# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

production: &base
  #
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: <%= @gitlab_host %>
    port: <%= @gitlab_port %>
    https: <%= @gitlab_https %>

    # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout.
    # Default is 95% of the worker timeout
    max_request_duration_seconds: <%= @max_request_duration_seconds %>

    # Uncomment the line below if your SSH host differs from the HTTP/HTTPS one
    # (replacing ssh.host_example.com with your own host).
    # Otherwise, the SSH host is set to the `host:` value above.
    ssh_host: <%= @gitlab_ssh_host %>

    # If your ssh user differs from the system user, you need to specify it here
    # Set it to an empty string to omit the username from any ssh url altogether
    ssh_user: <%= quote(@gitlab_ssh_user) %>

    # WARNING: See config/application.rb under "Relative url support" for the list of
    # other files that need to be changed for relative url support
    relative_url_root: <%= @gitlab_relative_url %>

    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address of your reverse proxy to the list, otherwise all users will appear to sign in from that address.
    # List only proxies you control: GitLab takes the client address from the forwarding headers it receives via a trusted proxy.
    trusted_proxies:
<% @trusted_proxies.each do |proxy| %>
      - <%= proxy %>
<% end %>

    <%- if @content_security_policy -%>
    # Content Security Policy
    # See:
    # * https://guides.rubyonrails.org/security.html#content-security-policy
    # * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    content_security_policy: <%= @content_security_policy.to_json %>
    <%- end -%>

    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    user: <%= node['gitlab']['user']['username'] %>

    ## Date & Time settings
    time_zone: <%= quote(@time_zone) %>

    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    email_enabled: <%= @gitlab_email_enabled %>
    # Email address used in the "From" field in mails sent by GitLab
    email_from: <%= @gitlab_email_from %>
    email_display_name: <%= @gitlab_email_display_name %>
    email_reply_to: <%= @gitlab_email_reply_to %>
    email_subject_suffix: <%= @gitlab_email_subject_suffix %>
    # Email SMIME signing settings
    email_smime:
      enabled: <%= @gitlab_email_smime_enabled %>
      key_file: <%= @gitlab_email_smime_key_file %>
      cert_file: <%= @gitlab_email_smime_cert_file %>
      ca_certs_file: <%= @gitlab_email_smime_ca_certs_file %>

    # Email server smtp settings are in [a separate file](initializers/smtp_settings.rb.sample).

    ## User settings
    default_can_create_group: <%= @gitlab_default_can_create_group %>  # default: true
    username_changing_enabled: <%= @gitlab_username_changing_enabled %> # default: true - User can change her username/namespace
    ## Default theme
    ##   1 - Graphite
    ##   2 - Charcoal
    ##   3 - Green
    ##   4 - Gray
    ##   5 - Violet
    ##   6 - Blue
    default_theme: <%= @gitlab_default_theme %> # default: 2

    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified the default issue_closing_pattern as specified below will be used.
    # Tip: you can test your closing pattern at http://rubular.com
    issue_closing_pattern: <%= quote(@gitlab_issue_closing_pattern) %>

    ## Default project features settings
    default_projects_features:
      issues: <%= @gitlab_default_projects_features_issues %>
      merge_requests: <%= @gitlab_default_projects_features_merge_requests %>
      wiki: <%= @gitlab_default_projects_features_wiki %>
      snippets: <%= @gitlab_default_projects_features_snippets %>
      builds: <%= @gitlab_default_projects_features_builds %>
      container_registry: <%= @gitlab_default_projects_features_container_registry %>

    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    webhook_timeout: <%= @webhook_timeout %>

    ### GraphQL Settings
    # Tells the rails application how long it has to complete a GraphQL request.
    # We suggest this value to be higher than the database timeout value
    # and lower than the worker timeout set in unicorn/puma. (default: 30)
    graphql_timeout: <%= @graphql_timeout %>

    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'tmp/repositories' relative to the root of the Rails app.
    repository_downloads_path: <%= @gitlab_repository_downloads_path %>

    ## Impersonation settings
    impersonation_enabled: <%= @impersonation_enabled %>

    usage_ping_enabled: <%= @usage_ping_enabled %>

    # Seat link setting
    # When disabled, customer instances do not send seat link information via the cron service every day. (default: true)
    seat_link_enabled: <%= @seat_link_enabled %>

  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see https://docs.gitlab.com/ee/administration/reply_by_email.html
  incoming_email:
    enabled: <%= @incoming_email_enabled %>

