# # # # # # # # # # # # # # # # # # # GitLab application config file # # # # # # # # # # # # # # # # # # # # ########################### NOTE ##################################### # This file should not receive new settings. All configuration options # # * are being moved to ApplicationSetting model! # # If a setting requires an application restart say so in that screen. # # If you change this file in a Merge Request, please also create # # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # ######################################################################## # # # How to use: # 1. Copy file as gitlab.yml # 2. Update gitlab -> host with your fully qualified domain name # 3. Update gitlab -> email_from # 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git # IMPORTANT: If Git was installed in a different location use that instead. # You can check with `which git`. If a wrong path of Git is specified, it will # result in various issues such as failures of GitLab CI builds. # 5. Review this configuration file for other settings you may want to adjust production: &base # # 1. GitLab app settings # ========================== ## GitLab settings gitlab: ## Web server settings (note: host is the FQDN, do not include http://) host: {{GITLAB_HOST}} port: {{GITLAB_PORT}} https: {{GITLAB_HTTPS}} # Uncommment this line below if your ssh host is different from HTTP/HTTPS one # (you'd obviously need to replace ssh.host_example.com with your own host). # Otherwise, ssh host will be set to the `host:` value above ssh_host: {{GITLAB_SSH_HOST}} # Relative URL support # WARNING: We recommend using an FQDN to host GitLab in a root path instead # of using a relative URL. # Documentation: http://doc.gitlab.com/ce/install/relative_url.html # Uncomment and customize the following line to run in a non-root path # relative_url_root: {{GITLAB_RELATIVE_URL_ROOT}} # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') # user: git ## Date & Time settings # Uncomment and customize if you want to change the default time zone of GitLab application. # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production` time_zone: '{{GITLAB_TIMEZONE}}' ## Email settings # Uncomment and set to false if you need to disable email sending from GitLab (default: true) email_enabled: {{GITLAB_EMAIL_ENABLED}} # Email address used in the "From" field in mails sent by GitLab email_from: {{GITLAB_EMAIL}} email_display_name: {{GITLAB_EMAIL_DISPLAY_NAME}} email_reply_to: {{GITLAB_EMAIL_REPLY_TO}} # Email server smtp settings are in config/initializers/smtp_settings.rb.sample default_can_create_group: {{GITLAB_CREATE_GROUP}} # default: true username_changing_enabled: {{GITLAB_USERNAME_CHANGE}} # default: true - User can change her username/namespace ## Default theme ID ## 1 - Graphite ## 2 - Charcoal ## 3 - Green ## 4 - Gray ## 5 - Violet ## 6 - Blue # default_theme: 2 # default: 2 ## Automatic issue closing # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. # This happens when the commit is pushed or merged into the default branch of a project. # When not specified the default issue_closing_pattern as specified below will be used. # Tip: you can test your closing pattern at http://rubular.com. # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?))+)' ## Default project features settings default_projects_features: issues: {{GITLAB_PROJECTS_ISSUES}} merge_requests: {{GITLAB_PROJECTS_MERGE_REQUESTS}} wiki: {{GITLAB_PROJECTS_WIKI}} snippets: {{GITLAB_PROJECTS_SNIPPETS}} builds: {{GITLAB_PROJECTS_BUILDS}} ## Webhook settings # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) webhook_timeout: {{GITLAB_WEBHOOK_TIMEOUT}} ## Repository downloads directory # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory. # The default is 'tmp/repositories' relative to the root of the Rails app. repository_downloads_path: {{GITLAB_DOWNLOADS_DIR}} ## Reply by email # Allow users to comment on issues and merge requests by replying to notification emails. # For documentation on how to set this up, see http://doc.gitlab.com/ce/incoming_email/README.html incoming_email: enabled: {{GITLAB_INCOMING_EMAIL_ENABLED}} # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to. # The `%{key}` placeholder is added after the user part, after a `+` character, before the `@`. address: "{{GITLAB_INCOMING_EMAIL_ADDRESS}}" # Email account username # With third party providers, this is usually the full email address. # With self-hosted email servers, this is usually the