# # # # # # # # # # # # # # # # # # # GitLab application config file # # # # # # # # # # # # # # # # # # # # ########################### NOTE ##################################### # This file should not receive new settings. All configuration options # # * are being moved to ApplicationSetting model! # # If a setting requires an application restart say so in that screen. # # If you change this file in a Merge Request, please also create # # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. # # For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md # ######################################################################## # # # How to use: # 1. Copy file as gitlab.yml # 2. Update gitlab -> host with your fully qualified domain name # 3. Update gitlab -> email_from # 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git # IMPORTANT: If Git was installed in a different location use that instead. # You can check with `which git`. If a wrong path of Git is specified, it will # result in various issues such as failures of GitLab CI builds. # 5. Review this configuration file for other settings you may want to adjust production: &base # # 1. GitLab app settings # ========================== ## GitLab settings gitlab: ## Web server settings (note: host is the FQDN, do not include http://) host: {{GITLAB_HOST}} port: {{GITLAB_PORT}} # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details https: {{GITLAB_HTTPS}} # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout. # Default is 95% of the worker timeout max_request_duration_seconds: 57 # Uncomment this line below if your ssh host is different from HTTP/HTTPS one # (you'd obviously need to replace ssh.host_example.com with your own host). # Otherwise, ssh host will be set to the `host:` value above ssh_host: {{GITLAB_SSH_HOST}} # Relative URL support # WARNING: We recommend using an FQDN to host GitLab in a root path instead # of using a relative URL. # Documentation: http://doc.gitlab.com/ce/install/relative_url.html # Uncomment and customize the following line to run in a non-root path # relative_url_root: {{GITLAB_RELATIVE_URL_ROOT}} # Content Security Policy # See https://guides.rubyonrails.org/security.html#content-security-policy content_security_policy: enabled: {{GITLAB_CONTENT_SECURITY_POLICY_ENABLED}} report_only: {{GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY}} directives: base_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI}}" child_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC}}" connect_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC}}" default_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC}}" font_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC}}" form_action: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION}}" frame_ancestors: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS}}" frame_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC}}" img_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC}}" manifest_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC}}" media_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC}}" object_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC}}" script_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC}}" style_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC}}" worker_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC}}" report_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI}}" # Trusted Proxies # Customize if you have GitLab behind a reverse proxy which is running on a different machine. # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. trusted_proxies: - {{GITLAB_TRUSTED_PROXIES}} # Examples: #- 192.168.1.0/24 #- 192.168.2.1 #- 2001:0db8::/32 # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') # user: git ## Date & Time settings # Uncomment and customize if you want to change the default time zone of GitLab application. # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production` time_zone: '{{GITLAB_TIMEZONE}}' ## Email settings # Uncomment and set to false if you need to disable email sending from GitLab (default: true) email_enabled: {{GITLAB_EMAIL_ENABLED}} # Email address used in the "From" field in mails sent by GitLab email_from: {{GITLAB_EMAIL}} email_display_name: {{GITLAB_EMAIL_DISPLAY_NAME}} email_reply_to: {{GITLAB_EMAIL_REPLY_TO}} email_subject_suffix: '{{GITLAB_EMAIL_SUBJECT_SUFFIX}}' #start-email-smime email_smime: # Uncomment and set to true if you need to enable email S/MIME signing (default: false) enabled: {{GITLAB_EMAIL_SMIME_ENABLE}} # S/MIME private key file in PEM format, unencrypted # Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app). key_file: {{GITLAB_EMAIL_SMIME_KEY_FILE}} # S/MIME public certificate key in PEM format, will be attached to signed messages # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app). cert_file: {{GITLAB_EMAIL_SMIME_CERT_FILE}} #end-email-smime # S/MIME extra CA public certificates in PEM format, will be attached to signed messages # Optional # ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs # Email server smtp settings are in config/initializers/smtp_settings.rb.sample default_projects_limit: {{GITLAB_PROJECTS_LIMIT}} default_can_create_group: {{GITLAB_CREATE_GROUP}} # default: true username_changing_enabled: {{GITLAB_USERNAME_CHANGE}} # default: true - User can change their username/namespace signup_enabled: {{GITLAB_SIGNUP_ENABLED}} ## Default theme ID ## 1 - Indigo ## 2 - Dark ## 3 - Light ## 4 - Blue ## 5 - Green ## 6 - Light Indigo ## 7 - Light Blue ## 8 - Light Green ## 9 - Red ## 10 - Light Red default_theme: {{GITLAB_DEFAULT_THEME}} # default: 1 ## Automatic issue closing # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. # This happens when the commit is pushed or merged into the default branch of a project. # When not specified the default issue_closing_pattern as specified below will be used. # Tip: you can test your closing pattern at http://rubular.com. issue_closing_pattern: '{{GITLAB_ISSUE_CLOSING_PATTERN}}' ## Default project features settings default_projects_features: issues: {{GITLAB_PROJECTS_ISSUES}} merge_requests: {{GITLAB_PROJECTS_MERGE_REQUESTS}} wiki: {{GITLAB_PROJECTS_WIKI}} snippets: {{GITLAB_PROJECTS_SNIPPETS}} builds: {{GITLAB_PROJECTS_BUILDS}} container_registry: {{GITLAB_PROJECTS_CONTAINER_REGISTRY}} ## Webhook settings # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) webhook_timeout: {{GITLAB_WEBHOOK_TIMEOUT}} ### GraphQL Settings # Tells the rails application how long it has to complete a GraphQL request. # We suggest this value to be higher than the database timeout value # and lower than the worker timeout set in unicorn/puma. (default: 30) # graphql_timeout: 30 ## Repository downloads directory # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory. # The default is 'shared/cache/archive/' relative to the root of the Rails app. repository_downloads_path: {{GITLAB_DOWNLOADS_DIR}} ## Impersonation settings impersonation_enabled: {{GITLAB_IMPERSONATION_ENABLED}} ## Disable jQuery and CSS animations # disable_animations: true ## Reply by email # Allow users to comment on issues and merge requests by replying to notification emails. # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html incoming_email: enabled: {{GITLAB_INCOMING_EMAIL_ENABLED}} # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to. # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`). # Please be aware that a placeholder is required for the Service Desk feature to work. address: "{{GITLAB_INCOMING_EMAIL_ADDRESS}}" # Email account username # With third party providers, this is usually the full email address. # With self-hosted email servers, this is usually the user part of the email address. user: "{{IMAP_USER}}" # Email account password password: "{{IMAP_PASS}}" # IMAP server host host: "{{IMAP_HOST}}" # IMAP server port port: {{IMAP_PORT}} # Whether the IMAP server uses SSL ssl: {{IMAP_SSL}} # Whether the IMAP server uses StartTLS start_tls: {{IMAP_STARTTLS}} # The mailbox where incoming mail will end up. Usually "inbox". mailbox: "{{IMAP_MAILBOX}}" # The IDLE command timeout. idle_timeout: {{IMAP_TIMEOUT}} # The log file path for the structured log file. # Since `mail_room` is run independently of Rails, an absolute path is preferred. # The default is 'log/mail_room_json.log' relative to the root of the Rails app. # # log_path: log/mail_room_json.log # Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery expunge_deleted: false ## Build Artifacts artifacts: enabled: {{GITLAB_ARTIFACTS_ENABLED}} # The location where build artifacts are stored (default: shared/artifacts). path: {{GITLAB_ARTIFACTS_DIR}} object_store: enabled: {{GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name direct_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Artifacts without the need of local shared storage. background_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment #start-artifacts-aws aws_access_key_id: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} region: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com aws_signature_version: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. endpoint: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces path_style: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-artifacts-aws #start-artifacts-gcs google_project: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} google_client_email: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} google_json_key_location: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-artifacts-gcs ## Merge request external diff storage external_diffs: # If disabled (the default), the diffs are in-database. Otherwise, they can # be stored on disk, or in object storage enabled: false # The location where external diffs are stored (default: shared/lfs-external-diffs). # storage_path: shared/external-diffs # object_store: # enabled: false # remote_directory: external-diffs # background_upload: false # proxy_download: false # connection: # provider: AWS # aws_access_key_id: AWS_ACCESS_KEY_ID # aws_secret_access_key: AWS_SECRET_ACCESS_KEY # region: us-east-1 ## Git LFS lfs: enabled: {{GITLAB_LFS_ENABLED}} # The location where LFS objects are stored (default: shared/lfs-objects). storage_path: {{GITLAB_LFS_OBJECTS_DIR}} object_store: enabled: {{GITLAB_LFS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name direct_upload: {{GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) background_upload: {{GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}} #start-lfs-aws aws_access_key_id: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} aws_signature_version: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. region: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com endpoint: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil path_style: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-lfs-aws #start-lfs-gcs google_project: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} google_client_email: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} google_json_key_location: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-lfs-gcs # Use the following options to configure an AWS compatible host # host: 'localhost' # default: s3.amazonaws.com # endpoint: 'http://127.0.0.1:9000' # default: nil # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' ## Uploads (attachments, avatars, etc...) uploads: # The location where uploads objects are stored (default: public/). storage_path: {{GITLAB_UPLOADS_STORAGE_PATH}} base_dir: {{GITLAB_UPLOADS_BASE_DIR}} object_store: enabled: {{GITLAB_UPLOADS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name direct_upload: {{GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) background_upload: {{GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}} #start-uploads-aws aws_access_key_id: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} aws_signature_version: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. region: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com endpoint: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil path_style: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-uploads-aws #start-uploads-gcs google_project: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} google_client_email: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} google_json_key_location: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-uploads-gcs ## Packages (maven repository, npm registry, etc...) packages: enabled: {{GITLAB_PACKAGES_ENABLED}} # The location where build packages are stored (default: shared/packages). path: {{GITLAB_PACKAGES_DIR}} object_store: enabled: {{GITLAB_PACKAGES_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name direct_upload: {{GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Packages without the need of local shared storage. background_upload: {{GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment #start-packages-aws aws_access_key_id: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} region: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com aws_signature_version: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. endpoint: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces path_style: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-packages-aws #start-packages-gcs google_project: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} google_client_email: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} google_json_key_location: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-packages-gcs ## Dependency Proxy dependency_proxy: enabled: true # The location where build packages are stored (default: shared/dependency_proxy). # storage_path: shared/dependency_proxy object_store: enabled: false remote_directory: dependency_proxy # The bucket name # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) # background_upload: false # Temporary option to limit automatic upload (Default: true) # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: AWS aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 # host: 'localhost' # default: s3.amazonaws.com # endpoint: 'http://127.0.0.1:9000' # default: nil # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' ## Terraform state terraform_state: enabled: {{GITLAB_TERRAFORM_STATE_ENABLED}} # The location where Terraform state files are stored (default: shared/terraform_state). storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}} object_store: enabled: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name connection: provider: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}} #start-terraform_state-aws aws_access_key_id: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} region: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com endpoint: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil aws_signature_version: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. path_style: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-terraform_state-aws #start-terraform_state-gcs google_project: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} google_client_email: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} google_json_key_location: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-terraform_state-gcs ## GitLab Pages pages: enabled: {{GITLAB_PAGES_ENABLED}} access_control: {{GITLAB_PAGES_ACCESS_CONTROL}} # The location where pages are stored (default: shared/pages). # path: shared/pages # The domain under which the pages are served: # http://group.example.com/project # or project path can be a group page: group.example.com host: {{GITLAB_PAGES_DOMAIN}} port: {{GITLAB_PAGES_PORT}} # Set to 443 if you serve the pages with HTTPS https: {{GITLAB_PAGES_HTTPS}} # Set to true if you serve the pages with HTTPS artifacts_server: {{GITLAB_PAGES_ARTIFACTS_SERVER}} # Set to false if you want to disable online view of HTML artifacts external_http: {{GITLAB_PAGES_EXTERNAL_HTTP}} # If defined, enables custom domain support in GitLab Pages external_https: {{GITLAB_PAGES_EXTERNAL_HTTPS}} # If defined, enables custom domain and certificate support in GitLab Pages # File that contains the shared secret key for verifying access for gitlab-pages. # Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_pages_secret ## Mattermost ## For enabling Add to Mattermost button mattermost: enabled: {{GITLAB_MATTERMOST_ENABLED}} host: '{{GITLAB_MATTERMOST_URL}}' ## Gravatar ## If using gravatar.com, there's nothing to change here. For Libravatar ## you'll need to provide the custom URLs. For more information, ## see: https://docs.gitlab.com/ee/customization/libravatar.html gravatar: enabled: {{GITLAB_GRAVATAR_ENABLED}} # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username} plain_url: "{{GITLAB_GRAVATAR_HTTP_URL}}" # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon ssl_url: "{{GITLAB_GRAVATAR_HTTPS_URL}}" # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon ## Sidekiq sidekiq: log_format: {{GITLAB_SIDEKIQ_LOG_FORMAT}} # (default is the original format) ## Auxiliary jobs # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc. # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job cron_jobs: # Flag stuck CI jobs as failed stuck_ci_jobs_worker: cron: "0 * * * *" # Execute scheduled triggers pipeline_schedule_worker: cron: "{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}" # Remove expired build artifacts expire_build_artifacts_worker: cron: "50 * * * *" # Stop expired environments environments_auto_stop_cron_worker: cron: "24 * * * *" # Periodically run 'git fsck' on all repositories. If started more than # once per hour you will have concurrent 'git fsck' jobs. repository_check_worker: cron: "20 * * * *" # Archive live traces which have not been archived yet ci_archive_traces_cron_worker: cron: "17 * * * *" # Send admin emails once a week admin_email_worker: cron: "0 0 * * 0" # Send emails for personal tokens which are about to expire personal_access_tokens_expiring_worker: cron: "0 1 * * *" # Remove outdated repository archives repository_archive_cache_worker: cron: "0 * * * *" # Verify custom GitLab Pages domains pages_domain_verification_cron_worker: cron: "*/15 * * * *" # Periodically migrate diffs from the database to external storage schedule_migrate_external_diffs_worker: cron: "15 * * * *" # GitLab EE only jobs. These jobs are automatically enabled for an EE # installation, and ignored for a CE installation. ee_cron_jobs: # Snapshot active users statistics historical_data_worker: cron: "0 12 * * *" # In addition to refreshing users when they log in, # periodically refresh LDAP users membership. # NOTE: This will only take effect if LDAP is enabled ldap_sync_worker: cron: "30 1 * * *" # Periodically