archive-gh-me/docker-gitlab
1
0
Fork 0
mirror of https://github.com/sameersbn/docker-gitlab.git synced 2026-01-18 13:58:25 +00:00
Code Issues Projects Releases Wiki Activity
docker-gitlab/assets/runtime/functions
solidnerd fe04334b61 Fix behaviour of gitlab:backup:restore/backup 
Since 10.8 GitLab requires Gitaly as core process. Gitaly needs to be
run to make backups successfuly.

For this case we will start all proccess to let handle the backup and
restore correctly like before.

Signed-off-by: solidnerd <niclas@mietz.io>
2019-07-13 13:30:04 +02:00

1860 lines
61 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
set -e
for file in /gitlab-configs /run/secrets/gitlab-secrets; do
if [[ -e "$file" ]]; then
echo "Loading $file"
source "$file"
fi
done
echo "Loading ${GITLAB_RUNTIME_DIR}/env-defaults"
source ${GITLAB_RUNTIME_DIR}/env-defaults
SYSCONF_TEMPLATES_DIR="${GITLAB_RUNTIME_DIR}/config"
USERCONF_TEMPLATES_DIR="${GITLAB_DATA_DIR}/config"
GITLAB_CONFIG="${GITLAB_INSTALL_DIR}/config/gitlab.yml"
GITLAB_DATABASE_CONFIG="${GITLAB_INSTALL_DIR}/config/database.yml"
GITLAB_UNICORN_CONFIG="${GITLAB_INSTALL_DIR}/config/unicorn.rb"
GITLAB_RELATIVE_URL_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/relative_url.rb"
GITLAB_RACK_ATTACK_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/rack_attack.rb"
GITLAB_SMTP_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/smtp_settings.rb"
GITLAB_RESQUE_CONFIG="${GITLAB_INSTALL_DIR}/config/resque.yml"
GITLAB_SECRETS_CONFIG="${GITLAB_INSTALL_DIR}/config/secrets.yml"
GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt"
GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml"
GITLAB_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab"
GITLAB_CI_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab_ci"
GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-registry"
GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-pages"
GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml"
# Compares two version strings `a` and `b`
# Returns
# - negative integer, if `a` is less than `b`
# - 0, if `a` and `b` are equal
# - non-negative integer, if `a` is greater than `b`
vercmp() {
expr '(' "$1" : '\([^.]*\)' ')' '-' '(' "$2" : '\([^.]*\)' ')' '|' \
'(' "$1.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
'(' "$1.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '|' \
'(' "$1.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')'
}
## Execute a command as GITLAB_USER
exec_as_git() {
if [[ $(whoami) == ${GITLAB_USER} ]]; then
$@
else
sudo -HEu ${GITLAB_USER} "$@"
fi
}
## Copies configuration template to the destination as the specified USER
### Looks up for overrides in ${USERCONF_TEMPLATES_DIR} before using the defaults from ${SYSCONF_TEMPLATES_DIR}
# $1: copy-as user
# $2: source file
# $3: destination location
# $4: mode of destination
install_template() {
local OWNERSHIP=${1}
local SRC=${2}
local DEST=${3}
local MODE=${4:-0644}
if [[ -f ${USERCONF_TEMPLATES_DIR}/${SRC} ]]; then
cp ${USERCONF_TEMPLATES_DIR}/${SRC} ${DEST}
elif [[ -f ${SYSCONF_TEMPLATES_DIR}/${SRC} ]]; then
cp ${SYSCONF_TEMPLATES_DIR}/${SRC} ${DEST}
fi
chmod ${MODE} ${DEST}
chown ${OWNERSHIP} ${DEST}
}
## Replace placeholders with values
# $1: file with placeholders to replace
# $x: placeholders to replace
update_template() {
local FILE=${1?missing argument}
shift
[[ ! -f ${FILE} ]] && return 1
local VARIABLES=($@)
local USR=$(stat -c %U ${FILE})
local tmp_file=$(mktemp)
cp -a "${FILE}" ${tmp_file}
local variable
for variable in ${VARIABLES[@]}; do
# Keep the compatibilty: {{VAR}} => ${VAR}
sed -ri "s/[{]{2}$variable[}]{2}/\${$variable}/g" ${tmp_file}
done
# Replace placeholders
(
export ${VARIABLES[@]}
local IFS=":"; sudo -HEu ${USR} envsubst "${VARIABLES[*]/#/$}" < ${tmp_file} > ${FILE}
)
rm -f ${tmp_file}
}
gitlab_finalize_database_parameters() {
# is a mysql or postgresql database linked?
# requires that the mysql or postgresql containers have exposed
# port 3306 and 5432 respectively.
if [[ -n ${MYSQL_PORT_3306_TCP_ADDR} ]]; then
DB_ADAPTER=${DB_ADAPTER:-mysql2}
DB_HOST=${DB_HOST:-${MYSQL_PORT_3306_TCP_ADDR}}
DB_PORT=${DB_PORT:-${MYSQL_PORT_3306_TCP_PORT}}
# support for linked sameersbn/mysql image
DB_USER=${DB_USER:-${MYSQL_ENV_DB_USER}}
DB_PASS=${DB_PASS:-${MYSQL_ENV_DB_PASS}}
DB_NAME=${DB_NAME:-${MYSQL_ENV_DB_NAME}}
# support for linked orchardup/mysql and enturylink/mysql image
# also supports official mysql image
DB_USER=${DB_USER:-${MYSQL_ENV_MYSQL_USER}}
DB_PASS=${DB_PASS:-${MYSQL_ENV_MYSQL_PASSWORD}}
DB_NAME=${DB_NAME:-${MYSQL_ENV_MYSQL_DATABASE}}
elif [[ -n ${POSTGRESQL_PORT_5432_TCP_ADDR} ]]; then
DB_ADAPTER=${DB_ADAPTER:-postgresql}
DB_HOST=${DB_HOST:-${POSTGRESQL_PORT_5432_TCP_ADDR}}
DB_PORT=${DB_PORT:-${POSTGRESQL_PORT_5432_TCP_PORT}}
# support for linked official postgres image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRES_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRES_PASSWORD}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_DB}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_USER}}
# support for linked sameersbn/postgresql image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_DB_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_DB_PASS}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB_NAME}}
# support for linked orchardup/postgresql image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRESQL_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRESQL_PASS}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRESQL_DB}}
# support for linked paintedfox/postgresql image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_PASS}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB}}
fi
if [[ -z ${DB_HOST} ]]; then
echo
echo "ERROR: "
echo " Please configure the database connection."
echo " Refer http://git.io/wkYhyA for more information."
echo " Cannot continue without a database. Aborting..."
echo
return 1
fi
# set default port number if not specified
DB_ADAPTER=${DB_ADAPTER:-postgresql}
case ${DB_ADAPTER} in
mysql2)
DB_ENCODING=${DB_ENCODING:-utf8}
DB_COLLATION=${DB_COLLATION:-utf8_general_ci}
DB_PORT=${DB_PORT:-3306}
;;
postgresql)
DB_ENCODING=${DB_ENCODING:-unicode}
# DB_COLLATION: Not supported for postgresql and will be removed below.
DB_PORT=${DB_PORT:-5432}
;;
*)
echo
echo "ERROR: "
echo " Please specify the database type in use via the DB_ADAPTER configuration option."
echo " Accepted values are \"postgresql\" or \"mysql2\". Aborting..."
echo
return 1
;;
esac
# set default user and database
DB_USER=${DB_USER:-root}
DB_NAME=${DB_NAME:-gitlabhq_production}
}
gitlab_check_database_connection() {
case ${DB_ADAPTER} in
mysql2)
prog="mysqladmin -h ${DB_HOST} -P ${DB_PORT} -u ${DB_USER} ${DB_PASS:+-p$DB_PASS} status"
;;
postgresql)
prog=$(find /usr/lib/postgresql/ -name pg_isready)
prog="${prog} -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -t 1"
;;
esac
timeout=60
while ! ${prog} >/dev/null 2>&1
do
timeout=$(expr $timeout - 1)
if [[ $timeout -eq 0 ]]; then
echo
echo "Could not connect to database server. Aborting..."
return 1
fi
echo -n "."
