· 4 years ago · Apr 14, 2021, 08:34 PM
1## GitLab configuration settings
2##! This file is generated during initial installation and **is not** modified
3##! during upgrades.
4##! Check out the latest version of this file to know about the different
5##! settings that can be configured, when they were introduced and why:
6##! https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template
7
8##! Locally, the complete template corresponding to the installed version can be found at:
9##! /opt/gitlab/etc/gitlab.rb.template
10
11##! You can run `gitlab-ctl diff-config` to compare the contents of the current gitlab.rb with
12##! the gitlab.rb.template from the currently running version.
13
14##! You can run `gitlab-ctl show-config` to display the configuration that will be generated by
15##! running `gitlab-ctl reconfigure`
16
17##! In general, the values specified here should reflect what the default value of the attribute will be.
18##! There are instances where this behavior is not possible or desired. For example, when providing passwords,
19##! or connecting to third party services.
20##! In those instances, we endeavour to provide an example configuration.
21
22## GitLab URL
23##! URL on which GitLab will be reachable.
24##! For more details on configuring external_url see:
25##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
26##!
27##! Note: During installation/upgrades, the value of the environment variable
28##! EXTERNAL_URL will be used to populate/replace this value.
29##! On AWS EC2 instances, we also attempt to fetch the public hostname/IP
30##! address from AWS. For more details, see:
31##! https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
32 external_url 'http://gitlab.lan'
33
34## Roles for multi-instance GitLab
35##! The default is to have no roles enabled, which results in GitLab running as an all-in-one instance.
36##! Options:
37##! redis_sentinel_role redis_master_role redis_replica_role geo_primary_role geo_secondary_role
38##! postgres_role consul_role application_role monitoring_role
39##! For more details on each role, see:
40##! https://docs.gitlab.com/omnibus/roles/README.html#roles
41##!
42# roles ['redis_sentinel_role', 'redis_master_role']
43
44## Legend
45##! The following notations at the beginning of each line may be used to
46##! differentiate between components of this file and to easily select them using
47##! a regex.
48##! ## Titles, subtitles etc
49##! ##! More information - Description, Docs, Links, Issues etc.
50##! Configuration settings have a single # followed by a single space at the
51##! beginning; Remove them to enable the setting.
52
53##! **Configuration settings below are optional.**
54
55
56################################################################################
57################################################################################
58## Configuration Settings for GitLab CE and EE ##
59################################################################################
60################################################################################
61
62################################################################################
63## gitlab.yml configuration
64##! Docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md
65################################################################################
66# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com'
67# gitlab_rails['gitlab_ssh_user'] = ''
68# gitlab_rails['time_zone'] = 'UTC'
69
70### Request duration
71###! Tells the rails application how long it has to complete a request
72###! This value needs to be lower than the worker timeout set in unicorn/puma.
73###! By default, we'll allow 95% of the the worker timeout
74# gitlab_rails['max_request_duration_seconds'] = 57
75
76### GitLab email server settings
77###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
78###! **Use smtp instead of sendmail/postfix.**
79
80# gitlab_rails['smtp_enable'] = true
81# gitlab_rails['smtp_address'] = "smtp.server"
82# gitlab_rails['smtp_port'] = 465
83# gitlab_rails['smtp_user_name'] = "smtp user"
84# gitlab_rails['smtp_password'] = "smtp password"
85# gitlab_rails['smtp_domain'] = "example.com"
86# gitlab_rails['smtp_authentication'] = "login"
87# gitlab_rails['smtp_enable_starttls_auto'] = true
88# gitlab_rails['smtp_tls'] = false
89
90###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**
91###! Docs: http://api.rubyonrails.org/classes/ActionMailer/Base.html
92# gitlab_rails['smtp_openssl_verify_mode'] = 'none'
93
94# gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"
95# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"
96
97### Email Settings
98
99# gitlab_rails['gitlab_email_enabled'] = true
100
101##! If your SMTP server does not like the default 'From: gitlab@gitlab.example.com'
102##! can change the 'From' with this setting.