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    address: <%= quote(@incoming_email_address) %>

    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: <%= quote(@incoming_email_email) %>
    # Email account password
    password: <%= quote(@incoming_email_password) %>

    # IMAP server host
    host: <%= quote(@incoming_email_host) %>
    # IMAP server port
    port: <%= @incoming_email_port %>
    # Whether the IMAP server uses SSL
    ssl: <%= @incoming_email_ssl %>
    # Whether the IMAP server uses StartTLS
    start_tls: <%= @incoming_email_start_tls %>

    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: <%= quote(@incoming_email_mailbox_name) %>
    # The IDLE command timeout.
    idle_timeout: <%= @incoming_email_idle_timeout %>
    # File path of the internal `mail_room` JSON log
    log_path: <%= @incoming_email_log_file %>

    # Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery
    expunge_deleted: <%= @incoming_email_expunge_deleted %>

  <%- if @object_store['enabled'] -%>
  ## Consolidated object store config
  # This uses a single credential for object storage with multiple buckets.
  # It also enables Workhorse to upload files directly with its own S3 client
  # instead of using pre-signed URLs.
  #
  # This will only take effect if the object_store sections are not defined
  # within the types (e.g. artifacts.object_store, lfs.object_store, etc.).
  object_store:
     enabled: <%= @object_store['enabled'] %>
     proxy_download: <%= @object_store['proxy_download'] %>
     connection: <%= @object_store['connection'].to_json %>
     storage_options: <%= @object_store['storage_options'].to_json %>
     objects: <%= @object_store['objects'].to_json %>
  <%- end -%>

  ## Service desk email
  # Allow users to use a separate service desk address
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  service_desk_email:
    enabled: <%= @service_desk_email_enabled %>

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    address: <%= quote(@service_desk_email_address) %>

    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: <%= quote(@service_desk_email_email) %>
    # Email account password
    password: <%= quote(@service_desk_email_password) %>

    # IMAP server host
    host: <%= quote(@service_desk_email_host) %>
    # IMAP server port
    port: <%= @service_desk_email_port %>
    # Whether the IMAP server uses SSL
    ssl: <%= @service_desk_email_ssl %>
    # Whether the IMAP server uses StartTLS
    start_tls: <%= @service_desk_email_start_tls %>

    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: <%= quote(@service_desk_email_mailbox_name) %>
    # The IDLE command timeout.
    idle_timeout: <%= @service_desk_email_idle_timeout %>
    # File path of the internal `mail_room` JSON log
    log_path: <%= @service_desk_email_log_file %>

  ## Build Artifacts
  artifacts:
    enabled: <%= @artifacts_enabled %>
    # The location where Build Artifacts are stored (default: shared/artifacts).
    path: <%= @artifacts_path %>
    object_store:
      enabled: <%= @artifacts_object_store_enabled %>
      direct_upload: <%= @artifacts_object_store_direct_upload %>
      background_upload: <%= @artifacts_object_store_background_upload %>
      proxy_download: <%= @artifacts_object_store_proxy_download %>
      remote_directory: <%= quote(@artifacts_object_store_remote_directory) %>
      connection: <%= @artifacts_object_store_connection.to_json %>

  ## External merge request diffs
  external_diffs:
    enabled: <%= @external_diffs_enabled %>
    <%- if @external_diffs_when -%>
    # Diffs may be `always` external (the default), or they can be made external
    # after they have become `outdated` (i.e., the MR is closed or a new version
    # has been pushed).
    when: <%= @external_diffs_when %>
    <%- end -%>
    # The location where merge request diffs are stored (default: shared/external-diffs).
    storage_path: <%= @external_diffs_storage_path %>
    object_store:
      enabled: <%= @external_diffs_object_store_enabled %>
      direct_upload: <%= @external_diffs_object_store_direct_upload %>
      background_upload: <%= @external_diffs_object_store_background_upload %>
      proxy_download: <%= @external_diffs_object_store_proxy_download %>
      remote_directory: <%= quote(@external_diffs_object_store_remote_directory) %>
      connection: <%= @external_diffs_object_store_connection.to_json %>

