5fbbd3dd6e
A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present.
1213 lines
48 KiB
Text
1213 lines
48 KiB
Text
# # # # # # # # # # # # # # # # # #
|
|
# GitLab application config file #
|
|
# # # # # # # # # # # # # # # # # #
|
|
#
|
|
########################### NOTE #####################################
|
|
# This file should not receive new settings. All configuration options #
|
|
# * are being moved to ApplicationSetting model! #
|
|
# If a setting requires an application restart say so in that screen. #
|
|
# If you change this file in a Merge Request, please also create #
|
|
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #
|
|
# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/0928cfb09f43993fd9454b0b14dbd1924b1407bc/doc/settings/gitlab.yml.md #
|
|
########################################################################
|
|
#
|
|
#
|
|
# How to use:
|
|
# 1. Copy file as gitlab.yml
|
|
# 2. Update gitlab -> host with your fully qualified domain name
|
|
# 3. Update gitlab -> email_from
|
|
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
|
|
# IMPORTANT: If Git was installed in a different location use that instead.
|
|
# You can check with `which git`. If a wrong path of Git is specified, it will
|
|
# result in various issues such as failures of GitLab CI builds.
|
|
# 5. Review this configuration file for other settings you may want to adjust
|
|
|
|
production: &base
|
|
#
|
|
# 1. GitLab app settings
|
|
# ==========================
|
|
|
|
## GitLab settings
|
|
gitlab:
|
|
## Web server settings (note: host is the FQDN, do not include http://)
|
|
host: localhost
|
|
port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
|
|
https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
|
|
|
|
# Uncomment this line below if your ssh host is different from HTTP/HTTPS one
|
|
# (you'd obviously need to replace ssh.host_example.com with your own host).
|
|
# Otherwise, ssh host will be set to the `host:` value above
|
|
# ssh_host: ssh.host_example.com
|
|
|
|
# Relative URL support
|
|
# WARNING: We recommend using an FQDN to host GitLab in a root path instead
|
|
# of using a relative URL.
|
|
# Documentation: http://doc.gitlab.com/ce/install/relative_url.html
|
|
# Uncomment and customize the following line to run in a non-root path
|
|
#
|
|
# relative_url_root: /gitlab
|
|
|
|
# Content Security Policy
|
|
# See https://guides.rubyonrails.org/security.html#content-security-policy
|
|
content_security_policy:
|
|
enabled: false
|
|
report_only: false
|
|
directives:
|
|
base_uri:
|
|
child_src:
|
|
connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000"
|
|
default_src: "'self'"
|
|
font_src:
|
|
form_action:
|
|
frame_ancestors: "'self'"
|
|
frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
|
|
img_src: "* data: blob"
|
|
manifest_src:
|
|
media_src:
|
|
object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
|
|
script_src:
|
|
style_src: "'self' 'unsafe-inline'"
|
|
worker_src: "http://localhost:3000 blob:"
|
|
report_uri:
|
|
|
|
# Trusted Proxies
|
|
# Customize if you have GitLab behind a reverse proxy which is running on a different machine.
|
|
# Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
|
|
trusted_proxies:
|
|
# Examples:
|
|
#- 192.168.1.0/24
|
|
#- 192.168.2.1
|
|
#- 2001:0db8::/32
|
|
|
|
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
|
|
# user: git
|
|
|
|
## Date & Time settings
|
|
# Uncomment and customize if you want to change the default time zone of GitLab application.
|
|
# To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
|
|
# time_zone: 'UTC'
|
|
|
|
## Email settings
|
|
# Uncomment and set to false if you need to disable email sending from GitLab (default: true)
|
|
# email_enabled: true
|
|
# Email address used in the "From" field in mails sent by GitLab
|
|
email_from: example@example.com
|
|
email_display_name: GitLab
|
|
email_reply_to: noreply@example.com
|
|
email_subject_suffix: ''
|
|
|
|
# Email server smtp settings are in config/initializers/smtp_settings.rb.sample
|
|
|
|
# default_can_create_group: false # default: true
|
|
# username_changing_enabled: false # default: true - User can change her username/namespace
|
|
## Default theme ID
|
|
## 1 - Indigo
|
|
## 2 - Dark
|
|
## 3 - Light
|
|
## 4 - Blue
|
|
## 5 - Green
|
|
## 6 - Light Indigo
|
|
## 7 - Light Blue
|
|
## 8 - Light Green
|
|
## 9 - Red
|
|
## 10 - Light Red
|
|
# default_theme: 1 # default: 1
|
|
|
|
## Automatic issue closing
|
|
# If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
|
|
# This happens when the commit is pushed or merged into the default branch of a project.
|
|
# When not specified the default issue_closing_pattern as specified below will be used.
|
|
# Tip: you can test your closing pattern at http://rubular.com.
|
|
# issue_closing_pattern: '\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
|
|
|
|
## Default project features settings
|
|
default_projects_features:
