Repository: sameersbn/docker-gitlab Branch: master Commit: fe0116d1bb16 Files: 65 Total size: 544.6 KB Directory structure: gitextract_0o0z_sra/ ├── .circleci/ │ └── config.yml ├── .dockerignore ├── .github/ │ └── stale.yml ├── .gitignore ├── .gitlab-ci.yml ├── CI_MIGRATION.md ├── CONTRIBUTING.md ├── Changelog.md ├── Dockerfile ├── LICENSE ├── Makefile ├── README.md ├── VERSION ├── assets/ │ ├── build/ │ │ ├── config/ │ │ │ └── database.yml.postgresql │ │ ├── install.sh │ │ └── patches/ │ │ ├── gitlabhq/ │ │ │ ├── 0001-fix-feature-checking-for-gitaly-on-a-fresh-install.patch.bak │ │ │ ├── 0002-fix-condition-for-csr-policy-allow-lfs_v16.3.0.patch.bak │ │ │ ├── 0003-fix_preinstall.mjs-to-avoid-removing-node_modules_dir.patch.bak │ │ │ ├── 0004-fix-raketask-gitlab-assets-compile.patch.bak │ │ │ └── 0005_fix-gitlab-setup-mr225503.patch │ │ └── ruby/ │ │ └── 0001-avoid-seeding_until-ruby3.3.0.bak │ └── runtime/ │ ├── config/ │ │ ├── gitaly/ │ │ │ └── config.toml │ │ ├── gitlab-pages/ │ │ │ └── config │ │ ├── gitlab-shell/ │ │ │ └── config.yml │ │ ├── gitlabhq/ │ │ │ ├── cable.yml │ │ │ ├── database.yml │ │ │ ├── gitlab.yml │ │ │ ├── puma.rb │ │ │ ├── relative_url.rb │ │ │ ├── resque.yml │ │ │ ├── secrets.yml │ │ │ └── smtp_settings.rb │ │ └── nginx/ │ │ ├── gitlab │ │ ├── gitlab-pages │ │ ├── gitlab-pages-ssl │ │ ├── gitlab-registry │ │ ├── gitlab-ssl │ │ └── gitlab_ci │ ├── env-defaults │ ├── functions │ └── scripts/ │ └── configure_feature_flags.rb ├── contrib/ │ ├── docker-swarm/ │ │ ├── docker-compose.yml │ │ ├── gitlab.configs │ │ └── gitlab.secrets │ └── expose-gitlab-ssh-port.sh ├── docker-compose.swarm.yml ├── docker-compose.yml ├── docs/ │ ├── container_registry.md │ ├── docker-compose-keycloak.yml │ ├── docker-compose-registry.yml │ ├── docker-swarm-traefik-registry.md │ ├── exposing-ssh-port.md │ ├── keycloak-idp.md │ └── s3_compatible_storage.md ├── entrypoint.sh ├── hooks/ │ └── build ├── kubernetes/ │ ├── deploy.sh │ ├── gitlab-rc.yml │ ├── gitlab-svc.yml 
│ ├── postgresql-rc.yml │ ├── postgresql-svc.yml │ ├── redis-rc.yml │ ├── redis-svc.yml │ └── teardown.sh └── scripts/ └── release-notes.sh ================================================ FILE CONTENTS ================================================ ================================================ FILE: .circleci/config.yml ================================================ version: 2.1 orbs: shellcheck: circleci/shellcheck@3.4.0 docker: circleci/docker@2.8.2 go: circleci/go@1.11.0 commands: docker-build: description: | Build and optionally deploy a Docker images parameters: dockerfile: default: Dockerfile description: 'Name of dockerfile to use, defaults to Dockerfile' type: string extra_build_args: default: '' description: > Extra flags to pass to docker build. For examples, see https://docs.docker.com/engine/reference/commandline/build type: string registry: default: docker.io description: | Comma separated list of registry to use, defaults to docker.io type: string image: description: Name of image to build type: string tag: default: $CIRCLE_SHA1 description: 'Image tag, defaults to the value of $CIRCLE_SHA1' type: string path: default: . description: > Path to the directory containing your Dockerfile and build context, defaults to . (working directory) type: string cache_from: default: '' description: > Comma-separated list of images, images will first be pulled, then passed as the --cache-from build argument https://docs.docker.com/engine/reference/commandline/build/ type: string no_output_timeout: default: 10m description: | No output timeout for build step type: string use-buildkit: default: false description: | Use buildkit to build the image. 
Available on Docker >= 18.09.0 https://docs.docker.com/develop/develop-images/build_enhancements/ type: boolean steps: - when: condition: <> steps: - run: name: Build image for <> no_output_timeout: <> command: > echo "<>" | sed -n 1'p' | tr ',' '\n' | while read image; do echo "Pulling ${image}"; docker pull ${image} || true done docker_tag_args="" IFS="," read -ra DOCKER_REGISTRIES \<<< "<< parameters.registry >>" for registry in "${DOCKER_REGISTRIES[@]}"; do IFS="," read -ra DOCKER_TAGS \<<< "<< parameters.tag >>" for tag in "${DOCKER_TAGS[@]}"; do docker_tag_args="$docker_tag_args -t $registry/<>:${tag}" done done docker buildx build <<#parameters.extra_build_args>><><> \ --cache-from <> \ -f <>/<> \ $docker_tag_args \ <> - unless: condition: <> steps: - run: name: Building image for <> no_output_timeout: <> command: > docker_tag_args="" IFS="," read -ra DOCKER_REGISTRIES \<<< "<< parameters.registry >>" for registry in "${DOCKER_REGISTRIES[@]}"; do IFS="," read -ra DOCKER_TAGS \<<< "<< parameters.tag >>" for tag in "${DOCKER_TAGS[@]}"; do docker_tag_args="$docker_tag_args -t $registry/<>:${tag}" done done docker buildx build <<#parameters.extra_build_args>><><> \ -f <>/<> \ $docker_tag_args \ <> docker-save: description: | Save one or more images to a tar archive parameters: registry: default: docker.io description: | Comma separated list of registry to use, defaults to docker.io type: string image: description: Name of image to build type: string tag: default: $CIRCLE_SHA1 description: 'Image tag, defaults to the value of $CIRCLE_SHA1' type: string steps: - run: name: Save image to tar archive command: > docker_images="" IFS="," read -ra DOCKER_REGISTRIES \<<< "<< parameters.registry >>" for registry in "${DOCKER_REGISTRIES[@]}"; do IFS="," read -ra DOCKER_TAGS \<<< "<< parameters.tag >>" for tag in "${DOCKER_TAGS[@]}"; do docker_images="$docker_images $registry/<>:${tag}" done done mkdir -p ~/docker/ docker save -o ~/docker/docker-images.tar $docker_images - 
persist_to_workspace: root: ~/ paths: - docker docker-load: description: | Load tar archive steps: - attach_workspace: at: ~/ - run: name: Load images from tar archive command: > docker load -i ~/docker/docker-images.tar docker-publish: description: | Build and optionally deploy a Docker images parameters: pr: default: '' type: string registry: default: docker.io description: | Comma separated list of registry to use, defaults to docker.io type: string image: description: Name of image to build type: string tag: default: $CIRCLE_SHA1 description: 'Image tag, defaults to the value of $CIRCLE_SHA1' type: string steps: - unless: condition: <> steps: - run: name: Publish image for <> command: > IFS="," read -ra DOCKER_REGISTRIES \<<< "<< parameters.registry >>" for registry in "${DOCKER_REGISTRIES[@]}"; do IFS="," read -ra DOCKER_TAGS \<<< "<< parameters.tag >>" for tag in "${DOCKER_TAGS[@]}"; do docker push $registry/<< parameters.image>>:${tag} done done jobs: build: machine: image: ubuntu-2404:edge resource_class: large steps: - checkout - docker-build: registry: docker.io,quay.io image: sameersbn/gitlab tag: ${CIRCLE_TAG:-latest} cache_from: docker.io/sameersbn/gitlab:latest extra_build_args: '--build-arg VCS_REF=${CIRCLE_TAG:-${CIRCLE_SHA1}} --build-arg BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")"' no_output_timeout: 45m use-buildkit: true - docker-save: registry: docker.io,quay.io image: sameersbn/gitlab tag: ${CIRCLE_TAG:-latest} test: executor: docker/machine steps: - checkout - docker-load - run: name: Update tag in docker-compose.yml command: | sed -i "s|image: sameersbn/gitlab:.*|image: sameersbn/gitlab:${CIRCLE_TAG:-latest}|" docker-compose.yml - run: name: Launch gitlab stack command: docker-compose up -d --quiet-pull - run: name: Container info command: docker ps - run: name: Wait for stack bootup command: sleep 90 - run: name: Show logs command: docker-compose logs - run: name: Test image bootup command: | docker run --network container:$(docker-compose 
ps -q gitlab) \ curlimages/curl --ipv4 --retry 60 --retry-delay 5 --retry-connrefused -svf http://localhost/explore -o /dev/null publish-dockerhub: executor: docker/machine steps: - docker-load - docker/check: registry: docker.io docker-username: DOCKER_LOGIN docker-password: DOCKER_PASSWORD - docker-publish: registry: docker.io image: sameersbn/gitlab tag: ${CIRCLE_TAG:-latest} publish-quay: executor: docker/machine steps: - docker-load - docker/check: registry: quay.io docker-username: DOCKER_LOGIN docker-password: DOCKER_PASSWORD - docker-publish: registry: quay.io image: sameersbn/gitlab tag: ${CIRCLE_TAG:-latest} release: executor: name: go/default tag: '1.24' steps: - checkout - run: name: Installing github-release tool command: go install github.com/meterup/github-release@latest - run: name: Creating github release command: | PRE_RELEASE=${CIRCLE_TAG/${CIRCLE_TAG%-rc[0-9]*}/} github-release delete -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -t ${CIRCLE_TAG} 2>/dev/null ||: ./scripts/release-notes.sh ${CIRCLE_TAG} | github-release release ${PRE_RELEASE:+-p} -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -t ${CIRCLE_TAG} -d - for f in $(find /tmp/dist -type f); do github-release upload -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -t ${CIRCLE_TAG} -n $(basename ${f}) -f ${f} ; done workflows: build-test-and-release: jobs: - shellcheck/check: name: shellcheck exclude: SC2086,SC2181 external_sources: true filters: tags: only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/ - build: requires: - shellcheck filters: tags: only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/ - test: requires: - build filters: tags: only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/ - publish-dockerhub: context: dockerhub requires: - test filters: branches: only: master tags: only: 
/^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/ - publish-quay: context: quay requires: - test filters: tags: only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/ branches: only: master - release: context: github requires: - publish-dockerhub - publish-quay filters: tags: only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/ branches: ignore: /.*/ ================================================ FILE: .dockerignore ================================================ .git .gitignore LICENSE VERSION README.md Changelog.md Makefile docker-compose.yml docs ================================================ FILE: .github/stale.yml ================================================ # Number of days of inactivity before an issue becomes stale daysUntilStale: 60 # Number of days of inactivity before a stale issue is closed daysUntilClose: 7 # Issues with these labels will never be considered stale exemptLabels: - pinned - security - keep-alive # Label to use when marking an issue as stale staleLabel: wontfix # Comment to post when marking an issue as stale. Set to `false` to disable markComment: > This issue has been automatically marked as stale because it has not had any activity for the last 60 days. It will be closed if no further activity occurs during the next 7 days. Thank you for your contributions. # Comment to post when closing a stale issue. 
Set to `false` to disable closeComment: false ================================================ FILE: .gitignore ================================================ *.gem *.tar.gz *.tar.bz2 ================================================ FILE: .gitlab-ci.yml ================================================ image: docker:18-git stages: - build before_script: - export VERSION=$(cat VERSION) - export CI_REGISTRY=${CI_REGISTRY:-hub.docker.com} - export CI_REGISTRY_USER=${CI_REGISTRY_USER:-gitlab-ci-token} - export CI_REGISTRY_PASSWORD=${CI_REGISTRY_PASSWORD:-${CI_JOB_TOKEN}} - export DOCKER_IMAGE=${DOCKER_IMAGE:-${CI_REGISTRY}/${CI_PROJECT_PATH}} - | if [ "${DOCKER_IMAGE}" = "/" ]; then export DOCKER_IMAGE=sameersbn/gitlab fi docker:build: stage: build only: - master script: - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} - docker build --pull --cache-from=${DOCKER_IMAGE} --build-arg=VCS_REF=$(git rev-parse --short HEAD) --build-arg=BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")" --tag ${DOCKER_IMAGE} . - docker push ${DOCKER_IMAGE} docker:build:branches: stage: build only: - branches except: - master script: - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} - docker build --pull --cache-from=${DOCKER_IMAGE}:${CI_COMMIT_REF_SLUG} --build-arg=VCS_REF=$(git rev-parse --short HEAD) --build-arg=BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")" --tag ${DOCKER_IMAGE}:${CI_COMMIT_REF_SLUG} . - docker push ${DOCKER_IMAGE}:${CI_COMMIT_REF_SLUG} docker:build:release: stage: build only: - tags script: - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} - docker build --pull --cache-from=${DOCKER_IMAGE}:${VERSION} --build-arg=VCS_REF=$(git rev-parse --short HEAD) --build-arg=BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")" --tag ${DOCKER_IMAGE}:${VERSION} . 
- docker push ${DOCKER_IMAGE}:${VERSION} ================================================ FILE: CI_MIGRATION.md ================================================ # CI Migration Guide Since version `8.0.0`, CI is now a part of GitLab. You no longer need to run a separate instance of the CI server. This guide walks you through the procedure of migrating your existing CI data into GitLab. This guide assumes that you are currently using `sameersbn/gitlab` and `sameersbn/gitlab-ci` for setting up your GitLab and CI requirements. > **Note:** > > If your CI server and your GitLab server use the same database adapter no special care is needed. If your CI server uses MySQL and your GitLab server uses PostgreSQL you need to pass a special option in **Step 4 - Upgrade CI > Create CI backup**. If your CI server uses PostgreSQL and your GitLab server uses MySQL you cannot migrate your CI data to GitLab `8.0`, Please refer to https://github.com/sameersbn/docker-gitlab/issues/429#issuecomment-152799995 for instructions to migrate from MySQL to PostgreSQL first. ## Step 1 - Get Ready Stop your GitLab and CI servers ```bash docker stop gitlab-ci gitlab docker rm gitlab-ci gitlab ``` ## Step 2 - Upgrade to the `7.14.3` releases Migration to GitLab `8.0` can only be done from version `7.14.3`. As a result we need to first migrate to the most recent versions of these images. ### Upgrade to `sameersbn/gitlab:7.14.3` ```bash docker run -it --rm [OPTIONS] \ sameersbn/gitlab:7.14.3 app:init ``` ### Upgrade to `sameersbn/gitlab-ci:7.14.3-1` ```bash docker run -it --rm [OPTIONS] \ sameersbn/gitlab-ci:7.14.3-1 app:init ``` ## Step 3 - Generate Backups Create backups to ensure that we can rollback in case you face issues during the migration ### Create GitLab backup ```bash docker run -it --rm [OPTIONS] \ sameersbn/gitlab:7.14.3 app:rake gitlab:backup:create ``` Make a note of the backup archive `xxxxxxxxxx_gitlab_backup.tar` as it is the backup you will have to rollback to in case of errors. 
### Create GitLab CI backup

```bash
docker run -it --rm [OPTIONS] \
  sameersbn/gitlab-ci:7.14.3-1 app:rake backup:create
```

Make a note of the backup archive `xxxxxxxxxx_gitlab_ci_backup.tar.gz` as it is the backup you will have to roll back to in case of errors.

> **Note**: From this point only `8.0.x` version images are used.

## Step 4 - Upgrade CI

CI `8.x.x` is only meant for the purpose of migrating to GitLab `8.0`. Here we need to upgrade to version `8.x.x` and generate a backup that will be imported into GitLab.

### Upgrade to `sameersbn/gitlab-ci:8.0.5`

```bash
docker run -it --rm [OPTIONS] \
  sameersbn/gitlab-ci:8.0.5 app:init
```

### Create CI backup

*If you are converting from MySQL to PostgreSQL, add `MYSQL_TO_POSTGRESQL=1` to the end of the command below.*

```bash
docker run -it --rm [OPTIONS] \
  sameersbn/gitlab-ci:8.0.5 app:rake backup:create
```

Copy the generated backup archive `xxxxxxxxxx_gitlab_ci_backup.tar` from the CI server's backups directory into the `backups/` directory of the GitLab server. The example below assumes both directories are mounted under `/backups` on the same host; adjust the source and destination paths to your actual volume layout.

```bash
cp /backups/xxxxxxxxxx_gitlab_ci_backup.tar /backups/
```

We are done with CI. If the rest of the migration goes as planned you will not need to start `sameersbn/gitlab-ci` ever again.

## Step 5 - Upgrade GitLab

Before we can upgrade to `sameersbn/gitlab:8.0.5-1`, we need to assign the value of `GITLAB_CI_SECRETS_DB_KEY_BASE` (from CI) to `GITLAB_SECRETS_DB_KEY_BASE` in GitLab's environment. This is the key GitLab uses to encrypt secrets stored in the database (which is why the CI value must be carried over), so treat it as a credential.

Next you also need to set the environment variable `GITLAB_CI_HOST` to the address of your CI server, e.g. `ci.example.com`. This will make sure that your existing runners will be able to communicate with GitLab using the old URL.
### Upgrade to `sameersbn/gitlab:8.0.5-1`

```bash
docker run -it --rm [OPTIONS] \
  --env GITLAB_CI_HOST=ci.example.com --env GITLAB_SECRETS_DB_KEY_BASE=xxxxxx \
  sameersbn/gitlab:8.0.5-1 app:init
```

### Migrate CI data

```bash
docker run -it --rm [OPTIONS] \
  --env GITLAB_CI_HOST=ci.example.com --env GITLAB_SECRETS_DB_KEY_BASE=xxxxxx \
  sameersbn/gitlab:8.0.5-1 app:rake ci:migrate
```

> **Note**: `GITLAB_SECRETS_DB_KEY_BASE` is a secret. Passing it with `--env KEY=value` as shown leaves it in your shell history and in the process list while the command runs; on a shared host prefer `--env-file` pointing at a file that only you can read.

## Step 6 - Fix DNS and reverse proxy configurations

Since GitLab and CI are now one, update your DNS configuration to make sure `ci.example.com` points to your GitLab instance. If you are using a reverse proxy, update the configuration such that `ci.example.com` interfaces with the GitLab server.

> **Note**: The above changes result in connections from your runners being redirected multiple times before ending up at the right location. If you want to avoid this redirection you can update the URL in your runners' configuration file to point to `http://git.example.com/ci` when using plain HTTP, or `https://git.example.com/ci` if you are using SSL.
>
> If you change the URL on the runners you can also do away with the `ci.example.com` domain name altogether.

## Step 7 - Done!

You can now start the GitLab server normally. Make sure that `GITLAB_CI_HOST` and `GITLAB_SECRETS_DB_KEY_BASE` are defined in your container's environment.

================================================
FILE: CONTRIBUTING.md
================================================

# GitLab-CI Configuration

When using your own GitLab instance, the provided `.gitlab-ci.yml` will automatically use the settings provided by the GitLab instance. If needed, several options can be overridden. Overrides for these values can be set within the project, under `Settings` -> `CI/CD` -> `Variables`. Add credentials such as `CI_REGISTRY_PASSWORD` as masked variables (and as protected variables where only protected branches need them) so they are not printed in job logs.
| Variable               | Default Value      | Description |
| ---------------------- | ------------------ | ----------- |
| `CI_REGISTRY`          | `hub.docker.com`   | If available this will be automatically overridden by the registry address configured within the GitLab instance. Note that `hub.docker.com` is the Docker Hub web site rather than a registry endpoint (image references use `docker.io`), so set this explicitly when pushing to Docker Hub from a runner that does not provide `CI_REGISTRY`. |
| `CI_REGISTRY_USER`     | `gitlab-ci-token`  | Username for the registry |
| `CI_REGISTRY_PASSWORD` | `${CI_JOB_TOKEN}`  | Password for the registry. Store it as a masked variable; `.gitlab-ci.yml` hands it to `docker login -p`, which Docker itself warns is insecure because the value is visible on the command line — `--password-stdin` avoids that exposure. |
| `DOCKER_IMAGE`         | `sameersbn/gitlab` | Docker image name, will automatically be overridden by the running GitLab instance with the `${CI_PROJECT_PATH}` variable. This will cause the image to be uploaded to the local registry of the project within GitLab. In practice the `sameersbn/gitlab` fallback in `.gitlab-ci.yml` is only used when the computed `${CI_REGISTRY}/${CI_PROJECT_PATH}` is exactly `/`, which the `hub.docker.com` default for `CI_REGISTRY` prevents; set `DOCKER_IMAGE` explicitly if you want that name. |

================================================
FILE: Changelog.md
================================================

# Changelog

This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list of changes in GitLab.
## 18.9.2 - gitlab: upgrade CE to v18.9.2 - gitaly: upgrade to v18.9.2 - gitlab-pages: upgrade to v18.9.2 - golang: upgrade to v1.25.8 - rubygems: upgrade to v4.0.8 ## 18.9.1 - gitlab: upgrade CE to v18.9.1 - gitaly: upgrade to v18.9.1 - gitlab-pages: upgrade to v18.9.1 ## 18.9.0 - gitlab: upgrade CE to v18.9.0 - gitaly: upgrade to v18.9.0 - gitlab-pages: upgrade to v18.9.0 - gitlab-shell: upgrade to v14.45.6 - ruby: upgrade to v3.3.10 - ubuntu: upgrade to noble-20260210.1 ## 18.8.4 - gitlab: upgrade CE to v18.8.4 - gitaly: upgrade to v18.8.4 - gitlab-pages: upgrade to v18.8.4 - golang: upgrade to v1.25.7 - rubygems: upgrade to v4.0.6 ## 18.8.3 - gitlab: upgrade CE to v18.8.3 - gitaly: upgrade to v18.8.3 - gitlab-pages: upgrade to v18.8.3 ## 18.8.2 - gitlab: upgrade CE to v18.8.2 - gitaly: upgrade to v18.8.2 - gitlab-pages: upgrade to v18.8.2 ## 18.8.1 - gitlab: upgrade CE to v18.8.1 - gitaly: upgrade to v18.8.1 - gitlab-pages: upgrade to v18.8.1 ## 18.8.0 - gitlab: upgrade CE to v18.8.0 - gitaly: upgrade to v18.8.0 - gitlab-pages: upgrade to v18.8.0 - golang: upgrade to v1.24.12 - ruby: upgrade to v3.2.10 - ubuntu: upgrade to noble-20260113 ## 18.7.1 - gitlab: upgrade CE to v18.7.1 - gitaly: upgrade to v18.7.1 - gitlab-pages: upgrade to v18.7.1 ## 18.7.0 - gitlab: upgrade CE to v18.7.0 - gitaly: upgrade to v18.7.0 - gitlab-pages: upgrade to v18.7.0 - gitlab-shell: upgrade to v14.45.5 ## 18.6.2 - gitlab: upgrade CE to v18.6.2 - gitaly: upgrade to v18.6.2 - gitlab-pages: upgrade to v18.6.2 - golang: upgrade to v1.24.11 ## 18.6.1 - gitlab: upgrade CE to v18.6.1 - gitaly: upgrade to v18.6.1 - gitlab-pages: upgrade to v18.6.1 ## 18.6.0 - gitlab: upgrade CE to v18.6.0 - gitaly: upgrade to v18.6.0 - gitlab-pages: upgrade to v18.6.0 - ubuntu: upgrade to noble-20251013 ## 18.5.2 - gitlab: upgrade CE to v18.5.2 - gitaly: upgrade to v18.5.2 - gitlab-pages: upgrade to v18.5.2 - golang: upgrade to v1.24.10 ## 18.5.1 - gitlab: upgrade CE to v18.5.1 - gitaly: upgrade to v18.5.1 
- gitlab-pages: upgrade to v18.5.1 ## 18.5.0 - gitlab: upgrade CE to v18.5.0 - gitaly: upgrade to v18.5.0 - gitlab-pages: upgrade to v18.5.0 - gitlab-shell: upgrade to v14.45.3 - golang: upgrade to v1.24.9 - ubuntu: upgrade to noble-20251001 ## 18.4.2 - gitlab: upgrade CE to v18.4.2 - gitaly: upgrade to v18.4.2 - gitlab-pages: upgrade to v18.4.2 - golang: upgrade to v1.24.8 - ubuntu: upgrade to noble-20250925 ## 18.4.1 - gitlab: upgrade CE to v18.4.1 - gitaly: upgrade to v18.4.1 - gitlab-pages: upgrade to v18.4.1 - ubuntu: upgrade to noble-20250910 ## 18.4.0 - gitlab: upgrade CE to v18.4.0 - gitaly: upgrade to v18.4.0 - gitlab-pages: upgrade to v18.4.0 - ubuntu: upgrade to noble-20250910 ## 18.3.2 - gitlab: upgrade CE to v18.3.2 - gitaly: upgrade to v18.3.2 - gitlab-pages: upgrade to v18.3.2 - gitlab-shell: upgrade to v14.45.2 - golang: upgrade to v1.24.7 - rubygems: upgrade to v3.7.2 - ubuntu: upgrade to noble-20250805 ## 18.3.1 - gitlab: upgrade CE to v18.3.1 - gitaly: upgrade to v18.3.1 - gitlab-pages: upgrade to v18.3.1 ## 18.3.0 - gitlab: upgrade CE to v18.3.0 - gitaly: upgrade to v18.3.0 - gitlab-pages: upgrade to v18.3.0 ## 18.2.4 - gitlab: upgrade CE to v18.2.4 - gitaly: upgrade to v18.2.4 - gitlab-pages: upgrade to v18.2.4 - gitlab-shell: upgrade to v14.44.0 ## 18.2.2 - gitlab: upgrade CE to v18.2.2 - gitaly: upgrade to v18.2.2 - gitlab-pages: upgrade to v18.2.2 - golang: upgrade to v1.24.6 - ubuntu: upgrade to noble-20250716 ## 18.2.1 - gitlab: upgrade CE to v18.2.1 - gitaly: upgrade to v18.2.1 - gitlab-pages: upgrade to v18.2.1 - ruby: upgrade to v3.2.9 - rubygems: upgrade to v3.7.1 ## 18.2.0 - gitlab: upgrade CE to v18.2.0 - gitaly: upgrade to v18.2.0 - gitlab-pages: upgrade to v18.2.0 - gitlab-shell: upgrade to v14.43.0 - rubygems: upgrade to v3.7.0 - ubuntu: upgrade to noble-20250714 ## 18.1.2 - gitlab: upgrade CE to v18.1.2 - gitaly: upgrade to v18.1.2 - gitlab-pages: upgrade to v18.1.2 - golang: upgrade to v1.24.5 - ubuntu: upgrade to noble-20250619 
## 18.1.1 - gitlab: upgrade CE to v18.1.1 - gitaly: upgrade to v18.1.1 - gitlab-pages: upgrade to v18.1.1 ## 18.1.0 - gitlab: upgrade CE to v18.1.0 - gitaly: upgrade to v18.1.0 - gitlab-pages: upgrade to v18.1.0 ## 18.0.2 - gitlab: upgrade CE to v18.0.2 - gitaly: upgrade to v18.0.2 - gitlab-pages: upgrade to v18.0.2 - golang: upgrade to v1.24.4 - ubuntu: upgrade to noble-20250529 ## 18.0.1 - gitlab: upgrade CE to v18.0.1 - gitaly: upgrade to v18.0.1 - gitlab-pages: upgrade to v18.0.1 - gitlab-shell: upgrade to v14.42.0 ## 18.0.0 - gitlab: upgrade CE to v18.0.0 - gitaly: upgrade to v18.0.0 - gitlab-pages: upgrade to v18.0.0 - redis: upgrade to v7 - rubygems: upgrade to v3.6.9 - ubuntu: upgrade to noble-20250415.1 ## 17.11.2 - gitlab: upgrade CE to v17.11.2 - gitaly: upgrade to v17.11.2 - gitlab-pages: upgrade to v17.11.2 - golang: upgrade to v1.24.3 - ubuntu: upgrade to jammy-20250415.1 ## 17.11.1 - gitlab: upgrade CE to v17.11.1 - gitaly: upgrade to v17.11.1 - gitlab-pages: upgrade to v17.11.1 - rubygems: upgrade to v3.6.8 ## 17.11.0 - gitlab: upgrade CE to v17.11.0 - gitaly: upgrade to v17.11.0 - gitlab-pages: upgrade to v17.11.0 ## 17.10.4 - gitlab: upgrade CE to v17.10.4 - gitaly: upgrade to v17.10.4 - gitlab-pages: upgrade to v17.10.4 - ubuntu: upgrade to jammy-20250404 ## 17.10.3 - gitlab: upgrade CE to v17.10.3 - gitaly: upgrade to v17.10.3 - gitlab-pages: upgrade to v17.10.3 - golang: upgrade to v1.24.2 - ruby: upgrade to v3.2.8 ## 17.10.1 - gitlab: upgrade CE to v17.10.1 - gitaly: upgrade to v17.10.1 - gitlab-pages: upgrade to v17.10.1 ## 17.10.0 - gitlab: upgrade CE to v17.10.0 - gitaly: upgrade to v17.10.0 - gitlab-pages: upgrade to v17.10.0 - golang: upgrade to v1.24.1 - rubygems: upgrade to v3.6.6 ## 17.9.2 - gitlab: upgrade CE to v17.9.2 - gitaly: upgrade to v17.9.2 - gitlab-pages: upgrade to v17.9.2 ## 17.9.1 - gitlab: upgrade CE to v17.9.1 - gitaly: upgrade to v17.9.1 - gitlab-pages: upgrade to v17.9.1 ## 17.9.0 - gitlab: upgrade CE to v17.9.0 - 
gitaly: upgrade to v17.9.0 - gitlab-pages: upgrade to v17.9.0 - gitlab-shell: upgrade to v14.40.0 - golang: upgrade to v1.24.0 - rubygems: upgrade to v3.5.23 - ubuntu: upgrade to jammy-20250126 ## 17.8.2 - gitlab: upgrade CE to v17.8.2 - gitaly: upgrade to v17.8.2 - gitlab-pages: upgrade to v17.8.2 - golang: upgrade to v1.23.6 - ruby: upgrade to v3.2.7 ## 17.8.1 - gitlab: upgrade CE to v17.8.1 - gitaly: upgrade to v17.8.1 - gitlab-pages: upgrade to v17.8.1 ## 17.8.0 - gitlab: upgrade CE to v17.8.0 - gitaly: upgrade to v17.8.0 - gitlab-pages: upgrade to v17.8.0 ## 17.7.1 - gitlab: upgrade CE to v17.7.1 - gitaly: upgrade to v17.7.1 - gitlab-pages: upgrade to v17.7.1 ## 17.7.0 - gitlab: upgrade CE to v17.7.0 - gitaly: upgrade to v17.7.0 - gitlab-pages: upgrade to v17.7.0 - ubuntu: upgrade to jammy-20240911.1 - update healthcheck for postgresql ## 17.6.3 - gitlab: upgrade CE to v17.6.3 - gitaly: upgrade to v17.6.3 - gitlab-pages: upgrade to v17.6.3 ## 17.6.2 - gitlab: upgrade CE to v17.6.2 - gitaly: upgrade to v17.6.2 - gitlab-pages: upgrade to v17.6.2 ## 17.6.1 - gitlab: upgrade CE to v17.6.1 - gitlab-pages: upgrade to v17.6.1 - gitaly: upgrade to v17.6.1 - golang: upgrade to v1.23.5 ## 17.6.0 - gitlab: upgrade CE to v17.6.0 - gitaly: upgrade to v17.6.0 - gitlab-pages: upgrade to v17.6.0 ## 17.5.2 - gitlab: upgrade CE to v17.5.2 - gitaly: upgrade to v17.5.2 - gitlab-pages: upgrade to v17.5.2 - golang: upgrade to v1.23.2 - ruby: upgrade to v3.2.6 ## 17.5.1 - gitlab: upgrade CE to v17.5.1 - gitaly: upgrade to v17.5.1 - gitlab-pages: upgrade to v17.5.1 ## 17.5.0 - gitlab: upgrade CE to v17.5.0 - gitaly: upgrade to v17.5.0 - gitlab-pages: upgrade to v17.5.0 - ubuntu: upgrade to focal-20241011 ## 17.4.2 - gitlab: upgrade CE to v17.4.2 - gitaly: upgrade to v17.4.2 - gitlab-pages: upgrade to v17.4.2 - golang: upgrade to v1.23.2 - ubuntu: upgrade to focal-20240918 ## 17.4.1 - gitlab: upgrade CE to v17.4.1 - gitaly: upgrade to v17.4.1 - gitlab-pages: upgrade to v17.4.1 ## 
17.4.0 - gitlab: upgrade CE to v17.4.0 - gitaly: upgrade to v17.4.0 - gitlab-pages: upgrade to v17.4.0 - gitlab-shell: upgrade to v14.39.0 ## 17.3.3 - gitlab: upgrade CE to v17.3.3 - gitaly: upgrade to v17.3.3 - gitlab-pages: upgrade to v17.3.3 ## 17.3.2 - gitlab: upgrade CE to v17.3.2 - gitaly: upgrade to v17.3.2 - gitlab-pages: upgrade to v17.3.2 - golang: upgrade to v1.23.1 ## 17.3.1 - gitlab: upgrade CE to v17.3.1 - gitaly: upgrade to v17.3.1 - gitlab-pages: upgrade to v17.3.1 ## 17.3.0 - gitlab: upgrade CE to v17.3.0 - gitaly: upgrade to v17.3.0 - gitlab-pages: upgrade to v17.3.0 - gitlab-shell: upgrade to v14.38.0 - golang: upgrade to v1.23.0 ## 17.2.2 - gitlab: upgrade CE to v17.2.2 - gitaly: upgrade to v17.2.2 - gitlab-pages: upgrade to v17.2.2 - golang: upgrade to v1.22.6 ## 17.2.1 - gitlab: upgrade CE to v17.2.1 - gitaly: upgrade to v17.2.1 - gitlab-pages: upgrade to v17.2.1 - ruby: upgrade to v3.2.5 ## 17.2.0 - gitlab: upgrade CE to v17.2.0 - gitaly: upgrade to v17.2.0 - gitlab-pages: upgrade to v17.2.0 - gitlab-shell: upgrade to v14.37.0 ## 17.1.2 - gitlab: upgrade CE to v17.1.2 - gitaly: upgrade to v17.1.2 - gitlab-pages: upgrade to v17.1.2 - golang: upgrade to v1.22.5 ## 17.1.1 - gitlab: upgrade CE to v17.1.1 - gitaly: upgrade to v17.1.1 - gitlab-pages: upgrade to v17.1.1 ## 17.1.0 - gitlab: upgrade CE to v17.1.0 - gitaly: upgrade to v17.1.0 - gitlab-pages: upgrade to v17.1.0 - gitlab-shell: upgrade to v14.36.0 ## 17.0.2 - gitlab: upgrade CE to v17.0.2 - gitaly: upgrade to v17.0.2 - gitlab-pages: upgrade to v17.0.2 - golang: upgrade to v1.22.4 - ubuntu: upgrade to focal-20240530 ## 17.0.1 - gitlab: upgrade CE to v17.0.1 - gitaly: upgrade to v17.0.1 - gitlab-pages: upgrade to v17.0.1 ## 17.0.0 - gitlab: upgrade CE to v17.0.0 - gitaly: upgrade to v17.0.0 - gitlab-pages: upgrade to v17.0.0 - gitlab-shell: upgrade to v14.35.0 ## 16.11.2 - gitlab: upgrade CE to v16.11.2 - gitaly: upgrade to v16.11.2 - gitlab-pages: upgrade to v16.11.2 - golang: upgrade to 
v1.22.3 - ubuntu: upgrade to focal-20240427 ## 16.11.1 - gitlab: upgrade CE to v16.11.1 - gitaly: upgrade to v16.11.1 - gitlab-pages: upgrade to v16.11.1 - ruby: upgrade to v3.2.4 - ubuntu: upgrade to focal-20240416 ## 16.11.0 - gitlab: upgrade CE to v16.11.0 - gitaly: upgrade to v16.11.0 - gitlab-pages: upgrade to v16.11.0 - gitlab-shell: upgrade to v14.35.0 ## 16.10.3 - gitlab: upgrade CE to v16.10.3 - gitaly: upgrade to v16.10.3 - gitlab-pages: upgrade to v16.10.3 - ubuntu: upgrade to focal-20240410 ## 16.10.2 - gitlab: upgrade CE to v16.10.2 - gitaly: upgrade to v16.10.2 - gitlab-pages: upgrade to v16.10.2 - golang: upgrade to v1.22.2 ## 16.10.1 - gitlab: upgrade CE to v16.10.1 - gitaly: upgrade to v16.10.1 - gitlab-pages: upgrade to v16.10.1 ## 16.10.0 - gitlab: upgrade CE to v16.10.0 - gitaly: upgrade to v16.10.0 - gitlab-pages: upgrade to v16.10.0 - gitlab-shell: upgrade to v14.34.0 ## 16.9.2 - gitlab: upgrade CE to v16.9.2 - gitaly: upgrade to v16.9.2 - gitlab-pages: upgrade to v16.9.2 - golang: upgrade to v1.22.1 - ubuntu: upgrade to focal-20240216 ## 16.9.1 - gitlab: upgrade CE to v16.9.1 - gitaly: upgrade to v16.9.1 - gitlab-pages: upgrade to v16.9.1 ## 16.9.0 - gitlab: upgrade CE to v16.9.0 - gitaly: upgrade to v16.9.0 - gitlab-pages: upgrade to v16.9.0 ## 16.8.2 - gitlab: upgrade CE to v16.8.2 - gitaly: upgrade to v16.8.2 - gitlab-pages: upgrade to v16.8.2 - golang: upgrade to v1.22.0 - ubuntu: upgrade to focal-20240123 ## 16.8.1 - gitlab: upgrade CE to v16.8.1 - gitaly: upgrade to v16.8.1 - gitlab-pages: upgrade to v16.8.1 - gitlab-shell: upgrade to v14.33.0 ## 16.8.0 - gitlab: upgrade CE to v16.8.0 - gitaly: upgrade to v16.8.0 - gitlab-pages: upgrade to v16.8.0 ## 16.7.3 - gitlab: upgrade CE to v16.7.3 - gitaly: upgrade to v16.7.3 - gitlab-pages: upgrade to v16.7.3 ## 16.7.2 - gitlab: upgrade CE to v16.7.2 - gitaly: upgrade to v16.7.2 - gitlab-pages: upgrade to v16.7.2 - golang: upgrade to v1.21.6 ## 16.7.0 - gitlab: upgrade CE to v16.7.0 - gitaly: 
upgrade to v16.7.0 - gitlab-pages: upgrade to v16.7.0 - gitlab-shell: upgrade to v14.32.0 - ruby: upgrade to v3.1.4 ## 16.6.2 - gitlab: upgrade CE to v16.6.2 - gitaly: upgrade to v16.6.2 - gitlab-pages: upgrade to v16.6.2 - golang: upgrade to v1.21.5 - ubuntu: upgrade to focal-20231211 ## 16.6.1 - gitlab: upgrade CE to v16.6.1 - gitaly: upgrade to v16.6.1 - gitlab-pages: upgrade to v16.6.1 - ubuntu: upgrade to focal-20231128 ## 16.6.0 - gitlab: upgrade CE to v16.6.0 - gitaly: upgrade to v16.6.0 - gitlab-pages: upgrade to v16.6.0 - gitlab-shell: upgrade to v14.30.0 - golang: upgrade to v1.21.4 ## 16.5.1 - gitlab: upgrade CE to v16.5.1 - gitaly: upgrade to v16.5.1 - gitlab-pages: upgrade to v16.5.1 ## 16.5.0 - gitlab: upgrade CE to v16.5.0 - gitaly: upgrade to v16.5.0 - gitlab-pages: upgrade to v16.5.0 - gitlab-shell: upgrade to v14.29.0 - golang: upgrade to v1.21.3 - ubuntu: upgrade to focal-20231003 ## 16.4.1 - gitlab: upgrade CE to v16.4.1 - gitaly: upgrade to v16.4.1 - gitlab-pages: upgrade to v16.4.1 ## 16.4.0 - gitlab: upgrade CE to v16.4.0 - gitaly: upgrade to v16.4.0 - gitlab-pages: upgrade to v16.4.0 - gitlab-shell: upgrade to v14.28.0 ## 16.3.4 - gitlab: upgrade CE to v16.3.4 - gitaly: upgrade to v16.3.4 - gitlab-pages: upgrade to v16.3.4 ## 16.3.3 - gitlab: upgrade CE to v16.3.3 - gitaly: upgrade to v16.3.3 - gitlab-pages: upgrade to v16.3.3 ## 16.3.2 - gitlab: upgrade CE to v16.3.2 - gitaly: upgrade to v16.3.2 - gitlab-pages: upgrade to v16.3.2 - golang: upgrade to v1.21.1 ## 16.3.1 - gitlab: upgrade CE to v16.3.1 - gitaly: upgrade to v16.3.1 - gitlab-pages: upgrade to v16.3.1 ## 16.3.0 - gitlab: upgrade CE to v16.3.0 - gitaly: upgrade to v16.3.0 - gitlab-pages: upgrade to v16.3.0 ## 16.2.4 - gitlab: upgrade CE to v16.2.4 - gitaly: upgrade to v16.2.4 - gitlab-pages: upgrade to v16.2.4 - golang: upgrade to v1.21.0 ## 16.2.3 - gitlab: upgrade CE to v16.2.3 - gitaly: upgrade to v16.2.3 - gitlab-pages: upgrade to v16.2.3 ## 16.2.2 - gitlab: upgrade CE to 
v16.2.2 - gitaly: upgrade to v16.2.2 - gitlab-pages: upgrade to v16.2.2 - golang: upgrade to v1.20.7 - ubuntu: upgrade to focal-20230801 ## 16.2.1 - gitlab: upgrade CE to v16.2.1 - gitaly: upgrade to v16.2.1 - gitlab-pages: upgrade to v16.2.1 ## 16.2.0 - gitlab: upgrade CE to v16.2.0 - gitaly: upgrade to v16.2.0 - gitlab-pages: upgrade to v16.2.0 - golang: upgrade to v1.20.6 ## 16.1.2 - gitlab: upgrade CE to v16.1.2 - gitaly: upgrade to v16.1.2 - gitlab-pages: upgrade to v16.1.2 - ubuntu: upgrade to focal-20230624 ## 16.1.1 - gitlab: upgrade CE to v16.1.1 - gitaly: upgrade to v16.1.1 - gitlab-pages: upgrade to v16.1.1 ## 16.1.0 - gitlab: upgrade CE to v16.1.0 - gitaly: upgrade to v16.1.0 - gitlab-pages: upgrade to v16.1.0 - gitlab-shell: upgrade to v14.23.0 ## 16.0.5 - gitlab: upgrade CE to v16.0.5 - gitaly: upgrade to v16.0.5 - gitlab-pages: upgrade to v16.0.5 - ubuntu: upgrade to focal-20230605 ## 16.0.4 - gitlab: upgrade CE to v16.0.4 - gitaly: upgrade to v16.0.4 - gitlab-pages: upgrade to v16.0.4 ## 16.0.3 - gitlab: upgrade CE to v16.0.3 - gitaly: upgrade to v16.0.3 - gitlab-pages: upgrade to v16.0.3 ## 16.0.2 - gitlab: upgrade CE to v16.0.2 - gitaly: upgrade to v16.0.2 - gitlab-pages: upgrade to v16.0.2 - golang: upgrade to v1.20.5 ## 16.0.1 - gitlab: upgrade CE to v16.0.1 - gitaly: upgrade to v16.0.1 - gitlab-pages: upgrade to v16.0.1 ## 16.0.0 - gitlab: upgrade CE to v16.0.0 - gitaly: upgrade to v16.0.0 - gitlab-pages: upgrade to v16.0.0 - gitlab-shell: upgrade to v14.20.0 ## 15.11.5 - gitlab: upgrade CE to v15.11.5 - gitaly: upgrade to v15.11.5 - gitlab-pages: upgrade to v15.11.5 ## 15.11.4 - gitlab: upgrade CE to v15.11.4 - gitaly: upgrade to v15.11.4 - gitlab-pages: upgrade to v15.11.4 ## 15.11.3 - gitlab: upgrade CE to v15.11.3 - gitaly: upgrade to v15.11.3 - gitlab-pages: upgrade to v15.11.3 - ruby: upgrade to v3.0.6 ## 15.11.2 - gitlab: upgrade CE to v15.11.2 - gitaly: upgrade to v15.11.2 - gitlab-pages: upgrade to v15.11.2 ## 15.11.1 - gitlab: upgrade 
CE to v15.11.1 - gitaly: upgrade to v15.11.1 - gitlab-pages: upgrade to v15.11.1 - golang: upgrade to v1.20.4 ## 15.11.0 - gitlab: upgrade CE to v15.11.0 - gitaly: upgrade to v15.11.0 - gitlab-pages: upgrade to v15.11.0 - ubuntu: upgrade to focal-20230412 ## 15.10.3 - gitlab: upgrade CE to v15.10.3 - gitaly: upgrade to v15.10.3 - gitlab-pages: upgrade to v15.10.3 ## 15.10.2 - gitlab: upgrade CE to v15.10.2 - gitaly: upgrade to v15.10.2 - gitlab-pages: upgrade to v15.10.2 - golang: upgrade to v1.20.3 ## 15.10.1 - gitlab: upgrade CE to v15.10.1 - gitaly: upgrade to v15.10.1 - gitlab-pages: upgrade to v15.10.1 - ruby: upgrade to v2.7.8 - ubuntu: upgrade to focal-20230308 ## 15.10.0 - gitlab: upgrade CE to v15.10.0 - gitaly: upgrade to v15.10.0 - gitlab-pages: upgrade to v15.10.0 - gitlab-shell: upgrade to v14.18.0 - ubuntu: upgrade to focal-20230308 ## 15.9.3 - gitlab: upgrade CE to v15.9.3 - gitaly: upgrade to v15.9.3 - gitlab-pages: upgrade to v15.9.3 - golang: upgrade to v1.20.2 ## 15.9.2 - gitlab: upgrade CE to v15.9.2 - gitaly: upgrade to v15.9.2 - gitlab-pages: upgrade to v15.9.2 - ubuntu: upgrade to focal-20230301 ## 15.9.1 - gitlab: upgrade CE to v15.9.1 - gitaly: upgrade to v15.9.1 - gitlab-pages: upgrade to v15.9.1 ## 15.9.0 - gitlab: upgrade CE to v15.9.0 - gitaly: upgrade to v15.9.0 - gitlab-pages: upgrade to v15.9.0 - gitlab-shell: upgrade to v14.17.0 ## 15.8.2 - gitlab: upgrade CE to v15.8.2 - gitaly: upgrade to v15.8.2 - gitlab-pages: upgrade to v15.8.2 - golang: upgrade to v1.19.6 ## 15.8.1 - gitlab: upgrade CE to v15.8.1 - gitaly: upgrade to v15.8.1 - gitlab-pages: upgrade to v15.8.1 - ubuntu: upgrade to focal-20230126 ## 15.8.0-1 - ruby: rollback to v2.7.7 ## 15.8.0 - gitlab: upgrade CE to v15.8.0 - gitaly: upgrade to v15.8.0 - gitlab-pages: upgrade to v15.8.0 - gitlab-shell: upgrade to v14.15.0 - golang: upgrade to v1.18.10 ## 15.7.5 - gitlab: upgrade CE to v15.7.5 - gitaly: upgrade to v15.7.5 - gitlab-pages: upgrade to v15.7.5 ## 15.7.3 - gitlab: 
upgrade CE to v15.7.3 - gitaly: upgrade to v15.7.3 - gitlab-pages: upgrade to v15.7.3 ## 15.7.2 - gitlab: upgrade CE to v15.7.2 - gitaly: upgrade to v15.7.2 - gitlab-pages: upgrade to v15.7.2 ## 15.7.1 - gitlab: upgrade CE to v15.7.1 - gitaly: upgrade to v15.7.1 - gitlab-pages: upgrade to v15.7.1 ## 15.7.0 - gitlab: upgrade CE to v15.7.0 - gitaly: upgrade to v15.7.0 - gitlab-pages: upgrade to v15.7.0 - gitlab-shell: upgrade to v14.14.0 - ruby: upgrade to v3.0.5 ## 15.6.3 - gitlab: upgrade CE to v15.6.3 - gitaly: upgrade to v15.6.3 - gitlab-pages: upgrade to v15.6.3 - ubuntu: upgrade to focal-20221130 - ruby: upgrade to v2.7.7 - ruby: upgrade to v3.0.4 ## 15.6.2 - gitlab: upgrade CE to v15.6.2 - gitaly: upgrade to v15.6.2 ## 15.6.1 - gitlab: upgrade CE to v15.6.1 - gitaly: upgrade to v15.6.1 ## 15.6.0 - gitlab: upgrade CE to v15.6.0 - gitaly: upgrade to v15.6.0 - gitlab-shell: upgrade to v14.13.0 - gitlab-pages: upgrade to v1.63.0 - golang: upgrade to v1.18.8 ## 15.5.4 - gitlab: upgrade CE to v15.5.4 - gitaly: upgrade to v15.5.4 ## 15.5.3 - gitlab: upgrade CE to v15.5.3 - gitaly: upgrade to v15.5.3 ## 15.5.2 - gitlab: upgrade CE to v15.5.2 - gitaly: upgrade to v15.5.2 - ubuntu: upgrade to focal-20221019 ## 15.5.1 - gitlab: upgrade CE to v15.5.1 - gitaly: upgrade to v15.5.1 ## 15.5.0 - gitlab: upgrade CE to v15.5.0 - gitaly: upgrade to v15.5.0 - gitlab-shell: upgrade to v14.12.0 ## 15.4.3 - gitlab: upgrade CE to v15.4.3 - gitaly: upgrade to v15.4.3 - ubuntu: upgrade to focal-20220922 ## 15.4.2 - gitlab: upgrade CE to v15.4.2 - gitaly: upgrade to v15.4.2 ## 15.4.1 - gitlab: upgrade CE to v15.4.1 - gitaly: upgrade to v15.4.1 ## 15.4.0 - gitlab: upgrade CE to v15.4.0 - gitaly: upgrade to v15.4.0 - ubuntu: upgrade to focal-20220826 ## 15.3.3 - gitlab: upgrade CE to v15.3.3 - gitaly: upgrade to v15.3.3 ## 15.3.2 - gitlab: upgrade CE to v15.3.2 - gitaly: upgrade to v15.3.2 ## 15.3.1 - gitlab: upgrade CE to v15.3.1 - gitaly: upgrade to v15.3.1 ## 15.3.0 - gitlab: upgrade CE 
to v15.3.0 - gitaly: upgrade to v15.3.0 - gitlab-shell: upgrade to v14.10.0 - gitlab-pages: upgrade to v1.62.0 - ubuntu: upgrade to focal-20220801 ## 15.2.2 - gitlab: upgrade CE to v15.2.2 - gitaly: upgrade to v15.2.2 - golang: upgrade to v1.17.13 ## 15.2.1 - gitlab: upgrade CE to v15.2.1 - gitaly: upgrade to v15.2.1 - gitlab-pages: upgrade to v1.61.1 ## 15.2.0 - gitlab: upgrade CE to v15.2.0 - gitaly: upgrade to v15.2.0 - gitlab-shell: upgrade to v14.9.0 - gitlab-pages: upgrade to v1.61.0 - golang: upgrade to v1.17.12 ## 15.1.3 - gitlab: upgrade CE to v15.1.3 - gitaly: upgrade to v15.1.3 ## 15.1.2 - gitlab: upgrade CE to v15.1.2 - gitaly: upgrade to v15.1.2 ## 15.1.1 - gitlab: upgrade CE to v15.1.1 - gitaly: upgrade to v15.1.1 ## 15.1.0 - gitlab: upgrade CE to v15.1.0 - gitaly: upgrade to v15.1.0 - gitlab-shell: upgrade to v14.7.4 - gitlab-pages: upgrade to v1.59.0 ## 15.0.3 - gitlab: upgrade CE to v15.0.3 - gitaly: upgrade to v15.0.3 ## 15.0.2 - gitlab: upgrade CE to v15.0.2 - gitaly: upgrade to v15.0.2 - ubuntu: upgrade to focal-20220531 ## 15.0.1 - gitlab: upgrade CE to v15.0.1 - gitaly: upgrade to v15.0.1 - golang: upgrade to v1.17.11 ## 15.0.0 - gitlab: upgrade CE to v15.0.0 - gitaly: upgrade to v15.0.0 - golang: upgrade to v1.17.10 - gitlab-shell: upgrade to v14.3.0 - gitlab-pages: upgrade to v1.58.0 ## 14.10.3 - gitlab: upgrade CE to v14.10.3 - gitaly: upgrade to v14.10.3 ## 14.10.2 - gitlab: upgrade CE to v14.10.2 - gitaly: upgrade to v14.10.2 - ubuntu: upgrade to focal-20220426 ## 14.10.1 - gitlab: upgrade CE to v14.10.1 - gitaly: upgrade to v14.10.1 - ubuntu: upgrade to focal-20220426 ## 14.10.0 - gitlab: upgrade CE to v14.10.0 - gitaly: upgrade to v14.10.0 - gitlab-shell: upgrade to v13.25.1 - ubuntu: upgrade to focal-20220415 ## 14.9.3 - gitlab: upgrade CE to v14.9.3 - gitaly: upgrade to v14.9.3 - golang: upgrade to v1.17.9 - ruby: upgrade to v2.7.6 - ubuntu: upgrade to focal-20220404 ## 14.9.2 - gitlab: upgrade CE to v14.9.2 - gitaly: upgrade to 
v14.9.2 - gitlab-pages: upgrade to v1.56.1 ## 14.9.1 - gitlab: upgrade CE to v14.9.1 - gitaly: upgrade to v14.9.1 ## 14.9.0 - gitlab: upgrade CE to v14.9.0 - gitaly: upgrade to v14.9.0 - gitlab-pages: upgrade to v1.56.0 - gitlab-shell: upgrade to v13.24.0 ## 14.8.4 - gitlab: upgrade CE to v14.8.4 - gitaly: upgrade to v14.8.4 ## 14.8.3 - gitlab: upgrade CE to v14.8.3 - gitaly: upgrade to v14.8.3 - golang: upgrade to v1.17.8 - ubuntu: upgrade to focal-20220316 ## 14.8.2 - gitlab: upgrade CE to v14.8.2 - gitaly: upgrade to v14.8.2 ## 14.8.1 - gitlab: upgrade CE to v14.8.1 - gitaly: upgrade to v14.8.1 ## 14.8.0 - gitlab: upgrade CE to v14.8.0 - gitaly: upgrade to v14.8.0 - gitlab-pages: upgrade to v1.54.0 - gitlab-shell: v13.23.2 ## 14.7.3 - gitlab: upgrade CE to v14.7.3 - gitaly: upgrade to v14.7.3 - golang: upgrade to v1.17.7 ## 14.7.2 - gitlab: upgrade CE to v14.7.2 - gitaly: upgrade to v14.7.2 - ubuntu: upgrade to focal-20220113 ## 14.7.1 - gitlab: upgrade CE to v14.7.1 - gitaly: upgrade to v14.7.1 ## 14.7.0 - gitlab: upgrade CE to v14.7.0 - gitaly: upgrade to v14.7.0 - gitlab-shell: v13.22.2 - gitlab-pages: upgrade to v1.51.0 ## 14.6.3 - gitlab: upgrade CE to v14.6.3 - gitaly: upgrade to v14.6.3 ## 14.6.2 - gitlab: upgrade CE to v14.6.2 - gitaly: upgrade to v14.6.2 - golang: upgrade to v1.17.6 - ubuntu: upgrade to focal-20220105 ## 14.6.1 - gitlab: upgrade CE to v14.6.1 - gitaly: upgrade to v14.6.1 ## 14.6.0 - gitlab: upgrade CE to v14.6.0 - gitaly: upgrade to v14.6.0 - gitlab-pages: upgrade to v1.49.0 ## 14.5.2 - gitlab: upgrade CE to v14.5.2 - gitaly: upgrade to v14.5.2 - golang: upgrade to v1.17.5 ## 14.5.1 - gitlab: upgrade CE to v14.5.1 - gitaly: upgrade to v14.5.1 - gitlab-shell: v13.22.1 ## 14.5.0 - gitlab: upgrade CE to v14.5.0 - gitaly: upgrade to v14.5.0 - gitlab-pages: upgrade to v1.48.0 - gitlab-shell: v13.22.0 ## 14.4.4 - gitlab: upgrade CE to v14.4.4 - gitaly: upgrade to v14.4.4 - ruby: upgrade to v2.7.5 ## 14.4.3 - gitlab: upgrade CE to v14.4.3 - 
gitaly: upgrade to v14.4.3 - golang: upgrade to v1.17.4 ## 14.4.2 - gitlab: upgrade CE to v14.4.2 - gitaly: upgrade to v14.4.2 - redis: upgrade to v6.2.6 ## 14.4.1 - gitlab: upgrade CE to v14.4.1 - gitaly: upgrade to v14.4.1 ## 14.4.0 - gitlab: upgrade CE to v14.4.0 - gitaly: upgrade to v14.4.0 - gitlab-pages: upgrade to v1.46.0 ## 14.3.3 - gitlab: upgrade CE to v14.3.3 - gitaly: upgrade to v14.3.3 ## 14.3.2 - gitlab: upgrade CE to v14.3.2 - gitaly: upgrade to v14.3.2 - gitlab-shell: v13.21.1 ## 14.3.1 - gitlab: upgrade CE to v14.3.1 - gitaly: upgrade to v14.3.1 ## 14.3.0 - gitlab: upgrade CE to v14.3.0 - gitaly: upgrade to v14.3.0 - gitlab-shell: v13.21.0 - gitlab-pages: upgrade to v1.44.0 - ruby: compile ruby from source and use v2.7.4 - ubuntu: upgrade to focal-20211006 ## 14.2.5 - gitlab: upgrade CE to v14.2.5 - gitaly: upgrade to v14.2.5 ## 14.2.4 - gitlab: upgrade CE to v14.2.4 - gitaly: upgrade to v14.2.4 - golang: upgrade to v1.17.1 ## 14.2.3 - gitlab: upgrade CE to v14.2.3 - gitaly: upgrade to v14.2.3 ## 14.2.2 - gitlab: upgrade CE to v14.2.2 - gitaly: upgrade to v14.2.2 - ubuntu: upgrade to focal-20210827 ## 14.2.1 - gitlab: upgrade CE to v14.2.1 - gitaly: upgrade to v14.2.1 ## 14.2.0 - gitlab: upgrade CE to v14.2.0 - gitaly: upgrade to v14.2.0 - gitlab-pages: upgrade to v1.42.0 - golang: upgrade to v1.17 ## 14.1.3 - gitlab: upgrade CE to v14.1.3 - gitaly: upgrade to v14.1.3 - golang: upgrade to v1.16.7 ## 14.1.2 - gitlab: upgrade CE to v14.1.2 - gitaly: upgrade to v14.1.2 - gitlab-shell: upgrade to v13.19.1 ## 14.1.1 - gitlab: upgrade CE to v14.1.1 - gitaly: upgrade to v14.1.1 - ubuntu: upgrade to focal-20210723 ## 14.1.0 - gitlab: upgrade CE to v14.1.0 - gitaly: upgrade to v14.1.0 ## 14.0.6 - gitlab: upgrade CE to v14.0.6 - gitaly: upgrade to v14.0.6 - golang: upgrade to v1.16.6 ## 14.0.5 - gitlab: upgrade CE to v14.0.5 - gitaly: upgrade to v14.0.5 ## 14.0.4 - gitlab: upgrade CE to v14.0.4 - gitaly: upgrade to v14.0.4 ## 14.0.3 - gitlab: upgrade CE to 
v14.0.3 - gitaly: upgrade to v14.0.3 ## 14.0.2 - gitlab: upgrade CE to v14.0.2 - gitaly: upgrade to v14.0.2 ## 14.0.1 - gitlab: upgrade CE to v14.0.1 - gitaly: upgrade to v14.0.1 ## 14.0.0 - gitlab: upgrade CE to v14.0.0 - gitaly: upgrade to v14.0.0 - gitlab-shell: upgrade to v13.19.0 - gitlab-pages: upgrade to v1.40.0 ## 13.12.5 - gitlab: upgrade CE to v13.12.5 - gitaly: upgrade to v13.12.5 - ubuntu: upgrade to focal-20210609 ## 13.12.4 - gitlab: upgrade CE to v13.12.4 - gitaly: upgrade to v13.12.4 ## 13.12.3 - gitlab: upgrade CE to v13.12.3 - gitaly: upgrade to v13.12.3 - golang: upgrade to v1.16.5 ## 13.12.2 - gitlab: upgrade CE to v13.12.2 - gitaly: upgrade to v13.12.2 ## 13.12.1 - gitlab: upgrade CE to v13.12.1 - gitaly: upgrade to v13.12.1 ## 13.12.0 - gitlab: upgrade CE to v13.12.0 - gitlab-shell: upgrade to v13.18.0 - gitlab-pages: upgrade to v1.39.0 - gitaly: upgrade to v13.12.0 ## 13.11.4 - gitlab: upgrade CE to v13.11.4 - gitaly: upgrade to v13.11.4 - golang: upgrade to v1.16.4 - ubuntu: upgrade to focal-20210416 ## 13.11.3 - gitlab: upgrade CE to v13.11.3 - gitaly: upgrade to v13.11.3 ## 13.11.2 - gitlab: upgrade CE to v13.11.2 - gitaly: upgrade to v13.11.2 ## 13.11.1 - gitlab: upgrade CE to v13.11.1 - gitaly: upgrade to v13.11.1 ## 13.11.0 - gitlab: upgrade CE to v13.11.0 - gitaly: upgrade to v13.11.0 - gitlab-pages: upgrade to v1.38.0 - ubuntu: upgrade to focal-20210401 ## 13.10.3 - gitlab: upgrade CE to v13.10.3 - gitaly: upgrade to v13.10.3 ## 13.10.2 - gitlab: upgrade CE to v13.10.2 - gitaly: upgrade to v13.10.2 - golang: upgrade to v1.16.3 - ubuntu: upgrade to bionic-20210325 ## 13.10.1 - gitlab: upgrade CE to v13.10.1 - gitaly: upgrade to v13.10.1 - added libmagic1 to fit requirements of ruby-magic-static-0.3.4 (necessary for puma) ## 13.10.0 - gitlab: upgrade CE to v13.10.0 - gitaly: upgrade to v13.10.0 - gitlab-pages: upgrade to v1.36.0 ## 13.9.5 - gitlab: upgrade CE to v13.9.5 - gitaly: upgrade to v13.9.5 ## 13.9.4 - gitlab: upgrade CE to 
v13.9.4 - gitaly: upgrade to v13.9.4 - golang: upgrade to v1.16.2 - ubuntu: upgrade to bionic-20210222 ## 13.9.3 - gitlab: upgrade CE to v13.9.3 - gitaly: upgrade to v13.9.3 - gitlab-shell: upgrade to v13.17.0 ## 13.9.2 - gitlab: upgrade CE to v13.9.2 - gitaly: upgrade to v13.9.2 - gitlab-workhorse: upgrade to v8.63.2 ## 13.9.1 - gitlab: upgrade CE to v13.9.1 - gitaly: upgrade to v13.9.1 ## 13.9.0 - gitlab: upgrade CE to v13.9.0 - gitaly: upgrade to v13.9.0 - gitlab-shell: upgrade to v13.16.1 - gitlab-pages: upgrade to v1.35.0 - gitlab-workhorse: upgrade to v8.63.0 - golang: upgrade to v1.16 ## 13.8.4 - added `SSL_PROTOCOLS` option to change protocols of the nginx - added `SSL_REGISTRY_CIPHERS` - added `SSL_REGISTRY_PROTOCOLS` - added `SSL_PAGES_CIPHERS` - added `SSL_PAGES_PROTOCOLS` - gitlab: upgrade CE to v13.8.4 - gitaly: upgrade to v13.8.4 - gitlab-shell: upgrade to v13.15.1 ## 13.8.3 - gitlab: upgrade CE to v13.8.3 - gitaly: upgrade to v13.8.3 - golang: upgrade to v1.15.8 ## 13.8.2 - gitlab: upgrade CE to v13.8.2 - gitaly: upgrade to v13.8.2 ## 13.8.1 - gitlab: upgrade CE to v13.8.1 - gitaly: upgrade to v13.8.1 ## 13.8.0 - gitlab: upgrade CE to v13.8.0 - gitaly: upgrade to v13.8.0 - gitlab-shell: upgrade to v13.15.0 - gitlab-workhorse: upgrade to v8.59.0 - gitlab-pages: upgrade to v1.34.0 - golang: upgrade to v1.15.7 - ubuntu: upgrade to bionic-20210118 ## 13.7.4 - gitlab: upgrade CE to v13.7.4 ## 13.7.3 - gitlab: upgrade CE to v13.7.3 - gitlab-pages: upgrade to v1.34.0 - gitlab-shell: upgrade to v13.7.3 - gitlab-workhorse: upgrade to v8.58.2 ## 13.7.1 - gitlab: upgrade CE to v13.7.1 - gitaly: upgrade v13.7.1 ## 13.7.0 - gitlab: upgrade CE to v13.7.0 - gitaly: upgrade v13.7.0 - gitlab-shell: upgrade to v13.14.0 - gitlab-pages: upgrade to v1.32.0 - gitlab-workhorse: upgrade to v8.58.0 - ubuntu: upgrade to ubuntu bionic-20201119 - postgresql: upgrade to postgresql 12 ## 13.6.3 - gitlab: upgrade CE to v13.6.3 - gitaly: upgrade v13.6.3 ## 13.6.2 - gitlab: upgrade 
CE to v13.6.2 - gitaly: upgrade to v13.6.2 ## 13.6.1 - gitlab: upgrade CE to v13.6.1 - gitaly: upgrade to v13.6.1 ## 13.6.0 - gitlab: upgrade CE to v13.6.0 - gitaly: upgrade to v13.6.0 - gitlab-shell: upgrade to v13.13.0 - gitlab-pages: upgrade to v1.30.0 - gitlab-workhorse: upgrade to v8.54.0 - use bundler 2.1.4 - use ruby 2.7 ## 13.5.4 - gitlab: upgrade CE to v13.5.4 - gitaly: upgrade to v13.5.4 ## 13.5.3 - gitlab: upgrade CE to v13.5.3 - gitaly: upgrade to v13.5.3 ## 13.5.2 - gitlab: upgrade CE to v13.5.2 - gitaly: upgrade to v13.5.2 ## 13.5.1 - gitlab: upgrade CE to v13.5.1 - gitaly: upgrade to v13.5.1 - gitlab-shell: upgrade to v13.11.0 - gitlab-pages: upgrade to v1.28.0 - gitlab-workhorse: upgrade to v8.51.0 ## 13.4.4 - gitlab: upgrade CE to v13.4.4 - gitaly: upgrade to v13.4.4 ## 13.4.3 - gitlab: upgrade CE to v13.4.3 - gitaly: upgrade to v13.4.3 ## 13.4.2 - gitlab: upgrade CE to v13.4.2 - gitaly: upgrade to v13.4.2 - gitlab-pages: upgrade to 1.25.0 - gitlab-workhorse: upgrade to 8.46.0 - gitlab-shell: upgrade to 13.7.0 - ubuntu: upgrade to bionic-20200921 ## 13.3.4 - gitlab: upgrade CE to v13.3.4 - gitaly: upgrade to v13.3.4 ## 13.3.1 - gitlab: upgrade CE to v13.3.1 - gitaly: upgrade to v13.3.1 ## 13.3.0 - gitlab: upgrade CE to v13.3.0 - gitaly: upgrade to v13.3.0 - gitlab-pages: upgrade to v1.22.0 - gitlab-shell: upgrade to v13.6.0 - gitlab-workhorse: upgrade to v8.39.0 ## 13.2.6 - gitlab: upgrade CE to v13.2.6 ## 13.2.4 - gitlab: upgrade CE to v13.2.4 - ubuntu: upgrade to bionic-20200713 ## 13.2.3 - gitlab: upgrade CE to v13.2.3 - golang: upgrade to 1.14.7 - gitaly: upgrade to 13.2.3 - postgresql: add btree_gist extension ## 13.2.2 - gitlab: upgrade CE to v13.2.2 ## 13.2.1 - gitlab: upgrade CE to v13.2.1 ## 13.0.7 - gitlab: upgrade CE to v13.0.7 ## 13.0.6 - gitlab: upgrade CE to v13.0.6 ## 13.0.5 - gitlab: upgrade CE to v13.0.5 ## 13.0.3 - gitlab: upgrade CE to v13.0.3 ## 13.0.2 - gitlab: upgrade CE to v13.0.2 ## 13.0.1 - gitlab: upgrade CE to v13.0.1 ## 13.0.0 - gitlab: 
upgrade CE to v13.0.0 ## 12.10.6 - gitlab: upgrade CE to v12.10.6 ## 12.10.4 - updated to ubuntu:bionic-20200403 - gitlab-workhorse: update to 8.30.1 - sync: upstream configs - gitlab: upgrade to 12.10.4 ## 12.9.5 - gitlab: updated to 12.9.5 - gitlab-shell: updated to 12.2.0 - gitaly: updated to 12.10.0 ## 12.9.4 - gitlab: upgrade CE to v12.9.4 - Update gitlab-workhorse to 8.25.2 - Update golang to 1.13.10 ## 12.9.2 - gitlab: upgrade CE to v12.9.2 ## 12.9.1 - gitlab: upgrade CE to v12.9.1 ## 12.9.0 - gitlab: upgrade CE to v12.9.0 - replaced unicorn with puma - Removed `UNICORN_WORKERS` - Removed `UNICORN_TIMEOUT` - Added `PUMA_THREADS_MIN` - Added `PUMA_THREADS_MAX` - Added `PUMA_WORKERS` - Added `PUMA_TIMEOUT` ## 12.8.8 - gitlab: upgrade CE to v12.8.8 ## 12.8.7 - gitlab: upgrade CE to v12.8.7 ## 12.8.6 - gitlab: upgrade CE to v12.8.6 ## 12.8.5 - gitlab: upgrade CE to v12.8.5 ## 12.8.4 - gitlab: upgrade CE to v12.8.4 ## 12.8.3 - gitlab: upgrade CE to v12.8.3 ## 12.8.2 - gitlab: upgrade CE to v12.8.2 ## 12.8.1 - gitlab: upgrade CE to v12.8.1 ## 12.8.0 - gitlab: upgrade CE to v12.8.0 - fix: ArgumentError: 'import/{{oauth2_generic_name}}' is not supported [#2101](https://github.com/sameersbn/docker-gitlab/issues/2101) ## 12.7.8 - Upgrade GitLab CE to 12.7.8 ## 12.7.7 - Upgrade GitLab CE to 12.7.7 - Add Generic OAuth Provider PR#2070 ## 12.7.6 - gitlab: upgrade CE to v12.7.6 ## 12.7.5 - gitlab: upgrade CE to v12.7.5 ## 12.7.4 - Upgrade GitLab CE to 12.7.4 - Update golang to 1.13.7 - Update gitlab-pages to 1.15.0 - Update gitlab-workhorse to 8.20.0 - Update gitaly to 1.85.0 ## 12.7.2 - Upgrade GitLab CE to 12.7.2 ## 12.7.0 - Update gitlab-shell to 11.0.0 - Upgrade GitLab CE to 12.7.0 - Update golang to 1.13.6 - Update gitaly to 1.83.0 - Update gitlab-pages to 1.14.0 - Update gitlab-workhorse to 8.19.0 ## 12.6.4 - gitlab: upgrade CE to v12.6.4 ## 12.6.3 - gitlab: upgrade CE to v12.6.3 ## 12.6.2 - gitlab: upgrade CE to v12.6.2 ## 12.6.1 - gitlab: upgrade CE to v12.6.1 ## 
12.6.0 - gitlab: upgrade CE to v12.6.0 ## 12.5.7 - gitlab: upgrade CE to v12.5.7 ## 12.5.6 - gitlab: upgrade CE to v12.5.6 ## 12.5.5 - gitlab: upgrade CE to v12.5.5 ## 12.5.4 - gitlab: upgrade CE to v12.5.4 - Update golang to 1.12.14 ## 12.5.3 - gitlab: upgrade CE to v12.5.3 ## 12.5.2 - gitlab: upgrade CE to v12.5.2 ## 12.5.1 - gitlab: upgrade CE to v12.5.1 ## 12.5.0 - gitlab: upgrade CE to v12.5.0 ## 12.4.3 - gitlab: upgrade CE to v12.4.3 ## 12.4.2 - gitlab: upgrade CE to v12.4.2 ## 12.4.1 - gitlab: upgrade CE to v12.4.1 ## 12.4.0 - gitlab: upgrade CE to v12.4.0 ## 12.3.5 - gitlab: upgrade CE to v12.3.5 ## 12.3.4 - gitlab: upgrade CE to v12.3.4 ## 12.3.3 - gitlab: upgrade CE to v12.3.3 ## 12.3.2 - gitlab: upgrade CE to v12.3.2 ## 12.3.1 - gitlab: upgrade CE to v12.3.1 ## 12.3.0 - gitlab: upgrade CE to v12.3.0 ## 12.2.5 - gitlab: upgrade CE to v12.2.5 ## 12.2.4 - gitlab: upgrade CE to v12.2.4 ## 12.2.3 - gitlab: upgrade CE to v12.2.3 ## 12.2.1 - gitlab: upgrade CE to v12.2.1 ## 12.2.0 - gitlab: upgrade CE to v12.2.0 - upgrade base image to ubuntu:bionic ## 12.1.6 - gitlab: upgrade CE to v12.1.6 ## 12.1.4 - gitlab: upgrade CE to v12.1.4 ## 12.1.3 - gitlab: upgrade CE to v12.1.3 ## 12.1.2 - gitlab: upgrade CE to v12.1.2 ## 12.1.1 - gitlab: upgrade CE to v12.1.1 ## 12.1.0 - gitlab: upgrade CE to v12.1.0 - Removed MySQL-related information and packages. GitLab v12.1.X or greater requires PostgreSQL only. Perform the database migration before upgrading to v12.1.X. 
For more information, see the [Migration Guide](https://docs.gitlab.com/ce/update/mysql_to_postgresql.html) ## 12.0.4 - gitlab: upgrade CE to v12.0.4 ## 12.0.3 - gitlab: upgrade CE to v12.0.3 ## 12.0.2 - gitlab: upgrade CE to v12.0.2 ## 12.0.1 - gitlab: upgrade CE to v12.0.1 ## 12.0.0 - gitlab: upgrade CE to v12.0.0 - Update gitaly to 1.47.0 - Update gitlab-shell to 9.3.0 - Update gitlab-pages to 1.6.1 - ruby: update to 2.6 - python: update to 3 ## 11.11.3 - gitlab: upgrade CE to v11.11.3 - Update gitaly to 1.42.4 - Update golang to 1.12.6 ## 11.11.2 - gitlab: upgrade CE to v11.11.2 - Update gitaly to 1.42.3 ## 11.11.1 - gitlab: upgrade CE to v11.11.1 - Update gitaly to 1.42.2 ## 11.11.0 - gitlab: upgrade CE to v11.11.0 - Update gitaly to 1.42.0 - Update gitlab-shell to 9.1.0 - Update gitlab-workhorse to 8.7.0 ## 11.10.4 - gitlab: upgrade CE to v11.10.4 ## 11.10.3 - gitlab: upgrade CE to v11.10.3 ## 11.10.2 - gitlab: upgrade CE to v11.10.2 ## 11.10.1 - gitlab: upgrade CE to v11.10.1 ## 11.10.0 - gitlab: upgrade CE to v11.10.0 ## 11.9.8 - gitlab: upgrade CE to v11.9.8 ## 11.9.7 - gitlab: upgrade CE to v11.9.7 ## 11.9.6 - gitlab: upgrade CE to v11.9.6 ## 11.9.5 - gitlab: upgrade CE to v11.9.5 ## 11.9.4 - gitlab: upgrade CE to v11.9.4 - Update gitlab-workhorse to 8.3.3 ## 11.9.1 - gitlab: upgrade CE to v11.9.1 - Update gitaly to 1.27.1 ## 11.9.0 - gitlab: upgrade CE to v11.9.0 ## 11.8.3 - gitlab: upgrade CE to v11.8.3 ## 11.8.2 - gitlab: upgrade CE to v11.8.2 ## 11.8.1 - gitlab: upgrade CE to v11.8.1 ## 11.8.0 - gitlab: upgrade CE to v11.8.0 - Update gitlab-workhorse to 8.3.1 - Update gitaly to 1.20.0 - Update gitlab-pages to 1.5.0 ## 11.7.5 - gitlab: upgrade CE to v11.7.5 ## 11.7.4 - gitlab: upgrade CE to v11.7.4 ## 11.7.3 - gitlab: upgrade CE to v11.7.3 - Update gitlab-workhorse to 8.1.1 - Update gitaly to 1.13.0 - Update gitlab-pages to 1.4.0 ## 11.7.0 - gitlab: upgrade CE to v11.7.0 ## 11.6.5 - gitlab: upgrade CE to v11.6.5 ## 11.6.4 - gitlab: upgrade CE 
to v11.6.4 ## 11.6.3 - gitlab: upgrade CE to v11.6.3 ## 11.6.2 - gitlab: upgrade CE to v11.6.2 ## 11.6.1 - gitlab: upgrade CE to v11.6.1 - Added `GITLAB_IMPERSONATION_ENABLED` - Added `OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME` - Added `GITLAB_PAGES_ACCESS_CONTROL_SERVER` - Added `GITLAB_PAGES_ACCESS_CLIENT_ID` - Added `GITLAB_PAGES_ACCESS_CLIENT_SECRET` - Added `GITLAB_PAGES_ACCESS_SECRET` - Added `GITLAB_PAGES_ACCESS_REDIRECT_URI` ## 11.6.0 - gitlab: upgrade CE to v11.6.0 - Update gitaly to 1.7.1 - Update gitlab-shell to 8.4.3 - Update gitlab-workhorse to 7.6.0 - Update golang to 1.11.4 - Added `LDAP_USER_ATTRIBUTE_USERNAME` - Added `LDAP_USER_ATTRIBUTE_MAIL` - Added `LDAP_USER_ATTRIBUTE_NAME` - Added `LDAP_USER_ATTRIBUTE_FIRSTNAME` - Added `LDAP_USER_ATTRIBUTE_LASTNAME` - Added `GITLAB_BACKUP_DIR_CHOWN` - Added `GITLAB_BACKUP_DIR_GROUP` - Added `GITLAB_PAGES_NGINX_PROXY` ## 11.5.5 - gitlab: upgrade CE to v11.5.5 ## 11.5.4 - gitlab: upgrade CE to v11.5.4 ## 11.5.3 - gitlab: upgrade CE to v11.5.3 ## 11.5.2 - gitlab: upgrade CE to v11.5.2 ## 11.5.1-1 - Fixed GitLab Dependencies ## 11.5.1 - gitlab: upgrade CE to v11.5.1 ## 11.5.0 - gitlab: upgrade CE to v11.5.0 ## 11.4.7 - gitlab: upgrade CE to v11.4.7 ## 11.4.6 - gitlab: upgrade CE to v11.4.6 ## 11.4.5 - gitlab: upgrade CE to v11.4.5 ## 11.4.4 - gitlab: upgrade CE to v11.4.4 - golang: update to 1.10.4 ## 11.4.3 - gitlab: upgrade CE to v11.4.3 ## 11.4.2 - gitlab: upgrade CE to v11.4.2 ## 11.4.1 - gitlab: upgrade CE to v11.4.1 - Add docs how to reuse ssh port [#1731](https://github.com/sameersbn/docker-gitlab/pull/1731) ## 11.4.0 - gitlab: upgrade CE to v11.4.0 - baseimage: upgrade to xenial-20181005 ## 11.3.6 - gitlab: upgrade CE to v11.3.6 ## 11.3.5 - gitlab: upgrade CE to v11.3.5 ## 11.3.4 - gitlab: upgrade CE to v11.3.4 ## 11.3.3 - gitlab: upgrade CE to v11.3.3 ## 11.3.2 - gitlab: upgrade CE to v11.3.2 ## 11.3.1 - gitlab: upgrade CE to v11.3.1 ## 11.3.0 - gitlab: upgrade CE to v11.3.0 - Fix backup config stripping 
for when AWS & GCS backups are disabled [#1725](https://github.com/sameersbn/docker-gitlab/pull/1725) - Correct Backup Date format for selective backups [#1699](https://github.com/sameersbn/docker-gitlab/pull/1699) - Fix gitaly-ssh symlink to enable rebase/squash in forks ## 11.2.3 - gitlab: upgrade CE to v11.2.3 ## 11.2.2 - gitlab: upgrade CE to v11.2.2 ## 11.2.1 - gitlab: upgrade CE to v11.2.1 ## 11.2.0 - gitlab: upgrade CE to v11.2.0 - ADD `GITLAB_DEFAULT_THEME` ## 11.1.4 - gitlab: upgrade CE to v11.1.4 ## 11.1.3 - gitlab: upgrade CE to v11.1.3 - Upgrade redis to 4.0.9-1 ## 11.1.2 - gitlab: upgrade CE to v11.1.2 ## 11.1.1 - gitlab: upgrade CE to v11.1.1 ## 11.1.0 - gitlab: upgrade CE to v11.1.0 ## 11.0.4 - gitlab: upgrade CE to v11.0.4 ## 11.0.3 - gitlab: upgrade CE to v11.0.3 - ruby: update to 2.4 ## 11.0.2 - gitlab: upgrade CE to v11.0.2 ## 11.0.1 - gitlab: upgrade CE to v11.0.1 ## 11.0.0 - gitlab: upgrade CE to v11.0.0 ## 10.8.4 - gitlab: upgrade CE to v10.8.4 ## 10.8.3-1 - Fix boot loops that were introduced by [#1621](https://github.com/sameersbn/docker-gitlab/pull/1621) and will be fixed with [#1628](https://github.com/sameersbn/docker-gitlab/pull/1628) ## 10.8.3 - gitlab: upgrade CE to v10.8.3 - Fix potential boot problems on clean setups [#1621](https://github.com/sameersbn/docker-gitlab/pull/1621) ## 10.8.2 - gitlab: upgrade CE to v10.8.2 ## 10.8.1 - gitlab: upgrade CE to v10.8.1 ## 10.8.0 - gitlab: upgrade CE to v10.8.0 - Add support for swarm mode with docker-configs and docker secrets ([#1540](https://github.com/sameersbn/docker-gitlab/pull/1540)) ## 10.7.4 - gitlab: upgrade CE to v10.7.4 - FIX `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` ## 10.7.3 - gitlab: upgrade CE to v10.7.3 ## 10.7.2 - gitlab: upgrade CE to v10.7.2 ## 10.7.1 - gitlab: upgrade CE to v10.7.1 ## 10.7.0 - gitlab: upgrade CE to v10.7.0 - ADD `GITLAB_SIDEKIQ_LOG_FORMAT` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY` - 
ADD `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` - ADD `GITLAB_LFS_OBJECT_STORE_ENABLED` - ADD `GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY` - ADD `GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD` - ADD `GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD` - ADD `GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD` - ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER` - ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` - ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` - ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION` - ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST` - ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` - ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` - ADD `GITLAB_UPLOADS_OBJECT_STORE_ENABLED` - ADD `GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY` - ADD `GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD` - ADD `GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD` - ADD `GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD` - ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER` - ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` - ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` - ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION` - ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST` - ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` - ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` ## 10.6.4 - gitlab: upgrade CE to v10.6.4 ## 10.6.3 - gitlab: upgrade CE to v10.6.3 ## 10.6.2 - gitlab: upgrade CE to v10.6.2 - golang: update 
to 1.9.5 ## 10.6.1 - gitlab: upgrade CE to v10.6.1 ## 10.6.0 - gitlab: upgrade CE to v10.6.0 ## 10.5.6 - gitlab: security upgrade CE to v10.5.6 ## 10.5.5 - gitlab: upgrade CE to v10.5.5 ## 10.5.4 - gitlab: upgrade CE to v10.5.4 ## 10.5.3 - gitlab: upgrade CE to v10.5.3 ## 10.5.2 - gitlab: upgrade CE to v10.5.2 - Fix `GITLAB_UPLOADS_STORAGE_PATH` ## 10.5.1 - gitlab: upgrade CE to v10.5.1 ## 10.5.0 - gitlab: upgrade CE to v10.5.0 - Add `GITLAB_UPLOADS_STORAGE_PATH` - Add `GITLAB_UPLOADS_BASE_DIR` - Add `LDAP_LOWERCASE_USERNAMES` ## 10.4.4 - gitlab: upgrade CE to v10.4.4 ## 10.4.3 - gitlab: upgrade CE to v10.4.3 ## 10.4.2-1 - FIXED SSH host key generation by dropping support for rsa1 ## 10.4.2 - gitlab: upgrade CE to v10.4.2 ## 10.4.1 - gitlab: upgrade CE to v10.4.1 ## 10.4.0 - gitlab: upgrade CE to v10.4.0 - docker: upgrade to ubuntu xenial as baseimage - golang: update to 1.9.3 ## 10.3.6 - gitlab: upgrade CE to v10.3.6 ## 10.3.5 - gitlab: upgrade CE to v10.3.5 ## 10.3.4 - gitlab: upgrade CE to v10.3.4 ## 10.3.3 - gitlab: upgrade CE to v10.3.3 - ADDED `AWS_BACKUP_ENCRYPTION` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/) - ADDED `AWS_BACKUP_STORAGE_CLASS` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/) - FIXED `AWS_BACKUP_MULTIPART_CHUNK_SIZE` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/) - Apply PaX mark to ruby [1458](https://github.com/sameersbn/docker-gitlab/pull/1458) ## 10.3.2 - gitlab: upgrade CE to v10.3.2 ## 10.3.1 - gitlab: upgrade CE to v10.3.1 ## 10.3.0 - gitlab: upgrade CE to v10.3.0 - REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_COUNT_THRESHOLD` - REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_WAIT_TIME` - REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_RESET_TIME` - REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_STORAGE_TIMEOUT` - REMOVED `GITLAB_MAX_OBJECT_SIZE` - REMOVED `GITLAB_TIMEOUT` ## 10.2.5 - gitlab: upgrade CE to v10.2.5 ## 10.2.4 - gitlab: upgrade to CE v10.2.4 ## 
10.2.3 - gitlab: upgrade to CE v10.2.3 ## 10.2.2 - gitlab: upgrade to CE v10.2.2 ## 10.2.1 - gitlab: upgrade to CE v10.2.1 ## 10.2.0 - gitlab: upgrade to CE v10.2.0 ## 10.1.4 - gitlab: upgrade to CE v10.1.4 ## 10.1.3 - gitlab: upgrade to CE v10.1.3 ## 10.1.2 - gitlab: upgrade to CE v10.1.2 ## 10.1.1 - gitlab: upgrade to CE v10.1.1 ## 10.1.0 - gitlab: upgrade to CE v10.1.0 - REMOVED `GITALY_ENABLED` - ADDED `GITALY_ARTIFACTS_SERVER` - ADDED `GITALY_CLIENT_PATH` ## 10.0.4 - gitlab: upgrade to CE v10.0.4 ## 10.0.3 - gitlab: upgrade to CE v10.0.3 ## 10.0.2 - gitlab: upgrade to CE v10.0.2 ## 10.0.1 - gitlab: upgrade to CE v10.0.1 ## 10.0.0 - gitlab: upgrade to CE v10.0.0 ## 9.5.5 - gitlab: upgrade to CE v9.5.5 ## 9.5.4 - gitlab: upgrade to CE v9.5.4 ## 9.5.3 - gitlab: upgrade to CE v9.5.3 ## 9.5.2 - gitlab: upgrade to CE v9.5.2 ## 9.5.1 - gitlab: upgrade to CE v9.5.1 ## 9.5.0 - gitlab: upgrade to CE v9.5.0 ## 9.4.5 - gitlab: upgrade to CE v9.4.5 ## 9.4.4 - gitlab: upgrade to CE v9.4.4 ## 9.4.3 - gitlab: upgrade to CE v9.4.3 ## 9.4.2 - gitlab: upgrade to CE v9.4.2 ## 9.4.1 - gitlab: upgrade to CE v9.4.1 ## 9.4.0-1 - Fix asset compiling for missing translations ## 9.4.0 - gitlab: upgrade to CE v9.4.0 - Added support for nginx_real_ip module ([#1137](https://github.com/sameersbn/docker-gitlab/pull/1137)) - Added more security for regenerating certs ([#1288](https://github.com/sameersbn/docker-gitlab/pull/1288)) ## 9.3.9 - gitlab: upgrade to CE v9.3.9 ## 9.3.8 - gitlab: upgrade to CE v9.3.8 - Added RE2 library to build dependencies ([issue 35342](https://gitlab.com/gitlab-org/gitlab-foss/issues/35342)) ## 9.3.7 - gitlab: upgrade to CE v9.3.7 ## 9.3.6 - gitlab: upgrade to CE v9.3.6 ## 9.3.5 - gitlab: upgrade to CE v9.3.5 ## 9.3.4 - gitlab: upgrade to CE v9.3.4 ## 9.3.3 - gitlab: upgrade to CE v9.3.3 ## 9.3.2 - gitlab: upgrade to CE v9.3.2 ## 9.3.1 - gitlab: upgrade to CE v9.3.1 ## 9.3.0-1 - Add the missing Gitaly config so that git commands over http/https work ## 9.3.0 - 
gitlab: upgrade to CE v9.3.0 - update baseimage to `14.04.20170608` - Add `DB_COLLATION` (MySQL only; not recognized by PostgreSQL) - Add `GITLAB_PIPELINE_SCHEDULE_WORKER_CRON` - Add `GITALY_ENABLED` - Add `GITALY_SOCKET_PATH` - Add `GITALY_ADDRESS` ## 9.2.7 - gitlab: upgrade to CE v9.2.7 ## 9.2.6 - gitlab: upgrade to CE v9.2.6 ## 9.2.5 - gitlab: upgrade to CE v9.2.5 ## 9.2.2 - gitlab: upgrade to CE v9.2.2 ## 9.2.1 - gitlab: upgrade to CE v9.2.1 ## 9.2.0 - gitlab: upgrade to CE v9.2.0 - Allow using the component versions committed in gitlab-ce ## 9.1.4 - gitlab: upgrade to CE v9.1.4 ## 9.1.3 - gitlab: upgrade to CE v9.1.3 ## 9.1.2 - gitlab: upgrade to CE v9.1.2 - update baseimage to `14.04.20170503` ## 9.1.1 - gitlab: upgrade to CE v9.1.1 ## 9.1.0-1 - Fix gitlab-workhorse version display ## 9.1.0 - gitlab: upgrade to CE v9.1.0 - gitlab-shell: upgrade to 5.0.2 - gitlab-workhorse: upgrade to 1.4.3 ## 9.0.6 - gitlab: upgrade to CE v9.0.6 ## 9.0.5 - gitlab: upgrade to CE v9.0.5 ## 9.0.4 - gitlab: upgrade to CE v9.0.4 ## 9.0.3 - gitlab: upgrade to CE v9.0.3 ## 9.0.2 - gitlab: upgrade to CE v9.0.2 ## 9.0.1 - gitlab: upgrade to CE v9.0.1 - gitlab-workhorse 1.4.2 ## 9.0.0 - gitlab: upgrade to CE v9.0.0 - gitlab-shell 5.0.0 - gitlab-workhorse 1.4.1 - gitlab-pages 0.4.0 ## 8.17.4 - gitlab: upgrade to CE v8.17.4 ## 8.17.3 - gitlab: upgrade to CE v8.17.3 ## 8.17.2 - gitlab: upgrade to CE v8.17.2 ## 8.17.1 - gitlab: upgrade to CE v8.17.1 - fixed initial issues with gitlab-pages ## 8.17.0 - gitlab: upgrade to CE v8.17.0 - added `GITLAB_PAGES_ENABLED` - added `GITLAB_PAGES_DOMAIN` - added `GITLAB_PAGES_DIR` - added `GITLAB_PAGES_PORT` - added `GITLAB_PAGES_HTTPS` - added `GITLAB_PAGES_EXTERNAL_HTTP` - added `GITLAB_PAGES_EXTERNAL_HTTPS` - added `SSL_PAGES_KEY_PATH` - added `SSL_PAGES_CERT_PATH` - added nodejs 7.x as a core dependency - added gitlab-pages daemon ## 8.16.6 - gitlab: upgrade to CE v8.16.6 - Fix logic bug in remote backup ## 8.16.5 - gitlab: upgrade to CE
v8.16.5 ## 8.16.4 - gitlab: upgrade to CE v8.16.4 ## 8.16.3 - gitlab: upgrade to CE v8.16.3 ## 8.16.2 - gitlab: upgrade to CE v8.16.2 ## 8.16.1 - gitlab: upgrade to CE v8.16.1 ## 8.16.0 - gitlab: upgrade to CE v8.16.0 ## 8.15.4 - gitlab: upgrade to CE v8.15.4 ## 8.15.3 - gitlab: upgrade to CE v8.15.3 ## 8.15.2 - gitlab: upgrade to CE v8.15.2 ## 8.15.1 - gitlab: upgrade to CE v8.15.1 ## 8.15.0 - gitlab: upgrade to CE v8.15.0 - added `GITLAB_MATTERMOST_ENABLED` - added `GITLAB_MATTERMOST_URL` - added `OAUTH_AUTHENTIQ_CLIENT_ID` - added `OAUTH_AUTHENTIQ_CLIENT_SECRET` - added `OAUTH_AUTHENTIQ_SCOPE` - added `OAUTH_AUTHENTIQ_REDIRECT_URI` ## 8.14.5 - gitlab: upgrade to CE v8.14.5 ## 8.14.4 - gitlab: upgrade to CE v8.14.4 ## 8.14.3 - gitlab: upgrade to CE v8.14.3 ## 8.14.2 - gitlab: upgrade to CE v8.14.2 ## 8.14.1 - gitlab: upgrade to CE v8.14.1 ## 8.14.0 - gitlab: upgrade to CE v8.14.0 - added `IMAP_TIMEOUT` - update golang to 1.6.3 ## 8.13.6 - gitlab: upgrade to CE v8.13.6 ## 8.13.5 - gitlab: upgrade to CE v8.13.5 ## 8.13.4 **Important:** We skipped `8.13.4` because it doesn't contain any changes. For more information [8.13.4 release](https://about.gitlab.com/2016/11/09/gitlab-8-dot-13-dot-5-released/). ## 8.13.3 - gitlab: upgrade to CE v8.13.3 ## 8.13.2 - gitlab: upgrade to CE v8.13.2 ## 8.13.1 - gitlab: upgrade to CE v8.13.1 ## 8.13.0 - gitlab: upgrade to CE v8.13.0 - added `GITLAB_EMAIL_SUBJECT_SUFFIX` ## 8.12.7 - gitlab: upgrade to CE v8.12.7 ## 8.12.6 - gitlab: upgrade to CE v8.12.6 ## 8.12.5 - gitlab: upgrade to CE v8.12.5 ## 8.12.4 - gitlab: upgrade to CE v8.12.4 ## 8.12.3 - gitlab: upgrade to CE v8.12.3 ## 8.12.2 **Important:** We skipped `8.12.2` because it doesn't contain any changes. For more information [8.12.3 release](https://about.gitlab.com/2016/09/29/gitlab-8-12-3-released/). 
## 8.12.1 - gitlab: upgrade to CE v8.12.1 ## 8.12.0 - gitlab: upgrade to CE v8.12.0 ## 8.11.7 - gitlab: upgrade to CE v8.11.7 ## 8.11.6 - gitlab: upgrade to CE v8.11.6 ## 8.11.5 - gitlab: upgrade to CE v8.11.5 ## 8.11.4 - gitlab: upgrade to CE v8.11.4 ## 8.11.3 - gitlab: upgrade to CE v8.11.3 ## 8.11.2 - gitlab: upgrade to CE v8.11.2 ## 8.11.0 - gitlab: upgrade to CE v8.11.0 - added `GITLAB_SECRETS_SECRET_KEY_BASE` - added `GITLAB_SECRETS_OTP_KEY_BASE` ## Important When upgrading from `8.10-7` or below, use the key stored in `/home/git/data/.secret` as the value of `GITLAB_SECRETS_OTP_KEY_BASE`; otherwise existing 2FA enrolments will stop working. ## 8.10.7 - gitlab: upgrade to CE v8.10.7 ## 8.10.6 - gitlab: upgrade to CE v8.10.6 ## 8.10.5 - gitlab: upgrade to CE v8.10.5 ## 8.10.4 - gitlab: upgrade to CE v8.10.4 ## 8.10.3 - gitlab: upgrade to CE v8.10.3 ## 8.10.2-1 - Fix `OAUTH_GOOGLE_RESTRICT_DOMAIN` ## 8.10.2 - gitlab: upgrade to CE v8.10.2 - Improve `OAUTH_GOOGLE_RESTRICT_DOMAIN` for multiple restricted domains ## 8.10.1 - gitlab: upgrade to CE v8.10.1 ## 8.10.0 - gitlab: upgrade to CE v8.10.0 ## 8.9.6 - gitlab: upgrade to CE v8.9.6 ## 8.9.5 - gitlab: upgrade to CE v8.9.5 ## 8.9.4 - gitlab: upgrade to CE v8.9.4 ## 8.9.3 - gitlab: upgrade to CE v8.9.3 ## 8.9.2 - gitlab: upgrade to CE v8.9.2 ## 8.9.1 - gitlab: upgrade to CE v8.9.1 ## 8.9.0 - gitlab: upgrade to CE v8.9.0 ## 8.8.5-1 - added GitLab Container Registry support - added `SSL_CIPHERS` option to change the cipher suites used by nginx ## 8.8.5 - gitlab: upgrade to CE v8.8.5 ## 8.8.4 - gitlab: upgrade to CE v8.8.4 - added `GITLAB_PROJECTS_LIMIT` configuration option ## 8.8.3 - gitlab: upgrade to CE v8.8.3 ## 8.8.2 - gitlab: upgrade to CE v8.8.2 ## 8.8.1 - gitlab: upgrade to CE v8.8.1 ## 8.8.0 - gitlab: upgrade to CE v8.8.0 - oauth: exposed `OAUTH_GITHUB_URL` and `OAUTH_GITHUB_VERIFY_SSL` options for GitHub Enterprise users.
## 8.7.6 - gitlab: upgrade to CE v8.7.6 ## 8.7.5 - gitlab: upgrade to CE v8.7.5 ## 8.7.3 - gitlab: upgrade to CE v8.7.3 ## 8.7.2 - gitlab: upgrade to CE v8.7.2 ## 8.7.1 - gitlab: upgrade to CE v8.7.1 ## 8.7.0 - gitlab-shell: upgrade to v.2.7.2 - gitlab: upgrade to CE v8.7.0 - SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers. - OAuth: Added `OAUTH_EXTERNAL_PROVIDERS` to specify external oauth providers. - Exposed `GITLAB_TRUSTED_PROXIES` configuration parameter ## 8.6.7 - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups - gitlab: upgrade to CE v8.6.7 ## 8.6.6 - gitlab: upgrade to CE v8.6.6 ## 8.6.5 - gitlab: upgrade to CE v8.6.5 ## 8.6.4 - gitlab: upgrade to CE v8.6.4 ## 8.6.3 - gitlab-shell: upgrade to v.2.6.12 - gitlab: upgrade to CE v8.6.3 ## 8.6.2 - gitlab: upgrade to CE v8.6.2 ## 8.6.1 - gitlab: upgrade to CE v8.6.1 ## 8.6.0 - gitlab-shell: upgrade to v.2.6.11 - gitlab-workhorse: upgrade to v0.7.1 - gitlab: upgrade to CE v8.6.0 - exposed configuration parameters for auth0 OAUTH support - fixed relative_url support ## 8.5.8 - gitlab: upgrade to CE v8.5.8 ## 8.5.7 - gitlab: upgrade to CE v8.5.7 ## 8.5.5 - gitlab: upgrade to CE v8.5.5 ## 8.5.4 - gitlab: upgrade to CE v8.5.4 ## 8.5.3 - gitlab: upgrade to CE v8.5.3 ## 8.5.1 - gitlab: upgrade to CE v8.5.1 ## 8.5.0 - gitlab-workhorse: upgrade to v0.6.4 - gitlab: upgrade to CE v8.5.0 - firstrun: expose `GITLAB_ROOT_EMAIL` configuration option - expose `OAUTH_AUTO_LINK_SAML_USER` configuration parameter ## 8.4.4 - gitlab: upgrade to CE v8.4.4 ## 8.4.3 - gitlab: upgrade to CE v8.4.3 ## 8.4.2 - gitlab-workhorse: upgrade to v0.6.2 - gitlab: upgrade to CE v8.4.2 ## 8.4.1 - gitlab: upgrade to CE v8.4.1 ## 8.4.0-1 - `assets:precompile` moved back to build time ## 8.4.0 - gitlab-shell: upgrade to v.2.6.10 - gitlab-workhorse: upgrade to v0.6.1 - gitlab: upgrade to CE v8.4.0 - oauth: expose cas3 oauth configuration options - oauth: expose azure oauth configuration options - 
`assets:precompile` executed at runtime ## 8.3.4 - gitlab-workhorse: upgrade to v0.5.4 - gitlab: upgrade to CE v8.3.4 - expose `LDAP_TIMEOUT` configuration parameter ## 8.3.2 - gitlab: upgrade to CE v8.3.2 ## 8.3.1 - gitlab: upgrade to CE v8.3.1 ## 8.3.0-1 - fixed static asset routing when `GITLAB_RELATIVE_URL_ROOT` is used. ## 8.3.0 - `envsubst` is now used for updating the configurations - renamed config `CA_CERTIFICATES_PATH` to `SSL_CA_CERTIFICATES_PATH` - renamed config `GITLAB_HTTPS_HSTS_ENABLED` to `NGINX_HSTS_ENABLED` - renamed config `GITLAB_HTTPS_HSTS_MAXAGE` to `NGINX_HSTS_MAXAGE` - renamed config `GITLAB_BACKUPS` to `GITLAB_BACKUP_SCHEDULE` - gitlab-workhorse: upgrade to v0.5.1 - gitlab: upgrade to CE v8.3.0 - expose `GITLAB_MAX_OBJECT_SIZE` configuration parameter - removed `NGINX_MAX_UPLOAD_SIZE` configuration parameter - gitlab-shell: upgrade to v.2.6.9 ## 8.2.3 - fixed static asset routing when `GITLAB_RELATIVE_URL_ROOT` is used. - added `GITLAB_BACKUP_PG_SCHEMA` configuration parameter - gitlab: upgrade to CE v8.2.3 ## 8.2.2 - added `GITLAB_DOWNLOADS_DIR` configuration parameter - `DB_TYPE` parameter renamed to `DB_ADAPTER` with `mysql2` and `postgresql` as accepted values - exposed `DB_ENCODING` parameter - gitlab: upgrade to CE v8.2.2 ## 8.2.1-1 - fixed typo while setting the value of `GITLAB_ARTIFACTS_DIR` ## 8.2.1 - expose rack_attack configuration options - gitlab-shell: upgrade to v.2.6.8 - gitlab: upgrade to CE v8.2.1 - added `GITLAB_ARTIFACTS_ENABLED` configuration parameter - added `GITLAB_ARTIFACTS_DIR` configuration parameter ## 8.2.0 - gitlab-shell: upgrade to v.2.6.7 - gitlab-workhorse: upgrade to v.0.4.2 - gitlab: upgrade to CE v8.2.0 - added `GITLAB_SHARED_DIR` configuration parameter - added `GITLAB_LFS_OBJECTS_DIR` configuration parameter - added `GITLAB_PROJECTS_BUILDS` configuration parameter - added `GITLAB_LFS_ENABLED` configuration parameter ## 8.1.4 - gitlab: upgrade to CE v8.1.4 ## 8.1.3 - proper long-term fix for http/https 
cloning when `GITLAB_RELATIVE_URL_ROOT` is used - gitlab: upgrade to CE v8.1.3 - Expose Facebook OAUTH configuration parameters ## 8.1.2 - gitlab: upgrade to CE v8.1.2 - removed `GITLAB_SATELLITES_TIMEOUT` configuration parameter ## 8.1.0-2 - Recompile assets when `GITLAB_RELATIVE_URL_ROOT` is used Fixes #481 ## 8.1.0-1 - temporary fix for http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used ## 8.1.0 - gitlab: upgrade to CE v8.1.0 - gitlab-git-http-server: upgrade to v0.3.0 ## 8.0.5-1 - speed up container startup by compiling assets at image build time - test connection to redis-server ## 8.0.5 - gitlab: upgrade to CE v.8.0.5 ## 8.0.4-2 - fix http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used - allow user to override `OAUTH_ENABLED` setting ## 8.0.4-1 - update baseimage to `sameersbn/ubuntu:14.04.20151011` ## 8.0.4 - gitlab: upgrade to CE v.8.0.4 ## 8.0.3 - gitlab: upgrade to CE v.8.0.3 ## 8.0.2 - gitlab: upgrade to CE v.8.0.2 - added `IMAP_STARTTLS` parameter, defaults to `false` - expose oauth parameters for crowd server ## 8.0.0 - set default value of `DB_TYPE` to `postgres` - added sample Kubernetes rc and service description files - expose `GITLAB_BACKUP_ARCHIVE_PERMISSIONS` parameter - gitlab: upgrade to CE v.8.0.0 - added `GITLAB_SECRETS_DB_KEY_BASE` parameter - added `GITLAB_NOTIFY_ON_BROKEN_BUILDS` and `GITLAB_NOTIFY_PUSHER` parameters - added options to email IMAP and reply by email feature - set value of `GITLAB_EMAIL` to `SMTP_USER` if defined, else default to `example@example.com` - removed `GITLAB_ROBOTS_OVERRIDE` parameter. Override default `robots.txt` if `GITLAB_ROBOTS_PATH` exists. 
- added CI redirection using `GITLAB_CI_HOST` parameter ## 7.14.3 - gitlab: upgrade to CE v.7.14.3 ## 7.14.2 - Apply grsecurity policies to nodejs binary #394 - Fix broken emojis post migration #196 - gitlab-shell: upgrade to v.2.6.5 - gitlab: upgrade to CE v.7.14.2 ## 7.14.1 - gitlab: upgrade to CE v.7.14.1 ## 7.14.0 - gitlab-shell: upgrade to v.2.6.4 - gitlab: upgrade to CE v.7.14.0 ## 7.13.5 - gitlab: upgrade to CE v.7.13.5 ## 7.13.4 - gitlab: upgrade to CE v.7.13.4 ## 7.13.3 - gitlab: upgrade to CE v.7.13.3 ## 7.13.2 - gitlab: upgrade to CE v.7.13.2 ## 7.13.1 - gitlab: upgrade to CE v.7.13.1 ## 7.13.0 - expose SAML OAuth provider configuration - expose `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` configuration - gitlab: upgrade to CE v.7.13.0 ## 7.12.2-2 - enable persistence `.secret` file used in 2FA ## 7.12.2-1 - fixed gitlab:backup:restore raketask ## 7.12.2 - gitlab: upgrade to CE v.7.12.2 ## 7.12.1 - gitlab: upgrade to CE v.7.12.1 ## 7.12.0 - added `SMTP_TLS` configuration parameter - gitlab: upgrade to CE v.7.12.0 - added `OAUTH_AUTO_LINK_LDAP_USER` configuration parameter ## 7.11.4-1 - base image update to fix SSL vulnerability ## 7.11.4 - gitlab: upgrade to CE v.7.11.4 ## 7.11.3 - gitlab: upgrade to CE v.7.11.3 ## 7.11.2 - gitlab: upgrade to CE v.7.11.2 ## 7.11.0 - init: added `SIDEKIQ_MEMORY_KILLER_MAX_RSS` configuration option - init: added `SIDEKIQ_SHUTDOWN_TIMEOUT` configuration option - gitlab-shell: upgrade to v.2.6.3 - gitlab: upgrade to CE v.7.11.0 - init: removed `GITLAB_PROJECTS_VISIBILITY` ENV parameter ## 7.10.4 - gitlab: upgrade to CE v.7.10.4 ## 7.10.3 - gitlab: upgrade to CE v.7.10.3 ## 7.10.2 - init: added support for remote AWS backups - gitlab: upgrade to CE v.7.10.2 ## 7.10.1 - gitlab: upgrade to CE v.7.10.1 ## 7.10.0 - gitlab-shell: upgrade to v.2.6.2 - gitlab: upgrade to CE v.7.10.0 - init: removed ENV variables to configure *External Issue Tracker* integration - init: added `GITLAB_EMAIL_REPLY_TO` configuration option - init: added 
`LDAP_BLOCK_AUTO_CREATED_USERS` configuration option ## 7.9.4 - gitlab: upgrade to CE v.7.9.4 ## 7.9.3 - added `NGINX_PROXY_BUFFERING` option - added `NGINX_ACCEL_BUFFERING` option - added `GITLAB_GRAVATAR_ENABLED` option - added `GITLAB_GRAVATAR_HTTP_URL` option - added `GITLAB_GRAVATAR_HTTPS_URL` option - fixes: "transfer closed with xxx bytes remaining to read" error - gitlab: upgrade to CE v.7.9.3 ## 7.9.2 - gitlab: upgrade to CE v.7.9.2 ## 7.9.1 - init: set default value of `SMTP_OPENSSL_VERIFY_MODE` to `none` - gitlab: upgrade to CE v.7.9.1 ## 7.9.0 - gitlab-shell: upgrade to v.2.6.0 - gitlab: upgrade to CE v.7.9.0 - init: set default value of `UNICORN_WORKERS` to `3` - init: set default value of `SMTP_OPENSSL_VERIFY_MODE` to `peer` - init: removed `GITLAB_RESTRICTED_VISIBILITY` configuration option, can be set from the UI - init: added BitBucket OAuth configuration support - init: added `GITLAB_EMAIL_DISPLAY_NAME` configuration option ## 7.8.4 - gitlab: upgrade to CE v.7.8.4 ## 7.8.2 - gitlab: upgrade to CE v.7.8.2 ## 7.8.1 - gitlab-shell: upgrade to v.2.5.4 - gitlab: upgrade to CE v.7.8.1 ## 7.8.0 - update postgresql client to the latest version, Closes #249 - removed `GITLAB_SIGNUP` configuration option, can be set from gitlab ui - removed `GITLAB_SIGNIN` configuration option, can be set from gitlab ui - removed `GITLAB_PROJECTS_LIMIT` configuration option, can be set from gitlab ui - removed `GITLAB_GRAVATAR_ENABLED` configuration option, can be set from gitlab ui - gitlab-shell: upgrade to v.2.5.3 - gitlab: upgrade to CE v.7.8.0 - init: set `LDAP_PORT` default value to `389` - init: set `LDAP_METHOD` default value to `plain` - init: added gitlab oauth configuration support ## 7.7.2 - gitlab-shell: upgrade to v.2.4.2 - gitlab: upgrade to CE v.7.7.2 ## 7.7.1 - gitlab: upgrade to CE v.7.7.1 ## 7.7.0 - init: added GOOGLE_ANALYTICS_ID configuration option - added support for mantis issue tracker - fixed log rotation configuration - gitlab-shell: upgrade to 
v.2.4.1 - gitlab: upgrade to CE v.7.7.0 ## 7.6.2 - gitlab: upgrade to CE v.7.6.2 ## 7.6.1 - disable nginx ipv6 if host does not support it. - init: added GITLAB_BACKUP_TIME configuration option - gitlab: upgrade to CE v.7.6.1 ## 7.6.0 - add support for configuring piwik - gitlab-shell: upgrade to v.2.4.0 - gitlab: upgrade to CE v.7.6.0 ## 7.5.3 - accept `BACKUP` parameter while running the restore rake task, closes #220 - init: do not run `gitlab:satellites:create` rake task at startup - gitlab: upgrade to CE v.7.5.3 ## 7.5.2 - gitlab: upgrade to CE v.7.5.2 ## 7.5.1 - gitlab: upgrade to CE v.7.5.1 - gitlab-shell to v2.2.0 - added `GITLAB_TIMEZONE` configuration option - added `GITLAB_EMAIL_ENABLED` configuration option ## 7.4.4 - gitlab: upgrade to CE v.7.4.4 - added `SSL_VERIFY_CLIENT` configuration option - added `NGINX_WORKERS` configuration option - added `USERMAP_UID` and `USERMAP_GID` configuration option ## 7.4.3 - gitlab: upgrade to CE v.7.4.3 ## 7.4.2 - gitlab: upgrade to CE v.7.4.2 ## 7.4.0 - gitlab: upgrade to CE v.7.4.0 - config: added `LDAP_ACTIVE_DIRECTORY` configuration option - added SMTP_OPENSSL_VERIFY_MODE configuration option - feature: gitlab logs volume - automatically compile assets if relative_url is changed - launch all daemons via supervisord ## 7.3.2-1 - fix mysql status check ## 7.3.2 - upgrade to gitlab-ce 7.3.2 - removed internal mysql server - added support for fetching `DB_NAME`, `DB_USER` and `DB_PASS` from the postgresql linkage - added support for fetching `DB_NAME`, `DB_USER` and `DB_PASS` from the mysql linkage - gitlab-shell: upgrade to v.2.0.1 - added GITLAB_GRAVATAR_ENABLED configuration option - added fig.yml ## 7.3.1-3 - fix mysql command again! 
## 7.3.1-2 - fix mysql server status check ## 7.3.1-1 - plug bash vulnerability by switching to dash shell - automatically run the `gitlab:setup` rake task for new installs ## 7.3.1 - upgrade to gitlab-ce 7.3.1 ## 7.3.0 - upgrade to gitlab-ce 7.3.0 - added GITLAB_WEBHOOK_TIMEOUT configuration option - upgrade to gitlab-shell 2.0.0 - removed internal redis server - shutdown the container gracefully ## 7.2.2 - upgrade to gitlab-ce 7.2.2 - added GITLAB_HTTPS_HSTS_ENABLED configuration option (advanced config) - added GITLAB_HTTPS_HSTS_MAXAGE configuration option (advanced config) - upgrade to gitlab-shell 1.9.8 - purge development packages after install. shaves off ~300MB from the image. - rebase image on sameersbn/debian:jessie.20140918 base image - added GITLAB_SSH_HOST configuration option - added GITLAB_USERNAME_CHANGE configuration option ## 7.2.1-1 - removed the GITLAB_HTTPS_ONLY configuration option - added NGINX_X_FORWARDED_PROTO configuration option - optimization: talk directly to the unicorn worker from gitlab-shell ## 7.2.1 - upgrade to gitlab-ce 7.2.1 - added new SMTP_ENABLED configuration option. ## 7.2.0-1 - fix nginx static route handling when GITLAB_RELATIVE_URL_ROOT is used. - fix relative root access without the trailing '/' character - added separate server block for http config in gitlab.https.permissive. Fixes #127 - added OAUTH_GOOGLE_RESTRICT_DOMAIN config option. ## 7.2.0 - upgrade to gitlab-ce 7.2.0 - update to the sameersbn/ubuntu:14.04.20140818 baseimage - remove /var/lib/apt/lists to optimize image size. 
- disable UsePrivilegeSeparation in sshd configuration, fixes #122 - added OAUTH_BLOCK_AUTO_CREATED_USERS configuration option - added OAUTH_ALLOW_SSO configuration option - added github oauth configuration support - added twitter oauth configuration support - added google oauth configuration support - added support for jira issue tracker - added support for redmine issue tracker - update to gitlab-shell 1.9.7 - update to the sameersbn/ubuntu:14.04.20140812 baseimage ## 7.1.1 - removed "add_header X-Frame-Options DENY" setting from the nginx config. fixes #110 - upgrade to gitlab-ce 7.1.1 - run /etc/init.d/gitlab as git user, plays nicely with selinux ## 7.1.0 - removed GITLAB_SUPPORT configuration option - upgrade to gitlab-ce 7.1.0 - clone gitlab-ce and gitlab-shell sources from the git repo. - disable pam authentication module in sshd - update to the sameersbn/ubuntu:14.04.20140628 baseimage - no more root access over ssh, use nsenter instead - upgrade to nginx-1.6.x series from the nginx/stable ppa ## 7.0.0 - upgrade to gitlab-7.0.0 - fix repository and gitlab-satellites directory permissions. - added GITLAB_RESTRICTED_VISIBILITY configuration option - fix backup restore operation - upgrade to gitlab-shell 1.9.6 - added app:sanitize command - automatically migrate database when gitlab version is updated - upgrade to gitlab-shell 1.9.5 ## 6.9.2 - upgrade to gitlab-ce 6.9.2 ## 6.9.1 - upgrade to gitlab-ce 6.9.1 ## 6.9.0 - upgrade to gitlab-ce 6.9.0 - added GITLAB_RELATIVE_URL_ROOT configuration option - added NGINX_MAX_UPLOAD_SIZE configuration to specify the maximum acceptable size of attachments. ## 6.8.2 - upgrade to gitlab-ce 6.8.2 - renamed configuration option GITLAB_SHELL_SSH_PORT to GITLAB_SSH_PORT - added GITLAB_PROJECTS_VISIBILITY configuration option to specify the default project visibility level. - generate and store ssh host keys at the data store. 
- default GITLAB_PROJECTS_LIMIT is now set to 100 - use sameersbn/ubuntu:14.04.20140508 base image, the trusted build of sameersbn/ubuntu:14.04.20140505 seems to be broken - use sameersbn/ubuntu:14.04.20140505 base image - added CA_CERTIFICATES_PATH configuration option to specify trusted root certificates. - added SSL support - added SSL_DHPARAM_PATH configuration option to specify path of dhparam.pem file. - added SSL_KEY_PATH configuration option to specify path of ssl key. - added SSL_CERTIFICATE_PATH configuration option to specify path of ssl certificate - added GITLAB_HTTPS_ONLY configuration option to configure strict https only access - added SSL_SELF_SIGNED configuration option to specify use of self signed ssl certificates. - fix git over ssh when the default http/https ports are not used. - compile the assets only if it does not exist or if the gitlab version has changed. - upgrade gitlab-shell to version 1.9.4 - cache compiled assets to boost application startup. - fix symlink to uploads directory ## 6.8.1 - upgrade to gitlab-ce 6.8.1 ## 6.8.0 - upgrade to gitlab-shell 1.9.3 - added GITLAB_SIGNIN setting to enable or disable standard login form - upgraded to gitlab-ce version 6.8.0 - added support for linking with redis container. - use sameersbn/ubuntu as the base docker image - install postgresql-client to fix restoring backups when used with a postgresql database backend. ## 6.7.5 - upgrade gitlab to 6.7.5 - support linking to mysql and postgresql containers - added DEFAULT_PROJECTS_LIMIT configuration option ## 6.7.4 - upgrade gitlab to 6.7.4 - added SMTP_AUTHENTICATION configuration option, defaults to :login. - added LDAP configuration options. 
## 6.7.3 - upgrade gitlab to 6.7.3 - install ruby2.0 from ppa ## 6.7.2 - upgrade gitlab to 6.7.2 - upgrade gitlab-shell to 1.9.1 - reorganize repo - do not perform system upgrades () ## 6.6.5 - upgraded to gitlab-6.6.5 ## v6.6.4 - upgraded to gitlab-6.6.4 - added changelog - removed postfix mail delivery - added SMTP_DOMAIN configuration option - added SMTP_STARTTLS configuration option - added SMTP_DOMAIN configuration option - added DB_PORT configuration option - changed backup time to 4am (UTC) ## v6.6.2 - upgraded to gitlab-6.6.2 - added automated daily/monthly backups feature - documented ssh login details for maintenance tasks. - perform upgrade of git, nginx and other system packages - added GITLAB_SHELL_SSH_PORT configuration option - added app:rake command for executing gitlab rake tasks - documented hardware requirements ## v6.6.1 - upgraded to gitlabhq-6.6.1 - reformatted README

================================================ FILE: Dockerfile ================================================

# Base image is pinned to a dated Ubuntu noble tag so rebuilds start from the
# same layer rather than whatever "noble" points at today.
FROM ubuntu:noble-20260210.1

# GitLab CE release built into this image; overridable at build time.
ARG VERSION=18.9.2

# Pinned versions of every component the build fetches. RUBY_SOURCE_SHA256SUM
# is the expected digest of the Ruby source tarball (presumably checked by
# install.sh before the tarball is used; install.sh is not shown here).
# GITLAB_CACHE_DIR holds the build and runtime assets copied in below.
ENV GITLAB_VERSION=${VERSION} \
    RUBY_VERSION=3.3.10 \
    RUBY_SOURCE_SHA256SUM="b555baa467a306cfc8e6c6ed24d0d27b27e9a1bed1d91d95509859eac6b0e928" \
    RUBYGEMS_VERSION=4.0.8 \
    GOLANG_VERSION=1.25.8 \
    GITLAB_SHELL_VERSION=14.45.6 \
    GITLAB_PAGES_VERSION=18.9.2 \
    GITALY_SERVER_VERSION=18.9.2 \
    GITLAB_USER="git" \
    GITLAB_HOME="/home/git" \
    GITLAB_LOG_DIR="/var/log/gitlab" \
    GITLAB_CACHE_DIR="/etc/docker-gitlab" \
    RAILS_ENV=production \
    NODE_ENV=production \
    NO_SOURCEMAPS=true

# Second ENV so the paths can refer to GITLAB_HOME / GITLAB_CACHE_DIR above
# (a single ENV instruction cannot reference variables it defines itself).
ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \
    GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \
    GITLAB_GITALY_INSTALL_DIR="${GITLAB_HOME}/gitaly" \
    GITLAB_DATA_DIR="${GITLAB_HOME}/data" \
    GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \
    GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime"

# Bootstrap tooling needed to add third-party apt repositories (wget + gnupg2
# for keyrings, ca-certificates so the HTTPS key downloads below are verified).
# NOTE(review): `apt-get upgrade -y` pulls in whatever patches exist at build
# time, so two builds of this Dockerfile are not byte-identical; the pinned
# base tag only fixes the starting layer.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
      wget ca-certificates apt-transport-https gnupg2 \
 && apt-get upgrade -y \
 && rm -rf /var/lib/apt/lists/*

# Third-party apt repositories (git-core PPA, PostgreSQL PGDG, NodeSource,
# Yarn, nginx.org). Each signing key is downloaded over HTTPS, dearmored into
# its own file under /etc/apt/keyrings, and bound to exactly one repository
# via `signed-by=`, so no key can vouch for packages from another source.
# Several of the repository URLs themselves are plain http; apt verifies
# package signatures against the keyring, so the transport is not the trust
# boundary for those packages.
# The nginx.org pin (priority 900) makes nginx.org's packages win over
# Ubuntu's own nginx build.
# NOTE(review): the `wget ... | gpg --dearmor` pipelines run under /bin/sh
# with `set -e` but no pipefail, so a failed download is only caught if gpg
# itself exits non-zero; otherwise the error surfaces later as a missing-key
# failure at `apt-get update` — confirm that is acceptable.
# The second `set -ex` is redundant with the first; it changes nothing.
RUN set -ex && \
    mkdir -p /etc/apt/keyrings \
 && wget --quiet -O - https://keyserver.ubuntu.com/pks/lookup?op=get\&search=0xe1dd270288b4e6030699e45fa1715d88e1df1f24 | gpg --dearmor -o /etc/apt/keyrings/git-core.gpg \
 && echo "deb [signed-by=/etc/apt/keyrings/git-core.gpg] http://ppa.launchpad.net/git-core/ppa/ubuntu noble main" >> /etc/apt/sources.list \
 && wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/keyrings/postgres.gpg \
 && echo 'deb [signed-by=/etc/apt/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt/ noble-pgdg main' > /etc/apt/sources.list.d/pgdg.list \
 && wget --quiet -O - https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
 && echo 'deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main' > /etc/apt/sources.list.d/nodesource.list \
 && wget --quiet -O - https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor -o /etc/apt/keyrings/yarn.gpg \
 && echo 'deb [signed-by=/etc/apt/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list \
 && wget --quiet -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /etc/apt/keyrings/nginx-archive-keyring.gpg \
 && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu noble nginx" >> /etc/apt/sources.list.d/nginx.list \
 && printf "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" >> /etc/apt/preferences.d/99nginx \
 && set -ex \
 && apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
      sudo supervisor logrotate locales curl \
      meson \
      nginx openssh-server redis-tools \
      postgresql-client-13 postgresql-client-14 postgresql-client-15 postgresql-client-16 postgresql-client-17 \
      python3 python3-docutils nodejs yarn gettext-base graphicsmagick \
      libpq5 zlib1g libyaml-dev libssl-dev libgdbm-dev libre2-dev \
      libreadline-dev libncurses5-dev libffi-dev curl openssh-server libxml2-dev libxslt-dev \
      libcurl4-openssl-dev libicu-dev libkrb5-dev rsync python3-docutils pkg-config cmake \
      tzdata unzip libimage-exiftool-perl libmagic1 \
 && update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \
 && locale-gen en_US.UTF-8 \
 && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales \
 && rm -rf /var/lib/apt/lists/* /etc/nginx/conf.d/default.conf

# Build-time assets (install script, config templates, patches) are copied in
# and install.sh does the actual GitLab/Ruby/Go/Gitaly build.
COPY assets/build/ ${GITLAB_BUILD_DIR}/
RUN bash ${GITLAB_BUILD_DIR}/install.sh

# Runtime assets (config templates, env-defaults, helper functions) used by
# the entrypoint at container start.
COPY assets/runtime/ ${GITLAB_RUNTIME_DIR}/

COPY entrypoint.sh /sbin/entrypoint.sh
RUN chmod 755 /sbin/entrypoint.sh

# Shared-memory directory for multi-process Prometheus metrics.
ENV prometheus_multiproc_dir="/dev/shm"

# Supplied by the Makefile (`--build-arg`) and recorded as OCI-style labels.
ARG BUILD_DATE
ARG VCS_REF
LABEL \
    maintainer="sameer@damagehead.com" \
    org.label-schema.schema-version="1.0" \
    org.label-schema.build-date=${BUILD_DATE} \
    org.label-schema.name=gitlab \
    org.label-schema.vendor=damagehead \
    org.label-schema.url="https://github.com/sameersbn/docker-gitlab" \
    org.label-schema.vcs-url="https://github.com/sameersbn/docker-gitlab.git" \
    org.label-schema.vcs-ref=${VCS_REF} \
    com.damagehead.gitlab.license=MIT

# ssh (git over ssh), http and https.
EXPOSE 22/tcp 80/tcp 443/tcp
# Repositories/uploads/backups and logs live outside the container layer.
VOLUME ["${GITLAB_DATA_DIR}", "${GITLAB_LOG_DIR}"]
WORKDIR ${GITLAB_INSTALL_DIR}
# NOTE(review): there is no USER instruction, so the entrypoint starts as
# root; any drop to GITLAB_USER for the GitLab processes has to happen inside
# entrypoint.sh / supervisor — confirm.
ENTRYPOINT ["/sbin/entrypoint.sh"]
CMD ["app:start"]

================================================ FILE: LICENSE ================================================

The MIT License (MIT) Copyright (c) 2014 Sameer Naik Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or
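substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

================================================ FILE: Makefile ================================================
# Convenience targets for building the image and running a throwaway demo
# stack (postgresql + redis + gitlab) with plain `docker run`.  The demo
# targets use fixed container names and a hard-coded demo database password,
# so they are for local evaluation only; README.md (Quick Start) describes the
# settings needed for anything else.

# None of these targets produces a file of the same name.
.PHONY: all help build release quickstart stop purge logs

all: build

help:
	@echo ""
	@echo "-- Help Menu"
	@echo ""
	@echo " 1. make build - build the gitlab image"
	@echo " 2. make quickstart - start gitlab"
	@echo " 3. make stop - stop gitlab"
	@echo " 4. make logs - view logs"
	@echo " 5. make purge - stop and remove the container"

# BUILD_DATE and VCS_REF are passed through to the Dockerfile's ARGs and end
# up in the image's org.label-schema.* labels.
build:
	@docker build --tag=sameersbn/gitlab . \
		--build-arg BUILD_DATE="$(shell date +"%Y-%m-%d %H:%M:%S%:z")" \
		--build-arg VCS_REF=$(shell git rev-parse --short HEAD)

# Tags the image with the contents of VERSION.  VCS_REF has to be obtained via
# $(shell ...): a bare $(git describe ...) is a make variable reference that
# expands to the empty string, which left the vcs-ref label empty on release
# builds.
release: build
	@docker build --tag=sameersbn/gitlab:$(shell cat VERSION) . \
		--build-arg BUILD_DATE="$(shell date +"%Y-%m-%d %H:%M:%S%:z")" \
		--build-arg VCS_REF=$(shell git describe --tags --always)

# Demo stack.  DB_PASS=password is a throwaway credential for the linked demo
# database only.
# NOTE(review): README.md's Quick Start documents a PostgreSQL 16 image with
# DB_EXTENSION=pg_trgm,btree_gist and a set of GITLAB_SECRETS_* variables;
# this target sets neither -- confirm against the entrypoint before relying
# on it for more than a smoke test.
quickstart:
	@echo "Starting postgresql container..."
	@docker run --name=gitlab-postgresql -d \
		--env='DB_NAME=gitlabhq_production' \
		--env='DB_USER=gitlab' --env='DB_PASS=password' \
		sameersbn/postgresql:latest
	@echo "Starting redis container..."
	@docker run --name=gitlab-redis -d \
		sameersbn/redis:latest
	@echo "Starting gitlab container..."
	@docker run --name='gitlab-demo' -d \
		--link=gitlab-postgresql:postgresql --link=gitlab-redis:redisio \
		--publish=10022:22 --publish=10080:80 \
		--env='GITLAB_PORT=10080' --env='GITLAB_SSH_PORT=10022' \
		sameersbn/gitlab:latest
	@echo "Please be patient. This could take a while..."
	@echo "GitLab will be available at http://localhost:10080"
	@echo "Type 'make logs' for the logs"

# Stops the demo containers in reverse dependency order (app, then redis,
# then the database).
stop:
	@echo "Stopping gitlab..."
	@docker stop gitlab-demo >/dev/null
	@echo "Stopping redis..."
	@docker stop gitlab-redis >/dev/null
	@echo "Stopping postgresql..."
	@docker stop gitlab-postgresql >/dev/null

# Removes the stopped demo containers together with their anonymous volumes
# (-v), i.e. all demo data is discarded.
purge: stop
	@echo "Removing stopped containers..."
	@docker rm -v gitlab-demo >/dev/null
	@docker rm -v gitlab-redis >/dev/null
	@docker rm -v gitlab-postgresql >/dev/null

logs:
	@docker logs -f gitlab-demo

================================================ FILE: README.md ================================================
# sameersbn/gitlab:18.9.2

[![CircleCI](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master.svg?style=svg)](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master)

- [Introduction](#introduction)
- [Changelog](Changelog.md)
- [Contributing](#contributing)
- [Team](#team)
- [Issues](#issues)
- [Announcements](https://github.com/sameersbn/docker-gitlab/issues/39)
- [Prerequisites](#prerequisites)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Configuration](#configuration)
- [Data Store](#data-store)
- [Database](#database)
- [PostgreSQL (Recommended)](#postgresql)
- [External PostgreSQL Server](#external-postgresql-server)
- [Linking to PostgreSQL Container](#linking-to-postgresql-container)
- [Upgrading PostgreSQL](#upgrading-postgresql)
- [Redis](#redis)
- [Internal Redis Server](#internal-redis-server)
- [External Redis Server](#external-redis-server)
- [Linking to Redis Container](#linking-to-redis-container)
- [Mail](#mail)
- [Reply by email](#reply-by-email)
- [SSL](#ssl)
- [Generation of a Self Signed Certificate](#generation-of-a-self-signed-certificate)
- [Strengthening the server security](#strengthening-the-server-security)
- [Installation of the SSL Certificates](#installation-of-the-ssl-certificates)
- [Enabling HTTPS support](#enabling-https-support)
- [Configuring HSTS](#configuring-hsts)
- [Using HTTPS with a load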
balancer](#using-https-with-a-load-balancer) - [Establishing trust with your server](#establishing-trust-with-your-server) - [Installing Trusted SSL Server Certificates](#installing-trusted-ssl-server-certificates) - [Deploy to a subdirectory (relative url root)](#deploy-to-a-subdirectory-relative-url-root) - [OmniAuth Integration](#omniauth-integration) - [CAS3](#cas3) - [Authentiq](#authentiq) - [Google](#google) - [Twitter](#twitter) - [GitHub](#github) - [GitLab](#gitlab) - [BitBucket](#bitbucket) - [SAML](#saml) - [Crowd](#crowd) - [Microsoft Azure](#microsoft-azure) - [Generic OAuth2](#generic-oauth2) - [OpenID Connect](#openid-connect) - [JWT](#jwt) - [Gitlab Pages](#gitlab-pages) - [External Issue Trackers](#external-issue-trackers) - [Host UID / GID Mapping](#host-uid--gid-mapping) - [Piwik](#piwik) - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) - [Restoring Backups](#restoring-backups) - [Automated Backups](#automated-backups) - [Amazon Web Services (AWS) Remote Backups](#amazon-web-services-aws-remote-backups) - [Google Cloud Storage (GCS) Remote Backups](#google-cloud-storage-gcs-remote-backups) - [Rake Tasks](#rake-tasks) - [Import Repositories](#import-repositories) - [Upgrading](#upgrading) - [Shell Access](#shell-access) - [Monitoring](#monitoring) - [Health Check](#health-check) - [Container Registry](docs/container_registry.md) - [Deploy in Docker Swarm mode, with HTTPS handled by Traefik proxy and Docker Registry](docs/docker-swarm-traefik-registry.md) - [References](#references) ## Introduction Dockerfile to build a [GitLab](https://about.gitlab.com/) image for the [Docker](https://www.docker.com/products/docker-engine) open source container platform. 
GitLab CE is set up in the Docker image using the [install from source](https://docs.gitlab.com/ce/install/installation.html) method as documented in the official GitLab documentation.

For other methods to install GitLab please refer to the [Official GitLab Installation Guide](https://about.gitlab.com/install/) which includes a [GitLab image for Docker](https://docs.gitlab.com/omnibus/docker/).

## Contributing

If you find this image useful here's how you can help:

- Send a Pull Request with your awesome new features and bug fixes
- Be a part of the community and help resolve [Issues](https://github.com/sameersbn/docker-gitlab/issues)
- Support the development of this image with a [donation](http://www.damagehead.com/donate/)

## Team

- Niclas Mietz ([solidnerd](https://github.com/solidnerd))
- Sameer Naik ([sameersbn](https://github.com/sameersbn))

See [Contributors](../../graphs/contributors) for the complete list of developers that have contributed to this project.

## Issues

Docker is actively being developed and tested by a thriving community of developers and testers and every release of Docker features many enhancements and bugfixes. Given the nature of the development and release cycle it is very important that you have the latest version of Docker installed because any issue that you encounter might have already been fixed with a newer Docker release.

Install the most recent version of the Docker Engine for your platform using the [official Docker releases](http://docs.docker.com/engine/installation/), which can also be installed using the script below (download and review the script before piping it to a shell):

```bash
wget -qO- https://get.docker.com/ | sh
```

Fedora and RHEL/CentOS users should try disabling selinux with `setenforce 0` and check if that resolves the issue (relabelling the volume with `chcon`, as shown in the [Data Store](#data-store) section, is the preferred fix for volume access problems). If it does, then there is not much that I can help you with. You can either stick with selinux disabled (not recommended by redhat) or switch to using ubuntu.
You may also set `DEBUG=true` to enable debugging of the entrypoint script, which could help you pinpoint any configuration issues. If using the latest docker version and/or disabling selinux does not fix the issue then please file an issue request on the [issues](https://github.com/sameersbn/docker-gitlab/issues) page. In your issue report please make sure you provide the following information: - The host distribution and release version. - Output of the `docker version` command - Output of the `docker info` command - The `docker run` command you used to run the image (mask out the sensitive bits). ## Prerequisites Your docker host needs to have 1GB or more of available RAM to run GitLab. Please refer to the GitLab [hardware requirements](https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/requirements.md#hardware-requirements) documentation for additional information. ## Installation Automated builds of the image are available on [Dockerhub](https://hub.docker.com/r/sameersbn/gitlab) and is the recommended method of installation. ```bash docker pull sameersbn/gitlab:18.9.2 ``` You can also pull the `latest` tag which is built from the repository *HEAD* ```bash docker pull sameersbn/gitlab:latest ``` Alternatively you can build the image locally. ```bash docker build -t sameersbn/gitlab github.com/sameersbn/docker-gitlab ``` ## Quick Start The quickest way to get started is using [docker-compose](https://docs.docker.com/compose/). ```bash wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml ``` Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following: - `GITLAB_SECRETS_OTP_KEY_BASE` is used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA. 
- `GITLAB_SECRETS_DB_KEY_BASE` is used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets. - `GITLAB_SECRETS_SECRET_KEY_BASE` is used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset. - `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` is used for reading settings from encrypted files such as SMTP or LDAP credentials. > **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`. Also generate random strings that are typically `32` characters long for each of: - `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` - `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` - `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT` These values are used for `ActiveRecord::Encryption` encrypted columns. Details can be found under [Active Record Encryption](https://guides.rubyonrails.org/active_record_encryption.html). Start GitLab using: ```bash docker-compose up ``` Alternatively, you can manually launch the `gitlab` container and the supporting `postgresql` and `redis` containers by following this three step guide. Step 1. Launch a postgresql container ```bash docker run --name gitlab-postgresql -d \ --env 'DB_NAME=gitlabhq_production' \ --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ --env 'DB_EXTENSION=pg_trgm,btree_gist' \ --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \ kkimurak/sameersbn-postgresql:16 ``` Step 2. Launch a redis container ```bash docker run --name gitlab-redis -d \ --volume /srv/docker/gitlab/redis:/data \ redis:7 ``` Step 3. 
Launch the gitlab container ```bash docker run --name gitlab -d \ --link gitlab-postgresql:postgresql --link gitlab-redis:redisio \ --publish 10022:22 --publish 10080:80 \ --env 'GITLAB_PORT=10080' --env 'GITLAB_SSH_PORT=10022' \ --env 'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \ --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \ --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \ --env 'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \ --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alpha-numeric-string"]' \ --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alpha-numeric-string"]' \ --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alpha-numeric-string' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:18.9.2 ``` *Please refer to [Available Configuration Parameters](#available-configuration-parameters) to understand `GITLAB_PORT` and other configuration options* **NOTE**: Please allow a couple of minutes for the GitLab application to start. Point your browser to `http://localhost:10080` and set a password for the `root` user account. You should now have the GitLab application up and ready for testing. If you want to use this image in production then please read on. *The rest of the document will use the docker command line. You can quite simply adapt your configuration into a `docker-compose.yml` file if you wish to do so.* ## Configuration ### Data Store GitLab is a code hosting software and as such you don't want to lose your code when the docker container is stopped/deleted. 
To avoid losing any data, you should mount a volume at:

- `/home/git/data`

*Note: if you are using the `docker-compose` approach, you must "inspect" the volumes (`docker volume inspect`) to check the mounted path.*

SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.

```bash
mkdir -p /srv/docker/gitlab/gitlab
sudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/gitlab
```

Volumes can be mounted in docker by specifying the `-v` option in the docker run command.

```bash
docker run --name gitlab -d \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:18.9.2
```

### Database

GitLab uses a database backend to store its data. You can configure this image to use PostgreSQL.

*Note:* GitLab requires PostgreSQL now. So use an older image < 12.1 or migrate to PostgreSQL.

#### PostgreSQL

**Important note:** This image is shipped with different versions of the `postgresql-client`. During the startup of the container, the major version of the database system is checked based on the specified connection destination. Only the version of the `postgresql-client` that matches the major version of the Postgres database is used. If none of the included clients matches the server's major version, the latest client is used (which may cause issues). All other versions of the `postgresql-client` are deleted at runtime. This behavior can be checked using the command `docker logs`; output like the following should be available:

````sh
…
Configuring gitlab::database
- Installing postgresql client to avoid version mismatch on dumping
-- Detected server version: 160009
- Generating /home/git/.postgresqlrc 16 postgresql:5432 gitlabhq_production
- Uninstalling unused client(s): postgresql-client-13 postgresql-client-14 postgresql-client-15 postgresql-client-17
…
````

Please note furthermore that only versions of the `postgresql-client` compatible with GitLab are shipped with this image.
Currently, these belong to - `postgresql-client-13`, - `postgresql-client-14`, - `postgresql-client-15`, - `postgresql-client-16`, - and `postgresql-client-17`. ***Notes:*** - GitLab CE version 13.7.0 and later requires PostgreSQL version 12.x. - GitLab CE version 16.0.0 and later requires PostgreSQL version 13.x. - GitLab CE version 17.0.0 and later requires PostgreSQL version 14.x. - GitLab CE version 18.0.0 and later requires PostgreSQL version 16.x. ##### External PostgreSQL Server The image also supports using an external PostgreSQL Server. This is also controlled via environment variables. ```sql CREATE ROLE gitlab with LOGIN CREATEDB PASSWORD 'password'; CREATE DATABASE gitlabhq_production; GRANT ALL PRIVILEGES ON DATABASE gitlabhq_production to gitlab; ``` Additionally, since GitLab `8.6.0` the `pg_trgm` extension should also be loaded for the `gitlabhq_production` database. We are now ready to start the GitLab application. *Note:* The following applies assuming that the PostgreSQL server host is `192.168.1.100`. ```bash docker run --name gitlab -d \ --env 'DB_HOST=192.168.1.100' \ --env 'DB_NAME=gitlabhq_production' \ --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:18.9.2 ``` ##### Linking to PostgreSQL Container You can link this image with a postgresql container for the database requirements. The alias of the postgresql server container should be set to **postgresql** while linking with the gitlab image. If a postgresql container is linked, only the `DB_HOST` and `DB_PORT` settings are automatically retrieved using the linkage. You may still need to set other database connection parameters such as the `DB_NAME`, `DB_USER`, `DB_PASS` and so on. To illustrate linking with a postgresql container, we will use the [sameersbn/postgresql](https://github.com/sameersbn/docker-postgresql) image. When using postgresql image in production you should mount a volume for the postgresql data store. 
Please refer the [README](https://github.com/sameersbn/docker-postgresql/blob/master/README.md) of docker-postgresql for details. First, let's pull the postgresql image from the docker index. ```bash docker pull kkimurak/sameersbn-postgresql:16 ``` For data persistence lets create a store for the postgresql and start the container. SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux. ```bash mkdir -p /srv/docker/gitlab/postgresql sudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/postgresql ``` The run command looks like this. ```bash docker run --name gitlab-postgresql -d \ --env 'DB_NAME=gitlabhq_production' \ --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ --env 'DB_EXTENSION=pg_trgm' \ --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \ kkimurak/sameersbn-postgresql:16 ``` The above command will create a database named `gitlabhq_production` and also create a user named `gitlab` with the password `password` with access to the `gitlabhq_production` database. We are now ready to start the GitLab application. ```bash docker run --name gitlab -d --link gitlab-postgresql:postgresql \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:18.9.2 ``` Here the image will also automatically fetch the `DB_NAME`, `DB_USER` and `DB_PASS` variables from the postgresql container as they are specified in the `docker run` command for the postgresql container. This is made possible using the magic of docker links and works with the following images: - [postgres](https://hub.docker.com/_/postgres/), - [kkimurak/sameersbn-postgresql](https://hub.docker.com/r/kkimurak/sameersbn-postgresql), or - [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) . ##### Upgrading PostgreSQL When this Gitlab image upgrades its dependency on specific version of PostgreSQL you will need to make sure to use corresponding version of PostgreSQL. 
If you are setting up a brand new install, there is no data migration involved. However, if you already have an existing setup, the PostgreSQL data will need to be migrated as you are upgrading the version of PostgreSQL.

If you are using a PostgreSQL image other than [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) you will need to make sure that the image you are using can handle the migration itself, **or**, you will need to migrate the data yourself before starting the newer version of PostgreSQL.

The following project provides a Docker image that handles migration of PostgreSQL data: [tianon/postgres-upgrade](https://hub.docker.com/r/tianon/postgres-upgrade/)

After migration of the data, verify that other PostgreSQL configuration files in its data folder are copied over as well. One such file is `pg_hba.conf`; it will need to be copied from the old version's data folder into the new version's data folder.

### Redis

GitLab uses the redis server for its key-value data store. The redis server connection details can be specified using environment variables.

#### Internal Redis Server

The internal redis server has been removed from the image. Please use a [linked redis](#linking-to-redis-container) container or specify an [external redis](#external-redis-server) connection.

#### External Redis Server

The image can be configured to use an external redis server. The configuration should be specified using environment variables while starting the GitLab image.

*Note:* The following applies assuming that the redis server host is `192.168.1.100`.

```bash
docker run --name gitlab -it --rm \
    --env 'REDIS_HOST=192.168.1.100' --env 'REDIS_PORT=6379' \
    sameersbn/gitlab:18.9.2
```

#### Linking to Redis Container

You can link this image with a redis container to satisfy gitlab's redis requirement. The alias of the redis server container should be set to **redisio** while linking with the gitlab image.
To illustrate linking with a redis container, we will use the [redis](https://github.com/docker-library/redis) image. Please refer the [README](https://github.com/docker-library/docs/blob/master/redis/README.md) for details. First, let's pull the redis image from the docker index. ```bash docker pull redis:7 ``` Lets start the redis container ```bash docker run --name gitlab-redis -d \ --volume /srv/docker/gitlab/redis:/data \ redis:7 ``` We are now ready to start the GitLab application. ```bash docker run --name gitlab -d --link gitlab-redis:redisio \ sameersbn/gitlab:18.9.2 ``` #### Mail The mail configuration should be specified using environment variables while starting the GitLab image. The configuration defaults to using gmail to send emails and requires the specification of a valid username and password to login to the gmail servers. If you are using Gmail then all you need to do is: ```bash docker run --name gitlab -d \ --env 'SMTP_USER=USER@gmail.com' --env 'SMTP_PASS=PASSWORD' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:18.9.2 ``` Please refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of SMTP parameters that can be specified. ##### Reply by email Since version `8.0.0` GitLab adds support for commenting on issues by replying to emails. To enable this feature you need to provide IMAP configuration parameters that will allow GitLab to connect to your mail server and read mails. Additionally, you may need to specify `GITLAB_INCOMING_EMAIL_ADDRESS` if your incoming email address is not the same as the `IMAP_USER`. If your email provider supports email [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) then you should add the `+%{key}` placeholder after the user part of the email address, eg. `GITLAB_INCOMING_EMAIL_ADDRESS=reply+%{key}@example.com`. 
Please read the [documentation on reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) to understand the requirements for this feature. If you are using Gmail then all you need to do is: ```bash docker run --name gitlab -d \ --env 'IMAP_USER=USER@gmail.com' --env 'IMAP_PASS=PASSWORD' \ --env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:18.9.2 ``` Please refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of IMAP parameters that can be specified. #### SSL Access to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self-signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section. Jump to the [Using HTTPS with a load balancer](#using-https-with-a-load-balancer) section if you are using a load balancer such as hipache, haproxy or nginx. To secure your application via SSL you basically need two things: - **Private key (.key)** - **SSL certificate (.crt)** When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip to [Strengthening the server security](#strengthening-the-server-security) section if you are armed with CA certified SSL certificates. 
##### Generation of a Self Signed Certificate Generation of a self-signed SSL certificate involves a simple 3-step procedure: **STEP 1**: Create the server private key ```bash openssl genrsa -out gitlab.key 2048 ``` **STEP 2**: Create the certificate signing request (CSR) ```bash openssl req -new -key gitlab.key -out gitlab.csr ``` **STEP 3**: Sign the certificate using the private key and CSR ```bash openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt ``` Congratulations! You now have a self-signed SSL certificate valid for 10 years. ##### Strengthening the server security This section provides you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). To achieve this we need to generate stronger DHE parameters. ```bash openssl dhparam -out dhparam.pem 2048 ``` ##### Installation of the SSL Certificates Out of the four files generated above, we need to install the `gitlab.key`, `gitlab.crt` and `dhparam.pem` files at the gitlab server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again). The default path that the gitlab application is configured to look for the SSL certificates is at `/home/git/data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options. If you remember from above, the `/home/git/data` path is the path of the [data store](#data-store), which means that we have to create a folder named `certs/` inside the volume to where `/home/git/data` point and copy the files into it and as a measure of security we'll update the permission on the `gitlab.key` file to only be readable by the owner. In case use of docker-compose ... 
```bash
docker volume inspect
```

Look for "< user >_gitlab-data" and copy the "certs" directory into the "Mountpoint".

```bash
mkdir -p /srv/docker/gitlab/gitlab/certs
cp gitlab.key /srv/docker/gitlab/gitlab/certs/
cp gitlab.crt /srv/docker/gitlab/gitlab/certs/
cp dhparam.pem /srv/docker/gitlab/gitlab/certs/
chmod 400 /srv/docker/gitlab/gitlab/certs/gitlab.key
```

Great! We are now just one step away from having our application secured.

##### Enabling HTTPS support

HTTPS support can be enabled by setting the `GITLAB_HTTPS` option to `true`. Additionally, when using self-signed SSL certificates you need to set the `SSL_SELF_SIGNED` option to `true` as well.

Assuming we are using self-signed certificates:

```bash
docker run --name gitlab -d \
    --publish 10022:22 --publish 10080:80 --publish 10443:443 \
    --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=10443' \
    --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:18.9.2
```

In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer.

##### Configuring HSTS

HSTS, if supported by the browser, makes sure that your users will only reach your server via HTTPS. On the first visit the browser receives a header from the server stating for how long from now this site should only be reached via HTTPS - that is the HSTS max-age value. With `NGINX_HSTS_MAXAGE` you can configure that value. The default value is `31536000` seconds. If you want to disable an already sent HSTS max-age value, set it to `0`.

```bash
docker run --name gitlab -d \
    --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
    --env 'NGINX_HSTS_MAXAGE=2592000' \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:18.9.2
```

If you want to completely disable HSTS set `NGINX_HSTS_ENABLED` to `false`.
##### Using HTTPS with a load balancer

Load balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates is not required and they should **NOT** be installed in the container. The SSL configuration has to instead be done at the load balancer. Because the container then serves plain http, make sure its http port is reachable only from the load balancer and not directly from clients.

However, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true`. Additionally, you will need to set the `SSL_SELF_SIGNED` option to `true` if self-signed SSL certificates are in use.

With this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer to [Using SSL/HTTPS with HAProxy](http://seanmcgary.com/posts/using-sslhttps-with-haproxy) for information on the subject.

When using a load balancer, you probably want to make sure the load balancer performs the automatic http to https redirection. Information on this can also be found in the link above.

In summary, when using a load balancer, the docker command would look for the most part something like this:

```bash
docker run --name gitlab -d \
    --publish 10022:22 --publish 10080:80 \
    --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=443' \
    --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:18.9.2
```

Again, drop the `--env 'SSL_SELF_SIGNED=true'` option if you are using CA certified SSL certificates.

In case GitLab responds to any kind of POST request (login, OAUTH, changing settings etc.) with a 422 HTTP Error, consider adding this to your reverse proxy configuration: `proxy_set_header X-Forwarded-Ssl on;` (nginx format)

##### Establishing trust with your server

This section deals with self-signed ssl certificates. If you are using CA certified certificates, you're done.
This section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they are. This is simply done by adding the server's certificate into their list of trusted certificates.

On ubuntu, this is done by copying the `gitlab.crt` file to `/usr/local/share/ca-certificates/` and executing `update-ca-certificates`.

Again, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. In short, distribute the `gitlab.crt` file among your developers and ask them to add it to their list of trusted ssl certificates. Failure to do so will result in errors that look like this:

```bash
git clone https://git.local.host/gitlab-foss.git
fatal: unable to access 'https://git.local.host/gitlab-foss.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
```

You can do the same at the web browser. Instructions for installing the root certificate for firefox can be found [here](http://portal.threatpulse.com/docs/sol/Content/03Solutions/ManagePolicy/SSL/ssl_firefox_cert_ta.htm). You will find similar options in Chrome; just make sure you install the certificate under the authorities tab of the certificate manager dialog.

There you have it, that's all there is to it.

##### Installing Trusted SSL Server Certificates

If your GitLab CI server is using self-signed SSL certificates then you should make sure the GitLab CI server certificate is trusted on the GitLab server for them to be able to talk to each other.

The default path at which the image looks for the trusted SSL certificates is `/home/git/data/certs/ca.crt`; this can however be changed using the `SSL_CA_CERTIFICATES_PATH` configuration option.

Copy the `ca.crt` file into the certs directory on the [datastore](#data-store).
The `ca.crt` file should contain the root certificates of all the servers you want to trust. With respect to GitLab CI, this will be the contents of the gitlab_ci.crt file as described in the [README](https://github.com/sameersbn/docker-gitlab-ci/blob/master/README.md#ssl) of the [docker-gitlab-ci](https://github.com/sameersbn/docker-gitlab-ci) container. By default, our own server certificate [gitlab.crt](#generation-of-a-self-signed-certificate) is added to the trusted certificates list. #### Deploy to a subdirectory (relative url root) By default, GitLab expects that your application is running at the root (e.g.. /). This section explains how to run your application inside a directory. Let's assume we want to deploy our application to '/git'. GitLab needs to know this directory to generate the appropriate routes. This can be specified using the `GITLAB_RELATIVE_URL_ROOT` configuration option like so: ```bash docker run --name gitlab -it --rm \ --env 'GITLAB_RELATIVE_URL_ROOT=/git' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:18.9.2 ``` GitLab will now be accessible at the `/git` path, e.g. `http://www.example.com/git`. **Note**: *The `GITLAB_RELATIVE_URL_ROOT` parameter should always begin with a slash and* **SHOULD NOT** *have any trailing slashes.* #### OmniAuth Integration GitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and other popular services. Configuring OmniAuth does not prevent standard GitLab authentication or LDAP (if configured) from continuing to work. Users can choose to sign in using any of the configured mechanisms. Refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/omniauth.html) for additional information. ##### CAS3 To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: `https://git.example.com:443/users/auth/cas3/callback?url`. 
By default handling for SLO is enabled, you only need to configure CAS for backchannel logout. For example, if your cas server url is `https://sso.example.com`, then adding `--env 'OAUTH_CAS3_SERVER=https://sso.example.com'` to the docker run command enables support for CAS3 OAuth. Please refer to [Available Configuration Parameters](#available-configuration-parameters) for additional CAS3 configuration parameters. ##### Authentiq To enable the Authentiq OmniAuth provider for passwordless authentication you must register an application with [Authentiq](https://www.authentiq.com/). Please refer to the GitLab [documentation](https://docs.gitlab.com/ce/administration/auth/authentiq.html) for the procedure to generate the client ID and secret key with Authentiq. Once you have the API client id and client secret generated, configure them using the `OAUTH_AUTHENTIQ_CLIENT_ID` and `OAUTH_AUTHENTIQ_CLIENT_SECRET` environment variables respectively. For example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_AUTHENTIQ_CLIENT_ID=xxx' --env 'OAUTH_AUTHENTIQ_CLIENT_SECRET=yyy'` to the docker run command enables support for Authentiq OAuth. You may want to specify `OAUTH_AUTHENTIQ_REDIRECT_URI` as well. The OAuth scope can be altered as well with `OAUTH_AUTHENTIQ_SCOPE` (defaults to `'aq:name email~rs address aq:push'`). ##### Google To enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/google.html) for the procedure to generate the client ID and secret key with google. Once you have the client ID and secret keys generated, configure them using the `OAUTH_GOOGLE_API_KEY` and `OAUTH_GOOGLE_APP_SECRET` environment variables respectively. 
For example, if your client ID is `xxx.apps.googleusercontent.com` and client secret key is `yyy`, then adding `--env 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' --env 'OAUTH_GOOGLE_APP_SECRET=yyy'` to the docker run command enables support for Google OAuth. You can also restrict logins to a single domain by adding `--env "OAUTH_GOOGLE_RESTRICT_DOMAIN='example.com'"`. ##### Facebook To enable the Facebook OAuth2 OmniAuth provider you must register your application with Facebook. Facebook will generate an API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/facebook.html) for the procedure to generate the API key and secret. Once you have the API key and secret generated, configure them using the `OAUTH_FACEBOOK_API_KEY` and `OAUTH_FACEBOOK_APP_SECRET` environment variables respectively. For example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_FACEBOOK_API_KEY=xxx' --env 'OAUTH_FACEBOOK_APP_SECRET=yyy'` to the docker run command enables support for Facebook OAuth. ##### Twitter To enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate an API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/twitter.html) for the procedure to generate the API key and secret with twitter. Once you have the API key and secret generated, configure them using the `OAUTH_TWITTER_API_KEY` and `OAUTH_TWITTER_APP_SECRET` environment variables respectively. For example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_TWITTER_API_KEY=xxx' --env 'OAUTH_TWITTER_APP_SECRET=yyy'` to the docker run command enables support for Twitter OAuth. ##### GitHub To enable the GitHub OAuth2 OmniAuth provider you must register your application with GitHub. GitHub will generate a Client ID and secret for you to use. 
Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/github.html) for the procedure to generate the Client ID and secret with github. Once you have the Client ID and secret generated, configure them using the `OAUTH_GITHUB_API_KEY` and `OAUTH_GITHUB_APP_SECRET` environment variables respectively. For example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_GITHUB_API_KEY=xxx' --env 'OAUTH_GITHUB_APP_SECRET=yyy'` to the docker run command enables support for GitHub OAuth. Users of GitHub Enterprise may want to specify `OAUTH_GITHUB_URL` and `OAUTH_GITHUB_VERIFY_SSL` as well. ##### GitLab To enable the GitLab OAuth2 OmniAuth provider you must register your application with GitLab. GitLab will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/gitlab.html) for the procedure to generate the Client ID and secret with GitLab. Once you have the Client ID and secret generated, configure them using the `OAUTH_GITLAB_API_KEY` and `OAUTH_GITLAB_APP_SECRET` environment variables respectively. For example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_GITLAB_API_KEY=xxx' --env 'OAUTH_GITLAB_APP_SECRET=yyy'` to the docker run command enables support for GitLab OAuth. ##### BitBucket To enable the BitBucket OAuth2 OmniAuth provider you must register your application with BitBucket. BitBucket will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/bitbucket.html) for the procedure to generate the Client ID and secret with BitBucket. Once you have the Client ID and secret generated, configure them using the `OAUTH_BITBUCKET_API_KEY` and `OAUTH_BITBUCKET_APP_SECRET` environment variables respectively. 
For example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_BITBUCKET_API_KEY=xxx' --env 'OAUTH_BITBUCKET_APP_SECRET=yyy'` to the docker run command enables support for BitBucket OAuth. ##### SAML GitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as Microsoft ADFS to authenticate users. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/saml.html). The following parameters have to be configured to enable SAML OAuth support in this image: `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL`, `OAUTH_SAML_IDP_CERT_FINGERPRINT`, `OAUTH_SAML_IDP_SSO_TARGET_URL`, `OAUTH_SAML_ISSUER` and `OAUTH_SAML_NAME_IDENTIFIER_FORMAT`. You can also override the default "Sign in with" button label with `OAUTH_SAML_LABEL`. Please refer to [Available Configuration Parameters](#available-configuration-parameters) for the default configurations of these parameters. ##### Crowd To enable the Crowd server OAuth2 OmniAuth provider you must register your application with Crowd server. Configure GitLab to enable access the Crowd server by specifying the `OAUTH_CROWD_SERVER_URL`, `OAUTH_CROWD_APP_NAME` and `OAUTH_CROWD_APP_PASSWORD` environment variables. ##### Auth0 To enable the Auth0 OmniAuth provider you must register your application with [auth0](https://auth0.com/). Configure the following environment variables `OAUTH_AUTH0_CLIENT_ID`, `OAUTH_AUTH0_CLIENT_SECRET` and `OAUTH_AUTH0_DOMAIN` to complete the integration. ##### Microsoft Azure To enable the Microsoft Azure OAuth2 OmniAuth provider you must register your application with Azure. Azure will generate a Client ID, Client secret and Tenant ID for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/azure.html) for the procedure. 
Once you have the Client ID, Client secret and Tenant ID generated, configure them using the `OAUTH_AZURE_API_KEY`, `OAUTH_AZURE_API_SECRET` and `OAUTH_AZURE_TENANT_ID` environment variables respectively. For example, if your Client ID is `xxx`, the Client secret is `yyy` and the Tenant ID is `zzz`, then adding `--env 'OAUTH_AZURE_API_KEY=xxx' --env 'OAUTH_AZURE_API_SECRET=yyy' --env 'OAUTH_AZURE_TENANT_ID=zzz'` to the docker run command enables support for Microsoft Azure OAuth. You can also configure the v2 endpoint (`azure_activedirectory_v2`) by using the `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID`, `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET` and `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID` environment variables. Optionally you can change the label of the login button using `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL`. ##### Generic OAuth2 To enable the Generic OAuth2 provider, you must register your application with your provider. You also need to confirm the OAuth2 provider app's ID and secret, the client options and the user's response structure. As an example, this configuration has been tested with Keycloak, with the following variables: `OAUTH2_GENERIC_APP_ID`, `OAUTH2_GENERIC_APP_SECRET`, `OAUTH2_GENERIC_CLIENT_SITE`, `OAUTH2_GENERIC_CLIENT_USER_INFO_URL`, `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL`, `OAUTH2_GENERIC_CLIENT_TOKEN_URL`, `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT`, `OAUTH2_GENERIC_ID_PATH`, `OAUTH2_GENERIC_USER_UID`, `OAUTH2_GENERIC_USER_NAME`, `OAUTH2_GENERIC_USER_EMAIL`, `OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE`, `OAUTH2_GENERIC_LABEL` and `OAUTH2_GENERIC_NAME`. See [GitLab documentation](https://docs.gitlab.com/ee/integration/oauth2_generic.html#sign-into-gitlab-with-almost-any-oauth2-provider) and [Omniauth-oauth2-generic documentation](https://gitlab.com/satorix/omniauth-oauth2-generic) for more details. ##### OpenID Connect To enable the OpenID Connect provider, you must register your application with your provider. 
You also need to confirm the OpenID Connect provider app's ID and secret, the client options and the user's response structure. To use OIDC set at least `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID`. You will normally also need to set `OAUTH_OIDC_CLIENT_SECRET` to the secret issued by your provider rather than relying on the default shown below. | GitLab setting | environment variable | default value | |--------------------------------|-------------------------------------|--------------------------------| | `label` | `OAUTH_OIDC_LABEL` | `OpenID Connect` | | `icon` | `OAUTH_OIDC_ICON` | | | `scope` | `OAUTH_OIDC_SCOPE` | `['openid','profile','email']` | | `response_type` | `OAUTH_OIDC_RESPONSE_TYPE` | `code` | | `issuer` | `OAUTH_OIDC_ISSUER` | | | `discovery` | `OAUTH_OIDC_DISCOVERY` | `true` | | `client_auth_method` | `OAUTH_OIDC_CLIENT_AUTH_METHOD` | `basic` | | `uid_field` | `OAUTH_OIDC_UID_FIELD` | `sub` | | `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` | `false` | | `pkce` | `OAUTH_OIDC_PKCE` | `true` | | `client_options.identifier` | `OAUTH_OIDC_CLIENT_ID` | | | `client_options.secret` | `OAUTH_OIDC_CLIENT_SECRET` | `secret` | | `client_options.redirect_uri` | `OAUTH_OIDC_REDIRECT_URI` | `http://${GITLAB_HOST}/users/auth/openid_connect/callback` or `https://${GITLAB_HOST}/users/auth/openid_connect/callback` depending on the value of `GITLAB_HTTPS` | See [GitLab OIDC documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) and [OmniAuth OpenID Connect documentation](https://github.com/omniauth/omniauth_openid_connect/). ##### JWT To enable the JWT OmniAuth provider, you must configure it with the secret key shared with the external service that issues the tokens. To use JWT set at least `OAUTH_JWT_SECRET` and `OAUTH_JWT_AUTH_URL`. 
| GitLab setting | environment variable | default value | | ------------------------------ | ----------------------------------- | -------------------------------| | `label` | `OAUTH_JWT_LABEL` | `Jwt` | | `secret` | `OAUTH_JWT_SECRET` | | | `algorithm` | `OAUTH_JWT_ALGORITHM` | `HS256` | | `uid_claim` | `OAUTH_JWT_UID_CLAIM` | `email` | | `required_claims` | `OAUTH_JWT_REQUIRED_CLAIMS` | `["name", "email"]` | | `info_map.name` | `OAUTH_JWT_INFO_MAP_NAME` | `name` | | `info_map.email` | `OAUTH_JWT_INFO_MAP_EMAIL` | `email` | | `auth_url` | `OAUTH_JWT_AUTH_URL` | | | `valid_within` | `OAUTH_JWT_VALID_WITHIN` | `3600` | See [OmniAuth JWT documentation](https://docs.gitlab.com/administration/auth/jwt/). #### Gitlab Pages Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled by setting the environment variable `GITLAB_PAGES_ENABLED` to `true`. #### Gitlab Pages Access Control Since version `11.5.0` Gitlab pages supports access control. This restricts access to a published website to project members or users who have access to the project. Gitlab pages access control requires additional configuration before activating it through the variable `GITLAB_PAGES_ACCESS_CONTROL`. GitLab pages access control makes use of the Gitlab OAuth Module. - Goto the Gitlab Admin area - Select `Applications` in the menu - Create `New Application` - Name: `Gitlab Pages` - Scopes: - api - Trusted: NO (Do not select) - Redirect URI: `https://projects.<pages-domain>/auth` Note about the `Redirect URI`: this can be tricky to configure or figure out. What needs to be achieved is the following: the redirect URI needs to end up at the `gitlab-pages` daemon with the `/auth` endpoint. This means that if you run your gitlab pages at domain `pages.example.io` this will be a wildcard domain where your projects are created based on their namespace. The best trick is to enter a NON-existing gitlab project pages URI as the redirect URI. 
In the example above, the pages subdomain `projects` has been chosen. This will cause nginx, either the built-in one or your own load balancer, to route `*.<pages-domain>` to the `gitlab-pages` daemon, which will trigger the pages endpoint. Make sure to choose one which does not exist and make sure that the request is routed to the `gitlab-pages` daemon if you are using your own HTTP load balancer in front of Gitlab. After creating the OAuth application endpoint for the Gitlab Pages Daemon, Gitlab pages access control can be enabled. Add the following environment variables to your Gitlab container. | Variable | R/O | Description | |----------|-----|-------------| | GITLAB_PAGES_ACCESS_CONTROL | Required | Set to `true` to enable access control. | | GITLAB_PAGES_ACCESS_SECRET | Optional | Secret hash of at least 32 characters; if omitted, it will be auto generated. | | GITLAB_PAGES_ACCESS_CONTROL_SERVER | Required | Gitlab instance URI, example: `https://gitlab.example.io` | | GITLAB_PAGES_ACCESS_CLIENT_ID | Required | Client ID from the earlier generated OAuth application | | GITLAB_PAGES_ACCESS_CLIENT_SECRET | Required | Client Secret from the earlier generated OAuth application | | GITLAB_PAGES_ACCESS_REDIRECT_URI | Required | Redirect URI, a non-existing pages domain that redirects to the pages daemon, `https://projects.example.io` | After you have enabled gitlab pages access control, when you go to a project's `General Settings` -> `Permissions` you can choose the pages permission level for the project. #### External Issue Trackers Since version `7.10.0` support for external issue trackers can be enabled in the "Service Templates" section of the settings panel. If you are using the [docker-redmine](https://github.com/sameersbn/docker-redmine) image, you can *one up* the gitlab integration with redmine by adding the `--volumes-from=gitlab` flag to the docker run command while starting the redmine container. 
By using the above option the `/home/git/data/repositories` directory will be accessible by the redmine container and now you can add your git repository path to your redmine project. If, for example, in your gitlab server you have a project named `opensource/gitlab`, the bare repository will be accessible at `/home/git/data/repositories/opensource/gitlab.git` in the redmine container. #### Host UID / GID Mapping By default the container is configured to run gitlab as user and group `git` with `uid` and `gid` `1000`. The host possibly uses these ids for different purposes, leading to unfavorable effects. From the host it appears as if the mounted data volumes are owned by the host's user/group `1000`. Also the container processes seem to be executed as the host's user/group `1000`. The container can be configured to map the `uid` and `gid` of `git` to different ids on the host by passing the environment variables `USERMAP_UID` and `USERMAP_GID`. The following command maps the ids to user and group `git` on the host. ```bash docker run --name gitlab -it --rm [options] \ --env "USERMAP_UID=$(id -u git)" --env "USERMAP_GID=$(id -g git)" \ sameersbn/gitlab:18.9.2 ``` When changing this mapping, all files and directories in the mounted data volume `/home/git/data` have to be re-owned by the new ids. This can be achieved automatically using the following command: ```bash docker run --name gitlab -d [OPTIONS] \ sameersbn/gitlab:18.9.2 app:sanitize ``` #### Piwik If you want to monitor your gitlab instance with [Piwik](http://piwik.org/), there are two options to setup: `PIWIK_URL` and `PIWIK_SITE_ID`. These options should contain something like: - `PIWIK_URL=piwik.example.org` - `PIWIK_SITE_ID=42` #### Feature flags In this section, we talk about feature flags whose state administrators can change (see the links below). 
If you are looking for documentation for "Feature flags" that are configured in a project's deploy settings, see the GitLab documentation instead. GitLab adopted feature flag strategies to deploy features in an early stage of development so that they can be incrementally rolled out. GitLab administrators with access to the [Rails console](https://docs.gitlab.com/ee/administration/feature_flags.html#how-to-enable-and-disable-features-behind-flags) or the [Feature flags API](https://docs.gitlab.com/ee/api/features.html) can control them (note that `sameersbn/gitlab` is a container image that provides GitLab installations from the source). You can see all feature flags in the corresponding version of the GitLab documentation. For `sameersbn/gitlab`, you can control them via the environment parameters [`GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`](#gitlab_feature_flags_disable_targets) and [`GITLAB_FEATURE_FLAGS_ENABLE_TARGETS`](#gitlab_feature_flags_enable_targets) in addition to the above methods. This image searches yml files in [`${GITLAB_INSTALL_DIR}/config/feature_flags`](https://gitlab.com/gitlab-org/gitlab-foss/-/tree/master/config/feature_flags) (typically `/home/git/gitlab/config/feature_flags/`) recursively and uses the file list as the source of known feature flags. Here is a part of an example `docker-compose.yml`: ````yml services: gitlab: image: sameersbn/gitlab:latest environment: - GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=auto_devops_banner_disabled,ci_enable_live_trace - GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=git_push_create_all_pipelines,build_service_proxy ```` Once the container is up, you can see messages like the following in the container log. ````sh ... Configuring gitlab::feature_flags... - specified feature flags: {:to_be_disabled=>["auto_devops_banner_disabled", "ci_enable_live_trace"], :to_be_enabled=>["git_push_create_all_pipelines", "build_service_proxy"]} - auto_devops_banner_disabled : off - ci_enable_live_trace : off - git_push_create_all_pipelines : on - build_service_proxy : on ... 
```` If specified flag names are not included in the list, they will be ignored and appear in the container log like below: ````sh ... Configuring gitlab::feature_flags... - specified feature flags: {:to_be_disabled=>["auto_devops_banner_disabled", "invalid_flag_name"], :to_be_enabled=>["git_push_create_all_pipelines", "another_invalid_flag_name"]} - Following flags are probably invalid and have been ignored: invalid_flag_name,another_invalid_flag_name - auto_devops_banner_disabled : off - git_push_create_all_pipelines : on ... ```` #### Available Configuration Parameters *Please refer to the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)* Below is the complete list of available options that can be used to customize your gitlab installation. ##### `DEBUG` Set this to `true` to enable entrypoint debugging. ##### `TZ` Set the container timezone. Defaults to `UTC`. Values are expected to be in Canonical format. Example: `Europe/Amsterdam` See the list of [acceptable values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For configuring the timezone of gitlab see variable `GITLAB_TIMEZONE`. ##### `GITLAB_HOST` The hostname of the GitLab server. Defaults to `localhost` ##### `GITLAB_CI_HOST` If you are migrating from GitLab CI use this parameter to configure the redirection to the GitLab service so that your existing runners continue to work without any changes. No defaults. ##### `GITLAB_PORT` The port of the GitLab server. This value indicates the public port on which the GitLab application will be accessible on the network and appropriately configures GitLab to generate the correct urls. 
It does not affect the port on which the internal nginx server will be listening on. Defaults to `443` if `GITLAB_HTTPS=true`, else defaults to `80`. ##### `GITLAB_SECRETS_DB_KEY_BASE` Encryption key for GitLab CI secret variables, as well as import credentials, in the database. Ensure that your key is at least 32 characters long and that you don't lose it. You can generate one using `pwgen -Bsv1 64`. If you are migrating from GitLab CI, you need to set this value to the value of `GITLAB_CI_SECRETS_DB_KEY_BASE`. No defaults. ##### `GITLAB_SECRETS_SECRET_KEY_BASE` Encryption key for session secrets. Ensure that your key is at least 64 characters long and that you don't lose it. This secret can be rotated with minimal impact - the main effect is that previously-sent password reset emails will no longer work. You can generate one using `pwgen -Bsv1 64`. No defaults. ##### `GITLAB_SECRETS_OTP_KEY_BASE` Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults. ##### `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on** You can generate one using `pwgen -Bsv1 64`. No defaults. ##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` The base key used to encrypt data for non-deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_primary_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. 
If you need to set multiple keys, set this parameter in the format `["first_primary_key","second_primary_key"]`. In `docker-compose.yml`, the value must NOT have additional quotes! **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults. ##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` The base key used to encrypt data for deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_deterministic_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `["first_deterministic_key","second_deterministic_key"]`. In `docker-compose.yml`, the value must NOT have additional quotes! **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults. ##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT` The salt used to encrypt data for `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_key_derivation_salt` in `config/secrets.yml`. Ensure that your salt is an alphanumeric string. Preferred to be 32 characters long. **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults. ##### `GITLAB_TIMEZONE` Configure the timezone for the gitlab application. This configuration does not affect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For setting the container timezone, which will affect cron, see variable `TZ` ##### `GITLAB_ROOT_PASSWORD` The password for the root user on firstrun. Defaults to `5iveL!fe`. Since this default is published here, set your own value rather than relying on it. GitLab requires this to be at least **8 characters long**. 
##### `GITLAB_ROOT_EMAIL` The email for the root user on firstrun. Defaults to `admin@example.com` ##### `GITLAB_EMAIL` The email address for the GitLab server. Defaults to value of `SMTP_USER`, else defaults to `example@example.com`. ##### `GITLAB_EMAIL_DISPLAY_NAME` The name displayed in emails sent out by the GitLab mailer. Defaults to `GitLab`. ##### `GITLAB_EMAIL_REPLY_TO` The reply-to address of emails sent out by GitLab. Defaults to value of `GITLAB_EMAIL`, else defaults to `noreply@example.com`. ##### `GITLAB_EMAIL_SUBJECT_SUFFIX` The e-mail subject suffix used in e-mails sent by GitLab. No defaults. ##### `GITLAB_EMAIL_ENABLED` Enable or disable gitlab mailer. Defaults to the `SMTP_ENABLED` configuration. ##### `GITLAB_EMAIL_SMIME_ENABLE` Enable or disable email S/MIME signing. Default is `false`. ##### `GITLAB_EMAIL_SMIME_KEY_FILE` Specifies the path to a S/MIME private key file in PEM format, unencrypted. Defaults to ``. ##### `GITLAB_EMAIL_SMIME_CERT_FILE` Specifies the path to a S/MIME public certificate in PEM format. Defaults to ``. ##### `GITLAB_DEFAULT_THEME` Default theme ID, by default 2. (1 - Indigo, 2 - Dark, 3 - Light, 4 - Blue, 5 - Green, 6 - Light Indigo, 7 - Light Blue, 8 - Light Green, 9 - Red, 10 - Light Red) ##### `GITLAB_ISSUE_CLOSING_PATTERN` Issue closing pattern regex. See [GitLab's documentation](https://docs.gitlab.com/ee/administration/issue_closing_pattern.html) for more detail. Defaults to ` \b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+) ` . ##### `GITLAB_INCOMING_EMAIL_ADDRESS` The incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. Please read the [reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) documentation to correctly set this parameter. 
##### `GITLAB_INCOMING_EMAIL_ENABLED` Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`. ##### `GITLAB_SIGNUP_ENABLED` Enable or disable user signups (first run only). Default is `true`. ##### `GITLAB_IMPERSONATION_ENABLED` Enable or disable impersonation. Defaults to `true`. ##### `GITLAB_PROJECTS_LIMIT` Set default projects limit. Defaults to `100`. ##### `GITLAB_USERNAME_CHANGE` Enable or disable ability for users to change their username. Defaults to `true`. ##### `GITLAB_CREATE_GROUP` Enable or disable ability for users to create groups. Defaults to `true`. ##### `GITLAB_PROJECTS_ISSUES` Set if *issues* feature should be enabled by default for new projects. Defaults to `true`. ##### `GITLAB_PROJECTS_MERGE_REQUESTS` Set if *merge requests* feature should be enabled by default for new projects. Defaults to `true`. ##### `GITLAB_PROJECTS_WIKI` Set if *wiki* feature should be enabled by default for new projects. Defaults to `true`. ##### `GITLAB_PROJECTS_SNIPPETS` Set if *snippets* feature should be enabled by default for new projects. Defaults to `false`. ##### `GITLAB_PROJECTS_BUILDS` Set if *builds* feature should be enabled by default for new projects. Defaults to `true`. ##### `GITLAB_PROJECTS_CONTAINER_REGISTRY` Set if *container_registry* feature should be enabled by default for new projects. Defaults to `true`. ##### `GITLAB_SHELL_CUSTOM_HOOKS_DIR` Global custom hooks directory. Defaults to `/home/git/gitlab-shell/hooks`. ##### `GITLAB_WEBHOOK_TIMEOUT` Sets the timeout for webhooks. Defaults to `10` seconds. ##### `GITLAB_NOTIFY_ON_BROKEN_BUILDS` Enable or disable broken build notification emails. Defaults to `true` ##### `GITLAB_NOTIFY_PUSHER` Add pusher to recipients list of broken build notification emails. Defaults to `false` ##### `GITLAB_REPOS_DIR` The git repositories folder in the container. Defaults to `/home/git/data/repositories` ##### `GITLAB_BACKUP_DIR` The backup folder in the container. 
Defaults to `/home/git/data/backups` ##### `GITLAB_BACKUP_DIR_CHOWN` Optionally change ownership of backup files on start-up. Defaults to `true` ##### `GITLAB_BACKUP_DIR_GROUP` Optionally group backups into a subfolder. Can also be used to place backups in to a subfolder on remote storage. Not used by default. ##### `GITLAB_BUILDS_DIR` The build traces directory. Defaults to `/home/git/data/builds` ##### `GITLAB_DOWNLOADS_DIR` The repository downloads directory. A temporary zip is created in this directory when users click **Download Zip** on a project. Defaults to `/home/git/data/tmp/downloads`. ##### `GITLAB_SHARED_DIR` The directory to store the build artifacts. Defaults to `/home/git/data/shared` ##### `GITLAB_ARTIFACTS_ENABLED` Enable/Disable GitLab artifacts support. Defaults to `true`. ##### `GITLAB_ARTIFACTS_DIR` Directory to store the artifacts. Defaults to `$GITLAB_SHARED_DIR/artifacts` ##### `AWS_ACCESS_KEY_ID` Default AWS access key to be used for object store. Defaults to `AWS_ACCESS_KEY_ID` ##### `AWS_SECRET_ACCESS_KEY` Default AWS access key to be used for object store. Defaults to `AWS_SECRET_ACCESS_KEY` ##### `AWS_REGION` AWS Region. Defaults to `us-east-1` ##### `AWS_HOST` Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`. Defaults to `s3.amazon.com` ##### `AWS_ENDPOINT` AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `nil` ##### `AWS_PATH_STYLE` Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `true` ##### `AWS_SIGNATURE_VERSION` AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `4` ##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` Default Google project to use for Object Store. ##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` Default Google service account email to use for Object Store. 
##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` Default Google key file Defaults to `/gcs/key.json` ##### `GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` Default object store connection provider. Defaults to `AWS` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED` Enables Object Store for Artifacts that will be remote stored. Defaults to `false` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY` Bucket name to store the artifacts. Defaults to `artifacts` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD` Set to true to enable direct upload of Artifacts without the need of local shared storage. Defaults to `false` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD` Temporary option to limit automatic upload. Defaults to `false` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD` Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER` Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION` AWS Region. Defaults to `$AWS_REGION` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST` Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. 
Defaults to `$AWS_PATH_STYLE` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION` AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `$AWS_SIGNATURE_VERSION` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`) ##### `GITLAB_PIPELINE_SCHEDULE_WORKER_CRON` Cron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'` ##### `GITLAB_LFS_ENABLED` Enable/Disable Git LFS support. Defaults to `true`. ##### `GITLAB_LFS_OBJECTS_DIR` Directory to store the lfs-objects. Defaults to `$GITLAB_SHARED_DIR/lfs-objects` ##### `GITLAB_LFS_OBJECT_STORE_ENABLED` Enables Object Store for LFS objects, which will then be stored remotely. Defaults to `false` ##### `GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY` Bucket name to store the LFS objects. Defaults to `lfs-object` ##### `GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD` Temporary option to limit automatic upload. Defaults to `false` ##### `GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD` Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER` Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID` ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` AWS Secret Access Key. 
Defaults to `$AWS_SECRET_ACCESS_KEY` ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION` AWS Region. Defaults to `$AWS_REGION` ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST` Configure this for an S3-compatible host such as MinIO. Defaults to `$AWS_HOST` ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT` ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE` ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION` AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `$AWS_SIGNATURE_VERSION` ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`) ##### `GITLAB_PACKAGES_ENABLED` Enable/Disable Packages support. Defaults to `true`. ##### `GITLAB_PACKAGES_DIR` Directory to store the packages data. Defaults to `$GITLAB_SHARED_DIR/packages` ##### `GITLAB_PACKAGES_OBJECT_STORE_ENABLED` Enables Object Store for Packages, which will then be stored remotely. Defaults to `false` ##### `GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY` Bucket name to store the packages. Defaults to `packages` ##### `GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD` Set to true to enable direct upload of Packages without the need of local shared storage. Defaults to `false` ##### `GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD` Temporary option to limit automatic upload. 
Defaults to `false` ##### `GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD` Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER` Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID` ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY` ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION` AWS Region. Defaults to `$AWS_REGION` ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST` Configure this for an S3-compatible host such as MinIO. Defaults to `$AWS_HOST` ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT` ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE` ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`) ##### `GITLAB_TERRAFORM_STATE_ENABLED` Enable/Disable Terraform State support. Defaults to `true`. ##### `GITLAB_TERRAFORM_STATE_STORAGE_PATH` Directory to store the terraform state data. 
Defaults to `$GITLAB_SHARED_DIR/terraform_state` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED` Enables Object Store for Terraform state, which will then be stored remotely. Defaults to `false` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY` Bucket name to store the Terraform state. Defaults to `terraform_state` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER` Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION` AWS Region. Defaults to `$AWS_REGION` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST` Configure this for an S3-compatible host such as MinIO. Defaults to `$AWS_HOST` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`) ##### `GITLAB_UPLOADS_STORAGE_PATH` The location where uploaded objects are stored. Defaults to `$GITLAB_SHARED_DIR/public`. 
##### `GITLAB_UPLOADS_BASE_DIR` Mapping for the `GITLAB_UPLOADS_STORAGE_PATH`. Defaults to `uploads/-/system` ##### `GITLAB_UPLOADS_OBJECT_STORE_ENABLED` Enables Object Store for uploads, which will then be stored remotely. Defaults to `false` ##### `GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY` Bucket name to store the uploads. Defaults to `uploads` ##### `GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD` Temporary option to limit automatic upload. Defaults to `false` ##### `GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD` Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` ##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER` Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) ##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID` ##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY` ##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION` AWS Region. Defaults to `$AWS_REGION` ##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST` Configure this for an S3-compatible host such as MinIO. Defaults to `$AWS_HOST` ##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT` ##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE` ##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` ##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` ##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` Default Google key file. 
Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`) ##### `GITLAB_MATTERMOST_ENABLED` Enable/Disable GitLab Mattermost for the *Add Mattermost button*. Defaults to `false`. ##### `GITLAB_MATTERMOST_URL` Sets the Mattermost URL. Defaults to `https://mattermost.example.com`. ##### `GITLAB_BACKUP_SCHEDULE` Set up a cron job for automatic backups. Possible values: `disable`, `daily`, `weekly` or `monthly`. Disabled by default. ##### `GITLAB_BACKUP_EXPIRY` Configure how long (in seconds) to keep backups before they are deleted. By default, when automated backups are disabled, backups are kept forever (0 seconds); otherwise the backups expire in 7 days (604800 seconds). ##### `GITLAB_BACKUP_PG_SCHEMA` Specify the PostgreSQL schema for the backups. No default, which means that all schemas will be backed up. See #524. ##### `GITLAB_BACKUP_ARCHIVE_PERMISSIONS` Sets the permissions of the backup archives. Defaults to `0600`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#backup-archive-permissions) ##### `GITLAB_BACKUP_TIME` Set a time for the automatic backups in `HH:MM` format. Defaults to `04:00`. ##### `GITLAB_BACKUP_SKIP` The specified sections are skipped by the backups. Defaults to empty. Example: `lfs,uploads`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#create-a-backup-of-the-gitlab-system) ##### `GITLAB_SSH_HOST` The ssh host. Defaults to **GITLAB_HOST**. ##### `GITLAB_SSH_LISTEN_PORT` The ssh port for SSHD to listen on. Defaults to `22` ##### `GITLAB_SSH_MAXSTARTUPS` The ssh "MaxStartups" parameter. Defaults to `10:30:60`. ##### `GITLAB_SSH_PORT` The ssh port number. Defaults to `$GITLAB_SSH_LISTEN_PORT`. ##### `GITLAB_RELATIVE_URL_ROOT` The relative url of the GitLab server, e.g. `/git`. No default. ##### `GITLAB_TRUSTED_PROXIES` Add the IP address of a reverse proxy to the trusted proxy list; otherwise users will appear to be signed in from that address. Currently only a single entry is permitted. No default. 
##### `GITLAB_REGISTRY_ENABLED` Enables the GitLab Container Registry. Defaults to `false`. ##### `GITLAB_REGISTRY_HOST` Sets the GitLab Registry Host. Defaults to `registry.example.com` ##### `GITLAB_REGISTRY_PORT` Sets the GitLab Registry Port. Defaults to `443`. ##### `GITLAB_REGISTRY_API_URL` Sets the GitLab Registry API URL. Defaults to `http://localhost:5000` ##### `GITLAB_REGISTRY_KEY_PATH` Sets the GitLab Registry Key Path. Defaults to `config/registry.key` ##### `GITLAB_REGISTRY_DIR` Directory to store the container images; it will be shared with the registry. Defaults to `$GITLAB_SHARED_DIR/registry` ##### `GITLAB_REGISTRY_ISSUER` Sets the GitLab Registry Issuer. Defaults to `gitlab-issuer`. ##### `GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES` Set to `true` to generate internal SSL keys for the Registry. These are used for communication between a Docker Registry and GitLab. It will generate a self-signed certificate key at the location given by `$GITLAB_REGISTRY_KEY_PATH`, e.g. `/certs/registry.key`, and will generate the certificate file at the same location, with the same name, but with the extension changed from `key` to `crt`, e.g. `/certs/registry.crt` ##### `GITLAB_PAGES_ENABLED` Enables GitLab Pages. Defaults to `false`. ##### `GITLAB_PAGES_DOMAIN` Sets the GitLab Pages Domain. Defaults to `example.com` ##### `GITLAB_PAGES_DIR` Sets the GitLab Pages directory where all pages will be stored. Defaults to `$GITLAB_SHARED_DIR/pages` ##### `GITLAB_PAGES_PORT` Sets the GitLab Pages Port that will be used in NGINX. Defaults to `80` ##### `GITLAB_PAGES_HTTPS` Sets GitLab Pages to HTTPS; the gitlab-pages-ssl config will be used. Defaults to `false` ##### `GITLAB_PAGES_ARTIFACTS_SERVER` Set to `true` to enable the pages artifacts server. Enabled by default. ##### `GITLAB_PAGES_ARTIFACTS_SERVER_URL` If `GITLAB_PAGES_ARTIFACTS_SERVER` is enabled, set this to the API endpoint for GitLab Pages (e.g. `https://example.com/api/v4`). No default. 
##### `GITLAB_PAGES_EXTERNAL_HTTP` Sets GitLab Pages external http to receive requests on an independent port. Disabled by default. ##### `GITLAB_PAGES_EXTERNAL_HTTPS` Sets GitLab Pages external https to receive requests on an independent port. Disabled by default. ##### `GITLAB_PAGES_ACCESS_CONTROL` Set to `true` to enable access control for pages. Allows access to a Pages site to be controlled based on a user’s membership in that project. Disabled by default. ##### `GITLAB_PAGES_NGINX_PROXY` Controls the nginx proxy for gitlab pages. Defaults to `true`. When set to `false` this turns off the nginx proxy to the gitlab pages daemon; this is used when the user provides their own http load balancer in combination with a gitlab pages custom domain setup. ##### `GITLAB_PAGES_ACCESS_SECRET` Secret hash of at least 32 characters; if omitted, it will be auto-generated. ##### `GITLAB_PAGES_ACCESS_CONTROL_SERVER` GitLab instance URI, example: `https://gitlab.example.io` ##### `GITLAB_PAGES_ACCESS_CLIENT_ID` Client ID from the previously generated OAuth application. ##### `GITLAB_PAGES_ACCESS_CLIENT_SECRET` Client Secret from the previously generated OAuth application. ##### `GITLAB_PAGES_ACCESS_REDIRECT_URI` Redirect URI: a non-existing pages domain that redirects to the pages daemon, e.g. `https://projects.example.io/auth` ##### `GITLAB_PAGES_NAMESPACE_IN_PATH` Enable the namespace-in-path option for gitlab pages. Defaults to `false`. ##### `GITLAB_PAGES_LOG_VERBOSE` Enable verbose logging for gitlab pages. Defaults to `false`. ##### `GITLAB_HTTPS` Set to `true` to enable https support. Disabled by default. ##### `GITALY_CLIENT_PATH` Set the default path for gitaly. Defaults to `/home/git/gitaly` ##### `GITALY_TOKEN` Set a gitaly token. Blank by default. ##### `GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL` Time between sampling of unicorn socket metrics, in seconds. Defaults to `10` ##### `GITLAB_MONITORING_IP_WHITELIST` IP whitelist to access monitoring endpoints. No default. 
##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED` Set to `true` to enable the sidekiq exporter, enabled by default. ##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS` Sidekiq exporter address, defaults to `0.0.0.0` ##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT` Sidekiq exporter port, defaults to `3807` ##### `GITLAB_CONTENT_SECURITY_POLICY_ENABLED` Set to `true` to enable [Content Security Policy](https://guides.rubyonrails.org/security.html#content-security-policy), enabled by default. ##### `GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY` Set to `true` to set `Content-Security-Policy-Report-Only` header, disabled by default ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI` The value of the `base-uri` directive in the `Content-Security-Policy` header ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC` The value of the `child-src` directive in the `Content-Security-Policy` header ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC` The value of the `connect-src` directive in the `Content-Security-Policy` header. Default to `'self' http://localhost:* ws://localhost:* wss://localhost:*` ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC` The value of the `default-src` directive in the `Content-Security-Policy` header. Default to `'self'` ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC` The value of the `font-src` directive in the `Content-Security-Policy` header ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION` The value of the `form-action` directive in the `Content-Security-Policy` header ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS` The value of the `frame-ancestors` directive in the `Content-Security-Policy` header. Default to `'self'` ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC` The value of the `frame-src` directive in the `Content-Security-Policy` header. 
Defaults to `'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com` ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC` The value of the `img-src` directive in the `Content-Security-Policy` header. Defaults to `* data: blob:` ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC` The value of the `manifest-src` directive in the `Content-Security-Policy` header ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC` The value of the `media-src` directive in the `Content-Security-Policy` header ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC` The value of the `object-src` directive in the `Content-Security-Policy` header. Defaults to `'none'` ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC` The value of the `script-src` directive in the `Content-Security-Policy` header. Defaults to `'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com` ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC` The value of the `style-src` directive in the `Content-Security-Policy` header. Defaults to `'self' 'unsafe-inline'` ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC` The value of the `worker-src` directive in the `Content-Security-Policy` header. Defaults to `'self' blob:` ##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI` The value of the `report-uri` directive in the `Content-Security-Policy` header ##### `GITLAB_FEATURE_FLAGS_DISABLE_TARGETS` Comma separated list of feature flag names to be disabled. No whitespace is allowed. You can see all feature flags in the GitLab documentation for the corresponding version. Each feature flag's name and its state will appear in the container log. 
Note that some of the feature flags are implicitly enabled or disabled by GitLab itself, and do not appear in the container log. No default. ##### `GITLAB_FEATURE_FLAGS_ENABLE_TARGETS` This parameter is the same as [`GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`](#gitlab_feature_flags_disable_targets), except that its purpose is to enable the feature flags. No default. ##### `SSL_SELF_SIGNED` Set to `true` when using self-signed ssl certificates. `false` by default. ##### `SSL_CERTIFICATE_PATH` Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt` ##### `SSL_KEY_PATH` Location of the ssl private key. Defaults to `/home/git/data/certs/gitlab.key` ##### `SSL_DHPARAM_PATH` Location of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem` ##### `SSL_VERIFY_CLIENT` Set to `on` to enable verification of client certificates against the `SSL_CA_CERTIFICATES_PATH` file. Defaults to `off` ##### `SSL_CA_CERTIFICATES_PATH` List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`. ##### `SSL_REGISTRY_KEY_PATH` Location of the ssl private key for the gitlab container registry. Defaults to `/home/git/data/certs/registry.key` ##### `SSL_REGISTRY_CERT_PATH` Location of the ssl certificate for the gitlab container registry. Defaults to `/home/git/data/certs/registry.crt` ##### `SSL_PAGES_KEY_PATH` Location of the ssl private key for gitlab pages. Defaults to `/home/git/data/certs/pages.key` ##### `SSL_PAGES_CERT_PATH` Location of the ssl certificate for gitlab pages. 
Defaults to `/home/git/data/certs/pages.crt` ##### `SSL_CIPHERS` List of supported SSL ciphers. Defaults to `ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4` ##### `SSL_PROTOCOLS` List of supported SSL protocols. Defaults to `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` ##### `SSL_PAGES_CIPHERS` List of supported SSL ciphers for gitlab pages. Defaults to `$SSL_CIPHERS` ##### `SSL_PAGES_PROTOCOLS` List of supported SSL protocols for gitlab pages. Defaults to `$SSL_PROTOCOLS` ##### `SSL_REGISTRY_CIPHERS` List of supported SSL ciphers for the gitlab container registry. Defaults to `$SSL_CIPHERS` ##### `SSL_REGISTRY_PROTOCOLS` List of supported SSL protocols for the gitlab container registry. Defaults to `$SSL_PROTOCOLS` ##### `NGINX_WORKERS` The number of nginx workers to start. Defaults to `1`. ##### `NGINX_SERVER_NAMES_HASH_BUCKET_SIZE` Sets the bucket size for the server names hash tables. This is needed when you have long server_names or you get an error message from nginx like *nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size:..*. It should only be increased in powers of 2. Defaults to `32`. ##### `NGINX_HSTS_ENABLED` Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for a use case scenario. ##### `NGINX_HSTS_MAXAGE` Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`. ##### `NGINX_PROXY_BUFFERING` Enable `proxy_buffering`. Defaults to `off`. ##### `NGINX_ACCEL_BUFFERING` Enable the `X-Accel-Buffering` header. 
Defaults to `no` ##### `NGINX_X_FORWARDED_PROTO` Advanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`. ##### `NGINX_REAL_IP_RECURSIVE` Set to `on` if the docker container runs behind a reverse proxy and you do not want the IP address of the proxy to show up as the client address. `off` by default. ##### `NGINX_REAL_IP_TRUSTED_ADDRESSES` You can have NGINX look for a different address to use by adding your reverse proxy to `NGINX_REAL_IP_TRUSTED_ADDRESSES`. Currently only a single entry is permitted. No default. ##### `NGINX_CUSTOM_GITLAB_SERVER_CONFIG` Advanced configuration option. You can add custom configuration for nginx as you like (e.g. a custom location proxy). This is similar to setting `nginx['custom_gitlab_server_config']` in `gitlab.rb` for gitlab-omnibus. No default. ##### `REDIS_HOST` The hostname of the redis server. Defaults to `localhost` ##### `REDIS_PORT` The connection port of the redis server. Defaults to `6379`. ##### `REDIS_DB_NUMBER` The redis database number. Defaults to `0`. ##### `PUMA_WORKERS` The number of puma workers to start. Defaults to `3`. ##### `PUMA_TIMEOUT` Sets the timeout of puma worker processes. Defaults to `60` seconds. ##### `PUMA_THREADS_MIN` The minimum number of puma threads. Defaults to `1`. ##### `PUMA_THREADS_MAX` The maximum number of puma threads. Defaults to `16`. ##### `PUMA_PER_WORKER_MAX_MEMORY_MB` Maximum memory size per puma worker process. Defaults to `1024`. ##### `PUMA_MASTER_MAX_MEMORY_MB` Maximum memory size of the puma master process. Defaults to `800`. ##### `SIDEKIQ_CONCURRENCY` The number of concurrent sidekiq jobs to run. Defaults to `25` ##### `SIDEKIQ_SHUTDOWN_TIMEOUT` Timeout for sidekiq shutdown. Defaults to `4` ##### `SIDEKIQ_MEMORY_KILLER_MAX_RSS` A non-zero value enables the SidekiqMemoryKiller. Defaults to `2000000`. 
For additional options refer to [Configuring the MemoryKiller](http://doc.gitlab.com/ce/operations/sidekiq_memory_killer.html) ##### `GITLAB_SIDEKIQ_LOG_FORMAT` Sidekiq log format that will be used. Defaults to `json` ##### `DB_ADAPTER` The database type. Currently only postgresql is supported. Possible values: `postgresql`. Defaults to `postgresql`. ##### `DB_ENCODING` The database encoding. For the `DB_ADAPTER` value `postgresql` this parameter defaults to `utf8`. ##### `DB_HOST` The database server hostname. Defaults to `localhost`. ##### `DB_PORT` The database server port. Defaults to `5432` for postgresql. ##### `DB_NAME` The database name. Defaults to `gitlabhq_production` ##### `DB_USER` The database user. Defaults to `root` ##### `DB_PASS` The database password. Defaults to no password ##### `DB_POOL` The database connection pool count. Defaults to `10`. ##### `DB_PREPARED_STATEMENTS` Whether to use database prepared statements. No default. Set it to `false` if you want to use GitLab with [PgBouncer](https://pgbouncer.github.io/) ##### `SMTP_ENABLED` Enable mail delivery via SMTP. Defaults to `true` if `SMTP_USER` is defined, else defaults to `false`. ##### `SMTP_DOMAIN` SMTP domain. Defaults to `www.gmail.com` ##### `SMTP_HOST` SMTP server host. Defaults to `smtp.gmail.com`. ##### `SMTP_PORT` SMTP server port. Defaults to `587`. ##### `SMTP_USER` SMTP username. ##### `SMTP_PASS` SMTP password. ##### `SMTP_STARTTLS` Enable STARTTLS. Defaults to `true`. ##### `SMTP_TLS` Enable SSL/TLS. Defaults to `false`. ##### `SMTP_OPENSSL_VERIFY_MODE` SMTP openssl verification mode. Accepted values are `none`, `peer`, `client_once` and `fail_if_no_peer_cert`. Defaults to `none`. ##### `SMTP_AUTHENTICATION` Specify the SMTP authentication method. Defaults to `login` if `SMTP_USER` is set. ##### `SMTP_CA_ENABLED` Enable custom CA certificates for the SMTP email configuration. Defaults to `false`. 
##### `SMTP_CA_PATH` Specify the `ca_path` parameter for the SMTP email configuration. Defaults to `/home/git/data/certs`. ##### `SMTP_CA_FILE` Specify the `ca_file` parameter for the SMTP email configuration. Defaults to `/home/git/data/certs/ca.crt`. ##### `IMAP_ENABLED` Enable incoming mail via IMAP. Defaults to `true` if `IMAP_USER` is defined, else defaults to `false`. ##### `IMAP_HOST` IMAP server host. Defaults to `imap.gmail.com`. ##### `IMAP_PORT` IMAP server port. Defaults to `993`. ##### `IMAP_USER` IMAP username. ##### `IMAP_PASS` IMAP password. ##### `IMAP_SSL` Enable SSL. Defaults to `true`. ##### `IMAP_STARTTLS` Enable STARTTLS. Defaults to `false`. ##### `IMAP_MAILBOX` The name of the mailbox where incoming mail will end up. Defaults to `inbox`. ##### `LDAP_ENABLED` Enable LDAP. Defaults to `false` ##### `LDAP_LABEL` Label to show on the login tab for the LDAP server. Defaults to `LDAP` ##### `LDAP_HOST` LDAP Host. ##### `LDAP_PORT` LDAP Port. Defaults to `389` ##### `LDAP_UID` LDAP UID. Defaults to `sAMAccountName` ##### `LDAP_METHOD` LDAP method. Possible values are `simple_tls`, `start_tls` and `plain`. Defaults to `plain` ##### `LDAP_VERIFY_SSL` Verify the LDAP server's ssl certificate for installations that are using `LDAP_METHOD: 'simple_tls'` or `LDAP_METHOD: 'start_tls'`. Defaults to `true` ##### `LDAP_CA_FILE` Specifies the path to a file containing a PEM-format CA certificate. Defaults to empty. ##### `LDAP_SSL_VERSION` Specifies the SSL version for OpenSSL to use, if the OpenSSL default is not appropriate. Example: `TLSv1_1`. Defaults to empty. ##### `LDAP_BIND_DN` LDAP bind DN. No default. ##### `LDAP_PASS` LDAP password. ##### `LDAP_TIMEOUT` Timeout, in seconds, for LDAP queries. Defaults to `10`. ##### `LDAP_ACTIVE_DIRECTORY` Specifies whether the LDAP server is an Active Directory LDAP server. If your LDAP server is not AD, set this to `false`. 
Defaults to `true`. ##### `LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN` If enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to `false` if `LDAP_UID` is `userPrincipalName`, else `true`. ##### `LDAP_BLOCK_AUTO_CREATED_USERS` Blocks auto-created LDAP users until they have been cleared by the admin. Defaults to `false`. ##### `LDAP_BASE` Base where we can search for users. No default. ##### `LDAP_USER_FILTER` Filter LDAP users. No default. ##### `LDAP_USER_ATTRIBUTE_USERNAME` Attribute fields for the identification of a user. Defaults to `['uid', 'userid', 'sAMAccountName']` ##### `LDAP_USER_ATTRIBUTE_MAIL` Attribute fields for the shown mail address. Defaults to `['mail', 'email', 'userPrincipalName']` ##### `LDAP_USER_ATTRIBUTE_NAME` Attribute field for the used username of a user. Defaults to `cn`. ##### `LDAP_USER_ATTRIBUTE_FIRSTNAME` Attribute field for the forename of a user. Defaults to `givenName` ##### `LDAP_USER_ATTRIBUTE_LASTNAME` Attribute field for the surname of a user. Defaults to `sn` ##### `LDAP_LOWERCASE_USERNAMES` GitLab will lower case the username for the LDAP Server. Defaults to `false` ##### `LDAP_PREVENT_LDAP_SIGN_IN` Set to `true` to [Disable LDAP web sign in](https://docs.gitlab.com/ce/administration/auth/ldap/#disable-ldap-web-sign-in). Defaults to `false` ##### `OAUTH_ENABLED` Enable OAuth support. Defaults to `true` if any of the supported OAuth providers is configured, else defaults to `false`. ##### `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` Automatically sign in with a specific OAuth provider without showing the GitLab sign-in page. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. ##### `OAUTH_ALLOW_SSO` Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. 
Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. ##### `OAUTH_BLOCK_AUTO_CREATED_USERS` Blocks auto-created OAuth users until they have been cleared by the admin. Defaults to `true`. ##### `OAUTH_AUTO_LINK_LDAP_USER` Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`. ##### `OAUTH_AUTO_LINK_SAML_USER` Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`. ##### `OAUTH_AUTO_LINK_USER` Allow users with existing accounts to login and auto link their account via the defined Omniauth providers login, without having to do a manual login first and manually connect their chosen provider. Defaults to `[]`. ##### `OAUTH_EXTERNAL_PROVIDERS` Comma separated list of oauth providers whose users are disallowed access to `internal` projects. Users creating accounts via these providers will not have access to internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. ##### `OAUTH_ALLOW_BYPASS_TWO_FACTOR` Specify oauth providers where users can sign in without using two-factor authentication (2FA). You can define this using an array of providers like `["twitter", "google_oauth2"]`. Setting this to `true` or `false` applies to all providers - allow all or none. Defaults to `false`. ##### `OAUTH_CAS3_LABEL` The "Sign in with" button label. Defaults to "cas3". ##### `OAUTH_CAS3_SERVER` CAS3 server URL. No default. ##### `OAUTH_CAS3_DISABLE_SSL_VERIFICATION` Disable CAS3 SSL verification. Defaults to `false`. ##### `OAUTH_CAS3_LOGIN_URL` CAS3 login URL. Defaults to `/cas/login` ##### `OAUTH_CAS3_VALIDATE_URL` CAS3 validation URL. 
Defaults to `/cas/p3/serviceValidate` ##### `OAUTH_CAS3_LOGOUT_URL` CAS3 logout URL. Defaults to `/cas/logout` ##### `OAUTH_GOOGLE_API_KEY` Google App Client ID. No defaults. ##### `OAUTH_GOOGLE_APP_SECRET` Google App Client Secret. No defaults. ##### `OAUTH_GOOGLE_RESTRICT_DOMAIN` List of Google App restricted domains. Value is comma separated list of single quoted groups. Example: `'exemple.com','exemple2.com'`. No defaults. ##### `OAUTH_FACEBOOK_API_KEY` Facebook App API key. No defaults. ##### `OAUTH_FACEBOOK_APP_SECRET` Facebook App API secret. No defaults. ##### `OAUTH_TWITTER_API_KEY` Twitter App API key. No defaults. ##### `OAUTH_TWITTER_APP_SECRET` Twitter App API secret. No defaults. ##### `OAUTH_AUTHENTIQ_CLIENT_ID` authentiq Client ID. No defaults. ##### `OAUTH_AUTHENTIQ_CLIENT_SECRET` authentiq Client secret. No defaults. ##### `OAUTH_AUTHENTIQ_SCOPE` Scope of Authentiq Application Defaults to `'aq:name email~rs address aq:push'` ##### `OAUTH_AUTHENTIQ_REDIRECT_URI` Callback URL for Authentiq. No defaults. ##### `OAUTH_GITHUB_API_KEY` GitHub App Client ID. No defaults. ##### `OAUTH_GITHUB_APP_SECRET` GitHub App Client secret. No defaults. ##### `OAUTH_GITHUB_URL` Url to the GitHub Enterprise server. Defaults to `https://github.com` ##### `OAUTH_GITHUB_VERIFY_SSL` Enable SSL verification while communicating with the GitHub server. Defaults to `true`. ##### `OAUTH_GITLAB_API_KEY` GitLab App Client ID. No defaults. ##### `OAUTH_GITLAB_APP_SECRET` GitLab App Client secret. No defaults. ##### `OAUTH_BITBUCKET_API_KEY` BitBucket App Client ID. No defaults. ##### `OAUTH_BITBUCKET_APP_SECRET` BitBucket App Client secret. No defaults. ##### `OAUTH_BITBUCKET_URL` Bitbucket URL. Defaults: `https://bitbucket.org/` ##### `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL` The URL at which the SAML assertion should be received. 
When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}/users/auth/saml/callback` else defaults to `http://${GITLAB_HOST}/users/auth/saml/callback`. ##### `OAUTH_SAML_IDP_CERT_FINGERPRINT` The SHA1 fingerprint of the certificate. No Defaults. ##### `OAUTH_SAML_IDP_SSO_TARGET_URL` The URL to which the authentication request should be sent. No defaults. ##### `OAUTH_SAML_ISSUER` The name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`. ##### `OAUTH_SAML_LABEL` The "Sign in with" button label. Defaults to "Our SAML Provider". ##### `OAUTH_SAML_NAME_IDENTIFIER_FORMAT` Describes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` ##### `OAUTH_SAML_GROUPS_ATTRIBUTE` Map groups attribute in a SAMLResponse to external groups. No defaults. ##### `OAUTH_SAML_EXTERNAL_GROUPS` List of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example: `'group1','group2'`. No defaults. ##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL` Map 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. ##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME` Map 'username' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. ##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME` Map 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. ##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME` Map 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. 
See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. ##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME` Map 'last_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. ##### `OAUTH_CROWD_SERVER_URL` Crowd server url. No defaults. ##### `OAUTH_CROWD_APP_NAME` Crowd server application name. No defaults. ##### `OAUTH_CROWD_APP_PASSWORD` Crowd server application password. No defaults. ##### `OAUTH_AUTH0_CLIENT_ID` Auth0 Client ID. No defaults. ##### `OAUTH_AUTH0_CLIENT_SECRET` Auth0 Client secret. No defaults. ##### `OAUTH_AUTH0_DOMAIN` Auth0 Domain. No defaults. ##### `OAUTH_AUTH0_SCOPE` Auth0 Scope. Defaults to `openid profile email`. ##### `OAUTH_AZURE_API_KEY` Azure Client ID. No defaults. ##### `OAUTH_AZURE_API_SECRET` Azure Client secret. No defaults. ##### `OAUTH_AZURE_TENANT_ID` Azure Tenant ID. No defaults. #### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID` Client ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults. #### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET` Client secret for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults. #### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID` Tenant ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults. #### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL` Optional label for login button for `azure_activedirectory_v2`. Defaults to `Azure AD v2` ##### `OAUTH2_GENERIC_APP_ID` Your OAuth2 App ID. No defaults. ##### `OAUTH2_GENERIC_APP_SECRET` Your OAuth2 App Secret. 
No defaults. ##### `OAUTH2_GENERIC_CLIENT_SITE` The OAuth2 generic client site. No defaults ##### `OAUTH2_GENERIC_CLIENT_USER_INFO_URL` The OAuth2 generic client user info url. No defaults ##### `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL` The OAuth2 generic client authorize url. No defaults ##### `OAUTH2_GENERIC_CLIENT_TOKEN_URL` The OAuth2 generic client token url. No defaults ##### `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT` The OAuth2 generic client end session endpoint. No defaults ##### `OAUTH2_GENERIC_ID_PATH` The OAuth2 generic id path. No defaults ##### `OAUTH2_GENERIC_USER_UID` The OAuth2 generic user id path. No defaults ##### `OAUTH2_GENERIC_USER_NAME` The OAuth2 generic user name. No defaults ##### `OAUTH2_GENERIC_USER_EMAIL` The OAuth2 generic user email. No defaults ##### `OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE` The scope of your OAuth2 provider. No defaults ##### `OAUTH2_GENERIC_LABEL` The label of your OAuth2 provider. No defaults ##### `OAUTH2_GENERIC_NAME` The name of your OAuth2 provider. No defaults ##### `GITLAB_GRAVATAR_ENABLED` Enables gravatar integration. Defaults to `true`. ##### `GITLAB_GRAVATAR_HTTP_URL` Sets a custom gravatar url. Defaults to `http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. This can be used for [Libravatar integration](http://doc.gitlab.com/ce/customization/libravatar.html). ##### `GITLAB_GRAVATAR_HTTPS_URL` Same as above, but for https. Defaults to `https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. ##### `USERMAP_UID` Sets the uid for user `git` to the specified uid. Defaults to `1000`. ##### `USERMAP_GID` Sets the gid for group `git` to the specified gid. Defaults to `USERMAP_UID` if defined, else defaults to `1000`. ##### `GOOGLE_ANALYTICS_ID` Google Analytics ID. No defaults. ##### `PIWIK_URL` Sets the Piwik URL. No defaults. ##### `PIWIK_SITE_ID` Sets the Piwik site ID. No defaults. ##### `AWS_BACKUPS` Enables automatic uploads to an Amazon S3 instance. Defaults to `false`. 
##### `AWS_BACKUP_REGION` AWS region. No defaults. ##### `AWS_BACKUP_ENDPOINT` AWS endpoint. No defaults. ##### `AWS_BACKUP_ACCESS_KEY_ID` AWS access key id. No defaults. ##### `AWS_BACKUP_SECRET_ACCESS_KEY` AWS secret access key. No defaults. ##### `AWS_BACKUP_BUCKET` AWS bucket for backup uploads. No defaults. ##### `AWS_BACKUP_MULTIPART_CHUNK_SIZE` Enables multipart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) ##### `AWS_BACKUP_ENCRYPTION` Turns on AWS Server-Side Encryption. Defaults to `false`. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) ##### `AWS_BACKUP_STORAGE_CLASS` Configure the storage class for the item. Defaults to `STANDARD` See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html) ##### `AWS_BACKUP_SIGNATURE_VERSION` Configure the storage signature version. Defaults to `4` See at [AWS S3 Docs](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version) ##### `GCS_BACKUPS` Enables automatic uploads to an Google Cloud Storage (GCS) instance. Defaults to `false`. ##### `GCS_BACKUP_ACCESS_KEY_ID` GCS access key id. No defaults ##### `GCS_BACKUP_SECRET_ACCESS_KEY` GCS secret access key. No defaults ##### `GCS_BACKUP_BUCKET` GCS bucket for backup uploads. No defaults ##### `GITLAB_ROBOTS_PATH` Location of custom `robots.txt`. Uses GitLab's default `robots.txt` configuration by default. See [www.robotstxt.org](http://www.robotstxt.org) for examples. ##### `RACK_ATTACK_ENABLED` Enable/disable rack middleware for blocking & throttling abusive requests Defaults to `true`. ##### `RACK_ATTACK_WHITELIST` Always allow requests from whitelisted host. This should be a valid yaml sequence of host address. Each host address string must be a valid IP address that can be passed to `IPAddr.new` of ruby. 
See [ruby-lang reference](https://docs.ruby-lang.org/en/3.0/IPAddr.html#method-c-new) for details. If you need to set multiple hosts, set this parameter like `["1.1.1.1","192.168.0.0/24"]` for example. ````yaml environment: # pattern 1: `- key=value` style : you can specify array of hosts as is - RACK_ATTACK_WHITELIST=["1.1.1.1","192.168.0.0/24"] # pattern 2: `key: value` style : you must surround with quote, as the value of environment variable must not be an array RACK_ATTACK_WHITELIST: "['1.1.1.1','192.168.0.0/24']" ```` Defaults to `["127.0.0.1"]` ##### `RACK_ATTACK_MAXRETRY` Number of failed auth attempts after which an IP is banned. Defaults to `10` ##### `RACK_ATTACK_FINDTIME` Number of seconds before resetting the per-IP auth attempt counter. Defaults to `60`. ##### `RACK_ATTACK_BANTIME` Number of seconds an IP stays banned after too many auth attempts. Defaults to `3600`. ##### `GITLAB_WORKHORSE_TIMEOUT` Timeout for the gitlab workhorse http proxy. Defaults to `5m0s`. ##### `SENTRY_ENABLED` Enables Error Reporting and Logging with Sentry. Defaults to `false`. ##### `SENTRY_DSN` Sentry DSN. No defaults. ##### `SENTRY_CLIENTSIDE_DSN` Sentry client side DSN. No defaults. ##### `SENTRY_ENVIRONMENT` Sentry environment. Defaults to `production`. #### Docker secrets and configs All the above environment variables can be put into a [secrets](https://docs.docker.com/compose/compose-file/#secrets) or [config](https://docs.docker.com/compose/compose-file/#configs) file and then both docker-compose and Docker Swarm can import them into your gitlab container. On startup, the gitlab container will source env vars from a config file labeled `gitlab-config`, and then a secrets file labeled `gitlab-secrets` (both mounted in the default locations). See the example [`contrib/docker-swarm/docker-compose.yml`](./contrib/docker-swarm/docker-compose.yml) file, and the example `gitlab.configs` and `gitlab.secrets` files. 
You may also choose file names other than the example source files (`gitlab.configs` and `gitlab.secrets`) and update the `file: ./gitlab.configs` and `file: ./gitlab.secrets` references accordingly. But do not alter the config keys [`gitlab-configs`](contrib/docker-swarm/docker-compose.yml#L158) and [`gitlab-secrets`](contrib/docker-swarm/docker-compose.yml#L162) as they are currently [hardcoded](./assets/runtime/functions#L4:L9) and thus must be kept as in the example. If you're not using one of these files, then don't include its entry in the docker-compose file. ## Maintenance ### Creating backups GitLab defines a rake task to take a backup of your gitlab installation. The backup consists of all git repositories, uploaded files and, as you might expect, the sql database. Before taking a backup make sure the container is stopped and removed to avoid container name conflicts. ```bash docker stop gitlab && docker rm gitlab ``` Execute the rake task to create a backup. ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:18.9.2 app:rake gitlab:backup:create ``` A backup will be created in the backups folder of the [Data Store](#data-store). You can change the location of the backups using the `GITLAB_BACKUP_DIR` configuration parameter. *P.S. Backups can also be generated on a running instance using `docker exec` as described in the [Rake Tasks](#rake-tasks) section. However, to avoid undesired side-effects, I advise against running backup and restore operations on a running instance.* When using `docker-compose` you may use the following command to execute the backup. ```bash docker-compose rm -sf gitlab docker-compose run --rm gitlab app:rake gitlab:backup:create ``` Afterwards you can bring your instance back with the following command: ```bash docker-compose up -d ``` ### Restoring Backups GitLab also defines a rake task to restore a backup. 
Before performing a restore make sure the container is stopped and removed to avoid container name conflicts. ```bash docker stop gitlab && docker rm gitlab ``` If this is a fresh database that you're doing the restore on, first you need to prepare the database: ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:18.9.2 app:rake db:setup ``` Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`. ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:18.9.2 app:rake gitlab:backup:restore ``` The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. To avoid user interaction in the restore operation, specify the timestamp, date and version of the backup using the `BACKUP` argument to the rake task. ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:18.9.2 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6 ``` When using `docker-compose` you may use the following command to execute the restore. ```bash docker-compose run --rm gitlab app:rake gitlab:backup:restore # List available backups docker-compose run --rm gitlab app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.10.0 # Choose to restore from 1515629493 ``` ### Host Key Backups (ssh) SSH keys are not backed up in the normal gitlab backup process. You will need to backup the `ssh/` directory in the data volume by hand and you will want to restore it prior to doing a gitlab restore. ### Automated Backups The image can be configured to automatically take backups `daily`, `weekly` or `monthly` using the `GITLAB_BACKUP_SCHEDULE` configuration option. Daily backups are created at `GITLAB_BACKUP_TIME` which defaults to `04:00` everyday. Weekly backups are created every Sunday at the same time as the daily backups. Monthly backups are created on the 1st of every month at the same time as the daily backups. 
By default, when automated backups are enabled, backups are held for a period of 7 days. When automated backups are disabled, backups are kept indefinitely. This behavior can be configured via the `GITLAB_BACKUP_EXPIRY` option. #### Amazon Web Services (AWS) Remote Backups The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. Finally, an IAM user must be configured with the appropriate access permissions and its AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`. More details about the appropriate IAM user properties can be found on [doc.gitlab.com](http://doc.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage) For remote backup to self-hosted S3-compatible storage, use `AWS_BACKUP_ENDPOINT`. AWS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed. #### Google Cloud Storage (GCS) Remote Backups The image can be configured to automatically upload the backups to a Google Cloud Storage bucket. To enable automatic GCS backups first add `--env 'GCS_BACKUPS=true'` to the docker run command. In addition `GCS_BACKUP_BUCKET` must be properly configured to point to the desired GCS location. Finally, a pair of `Interoperable storage access keys` must be created and exposed through `GCS_BACKUP_ACCESS_KEY_ID` and `GCS_BACKUP_SECRET_ACCESS_KEY`. More details about the Cloud Storage interoperability properties can be found on [cloud.google.com/storage](https://cloud.google.com/storage/docs/interoperability) GCS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed. 
### Rake Tasks The `app:rake` command allows you to run gitlab rake tasks. To run a rake task simply specify the task to be executed to the `app:rake` command. For example, to gather information about GitLab and the system it runs on: ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:18.9.2 app:rake gitlab:env:info ``` You can also use `docker exec` to run rake tasks on a running gitlab instance. For example, ```bash docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production ``` Similarly, to import bare repositories into a GitLab project instance ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:18.9.2 app:rake gitlab:import:repos ``` Or ```bash docker exec -it gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production ``` For a complete list of available rake tasks please refer to the help section of your gitlab installation. *P.S. Please avoid running the rake tasks for backup and restore operations on a running gitlab instance.* To use the `app:rake` command with `docker-compose` use the following command. ```bash ## For stopped instances docker-compose run --rm gitlab app:rake gitlab:env:info docker-compose run --rm gitlab app:rake gitlab:import:repos ## For running instances docker-compose exec --user git gitlab bundle exec rake gitlab:env:info RAILS_ENV=production docker-compose exec gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production ``` ### Import Repositories Copy all the **bare** git repositories to the `repositories/` directory of the [data store](#data-store) and execute the `gitlab:import:repos` rake task like so: ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:18.9.2 app:rake gitlab:import:repos ``` Watch the logs and your repositories should be available in your new gitlab container. See [Rake Tasks](#rake-tasks) for more information on executing rake tasks. 
Usage when using `docker-compose` can also be found there. ### Upgrading > **Important Notice** > > Since GitLab release `8.6.0` PostgreSQL users should enable `pg_trgm` extension on the GitLab database. Refer to GitLab's [Postgresql Requirements](http://doc.gitlab.com/ce/install/requirements.html#postgresql-requirements) for more information > > If you're using `sameersbn/postgresql` then please upgrade to `kkimurak/sameersbn-postgresql:16` or later and add `DB_EXTENSION=pg_trgm,btree_gist` to the environment of the PostgreSQL container (see: ). > > Please keep in mind that: > > - As of version 13.7.0, the required PostgreSQL version is 12.x. > - As of version 16.0.0, the required PostgreSQL version is 13.x. > - As of version 17.0.0, the required PostgreSQL version is 14.x. > - As of version 18.0.0, the required PostgreSQL version is 16.x. > > If you're using PostgreSQL image other than the above, please review section [Upgrading PostgreSQL](#upgrading-postgresql). GitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down. To upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure. > **Note** > > Upgrading to `sameersbn/gitlab:18.9.2` from `sameersbn/gitlab:7.x.x` can cause issues. It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher. - **Step 1**: Update the docker image. 
```bash docker pull sameersbn/gitlab:18.9.2 ``` - **Step 2**: Stop and remove the currently running image ```bash docker stop gitlab docker rm gitlab ``` - **Step 3**: Create a backup ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:x.x.x app:rake gitlab:backup:create ``` Replace `x.x.x` with the version you are upgrading from. For example, if you are upgrading from version `6.0.0`, set `x.x.x` to `6.0.0` - **Step 4**: Start the image > **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image. > **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters. > **Note**: Since Gitlab 13.7 you need to provide the `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` parameter while starting the image. If not provided, the key will be generated by gitlab. So you can start the image without setting this parameter. But you will lose the key when you shutting down the container without taking a backup of `secrets.yml`. > **Note**: Since Gitlab 17.8 you need to provide `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`,`GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`. If not provided, these keys will be generated by gitlab. 
The image can be started without setting these parameters, **but you will lose the settings when you shut down the container without taking a backup of `secrets.yml`, and settings stored securely (such as the Dependency Proxy) will be unusable and unrecoverable.** ```bash docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.9.2 ``` ### Shell Access For debugging and maintenance purposes you may want to access the container's shell. If you are using docker version `1.3.0` or higher you can access a running container's shell using the `docker exec` command. ```bash docker exec -it gitlab bash ``` ## Monitoring You can monitor your GitLab instance status as described in the [official documentation](https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html), for example: ```bash curl 'https://gitlab.example.com/-/liveness' ``` On success, the endpoint will return a `200` HTTP status code, and a response like the one below. ```bash { "status": "ok" } ``` For this to work you will need to set the environment variable `GITLAB_MONITORING_IP_WHITELIST` to allow your IP or subnet to make requests to the health check endpoints of your GitLab instance. 
### Health Check You can also set your `docker-compose.yml` [healthcheck](https://docs.docker.com/compose/compose-file/compose-file-v2/#healthcheck) configuration to make periodic checks: ```yml services: gitlab: image: sameersbn/gitlab:18.9.2 healthcheck: test: ["CMD", "/usr/local/sbin/healthcheck"] interval: 1m timeout: 5s retries: 5 start_period: 2m ``` Then you will be able to consult the health check log by executing: ```bash docker inspect --format "{{json .State.Health }}" $(docker-compose ps -q gitlab) | jq ``` ## References - - - - - - - ================================================ FILE: VERSION ================================================ 18.9.2 ================================================ FILE: assets/build/config/database.yml.postgresql ================================================ # HINT: This file is identical to the corresponding configuration file from the # upstream repository, where the additional defined entries for `geo` had to be # removed. Otherwise, it is not possible to build the image, since the build # will fail with the error message: # # > rake aborted! # > ERROR: This installation of GitLab uses unsupported database names in 'config/database.yml': geo. The only supported ones are main, ci. # # This adjustment is hopefully only a temporary workaround (see # ). 
# # PRODUCTION # production: main: adapter: postgresql encoding: unicode database: gitlabhq_production username: git password: "secure password" host: localhost # load_balancing: # hosts: # - host1.example.com # - host2.example.com # discover: # nameserver: 1.2.3.4 # port: 8600 # record: secondary.postgresql.service.consul # interval: 300 ci: adapter: postgresql encoding: unicode database: gitlabhq_production database_tasks: false username: git password: "secure password" host: localhost # geo: # adapter: postgresql # encoding: unicode # database: gitlabhq_geo_production # username: git # password: "secure password" # host: localhost # # Development specific # development: main: adapter: postgresql encoding: unicode database: gitlabhq_development username: postgres password: "secure password" host: localhost variables: statement_timeout: 15s ci: adapter: postgresql encoding: unicode database: gitlabhq_development database_tasks: false username: postgres password: "secure password" host: localhost variables: statement_timeout: 15s # geo: # adapter: postgresql # encoding: unicode # database: gitlabhq_geo_development # username: postgres # password: "secure password" # host: localhost # # Staging specific # staging: main: adapter: postgresql encoding: unicode database: gitlabhq_staging username: git password: "secure password" host: localhost ci: adapter: postgresql encoding: unicode database: gitlabhq_staging database_tasks: false username: git password: "secure password" host: localhost # geo: # adapter: postgresql # encoding: unicode # database: gitlabhq_geo_staging # username: git # password: "secure password" # host: localhost # Warning: The database defined as "test" will be erased and # re-generated from your development database when you run "rake". # Do not set this db to the same as development or production. 
test: &test main: adapter: postgresql encoding: unicode database: gitlabhq_test username: postgres password: host: localhost prepared_statements: false variables: statement_timeout: 15s ci: adapter: postgresql encoding: unicode database: gitlabhq_test database_tasks: false username: postgres password: host: localhost prepared_statements: false variables: statement_timeout: 15s # geo: # adapter: postgresql # encoding: unicode # database: gitlabhq_geo_test # username: postgres # password: # host: localhost # embedding: # adapter: postgresql # encoding: unicode # database: gitlabhq_embedding_test # username: postgres # password: # host: localhost ================================================ FILE: assets/build/install.sh ================================================ #!/bin/bash set -e GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2 GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git GITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git GITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse GITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages GITLAB_GITALY_BUILD_DIR=/tmp/gitaly RUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz GEM_CACHE_DIR="${GITLAB_BUILD_DIR}/cache" GOROOT=/tmp/go PATH=${GOROOT}/bin:$PATH export GOROOT PATH # TODO Verify, if this is necessary or not. 
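# BUILD_DEPENDENCIES="gcc g++ make patch pkg-config cmake paxctl \
BUILD_DEPENDENCIES="gcc g++ make patch pkg-config cmake \
  libc6-dev \
  libpq-dev zlib1g-dev libssl-dev \
  libgdbm-dev libreadline-dev libncurses5-dev libffi-dev \
  libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev \
  gettext libkrb5-dev \
  libexpat1-dev libz-dev libpcre2-dev build-essential git"

## Execute a command as GITLAB_USER.
## Runs "$@" directly when the current user already is ${GITLAB_USER};
## otherwise re-executes it through sudo. -H sets HOME to the target user's
## home directory, -E keeps the current environment so the build-time
## variables (and the PATH that includes ${GOROOT}/bin) remain visible to
## the command.
exec_as_git() {
  if [[ $(whoami) == "${GITLAB_USER}" ]]; then
    "$@"
  else
    sudo -HEu "${GITLAB_USER}" "$@"
  fi
}

# install build dependencies for gem installation
# (BUILD_DEPENDENCIES is deliberately unquoted so it word-splits into package names)
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y ${BUILD_DEPENDENCIES}

# build ruby from source
echo "Building ruby v${RUBY_VERSION} from source..."
PWD_ORG="$PWD"
mkdir /tmp/ruby && cd /tmp/ruby
# --fail turns an HTTP error response into a non-zero exit (and, under
# `set -e`, a build abort) instead of saving the error page as the tarball.
curl --fail --remote-name -Ss "${RUBY_SRC_URL}"
# The downloaded tarball must match the pinned RUBY_SOURCE_SHA256SUM;
# `sha256sum -c` exits non-zero on a mismatch, which aborts the build.
printf '%s ruby-%s.tar.gz' "${RUBY_SOURCE_SHA256SUM}" "${RUBY_VERSION}" | sha256sum -c -
tar xzf ruby-"${RUBY_VERSION}".tar.gz && cd ruby-"${RUBY_VERSION}"
# Apply the patches in sorted (numbered) order; bare `find` output order is
# filesystem dependent, which would make multi-patch builds non-deterministic.
find "${GITLAB_BUILD_DIR}/patches/ruby" -name "*.patch" | sort | while read -r patch_file; do
  echo "Applying patch ${patch_file}"
  patch -p1 -i "${patch_file}"
done
./configure --disable-install-rdoc --enable-shared
make -j"$(nproc)"
make install
cd "$PWD_ORG" && rm -rf /tmp/ruby

# upgrade rubygems on demand
gem update --no-document --system "${RUBYGEMS_VERSION}"

# TODO Verify, if this is necessary or not.
# # PaX-mark ruby
# # Applying the mark late here does make the build usable on PaX kernels, but
# # still the build itself must be executed on a non-PaX kernel. It's done here
# # only for simplicity.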
# paxctl -cvm "$(command -v ruby)" # # https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Node.js # paxctl -cvm "$(command -v node)" # remove the host keys generated during openssh-server installation rm -rf /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub # add ${GITLAB_USER} user deluser --remove-home ubuntu addgroup --gid 1000 git adduser --uid 1000 --gid 1000 --disabled-password --gecos 'GitLab' ${GITLAB_USER} passwd -d ${GITLAB_USER} # set PATH (fixes cron job PATH issues) cat >> ${GITLAB_HOME}/.profile < and # there seems to # be some attempts to remove ruby from gitaly. # # cp -a ${GITLAB_GITALY_BUILD_DIR}/ruby ${GITLAB_GITALY_INSTALL_DIR}/ cp -a ${GITLAB_GITALY_BUILD_DIR}/config.toml.example ${GITLAB_GITALY_INSTALL_DIR}/config.toml rm -rf ${GITLAB_GITALY_INSTALL_DIR}/ruby/vendor/bundle/ruby/**/cache chown -R ${GITLAB_USER}: ${GITLAB_GITALY_INSTALL_DIR} # install git bundled with gitaly. make -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local # clean up rm -rf ${GITLAB_GITALY_BUILD_DIR} # remove go go clean --modcache rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT} # revert `rake gitlab:setup` changes from gitlabhq/gitlabhq@a54af831bae023770bf9b2633cc45ec0d5f5a66a exec_as_git sed -i 's/db:reset/db:setup/' ${GITLAB_INSTALL_DIR}/lib/tasks/gitlab/setup.rake # change SSH_ALGORITHM_PATH - we have moved host keys in ${GITLAB_DATA_DIR}/ssh/ to persist them exec_as_git sed -i "s:/etc/ssh/:/${GITLAB_DATA_DIR}/ssh/:g" ${GITLAB_INSTALL_DIR}/app/models/instance_configuration.rb cd ${GITLAB_INSTALL_DIR} # install gems, use local cache if available if [[ -d ${GEM_CACHE_DIR} ]]; then echo "Found local npm package cache..." 
mv ${GEM_CACHE_DIR} ${GITLAB_INSTALL_DIR}/vendor/cache chown -R ${GITLAB_USER}: ${GITLAB_INSTALL_DIR}/vendor/cache fi exec_as_git bundle config set --local deployment 'true' exec_as_git bundle config set --local without 'development test mysql aws' exec_as_git bundle install -j"$(nproc)" # make sure everything in ${GITLAB_HOME} is owned by ${GITLAB_USER} user chown -R ${GITLAB_USER}: ${GITLAB_HOME} # gitlab.yml and database.yml are required for `assets:precompile` exec_as_git cp ${GITLAB_INSTALL_DIR}/config/resque.yml.example ${GITLAB_INSTALL_DIR}/config/resque.yml exec_as_git cp ${GITLAB_INSTALL_DIR}/config/gitlab.yml.example ${GITLAB_INSTALL_DIR}/config/gitlab.yml # # Temporary workaround, see # # exec_as_git cp ${GITLAB_INSTALL_DIR}/config/database.yml.postgresql ${GITLAB_INSTALL_DIR}/config/database.yml cp ${GITLAB_BUILD_DIR}/config/database.yml.postgresql ${GITLAB_INSTALL_DIR}/config/database.yml chown ${GITLAB_USER}: ${GITLAB_INSTALL_DIR}/config/database.yml # Installs nodejs packages required to compile webpack exec_as_git yarn install --production --pure-lockfile echo "Compiling assets. Please be patient, this could take a while..." 
exec_as_git bundle exec rake gitlab:assets:compile USE_DB=false SKIP_STORAGE_VALIDATION=true NODE_OPTIONS="--max-old-space-size=8192" # remove auto generated ${GITLAB_DATA_DIR}/config/secrets.yml rm -rf ${GITLAB_DATA_DIR}/config/secrets.yml # remove gitlab shell and workhorse secrets rm -f ${GITLAB_INSTALL_DIR}/.gitlab_shell_secret ${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret exec_as_git mkdir -p ${GITLAB_INSTALL_DIR}/tmp/pids/ ${GITLAB_INSTALL_DIR}/tmp/sockets/ chmod -R u+rwX ${GITLAB_INSTALL_DIR}/tmp # symlink ${GITLAB_HOME}/.ssh -> ${GITLAB_LOG_DIR}/gitlab rm -rf ${GITLAB_HOME}/.ssh exec_as_git ln -sf ${GITLAB_DATA_DIR}/.ssh ${GITLAB_HOME}/.ssh # symlink ${GITLAB_INSTALL_DIR}/log -> ${GITLAB_LOG_DIR}/gitlab rm -rf ${GITLAB_INSTALL_DIR}/log ln -sf ${GITLAB_LOG_DIR}/gitlab ${GITLAB_INSTALL_DIR}/log # symlink ${GITLAB_INSTALL_DIR}/public/uploads -> ${GITLAB_DATA_DIR}/uploads rm -rf ${GITLAB_INSTALL_DIR}/public/uploads exec_as_git ln -sf ${GITLAB_DATA_DIR}/uploads ${GITLAB_INSTALL_DIR}/public/uploads # symlink ${GITLAB_INSTALL_DIR}/.secret -> ${GITLAB_DATA_DIR}/.secret rm -rf ${GITLAB_INSTALL_DIR}/.secret exec_as_git ln -sf ${GITLAB_DATA_DIR}/.secret ${GITLAB_INSTALL_DIR}/.secret # WORKAROUND for https://github.com/sameersbn/docker-gitlab/issues/509 rm -rf ${GITLAB_INSTALL_DIR}/builds rm -rf ${GITLAB_INSTALL_DIR}/shared # install gitlab bootscript, to silence gitlab:check warnings cp ${GITLAB_INSTALL_DIR}/lib/support/init.d/gitlab /etc/init.d/gitlab chmod +x /etc/init.d/gitlab # disable default nginx configuration and enable gitlab's nginx configuration rm -rf /etc/nginx/sites-enabled/default # configure sshd sed -i \ -e "s|^[#]*UsePAM yes|UsePAM no|" \ -e "s|^[#]*UsePrivilegeSeparation yes|UsePrivilegeSeparation no|" \ -e "s|^[#]*PasswordAuthentication yes|PasswordAuthentication no|" \ -e "s|^[#]*LogLevel INFO|LogLevel VERBOSE|" \ -e "s|^[#]*AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_proxy|" \ /etc/ssh/sshd_config echo 
"AcceptEnv GIT_PROTOCOL" >> /etc/ssh/sshd_config # Allow clients to explicitly set the Git transfer protocol, e.g. to enable version 2. echo "UseDNS no" >> /etc/ssh/sshd_config # move supervisord.log file to ${GITLAB_LOG_DIR}/supervisor/ sed -i "s|^[#]*logfile=.*|logfile=${GITLAB_LOG_DIR}/supervisor/supervisord.log ;|" /etc/supervisor/supervisord.conf # silence "CRIT Server 'unix_http_server' running without any HTTP authentication checking" message # https://github.com/Supervisor/supervisor/issues/717 sed -i '/\.sock/a password=dummy' /etc/supervisor/supervisord.conf sed -i '/\.sock/a username=dummy' /etc/supervisor/supervisord.conf # prevent confusing warning "CRIT Supervisor running as root" by clarify run as root # user not defined in supervisord.conf by default, so just append it after [supervisord] block sed -i "/\[supervisord\]/a user=root" /etc/supervisor/supervisord.conf # move nginx logs to ${GITLAB_LOG_DIR}/nginx sed -i \ -e "s|access_log /var/log/nginx/access.log;|access_log ${GITLAB_LOG_DIR}/nginx/access.log;|" \ -e "s|error_log /var/log/nginx/error.log;|error_log ${GITLAB_LOG_DIR}/nginx/error.log;|" \ /etc/nginx/nginx.conf # fix "unknown group 'syslog'" error preventing logrotate from functioning sed -i "s|^su root syslog$|su root root|" /etc/logrotate.conf # configure supervisord log rotation cat > /etc/logrotate.d/supervisord < /etc/logrotate.d/gitlab < /etc/logrotate.d/gitlab-shell < /etc/logrotate.d/gitaly < /etc/logrotate.d/gitlab-nginx < /etc/supervisor/conf.d/puma.conf < /etc/supervisor/conf.d/sidekiq.conf < /etc/supervisor/conf.d/gitlab-workhorse.conf < /etc/supervisor/conf.d/gitaly.conf < /etc/supervisor/conf.d/mail_room.conf < /etc/supervisor/conf.d/sshd.conf < /etc/supervisor/conf.d/nginx.conf < /etc/supervisor/conf.d/cron.conf < /etc/supervisor/conf.d/groups.conf < stat.isDirectory()).catch(() => false); + if(isDirectory) { + for (const dir_ent of await readdir(NODE_MODULES, { withFileTypes: true})) { + const to_remove = join(NODE_MODULES, 
dir_ent.name);
+ await rm(to_remove, { recursive: true, force: true });
+ }
+ }
 }
================================================ FILE: assets/build/patches/gitlabhq/0004-fix-raketask-gitlab-assets-compile.patch.bak ================================================
diff --git a/lib/tasks/gitlab/assets.rake b/lib/tasks/gitlab/assets.rake
index b8a6e7018767..5096d81ea63f 100644
--- a/lib/tasks/gitlab/assets.rake
+++ b/lib/tasks/gitlab/assets.rake
@@ -96,7 +96,14 @@ namespace :gitlab do
 puts "Assets SHA256 for `HEAD`: #{Tasks::Gitlab::Assets.head_assets_sha256.inspect}"
 if Tasks::Gitlab::Assets.head_assets_sha256 != Tasks::Gitlab::Assets.master_assets_sha256
- FileUtils.rm_rf([Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR] + Dir.glob('app/assets/javascripts/locale/**/app.js'))
+ # sameersbn/gitlab takes a cache of public_assets_dir by symlinking to volume to speedup relaunch (if relative url is used)
+ # so do not remove the directory directly, empty instead
+ # Dir.glob("*") ignores dotfiles (even it is fine to remove here), so list up children manually
+ removal_targets = Dir.glob('app/assets/javascripts/locale/**/app.js')
+ if Dir.exist?(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR)
+ removal_targets += Dir.children(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR).map {|child| File.join(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR, child)}
+ end
+ FileUtils.rm_rf(removal_targets, secure: true)
 # gettext:compile needs to run before rake:assets:precompile because
 # app/assets/javascripts/locale/**/app.js are pre-compiled by Sprockets
================================================ FILE: assets/build/patches/gitlabhq/0005_fix-gitlab-setup-mr225503.patch ================================================
From a39aef6cf81149d940061d56f358d220dbf90159 Mon Sep 17 00:00:00 2001
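Review bot: `FileUtils.rm_rf(removal_targets, secure: true)` on the last added line changes failure behaviour, not just the target list: `secure: true` routes directory targets through `FileUtils.remove_entry_secure`, which raises ArgumentError when a directory's parent is world-writable without the sticky bit, and under rm_rf's force mode that error is at best swallowed, leaving the subdirectory in place. The added comment says PUBLIC_ASSETS_DIR is a symlink into a mounted volume whose permissions the image does not control, so this case is plausible; if the intent is only to empty the directory, the removed line's plain `FileUtils.rm_rf(removal_targets)` is the more predictable choice, or the ArgumentError should be rescued and reported. The third added comment would also read more clearly as `# Dir.glob("*") skips dotfiles (which are fine to remove here too), so list the children explicitly`. The enclosing rake task continues outside the hunk.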
From: Vasilii Iakliushin
Date: Mon, 2 Mar 2026 15:21:34 +0100
Subject: [PATCH 1/2] Fix gitlab:setup failure on fresh database
Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/591292 **Problem** Running `gitlab:setup` on a fresh PostgreSQL database fails with `PG::UndefinedTable: ERROR: relation "feature_gates" does not exist`. This regression was introduced in 18.9 by https://gitlab.com/gitlab-org/gitlab/-/merge_requests/220200 which added a circuit breaker to the Gitaly client. The `CircuitBreaker#enabled?` method calls `Feature.enabled?` before the database schema is initialized, causing Flipper to query the non-existent `feature_gates` table. **Solution** Check `Feature::FlipperFeature.table_exists?` before calling `Feature.enabled?` in `CircuitBreaker#enabled?`. This follows the established pattern used in `lib/feature/gitaly.rb`. Changelog: fixed
---
lib/gitlab/gitaly_client/circuit_breaker.rb | 2 ++
.../gitaly_client/circuit_breaker_spec.rb | 17 +++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/lib/gitlab/gitaly_client/circuit_breaker.rb b/lib/gitlab/gitaly_client/circuit_breaker.rb
index f7f2a79b5d7a..05924b641581 100644
--- a/lib/gitlab/gitaly_client/circuit_breaker.rb
+++ b/lib/gitlab/gitaly_client/circuit_breaker.rb
@@ -39,6 +39,8 @@ def check!
 attr_reader :service, :rpc, :storage
 def enabled?
+ return false unless Feature::FlipperFeature.table_exists?
+
 Feature.enabled?(:add_circuit_breaker_to_gitaly, Feature.current_request)
 end
================================================ FILE: assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.bak ================================================
From 64e503eb62aff0952b655e9a86217e355f786146 Mon Sep 17 00:00:00 2001
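Review bot: `return false unless Feature::FlipperFeature.table_exists?` guards only the missing-table case the message describes; when the database itself is not yet reachable or does not exist, `table_exists?` will presumably still raise before `Feature.enabled?` is reached, so the guard narrows the failure on a fresh setup rather than removing it. If `lib/feature/gitaly.rb`, cited as the pattern being followed, also rescues connection errors, mirroring that here would keep the two consistent; in any case a one-line comment such as `# Flipper reads feature_gates; during gitlab:setup the table does not exist yet` would make the reason for the early return visible to the next reader. Worth stating explicitly is that the early return reports the circuit breaker as disabled rather than enabled, which is appropriate while the schema is being created but is a behavioural choice, not just a crash fix. The `enabled?` method is fully visible; its `check!` caller named in the hunk header is outside the hunk.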
From: =?UTF-8?q?=E5=8D=9C=E9=83=A8=E6=98=8C=E5=B9=B3?= Date: Thu, 13 Apr 2023 15:36:24 +0900 Subject: [PATCH] avoid seeding OpenSSL's man page previously stated that "the application is responsible for seeding the PRNG by calling RAND_add" (see [1]). So we had this code. However things changed. They no longer say so, instead "manual (re-)seeding of the default OpenSSL random generator is not necessary" now (see [2]). It seems all OpenSSL versions that we support now already behaves like this. Let's follow that. [1]: https://www.openssl.org/docs/man1.0.2/man3/RAND_add.html [2]: https://www.openssl.org/docs/manmaster/man3/RAND_add.html --- lib/securerandom.rb | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/lib/securerandom.rb b/lib/securerandom.rb index 07ae048634..c5be6ce734 100644 --- a/lib/securerandom.rb +++ b/lib/securerandom.rb 
@@ -47,17 +47,6 @@ def bytes(n) private def gen_random_openssl(n) - @pid = 0 unless defined?(@pid) - pid = $$ - unless @pid == pid - now = Process.clock_gettime(Process::CLOCK_REALTIME, :nanosecond) - OpenSSL::Random.random_add([now, @pid, pid].join(""), 0.0) - seed = Random.urandom(16) - if (seed) - OpenSSL::Random.random_add(seed, 16) - end - @pid = pid - end return OpenSSL::Random.random_bytes(n) end -- 2.43.0.windows.1 ================================================ FILE: assets/runtime/config/gitaly/config.toml ================================================ # Example Gitaly configuration file # Documentation lives at https://docs.gitlab.com/ee/administration/gitaly/ and # https://docs.gitlab.com/ee//administration/gitaly/reference socket_path = "{{GITALY_SOCKET_PATH}}" # The directory where Gitaly's executables are stored bin_dir = "/usr/local/bin/" # # Optional: listen on a TCP socket. This is insecure (no authentication) # listen_addr = "localhost:9999" # tls_listen_addr = "localhost:8888 # # Optional: export metrics via Prometheus # prometheus_listen_addr = "localhost:9236" # # Optional: configure where the Gitaly creates the sockets for internal connections. If unset, Gitaly will create a randomly # # named temp directory each time it boots. # # Non Gitaly clients should never connect to these sockets. # internal_socket_dir = "/home/git/gitlab/tmp/sockets/private/internal" # # Optional: authenticate Gitaly requests using a shared secret # [auth] # token = 'abc123secret' # transitioning = false # Set `transitioning` to true to temporarily allow unauthenticated while rolling out authentication. 
# [tls] # certificate_path = '/home/git/cert.cert' # key_path = '/home/git/key.pem' # # Git settings # [git] # bin_path = "/usr/bin/git" # catfile_cache_size = 100 [[storage]] name = "default" path = "{{GITLAB_REPOS_DIR}}" # # You can optionally configure more storages for this Gitaly instance to serve up # # [[storage]] # name = "other_storage" # path = "/mnt/other_storage/repositories" # # # You can optionally configure Gitaly to output JSON-formatted log messages to stdout [logging] # # The directory where Gitaly stores extra log files dir = "{{GITLAB_LOG_DIR}}/gitaly" # format = "json" # # Optional: Set log level to only log entries with that severity or above # # One of, in order: debug, info, warn, error, fatal, panic # # Defaults to "info" # level = "warn" # # # Additionally exceptions from the Go server can be reported to Sentry # sentry_dsn = "https://:@sentry.io/" # # Exceptions from gitaly-ruby can also be reported to Sentry # ruby_sentry_dsn = "https://:@sentry.io/" # # You can optionally configure Gitaly to record histogram latencies on GRPC method calls # [prometheus] # grpc_latency_buckets = [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0] [gitaly-ruby] # The directory where gitaly-ruby is installed dir = "{{GITLAB_GITALY_INSTALL_DIR}}/ruby" # # Gitaly-ruby resident set size (RSS) that triggers a memory restart (bytes) # max_rss = 200000000 # # # Grace period before a gitaly-ruby process is forcibly terminated after exceeding max_rss (seconds) # graceful_restart_timeout = "10m" # # # Time that gitaly-ruby memory must remain high before a restart (seconds) # restart_delay = "5m" # # # Number of gitaly-ruby worker processes # num_workers = 2 # # # Search path for system gitconfig file (e.g. /etc, /opt/gitlab/embedded/etc) # # NOTE: This only affects RPCs that use Rugged. 
# rugged_git_config_search_path = "/etc" [gitlab-shell] # The directory where gitlab-shell is installed dir = "{{GITLAB_SHELL_INSTALL_DIR}}" # # You can adjust the concurrency of each RPC endpoint # [[concurrency]] # rpc = "/gitaly.RepositoryService/GarbageCollect" # max_per_repo = 1 [gitlab] secret_file = "/home/git/gitlab-shell/.gitlab_shell_secret" url = "http://127.0.0.1:8181{{GITLAB_RELATIVE_URL_ROOT}}" ================================================ FILE: assets/runtime/config/gitlab-pages/config ================================================ auth-client-id={{GITLAB_PAGES_ACCESS_CLIENT_ID}} auth-client-secret={{GITLAB_PAGES_ACCESS_CLIENT_SECRET}} auth-redirect-uri={{GITLAB_PAGES_ACCESS_REDIRECT_URI}} auth-secret={{GITLAB_PAGES_ACCESS_SECRET}} gitlab-server={{GITLAB_PAGES_ACCESS_CONTROL_SERVER}} artifacts-server={{GITLAB_PAGES_ARTIFACTS_SERVER_URL}} internal-gitlab-server=http://127.0.0.1:8080{{GITLAB_RELATIVE_URL_ROOT}} api-secret-key={{GITLAB_INSTALL_DIR}}/.gitlab_pages_secret log-verbose={{GITLAB_PAGES_LOG_VERBOSE}} namespace-in-path={{GITLAB_PAGES_NAMESPACE_IN_PATH}} ================================================ FILE: assets/runtime/config/gitlab-shell/config.yml ================================================ # # If you change this file in a Merge Request, please also create # a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # # GitLab user. git by default user: git # URL to GitLab instance, used for API calls. Default: http://localhost:8080. # For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html # You only have to change the default if you have configured Unicorn # to listen on a custom port, or if you have configured Unicorn to # only listen on a Unix domain socket. For Unix domain sockets use # "http+unix://", e.g. 
# "http+unix://%2Fpath%2Fto%2Fsocket" gitlab_url: "http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}}" # See installation.md#using-https for additional HTTPS configuration details. http_settings: # read_timeout: 300 # user: someone # password: somepass # ca_file: /etc/ssl/cert.pem # ca_path: /etc/pki/tls/certs self_signed_cert: {{SSL_SELF_SIGNED}} # File used as authorized_keys for gitlab user auth_file: "{{GITLAB_HOME}}/.ssh/authorized_keys" # File that contains the secret key for verifying access to GitLab. # Default is .gitlab_shell_secret in the gitlab-shell directory. secret_file: "{{GITLAB_SHELL_INSTALL_DIR}}/.gitlab_shell_secret" # Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d) # Default is hooks in the gitlab-shell directory. custom_hooks_dir: "{{GITLAB_SHELL_INSTALL_DIR}}/hooks" # Log file. # Default is gitlab-shell.log in the root directory. log_file: "{{GITLAB_LOG_DIR}}/gitlab-shell/gitlab-shell.log" # Log level. INFO by default log_level: INFO # Log format. 'text' by default # log_format: json # Audit usernames. # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but # incurs an extra API call on every gitlab-shell command. audit_usernames: false # Distributed Tracing. GitLab-Shell has distributed tracing instrumentation. 
# For more details, visit https://docs.gitlab.com/ee/development/distributed_tracing.html # gitlab_tracing: opentracing://driver ================================================ FILE: assets/runtime/config/gitlabhq/cable.yml ================================================ # This is a template taken from here: # https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/cable.yml.example development: adapter: redis url: redis://127.0.0.1:6379 channel_prefix: gitlab_development test: adapter: redis url: redis://127.0.0.1:6379 channel_prefix: gitlab_test production: adapter: redis url: redis://{{REDIS_HOST}}:{{REDIS_PORT}}/{{REDIS_DB_NUMBER}} channel_prefix: gitlab_production ================================================ FILE: assets/runtime/config/gitlabhq/database.yml ================================================ # # PRODUCTION (here: non-decomposed database) # production: main: adapter: postgresql encoding: {{DB_ENCODING}} database: {{DB_NAME}} host: {{DB_HOST}} port: {{DB_PORT}} username: {{DB_USER}} password: "{{DB_PASS}}" pool: {{DB_POOL}} prepared_statements: {{DB_PREPARED_STATEMENTS}} ci: adapter: postgresql encoding: {{DB_ENCODING}} database: {{DB_NAME}} database_tasks: false host: {{DB_HOST}} port: {{DB_PORT}} username: {{DB_USER}} password: "{{DB_PASS}}" pool: {{DB_POOL}} ================================================ FILE: assets/runtime/config/gitlabhq/gitlab.yml ================================================ # # # # # # # # # # # # # # # # # # # GitLab application config file # # # # # # # # # # # # # # # # # # # # ########################### NOTE ##################################### # This file should not receive new settings. All configuration options # # * are being moved to ApplicationSetting model! # # If a setting requires an application restart say so in that screen. # # If you change this file in a Merge Request, please also create # # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. 
# # For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md # ######################################################################## # # # How to use: # 1. Copy file as gitlab.yml # 2. Update gitlab -> host with your fully qualified domain name # 3. Update gitlab -> email_from # 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git # IMPORTANT: If Git was installed in a different location use that instead. # You can check with `which git`. If a wrong path of Git is specified, it will # result in various issues such as failures of GitLab CI builds. # 5. Review this configuration file for other settings you may want to adjust production: &base # # 1. GitLab app settings # ========================== ## GitLab settings gitlab: ## Web server settings (note: host is the FQDN, do not include http://) host: {{GITLAB_HOST}} port: {{GITLAB_PORT}} # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details https: {{GITLAB_HTTPS}} # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout. # Default is 95% of the worker timeout max_request_duration_seconds: 57 # Uncomment this line below if your ssh host is different from HTTP/HTTPS one # (you'd obviously need to replace ssh.host_example.com with your own host). # Otherwise, ssh host will be set to the `host:` value above ssh_host: {{GITLAB_SSH_HOST}} # Relative URL support # WARNING: We recommend using an FQDN to host GitLab in a root path instead # of using a relative URL. 
# Documentation: http://doc.gitlab.com/ce/install/relative_url.html # Uncomment and customize the following line to run in a non-root path # relative_url_root: {{GITLAB_RELATIVE_URL_ROOT}} # Content Security Policy # See https://guides.rubyonrails.org/security.html#content-security-policy content_security_policy: enabled: {{GITLAB_CONTENT_SECURITY_POLICY_ENABLED}} report_only: {{GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY}} directives: base_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI}}" child_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC}}" connect_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC}}" default_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC}}" font_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC}}" form_action: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION}}" frame_ancestors: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS}}" frame_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC}}" img_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC}}" manifest_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC}}" media_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC}}" object_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC}}" script_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC}}" style_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC}}" worker_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC}}" report_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI}}" # Trusted Proxies # Customize if you have GitLab behind a reverse proxy which is running on a different machine. # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. 
trusted_proxies: - {{GITLAB_TRUSTED_PROXIES}} # Examples: #- 192.168.1.0/24 #- 192.168.2.1 #- 2001:0db8::/32 # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') # user: git ## Date & Time settings # Uncomment and customize if you want to change the default time zone of GitLab application. # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production` time_zone: '{{GITLAB_TIMEZONE}}' ## Email settings # Uncomment and set to false if you need to disable email sending from GitLab (default: true) email_enabled: {{GITLAB_EMAIL_ENABLED}} # Email address used in the "From" field in mails sent by GitLab email_from: {{GITLAB_EMAIL}} email_display_name: {{GITLAB_EMAIL_DISPLAY_NAME}} email_reply_to: {{GITLAB_EMAIL_REPLY_TO}} email_subject_suffix: '{{GITLAB_EMAIL_SUBJECT_SUFFIX}}' #start-email-smime email_smime: # Uncomment and set to true if you need to enable email S/MIME signing (default: false) enabled: {{GITLAB_EMAIL_SMIME_ENABLE}} # S/MIME private key file in PEM format, unencrypted # Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app). key_file: {{GITLAB_EMAIL_SMIME_KEY_FILE}} # S/MIME public certificate key in PEM format, will be attached to signed messages # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app). 
cert_file: {{GITLAB_EMAIL_SMIME_CERT_FILE}} #end-email-smime # S/MIME extra CA public certificates in PEM format, will be attached to signed messages # Optional # ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs # Email server smtp settings are in config/initializers/smtp_settings.rb.sample default_projects_limit: {{GITLAB_PROJECTS_LIMIT}} default_can_create_group: {{GITLAB_CREATE_GROUP}} # default: true username_changing_enabled: {{GITLAB_USERNAME_CHANGE}} # default: true - User can change their username/namespace signup_enabled: {{GITLAB_SIGNUP_ENABLED}} ## Default theme ID ## 1 - Indigo ## 2 - Dark ## 3 - Light ## 4 - Blue ## 5 - Green ## 6 - Light Indigo ## 7 - Light Blue ## 8 - Light Green ## 9 - Red ## 10 - Light Red default_theme: {{GITLAB_DEFAULT_THEME}} # default: 1 ## Automatic issue closing # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. # This happens when the commit is pushed or merged into the default branch of a project. # When not specified the default issue_closing_pattern as specified below will be used. # Tip: you can test your closing pattern at http://rubular.com. issue_closing_pattern: '{{GITLAB_ISSUE_CLOSING_PATTERN}}' ## Default project features settings default_projects_features: issues: {{GITLAB_PROJECTS_ISSUES}} merge_requests: {{GITLAB_PROJECTS_MERGE_REQUESTS}} wiki: {{GITLAB_PROJECTS_WIKI}} snippets: {{GITLAB_PROJECTS_SNIPPETS}} builds: {{GITLAB_PROJECTS_BUILDS}} container_registry: {{GITLAB_PROJECTS_CONTAINER_REGISTRY}} ## Webhook settings # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) webhook_timeout: {{GITLAB_WEBHOOK_TIMEOUT}} ### GraphQL Settings # Tells the rails application how long it has to complete a GraphQL request. # We suggest this value to be higher than the database timeout value # and lower than the worker timeout set in unicorn/puma. 
(default: 30) # graphql_timeout: 30 ## Repository downloads directory # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory. # The default is 'shared/cache/archive/' relative to the root of the Rails app. repository_downloads_path: {{GITLAB_DOWNLOADS_DIR}} ## Impersonation settings impersonation_enabled: {{GITLAB_IMPERSONATION_ENABLED}} ## Disable jQuery and CSS animations # disable_animations: true ## Reply by email # Allow users to comment on issues and merge requests by replying to notification emails. # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html incoming_email: enabled: {{GITLAB_INCOMING_EMAIL_ENABLED}} # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to. # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`). # Please be aware that a placeholder is required for the Service Desk feature to work. address: "{{GITLAB_INCOMING_EMAIL_ADDRESS}}" # Email account username # With third party providers, this is usually the full email address. # With self-hosted email servers, this is usually the user part of the email address. user: "{{IMAP_USER}}" # Email account password password: "{{IMAP_PASS}}" # IMAP server host host: "{{IMAP_HOST}}" # IMAP server port port: {{IMAP_PORT}} # Whether the IMAP server uses SSL ssl: {{IMAP_SSL}} # Whether the IMAP server uses StartTLS start_tls: {{IMAP_STARTTLS}} # The mailbox where incoming mail will end up. Usually "inbox". mailbox: "{{IMAP_MAILBOX}}" # The IDLE command timeout. idle_timeout: {{IMAP_TIMEOUT}} # The log file path for the structured log file. # Since `mail_room` is run independently of Rails, an absolute path is preferred. # The default is 'log/mail_room_json.log' relative to the root of the Rails app. 
# # log_path: log/mail_room_json.log # Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery expunge_deleted: false ## Build Artifacts artifacts: enabled: {{GITLAB_ARTIFACTS_ENABLED}} # The location where build artifacts are stored (default: shared/artifacts). path: {{GITLAB_ARTIFACTS_DIR}} object_store: enabled: {{GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name direct_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Artifacts without the need of local shared storage. background_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment #start-artifacts-aws aws_access_key_id: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} region: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com aws_signature_version: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. 
endpoint: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces path_style: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-artifacts-aws #start-artifacts-gcs google_project: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} google_client_email: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} google_json_key_location: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-artifacts-gcs ## Merge request external diff storage external_diffs: # If disabled (the default), the diffs are in-database. Otherwise, they can # be stored on disk, or in object storage enabled: false # The location where external diffs are stored (default: shared/lfs-external-diffs). # storage_path: shared/external-diffs # object_store: # enabled: false # remote_directory: external-diffs # background_upload: false # proxy_download: false # connection: # provider: AWS # aws_access_key_id: AWS_ACCESS_KEY_ID # aws_secret_access_key: AWS_SECRET_ACCESS_KEY # region: us-east-1 ## Git LFS lfs: enabled: {{GITLAB_LFS_ENABLED}} # The location where LFS objects are stored (default: shared/lfs-objects). 
storage_path: {{GITLAB_LFS_OBJECTS_DIR}} object_store: enabled: {{GITLAB_LFS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name direct_upload: {{GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) background_upload: {{GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}} #start-lfs-aws aws_access_key_id: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} aws_signature_version: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. region: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com endpoint: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil path_style: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-lfs-aws #start-lfs-gcs google_project: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} google_client_email: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} google_json_key_location: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-lfs-gcs # Use the following options to configure an AWS compatible host # host: 'localhost' # default: s3.amazonaws.com # endpoint: 'http://127.0.0.1:9000' # default: nil # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. 
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' ## Uploads (attachments, avatars, etc...) uploads: # The location where uploads objects are stored (default: public/). storage_path: {{GITLAB_UPLOADS_STORAGE_PATH}} base_dir: {{GITLAB_UPLOADS_BASE_DIR}} object_store: enabled: {{GITLAB_UPLOADS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name direct_upload: {{GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) background_upload: {{GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}} #start-uploads-aws aws_access_key_id: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} aws_signature_version: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. 
region: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com endpoint: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil path_style: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-uploads-aws #start-uploads-gcs google_project: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} google_client_email: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} google_json_key_location: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-uploads-gcs ## Packages (maven repository, npm registry, etc...) packages: enabled: {{GITLAB_PACKAGES_ENABLED}} # The location where build packages are stored (default: shared/packages). path: {{GITLAB_PACKAGES_DIR}} object_store: enabled: {{GITLAB_PACKAGES_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name direct_upload: {{GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Packages without the need of local shared storage. 
background_upload: {{GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment #start-packages-aws aws_access_key_id: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} region: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com aws_signature_version: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. endpoint: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces path_style: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-packages-aws #start-packages-gcs google_project: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} google_client_email: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} google_json_key_location: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-packages-gcs ## Dependency Proxy dependency_proxy: enabled: true # The location where build packages are stored (default: shared/dependency_proxy). 
# storage_path: shared/dependency_proxy object_store: enabled: false remote_directory: dependency_proxy # The bucket name # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) # background_upload: false # Temporary option to limit automatic upload (Default: true) # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: AWS aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 # host: 'localhost' # default: s3.amazonaws.com # endpoint: 'http://127.0.0.1:9000' # default: nil # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' ## Terraform state terraform_state: enabled: {{GITLAB_TERRAFORM_STATE_ENABLED}} # The location where Terraform state files are stored (default: shared/terraform_state). storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}} object_store: enabled: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name connection: provider: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}} #start-terraform_state-aws aws_access_key_id: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} region: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com endpoint: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil aws_signature_version: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. 
path_style: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-terraform_state-aws #start-terraform_state-gcs google_project: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} google_client_email: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} google_json_key_location: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-terraform_state-gcs ## GitLab Pages pages: enabled: {{GITLAB_PAGES_ENABLED}} access_control: {{GITLAB_PAGES_ACCESS_CONTROL}} # The location where pages are stored (default: shared/pages). # path: shared/pages # The domain under which the pages are served: # http://group.example.com/project # or project path can be a group page: group.example.com host: {{GITLAB_PAGES_DOMAIN}} port: {{GITLAB_PAGES_PORT}} # Set to 443 if you serve the pages with HTTPS https: {{GITLAB_PAGES_HTTPS}} # Set to true if you serve the pages with HTTPS artifacts_server: {{GITLAB_PAGES_ARTIFACTS_SERVER}} # Set to false if you want to disable online view of HTML artifacts external_http: {{GITLAB_PAGES_EXTERNAL_HTTP}} # If defined, enables custom domain support in GitLab Pages external_https: {{GITLAB_PAGES_EXTERNAL_HTTPS}} # If defined, enables custom domain and certificate support in GitLab Pages namespace_in_path: {{GITLAB_PAGES_NAMESPACE_IN_PATH}} # File that contains the shared secret key for verifying access for gitlab-pages. # Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_pages_secret ## Mattermost ## For enabling Add to Mattermost button mattermost: enabled: {{GITLAB_MATTERMOST_ENABLED}} host: '{{GITLAB_MATTERMOST_URL}}' ## Gravatar ## If using gravatar.com, there's nothing to change here. For Libravatar ## you'll need to provide the custom URLs. 
For more information, ## see: https://docs.gitlab.com/ee/customization/libravatar.html gravatar: enabled: {{GITLAB_GRAVATAR_ENABLED}} # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username} plain_url: "{{GITLAB_GRAVATAR_HTTP_URL}}" # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon ssl_url: "{{GITLAB_GRAVATAR_HTTPS_URL}}" # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon ## Sidekiq sidekiq: log_format: {{GITLAB_SIDEKIQ_LOG_FORMAT}} # (default is the original format) ## Auxiliary jobs # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc. # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job cron_jobs: # Flag stuck CI jobs as failed stuck_ci_jobs_worker: cron: "0 * * * *" # Execute scheduled triggers pipeline_schedule_worker: cron: "{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}" # Remove expired build artifacts expire_build_artifacts_worker: cron: "50 * * * *" # Stop expired environments environments_auto_stop_cron_worker: cron: "24 * * * *" # Periodically run 'git fsck' on all repositories. If started more than # once per hour you will have concurrent 'git fsck' jobs. repository_check_worker: cron: "20 * * * *" # Archive live traces which have not been archived yet ci_archive_traces_cron_worker: cron: "17 * * * *" # Send admin emails once a week admin_email_worker: cron: "0 0 * * 0" # Send emails for personal tokens which are about to expire personal_access_tokens_expiring_worker: cron: "0 1 * * *" # Remove outdated repository archives repository_archive_cache_worker: cron: "0 * * * *" # Verify custom GitLab Pages domains pages_domain_verification_cron_worker: cron: "*/15 * * * *" # Periodically migrate diffs from the database to external storage schedule_migrate_external_diffs_worker: cron: "15 * * * *" # GitLab EE only jobs. 
These jobs are automatically enabled for an EE # installation, and ignored for a CE installation. ee_cron_jobs: # Snapshot active users statistics historical_data_worker: cron: "0 12 * * *" # In addition to refreshing users when they log in, # periodically refresh LDAP users membership. # NOTE: This will only take effect if LDAP is enabled ldap_sync_worker: cron: "30 1 * * *" # Periodically refresh LDAP groups membership. # NOTE: This will only take effect if LDAP is enabled ldap_group_sync_worker: cron: "0 * * * *" # GitLab Geo metrics update worker # NOTE: This will only take effect if Geo is enabled geo_metrics_update_worker: cron: "*/1 * * * *" # GitLab Geo prune event log worker # NOTE: This will only take effect if Geo is enabled (primary node only) geo_prune_event_log_worker: cron: "*/5 * * * *" # GitLab Geo repository sync worker # NOTE: This will only take effect if Geo is enabled (secondary nodes only) geo_repository_sync_worker: cron: "*/1 * * * *" # GitLab Geo registry backfill worker # NOTE: This will only take effect if Geo is enabled (secondary nodes only) geo_secondary_registry_consistency_worker: cron: "* * * * *" # GitLab Geo file download dispatch worker # NOTE: This will only take effect if Geo is enabled (secondary nodes only) geo_file_download_dispatch_worker: cron: "*/1 * * * *" # GitLab Geo migrated local files clean up worker # NOTE: This will only take effect if Geo is enabled (secondary nodes only) geo_migrated_local_files_clean_up_worker: cron: "15 */6 * * *" # Export pseudonymized data in CSV format for analysis pseudonymizer_worker: cron: "0 * * * *" # Elasticsearch bulk updater for incremental updates. # NOTE: This will only take effect if elasticsearch is enabled. 
elastic_index_bulk_cron_worker: cron: "*/1 * * * *" registry: enabled: {{GITLAB_REGISTRY_ENABLED}} host: {{GITLAB_REGISTRY_HOST}} port: {{GITLAB_REGISTRY_PORT}} api_url: {{GITLAB_REGISTRY_API_URL}} # internal address to the registry, will be used by GitLab to directly communicate with API key: {{GITLAB_REGISTRY_KEY_PATH}} path: {{GITLAB_REGISTRY_DIR}} issuer: {{GITLAB_REGISTRY_ISSUER}} # notification_secret: '' # only set it when you use Geo replication feature without built-in Registry # Add notification settings if you plan to use Geo Replication for the registry # notifications: # - name: geo_event # url: https://example.com/api/v4/container_registry_event/events # timeout: 2s # threshold: 5 # backoff: 1s # headers: # Authorization: secret_phrase ## Error Reporting and Logging with Sentry sentry: enabled: {{SENTRY_ENABLED}} dsn: {{SENTRY_DSN}} clientside_dsn: {{SENTRY_CLIENTSIDE_DSN}} environment: '{{SENTRY_ENVIRONMENT}}' # e.g. development, staging, production ## Geo # NOTE: These settings will only take effect if Geo is enabled geo: # This is an optional identifier which Geo nodes can use to identify themselves. # For example, if external_url is the same for two secondaries, you must specify # a unique Geo node name for those secondaries. # # If it is blank, it defaults to external_url. node_name: '' registry_replication: # enabled: true # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API ## Feature Flag https://docs.gitlab.com/ee/user/project/operations/feature_flags.html feature_flags: unleash: # enabled: false # url: https://gitlab.com/api/v4/feature_flags/unleash/ # app_name: gitlab.com # Environment name of your GitLab instance # instance_id: INSTANCE_ID # # 2. 
GitLab CI settings # ========================== gitlab_ci: # Default project notifications settings: # # Send emails only on broken builds (default: true) all_broken_builds: {{GITLAB_NOTIFY_ON_BROKEN_BUILDS}} # # Add pusher to recipients list (default: false) add_pusher: {{GITLAB_NOTIFY_PUSHER}} # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root builds_path: {{GITLAB_BUILDS_DIR}} # # 3. Auth settings # ========================== ## LDAP settings # You can test connections and inspect a sample of the LDAP users with login # access by running: # bundle exec rake gitlab:ldap:check RAILS_ENV=production ldap: enabled: {{LDAP_ENABLED}} prevent_ldap_sign_in: {{LDAP_PREVENT_LDAP_SIGN_IN}} # This setting controls the number of seconds between LDAP permission checks # for each user. After this time has expired for a given user, their next # interaction with GitLab (a click in the web UI, a git pull, etc.) will be # slower because the LDAP permission check is being performed. How much # slower depends on your LDAP setup, but it is not uncommon for this check # to add seconds of waiting time. The default value is to have a "slow # click" once every 3600 seconds (i.e., once per hour). # # Warning: if you set this value too low, every click in GitLab will be a # "slow click" for all of your LDAP users. # sync_time: 3600 servers: ########################################################################## # # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab # Enterprise Edition now supports connecting to multiple LDAP servers. # # If you are updating from the old (pre-7.4) syntax, you MUST give your # old server the ID 'main'. # ########################################################################## main: # 'main' is the GitLab 'provider ID' of this LDAP server ## label # # A human-friendly name for your LDAP server. 
It is OK to change the label later, # for instance if you find out it is too large to fit on the web page. # # Example: 'Paris' or 'Acme, Ltd.' label: '{{LDAP_LABEL}}' # Example: 'ldap.mydomain.com' host: '{{LDAP_HOST}}' # This port is an example, it is sometimes different but it is always an integer and not a string port: {{LDAP_PORT}} # usually 636 for SSL uid: '{{LDAP_UID}}' # This should be the attribute, not the value that maps to uid. # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com' bind_dn: '{{LDAP_BIND_DN}}' password: '{{LDAP_PASS}}' # Encryption method. The "method" key is deprecated in favor of # "encryption". # # Examples: "start_tls" or "simple_tls" or "plain" # # Deprecated values: "tls" was replaced with "start_tls" and "ssl" was # replaced with "simple_tls". # encryption: '{{LDAP_METHOD}}' # Enables SSL certificate verification if encryption method is # "start_tls" or "simple_tls". Defaults to true. verify_certificates: {{LDAP_VERIFY_SSL}} # OpenSSL::SSL::SSLContext options. tls_options: # Specifies the path to a file containing a PEM-format CA certificate, # e.g. if you need to use an internal CA. # # Example: '/etc/ca.pem' # ca_file: '{{LDAP_CA_FILE}}' # Specifies the SSL version for OpenSSL to use, if the OpenSSL default # is not appropriate. # # Example: 'TLSv1_1' # ssl_version: '{{LDAP_SSL_VERSION}}' # Specific SSL ciphers to use in communication with LDAP servers. # # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2' ciphers: '' # Client certificate # # Example: # cert: | # -----BEGIN CERTIFICATE----- # MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ # bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE # CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4 # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl # ... 
# 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80 # Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg== # -----END CERTIFICATE ----- cert: '' # Client private key # key: | # -----BEGIN PRIVATE KEY----- # MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6 # bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN # 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl # ... # +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9 # l6RG+a/mW+0rCWn8JAd464Ps9hE= # -----END PRIVATE KEY----- key: '' # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking # a request if the LDAP server becomes unresponsive. # A value of 0 means there is no timeout. timeout: {{LDAP_TIMEOUT}} # Enable smartcard authentication against the LDAP server. Valid values # are "false", "optional", and "required". smartcard_auth: false # This setting specifies if LDAP server is Active Directory LDAP server. # For non AD servers it skips the AD specific queries. # If your LDAP server is not AD, set this to false. active_directory: {{LDAP_ACTIVE_DIRECTORY}} # If allow_username_or_email_login is enabled, GitLab will ignore everything # after the first '@' in the LDAP username submitted by the user on login. # # Example: # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. # # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to # disable this setting, because the userPrincipalName contains an '@'. allow_username_or_email_login: {{LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN}} # To maintain tight control over the number of active users on your GitLab installation, # enable this setting to keep new users blocked until they have been cleared by the admin # (default: false). 
block_auto_created_users: {{LDAP_BLOCK_AUTO_CREATED_USERS}} # Base where we can search for users # # Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com' # base: '{{LDAP_BASE}}' # Filter LDAP users # # Format: RFC 4515 https://tools.ietf.org/search/rfc4515 # Ex. (employeeType=developer) # # Note: GitLab does not support omniauth-ldap's custom filter syntax. # # Example for getting only specific users: # '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))' # user_filter: '{{LDAP_USER_FILTER}}' # Base where we can search for groups # # Ex. ou=Groups,dc=gitlab,dc=example # group_base: '' # LDAP group of users who should be admins in GitLab # # Ex. GLAdmins # admin_group: '' # LDAP group of users who should be marked as external users in GitLab # # Ex. ['Contractors', 'Interns'] # external_groups: [] # Name of the attribute which holds an SSH public key of the user object. # If false or nil, SSH key synchronisation will be disabled. # # Ex. sshpublickey # sync_ssh_keys: false # LDAP attributes that GitLab will use to create an account for the LDAP user. # The specified attribute can either be the attribute name as a string (e.g. 'mail'), # or an array of attribute names to try in order (e.g. ['mail', 'email']). # Note that the user's LDAP login will always be the attribute specified as `uid` above. attributes: # The username will be used in paths for the user's own projects # (like `gitlab.example.com/username/project`) and when mentioning # them in issues, merge requests and comments (like `@username`). # If the attribute specified for `username` contains an email address, # the GitLab username will be the part of the email address before the '@'. username: {{LDAP_USER_ATTRIBUTE_USERNAME}} email: {{LDAP_USER_ATTRIBUTE_MAIL}} # If no full name could be found at the attribute specified for `name`, # the full name is determined using the attributes specified for # `first_name` and `last_name`.
name: '{{LDAP_USER_ATTRIBUTE_NAME}}' first_name: '{{LDAP_USER_ATTRIBUTE_FIRSTNAME}}' last_name: '{{LDAP_USER_ATTRIBUTE_LASTNAME}}' # If lowercase_usernames is enabled, GitLab will lower case the username. lowercase_usernames: {{LDAP_LOWERCASE_USERNAMES}} # GitLab EE only: add more LDAP servers # Choose an ID made of a-z and 0-9 . This ID will be stored in the database # so that GitLab can remember which LDAP server a user belongs to. # uswest2: # label: # host: # .... ## Smartcard authentication settings smartcard: # Allow smartcard authentication enabled: false # Path to a file containing a CA certificate bundle ca_file: '/etc/ssl/certs/CA.pem' # Host and port where the client side certificate is requested by the # webserver (NGINX/Apache) # client_certificate_required_host: smartcard.gitlab.example.com # client_certificate_required_port: 3444 # Browser session with smartcard sign-in is required for Git access # required_for_git_access: false # Use X.509 SAN extensions certificates to identify GitLab users # Add a subjectAltName to your certificates like: email:user # san_extensions: true ## Kerberos settings kerberos: # Allow the HTTP Negotiate authentication method for Git clients enabled: false # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user, # and should be different from other keytabs in the system. # (default: use default keytab from Krb5 config) # keytab: /etc/http.keytab # The Kerberos service name to be used by GitLab. # (default: accept any service name in keytab file) # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails. # To support both Basic and Negotiate methods with older versions of Git, configure # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines # to dedicate this port to Kerberos authentication. 
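# (default: false)
    # use_dedicated_port: true
    # port: 8443
    # https: true

  ## OmniAuth settings
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: {{OAUTH_ENABLED}}

    # Uncomment this to automatically sign in with a specific omniauth provider without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    auto_sign_in_with_provider: {{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}}

    # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).
    # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"],
    # or as true/false to allow all providers or none.
    # When authenticating using LDAP, the user's email is always synced.
    # sync_profile_from_provider: []

    # Select which info to sync from the providers above. (default: email).
    # Define the synced profile info using an array. Available options are "name", "email" and "location"
    # e.g. ["name", "email", "location"] or as true to sync all available.
    # This consequently will make the selected attributes read-only.
    # sync_profile_attributes: true

    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed providers
    # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: ["{{OAUTH_ALLOW_SSO}}"]

    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: {{OAUTH_BLOCK_AUTO_CREATED_USERS}}

    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: {{OAUTH_AUTO_LINK_LDAP_USER}}

    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: {{OAUTH_AUTO_LINK_SAML_USER}}

    # Allow users with existing accounts to login and auto link their account via the
    # defined Omniauth providers login, without having to do a manual login first and
    # manually connect their chosen provider.
    # (default: [])
    auto_link_user: [{{OAUTH_AUTO_LINK_USER}}]

    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: [{{OAUTH_EXTERNAL_PROVIDERS}}]

    # CAUTION!
    # This allows users to login with the specified providers without two factor. Define the allowed providers
    # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none.
    # This option should only be configured for providers which already have two factor.
    # This configuration does not apply to SAML.
    # (default: false)
    allow_bypass_two_factor: {{OAUTH_ALLOW_BYPASS_TWO_FACTOR}}

    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    #
    # Every secret below is a {{...}} placeholder that the container's template
    # substitution step fills from the environment; keep that form for new entries.
    # Keep TLS verification on (disable_ssl_verification false / verify_ssl true)
    # unless the provider's CA is trusted by the container, since these settings
    # decide whether the identity provider's responses are authenticated at all.
    providers:
      # See omniauth-cas3 for more configuration details
      - { name: 'cas3', label: '{{OAUTH_CAS3_LABEL}}', args: { url: '{{OAUTH_CAS3_SERVER}}', disable_ssl_verification: {{OAUTH_CAS3_DISABLE_SSL_VERIFICATION}}, login_url: '{{OAUTH_CAS3_LOGIN_URL}}', service_validate_url: '{{OAUTH_CAS3_VALIDATE_URL}}', logout_url: '{{OAUTH_CAS3_LOGOUT_URL}}'} }
      # app_secret previously read 'OAUTH_AUTHENTIQ_CLIENT_SECRET' without the {{...}}
      # braces used by every other provider; if the substitution in
      # assets/runtime/functions only replaces the braced form (as the other entries
      # assume), the bare name would have been shipped verbatim as the secret — confirm.
      - { name: 'authentiq', app_id: '{{OAUTH_AUTHENTIQ_CLIENT_ID}}', app_secret: '{{OAUTH_AUTHENTIQ_CLIENT_SECRET}}', args: { scope: {{OAUTH_AUTHENTIQ_SCOPE}}, redirect_uri: '{{OAUTH_AUTHENTIQ_REDIRECT_URI}}' } }
      - { name: 'github', label: 'GitHub', app_id: '{{OAUTH_GITHUB_API_KEY}}', app_secret: '{{OAUTH_GITHUB_APP_SECRET}}', url: "{{OAUTH_GITHUB_URL}}", verify_ssl: {{OAUTH_GITHUB_VERIFY_SSL}}, args: { scope: '{{OAUTH_GITHUB_SCOPE}}' } }
      - { name: 'bitbucket', app_id: '{{OAUTH_BITBUCKET_API_KEY}}', app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}', url: '{{OAUTH_BITBUCKET_URL}}' }
      - { name: 'gitlab', label: 'GitLab.com', app_id: '{{OAUTH_GITLAB_API_KEY}}', app_secret: '{{OAUTH_GITLAB_APP_SECRET}}', args: { scope: '{{OAUTH_GITLAB_SCOPE}}' } }
      - { name: 'google_oauth2', label: 'Google', app_id: '{{OAUTH_GOOGLE_API_KEY}}', app_secret: '{{OAUTH_GOOGLE_APP_SECRET}}', args: { access_type: 'offline', approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}', hd: [{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}] } }
      - { name: 'facebook', app_id: '{{OAUTH_FACEBOOK_API_KEY}}', app_secret: '{{OAUTH_FACEBOOK_APP_SECRET}}' }
      - { name: 'twitter', app_id: '{{OAUTH_TWITTER_API_KEY}}', app_secret: '{{OAUTH_TWITTER_APP_SECRET}}' }
      - { name: 'saml', label: '{{OAUTH_SAML_LABEL}}', groups_attribute: '{{OAUTH_SAML_GROUPS_ATTRIBUTE}}', external_groups: [{{OAUTH_SAML_EXTERNAL_GROUPS}}], args: { assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}', idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}', idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}', issuer: '{{OAUTH_SAML_ISSUER}}', attribute_statements: { first_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}}'], last_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME}}'], username: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME}}'], name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}}'], email: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}'] }, name_identifier_format: '{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}' } }
      - { name: 'crowd', args: { crowd_server_url: '{{OAUTH_CROWD_SERVER_URL}}', application_name: '{{OAUTH_CROWD_APP_NAME}}', application_password: '{{OAUTH_CROWD_APP_PASSWORD}}' } }
      - { name: 'auth0', args: { client_id: '{{OAUTH_AUTH0_CLIENT_ID}}', client_secret: '{{OAUTH_AUTH0_CLIENT_SECRET}}', domain: '{{OAUTH_AUTH0_DOMAIN}}', scope: '{{OAUTH_AUTH0_SCOPE}}' } }
      - { name: 'oauth2_generic', app_id: '{{OAUTH2_GENERIC_APP_ID}}', app_secret: '{{OAUTH2_GENERIC_APP_SECRET}}', args: { client_options: { site: '{{OAUTH2_GENERIC_CLIENT_SITE}}', user_info_url: '{{OAUTH2_GENERIC_CLIENT_USER_INFO_URL}}', authorize_url: '{{OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL}}', token_url: '{{OAUTH2_GENERIC_CLIENT_TOKEN_URL}}', end_session_endpoint: '{{OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT}}', }, user_response_structure: { id_path: '{{OAUTH2_GENERIC_ID_PATH}}', attributes: { uid: '{{OAUTH2_GENERIC_USER_UID}}', name: '{{OAUTH2_GENERIC_USER_NAME}}', email: '{{OAUTH2_GENERIC_USER_EMAIL}}' } }, authorize_params: { scope: "{{OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE}}" }, label: '{{OAUTH2_GENERIC_LABEL}}', name: '{{OAUTH2_GENERIC_NAME}}' }}
      - { name: 'azure_oauth2', args: { client_id: '{{OAUTH_AZURE_API_KEY}}', client_secret: '{{OAUTH_AZURE_API_SECRET}}', tenant_id: '{{OAUTH_AZURE_TENANT_ID}}' } }
      - { name: 'azure_activedirectory_v2', label: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL}}', args: { client_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID}}', client_secret: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET}}', tenant_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}' } }
      - { name: 'openid_connect', label: '{{OAUTH_OIDC_LABEL}}', icon: '{{OAUTH_OIDC_ICON}}', args: { name: 'openid_connect', scope: {{OAUTH_OIDC_SCOPE}}, response_type: '{{OAUTH_OIDC_RESPONSE_TYPE}}', issuer: '{{OAUTH_OIDC_ISSUER}}', discovery: {{OAUTH_OIDC_DISCOVERY}}, client_auth_method: '{{OAUTH_OIDC_CLIENT_AUTH_METHOD}}', uid_field: '{{OAUTH_OIDC_UID_FIELD}}', send_scope_to_token_endpoint: {{OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP}}, pkce: {{OAUTH_OIDC_PKCE}}, client_options: { identifier: '{{OAUTH_OIDC_CLIENT_ID}}', secret: '{{OAUTH_OIDC_CLIENT_SECRET}}', redirect_uri: '{{OAUTH_OIDC_REDIRECT_URI}}' } } }
      - { name: 'jwt', label: '{{OAUTH_JWT_LABEL}}', args: { secret: '{{OAUTH_JWT_SECRET}}', algorithm: '{{OAUTH_JWT_ALGORITHM}}', uid_claim: '{{OAUTH_JWT_UID_CLAIM}}', required_claims: {{OAUTH_JWT_REQUIRED_CLAIMS}}, info_map: { name: '{{OAUTH_JWT_INFO_MAP_NAME}}', email: '{{OAUTH_JWT_INFO_MAP_EMAIL}}' }, auth_url: '{{OAUTH_JWT_AUTH_URL}}', valid_within: {{OAUTH_JWT_VALID_WITHIN}} } }

    # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
    # cas3:
    #   session_duration: 28800

  # Shared file storage settings
  shared:
    path: {{GITLAB_SHARED_DIR}} # Default: shared

  # Gitaly settings
  gitaly:
    # Path to the directory containing Gitaly client executables.
    client_path: {{GITALY_CLIENT_PATH}}
    # Default Gitaly authentication token. Can be overridden per storage. Can
    # be left blank when Gitaly is running locally on a Unix socket, which
    # is the normal way to deploy Gitaly.
    token: {{GITALY_TOKEN}}

  #
  # 4. Advanced settings
  # ==========================

  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # IMPORTANT: None of the path components may be symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path and that results
    # real path not the symlink.
    storages: # You must have at least a `default` storage path.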
default: path: {{GITLAB_REPOS_DIR}}/ gitaly_address: unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port). # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage. ## Backup settings backup: path: "{{GITLAB_BACKUP_DIR}}" # Relative paths are relative to Rails.root (default: tmp/backups/) archive_permissions: {{GITLAB_BACKUP_ARCHIVE_PERMISSIONS}} # Permissions for the resulting backup.tar file (default: 0600) keep_time: {{GITLAB_BACKUP_EXPIRY}} # default: 0 (forever) (in seconds) pg_schema: {{GITLAB_BACKUP_PG_SCHEMA}} # default: nil, it means that all schemas will be backed up upload: # Fog storage connection settings, see http://fog.io/storage/ . #start-aws connection: provider: AWS region: {{AWS_BACKUP_REGION}} endpoint: {{AWS_BACKUP_ENDPOINT}} path_style: {{AWS_BACKUP_PATH_STYLE}} aws_access_key_id: {{AWS_BACKUP_ACCESS_KEY_ID}} aws_secret_access_key: '{{AWS_BACKUP_SECRET_ACCESS_KEY}}' aws_signature_version: {{AWS_BACKUP_SIGNATURE_VERSION}} # The remote 'directory' to store your backups. For S3, this would be the bucket name. remote_directory: '{{AWS_BACKUP_BUCKET}}' #start-multipart-aws # Use multipart uploads when file size reaches 100MB, see # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html multipart_chunk_size: {{AWS_BACKUP_MULTIPART_CHUNK_SIZE}} #end-multipart-aws #start-encryption-aws # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional encryption: 'AES256' # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional # This should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data. # 'encryption' must also be set in order for this to have any effect. 
# encryption_key: '' #end-encryption-aws # Specifies Amazon S3 storage class to use for backups, this is optional storage_class: '{{AWS_BACKUP_STORAGE_CLASS}}' #end-aws #start-gcs # Fog storage connection settings, see http://fog.io/storage/ . connection: provider: Google google_storage_access_key_id: {{GCS_BACKUP_ACCESS_KEY_ID}} google_storage_secret_access_key: '{{GCS_BACKUP_SECRET_ACCESS_KEY}}' remote_directory: '{{GCS_BACKUP_BUCKET}}' #end-gcs ## Pseudonymizer exporter pseudonymizer: # Tables manifest that specifies the fields to extract and pseudonymize. manifest: config/pseudonymizer.yml upload: remote_directory: 'gitlab-elt' # Fog storage connection settings, see http://fog.io/storage/ . connection: # provider: AWS # region: eu-west-1 # aws_access_key_id: AKIAKIAKI # aws_secret_access_key: 'secret123' # # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. ## GitLab Shell settings gitlab_shell: path: {{GITLAB_SHELL_INSTALL_DIR}}/ authorized_keys_file: {{GITLAB_HOME}}/.ssh/authorized_keys # File that contains the secret key for verifying access for gitlab-shell. # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app). secret_file: {{GITLAB_INSTALL_DIR}}/.gitlab_shell_secret # Git over HTTP upload_pack: true receive_pack: true # Git import/fetch timeout, in seconds. Defaults to 3 hours. # git_timeout: 10800 # If you use non-standard ssh port you need to specify it ssh_port: {{GITLAB_SSH_PORT}} workhorse: # File that contains the secret key for verifying access for gitlab-workhorse. # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_workhorse_secret ## GitLab Elasticsearch settings elasticsearch: indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/ ## Git settings # CAUTION! 
# Use the default values unless you really know what you are doing git: bin_path: /usr/local/bin/git ## ActionCable settings action_cable: # Number of threads used to process ActionCable connection callbacks and channel actions # worker_pool_size: 4 ## Webpack settings # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running # on a given port instead of serving directly from /assets/webpack. This is only indended for use # in development. webpack: # dev_server: # enabled: true # host: localhost # port: 3808 ## Monitoring # Built in monitoring settings monitoring: # Time between sampling of unicorn socket metrics, in seconds unicorn_sampler_interval: {{GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL}} # Time between sampling of Puma metrics, in seconds # puma_sampler_interval: 5 # IP whitelist to access monitoring endpoints ip_whitelist: - 127.0.0.0/8 - {{GITLAB_MONITORING_IP_WHITELIST}} # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics sidekiq_exporter: enabled: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED}} address: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS}} port: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT}} # Web exporter is webserver built in to Unicorn/Puma to expose Prometheus metrics # It runs alongside the `/metrics` endpoints to ease the publish of metrics web_exporter: # enabled: true # address: localhost # port: 8083 ## Prometheus settings # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb # if you installed GitLab via Omnibus. # If you installed from source, you need to install and configure Prometheus # yourself, and then update the values here. 
# https://docs.gitlab.com/ee/administration/monitoring/prometheus/ prometheus: # enable: true # listen_address: 'localhost:9090' shutdown: # # blackout_seconds: # # defines an interval to block healthcheck, # # but continue accepting application requests # # this allows Load Balancer to notice service # # being shutdown and not interrupt any of the clients # blackout_seconds: 10 # # 5. Extra customization # ========================== extra: ## Google analytics. Uncomment if you want it google_analytics_id: '{{GOOGLE_ANALYTICS_ID}}' ## Piwik analytics. piwik_url: '{{PIWIK_URL}}' piwik_site_id: '{{PIWIK_SITE_ID}}' rack_attack: git_basic_auth: # Rack Attack IP banning enabled enabled: {{RACK_ATTACK_ENABLED}} # # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers ip_whitelist: {{RACK_ATTACK_WHITELIST}} # # Limit the number of Git HTTP authentication attempts per IP maxretry: {{RACK_ATTACK_MAXRETRY}} # # Reset the auth attempt counter per IP after 60 seconds findtime: {{RACK_ATTACK_FINDTIME}} # # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} development: <<: *base # We want to run web/sidekiq exporters for devs # to catch errors from using them. # # We use random port to not block ability to run # multiple instances of the service monitoring: sidekiq_exporter: enabled: true address: 127.0.0.1 port: 0 web_exporter: enabled: true address: 127.0.0.1 port: 0 test: <<: *base gravatar: enabled: true external_diffs: enabled: false # Diffs may be `always` external (the default), or they can be made external # after they have become `outdated` (i.e., the MR is closed or a new version # has been pushed). # when: always # The location where external diffs are stored (default: shared/external-diffs). 
# storage_path: shared/external-diffs object_store: enabled: false remote_directory: external-diffs # The bucket name connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 lfs: enabled: false # The location where LFS objects are stored (default: shared/lfs-objects). # storage_path: shared/lfs-objects object_store: enabled: false remote_directory: lfs-objects # The bucket name connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 artifacts: path: tmp/tests/artifacts enabled: true # The location where build artifacts are stored (default: shared/artifacts). # path: shared/artifacts object_store: enabled: false remote_directory: artifacts # The bucket name background_upload: false connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 uploads: storage_path: tmp/tests/public object_store: enabled: false connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 terraform_state: enabled: true storage_path: tmp/tests/terraform_state object_store: enabled: false remote_directory: terraform_state connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 gitlab: host: localhost port: 80 content_security_policy: enabled: true report_only: false directives: base_uri: child_src: connect_src: default_src: "'self'" font_src: form_action: frame_ancestors: "'self'" frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com 
https://content-cloudresourcemanager.googleapis.com" img_src: "* data: blob:" manifest_src: media_src: object_src: "'none'" script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" style_src: "'self' 'unsafe-inline'" worker_src: "'self' blob:" report_uri: # When you run tests we clone and set up gitlab-shell # In order to set it up correctly you need to specify # your system username you use to run GitLab # user: YOUR_USERNAME pages: path: tmp/tests/pages repositories: storages: default: path: tmp/tests/repositories/ gitaly_address: unix:tmp/tests/gitaly/gitaly.socket gitaly: client_path: tmp/tests/gitaly token: secret workhorse: secret_file: tmp/gitlab_workhorse_test_secret backup: path: tmp/tests/backups pseudonymizer: manifest: config/pseudonymizer.yml upload: # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. remote_directory: gitlab-elt.test # Fog storage connection settings, see http://fog.io/storage/ connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 gitlab_shell: path: tmp/tests/gitlab-shell/ authorized_keys_file: tmp/tests/authorized_keys issues_tracker: redmine: title: "Redmine" project_url: "http://redmine/projects/:issues_tracker_id" issues_url: "http://redmine/:project_id/:issues_tracker_id/:id" new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new" jira: title: "Jira" url: https://sample_company.atlassian.net project_key: PROJECT omniauth: # enabled: true allow_single_sign_on: true external_providers: [] providers: - { name: 'cas3', label: 'cas3', args: { url: 'https://sso.example.com', disable_ssl_verification: false, login_url: '/cas/login', service_validate_url: '/cas/p3/serviceValidate', logout_url: '/cas/logout'} } - { name: 'github', app_id: 'YOUR_APP_ID', app_secret: 
'YOUR_APP_SECRET', url: "https://github.com/", verify_ssl: false, args: { scope: 'user:email' } } - { name: 'bitbucket', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET' } - { name: 'gitlab', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', args: { scope: 'api' } } - { name: 'google_oauth2', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', args: { access_type: 'offline', approval_prompt: '' } } - { name: 'facebook', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET' } - { name: 'twitter', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET' } - { name: 'jwt', app_secret: 'YOUR_APP_SECRET', args: { algorithm: 'HS256', uid_claim: 'email', required_claims: ["name", "email"], info_map: { name: "name", email: "email" }, auth_url: 'https://example.com/', valid_within: null, } } - { name: 'auth0', args: { client_id: 'YOUR_AUTH0_CLIENT_ID', client_secret: 'YOUR_AUTH0_CLIENT_SECRET', namespace: 'YOUR_AUTH0_DOMAIN' } } - { name: 'authentiq', app_id: 'YOUR_CLIENT_ID', app_secret: 'YOUR_CLIENT_SECRET', args: { scope: 'aq:name email~rs address aq:push' } } - { name: 'salesforce', app_id: 'YOUR_CLIENT_ID', app_secret: 'YOUR_CLIENT_SECRET' } ldap: enabled: false servers: main: label: ldap host: 127.0.0.1 port: 3890 uid: 'uid' encryption: 'plain' # "start_tls" or "simple_tls" or "plain" base: 'dc=example,dc=com' user_filter: '' group_base: 'ou=groups,dc=example,dc=com' admin_group: '' prometheus: enable: true listen_address: 'localhost:9090' staging: <<: *base ================================================ FILE: assets/runtime/config/gitlabhq/puma.rb ================================================ ENV['RAILS_RELATIVE_URL_ROOT'] = "{{GITLAB_RELATIVE_URL_ROOT}}" # frozen_string_literal: true # Load "path" as a rackup file. # # The default is "config.ru". 
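# rackup 'config.ru'

pidfile '{{GITLAB_INSTALL_DIR}}/tmp/pids/puma.pid'
state_path '{{GITLAB_INSTALL_DIR}}/tmp/pids/puma.state'

# Third argument `true` asks Puma to append to the log files instead of
# truncating them on every (re)start.
stdout_redirect '{{GITLAB_INSTALL_DIR}}/log/puma.stdout.log',
  '{{GITLAB_INSTALL_DIR}}/log/puma.stderr.log',
  true

# Configure "min" to be the minimum number of threads to use to answer
# requests and "max" the maximum.
#
# The default is "0, 16".
#
threads {{PUMA_THREADS_MIN}}, {{PUMA_THREADS_MAX}}

# By default, workers accept all requests and queue them to pass to handlers.
# When false, workers accept the number of simultaneous requests configured.
#
# Queueing requests generally improves performance, but can cause deadlocks if
# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
#
# When set to false this may require a reverse proxy to handle slow clients and
# queue requests before they reach puma. This is due to disabling HTTP keepalive
queue_requests false

# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
# accepted protocols.
#
# Puma is never exposed directly: the TCP listener is bound to loopback only
# and the unix socket is what gitlab-workhorse connects to. Keep it that way;
# TLS, client-certificate checks and rate limiting live in nginx / rack_attack.
#
# NOTE(review): the socket path is hard-coded to /home/git/gitlab while every
# other path in this file uses {{GITLAB_INSTALL_DIR}}; both must agree with the
# workhorse configuration (not visible here) if the install directory changes.
bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'
bind 'tcp://127.0.0.1:8080'

workers {{PUMA_WORKERS}}

require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/cluster/lifecycle_events"

# The two branches differ only in how the lifecycle hooks are named and how
# the worker count reaches GitLab: before Puma 7 it is read from the DSL's
# options hash, from Puma 7 on it has to be passed explicitly.
if Gem::Version.new(Puma::Const::PUMA_VERSION) < Gem::Version.new('7.0')
  Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options

  on_restart do
    # Signal application hooks that we're about to restart
    Gitlab::Cluster::LifecycleEvents.do_before_master_restart
  end

  on_worker_boot do
    # Signal application hooks of worker start
    Gitlab::Cluster::LifecycleEvents.do_worker_start
  end

  on_worker_shutdown do
    # Signal application hooks that a worker is shutting down
    Gitlab::Cluster::LifecycleEvents.do_worker_stop
  end
else
  # Keep in step with the `workers` directive above so the lifecycle hooks see
  # the real worker count (the pre-7 branch derives it from @config.options).
  # The former hard-coded literal 3 silently diverged whenever PUMA_WORKERS
  # was overridden, e.g. set to 0 for single mode.
  Gitlab::Cluster::LifecycleEvents.set_puma_worker_count({{PUMA_WORKERS}})

  before_restart do
    # Signal application hooks that we're about to restart
    Gitlab::Cluster::LifecycleEvents.do_before_master_restart
  end

  before_worker_boot do
    # Signal application hooks of worker start
    Gitlab::Cluster::LifecycleEvents.do_worker_start
  end

  before_worker_shutdown do
    # Signal application hooks that a worker is shutting down
    Gitlab::Cluster::LifecycleEvents.do_worker_stop
  end
end

before_fork do
  # Signal application hooks that we're about to fork
  Gitlab::Cluster::LifecycleEvents.do_before_fork
end

# Preload the application before starting the workers; this conflicts with
# phased restart feature. (off by default)
preload_app!

tag 'gitlab-puma-worker'

# Verifies that all workers have checked in to the master process within
# the given timeout. If not the worker process will be restarted. Default
# value is 60 seconds.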
# worker_timeout {{PUMA_TIMEOUT}} # https://github.com/puma/puma/blob/master/5.0-Upgrade.md#lower-latency-better-throughput wait_for_less_busy_worker ENV.fetch('PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001).to_f # Use json formatter require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/puma_logging/json_formatter" json_formatter = Gitlab::PumaLogging::JSONFormatter.new log_formatter do |str| json_formatter.call(str) end require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/puma/error_handler" error_handler = Gitlab::Puma::ErrorHandler.new(ENV['RAILS_ENV'] == 'production') lowlevel_error_handler do |ex, env, status_code| error_handler.execute(ex, env, status_code) end ================================================ FILE: assets/runtime/config/gitlabhq/relative_url.rb ================================================ # Relative URL support # WARNING: We recommend using an FQDN to host GitLab in a root path instead # of using a relative URL. # Documentation: http://doc.gitlab.com/ce/install/relative_url.html # Copy this file to relative_url.rb and customize it to run in a non-root path # Rails.application.configure do config.relative_url_root = "{{GITLAB_RELATIVE_URL_ROOT}}" end ================================================ FILE: assets/runtime/config/gitlabhq/resque.yml ================================================ # If you change this file in a Merge Request, please also create # a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # development: url: redis://127.0.0.1:6379 # sentinels: # - # host: localhost # port: 26380 # point to sentinel, not to redis port # - # host: slave2 # port: 26381 # point to sentinel, not to redis port test: url: redis://127.0.0.1:6379 production: # Redis (single instance) url: redis://{{REDIS_HOST}}:{{REDIS_PORT}}/{{REDIS_DB_NUMBER}} ## # Redis + Sentinel (for HA) # # Please read instructions carefully before using it as you may lose data: # http://redis.io/topics/sentinel # # You must specify a list of a few 
sentinels that will handle client connection # please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html ## # url: redis://master:6379 # sentinels: # - # host: slave1 # port: 26379 # point to sentinel, not to redis port # - # host: slave2 # port: 26379 # point to sentinel, not to redis port ================================================ FILE: assets/runtime/config/gitlabhq/secrets.yml ================================================ production: # db_key_base is used to encrypt for Variables. Ensure that you don't lose it. # If you change or lose this key you will be unable to access variables stored in database. # Make sure the secret is at least 30 characters and all random, # no regular words or you'll be exposed to dictionary attacks. db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}} secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}} otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}} encrypted_settings_key_base: {{GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE}} active_record_encryption_primary_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY}} active_record_encryption_deterministic_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY}} active_record_encryption_key_derivation_salt: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT}} development: db_key_base: development test: db_key_base: test ================================================ FILE: assets/runtime/config/gitlabhq/smtp_settings.rb ================================================ # To enable smtp email delivery for your GitLab instance do the following: # 1. Rename this file to smtp_settings.rb # 2. Edit settings inside this file # 3. 
# Restart GitLab instance
#
# For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html
#
# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
# Security notes (review):
# - The {{...}} placeholders are substituted into Ruby string literals before
#   this file is loaded. A value containing a double quote, a backslash or
#   `#{` alters the Ruby source itself (the single-quoted openssl_verify_mode
#   is only affected by a single quote), so SMTP_PASS and the other values
#   must be free of those characters unless whatever performs the
#   substitution (not visible here) escapes them.
# - openssl_verify_mode 'none' disables certificate verification of the SMTP
#   server and exposes the SMTP credentials to an on-path attacker; prefer
#   'peer' together with ca_file / ca_path.
# - enable_starttls_auto only upgrades when the server advertises STARTTLS,
#   so an on-path attacker who strips the advertisement downgrades the session
#   to plaintext; implicit TLS (tls: true) does not have that weakness.

if Rails.env.production?
  Rails.application.config.action_mailer.delivery_method = :smtp
  ActionMailer::Base.delivery_method = :smtp
  ActionMailer::Base.smtp_settings = {
    address: "{{SMTP_HOST}}",
    port: {{SMTP_PORT}},
    user_name: "{{SMTP_USER}}",
    password: "{{SMTP_PASS}}",
    domain: "{{SMTP_DOMAIN}}",
    authentication: "{{SMTP_AUTHENTICATION}}",
    enable_starttls_auto: {{SMTP_STARTTLS}},
    openssl_verify_mode: '{{SMTP_OPENSSL_VERIFY_MODE}}',
    ca_path: "{{SMTP_CA_PATH}}",
    ca_file: "{{SMTP_CA_FILE}}",
    tls: {{SMTP_TLS}}
  }
end
================================================
FILE: assets/runtime/config/nginx/gitlab
================================================
## GitLab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
##        CONTRIBUTING          ##
##################################
##
## If you change this file in a Merge Request, please also create
## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
##
###################################
##         configuration         ##
###################################
##
## See installation.md#using-https for additional HTTPS configuration details.
upstream gitlab-workhorse {
  server 127.0.0.1:8181 fail_timeout=0;
}

## Upgrade the connection only when the client asked for it (WebSockets);
## otherwise tell the upstream to close it.
map $http_upgrade $connection_upgrade_gitlab {
  default upgrade;
  ''      close;
}

## Obfuscate access_token and private_token in access log
## Masks the value of a private_token= / access_token= query parameter so the
## credential is not written to the access log. Only those two parameter
## names, and only in the query string, are covered by this pattern.
map $request_uri $obfuscated_request_uri {
  ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
  default $request_uri;
}

log_format gitlab_access '$remote_addr - $remote_user [$time_local] '
                         '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent"';

## Normal HTTP host
server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)
  listen 0.0.0.0:80 default_server;
  listen [::]:80 default_server;
  server_name {{GITLAB_HOST}}; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## See app/controllers/application_controller.rb for headers set

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  ## The client address is replaced from X-Real-IP only for connections coming
  ## from set_real_ip_from. Keep that range as narrow as possible: any host in
  ## it can spoof the client IP that rack_attack bans on and that the access
  ## log records.
  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
  real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}}; ## 'on' uses the last non-trusted address of a proxy chain; only matters when the header carries several addresses (X-Forwarded-For)
  ## If you have a trusted IP address, uncomment it and set it
  set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24

  add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}};
  ## NOTE(review): browsers ignore Strict-Transport-Security received over
  ## plain HTTP (RFC 6797 section 8.1). On this vhost the header is only
  ## effective when a proxy in front of the container terminates TLS.
  add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";

  ## Individual nginx logs for this GitLab vhost
  access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_access;
  error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;

  location / {
    client_max_body_size 0;
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;
    proxy_buffering {{NGINX_PROXY_BUFFERING}};

    proxy_http_version 1.1;

    ## X-Forwarded-Proto is a fixed, templated value rather than $scheme. It has
    ## to reflect the client-facing scheme (https when a proxy in front of this
    ## container terminates TLS) — presumably GitLab relies on it for redirects
    ## and absolute URLs; confirm against the entrypoint that sets it.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}};
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade_gitlab;

    proxy_pass http://gitlab-workhorse;
  }

  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  error_page 503 /503.html;
  location ~ ^/(404|422|500|502|503)\.html$ {
    root {{GITLAB_INSTALL_DIR}}/public;
    internal;
  }

  {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}}
}
================================================
FILE: assets/runtime/config/nginx/gitlab-pages
================================================
## GitLab
##
## Pages serving host
server {
  listen 0.0.0.0:80;
  listen [::]:80;

  ## Replace this with something like pages.gitlab.com
  ## NOTE(review): the regex is not anchored with `$` and the dots of the
  ## substituted domain are not escaped, so it also matches any host that
  ## merely contains the domain; anchor and escape if strict matching is
  ## intended. Unlike the other vhosts, `server_tokens off` is not set here.
  server_name ~^.*{{GITLAB_PAGES_DOMAIN}};

  ## Individual nginx logs for GitLab pages
  access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log;
  error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # The same address as passed to GitLab Pages: `-listen-proxy`
    proxy_pass http://127.0.0.1:8090/;
  }

  # Define custom error pages
  error_page 403 /403.html;
  error_page 404 /404.html;
}
================================================
FILE: assets/runtime/config/nginx/gitlab-pages-ssl
================================================
## GitLab
##
## Redirects all HTTP traffic to the HTTPS host
server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file.
This will cause gitlab ## to be served if you visit any address that your server responds to, eg. ## the ip address of the server (http://x.x.x.x/) listen 0.0.0.0:80; listen [::]:80; ## Replace this with something like pages.gitlab.com server_name ~^.*{{GITLAB_PAGES_DOMAIN}}; server_tokens off; ## Don't show the nginx version number, a security best practice return 301 https://$host:{{GITLAB_PORT}}$request_uri; access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log; } ## Pages serving host server { listen 0.0.0.0:443 ssl; listen [::]:443 ssl; http2 on; ## Replace this with something like pages.gitlab.com server_name ~^.*{{GITLAB_PAGES_DOMAIN}}; server_tokens off; ## Don't show the nginx version number, a security best practice ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ ssl_certificate {{SSL_PAGES_CERT_PATH}}; ssl_certificate_key {{SSL_PAGES_KEY_PATH}}; # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs ssl_ciphers "{{SSL_PAGES_CIPHERS}}"; ssl_protocols {{SSL_PAGES_PROTOCOLS}}; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; ## See app/controllers/application_controller.rb for headers set ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. ## Replace with your ssl_trusted_certificate. 
For more info see: ## - https://medium.com/devops-programming/4445f4862461 ## - https://www.ruby-forum.com/topic/4419319 ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx # ssl_stapling on; # ssl_stapling_verify on; # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; ## [Optional] Generate a stronger DHE parameter: ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 ## ssl_dhparam {{SSL_DHPARAM_PATH}}; ## Individual nginx logs for this GitLab vhost access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log; location / { proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # The same address as passed to GitLab Pages: `-listen-proxy` proxy_pass http://localhost:8090/; } # Define custom error pages error_page 403 /403.html; error_page 404 /404.html; } ================================================ FILE: assets/runtime/config/nginx/gitlab-registry ================================================ ## Lines starting with two hashes (##) are comments with information. ## Lines starting with one hash (#) are configuration parameters that can be uncommented. 
## ################################### ## configuration ## ################################### ## Redirects all HTTP traffic to the HTTPS host server { listen *:80; server_name {{GITLAB_REGISTRY_HOST}}; server_tokens off; ## Don't show the nginx version number, a security best practice return 301 https://$http_host$request_uri; access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log; } server { # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-foss/blob/8-8-stable/config/gitlab.yml.example#L182, # it should be declared here as well listen *:{{GITLAB_REGISTRY_PORT}} ssl; http2 on; server_name {{GITLAB_REGISTRY_HOST}}; server_tokens off; ## Don't show the nginx version number, a security best practice client_max_body_size 0; chunked_transfer_encoding on; ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ ssl_certificate {{SSL_REGISTRY_CERT_PATH}}; ssl_certificate_key {{SSL_REGISTRY_KEY_PATH}}; ssl_ciphers "{{SSL_REGISTRY_CIPHERS}}"; ssl_protocols {{SSL_REGISTRY_PROTOCOLS}}; ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_timeout 5m; access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log; location / { proxy_set_header Host $http_host; # required for docker client's sake proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 900; proxy_pass {{GITLAB_REGISTRY_API_URL}}; } } ================================================ FILE: assets/runtime/config/nginx/gitlab-ssl ================================================ ## GitLab ## ## Modified from nginx http version ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ ## Modified from 
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ## ## Lines starting with two hashes (##) are comments with information. ## Lines starting with one hash (#) are configuration parameters that can be uncommented. ## ################################## ## CONTRIBUTING ## ################################## ## ## If you change this file in a Merge Request, please also create ## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests ## ################################### ## configuration ## ################################### ## ## See installation.md#using-https for additional HTTPS configuration details. upstream gitlab-workhorse { server 127.0.0.1:8181 fail_timeout=0; } map $http_upgrade $connection_upgrade_gitlab_ssl { default upgrade; '' close; } ## Obfuscate access_token and private_token in access log map $request_uri $obfuscated_request_uri { ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4; default $request_uri; } log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] ' '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"'; ## Redirects all HTTP traffic to the HTTPS host server { ## Either remove "default_server" from the listen line below, ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab ## to be served if you visit any address that your server responds to, eg. 
## the ip address of the server (http://x.x.x.x/) listen 0.0.0.0:80; listen [::]:80 ipv6only=on default_server; server_name _; ## Replace this with something like gitlab.example.com server_tokens off; ## Don't show the nginx version number, a security best practice return 301 https://$host:{{GITLAB_PORT}}$request_uri; access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_ssl_access; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log; } ## HTTPS host server { listen 0.0.0.0:443 ssl; listen [::]:443 ipv6only=on ssl default_server; http2 on; server_name {{GITLAB_HOST}}; ## Replace this with something like gitlab.example.com server_tokens off; ## Don't show the nginx version number, a security best practice ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ ssl_certificate {{SSL_CERTIFICATE_PATH}}; ssl_certificate_key {{SSL_KEY_PATH}}; ssl_verify_client {{SSL_VERIFY_CLIENT}}; ssl_client_certificate {{SSL_CA_CERTIFICATES_PATH}}; # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs ssl_ciphers "{{SSL_CIPHERS}}"; ssl_protocols {{SSL_PROTOCOLS}}; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; ## See app/controllers/application_controller.rb for headers set ## Real IP Module Config ## http://nginx.org/en/docs/http/ngx_http_realip_module.html real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}}; ## If you enable 'on' ## If you have a trusted IP address, uncomment it and set it set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24 add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}}; add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};"; ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. ## Replace with your ssl_trusted_certificate. 
For more info see: ## - https://medium.com/devops-programming/4445f4862461 ## - https://www.ruby-forum.com/topic/4419319 ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx # ssl_stapling on; # ssl_stapling_verify on; # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired # resolver_timeout 5s; ## [Optional] Generate a stronger DHE parameter: ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 ## ssl_dhparam {{SSL_DHPARAM_PATH}}; ## Individual nginx logs for this GitLab vhost access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_ssl_access; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log; location / { client_max_body_size 0; gzip off; ## https://github.com/gitlabhq/gitlabhq/issues/694 ## Some requests take more than 30 seconds. proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; proxy_buffering {{NGINX_PROXY_BUFFERING}}; proxy_http_version 1.1; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade_gitlab_ssl; proxy_pass http://gitlab-workhorse; } error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; error_page 502 /502.html; error_page 503 /503.html; location ~ ^/(404|422|500|502|503)\.html$ { root {{GITLAB_INSTALL_DIR}}/public; internal; } {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}} } ================================================ FILE: assets/runtime/config/nginx/gitlab_ci ================================================ # GITLAB CI server { listen 80; # e.g., listen 192.168.1.1:80; server_name {{GITLAB_CI_HOST}}; # e.g., server_name source.example.com; access_log 
{{GITLAB_LOG_DIR}}/nginx/gitlab_ci_access.log; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_ci_error.log; # expose API to fix runners location /api { proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; resolver {{DNS_RESOLVERS}}; proxy_pass $scheme://{{GITLAB_HOST}}/ci$request_uri; } # redirect all other CI requests location / { return 301 $scheme://{{GITLAB_HOST}}/ci$request_uri; } # adjust this to match the largest build log your runners might submit, # set to 0 to disable limit client_max_body_size 0; } ================================================ FILE: assets/runtime/env-defaults ================================================ #!/bin/bash # CONTAINER DEBUG=${DEBUG:-$DEBUG_ENTRYPOINT} TIMEZONE=${TZ:-UTC} ## GITLAB CORE GITLAB_TEMP_DIR="${GITLAB_DATA_DIR}/tmp" GITLAB_BACKUP_DIR="${GITLAB_BACKUP_DIR:-$GITLAB_DATA_DIR/backups}" GITLAB_BACKUP_DIR_CHOWN=${GITLAB_BACKUP_DIR_CHOWN:-true} GITLAB_BACKUP_DIR_GROUP=${GITLAB_BACKUP_DIR_GROUP:-} GITLAB_REPOS_DIR="${GITLAB_REPOS_DIR:-$GITLAB_DATA_DIR/repositories}" GITLAB_BUILDS_DIR="${GITLAB_BUILDS_DIR:-$GITLAB_DATA_DIR/builds}" GITLAB_DOWNLOADS_DIR="${GITLAB_DOWNLOADS_DIR:-$GITLAB_TEMP_DIR/downloads}" GITLAB_SHARED_DIR="${GITLAB_SHARED_DIR:-$GITLAB_DATA_DIR/shared}" GITLAB_DEFAULT_THEME=${GITLAB_DEFAULT_THEME:-2} GITLAB_HTTPS=${GITLAB_HTTPS:-false} GITLAB_HOST=${GITLAB_HOST:-127.0.0.1} GITLAB_CI_HOST=${GITLAB_CI_HOST:-} GITLAB_PORT=${GITLAB_PORT:-} GITLAB_IMPERSONATION_ENABLED=${GITLAB_IMPERSONATION_ENABLED:-true} if [[ $GITLAB_HTTPS == true ]]; then GITLAB_PORT=${GITLAB_PORT:-443} else GITLAB_PORT=${GITLAB_PORT:-80} fi ## SSH GITLAB_SSH_HOST=${GITLAB_SSH_HOST:-$GITLAB_HOST} GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-$GITLAB_SHELL_SSH_PORT} # for backwards compatibility GITLAB_SSH_LISTEN_PORT=${GITLAB_SSH_LISTEN_PORT:-22} GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-$GITLAB_SSH_LISTEN_PORT} GITLAB_SSH_MAXSTARTUPS=${GITLAB_SSH_MAXSTARTUPS:-10:30:60} 
NGINX_HSTS_ENABLED=${NGINX_HSTS_ENABLED:-$GITLAB_HTTPS_HSTS_ENABLED} # backward compatibility
NGINX_HSTS_ENABLED=${NGINX_HSTS_ENABLED:-true}
NGINX_HSTS_MAXAGE=${NGINX_HSTS_MAXAGE:-$GITLAB_HTTPS_HSTS_MAXAGE} # backward compatibility
NGINX_HSTS_MAXAGE=${NGINX_HSTS_MAXAGE:-31536000}

## DATABASE
DB_ADAPTER=${DB_ADAPTER:-postgresql}
DB_ENCODING=${DB_ENCODING:-}
DB_HOST=${DB_HOST:-}
DB_PORT=${DB_PORT:-}
DB_NAME=${DB_NAME:-}
DB_USER=${DB_USER:-}
DB_PASS=${DB_PASS:-}
DB_POOL=${DB_POOL:-10}
DB_PREPARED_STATEMENTS=${DB_PREPARED_STATEMENTS:-true}
# backward compatibility
# Effectively a no-op today: DB_ADAPTER is already non-empty by this point, so
# the "${DB_ADAPTER:-...}" inside never fires. Kept so old DB_TYPE values parse.
case ${DB_TYPE} in
  postgres) DB_ADAPTER=${DB_ADAPTER:-postgresql} ;;
esac

## REDIS
REDIS_HOST=${REDIS_HOST:-}
REDIS_PORT=${REDIS_PORT:-}
REDIS_DB_NUMBER=${REDIS_DB_NUMBER:-0}

## SIDEKIQ
SIDEKIQ_SHUTDOWN_TIMEOUT=${SIDEKIQ_SHUTDOWN_TIMEOUT:-4}
SIDEKIQ_CONCURRENCY=${SIDEKIQ_CONCURRENCY:-25}
SIDEKIQ_MEMORY_KILLER_MAX_RSS=${SIDEKIQ_MEMORY_KILLER_MAX_RSS:-2000000}
GITLAB_SIDEKIQ_LOG_FORMAT=${GITLAB_SIDEKIQ_LOG_FORMAT:-json}

## PUMA
PUMA_THREADS_MIN=${PUMA_THREADS_MIN:-1}
PUMA_THREADS_MAX=${PUMA_THREADS_MAX:-16}
PUMA_WORKERS=${PUMA_WORKERS:-3}
PUMA_TIMEOUT=${PUMA_TIMEOUT:-60}
PUMA_PER_WORKER_MAX_MEMORY_MB=${PUMA_PER_WORKER_MAX_MEMORY_MB:-1024}
PUMA_MASTER_MAX_MEMORY_MB=${PUMA_MASTER_MAX_MEMORY_MB:-800}

# Set Default values according to the documentation
# https://docs.gitlab.com/ee/administration/operations/unicorn.html#unicorn-worker-killer
GITLAB_UNICORN_MEMORY_MIN=${GITLAB_UNICORN_MEMORY_MIN:-1073741824}
GITLAB_UNICORN_MEMORY_MAX=${GITLAB_UNICORN_MEMORY_MAX:-1342177280}

##
GITLAB_TIMEZONE=${GITLAB_TIMEZONE:-UTC}
# Self-registration is open by default; set to false on instances that are
# reachable from untrusted networks and should only hold invited accounts.
GITLAB_SIGNUP_ENABLED=${GITLAB_SIGNUP_ENABLED:-true}
# The shell strips the surrounding single quotes, so the stored value is the
# bare regular expression.
GITLAB_ISSUE_CLOSING_PATTERN=${GITLAB_ISSUE_CLOSING_PATTERN:-'\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'}
GITLAB_PROJECTS_LIMIT=${GITLAB_PROJECTS_LIMIT:-100}
GITLAB_USERNAME_CHANGE=${GITLAB_USERNAME_CHANGE:-true}
GITLAB_CREATE_GROUP=${GITLAB_CREATE_GROUP:-true}
GITLAB_PROJECTS_ISSUES=${GITLAB_PROJECTS_ISSUES:-true}
GITLAB_PROJECTS_MERGE_REQUESTS=${GITLAB_PROJECTS_MERGE_REQUESTS:-true}
GITLAB_PROJECTS_WIKI=${GITLAB_PROJECTS_WIKI:-true}
GITLAB_PROJECTS_SNIPPETS=${GITLAB_PROJECTS_SNIPPETS:-true}
GITLAB_PROJECTS_BUILDS=${GITLAB_PROJECTS_BUILDS:-true}
GITLAB_PROJECTS_CONTAINER_REGISTRY=${GITLAB_PROJECTS_CONTAINER_REGISTRY:-true}
GITLAB_RELATIVE_URL_ROOT=${GITLAB_RELATIVE_URL_ROOT:-}
# Empty by default: when the container sits behind a reverse proxy, list the
# proxy addresses here so client IPs seen by GitLab are the real ones rather
# than the proxy's (presumably consumed by the gitlab.yml template -- verify).
GITLAB_TRUSTED_PROXIES=${GITLAB_TRUSTED_PROXIES:-}
if [[ -z ${GITLAB_RELATIVE_URL_ROOT} || ${GITLAB_RELATIVE_URL_ROOT} == / ]]; then
  # should not be set to `/`
  GITLAB_RELATIVE_URL_ROOT=
fi
GITLAB_WEBHOOK_TIMEOUT=${GITLAB_WEBHOOK_TIMEOUT:-10}
GITLAB_WORKHORSE_TIMEOUT=${GITLAB_WORKHORSE_TIMEOUT:-5m0s}

# OBJECTSTORE
# Global connection settings; each feature section below (artifacts, packages,
# ...) defaults its own *_CONNECTION_* variables to these values.
GITLAB_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_OBJECT_STORE_CONNECTION_PROVIDER:-AWS}
#-- AWS
# The literal strings AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are placeholders,
# not credentials; they only appear in the rendered config when nothing is set.
AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-AWS_ACCESS_KEY_ID}
AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-AWS_SECRET_ACCESS_KEY}
AWS_REGION=${AWS_REGION:-us-east-1}
AWS_HOST=${AWS_HOST:-s3.amazonaws.com}
# The literal "nil" is what ends up in the template when no endpoint is given.
AWS_ENDPOINT=${AWS_ENDPOINT:-nil}
AWS_PATH_STYLE=${AWS_PATH_STYLE:-true}
AWS_SIGNATURE_VERSION=${AWS_SIGNATURE_VERSION:-4}
#-- Google
GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}
GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}
GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-"/gcs/key.json"}

## ARTIFACTS
GITLAB_ARTIFACTS_ENABLED=${GITLAB_ARTIFACTS_ENABLED:-true}
GITLAB_ARTIFACTS_DIR="${GITLAB_ARTIFACTS_DIR:-$GITLAB_SHARED_DIR/artifacts}"
GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED=${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED:-false}
GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY:-artifacts} GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD:-false} GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD:-false} GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD:-false} GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} # ARTIFACTS:AWS GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION} GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST} GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT} GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE} GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION} # ARTIFACTS:Google GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} 
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION} ## PACKAGES GITLAB_PACKAGES_ENABLED=${GITLAB_PACKAGES_ENABLED:-true} GITLAB_PACKAGES_DIR="${GITLAB_PACKAGES_DIR:-$GITLAB_SHARED_DIR/packages}" GITLAB_PACKAGES_OBJECT_STORE_ENABLED=${GITLAB_PACKAGES_OBJECT_STORE_ENABLED:-false} GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY:-packages} GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD:-false} GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD:-false} GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD:-false} GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} # PACKAGES:AWS GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION} GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST} GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT} GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE} GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION} # PACKAGES:Google 
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION} ## TERRAFORM STATE GITLAB_TERRAFORM_STATE_ENABLED=${GITLAB_TERRAFORM_STATE_ENABLED:-true} GITLAB_TERRAFORM_STATE_STORAGE_PATH="${GITLAB_TERRAFORM_STATE_STORAGE_PATH:-$GITLAB_SHARED_DIR/terraform_state}" GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED:-false} GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY:-terraform_state} GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} # TERRAFORM STATE:AWS GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION} GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST} GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT} GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE} 
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION} # TERRAFORM STATE:Google GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION} ## Cron Jobs GITLAB_PIPELINE_SCHEDULE_WORKER_CRON=${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON:-"19 * * * *"} ## LFS GITLAB_LFS_ENABLED=${GITLAB_LFS_ENABLED:-true} GITLAB_LFS_OBJECTS_DIR="${GITLAB_LFS_OBJECTS_DIR:-$GITLAB_SHARED_DIR/lfs-objects}" GITLAB_LFS_OBJECT_STORE_ENABLED=${GITLAB_LFS_OBJECT_STORE_ENABLED:-false} GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY:-lfs-objects} GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD:-false} GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD:-false} GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD:-false} GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} # LFS:AWS GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION} 
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST} GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT} GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE} GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION} # LFS:Google GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION} ## Uploads GITLAB_UPLOADS_STORAGE_PATH="${GITLAB_UPLOADS_STORAGE_PATH:-$GITLAB_INSTALL_DIR/public}" GITLAB_UPLOADS_BASE_DIR="${GITLAB_UPLOADS_BASE_DIR:-uploads/-/system}" GITLAB_UPLOADS_OBJECT_STORE_ENABLED=${GITLAB_UPLOADS_OBJECT_STORE_ENABLED:-false} GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY:-uploads} GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD:-false} GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD:-false} GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD:-false} GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} # Uploads:AWS GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} 
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION} GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST} GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT} GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE} GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION} # Uploads:Google GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION} ## Mattermost GITLAB_MATTERMOST_ENABLED=${GITLAB_MATTERMOST_ENABLED:-false} GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com} # secrets GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-} GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-} GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-} GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=${GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE:-} GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY:-} GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY:-} 
GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT:-} GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true} GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false} GITLAB_ROBOTS_PATH=${GITLAB_ROBOTS_PATH:-${USERCONF_TEMPLATES_DIR}/gitlabhq/robots.txt} ## REGISTRY GITLAB_REGISTRY_ENABLED=${GITLAB_REGISTRY_ENABLED:-false} GITLAB_REGISTRY_DIR="${GITLAB_REGISTRY_DIR:-$GITLAB_SHARED_DIR/registry}" GITLAB_REGISTRY_HOST=${GITLAB_REGISTRY_HOST:-registry.example.com} GITLAB_REGISTRY_PORT=${GITLAB_REGISTRY_PORT:-443} GITLAB_REGISTRY_API_URL=${GITLAB_REGISTRY_API_URL:-http://127.0.0.1:5000/} GITLAB_REGISTRY_KEY_PATH=${GITLAB_REGISTRY_KEY_PATH:-config/registry.key} GITLAB_REGISTRY_ISSUER=${GITLAB_REGISTRY_ISSUER:-gitlab-issuer} GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES=${GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES:-false} ## SSL SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false} SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-$GITLAB_DATA_DIR/certs/gitlab.crt} SSL_KEY_PATH=${SSL_KEY_PATH:-$GITLAB_DATA_DIR/certs/gitlab.key} SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-$GITLAB_DATA_DIR/certs/dhparam.pem} SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off} SSL_CIPHERS=${SSL_CIPHERS:-'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'} SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'} SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_REGISTRY_KEY_PATH} SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key} SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_REGISTRY_CERT_PATH} SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt} 
SSL_REGISTRY_CIPHERS=${SSL_REGISTRY_CIPHERS:-$SSL_CIPHERS} SSL_REGISTRY_PROTOCOLS=${SSL_REGISTRY_PROTOCOLS:-$SSL_PROTOCOLS} SSL_PAGES_KEY_PATH=${SSL_PAGES_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key} SSL_PAGES_CERT_PATH=${SSL_PAGES_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt} SSL_PAGES_CIPHERS=${SSL_PAGES_CIPHERS:-$SSL_CIPHERS} SSL_PAGES_PROTOCOLS=${SSL_PAGES_PROTOCOLS:-$SSL_PROTOCOLS} SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt} ## BACKUPS GITLAB_BACKUP_SCHEDULE=${GITLAB_BACKUP_SCHEDULE:-$GITLAB_BACKUPS} # backward compatibility GITLAB_BACKUP_SCHEDULE=${GITLAB_BACKUP_SCHEDULE:-disable} GITLAB_BACKUP_TIME=${GITLAB_BACKUP_TIME:-04:00} GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-} GITLAB_BACKUP_PG_SCHEMA=${GITLAB_BACKUP_PG_SCHEMA:-} GITLAB_BACKUP_ARCHIVE_PERMISSIONS=${GITLAB_BACKUP_ARCHIVE_PERMISSIONS:-0600} case ${GITLAB_BACKUP_SCHEDULE} in daily|weekly|monthly) GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-604800} ;; disable|*) GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-0} ;; esac ### AWS BACKUPS AWS_BACKUPS=${AWS_BACKUPS:-false} AWS_BACKUP_REGION=${AWS_BACKUP_REGION} AWS_BACKUP_ENDPOINT=${AWS_BACKUP_ENDPOINT} AWS_BACKUP_PATH_STYLE=${AWS_BACKUP_PATH_STYLE:-false} AWS_BACKUP_ACCESS_KEY_ID=${AWS_BACKUP_ACCESS_KEY_ID} AWS_BACKUP_SECRET_ACCESS_KEY=${AWS_BACKUP_SECRET_ACCESS_KEY} AWS_BACKUP_BUCKET=${AWS_BACKUP_BUCKET} AWS_BACKUP_MULTIPART_CHUNK_SIZE=${AWS_BACKUP_MULTIPART_CHUNK_SIZE} AWS_BACKUP_ENCRYPTION=${AWS_BACKUP_ENCRYPTION} AWS_BACKUP_STORAGE_CLASS=${AWS_BACKUP_STORAGE_CLASS:-STANDARD} AWS_BACKUP_SIGNATURE_VERSION=${AWS_BACKUP_SIGNATURE_VERSION:-4} ### GCS BACKUPS GCS_BACKUPS=${GCS_BACKUPS:-false} GCS_BACKUP_ACCESS_KEY_ID=${GCS_BACKUP_ACCESS_KEY_ID} GCS_BACKUP_SECRET_ACCESS_KEY=${GCS_BACKUP_SECRET_ACCESS_KEY} GCS_BACKUP_BUCKET=${GCS_BACKUP_BUCKET} ## NGINX 
NGINX_SERVER_NAMES_HASH_BUCKET_SIZE=${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE:-32}; NGINX_WORKERS=${NGINX_WORKERS:-1} NGINX_ACCEL_BUFFERING=${NGINX_ACCEL_BUFFERING:-no} NGINX_PROXY_BUFFERING=${NGINX_PROXY_BUFFERING:-off} NGINX_REAL_IP_RECURSIVE=${NGINX_REAL_IP_RECURSIVE:-off} NGINX_REAL_IP_TRUSTED_ADDRESSES=${NGINX_REAL_IP_TRUSTED_ADDRESSES:-} case ${GITLAB_HTTPS} in true) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-https} ;; *) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-\$scheme} ;; esac NGINX_CUSTOM_GITLAB_SERVER_CONFIG=${NGINX_CUSTOM_GITLAB_SERVER_CONFIG:-} ## MAIL DELIVERY SMTP_DOMAIN=${SMTP_DOMAIN:-www.gmail.com} SMTP_HOST=${SMTP_HOST:-smtp.gmail.com} SMTP_PORT=${SMTP_PORT:-587} SMTP_USER=${SMTP_USER:-} SMTP_PASS=${SMTP_PASS:-} SMTP_OPENSSL_VERIFY_MODE=${SMTP_OPENSSL_VERIFY_MODE:-none} SMTP_STARTTLS=${SMTP_STARTTLS:-true} SMTP_TLS=${SMTP_TLS:-false} SMTP_CA_ENABLED=${SMTP_CA_ENABLED:-false} SMTP_CA_PATH=${SMTP_CA_PATH:-$GITLAB_DATA_DIR/certs} SMTP_CA_FILE=${SMTP_CA_FILE:-$GITLAB_DATA_DIR/certs/ca.crt} if [[ -n ${SMTP_USER} ]]; then SMTP_ENABLED=${SMTP_ENABLED:-true} SMTP_AUTHENTICATION=${SMTP_AUTHENTICATION:-login} fi SMTP_ENABLED=${SMTP_ENABLED:-false} GITLAB_EMAIL_ENABLED=${GITLAB_EMAIL_ENABLED:-${SMTP_ENABLED}} GITLAB_EMAIL=${GITLAB_EMAIL:-${SMTP_USER}} GITLAB_EMAIL_REPLY_TO=${GITLAB_EMAIL_REPLY_TO:-${GITLAB_EMAIL}} GITLAB_EMAIL_SUBJECT_SUFFIX=${GITLAB_EMAIL_SUBJECT_SUFFIX:-} GITLAB_EMAIL=${GITLAB_EMAIL:-example@example.com} GITLAB_EMAIL_REPLY_TO=${GITLAB_EMAIL_REPLY_TO:-noreply@example.com} GITLAB_EMAIL_DISPLAY_NAME=${GITLAB_EMAIL_DISPLAY_NAME:-GitLab} GITLAB_EMAIL_SMIME_ENABLE=${GITLAB_EMAIL_SMIME_ENABLE:-false} GITLAB_EMAIL_SMIME_KEY_FILE=${GITLAB_EMAIL_SMIME_KEY_FILE:-} GITLAB_EMAIL_SMIME_CERT_FILE=${GITLAB_EMAIL_SMIME_CERT_FILE:-} ## INCOMING MAIL IMAP_HOST=${IMAP_HOST:-imap.gmail.com} IMAP_PORT=${IMAP_PORT:-993} IMAP_USER=${IMAP_USER:-} IMAP_PASS=${IMAP_PASS:-} IMAP_SSL=${IMAP_SSL:-true} IMAP_STARTTLS=${IMAP_STARTTLS:-false} 
IMAP_MAILBOX=${IMAP_MAILBOX:-inbox} IMAP_TIMEOUT=${IMAP_TIMEOUT:-60} if [[ -n ${IMAP_USER} ]]; then IMAP_ENABLED=${IMAP_ENABLED:-true} fi IMAP_ENABLED=${IMAP_ENABLED:-false} GITLAB_INCOMING_EMAIL_ENABLED=${GITLAB_INCOMING_EMAIL_ENABLED:-${IMAP_ENABLED}} GITLAB_INCOMING_EMAIL_ADDRESS=${GITLAB_INCOMING_EMAIL_ADDRESS:-${IMAP_USER}} GITLAB_INCOMING_EMAIL_ADDRESS=${GITLAB_INCOMING_EMAIL_ADDRESS:-reply@example.com} ## LDAP LDAP_ENABLED=${LDAP_ENABLED:-false} LDAP_HOST=${LDAP_HOST:-} LDAP_PORT=${LDAP_PORT:-389} LDAP_UID=${LDAP_UID:-sAMAccountName} LDAP_METHOD=${LDAP_METHOD:-plain} LDAP_VERIFY_SSL=${LDAP_VERIFY_SSL:-true} LDAP_CA_FILE=${LDAP_CA_FILE:-} LDAP_SSL_VERSION=${LDAP_SSL_VERSION:-} LDAP_BIND_DN=${LDAP_BIND_DN:-} LDAP_PASS=${LDAP_PASS:-} LDAP_TIMEOUT=${LDAP_TIMEOUT:-10} LDAP_ACTIVE_DIRECTORY=${LDAP_ACTIVE_DIRECTORY:-true} LDAP_BLOCK_AUTO_CREATED_USERS=${LDAP_BLOCK_AUTO_CREATED_USERS:-false} LDAP_BASE=${LDAP_BASE:-} LDAP_USER_FILTER=${LDAP_USER_FILTER:-} LDAP_USER_ATTRIBUTE_USERNAME=${LDAP_USER_ATTRIBUTE_USERNAME:-['uid', 'userid', 'sAMAccountName']} LDAP_USER_ATTRIBUTE_MAIL=${LDAP_USER_ATTRIBUTE_MAIL:-['mail', 'email', 'userPrincipalName']} LDAP_USER_ATTRIBUTE_NAME=${LDAP_USER_ATTRIBUTE_NAME:-cn} LDAP_USER_ATTRIBUTE_FIRSTNAME=${LDAP_USER_ATTRIBUTE_FIRSTNAME:-givenName} LDAP_USER_ATTRIBUTE_LASTNAME=${LDAP_USER_ATTRIBUTE_LASTNAME:-sn} LDAP_LOWERCASE_USERNAMES="${LDAP_LOWERCASE_USERNAMES:-false}" LDAP_LABEL=${LDAP_LABEL:-LDAP} LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-} LDAP_PREVENT_LDAP_SIGN_IN=${LDAP_PREVENT_LDAP_SIGN_IN:-false} case ${LDAP_UID} in userPrincipalName) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-false} ;; *) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-true} esac ## GRAVATAR GITLAB_GRAVATAR_ENABLED=${GITLAB_GRAVATAR_ENABLED:-true} GITLAB_GRAVATAR_HTTP_URL=${GITLAB_GRAVATAR_HTTP_URL:-} GITLAB_GRAVATAR_HTTPS_URL=${GITLAB_GRAVATAR_HTTPS_URL:-} ## OAUTH 
OAUTH_ENABLED=${OAUTH_ENABLED:-} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER:-} OAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-} OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true} OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false} OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false} OAUTH_EXTERNAL_PROVIDERS=${OAUTH_EXTERNAL_PROVIDERS:-} OAUTH_ALLOW_BYPASS_TWO_FACTOR=${OAUTH_ALLOW_BYPASS_TWO_FACTOR:-false} ### GOOGLE OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-} OAUTH_GOOGLE_APP_SECRET=${OAUTH_GOOGLE_APP_SECRET:-} OAUTH_GOOGLE_APPROVAL_PROMPT=${OAUTH_GOOGLE_APPROVAL_PROMPT:-} OAUTH_GOOGLE_RESTRICT_DOMAIN=${OAUTH_GOOGLE_RESTRICT_DOMAIN:-} if [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then # backward compatibility if [[ ${OAUTH_GOOGLE_RESTRICT_DOMAIN} != "'"* ]]; then OAUTH_GOOGLE_RESTRICT_DOMAIN="'${OAUTH_GOOGLE_RESTRICT_DOMAIN}'" fi fi ### FACEBOOK OAUTH_FACEBOOK_API_KEY=${OAUTH_FACEBOOK_API_KEY:-} OAUTH_FACEBOOK_APP_SECRET=${OAUTH_FACEBOOK_APP_SECRET:-} ### TWITTER OAUTH_TWITTER_API_KEY=${OAUTH_TWITTER_API_KEY:-} OAUTH_TWITTER_APP_SECRET=${OAUTH_TWITTER_APP_SECRET:-} ## Authentiq OAUTH_AUTHENTIQ_CLIENT_ID=${OAUTH_AUTHENTIQ_CLIENT_ID:-} OAUTH_AUTHENTIQ_CLIENT_SECRET=${OAUTH_AUTHENTIQ_CLIENT_SECRET:-} OAUTH_AUTHENTIQ_SCOPE=${OAUTH_AUTHENTIQ_SCOPE:-'aq:name email~rs address aq:push'} OAUTH_AUTHENTIQ_REDIRECT_URI=${OAUTH_AUTHENTIQ_REDIRECT_URI:-} ### GITHUB OAUTH_GITHUB_API_KEY=${OAUTH_GITHUB_API_KEY:-} OAUTH_GITHUB_APP_SECRET=${OAUTH_GITHUB_APP_SECRET:-} OAUTH_GITHUB_URL=${OAUTH_GITHUB_URL:-https://github.com/} OAUTH_GITHUB_VERIFY_SSL=${OAUTH_GITHUB_VERIFY_SSL:-true} OAUTH_GITHUB_SCOPE=${OAUTH_GITHUB_SCOPE:-user:email} ### GITLAB OAUTH_GITLAB_API_KEY=${OAUTH_GITLAB_API_KEY:-} OAUTH_GITLAB_APP_SECRET=${OAUTH_GITLAB_APP_SECRET:-} OAUTH_GITLAB_SCOPE=${OAUTH_GITLAB_SCOPE:-api} ### BITBUCKET OAUTH_BITBUCKET_API_KEY=${OAUTH_BITBUCKET_API_KEY:-} OAUTH_BITBUCKET_APP_SECRET=${OAUTH_BITBUCKET_APP_SECRET:-} 
OAUTH_BITBUCKET_URL=${OAUTH_BITBUCKET_URL:-https://bitbucket.org/} ### CROWD OAUTH_CROWD_SERVER_URL=${OAUTH_CROWD_SERVER_URL:-} OAUTH_CROWD_APP_NAME=${OAUTH_CROWD_APP_NAME:-} OAUTH_CROWD_APP_PASSWORD=${OAUTH_CROWD_APP_PASSWORD:-} ## AZURE OAUTH_AZURE_API_KEY=${OAUTH_AZURE_API_KEY:-} OAUTH_AZURE_API_SECRET=${OAUTH_AZURE_API_SECRET:-} OAUTH_AZURE_TENANT_ID=${OAUTH_AZURE_TENANT_ID:-} ## AZURE Active Directory V2 endpoint OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL:-'Azure AD v2'} OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID:-} OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET:-} OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID:-} ### SAML case $GITLAB_HTTPS in true) OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL:-https://${GITLAB_HOST}/users/auth/saml/callback} OAUTH_SAML_ISSUER=${OAUTH_SAML_ISSUER:-https://${GITLAB_HOST}} ;; false) OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL:-http://${GITLAB_HOST}/users/auth/saml/callback} OAUTH_SAML_ISSUER=${OAUTH_SAML_ISSUER:-http://${GITLAB_HOST}} ;; esac OAUTH_SAML_LABEL=${OAUTH_SAML_LABEL:-'Our SAML Provider'} OAUTH_SAML_IDP_CERT_FINGERPRINT=${OAUTH_SAML_IDP_CERT_FINGERPRINT:-} OAUTH_SAML_IDP_SSO_TARGET_URL=${OAUTH_SAML_IDP_SSO_TARGET_URL:-} OAUTH_SAML_NAME_IDENTIFIER_FORMAT=${OAUTH_SAML_NAME_IDENTIFIER_FORMAT:-urn:oasis:names:tc:SAML:2.0:nameid-format:transient} OAUTH_SAML_GROUPS_ATTRIBUTE=${OAUTH_SAML_GROUPS_ATTRIBUTE:-} OAUTH_SAML_EXTERNAL_GROUPS=${OAUTH_SAML_EXTERNAL_GROUPS:-} OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL:-} OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME:-} OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME:-} 
OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME:-} OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME:-} ### CAS3 OAUTH_CAS3_LABEL=${OAUTH_CAS3_LABEL:-cas3} OAUTH_CAS3_SERVER=${OAUTH_CAS3_SERVER:-} OAUTH_CAS3_DISABLE_SSL_VERIFICATION=${OAUTH_CAS3_DISABLE_SSL_VERIFICATION:-false} OAUTH_CAS3_LOGIN_URL=${OAUTH_CAS3_LOGIN_URL:-/cas/login} OAUTH_CAS3_VALIDATE_URL=${OAUTH_CAS3_VALIDATE_URL:-/cas/p3/serviceValidate} OAUTH_CAS3_LOGOUT_URL=${OAUTH_CAS3_LOGOUT_URL:-/cas/logout} ### AUTH0 OAUTH_AUTH0_SCOPE=${OAUTH_AUTH0_SCOPE:-openid profile email} ## OAUTH2 GENERIC OAUTH2_GENERIC_APP_ID=${OAUTH2_GENERIC_APP_ID:-} OAUTH2_GENERIC_APP_SECRET=${OAUTH2_GENERIC_APP_SECRET:-} OAUTH2_GENERIC_CLIENT_SITE=${OAUTH2_GENERIC_CLIENT_SITE:-} OAUTH2_GENERIC_CLIENT_USER_INFO_URL=${OAUTH2_GENERIC_CLIENT_USER_INFO_URL:-} OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=${OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL:-} OAUTH2_GENERIC_CLIENT_TOKEN_URL=${OAUTH2_GENERIC_CLIENT_TOKEN_URL:-} OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=${OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT:-} OAUTH2_GENERIC_ID_PATH=${OAUTH2_GENERIC_ID_PATH:-} OAUTH2_GENERIC_USER_UID=${OAUTH2_GENERIC_USER_UID:-} OAUTH2_GENERIC_USER_NAME=${OAUTH2_GENERIC_USER_NAME:-} OAUTH2_GENERIC_USER_EMAIL=${OAUTH2_GENERIC_USER_EMAIL:-} OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE=${OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE:-} OAUTH2_GENERIC_LABEL=${OAUTH2_GENERIC_LABEL:-} OAUTH2_GENERIC_NAME=${OAUTH2_GENERIC_NAME:-} ### OpenID Connect OAUTH_OIDC_LABEL=${OAUTH_OIDC_LABEL:-'OpenID Connect'} OAUTH_OIDC_ICON=${OAUTH_OIDC_ICON:-} OAUTH_OIDC_SCOPE=${OAUTH_OIDC_SCOPE:-"['openid','profile','email']"} OAUTH_OIDC_RESPONSE_TYPE=${OAUTH_OIDC_RESPONSE_TYPE:-'code'} OAUTH_OIDC_ISSUER=${OAUTH_OIDC_ISSUER:-} OAUTH_OIDC_DISCOVERY=${OAUTH_OIDC_DISCOVERY:-true} OAUTH_OIDC_CLIENT_AUTH_METHOD=${OAUTH_OIDC_CLIENT_AUTH_METHOD:-'basic'} OAUTH_OIDC_UID_FIELD=${OAUTH_OIDC_UID_FIELD:-sub} 
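OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP=${OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP:-false}
OAUTH_OIDC_PKCE=${OAUTH_OIDC_PKCE:-true}
OAUTH_OIDC_CLIENT_ID=${OAUTH_OIDC_CLIENT_ID:-}
# 'secret' is only a placeholder so the template renders; override it with the
# client secret issued by the identity provider.
OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'}
# Callback URL defaults follow the scheme GitLab itself is served on.
case $GITLAB_HTTPS in
  true)
    OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-https://${GITLAB_HOST}/users/auth/openid_connect/callback}
    ;;
  false)
    OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-http://${GITLAB_HOST}/users/auth/openid_connect/callback}
    ;;
esac

### JWT
OAUTH_JWT_LABEL=${OAUTH_JWT_LABEL:-'Jwt'}
OAUTH_JWT_SECRET=${OAUTH_JWT_SECRET:-}
OAUTH_JWT_ALGORITHM=${OAUTH_JWT_ALGORITHM:-'HS256'}
OAUTH_JWT_UID_CLAIM=${OAUTH_JWT_UID_CLAIM:-'email'}
OAUTH_JWT_REQUIRED_CLAIMS=${OAUTH_JWT_REQUIRED_CLAIMS:-'["name", "email"]'}
OAUTH_JWT_INFO_MAP_NAME=${OAUTH_JWT_INFO_MAP_NAME:-'name'}
OAUTH_JWT_INFO_MAP_EMAIL=${OAUTH_JWT_INFO_MAP_EMAIL:-'email'}
OAUTH_JWT_AUTH_URL=${OAUTH_JWT_AUTH_URL:-}
# seconds a presented token is accepted for
OAUTH_JWT_VALID_WITHIN=${OAUTH_JWT_VALID_WITHIN:-3600}

## ANALYTICS
### GOOGLE
GOOGLE_ANALYTICS_ID=${GOOGLE_ANALYTICS_ID:-}

### PIWIK
PIWIK_URL=${PIWIK_URL:-}
PIWIK_SITE_ID=${PIWIK_SITE_ID:-}

## RACK ATTACK
RACK_ATTACK_ENABLED=${RACK_ATTACK_ENABLED:-true}
RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST:-'["127.0.0.1"]'}
# whitespace is never significant inside the flow sequence, drop it up front
RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST// /}

# Normalises the entries of a RACK_ATTACK_WHITELIST flow sequence.
# Backward compatibility : See sameersbn/docker-gitlab#2828
# Each host must be surrounded by single / double quotation marks; otherwise the
# generated string would be [127.0.0.1] for example and ruby raises an error.
# Entries that are already quoted (either style) are kept verbatim; every other
# entry has stray quotes stripped and is wrapped in double quotes. Entries are
# rebuilt one by one instead of substituted in place, so an entry that is a prefix
# of another one (10.0.0.1 next to 10.0.0.10) cannot corrupt its neighbour.
# $1: comma-separated hosts without the surrounding [] (spaces already removed)
# Prints the normalised comma-separated list (empty input prints nothing).
rack_attack_normalize_whitelist() {
  local host entry
  local -a hosts=()
  local -a entries=()
  # split on commas only; IFS is scoped to the read
  IFS=, read -r -a hosts <<< "${1}"
  for host in "${hosts[@]}"; do
    # an empty element (e.g. from ",,") has no valid representation, skip it
    [[ -z ${host} ]] && continue
    # Both single / double quotation may be used
    if [[ ${host} =~ ^(\"|\').*(\"|\')$ ]]; then
      entry=${host}
    else
      entry=${host//\'/}
      entry=${entry//\"/}
      entry="\"${entry}\""
    fi
    entries+=("${entry}")
  done
  local IFS=,
  printf '%s' "${entries[*]}"
}

RACK_ATTACK_WHITELIST_ORIGIN=${RACK_ATTACK_WHITELIST}
# remove the surrounding [] before normalising the entries
RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST#"["}
RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST%"]"}
# surround with [] again
RACK_ATTACK_WHITELIST="[$(rack_attack_normalize_whitelist "${RACK_ATTACK_WHITELIST}")]"
if [[ "${RACK_ATTACK_WHITELIST}" != "${RACK_ATTACK_WHITELIST_ORIGIN}" ]]; then
  printf "[warning] RACK_ATTACK_WHITELIST must be a yaml sequence of hosts.\nFixing from %s to %s\n" \
    "${RACK_ATTACK_WHITELIST_ORIGIN}" \
    "${RACK_ATTACK_WHITELIST}"
fi
RACK_ATTACK_MAXRETRY=${RACK_ATTACK_MAXRETRY:-10}
RACK_ATTACK_FINDTIME=${RACK_ATTACK_FINDTIME:-60}
RACK_ATTACK_BANTIME=${RACK_ATTACK_BANTIME:-3600}

## GitLab Pages
GITLAB_PAGES_ENABLED=${GITLAB_PAGES_ENABLED:-false}
GITLAB_PAGES_DOMAIN=${GITLAB_PAGES_DOMAIN:-"example.com"}
GITLAB_PAGES_DIR="${GITLAB_PAGES_DIR:-$GITLAB_SHARED_DIR/pages}"
GITLAB_PAGES_PORT=${GITLAB_PAGES_PORT:-80}
GITLAB_PAGES_ARTIFACTS_SERVER=${GITLAB_PAGES_ARTIFACTS_SERVER:-true}
GITLAB_PAGES_ARTIFACTS_SERVER_URL=${GITLAB_PAGES_ARTIFACTS_SERVER_URL:-}
GITLAB_PAGES_HTTPS=${GITLAB_PAGES_HTTPS:-false}
GITLAB_PAGES_EXTERNAL_HTTP=${GITLAB_PAGES_EXTERNAL_HTTP:-}
GITLAB_PAGES_EXTERNAL_HTTPS=${GITLAB_PAGES_EXTERNAL_HTTPS:-}
GITLAB_PAGES_ACCESS_CONTROL=${GITLAB_PAGES_ACCESS_CONTROL:-false}
GITLAB_PAGES_ACCESS_CONTROL_SERVER=${GITLAB_PAGES_ACCESS_CONTROL_SERVER:-}
GITLAB_PAGES_ACCESS_SECRET=${GITLAB_PAGES_ACCESS_SECRET:-}
GITLAB_PAGES_ACCESS_CLIENT_ID=${GITLAB_PAGES_ACCESS_CLIENT_ID:-}
GITLAB_PAGES_ACCESS_CLIENT_SECRET=${GITLAB_PAGES_ACCESS_CLIENT_SECRET:-}
GITLAB_PAGES_ACCESS_REDIRECT_URI=${GITLAB_PAGES_ACCESS_REDIRECT_URI:-}
GITLAB_PAGES_NGINX_PROXY=${GITLAB_PAGES_NGINX_PROXY:-true}
GITLAB_PAGES_NAMESPACE_IN_PATH=${GITLAB_PAGES_NAMESPACE_IN_PATH:-false}
GITLAB_PAGES_LOG_VERBOSE=${GITLAB_PAGES_LOG_VERBOSE:-false}

## Gitaly
GITALY_CLIENT_PATH=${GITALY_CLIENT_PATH:-$GITLAB_GITALY_INSTALL_DIR}
GITALY_TOKEN=${GITALY_TOKEN:-}
# the socket path is fixed (not overridable); only the address form is
GITALY_SOCKET_PATH=${GITLAB_INSTALL_DIR}/tmp/sockets/private/gitaly.socket
GITALY_ADDRESS=${GITALY_ADDRESS:-unix:$GITALY_SOCKET_PATH}

## GitLab Shell
GITLAB_SHELL_CUSTOM_HOOKS_DIR=${GITLAB_SHELL_CUSTOM_HOOKS_DIR:-"$GITLAB_SHELL_INSTALL_DIR/hooks"}

## MONITORING
GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL=${GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL:-10}
GITLAB_MONITORING_IP_WHITELIST=${GITLAB_MONITORING_IP_WHITELIST:-}
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED:-true}
# 0.0.0.0 binds the exporter on every interface of the container
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS:-"0.0.0.0"}
GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT:-3807}

## Sentry
SENTRY_ENABLED=${SENTRY_ENABLED:-false}
SENTRY_DSN=${SENTRY_DSN:-}
SENTRY_CLIENTSIDE_DSN=${SENTRY_CLIENTSIDE_DSN:-}
SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT:-production}

## Content Security Policy
# See https://guides.rubyonrails.org/security.html#content-security-policy
GITLAB_CONTENT_SECURITY_POLICY_ENABLED=${GITLAB_CONTENT_SECURITY_POLICY_ENABLED:-true}
GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY=${GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY:-false}
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI:-}
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC:-}
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC:-"'self' http://localhost:* ws://localhost:* wss://localhost:*"}
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC:-"'self'"}
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC:-}
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION:-}
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS:-"'self'"}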
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC:-"'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"} GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC:-"* data: blob:"} GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC:-} GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC:-} GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC:-"'none'"} GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC:-"'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"} GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC:-"'self' 'unsafe-inline'"} GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC:-"'self' blob:"} GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI:-} ## Feature Flags GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS:-} GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-} ================================================ FILE: assets/runtime/functions ================================================ #!/bin/bash set -e for file in /gitlab-configs /run/secrets/gitlab-secrets; do if [[ -e "$file" ]]; then echo "Loading $file" source "$file" fi done echo "Loading ${GITLAB_RUNTIME_DIR}/env-defaults" source ${GITLAB_RUNTIME_DIR}/env-defaults 
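SYSCONF_TEMPLATES_DIR="${GITLAB_RUNTIME_DIR}/config"
USERCONF_TEMPLATES_DIR="${GITLAB_DATA_DIR}/config"

# Rendered configuration files; the templates live under the two directories above.
GITLAB_CONFIG="${GITLAB_INSTALL_DIR}/config/gitlab.yml"
GITLAB_DATABASE_CONFIG="${GITLAB_INSTALL_DIR}/config/database.yml"
GITLAB_PUMA_CONFIG="${GITLAB_INSTALL_DIR}/config/puma.rb"
GITLAB_RELATIVE_URL_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/relative_url.rb"
GITLAB_SMTP_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/smtp_settings.rb"
GITLAB_RESQUE_CONFIG="${GITLAB_INSTALL_DIR}/config/resque.yml"
GITLAB_ACTIONCABLE_CONFIG="${GITLAB_INSTALL_DIR}/config/cable.yml"
GITLAB_SECRETS_CONFIG="${GITLAB_INSTALL_DIR}/config/secrets.yml"
GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt"
GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml"
GITLAB_NGINX_CONFIG="/etc/nginx/conf.d/gitlab.conf"
GITLAB_CI_NGINX_CONFIG="/etc/nginx/conf.d/gitlab_ci.conf"
GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-registry.conf"
GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-pages.conf"
GITLAB_PAGES_CONFIG="${GITLAB_INSTALL_DIR}/gitlab-pages-config"
GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml"

# Compares two dotted version strings `a` and `b`, up to four components.
# Missing components count as 0 (16.3 == 16.3.0.0).
# Prints
#  - negative integer, if `a` is less than `b`
#  - 0, if `a` and `b` are equal
#  - non-negative integer, if `a` is greater than `b`
# Each `|` yields the first component difference that is non-zero; note that
# expr exits 1 when the printed result is 0, so read the output, not the status.
vercmp() {
  expr '(' "$1" : '\([^.]*\)' ')' '-' '(' "$2" : '\([^.]*\)' ')' '|' \
       '(' "$1.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
       '(' "$1.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '|' \
       '(' "$1.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')'
}

## Execute a command as GITLAB_USER
# $@: the command and its arguments
# Runs the command directly when already running as GITLAB_USER, otherwise
# through sudo (-H sets HOME, -E keeps the environment, -u switches user).
# "$@" is quoted in both branches so arguments containing whitespace reach the
# command intact whichever branch is taken.
exec_as_git() {
  if [[ $(whoami) == "${GITLAB_USER}" ]]; then
    "$@"
  else
    sudo -HEu "${GITLAB_USER}" "$@"
  fi
}

## Copies configuration template to the destination as the specified USER
### Looks up for overrides in ${USERCONF_TEMPLATES_DIR} before using the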
### defaults from ${SYSCONF_TEMPLATES_DIR}
### When neither location has the template nothing is copied and DEST is left
### as it is; chmod/chown below still run on it (and fail under set -e if it
### does not exist).
# $1: copy-as user (passed to chown, so a user or user:group spec)
# $2: source file, relative to the template directories
# $3: destination location
# $4: mode of destination (default 0644)
install_template() {
  local OWNERSHIP=${1}
  local SRC=${2}
  local DEST=${3}
  local MODE=${4:-0644}
  # user override on the data volume wins over the image default
  if [[ -f ${USERCONF_TEMPLATES_DIR}/${SRC} ]]; then
    cp ${USERCONF_TEMPLATES_DIR}/${SRC} ${DEST}
  elif [[ -f ${SYSCONF_TEMPLATES_DIR}/${SRC} ]]; then
    cp ${SYSCONF_TEMPLATES_DIR}/${SRC} ${DEST}
  fi
  chmod ${MODE} ${DEST}
  chown ${OWNERSHIP} ${DEST}
}

## Replace placeholders with values
# Rewrites the legacy `{{VAR}}` form to `${VAR}` and then substitutes the
# current value of each listed shell variable. Only the listed variables are
# substituted: the list is handed to envsubst as its SHELL-FORMAT argument, so
# any other `$...` text in the file is left untouched.
# The substitution runs as the file's owner (stat -c %U) and overwrites the file
# in place; sed works on a temporary copy so the original is only touched once.
# The listed variables are exported inside a subshell (so the export does not
# leak to the caller) and travel through `sudo -E` to envsubst; this includes
# secret values such as passwords.
# NOTE(review): the temp file is removed on the success path only; under set -e a
# failing sed/envsubst ends the script before `rm -f` runs.
# $1: file with placeholders to replace
# $x: placeholders to replace (variable names, whitespace separated)
# Returns 1 when the file does not exist.
update_template() {
  local FILE=${1?missing argument}
  shift

  [[ ! -f ${FILE} ]] && return 1

  local VARIABLES=($@)
  local USR=$(stat -c %U ${FILE})
  local tmp_file=$(mktemp)
  cp -a "${FILE}" ${tmp_file}

  local variable
  for variable in ${VARIABLES[@]}; do
    # Keep the compatibility: {{VAR}} => ${VAR}
    sed -ri "s/[{]{2}$variable[}]{2}/\${$variable}/g" ${tmp_file}
  done

  # Replace placeholders
  (
    export ${VARIABLES[@]}
    # IFS=":" joins the names into envsubst's "$A:$B:..." SHELL-FORMAT
    local IFS=":"; sudo -HEu ${USR} envsubst "${VARIABLES[*]/#/$}" < ${tmp_file} > ${FILE}
  )
  rm -f ${tmp_file}
}

# Resolves DB_* connection parameters from explicit settings or linked
# postgresql containers, applying defaults for port, encoding, user and name.
# Returns 1 when no database host can be determined.
gitlab_finalize_database_parameters() {
  # is a postgresql database linked?
  # requires that the postgresql containers have exposed port 5432.
DB_HOST=${DB_HOST:-${POSTGRESQL_PORT_5432_TCP_ADDR}}
  DB_PORT=${DB_PORT:-${POSTGRESQL_PORT_5432_TCP_PORT}}

  # Each image family below exposes its credentials under different env names;
  # the first non-empty value wins because every line is a `:-` fallback.
  # support for linked official postgres image
  DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRES_USER}}
  DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRES_PASSWORD}}
  DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_DB}}
  # the official image names the default database after the user
  DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_USER}}

  # support for linked sameersbn/postgresql image
  DB_USER=${DB_USER:-${POSTGRESQL_ENV_DB_USER}}
  DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_DB_PASS}}
  DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB_NAME}}

  # support for linked orchardup/postgresql image
  DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRESQL_USER}}
  DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRESQL_PASS}}
  DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRESQL_DB}}

  # support for linked paintedfox/postgresql image
  DB_USER=${DB_USER:-${POSTGRESQL_ENV_USER}}
  DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_PASS}}
  DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB}}

  # a host is the one thing that cannot be defaulted
  if [[ -z ${DB_HOST} ]]; then
    echo
    echo "ERROR: "
    echo " Please configure the database connection."
    echo " Refer http://git.io/wkYhyA for more information."
    echo " Cannot continue without a database. Aborting..."
    echo
    return 1
  fi

  # set default port number if not specified
  DB_PORT=${DB_PORT:-5432}
  DB_ENCODING=${DB_ENCODING:-unicode}

  # set default user and database (DB_PASS has no default: an empty password
  # is passed through as-is)
  DB_USER=${DB_USER:-root}
  DB_NAME=${DB_NAME:-gitlabhq_production}
}

# Waits up to 60 attempts (one second apart) for the database to accept
# connections. pg_isready only checks reachability; it does not verify the
# password, so wrong credentials are not detected here.
# `prog` and `timeout` are not declared local and stay set in the caller's shell.
# Returns 1 when the server never became ready.
gitlab_check_database_connection() {
  prog=$(command -v pg_isready)
  # -t 1: each probe gives up after one second
  prog="${prog} -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -t 1"
  timeout=60
  while ! ${prog} >/dev/null 2>&1
  do
    timeout=$(expr $timeout - 1)
    if [[ $timeout -eq 0 ]]; then
      echo
      echo "Could not connect to database server. Aborting..."
      return 1
    fi
    # progress dot per failed attempt
    echo -n "."
sleep 1 done echo } gitlab_generate_postgresqlrc() { echo "Configuring /home/${GITLAB_USER}/.postgresqlrc to avoid version mismatch on dumping" # server_version_num property is a number built from version string: # https://www.postgresql.org/docs/15/libpq-status.html#LIBPQ-PQSERVERVERSION # > The result is formed by multiplying the server's major version number by 10000 and adding the minor version number. # > For example, version 10.1 will be returned as 100001, and version 11.0 will be returned as 110000. Zero is returned if the connection is bad. # > # > Prior to major version 10, PostgreSQL used three-part version numbers in which the first two parts together represented the major version. # > For those versions, PQserverVersion uses two digits for each part; # > for example version 9.1.5 will be returned as 90105, and version 9.2.0 will be returned as 90200. # # This difference also appends to apt package name. # For example, in ubuntu:focal, postgresql-client-{8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 10, 11, 12, 13, 14, 15} are available. # DB_SERVER_VERSION=$(PGPASSWORD=${DB_PASS} psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_USER}" -d "${DB_NAME}" -Atw -c "SHOW server_version_num") if [[ "${DB_SERVER_VERSION}" -eq 0 ]]; then echo echo "Could not retrieve database server version correctly. Aborting..." return 1 fi echo "- Detected server version: ${DB_SERVER_VERSION}" # Anyway, we can get major version (8, 9, 10 and so on) by dividing by 10000. # DB_SERVER_VERSION_MAJOR=${DB_SERVER_VERSION%%.*} DB_SERVER_VERSION_MAJOR=$((DB_SERVER_VERSION/10000)) DB_CLIENT_VERSION_PACKAGE_NAME= if [[ "${DB_SERVER_VERSION_MAJOR}" -ge 10 ]]; then # v10 or later: use "rought major version" as version number in package name DB_CLIENT_VERSION_PACKAGE_NAME=${DB_SERVER_VERSION_MAJOR} else # prior to v10: convert # FIXME: rough implementation # It exploits the fact that there is no version such as 9.10, and it lacks versatility. 
# divide by 100, then replace first 0 to comma DB_CLIENT_VERSION_PACKAGE_NAME=$((DB_SERVER_VERSION/100)) DB_CLIENT_VERSION_PACKAGE_NAME=${DB_CLIENT_VERSION_PACKAGE_NAME/0/.} fi # if exact-match client not found, select latest version from installed clients if [[ "$(apt-cache pkgnames postgresql-client | grep -e "-${DB_CLIENT_VERSION_PACKAGE_NAME}" | wc -l)" -ne 1 ]]; then LATEST_CLIENT="$(apt-cache pkgnames postgresql-client | grep -v -e "-common" | sort --version-sort | tail -n1)" DB_CLIENT_VERSION_PACKAGE_NAME=${LATEST_CLIENT/postgresql-client-/} echo "gitlab_generate_postgresqlrc(): WARNING - Suitable client not installed. postgresql-client-${DB_CLIENT_VERSION_PACKAGE_NAME} will be used but you may face issue (database in backup will be empty, for example)" fi # generate ~/.postgresqlrc to switch client version GITLAB_USER_POSTGRESQLRC="/home/${GITLAB_USER}/.postgresqlrc" echo "- Generating ${GITLAB_USER_POSTGRESQLRC}" echo "${DB_CLIENT_VERSION_PACKAGE_NAME} ${DB_HOST}:${DB_PORT} ${DB_NAME}" | exec_as_git tee "${GITLAB_USER_POSTGRESQLRC}" } gitlab_uninstall_unused_database_client() { if [[ -f "/home/${GITLAB_USER}/.postgresqlrc" ]]; then # refer /home/${GITLAB_USER}/.postgresqlrc and pick up versions in use # .postgresqlrc contains following information per line # database_major_version host:port database_name # - ignore lines starts with # by specifying pattern /^[^#]/ # - first field is the version number in use. # - cocnat whole lines into single string. 
convert newline to \| # this is escaped regex "OR" # now we got the following regex that can be used as an option to grep: # \|-12\|-13 DB_CLIENT_VERSIONS_IN_USE="$(awk '/^[^#]/ {printf("\|-%s",$1)}' "/home/${GITLAB_USER}/.postgresqlrc")" # we also need to keep postgresql-client-common package to switch based on ~/.postgresqlrc REGEX_DB_CLIENT_VERSIONS_IN_USE="-common${DB_CLIENT_VERSIONS_IN_USE}" # remove unused client using regex above # grep may return non-zero code on mo match, so fake the exit code with the `|| true` to swallow that UNUSED_DB_CLIENTS=$(apt-cache pkgnames postgresql-client | grep -v -e "${REGEX_DB_CLIENT_VERSIONS_IN_USE}" || true) if [[ "${UNUSED_DB_CLIENTS}" == "" ]]; then echo "- All installed version of clients are in use. Did not uninstalled any client..." return fi # just to get clean log, convert newline (package name delimiter) to single whitespace UNUSED_DB_CLIENTS=$(echo ${UNUSED_DB_CLIENTS} | tr '\n' ' ') echo "- Uninstalling unused client(s): ${UNUSED_DB_CLIENTS}" DEBIAN_FRONTEND=noninteractive apt-get -qq -y purge -- ${UNUSED_DB_CLIENTS} >/dev/null fi } gitlab_configure_database() { echo -n "Configuring gitlab::database" gitlab_finalize_database_parameters gitlab_check_database_connection gitlab_generate_postgresqlrc gitlab_uninstall_unused_database_client update_template ${GITLAB_DATABASE_CONFIG} \ DB_ENCODING \ DB_HOST \ DB_PORT \ DB_NAME \ DB_USER \ DB_PASS \ DB_POOL \ DB_PREPARED_STATEMENTS } gitlab_finalize_redis_parameters() { # is a redis container linked? if [[ -n ${REDISIO_PORT_6379_TCP_ADDR} ]]; then REDIS_HOST=${REDIS_HOST:-${REDISIO_PORT_6379_TCP_ADDR}} REDIS_PORT=${REDIS_PORT:-${REDISIO_PORT_6379_TCP_PORT}} fi # set default redis port if not specified REDIS_PORT=${REDIS_PORT:-6379} if [[ -z ${REDIS_HOST} ]]; then echo echo "ERROR: " echo " Please configure the redis connection." echo " Refer http://git.io/PMnRSw for more information." echo " Cannot continue without a redis connection. Aborting..." 
echo return 1 fi } gitlab_check_redis_connection() { timeout=60 while ! redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -n ${REDIS_DB_NUMBER} ping >/dev/null 2>&1 do timeout=$(expr $timeout - 1) if [[ $timeout -eq 0 ]]; then echo "" echo "Could not connect to redis server. Aborting..." return 1 fi echo -n "." sleep 1 done echo } gitlab_configure_redis() { echo -n "Configuring gitlab::redis" gitlab_finalize_redis_parameters gitlab_check_redis_connection update_template ${GITLAB_RESQUE_CONFIG} \ REDIS_HOST \ REDIS_PORT \ REDIS_DB_NUMBER } gitlab_configure_actioncable() { echo -n "Configuring gitlab::actioncable" gitlab_finalize_redis_parameters gitlab_check_redis_connection update_template ${GITLAB_ACTIONCABLE_CONFIG} \ REDIS_HOST \ REDIS_PORT \ REDIS_DB_NUMBER } gitlab_configure_gitaly() { echo "Configuring gitlab::gitaly..." update_template ${GITLAB_GITALY_CONFIG} \ GITALY_SOCKET_PATH \ GITLAB_GITALY_INSTALL_DIR \ GITLAB_LOG_DIR \ GITLAB_REPOS_DIR \ GITLAB_SHELL_INSTALL_DIR \ GITLAB_RELATIVE_URL_ROOT update_template ${GITLAB_CONFIG} \ GITALY_CLIENT_PATH \ GITALY_TOKEN } gitlab_configure_monitoring() { echo "Configuring gitlab::monitoring..." if [ "${GITLAB_MONITORING_IP_WHITELIST}" == "" ]; then exec_as_git sed -i "/{{GITLAB_MONITORING_IP_WHITELIST}}/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \ GITLAB_MONITORING_IP_WHITELIST \ GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED \ GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS \ GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT } gitlab_configure_gitlab_workhorse() { echo "Configuring gitlab::gitlab-workhorse..." update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \ GITLAB_RELATIVE_URL_ROOT \ GITLAB_WORKHORSE_TIMEOUT } gitlab_configure_puma() { echo "Configuring gitlab::puma..." 
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then update_template ${GITLAB_PUMA_CONFIG} GITLAB_RELATIVE_URL_ROOT else exec_as_git sed -i "/{{GITLAB_RELATIVE_URL_ROOT}}/d" ${GITLAB_PUMA_CONFIG} fi update_template ${GITLAB_PUMA_CONFIG} \ GITLAB_INSTALL_DIR \ PUMA_THREADS_MIN \ PUMA_THREADS_MAX \ PUMA_WORKERS \ PUMA_PER_WORKER_MAX_MEMORY_MB \ PUMA_MASTER_MAX_MEMORY_MB \ PUMA_TIMEOUT } gitlab_configure_relative_url() { if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then echo "Configuring gitlab::relative_url..." update_template ${GITLAB_RELATIVE_URL_CONFIG} GITLAB_RELATIVE_URL_ROOT fi } gitlab_configure_trusted_proxies() { if [[ -n ${GITLAB_TRUSTED_PROXIES} ]]; then echo "Configuring gitlab::trusted_proxies..." update_template ${GITLAB_CONFIG} GITLAB_TRUSTED_PROXIES else exec_as_git sed -i "/{{GITLAB_TRUSTED_PROXIES}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_timezone() { echo "Configuring gitlab::timezone..." update_template ${GITLAB_CONFIG} GITLAB_TIMEZONE } gitlab_configure_mail_delivery() { if [[ ${SMTP_ENABLED} == true ]]; then echo "Configuring gitlab::smtp_settings..." 
if [[ -z "${SMTP_USER}" ]]; then exec_as_git sed -i \ -e '/{{SMTP_USER}}/d' \ -e '/{{SMTP_PASS}}/d' \ ${GITLAB_SMTP_CONFIG} else if [[ -z "${SMTP_PASS}" ]]; then exec_as_git sed -i '/{{SMTP_PASS}}/d' ${GITLAB_SMTP_CONFIG} fi fi update_template ${GITLAB_SMTP_CONFIG} \ SMTP_USER \ SMTP_PASS \ SMTP_HOST \ SMTP_PORT \ SMTP_DOMAIN \ SMTP_STARTTLS \ SMTP_TLS \ SMTP_OPENSSL_VERIFY_MODE case ${SMTP_AUTHENTICATION} in "") exec_as_git sed -i "/{{SMTP_AUTHENTICATION}}/d" ${GITLAB_SMTP_CONFIG} ;; *) update_template ${GITLAB_SMTP_CONFIG} SMTP_AUTHENTICATION ;; esac if [[ ${SMTP_CA_ENABLED} == true ]]; then if [[ -d ${SMTP_CA_PATH} ]]; then update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_PATH fi if [[ -f ${SMTP_CA_FILE} ]]; then update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_FILE fi else exec_as_git sed -i \ -e "/{{SMTP_CA_PATH}}/d" \ -e "/{{SMTP_CA_FILE}}/d" \ ${GITLAB_SMTP_CONFIG} fi fi update_template ${GITLAB_CONFIG} \ GITLAB_EMAIL_ENABLED \ GITLAB_EMAIL \ GITLAB_EMAIL_DISPLAY_NAME \ GITLAB_EMAIL_REPLY_TO \ GITLAB_EMAIL_SUBJECT_SUFFIX if [[ ${GITLAB_EMAIL_SMIME_ENABLE} == true ]]; then exec_as_git sed -i "/#start-email-smime/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-email-smime/d" ${GITLAB_CONFIG} update_template ${GITLAB_CONFIG} \ GITLAB_EMAIL_SMIME_ENABLE \ GITLAB_EMAIL_SMIME_KEY_FILE \ GITLAB_EMAIL_SMIME_CERT_FILE else exec_as_git sed -i "/#start-email-smime/,/#end-email-smime/d" ${GITLAB_CONFIG} fi } gitlab_configure_mailroom() { if [[ ${IMAP_ENABLED} == true ]]; then echo "Configuring gitlab::incoming_email..." 
if [[ -z "${IMAP_USER}" ]]; then exec_as_git sed -i \ -e '/{{IMAP_USER}}/d' \ -e '/{{IMAP_PASS}}/d' \ ${GITLAB_CONFIG} else if [[ -z "${IMAP_PASS}" ]]; then exec_as_git sed -i '/{{IMAP_PASS}}/d' ${GITLAB_CONFIG} fi fi else exec_as_git sed -i \ -e "/{{IMAP_USER}}/d" \ -e "/{{IMAP_PASS}}/d" \ -e "/{{IMAP_HOST}}/d" \ -e "/{{IMAP_PORT}}/d" \ -e "/{{IMAP_SSL}}/d" \ -e "/{{IMAP_STARTTLS}}/d" \ -e "/{{IMAP_MAILBOX}}/d" \ -e "/{{IMAP_TIMEOUT}}/d" \ ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_INCOMING_EMAIL_ADDRESS \ GITLAB_INCOMING_EMAIL_ENABLED \ IMAP_USER \ IMAP_PASS \ IMAP_HOST \ IMAP_PORT \ IMAP_SSL \ IMAP_STARTTLS \ IMAP_MAILBOX \ IMAP_TIMEOUT # enable/disable startup of mailroom echo "mail_room_enabled=${GITLAB_INCOMING_EMAIL_ENABLED}" >> /etc/default/gitlab update_template /etc/supervisor/conf.d/mail_room.conf GITLAB_INCOMING_EMAIL_ENABLED } gitlab_configure_ldap() { echo "Configuring gitlab::ldap..." update_template ${GITLAB_CONFIG} \ LDAP_ENABLED \ LDAP_HOST \ LDAP_PORT \ LDAP_UID \ LDAP_METHOD \ LDAP_VERIFY_SSL \ LDAP_CA_FILE \ LDAP_SSL_VERSION \ LDAP_BIND_DN \ LDAP_PASS \ LDAP_TIMEOUT \ LDAP_ACTIVE_DIRECTORY \ LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN \ LDAP_BLOCK_AUTO_CREATED_USERS \ LDAP_BASE \ LDAP_USER_FILTER \ LDAP_LOWERCASE_USERNAMES \ LDAP_USER_ATTRIBUTE_USERNAME \ LDAP_USER_ATTRIBUTE_MAIL \ LDAP_USER_ATTRIBUTE_NAME \ LDAP_USER_ATTRIBUTE_FIRSTNAME \ LDAP_USER_ATTRIBUTE_LASTNAME \ LDAP_LABEL \ LDAP_PREVENT_LDAP_SIGN_IN } gitlab_configure_oauth_cas3() { if [[ -n ${OAUTH_CAS3_SERVER} ]]; then echo "Configuring gitlab::oauth::cas3..." 
OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_CAS3_LABEL \ OAUTH_CAS3_SERVER \ OAUTH_CAS3_DISABLE_SSL_VERIFICATION \ OAUTH_CAS3_LOGIN_URL \ OAUTH_CAS3_VALIDATE_URL \ OAUTH_CAS3_LOGOUT_URL else exec_as_git sed -i "/name: 'cas3'/,/{{OAUTH_CAS3_LOGOUT_URL}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_google() { if [[ -n ${OAUTH_GOOGLE_API_KEY} && -n ${OAUTH_GOOGLE_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::google..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} if [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then update_template ${GITLAB_CONFIG} \ OAUTH_GOOGLE_API_KEY \ OAUTH_GOOGLE_APP_SECRET \ OAUTH_GOOGLE_RESTRICT_DOMAIN \ OAUTH_GOOGLE_APPROVAL_PROMPT else exec_as_git sed -i "/ hd\: \[{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}\]/d" ${GITLAB_CONFIG} exec_as_git sed -i "s/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}',/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}' } }/" ${GITLAB_CONFIG} update_template ${GITLAB_CONFIG} \ OAUTH_GOOGLE_API_KEY \ OAUTH_GOOGLE_APP_SECRET \ OAUTH_GOOGLE_APPROVAL_PROMPT fi else exec_as_git sed -i "/name: 'google_oauth2'/,/{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_facebook() { if [[ -n ${OAUTH_FACEBOOK_API_KEY} && -n ${OAUTH_FACEBOOK_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::facebook..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_FACEBOOK_API_KEY \ OAUTH_FACEBOOK_APP_SECRET else exec_as_git sed -i "/name: 'facebook'/,/{{OAUTH_FACEBOOK_APP_SECRET}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_twitter() { if [[ -n ${OAUTH_TWITTER_API_KEY} && -n ${OAUTH_TWITTER_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::twitter..." 
OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_TWITTER_API_KEY \ OAUTH_TWITTER_APP_SECRET else exec_as_git sed -i "/name: 'twitter'/,/{{OAUTH_TWITTER_APP_SECRET}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_authentiq() { if [[ -n ${OAUTH_AUTHENTIQ_CLIENT_ID} && -n ${OAUTH_AUTHENTIQ_CLIENT_SECRET} ]]; then echo "Configuring gitlab::oauth::authentiq..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_AUTHENTIQ_CLIENT_ID \ OAUTH_AUTHENTIQ_CLIENT_SECRET \ OAUTH_AUTHENTIQ_SCOPE \ OAUTH_AUTHENTIQ_REDIRECT_URI else exec_as_git sed -i "/name: 'authentiq'/,/{{OAUTH_AUTHENTIQ_SCOPE}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_github() { if [[ -n ${OAUTH_GITHUB_API_KEY} && -n ${OAUTH_GITHUB_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::github..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_GITHUB_API_KEY \ OAUTH_GITHUB_APP_SECRET \ OAUTH_GITHUB_URL \ OAUTH_GITHUB_VERIFY_SSL \ OAUTH_GITHUB_SCOPE else exec_as_git sed -i "/name: 'github'/,/{{OAUTH_GITHUB_SCOPE}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_gitlab() { if [[ -n ${OAUTH_GITLAB_API_KEY} && -n ${OAUTH_GITLAB_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::gitlab..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_GITLAB_API_KEY \ OAUTH_GITLAB_APP_SECRET \ OAUTH_GITLAB_SCOPE else exec_as_git sed -i "/name: 'gitlab'/,/{{OAUTH_GITLAB_SCOPE}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_bitbucket() { if [[ -n ${OAUTH_BITBUCKET_API_KEY} && -n ${OAUTH_BITBUCKET_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::bitbucket..." 
OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_BITBUCKET_API_KEY \ OAUTH_BITBUCKET_APP_SECRET \ OAUTH_BITBUCKET_URL else exec_as_git sed -i "/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_URL}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_saml_attribute_statements() { if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} ]]; then echo "Configuring gitlab::oauth::saml::attribute_statements..." update_template ${GITLAB_CONFIG} \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME # Remove undefined optional attributes exec_as_git sed -i "/email: \\[''\\],/d" ${GITLAB_CONFIG} exec_as_git sed -i "/name: \\[''\\],/d" ${GITLAB_CONFIG} exec_as_git sed -i "/username: \\[''\\],/d" ${GITLAB_CONFIG} exec_as_git sed -i "/first_name: \\[''\\],/d" ${GITLAB_CONFIG} exec_as_git sed -i "/last_name: \\[''\\],/d" ${GITLAB_CONFIG} else exec_as_git sed -i "/attribute_statements:/,/{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_saml() { if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \ -n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \ -n ${OAUTH_SAML_IDP_SSO_TARGET_URL} && \ -n ${OAUTH_SAML_ISSUER} && \ -n ${OAUTH_SAML_NAME_IDENTIFIER_FORMAT} ]]; then echo "Configuring gitlab::oauth::saml..." 
OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_SAML_LABEL \ OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL \ OAUTH_SAML_IDP_CERT_FINGERPRINT \ OAUTH_SAML_IDP_SSO_TARGET_URL \ OAUTH_SAML_ISSUER \ OAUTH_SAML_NAME_IDENTIFIER_FORMAT \ OAUTH_SAML_GROUPS_ATTRIBUTE \ OAUTH_SAML_EXTERNAL_GROUPS exec_as_git sed -i "/groups_attribute: '',/d" ${GITLAB_CONFIG} exec_as_git sed -i "/external_groups: \\[\\],/d" ${GITLAB_CONFIG} gitlab_configure_oauth_saml_attribute_statements else exec_as_git sed -i "/name: 'saml'/,/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth2_generic() { if [[ -n ${OAUTH2_GENERIC_APP_ID} && \ -n ${OAUTH2_GENERIC_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::generic..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH2_GENERIC_APP_ID \ OAUTH2_GENERIC_APP_SECRET \ OAUTH2_GENERIC_CLIENT_SITE \ OAUTH2_GENERIC_CLIENT_USER_INFO_URL \ OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL \ OAUTH2_GENERIC_CLIENT_TOKEN_URL \ OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT \ OAUTH2_GENERIC_ID_PATH \ OAUTH2_GENERIC_USER_UID \ OAUTH2_GENERIC_USER_NAME \ OAUTH2_GENERIC_USER_EMAIL \ OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE \ OAUTH2_GENERIC_LABEL \ OAUTH2_GENERIC_NAME else exec_as_git sed -i "/name: 'oauth2_generic'/,/{{OAUTH2_GENERIC_NAME}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_crowd() { if [[ -n ${OAUTH_CROWD_SERVER_URL} && \ -n ${OAUTH_CROWD_APP_NAME} && \ -n ${OAUTH_CROWD_APP_PASSWORD} ]]; then echo "Configuring gitlab::oauth::crowd..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_CROWD_SERVER_URL \ OAUTH_CROWD_APP_NAME \ OAUTH_CROWD_APP_PASSWORD else exec_as_git sed -i "/name: 'crowd'/,/{{OAUTH_CROWD_APP_PASSWORD}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_auth0() { if [[ -n ${OAUTH_AUTH0_CLIENT_ID} && \ -n ${OAUTH_AUTH0_CLIENT_SECRET} && \ -n ${OAUTH_AUTH0_SCOPE} && \ -n ${OAUTH_AUTH0_DOMAIN} ]]; then echo "Configuring gitlab::oauth::auth0..." 
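OAUTH_ENABLED=${OAUTH_ENABLED:-true}
    update_template ${GITLAB_CONFIG} \
      OAUTH_AUTH0_CLIENT_ID \
      OAUTH_AUTH0_CLIENT_SECRET \
      OAUTH_AUTH0_DOMAIN \
      OAUTH_AUTH0_SCOPE
  else
    # provider not configured: drop its whole stanza from gitlab.yml
    exec_as_git sed -i "/name: 'auth0'/,/{{OAUTH_AUTH0_SCOPE}}/d" ${GITLAB_CONFIG}
  fi
}

# Renders the azure_oauth2 provider stanza when key, secret and tenant are all
# set; otherwise the stanza is removed from gitlab.yml. Enabling a provider
# turns omniauth on (OAUTH_ENABLED) unless the operator set it explicitly.
gitlab_configure_oauth_azure() {
  if [[ -n ${OAUTH_AZURE_API_KEY} && \
        -n ${OAUTH_AZURE_API_SECRET} && \
        -n ${OAUTH_AZURE_TENANT_ID} ]]; then
    echo "Configuring gitlab::oauth::azure..."
    OAUTH_ENABLED=${OAUTH_ENABLED:-true}
    update_template ${GITLAB_CONFIG} \
      OAUTH_AZURE_API_KEY \
      OAUTH_AZURE_API_SECRET \
      OAUTH_AZURE_TENANT_ID
  else
    exec_as_git sed -i "/name: 'azure_oauth2'/,/{{OAUTH_AZURE_TENANT_ID}}/d" ${GITLAB_CONFIG}
  fi
}

# Renders the azure_activedirectory_v2 provider stanza when client id, secret
# and tenant are all set; otherwise the stanza is removed from gitlab.yml.
# Like every other provider function, enabling it defaults OAUTH_ENABLED to
# true; without that, configuring only this provider left omniauth disabled.
gitlab_configure_oauth_azure_ad_v2() {
  # we don't check if OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL because it is optional
  if [[ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID} && \
        -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET} && \
        -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID} ]]; then
    echo "Configuring gitlab::oauth::azure_activedirectory_v2..."
    OAUTH_ENABLED=${OAUTH_ENABLED:-true}
    update_template ${GITLAB_CONFIG} \
      OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL \
      OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID \
      OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET \
      OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID
  else
    exec_as_git sed -i "/name: 'azure_activedirectory_v2'/,/{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}/d" ${GITLAB_CONFIG}
  fi
}

# Renders the openid_connect provider stanza when issuer and client id are set;
# otherwise the stanza is removed from gitlab.yml.
gitlab_configure_oauth_oidc() {
  if [[ -n ${OAUTH_OIDC_ISSUER} && \
        -n ${OAUTH_OIDC_CLIENT_ID} ]]; then
    echo "Configuring gitlab::oauth::oidc..."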
OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_OIDC_LABEL \ OAUTH_OIDC_ICON \ OAUTH_OIDC_SCOPE \ OAUTH_OIDC_RESPONSE_TYPE \ OAUTH_OIDC_ISSUER \ OAUTH_OIDC_DISCOVERY \ OAUTH_OIDC_CLIENT_AUTH_METHOD \ OAUTH_OIDC_UID_FIELD \ OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP \ OAUTH_OIDC_PKCE \ OAUTH_OIDC_CLIENT_ID \ OAUTH_OIDC_CLIENT_SECRET \ OAUTH_OIDC_REDIRECT_URI else exec_as_git sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_jwt() { if [[ -n ${OAUTH_JWT_SECRET} && \ -n ${OAUTH_JWT_AUTH_URL} ]]; then echo "Configuring gitlab::oauth::jwt..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_JWT_LABEL \ OAUTH_JWT_SECRET \ OAUTH_JWT_ALGORITHM \ OAUTH_JWT_UID_CLAIM \ OAUTH_JWT_REQUIRED_CLAIMS \ OAUTH_JWT_INFO_MAP_NAME \ OAUTH_JWT_INFO_MAP_EMAIL \ OAUTH_JWT_AUTH_URL \ OAUTH_JWT_VALID_WITHIN else exec_as_git sed -i "/name: 'jwt'/,/{{OAUTH_JWT_VALID_WITHIN}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth() { echo "Configuring gitlab::oauth..." 
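gitlab_configure_oauth_cas3
  gitlab_configure_oauth_google
  gitlab_configure_oauth_facebook
  gitlab_configure_oauth_twitter
  gitlab_configure_oauth_authentiq
  gitlab_configure_oauth_github
  gitlab_configure_oauth_gitlab
  gitlab_configure_oauth_bitbucket
  gitlab_configure_oauth_saml
  gitlab_configure_oauth2_generic
  gitlab_configure_oauth_crowd
  gitlab_configure_oauth_auth0
  gitlab_configure_oauth_azure
  gitlab_configure_oauth_azure_ad_v2
  gitlab_configure_oauth_oidc
  gitlab_configure_oauth_jwt

  # omniauth stays off unless the operator enabled it or a provider above did
  OAUTH_ENABLED=${OAUTH_ENABLED:-false}
  update_template ${GITLAB_CONFIG} \
    OAUTH_ENABLED \
    OAUTH_ALLOW_SSO \
    OAUTH_BLOCK_AUTO_CREATED_USERS \
    OAUTH_AUTO_LINK_LDAP_USER \
    OAUTH_AUTO_LINK_SAML_USER \
    OAUTH_AUTO_LINK_USER \
    OAUTH_EXTERNAL_PROVIDERS \
    OAUTH_ALLOW_BYPASS_TWO_FACTOR

  # auto_sign_in_with_provider must name a provider present in gitlab.yml.
  # The OIDC stanza is named 'openid_connect' (see gitlab_configure_oauth_oidc),
  # so that name is accepted alongside the historical 'oidc' spelling.
  case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
    "")
      # unset: remove the line rather than render an empty value
      exec_as_git sed -i "/{{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}}/d" ${GITLAB_CONFIG}
      ;;
    cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc|openid_connect|jwt)
      update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
      ;;
    *)
      exec_as_git sed -i "/{{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}}/d" ${GITLAB_CONFIG}
      ;;
  esac
}

# Renders secrets.yml from the GITLAB_SECRETS_* variables and creates the
# shell/workhorse/pages secret files when missing.
# Returns 1 when one of the three mandatory key bases is empty.
# NOTE(review): only DB_KEY_BASE, SECRET_KEY_BASE and OTP_KEY_BASE are validated
# here; the remaining keys passed to update_template are assumed to be defaulted
# elsewhere (env-defaults) — confirm.
gitlab_configure_secrets() {
  echo "Configuring gitlab::secrets..."
  if [[ -z $GITLAB_SECRETS_DB_KEY_BASE ]]; then
    echo "ERROR: "
    echo " Please configure the GITLAB_SECRETS_DB_KEY_BASE parameter."
    echo " Cannot continue. Aborting..."
    return 1
  fi

  if [[ -z $GITLAB_SECRETS_SECRET_KEY_BASE ]]; then
    echo "ERROR: "
    echo " Please configure the GITLAB_SECRETS_SECRET_KEY_BASE parameter."
    echo " Cannot continue. Aborting..."
    return 1
  fi

  if [[ -z $GITLAB_SECRETS_OTP_KEY_BASE ]]; then
    echo "ERROR: "
    echo " Please configure the GITLAB_SECRETS_OTP_KEY_BASE parameter."
    echo " Cannot continue. Aborting..."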
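return 1
  fi

  update_template ${GITLAB_SECRETS_CONFIG} \
    GITLAB_SECRETS_DB_KEY_BASE \
    GITLAB_SECRETS_SECRET_KEY_BASE \
    GITLAB_SECRETS_OTP_KEY_BASE \
    GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE \
    GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY \
    GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY \
    GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT

  # shared secrets between rails and gitlab-shell / workhorse / pages
  gitlab_generate_secret_file "${GITLAB_INSTALL_DIR}/.gitlab_shell_secret" -hex 16
  gitlab_generate_secret_file "${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret" -base64 32
  gitlab_generate_secret_file "${GITLAB_INSTALL_DIR}/.gitlab_pages_secret" -base64 32
}

## Creates a random secret file owned by GITLAB_USER with mode 0600.
# Existing files are kept untouched, so secrets survive container restarts.
# The file is written under umask 077 so it is never group/world readable,
# not even between creation and the explicit chmod.
# $1: destination path
# $2: openssl rand output encoding (-hex or -base64)
# $3: number of random bytes
gitlab_generate_secret_file() {
  local dest=${1}
  local encoding=${2}
  local nbytes=${3}
  if [[ ! -f "${dest}" ]]; then
    ( umask 077; exec_as_git openssl rand "${encoding}" -out "${dest}" "${nbytes}" )
    chmod 600 "${dest}"
  fi
}

# Renders sidekiq settings into gitlab.yml and the supervisor program config.
gitlab_configure_sidekiq() {
  echo "Configuring gitlab::sidekiq..."

  # configure gitlab sidekiq log format
  update_template ${GITLAB_CONFIG} \
    GITLAB_SIDEKIQ_LOG_FORMAT

  # configure sidekiq
  update_template /etc/supervisor/conf.d/sidekiq.conf \
    SIDEKIQ_CONCURRENCY \
    SIDEKIQ_SHUTDOWN_TIMEOUT

  # enable SidekiqMemoryKiller
  ## The MemoryKiller is enabled by gitlab if the `SIDEKIQ_MEMORY_KILLER_MAX_RSS` is
  ## defined in the programs environment and has a non-zero value.
  ##
  ## Simply exporting the variable makes it available in the programs environment and
  ## therefore should enable the MemoryKiller.
  ##
  ## Every other MemoryKiller option specified in the docker env will automatically
  ## be exported, so why bother
  export SIDEKIQ_MEMORY_KILLER_MAX_RSS
}

# Installs a daily/weekly/monthly crontab entry for `rake gitlab:backup:create`
# in GITLAB_USER's crontab, unless such an entry is already present.
# Any other GITLAB_BACKUP_SCHEDULE value leaves the crontab untouched.
gitlab_configure_backups_schedule() {
  case ${GITLAB_BACKUP_SCHEDULE} in
    daily|weekly|monthly)
      # dump the current crontab (an empty one makes crontab -l fail, hence the ||)
      if ! crontab -u ${GITLAB_USER} -l >/tmp/cron.${GITLAB_USER} 2>/dev/null || !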
grep -q 'bundle exec rake gitlab:backup:create' /tmp/cron.${GITLAB_USER}; then echo "Configuring gitlab::backups::schedule..." gitlab_backup_log="${GITLAB_LOG_DIR}/gitlab/gitlab-backup.log" read -r hour min <<< "${GITLAB_BACKUP_TIME//[:]/ }" day_of_month="*" month="*" day_of_week="*" case ${GITLAB_BACKUP_SCHEDULE} in daily) ;; weekly) day_of_week=0 ;; monthly) day_of_month=01 ;; esac if [[ -n ${GITLAB_BACKUP_DIR_GROUP} ]]; then echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} DIRECTORY=${GITLAB_BACKUP_DIR_GROUP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1" >> "/tmp/cron.${GITLAB_USER}" else echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1" >> "/tmp/cron.${GITLAB_USER}" fi crontab -u ${GITLAB_USER} /tmp/cron.${GITLAB_USER} fi rm -rf /tmp/cron.${GITLAB_USER} ;; esac } gitlab_configure_backups_aws() { echo "Configuring gitlab::backups::aws..." exec_as_git sed -i "/#start-gcs/,/#end-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-aws/d" ${GITLAB_CONFIG} if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then exec_as_git sed -i "/#start-multipart/,/#end-multipart/d" ${GITLAB_CONFIG} fi if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then exec_as_git sed -i "/#start-multipart-aws/,/#end-multipart-aws/d" ${GITLAB_CONFIG} fi if [[ ${AWS_BACKUP_ENCRYPTION} != true ]]; then exec_as_git sed -i "/#start-encryption-aws/,/#end-encryption-aws/d" ${GITLAB_CONFIG} fi if [[ -z ${AWS_BACKUP_REGION} && -z ${AWS_BACKUP_ENDPOINT} ]]; then echo "\nMissing AWS region or endpoint. Aborting...\n" return 1 fi if [[ ! 
-z ${AWS_BACKUP_ENDPOINT} ]]; then AWS_BACKUP_PATH_STYLE="true" fi if [[ -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then echo "\nMissing AWS options. Aborting...\n" return 1 fi update_template ${GITLAB_CONFIG} \ AWS_BACKUP_REGION \ AWS_BACKUP_ENDPOINT \ AWS_BACKUP_PATH_STYLE \ AWS_BACKUP_ACCESS_KEY_ID \ AWS_BACKUP_SECRET_ACCESS_KEY \ AWS_BACKUP_BUCKET \ AWS_BACKUP_MULTIPART_CHUNK_SIZE \ AWS_BACKUP_STORAGE_CLASS \ AWS_BACKUP_SIGNATURE_VERSION } gitlab_configure_backup_gcs() { echo "Configuring gitlab::backups::gcs..." exec_as_git sed -i "/#start-aws/,/#end-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-gcs/d" ${GITLAB_CONFIG} if [[ -z ${GCS_BACKUP_ACCESS_KEY_ID} || -z ${GCS_BACKUP_SECRET_ACCESS_KEY} || -z ${GCS_BACKUP_BUCKET} ]]; then printf "\nMissing GCS options. Aborting...\n" return 1 fi update_template ${GITLAB_CONFIG} \ GCS_BACKUP_ACCESS_KEY_ID \ GCS_BACKUP_SECRET_ACCESS_KEY \ GCS_BACKUP_BUCKET } gitlab_configure_backups() { echo "Configuring gitlab::backups..." update_template ${GITLAB_CONFIG} \ GITLAB_BACKUP_DIR \ GITLAB_BACKUP_EXPIRY \ GITLAB_BACKUP_PG_SCHEMA \ GITLAB_BACKUP_ARCHIVE_PERMISSIONS gitlab_configure_backups_schedule if [[ ${AWS_BACKUPS} != true && ${GCS_BACKUPS} != true ]]; then exec_as_git sed -i "/\s\+#start-aws/,/#end-gcs/d" ${GITLAB_CONFIG} return 0 fi if [[ ${AWS_BACKUPS} == true && ${GCS_BACKUPS} == true ]]; then printf "\nAWS and GCE cannot be enabled together, please choose one...\n" return 1 fi if [[ ${AWS_BACKUPS} == true ]]; then gitlab_configure_backups_aws fi if [[ ${GCS_BACKUPS} == true ]]; then gitlab_configure_backup_gcs fi } gitlab_configure_gravatar() { update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_ENABLED if [[ -n ${GITLAB_GRAVATAR_HTTP_URL} ]]; then echo "Configuring gitlab::gravatar::http..." 
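update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTP_URL
  else
    exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTP_URL}}/d" ${GITLAB_CONFIG}
  fi

  if [[ -n ${GITLAB_GRAVATAR_HTTPS_URL} ]]; then
    echo "Configuring gitlab::gravatar::https..."
    update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTPS_URL
  else
    exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTPS_URL}}/d" ${GITLAB_CONFIG}
  fi
}

# Render the pipeline-schedule worker cron expression, or drop the line from
# gitlab.yml when it is not given (gitlab then uses its own default).
gitlab_configure_cron_jobs() {
  echo "Configuring gitlab::cron_jobs..."

  if [[ -n "${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}" ]]; then
    update_template ${GITLAB_CONFIG} GITLAB_PIPELINE_SCHEDULE_WORKER_CRON
  else
    exec_as_git sed -i "/{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}/d" ${GITLAB_CONFIG}
  fi
}

# Google Analytics: render the tracking id or drop the placeholder line.
gitlab_configure_analytics_google() {
  if [[ -z ${GOOGLE_ANALYTICS_ID} ]]; then
    exec_as_git sed -i "/{{GOOGLE_ANALYTICS_ID}}/d" ${GITLAB_CONFIG}
    return
  fi

  echo "Configuring gitlab::analytics:google..."
  update_template ${GITLAB_CONFIG} GOOGLE_ANALYTICS_ID
}

# Piwik/Matomo: both the url and the site id are required; with either one
# missing both placeholder lines are dropped.
gitlab_configure_analytics_piwik() {
  if [[ -z ${PIWIK_URL} || -z ${PIWIK_SITE_ID} ]]; then
    exec_as_git sed -i \
      -e "/{{PIWIK_URL}}/d" \
      -e "/{{PIWIK_SITE_ID}}/d" \
      ${GITLAB_CONFIG}
    return
  fi

  echo "Configuring gitlab::analytics:piwik..."
  update_template ${GITLAB_CONFIG} \
    PIWIK_URL \
    PIWIK_SITE_ID
}

gitlab_configure_analytics() {
  gitlab_configure_analytics_google
  gitlab_configure_analytics_piwik
}

# Render the rack-attack (login throttling / IP banning) settings.
#
# RACK_ATTACK_WHITELIST is spliced into gitlab.yml as a YAML/Ruby array
# literal, so it is checked first by evaluating it as an array and parsing
# every element with IPAddr.  A bad entry aborts (return 1): an unparsable
# whitelist would otherwise only surface as a failure inside the Rails app.
# Because the value is interpolated into Ruby source it is executed as Ruby;
# it must only ever come from the operator's environment, never from request
# data.
gitlab_configure_rack_attack() {
  echo "Configuring gitlab::rack_attack..."

  # validity check : RACK_ATTACK_WHITELIST should be an array of valid IP Address string
  echo "  Validating RACK_ATTACK_WHITELIST..."
  if ! /usr/bin/env ruby <<SCRIPT
require 'ipaddr'
${RACK_ATTACK_WHITELIST}.each do |host|
  begin
    printf("    input=%s, to_range=%s\n", host, IPAddr.new(host).to_range)
  rescue IPAddr::InvalidAddressError => e
    p e
    exit 1
  rescue => e
    puts "Unexpected error", e
    exit 1
  end
end
SCRIPT
  then
    echo "ERROR: "
    echo "  RACK_ATTACK_WHITELIST is not a list of valid IP addresses/networks."
    echo "  Cannot continue. Aborting..."
    return 1
  fi

  update_template ${GITLAB_CONFIG} \
    RACK_ATTACK_ENABLED \
    RACK_ATTACK_WHITELIST \
    RACK_ATTACK_MAXRETRY \
    RACK_ATTACK_FINDTIME \
    RACK_ATTACK_BANTIME
}

gitlab_configure_ci() {
  echo "Configuring gitlab::ci..."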
update_template ${GITLAB_CONFIG} \ GITLAB_NOTIFY_ON_BROKEN_BUILDS \ GITLAB_NOTIFY_PUSHER GITLAB_BUILDS_DIR } gitlab_configure_artifacts() { update_template ${GITLAB_CONFIG} \ GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED if [[ ${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::artifacts:object_store" if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then echo " -> Google ARTIFACTS provider selected removing aws config" exec_as_git sed -i "/#start-artifacts-aws/,/#end-artifacts-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-artifacts-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-artifacts-gcs/d" ${GITLAB_CONFIG} fi if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then echo " -> AWS ARTIFACTS provider selected removing Google config" exec_as_git sed -i "/#start-artifacts-gcs/,/#end-artifacts-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-artifacts-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-artifacts-aws/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION else exec_as_git sed -i -e "/path: 
{{GITLAB_ARTIFACTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} fi echo "Configuring gitlab::artifacts..." update_template ${GITLAB_CONFIG} \ GITLAB_ARTIFACTS_ENABLED \ GITLAB_ARTIFACTS_DIR } gitlab_configure_packages() { update_template ${GITLAB_CONFIG} \ GITLAB_PACKAGES_OBJECT_STORE_ENABLED if [[ ${GITLAB_PACKAGES_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::packages:object_store" if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then echo " -> Google PACKAGES provider selected removing aws config" exec_as_git sed -i "/#start-packages-aws/,/#end-packages-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-packages-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-packages-gcs/d" ${GITLAB_CONFIG} fi if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then echo " -> AWS PACKAGES provider selected removing Google config" exec_as_git sed -i "/#start-packages-gcs/,/#end-packages-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-packages-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-packages-aws/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION else 
exec_as_git sed -i -e "/path: {{GITLAB_PACKAGES_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} fi echo "Configuring gitlab::packages..." update_template ${GITLAB_CONFIG} \ GITLAB_PACKAGES_ENABLED \ GITLAB_PACKAGES_DIR } gitlab_configure_terraform_state() { update_template ${GITLAB_CONFIG} \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED if [[ ${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::terraform_state:object_store" if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then echo " -> Google TERRAFORM STATE provider selected removing aws config" exec_as_git sed -i "/#start-terraform_state-aws/,/#end-terraform_state-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-terraform_state-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-terraform_state-gcs/d" ${GITLAB_CONFIG} fi if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then echo " -> AWS TERRAFORM STATE provider selected removing Google config" exec_as_git sed -i "/#start-terraform_state-gcs/,/#end-terraform_state-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-terraform_state-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-terraform_state-aws/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL 
\ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION else exec_as_git sed -i -e "/storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} fi echo "Configuring gitlab::terraform_state..." update_template ${GITLAB_CONFIG} \ GITLAB_TERRAFORM_STATE_ENABLED \ GITLAB_TERRAFORM_STATE_STORAGE_PATH } gitlab_configure_lfs() { update_template ${GITLAB_CONFIG} \ GITLAB_LFS_OBJECT_STORE_ENABLED \ if [[ ${GITLAB_LFS_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::lfs:object_store" if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then echo " -> Google LFS provider selected removing aws config" exec_as_git sed -i "/#start-lfs-aws/,/#end-lfs-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-lfs-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-lfs-gcs/d" ${GITLAB_CONFIG} fi if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then echo " -> AWS LFS provider selected removing Google config" exec_as_git sed -i "/#start-lfs-gcs/,/#end-lfs-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-lfs-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-lfs-aws/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION else 
exec_as_git sed -i -e "/path: {{GITLAB_LFS_OBJECTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} fi echo "Configuring gitlab::lfs..." update_template ${GITLAB_CONFIG} \ GITLAB_LFS_ENABLED \ GITLAB_LFS_OBJECTS_DIR } gitlab_configure_uploads() { update_template ${GITLAB_CONFIG} \ GITLAB_UPLOADS_OBJECT_STORE_ENABLED if [[ ${GITLAB_UPLOADS_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::uploads:object_store" if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then echo " -> Google UPLOADS provider selected removing aws config" exec_as_git sed -i "/#start-uploads-aws/,/#end-uploads-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-uploads-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-uploads-gcs/d" ${GITLAB_CONFIG} fi if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then echo " -> AWS UPLOADS provider selected removing Google config" exec_as_git sed -i "/#start-uploads-gcs/,/#end-uploads-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-uploads-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-uploads-aws/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION else exec_as_git 
sed -i -e "/base_dir: {{GITLAB_UPLOADS_BASE_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} fi echo "Configuring gitlab::uploads..." update_template ${GITLAB_CONFIG} \ GITLAB_UPLOADS_STORAGE_PATH \ GITLAB_UPLOADS_BASE_DIR } gitlab_configure_mattermost() { echo "Configuring gitlab::mattermost..." update_template ${GITLAB_CONFIG} \ GITLAB_MATTERMOST_ENABLED \ GITLAB_MATTERMOST_URL } gitlab_configure_project_features() { echo "Configuring gitlab::project_features..." update_template ${GITLAB_CONFIG} \ GITLAB_PROJECTS_ISSUES \ GITLAB_PROJECTS_MERGE_REQUESTS \ GITLAB_PROJECTS_WIKI \ GITLAB_PROJECTS_SNIPPETS \ GITLAB_PROJECTS_BUILDS \ GITLAB_PROJECTS_CONTAINER_REGISTRY \ GITLAB_WEBHOOK_TIMEOUT } gitlab_configure_registry(){ echo "Configuring gitlab::registry..." if [[ ${GITLAB_REGISTRY_PORT} == 443 ]]; then # Sets GITLAB_REGISTRY_PORT empty for the scope of this function. # This helps us to add an empty key to `.gitlab-ci.yml`. # Because 443 is the default https port it doesn't need to be included in docker push/pull commands # and shouldn't be displayed on the gitlab ui. # Example: `docker pull registry:443/some/image` is the same as `docker pull registry/some/image` local GITLAB_REGISTRY_PORT="" fi update_template ${GITLAB_CONFIG} \ GITLAB_REGISTRY_ENABLED \ GITLAB_REGISTRY_DIR \ GITLAB_REGISTRY_HOST \ GITLAB_REGISTRY_PORT \ GITLAB_REGISTRY_API_URL \ GITLAB_REGISTRY_KEY_PATH \ GITLAB_REGISTRY_ISSUER } gitlab_configure_pages(){ echo "Configuring gitlab::pages..." 
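update_template ${GITLAB_CONFIG} \
    GITLAB_PAGES_ENABLED \
    GITLAB_PAGES_DOMAIN \
    GITLAB_PAGES_PORT \
    GITLAB_PAGES_HTTPS \
    GITLAB_PAGES_ARTIFACTS_SERVER \
    GITLAB_PAGES_ACCESS_CONTROL \
    GITLAB_PAGES_NAMESPACE_IN_PATH

  # "-i -e", never "-ie": GNU sed reads "-ie" as in-place *with backup suffix
  # "e"*, which leaves a "${GITLAB_CONFIG}e" copy of gitlab.yml (already
  # carrying every credential rendered so far) next to the real file.
  if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
    update_template ${GITLAB_CONFIG} \
      GITLAB_PAGES_EXTERNAL_HTTP
  else
    exec_as_git sed -i -e "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG}
  fi

  if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
    update_template ${GITLAB_CONFIG} \
      GITLAB_PAGES_EXTERNAL_HTTPS
  else
    exec_as_git sed -i -e "/{{GITLAB_PAGES_EXTERNAL_HTTPS}}/d" ${GITLAB_CONFIG}
  fi
}

# Render the Sentry error-reporting settings (server- and client-side DSN).
gitlab_configure_sentry(){
  echo "Configuring gitlab::sentry..."

  update_template ${GITLAB_CONFIG} \
    SENTRY_ENABLED \
    SENTRY_DSN \
    SENTRY_CLIENTSIDE_DSN \
    SENTRY_ENVIRONMENT
}

# Render the Content-Security-Policy block of gitlab.yml: the on/off and
# report-only switches plus one value per directive.
gitlab_configure_content_security_policy(){
  echo "Configuring gitlab::content_security_policy..."

  update_template ${GITLAB_CONFIG} \
    GITLAB_CONTENT_SECURITY_POLICY_ENABLED \
    GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC \
    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI
}

# Render the TLS parameters into the nginx vhost.  Only does anything when
# GITLAB_HTTPS is on *and* certificate, key and DH parameters are all present
# (the TLS vhost template is only installed in that case, see
# install_configuration_templates).
nginx_configure_gitlab_ssl() {
  if [[ ${GITLAB_HTTPS} != true || ! -f ${SSL_CERTIFICATE_PATH} || ! -f ${SSL_KEY_PATH} || ! -f ${SSL_DHPARAM_PATH} ]]; then
    return
  fi

  echo "Configuring nginx::gitlab::ssl..."

  # without a CA bundle the ssl_client_certificate line is dropped;
  # NOTE(review): SSL_VERIFY_CLIENT is still rendered in that case, so an
  # operator setting it to "on" with no CA file gets an nginx config that
  # cannot verify anything - confirm against the template.
  if [[ ! -f ${SSL_CA_CERTIFICATES_PATH} ]]; then
    sed -i "/{{SSL_CA_CERTIFICATES_PATH}}/d" ${GITLAB_NGINX_CONFIG}
  fi

  update_template ${GITLAB_NGINX_CONFIG} \
    SSL_CERTIFICATE_PATH \
    SSL_KEY_PATH \
    SSL_DHPARAM_PATH \
    SSL_VERIFY_CLIENT \
    SSL_CA_CERTIFICATES_PATH \
    SSL_CIPHERS \
    SSL_PROTOCOLS
}

# HSTS is only meaningful on an HTTPS vhost: render the max-age when HTTPS is
# on and NGINX_HSTS_ENABLED is true, otherwise remove the header line.
nginx_configure_gitlab_hsts() {
  local render_hsts=false
  if [[ ${GITLAB_HTTPS} == true ]]; then
    echo "Configuring nginx::gitlab::hsts..."
    [[ ${NGINX_HSTS_ENABLED} == true ]] && render_hsts=true
  fi

  if [[ ${render_hsts} != true ]]; then
    sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG}
  fi

  # on an HTTPS vhost the placeholder is substituted (or, when HSTS is
  # disabled, its line is already gone and this is a no-op)
  if [[ ${GITLAB_HTTPS} == true ]]; then
    update_template ${GITLAB_NGINX_CONFIG} NGINX_HSTS_MAXAGE
  fi
}

# Drop the IPv6 listen directives when the kernel exposes no IPv6 support,
# otherwise nginx fails to bind.
nginx_configure_gitlab_ipv6() {
  [[ -f /proc/net/if_inet6 ]] && return

  local cfg
  for cfg in ${GITLAB_NGINX_CONFIG}; do
    sed -i \
      -e "/listen \[::\]:80/d" \
      -e "/listen \[::\]:443/d" \
      ${cfg}
  done

  if [[ ${GITLAB_PAGES_ENABLED} == true && ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
    sed -i \
      -e "/listen \[::\]:80/d" \
      -e "/listen \[::\]:443/d" \
      ${GITLAB_PAGES_NGINX_CONFIG}
  fi
}

# Render the real_ip (X-Forwarded-For trust) settings.
#
# NOTE(review): the trusted-address list is only rendered when
# NGINX_REAL_IP_RECURSIVE is "on"; with it left off the set_real_ip_from line
# is removed even if NGINX_REAL_IP_TRUSTED_ADDRESSES is set, so client IPs
# behind a proxy are then not recovered at all.  Confirm this coupling is
# intended before relying on it for rack-attack bans.
nginx_configure_gitlab_real_ip() {
  if [[ ${NGINX_REAL_IP_RECURSIVE} == on && -n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then
    echo "Configuring nginx::gitlab::real_ip..."
    update_template ${GITLAB_NGINX_CONFIG} \
      NGINX_REAL_IP_RECURSIVE \
      NGINX_REAL_IP_TRUSTED_ADDRESSES
    return
  fi

  NGINX_REAL_IP_RECURSIVE="off"
  update_template ${GITLAB_NGINX_CONFIG} \
    NGINX_REAL_IP_RECURSIVE
  sed -i "/{{NGINX_REAL_IP_TRUSTED_ADDRESSES}}/d" ${GITLAB_NGINX_CONFIG}
}

nginx_configure_gitlab() {
  echo "Configuring nginx::gitlab..."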
update_template ${GITLAB_NGINX_CONFIG} \ GITLAB_HOME \ GITLAB_INSTALL_DIR \ GITLAB_LOG_DIR \ GITLAB_HOST \ GITLAB_PORT \ NGINX_PROXY_BUFFERING \ NGINX_ACCEL_BUFFERING \ NGINX_X_FORWARDED_PROTO \ NGINX_CUSTOM_GITLAB_SERVER_CONFIG nginx_configure_gitlab_ssl nginx_configure_gitlab_hsts nginx_configure_gitlab_ipv6 nginx_configure_gitlab_real_ip } nginx_configure_gitlab_ci() { if [[ -n $GITLAB_CI_HOST ]]; then echo "Configuring nginx::gitlab_ci..." DNS_RESOLVERS=$(cat /etc/resolv.conf | grep '^\s*nameserver' | awk '{print $2}' ORS=' ') update_template ${GITLAB_CI_NGINX_CONFIG} \ GITLAB_LOG_DIR \ GITLAB_HOST \ GITLAB_CI_HOST \ DNS_RESOLVERS fi } nginx_configure_gitlab_registry() { if [[ $GITLAB_REGISTRY_ENABLED == true && -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then echo "Configuring nginx::gitlab-registry..." update_template ${GITLAB_REGISTRY_NGINX_CONFIG} \ GITLAB_LOG_DIR \ GITLAB_REGISTRY_PORT \ GITLAB_REGISTRY_HOST \ GITLAB_REGISTRY_API_URL \ SSL_REGISTRY_KEY_PATH \ SSL_REGISTRY_CERT_PATH \ SSL_REGISTRY_CIPHERS \ SSL_REGISTRY_PROTOCOLS fi } nginx_configure_pages(){ local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g') if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then echo "Configuring nginx::gitlab-pages..." 
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
      if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then
        # GITLAB_PAGES_DOMAIN and GITLAB_LOG_DIR appear twice in this list;
        # the duplicates are harmless but redundant
        update_template ${GITLAB_PAGES_NGINX_CONFIG} \
          GITLAB_PORT \
          GITLAB_PAGES_DOMAIN \
          GITLAB_PAGES_PORT \
          GITLAB_LOG_DIR \
          GITLAB_PAGES_DOMAIN \
          SSL_PAGES_CERT_PATH \
          SSL_PAGES_KEY_PATH \
          SSL_PAGES_CIPHERS \
          SSL_PAGES_PROTOCOLS \
          SSL_DHPARAM_PATH \
          GITLAB_LOG_DIR
      else
        update_template ${GITLAB_PAGES_NGINX_CONFIG} \
          GITLAB_PAGES_DOMAIN \
          GITLAB_LOG_DIR
      fi
    else
      echo "Gitlab pages nginx proxy disabled"
      echo "Assuming custom domain setup with own HTTP(S) load balancer'"
    fi
  fi
}

# Init

# Re-number the application user to USERMAP_UID/USERMAP_GID so files on
# bind-mounted volumes end up owned by the host user the operator chose.
#
# USERMAP_GID defaults to USERMAP_UID (and that to the current uid/gid), so
# giving only a uid yields uid == gid.  The gid is changed with groupmod; the
# uid is rewritten directly in /etc/passwd - the sed pattern matches any passwd
# entry that has the *old* uid together with the *new* gid, which after the
# groupmod is the application user's line.  Finally everything under
# GITLAB_HOME except the data directory is re-owned (chown -h: symlinks
# themselves, not their targets).
map_uidgid() {
  USERMAP_ORIG_UID=$(id -u ${GITLAB_USER})
  USERMAP_ORIG_GID=$(id -g ${GITLAB_USER})
  USERMAP_GID=${USERMAP_GID:-${USERMAP_UID:-$USERMAP_ORIG_GID}}
  USERMAP_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
  if [[ ${USERMAP_UID} != ${USERMAP_ORIG_UID} ]] || [[ ${USERMAP_GID} != ${USERMAP_ORIG_GID} ]]; then
    echo "Mapping UID and GID for ${GITLAB_USER}:${GITLAB_USER} to $USERMAP_UID:$USERMAP_GID"
    # -o: allow a gid that another group already uses
    groupmod -o -g ${USERMAP_GID} ${GITLAB_USER}
    sed -i -e "s|:${USERMAP_ORIG_UID}:${USERMAP_GID}:|:${USERMAP_UID}:${USERMAP_GID}:|" /etc/passwd
    # the data directory is skipped here; its ownership is handled by
    # initialize_datadir / sanitize_datadir
    find ${GITLAB_HOME} -path ${GITLAB_DATA_DIR}/\* -prune -o -print0 | xargs -0 chown -h ${GITLAB_USER}:
  fi
}

# Add the operator-supplied certificates to the container's system trust
# store so in-container clients (workhorse, registry, pages talking to the
# Rails app) accept them - needed when the deployment uses a self-signed or
# private-CA certificate.  The server certificate itself is trusted as if it
# were a CA; that is deliberate for the self-signed case.
update_ca_certificates() {
  if [[ -f ${SSL_CERTIFICATE_PATH} || -f ${SSL_CA_CERTIFICATES_PATH} || -f ${SSL_REGISTRY_CERT_PATH} ]]; then
    echo "Updating CA certificates..."
    [[ -f ${SSL_CERTIFICATE_PATH} ]] && cp "${SSL_CERTIFICATE_PATH}" /usr/local/share/ca-certificates/gitlab.crt
    [[ -f ${SSL_CA_CERTIFICATES_PATH} ]] && cp "${SSL_CA_CERTIFICATES_PATH}" /usr/local/share/ca-certificates/ca.crt
    [[ -f ${SSL_REGISTRY_CERT_PATH} ]] && cp "${SSL_REGISTRY_CERT_PATH}" /usr/local/share/ca-certificates/registry-ca.crt
    # --fresh: rebuild the bundle from scratch so previously added, now
    # removed certificates do not linger
    update-ca-certificates --fresh >/dev/null
  fi
}

# Create the per-service log directories with their owners.
initialize_logdir() {
  echo "Initializing logdir..."
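mkdir -p ${GITLAB_LOG_DIR}/supervisor
  chmod -R 0755 ${GITLAB_LOG_DIR}/supervisor
  chown -R root: ${GITLAB_LOG_DIR}/supervisor

  # the service logs belong to the application user; 0755 keeps them readable
  # by log shippers but note it also makes every log file world-readable
  # inside the container
  local logdir
  for logdir in nginx gitlab gitlab-shell gitaly; do
    mkdir -p ${GITLAB_LOG_DIR}/${logdir}
    chmod -R 0755 ${GITLAB_LOG_DIR}/${logdir}
    chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/${logdir}
  done
}

# Create directory $1 (if missing), grant its owner rwX and hand it to
# ${GITLAB_USER}.  Group/other bits are left untouched, exactly like the
# per-directory mkdir/chmod/chown sequence this replaces.
_initialize_owned_dir() {
  mkdir -p "$1"
  chmod u+rwX "$1"
  chown ${GITLAB_USER}: "$1"
}

# Lay out the persistent data directory on first start (idempotent on later
# starts): repositories, builds, shared storage, uploads, ssh material and
# the symlinks the install tree expects.  Runs as root.
initialize_datadir() {
  echo "Initializing datadir..."

  chmod 755 ${GITLAB_DATA_DIR}
  chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}

  # sshd host keys live here and stay root-owned
  mkdir -p ${GITLAB_DATA_DIR}/ssh
  chown -R root: ${GITLAB_DATA_DIR}/ssh

  # repositories: user+group rwX, nothing for others; setgid on the directory
  # so repositories created later inherit the group
  mkdir -p ${GITLAB_REPOS_DIR}
  chown ${GITLAB_USER}: ${GITLAB_REPOS_DIR}
  chmod ug+rwX,o-rwx ${GITLAB_REPOS_DIR}
  exec_as_git chmod g+s ${GITLAB_REPOS_DIR}

  _initialize_owned_dir ${GITLAB_BUILDS_DIR}
  # gitlab:backup:create does not respect the builds_path configuration, so we
  # symlink ${GITLAB_INSTALL_DIR}/builds -> ${GITLAB_BUILDS_DIR}
  rm -rf ${GITLAB_INSTALL_DIR}/builds
  ln -sf ${GITLAB_BUILDS_DIR} ${GITLAB_INSTALL_DIR}/builds

  _initialize_owned_dir ${GITLAB_DOWNLOADS_DIR}
  _initialize_owned_dir ${GITLAB_SHARED_DIR}
  _initialize_owned_dir ${GITLAB_SHARED_DIR}/ci_secure_files
  _initialize_owned_dir ${GITLAB_SHARED_DIR}/external-diffs
  _initialize_owned_dir ${GITLAB_ARTIFACTS_DIR}
  _initialize_owned_dir ${GITLAB_PAGES_DIR}

  # symlink ${GITLAB_INSTALL_DIR}/shared -> ${GITLAB_DATA_DIR}/shared
  rm -rf ${GITLAB_INSTALL_DIR}/shared
  ln -sf ${GITLAB_SHARED_DIR} ${GITLAB_INSTALL_DIR}/shared

  _initialize_owned_dir ${GITLAB_LFS_OBJECTS_DIR}

  # optional features only get their storage when enabled
  if [[ ${GITLAB_TERRAFORM_STATE_ENABLED} == true ]]; then
    _initialize_owned_dir ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}
  fi
  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
    _initialize_owned_dir ${GITLAB_REGISTRY_DIR}
  fi
  if [[ ${GITLAB_PACKAGES_ENABLED} == true ]]; then
    _initialize_owned_dir ${GITLAB_PACKAGES_DIR}
  fi

  # backups: re-owning is opt-in (GITLAB_BACKUP_DIR_CHOWN) since this is
  # commonly an externally managed mount
  mkdir -p ${GITLAB_BACKUP_DIR}
  if [[ ${GITLAB_BACKUP_DIR_CHOWN} == true ]]; then
    chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR}
  fi

  # uploads: private to the application user
  mkdir -p ${GITLAB_DATA_DIR}/uploads
  chmod 0700 ${GITLAB_DATA_DIR}/uploads
  chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads

  # gitlab-shell's authorized_keys with the usual private ssh modes
  mkdir -p ${GITLAB_DATA_DIR}/.ssh
  touch ${GITLAB_DATA_DIR}/.ssh/authorized_keys
  chmod 700 ${GITLAB_DATA_DIR}/.ssh
  chmod 600 ${GITLAB_DATA_DIR}/.ssh/authorized_keys
  chown -R ${GITLAB_USER}: ${GITLAB_DATA_DIR}/.ssh
}

# Re-apply ownership and modes across the whole data directory (slow on large
# installs, hence the notice).  Repositories get the same ug+rwX,o-rwx/setgid
# layout as initialize_datadir; everything else is re-owned and made
# owner-writable.  Finishes by (re)creating the gitlab-shell hooks.
sanitize_datadir() {
  echo "Sanitizing datadir. Please be patient..."

  chmod -R ug+rwX,o-rwx ${GITLAB_REPOS_DIR}/
  # strip setuid/setgid from files, then restore setgid on directories only
  chmod -R ug-s ${GITLAB_REPOS_DIR}/
  find ${GITLAB_REPOS_DIR}/ -type d -print0 | xargs -0 chmod g+s
  chown -R ${GITLAB_USER}: ${GITLAB_REPOS_DIR}

  local dir
  for dir in ${GITLAB_BUILDS_DIR} ${GITLAB_DOWNLOADS_DIR} ${GITLAB_TEMP_DIR} ${GITLAB_SHARED_DIR} \
             ${GITLAB_ARTIFACTS_DIR} ${GITLAB_PAGES_DIR} ${GITLAB_LFS_OBJECTS_DIR}; do
    chmod -R u+rwX ${dir}
    chown -R ${GITLAB_USER}: ${dir}
  done

  # optional features, gated on the same flags initialize_datadir uses
  if [[ ${GITLAB_TERRAFORM_STATE_ENABLED} == true ]]; then
    chmod u+rwX ${GITLAB_SHARED_DIR}/terraform_state
    chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/terraform_state
  fi
  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
    chmod -R u+rwX ${GITLAB_REGISTRY_DIR}
    chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
  fi
  # "== true", not a bare non-empty test: GITLAB_PACKAGES_ENABLED=false is a
  # non-empty string and used to take this branch as well
  if [[ ${GITLAB_PACKAGES_ENABLED} == true ]]; then
    chmod u+rwX ${GITLAB_PACKAGES_DIR}
    chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR}
  fi

  # uploads: files 0644 / subdirs 0755, but the top directory itself 0700 so
  # nothing below it is reachable by other accounts
  find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \;
  find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \;
  chmod 0700 ${GITLAB_DATA_DIR}/uploads/
  chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads/

  echo "Creating gitlab-shell hooks..."
  exec_as_git ${GITLAB_SHELL_INSTALL_DIR}/bin/create-hooks
}

# Generate one unencrypted ssh key of type $1 into $2, printing the upper-cased
# type as progress output.
generate_ssh_key() {
  echo -n "${1^^} "
  ssh-keygen -qt "${1}" -N '' -f "${2}"
}

# Point sshd at host keys under the persistent data directory (so the host
# identity survives container re-creation) and generate them on first start.
#
# NOTE(review): the presence of the rsa key alone is the "already generated"
# marker, so a data volume created by an older image never gains newer key
# types (the list of generated types continues past this chunk).  A per-type
# existence check would be safer.
generate_ssh_host_keys() {
  sed -i "s|^[#]*MaxStartups[^$]*|MaxStartups ${GITLAB_SSH_MAXSTARTUPS}|" /etc/ssh/sshd_config
  sed -i "s|#HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g" /etc/ssh/sshd_config
  if [[ ! -e ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key ]]; then
    echo -n "Generating OpenSSH host keys... 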
" generate_ssh_key rsa ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key generate_ssh_key dsa ${GITLAB_DATA_DIR}/ssh/ssh_host_dsa_key generate_ssh_key ecdsa ${GITLAB_DATA_DIR}/ssh/ssh_host_ecdsa_key generate_ssh_key ed25519 ${GITLAB_DATA_DIR}/ssh/ssh_host_ed25519_key echo fi # ensure existing host keys have the right permissions chmod 0600 ${GITLAB_DATA_DIR}/ssh/*_key chmod 0644 ${GITLAB_DATA_DIR}/ssh/*.pub } update_ssh_listen_port() { sed -i "s|#Port 22|Port ${GITLAB_SSH_LISTEN_PORT}|g" /etc/ssh/sshd_config } generate_healthcheck_script() { # configure healthcheck script ## https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html local HEALTHCHECK_PROTOCOL="http" if [[ "${GITLAB_HTTPS}" == true && "${SSL_SELF_SIGNED}" == false ]]; then HEALTHCHECK_PROTOCOL="${HEALTHCHECK_PROTOCOL}s" fi cat > /usr/local/sbin/healthcheck < /etc/timezone echo "Container TimeZone -> ${TIMEZONE}" fi } initialize_system() { map_uidgid initialize_logdir initialize_datadir update_ca_certificates generate_ssh_host_keys update_ssh_listen_port configure_container_timezone install_configuration_templates rm -rf /var/run/supervisor.sock } install_configuration_templates() { echo "Installing configuration templates..." 
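install_template ${GITLAB_USER}: gitlabhq/gitlab.yml ${GITLAB_CONFIG} 0640
  install_template ${GITLAB_USER}: gitlabhq/database.yml ${GITLAB_DATABASE_CONFIG} 0640
  install_template ${GITLAB_USER}: gitlabhq/puma.rb ${GITLAB_PUMA_CONFIG} 0644
  install_template ${GITLAB_USER}: gitlabhq/resque.yml ${GITLAB_RESQUE_CONFIG} 0640
  # secrets.yml holds the key bases: owner-only
  install_template ${GITLAB_USER}: gitlabhq/secrets.yml ${GITLAB_SECRETS_CONFIG} 0600
  install_template ${GITLAB_USER}: gitlab-shell/config.yml ${GITLAB_SHELL_CONFIG} 0640
  install_template ${GITLAB_USER}: gitlabhq/cable.yml ${GITLAB_ACTIONCABLE_CONFIG} 0640

  if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
    install_template ${GITLAB_USER}: gitlabhq/relative_url.rb ${GITLAB_RELATIVE_URL_CONFIG} 0644
  fi

  if [[ ${SMTP_ENABLED} == true ]]; then
    # smtp_settings.rb carries the SMTP credentials: give it the same
    # owner/group-only mode as the other credential-bearing configs instead
    # of relying on install_template's default
    install_template ${GITLAB_USER}: gitlabhq/smtp_settings.rb ${GITLAB_SMTP_CONFIG} 0640
  fi

  # custom user specified robots.txt
  if [[ -f ${GITLAB_ROBOTS_PATH} ]]; then
    exec_as_git cp ${GITLAB_ROBOTS_PATH} ${GITLAB_ROBOTS_CONFIG}
  fi

  ## ${GITLAB_NGINX_CONFIG}
  # the TLS vhost needs certificate, key and DH parameters; with HTTPS
  # requested but any of them missing we fall back to the plain vhost and
  # assume TLS is terminated in front of the container
  if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
    install_template root: nginx/gitlab-ssl ${GITLAB_NGINX_CONFIG}
  else
    if [[ ${GITLAB_HTTPS} == true ]]; then
      echo "SSL Key, SSL Certificate and DHParam were not found."
      echo "Assuming that the container is running behind a HTTPS enabled load balancer."
    fi
    install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}
  fi

  ## ${GITLAB_PAGES_NGINX_CONFIG}
  if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
    install_template ${GITLAB_USER}: gitlab-pages/config ${GITLAB_PAGES_CONFIG} 0640

    if [[ ${GITLAB_PAGES_NGINX_PROXY} != true ]]; then
      # operator runs their own proxy in front of gitlab-pages
      echo "Gitlab pages nginx proxy disabled"
      echo "Assuming custom domain setup with own HTTP(S) load balancer'"
    elif [[ ${GITLAB_PAGES_HTTPS} == true && -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then
      install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG}
    else
      echo "SSL Key, SSL Certificate were not found."
      echo "Assuming that the container is running behind a HTTPS enabled load balancer."
      install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG}
    fi
  fi

  if [[ -n $GITLAB_CI_HOST ]]; then
    install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG}
  fi

  # the registry vhost is TLS-only; without its certificate pair no vhost is
  # installed and TLS is assumed to be terminated upstream
  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
    if [[ -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
      install_template root: nginx/gitlab-registry ${GITLAB_REGISTRY_NGINX_CONFIG}
    else
      echo "SSL key and certificates for Registry were not found"
      echo "Assuming that the Registry is running behind a HTTPS enabled load balancer."
    fi
  fi

  install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
}

# Render every configuration file from its template: the global gitlab.yml
# settings first, then one function per feature area.
configure_gitlab() {
  echo "Configuring gitlab..."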
update_template ${GITLAB_CONFIG} \ GITLAB_INSTALL_DIR \ GITLAB_SHELL_INSTALL_DIR \ GITLAB_DATA_DIR \ GITLAB_REPOS_DIR \ GITLAB_DOWNLOADS_DIR \ GITLAB_SHARED_DIR \ GITLAB_HOME \ GITLAB_HOST \ GITLAB_PORT \ GITLAB_RELATIVE_URL_ROOT \ GITLAB_HTTPS \ GITLAB_SSH_HOST \ GITLAB_SSH_LISTEN_PORT \ GITLAB_SSH_PORT \ GITLAB_SIGNUP_ENABLED \ GITLAB_IMPERSONATION_ENABLED \ GITLAB_PROJECTS_LIMIT \ GITLAB_USERNAME_CHANGE \ GITLAB_DEFAULT_THEME \ GITLAB_CREATE_GROUP \ GITLAB_ISSUE_CLOSING_PATTERN gitlab_configure_database gitlab_configure_redis gitlab_configure_actioncable gitlab_configure_secrets gitlab_configure_sidekiq gitlab_configure_gitaly gitlab_configure_monitoring gitlab_configure_gitlab_workhorse gitlab_configure_relative_url gitlab_configure_trusted_proxies gitlab_configure_puma gitlab_configure_timezone gitlab_configure_rack_attack gitlab_configure_ci gitlab_configure_artifacts gitlab_configure_packages gitlab_configure_terraform_state gitlab_configure_lfs gitlab_configure_uploads gitlab_configure_mattermost gitlab_configure_project_features gitlab_configure_mail_delivery gitlab_configure_mailroom gitlab_configure_oauth gitlab_configure_ldap gitlab_configure_gravatar gitlab_configure_cron_jobs gitlab_configure_analytics gitlab_configure_backups generate_registry_certificates gitlab_configure_registry gitlab_configure_pages gitlab_configure_sentry generate_healthcheck_script gitlab_configure_content_security_policy # remove stale gitlab.socket rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket } # feature flags are recorded to database (schema "application_settings") so requires DB is (at least) initialized gitlab_configure_feature_flags() { echo "Configuring gitlab::feature_flags..." if [[ -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" && -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then # Do nothing and reports no error if no targets specified echo "- No targets specified. skipping..." 
return 0 fi # Build command line argument for script only when target is specified # If not, scripts fails because option specifier is recognized as feature flags for example # like "--disable --enable" : for this case, --disable is recognized as a value of option "--enable" if [[ -n "${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" ]]; then GITLAB_FEATURE_FLAGS_DISABLE_TARGETS="--disable ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" fi # The same goes for --enable (this is the last option passed to "rails runner" that will be run below) # For this case (final option), it throws "missing argument" error for execution like: # like "--disable feature1,feature2 --enable" if [[ -n "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then GITLAB_FEATURE_FLAGS_ENABLE_TARGETS="--enable ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" fi PWD_ORG=${PWD} cd "${GITLAB_INSTALL_DIR}" # copy the script to temporal directory : to avoid permission issue cp "${GITLAB_RUNTIME_DIR}/scripts/configure_feature_flags.rb" "${GITLAB_TEMP_DIR}/" chown "${GITLAB_USER}:" "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" echo "- Launching rails runner to set feature flags. This will take some time...." # If arguments are empty, the script will do nothing and print object dump like below: # - specified feature flags: {:to_be_disabled=>[], :to_be_enabled=>[]} # DO NOT qupte variables : word splitting must be enabled. # If disabled, whole string like '--disable feature_name_1,feature_name_2' # will be recognized as single option and results to invalid argument error # # shellcheck disable=SC2086 exec_as_git bundle exec rails runner "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" \ ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS} \ ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS} rm "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" cd "${PWD_ORG}" } configure_gitlab_requires_db() { gitlab_configure_feature_flags } configure_gitlab_shell() { echo "Configuring gitlab-shell..." 
update_template ${GITLAB_SHELL_CONFIG} \ GITLAB_RELATIVE_URL_ROOT \ GITLAB_HOME \ GITLAB_LOG_DIR \ GITLAB_SHELL_INSTALL_DIR \ SSL_SELF_SIGNED \ REDIS_HOST \ REDIS_PORT \ REDIS_DB_NUMBER # update custom_hooks_dir if set $GITLAB_SHELL_CUSTOM_HOOKS_DIR if [[ -n ${GITLAB_SHELL_CUSTOM_HOOKS_DIR} ]]; then exec_as_git sed -i \ "s|custom_hooks_dir:.*|custom_hooks_dir: $GITLAB_SHELL_CUSTOM_HOOKS_DIR|g" \ ${GITLAB_SHELL_CONFIG} fi } configure_gitlab_pages() { if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then echo "Configuring gitlab-pages..." cat > /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf </dev/null fi # migrate database if the gitlab version has changed. CACHE_VERSION= [[ -f ${GITLAB_TEMP_DIR}/VERSION ]] && CACHE_VERSION=$(cat ${GITLAB_TEMP_DIR}/VERSION) if [[ ${GITLAB_VERSION} != ${CACHE_VERSION} ]]; then ## version check, only upgrades are allowed if [[ -n ${CACHE_VERSION} && $(vercmp ${GITLAB_VERSION} ${CACHE_VERSION}) -lt 0 ]]; then echo echo "ERROR: " echo " Cannot downgrade from GitLab version ${CACHE_VERSION} to ${GITLAB_VERSION}." echo " Only upgrades are allowed. Please use sameersbn/gitlab:${CACHE_VERSION} or higher." echo " Cannot continue. Aborting!" echo return 1 fi if [[ $(vercmp ${GITLAB_VERSION} 8.0.0) -gt 0 ]]; then if [[ -n ${CACHE_VERSION} && $(vercmp ${CACHE_VERSION} 8.0.0) -lt 0 ]]; then echo echo "ABORT: " echo " Upgrading to GitLab ${GITLAB_VERSION} from ${CACHE_VERSION} is not recommended." echo " Please upgrade to version 8.0.5-1 before upgrading to 8.1.0 or higher." echo " Refer to https://git.io/vur4j for CI migration instructions." echo " Aborting for your own safety!" echo return 1 fi fi echo "Migrating database..." 
exec_as_git bundle exec rake db:migrate >/dev/null
# record the migrated version so the next start skips db:migrate
echo "${GITLAB_VERSION}" > ${GITLAB_TEMP_DIR}/VERSION
rm -rf ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT # force cache cleanup
fi

# clear cache if relative_url has changed.
# The marker file holds the relative url root used at the previous start; a
# missing marker (first run, or removed above after a migration) also clears.
[[ -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT ]] && CACHE_GITLAB_RELATIVE_URL_ROOT=$(cat ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT)
if [[ ! -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT || ${GITLAB_RELATIVE_URL_ROOT} != ${CACHE_GITLAB_RELATIVE_URL_ROOT} ]]; then
  echo "Clearing cache..."
  exec_as_git bundle exec rake cache:clear >/dev/null 2>&1
  echo "${GITLAB_RELATIVE_URL_ROOT}" > ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT
fi
}

# Runs a GitLab rake task as the git user.
# $1 is the task name (required); any further arguments are passed on to rake.
# gitlab:backup:create and gitlab:backup:restore first start supervisord so the
# gitlab process groups can be stopped; gitlab:import:repos sanitizes the data
# directory first. Returns 1 when no task is given or no usable backup is chosen.
execute_raketask() {
  if [[ -z ${1} ]]; then
    echo "Please specify the rake task to execute. See https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks"
    return 1
  fi

  if [[ ${1} == gitlab:backup:create ]]; then
    /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
    supervisorctl stop gitlab_extensions:*
    supervisorctl stop gitlab:*
  fi

  if [[ ${1} == gitlab:backup:restore ]]; then
    /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
    supervisorctl stop gitlab_extensions:*
    supervisorctl stop gitlab:*

    # non-interactive when the caller already passed BACKUP=<timestamp>
    # NOTE(review): $@ is unquoted here and below, so an argument containing
    # whitespace would be split — confirm whether any caller relies on that.
    interactive=true
    for arg in $@
    do
      if [[ $arg == BACKUP=* ]]; then
        interactive=false
        break
      fi
    done

    # user needs to select the backup to restore
    if [[ $interactive == true ]]; then
      nBackups=$(ls ${GITLAB_BACKUP_DIR}/*_gitlab_backup.tar | wc -l)
      if [[ $nBackups -eq 0 ]]; then
        echo "No backup present. Cannot continue restore process.".
        return 1
      fi

      echo
      # Backup file names start with the creation timestamp (epoch seconds);
      # ${b%%_*_gitlab_backup.tar} strips everything after it for display.
      for b in $(ls ${GITLAB_BACKUP_DIR} | grep _gitlab_backup | sort -r)
      do
        echo "‣ $b (created at $(date --date="@${b%%_*_gitlab_backup.tar}" +'%d %b, %G - %H:%M:%S %Z'))"
      done
      echo

      # needs an interactive terminal (the container must be run with -it)
      read -p "Select a backup to restore: " file
      if [[ -z ${file} ]]; then
        echo "Backup not specified. Exiting..."
        return 1
      fi
      if [[ ! -f ${GITLAB_BACKUP_DIR}/${file} ]]; then
        echo "Specified backup does not exist. Aborting..."
        return 1
      fi
      # rake expects only the leading timestamp part of the file name
      BACKUP=${file%%_gitlab_backup.tar}
    fi
  elif [[ ${1} == gitlab:import:repos ]]; then
    # sanitize the datadir to avoid permission issues
    sanitize_datadir
  fi

  echo "Running raketask ${1}..."
  exec_as_git bundle exec rake $@ ${BACKUP:+BACKUP=$BACKUP}
}

# Generates a self-signed RSA key pair under the directory of
# GITLAB_REGISTRY_KEY_PATH when GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES
# is true; the certificate name is derived from the key name ("key" -> "crt").
# Each artifact (password_file, registry.csr, key, certificate) is reused when
# it already exists, so the function can run on every start.
# NOTE(review): the artifacts are checked individually; a directory where only
# some of them were removed (e.g. password_file deleted but privkey.pem kept)
# would make the "openssl rsa" step fail — confirm whether that needs handling.
# NOTE(review): password_file and privkey.pem (the encrypted key written by
# "openssl req -newkey") stay in $DIRECTORY; nothing visible here removes them.
# Returns 1 when GITLAB_REGISTRY_KEY_PATH is empty. The function body continues
# past the end of this block.
generate_registry_certificates() {
  if [[ ${GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES} == true ]]; then
    echo 'Generating GitLab Registry internal certificates for communication between Gitlab and a Docker Registry'
    PREVIOUS_DIRECTORY=$(pwd)

    # Get directory from cert file path
    if [[ -z $GITLAB_REGISTRY_KEY_PATH ]]; then
      echo "\$GITLAB_REGISTRY_KEY_PATH is empty"
      return 1
    fi
    DIRECTORY=$(dirname "$GITLAB_REGISTRY_KEY_PATH")
    echo "Registry internal certificates will be generated in directory: $DIRECTORY"

    # Make certs directory if it doesn't exists
    mkdir -p "$DIRECTORY"

    # Go to the temporary directory
    cd "$DIRECTORY" || return

    # Get key filename
    KEY_FILENAME=$(basename "$GITLAB_REGISTRY_KEY_PATH")
    echo "Registry internal key filename: $KEY_FILENAME"

    # Generate cert filename, by default, in same directory as $KEY_FILENAME, with same name, but with extension .crt
    # (sed replaces the first occurrence of "key" in the name)
    CERT_FILENAME=$(echo "$KEY_FILENAME" | sed "s|key|crt|" -)
    echo "Registry internal cert filename: $CERT_FILENAME"

    # Generate a random password password_file used in the next commands
    if [[ -f password_file ]] ; then
      echo "password_file exists"
    else
      openssl rand -hex -out password_file 32
    fi

    # Create a PKCS#10 certificate request
    # (the new 4096-bit key is written encrypted to privkey.pem; the CSR goes to registry.csr)
    echo "Generating internal certificate request"
    if [[ -f registry.csr ]] ; then
      echo "registry.csr exists"
    else
      openssl req -new -passout file:password_file -newkey rsa:4096 -batch > registry.csr
    fi

    # Process RSA key
    # (decrypt privkey.pem into the unencrypted key file GitLab will read)
    echo "Processing RSA internal key"
    if [[ -f $KEY_FILENAME ]] ; then
      echo "$KEY_FILENAME exists"
    else
      openssl rsa -passin file:password_file -in privkey.pem -out "$KEY_FILENAME"
    fi

    # Generate certificate
    echo "Generating internal certificate"
    if [[ -f $CERT_FILENAME ]] ; then
      echo "$CERT_FILENAME exists"
    else
      openssl x509
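-in registry.csr -out "$CERT_FILENAME" -req -signkey "$KEY_FILENAME" -days 10000
    fi

    chown -R ${GITLAB_USER}: ${DIRECTORY}
    cd ${PREVIOUS_DIRECTORY}
  fi
}

================================================
FILE: assets/runtime/scripts/configure_feature_flags.rb
================================================
#!/usr/bin/env ruby
require "optparse"
require "set"

# sameersbn/docker-gitlab
# Ruby script to configure feature flags via CLI
# Intended to be executed in the context of Rails Runner of Gitlab application
# (to get valid "Feature" module, defined in (gitlab root)/lib/feature.rb)
# https://guides.rubyonrails.org/command_line.html#bin-rails-runner
# bundle exec rails runner -- --enable --disable

class FeatureFlagCLI
  # Returns the names of all feature flags defined in this GitLab checkout.
  # Definitions live as one YAML file per flag under config/feature_flags/
  # (and ee/config/feature_flags/ on EE); the flag name is the file basename.
  # Gitlab.root / Gitlab.ee? come from the Rails runner context (see header).
  def available_feature_flags()
    feature_flag_yamls = Dir.glob("#{Gitlab.root}/config/feature_flags/**/*.yml")
    # The EE definitions are appended before the names are extracted, so
    # EE-only flags are part of the returned list.
    if Gitlab.ee?
      feature_flag_yamls.concat(Dir.glob("#{Gitlab.root}/ee/config/feature_flags/**/*.yml"))
    end
    feature_flag_yamls.map { |p| File.basename(p, File.extname(p)) }
  end

  # Parses argv and returns [succeed, opts, args]:
  #   succeed - false when an unknown option or a missing argument was seen
  #             (the error and the usage are printed; args is then nil)
  #   opts    - { to_be_disabled: [...], to_be_enabled: [...] }, each list
  #             de-duplicated, in the order given on the command line
  #   args    - the non-option arguments that were left over
  def parse_options(argv = ARGV)
    op = OptionParser.new
    opts = {
      to_be_disabled: [],
      to_be_enabled: [],
      # TODO support "opt out", "opt out removed"
      # to_be_opted_out: [],
      # opt_out_removed: [],
    }
    op.on("-d", "--disable feature_a,feature_b,feature_c", Array,
          "comma-separated list of feature flags to be disabled (defaults: #{opts[:to_be_disabled]})") { |v|
      opts[:to_be_disabled] = v.uniq
      puts "- Specified feature flags to be disabled"
      # format() given a hash needs a named reference (%<name>s), not a bare %s
      puts opts[:to_be_disabled].map { |f| format("--- %<name>s", name: f) }
    }
    op.on("-e", "--enable feature_a,feature_b,feature_c", Array,
          "comma-separated list of feature flags to be enabled (defaults: #{opts[:to_be_enabled]})") { |v|
      opts[:to_be_enabled] = v.uniq
      puts "- Specified feature flags to be enabled"
      puts opts[:to_be_enabled].map { |f| format("--- %<name>s", name: f) }
    }
    begin
      args = op.parse(argv)
      succeed = true
    rescue OptionParser::InvalidOption, OptionParser::MissingArgument => e
      puts e.message
      puts op.help
      succeed = false
    end
    [succeed, opts, args]
  end

  # Applies the requested changes and returns Feature.all.
  # Only names present in available_feature_flags reach Feature.disable /
  # Feature.enable; the remaining names are printed and ignored. When option
  # parsing failed nothing is changed.
  def run
    succeed, opts, args = parse_options
    if succeed
      available_flags = self.available_feature_flags
      disable_targets = available_flags & opts[:to_be_disabled]
      enable_targets = available_flags & opts[:to_be_enabled]
      disable_targets.each do |feature|
        Feature.disable(feature)
      end
      enable_targets.each do |feature|
        Feature.enable(feature)
      end
      invalid_enable_targets = opts[:to_be_enabled] - enable_targets
      invalid_disable_targets = opts[:to_be_disabled] - disable_targets
      invalid_targets = invalid_disable_targets | invalid_enable_targets
      if invalid_targets.length > 0
        puts "- Following flags are probably invalid and have been ignored"
        puts invalid_targets.map { |f| format("--- %<name>s", name: f) }
      end
    end
    Feature.all
  end
end

features = FeatureFlagCLI.new.run
# two named references: a bare "%s : %s" with a hash argument raises ArgumentError
puts features.map { |f|
  format("- feature %<name>s : %<state>s", name: f.name, state: f.state)
}

================================================
FILE: contrib/docker-swarm/docker-compose.yml
================================================
services:
  redis:
    restart: always
    image: redis:7
    command:
      - --loglevel warning
    volumes:
      - /srv/docker/gitlab/redis:/var/lib/redis:Z

  postgresql:
    restart: always
    image: kkimurak/sameersbn-postgresql:16
    volumes:
      - /srv/docker/gitlab/postgresql:/var/lib/postgresql:Z
    environment:
      - DB_USER=gitlab
      - DB_PASS=password
      - DB_NAME=gitlabhq_production
      - DB_EXTENSION=pg_trgm

  gitlab:
    restart: always
    image: sameersbn/gitlab:18.9.2
    depends_on:
      - redis
      - postgresql
    ports:
      - "10080:80"
      - "10022:22"
    volumes:
      - /srv/docker/gitlab/gitlab:/home/git/data:Z
    configs:
      - gitlab-configs
    secrets:
      - gitlab-secrets
    environment:
      - DEBUG=false
      - DB_ADAPTER=postgresql
      - DB_HOST=postgresql
      - DB_PORT=5432
      - DB_USER=gitlab
      - DB_PASS=password
      - DB_NAME=gitlabhq_production
      - REDIS_HOST=redis
      - REDIS_PORT=6379
      - TZ=Asia/Kolkata
      - GITLAB_TIMEZONE=Kolkata
      - GITLAB_HTTPS=false
      - SSL_SELF_SIGNED=false
      - GITLAB_HOST=localhost
      - GITLAB_PORT=10080
      - GITLAB_SSH_PORT=10022
      - GITLAB_RELATIVE_URL_ROOT=
      - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
      - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
      - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
      - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alphanumeric-string"]
      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alphanumeric-string"]
      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string
      - GITLAB_ROOT_PASSWORD=
      - GITLAB_ROOT_EMAIL=
      - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
      - GITLAB_NOTIFY_PUSHER=false
      - GITLAB_EMAIL=notifications@example.com
      - GITLAB_EMAIL_REPLY_TO=noreply@example.com
      - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com
      - GITLAB_BACKUP_SCHEDULE=daily
      - GITLAB_BACKUP_TIME=01:00
      -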
SMTP_ENABLED=false - SMTP_DOMAIN=www.example.com - SMTP_HOST=smtp.gmail.com - SMTP_PORT=587 - SMTP_USER=mailer@example.com - SMTP_PASS=password - SMTP_STARTTLS=true - SMTP_AUTHENTICATION=login - IMAP_ENABLED=false - IMAP_HOST=imap.gmail.com - IMAP_PORT=993 - IMAP_USER=mailer@example.com - IMAP_PASS=password - IMAP_SSL=true - IMAP_STARTTLS=false - OAUTH_ENABLED=false - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER= - OAUTH_ALLOW_SSO= - OAUTH_BLOCK_AUTO_CREATED_USERS=true - OAUTH_AUTO_LINK_LDAP_USER=false - OAUTH_AUTO_LINK_SAML_USER=false - OAUTH_EXTERNAL_PROVIDERS= - OAUTH_ALLOW_BYPASS_TWO_FACTOR=false - OAUTH_CAS3_LABEL=cas3 - OAUTH_CAS3_SERVER= - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false - OAUTH_CAS3_LOGIN_URL=/cas/login - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate - OAUTH_CAS3_LOGOUT_URL=/cas/logout - OAUTH_GOOGLE_API_KEY= - OAUTH_GOOGLE_APP_SECRET= - OAUTH_GOOGLE_RESTRICT_DOMAIN= - OAUTH_FACEBOOK_API_KEY= - OAUTH_FACEBOOK_APP_SECRET= - OAUTH_TWITTER_API_KEY= - OAUTH_TWITTER_APP_SECRET= - OAUTH_GITHUB_API_KEY= - OAUTH_GITHUB_APP_SECRET= - OAUTH_GITHUB_URL= - OAUTH_GITHUB_VERIFY_SSL= - OAUTH_GITLAB_API_KEY= - OAUTH_GITLAB_APP_SECRET= - OAUTH_BITBUCKET_API_KEY= - OAUTH_BITBUCKET_APP_SECRET= - OAUTH_BITBUCKET_URL= - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= - OAUTH_SAML_IDP_CERT_FINGERPRINT= - OAUTH_SAML_IDP_SSO_TARGET_URL= - OAUTH_SAML_ISSUER= - OAUTH_SAML_LABEL="Our SAML Provider" - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient - OAUTH_SAML_GROUPS_ATTRIBUTE= - OAUTH_SAML_EXTERNAL_GROUPS= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME= - OAUTH_CROWD_SERVER_URL= - OAUTH_CROWD_APP_NAME= - OAUTH_CROWD_APP_PASSWORD= - OAUTH_AUTH0_CLIENT_ID= - OAUTH_AUTH0_CLIENT_SECRET= - OAUTH_AUTH0_DOMAIN= - OAUTH_AUTH0_SCOPE= - OAUTH2_GENERIC_APP_ID= - OAUTH2_GENERIC_APP_SECRET= - 
OAUTH2_GENERIC_CLIENT_SITE= - OAUTH2_GENERIC_CLIENT_USER_INFO_URL= - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL= - OAUTH2_GENERIC_CLIENT_TOKEN_URL= - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT= - OAUTH2_GENERIC_ID_PATH= - OAUTH2_GENERIC_USER_UID= - OAUTH2_GENERIC_USER_NAME= - OAUTH2_GENERIC_USER_EMAIL= - OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE= - OAUTH2_GENERIC_LABEL= - OAUTH2_GENERIC_NAME= - OAUTH_AZURE_API_KEY= - OAUTH_AZURE_API_SECRET= - OAUTH_AZURE_TENANT_ID= configs: gitlab-configs: file: ./gitlab.configs secrets: gitlab-secrets: file: ./gitlab.secrets ================================================ FILE: contrib/docker-swarm/gitlab.configs ================================================ # config file to be sourced on startup - will over-ride any env set in the docker-compose.yml TEST=none ================================================ FILE: contrib/docker-swarm/gitlab.secrets ================================================ # config file to be sourced on startup - will over-ride any env set in the docker-compose.yml LDAP_ENABLED=true LDAP_LABEL="LDAP login" LDAP_HOST=pool.ldap.example.com LDAP_PORT=3268 LDAP_BIND_DN=the-ldap LDAP_PASS=no-not-really LDAP_BASE=ou=People,dc=example,dc=com #LDAP_LOWERCASE_USERNAMES=true ##LDAP_USER_FILTER=uid={login} ##LDAP_UID= # ================================================ FILE: contrib/expose-gitlab-ssh-port.sh ================================================ #!/usr/bin/env bash set -ev GITLAB_USERGROUP=${GITLAB_USERGROUP:-1010} GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-9922} if ! id -u git >> /dev/null 2>&1; then groupadd -g ${GITLAB_USERGROUP} git useradd -m -u ${GITLAB_USERGROUP} -g git -s /bin/sh -d /home/git git fi su git -c "mkdir -p /home/git/.ssh/" su git -c "if [ ! 
-f /home/git/.ssh/id_ed25519 ]; then ssh-keygen -t ed25519 -N \"\" -f /home/git/.ssh/id_ed25519; fi" su git -c "if [ -f /home/git/.ssh/id_ed25519.pub ]; then mv /home/git/.ssh/id_ed25519.pub /home/git/.ssh/authorized_keys_proxy; fi" mkdir -p /home/git/gitlab-shell/bin/ rm -f /home/git/gitlab-shell/bin/gitlab-shell tee -a /home/git/gitlab-shell/bin/gitlab-shell > /dev/null <= 2.4 - [Docker GitLab](https://github.com/sameersbn/docker-gitlab) >= 8.8.5-1 ## Installation ### Setup with Nginx as Reverse Proxy We assume that you already have Nginx installed on your host system and that you use a reverse proxy configuration to connect to your GitLab container. In this example we use a dedicated domain for the registry. The URLs for the GitLab installation and the registry are: - git.example.com - registry.example.com > Note: You could also run everything on the same domain and use different ports > instead. The required configuration changes below should be straightforward. #### Create auth tokens GitLab needs a certificate ("auth token") to talk to the registry API. The tokens must be provided in the `/certs` directory of your container. You could use an existing domain certificate or create your own with a very long lifetime like this: ```bash mkdir certs cd certs # Generate a random password password_file used in the next commands openssl rand -hex -out password_file 32 # Create a PKCS#10 certificate request openssl req -new -passout file:password_file -newkey rsa:4096 -batch > registry.csr # Convert RSA key openssl rsa -passin file:password_file -in privkey.pem -out registry.key # Generate certificate openssl x509 -in registry.csr -out registry.crt -req -signkey registry.key -days 10000 ``` It doesn't matter which details (domain name, etc.) you enter during key creation. This information is not used at all. #### Update docker-compose.yml > [!important] > Docker Registry v3 is currently not compatible with the JWT tokens signed by GitLab. 
> The example below uses `registry:2` to avoid issues in validating the token. > > Alternatively, you can generate a JWKS file and specify it as `REGISTRY_AUTH_TOKEN_JWKS` > to run `registry:latest`. Further information can be found [here](https://github.com/cesanta/docker_auth/issues/386). First add the configuration for the registry container to your `docker-compose.yml`. ```yaml registry: image: registry:2 restart: always expose: - "5000" ports: - "5000:5000" volumes: - ./gitlab/shared/registry:/registry - ./certs:/certs environment: - REGISTRY_LOG_LEVEL=info - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry - REGISTRY_AUTH_TOKEN_REALM=https://git.example.com/jwt/auth - REGISTRY_AUTH_TOKEN_SERVICE=container_registry - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry.crt - REGISTRY_STORAGE_DELETE_ENABLED=true ``` > **Important:** > > 1. Don't change `REGISTRY_AUTH_TOKEN_SERVICE`. It must have > `container_registry` as value. > 2. `REGISTRY_AUTH_TOKEN_REALM` must look like > `https://git.example.com/jwt/auth`. So the endpoint must be `/jwt/auth`. > > These configuration options are required by the GitLab Container Registry. Then update the `volumes` and `environment` sections of your `gitlab` container: ```yaml gitlab: environment: # ... 
# Registry
- GITLAB_REGISTRY_ENABLED=true
- GITLAB_REGISTRY_HOST=registry.example.com
- GITLAB_REGISTRY_PORT=443
- GITLAB_REGISTRY_API_URL=http://registry:5000
- GITLAB_REGISTRY_KEY_PATH=/certs/registry.key
volumes:
- ./gitlab:/home/git/data
- ./certs:/certs
```

#### Nginx Site Configuration

Note that the example below still allows `TLSv1` and `TLSv1.1` and the `DES-CBC3-SHA` cipher suites, all of which are deprecated; on a production host restrict `ssl_protocols` to `TLSv1.2` or newer and drop the 3DES suites from `ssl_ciphers`.

```nginx
server {
  root /dev/null;
  server_name registry.example.com;
  charset UTF-8;
  access_log /var/log/nginx/registry.example.com.access.log;
  error_log /var/log/nginx/registry.example.com.error.log;

  # Set up SSL only connections:
  listen *:443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/registry.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/registry.example.com/privkey.pem;
  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_session_timeout 5m;

  client_max_body_size 0;
  chunked_transfer_encoding on;

  location / {
    proxy_set_header Host $http_host; # required for docker client's sake
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 900;
    proxy_pass http://localhost:5000;
  }
}

server {
  listen *:80;
  server_name registry.example.com;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://$http_host:$request_uri;
}
```

## Configuration

### Available Parameters

Here is an example of all configuration parameters that can be used in the GitLab container.

```yml
...
gitlab:
  ...
environment: - GITLAB_REGISTRY_ENABLED=true - GITLAB_REGISTRY_HOST=registry.gitlab.example.com - GITLAB_REGISTRY_API_URL=http://registry:5000 - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key - GITLAB_REGISTRY_ISSUER=gitlab-issuer - SSL_REGISTRY_KEY_PATH=/certs/registry.key - SSL_REGISTRY_CERT_PATH=/certs/registry.crt ``` where: | Parameter | Description | | --------- | ----------- | | `GITLAB_REGISTRY_ENABLED` | `true` or `false`. Enables the Registry in GitLab. By default this is `false`. | | `GITLAB_REGISTRY_HOST` | The host URL under which the Registry will run and the users will be able to use. | | `GITLAB_REGISTRY_PORT` | The port under which the external Registry domain will listen on. | | `GITLAB_REGISTRY_API_URL` | The internal API URL under which the Registry is exposed to. | | `GITLAB_REGISTRY_KEY_PATH`| The private key location that is a pair of Registry's `rootcertbundle`. Read the [token auth configuration documentation][token-config]. | | `GITLAB_REGISTRY_PATH` | This should be the same directory like specified in Registry's `rootdirectory`. Read the [storage configuration documentation][storage-config]. This path needs to be readable by the GitLab user, the web-server user and the Registry user *if you use filesystem as storage configuration*. Read more in [#container-registry-storage-path](#container-registry-storage-path). | | `GITLAB_REGISTRY_ISSUER` | This should be the same value as configured in Registry's `issuer`. Otherwise the authentication will not work. For more info read the [token auth configuration documentation][token-config]. | | `SSL_REGISTRY_KEY_PATH` | The private key of the `SSL_REGISTRY_CERT_PATH`. This will be later used in nginx to proxy your registry via https. | | `SSL_REGISTRY_CERT_PATH` | The certificate for the private key of `SSL_REGISTRY_KEY_PATH`. This will be later used in nginx to proxy your registry via https. 
| For more info look at [Available Configuration Parameters](https://github.com/sameersbn/docker-gitlab#available-configuration-parameters). A minimum set of these parameters are required to use the GitLab Container Registry feature. ```yml ... gitlab: environment: - GITLAB_REGISTRY_ENABLED=true - GITLAB_REGISTRY_HOST=registry.gitlab.example.com - GITLAB_REGISTRY_API_URL=http://registry:5000 - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key - GITLAB_REGISTRY_ISSUER=gitlab-issuer ... ``` ### Container Registry storage driver You can configure the Container Registry to use a different storage backend by configuring a different storage driver. By default the GitLab Container Registry is configured to use the filesystem driver, which makes use of [storage path](#container-registry-storage-path) configuration. These configurations will all be done in the registry container. The different supported drivers are: | Driver | Description | |------------|-------------------------------------| | filesystem | Uses a path on the local filesystem | | azure | Microsoft Azure Blob Storage | | gcs | Google Cloud Storage | | s3 | Amazon Simple Storage Service | | swift | OpenStack Swift Object Storage | | oss | Aliyun OSS | Read more about the individual driver's config options in the [Docker Registry docs][storage-config]. > **Warning** GitLab will not backup Docker images that are not stored on the filesystem. Remember to enable backups with your object storage provider if desired. > > If you use **filesystem** as storage driver you need to mount the path from `GITLAB_REGISTRY_DIR` of the GitLab container in the registry container. So both container can access the registry data. > If you don't change `GITLAB_REGISTRY_DIR` you will find your registry data in the mounted volume from the GitLab Container under `./gitlab/shared/registry`. This don't need to be separated mounted because `./gitlab` is already mounted in the GitLab Container. 
> If it is mounted separately, restoring a GitLab backup will fail: GitLab tries to create a folder under `./gitlab/shared/registry` / `GITLAB_REGISTRY_DIR`, and it cannot delete or remove a mount point inside the container, so the restore process aborts.
> An example of how this works is in the `docker-compose` file.

#### Example for Amazon Simple Storage Service (s3)

If you want to configure your registry via `/etc/docker/registry/config.yml`, the storage part should look like the snippet below.

```yaml
storage:
  s3:
    accesskey: 'AKIAKIAKI'
    secretkey: 'secret123'
    bucket: 'gitlab-registry-bucket-AKIAKIAKI'
  cache:
    blobdescriptor: inmemory
  delete:
    enabled: true
```

```yaml
...
registry:
  restart: always
  image: registry:2.8.3
  volumes:
    - ./certs:/certs
  environment:
    - REGISTRY_LOG_LEVEL=info
    - REGISTRY_AUTH_TOKEN_REALM=https://gitlab.example.com:10080/jwt/auth
    - REGISTRY_AUTH_TOKEN_SERVICE=container_registry
    - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer
    - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt
    - REGISTRY_STORAGE_S3_ACCESSKEY=AKIAKIAKI
    - REGISTRY_STORAGE_S3_SECRETKEY=secret123
    - REGISTRY_STORAGE_S3_BUCKET=gitlab-registry-bucket-AKIAKIAKI
    - REGISTRY_CACHE_BLOBDESCRIPTOR=inmemory
    - REGISTRY_STORAGE_DELETE_ENABLED=true
```

For more information about the configuration of the registry container, see the [registry configuration](https://docs.docker.com/registry/configuration) documentation.

### Storage limitations

Currently, there is no storage limitation, which means a user can upload an unlimited number of Docker images of arbitrary size. This setting will be configurable in future releases.

## Maintenance

If you use a storage configuration other than filesystem, it has no impact on your maintenance workflow.

### Creating Backups

Creating backups works the same as without a container registry. I would recommend stopping your registry container.
```bash
docker stop registry gitlab && docker rm registry gitlab
```

Execute the rake task with a removable container.

```bash
docker run --name gitlab -it --rm [OPTIONS] \
  sameersbn/gitlab:18.9.2 app:rake gitlab:backup:create
```

### Restoring Backups

GitLab also defines a rake task to restore a backup. Before performing a restore, make sure the container is stopped and removed to avoid container name conflicts.

```bash
docker stop registry gitlab && docker rm registry gitlab
```

Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`.

```bash
docker run --name gitlab -it --rm [OPTIONS] \
  sameersbn/gitlab:18.9.2 app:rake gitlab:backup:restore
```

The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue.

To avoid user interaction in the restore operation, specify the timestamp of the backup using the `BACKUP` argument to the rake task.

```bash
docker run --name gitlab -it --rm [OPTIONS] \
  sameersbn/gitlab:18.9.2 app:rake gitlab:backup:restore BACKUP=1417624827
```

## Upgrading from an existing GitLab installation

If you want to enable this feature for an existing instance of GitLab, you need to do the following steps.

- **Step 1**: Update the docker image.

  ```bash
  docker pull sameersbn/gitlab:18.9.2
  ```

- **Step 2**: Stop and remove the currently running image

  ```bash
  docker stop gitlab && docker rm gitlab
  ```

- **Step 3**: Create a backup

  ```bash
  docker run --name gitlab -it --rm [OPTIONS] \
    sameersbn/gitlab:x.x.x app:rake gitlab:backup:create
  ```

- **Step 4**: Create a certs folder

  Create an authentication certificate with [Generating certificate for authentication with the registry](#generating-certificate-for-authentication-with-the-registry).

- **Step 5**: Create a registry instance

  > **Important Notice**
  >
  > Storage of the registry must be mounted from GitLab.
> GitLab must have the container of the registry storage folder to be able to create and restore backups ```bash docker run --name registry -d \ --restart=always \ -v /srv/gitlab/shared/registry:/registry \ -v ./certs:/certs \ --env 'REGISTRY_LOG_LEVEL=info' \ --env 'REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry' \ --env 'REGISTRY_AUTH_TOKEN_REALM=http://gitlab.example.com/jwt/auth' \ --env 'REGISTRY_AUTH_TOKEN_SERVICE=container_registry' \ --env 'REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer' \ --env 'REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt' \ --env 'REGISTRY_STORAGE_DELETE_ENABLED=true' \ registry:2.8.3 ``` - **Step 6**: Start the image ```bash docker run --name gitlab -d [PREVIOUS_OPTIONS] \ -v /srv/gitlab/certs:/certs \ --env 'SSL_REGISTRY_CERT_PATH=/certs/registry.crt' \ --env 'SSL_REGISTRY_KEY_PATH=/certs/registry.key' \ --env 'GITLAB_REGISTRY_ENABLED=true' \ --env 'GITLAB_REGISTRY_HOST=registry.gitlab.example.com' \ --env 'GITLAB_REGISTRY_API_URL=http://registry:5000/' \ --env 'GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt' \ --env 'GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key' \ --link registry:registry sameersbn/gitlab:18.9.2 ``` [storage-config]: https://docs.docker.com/registry/configuration/#storage [token-config]: https://docs.docker.com/registry/configuration/#token ================================================ FILE: docs/docker-compose-keycloak.yml ================================================ services: redis: restart: always image: redis:7 command: - --loglevel warning volumes: - redis-data:/var/lib/redis:Z postgresql: restart: always image: kkimurak/sameersbn-postgresql:16 volumes: - postgresql-data:/var/lib/postgresql:Z environment: - DB_USER=gitlab - DB_PASS=password - DB_NAME=gitlabhq_production - DB_EXTENSION=pg_trgm,btree_gist gitlab: restart: always image: sameersbn/gitlab:18.9.2 depends_on: - redis - postgresql ports: - "10080:80" - "10022:22" volumes: - gitlab-data:/home/git/data:Z environment: - 
DEBUG=false - DB_ADAPTER=postgresql - DB_HOST=postgresql - DB_PORT=5432 - DB_USER=gitlab - DB_PASS=password - DB_NAME=gitlabhq_production - REDIS_HOST=redis - REDIS_PORT=6379 - TZ=Asia/Kolkata - GITLAB_TIMEZONE=Kolkata - GITLAB_HTTPS=false - SSL_SELF_SIGNED=false - GITLAB_HOST='' - GITLAB_PORT=10080 - GITLAB_SSH_PORT=10022 - GITLAB_RELATIVE_URL_ROOT= - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true - GITLAB_NOTIFY_PUSHER=false - GITLAB_EMAIL=notifications@example.com - GITLAB_EMAIL_REPLY_TO=noreply@example.com - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com - GITLAB_BACKUP_SCHEDULE=daily - GITLAB_BACKUP_TIME=01:00 - SMTP_ENABLED=false - SMTP_DOMAIN=www.example.com - SMTP_HOST=smtp.gmail.com - SMTP_PORT=587 - SMTP_USER=mailer@example.com - SMTP_PASS=password - SMTP_STARTTLS=true - SMTP_AUTHENTICATION=login - IMAP_ENABLED=false - IMAP_HOST=imap.gmail.com - IMAP_PORT=993 - IMAP_USER=mailer@example.com - IMAP_PASS=password - IMAP_SSL=true - IMAP_STARTTLS=false - OAUTH_ENABLED=true - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=Keycloak - OAUTH_ALLOW_SSO=Keycloak - OAUTH_BLOCK_AUTO_CREATED_USERS=false - OAUTH_AUTO_LINK_LDAP_USER=false - OAUTH_AUTO_LINK_SAML_USER=false - OAUTH_EXTERNAL_PROVIDERS=Keycloak - OAUTH_CAS3_LABEL=cas3 - OAUTH_CAS3_SERVER= - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false - OAUTH_CAS3_LOGIN_URL=/cas/login - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate - OAUTH_CAS3_LOGOUT_URL=/cas/logout - OAUTH_GOOGLE_API_KEY= - OAUTH_GOOGLE_APP_SECRET= - OAUTH_GOOGLE_RESTRICT_DOMAIN= - OAUTH_FACEBOOK_API_KEY= - OAUTH_FACEBOOK_APP_SECRET= - OAUTH_TWITTER_API_KEY= - OAUTH_TWITTER_APP_SECRET= - OAUTH_GITHUB_API_KEY= - OAUTH_GITHUB_APP_SECRET= - OAUTH_GITHUB_URL= - 
OAUTH_GITHUB_VERIFY_SSL= - OAUTH_GITLAB_API_KEY= - OAUTH_GITLAB_APP_SECRET= - OAUTH_BITBUCKET_API_KEY= - OAUTH_BITBUCKET_APP_SECRET= - OAUTH_BITBUCKET_URL= - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= - OAUTH_SAML_IDP_CERT_FINGERPRINT= - OAUTH_SAML_IDP_SSO_TARGET_URL= - OAUTH_SAML_ISSUER= - OAUTH_SAML_LABEL="Our SAML Provider" - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient - OAUTH_SAML_GROUPS_ATTRIBUTE= - OAUTH_SAML_EXTERNAL_GROUPS= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME= - OAUTH_CROWD_SERVER_URL= - OAUTH_CROWD_APP_NAME= - OAUTH_CROWD_APP_PASSWORD= - OAUTH_AUTH0_CLIENT_ID= - OAUTH_AUTH0_CLIENT_SECRET= - OAUTH_AUTH0_DOMAIN= - OAUTH_AUTH0_SCOPE= - OAUTH_AZURE_API_KEY= - OAUTH_AZURE_API_SECRET= - OAUTH_AZURE_TENANT_ID= - OAUTH2_GENERIC_APP_ID=git - OAUTH2_GENERIC_APP_SECRET= - OAUTH2_GENERIC_CLIENT_SITE=http://:10081 - OAUTH2_GENERIC_CLIENT_USER_INFO_URL=http://:10081/auth/realms/master/protocol/openid-connect/userinfo - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=http://:10081/auth/realms/master/protocol/openid-connect/auth - OAUTH2_GENERIC_CLIENT_TOKEN_URL=http://:10081/auth/realms/master/protocol/openid-connect/token - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=http://:10081/auth/realms/master/protocol/openid-connect/logout - OAUTH2_GENERIC_ID_PATH=sub - OAUTH2_GENERIC_USER_UID=sub - OAUTH2_GENERIC_USER_NAME=preferred_username - OAUTH2_GENERIC_USER_EMAIL=email - OAUTH2_GENERIC_NAME=Keycloak keycloak: restart: always image: jboss/keycloak:8.0.1 ports: - "10081:8080" environment: - DEBUG=false - KEYCLOAK_PASSWORD=admin - KEYCLOAK_USER=admin volumes: redis-data: postgresql-data: gitlab-data: ================================================ FILE: docs/docker-compose-registry.yml ================================================ services: redis: restart: always 
image: redis:7 command: - --loglevel warning volumes: - redis:/var/lib/redis:Z postgresql: restart: always image: kkimurak/sameersbn-postgresql:16 volumes: - postgresql:/var/lib/postgresql:Z environment: - DB_USER=gitlab - DB_PASS=password - DB_NAME=gitlabhq_production - DB_EXTENSION=pg_trgm,btree_gist gitlab: restart: always image: sameersbn/gitlab:18.9.2 volumes: - gitlab-data:/home/git/data:Z - gitlab-logs:/var/log/gitlab - ./certs:/certs depends_on: - redis - postgresql ports: - "80:80" - "10022:22" external_links: - "registry:registry.example.com" environment: - DEBUG=false - DB_ADAPTER=postgresql - DB_HOST=postgresql - DB_PORT=5432 - DB_USER=gitlab - DB_PASS=password - DB_NAME=gitlabhq_production - REDIS_HOST=redis - REDIS_PORT=6379 - GITLAB_HTTPS=false - SSL_SELF_SIGNED=false - GITLAB_HOST=gitlab.example.com - GITLAB_PORT=80 - GITLAB_SSH_PORT=10022 - GITLAB_RELATIVE_URL_ROOT= - GITLAB_SECRETS_DB_KEY_BASE=secret - GITLAB_SECRETS_SECRET_KEY_BASE=secret - GITLAB_SECRETS_OTP_KEY_BASE=secret - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=secret - GITLAB_REGISTRY_ENABLED=true - GITLAB_REGISTRY_HOST=registry.example.com - GITLAB_REGISTRY_PORT=5000 - GITLAB_REGISTRY_API_URL=https://registry.example.com:5000 - GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key registry: restart: always image: registry:2.4.1 ports: - "5000:5000" volumes: - registry-data:/var/lib/registry - ./certs:/certs external_links: - "gitlab:gitlab.example.com" environment: - REGISTRY_LOG_LEVEL=info - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry - REGISTRY_AUTH_TOKEN_REALM=http://gitlab.example.com/jwt/auth - REGISTRY_AUTH_TOKEN_SERVICE=container_registry - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt - REGISTRY_STORAGE_DELETE_ENABLED=true - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry-auth.crt - REGISTRY_HTTP_TLS_KEY=/certs/registry-auth.key - REGISTRY_HTTP_SECRET=secret 
volumes: gitlab-data: gitlab-logs: postgresql: redis: registry-data: ================================================ FILE: docs/docker-swarm-traefik-registry.md ================================================ # Docker Swarm mode deployment Here's a guide to deploy **GitLab** with: * [Docker Swarm mode](https://docs.docker.com/engine/swarm/) for cluster management and orchestration. * [Docker Registry](https://docs.docker.com/registry/) with HTTPS, TLS (SSL) handled automatically, using GitLab credentials and integration with GitLab CI. * [Traefik](https://traefik.io/) proxy to handle domain based redirection, HTTPS communication and automatic certificate generation with [Let's encrypt](https://letsencrypt.org/). You don't need to build a custom Nginx proxy or anything similar, it's all handled by Traefik. * Automatic generation and configuration of GitLab / Registry internal communication certificates. ## Set up Docker Swarm Set up a Docker Swarm mode cluster with a main global Traefik load balancer following the guide at [DockerSwarm.rocks](https://dockerswarm.rocks). It will take you less than 20 minutes to follow it to deploy a cluster (of one or more machines) and have it ready for the next steps. ## Configure DNS records Configure your DNS domain records to point one subdomain for your GitLab instance and one subdomain for the Docker Registry to the new server. For example, a DNS `A` record for `gitlab.example.com` and a DNS `A` record for `registry.example.com`. If you have a cluster with several nodes, make sure those DNS records point to the IP of the node that will host the `gitlab` and `registry` services. This is because `gitlab` has to listen on port `22` for Git to work, but we will configure it to make it listen on port `22` only on the server that has GitLab. That way, if you have other servers in your cluster, you won't have to change the default SSH port of all of them. 
## Modify the server SSH port As by default Git uses the same SSH port `22`, and you want your GitLab container to use that port, modify your server SSH configuration to use a different port. This guide will assume you will use port `2222` for your server SSH and port `22` for your GitLab. Connect to your remote server as normally, e.g.: ```bash ssh root@gitlab.example.com ``` Create a backup of your SSH config file: ```bash cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup ``` Modify your SSH config. **Warning**: if something is broken after modifying the SSH configuration, you could lock yourself out of the server. You need to have a line `Port 2222` and make sure there's no line `Port 22`. You can use this command to do it automatically, it will check for a line with `Port 22` or `#Port 22` and replace it with `Port 2222`. ```bash sed -i 's|^#\?Port 22$|Port 2222|' /etc/ssh/sshd_config ``` Or you can modify it with `nano` by hand, with: ```bash nano /etc/ssh/sshd_config ``` Confirm that there's a single line with `Port 2222` with: ```bash grep "^Port" /etc/ssh/sshd_config ``` Then restart the SSH server: ```bash systemctl restart sshd.service ``` **Warning**: at this point, if you lose your connection and something was wrong in the configuration, you could lock yourself out of the server. Run the following steps in a new terminal session, without closing the existing one, so that, if something was wrong, you can use the current session to edit the configurations, revert them, and restart the SSH service, before being locked out. In a different terminal session, without closing the existing one, try connecting with SSH to your server using the new port, e.g.: ```bash ssh -p 2222 root@gitlab.example.com ``` If you get connected to the remote server normally, everything is working correctly. 
## Download the Docker Compose stack file * Download the Docker Compose stack file: ```bash curl -L https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.swarm.yml -o docker-compose.swarm.yml ``` ## Set environment variables Set and export the environment variables `GITLAB_HOST` and `REGISTRY_HOST` to the subdomains you configured. For example: ```bash export GITLAB_HOST=gitlab.example.com export REGISTRY_HOST=registry.example.com ``` You will use the domain for `GITLAB_HOST` to access GitLab in your browser and to commit and push with Git. And you will use the domain for `REGISTRY_HOST` to store, push, and pull Docker images, e.g.: ```bash docker pull registry.example.com/mygroup/myproject/imagename:sometag ``` These environment variables will be used by the file `docker-compose.swarm.yml`. They are used inside of the stacks and are also used to configure the domains for the Traefik load balancer. Because of that, you need to export them for them to be available when deploying the stack. ## Other environment variables There are many additional environment variables with different configurations. Read the [main README](https://github.com/sameersbn/docker-gitlab) for all the options. For Registry specific options and details, check the main [GitLab Registry documentation in this repo](https://github.com/sameersbn/docker-gitlab/blob/master/docs/container_registry.md). You can configure them by editing de file `docker-compose.swarm.yml`. You can do it in the command line with a program like `nano`, e.g.: ```bash nano docker-compose.swarm.yml ``` ## Set other environment variables If you want anyone to sign up instead of only people with invitation, change `GITLAB_SIGNUP_ENABLED` to `true`: ```bash export GITLAB_SIGNUP_ENABLED=true ``` There are several environment variables that require random strings for keys and passwords. 
For each setting that requires a random string for a key or password, run the following command and copy its output, generating a fresh value for every setting rather than reusing one:
For example, the service for `redis` uses a volume, you can check it on the `docker-compose.swarm.yml` file: ```yaml volumes: - redis-data:/var/lib/redis:Z ``` To make sure `redis` is always deployed to the same node that contains the same volume `redis-data`, we have a constraint: ```yaml deploy: placement: constraints: - node.labels.gitlab.redis-data == true ``` This tells Docker that the service `redis` should be deployed to a Docker node (a machine in the cluster) with the label `node.labels.gitlab.redis-data=true`. Then we can make one node (only one) have this label, and Docker Swarm will always deploy the `redis` service to the same node. That way, the service will keep reading the same volume every time. Even if you re-deploy or upgrade the stack. ## Add constraint labels Now we are going to add the needed labels to satisfy those constraints, to make sure the volumes work correctly. * Connect to a manager node in your Docker Swarm cluster. It could be the same server that will run GitLab, or it could be a different one. * If you are deploying the stack in the same current manager node, get its node ID and store it in an environment variable: ```bash export NODE_ID=$(docker info -f '{{.Swarm.NodeID}}') ``` * Otherwise, you can check the current available nodes with: ```console $ docker node ls ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION m48gz5e8ucmk59af4m6enmnaz * dog.example.com Ready Active Leader 19.03.9 4w456u9lnanau629v3y456k9d cat.example.com Ready Active 19.03.9 mue36qqwqnzrqt4iqi0yyd6ie gitlab.example.com Ready Active 19.03.9 ``` And select the node where you want to deploy the main `gitlab` service. In this example, in the node that has a `HOSTNAME` with value `gitlab.example.com`, with node ID `mue36qqwqnzrqt4iqi0yyd6ie`. 
So, you could export that environment variable using the node ID with something like: ```bash export NODE_ID=mue36qqwqnzrqt4iqi0yyd6ie ``` * Create a label in that node, so that the service `gitlab` and `registry` are always deployed to the same node and use the same volumes: ```bash docker node update --label-add gitlab.certs-data=true $NODE_ID ``` We need to make sure `gitlab` and `registry` are deployed on the same node because they share the same volume with the TLS certificates generated by `gitlab`. Now create the label for `redis`. You could use another node in your cluster if you have more than one, for simplicity we are going to use the same node, e.g.: ```bash docker node update --label-add gitlab.redis-data=true $NODE_ID ``` And add the label for `postgres`: ```bash docker node update --label-add gitlab.postgresql-data=true $NODE_ID ``` **Note**: you only have to set those labels once. Not every time you want to re-deploy your stack. ## Deploy the stack Now, having the labels set in the Docker nodes, and the environment variables exported, you can deploy your stack: ```bash docker stack deploy --compose-file docker-compose.swarm.yml gitlab ``` **Note**: the environment variables `GITLAB_HOST` and `REGISTRY_HOST` have to be available every time to deploy the stack. But the node labels can be set only once, the first time you deploy. You can check the status of the deployment with: ```bash docker stack ps gitlab ``` Or check the logs, for example for the service `gitlab_gitlab`: ```bash docker service logs gitlab_gitlab ``` ## Internal certificates GitLab and the Docker Registry have public facing HTTPS certificates generated with Let's Encrypt for each one. But to communicate between themselves they use an additional self-signed certificate. 
To tell GitLab to generate those self-signed certificates for the internal communication with the Registry, the `gitlab` service has an environment variable: ```yaml - GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES=true ``` GitLab will generate the certificates and store them in the location given by: ```yaml - GITLAB_REGISTRY_KEY_PATH=/certs/registry.key ``` And that location, `/certs`, is mounted as a named volume: ```yaml volumes: - gitlab-data:/home/git/data:Z - certs-data:/certs ``` So, the self-signed certificates will be generated inside the named volume `certs-data`.
### Create the GitLab Runner in Docker standalone mode To install a GitLab runner in a standalone Docker run: ```bash docker run -d \ --name gitlab-runner \ --restart always \ -v gitlab-runner:/etc/gitlab-runner \ -v /tmp/builds:/tmp/builds \ -v /var/run/docker.sock:/var/run/docker.sock \ gitlab/gitlab-runner:latest ``` Then, enter into that container: ```bash docker exec -it gitlab-runner bash ``` ### Install the GitLab Runner * Go to the GitLab "Admin Area -> Runners" section. * Get the URL and create a variable with it in the bash session inside of your Runner's Docker container, e.g.: ```bash export GITLAB_URL=https://gitlab.example.com/ ``` * Get the registration token and create a variable in the bash session inside of your Runner's Docker container, e.g.: ```bash export GITLAB_TOKEN=WYasdfJp4sdfasdf1234 ``` * Run the next command editing the name and tags as you need, you can also edit them later in the web user interface. ```bash gitlab-runner \ register -n \ --name "Docker Runner" \ --executor docker \ --locked false \ --access-level not_protected \ --builds-dir /tmp/builds \ --docker-image docker:latest \ --docker-volumes /tmp/builds:/tmp/builds \ --docker-volumes /var/run/docker.sock:/var/run/docker.sock \ --url $GITLAB_URL \ --registration-token $GITLAB_TOKEN \ --tag-list dog-cat-cluster,stag,prod ``` * You can edit the runner more from the GitLab admin section. 
================================================ FILE: docs/exposing-ssh-port.md ================================================ # Exposing ssh port in dockerized gitlab-ce This is how to expose this internal ssh port without affecting the existing ssh port on the host server: * use this configuration script: [`../contrib/expose-gitlab-ssh-port.sh`](../contrib/expose-gitlab-ssh-port.sh) * see implementation example in Vagrant: [harobed/docker-gitlab-vagrant-test](https://github.com/harobed/docker-gitlab-vagrant-test) * more information, see [« Exposing ssh port in dockerized gitlab-ce »](https://blog.xiaket.org/2017/exposing.ssh.port.in.dockerized.gitlab-ce.html) post ================================================ FILE: docs/keycloak-idp.md ================================================ # Integrate Keycloak as an IDP with GitLab In this document, we will explain how to set up Keycloak and integrate it into GitLab. ## Setting up Keycloak First, you need a client in Keycloak to authenticate with GitLab. You can start Keycloak by running `docker-compose up -d keycloak`. When Keycloak is running, log in using the `Administration console`. You can visit the Keycloak on the [local IP](http://localhost:10081) of your laptop. ![Keycloak Home](images/keycloak-home.png) Next, create a client. ![Keycloak client](images/keycloak-client.png) Fill in the following variables: ![Keycloak client creation](images/keycloak-client-creation.png) Make access type confidential and enable service accounts and authorization. ![Keycloak client creation](images/keycloak-client-creation2.png) Next, click save, get the client secret generated by Keycloak and start filling out the variables for GitLab in the docker-compose file. 
![Keycloak client secret](images/keycloak-secret.png) Set the following in the docker-compose file: ```yaml - OAUTH2_GENERIC_APP_SECRET= - OAUTH2_GENERIC_CLIENT_SITE=http://:10081 - OAUTH2_GENERIC_CLIENT_USER_INFO_URL=http://:10081/auth/realms/master/protocol/openid-connect/userinfo - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=http://:10081/auth/realms/master/protocol/openid-connect/auth - OAUTH2_GENERIC_CLIENT_TOKEN_URL=http://:10081/auth/realms/master/protocol/openid-connect/token - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=http://:10081/auth/realms/master/protocol/openid-connect/logout ``` `` is the IP address of your keycloak. For this example this would be your IP address, but if your Keycloak existed elsewhere for your deployment `` would be different as would the port and the realm. The following must also be configured: ```yaml - OAUTH2_GENERIC_USER_UID='preferred_username' - OAUTH2_GENERIC_USER_NAME='name' - OAUTH2_GENERIC_USER_EMAIL='email' ``` The values will be different for your deployment. Navigate Keycloak's UI, select `Clients`, click `[your client]`, then open the `Client Scopes` tab, then open `Evaluate` sub-tab, enter a username you know in the `User` field, select the match, then `Generate Access Token` to see the values you need to configure. Also, make sure the following variables are filled in the docker-compose file: ```yaml - GITLAB_HOST='' ... - OAUTH_ENABLED=true - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=Keycloak - OAUTH_ALLOW_SSO=Keycloak - OAUTH_BLOCK_AUTO_CREATED_USERS=false - OAUTH_AUTO_LINK_LDAP_USER=false - OAUTH_AUTO_LINK_SAML_USER=false ``` `` is the IP address of your GitLab for this example this would be the your IP address, but if your GitLab was to be proxied or deployed elsewhere `` would be another value appropriate for your deployment. GitLab does not allow login from users in Keycloak with an empty email or name. To prevent this, you can create a new user in Keycloak or you can add email and name for the admin account. 
Visit the `Users` tab and click on `View all users` to modify the Admin user. ![keycloak-users](images/keycloak-users.png) Modify the `Email`, `First name` and `Last Name` fields. ![admin-account](images/keycloak-admin-acc.png) Deploy GitLab, Redis and PostgreSQL by running the following command: `docker-compose up -d gitlab redis postgresql`. You can now login on the local GitLab instance with with Keycloak on your [local IP](http://localhost:10080). ![gitlab-login](images/keycloak-gitlab-login.png) ================================================ FILE: docs/s3_compatible_storage.md ================================================ # GitLab Backup to s3 compatible storage Enables automatic backups to self-hosted s3 compatible storage like minio () and others. This is an extend of AWS Remote Backups. As explained in [doc.gitlab.com](https://docs.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage), it uses [Fog library](http://fog.io) and the module fog-aws. More details on [s3 supported parameters](https://github.com/fog/fog-aws/blob/master/lib/fog/aws/storage.rb) - [GitLab Backup to s3 compatible storage](#gitlab-backup-to-s3-compatible-storage) - [Available Parameters](#available-parameters) - [Installation](#installation) - [Docker Compose](#docker-compose) - [Creating Backups](#creating-backups) - [Restoring Backups](#restoring-backups) ## Available Parameters Here is an example of all configuration parameters that can be used in the GitLab container. ```yaml ... gitlab: ... environment: - AWS_BACKUPS=true - AWS_BACKUP_ENDPOINT='http://minio:9000' - AWS_BACKUP_ACCESS_KEY_ID=minio - AWS_BACKUP_SECRET_ACCESS_KEY=minio123 - AWS_BACKUP_BUCKET=docker - AWS_BACKUP_MULTIPART_CHUNK_SIZE=104857600 ``` where: | Parameter | Description | | --------- | ----------- | | `AWS_BACKUPS` | Enables automatic uploads to an Amazon S3 instance. Defaults to `false`. | | `AWS_BACKUP_ENDPOINT` | AWS endpoint. No defaults. 
| | `AWS_BACKUP_ACCESS_KEY_ID` | AWS access key id. No defaults. | | `AWS_BACKUP_SECRET_ACCESS_KEY` | AWS secret access key. No defaults. | | `AWS_BACKUP_BUCKET` | AWS bucket for backup uploads. No defaults. | | `AWS_BACKUP_MULTIPART_CHUNK_SIZE` | Enables multipart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) | For more info look at [Available Configuration Parameters](https://github.com/sameersbn/docker-gitlab#available-configuration-parameters). A minimum set of these parameters are required to use the s3 compatible storage: ```yaml ... gitlab: environment: - AWS_BACKUPS=true - AWS_BACKUP_ENDPOINT='http://minio:9000' - AWS_BACKUP_ACCESS_KEY_ID=minio - AWS_BACKUP_SECRET_ACCESS_KEY=minio123 - AWS_BACKUP_BUCKET=docker ... ``` ## Installation Starting a fresh installation with GitLab would be like the `docker-compose` file. ### Docker Compose This is an example with minio. ```yml services: redis: restart: always image: sameersbn/redis:7 command: - --loglevel warning volumes: - /tmp/docker/gitlab/redis:/data:Z postgresql: restart: always image: sameersbn/postgresql:10-2 volumes: - /tmp/docker/gitlab/postgresql:/var/lib/postgresql:Z environment: - DB_USER=gitlab - DB_PASS=password - DB_NAME=gitlabhq_production - DB_EXTENSION=pg_trgm gitlab: restart: always #image: sameersbn/gitlab:8.16.4 build: . 
depends_on: - redis - postgresql ports: - "10080:80" - "10022:22" volumes: - /tmp/docker/gitlab/gitlab:/home/git/data:Z environment: - DEBUG=false - DB_ADAPTER=postgresql - DB_HOST=postgresql - DB_PORT=5432 - DB_USER=gitlab - DB_PASS=password - DB_NAME=gitlabhq_production - REDIS_HOST=redis - REDIS_PORT=6379 - TZ=Asia/Kolkata - GITLAB_TIMEZONE=Kolkata - GITLAB_HTTPS=false - SSL_SELF_SIGNED=false - GITLAB_HOST=localhost - GITLAB_PORT=10080 - GITLAB_SSH_PORT=10022 - GITLAB_RELATIVE_URL_ROOT= - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true - GITLAB_NOTIFY_PUSHER=false - GITLAB_EMAIL=notifications@example.com - GITLAB_EMAIL_REPLY_TO=noreply@example.com - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com - GITLAB_BACKUP_SCHEDULE=daily - GITLAB_BACKUP_TIME=01:00 - SMTP_ENABLED=false - SMTP_DOMAIN=www.example.com - SMTP_HOST=smtp.gmail.com - SMTP_PORT=587 - SMTP_USER=mailer@example.com - SMTP_PASS=password - SMTP_STARTTLS=true - SMTP_AUTHENTICATION=login - IMAP_ENABLED=false - IMAP_HOST=imap.gmail.com - IMAP_PORT=993 - IMAP_USER=mailer@example.com - IMAP_PASS=password - IMAP_SSL=true - IMAP_STARTTLS=false - OAUTH_ENABLED=false - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER= - OAUTH_ALLOW_SSO= - OAUTH_BLOCK_AUTO_CREATED_USERS=true - OAUTH_AUTO_LINK_LDAP_USER=false - OAUTH_AUTO_LINK_SAML_USER=false - OAUTH_EXTERNAL_PROVIDERS= - OAUTH_CAS3_LABEL=cas3 - OAUTH_CAS3_SERVER= - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false - OAUTH_CAS3_LOGIN_URL=/cas/login - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate - OAUTH_CAS3_LOGOUT_URL=/cas/logout - OAUTH_GOOGLE_API_KEY= - OAUTH_GOOGLE_APP_SECRET= - OAUTH_GOOGLE_RESTRICT_DOMAIN= - OAUTH_FACEBOOK_API_KEY= - OAUTH_FACEBOOK_APP_SECRET= - 
OAUTH_TWITTER_API_KEY= - OAUTH_TWITTER_APP_SECRET= - OAUTH_GITHUB_API_KEY= - OAUTH_GITHUB_APP_SECRET= - OAUTH_GITHUB_URL= - OAUTH_GITHUB_VERIFY_SSL= - OAUTH_GITLAB_API_KEY= - OAUTH_GITLAB_APP_SECRET= - OAUTH_BITBUCKET_API_KEY= - OAUTH_BITBUCKET_APP_SECRET= - OAUTH_BITBUCKET_URL= - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= - OAUTH_SAML_IDP_CERT_FINGERPRINT= - OAUTH_SAML_IDP_SSO_TARGET_URL= - OAUTH_SAML_ISSUER= - OAUTH_SAML_LABEL="Our SAML Provider" - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient - OAUTH_SAML_GROUPS_ATTRIBUTE= - OAUTH_SAML_EXTERNAL_GROUPS= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME= - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME= - OAUTH_CROWD_SERVER_URL= - OAUTH_CROWD_APP_NAME= - OAUTH_CROWD_APP_PASSWORD= - OAUTH_AUTH0_CLIENT_ID= - OAUTH_AUTH0_CLIENT_SECRET= - OAUTH_AUTH0_DOMAIN= - OAUTH_AUTH0_SCOPE= - OAUTH_AZURE_API_KEY= - OAUTH_AZURE_API_SECRET= - OAUTH_AZURE_TENANT_ID= - AWS_BACKUPS=true - AWS_BACKUP_ENDPOINT='http://minio:9000' - AWS_BACKUP_ACCESS_KEY_ID=minio - AWS_BACKUP_SECRET_ACCESS_KEY=minio123 - AWS_BACKUP_BUCKET=docker minio: image: minio/minio ports: - "9000:9000" environment: MINIO_ACCESS_KEY: minio MINIO_SECRET_KEY: minio123 command: server /export ``` ### Creating Backups Execute the rake task with a removeable container. ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:8.16.4 app:rake gitlab:backup:create ``` ### Restoring Backups Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`. ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:8.16.4 app:rake gitlab:backup:restore ``` The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. 
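To avoid user interaction in the restore operation, specify the timestamp of the backup using the `BACKUP` argument to the rake task.

```bash
docker run --name gitlab -it --rm [OPTIONS] \
  sameersbn/gitlab:8.16.4 app:rake gitlab:backup:restore BACKUP=1417624827
```

================================================
FILE: entrypoint.sh
================================================
#!/bin/bash
# Container entrypoint.
#
# Dispatches on the first argument:
#   app:start    - configure, migrate the database, then exec supervisord
#   app:init     - configure and migrate the database without starting services
#   app:sanitize - configure, then fix data directory permissions
#   app:rake     - configure, then run the given rake task
#   app:help     - print the option list
#   anything else is exec'd verbatim (e.g. "bash")
set -e
set -o pipefail

# initialize_system, configure_*, migrate_database, sanitize_datadir and
# execute_raketask are defined in the runtime functions file; GITLAB_RUNTIME_DIR
# is expected to be set in the image environment.
# shellcheck source=assets/runtime/functions
source "${GITLAB_RUNTIME_DIR}/functions"

# DEBUG=true turns on shell tracing: every expanded command line is written to
# the container log, which may include credential values taken from the
# environment (DB_PASS, SMTP_PASS, OAuth secrets, ...). Keep it off outside of
# troubleshooting sessions.
[[ $DEBUG == true ]] && set -x

case ${1} in
  app:init|app:start|app:sanitize|app:rake)
    # Preparation shared by every app:* action.
    initialize_system
    configure_gitlab
    configure_gitlab_shell
    configure_gitlab_pages
    configure_nginx
    case ${1} in
      app:start)
        # Run supervisord once in the background so its control socket exists,
        # hold the application processes (sidekiq, puma) stopped while the
        # database migrates, then shut this instance down and exec a clean one.
        /usr/bin/supervisord -nc /etc/supervisor/supervisord.conf &
        SUPERVISOR_PID=$!
        # Poll for the control socket, but give up instead of looping forever
        # when supervisord has already exited without creating it.
        while ! test -e "/var/run/supervisor.sock" 2>/dev/null; do
          if ! ps h -p "$SUPERVISOR_PID" > /dev/null; then
            echo "supervisord exited before /var/run/supervisor.sock appeared"
            exit 1
          fi
          echo "waiting supervisor to start"
          sleep 1
        done
        # Stopping a program that is not running yet is not fatal here.
        set +e
        supervisorctl stop sidekiq gitlab:puma
        set -e
        migrate_database
        # SIGTERM the temporary supervisord and reap it if it is still around.
        kill -15 "$SUPERVISOR_PID"
        if ps h -p "$SUPERVISOR_PID" > /dev/null ; then
          wait "$SUPERVISOR_PID" || true
        fi
        rm -rf /var/run/supervisor.sock
        # Presumably configuration that needs the migrated database (the name
        # suggests so; the function itself is defined in the runtime functions).
        configure_gitlab_requires_db
        # exec so supervisord replaces this shell and receives container
        # signals directly.
        exec /usr/bin/supervisord -nc /etc/supervisor/supervisord.conf
        ;;
      app:init)
        migrate_database
        ;;
      app:sanitize)
        sanitize_datadir
        ;;
      app:rake)
        # Drop the "app:rake" token; everything after it is the rake invocation.
        shift 1
        execute_raketask "$@"
        ;;
    esac
    ;;
  app:help)
    echo "Available options:"
    echo " app:start - Starts the gitlab server (default)"
    echo " app:init - Initialize the gitlab server (e.g. create databases, compile assets), but don't start it."
    echo " app:sanitize - Fix repository/builds directory permissions."
    echo " app:rake - Execute a rake task."
    echo " app:help - Displays the help"
    echo " [command] - Execute the specified command, eg. bash."
    ;;
  *)
    exec "$@"
    ;;
esac

================================================
FILE: hooks/build
================================================
#!/bin/bash
# Docker Daemon Build Hook
# $IMAGE_NAME var is injected into the build so the tag is correct.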
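docker pull "${DOCKER_REPO}:latest"
# Layers are reused from whichever image currently carries the mutable :latest
# tag. There is no set -e in this hook, so a failed pull (e.g. no :latest
# published yet) does not abort the build.
docker build \
  --cache-from="${DOCKER_REPO}:latest" \
  --build-arg=BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")" \
  --build-arg=VCS_REF="$(git rev-parse --short HEAD)" \
  -t "${IMAGE_NAME}" .

================================================
FILE: kubernetes/deploy.sh
================================================
#!/bin/bash
# Creates the GitLab stack from the *-svc.yml and *-rc.yml manifests in the
# current directory, against the current kubectl context, and then lists the
# resulting pods, replication controllers and services.
set -e
set -o pipefail

if ! command -v kubectl > /dev/null; then
  echo "kubectl command not installed"
  exit 1
fi

# create the services
# (before the controllers, which refer to them by name, e.g. DB_HOST=postgresql)
for svc in *-svc.yml
do
  echo -n "Creating $svc... "
  kubectl -f "$svc" create
done

# create the replication controllers
for rc in *-rc.yml
do
  echo -n "Creating $rc... "
  kubectl -f "$rc" create
done

# list pod,rc,svc
echo "Pod:"
kubectl get pod
echo "RC:"
kubectl get rc
echo "Service:"
kubectl get svc

================================================
FILE: kubernetes/gitlab-rc.yml
================================================
apiVersion: v1
kind: ReplicationController
metadata:
  name: gitlab
spec:
  replicas: 1
  selector:
    name: gitlab
  template:
    metadata:
      name: gitlab
      labels:
        name: gitlab
    spec:
      containers:
      - name: gitlab
        image: sameersbn/gitlab:18.9.2
        env:
        - name: TZ
          value: Asia/Kolkata
        - name: GITLAB_TIMEZONE
          value: Kolkata
        # The GITLAB_SECRETS_* values below are placeholders and must be
        # replaced with unique random values before deploying. Literal env
        # values are visible to anyone who can read the manifest; a Secret
        # referenced through valueFrom.secretKeyRef keeps them out of it.
        - name: GITLAB_SECRETS_DB_KEY_BASE
          value: long-and-random-alpha-numeric-string
        - name: GITLAB_SECRETS_SECRET_KEY_BASE
          value: long-and-random-alpha-numeric-string
        - name: GITLAB_SECRETS_OTP_KEY_BASE
          value: long-and-random-alpha-numeric-string
        - name: GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
          value: long-and-random-alpha-numeric-string
        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
          value: '[long-and-random-alpha-numeric-string]'
        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
          value: '[long-and-random-alpha-numeric-string]'
        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
          value: long-and-random-alpha-numeric-string
        # Left empty here; set them (again preferably from a Secret) to seed
        # the initial administrator account.
        - name: GITLAB_ROOT_PASSWORD
          value:
        - name: GITLAB_ROOT_EMAIL
          value:
        - name: GITLAB_HOST
          value: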
git.default.cluster.local
        - name: GITLAB_PORT
          value: "80"
        - name: GITLAB_SSH_PORT
          value: "22"
        - name: GITLAB_NOTIFY_ON_BROKEN_BUILDS
          value: "true"
        - name: GITLAB_NOTIFY_PUSHER
          value: "false"
        - name: GITLAB_BACKUP_SCHEDULE
          value: daily
        # NOTE(review): unlike the other numeric-looking values this one is
        # unquoted; YAML 1.1 parsers may read 01:00 as a base-60 integer.
        # Quoting it ("01:00") would make it unambiguous — confirm.
        - name: GITLAB_BACKUP_TIME
          value: 01:00
        # NOTE(review): the compose examples in this repository use
        # DB_ADAPTER=postgresql; confirm DB_TYPE is still honoured by the image.
        - name: DB_TYPE
          value: postgres
        - name: DB_HOST
          value: postgresql
        - name: DB_PORT
          value: "5432"
        - name: DB_USER
          value: gitlab
        # Sample credential, duplicated in postgresql-rc.yml; the two must
        # match. For anything beyond a demo, source it from a Secret via
        # valueFrom.secretKeyRef rather than a literal in the manifest.
        - name: DB_PASS
          value: passw0rd
        - name: DB_NAME
          value: gitlab_production
        - name: REDIS_HOST
          value: redis
        - name: REDIS_PORT
          value: "6379"
        # Mail is disabled; the SMTP_*/IMAP_* values below are examples that
        # only take effect once SMTP_ENABLED / IMAP_ENABLED are set to "true".
        - name: SMTP_ENABLED
          value: "false"
        - name: SMTP_DOMAIN
          value: www.example.com
        - name: SMTP_HOST
          value: smtp.gmail.com
        - name: SMTP_PORT
          value: "587"
        - name: SMTP_USER
          value: mailer@example.com
        - name: SMTP_PASS
          value: password
        - name: SMTP_STARTTLS
          value: "true"
        - name: SMTP_AUTHENTICATION
          value: login
        - name: IMAP_ENABLED
          value: "false"
        - name: IMAP_HOST
          value: imap.gmail.com
        - name: IMAP_PORT
          value: "993"
        - name: IMAP_USER
          value: mailer@example.com
        - name: IMAP_PASS
          value: password
        - name: IMAP_SSL
          value: "true"
        - name: IMAP_STARTTLS
          value: "false"
        ports:
        - name: http
          containerPort: 80
        - name: ssh
          containerPort: 22
        volumeMounts:
        - mountPath: /home/git/data
          name: data
        # The 180s initial delay gives the application time to boot before a
        # failed liveness check would restart the container.
        livenessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 180
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 5
          timeoutSeconds: 1
      # emptyDir lives only as long as the pod: repositories, uploads and
      # backups under /home/git/data are lost when the pod is rescheduled.
      # Use a PersistentVolumeClaim for any non-throwaway deployment.
      volumes:
      - name: data
        emptyDir: {}

================================================
FILE: kubernetes/gitlab-svc.yml
================================================
apiVersion: v1
kind: Service
metadata:
  name: gitlab
  labels:
    name: gitlab
spec:
  # LoadBalancer publishes both ports outside the cluster. Port 80 is plain
  # HTTP (the controller does not set GITLAB_HTTPS), so credentials and
  # session cookies travel unencrypted unless TLS is terminated in front.
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: http
  - name: ssh
    port: 22
    targetPort: ssh
  selector:
    name: gitlab

================================================
FILE: kubernetes/postgresql-rc.yml
================================================
apiVersion: v1
kind: ReplicationController
metadata:
  name: postgresql
spec:
  replicas: 1
  selector:
    name:
postgresql
  template:
    metadata:
      name: postgresql
      labels:
        name: postgresql
    spec:
      containers:
      - name: postgresql
        image: kkimurak/sameersbn-postgresql:16
        env:
        - name: DB_USER
          value: gitlab
        # Sample credential; must match DB_PASS in gitlab-rc.yml. Prefer a
        # Secret (valueFrom.secretKeyRef) over a literal in the manifest.
        - name: DB_PASS
          value: passw0rd
        - name: DB_NAME
          value: gitlab_production
        - name: DB_EXTENSION
          value: pg_trgm
        ports:
        - name: postgres
          containerPort: 5432
        volumeMounts:
        - mountPath: /var/lib/postgresql
          name: data
        # Both probes ask the server over localhost whether it accepts
        # connections; pg_isready does not authenticate.
        livenessProbe:
          exec:
            command:
            - pg_isready
            - -h
            - localhost
            - -U
            - postgres
          initialDelaySeconds: 30
          timeoutSeconds: 5
        readinessProbe:
          exec:
            command:
            - pg_isready
            - -h
            - localhost
            - -U
            - postgres
          initialDelaySeconds: 5
          timeoutSeconds: 1
      # emptyDir: the database is discarded when the pod is rescheduled; use a
      # PersistentVolumeClaim for anything but a demo.
      volumes:
      - name: data
        emptyDir: {}

================================================
FILE: kubernetes/postgresql-svc.yml
================================================
apiVersion: v1
kind: Service
metadata:
  name: postgresql
  labels:
    name: postgresql
spec:
  # No type given, so this is a ClusterIP service: reachable from inside the
  # cluster only, which is all the gitlab pods need.
  ports:
  - name: postgres
    port: 5432
    targetPort: postgres
  selector:
    name: postgresql

================================================
FILE: kubernetes/redis-rc.yml
================================================
apiVersion: v1
kind: ReplicationController
metadata:
  name: redis
spec:
  replicas: 1
  selector:
    name: redis
  template:
    metadata:
      name: redis
      labels:
        name: redis
    spec:
      containers:
      # Runs with the image defaults: no authentication is configured here, so
      # any workload that can reach the redis service can read and write it.
      # On a shared cluster, restrict access with a NetworkPolicy and/or set
      # requirepass.
      - name: redis
        image: redis:7
        ports:
        - name: redis
          containerPort: 6379
        # NOTE(review): the official redis image persists to /data by default;
        # confirm this mount path actually receives the dump, otherwise the
        # volume is unused.
        volumeMounts:
        - mountPath: /var/lib/redis
          name: data
        livenessProbe:
          exec:
            command:
            - redis-cli
            - ping
          initialDelaySeconds: 30
          timeoutSeconds: 5
        readinessProbe:
          exec:
            command:
            - redis-cli
            - ping
          initialDelaySeconds: 5
          timeoutSeconds: 1
      # emptyDir: discarded with the pod (same caveat as the other controllers).
      volumes:
      - name: data
        emptyDir: {}

================================================
FILE: kubernetes/redis-svc.yml
================================================
apiVersion: v1
kind: Service
metadata:
  name: redis
  labels:
    name: redis
spec:
  ports:
  - name: redis
    port: 6379
    targetPort: redis
  selector:
    name: redis

================================================
FILE: kubernetes/teardown.sh
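================================================
#!/bin/bash
# Removes the objects created by deploy.sh: the *-svc.yml services first, then
# the *-rc.yml replication controllers, in the current kubectl context.
set -e
set -o pipefail

if ! command -v kubectl > /dev/null; then
  echo "kubectl command not installed"
  exit 1
fi

# delete the services
for svc in *-svc.yml
do
  echo -n "Deleting $svc... "
  kubectl -f "$svc" delete
done

# delete the replication controllers
for rc in *-rc.yml
do
  echo -n "Deleting $rc... "
  kubectl -f "$rc" delete
done

================================================
FILE: scripts/release-notes.sh
================================================
#!/usr/bin/env sh
# Prints release notes for a tag: a changelog of the commits since the previous
# tag, preceded by the repository's contribution blurb. The tag is taken from
# $GIT_TAG (CI) or the first argument.
RELEASE=${GIT_TAG:-$1}

if [ -z "${RELEASE}" ]; then
  echo "Usage:"
  echo "./scripts/release-notes.sh v0.1.0"
  exit 1
fi

# NOTE(review): this exits with status 0, so a caller cannot tell "tag does
# not exist" from success; presumably intentional for CI runs — confirm.
if ! git rev-list "${RELEASE}" >/dev/null 2>&1; then
  echo "${RELEASE} does not exist"
  exit
fi

# Previous tag, or the root commit when there is none. git describe's stderr is
# not silenced, so its error is printed before the second line takes over.
PREV_RELEASE=${PREV_RELEASE:-$(git describe --tags --abbrev=0 "${RELEASE}^")}
PREV_RELEASE=${PREV_RELEASE:-$(git rev-list --max-parents=0 "${RELEASE}^")}

# Annotated tag message: drop the first five header lines and everything from a
# PGP signature block onward (the empty end pattern repeats the start pattern,
# which normally does not recur, so the range runs to the end of the input).
NOTABLE_CHANGES=$(git cat-file -p "${RELEASE}" | sed '/-----BEGIN PGP SIGNATURE-----/,//d' | tail -n +6)

# $? after a bare assignment is the exit status of its command substitution.
CHANGELOG=$(git log --no-merges --pretty=format:'- [%h] %s (%aN)' "${PREV_RELEASE}..${RELEASE}")
if [ $? -ne 0 ]; then
  echo "Error creating changelog"
  exit 1
fi

# NOTE(review): the heredoc opener was garbled in this listing ("cat <."); it
# is restored from the EOF terminator below, but lines between the opener and
# "## Contributing" (where NOTABLE_CHANGES is presumably emitted) may be
# missing from this copy — check against the repository.
cat <<EOF
## Contributing

You are kindly invited to provide contributions. If you find this image useful here's how you can help:

- Send a Pull Request with your awesome new features and bug fixes
- Be a part of the community and help resolve [issues](https://github.com/sameersbn/docker-gitlab/issues)
- Support the development of this image with a [donation](http://www.damagehead.com/donate/)

## Changelog

${CHANGELOG}
EOF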