  ## Git LFS
  lfs:
    enabled: <%= @lfs_enabled %>
    # The location where LFS objects are stored (default: shared/lfs-objects).
    storage_path: <%= @lfs_storage_path %>
    object_store:
      enabled: <%= @lfs_object_store_enabled %>
      direct_upload: <%= @lfs_object_store_direct_upload %>
      background_upload: <%= @lfs_object_store_background_upload %>
      proxy_download: <%= @lfs_object_store_proxy_download %>
      remote_directory: <%= quote(@lfs_object_store_remote_directory) %>
      connection: <%= @lfs_object_store_connection.to_json %>

  ## Uploads
  uploads:
    # The location where uploads objects are stored (default: public/).
    storage_path: <%= @uploads_storage_path %>
    <% unless @uploads_base_dir.nil? %>
    base_dir: <%= @uploads_base_dir %>
    <% end %>
    object_store:
      enabled: <%= @uploads_object_store_enabled %>
      direct_upload: <%= @uploads_object_store_direct_upload %>
      background_upload: <%= @uploads_object_store_background_upload %>
      proxy_download: <%= @uploads_object_store_proxy_download %>
      remote_directory: <%= quote(@uploads_object_store_remote_directory) %>
      connection: <%= @uploads_object_store_connection.to_json %>

  ## Packages
  packages:
    enabled: <%= @packages_enabled %>
    # The location where build packages are stored (default: shared/packages).
    storage_path: <%= @packages_storage_path %>
    object_store:
      enabled: <%= @packages_object_store_enabled %>
      direct_upload: <%= @packages_object_store_direct_upload %>
      background_upload: <%= @packages_object_store_background_upload %>
      proxy_download: <%= @packages_object_store_proxy_download %>
      remote_directory: <%= quote(@packages_object_store_remote_directory) %>
      connection: <%= @packages_object_store_connection.to_json %>

  ## Dependency proxy (EE only)
  dependency_proxy:
    enabled: <%= @dependency_proxy_enabled %>
    # The location where dependency_proxy blobs are stored (default: shared/dependency_proxy).
    storage_path: <%= @dependency_proxy_storage_path %>
    object_store:
      enabled: <%= @dependency_proxy_object_store_enabled %>
      direct_upload: <%= @dependency_proxy_object_store_direct_upload %>
      background_upload: <%= @dependency_proxy_object_store_background_upload %>
      proxy_download: <%= @dependency_proxy_object_store_proxy_download %>
      remote_directory: <%= quote(@dependency_proxy_object_store_remote_directory) %>
      connection: <%= @dependency_proxy_object_store_connection.to_json %>

  ## Terraform state
  terraform_state:
    enabled: <%= @terraform_state_enabled %>
    # The location where terraform state files are stored (default: shared/terraform_state).
    storage_path: <%= @terraform_state_storage_path %>
    object_store:
      enabled: <%= @terraform_state_object_store_enabled %>
      remote_directory: <%= quote(@terraform_state_object_store_remote_directory) %>
      connection: <%= @terraform_state_object_store_connection.to_json %>

  ## Container Registry
  registry:
    enabled: <%= @registry_enabled %>
    host: <%= @registry_host %>
    port: <%= @registry_port %>
    api_url: <%= @registry_api_url %> # internal address to the registry, will be used by GitLab to directly communicate with API
    path: <%= @registry_path %>
    key: <%= @registry_key_path %>
    issuer: <%= @registry_issuer %>
    notification_secret: <%= @registry_notification_secret %>

  ## Error Reporting and Logging with Sentry
  sentry:
    enabled: <%= @sentry_enabled %>
    dsn: <%= @sentry_dsn %>
    clientside_dsn: <%= @sentry_clientside_dsn %>
    environment: <%= @sentry_environment %> # e.g. development, staging, production

  mattermost:
    enabled: <%= @mattermost_enabled %>
    host: <%= @mattermost_host %>

  ## GitLab Pages
  pages:
    enabled: <%= @pages_enabled %>
    access_control: <%= @pages_access_control %>
    path: <%= @pages_path %>
    host: <%= @pages_host %>
    port: <%= @pages_port %>
    https: <%= @pages_https %>
    external_http: <%= @pages_external_http.to_json %>
    external_https: <%= @pages_external_https.to_json %>
    artifacts_server: <%= @pages_artifacts_server %>

  ## Gravatar
  ## For Libravatar see: https://docs.gitlab.com/ee/customization/libravatar.html
  gravatar:
    # gravatar urls: possible placeholders: %{hash} %{size} %{email}
    plain_url: <%= quote(@gravatar_plain_url) %>     # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    ssl_url:   <%= quote(@gravatar_ssl_url) %>    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon

  ## Sidekiq
  sidekiq:
    log_format: <%= @sidekiq['log_format'] %>

  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
    # Flag stuck CI builds as failed
    stuck_ci_jobs_worker:
      cron:<% if @stuck_ci_jobs_worker_cron %> "<%= @stuck_ci_jobs_worker_cron %>"<% end %>
    # Remove expired build artifacts
    expire_build_artifacts_worker:
      cron:<% if @expire_build_artifacts_worker_cron %> "<%= @expire_build_artifacts_worker_cron %>"<% end %>
    # Stop expired environments
    environments_auto_stop_cron_worker:
      cron:<% if @environments_auto_stop_cron_worker_cron %> "<%= @environments_auto_stop_cron_worker_cron %>"<% end %>
    # Schedule pipelines in the near future
    pipeline_schedule_worker:
      cron:<% if @pipeline_schedule_worker_cron %> "<%= @pipeline_schedule_worker_cron %>"<% end %>
    # Periodically run 'git fsck' on all repositories. If started more than
    # once per hour you will have concurrent 'git fsck' jobs.
    repository_check_worker:
      cron:<% if @repository_check_worker_cron %> "<%= @repository_check_worker_cron %>"<% end %>
    # Send admin emails once a week
    admin_email_worker:
      cron:<% if @admin_email_worker_cron %> "<%= @admin_email_worker_cron %>"<% end %>
    # Send emails about personal access tokens that are about to expire
    personal_access_tokens_expiring_worker:
      cron:<% if @personal_access_tokens_expiring_worker_cron %> "<%= @personal_access_tokens_expiring_worker_cron %>"<% end %>
    # Send emails about personal access tokens that have expired
    personal_access_tokens_expired_notification_worker:
      cron:<% if @personal_access_tokens_expired_notification_worker_cron %> "<%= @personal_access_tokens_expired_notification_worker_cron %>"<% end %>
    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron:<% if @repository_archive_cache_worker_cron %> "<%=  @repository_archive_cache_worker_cron %>"<% end %>

    # Archive live traces which have not been archived yet
    ci_archive_traces_cron_worker:
      cron:<% if @ci_archive_traces_cron_worker_cron %> "<%= @ci_archive_traces_cron_worker_cron %>"<% end %>

    # Verify custom GitLab Pages domains
    pages_domain_verification_cron_worker:
      cron:<% if @pages_domain_verification_cron_worker %> "<%= @pages_domain_verification_cron_worker %>"<% end %>

    # Obtain and renew SSL certificates for pages domain through Let's Encrypt
    pages_domain_ssl_renewal_cron_worker:
      cron:<% if @pages_domain_ssl_renewal_cron_worker %> "<%= @pages_domain_ssl_renewal_cron_worker %>"<% end %>

    # Removes unverified pages domains
    pages_domain_removal_cron_worker:
      cron:<% if @pages_domain_removal_cron_worker %> "<%= @pages_domain_removal_cron_worker %>"<% end %>

    # Periodically migrate diffs from the database to external storage
    schedule_migrate_external_diffs_worker:
      cron:<% if @schedule_migrate_external_diffs_worker_cron %> "<%= @schedule_migrate_external_diffs_worker_cron %>"<% end %>

    # Update CI Platform Metrics daily
    ci_platform_metrics_update_cron_worker:
      cron: <% if @ci_platform_metrics_update_cron_worker %> "<%= @ci_platform_metrics_update_cron_worker %>"<% end %>

    ##
    # GitLab EE only jobs:

    # Snapshot active users statistics
    <% unless @historical_data_worker_cron.nil? %>
    historical_data_worker:
      cron: "<%= @historical_data_worker_cron %>"
    <% end %>

    # In addition to refreshing users when they log in,
    # periodically refresh LDAP users membership.
    # NOTE: This will only take effect if LDAP is enabled
    <% unless @ldap_sync_worker_cron.nil? %>
    ldap_sync_worker:
      cron: "<%= @ldap_sync_worker_cron %>"
    <% end %>

    # GitLab LDAP group sync worker
    # NOTE: This will only take effect if LDAP is enabled
    <% unless @ldap_group_sync_worker_cron.nil? %>
    ldap_group_sync_worker:
      cron: "<%= @ldap_group_sync_worker_cron %>"
    <% end %>