103# gitlab_rails['gitlab_email_from'] = 'example@example.com'
104# gitlab_rails['gitlab_email_display_name'] = 'Example'
105# gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com'
106# gitlab_rails['gitlab_email_subject_suffix'] = ''
107# gitlab_rails['gitlab_email_smime_enabled'] = false
108# gitlab_rails['gitlab_email_smime_key_file'] = '/etc/gitlab/ssl/gitlab_smime.key'
109# gitlab_rails['gitlab_email_smime_cert_file'] = '/etc/gitlab/ssl/gitlab_smime.crt'
110# gitlab_rails['gitlab_email_smime_ca_certs_file'] = '/etc/gitlab/ssl/gitlab_smime_cas.crt'
111
112### GitLab user privileges
113# gitlab_rails['gitlab_default_can_create_group'] = true
114# gitlab_rails['gitlab_username_changing_enabled'] = true
115
116### Default Theme
117### Available values:
118##! `1` for Indigo
119##! `2` for Dark
120##! `3` for Light
121##! `4` for Blue
122##! `5` for Green
123##! `6` for Light Indigo
124##! `7` for Light Blue
125##! `8` for Light Green
126##! `9` for Red
127##! `10` for Light Red
128# gitlab_rails['gitlab_default_theme'] = 2
129
130### Default project feature settings
131# gitlab_rails['gitlab_default_projects_features_issues'] = true
132# gitlab_rails['gitlab_default_projects_features_merge_requests'] = true
133# gitlab_rails['gitlab_default_projects_features_wiki'] = true
134# gitlab_rails['gitlab_default_projects_features_snippets'] = true
135# gitlab_rails['gitlab_default_projects_features_builds'] = true
136# gitlab_rails['gitlab_default_projects_features_container_registry'] = true
137
138### Automatic issue closing
139###! See https://docs.gitlab.com/ee/customization/issue_closing.html for more
140###! information about this pattern.
141# gitlab_rails['gitlab_issue_closing_pattern'] = "\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)"
142
143### Download location
144###! When a user clicks e.g. 'Download zip' on a project, a temporary zip file
145###! is created in the following directory.
146###! Should not be the same path, or a sub directory of any of the `git_data_dirs`
147# gitlab_rails['gitlab_repository_downloads_path'] = 'tmp/repositories'
148
149### Gravatar Settings
150# gitlab_rails['gravatar_plain_url'] = 'http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'
151# gitlab_rails['gravatar_ssl_url'] = 'https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'
152
153### Auxiliary jobs
154###! Periodically executed jobs, to self-heal Gitlab, do external
155###! synchronizations, etc.
156###! Docs: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
157###! https://docs.gitlab.com/ee/ci/yaml/README.html#artifactsexpire_in
158# gitlab_rails['stuck_ci_jobs_worker_cron'] = "0 0 * * *"
159# gitlab_rails['expire_build_artifacts_worker_cron'] = "*/7 * * * *"
160# gitlab_rails['environments_auto_stop_cron_worker_cron'] = "24 * * * *"
161# gitlab_rails['pipeline_schedule_worker_cron'] = "19 * * * *"
162# gitlab_rails['ci_archive_traces_cron_worker_cron'] = "17 * * * *"
163# gitlab_rails['repository_check_worker_cron'] = "20 * * * *"
164# gitlab_rails['admin_email_worker_cron'] = "0 0 * * 0"
165# gitlab_rails['personal_access_tokens_expiring_worker_cron'] = "0 1 * * *"
166# gitlab_rails['personal_access_tokens_expired_notification_worker_cron'] = "0 2 * * *"
167# gitlab_rails['repository_archive_cache_worker_cron'] = "0 * * * *"
168# gitlab_rails['pages_domain_verification_cron_worker'] = "*/15 * * * *"
169# gitlab_rails['pages_domain_ssl_renewal_cron_worker'] = "*/10 * * * *"
170# gitlab_rails['pages_domain_removal_cron_worker'] = "47 0 * * *"
171# gitlab_rails['remove_unaccepted_member_invites_cron_worker'] = "10 15 * * *"
172# gitlab_rails['schedule_migrate_external_diffs_worker_cron'] = "15 * * * *"
173# gitlab_rails['ci_platform_metrics_update_cron_worker'] = '47 9 * * *'
174# gitlab_rails['analytics_usage_trends_count_job_trigger_worker_cron'] = "50 23 */1 * *"
175# gitlab_rails['member_invitation_reminder_emails_worker_cron'] = "0 0 * * *"
176# gitlab_rails['user_status_cleanup_batch_worker_cron'] = "* * * * *"
177
178### Webhook Settings
179###! Number of seconds to wait for HTTP response after sending webhook HTTP POST
180###! request (default: 10)
181# gitlab_rails['webhook_timeout'] = 10
182
183### GraphQL Settings
184###! Tells the rails application how long it has to complete a GraphQL request.