sleep 1
done
echo
}
gitlab_configure_database() {
echo -n "Configuring gitlab::database"
gitlab_finalize_database_parameters
gitlab_check_database_connection
update_template ${GITLAB_DATABASE_CONFIG} \
DB_ADAPTER \
DB_ENCODING \
DB_COLLATION \
DB_HOST \
DB_PORT \
DB_NAME \
DB_USER \
DB_PASS \
DB_POOL
if [[ ${DB_ADAPTER} == postgresql ]]; then
exec_as_git sed -i \
-e "/reconnect: /d" \
-e "/collation: /d" \
${GITLAB_DATABASE_CONFIG}
fi
}
gitlab_finalize_redis_parameters() {
# is a redis container linked?
if [[ -n ${REDISIO_PORT_6379_TCP_ADDR} ]]; then
REDIS_HOST=${REDIS_HOST:-${REDISIO_PORT_6379_TCP_ADDR}}
REDIS_PORT=${REDIS_PORT:-${REDISIO_PORT_6379_TCP_PORT}}
fi
# set default redis port if not specified
REDIS_PORT=${REDIS_PORT:-6379}
if [[ -z ${REDIS_HOST} ]]; then
echo
echo "ERROR: "
echo " Please configure the redis connection."
echo " Refer http://git.io/PMnRSw for more information."
echo " Cannot continue without a redis connection. Aborting..."
echo
return 1
fi
}
gitlab_check_redis_connection() {
timeout=60
while ! redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -n ${REDIS_DB_NUMBER} ping >/dev/null 2>&1
do
timeout=$(expr $timeout - 1)
if [[ $timeout -eq 0 ]]; then
echo ""
echo "Could not connect to redis server. Aborting..."
return 1
fi
echo -n "."
sleep 1
done
echo
}
gitlab_configure_redis() {
echo -n "Configuring gitlab::redis"
gitlab_finalize_redis_parameters
gitlab_check_redis_connection
update_template ${GITLAB_RESQUE_CONFIG} \
REDIS_HOST \
REDIS_PORT \
REDIS_DB_NUMBER
}
gitlab_configure_gitaly() {
echo "Configuring gitlab::gitaly..."
update_template ${GITLAB_GITALY_CONFIG} \
GITALY_SOCKET_PATH \
GITLAB_REPOS_DIR
update_template ${GITLAB_CONFIG} \
GITALY_CLIENT_PATH \
GITALY_TOKEN
}
gitlab_configure_monitoring() {
echo "Configuring gitlab::monitoring..."
update_template ${GITLAB_CONFIG} \
GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \
GITLAB_MONITORING_IP_WHITELIST \
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED \
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS \
GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT
}
gitlab_configure_gitlab_workhorse() {
echo "Configuring gitlab::gitlab-workhorse..."
update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \
GITLAB_RELATIVE_URL_ROOT \
GITLAB_WORKHORSE_TIMEOUT
}
gitlab_configure_unicorn() {
echo "Configuring gitlab::unicorn..."
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
update_template ${GITLAB_UNICORN_CONFIG} GITLAB_RELATIVE_URL_ROOT
else
exec_as_git sed -i "/{{GITLAB_RELATIVE_URL_ROOT}}/d" ${GITLAB_UNICORN_CONFIG}
fi
update_template ${GITLAB_UNICORN_CONFIG} \
GITLAB_INSTALL_DIR \
UNICORN_WORKERS \
UNICORN_TIMEOUT
}
gitlab_configure_relative_url() {
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
echo "Configuring gitlab::relative_url..."
update_template ${GITLAB_RELATIVE_URL_CONFIG} GITLAB_RELATIVE_URL_ROOT
fi
}
gitlab_configure_trusted_proxies() {
if [[ -n ${GITLAB_TRUSTED_PROXIES} ]]; then
echo "Configuring gitlab::trusted_proxies..."
update_template ${GITLAB_CONFIG} GITLAB_TRUSTED_PROXIES
else
exec_as_git sed -i "/{{GITLAB_TRUSTED_PROXIES}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_timezone() {
echo "Configuring gitlab::timezone..."
update_template ${GITLAB_CONFIG} GITLAB_TIMEZONE
}
gitlab_configure_mail_delivery() {
if [[ ${SMTP_ENABLED} == true ]]; then
echo "Configuring gitlab::smtp_settings..."
if [[ -z "${SMTP_USER}" ]]; then
exec_as_git sed -i \
-e '/{{SMTP_USER}}/d' \
-e '/{{SMTP_PASS}}/d' \
${GITLAB_SMTP_CONFIG}
else
if [[ -z "${SMTP_PASS}" ]]; then
exec_as_git sed -i '/{{SMTP_PASS}}/d' ${GITLAB_SMTP_CONFIG}
fi
fi
update_template ${GITLAB_SMTP_CONFIG} \
SMTP_USER \
SMTP_PASS \
SMTP_HOST \
SMTP_PORT \
SMTP_DOMAIN \
SMTP_STARTTLS \
SMTP_TLS \
SMTP_OPENSSL_VERIFY_MODE
case ${SMTP_AUTHENTICATION} in
"") exec_as_git sed -i "/{{SMTP_AUTHENTICATION}}/d" ${GITLAB_SMTP_CONFIG} ;;
*) update_template ${GITLAB_SMTP_CONFIG} SMTP_AUTHENTICATION ;;
esac
if [[ ${SMTP_CA_ENABLED} == true ]]; then
if [[ -d ${SMTP_CA_PATH} ]]; then
update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_PATH
fi
if [[ -f ${SMTP_CA_FILE} ]]; then
update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_FILE
fi
else
exec_as_git sed -i \
-e "/{{SMTP_CA_PATH}}/d" \
-e "/{{SMTP_CA_FILE}}/d" \
${GITLAB_SMTP_CONFIG}
fi
fi
update_template ${GITLAB_CONFIG} \
GITLAB_EMAIL_ENABLED \
GITLAB_EMAIL \
GITLAB_EMAIL_DISPLAY_NAME \
GITLAB_EMAIL_REPLY_TO \
GITLAB_EMAIL_SUBJECT_SUFFIX
}
gitlab_configure_mailroom() {
if [[ ${IMAP_ENABLED} == true ]]; then
echo "Configuring gitlab::incoming_email..."
if [[ -z "${IMAP_USER}" ]]; then
exec_as_git sed -i \
-e '/{{IMAP_USER}}/d' \
-e '/{{IMAP_PASS}}/d' \
${GITLAB_CONFIG}
else
if [[ -z "${IMAP_PASS}" ]]; then
exec_as_git sed -i '/{{IMAP_PASS}}/d' ${GITLAB_CONFIG}
fi
fi
else
exec_as_git sed -i \
-e "/{{IMAP_USER}}/d" \
-e "/{{IMAP_PASS}}/d" \
-e "/{{IMAP_HOST}}/d" \
-e "/{{IMAP_PORT}}/d" \
-e "/{{IMAP_SSL}}/d" \
-e "/{{IMAP_STARTTLS}}/d" \
-e "/{{IMAP_MAILBOX}}/d" \
-e "/{{IMAP_TIMEOUT}}/d" \
${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_INCOMING_EMAIL_ADDRESS \
GITLAB_INCOMING_EMAIL_ENABLED \
IMAP_USER \
IMAP_PASS \
IMAP_HOST \
IMAP_PORT \
IMAP_SSL \
IMAP_STARTTLS \
IMAP_MAILBOX \
IMAP_TIMEOUT
# enable/disable startup of mailroom
echo "mail_room_enabled=${GITLAB_INCOMING_EMAIL_ENABLED}" >> /etc/default/gitlab
update_template /etc/supervisor/conf.d/mail_room.conf GITLAB_INCOMING_EMAIL_ENABLED
}
gitlab_configure_ldap() {
echo "Configuring gitlab::ldap..."
