Add registry.

VERSION

-master
+buildfrombranch:docker-registry

config/software/gitlab-rails.rb

@@ -33,6 +33,7 @@ dependency "libicu"
 dependency "postgresql"
 dependency "python-docutils"
 dependency "krb5"
+dependency "registry"
 if EE
   dependency "mysql-client"

config/software/registry.rb

+#
+## Copyright:: Copyright (c) 2016 GitLab Inc.
+## License:: Apache License, Version 2.0
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+#
+
+name "registry"
+default_version "v2.3.1"
+
+source :git => "https://github.com/docker/distribution.git"
+
+relative_path "github.com/docker/distribution"
+
+build do
+  env = with_standard_compiler_flags(with_embedded_path)
+  env = { 'GOPATH' => "#{Omnibus::Config.base_dir}"}
+  cwd = "#{Omnibus::Config.source_dir}/github.com/docker/distribution"
+
+  command "go get github.com/tools/godep", env: env, cwd: cwd
+  command "$GOPATH/bin/godep restore", env: env, cwd: cwd
+  make "build PREFIX=#{install_dir}/embedded", env: env, cwd: cwd
+  make "binaries PREFIX=#{install_dir}/embedded", env: env, cwd: cwd
+end

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -119,6 +119,15 @@ default['gitlab']['gitlab-rails']['pages_port'] = nil
 default['gitlab']['gitlab-rails']['pages_https'] = false
 default['gitlab']['gitlab-rails']['pages_path'] = nil
+# TODO
+default['gitlab']['gitlab-rails']['registry_enabled'] = false
+default['gitlab']['gitlab-rails']['registry_host'] = nil
+default['gitlab']['gitlab-rails']['registry_port'] = nil
+default['gitlab']['gitlab-rails']['registry_https'] = nil
+default['gitlab']['gitlab-rails']['registry_internal_host'] = nil
+default['gitlab']['gitlab-rails']['registry_key_path'] = nil
+default['gitlab']['gitlab-rails']['registry_path'] = nil
+
 ####
 # These LDAP settings are deprecated in favor of the new syntax. They are kept here for backwards compatibility.
 # Check
@@ -423,6 +432,20 @@ default['gitlab']['gitlab-pages']['use_http2'] = true
 default['gitlab']['gitlab-pages']['dir'] = "/var/opt/gitlab/gitlab-pages"
 default['gitlab']['gitlab-pages']['log_directory'] = "/var/log/gitlab/gitlab-pages"
+####
+# GitLab Docker Registry
+####
+default['gitlab']['registry']['enable'] = false
+default['gitlab']['registry']['username'] = "registry"
+default['gitlab']['registry']['group'] = "registry"
+default['gitlab']['registry']['uid'] = nil
+default['gitlab']['registry']['gid'] = nil
+default['gitlab']['registry']['dir'] = "/var/opt/gitlab/registry"
+default['gitlab']['registry']['log_directory'] = "/var/log/gitlab/registry"
+default['gitlab']['registry']['rootcertbundle'] = nil
+
+
+
 ####
 # Nginx
 ####
@@ -768,3 +791,9 @@ default['gitlab']['mattermost-nginx']['enable'] = false
 ####
 default['gitlab']['pages-nginx'] = default['gitlab']['nginx'].dup
 default['gitlab']['pages-nginx']['enable'] = true
+
+####
+# GitLab Registry NGINX
+####
+default['gitlab']['registry-nginx'] = default['gitlab']['nginx'].dup
+default['gitlab']['registry-nginx']['enable'] = true

files/gitlab-cookbooks/gitlab/libraries/account_helper.rb

@@ -78,6 +78,14 @@ class AccountHelper
     node['gitlab']['mattermost']['group']
   end
+  def registry_user
+    node['gitlab']['registry']['username']
+  end
+
+  def registry_group
+    node['gitlab']['registry']['group']
+  end
+
   def users
     %W(
         #{gitlab_user}
@@ -87,6 +95,7 @@ class AccountHelper
         #{gitlab_ci_user}
         #{ci_redis_user}
         #{mattermost_user}
+        #{registry_user}
       )
   end
@@ -99,7 +108,7 @@ class AccountHelper
         #{gitlab_ci_group}
         #{ci_redis_group}
         #{mattermost_group}
+        #{registry_group}
       )
   end
 end
-

