1539 lines
60 KiB
Text
1539 lines
60 KiB
Text
# # # # # # # # # # # # # # # # # #
|
|
# GitLab application config file #
|
|
# # # # # # # # # # # # # # # # # #
|
|
#
|
|
########################### NOTE #####################################
|
|
# This file should not receive new settings. All configuration options #
|
|
# * are being moved to ApplicationSetting model! #
|
|
# If a setting requires an application restart say so in that screen. #
|
|
# If you change this file in a merge request, please also create #
|
|
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #
|
|
# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md #
|
|
########################################################################
|
|
#
|
|
#
|
|
# How to use:
|
|
# 1. Copy file as gitlab.yml
|
|
# 2. Update gitlab -> host with your fully qualified domain name
|
|
# 3. Update gitlab -> email_from
|
|
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
|
|
# IMPORTANT: If Git was installed in a different location use that instead.
|
|
# You can check with `which git`. If a wrong path of Git is specified, it will
|
|
# result in various issues such as failures of GitLab CI builds.
|
|
# 5. Review this configuration file for other settings you may want to adjust
|
|
|
|
production: &base
|
|
#
|
|
# 1. GitLab app settings
|
|
# ==========================
|
|
|
|
## GitLab settings
|
|
gitlab:
|
|
## Web server settings (note: host is the FQDN, do not include http://)
|
|
host: localhost
|
|
port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
|
|
https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
|
|
# The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout.
|
|
# Default is 95% of the worker timeout
|
|
max_request_duration_seconds: 57
|
|
|
|
# Uncomment this line below if your ssh host is different from HTTP/HTTPS one
|
|
# (you'd obviously need to replace ssh.host_example.com with your own host).
|
|
# Otherwise, ssh host will be set to the `host:` value above
|
|
# ssh_host: ssh.host_example.com
|
|
|
|
# Relative URL support
|
|
# WARNING: We recommend using an FQDN to host GitLab in a root path instead
|
|
# of using a relative URL.
|
|
# Documentation: http://doc.gitlab.com/ce/install/relative_url.html
|
|
# Uncomment and customize the following line to run in a non-root path
|
|
#
|
|
# relative_url_root: /gitlab
|
|
|
|
# Content Security Policy
|
|
# See https://guides.rubyonrails.org/security.html#content-security-policy
|
|
content_security_policy:
|
|
enabled: true
|
|
report_only: false
|
|
directives:
|
|
base_uri:
|
|
child_src:
|
|
connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
|
|
default_src: "'self'"
|
|
font_src:
|
|
form_action:
|
|
frame_ancestors: "'self'"
|
|
frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
|
|
img_src: "* data: blob:"
|
|
manifest_src:
|
|
media_src:
|
|
object_src: "'none'"
|
|
script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
|
|
style_src: "'self' 'unsafe-inline'"
|
|
worker_src: "'self' blob:"
|
|
report_uri:
|
|
|
|
allowed_hosts: []
|
|
|
|
# Trusted Proxies
|
|
# Customize if you have GitLab behind a reverse proxy which is running on a different machine.
|
|
# Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
|
|
trusted_proxies:
|
|
# Examples:
|
|
#- 192.168.1.0/24
|
|
#- 192.168.2.1
|
|
#- 2001:0db8::/32
|
|
|
|
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
|
|
# user: git
|
|
|
|
## Date & Time settings
|
|
# Uncomment and customize if you want to change the default time zone of GitLab application.
|
|
# To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
|
|
# time_zone: 'UTC'
|
|
|
|
## Email settings
|
|
# Uncomment and set to false if you need to disable email sending from GitLab (default: true)
|
|
# email_enabled: true
|
|
# Email address used in the "From" field in mails sent by GitLab
|
|
email_from: example@example.com
|
|
email_display_name: GitLab
|
|
email_reply_to: noreply@example.com
|
|
email_subject_suffix: ''
|
|
email_smime:
|
|
# Uncomment and set to true if you need to enable email S/MIME signing (default: false)
|
|
# enabled: false
|
|
# S/MIME private key file in PEM format, unencrypted
|
|
# Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app).
|
|
# key_file: /home/git/gitlab/.gitlab_smime_key
|
|
# S/MIME public certificate key in PEM format, will be attached to signed messages
|
|
# Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app).
|
|
# cert_file: /home/git/gitlab/.gitlab_smime_cert
|
|
# S/MIME extra CA public certificates in PEM format, will be attached to signed messages
|
|
# Optional
|
|
# ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs
|
|
|
|
# Email server smtp settings are in config/initializers/smtp_settings.rb.sample
|
|
|
|
# default_can_create_group: false # default: true
|
|
# username_changing_enabled: false # default: true - User can change their username/namespace
|
|
## Default theme ID
|
|
## 1 - Indigo
|
|
## 2 - Dark
|
|
## 3 - Light
|
|
## 4 - Blue
|
|
## 5 - Green
|
|
## 6 - Light Indigo
|
|
## 7 - Light Blue
|
|
## 8 - Light Green
|
|
## 9 - Red
|
|
## 10 - Light Red
|
|
# default_theme: 1 # default: 1
|
|
|
|
## Automatic issue closing
|
|
# If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
|
|
# This happens when the commit is pushed or merged into the default branch of a project.
|
|
# When not specified the default issue_closing_pattern as specified below will be used.
|
|
# Tip: you can test your closing pattern at http://rubular.com.
|
|
# issue_closing_pattern: '\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
|
|
|
|
## Default project features settings
|
|
default_projects_features:
|
|
issues: true
|
|
merge_requests: true
|
|
wiki: true
|
|
snippets: true
|
|
builds: true
|
|
container_registry: true
|
|
|
|
## Webhook settings
|
|
# Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
|
|
# webhook_timeout: 10
|
|
|
|
### GraphQL Settings
|
|
# Tells the rails application how long it has to complete a GraphQL request.
|
|
# We suggest this value to be higher than the database timeout value
|
|
# and lower than the worker timeout set in unicorn/puma. (default: 30)
|
|
# graphql_timeout: 30
|
|
|
|
## Repository downloads directory
|
|
# When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
|
|
# The default is 'shared/cache/archive/' relative to the root of the Rails app.
|
|
# repository_downloads_path: shared/cache/archive/
|
|
|
|
## Impersonation settings
|
|
impersonation_enabled: true
|
|
|
|
## Disable jQuery and CSS animations
|
|
# disable_animations: true
|
|
|
|
## Application settings cache expiry in seconds (default: 60)
|
|
# application_settings_cache_seconds: 60
|
|
|
|
## Reply by email
|
|
# Allow users to comment on issues and merge requests by replying to notification emails.
|
|
# For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
|
|
incoming_email:
|
|
enabled: false
|
|
|
|
# The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
|
|
# The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
|
|
# Please be aware that a placeholder is required for the Service Desk feature to work.
|
|
address: "gitlab-incoming+%{key}@gmail.com"
|
|
|
|
# Email account username
|
|
# With third party providers, this is usually the full email address.
|
|
# With self-hosted email servers, this is usually the user part of the email address.
|
|
user: "gitlab-incoming@gmail.com"
|
|
# Email account password
|
|
password: "[REDACTED]"
|
|
|
|
# IMAP server host
|
|
host: "imap.gmail.com"
|
|
# IMAP server port
|
|
port: 993
|
|
# Whether the IMAP server uses SSL
|
|
ssl: true
|
|
# Whether the IMAP server uses StartTLS
|
|
start_tls: false
|
|
|
|
# The mailbox where incoming mail will end up. Usually "inbox".
|
|
mailbox: "inbox"
|
|
# The IDLE command timeout.
|
|
idle_timeout: 60
|
|
# The log file path for the structured log file.
|
|
# Since `mail_room` is run independently of Rails, an absolute path is preferred.
|
|
# The default is 'log/mail_room_json.log' relative to the root of the Rails app.
|
|
#
|
|
# log_path: log/mail_room_json.log
|
|
|
|
# Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery
|
|
expunge_deleted: false
|
|
|
|
# For Microsoft Graph support
|
|
# inbox_method: microsoft_graph
|
|
# inbox_options:
|
|
# tenant_id: "YOUR-TENANT-ID"
|
|
# client_id: "YOUR-CLIENT-ID"
|
|
# client_secret: "YOUR-CLIENT-SECRET"
|
|
|
|
## Consolidated object store config
|
|
## This will only take effect if the object_store sections are not defined
|
|
## within the types (e.g. artifacts, lfs, etc.).
|
|
# object_store:
|
|
# enabled: false
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
# connection:
|
|
# provider: AWS # Only AWS supported at the moment
|
|
# aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
# aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
# region: us-east-1
|
|
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
# endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
|
|
# storage_options:
|
|
# server_side_encryption: AES256 # AES256, aws:kms
|
|
# server_side_encryption_kms_key_id: # Amazon Resource Name. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
|
|
# objects:
|
|
# artifacts:
|
|
# bucket: artifacts
|
|
# external_diffs:
|
|
# bucket: external-diffs
|
|
# lfs:
|
|
# bucket: lfs-objects
|
|
# uploads:
|
|
# bucket: uploads
|
|
# packages:
|
|
# bucket: packages
|
|
# dependency_proxy:
|
|
# bucket: dependency_proxy
|
|
|
|
## Build Artifacts
|
|
artifacts:
|
|
enabled: true
|
|
# The location where build artifacts are stored (default: shared/artifacts).
|
|
# path: shared/artifacts
|
|
# object_store:
|
|
# enabled: false
|
|
# remote_directory: artifacts # The bucket name
|
|
# background_upload: false # Temporary option to limit automatic upload (Default: true)
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
# connection:
|
|
# provider: AWS # Only AWS supported at the moment
|
|
# aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
# aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
# region: us-east-1
|
|
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
# endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
|
|
|
|
## Merge request external diff storage
|
|
external_diffs:
|
|
# If disabled (the default), the diffs are in-database. Otherwise, they can
|
|
# be stored on disk, or in object storage
|
|
enabled: false
|
|
# The location where external diffs are stored (default: shared/lfs-external-diffs).
|
|
# storage_path: shared/external-diffs
|
|
# object_store:
|
|
# enabled: false
|
|
# remote_directory: external-diffs
|
|
# background_upload: false
|
|
# proxy_download: false
|
|
# connection:
|
|
# provider: AWS
|
|
# aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
# aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
# region: us-east-1
|
|
|
|
## Git LFS
|
|
lfs:
|
|
enabled: true
|
|
# The location where LFS objects are stored (default: shared/lfs-objects).
|
|
# storage_path: shared/lfs-objects
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: lfs-objects # Bucket name
|
|
# direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
|
|
# background_upload: false # Temporary option to limit automatic upload (Default: true)
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
# Use the following options to configure an AWS compatible host
|
|
# host: 'localhost' # default: s3.amazonaws.com
|
|
# endpoint: 'http://127.0.0.1:9000' # default: nil
|
|
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
|
|
|
|
## Uploads (attachments, avatars, etc...)
|
|
uploads:
|
|
# The location where uploads objects are stored (default: public/).
|
|
# storage_path: public/
|
|
# base_dir: uploads/-/system
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: uploads # Bucket name
|
|
# direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
|
|
# background_upload: false # Temporary option to limit automatic upload (Default: true)
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
region: us-east-1
|
|
# host: 'localhost' # default: s3.amazonaws.com
|
|
# endpoint: 'http://127.0.0.1:9000' # default: nil
|
|
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
|
|
|
|
## Packages (maven repository, npm registry, etc...)
|
|
packages:
|
|
enabled: true
|
|
dpkg_deb_path: /usr/bin/dpkg-deb
|
|
# The location where build packages are stored (default: shared/packages).
|
|
# storage_path: shared/packages
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: packages # The bucket name
|
|
# direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
|
|
# background_upload: false # Temporary option to limit automatic upload (Default: true)
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
# host: 'localhost' # default: s3.amazonaws.com
|
|
# endpoint: 'http://127.0.0.1:9000' # default: nil
|
|
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
|
|
|
|
## Dependency Proxy
|
|
dependency_proxy:
|
|
enabled: true
|
|
# The location where build packages are stored (default: shared/dependency_proxy).
|
|
# storage_path: shared/dependency_proxy
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: dependency_proxy # The bucket name
|
|
# direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
|
|
# background_upload: false # Temporary option to limit automatic upload (Default: true)
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
# host: 'localhost' # default: s3.amazonaws.com
|
|
# endpoint: 'http://127.0.0.1:9000' # default: nil
|
|
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
|
|
|
|
## Terraform state
|
|
terraform_state:
|
|
enabled: true
|
|
# The location where Terraform state files are stored (default: shared/terraform_state).
|
|
# storage_path: shared/terraform_state
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: terraform # The bucket name
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
# host: 'localhost' # default: s3.amazonaws.com
|
|
# endpoint: 'http://127.0.0.1:9000' # default: nil
|
|
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
|
|
|
|
## GitLab Pages
|
|
pages:
|
|
enabled: false
|
|
access_control: false
|
|
# The location where pages are stored (default: shared/pages).
|
|
# path: shared/pages
|
|
|
|
# The domain under which the pages are served:
|
|
# http://group.example.com/project
|
|
# or project path can be a group page: group.example.com
|
|
host: example.com
|
|
port: 80 # Set to 443 if you serve the pages with HTTPS
|
|
https: false # Set to true if you serve the pages with HTTPS
|
|
artifacts_server: true # Set to false if you want to disable online view of HTML artifacts
|
|
# external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
|
|
# external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
|
|
|
|
# File that contains the shared secret key for verifying access for gitlab-pages.
|
|
# Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app).