    # GitLab Geo prune event log worker
    # NOTE: This will only take effect if Geo is enabled (primary node only)
    <% unless @geo_prune_event_log_worker_cron.nil? %>
    geo_prune_event_log_worker:
      cron: "<%= @geo_prune_event_log_worker_cron %>"
    <% end %>

    # GitLab Geo repository sync worker
    # NOTE: This will only take effect if Geo is enabled
    <% unless @geo_repository_sync_worker_cron.nil? %>
    geo_repository_sync_worker:
      cron: "<%= @geo_repository_sync_worker_cron %>"
    <% end %>

    # GitLab Geo registry backfill worker
    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
    <% unless @geo_secondary_registry_consistency_worker.nil? %>
    geo_secondary_registry_consistency_worker:
      cron: "<%= @geo_secondary_registry_consistency_worker %>"
    <% end %>

    # GitLab Geo file download dispatch worker
    # NOTE: This will only take effect if Geo is enabled
    <% unless @geo_file_download_dispatch_worker_cron.nil? %>
    geo_file_download_dispatch_worker:
      cron: "<%= @geo_file_download_dispatch_worker_cron %>"
    <% end %>

    # GitLab Geo repository verification primary batch worker
    # NOTE: This will only take effect if Geo is enabled
    <% unless @geo_repository_verification_primary_batch_worker_cron.nil? %>
    geo_repository_verification_primary_batch_worker:
      cron: "<%= @geo_repository_verification_primary_batch_worker_cron %>"
    <% end %>

    # GitLab Geo repository verification secondary scheduler worker
    # NOTE: This will only take effect if Geo is enabled
    <% unless @geo_repository_verification_secondary_scheduler_worker_cron.nil? %>
    geo_repository_verification_secondary_scheduler_worker:
      cron: "<%= @geo_repository_verification_secondary_scheduler_worker_cron %>"
    <% end %>

    # GitLab Geo migrated local files clean up worker
    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
    <% unless @geo_migrated_local_files_clean_up_worker_cron.nil? %>
    <% LoggingHelper.deprecation "gitlab_rails['geo_migrated_local_files_clean_up_worker_cron'] options is deprecated and will be removed in Gitlab 14.0." %>
    geo_migrated_local_files_clean_up_worker:
      cron: "<%= @geo_migrated_local_files_clean_up_worker_cron %>"
    <% end %>

    # Export pseudonymized data in CSV format for analysis
    <% unless @pseudonymizer_worker_cron.nil? %>
    pseudonymizer_worker:
      cron: "<%= @pseudonymizer_worker_cron %>"
    <% end %>

    <% unless @elastic_index_bulk_cron.nil? %>
    elastic_index_bulk_cron_worker:
      cron: "<%= @elastic_index_bulk_cron %>"
    <% end %>

    # Worker for triggering counter jobs for instance statistics
    <% unless @analytics_instance_statistics_count_job_trigger_worker_cron.nil? %>
    analytics_instance_statistics_count_job_trigger_worker:
      cron: "<%= @analytics_instance_statistics_count_job_trigger_worker_cron %>"
    <% end %>

    # Worker for triggering member invitation reminder emails
    <% unless @member_invitation_reminder_emails_worker_cron.nil? %>
    member_invitation_reminder_emails_worker:
      cron: "<%= @member_invitation_reminder_emails_worker_cron %>"
    <% end %>

  ## Geo
  # NOTE: These settings will only take effect if Geo is enabled
  geo:
    # This is an optional identifier which Geo nodes can use to identify themselves.
    # For example, if external_url is the same for two secondaries, you must specify
    # a unique Geo node name for those secondaries.
    #
    # If it is blank, it defaults to external_url.
    node_name: <%= @geo_node_name %>

    registry_replication:
      enabled: <%= @geo_registry_replication_enabled %>
      primary_api_url: <%= @geo_registry_replication_primary_api_url %> # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API

  ## Feature Flag https://docs.gitlab.com/ee/user/project/operations/feature_flags.html
  feature_flags:
    unleash:
      enabled: <%= @feature_flags_unleash_enabled %>
      url: <%= @feature_flags_unleash_url %>
      app_name: <%= @feature_flags_unleash_app_name %> # Environment name of your GitLab instance
      instance_id: <%= @feature_flags_unleash_instance_id %>

  #
  # 2. GitLab CI settings
  # ==========================

  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    all_broken_builds: <%= @gitlab_ci_all_broken_builds %>
    #
    # Add pusher to recipients list (default: false)
    add_pusher: <%= @gitlab_ci_add_pusher || @gitlab_ci_add_committer %>