|
|
issues: true
|
|
merge_requests: true
|
|
wiki: true
|
|
snippets: true
|
|
builds: true
|
|
container_registry: true
|
|
|
|
## Webhook settings
|
|
# Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
|
|
# webhook_timeout: 10
|
|
|
|
## Repository downloads directory
|
|
# When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
|
|
# The default is 'shared/cache/archive/' relative to the root of the Rails app.
|
|
# repository_downloads_path: shared/cache/archive/
|
|
|
|
## Impersonation settings
|
|
impersonation_enabled: true
|
|
|
|
## Reply by email
|
|
# Allow users to comment on issues and merge requests by replying to notification emails.
|
|
# For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
|
|
incoming_email:
|
|
enabled: false
|
|
|
|
# The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
|
|
# The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
|
|
address: "gitlab-incoming+%{key}@gmail.com"
|
|
|
|
# Email account username
|
|
# With third party providers, this is usually the full email address.
|
|
# With self-hosted email servers, this is usually the user part of the email address.
|
|
user: "gitlab-incoming@gmail.com"
|
|
# Email account password
|
|
password: "[REDACTED]"
|
|
|
|
# IMAP server host
|
|
host: "imap.gmail.com"
|
|
# IMAP server port
|
|
port: 993
|
|
# Whether the IMAP server uses SSL
|
|
ssl: true
|
|
# Whether the IMAP server uses StartTLS
|
|
start_tls: false
|
|
|
|
# The mailbox where incoming mail will end up. Usually "inbox".
|
|
mailbox: "inbox"
|
|
# The IDLE command timeout.
|
|
idle_timeout: 60
|
|
|
|
## Build Artifacts
|
|
artifacts:
|
|
enabled: true
|
|
# The location where build artifacts are stored (default: shared/artifacts).
|
|
# path: shared/artifacts
|
|
# object_store:
|
|
# enabled: false
|
|
# remote_directory: artifacts # The bucket name
|
|
# background_upload: false # Temporary option to limit automatic upload (Default: true)
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
# connection:
|
|
# provider: AWS # Only AWS supported at the moment
|
|
# aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
# aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
# region: us-east-1
|
|
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
# endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
|
|
|
|
## Merge request external diff storage
|
|
external_diffs:
|
|
# If disabled (the default), the diffs are in-database. Otherwise, they can
|
|
# be stored on disk, or in object storage
|
|
enabled: false
|
|
# The location where external diffs are stored (default: shared/lfs-external-diffs).
|
|
# storage_path: shared/external-diffs
|
|
# object_store:
|
|
# enabled: false
|
|
# remote_directory: external-diffs
|
|
# background_upload: false
|
|
# proxy_download: false
|
|
# connection:
|
|
# provider: AWS
|
|
# aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
# aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
# region: us-east-1
|
|
|
|
## Git LFS
|
|
lfs:
|
|
enabled: true
|
|
# The location where LFS objects are stored (default: shared/lfs-objects).
|
|
# storage_path: shared/lfs-objects
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: lfs-objects # Bucket name
|
|
# direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
|
|
# background_upload: false # Temporary option to limit automatic upload (Default: true)
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
# Use the following options to configure an AWS compatible host
|
|
# host: 'localhost' # default: s3.amazonaws.com
|
|
# endpoint: 'http://127.0.0.1:9000' # default: nil
|
|
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
|
|
|
|
## Uploads (attachments, avatars, etc...)
|
|
uploads:
|
|
# The location where uploads objects are stored (default: public/).
|
|
# storage_path: public/
|
|
# base_dir: uploads/-/system
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: uploads # Bucket name
|
|
# direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
|
|
# background_upload: false # Temporary option to limit automatic upload (Default: true)
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
region: us-east-1
|
|
# host: 'localhost' # default: s3.amazonaws.com
|
|
# endpoint: 'http://127.0.0.1:9000' # default: nil
|
|
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
|
|
|
|
## Packages (maven repository, npm registry, etc...)
|
|
packages:
|
|
enabled: true
|
|
# The location where build packages are stored (default: shared/packages).
|
|
# storage_path: shared/packages
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: packages # The bucket name
|
|
# direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
|
|
# background_upload: false # Temporary option to limit automatic upload (Default: true)
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
# host: 'localhost' # default: s3.amazonaws.com
|
|
# endpoint: 'http://127.0.0.1:9000' # default: nil
|
|
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
|
|
|
|
## Dependency Proxy
|
|
dependency_proxy:
|
|
enabled: true
|
|
# The location where build packages are stored (default: shared/dependency_proxy).
|
|
# storage_path: shared/dependency_proxy
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: dependency_proxy # The bucket name
|
|
# direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
|
|
# background_upload: false # Temporary option to limit automatic upload (Default: true)
|
|
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
|
|
connection:
|
|
provider: AWS
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
# host: 'localhost' # default: s3.amazonaws.com
|
|
# endpoint: 'http://127.0.0.1:9000' # default: nil
|
|
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
|
|
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
|
|
|
|
## GitLab Pages
|
|
pages:
|
|
enabled: false
|
|
access_control: false
|
|
# The location where pages are stored (default: shared/pages).
|
|
# path: shared/pages
|
|
|
|
# The domain under which the pages are served:
|
|
# http://group.example.com/project
|
|
# or project path can be a group page: group.example.com
|
|
host: example.com
|
|
port: 80 # Set to 443 if you serve the pages with HTTPS
|
|
https: false # Set to true if you serve the pages with HTTPS
|
|
artifacts_server: true # Set to false if you want to disable online view of HTML artifacts
|
|
# external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
|
|
# external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
|
|
admin:
|
|
address: unix:/home/git/gitlab/tmp/sockets/private/pages-admin.socket # TCP connections are supported too (e.g. tcp://host:port)
|
|
|
|
## Mattermost
|
|
## For enabling Add to Mattermost button
|
|
mattermost:
|
|
enabled: false
|
|
host: 'https://mattermost.example.com'
|
|
|
|
## Gravatar
|
|
## If using gravatar.com, there's nothing to change here. For Libravatar
|
|
## you'll need to provide the custom URLs. For more information,
|
|
## see: https://docs.gitlab.com/ee/customization/libravatar.html
|
|
gravatar:
|
|
# Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username}
|
|
# plain_url: "http://..." # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
|
|
# ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
|
|
|
|
## Sidekiq
|
|
sidekiq:
|
|
log_format: default # (json is also supported)
|
|
|
|
## Auxiliary jobs
|
|
# Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
|
|
# Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
|
|
cron_jobs:
|
|
# Flag stuck CI jobs as failed
|
|
stuck_ci_jobs_worker:
|
|
cron: "0 * * * *"
|
|
# Execute scheduled triggers
|
|
pipeline_schedule_worker:
|
|
cron: "19 * * * *"
|
|
# Remove expired build artifacts
|
|
expire_build_artifacts_worker:
|
|
cron: "50 * * * *"
|
|
# Periodically run 'git fsck' on all repositories. If started more than
|
|
# once per hour you will have concurrent 'git fsck' jobs.
|
|
repository_check_worker:
|
|
cron: "20 * * * *"
|
|
# Archive live traces which have not been archived yet
|
|
ci_archive_traces_cron_worker:
|
|
cron: "17 * * * *"
|
|
# Send admin emails once a week
|
|
admin_email_worker:
|
|
cron: "0 0 * * 0"
|
|
|
|
# Remove outdated repository archives
|
|
repository_archive_cache_worker:
|
|
cron: "0 * * * *"
|
|
|
|
# Verify custom GitLab Pages domains
|
|
pages_domain_verification_cron_worker:
|
|
cron: "*/15 * * * *"
|
|
|
|
# Periodically migrate diffs from the database to external storage
|
|
schedule_migrate_external_diffs_worker:
|
|
cron: "15 * * * *"
|
|
|
|
# GitLab EE only jobs. These jobs are automatically enabled for an EE
|
|
# installation, and ignored for a CE installation.
|
|
ee_cron_jobs:
|
|
# Snapshot active users statistics
|
|
historical_data_worker:
|
|
cron: "0 12 * * *"
|
|
|
|
# In addition to refreshing users when they log in,
|
|
# periodically refresh LDAP users membership.
|
|
# NOTE: This will only take effect if LDAP is enabled
|
|
ldap_sync_worker:
|
|
cron: "30 1 * * *"
|
|
|
|
# Periodically refresh LDAP groups membership.
|
|
# NOTE: This will only take effect if LDAP is enabled
|
|
ldap_group_sync_worker:
|
|
cron: "0 * * * *"
|
|
|
|
# GitLab Geo metrics update worker
|
|
# NOTE: This will only take effect if Geo is enabled
|
|
geo_metrics_update_worker:
|
|
cron: "*/1 * * * *"
|
|
|
|
# GitLab Geo prune event log worker
|
|
# NOTE: This will only take effect if Geo is enabled (primary node only)
|
|
geo_prune_event_log_worker:
|
|
cron: "*/5 * * * *"
|
|
|
|
# GitLab Geo repository sync worker
|
|
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
|
|
geo_repository_sync_worker:
|
|
cron: "*/1 * * * *"
|
|
|
|
# GitLab Geo file download dispatch worker
|
|
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
|
|
geo_file_download_dispatch_worker:
|
|
cron: "*/1 * * * *"
|
|
|
|
# GitLab Geo migrated local files clean up worker
|
|
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
|
|
geo_migrated_local_files_clean_up_worker:
|
|
cron: "15 */6 * * *"
|
|
|
|
# Export pseudonymized data in CSV format for analysis
|
|
pseudonymizer_worker:
|
|
cron: "0 * * * *"
|
|
|
|
registry:
|
|
# enabled: true
|
|
# host: registry.example.com
|
|
# port: 5005
|
|
# api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
|
|
# key: config/registry.key
|
|
# path: shared/registry
|
|
# issuer: gitlab-issuer
|
|
|
|
# Add notification settings if you plan to use Geo Replication for the registry
|
|
# notifications:
|
|
# - name: geo_event
|
|
# url: https://example.com/api/v4/container_registry_event/events
|
|
# timeout: 2s
|
|
# threshold: 5
|
|
# backoff: 1s
|
|
# headers:
|
|
# Authorization: secret_phrase
|
|
|
|
## Error Reporting and Logging with Sentry
|
|
sentry:
|
|
# enabled: false
|
|
# dsn: https://<key>@sentry.io/<project>
|
|
# clientside_dsn: https://<key>@sentry.io/<project>
|
|
# environment: 'production' # e.g. development, staging, production
|
|
|
|
## Geo
|
|
# NOTE: These settings will only take effect if Geo is enabled
|
|
geo:
|
|
# This is an optional identifier which Geo nodes can use to identify themselves.
|
|
# For example, if external_url is the same for two secondaries, you must specify
|
|
# a unique Geo node name for those secondaries.
|
|
#
|
|
# If it is blank, it defaults to external_url.
|
|
node_name: ''
|
|
|
|
registry_replication:
|
|
# enabled: true
|
|
# primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API
|
|
|
|
|
|
#
|
|
# 2. GitLab CI settings
|
|
# ==========================
|
|
|
|
gitlab_ci:
|
|
# Default project notifications settings:
|
|
#
|
|
# Send emails only on broken builds (default: true)
|
|
# all_broken_builds: true
|
|
#
|
|
# Add pusher to recipients list (default: false)
|
|
# add_pusher: true
|
|
|
|
# The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
|
|
# builds_path: builds/
|
|
|
|
#
|
|
# 3. Auth settings
|
|
# ==========================
|
|
|
|
## LDAP settings
|
|
# You can test connections and inspect a sample of the LDAP users with login
|
|
# access by running:
|
|
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
|
|
ldap:
|
|
enabled: false
|
|
|
|
# This setting controls the number of seconds between LDAP permission checks
|
|
# for each user. After this time has expired for a given user, their next
|
|
# interaction with GitLab (a click in the web UI, a git pull, etc.) will be
|
|
# slower because the LDAP permission check is being performed. How much
|
|
# slower depends on your LDAP setup, but it is not uncommon for this check
|
|
# to add seconds of waiting time. The default value is to have a "slow
|
|
# click" once every 3600 seconds (i.e., once per hour).
|
|
#
|
|
# Warning: if you set this value too low, every click in GitLab will be a
|
|
# "slow click" for all of your LDAP users.
|
|
# sync_time: 3600
|
|
|
|
servers:
|
|
##########################################################################
|
|
#
|
|
# Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
|
|
# Enterprise Edition now supports connecting to multiple LDAP servers.
|
|
#
|
|
# If you are updating from the old (pre-7.4) syntax, you MUST give your
|
|
# old server the ID 'main'.
|
|
#
|
|
##########################################################################
|
|
main: # 'main' is the GitLab 'provider ID' of this LDAP server
|
|
## label
|
|
#
|
|
# A human-friendly name for your LDAP server. It is OK to change the label later,
|
|
# for instance if you find out it is too large to fit on the web page.
|
|
#
|
|
# Example: 'Paris' or 'Acme, Ltd.'
|
|
label: 'LDAP'
|
|
|
|
# Example: 'ldap.mydomain.com'
|
|
host: '_your_ldap_server'
|
|
# This port is an example, it is sometimes different but it is always an integer and not a string
|
|
port: 389 # usually 636 for SSL
|
|
uid: 'sAMAccountName' # This should be the attribute, not the value that maps to uid.
|
|
|
|
# Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com'
|
|
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
|
|
password: '_the_password_of_the_bind_user'
|
|
|
|
# Encryption method. The "method" key is deprecated in favor of
|
|
# "encryption".
|
|
#
|
|
# Examples: "start_tls" or "simple_tls" or "plain"
|
|
#
|
|
# Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
|
|
# replaced with "simple_tls".
|
|
#
|
|
encryption: 'plain'
|
|
|
|
# Enables SSL certificate verification if encryption method is
|
|
# "start_tls" or "simple_tls". Defaults to true.
|
|
verify_certificates: true
|
|
|
|
# OpenSSL::SSL::SSLContext options.
|
|
tls_options:
|
|
# Specifies the path to a file containing a PEM-format CA certificate,
|
|
# e.g. if you need to use an internal CA.
|
|
#
|
|
# Example: '/etc/ca.pem'
|
|
#
|
|
ca_file: ''
|
|
|
|
# Specifies the SSL version for OpenSSL to use, if the OpenSSL default
|
|
# is not appropriate.
|
|
#
|
|
# Example: 'TLSv1_1'
|
|
#
|
|
ssl_version: ''
|
|
|
|
# Specific SSL ciphers to use in communication with LDAP servers.
|
|
#
|
|
# Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
|
|
ciphers: ''
|
|
|
|
# Client certificate
|
|
#
|
|
# Example:
|
|
# cert: |
|
|
# -----BEGIN CERTIFICATE-----
|
|
# MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
|
|
# bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
|
|
# CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4
|
|
# rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
|
|
# ...
|
|
# 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80
|
|
# Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==
|
|
# -----END CERTIFICATE -----
|
|
cert: ''
|
|
|
|
# Client private key
|
|
# key: |
|
|
# -----BEGIN PRIVATE KEY-----
|
|
# MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6
|
|
# bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN
|
|
# 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C
|
|
# rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
|
|
# ...
|
|
# +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9
|
|
# l6RG+a/mW+0rCWn8JAd464Ps9hE=
|
|
# -----END PRIVATE KEY-----
|
|
key: ''