|
|
# secret_file: /home/git/gitlab/.gitlab_pages_secret
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: pages # The bucket name
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
local_store:
|
|
enabled: true
|
|
# The location where pages are stored (default: shared/pages).
|
|
# path: shared/pages
|
|
|
|
## Mattermost
|
|
## For enabling Add to Mattermost button
|
|
mattermost:
|
|
enabled: false
|
|
host: 'https://mattermost.example.com'
|
|
|
|
## Gravatar
|
|
## If using gravatar.com, there's nothing to change here. For Libravatar
|
|
## you'll need to provide the custom URLs. For more information,
|
|
## see: https://docs.gitlab.com/ee/administration/libravatar.html
|
|
gravatar:
|
|
# Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username}
|
|
# plain_url: "http://..." # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
|
|
# ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
|
|
|
|
## Sidekiq
|
|
sidekiq:
|
|
log_format: json # (default is the original format)
|
|
# An array of tuples indicating the rules for re-routing a worker to a
|
|
# desirable queue before scheduling. For example:
|
|
# routing_rules:
|
|
# - ["resource_boundary=cpu", "cpu_boundary"]
|
|
# - ["feature_category=pages", null]
|
|
# - ["*", "default"]
|
|
|
|
## Auxiliary jobs
|
|
# Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
|
|
# Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
|
|
cron_jobs:
|
|
# Flag stuck CI jobs as failed
|
|
stuck_ci_jobs_worker:
|
|
cron: "0 * * * *"
|
|
# Execute scheduled triggers
|
|
pipeline_schedule_worker:
|
|
cron: "3-59/10 * * * *"
|
|
# Remove expired build artifacts
|
|
expire_build_artifacts_worker:
|
|
cron: "*/7 * * * *"
|
|
# Remove expired pipeline artifacts
|
|
ci_pipelines_expire_artifacts_worker:
|
|
cron: "*/23 * * * *"
|
|
# Remove files from object storage
|
|
ci_schedule_delete_objects_worker:
|
|
cron: "*/16 * * * *"
|
|
# Stop expired environments
|
|
environments_auto_stop_cron_worker:
|
|
cron: "24 * * * *"
|
|
# Periodically run 'git fsck' on all repositories. If started more than
|
|
# once per hour you will have concurrent 'git fsck' jobs.
|
|
repository_check_worker:
|
|
cron: "20 * * * *"
|
|
# Archive live traces which have not been archived yet
|
|
ci_archive_traces_cron_worker:
|
|
cron: "17 * * * *"
|
|
# Send admin emails once a week
|
|
admin_email_worker:
|
|
cron: "0 0 * * 0"
|
|
# Send emails for personal tokens which are about to expire
|
|
personal_access_tokens_expiring_worker:
|
|
cron: "0 1 * * *"
|
|
|
|
# Remove outdated repository archives
|
|
repository_archive_cache_worker:
|
|
cron: "0 * * * *"
|
|
|
|
# Verify custom GitLab Pages domains
|
|
pages_domain_verification_cron_worker:
|
|
cron: "*/15 * * * *"
|
|
|
|
# Periodically migrate diffs from the database to external storage
|
|
schedule_migrate_external_diffs_worker:
|
|
cron: "15 * * * *"
|
|
|
|
# Update CI Platform Metrics daily
|
|
ci_platform_metrics_update_cron_worker:
|
|
cron: "47 9 * * *"
|
|
|
|
# GitLab EE only jobs. These jobs are automatically enabled for an EE
|
|
# installation, and ignored for a CE installation.
|
|
ee_cron_jobs:
|
|
# Schedule snapshots for all devops adoption segments
|
|
analytics_devops_adoption_create_all_snapshots_worker:
|
|
cron: 0 4 * * 0
|
|
|
|
# Snapshot active users statistics
|
|
historical_data_worker:
|
|
cron: "0 12 * * *"
|
|
|
|
# In addition to refreshing users when they log in,
|
|
# periodically refresh LDAP users membership.
|
|
# NOTE: This will only take effect if LDAP is enabled
|
|
ldap_sync_worker:
|
|
cron: "30 1 * * *"
|
|
|
|
# Periodically refresh LDAP groups membership.
|
|
# NOTE: This will only take effect if LDAP is enabled
|
|
ldap_group_sync_worker:
|
|
cron: "0 * * * *"
|
|
|
|
# GitLab Geo metrics update worker
|
|
# NOTE: This will only take effect if Geo is enabled
|
|
geo_metrics_update_worker:
|
|
cron: "*/1 * * * *"
|
|
|
|
# GitLab Geo prune event log worker
|
|
# NOTE: This will only take effect if Geo is enabled (primary node only)
|
|
geo_prune_event_log_worker:
|
|
cron: "*/5 * * * *"
|
|
|
|
# GitLab Geo repository sync worker
|
|
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
|
|
geo_repository_sync_worker:
|
|
cron: "*/1 * * * *"
|
|
|
|
# GitLab Geo registry backfill worker
|
|
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
|
|
geo_secondary_registry_consistency_worker:
|
|
cron: "* * * * *"
|
|
|
|
# GitLab Geo file download dispatch worker
|
|
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
|
|
geo_file_download_dispatch_worker:
|
|
cron: "*/1 * * * *"
|
|
|
|
# GitLab Geo registry sync worker (for backfilling)
|
|
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
|
|
geo_registry_sync_worker:
|
|
cron: "*/1 * * * *"
|
|
|
|
# Export pseudonymized data in CSV format for analysis
|
|
pseudonymizer_worker:
|
|
cron: "0 * * * *"
|
|
|
|
# Elasticsearch bulk updater for incremental updates.
|
|
# NOTE: This will only take effect if elasticsearch is enabled.
|
|
elastic_index_bulk_cron_worker:
|
|
cron: "*/1 * * * *"
|
|
|
|
# Elasticsearch bulk updater for initial updates.
|
|
# NOTE: This will only take effect if elasticsearch is enabled.
|
|
elastic_index_initial_bulk_cron_worker:
|
|
cron: "*/1 * * * *"