185###! We suggest this value to be higher than the database timeout value
186###! and lower than the worker timeout set in unicorn/puma. (default: 30)
187# gitlab_rails['graphql_timeout'] = 30
188
189### Trusted proxies
190###! Customize if you have GitLab behind a reverse proxy which is running on a
191###! different machine.
192###! **Add the IP address for your reverse proxy to the list, otherwise users
193###! will appear signed in from that address.**
194# gitlab_rails['trusted_proxies'] = []
195
196### Content Security Policy
197####! Customize if you want to enable the Content-Security-Policy header, which
198####! can help thwart JavaScript cross-site scripting (XSS) attacks.
199####! See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
200# gitlab_rails['content_security_policy'] = {
201# 'enabled' => false,
202# 'report_only' => false,
203# # Each directive is a String (e.g. "'self'").
204# 'directives' => {
205# 'base_uri' => nil,
206# 'child_src' => nil,
207# 'connect_src' => nil,
208# 'default_src' => nil,
209# 'font_src' => nil,
210# 'form_action' => nil,
211# 'frame_ancestors' => nil,
212# 'frame_src' => nil,
213# 'img_src' => nil,
214# 'manifest_src' => nil,
215# 'media_src' => nil,
216# 'object_src' => nil,
217# 'script_src' => nil,
218# 'style_src' => nil,
219# 'worker_src' => nil,
220# 'report_uri' => nil,
221# }
222# }
223
224### Allowed hosts
225###! Customize the `host` headers that should be catered by the Rails
226###! application. By default, everything is allowed.
227# gitlab_rails['allowed_hosts'] = []
228
229### Monitoring settings
230###! IP whitelist controlling access to monitoring endpoints
231# gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128']
232###! Time between sampling of unicorn socket metrics, in seconds
233# gitlab_rails['monitoring_unicorn_sampler_interval'] = 10
234
235### Shutdown settings
236###! Defines an interval to block healthcheck,
237###! but continue accepting application requests.
238# gitlab_rails['shutdown_blackout_seconds'] = 10
239
240### Reply by email
241###! Allow users to comment on issues and merge requests by replying to
242###! notification emails.
243###! Docs: https://docs.gitlab.com/ee/administration/reply_by_email.html
244# gitlab_rails['incoming_email_enabled'] = true
245
246#### Incoming Email Address
247####! The email address including the `%{key}` placeholder that will be replaced
248####! to reference the item being replied to.
249####! **The placeholder can be omitted but if present, it must appear in the
250####! "user" part of the address (before the `@`).**
251# gitlab_rails['incoming_email_address'] = "gitlab-incoming+%{key}@gmail.com"
252
253#### Email account username
254####! **With third party providers, this is usually the full email address.**
255####! **With self-hosted email servers, this is usually the user part of the
256####! email address.**
257# gitlab_rails['incoming_email_email'] = "gitlab-incoming@gmail.com"
258
259#### Email account password
260# gitlab_rails['incoming_email_password'] = "[REDACTED]"
261
262#### IMAP Settings
263# gitlab_rails['incoming_email_host'] = "imap.gmail.com"
264# gitlab_rails['incoming_email_port'] = 993
265# gitlab_rails['incoming_email_ssl'] = true
266# gitlab_rails['incoming_email_start_tls'] = false
267
268#### Incoming Mailbox Settings (via `mail_room`)
269####! The mailbox where incoming mail will end up. Usually "inbox".