    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    builds_path: <%= @builds_directory %>

  #
  # 3. Auth settings
  # ==========================

  ## LDAP settings
  # You can inspect a sample of the LDAP users with login access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: <%= @ldap_enabled %>
    sync_time: <%= @ldap_sync_time %>
    prevent_ldap_sign_in: <%= @prevent_ldap_sign_in %>
  <% if @ldap_servers.any? %>
    servers:
    <% @ldap_servers.each do |provider_id, settings| %>
      <%= provider_id %>: <%= settings.to_json %>
    <% end %>
  <% else %>
    host: <%= quote(@ldap_host) %>
    port: <%= @ldap_port %>
    uid: <%= quote(@ldap_uid) %>
    method: <%= quote(@ldap_method) %> # "tls" or "ssl" or "plain"
    bind_dn: <%= quote(@ldap_bind_dn) %>
    password: <%= quote(@ldap_password) %>
    active_directory: <%= @ldap_active_directory %>
    allow_username_or_email_login: <%= @ldap_allow_username_or_email_login %>
    lowercase_usernames: <%= @ldap_lowercase_usernames %>
    base: <%= quote(@ldap_base) %>
    user_filter: <%= quote(@ldap_user_filter) %>

    ## EE only
    group_base: <%= quote(@ldap_group_base) %>
    admin_group: <%= quote(@ldap_admin_group) %>
    sync_ssh_keys: <%= quote(@ldap_sync_ssh_keys) %>
    sync_time: <%= @ldap_sync_time %>
  <% end %>

  ## Smartcard authentication settings
  smartcard:
    # Allow smartcard authentication
    enabled: <%= @smartcard_enabled %>

    # Path to a file containing a CA certificate
    ca_file: <%= quote(@smartcard_ca_file) %>

    # Host and port where the client side certificate is requested by the
    # webserver (NGINX/Apache)
    client_certificate_required_host: <%= @smartcard_client_certificate_required_host %>
    client_certificate_required_port: <%= @smartcard_client_certificate_required_port %>

    # Browser session with smartcard sign-in is required for Git access
    required_for_git_access: <%= @smartcard_required_for_git_access %>

    # SAN extensions to match users with certificates
    san_extensions: <%= @smartcard_san_extensions %>

  ## Kerberos settings
  kerberos:
    # Allow the HTTP Negotiate authentication method for Git clients
    enabled: <%= @kerberos_enabled %>

    # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
    # and should be different from other keytabs in the system.
    # (default: use default keytab from Krb5 config)
    keytab: <%= @kerberos_keytab %>

    # The Kerberos service name to be used by GitLab.
    # (default: accept any service name in keytab file)
    service_principal_name: <%= @kerberos_service_principal_name %>

    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
    # To support both Basic and Negotiate methods with older versions of Git, configure
    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
    # to dedicate this port to Kerberos authentication. (default: false)
    use_dedicated_port: <%= @kerberos_use_dedicated_port %>
    port: <%= @kerberos_port %>
    https: <%= @kerberos_https %>


  ## OmniAuth settings
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: <%= @omniauth_enabled %>

    # Uncomment this to automatically sign in with a specific OmniAuth provider without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    auto_sign_in_with_provider: <%= @omniauth_auto_sign_in_with_provider %>

    # Sync the user's email address from the specified OmniAuth provider every time the user logs
    # in (default: nil); the field consequently becomes read-only.
    <% unless @omniauth_sync_email_from_provider.nil? %>
    sync_email_from_provider: <%= @omniauth_sync_email_from_provider.inspect %>
    <% end %>

    # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).
    # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"],
    # or as true/false to allow all providers or none.
    # sync_profile_from_provider: []
    <% if @omniauth_sync_profile_from_provider %>
    sync_profile_from_provider: <%= @omniauth_sync_profile_from_provider.to_json %>
    <% end %>

    # Select which info to sync from the providers above. (default: email).
    # Define the synced profile info using an array. Available options are "name", "email" and "location"
    # e.g. ["name", "email", "location"] or as true to sync all available.
    # This consequently will make the selected attributes read-only.
    # sync_profile_attributes: true
    <% if @omniauth_sync_profile_attributes %>
    sync_profile_attributes: <%= @omniauth_sync_profile_attributes.to_json %>
    <% end %>