files/gitlab-cookbooks/gitlab/libraries/gitlab.rb

@@ -52,6 +52,7 @@ module Gitlab
   gitlab_workhorse Mash.new
   gitlab_git_http_server Mash.new # legacy from GitLab 7.14, 8.0, 8.1
   pages_nginx Mash.new
+  registry_nginx Mash.new
   mailroom Mash.new
   nginx Mash.new
   ci_nginx Mash.new
@@ -63,11 +64,13 @@ module Gitlab
   web_server Mash.new
   mattermost Mash.new
   gitlab_pages Mash.new
+  registry Mash.new
   node nil
   external_url nil
   pages_external_url nil
   ci_external_url nil
   mattermost_external_url nil
+  registry_external_url nil
   git_data_dir nil
   class << self
@@ -91,6 +94,11 @@ module Gitlab
                                                  end
       Gitlab['gitlab_ci']['db_key_base'] ||= generate_hex(64)
+      Gitlab['registry']['http_secret'] ||= generate_hex(64)
+      gitlab_registry_crt, gitlab_registry_key = generate_registry_keypair
+      Gitlab['registry']['internal_certificate'] ||= gitlab_registry_crt
+      Gitlab['registry']['internal_key'] ||= gitlab_registry_key
+
       Gitlab['mattermost']['email_invite_salt'] ||= generate_hex(16)
       Gitlab['mattermost']['file_public_link_salt'] ||= generate_hex(16)
       Gitlab['mattermost']['email_password_reset_salt'] ||= generate_hex(16)
@@ -101,6 +109,22 @@ module Gitlab
       SecretsHelper.write_to_gitlab_secrets
     end
+    def generate_registry_keypair
+      key = OpenSSL::PKey::RSA.new(4096)
+      subject = "/C=USA/O=GitLab/OU=Docker/CN=Registry"
+
+      cert = OpenSSL::X509::Certificate.new
+      cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
+      cert.not_before = Time.now
+      cert.not_after = Time.now + 18250 * 24 * 60 * 60
+      cert.public_key = key.public_key
+      cert.serial = 0x0
+      cert.version = 2
+      cert.sign key, OpenSSL::Digest::SHA256.new
+
+      [cert.to_pem, key.to_pem]
+    end
+
     def parse_gitlab_git_http_server
       Gitlab['gitlab_git_http_server'].each do |k, v|
         Chef::Log.warn "gitlab_git_http_server is deprecated. Please use gitlab_workhorse in gitlab.rb"
@@ -477,6 +501,57 @@ module Gitlab
       mailroom['enable'] = true if mailroom['enable'].nil?
     end
+    def parse_registry_external_url
+      return unless registry_external_url
+
+      uri = URI(registry_external_url.to_s)
+
+      unless uri.host
+        raise "GitLab Registry external URL must must include a schema and FQDN, e.g. https://registry.example.com/"
+      end
+
+      if registry['enable'].nil?
+        registry['enable'] = true
+        Gitlab['gitlab_rails']['registry_enabled'] = true
+      end
+
+      Gitlab['gitlab_rails']['registry_internal_host'] ||= "http://127.0.0.1:5000"
+      Gitlab['registry']['registry_http_addr'] ||= Gitlab['gitlab_rails']['registry_internal_host'].gsub(/^https?\:\/\//, '')
+      Gitlab['gitlab_rails']['registry_host'] = uri.host
+      Gitlab['registry_nginx']['listen_port'] ||= uri.port
+
+      if Gitlab['gitlab_rails']['gitlab_host'] == uri.host && Gitlab['gitlab_rails']['gitlab_https'] == true
+        # set a section in gitlab-rails nginx config
+        Gitlab['nginx']['registry_enabled'] = true
+        Gitlab['nginx']['registry_external_listen_port'] = uri.port
+      else
+        # use a separate nginx config
+        case  uri.scheme
+        when "http"
+          Gitlab['registry']['registry_https'] = false
+        when "https"
+          Gitlab['registry']['registry_https'] = true
+          Gitlab['registry_nginx']['https'] ||= Gitlab['registry']['registry_https']
+          Gitlab['registry_nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
+          Gitlab['registry_nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
+        else
+          raise "Unsupported GitLab Registry external URL scheme: #{uri.scheme}"
+        end
+      end
+
+      unless ["", "/"].include?(uri.path)
+        raise "Unsupported GitLab Registry external URL path: #{uri.path}"
+      end
+
+      Gitlab['registry']['registry_port'] = uri.port
+    end
+
+    def parse_registry
+      return unless registry['enable']
+
+      gitlab_rails['registry_path'] = "#{gitlab_rails['shared_path']}/registry" if gitlab_rails['registry_path'].nil?
+    end
+
     def disable_gitlab_rails_services
       if gitlab_rails["enable"] == false
         redis["enable"] = false
@@ -509,6 +584,7 @@ module Gitlab
         "ci_nginx",
         "mattermost_nginx",
         "pages_nginx",
+        "registry_nginx",
         "logging",
         "remote_syslog",
         "logrotate",
@@ -520,7 +596,8 @@ module Gitlab
         "ci_external_url",
         "mattermost_external_url",
         "pages_external_url",
-        "gitlab_pages"
+        "gitlab_pages",
+        "registry"
       ].each do |key|
         rkey = key.gsub('_', '-')
         results['gitlab'][rkey] = Gitlab[key]
@@ -547,6 +624,7 @@ module Gitlab
       parse_ci_external_url
       parse_pages_external_url
       parse_mattermost_external_url
+      parse_registry_external_url
       parse_unicorn_listen_address
       parse_nginx_listen_address
       parse_nginx_listen_ports
@@ -555,6 +633,7 @@ module Gitlab
       parse_gitlab_mattermost
       parse_incoming_email
       parse_gitlab_pages_daemon
+      parse_registry
       disable_gitlab_rails_services
       # The last step is to convert underscores to hyphens in top-level keys
       generate_hash