refresh LDAP groups membership. # NOTE: This will only take effect if LDAP is enabled ldap_group_sync_worker: cron: "0 * * * *" # GitLab Geo metrics update worker # NOTE: This will only take effect if Geo is enabled geo_metrics_update_worker: cron: "*/1 * * * *" # GitLab Geo prune event log worker # NOTE: This will only take effect if Geo is enabled (primary node only) geo_prune_event_log_worker: cron: "*/5 * * * *" # GitLab Geo repository sync worker # NOTE: This will only take effect if Geo is enabled (secondary nodes only) geo_repository_sync_worker: cron: "*/1 * * * *" # GitLab Geo registry backfill worker # NOTE: This will only take effect if Geo is enabled (secondary nodes only) geo_secondary_registry_consistency_worker: cron: "* * * * *" # GitLab Geo file download dispatch worker # NOTE: This will only take effect if Geo is enabled (secondary nodes only) geo_file_download_dispatch_worker: cron: "*/1 * * * *" # GitLab Geo migrated local files clean up worker # NOTE: This will only take effect if Geo is enabled (secondary nodes only) geo_migrated_local_files_clean_up_worker: cron: "15 */6 * * *" # Export pseudonymized data in CSV format for analysis pseudonymizer_worker: cron: "0 * * * *" # Elasticsearch bulk updater for incremental updates. # NOTE: This will only take effect if elasticsearch is enabled. elastic_index_bulk_cron_worker: cron: "*/1 * * * *" registry: enabled: {{GITLAB_REGISTRY_ENABLED}} host: {{GITLAB_REGISTRY_HOST}} port: {{GITLAB_REGISTRY_PORT}} api_url: {{GITLAB_REGISTRY_API_URL}} # internal address to the registry, will be used by GitLab to directly communicate with API key: {{GITLAB_REGISTRY_KEY_PATH}} path: {{GITLAB_REGISTRY_DIR}} issuer: {{GITLAB_REGISTRY_ISSUER}} # notification_secret: '' # only set it when you use Geo replication feature without built-in Registry # Add notification settings if you plan to use Geo Replication for the registry # notifications: # - name: geo_event # url: https://example.com/api/v4/container_registry_event/events # timeout: 2s # threshold: 5 # backoff: 1s # headers: # Authorization: secret_phrase ## Error Reporting and Logging with Sentry sentry: enabled: {{SENTRY_ENABLED}} dsn: {{SENTRY_DSN}} clientside_dsn: {{SENTRY_CLIENTSIDE_DSN}} environment: '{{SENTRY_ENVIRONMENT}}' # e.g. development, staging, production ## Geo # NOTE: These settings will only take effect if Geo is enabled geo: # This is an optional identifier which Geo nodes can use to identify themselves. # For example, if external_url is the same for two secondaries, you must specify # a unique Geo node name for those secondaries. # # If it is blank, it defaults to external_url. node_name: '' registry_replication: # enabled: true # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API ## Feature Flag https://docs.gitlab.com/ee/user/project/operations/feature_flags.html feature_flags: unleash: # enabled: false # url: https://gitlab.com/api/v4/feature_flags/unleash/ # app_name: gitlab.com # Environment name of your GitLab instance # instance_id: INSTANCE_ID # # 2. GitLab CI settings # ========================== gitlab_ci: # Default project notifications settings: # # Send emails only on broken builds (default: true) all_broken_builds: {{GITLAB_NOTIFY_ON_BROKEN_BUILDS}} # # Add pusher to recipients list (default: false) add_pusher: {{GITLAB_NOTIFY_PUSHER}} # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root builds_path: {{GITLAB_BUILDS_DIR}} # # 3. Auth settings # ========================== ## LDAP settings # You can test connections and inspect a sample of the LDAP users with login # access by running: # bundle exec rake gitlab:ldap:check RAILS_ENV=production ldap: enabled: {{LDAP_ENABLED}} prevent_ldap_sign_in: {{LDAP_PREVENT_LDAP_SIGN_IN}} # This setting controls the number of seconds between LDAP permission checks # for each user. After this time has expired for a given user, their next # interaction with GitLab (a click in the web UI, a git pull, etc.) will be # slower because the LDAP permission check is being performed. How much # slower depends on your LDAP setup, but it is not uncommon for this check # to add seconds of waiting time. The default value is to have a "slow # click" once every 3600 seconds (i.e., once per hour). # # Warning: if you set this value too low, every click in GitLab will be a # "slow click" for all of your LDAP users. # sync_time: 3600 servers: ########################################################################## # # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab # Enterprise Edition now supports connecting to multiple LDAP servers. # # If you are updating from the old (pre-7.4) syntax, you MUST give your # old server the ID 'main'. # ########################################################################## main: # 'main' is the GitLab 'provider ID' of this LDAP server ## label # # A human-friendly name for your LDAP server. It is OK to change the label later, # for instance if you find out it is too large to fit on the web page. # # Example: 'Paris' or 'Acme, Ltd.' label: '{{LDAP_LABEL}}' # Example: 'ldap.mydomain.com' host: '{{LDAP_HOST}}' # This port is an example, it is sometimes different but it is always an integer and not a string port: {{LDAP_PORT}} # usually 636 for SSL uid: '{{LDAP_UID}}' # This should be the attribute, not the value that maps to uid. # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com' bind_dn: '{{LDAP_BIND_DN}}' password: '{{LDAP_PASS}}' # Encryption method. The "method" key is deprecated in favor of # "encryption". # # Examples: "start_tls" or "simple_tls" or "plain" # # Deprecated values: "tls" was replaced with "start_tls" and "ssl" was # replaced with "simple_tls". # encryption: '{{LDAP_METHOD}}' # Enables SSL certificate verification if encryption method is # "start_tls" or "simple_tls". Defaults to true. verify_certificates: {{LDAP_VERIFY_SSL}} # OpenSSL::SSL::SSLContext options. tls_options: # Specifies the path to a file containing a PEM-format CA certificate, # e.g. if you need to use an internal CA. # # Example: '/etc/ca.pem' # ca_file: '{{LDAP_CA_FILE}}' # Specifies the SSL version for OpenSSL to use, if the OpenSSL default # is not appropriate. # # Example: 'TLSv1_1' # ssl_version: '{{LDAP_SSL_VERSION}}' # Specific SSL ciphers