|
|
|
|
# Elasticsearch reindexing worker
|
|
# NOTE: This will only take effect if elasticsearch is enabled.
|
|
elastic_index_initial_bulk_cron_worker:
|
|
cron: "*/10 * * * *"
|
|
|
|
registry:
|
|
# enabled: true
|
|
# host: registry.example.com
|
|
# port: 5005
|
|
# api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
|
|
# key: config/registry.key
|
|
# path: shared/registry
|
|
# issuer: gitlab-issuer
|
|
# notification_secret: '' # only set it when you use Geo replication feature without built-in Registry
|
|
|
|
# Add notification settings if you plan to use Geo Replication for the registry
|
|
# notifications:
|
|
# - name: geo_event
|
|
# url: https://example.com/api/v4/container_registry_event/events
|
|
# timeout: 2s
|
|
# threshold: 5
|
|
# backoff: 1s
|
|
# headers:
|
|
# Authorization: secret_phrase
|
|
|
|
## Error Reporting and Logging with Sentry
|
|
sentry:
|
|
# enabled: false
|
|
# dsn: https://<key>@sentry.io/<project>
|
|
# clientside_dsn: https://<key>@sentry.io/<project>
|
|
# environment: 'production' # e.g. development, staging, production
|
|
|
|
## Geo
|
|
# NOTE: These settings will only take effect if Geo is enabled
|
|
geo:
|
|
# This is an optional identifier which Geo nodes can use to identify themselves.
|
|
# For example, if external_url is the same for two secondaries, you must specify
|
|
# a unique Geo node name for those secondaries.
|
|
#
|
|
# If it is blank, it defaults to external_url.
|
|
node_name: ''
|
|
|
|
registry_replication:
|
|
# enabled: true
|
|
# primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API
|
|
|
|
## Feature Flag https://docs.gitlab.com/ee/operations/feature_flags.html
|
|
feature_flags:
|
|
unleash:
|
|
# enabled: false
|
|
# url: https://gitlab.com/api/v4/feature_flags/unleash/<project_id>
|
|
# app_name: gitlab.com # Environment name of your GitLab instance
|
|
# instance_id: INSTANCE_ID
|
|
|
|
#
|
|
# 2. GitLab CI settings
|
|
# ==========================
|
|
|
|
gitlab_ci:
|
|
# Default project notifications settings:
|
|
#
|
|
# Send emails only on broken builds (default: true)
|
|
# all_broken_builds: true
|
|
#
|
|
# Add pusher to recipients list (default: false)
|
|
# add_pusher: true
|
|
|
|
# The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
|
|
# builds_path: builds/
|
|
|
|
#
|
|
# 3. Auth settings
|
|
# ==========================
|
|
|
|
## LDAP settings
|
|
# You can test connections and inspect a sample of the LDAP users with login
|
|
# access by running:
|
|
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
|
|
ldap:
|
|
enabled: false
|
|
prevent_ldap_sign_in: false
|
|
|
|
# File location to read encrypted secrets from
|
|
# secret_file: /mnt/gitlab/ldap.yaml.enc # Default: shared/encrypted_settings/ldap.yaml.enc
|
|
|
|
# This setting controls the number of seconds between LDAP permission checks
|
|
# for each user. After this time has expired for a given user, their next
|
|
# interaction with GitLab (a click in the web UI, a git pull, etc.) will be
|
|
# slower because the LDAP permission check is being performed. How much
|
|
# slower depends on your LDAP setup, but it is not uncommon for this check
|
|
# to add seconds of waiting time. The default value is to have a "slow
|
|
# click" once every 3600 seconds (i.e., once per hour).
|
|
#
|
|
# Warning: if you set this value too low, every click in GitLab will be a
|
|
# "slow click" for all of your LDAP users.
|
|
# sync_time: 3600
|
|
|
|
servers:
|
|
##########################################################################
|
|
#
|
|
# Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
|
|
# Enterprise Edition now supports connecting to multiple LDAP servers.
|
|
#
|
|
# If you are updating from the old (pre-7.4) syntax, you MUST give your
|
|
# old server the ID 'main'.
|
|
#
|
|
##########################################################################
|
|
main: # 'main' is the GitLab 'provider ID' of this LDAP server
|
|
## label
|
|
#
|
|
# A human-friendly name for your LDAP server. It is OK to change the label later,
|
|
# for instance if you find out it is too large to fit on the web page.
|
|
#
|
|
# Example: 'Paris' or 'Acme, Ltd.'
|
|
label: 'LDAP'
|
|
|
|
# Example: 'ldap.mydomain.com'
|
|
host: '_your_ldap_server'
|
|
# This port is an example, it is sometimes different but it is always an integer and not a string
|
|
port: 389 # usually 636 for SSL
|
|
uid: 'sAMAccountName' # This should be the attribute, not the value that maps to uid.
|
|
|
|
# Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com'
|
|
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
|
|
password: '_the_password_of_the_bind_user'
|
|
|
|
# Encryption method. The "method" key is deprecated in favor of
|
|
# "encryption".
|
|
#
|
|
# Examples: "start_tls" or "simple_tls" or "plain"
|
|
#
|
|
# Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
|
|
# replaced with "simple_tls".
|
|
#
|
|
encryption: 'plain'
|
|
|
|
# Enables SSL certificate verification if encryption method is
|
|
# "start_tls" or "simple_tls". Defaults to true.
|
|
verify_certificates: true
|
|
|
|
# OpenSSL::SSL::SSLContext options.
|
|
tls_options:
|
|
# Specifies the path to a file containing a PEM-format CA certificate,
|
|
# e.g. if you need to use an internal CA.
|
|
#
|
|
# Example: '/etc/ca.pem'
|
|
#
|
|
ca_file: ''
|
|
|
|
# Specifies the SSL version for OpenSSL to use, if the OpenSSL default
|
|
# is not appropriate.
|
|
#
|
|
# Example: 'TLSv1_1'
|
|
#
|
|
ssl_version: ''
|
|
|
|
# Specific SSL ciphers to use in communication with LDAP servers.
|
|
#
|
|
# Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
|
|
ciphers: ''
|
|
|
|
# Client certificate
|
|
#
|
|
# Example:
|
|
# cert: |
|
|
# -----BEGIN CERTIFICATE-----
|
|
# MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
|
|
# bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
|
|
# CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4
|
|
# rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
|
|
# ...
|
|
# 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80
|
|
# Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==
|
|
# -----END CERTIFICATE -----
|
|
cert: ''
|
|
|
|
# Client private key
|
|
# key: |
|
|
# -----BEGIN PRIVATE KEY-----
|
|
# MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6
|
|
# bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN
|
|
# 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C
|
|
# rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
|
|
# ...
|
|
# +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9
|
|
# l6RG+a/mW+0rCWn8JAd464Ps9hE=
|
|
# -----END PRIVATE KEY-----
|
|
key: ''