files/gitlab-cookbooks/gitlab/libraries/helper.rb

@@ -264,6 +264,12 @@ class SecretsHelper
                         'secret_key_base' => Gitlab['gitlab_ci']['secret_key_base'],
                         'db_key_base' => Gitlab['gitlab_ci']['db_key_base'],
                       },
+                      'registry' => {
+                        'http_secret' => Gitlab['registry']['http_secret'],
+                        'internal_certificate' => Gitlab['registry']['internal_certificate'],
+                        'internal_key' => Gitlab['registry']['internal_key']
+
+                      },
                       'mattermost' => {
                         'email_invite_salt' => Gitlab['mattermost']['email_invite_salt'],
                         'file_public_link_salt' => Gitlab['mattermost']['file_public_link_salt'],

files/gitlab-cookbooks/gitlab/recipes/default.rb

@@ -104,7 +104,8 @@ include_recipe "runit"
   "logrotate",
   "bootstrap",
   "mattermost",
-  "gitlab-pages"
+  "gitlab-pages",
+  "registry"
 ].each do |service|
   if node["gitlab"][service]["enable"]
     include_recipe "gitlab::#{service}"

files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb

@@ -30,6 +30,9 @@ gitlab_ci_dir = node['gitlab']['gitlab-ci']['dir']
 gitlab_ci_builds_dir = node['gitlab']['gitlab-ci']['builds_directory']
 upgrade_status_dir = File.join(gitlab_rails_dir, "upgrade-status")
+# Set path to the private key used for communication betwee registry and Gitlab.
+node.default['gitlab']['gitlab-rails']['registry_key_path'] = File.join(gitlab_rails_etc_dir, "gitlab-registry.key")
+
 ssh_dir = File.join(node['gitlab']['user']['home'], ".ssh")
 known_hosts = File.join(ssh_dir, "known_hosts")