update_template ${GITLAB_CONFIG} \
LDAP_ENABLED \
LDAP_HOST \
LDAP_PORT \
LDAP_UID \
LDAP_METHOD \
LDAP_VERIFY_SSL \
LDAP_CA_FILE \
LDAP_SSL_VERSION \
LDAP_BIND_DN \
LDAP_PASS \
LDAP_TIMEOUT \
LDAP_ACTIVE_DIRECTORY \
LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN \
LDAP_BLOCK_AUTO_CREATED_USERS \
LDAP_BASE \
LDAP_USER_FILTER \
LDAP_LOWERCASE_USERNAMES \
LDAP_USER_ATTRIBUTE_USERNAME \
LDAP_USER_ATTRIBUTE_MAIL \
LDAP_USER_ATTRIBUTE_NAME \
LDAP_USER_ATTRIBUTE_FIRSTNAME \
LDAP_USER_ATTRIBUTE_LASTNAME \
LDAP_LABEL
}
gitlab_configure_oauth_cas3() {
if [[ -n ${OAUTH_CAS3_SERVER} ]]; then
echo "Configuring gitlab::oauth::cas3..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_CAS3_LABEL \
OAUTH_CAS3_SERVER \
OAUTH_CAS3_DISABLE_SSL_VERIFICATION \
OAUTH_CAS3_LOGIN_URL \
OAUTH_CAS3_VALIDATE_URL \
OAUTH_CAS3_LOGOUT_URL
else
exec_as_git sed -i "/name: 'cas3'/,/{{OAUTH_CAS3_LOGOUT_URL}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_google() {
if [[ -n ${OAUTH_GOOGLE_API_KEY} && -n ${OAUTH_GOOGLE_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::google..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
if [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then
update_template ${GITLAB_CONFIG} \
OAUTH_GOOGLE_API_KEY \
OAUTH_GOOGLE_APP_SECRET \
OAUTH_GOOGLE_RESTRICT_DOMAIN \
OAUTH_GOOGLE_APPROVAL_PROMPT
else
exec_as_git sed -i "/ hd\: \[{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}\]/d" ${GITLAB_CONFIG}
exec_as_git sed -i "s/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}',/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}' } }/" ${GITLAB_CONFIG}
update_template ${GITLAB_CONFIG} \
OAUTH_GOOGLE_API_KEY \
OAUTH_GOOGLE_APP_SECRET \
OAUTH_GOOGLE_APPROVAL_PROMPT
fi
else
exec_as_git sed -i "/name: 'google_oauth2'/,/{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_facebook() {
if [[ -n ${OAUTH_FACEBOOK_API_KEY} && -n ${OAUTH_FACEBOOK_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::facebook..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_FACEBOOK_API_KEY \
OAUTH_FACEBOOK_APP_SECRET
else
exec_as_git sed -i "/name: 'facebook'/,/{{OAUTH_FACEBOOK_APP_SECRET}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_twitter() {
if [[ -n ${OAUTH_TWITTER_API_KEY} && -n ${OAUTH_TWITTER_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::twitter..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_TWITTER_API_KEY \
OAUTH_TWITTER_APP_SECRET
else
exec_as_git sed -i "/name: 'twitter'/,/{{OAUTH_TWITTER_APP_SECRET}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_authentiq() {
if [[ -n ${OAUTH_AUTHENTIQ_CLIENT_ID} && -n ${OAUTH_AUTHENTIQ_CLIENT_SECRET} ]]; then
echo "Configuring gitlab::oauth::authentiq..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_AUTHENTIQ_CLIENT_ID \
OAUTH_AUTHENTIQ_CLIENT_SECRET \
OAUTH_AUTHENTIQ_SCOPE \
OAUTH_AUTHENTIQ_REDIRECT_URI
else
exec_as_git sed -i "/name: 'authentiq'/,/{{OAUTH_AUTHENTIQ_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_github() {
if [[ -n ${OAUTH_GITHUB_API_KEY} && -n ${OAUTH_GITHUB_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::github..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_GITHUB_API_KEY \
OAUTH_GITHUB_APP_SECRET \
OAUTH_GITHUB_URL \
OAUTH_GITHUB_VERIFY_SSL \
OAUTH_GITHUB_SCOPE
else
exec_as_git sed -i "/name: 'github'/,/{{OAUTH_GITHUB_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_gitlab() {
if [[ -n ${OAUTH_GITLAB_API_KEY} && -n ${OAUTH_GITLAB_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::gitlab..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_GITLAB_API_KEY \
OAUTH_GITLAB_APP_SECRET \
OAUTH_GITLAB_SCOPE
else
exec_as_git sed -i "/name: 'gitlab'/,/{{OAUTH_GITLAB_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_bitbucket() {
if [[ -n ${OAUTH_BITBUCKET_API_KEY} && -n ${OAUTH_BITBUCKET_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::bitbucket..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_BITBUCKET_API_KEY \
OAUTH_BITBUCKET_APP_SECRET
else
exec_as_git sed -i "/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_APP_SECRET}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_saml_attribute_statements() {
if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} && \
-n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME} ]]; then
echo "Configuring gitlab::oauth::saml::attribute_statements..."
update_template ${GITLAB_CONFIG} \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME
# Remove undefined optional attributes
exec_as_git sed -i "/email: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/name: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/username: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/first_name: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/last_name: \\[''\\],/d" ${GITLAB_CONFIG}
else
exec_as_git sed -i "/attribute_statements:/,/{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_saml() {
if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \
-n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \
-n ${OAUTH_SAML_IDP_SSO_TARGET_URL} && \
-n ${OAUTH_SAML_ISSUER} && \
-n ${OAUTH_SAML_NAME_IDENTIFIER_FORMAT} ]]; then
echo "Configuring gitlab::oauth::saml..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_SAML_LABEL \
OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL \
OAUTH_SAML_IDP_CERT_FINGERPRINT \
OAUTH_SAML_IDP_SSO_TARGET_URL \
OAUTH_SAML_ISSUER \
OAUTH_SAML_NAME_IDENTIFIER_FORMAT \
OAUTH_SAML_GROUPS_ATTRIBUTE \
OAUTH_SAML_EXTERNAL_GROUPS
exec_as_git sed -i "/groups_attribute: '',/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/external_groups: \\[\\],/d" ${GITLAB_CONFIG}
gitlab_configure_oauth_saml_attribute_statements
else
exec_as_git sed -i "/name: 'saml'/,/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_crowd() {
if [[ -n ${OAUTH_CROWD_SERVER_URL} && \
-n ${OAUTH_CROWD_APP_NAME} && \
-n ${OAUTH_CROWD_APP_PASSWORD} ]]; then
echo "Configuring gitlab::oauth::crowd..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_CROWD_SERVER_URL \
OAUTH_CROWD_APP_NAME \
OAUTH_CROWD_APP_PASSWORD
else
exec_as_git sed -i "/name: 'crowd'/,/{{OAUTH_CROWD_APP_PASSWORD}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_auth0() {
if [[ -n ${OAUTH_AUTH0_CLIENT_ID} && \
-n ${OAUTH_AUTH0_CLIENT_SECRET} && \
-n ${OAUTH_AUTH0_DOMAIN} ]]; then
echo "Configuring gitlab::oauth::auth0..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_AUTH0_CLIENT_ID \
OAUTH_AUTH0_CLIENT_SECRET \
OAUTH_AUTH0_DOMAIN
else
exec_as_git sed -i "/name: 'auth0'/,/{{OAUTH_AUTH0_DOMAIN}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_azure() {
if [[ -n ${OAUTH_AZURE_API_KEY} && \
-n ${OAUTH_AZURE_API_SECRET} && \
-n ${OAUTH_AZURE_TENANT_ID} ]]; then
echo "Configuring gitlab::oauth::azure..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_AZURE_API_KEY \
OAUTH_AZURE_API_SECRET \
OAUTH_AZURE_TENANT_ID
else
exec_as_git sed -i "/name: 'azure_oauth2'/,/{{OAUTH_AZURE_TENANT_ID}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth() {
echo "Configuring gitlab::oauth..."
gitlab_configure_oauth_cas3
gitlab_configure_oauth_google
gitlab_configure_oauth_facebook
gitlab_configure_oauth_twitter
gitlab_configure_oauth_authentiq
gitlab_configure_oauth_github
gitlab_configure_oauth_gitlab
gitlab_configure_oauth_bitbucket
gitlab_configure_oauth_saml
gitlab_configure_oauth_crowd
gitlab_configure_oauth_auth0
gitlab_configure_oauth_azure
OAUTH_ENABLED=${OAUTH_ENABLED:-false}
update_template ${GITLAB_CONFIG} \
OAUTH_ENABLED \
OAUTH_ALLOW_SSO \
OAUTH_BLOCK_AUTO_CREATED_USERS \
OAUTH_AUTO_LINK_LDAP_USER \
OAUTH_AUTO_LINK_SAML_USER \
OAUTH_EXTERNAL_PROVIDERS
case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2)
update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
;;
*)
exec_as_git sed -i "/{{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}}/d" ${GITLAB_CONFIG}
;;
esac
}
gitlab_configure_secrets() {
echo "Configuring gitlab::secrets..."