|
|
|
|
# Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
|
|
# a request if the LDAP server becomes unresponsive.
|
|
# A value of 0 means there is no timeout.
|
|
timeout: 10
|
|
|
|
# Enable smartcard authentication against the LDAP server. Valid values
|
|
# are "false", "optional", and "required".
|
|
smartcard_auth: false
|
|
|
|
# This setting specifies if LDAP server is Active Directory LDAP server.
|
|
# For non AD servers it skips the AD specific queries.
|
|
# If your LDAP server is not AD, set this to false.
|
|
active_directory: true
|
|
|
|
# If allow_username_or_email_login is enabled, GitLab will ignore everything
|
|
# after the first '@' in the LDAP username submitted by the user on login.
|
|
#
|
|
# Example:
|
|
# - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
|
|
# - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
|
|
#
|
|
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
|
|
# disable this setting, because the userPrincipalName contains an '@'.
|
|
allow_username_or_email_login: false
|
|
|
|
# To maintain tight control over the number of active users on your GitLab installation,
|
|
# enable this setting to keep new users blocked until they have been cleared by the admin
|
|
# (default: false).
|
|
block_auto_created_users: false
|
|
|
|
# Base where we can search for users
|
|
#
|
|
# Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com'
|
|
#
|
|
base: ''
|
|
|
|
# Filter LDAP users
|
|
#
|
|
# Format: RFC 4515 https://tools.ietf.org/search/rfc4515
|
|
# Ex. (employeeType=developer)
|
|
#
|
|
# Note: GitLab does not support omniauth-ldap's custom filter syntax.
|
|
#
|
|
# Example for getting only specific users:
|
|
# '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'
|
|
#
|
|
user_filter: ''
|
|
|
|
# Base where we can search for groups
|
|
#
|
|
# Ex. ou=Groups,dc=gitlab,dc=example
|
|
#
|
|
group_base: ''
|
|
|
|
# LDAP group of users who should be admins in GitLab
|
|
#
|
|
# Ex. GLAdmins
|
|
#
|
|
admin_group: ''
|
|
|
|
# LDAP group of users who should be marked as external users in GitLab
|
|
#
|
|
# Ex. ['Contractors', 'Interns']
|
|
#
|
|
external_groups: []
|
|
|
|
# Name of attribute which holds a ssh public key of the user object.
|
|
# If false or nil, SSH key syncronisation will be disabled.
|
|
#
|
|
# Ex. sshpublickey
|
|
#
|
|
sync_ssh_keys: false
|
|
|
|
# LDAP attributes that GitLab will use to create an account for the LDAP user.
|
|
# The specified attribute can either be the attribute name as a string (e.g. 'mail'),
|
|
# or an array of attribute names to try in order (e.g. ['mail', 'email']).
|
|
# Note that the user's LDAP login will always be the attribute specified as `uid` above.
|
|
attributes:
|
|
# The username will be used in paths for the user's own projects
|
|
# (like `gitlab.example.com/username/project`) and when mentioning
|
|
# them in issues, merge request and comments (like `@username`).
|
|
# If the attribute specified for `username` contains an email address,
|
|
# the GitLab username will be the part of the email address before the '@'.
|
|
username: ['uid', 'userid', 'sAMAccountName']
|
|
email: ['mail', 'email', 'userPrincipalName']
|
|
|
|
# If no full name could be found at the attribute specified for `name`,
|
|
# the full name is determined using the attributes specified for
|
|
# `first_name` and `last_name`.
|
|
name: 'cn'
|
|
first_name: 'givenName'
|
|
last_name: 'sn'
|
|
|
|
# If lowercase_usernames is enabled, GitLab will lower case the username.
|
|
lowercase_usernames: false
|
|
|
|
# GitLab EE only: add more LDAP servers
|
|
# Choose an ID made of a-z and 0-9 . This ID will be stored in the database
|
|
# so that GitLab can remember which LDAP server a user belongs to.
|
|
# uswest2:
|
|
# label:
|
|
# host:
|
|
# ....
|
|
|
|
## Smartcard authentication settings
|
|
smartcard:
|
|
# Allow smartcard authentication
|
|
enabled: false
|
|
|
|
# Path to a file containing a CA certificate bundle
|
|
ca_file: '/etc/ssl/certs/CA.pem'
|
|
|
|
# Host and port where the client side certificate is requested by the
|
|
# webserver (NGINX/Apache)
|
|
# client_certificate_required_host: smartcard.gitlab.example.com
|
|
# client_certificate_required_port: 3444
|
|
|
|
# Browser session with smartcard sign-in is required for Git access
|
|
# required_for_git_access: false
|
|
|
|
# Use X.509 SAN extensions certificates to identify GitLab users
|
|
# Add a subjectAltName to your certificates like: email:user
|
|
# san_extensions: true
|
|
|
|
## Kerberos settings
|
|
kerberos:
|
|
# Allow the HTTP Negotiate authentication method for Git clients
|
|
enabled: false
|
|
|
|
# Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
|
|
# and should be different from other keytabs in the system.
|
|
# (default: use default keytab from Krb5 config)
|
|
# keytab: /etc/http.keytab
|
|
|
|
# The Kerberos service name to be used by GitLab.
|
|
# (default: accept any service name in keytab file)
|
|
# service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM
|
|
|
|
# Kerberos realms/domains that are allowed to automatically link LDAP identities.
|
|
# By default, GitLab accepts a realm that matches the domain derived from the
|
|
# LDAP `base` DN. For example, `ou=users,dc=example,dc=com` would allow users
|
|
# with a realm matching `example.com`.
|
|
# simple_ldap_linking_allowed_realms: ['example.com','kerberos.example.com']
|
|
|
|
# Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
|
|
# To support both Basic and Negotiate methods with older versions of Git, configure
|
|
# nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
|
|
# to dedicate this port to Kerberos authentication. (default: false)
|
|
# use_dedicated_port: true
|
|
# port: 8443
|
|
# https: true
|
|
|
|
## OmniAuth settings
|
|
omniauth:
|
|
# Allow login via Twitter, Google, etc. using OmniAuth providers
|
|
# enabled: true
|
|
|
|
# Uncomment this to automatically sign in with a specific omniauth provider's without
|
|
# showing GitLab's sign-in page (default: show the GitLab sign-in page)
|
|
# auto_sign_in_with_provider: saml
|
|
|
|
# Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).
|
|
# Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"],
|
|
# or as true/false to allow all providers or none.
|
|
# When authenticating using LDAP, the user's email is always synced.
|
|
# sync_profile_from_provider: []
|
|
|
|
# Select which info to sync from the providers above. (default: email).
|
|
# Define the synced profile info using an array. Available options are "name", "email" and "location"
|
|
# e.g. ["name", "email", "location"] or as true to sync all available.
|
|
# This consequently will make the selected attributes read-only.
|
|
# sync_profile_attributes: true
|
|
|
|
# CAUTION!
|
|
# This allows users to login without having a user account first. Define the allowed providers
|
|
# using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
|
|
# User accounts will be created automatically when authentication was successful.
|
|
allow_single_sign_on: ["saml"]