files/gitlab-cookbooks/gitlab/recipes/nginx.rb

@@ -43,6 +43,7 @@ nginx_config = File.join(nginx_conf_dir, "nginx.conf")
 gitlab_rails_http_conf = File.join(nginx_conf_dir, "gitlab-http.conf")
 gitlab_pages_http_conf = File.join(nginx_conf_dir, "gitlab-pages.conf")
+gitlab_registry_http_conf = File.join(nginx_conf_dir, "gitlab-registry.conf")
 gitlab_mattermost_http_conf = File.join(nginx_conf_dir, "gitlab-mattermost-http.conf")
 # If the service is enabled, check if we are using internal nginx
@@ -64,6 +65,12 @@ gitlab_pages_enabled = if node['gitlab']['gitlab-rails']['pages_enabled']
                          false
                        end
+gitlab_registry_enabled = if node['gitlab']['registry']['enable']
+                         node['gitlab']['registry-nginx']['enable']
+                       else
+                         false
+                       end
+
 # Include the config file for gitlab-rails in nginx.conf later
 nginx_vars = node['gitlab']['nginx'].to_hash.merge({
                :gitlab_http_config => gitlab_rails_enabled ? gitlab_rails_http_conf : nil
@@ -79,6 +86,10 @@ nginx_vars = nginx_vars.to_hash.merge!({
                                          :gitlab_pages_http_config => gitlab_pages_enabled ? gitlab_pages_http_conf : nil
                                        })
+nginx_vars = nginx_vars.to_hash.merge!({
+                                         :gitlab_registry_http_config => gitlab_registry_enabled ? gitlab_registry_http_conf : nil
+                                       })
+
 if nginx_vars['listen_https'].nil?
   nginx_vars['https'] = node['gitlab']['gitlab-rails']['gitlab_https']
 else
@@ -98,7 +109,8 @@ template gitlab_rails_http_conf do
       :kerberos_enabled => node['gitlab']['gitlab-rails']['kerberos_enabled'],
       :kerberos_use_dedicated_port => node['gitlab']['gitlab-rails']['kerberos_use_dedicated_port'],
       :kerberos_port => node['gitlab']['gitlab-rails']['kerberos_port'],
-      :kerberos_https => node['gitlab']['gitlab-rails']['kerberos_https']
+      :kerberos_https => node['gitlab']['gitlab-rails']['kerberos_https'],
+      :registry_internal_host => node['gitlab']['gitlab-rails']['registry_internal_host']
     }
   ))
   notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
@@ -128,6 +140,22 @@ template gitlab_pages_http_conf do
   action gitlab_pages_enabled ? :create : :delete
 end
+registry_nginx_vars = node['gitlab']['registry-nginx'].to_hash
+template gitlab_registry_http_conf do
+  source "nginx-gitlab-registry-http.conf.erb"
+  owner "root"
+  group "root"
+  mode "0644"
+  variables(registry_nginx_vars.merge(
+    {
+      registry_internal_host: node['gitlab']['gitlab-rails']['registry_internal_host'],
+      registry_host: node['gitlab']['gitlab-rails']['registry_host']
+    }
+  ))
+  notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
+  action gitlab_registry_enabled ? :create : :delete
+end
+
 mattermost_nginx_vars = node['gitlab']['mattermost-nginx'].to_hash
 if mattermost_nginx_vars['listen_https'].nil?

files/gitlab-cookbooks/gitlab/recipes/registry.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+account_helper = AccountHelper.new(node)
+registry_uid = node['gitlab']['registry']['uid']
+registry_gid = node['gitlab']['registry']['gid']
+
+working_dir = node['gitlab']['registry']['dir']
+log_directory = node['gitlab']['registry']['log_directory']
+
+directory working_dir do
+  recursive true
+end
+
+account "Docker registry user and group" do
+  username account_helper.registry_user
+  uid registry_uid
+  ugid account_helper.registry_group
+  groupname account_helper.registry_group
+  gid registry_gid
+  shell '/bin/sh'
+  home working_dir
+  manage node['gitlab']['manage-accounts']['enable']
+end
+
+[
+  working_dir,
+  log_directory,
+].each do |dir|
+  directory dir do
+    owner account_helper.registry_user
+    mode '0700'
+    recursive true
+  end
+end
+
+key_file_path = node['gitlab']['gitlab-rails']['registry_key_path']
+file key_file_path do
+  content node['gitlab']['registry']['internal_key']
+  owner account_helper.gitlab_user
+  group account_helper.gitlab_group
+end
+
+cert_file_path = File.join(working_dir, "gitlab-registry.crt")
+node.default['gitlab']['registry']['rootcertbundle'] = cert_file_path
+file cert_file_path do
+  content node['gitlab']['registry']['internal_certificate']
+  owner account_helper.registry_user
+  group account_helper.registry_group
+end
+
+template "#{working_dir}/config.yml" do
+  source "registry-config.yml.erb"
+  owner account_helper.registry_user
+  variables node['gitlab']['registry'].to_hash.merge(node['gitlab']['gitlab-rails'].to_hash)
+  mode "0644"
+  notifies :restart, "service[registry]"
+end
+
+runit_service 'registry' do
+  options({
+    :log_directory => log_directory
+  }.merge(params))
+  log_options node['gitlab']['logging'].to_hash.merge(node['gitlab']['registry'].to_hash)
+end