if [[ -z $GITLAB_SECRETS_DB_KEY_BASE ]]; then
echo "ERROR: "
echo " Please configure the GITLAB_SECRETS_DB_KEY_BASE parameter."
echo " Cannot continue. Aborting..."
return 1
fi
if [[ -z $GITLAB_SECRETS_SECRET_KEY_BASE ]]; then
echo "ERROR: "
echo " Please configure the GITLAB_SECRETS_SECRET_KEY_BASE parameter."
echo " Cannot continue. Aborting..."
return 1
fi
if [[ -z $GITLAB_SECRETS_OTP_KEY_BASE ]]; then
echo "ERROR: "
echo " Please configure the GITLAB_SECRETS_OTP_KEY_BASE parameter."
echo " Cannot continue. Aborting..."
return 1
fi
update_template ${GITLAB_SECRETS_CONFIG} \
GITLAB_SECRETS_DB_KEY_BASE \
GITLAB_SECRETS_SECRET_KEY_BASE \
GITLAB_SECRETS_OTP_KEY_BASE
local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
if [[ ! -f "${shell_secret}" ]]; then
exec_as_git openssl rand -hex -out "${shell_secret}" 16
chmod 600 "${shell_secret}"
fi
local workhorse_secret="${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret"
if [[ ! -f "${workhorse_secret}" ]]; then
exec_as_git openssl rand -base64 -out "${workhorse_secret}" 32
chmod 600 "${workhorse_secret}"
fi
}
gitlab_configure_sidekiq() {
echo "Configuring gitlab::sidekiq..."
# configure gitlab sidekiq log format
update_template ${GITLAB_CONFIG} \
GITLAB_SIDEKIQ_LOG_FORMAT
# configure sidekiq
update_template /etc/supervisor/conf.d/sidekiq.conf \
SIDEKIQ_CONCURRENCY \
SIDEKIQ_SHUTDOWN_TIMEOUT
# enable SidekiqMemoryKiller
## The MemoryKiller is enabled by gitlab if the `SIDEKIQ_MEMORY_KILLER_MAX_RSS` is
## defined in the programs environment and has a non-zero value.
##
## Simply exporting the variable makes it available in the programs environment and
## therefore should enable the MemoryKiller.
##
## Every other MemoryKiller option specified in the docker env will automatically
## be exported, so why bother
export SIDEKIQ_MEMORY_KILLER_MAX_RSS
}
gitlab_configure_backups_schedule() {
case ${GITLAB_BACKUP_SCHEDULE} in
daily|weekly|monthly)
if ! crontab -u ${GITLAB_USER} -l >/tmp/cron.${GITLAB_USER} 2>/dev/null || ! grep -q 'bundle exec rake gitlab:backup:create' /tmp/cron.${GITLAB_USER}; then
echo "Configuring gitlab::backups::schedule..."
read hour min <<< ${GITLAB_BACKUP_TIME//[:]/ }
day_of_month=*
month=*
day_of_week=*
case ${GITLAB_BACKUP_SCHEDULE} in
daily) ;;
weekly) day_of_week=0 ;;
monthly) day_of_month=01 ;;
esac
if [[ -n ${GITLAB_BACKUP_DIR_GROUP} ]]; then
echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} DIRECTORY=${GITLAB_BACKUP_DIR_GROUP} RAILS_ENV=${RAILS_ENV}'" >> /tmp/cron.${GITLAB_USER}
else
echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} RAILS_ENV=${RAILS_ENV}'" >> /tmp/cron.${GITLAB_USER}
fi
crontab -u ${GITLAB_USER} /tmp/cron.${GITLAB_USER}
fi
rm -rf /tmp/cron.${GITLAB_USER}
;;
esac
}
gitlab_configure_backups_aws() {
echo "Configuring gitlab::backups::aws..."
exec_as_git sed -i "/#start-gcs/,/#end-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-aws/d" ${GITLAB_CONFIG}
if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then
exec_as_git sed -i "/#start-multipart/,/#end-multipart/d" ${GITLAB_CONFIG}
fi
if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then
exec_as_git sed -i "/#start-multipart-aws/,/#end-multipart-aws/d" ${GITLAB_CONFIG}
fi
if [[ ${AWS_BACKUP_ENCRYPTION} != true ]]; then
exec_as_git sed -i "/#start-encryption-aws/,/#end-encryption-aws/d" ${GITLAB_CONFIG}
fi
if [[ -z ${AWS_BACKUP_REGION} && -z ${AWS_BACKUP_ENDPOINT} ]]; then
echo "\nMissing AWS region or endpoint. Aborting...\n"
return 1
fi
if [[ ! -z ${AWS_BACKUP_ENDPOINT} ]]; then
AWS_BACKUP_PATH_STYLE="true"
fi
if [[ -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then
echo "\nMissing AWS options. Aborting...\n"
return 1
fi
update_template ${GITLAB_CONFIG} \
AWS_BACKUP_REGION \
AWS_BACKUP_ENDPOINT \
AWS_BACKUP_PATH_STYLE \
AWS_BACKUP_ACCESS_KEY_ID \
AWS_BACKUP_SECRET_ACCESS_KEY \
AWS_BACKUP_BUCKET \
AWS_BACKUP_MULTIPART_CHUNK_SIZE \
AWS_BACKUP_STORAGE_CLASS \
AWS_BACKUP_SIGNATURE_VERSION
}
gitlab_configure_backup_gcs() {
echo "Configuring gitlab::backups::gcs..."
exec_as_git sed -i "/#start-aws/,/#end-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-gcs/d" ${GITLAB_CONFIG}
if [[ -z ${GCS_BACKUP_ACCESS_KEY_ID} || -z ${GCS_BACKUP_SECRET_ACCESS_KEY} || -z ${GCS_BACKUP_BUCKET} ]]; then
printf "\nMissing GCS options. Aborting...\n"
return 1
fi
update_template ${GITLAB_CONFIG} \
GCS_BACKUP_ACCESS_KEY_ID \
GCS_BACKUP_SECRET_ACCESS_KEY \
GCS_BACKUP_BUCKET
}
gitlab_configure_backups() {
echo "Configuring gitlab::backups..."
update_template ${GITLAB_CONFIG} \
GITLAB_BACKUP_DIR \
GITLAB_BACKUP_EXPIRY \
GITLAB_BACKUP_PG_SCHEMA \
GITLAB_BACKUP_ARCHIVE_PERMISSIONS
gitlab_configure_backups_schedule
if [[ ${AWS_BACKUPS} != true && ${GCS_BACKUPS} != true ]]; then
exec_as_git sed -i "/\s\+upload:/,/#end-gcs/d" ${GITLAB_CONFIG}
return 0
fi
if [[ ${AWS_BACKUPS} == true && ${GCS_BACKUPS} == true ]]; then
printf "\nAWS and GCE cannot be enabled together, please choose one...\n"
return 1
fi
if [[ ${AWS_BACKUPS} == true ]]; then
gitlab_configure_backups_aws
fi
if [[ ${GCS_BACKUPS} == true ]]; then
gitlab_configure_backup_gcs
fi
}
gitlab_configure_gravatar() {
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_ENABLED
if [[ -n ${GITLAB_GRAVATAR_HTTP_URL} ]]; then
echo "Configuring gitlab::gravatar::http..."
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTP_URL
else
exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTP_URL}}/d" ${GITLAB_CONFIG}
fi
if [[ -n ${GITLAB_GRAVATAR_HTTPS_URL} ]]; then
echo "Configuring gitlab::gravatar::https..."