user part of the email address. user: "{{IMAP_USER}}" # Email account password password: "{{IMAP_PASS}}" # IMAP server host host: "{{IMAP_HOST}}" # IMAP server port port: {{IMAP_PORT}} # Whether the IMAP server uses SSL ssl: {{IMAP_SSL}} # Whether the IMAP server uses StartTLS start_tls: {{IMAP_STARTTLS}} # The mailbox where incoming mail will end up. Usually "inbox". mailbox: "{{IMAP_MAILBOX}}" ## Build Artifacts artifacts: enabled: {{GITLAB_ARTIFACTS_ENABLED}} # The location where build artifacts are stored (default: shared/artifacts). path: {{GITLAB_ARTIFACTS_DIR}} ## Git LFS lfs: enabled: {{GITLAB_LFS_ENABLED}} # The location where LFS objects are stored (default: shared/lfs-objects). storage_path: {{GITLAB_LFS_OBJECTS_DIR}} ## Gravatar ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html gravatar: enabled: {{GITLAB_GRAVATAR_ENABLED}} # Use user avatar image from Gravatar.com (default: true) # gravatar urls: possible placeholders: %{hash} %{size} %{email} plain_url: "{{GITLAB_GRAVATAR_HTTP_URL}}" # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon ssl_url: "{{GITLAB_GRAVATAR_HTTPS_URL}}" # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon ## Auxiliary jobs # Periodically executed jobs, to self-heal Gitlab, do external synchronizations, etc. # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job cron_jobs: # Flag stuck CI builds as failed stuck_ci_builds_worker: cron: "0 0 * * *" # # 2. GitLab CI settings # ========================== gitlab_ci: # Default project notifications settings: # # Send emails only on broken builds (default: true) all_broken_builds: {{GITLAB_NOTIFY_ON_BROKEN_BUILDS}} # # Add pusher to recipients list (default: false) add_pusher: {{GITLAB_NOTIFY_PUSHER}} # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root builds_path: {{GITLAB_BUILDS_DIR}} # # 3. Auth settings # ========================== ## LDAP settings # You can inspect a sample of the LDAP users with login access by running: # bundle exec rake gitlab:ldap:check RAILS_ENV=production ldap: enabled: {{LDAP_ENABLED}} servers: ########################################################################## # # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab # Enterprise Edition now supports connecting to multiple LDAP servers. # # If you are updating from the old (pre-7.4) syntax, you MUST give your # old server the ID 'main'. # ########################################################################## main: # 'main' is the GitLab 'provider ID' of this LDAP server ## label # # A human-friendly name for your LDAP server. It is OK to change the label later, # for instance if you find out it is too large to fit on the web page. # # Example: 'Paris' or 'Acme, Ltd.' label: '{{LDAP_LABEL}}' host: '{{LDAP_HOST}}' port: {{LDAP_PORT}} uid: '{{LDAP_UID}}' method: '{{LDAP_METHOD}}' # "tls" or "ssl" or "plain" bind_dn: '{{LDAP_BIND_DN}}' password: '{{LDAP_PASS}}' # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking # a request if the LDAP server becomes unresponsive. # A value of 0 means there is no timeout. timeout: {{LDAP_TIMEOUT}} # This setting specifies if LDAP server is Active Directory LDAP server. # For non AD servers it skips the AD specific queries. # If your LDAP server is not AD, set this to false. active_directory: {{LDAP_ACTIVE_DIRECTORY}} # If allow_username_or_email_login is enabled, GitLab will ignore everything # after the first '@' in the LDAP username submitted by the user on login. # # Example: # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. # # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to # disable this setting, because the userPrincipalName contains an '@'. allow_username_or_email_login: {{LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN}} # To maintain tight control over the number of active users on your GitLab installation, # enable this setting to keep new users blocked until they have been cleared by the admin # (default: false). block_auto_created_users: {{LDAP_BLOCK_AUTO_CREATED_USERS}} # Base where we can search for users # # Ex. ou=People,dc=gitlab,dc=example # base: '{{LDAP_BASE}}' # Filter LDAP users # # Format: RFC 4515 http://tools.ietf.org/search/rfc4515 # Ex. (employeeType=developer) # # Note: GitLab does not support omniauth-ldap's custom filter syntax. # user_filter: '{{LDAP_USER_FILTER}}' # LDAP attributes that GitLab will use to create an account for the LDAP user. # The specified attribute can either be the attribute name as a string (e.g. 