    # CAUTION!
    # This allows users to log in without having a user account first. Define the allowed
    # providers using an array, e.g. ["saml", "twitter"]
    # User accounts will be created automatically when authentication succeeds.
    allow_single_sign_on: <%= @omniauth_allow_single_sign_on.to_json %>

    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: <%= @omniauth_block_auto_created_users %>
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: <%= @omniauth_auto_link_ldap_user %>

    # Allow users with existing accounts to log in and automatically link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: <%= @omniauth_auto_link_saml_user.to_json %>

    # Allow users with existing accounts to sign in and automatically link their account via OmniAuth
    # login, without having to do a manual login first and manually add OmniAuth. Accounts are matched on email address.
    # Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to
    # allow all providers or none.
    # (default: false)
    auto_link_user: <%= @omniauth_auto_link_user.to_json %>

    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: <%= @omniauth_external_providers.to_json %>

    # CAUTION!
    # This allows users to log in with the specified providers without two-factor authentication. Define the allowed providers
    # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none.
    # This option should only be configured for providers which already enforce two-factor authentication themselves.
    # (default: false)
    allow_bypass_two_factor:  <%= @omniauth_allow_bypass_two_factor.to_json %>

    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at https://docs.gitlab.com/ee/integration/omniauth.html
    providers:
      # - { name: 'google_oauth2', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'twitter', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET'}
      # - { name: 'github', app_id: 'YOUR APP ID',
      #     app_secret: 'YOUR APP SECRET',
      #     args: { scope: 'user:email' } }
<% @omniauth_providers.each do |provider| %>
      - <%= provider.to_json %>
<% end %>

  # Shared file storage settings
  shared:
    # Rendered unquoted from @shared_path; presumably an absolute directory path —
    # verify it holds no YAML-special characters, or quote it as the backup path below is.
    path: <%= @shared_path %>

  # Gitaly settings
  # This setting controls whether GitLab uses Gitaly
  # Eventually Gitaly use will become mandatory and
  # this option will disappear.
  gitaly:
    client_path: /opt/gitlab/embedded/bin
    token: <%= @gitaly_token.to_s.to_json %>


  #
  # 4. Advanced settings
  # ==========================

  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # NOTE: REPOS PATHS MUST NOT CONTAIN ANY SYMLINK!!!
    # The whole mapping is emitted as JSON (valid YAML flow syntax) from
    # @repositories_storages, so individual storages are not edited here.
    storages: <%= JSON.dump(@repositories_storages) %>

  ## Backup settings
  backup:
    path: "<%= @backup_path %>"   # Relative paths are relative to Rails.root (default: tmp/backups/)
    archive_permissions: <%= @backup_archive_permissions %> # Permissions for the resulting backup.tar file (default: 0600)
    keep_time: <%= @backup_keep_time %>   # default: 0 (forever) (in seconds)
    pg_schema: <%= @backup_pg_schema %>   # default: nil, it means that all schemas will be backed up
    upload:
      # Fog storage connection settings, see http://fog.io/storage/.
      connection: <%= @backup_upload_connection.to_json if @backup_upload_connection %>
      # The remote 'directory' to store your backups. For S3, this would be the bucket name.
      remote_directory: <%= quote(@backup_upload_remote_directory) %>
      multipart_chunk_size: <%= @backup_multipart_chunk_size %>
      encryption: <%= @backup_encryption %>
      encryption_key: <%= @backup_encryption_key %>
      storage_class: <%= @backup_storage_class %>

  ## Pseudonymizer settings
  pseudonymizer:
    manifest: <%= quote(@pseudonymizer_manifest) %>
    upload:
      remote_directory: <%= quote(@pseudonymizer_upload_remote_directory) %>
      connection: <%= @pseudonymizer_upload_connection.to_json %>

  ## GitLab Shell settings
  gitlab_shell:
    path: <%= @gitlab_shell_path %>
    hooks_path: <%= @gitlab_shell_hooks_path %>
    authorized_keys_file: <%= @gitlab_shell_authorized_keys_file %>