|
|
|
|
# Locks down those users until they have been cleared by the admin (default: true).
|
|
block_auto_created_users: true
|
|
# Look up new users in LDAP servers. If a match is found (same uid), automatically
|
|
# link the omniauth identity with the LDAP account. (default: false)
|
|
auto_link_ldap_user: false
|
|
|
|
# Allow users with existing accounts to login and auto link their account via SAML
|
|
# login, without having to do a manual login first and manually add SAML
|
|
# (default: false)
|
|
auto_link_saml_user: false
|
|
|
|
# Allow users with existing accounts to sign in and auto link their account via OmniAuth
|
|
# login, without having to do a manual login first and manually add OmniAuth. Links on email.
|
|
# Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to
|
|
# allow all providers or none.
|
|
# (default: false)
|
|
auto_link_user: ["saml", "twitter"]
|
|
|
|
# Set different Omniauth providers as external so that all users creating accounts
|
|
# via these providers will not be able to have access to internal projects. You
|
|
# will need to use the full name of the provider, like `google_oauth2` for Google.
|
|
# Refer to the examples below for the full names of the supported providers.
|
|
# (default: [])
|
|
external_providers: []
|
|
|
|
# CAUTION!
|
|
# This allows users to login with the specified providers without two factor. Define the allowed providers
|
|
# using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none.
|
|
# This option should only be configured for providers which already have two factor.
|
|
# This configration dose not apply to SAML.
|
|
# (default: false)
|
|
allow_bypass_two_factor: ["twitter", 'google_oauth2']
|
|
|
|
## Auth providers
|
|
# Uncomment the following lines and fill in the data of the auth provider you want to use
|
|
# If your favorite auth provider is not listed you can use others:
|
|
# see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
|
|
# The 'app_id' and 'app_secret' parameters are always passed as the first two
|
|
# arguments, followed by optional 'args' which can be either a hash or an array.
|
|
# Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
|
|
providers:
|
|
# See omniauth-cas3 for more configuration details
|
|
# - { name: 'cas3',
|
|
# label: 'cas3',
|
|
# args: {
|
|
# url: 'https://sso.example.com',
|
|
# disable_ssl_verification: false,
|
|
# login_url: '/cas/login',
|
|
# service_validate_url: '/cas/p3/serviceValidate',
|
|
# logout_url: '/cas/logout'} }
|
|
# - { name: 'authentiq',
|
|
# # for client credentials (client ID and secret), go to https://www.authentiq.com/developers
|
|
# app_id: 'YOUR_CLIENT_ID',
|
|
# app_secret: 'YOUR_CLIENT_SECRET',
|
|
# args: {
|
|
# scope: 'aq:name email~rs address aq:push'
|
|
# # callback_url parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
|
|
# # callback_url: 'YOUR_CALLBACK_URL'
|
|
# }
|
|
# }
|
|
# - { name: 'github',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET',
|
|
# url: "https://github.com/",
|
|
# verify_ssl: true,
|
|
# args: { scope: 'user:email' } }
|
|
# - { name: 'bitbucket',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET' }
|
|
# - { name: 'gitlab',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET',
|
|
# args: { scope: 'api' } }
|
|
# - { name: 'google_oauth2',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET',
|
|
# args: { access_type: 'offline', approval_prompt: '' } }
|
|
# - { name: 'facebook',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET' }
|
|
# - { name: 'twitter',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET' }
|
|
# - { name: 'jwt',
|
|
# args: {
|
|
# secret: 'YOUR_APP_SECRET',
|
|
# algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512'
|
|
# uid_claim: 'email',
|
|
# required_claims: ['name', 'email'],
|
|
# info_map: { name: 'name', email: 'email' },
|
|
# auth_url: 'https://example.com/',
|
|
# valid_within: 3600 # 1 hour
|
|
# }
|
|
# }
|
|
# - { name: 'saml',
|
|
# label: 'Our SAML Provider',
|
|
# groups_attribute: 'Groups',
|
|
# external_groups: ['Contractors', 'Freelancers'],
|
|
# args: {
|
|
# assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
|
|
# idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
|
|
# idp_sso_target_url: 'https://login.example.com/idp',
|
|
# issuer: 'https://gitlab.example.com',
|
|
# name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
|
|
# } }
|
|
#
|
|
# - { name: 'group_saml' }
|
|
#
|
|
# - { name: 'crowd',
|
|
# args: {
|
|
# crowd_server_url: 'CROWD SERVER URL',
|
|
# application_name: 'YOUR_APP_NAME',
|
|
# application_password: 'YOUR_APP_PASSWORD' } }
|
|
#
|
|
# - { name: 'auth0',
|
|
# args: {
|
|
# client_id: 'YOUR_AUTH0_CLIENT_ID',
|
|
# client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
|
|
# namespace: 'YOUR_AUTH0_DOMAIN' } }
|
|
|
|
# SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
|
|
# cas3:
|
|
# session_duration: 28800
|
|
|
|
# FortiAuthenticator settings
|
|
forti_authenticator:
|
|
# Allow using FortiAuthenticator as OTP provider
|
|
enabled: false
|
|
|
|
# Host and port of FortiAuthenticator instance
|
|
# host: forti_authenticator.example.com
|
|
# port: 443
|
|
|
|
# Username for accessing FortiAuthenticator API
|
|
# username: john
|
|
|
|
# Access token for FortiAuthenticator API
|
|
# access_token: 123s3cr3t456
|
|
|
|
# FortiToken Cloud settings
|
|
forti_token_cloud:
|
|
# Allow using FortiToken Cloud as OTP provider
|
|
enabled: false
|
|
|
|
# Client ID and Secret to access FortiToken Cloud API
|
|
# client_id: 'YOUR_FORTI_TOKEN_CLOUD_CLIENT_ID'
|
|
# client_secret: 'YOUR_FORTI_TOKEN_CLOUD_CLIENT_SECRET'
|
|
|
|
# Shared file storage settings
|
|
shared:
|
|
# path: /mnt/gitlab # Default: shared
|
|
|
|
# Encrypted Settings configuration
|
|
encrypted_settings:
|
|
# path: /mnt/gitlab/encrypted_settings # Default: shared/encrypted_settings
|
|
|
|
# Gitaly settings
|
|
gitaly:
|
|
# Path to the directory containing Gitaly client executables.
|
|
client_path: /home/git/gitaly
|
|
# Default Gitaly authentication token. Can be overridden per storage. Can
|
|
# be left blank when Gitaly is running locally on a Unix socket, which
|
|
# is the normal way to deploy Gitaly.
|
|
token:
|
|
|
|
#
|
|
# 4. Advanced settings
|
|
# ==========================
|
|
|
|
## Repositories settings
|
|
repositories:
|
|
# Paths where repositories can be stored. Give the canonicalized absolute pathname.
|
|
# IMPORTANT: None of the path components may be symlink, because
|
|
# gitlab-shell invokes Dir.pwd inside the repository path and that results
|
|
# real path not the symlink.
|
|
storages: # You must have at least a `default` storage path.
|
|
default:
|
|
path: /home/git/repositories/
|
|
gitaly_address: unix:/home/git/gitlab/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).