files/gitlab-cookbooks/gitlab/recipes/registry_disable.rb

+#
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service "registry" do
+  action :disable
+end

files/gitlab-cookbooks/gitlab/recipes/web-server.rb

@@ -18,12 +18,13 @@
 account_helper = AccountHelper.new(node)
 webserver_username = account_helper.web_server_user
 webserver_group = account_helper.web_server_group
-external_webserver_users = node['gitlab']['web-server']['external_users']
-# Create the group for the GitLab user
+# Add docker registry user to the GitLab webserver group.
 # If external webserver is used, add the external webserver user to
-# GitLab webserver group
-append_members = external_webserver_users.any? && !node['gitlab']['nginx']['enable']
+# GitLab webserver group.
+
+# TODO THIS WON'T WORK ON THE FIRST RUN
+external_webserver_users = [ account_helper.registry_user ] + node['gitlab']['web-server']['external_users']
 account "Webserver user and group" do
   username webserver_username
@@ -33,7 +34,7 @@ account "Webserver user and group" do
   gid node['gitlab']['web-server']['gid']
   shell node['gitlab']['web-server']['shell']
   home node['gitlab']['web-server']['home']
-  append_to_group append_members
+  append_to_group true
   group_members external_webserver_users
   user_supports manage_home: false
   manage node['gitlab']['manage-accounts']['enable']

files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb

@@ -124,6 +124,16 @@ production: &base
     # The location where LFS objects are stored (default: shared/lfs-objects).
     storage_path: <%= @lfs_storage_path %>
+  ## Docker Registry
+  registry:
+    enabled: <%= @registry_enabled %>
+    host: <%= @registry_host %>
+    port: <%= @registry_port %>
+    https: <%= @registry_https %>
+    internal_host: <%= @registry_internal_host %> # internal address to the registry, will be used by GitLab to directly communicate with API
+    path: <%= @registry_path %>
+    key: <%= @registry_key_path %>
+
   ## GitLab Pages (EE only)
   pages:
     enabled: <%= @pages_enabled %>

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb

@@ -135,3 +135,80 @@ server {
   <%= @custom_gitlab_server_config %>
 }
+
+<% if @registry_enabled %>
+server {
+<% @listen_addresses.each do |listen_address| %>
+  listen <%= listen_address %>:<%= @registry_external_listen_port %><% if @https %> ssl<% if @http2_enabled %> http2<% end %><% end %>;
+<% end %>
+  server_name <%= @fqdn %>;
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  ## Increase this if you want to upload large attachments
+  ## Or if you want to accept large git objects over http
+  client_max_body_size <%= @client_max_body_size %>;
+
+  <% if @https %>
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+  ssl on;
+  ssl_certificate <%= @ssl_certificate %>;
+  ssl_certificate_key <%= @ssl_certificate_key %>;
+  <% if @ssl_client_certificate %>
+  ssl_client_certificate <%= @ssl_client_certificate%>;
+  <% end %>
+
+  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
+  ssl_ciphers '<%= @ssl_ciphers %>';
+  ssl_protocols  <%= @ssl_protocols %>;
+  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
+  ssl_session_cache  <%= @ssl_session_cache %>;
+  ssl_session_timeout  <%= @ssl_session_timeout %>;
+
+  <% if @ssl_dhparam %>
+  ssl_dhparam <%= @ssl_dhparam %>;
+  <% end %>
+  <% end %>
+
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  <% if @real_ip_header %>
+  real_ip_header <%= @real_ip_header %>;
+  <% end %>
+  <% if @real_ip_recursive %>
+  real_ip_recursive <%= @real_ip_recursive %>;
+  <% end %>
+  <% @real_ip_trusted_addresses.each do |trusted_address| %>
+  set_real_ip_from <%= trusted_address %>;
+  <% end %>
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
+  error_log   <%= @log_directory %>/gitlab_error.log;
+
+  <% path = @relative_url ? @relative_url : "/" %>
+  location <%= path %> {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    <%= 'gzip off;' if @https %>
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      <%= @proxy_read_timeout %>;
+    proxy_connect_timeout   <%= @proxy_connect_timeout %>;
+    proxy_redirect          off;
+
+    proxy_http_version 1.1;
+
+    <% @proxy_set_headers.each do |header| %>
+    <% next if header[1].nil? %>
+    proxy_set_header <%= header[0] %> <%= header[1] %>;
+    <% end %>
+
+    proxy_pass <%= @registry_internal_host %>;
+  }
+
+
+  <%= @custom_gitlab_server_config %>
+}
+<% end %>