270# gitlab_rails['incoming_email_mailbox_name'] = "inbox"
271####! The IDLE command timeout.
272# gitlab_rails['incoming_email_idle_timeout'] = 60
273####! The file name for internal `mail_room` JSON logfile
274# gitlab_rails['incoming_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log"
275####! Permanently remove messages from the mailbox when they are deleted after delivery
276# gitlab_rails['incoming_email_expunge_deleted'] = false
277
278####! The format of mail_room crash logs
279# mailroom['exit_log_format'] = "plain"
280
281### Consolidated (simplified) object storage configuration
282###! This uses a single credential for object storage with multiple buckets.
283###! It also enables Workhorse to upload files directly with its own S3 client
284###! instead of using pre-signed URLs.
285###!
286###! This configuration will only take effect if the object_store
287###! sections are not defined within the types. For example, enabling
288###! gitlab_rails['artifacts_object_store_enabled'] or
289###! gitlab_rails['lfs_object_store_enabled'] will prevent the
290###! consolidated settings from being used.
291###!
292###! Be sure to use different buckets for each type of object.
293###! Docs: https://docs.gitlab.com/ee/administration/object_storage.html
294# gitlab_rails['object_store']['enabled'] = false
295# gitlab_rails['object_store']['connection'] = {}
296# gitlab_rails['object_store']['storage_options'] = {}
297# gitlab_rails['object_store']['proxy_download'] = false
298# gitlab_rails['object_store']['objects']['artifacts']['bucket'] = nil
299# gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = nil
300# gitlab_rails['object_store']['objects']['lfs']['bucket'] = nil
301# gitlab_rails['object_store']['objects']['uploads']['bucket'] = nil
302# gitlab_rails['object_store']['objects']['packages']['bucket'] = nil
303# gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = nil
304# gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
305
306### Job Artifacts
307# gitlab_rails['artifacts_enabled'] = true
308# gitlab_rails['artifacts_path'] = "/var/opt/gitlab/gitlab-rails/shared/artifacts"
309####! Job artifacts Object Store
310####! Docs: https://docs.gitlab.com/ee/administration/job_artifacts.html#using-object-storage
311# gitlab_rails['artifacts_object_store_enabled'] = false
312# gitlab_rails['artifacts_object_store_direct_upload'] = false
313# gitlab_rails['artifacts_object_store_background_upload'] = true
314# gitlab_rails['artifacts_object_store_proxy_download'] = false
315# gitlab_rails['artifacts_object_store_remote_directory'] = "artifacts"
316# gitlab_rails['artifacts_object_store_connection'] = {
317# 'provider' => 'AWS',
318# 'region' => 'eu-west-1',
319# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
320# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
321# # # The below options configure an S3 compatible host instead of AWS
322# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
323# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
324# # 'host' => 's3.amazonaws.com',
325# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
326# }
327
328### External merge request diffs
329# gitlab_rails['external_diffs_enabled'] = false
330# gitlab_rails['external_diffs_when'] = nil
331# gitlab_rails['external_diffs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/external-diffs"
332# gitlab_rails['external_diffs_object_store_enabled'] = false
333# gitlab_rails['external_diffs_object_store_direct_upload'] = false
334# gitlab_rails['external_diffs_object_store_background_upload'] = false
335# gitlab_rails['external_diffs_object_store_proxy_download'] = false
336# gitlab_rails['external_diffs_object_store_remote_directory'] = "external-diffs"
337# gitlab_rails['external_diffs_object_store_connection'] = {
338# 'provider' => 'AWS',
339# 'region' => 'eu-west-1',
340# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
341# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
342# # # The below options configure an S3 compatible host instead of AWS
343# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
344# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
345# # 'host' => 's3.amazonaws.com',
346# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
347# }
348
349### Git LFS
350# gitlab_rails['lfs_enabled'] = true
351# gitlab_rails['lfs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/lfs-objects"
352# gitlab_rails['lfs_object_store_enabled'] = false
353# gitlab_rails['lfs_object_store_direct_upload'] = false
354# gitlab_rails['lfs_object_store_background_upload'] = true
