n        - name: SMTP_PORT\n          value: \"587\"\n        - name: SMTP_USER\n          value: mailer@example.com\n        - name: SMTP_PASS\n          value: password\n        - name: SMTP_STARTTLS\n          value: \"true\"\n        - name: SMTP_AUTHENTICATION\n          value: login\n\n        - name: IMAP_ENABLED\n          value: \"false\"\n        - name: IMAP_HOST\n          value: imap.gmail.com\n        - name: IMAP_PORT\n          value: \"993\"\n        - name: IMAP_USER\n          value: mailer@example.com\n        - name: IMAP_PASS\n          value: password\n        - name: IMAP_SSL\n          value: \"true\"\n        - name: IMAP_STARTTLS\n          value: \"false\"\n        ports:\n        - name: http\n          containerPort: 80\n        - name: ssh\n          containerPort: 22\n        volumeMounts:\n        - mountPath: /home/git/data\n          name: data\n        livenessProbe:\n          httpGet:\n            path: /\n            port: 80\n          initialDelaySeconds: 180\n          timeoutSeconds: 5\n        readinessProbe:\n          httpGet:\n            path: /\n            port: 80\n          initialDelaySeconds: 5\n          timeoutSeconds: 1\n      volumes:\n      - name: data\n        emptyDir: {}\n"
  },
  {
    "path": "kubernetes/gitlab-svc.yml",
    "content": "apiVersion: v1\nkind: Service\nmetadata:\n  name: gitlab\n  labels:\n    name: gitlab\nspec:\n  type: LoadBalancer\n  ports:\n    - name: http\n      port: 80\n      targetPort: http\n    - name: ssh\n      port: 22\n      targetPort: ssh\n  selector:\n    name: gitlab\n"
  },
  {
    "path": "kubernetes/postgresql-rc.yml",
    "content": "apiVersion: v1\nkind: ReplicationController\nmetadata:\n  name: postgresql\nspec:\n  replicas: 1\n  selector:\n    name: postgresql\n  template:\n    metadata:\n      name: postgresql\n      labels:\n        name: postgresql\n    spec:\n      containers:\n      - name: postgresql\n        image: kkimurak/sameersbn-postgresql:16\n        env:\n        - name: DB_USER\n          value: gitlab\n        - name: DB_PASS\n          value: passw0rd\n        - name: DB_NAME\n          value: gitlab_production\n        - name: DB_EXTENSION\n          value: pg_trgm\n        ports:\n        - name: postgres\n          containerPort: 5432\n        volumeMounts:\n        - mountPath: /var/lib/postgresql\n          name: data\n        livenessProbe:\n          exec:\n            command:\n            - pg_isready\n            - -h\n            - localhost\n            - -U\n            - postgres\n          initialDelaySeconds: 30\n          timeoutSeconds: 5\n        readinessProbe:\n          exec:\n            command:\n            - pg_isready\n            - -h\n            - localhost\n            - -U\n            - postgres\n          initialDelaySeconds: 5\n          timeoutSeconds: 1\n      volumes:\n      - name: data\n        emptyDir: {}\n"
  },
  {
    "path": "kubernetes/postgresql-svc.yml",
    "content": "apiVersion: v1\nkind: Service\nmetadata:\n  name: postgresql\n  labels:\n    name: postgresql\nspec:\n  ports:\n    - name: postgres\n      port: 5432\n      targetPort: postgres\n  selector:\n    name: postgresql\n"
  },
  {
    "path": "kubernetes/redis-rc.yml",