to use in communication with LDAP servers. # # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2' ciphers: '' # Client certificate # # Example: # cert: | # -----BEGIN CERTIFICATE----- # MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ # bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE # CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4 # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl # ... # 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80 # Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg== # -----END CERTIFICATE ----- cert: '' # Client private key # key: | # -----BEGIN PRIVATE KEY----- # MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6 # bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN # 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl # ... # +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9 # l6RG+a/mW+0rCWn8JAd464Ps9hE= # -----END PRIVATE KEY----- key: '' # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking # a request if the LDAP server becomes unresponsive. # A value of 0 means there is no timeout. timeout: {{LDAP_TIMEOUT}} # Enable smartcard authentication against the LDAP server. Valid values # are "false", "optional", and "required". smartcard_auth: false # This setting specifies if LDAP server is Active Directory LDAP server. # For non AD servers it skips the AD specific queries. # If your LDAP server is not AD, set this to false. active_directory: {{LDAP_ACTIVE_DIRECTORY}} # If allow_username_or_email_login is enabled, GitLab will ignore everything # after the first '@' in the LDAP username submitted by the user on login. # # Example: # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. # # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to # disable this setting, because the userPrincipalName contains an '@'. allow_username_or_email_login: {{LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN}} # To maintain tight control over the number of active users on your GitLab installation, # enable this setting to keep new users blocked until they have been cleared by the admin # (default: false). block_auto_created_users: {{LDAP_BLOCK_AUTO_CREATED_USERS}} # Base where we can search for users # # Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com' # base: '{{LDAP_BASE}}' # Filter LDAP users # # Format: RFC 4515 https://tools.ietf.org/search/rfc4515 # Ex. (employeeType=developer) # # Note: GitLab does not support omniauth-ldap's custom filter syntax. # # Example for getting only specific users: # '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))' # user_filter: '{{LDAP_USER_FILTER}}' # Base where we can search for groups # # Ex. ou=Groups,dc=gitlab,dc=example # group_base: '' # LDAP group of users who should be admins in GitLab # # Ex. GLAdmins # admin_group: '' # LDAP group of users who should be marked as external users in GitLab # # Ex. ['Contractors', 'Interns'] # external_groups: [] # Name of attribute which holds a ssh public key of the user object. # If false or nil, SSH key syncronisation will be disabled. # # Ex. sshpublickey # sync_ssh_keys: false # LDAP attributes that GitLab will use to create an account for the LDAP user. # The specified attribute can either be the attribute name as a string (e.g. 'mail'), # or an array of attribute names to try in order (e.g. ['mail', 'email']). # Note that the user's LDAP login will always be the attribute specified as `uid` above. attributes: # The username will be used in paths for the user's own projects # (like `gitlab.example.com/username/project`) and when mentioning # them in issues, merge request and comments (like `@username`). # If the attribute specified for `username` contains an email address, # the GitLab username will be the part of the email address before the '@'. username: {{LDAP_USER_ATTRIBUTE_USERNAME}} email: {{LDAP_USER_ATTRIBUTE_MAIL}} # If no full name could be found at the attribute specified for `name`, # the full name is determined using the attributes specified for # `first_name` and `last_name`. name: '{{LDAP_USER_ATTRIBUTE_NAME}}' first_name: '{{LDAP_USER_ATTRIBUTE_FIRSTNAME}}' last_name: '{{LDAP_USER_ATTRIBUTE_LASTNAME}}' # If lowercase_usernames is enabled, GitLab will lower case the username. lowercase_usernames: {{LDAP_LOWERCASE_USERNAMES}} # GitLab EE only: add more LDAP servers # Choose an ID made of a-z and 0-9 . This ID will be stored in the database # so that GitLab can remember which LDAP server a user belongs to. # uswest2: # label: # host: # .... ## Smartcard authentication settings smartcard: # Allow smartcard authentication enabled: false # Path to a file containing a CA certificate bundle ca_file: '/etc/ssl/certs/CA.pem' # Host and port where the client side certificate is requested by the # webserver (NGINX/Apache) # client_certificate_required_host: smartcard.gitlab.example.com # client_certificate_required_port: 3444 # Browser session with smartcard sign-in is required for Git access # required_for_git_access: false # Use X.509 SAN extensions certificates to identify GitLab users # Add a subjectAltName to your certificates like: email:user # san_extensions: true ## Kerberos settings kerberos: # Allow the HTTP Negotiate authentication method for Git clients enabled: false # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user, # and should be different from other keytabs in the system. # (default: use default keytab from Krb5 config) # keytab: /etc/http.keytab # The Kerberos service name to be used by GitLab. # (default: accept any service name in keytab file) # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails. # To support both Basic and Negotiate methods with older versions of Git, configure # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines # to dedicate this port to Kerberos authentication. (default: false) # use_dedicated_port: true # port: 8443 # https: true ## OmniAuth settings omniauth: # Allow login via Twitter, Google, etc. using OmniAuth providers enabled: {{OAUTH_ENABLED}} # Uncomment this to automatically sign in with a specific omniauth provider's without # showing GitLab's sign-in page (default: show the GitLab sign-in page) auto_sign_in_with_provider: {{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}} # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty). # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"], # or as true/false to allow all providers or none. # When authenticating using LDAP, the user's email is always synced. # sync_profile_from_provider: [] # Select which info to sync from the providers above. (default: email). # Define the synced profile info using an array. Available options are "name", "email" and "location" # e.g. ["name", "email", "location"] or as true to sync all available. # This consequently will make the selected attributes read-only. # sync_profile_attributes: true # CAUTION! # This allows users to login without having a user account first. Define the allowed providers # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none. # User accounts will be created automatically when authentication was successful. allow_single_sign_on: ["{{OAUTH_ALLOW_SSO}}"] # Locks down those users until they have been cleared by the admin (default: true). block_auto_created_users: {{OAUTH_BLOCK_AUTO_CREATED_USERS}} # Look up new users in LDAP servers. If a match is found (same uid), automatically # link the omniauth identity with the LDAP account. (default: false) auto_link_ldap_user: {{OAUTH_AUTO_LINK_LDAP_USER}} # Allow users with existing accounts to login and auto link their account via SAML # login, without having to do a manual login first and manually add SAML # (default: false) auto_link_saml_user: {{OAUTH_AUTO_LINK_SAML_USER}} # Allow users with existing accounts to login and auto link their account via the # defined Omniauth providers login, without having to do a manual login first and # manually connect their chosen provider. # (default: []) auto_link_user: [{{OAUTH_AUTO_LINK_USER}}] # Set different Omniauth providers as external so that all users creating accounts # via these providers will not be able to have access to internal projects. You # will need to use the full name of the provider, like `google_oauth2` for Google. # Refer to the examples below for the full names of the supported providers. # (default: []) external_providers: [{{OAUTH_EXTERNAL_PROVIDERS}}] # CAUTION! # This allows users to login with the specified providers without two factor. Define the allowed providers # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none. # This option should only be configured for providers which already have two factor. # This configration dose not apply to SAML. # (default: false) allow_bypass_two_factor: null ## Auth providers # Uncomment the following lines and fill in the data of the auth provider you want to use # If your favorite auth provider is not listed you can use others: # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations # The 'app_id' and 'app_secret' parameters are always passed as the first two # arguments, followed by optional 'args' which can be either a hash or an array. # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html providers: # See omniauth-cas3 for more configuration details - { name: 'cas3', label: '{{OAUTH_CAS3_LABEL}}', args: { url: '{{OAUTH_CAS3_SERVER}}', disable_ssl_verification: {{OAUTH_CAS3_DISABLE_SSL_VERIFICATION}}, login_url: '{{OAUTH_CAS3_LOGIN_URL}}', service_validate_url: '{{OAUTH_CAS3_VALIDATE_URL}}', logout_url: '{{OAUTH_CAS3_LOGOUT_URL}}'} } - { name: 'authentiq', app_id: '{{OAUTH_AUTHENTIQ_CLIENT_ID}}', app_secret: 'OAUTH_AUTHENTIQ_CLIENT_SECRET', args: { scope: {{OAUTH_AUTHENTIQ_SCOPE}}, redirect_uri: '{{OAUTH_AUTHENTIQ_REDIRECT_URI}}' } } - { name: 'github', label: 'GitHub', app_id: '{{OAUTH_GITHUB_API_KEY}}', app_secret: '{{OAUTH_GITHUB_APP_SECRET}}', url: "{{OAUTH_GITHUB_URL}}", verify_ssl: {{OAUTH_GITHUB_VERIFY_SSL}}, args: { scope: '{{OAUTH_GITHUB_SCOPE}}' } } - { name: 'bitbucket', app_id: '{{OAUTH_BITBUCKET_API_KEY}}', app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}', url: '{{OAUTH_BITBUCKET_URL}}' } - { name: 'gitlab', label: 'GitLab.com', app_id: '{{OAUTH_GITLAB_API_KEY}}', app_secret: '{{OAUTH_GITLAB_APP_SECRET}}', args: { scope: '{{OAUTH_GITLAB_SCOPE}}' } } - { name: 'google_oauth2', label: 'Google', app_id: '{{OAUTH_GOOGLE_API_KEY}}', app_secret: '{{OAUTH_GOOGLE_APP_SECRET}}', args: { access_type: 'offline', approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}', hd: [{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}] } } - { name: 'facebook', app_id: '{{OAUTH_FACEBOOK_API_KEY}}', app_secret: '{{OAUTH_FACEBOOK_APP_SECRET}}' } - { name: 'twitter', app_id: '{{OAUTH_TWITTER_API_KEY}}', app_secret: '{{OAUTH_TWITTER_APP_SECRET}}' } - { name: 'saml', label: '{{OAUTH_SAML_LABEL}}', groups_attribute: '{{OAUTH_SAML_GROUPS_ATTRIBUTE}}', external_groups: [{{OAUTH_SAML_EXTERNAL_GROUPS}}], args: { assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}', idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}', idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}', issuer: '{{OAUTH_SAML_ISSUER}}', attribute_statements: { first_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}}'], last_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME}}'], username: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME}}'], name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}}'], email: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}'] }, name_identifier_format: '{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}' } } - { name: 'crowd', args: { crowd_server_url: '{{OAUTH_CROWD_SERVER_URL}}', application_name: '{{OAUTH_CROWD_APP_NAME}}', application_password: '{{OAUTH_CROWD_APP_PASSWORD}}' } } - { name: 'auth0', args: { client_id: '{{OAUTH_AUTH0_CLIENT_ID}}', client_secret: '{{OAUTH_AUTH0_CLIENT_SECRET}}', domain: '{{OAUTH_AUTH0_DOMAIN}}', scope: '{{OAUTH_AUTH0_SCOPE}}' } } - { name: 'oauth2_generic', app_id: '{{OAUTH2_GENERIC_APP_ID}}', app_secret: '{{OAUTH2_GENERIC_APP_SECRET}}', args: { client_options: { site: '{{OAUTH2_GENERIC_CLIENT_SITE}}', user_info_url: '{{OAUTH2_GENERIC_CLIENT_USER_INFO_URL}}', authorize_url: '{{OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL}}', token_url: '{{OAUTH2_GENERIC_CLIENT_TOKEN_URL}}', end_session_endpoint: '{{OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT}}', }, user_response_structure: { id_path: '{{OAUTH2_GENERIC_ID_PATH}}', attributes: { uid: '{{OAUTH2_GENERIC_USER_UID}}', name: '{{OAUTH2_GENERIC_USER_NAME}}', email: '{{OAUTH2_GENERIC_USER_EMAIL}}' } }, name: '{{OAUTH2_GENERIC_NAME}}' }} - { name: 'azure_oauth2', args: { client_id: '{{OAUTH_AZURE_API_KEY}}', client_secret: '{{OAUTH_AZURE_API_SECRET}}', tenant_id: '{{OAUTH_AZURE_TENANT_ID}}' } } # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours. # cas3: # session_duration: 28800 # Shared file storage settings shared: path: {{GITLAB_SHARED_DIR}} # Default: shared # Gitaly settings gitaly: # Path to the directory containing Gitaly client executables. client_path: {{GITALY_CLIENT_PATH}} # Default Gitaly authentication token. Can be overridden per storage. Can # be left blank when Gitaly is running locally on a Unix socket, which # is the normal way to deploy Gitaly. token: {{GITALY_TOKEN}} # # 4. Advanced settings # ========================== ## Repositories settings repositories: # Paths where repositories can be stored. Give the canonicalized absolute pathname. # IMPORTANT: None of the path components may be symlink, because # gitlab-shell invokes Dir.pwd inside the repository path and that results # real path not the symlink. storages: # You must have at least a `default` storage path. default: path: {{GITLAB_REPOS_DIR}}/ gitaly_address: unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port). # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage. ## Backup settings backup: path: "{{GITLAB_BACKUP_DIR}}" # Relative paths are relative to Rails.root (default: tmp/backups/) archive_permissions: {{GITLAB_BACKUP_ARCHIVE_PERMISSIONS}} # Permissions for the resulting backup.tar file (default: 0600) keep_time: {{GITLAB_BACKUP_EXPIRY}} # default: 0 (forever) (in seconds) pg_schema: {{GITLAB_BACKUP_PG_SCHEMA}} # default: nil, it means that all schemas will be backed up upload: # Fog storage connection settings, see http://fog.io/storage/ . #start-aws connection: provider: AWS region: {{AWS_BACKUP_REGION}} endpoint: {{AWS_BACKUP_ENDPOINT}} path_style: {{AWS_BACKUP_PATH_STYLE}} aws_access_key_id: {{AWS_BACKUP_ACCESS_KEY_ID}} aws_secret_access_key: '{{AWS_BACKUP_SECRET_ACCESS_KEY}}' aws_signature_version: {{AWS_BACKUP_SIGNATURE_VERSION}} # The remote 'directory' to store your backups. For S3, this would be the bucket name. remote_directory: '{{AWS_BACKUP_BUCKET}}' #start-multipart-aws # Use multipart uploads when file size reaches 100MB, see # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html multipart_chunk_size: {{AWS_BACKUP_MULTIPART_CHUNK_SIZE}} #end-multipart-aws #start-encryption-aws # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional encryption: 'AES256' # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional # This should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data. # 'encryption' must also be set in order for this to have any effect. # encryption_key: '' #end-encryption-aws # Specifies Amazon S3 storage class to use for backups, this is optional storage_class: '{{AWS_BACKUP_STORAGE_CLASS}}' #end-aws #start-gcs # Fog storage connection settings, see http://fog.io/storage/ . connection: provider: Google google_storage_access_key_id: {{GCS_BACKUP_ACCESS_KEY_ID}} google_storage_secret_access_key: '{{GCS_BACKUP_SECRET_ACCESS_KEY}}' remote_directory: '{{GCS_BACKUP_BUCKET}}' #end-gcs ## Pseudonymizer exporter pseudonymizer: # Tables manifest that specifies the fields to extract and pseudonymize. manifest: config/pseudonymizer.yml upload: remote_directory: 'gitlab-elt' # Fog storage connection settings, see http://fog.io/storage/ . connection: # provider: AWS # region: eu-west-1 # aws_access_key_id: AKIAKIAKI # aws_secret_access_key: 'secret123' # # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. ## GitLab Shell settings gitlab_shell: path: {{GITLAB_SHELL_INSTALL_DIR}}/ authorized_keys_file: {{GITLAB_HOME}}/.ssh/authorized_keys # File that contains the secret key for verifying access for gitlab-shell. # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app). secret_file: {{GITLAB_INSTALL_DIR}}/.gitlab_shell_secret # Git over HTTP upload_pack: true receive_pack: true # Git import/fetch timeout, in seconds. Defaults to 3 hours. # git_timeout: 10800 # If you use non-standard ssh port you need to specify it ssh_port: {{GITLAB_SSH_PORT}} workhorse: # File that contains the secret key for verifying access for gitlab-workhorse. # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_workhorse_secret ## GitLab Elasticsearch settings elasticsearch: indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/ ## Git settings # CAUTION! # Use the default values unless you really know what you are doing git: bin_path: /usr/local/bin/git ## ActionCable settings action_cable: # Number of threads used to process ActionCable connection callbacks and channel actions # worker_pool_size: 4 ## Webpack settings # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running # on a given port instead of serving directly from /assets/webpack. This is only indended for use # in development. webpack: # dev_server: # enabled: true # host: localhost # port: 3808 ## Monitoring # Built in monitoring settings monitoring: # Time between sampling of unicorn socket metrics, in seconds unicorn_sampler_interval: {{GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL}} # Time between sampling of Puma metrics, in seconds # puma_sampler_interval: 5 # IP whitelist to access monitoring endpoints ip_whitelist: - 127.0.0.0/8 - {{GITLAB_MONITORING_IP_WHITELIST}} # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics sidekiq_exporter: enabled: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED}} address: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS}} port: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT}} # Web exporter is webserver built in to Unicorn/Puma to expose Prometheus metrics # It runs alongside the `/metrics` endpoints to ease the publish of metrics web_exporter: # enabled: true # address: localhost # port: 8083 ## Prometheus settings # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb # if you installed GitLab via Omnibus. # If you installed from source, you need to install and configure Prometheus # yourself, and then update the values here. # https://docs.gitlab.com/ee/administration/monitoring/prometheus/ prometheus: # enable: true # listen_address: 'localhost:9090' shutdown: # # blackout_seconds: # # defines an interval to block healthcheck, # # but continue accepting application requests # # this allows Load Balancer to notice service # # being shutdown and not interrupt any of the clients # blackout_seconds: 10 # # 5. Extra customization # ========================== extra: ## Google analytics. Uncomment if you want it google_analytics_id: '{{GOOGLE_ANALYTICS_ID}}' ## Piwik analytics. piwik_url: '{{PIWIK_URL}}' piwik_site_id: '{{PIWIK_SITE_ID}}' rack_attack: git_basic_auth: # Rack Attack IP banning enabled enabled: {{RACK_ATTACK_ENABLED}} # # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers ip_whitelist: ["{{RACK_ATTACK_WHITELIST}}"] # # Limit the number of Git HTTP authentication attempts per IP maxretry: {{RACK_ATTACK_MAXRETRY}} # # Reset the auth attempt counter per IP after 60 seconds findtime: {{RACK_ATTACK_FINDTIME}} # # Ban an IP for one hour (3600s) after too many auth attempts bantime: {{RACK_ATTACK_BANTIME}} development: <<: *base # We want to run web/sidekiq exporters for devs # to catch errors from using them. # # We use random port to not block ability to run # multiple instances of the service monitoring: sidekiq_exporter: enabled: true address: 127.0.0.1 port: 0 web_exporter: enabled: true address: 127.0.0.1 port: 0 test: <<: *base gravatar: enabled: true external_diffs: enabled: false # Diffs may be `always` external (the default), or they can be made external # after they have become `outdated` (i.e., the MR is closed or a new version # has been pushed). # when: always # The location where external diffs are stored (default: shared/external-diffs). # storage_path: shared/external-diffs object_store: enabled: false remote_directory: external-diffs # The bucket name connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 lfs: enabled: false # The location where LFS objects are stored (default: shared/lfs-objects). # storage_path: shared/lfs-objects object_store: enabled: false remote_directory: lfs-objects # The bucket name connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 artifacts: path: tmp/tests/artifacts enabled: true # The location where build artifacts are stored (default: shared/artifacts). # path: shared/artifacts object_store: enabled: false remote_directory: artifacts # The bucket name background_upload: false connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 uploads: storage_path: tmp/tests/public object_store: enabled: false connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 terraform_state: enabled: true storage_path: tmp/tests/terraform_state object_store: enabled: false remote_directory: terraform_state connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 gitlab: host: localhost port: 80 content_security_policy: enabled: true report_only: false directives: base_uri: child_src: connect_src: default_src: "'self'" font_src: form_action: frame_ancestors: "'self'" frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com" img_src: "* data: blob:" manifest_src: media_src: object_src: "'none'" script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" style_src: "'self' 'unsafe-inline'" worker_src: "'self' blob:" report_uri: # When you run tests we clone and set up gitlab-shell # In order to set it up correctly you need to specify # your system username you use to run GitLab # user: YOUR_USERNAME pages: path: tmp/tests/pages repositories: storages: default: path: tmp/tests/repositories/ gitaly_address: unix:tmp/tests/gitaly/gitaly.socket gitaly: client_path: tmp/tests/gitaly token: secret workhorse: secret_file: tmp/gitlab_workhorse_test_secret backup: path: tmp/tests/backups pseudonymizer: manifest: config/pseudonymizer.yml upload: # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. remote_directory: gitlab-elt.test # Fog storage connection settings, see http://fog.io/storage/ connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID aws_secret_access_key: AWS_SECRET_ACCESS_KEY region: us-east-1 gitlab_shell: path: tmp/tests/gitlab-shell/ authorized_keys_file: tmp/tests/authorized_keys issues_tracker: redmine: title: "Redmine" project_url: "http://redmine/projects/:issues_tracker_id" issues_url: "http://redmine/:project_id/:issues_tracker_id/:id" new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new" jira: title: "Jira" url: https://sample_company.atlassian.net project_key: PROJECT omniauth: # enabled: true allow_single_sign_on: true external_providers: [] providers: - { name: 'cas3', label: 'cas3', args: { url: 'https://sso.example.com', disable_ssl_verification: false, login_url: '/cas/login', service_validate_url: '/cas/p3/serviceValidate', logout_url: '/cas/logout'} } - { name: 'github', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', url: "https://github.com/", verify_ssl: false, args: { scope: 'user:email' } } - { name: 'bitbucket', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET' } - { name: 'gitlab', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', args: { scope: 'api' } } - { name: 'google_oauth2', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', args: { access_type: 'offline', approval_prompt: '' } } - { name: 'facebook', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET' } - { name: 'twitter', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET' } - { name: 'jwt', app_secret: 'YOUR_APP_SECRET', args: { algorithm: 'HS256', uid_claim: 'email', required_claims: ["name", "email"], info_map: { name: "name", email: "email" }, auth_url: 'https://example.com/', valid_within: null, } } - { name: 'auth0', args: { client_id: 'YOUR_AUTH0_CLIENT_ID', client_secret: 'YOUR_AUTH0_CLIENT_SECRET', namespace: 'YOUR_AUTH0_DOMAIN' } } - { name: 'authentiq', app_id: 'YOUR_CLIENT_ID', app_secret: 'YOUR_CLIENT_SECRET', args: { scope: 'aq:name email~rs address aq:push' } } - { name: 'salesforce', app_id: 'YOUR_CLIENT_ID', app_secret: 'YOUR_CLIENT_SECRET' } ldap: enabled: false servers: main: label: ldap host: 127.0.0.1 port: 3890 uid: 'uid' encryption: 'plain' # "start_tls" or "simple_tls" or "plain" base: 'dc=example,dc=com' user_filter: '' group_base: 'ou=groups,dc=example,dc=com' admin_group: '' prometheus: enable: true listen_address: 'localhost:9090' staging: <<: *base