    # Git over HTTP
    upload_pack: <%= @gitlab_shell_upload_pack %>
    receive_pack: <%= @gitlab_shell_receive_pack %>

    # If you use non-standard ssh port you need to specify it
    ssh_port: <%= @gitlab_shell_ssh_port %>

    # Git import/fetch timeout
    git_timeout: <%= @gitlab_shell_git_timeout %>

  ## Git settings
  # CAUTION!
  # Use the default values unless you really know what you are doing
  git:
    bin_path: <%= @git_bin_path %>

  monitoring:
    # Time between sampling of unicorn socket metrics, in seconds
    unicorn_sampler_interval: <%= @monitoring_unicorn_sampler_interval %>
    # IP whitelist controlling access to monitoring endpoints
    ip_whitelist:
<% @monitoring_whitelist.each do |entry| %>
      - "<%= entry %>"
<% end %>
    # The Sidekiq exporter is a web server built into Sidekiq that exposes Prometheus metrics
    sidekiq_exporter:
      enabled: <%= @sidekiq['metrics_enabled'] %>
      log_enabled: <%= @sidekiq['exporter_log_enabled'] %>
      address: <%= @sidekiq['listen_address'] %>
      port: <%= @sidekiq['listen_port'] %>

    # The web exporter is a web server built into Unicorn/Puma that exposes Prometheus metrics
    web_exporter:
      enabled: <%= @puma['enable'] ? @puma['exporter_enabled'] : @unicorn['exporter_enabled']  %>
      address: <%= @puma['enable'] ? @puma['exporter_address'] : @unicorn['exporter_address']  %>
      port: <%= @puma['enable'] ? @puma['exporter_port'] : @unicorn['exporter_port']  %>

  shutdown:
    # Rendered unquoted from @shutdown_blackout_seconds; presumably an integer
    # number of seconds — what the blackout covers is not visible here.
    blackout_seconds: <%= @shutdown_blackout_seconds %>

  ## Prometheus settings
  # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb
  # if you installed GitLab via Omnibus.
  # If you installed from source, you need to install and configure Prometheus
  # yourself, and then update the values here.
  # https://docs.gitlab.com/ee/administration/monitoring/prometheus/
  prometheus:
    # Do not use `enable` and `listen_address` in any new code, as they are deprecated. Use `server_address` instead.
    # https://gitlab.com/gitlab-org/gitlab/-/issues/227111
    enable: <%= @prometheus_available %>
    listen_address: "<%= @prometheus_server_address %>"
    # IP address (including listen port) of the Prometheus server
    server_address: "<%= @prometheus_server_address %>"

  ## Consul settings
  consul:
    # Rendered inside quotes, so an empty @consul_api_url yields "" rather than null.
    api_url: "<%= @consul_api_url %>"

  #
  # 5. Extra customization
  # ==========================

  extra:
    <% if @extra_google_analytics_id %>
    ## Google analytics. Uncomment if you want it
    google_analytics_id: <%= quote(@extra_google_analytics_id) %>
    <% end %>

    <% if @extra_piwik_url %>
    ## Piwik analytics.
    piwik_url: <%= quote(@extra_piwik_url) %>
    piwik_site_id: <%= quote(@extra_piwik_site_id) %>
    <% end %>

  rack_attack:
    # Emitted as JSON only when @rack_attack_git_basic_auth is set; otherwise the
    # value is left empty, which YAML reads as null.
    git_basic_auth: <%= @rack_attack_git_basic_auth.to_json if @rack_attack_git_basic_auth %>


development:
  # Merge key: inherits every key of the production mapping (anchored as &base).
  # Shallow merge only; keys listed explicitly in this mapping would override it.
  <<: *base

test:
  <<: *base
  gravatar:
    enabled: true
  gitlab:
    host: localhost
    port: 80

    # When you run tests we clone and set up gitlab-shell
    # In order to set it up correctly you need to specify
    # the system username you use to run GitLab
    # user: YOUR_USERNAME
  repositories:
    storages:
      default: { "path": "tmp/tests/repositories/" }
  gitlab_shell:
    path: tmp/tests/gitlab-shell/
    hooks_path: tmp/tests/gitlab-shell/hooks/
  issues_tracker:
    redmine:
      title: "Redmine"
      project_url: "http://redmine/projects/:issues_tracker_id"
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
    jira:
      title: "JIRA"
      url: https://samplecompany.example.net
      project_key: PROJECT
  ldap:
    # LDAP fixture for the test environment: disabled by default and pointed at a
    # server on the loopback address. 'plain' is an unencrypted connection, which
    # is acceptable only because the target here is 127.0.0.1.
    enabled: false
    servers:
      main:
        label: ldap
        host: 127.0.0.1
        port: 3890
        uid: 'uid'
        method: 'plain' # "tls" or "ssl" or "plain" (plain = no transport encryption)
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''
        sync_ssh_keys: false

staging:
  <<: *base