355# gitlab_rails['lfs_object_store_proxy_download'] = false
356# gitlab_rails['lfs_object_store_remote_directory'] = "lfs-objects"
357# gitlab_rails['lfs_object_store_connection'] = {
358# 'provider' => 'AWS',
359# 'region' => 'eu-west-1',
360# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
361# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
362# # # The below options configure an S3 compatible host instead of AWS
363# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
364# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
365# # 'host' => 's3.amazonaws.com',
366# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
367# }
368
369### GitLab uploads
370###! Docs: https://docs.gitlab.com/ee/administration/uploads.html
371# gitlab_rails['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads"
372# gitlab_rails['uploads_storage_path'] = "/opt/gitlab/embedded/service/gitlab-rails/public"
373# gitlab_rails['uploads_base_dir'] = "uploads/-/system"
374# gitlab_rails['uploads_object_store_enabled'] = false
375# gitlab_rails['uploads_object_store_direct_upload'] = false
376# gitlab_rails['uploads_object_store_background_upload'] = true
377# gitlab_rails['uploads_object_store_proxy_download'] = false
378# gitlab_rails['uploads_object_store_remote_directory'] = "uploads"
379# gitlab_rails['uploads_object_store_connection'] = {
380# 'provider' => 'AWS',
381# 'region' => 'eu-west-1',
382# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
383# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
384# # # The below options configure an S3 compatible host instead of AWS
385# # 'host' => 's3.amazonaws.com',
386# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
387# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
388# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
389# }
390
391### Terraform state
392###! Docs: https://docs.gitlab.com/ee/administration/terraform_state
393# gitlab_rails['terraform_state_enabled'] = true
394# gitlab_rails['terraform_state_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/terraform_state"
395# gitlab_rails['terraform_state_object_store_enabled'] = false
396# gitlab_rails['terraform_state_object_store_remote_directory'] = "terraform"
397# gitlab_rails['terraform_state_object_store_connection'] = {
398# 'provider' => 'AWS',
399# 'region' => 'eu-west-1',
400# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
401# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
402# # # The below options configure an S3 compatible host instead of AWS
403# # 'host' => 's3.amazonaws.com',
404# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
405# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
406# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
407# }
408
409### GitLab Pages
410# gitlab_rails['pages_object_store_enabled'] = false
411# gitlab_rails['pages_object_store_remote_directory'] = "pages"
412# gitlab_rails['pages_object_store_connection'] = {
413# 'provider' => 'AWS',
414# 'region' => 'eu-west-1',
415# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
416# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
417# # # The below options configure an S3 compatible host instead of AWS
418# # 'host' => 's3.amazonaws.com',
419# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
420# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
421# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
422# }
423
424### Impersonation settings
425# gitlab_rails['impersonation_enabled'] = true
426
427### Application settings cache expiry in seconds. (default: 60)
428# gitlab_rails['application_settings_cache_seconds'] = 60
429
430### Usage Statistics
431# gitlab_rails['usage_ping_enabled'] = true
432
433### Seat Link setting
434###! Docs: https://docs.gitlab.com/ee/subscriptions/index.html#seat-link
435# gitlab_rails['seat_link_enabled'] = true
436
437### GitLab Mattermost
438###! These settings are void if Mattermost is installed on the same omnibus
439###! install
440# gitlab_rails['mattermost_host'] = "https://mattermost.example.com"
441
442### LDAP Settings
443###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
444###! **Be careful not to break the indentation in the ldap_servers block. It is
445###! in yaml format and the spaces must be retained. Using tabs will not work.**
446
447# gitlab_rails['ldap_enabled'] = false
448# gitlab_rails['prevent_ldap_sign_in'] = false
449
450###! **remember to close this block with 'EOS' below**
451# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
452# main: # 'main' is the GitLab 'provider ID' of this LDAP server