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTPS_URL
else
exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTPS_URL}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_cron_jobs() {
echo "Configuring gitlab::cron_jobs..."
if [[ -n "${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}" ]]; then
update_template ${GITLAB_CONFIG} GITLAB_PIPELINE_SCHEDULE_WORKER_CRON
else
exec_as_git sed -i "/{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_analytics_google() {
if [[ -n ${GOOGLE_ANALYTICS_ID} ]]; then
echo "Configuring gitlab::analytics:google..."
update_template ${GITLAB_CONFIG} GOOGLE_ANALYTICS_ID
else
exec_as_git sed -i "/{{GOOGLE_ANALYTICS_ID}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_analytics_piwik() {
if [[ -n ${PIWIK_URL} && -n ${PIWIK_SITE_ID} ]]; then
echo "Configuring gitlab::analytics:piwik..."
update_template ${GITLAB_CONFIG} \
PIWIK_URL \
PIWIK_SITE_ID
else
exec_as_git sed -i \
-e "/{{PIWIK_URL}}/d" \
-e "/{{PIWIK_SITE_ID}}/d" \
${GITLAB_CONFIG}
fi
}
gitlab_configure_analytics() {
gitlab_configure_analytics_google
gitlab_configure_analytics_piwik
}
gitlab_configure_rack_attack() {
echo "Configuring gitlab::rack_attack..."
update_template ${GITLAB_CONFIG} \
RACK_ATTACK_ENABLED \
RACK_ATTACK_WHITELIST \
RACK_ATTACK_MAXRETRY \
RACK_ATTACK_FINDTIME \
RACK_ATTACK_BANTIME
}
gitlab_configure_ci() {
echo "Configuring gitlab::ci..."
update_template ${GITLAB_CONFIG} \
GITLAB_NOTIFY_ON_BROKEN_BUILDS \
GITLAB_NOTIFY_PUSHER GITLAB_BUILDS_DIR
}
gitlab_configure_artifacts() {
if [[ ${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::artifacts:object_store"
if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google ARTIFACTS provider selected removing aws config"
exec_as_git sed -i "/#start-artifacts-aws/,/#end-artifacts-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-artifacts-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-artifacts-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS ARTIFACTS provider selected removing Google config"
exec_as_git sed -i "/#start-artifacts-gcs/,/#end-artifacts-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-artifacts-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-artifacts-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED \
GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD \
GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD \
GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/path: {{GITLAB_ARTIFACTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::artifacts..."
update_template ${GITLAB_CONFIG} \
GITLAB_ARTIFACTS_ENABLED \
GITLAB_ARTIFACTS_DIR
}
gitlab_configure_lfs() {
if [[ ${GITLAB_LFS_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::lfs:object_store"
if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google LFS provider selected removing aws config"
exec_as_git sed -i "/#start-lfs-aws/,/#end-lfs-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-lfs-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-lfs-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS LFS provider selected removing Google config"
exec_as_git sed -i "/#start-lfs-gcs/,/#end-lfs-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-lfs-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-lfs-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_LFS_OBJECT_STORE_ENABLED \
GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD \
GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD \
GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD \
GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/path: {{GITLAB_LFS_OBJECTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::lfs..."
update_template ${GITLAB_CONFIG} \
GITLAB_LFS_ENABLED \
GITLAB_LFS_OBJECTS_DIR
}
gitlab_configure_uploads() {
if [[ ${GITLAB_UPLOADS_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::uploads:object_store"
if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google UPLOADS provider selected removing aws config"
exec_as_git sed -i "/#start-uploads-aws/,/#end-uploads-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-uploads-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-uploads-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS UPLOADS provider selected removing Google config"
exec_as_git sed -i "/#start-uploads-gcs/,/#end-uploads-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-uploads-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-uploads-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_UPLOADS_OBJECT_STORE_ENABLED \
GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD \
GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD \
GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/base_dir: {{GITLAB_UPLOADS_BASE_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::uploads..."
update_template ${GITLAB_CONFIG} \
GITLAB_UPLOADS_STORAGE_PATH \
GITLAB_UPLOADS_BASE_DIR
}
gitlab_configure_mattermost() {
echo "Configuring gitlab::mattermost..."
update_template ${GITLAB_CONFIG} \
GITLAB_MATTERMOST_ENABLED \
GITLAB_MATTERMOST_URL
}
gitlab_configure_project_features() {
echo "Configuring gitlab::project_features..."
update_template ${GITLAB_CONFIG} \
GITLAB_PROJECTS_ISSUES \
GITLAB_PROJECTS_MERGE_REQUESTS \
GITLAB_PROJECTS_WIKI \
GITLAB_PROJECTS_SNIPPETS \
GITLAB_PROJECTS_BUILDS \
GITLAB_PROJECTS_CONTAINER_REGISTRY \
GITLAB_WEBHOOK_TIMEOUT
}
gitlab_configure_registry(){
echo "Configuring gitlab::registry..."
if [[ ${GITLAB_REGISTRY_PORT} == 443 ]]; then
# Sets GITLAB_REGISTRY_PORT empty for the scope of this function.
# This helps us to add an empty key to `.gitlab-ci.yml`.
# Because 443 is the default https port it doesn't need to be included in docker push/pull commands
# and shouldn't be displayed on the gitlab ui.
# Example: `docker pull registry:443/some/image` is the same as `docker pull registry/some/image`
local GITLAB_REGISTRY_PORT=""
fi
update_template ${GITLAB_CONFIG} \
GITLAB_REGISTRY_ENABLED \
GITLAB_REGISTRY_DIR \
GITLAB_REGISTRY_HOST \
GITLAB_REGISTRY_PORT \
GITLAB_REGISTRY_API_URL \
GITLAB_REGISTRY_KEY_PATH \
GITLAB_REGISTRY_ISSUER
}
gitlab_configure_pages(){
echo "Configuring gitlab::pages..."
update_template ${GITLAB_CONFIG} \
GITLAB_PAGES_ENABLED \
GITLAB_PAGES_DOMAIN \
GITLAB_PAGES_PORT \
GITLAB_PAGES_HTTPS \
GITLAB_PAGES_ARTIFACTS_SERVER \
GITLAB_PAGES_ACCESS_CONTROL
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
update_template ${GITLAB_CONFIG} \
GITLAB_PAGES_EXTERNAL_HTTP
else
exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG}
fi
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
update_template ${GITLAB_CONFIG} \
GITLAB_PAGES_EXTERNAL_HTTPS
else
exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTPS}}/d" ${GITLAB_CONFIG}
fi
}
nginx_configure_gitlab_ssl() {
if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
echo "Configuring nginx::gitlab::ssl..."
if [[ ! -f ${SSL_CA_CERTIFICATES_PATH} ]]; then
sed -i "/{{SSL_CA_CERTIFICATES_PATH}}/d" ${GITLAB_NGINX_CONFIG}
fi
update_template ${GITLAB_NGINX_CONFIG} \
SSL_CERTIFICATE_PATH \
SSL_KEY_PATH \
SSL_DHPARAM_PATH \
SSL_VERIFY_CLIENT \
SSL_CA_CERTIFICATES_PATH \
SSL_CIPHERS
fi
}
nginx_configure_gitlab_hsts() {
if [[ ${GITLAB_HTTPS} == true ]]; then
echo "Configuring nginx::gitlab::hsts..."
if [[ ${NGINX_HSTS_ENABLED} != true ]]; then
sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG}
fi
update_template ${GITLAB_NGINX_CONFIG} NGINX_HSTS_MAXAGE
else
sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG}
fi
}
nginx_configure_gitlab_ipv6() {
if [[ ! -f /proc/net/if_inet6 ]]; then
# disable ipv6 support in nginx for gitlab
sed -i \
-e "/listen \[::\]:80/d" \
-e "/listen \[::\]:443/d" \
${GITLAB_NGINX_CONFIG}
# disable ipv6 support in nginx for pages
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
sed -i \
-e "/listen \[::\]:80/d" \
-e "/listen \[::\]:443/d" \
${GITLAB_PAGES_NGINX_CONFIG}
fi
fi
fi
}
nginx_configure_gitlab_real_ip() {
if [[ ${NGINX_REAL_IP_RECURSIVE} == on && \
-n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then
echo "Configuring nginx::gitlab::real_ip..."
update_template ${GITLAB_NGINX_CONFIG} \
NGINX_REAL_IP_RECURSIVE \
NGINX_REAL_IP_TRUSTED_ADDRESSES
else
NGINX_REAL_IP_RECURSIVE="off"
update_template ${GITLAB_NGINX_CONFIG} \
NGINX_REAL_IP_RECURSIVE
sed -i "/{{NGINX_REAL_IP_TRUSTED_ADDRESSES}}/d" ${GITLAB_NGINX_CONFIG}
fi
}
nginx_configure_gitlab() {
echo "Configuring nginx::gitlab..."
update_template ${GITLAB_NGINX_CONFIG} \
GITLAB_INSTALL_DIR \
GITLAB_LOG_DIR \
GITLAB_HOST \
GITLAB_PORT \
NGINX_PROXY_BUFFERING \
NGINX_ACCEL_BUFFERING \
NGINX_X_FORWARDED_PROTO
nginx_configure_gitlab_ssl
nginx_configure_gitlab_hsts
nginx_configure_gitlab_ipv6
nginx_configure_gitlab_real_ip
}
nginx_configure_gitlab_ci() {
if [[ -n $GITLAB_CI_HOST ]]; then
echo "Configuring nginx::gitlab_ci..."