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-registry-http.conf.erb

+# This file is managed by gitlab-ctl. Manual changes will be
+# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
+# and run `sudo gitlab-ctl reconfigure`.
+
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+###################################
+##         configuration         ##
+###################################
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+<% @listen_addresses.each do |listen_address| %>
+  listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
+<% end %>
+  server_name  <%= @registry_host %>;
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  return 301 https://$http_host:<%= @port %>$request_uri;
+  access_log  <%= @log_directory %>/gitlab_registry_access.log gitlab_access;
+  error_log   <%= @log_directory %>/gitlab_registry_error.log;
+}
+
+server {
+<% @listen_addresses.each do |listen_address| %>
+  listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl http2<% end %>;
+<% end %>
+  server_name  <%= @registry_host %>;
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+
+  <% if @https %>
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+  ssl on;
+  ssl_certificate <%= @ssl_certificate %>;
+  ssl_certificate_key <%= @ssl_certificate_key %>;
+  <% if @ssl_client_certificate %>
+  ssl_client_certificate <%= @ssl_client_certificate%>;
+  <% end %>
+
+  ssl_ciphers '<%= @ssl_ciphers %>';
+  ssl_protocols  <%= @ssl_protocols %>;
+  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
+  ssl_session_cache  <%= @ssl_session_cache %>;
+  ssl_session_timeout  <%= @ssl_session_timeout %>;
+
+  <% if @ssl_dhparam %>
+  ssl_dhparam <%= @ssl_dhparam %>;
+  <% end %>
+  <% end %>
+
+  access_log  <%= @log_directory %>/gitlab_registry_access.log gitlab_access;
+  error_log   <%= @log_directory %>/gitlab_registry_error.log;
+
+  location / {
+    proxy_set_header  Host              $http_host;   # required for docker client's sake
+    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header  X-Forwarded-Proto $scheme;
+    proxy_read_timeout                  900;
+
+    proxy_pass          <%= @registry_internal_host %>;
+  }
+
+  <%= @custom_gitlab_server_config %>
+}

files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb

@@ -51,5 +51,9 @@ http {
   include <%= @gitlab_mattermost_http_config %>;
   <% end %>
+  <% if @gitlab_registry_http_config %>
+  include <%= @gitlab_registry_http_config %>;
+  <% end %>
+
   <%= @custom_nginx_config %>
 }

files/gitlab-cookbooks/gitlab/templates/default/registry-config.yml.erb

+version: 0.1
+log:
+  fields:
+    service: registry
+    environment: production
+storage:
+  cache:
+    blobdescriptor: inmemory
+  filesystem:
+    rootdirectory: <%= @registry_path %>
+http:
+  addr: <%= @registry_http_addr %>
+  secret: "<%= @http_secret %>"
+  headers:
+    X-Content-Type-Options: [nosniff]
+health:
+  storagedriver:
+    enabled: true
+    interval: 10s
+    threshold: 3
+auth:
+  token:
+    realm: http://127.0.0.1/api/v3/auth/token
+    service: docker
+    issuer: omnibus-issuer
+    rootcertbundle: <%= @rootcertbundle %>

files/gitlab-cookbooks/gitlab/templates/default/sv-docker-registry-log-config.erb

+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>

files/gitlab-cookbooks/gitlab/templates/default/sv-docker-registry-log-run.erb

+#!/bin/sh
+exec svlogd -tt <%= @options[:log_directory] %>