|
|
|
|
# Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
|
|
# a request if the LDAP server becomes unresponsive.
|
|
# A value of 0 means there is no timeout.
|
|
timeout: 10
|
|
|
|
# Enable smartcard authentication against the LDAP server. Valid values
|
|
# are "false", "optional", and "required".
|
|
smartcard_auth: false
|
|
|
|
# This setting specifies if LDAP server is Active Directory LDAP server.
|
|
# For non AD servers it skips the AD specific queries.
|
|
# If your LDAP server is not AD, set this to false.
|
|
active_directory: true
|
|
|
|
# If allow_username_or_email_login is enabled, GitLab will ignore everything
|
|
# after the first '@' in the LDAP username submitted by the user on login.
|
|
#
|
|
# Example:
|
|
# - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
|
|
# - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
|
|
#
|
|
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
|
|
# disable this setting, because the userPrincipalName contains an '@'.
|
|
allow_username_or_email_login: false
|
|
|
|
# To maintain tight control over the number of active users on your GitLab installation,
|
|
# enable this setting to keep new users blocked until they have been cleared by the admin
|
|
# (default: false).
|
|
block_auto_created_users: false
|
|
|
|
# Base where we can search for users
|
|
#
|
|
# Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com'
|
|
#
|
|
base: ''
|
|
|
|
# Filter LDAP users
|
|
#
|
|
# Format: RFC 4515 https://tools.ietf.org/search/rfc4515
|
|
# Ex. (employeeType=developer)
|
|
#
|
|
# Note: GitLab does not support omniauth-ldap's custom filter syntax.
|
|
#
|
|
# Example for getting only specific users:
|
|
# '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'
|
|
#
|
|
user_filter: ''
|
|
|
|
# Base where we can search for groups
|
|
#
|
|
# Ex. ou=Groups,dc=gitlab,dc=example
|
|
#
|
|
group_base: ''
|
|
|
|
# LDAP group of users who should be admins in GitLab
|
|
#
|
|
# Ex. GLAdmins
|
|
#
|
|
admin_group: ''
|
|
|
|
# LDAP group of users who should be marked as external users in GitLab
|
|
#
|
|
# Ex. ['Contractors', 'Interns']
|
|
#
|
|
external_groups: []
|
|
|
|
# Name of attribute which holds a ssh public key of the user object.
|
|
# If false or nil, SSH key syncronisation will be disabled.
|
|
#
|
|
# Ex. sshpublickey
|
|
#
|
|
sync_ssh_keys: false
|
|
|
|
# LDAP attributes that GitLab will use to create an account for the LDAP user.
|
|
# The specified attribute can either be the attribute name as a string (e.g. 'mail'),
|
|
# or an array of attribute names to try in order (e.g. ['mail', 'email']).
|
|
# Note that the user's LDAP login will always be the attribute specified as `uid` above.
|
|
attributes:
|
|
# The username will be used in paths for the user's own projects
|
|
# (like `gitlab.example.com/username/project`) and when mentioning
|
|
# them in issues, merge request and comments (like `@username`).
|
|
# If the attribute specified for `username` contains an email address,
|
|
# the GitLab username will be the part of the email address before the '@'.
|
|
username: ['uid', 'userid', 'sAMAccountName']
|
|
email: ['mail', 'email', 'userPrincipalName']
|
|
|
|
# If no full name could be found at the attribute specified for `name`,
|
|
# the full name is determined using the attributes specified for
|
|
# `first_name` and `last_name`.
|
|
name: 'cn'
|
|
first_name: 'givenName'
|
|
last_name: 'sn'
|
|
|
|
# If lowercase_usernames is enabled, GitLab will lower case the username.
|
|
lowercase_usernames: false
|
|
|
|
# GitLab EE only: add more LDAP servers
|
|
# Choose an ID made of a-z and 0-9 . This ID will be stored in the database
|
|
# so that GitLab can remember which LDAP server a user belongs to.
|
|
# uswest2:
|
|
# label:
|
|
# host:
|
|
# ....
|
|
|
|
## Smartcard authentication settings
|
|
smartcard:
|
|
# Allow smartcard authentication
|
|
enabled: false
|
|
|
|
# Path to a file containing a CA certificate
|
|
ca_file: '/etc/ssl/certs/CA.pem'
|
|
|
|
# Port where the client side certificate is requested by the webserver (NGINX/Apache)
|
|
# client_certificate_required_port: 3444
|
|
|
|
# Browser session with smartcard sign-in is required for Git access
|
|
# required_for_git_access: false
|
|
|
|
## Kerberos settings
|
|
kerberos:
|
|
# Allow the HTTP Negotiate authentication method for Git clients
|
|
enabled: false
|
|
|
|
# Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
|
|
# and should be different from other keytabs in the system.
|
|
# (default: use default keytab from Krb5 config)
|
|
# keytab: /etc/http.keytab
|
|
|
|
# The Kerberos service name to be used by GitLab.
|
|
# (default: accept any service name in keytab file)
|
|
# service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM
|
|
|
|
# Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
|
|
# To support both Basic and Negotiate methods with older versions of Git, configure
|
|
# nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
|
|
# to dedicate this port to Kerberos authentication. (default: false)
|
|
# use_dedicated_port: true
|
|
# port: 8443
|
|
# https: true
|
|
|
|
## OmniAuth settings
|
|
omniauth:
|
|
# Allow login via Twitter, Google, etc. using OmniAuth providers
|
|
# enabled: true
|
|
|
|
# Uncomment this to automatically sign in with a specific omniauth provider's without
|
|
# showing GitLab's sign-in page (default: show the GitLab sign-in page)
|
|
# auto_sign_in_with_provider: saml
|
|
|
|
# Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).
|
|
# Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"],
|
|
# or as true/false to allow all providers or none.
|
|
# When authenticating using LDAP, the user's email is always synced.
|
|
# sync_profile_from_provider: []
|
|
|
|
# Select which info to sync from the providers above. (default: email).
|
|
# Define the synced profile info using an array. Available options are "name", "email" and "location"
|
|
# e.g. ["name", "email", "location"] or as true to sync all available.
|
|
# This consequently will make the selected attributes read-only.
|
|
# sync_profile_attributes: true
|
|
|
|
# CAUTION!
|
|
# This allows users to login without having a user account first. Define the allowed providers
|
|
# using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
|
|
# User accounts will be created automatically when authentication was successful.
|
|
allow_single_sign_on: ["saml"]