DNS_RESOLVERS=$(cat /etc/resolv.conf | grep '^\s*nameserver' | awk '{print $2}' ORS=' ')
update_template ${GITLAB_CI_NGINX_CONFIG} \
GITLAB_LOG_DIR \
GITLAB_HOST \
GITLAB_CI_HOST \
DNS_RESOLVERS
fi
}
nginx_configure_gitlab_registry() {
if [[ $GITLAB_REGISTRY_ENABLED == true && -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
echo "Configuring nginx::gitlab-registry..."
update_template ${GITLAB_REGISTRY_NGINX_CONFIG} \
GITLAB_LOG_DIR \
GITLAB_REGISTRY_PORT \
GITLAB_REGISTRY_HOST \
GITLAB_REGISTRY_API_URL \
SSL_REGISTRY_KEY_PATH \
SSL_REGISTRY_CERT_PATH
fi
}
nginx_configure_pages(){
local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g')
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
echo "Configuring nginx::gitlab-pages..."
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then
update_template ${GITLAB_PAGES_NGINX_CONFIG} \
GITLAB_PORT \
GITLAB_PAGES_DOMAIN \
GITLAB_PAGES_PORT \
GITLAB_LOG_DIR \
GITLAB_PAGES_DOMAIN \
SSL_PAGES_CERT_PATH \
SSL_PAGES_KEY_PATH \
SSL_DHPARAM_PATH \
GITLAB_LOG_DIR
else
update_template ${GITLAB_PAGES_NGINX_CONFIG} \
GITLAB_PAGES_DOMAIN \
GITLAB_LOG_DIR
fi
else
echo "Gitlab pages nginx proxy disabled"
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
fi
fi
}
# _|_|_| _| _| _|
# _| _| _| _| _|_|_| _| _|_|_|
# _|_|_| _| _| _| _| _| _| _|
# _| _| _| _| _| _| _| _|
# _| _|_|_| _|_|_| _| _| _|_|_|
map_uidgid() {
USERMAP_ORIG_UID=$(id -u ${GITLAB_USER})
USERMAP_ORIG_GID=$(id -g ${GITLAB_USER})
USERMAP_GID=${USERMAP_GID:-${USERMAP_UID:-$USERMAP_ORIG_GID}}
USERMAP_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
if [[ ${USERMAP_UID} != ${USERMAP_ORIG_UID} ]] || [[ ${USERMAP_GID} != ${USERMAP_ORIG_GID} ]]; then
echo "Mapping UID and GID for ${GITLAB_USER}:${GITLAB_USER} to $USERMAP_UID:$USERMAP_GID"
groupmod -o -g ${USERMAP_GID} ${GITLAB_USER}
sed -i -e "s|:${USERMAP_ORIG_UID}:${USERMAP_GID}:|:${USERMAP_UID}:${USERMAP_GID}:|" /etc/passwd
find ${GITLAB_HOME} -path ${GITLAB_DATA_DIR}/\* -prune -o -print0 | xargs -0 chown -h ${GITLAB_USER}:
fi
}
update_ca_certificates() {
if [[ -f ${SSL_CERTIFICATE_PATH} || -f ${SSL_CA_CERTIFICATES_PATH} || -f ${SSL_REGISTRY_CERT_PATH} ]]; then
echo "Updating CA certificates..."
[[ -f ${SSL_CERTIFICATE_PATH} ]] && cp "${SSL_CERTIFICATE_PATH}" /usr/local/share/ca-certificates/gitlab.crt
[[ -f ${SSL_CA_CERTIFICATES_PATH} ]] && cp "${SSL_CA_CERTIFICATES_PATH}" /usr/local/share/ca-certificates/ca.crt
[[ -f ${SSL_REGISTRY_CERT_PATH} ]] && cp "${SSL_REGISTRY_CERT_PATH}" /usr/local/share/ca-certificates/registry-ca.crt
update-ca-certificates --fresh >/dev/null
fi
}
initialize_logdir() {
echo "Initializing logdir..."
mkdir -p ${GITLAB_LOG_DIR}/supervisor
chmod -R 0755 ${GITLAB_LOG_DIR}/supervisor
chown -R root: ${GITLAB_LOG_DIR}/supervisor
mkdir -p ${GITLAB_LOG_DIR}/nginx
chmod -R 0755 ${GITLAB_LOG_DIR}/nginx
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/nginx
mkdir -p ${GITLAB_LOG_DIR}/gitlab
chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab
mkdir -p ${GITLAB_LOG_DIR}/gitlab-shell
chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab-shell
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab-shell
}
initialize_datadir() {
echo "Initializing datadir..."
chmod 755 ${GITLAB_DATA_DIR}
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}
# create the ssh directory for server keys
mkdir -p ${GITLAB_DATA_DIR}/ssh
chown -R root: ${GITLAB_DATA_DIR}/ssh
# create the repositories directory and make sure it has the right permissions
mkdir -p ${GITLAB_REPOS_DIR}
chown ${GITLAB_USER}: ${GITLAB_REPOS_DIR}
chmod ug+rwX,o-rwx ${GITLAB_REPOS_DIR}
exec_as_git chmod g+s ${GITLAB_REPOS_DIR}
# create build traces directory
mkdir -p ${GITLAB_BUILDS_DIR}
chmod u+rwX ${GITLAB_BUILDS_DIR}
chown ${GITLAB_USER}: ${GITLAB_BUILDS_DIR}
# gitlab:backup:create does not respect the builds_path configuration, so we
# symlink ${GITLAB_INSTALL_DIR}/builds -> ${GITLAB_BUILDS_DIR}
rm -rf ${GITLAB_INSTALL_DIR}/builds
ln -sf ${GITLAB_BUILDS_DIR} ${GITLAB_INSTALL_DIR}/builds
# create downloads directory
mkdir -p ${GITLAB_DOWNLOADS_DIR}
chmod u+rwX ${GITLAB_DOWNLOADS_DIR}
chown ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR}
# create shared directory
mkdir -p ${GITLAB_SHARED_DIR}
chmod u+rwX ${GITLAB_SHARED_DIR}
chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}
# create attifacts dir
mkdir -p ${GITLAB_ARTIFACTS_DIR}
chmod u+rwX ${GITLAB_ARTIFACTS_DIR}
chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
# create pages dir
mkdir -p ${GITLAB_PAGES_DIR}
chmod u+rwX ${GITLAB_PAGES_DIR}
chown ${GITLAB_USER}: ${GITLAB_PAGES_DIR}
# symlink ${GITLAB_INSTALL_DIR}/shared -> ${GITLAB_DATA_DIR}/shared
rm -rf ${GITLAB_INSTALL_DIR}/shared
ln -sf ${GITLAB_SHARED_DIR} ${GITLAB_INSTALL_DIR}/shared
# create lfs-objects directory
mkdir -p ${GITLAB_LFS_OBJECTS_DIR}
chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR}
chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
# create registry dir
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
mkdir -p ${GITLAB_REGISTRY_DIR}
chmod u+rwX ${GITLAB_REGISTRY_DIR}
chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
fi
# create the backups directory
mkdir -p ${GITLAB_BACKUP_DIR}
if [[ ${GITLAB_BACKUP_DIR_CHOWN} == true ]]; then
chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR}
fi
# create the uploads directory
mkdir -p ${GITLAB_DATA_DIR}/uploads
chmod 0700 ${GITLAB_DATA_DIR}/uploads
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads
# create the .ssh directory
mkdir -p ${GITLAB_DATA_DIR}/.ssh
touch ${GITLAB_DATA_DIR}/.ssh/authorized_keys
chmod 700 ${GITLAB_DATA_DIR}/.ssh
chmod 600 ${GITLAB_DATA_DIR}/.ssh/authorized_keys
chown -R ${GITLAB_USER}: ${GITLAB_DATA_DIR}/.ssh
# recompile and persist assets when relative_url is in use
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
mkdir -p ${GITLAB_TEMP_DIR}/cache
chmod 755 ${GITLAB_TEMP_DIR}/cache
chown ${GITLAB_USER}: ${GITLAB_TEMP_DIR}/cache
mkdir -p ${GITLAB_TEMP_DIR}/assets
chmod 755 ${GITLAB_TEMP_DIR}/assets
chown ${GITLAB_USER}: ${GITLAB_TEMP_DIR}/assets
# symlink ${GITLAB_INSTALL_DIR}/tmp/cache -> ${GITLAB_TEMP_DIR}/cache
rm -rf ${GITLAB_INSTALL_DIR}/tmp/cache
exec_as_git ln -s ${GITLAB_TEMP_DIR}/cache ${GITLAB_INSTALL_DIR}/tmp/cache
# symlink ${GITLAB_INSTALL_DIR}/public/assets -> ${GITLAB_TEMP_DIR}/assets
rm -rf ${GITLAB_INSTALL_DIR}/public/assets
exec_as_git ln -s ${GITLAB_TEMP_DIR}/assets ${GITLAB_INSTALL_DIR}/public/assets
fi
}
sanitize_datadir() {
echo "Sanitizing datadir. Please be patient..."