|
|
# gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.
|
|
|
|
## Backup settings
|
|
backup:
|
|
path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
|
|
# archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
|
|
# keep_time: 604800 # default: 0 (forever) (in seconds)
|
|
# pg_schema: public # default: nil, it means that all schemas will be backed up
|
|
# upload:
|
|
# # Fog storage connection settings, see http://fog.io/storage/ .
|
|
# connection:
|
|
# provider: AWS
|
|
# region: eu-west-1
|
|
# aws_access_key_id: AKIAKIAKI
|
|
# aws_secret_access_key: 'secret123'
|
|
# # The remote 'directory' to store your backups. For S3, this would be the bucket name.
|
|
# remote_directory: 'my.s3.bucket'
|
|
# # Use multipart uploads when file size reaches 100MB, see
|
|
# # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
|
|
# multipart_chunk_size: 104857600
|
|
# # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
|
|
# # encryption: 'AES256'
|
|
# # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
|
|
# # This should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data.
|
|
# # 'encryption' must also be set in order for this to have any effect.
|
|
# # encryption_key: '<key>'
|
|
# # Specifies Amazon S3 storage class to use for backups, this is optional
|
|
# # storage_class: 'STANDARD'
|
|
|
|
## Pseudonymizer exporter
|
|
pseudonymizer:
|
|
# Tables manifest that specifies the fields to extract and pseudonymize.
|
|
manifest: config/pseudonymizer.yml
|
|
upload:
|
|
remote_directory: 'gitlab-elt'
|
|
# Fog storage connection settings, see http://fog.io/storage/ .
|
|
connection:
|
|
# provider: AWS
|
|
# region: eu-west-1
|
|
# aws_access_key_id: AKIAKIAKI
|
|
# aws_secret_access_key: 'secret123'
|
|
# # The remote 'directory' to store the CSV files. For S3, this would be the bucket name.
|
|
|
|
## GitLab Shell settings
|
|
gitlab_shell:
|
|
path: /home/git/gitlab-shell/
|
|
authorized_keys_file: /home/git/.ssh/authorized_keys
|
|
|
|
# File that contains the secret key for verifying access for gitlab-shell.
|
|
# Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
|
|
# secret_file: /home/git/gitlab/.gitlab_shell_secret
|
|
|
|
# Git over HTTP
|
|
upload_pack: true
|
|
receive_pack: true
|
|
|
|
# Git import/fetch timeout, in seconds. Defaults to 3 hours.
|
|
# git_timeout: 10800
|
|
|
|
# If you use non-standard ssh port you need to specify it
|
|
# ssh_port: 22
|
|
|
|
workhorse:
|
|
# File that contains the secret key for verifying access for gitlab-workhorse.
|
|
# Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
|
|
# secret_file: /home/git/gitlab/.gitlab_workhorse_secret
|
|
|
|
gitlab_kas:
|
|
# enabled: true
|
|
# File that contains the secret key for verifying access for gitlab-kas.
|
|
# Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app).
|
|
# secret_file: /home/git/gitlab/.gitlab_kas_secret
|
|
|
|
# The URL to the external KAS API (used by the Kubernetes agents)
|
|
# external_url: wss://kas.example.com
|
|
|
|
# The URL to the internal KAS API (used by the GitLab backend)
|
|
# internal_url: grpc://localhost:8153
|
|
|
|
## GitLab Elasticsearch settings
|
|
elasticsearch:
|
|
indexer_path: /home/git/gitlab-elasticsearch-indexer/
|
|
|
|
## Git settings
|
|
# CAUTION!
|
|
# Use the default values unless you really know what you are doing
|
|
git:
|
|
bin_path: /usr/bin/git
|
|
|
|
## Webpack settings
|
|
# If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
|
|
# on a given port instead of serving directly from /assets/webpack. This is only indended for use
|
|
# in development.
|
|
webpack:
|
|
# dev_server:
|
|
# enabled: true
|
|
# host: localhost
|
|
# port: 3808
|
|
|
|
## Monitoring
|
|
# Built in monitoring settings
|
|
monitoring:
|
|
# Time between sampling of unicorn socket metrics, in seconds
|
|
# unicorn_sampler_interval: 10
|
|
# IP whitelist to access monitoring endpoints
|
|
ip_whitelist:
|
|
- 127.0.0.0/8
|
|
|
|
# Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics
|
|
sidekiq_exporter:
|
|
# enabled: true
|
|
# log_enabled: false
|
|
# address: localhost
|
|
# port: 8082
|
|
|
|
# Web exporter is webserver built in to Unicorn/Puma to expose Prometheus metrics
|
|
# It runs alongside the `/metrics` endpoints to ease the publish of metrics
|
|
web_exporter:
|
|
# enabled: true
|
|
# address: localhost
|
|
# port: 8083
|
|
|
|
## Prometheus settings
|
|
# Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb
|
|
# if you installed GitLab via Omnibus.
|
|
# If you installed from source, you need to install and configure Prometheus
|
|
# yourself, and then update the values here.
|
|
# https://docs.gitlab.com/ee/administration/monitoring/prometheus/
|
|
prometheus:
|
|
# enabled: true
|
|
# server_address: 'localhost:9090'
|
|
|
|
## Consul settings
|
|
consul:
|
|
# api_url: 'http://localhost:8500'
|
|
|
|
shutdown:
|
|
# # blackout_seconds:
|
|
# # defines an interval to block healthcheck,
|
|
# # but continue accepting application requests
|
|
# # this allows Load Balancer to notice service
|
|
# # being shutdown and not interrupt any of the clients
|
|
# blackout_seconds: 10
|
|
|
|
#
|
|
# 5. Extra customization
|
|
# ==========================
|
|
|
|
extra:
|
|
## Google analytics. Uncomment if you want it
|
|
# google_analytics_id: '_your_tracking_id'
|
|
|
|
## Google tag manager
|
|
# google_tag_manager_id: '_your_tracking_id'
|
|
|
|
## Matomo analytics.
|
|
# matomo_url: '_your_matomo_url'
|
|
# matomo_site_id: '_your_matomo_site_id'
|
|
# matomo_disable_cookies: false
|
|
|
|
rack_attack:
|
|
git_basic_auth:
|
|
# Rack Attack IP banning enabled
|
|
# enabled: true
|
|
#
|
|
# Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
|
|
# ip_whitelist: ["127.0.0.1"]
|
|
#
|
|
# Limit the number of Git HTTP authentication attempts per IP
|
|
# maxretry: 10
|
|
#
|
|
# Reset the auth attempt counter per IP after 60 seconds
|
|
# findtime: 60
|
|
#
|
|
# Ban an IP for one hour (3600s) after too many auth attempts
|
|
# bantime: 3600
|
|
|
|
development:
|
|
<<: *base
|
|
|
|
# We want to run web/sidekiq exporters for devs
|
|
# to catch errors from using them.
|
|
#
|
|
# We use random port to not block ability to run
|
|
# multiple instances of the service
|
|
monitoring:
|
|
sidekiq_exporter:
|
|
enabled: true
|
|
address: 127.0.0.1
|
|
port: 0
|
|
web_exporter:
|
|
enabled: true
|
|
address: 127.0.0.1
|
|
port: 0
|
|
|
|
test:
|
|
<<: *base
|
|
gravatar:
|
|
enabled: true
|
|
external_diffs:
|
|
enabled: false
|
|
# Diffs may be `always` external (the default), or they can be made external
|
|
# after they have become `outdated` (i.e., the MR is closed or a new version
|
|
# has been pushed).
|
|
# when: always
|
|
# The location where external diffs are stored (default: shared/external-diffs).
|
|
storage_path: tmp/tests/external-diffs
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: external-diffs # The bucket name
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
lfs:
|
|
enabled: false
|
|
# The location where LFS objects are stored (default: shared/lfs-objects).
|
|
# storage_path: shared/lfs-objects
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: lfs-objects # The bucket name
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
artifacts:
|
|
path: tmp/tests/artifacts
|
|
enabled: true
|
|
# The location where build artifacts are stored (default: shared/artifacts).
|
|
# path: shared/artifacts
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: artifacts # The bucket name
|
|
background_upload: false
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
uploads:
|
|
storage_path: tmp/tests/public
|
|
object_store:
|
|
enabled: false
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
|
|
terraform_state:
|
|
enabled: true
|
|
storage_path: tmp/tests/terraform_state
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: terraform
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
|
|
gitlab:
|
|
host: localhost
|
|
port: 80
|
|
|
|
content_security_policy:
|
|
enabled: true
|
|
report_only: false
|
|
directives:
|
|
base_uri:
|
|
child_src:
|
|
connect_src:
|
|
default_src: "'self'"
|
|
font_src:
|
|
form_action:
|
|
frame_ancestors: "'self'"
|
|
frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
|
|
img_src: "* data: blob:"
|
|
manifest_src:
|
|
media_src:
|
|
object_src: "'none'"
|
|
script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
|
|
style_src: "'self' 'unsafe-inline'"
|
|
worker_src: "'self' blob:"
|
|
report_uri:
|
|
|
|
# When you run tests we clone and set up gitlab-shell
|
|
# In order to set it up correctly you need to specify
|
|
# your system username you use to run GitLab
|
|
# user: YOUR_USERNAME
|
|
pages:
|
|
path: tmp/tests/pages
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: pages # The bucket name
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
local_store:
|
|
enabled: true
|
|
path: tmp/tests/pages
|
|
repositories:
|
|
storages:
|
|
default:
|
|
path: tmp/tests/repositories/
|
|
gitaly_address: unix:tmp/tests/gitaly/praefect.socket
|
|
|
|
gitaly:
|
|
client_path: tmp/tests/gitaly/_build/bin
|
|
token: secret
|
|
workhorse:
|
|
secret_file: tmp/gitlab_workhorse_test_secret
|
|
backup:
|
|
path: tmp/tests/backups
|
|
pseudonymizer:
|
|
manifest: config/pseudonymizer.yml
|
|
upload:
|
|
# The remote 'directory' to store the CSV files. For S3, this would be the bucket name.
|
|
remote_directory: gitlab-elt.test
|
|
# Fog storage connection settings, see http://fog.io/storage/
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
gitlab_shell:
|
|
path: tmp/tests/gitlab-shell/
|
|
authorized_keys_file: tmp/tests/authorized_keys
|
|
issues_tracker:
|
|
redmine:
|
|
title: "Redmine"
|
|
project_url: "http://redmine/projects/:issues_tracker_id"
|
|
issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
|
|
new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
|
|
jira:
|
|
title: "Jira"
|
|
url: https://sample_company.atlassian.net
|
|
project_key: PROJECT
|
|
|
|
omniauth:
|
|
# enabled: true
|
|
allow_single_sign_on: true
|
|
external_providers: []
|
|
|
|
providers:
|
|
- { name: 'cas3',
|
|
label: 'cas3',
|
|
args: { url: 'https://sso.example.com',
|
|
disable_ssl_verification: false,
|
|
login_url: '/cas/login',
|
|
service_validate_url: '/cas/p3/serviceValidate',
|
|
logout_url: '/cas/logout'} }
|
|
- { name: 'github',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET',
|
|
url: "https://github.com/",
|
|
verify_ssl: false,
|
|
args: { scope: 'user:email' } }
|
|
- { name: 'bitbucket',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET' }
|
|
- { name: 'gitlab',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET',
|
|
args: { scope: 'api' } }
|
|
- { name: 'google_oauth2',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET',
|
|
args: { access_type: 'offline', approval_prompt: '' } }
|
|
- { name: 'facebook',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET' }
|
|
- { name: 'twitter',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET' }
|
|
- { name: 'jwt',
|
|
app_secret: 'YOUR_APP_SECRET',
|
|
args: {
|
|
algorithm: 'HS256',
|
|
uid_claim: 'email',
|
|
required_claims: ["name", "email"],
|
|
info_map: { name: "name", email: "email" },
|
|
auth_url: 'https://example.com/',
|
|
valid_within: null,
|
|
}
|
|
}
|
|
- { name: 'auth0',
|
|
args: {
|
|
client_id: 'YOUR_AUTH0_CLIENT_ID',
|
|
client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
|
|
namespace: 'YOUR_AUTH0_DOMAIN' } }
|
|
- { name: 'authentiq',
|
|
app_id: 'YOUR_CLIENT_ID',
|
|
app_secret: 'YOUR_CLIENT_SECRET',
|
|
args: { scope: 'aq:name email~rs address aq:push' } }
|
|
- { name: 'salesforce',
|
|
app_id: 'YOUR_CLIENT_ID',
|
|
app_secret: 'YOUR_CLIENT_SECRET'
|
|
}
|
|
- { name: 'atlassian_oauth2',
|
|
app_id: 'YOUR_CLIENT_ID',
|
|
app_secret: 'YOUR_CLIENT_SECRET',
|
|
args: { scope: 'offline_access read:jira-user read:jira-work', prompt: 'consent' }
|
|
}
|
|
ldap:
|
|
enabled: false
|
|
servers:
|
|
main:
|
|
label: ldap
|
|
host: 127.0.0.1
|
|
port: 3890
|
|
uid: 'uid'
|
|
encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
|
|
base: 'dc=example,dc=com'
|
|
user_filter: ''
|
|
group_base: 'ou=groups,dc=example,dc=com'
|
|
admin_group: ''
|
|
prometheus:
|
|
enabled: true
|
|
server_address: 'localhost:9090'
|
|
|
|
staging:
|
|
<<: *base
|