|
|
|
|
# Locks down those users until they have been cleared by the admin (default: true).
|
|
block_auto_created_users: true
|
|
# Look up new users in LDAP servers. If a match is found (same uid), automatically
|
|
# link the omniauth identity with the LDAP account. (default: false)
|
|
auto_link_ldap_user: false
|
|
|
|
# Allow users with existing accounts to login and auto link their account via SAML
|
|
# login, without having to do a manual login first and manually add SAML
|
|
# (default: false)
|
|
auto_link_saml_user: false
|
|
|
|
# Set different Omniauth providers as external so that all users creating accounts
|
|
# via these providers will not be able to have access to internal projects. You
|
|
# will need to use the full name of the provider, like `google_oauth2` for Google.
|
|
# Refer to the examples below for the full names of the supported providers.
|
|
# (default: [])
|
|
external_providers: []
|
|
|
|
## Auth providers
|
|
# Uncomment the following lines and fill in the data of the auth provider you want to use
|
|
# If your favorite auth provider is not listed you can use others:
|
|
# see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
|
|
# The 'app_id' and 'app_secret' parameters are always passed as the first two
|
|
# arguments, followed by optional 'args' which can be either a hash or an array.
|
|
# Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
|
|
providers:
|
|
# See omniauth-cas3 for more configuration details
|
|
# - { name: 'cas3',
|
|
# label: 'cas3',
|
|
# args: {
|
|
# url: 'https://sso.example.com',
|
|
# disable_ssl_verification: false,
|
|
# login_url: '/cas/login',
|
|
# service_validate_url: '/cas/p3/serviceValidate',
|
|
# logout_url: '/cas/logout'} }
|
|
# - { name: 'authentiq',
|
|
# # for client credentials (client ID and secret), go to https://www.authentiq.com/developers
|
|
# app_id: 'YOUR_CLIENT_ID',
|
|
# app_secret: 'YOUR_CLIENT_SECRET',
|
|
# args: {
|
|
# scope: 'aq:name email~rs address aq:push'
|
|
# # callback_url parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
|
|
# # callback_url: 'YOUR_CALLBACK_URL'
|
|
# }
|
|
# }
|
|
# - { name: 'github',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET',
|
|
# url: "https://github.com/",
|
|
# verify_ssl: true,
|
|
# args: { scope: 'user:email' } }
|
|
# - { name: 'bitbucket',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET' }
|
|
# - { name: 'gitlab',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET',
|
|
# args: { scope: 'api' } }
|
|
# - { name: 'google_oauth2',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET',
|
|
# args: { access_type: 'offline', approval_prompt: '' } }
|
|
# - { name: 'facebook',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET' }
|
|
# - { name: 'twitter',
|
|
# app_id: 'YOUR_APP_ID',
|
|
# app_secret: 'YOUR_APP_SECRET' }
|
|
# - { name: 'jwt',
|
|
# args: {
|
|
# secret: 'YOUR_APP_SECRET',
|
|
# algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512'
|
|
# uid_claim: 'email',
|
|
# required_claims: ['name', 'email'],
|
|
# info_map: { name: 'name', email: 'email' },
|
|
# auth_url: 'https://example.com/',
|
|
# valid_within: 3600 # 1 hour
|
|
# }
|
|
# }
|
|
# - { name: 'saml',
|
|
# label: 'Our SAML Provider',
|
|
# groups_attribute: 'Groups',
|
|
# external_groups: ['Contractors', 'Freelancers'],
|
|
# args: {
|
|
# assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
|
|
# idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
|
|
# idp_sso_target_url: 'https://login.example.com/idp',
|
|
# issuer: 'https://gitlab.example.com',
|
|
# name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
|
|
# } }
|
|
#
|
|
# - { name: 'group_saml' }
|
|
#
|
|
# - { name: 'crowd',
|
|
# args: {
|
|
# crowd_server_url: 'CROWD SERVER URL',
|
|
# application_name: 'YOUR_APP_NAME',
|
|
# application_password: 'YOUR_APP_PASSWORD' } }
|
|
#
|
|
# - { name: 'auth0',
|
|
# args: {
|
|
# client_id: 'YOUR_AUTH0_CLIENT_ID',
|
|
# client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
|
|
# namespace: 'YOUR_AUTH0_DOMAIN' } }
|
|
|
|
# SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
|
|
# cas3:
|
|
# session_duration: 28800
|
|
|
|
# Shared file storage settings
|
|
shared:
|
|
# path: /mnt/gitlab # Default: shared
|
|
|
|
# Gitaly settings
|
|
gitaly:
|
|
# Path to the directory containing Gitaly client executables.
|
|
client_path: /home/git/gitaly/bin
|
|
# Default Gitaly authentication token. Can be overridden per storage. Can
|
|
# be left blank when Gitaly is running locally on a Unix socket, which
|
|
# is the normal way to deploy Gitaly.
|
|
token:
|
|
|
|
#
|
|
# 4. Advanced settings
|
|
# ==========================
|
|
|
|
## Repositories settings
|
|
repositories:
|
|
# Paths where repositories can be stored. Give the canonicalized absolute pathname.
|
|
# IMPORTANT: None of the path components may be symlink, because
|
|
# gitlab-shell invokes Dir.pwd inside the repository path and that results
|
|
# real path not the symlink.
|
|
storages: # You must have at least a `default` storage path.
|
|
default:
|
|
path: /home/git/repositories/
|
|
gitaly_address: unix:/home/git/gitlab/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).