chmod -R ug+rwX,o-rwx ${GITLAB_REPOS_DIR}/
chmod -R ug-s ${GITLAB_REPOS_DIR}/
find ${GITLAB_REPOS_DIR}/ -type d -print0 | xargs -0 chmod g+s
chown -R ${GITLAB_USER}: ${GITLAB_REPOS_DIR}
chmod -R u+rwX ${GITLAB_BUILDS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_BUILDS_DIR}
chmod -R u+rwX ${GITLAB_DOWNLOADS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR}
chmod -R u+rwX ${GITLAB_TEMP_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_TEMP_DIR}
chmod -R u+rwX ${GITLAB_SHARED_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_SHARED_DIR}
chmod -R u+rwX ${GITLAB_ARTIFACTS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
chmod -R u+rwX ${GITLAB_PAGES_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_PAGES_DIR}
chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
chmod -R u+rwX ${GITLAB_REGISTRY_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
fi
find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \;
find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \;
chmod 0700 ${GITLAB_DATA_DIR}/uploads/
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads/
echo "Creating gitlab-shell hooks..."
exec_as_git ${GITLAB_SHELL_INSTALL_DIR}/bin/create-hooks
}
generate_ssh_key() {
echo -n "${1^^} "
ssh-keygen -qt ${1} -N '' -f ${2}
}
generate_ssh_host_keys() {
sed -i "s|HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g" /etc/ssh/sshd_config
if [[ ! -e ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key ]]; then
echo -n "Generating OpenSSH host keys... "
generate_ssh_key rsa ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key
generate_ssh_key dsa ${GITLAB_DATA_DIR}/ssh/ssh_host_dsa_key
generate_ssh_key ecdsa ${GITLAB_DATA_DIR}/ssh/ssh_host_ecdsa_key
generate_ssh_key ed25519 ${GITLAB_DATA_DIR}/ssh/ssh_host_ed25519_key
echo
fi
# ensure existing host keys have the right permissions
chmod 0600 ${GITLAB_DATA_DIR}/ssh/*_key
chmod 0644 ${GITLAB_DATA_DIR}/ssh/*.pub
}
initialize_system() {
map_uidgid
initialize_logdir
initialize_datadir
update_ca_certificates
generate_ssh_host_keys
install_configuration_templates
rm -rf /var/run/supervisor.sock
}
install_configuration_templates() {
echo "Installing configuration templates..."
install_template ${GITLAB_USER}: gitlabhq/gitlab.yml ${GITLAB_CONFIG} 0640
install_template ${GITLAB_USER}: gitlabhq/database.yml ${GITLAB_DATABASE_CONFIG} 0640
install_template ${GITLAB_USER}: gitlabhq/unicorn.rb ${GITLAB_UNICORN_CONFIG} 0644
install_template ${GITLAB_USER}: gitlabhq/rack_attack.rb ${GITLAB_RACK_ATTACK_CONFIG} 0644
install_template ${GITLAB_USER}: gitlabhq/resque.yml ${GITLAB_RESQUE_CONFIG} 0640
install_template ${GITLAB_USER}: gitlabhq/secrets.yml ${GITLAB_SECRETS_CONFIG} 0600
install_template ${GITLAB_USER}: gitlab-shell/config.yml ${GITLAB_SHELL_CONFIG} 0640
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
install_template ${GITLAB_USER}: gitlabhq/relative_url.rb ${GITLAB_RELATIVE_URL_CONFIG} 0644
fi
if [[ ${SMTP_ENABLED} == true ]]; then
install_template ${GITLAB_USER}: gitlabhq/smtp_settings.rb ${GITLAB_SMTP_CONFIG}
fi
# custom user specified robots.txt
if [[ -f ${GITLAB_ROBOTS_PATH} ]]; then
exec_as_git cp ${GITLAB_ROBOTS_PATH} ${GITLAB_ROBOTS_CONFIG}
fi
## ${GITLAB_NGINX_CONFIG}
if [[ ${GITLAB_HTTPS} == true ]]; then
if [[ -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
install_template root: nginx/gitlab-ssl ${GITLAB_NGINX_CONFIG}
else
echo "SSL Key, SSL Certificate and DHParam were not found."
echo "Assuming that the container is running behind a HTTPS enabled load balancer."
install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}
fi
else
install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}
fi
## ${GITLAB_PAGES_NGINX_CONFIG}
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
if [[ ${GITLAB_PAGES_HTTPS} == true && -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG}
else
echo "Gitlab pages nginx proxy disabled"
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
fi
else
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
echo "SSL Key, SSL Certificate were not found."
echo "Assuming that the container is running behind a HTTPS enabled load balancer."
install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG}
else
echo "Gitlab pages nginx proxy disabled"
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
fi
fi
fi
if [[ -n $GITLAB_CI_HOST ]]; then
install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG}
fi
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
if [[ -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
install_template root: nginx/gitlab-registry ${GITLAB_REGISTRY_NGINX_CONFIG}
else
echo "SSL key and certificates for Registry were not found"
echo "Assuming that the Registry is running behind a HTTPS enabled load balancer."
fi
fi
install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
}
configure_gitlab() {
echo "Configuring gitlab..."
update_template ${GITLAB_CONFIG} \
GITLAB_INSTALL_DIR \
GITLAB_SHELL_INSTALL_DIR \
GITLAB_DATA_DIR \
GITLAB_REPOS_DIR \
GITLAB_DOWNLOADS_DIR \
GITLAB_SHARED_DIR \
GITLAB_HOST \
GITLAB_PORT \
GITLAB_RELATIVE_URL_ROOT \
GITLAB_HTTPS \
GITLAB_SSH_HOST \
GITLAB_SSH_PORT \
GITLAB_SIGNUP_ENABLED \
GITLAB_IMPERSONATION_ENABLED \
GITLAB_PROJECTS_LIMIT \
GITLAB_USERNAME_CHANGE \
GITLAB_DEFAULT_THEME \
GITLAB_CREATE_GROUP
gitlab_configure_database
gitlab_configure_redis
gitlab_configure_secrets
gitlab_configure_sidekiq
gitlab_configure_gitaly
gitlab_configure_monitoring
gitlab_configure_gitlab_workhorse
gitlab_configure_relative_url
gitlab_configure_trusted_proxies
gitlab_configure_unicorn
gitlab_configure_timezone
gitlab_configure_rack_attack
gitlab_configure_ci
gitlab_configure_artifacts
gitlab_configure_lfs
gitlab_configure_uploads
gitlab_configure_mattermost
gitlab_configure_project_features
gitlab_configure_mail_delivery
gitlab_configure_mailroom
gitlab_configure_oauth
gitlab_configure_ldap
gitlab_configure_gravatar
gitlab_configure_cron_jobs
gitlab_configure_analytics
gitlab_configure_backups
gitlab_configure_registry
gitlab_configure_pages
# remove stale gitlab.socket
rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket
}
configure_gitlab_shell() {
echo "Configuring gitlab-shell..."