    "content": "apiVersion: v1\nkind: ReplicationController\nmetadata:\n  name: redis\nspec:\n  replicas: 1\n  selector:\n    name: redis\n  template:\n    metadata:\n      name: redis\n      labels:\n        name: redis\n    spec:\n      containers:\n      - name: redis\n        image: redis:7\n        ports:\n        - name: redis\n          containerPort: 6379\n        volumeMounts:\n        - mountPath: /var/lib/redis\n          name: data\n        livenessProbe:\n          exec:\n            command:\n            - redis-cli\n            - ping\n          initialDelaySeconds: 30\n          timeoutSeconds: 5\n        readinessProbe:\n          exec:\n            command:\n            - redis-cli\n            - ping\n          initialDelaySeconds: 5\n          timeoutSeconds: 1\n      volumes:\n      - name: data\n        emptyDir: {}\n"
  },
  {
    "path": "kubernetes/redis-svc.yml",
    "content": "apiVersion: v1\nkind: Service\nmetadata:\n  name: redis\n  labels:\n    name: redis\nspec:\n  ports:\n    - name: redis\n      port: 6379\n      targetPort: redis\n  selector:\n    name: redis\n"
  },
  {
    "path": "kubernetes/teardown.sh",
    "content": "#!/bin/bash\nset -e \nset -o pipefail\n\nif ! command -v kubectl > /dev/null; then\n  echo \"kubectl command not installed\"\n  exit 1\nfi\n\n# delete the services\nfor svc in *-svc.yml\ndo\n  echo -n \"Deleting $svc... \"\n  kubectl -f $svc delete\ndone\n\n# delete the replication controllers\nfor rc in *-rc.yml\ndo\n  echo -n \"Deleting $rc... \"\n  kubectl -f $rc delete\ndone\n"
  },
  {
    "path": "scripts/release-notes.sh",
    "content": "#!/usr/bin/env sh\n\nRELEASE=${GIT_TAG:-$1}\n\nif [ -z \"${RELEASE}\" ]; then\n  echo \"Usage:\"\n  echo \"./scripts/release-notes.sh v0.1.0\"\n  exit 1\nfi\n\nif ! git rev-list ${RELEASE} >/dev/null 2>&1; then\n  echo \"${RELEASE} does not exist\"\n  exit\nfi\n\nPREV_RELEASE=${PREV_RELEASE:-$(git describe --tags --abbrev=0 ${RELEASE}^)}\nPREV_RELEASE=${PREV_RELEASE:-$(git rev-list --max-parents=0 ${RELEASE}^)}\nNOTABLE_CHANGES=$(git cat-file -p ${RELEASE} | sed '/-----BEGIN PGP SIGNATURE-----/,//d' | tail -n +6)\nCHANGELOG=$(git log --no-merges --pretty=format:'- [%h] %s (%aN)' ${PREV_RELEASE}..${RELEASE})\nif [ $? -ne 0 ]; then\n  echo \"Error creating changelog\"\n  exit 1\nfi\n\ncat <<EOF\n${NOTABLE_CHANGES}\n\n## Docker Images for sameersbn/gitlab:${RELEASE}\n\n- [docker.io](https://hub.docker.com/r/sameersbn/gitlab/tags)\n- [quay.io](https://quay.io/repository/sameersbn/gitlab?tag=${RELEASE}&tab=tags)\n\n## Installation\n\nFor installation and usage instructions please refer to the [README](https://github.com/sameersbn/docker-gitlab/blob/${RELEASE}/README.md)\n\n## Important notes\n\nPlease note that this version does not yet include any rework as a consequence of the major release and possibly some functions in our implementation might not be usable yet or only to a limited extent.\n\nDon't forget to consider the version specific upgrading instructions for [GitLab CE](https://docs.gitlab.com/ee/update/) **before** upgrading your GitLab CE instance!\n\nPlease note:\n\n- Before upgrading to GitLab 18 make sure to read and understand the [notes about breaking changes](https://about.gitlab.com/blog/2025/04/18/a-guide-to-the-breaking-changes-in-gitlab-18-0/).\n- In GitLab 18.0 and later, [PostgreSQL 16 or later is required](https://docs.gitlab.com/install/installation/#software-requirements).\n- See issues to be aware of when upgrading: <https://docs.gitlab.com/update/>.\n\n## Contributing\n\nYou are kindly invited to provide contributions. 
If you find this image useful here's how you can help:\n\n- Send a Pull Request with your awesome new features and bug fixes\n- Be a part of the community and help resolve [issues](https://github.com/sameersbn/docker-gitlab/issues)\n- Support the development of this image with a [donation](http://www.damagehead.com/donate/)\n\n## Changelog\n\n${CHANGELOG}\nEOF\n"
  }
]