'mail'), # or an array of attribute names to try in order (e.g. ['mail', 'email']). # Note that the user's LDAP login will always be the attribute specified as `uid` above. attributes: # The username will be used in paths for the user's own projects # (like `gitlab.example.com/username/project`) and when mentioning # them in issues, merge request and comments (like `@username`). # If the attribute specified for `username` contains an email address, # the GitLab username will be the part of the email address before the '@'. username: ['uid', 'userid', 'sAMAccountName'] email: ['mail', 'email', 'userPrincipalName'] # If no full name could be found at the attribute specified for `name`, # the full name is determined using the attributes specified for # `first_name` and `last_name`. name: 'cn' first_name: 'givenName' last_name: 'sn' # GitLab EE only: add more LDAP servers # Choose an ID made of a-z and 0-9 . This ID will be stored in the database # so that GitLab can remember which LDAP server a user belongs to. # uswest2: # label: # host: # .... ## OmniAuth settings omniauth: # Allow login via Twitter, Google, etc. using OmniAuth providers enabled: {{OAUTH_ENABLED}} # Uncomment this to automatically sign in with a specific omniauth provider's without # showing GitLab's sign-in page (default: show the GitLab sign-in page) auto_sign_in_with_provider: {{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}} # CAUTION! # This allows users to login without having a user account first. Define the allowed providers # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none. # User accounts will be created automatically when authentication was successful. allow_single_sign_on: {{OAUTH_ALLOW_SSO}} # Locks down those users until they have been cleared by the admin (default: true). block_auto_created_users: {{OAUTH_BLOCK_AUTO_CREATED_USERS}} # Look up new users in LDAP servers. If a match is found (same uid), automatically # link the omniauth identity with the LDAP account. (default: false) auto_link_ldap_user: {{OAUTH_AUTO_LINK_LDAP_USER}} # Allow users with existing accounts to login and auto link their account via SAML # login, without having to do a manual login first and manually add SAML # (default: false) auto_link_saml_user: {{OAUTH_AUTO_LINK_SAML_USER}} ## Auth providers # Uncomment the following lines and fill in the data of the auth provider you want to use # If your favorite auth provider is not listed you can use others: # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations # The 'app_id' and 'app_secret' parameters are always passed as the first two # arguments, followed by optional 'args' which can be either a hash or an array. # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html providers: # See omniauth-cas3 for more configuration details - { name: 'cas3', label: '{{OAUTH_CAS3_LABEL}}', args: { url: '{{OAUTH_CAS3_SERVER}}', disable_ssl_verification: {{OAUTH_CAS3_DISABLE_SSL_VERIFICATION}}, login_url: '{{OAUTH_CAS3_LOGIN_URL}}', service_validate_url: '{{OAUTH_CAS3_VALIDATE_URL}}', logout_url: '{{OAUTH_CAS3_LOGOUT_URL}}'} } - { name: 'github', label: 'GitHub', app_id: '{{OAUTH_GITHUB_API_KEY}}', app_secret: '{{OAUTH_GITHUB_APP_SECRET}}', args: { scope: '{{OAUTH_GITHUB_SCOPE}}' } } - { name: 'bitbucket', app_id: '{{OAUTH_BITBUCKET_API_KEY}}', app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}' } - { name: 'gitlab', label: 'GitLab.com', app_id: '{{OAUTH_GITLAB_API_KEY}}', app_secret: '{{OAUTH_GITLAB_APP_SECRET}}', args: { scope: '{{OAUTH_GITLAB_SCOPE}}' } } - { name: 'google_oauth2', label: 'Google', app_id: '{{OAUTH_GOOGLE_API_KEY}}', app_secret: '{{OAUTH_GOOGLE_APP_SECRET}}', args: { access_type: 'offline', approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}', hd: '{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}' } } - { name: 'facebook', app_id: '{{OAUTH_FACEBOOK_API_KEY}}', app_secret: '{{OAUTH_FACEBOOK_APP_SECRET}}' } - { name: 'twitter', app_id: '{{OAUTH_TWITTER_API_KEY}}', app_secret: '{{OAUTH_TWITTER_APP_SECRET}}' } - { name: 'saml', label: '{{OAUTH_SAML_LABEL}}', args: { assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}', idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}', idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}', issuer: '{{OAUTH_SAML_ISSUER}}', name_identifier_format: '{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}' } } - { name: 'crowd', args: { crowd_server_url: '{{OAUTH_CROWD_SERVER_URL}}', application_name: '{{OAUTH_CROWD_APP_NAME}}', application_password: '{{OAUTH_CROWD_APP_PASSWORD}}' } } - { name: 'auth0', args: { client_id: '{{OAUTH_AUTH0_CLIENT_ID}}', client_secret: '{{OAUTH_AUTH0_CLIENT_SECRET}}', namespace: '{{OAUTH_AUTH0_DOMAIN}}' } } - { name: 'azure_oauth2', args: { client_id: '{{OAUTH_AZURE_API_KEY}}', client_secret: '{{OAUTH_AZURE_API_SECRET}}', tenant_id: '{{OAUTH_AZURE_TENANT_ID}}' } } # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours. # cas3: # session_duration: 28800 # Shared file storage settings shared: path: {{GITLAB_SHARED_DIR}} # # 4. Advanced settings # ========================== # GitLab Satellites # # Note for maintainers: keep the satellites.path setting until GitLab 9.0 at # least. This setting is fed to 'rm -rf' in # db/migrate/20151023144219_remove_satellites.rb satellites: path: {{GITLAB_DATA_DIR}}/gitlab-satellites/ ## Backup settings backup: path: "{{GITLAB_BACKUP_DIR}}" # Relative paths are relative to Rails.root (default: tmp/backups/) archive_permissions: {{GITLAB_BACKUP_ARCHIVE_PERMISSIONS}} # Permissions for the resulting backup.tar file (default: 0600) keep_time: {{GITLAB_BACKUP_EXPIRY}} # default: 0 (forever) (in seconds) pg_schema: {{GITLAB_BACKUP_PG_SCHEMA}} # default: nil, it means that all schemas will be backed up upload: # Fog storage connection settings, see http://fog.io/storage/ . connection: provider: AWS region: {{AWS_BACKUP_REGION}} aws_access_key_id: {{AWS_BACKUP_ACCESS_KEY_ID}} aws_secret_access_key: '{{AWS_BACKUP_SECRET_ACCESS_KEY}}' # The remote 'directory' to store your backups. For S3, this would be the bucket name. remote_directory: '{{AWS_BACKUP_BUCKET}}' # # Use multipart uploads when file size reaches 100MB, see # # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html # multipart_chunk_size: 104857600 # # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional # # encryption: 'AES256' ## GitLab Shell settings gitlab_shell: path: {{GITLAB_SHELL_INSTALL_DIR}}/ # REPOS_PATH MUST NOT BE A SYMLINK!!! repos_path: {{GITLAB_REPOS_DIR}}/ hooks_path: {{GITLAB_SHELL_INSTALL_DIR}}/hooks/ # File that contains the secret key for verifying access for gitlab-shell. # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app). secret_file: {{GITLAB_INSTALL_DIR}}/.gitlab_shell_secret # Git over HTTP upload_pack: true receive_pack: true # If you use non-standard ssh port you need to specify it ssh_port: {{GITLAB_SSH_PORT}} ## Git settings # CAUTION! # Use the default values unless you really know what you are doing git: bin_path: /usr/bin/git # The next value is the maximum memory size grit can use # Given in number of bytes per git object (e.g. a commit) # This value can be increased if you have very large commits max_size: {{GITLAB_MAX_OBJECT_SIZE}} # 20.megabytes # Git timeout to read a commit, in seconds timeout: {{GITLAB_TIMEOUT}} # # 5. Extra customization # ========================== extra: ## Google analytics. Uncomment if you want it google_analytics_id: '{{GOOGLE_ANALYTICS_ID}}' ## Piwik analytics. piwik_url: '{{PIWIK_URL}}' piwik_site_id: '{{PIWIK_SITE_ID}}' rack_attack: git_basic_auth: # Rack Attack IP banning enabled enabled: {{RACK_ATTACK_ENABLED}} # # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers ip_whitelist: [{{RACK_ATTACK_WHITELIST}}] # # Limit the number of Git HTTP authentication attempts per IP maxretry: {{RACK_ATTACK_MAXRETRY}} # # Reset the auth attempt counter per IP after 60 seconds findtime: {{RACK_ATTACK_FINDTIME}} # # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} development: <<: *base test: <<: *base gravatar: enabled: true lfs: enabled: false gitlab: host: localhost port: 80 # When you run tests we clone and setup gitlab-shell # In order to setup it correctly you need to specify # your system username you use to run GitLab # user: YOUR_USERNAME satellites: path: tmp/tests/gitlab-satellites/ backup: path: tmp/tests/backups gitlab_shell: path: tmp/tests/gitlab-shell/ repos_path: tmp/tests/repositories/ hooks_path: tmp/tests/gitlab-shell/hooks/ issues_tracker: redmine: title: "Redmine" project_url: "http://redmine/projects/:issues_tracker_id" issues_url: "http://redmine/:project_id/:issues_tracker_id/:id" new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new" ldap: enabled: false servers: main: label: ldap host: 127.0.0.1 port: 3890 uid: 'uid' method: 'plain' # "tls" or "ssl" or "plain" base: 'dc=example,dc=com' user_filter: '' group_base: 'ou=groups,dc=example,dc=com' admin_group: '' staging: <<: *base