|
|
# gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.
|
|
|
|
## Backup settings
|
|
backup:
|
|
path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
|
|
# archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
|
|
# keep_time: 604800 # default: 0 (forever) (in seconds)
|
|
# pg_schema: public # default: nil, it means that all schemas will be backed up
|
|
# upload:
|
|
# # Fog storage connection settings, see http://fog.io/storage/ .
|
|
# connection:
|
|
# provider: AWS
|
|
# region: eu-west-1
|
|
# aws_access_key_id: AKIAKIAKI
|
|
# aws_secret_access_key: 'secret123'
|
|
# # The remote 'directory' to store your backups. For S3, this would be the bucket name.
|
|
# remote_directory: 'my.s3.bucket'
|
|
# # Use multipart uploads when file size reaches 100MB, see
|
|
# # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
|
|
# multipart_chunk_size: 104857600
|
|
# # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
|
|
# # encryption: 'AES256'
|
|
# # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
|
|
# # This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
|
|
# # 'encryption' must also be set in order for this to have any effect.
|
|
# # encryption_key: '<base64 key>'
|
|
# # Specifies Amazon S3 storage class to use for backups, this is optional
|
|
# # storage_class: 'STANDARD'
|
|
|
|
## Pseudonymizer exporter
|
|
pseudonymizer:
|
|
# Tables manifest that specifies the fields to extract and pseudonymize.
|
|
manifest: config/pseudonymizer.yml
|
|
upload:
|
|
remote_directory: 'gitlab-elt'
|
|
# Fog storage connection settings, see http://fog.io/storage/ .
|
|
connection:
|
|
# provider: AWS
|
|
# region: eu-west-1
|
|
# aws_access_key_id: AKIAKIAKI
|
|
# aws_secret_access_key: 'secret123'
|
|
# # The remote 'directory' to store the CSV files. For S3, this would be the bucket name.
|
|
|
|
## GitLab Shell settings
|
|
gitlab_shell:
|
|
path: /home/git/gitlab-shell/
|
|
authorized_keys_file: /home/git/.ssh/authorized_keys
|
|
|
|
# File that contains the secret key for verifying access for gitlab-shell.
|
|
# Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
|
|
# secret_file: /home/git/gitlab/.gitlab_shell_secret
|
|
|
|
# Git over HTTP
|
|
upload_pack: true
|
|
receive_pack: true
|
|
|
|
# Git import/fetch timeout, in seconds. Defaults to 3 hours.
|
|
# git_timeout: 10800
|
|
|
|
# If you use non-standard ssh port you need to specify it
|
|
# ssh_port: 22
|
|
|
|
workhorse:
|
|
# File that contains the secret key for verifying access for gitlab-workhorse.
|
|
# Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
|
|
# secret_file: /home/git/gitlab/.gitlab_workhorse_secret
|
|
|
|
## Git settings
|
|
# CAUTION!
|
|
# Use the default values unless you really know what you are doing
|
|
git:
|
|
bin_path: /usr/bin/git
|
|
|
|
## Webpack settings
|
|
# If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
|
|
# on a given port instead of serving directly from /assets/webpack. This is only indended for use
|
|
# in development.
|
|
webpack:
|
|
# dev_server:
|
|
# enabled: true
|
|
# host: localhost
|
|
# port: 3808
|
|
|
|
## Monitoring
|
|
# Built in monitoring settings
|
|
monitoring:
|
|
# Time between sampling of unicorn socket metrics, in seconds
|
|
# unicorn_sampler_interval: 10
|
|
# Time between sampling of Puma metrics, in seconds
|
|
# puma_sampler_interval: 5
|
|
# IP whitelist to access monitoring endpoints
|
|
ip_whitelist:
|
|
- 127.0.0.0/8
|
|
|
|
# Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics
|
|
sidekiq_exporter:
|
|
# enabled: true
|
|
# address: localhost
|
|
# port: 3807
|
|
|
|
## Prometheus settings
|
|
# Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb
|
|
# if you installed GitLab via Omnibus.
|
|
# If you installed from source, you need to install and configure Prometheus
|
|
# yourself, and then update the values here.
|
|
# https://docs.gitlab.com/ee/administration/monitoring/prometheus/
|
|
prometheus:
|
|
# enable: true
|
|
# listen_address: 'localhost:9090'
|
|
|
|
#
|
|
# 5. Extra customization
|
|
# ==========================
|
|
|
|
extra:
|
|
## Google analytics. Uncomment if you want it
|
|
# google_analytics_id: '_your_tracking_id'
|
|
|
|
## Piwik analytics.
|
|
# piwik_url: '_your_piwik_url'
|
|
# piwik_site_id: '_your_piwik_site_id'
|
|
|
|
rack_attack:
|
|
git_basic_auth:
|
|
# Rack Attack IP banning enabled
|
|
# enabled: true
|
|
#
|
|
# Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
|
|
# ip_whitelist: ["127.0.0.1"]
|
|
#
|
|
# Limit the number of Git HTTP authentication attempts per IP
|
|
# maxretry: 10
|
|
#
|
|
# Reset the auth attempt counter per IP after 60 seconds
|
|
# findtime: 60
|
|
#
|
|
# Ban an IP for one hour (3600s) after too many auth attempts
|
|
# bantime: 3600
|
|
|
|
development:
|
|
<<: *base
|
|
|
|
test:
|
|
<<: *base
|
|
gravatar:
|
|
enabled: true
|
|
external_diffs:
|
|
enabled: false
|
|
# Diffs may be `always` external (the default), or they can be made external
|
|
# after they have become `outdated` (i.e., the MR is closed or a new version
|
|
# has been pushed).
|
|
# when: always
|
|
# The location where external diffs are stored (default: shared/external-diffs).
|
|
# storage_path: shared/external-diffs
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: external-diffs # The bucket name
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
lfs:
|
|
enabled: false
|
|
# The location where LFS objects are stored (default: shared/lfs-objects).
|
|
# storage_path: shared/lfs-objects
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: lfs-objects # The bucket name
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
artifacts:
|
|
path: tmp/tests/artifacts
|
|
enabled: true
|
|
# The location where build artifacts are stored (default: shared/artifacts).
|
|
# path: shared/artifacts
|
|
object_store:
|
|
enabled: false
|
|
remote_directory: artifacts # The bucket name
|
|
background_upload: false
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
uploads:
|
|
storage_path: tmp/tests/public
|
|
object_store:
|
|
enabled: false
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
gitlab:
|
|
host: localhost
|
|
port: 80
|
|
|
|
# When you run tests we clone and set up gitlab-shell
|
|
# In order to set it up correctly you need to specify
|
|
# your system username you use to run GitLab
|
|
# user: YOUR_USERNAME
|
|
pages:
|
|
path: tmp/tests/pages
|
|
repositories:
|
|
storages:
|
|
default:
|
|
path: tmp/tests/repositories/
|
|
gitaly_address: unix:tmp/tests/gitaly/gitaly.socket
|
|
|
|
gitaly:
|
|
client_path: tmp/tests/gitaly
|
|
token: secret
|
|
backup:
|
|
path: tmp/tests/backups
|
|
pseudonymizer:
|
|
manifest: config/pseudonymizer.yml
|
|
upload:
|
|
# The remote 'directory' to store the CSV files. For S3, this would be the bucket name.
|
|
remote_directory: gitlab-elt.test
|
|
# Fog storage connection settings, see http://fog.io/storage/
|
|
connection:
|
|
provider: AWS # Only AWS supported at the moment
|
|
aws_access_key_id: AWS_ACCESS_KEY_ID
|
|
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
|
|
region: us-east-1
|
|
gitlab_shell:
|
|
path: tmp/tests/gitlab-shell/
|
|
authorized_keys_file: tmp/tests/authorized_keys
|
|
issues_tracker:
|
|
redmine:
|
|
title: "Redmine"
|
|
project_url: "http://redmine/projects/:issues_tracker_id"
|
|
issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
|
|
new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
|
|
jira:
|
|
title: "Jira"
|
|
url: https://sample_company.atlassian.net
|
|
project_key: PROJECT
|
|
|
|
omniauth:
|
|
# enabled: true
|
|
allow_single_sign_on: true
|
|
external_providers: []
|
|
|
|
providers:
|
|
- { name: 'cas3',
|
|
label: 'cas3',
|
|
args: { url: 'https://sso.example.com',
|
|
disable_ssl_verification: false,
|
|
login_url: '/cas/login',
|
|
service_validate_url: '/cas/p3/serviceValidate',
|
|
logout_url: '/cas/logout'} }
|
|
- { name: 'github',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET',
|
|
url: "https://github.com/",
|
|
verify_ssl: false,
|
|
args: { scope: 'user:email' } }
|
|
- { name: 'bitbucket',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET' }
|
|
- { name: 'gitlab',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET',
|
|
args: { scope: 'api' } }
|
|
- { name: 'google_oauth2',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET',
|
|
args: { access_type: 'offline', approval_prompt: '' } }
|
|
- { name: 'facebook',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET' }
|
|
- { name: 'twitter',
|
|
app_id: 'YOUR_APP_ID',
|
|
app_secret: 'YOUR_APP_SECRET' }
|
|
- { name: 'jwt',
|
|
app_secret: 'YOUR_APP_SECRET',
|
|
args: {
|
|
algorithm: 'HS256',
|
|
uid_claim: 'email',
|
|
required_claims: ["name", "email"],
|
|
info_map: { name: "name", email: "email" },
|
|
auth_url: 'https://example.com/',
|
|
valid_within: null,
|
|
}
|
|
}
|
|
- { name: 'auth0',
|
|
args: {
|
|
client_id: 'YOUR_AUTH0_CLIENT_ID',
|
|
client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
|
|
namespace: 'YOUR_AUTH0_DOMAIN' } }
|
|
- { name: 'authentiq',
|
|
app_id: 'YOUR_CLIENT_ID',
|
|
app_secret: 'YOUR_CLIENT_SECRET',
|
|
args: { scope: 'aq:name email~rs address aq:push' } }
|
|
- { name: 'salesforce',
|
|
app_id: 'YOUR_CLIENT_ID',
|
|
app_secret: 'YOUR_CLIENT_SECRET'
|
|
}
|
|
ldap:
|
|
enabled: false
|
|
servers:
|
|
main:
|
|
label: ldap
|
|
host: 127.0.0.1
|
|
port: 3890
|
|
uid: 'uid'
|
|
encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
|
|
base: 'dc=example,dc=com'
|
|
user_filter: ''
|
|
group_base: 'ou=groups,dc=example,dc=com'
|
|
admin_group: ''
|
|
prometheus:
|
|
enable: true
|
|
listen_address: 'localhost:9090'
|
|
|
|
staging:
|
|
<<: *base
|