update_template ${GITLAB_SHELL_CONFIG} \
GITLAB_RELATIVE_URL_ROOT \
GITLAB_HOME \
GITLAB_LOG_DIR \
GITLAB_SHELL_INSTALL_DIR \
SSL_SELF_SIGNED \
REDIS_HOST \
REDIS_PORT \
REDIS_DB_NUMBER
}
configure_gitlab_pages() {
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
echo "Configuring gitlab-pages..."
cat > /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
[program:gitlab-pages]
priority=20
directory=${GITLAB_INSTALL_DIR}
environment=HOME=${GITLAB_HOME}
command=/usr/local/bin/gitlab-pages
-pages-domain ${GITLAB_PAGES_DOMAIN}
-pages-root ${GITLAB_PAGES_DIR}
-listen-proxy :8090
EOF
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
-listen-http ${GITLAB_PAGES_EXTERNAL_HTTP}
EOF
fi
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
-listen-https ${GITLAB_PAGES_EXTERNAL_HTTPS}
-root-cert ${SSL_PAGES_CERT_PATH}
-root-key ${SSL_PAGES_KEY_PATH}
EOF
fi
if [[ ${GITLAB_PAGES_ACCESS_CONTROL} == true ]]; then
if [[ -z ${GITLAB_PAGES_ACCESS_SECRET} ]]; then
GITLAB_PAGES_ACCESS_SECRET=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40 ; echo '')
fi
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
-auth-server ${GITLAB_PAGES_ACCESS_CONTROL_SERVER}
-auth-secret ${GITLAB_PAGES_ACCESS_SECRET}
-auth-client-id ${GITLAB_PAGES_ACCESS_CLIENT_ID}
-auth-client-secret ${GITLAB_PAGES_ACCESS_CLIENT_SECRET}
-auth-redirect-uri ${GITLAB_PAGES_ACCESS_REDIRECT_URI}
EOF
fi
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
user=git
autostart=true
autorestart=true
stdout_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log
stderr_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log
EOF
fi
}
configure_nginx() {
echo "Configuring nginx..."
sed -i \
-e "s|worker_processes .*|worker_processes ${NGINX_WORKERS};|" \
-e "s|# server_names_hash_bucket_size 64;|server_names_hash_bucket_size ${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE};|" \
/etc/nginx/nginx.conf
nginx_configure_gitlab
nginx_configure_gitlab_ci
nginx_configure_gitlab_registry
nginx_configure_pages
}
migrate_database() {
# run the `gitlab:setup` rake task if required
case ${DB_ADAPTER} in
mysql2)
QUERY="SELECT count(*) FROM information_schema.tables WHERE table_schema = '${DB_NAME}';"
COUNT=$(mysql -h ${DB_HOST} -P ${DB_PORT} -u ${DB_USER} ${DB_PASS:+-p$DB_PASS} -ss -e "${QUERY}")
;;
postgresql)
QUERY="SELECT count(*) FROM information_schema.tables WHERE table_schema = 'public';"
COUNT=$(PGPASSWORD="${DB_PASS}" psql -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -Atw -c "${QUERY}")
;;
esac
if [[ -z ${COUNT} || ${COUNT} -eq 0 ]]; then
echo "Setting up GitLab for firstrun. Please be patient, this could take a while..."
exec_as_git force=yes bundle exec rake gitlab:setup \
${GITLAB_ROOT_PASSWORD:+GITLAB_ROOT_PASSWORD=$GITLAB_ROOT_PASSWORD} \
${GITLAB_ROOT_EMAIL:+GITLAB_ROOT_EMAIL=$GITLAB_ROOT_EMAIL} >/dev/null
fi
# migrate database if the gitlab version has changed.
CACHE_VERSION=
[[ -f ${GITLAB_TEMP_DIR}/VERSION ]] && CACHE_VERSION=$(cat ${GITLAB_TEMP_DIR}/VERSION)
if [[ ${GITLAB_VERSION} != ${CACHE_VERSION} ]]; then
## version check, only upgrades are allowed
if [[ -n ${CACHE_VERSION} && $(vercmp ${GITLAB_VERSION} ${CACHE_VERSION}) -lt 0 ]]; then
echo
echo "ERROR: "
echo " Cannot downgrade from GitLab version ${CACHE_VERSION} to ${GITLAB_VERSION}."
echo " Only upgrades are allowed. Please use sameersbn/gitlab:${CACHE_VERSION} or higher."
echo " Cannot continue. Aborting!"
echo
return 1
fi
if [[ $(vercmp ${GITLAB_VERSION} 8.0.0) -gt 0 ]]; then
if [[ -n ${CACHE_VERSION} && $(vercmp ${CACHE_VERSION} 8.0.0) -lt 0 ]]; then
echo
echo "ABORT: "
echo " Upgrading to GitLab ${GITLAB_VERSION} from ${CACHE_VERSION} is not recommended."
echo " Please upgrade to version 8.0.5-1 before upgrading to 8.1.0 or higher."
echo " Refer to https://git.io/vur4j for CI migration instructions."
echo " Aborting for your own safety!"
echo
return 1
fi
fi
echo "Migrating database..."
exec_as_git bundle exec rake db:migrate >/dev/null
if [[ ${DB_ADAPTER} == mysql2 ]]; then
exec_as_git bundle exec rake add_limits_mysql >/dev/null
fi
echo "${GITLAB_VERSION}" > ${GITLAB_TEMP_DIR}/VERSION
rm -rf ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT # force cache cleanup
fi
# clear cache if relative_url has changed.
[[ -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT ]] && CACHE_GITLAB_RELATIVE_URL_ROOT=$(cat ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT)
if [[ ! -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT || ${GITLAB_RELATIVE_URL_ROOT} != ${CACHE_GITLAB_RELATIVE_URL_ROOT} ]]; then
# assets need to be recompiled when GITLAB_RELATIVE_URL_ROOT is used
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
echo "Recompiling assets (relative_url in use), this could take a while..."
exec_as_git bundle exec rake gitlab:assets:compile NODE_OPTIONS="--max-old-space-size=4096" >/dev/null 2>&1
fi
echo "Clearing cache..."
exec_as_git bundle exec rake cache:clear >/dev/null 2>&1
echo "${GITLAB_RELATIVE_URL_ROOT}" > ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT
fi
}
execute_raketask() {
if [[ -z ${1} ]]; then
echo "Please specify the rake task to execute. See https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks"
return 1
fi
if [[ ${1} == gitlab:backup:create ]]; then
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
supervisorctl stop gitlab_extensions:*
supervisorctl stop gitlab:*
fi
if [[ ${1} == gitlab:backup:restore ]]; then
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
supervisorctl stop gitlab_extensions:*
supervisorctl stop gitlab:*
interactive=true
for arg in $@
do
if [[ $arg == BACKUP=* ]]; then
interactive=false
break
fi
done
# user needs to select the backup to restore
if [[ $interactive == true ]]; then
nBackups=$(ls ${GITLAB_BACKUP_DIR}/*_gitlab_backup.tar | wc -l)
if [[ $nBackups -eq 0 ]]; then
echo "No backup present. Cannot continue restore process.".
return 1
fi
echo
for b in $(ls ${GITLAB_BACKUP_DIR} | grep _gitlab_backup | sort -r)
do
echo "$b (created at $(date --date="@${b%%_*_gitlab_backup.tar}" +'%d %b, %G - %H:%M:%S %Z'))"
done
echo
read -p "Select a backup to restore: " file
if [[ -z ${file} ]]; then
echo "Backup not specified. Exiting..."
return 1
fi
if [[ ! -f ${GITLAB_BACKUP_DIR}/${file} ]]; then
echo "Specified backup does not exist. Aborting..."
return 1
fi
BACKUP=${file%%_gitlab_backup.tar}
fi
elif [[ ${1} == gitlab:import:repos ]]; then
# sanitize the datadir to avoid permission issues
sanitize_datadir
fi
echo "Running raketask ${1}..."
exec_as_git bundle exec rake $@ ${BACKUP:+BACKUP=$BACKUP}
}
Reference in New Issue View Git Blame Copy Permalink