453# label: 'LDAP'
454# host: '_your_ldap_server'
455# port: 389
456# uid: 'sAMAccountName'
457# bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
458# password: '_the_password_of_the_bind_user'
459# encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
460# verify_certificates: true
461# smartcard_auth: false
462# active_directory: true
463# allow_username_or_email_login: false
464# lowercase_usernames: false
465# block_auto_created_users: false
466# base: ''
467# user_filter: ''
468# ## EE only
469# group_base: ''
470# admin_group: ''
471# sync_ssh_keys: false
472#
473# secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
474# label: 'LDAP'
475# host: '_your_ldap_server'
476# port: 389
477# uid: 'sAMAccountName'
478# bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
479# password: '_the_password_of_the_bind_user'
480# encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
481# verify_certificates: true
482# smartcard_auth: false
483# active_directory: true
484# allow_username_or_email_login: false
485# lowercase_usernames: false
486# block_auto_created_users: false
487# base: ''
488# user_filter: ''
489# ## EE only
490# group_base: ''
491# admin_group: ''
492# sync_ssh_keys: false
493# EOS
494
495### Smartcard authentication settings
496###! Docs: https://docs.gitlab.com/ee/administration/auth/smartcard.html
497# gitlab_rails['smartcard_enabled'] = false
498# gitlab_rails['smartcard_ca_file'] = "/etc/gitlab/ssl/CA.pem"
499# gitlab_rails['smartcard_client_certificate_required_host'] = 'smartcard.gitlab.example.com'
500# gitlab_rails['smartcard_client_certificate_required_port'] = 3444
501# gitlab_rails['smartcard_required_for_git_access'] = false
502# gitlab_rails['smartcard_san_extensions'] = false
503
504### OmniAuth Settings
505###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
506# gitlab_rails['omniauth_enabled'] = nil
507# gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
508# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
509# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
510# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
511# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
512# gitlab_rails['omniauth_block_auto_created_users'] = true
513# gitlab_rails['omniauth_auto_link_ldap_user'] = false
514# gitlab_rails['omniauth_auto_link_saml_user'] = false
515# gitlab_rails['omniauth_auto_link_user'] = ['saml']
516# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
517# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
518# gitlab_rails['omniauth_providers'] = [
519# {
520# "name" => "google_oauth2",
521# "app_id" => "YOUR APP ID",
522# "app_secret" => "YOUR APP SECRET",
523# "args" => { "access_type" => "offline", "approval_prompt" => "" }
524# }
525# ]
526
527### FortiAuthenticator authentication settings
528# gitlab_rails['forti_authenticator_enabled'] = false
529# gitlab_rails['forti_authenticator_host'] = 'forti_authenticator.example.com'
530# gitlab_rails['forti_authenticator_port'] = 443
531# gitlab_rails['forti_authenticator_username'] = 'admin'
532# gitlab_rails['forti_authenticator_access_token'] = 's3cr3t'
533
534### FortiToken Cloud authentication settings
535# gitlab_rails['forti_token_cloud_enabled'] = false
536# gitlab_rails['forti_token_cloud_client_id'] = 'forti_token_cloud_client_id'
537# gitlab_rails['forti_token_cloud_client_secret'] = 's3cr3t'
538
539### Backup Settings
540###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html
541
542# gitlab_rails['manage_backup_path'] = true
543# gitlab_rails['backup_path'] = "/var/opt/gitlab/backups"
544
545###! Docs: https://docs.gitlab.com/ee/raketasks/backup_restore.html#backup-archive-permissions
546# gitlab_rails['backup_archive_permissions'] = 0644
547
548# gitlab_rails['backup_pg_schema'] = 'public'
549
550###! The duration in seconds to keep backups before they are allowed to be deleted
551# gitlab_rails['backup_keep_time'] = 604800
552
553# gitlab_rails['backup_upload_connection'] = {
554# 'provider' => 'AWS',
555# 'region' => 'eu-west-1',
556# 'aws_access_key_id' => 'AKIAKIAKI',
557# 'aws_secret_access_key' => 'secret123',
558# # # If IAM profile use is enabled, remove aws_access_key_id and aws_secret_access_key
559# 'use_iam_profile' => false
560# }
561# gitlab_rails['backup_upload_remote_directory'] = 'my.s3.bucket'
562# gitlab_rails['backup_multipart_chunk_size'] = 104857600
563
564###! **Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for
565###! backups**
566# gitlab_rails['backup_encryption'] = 'AES256'
567###! The encryption key to use with AWS Server-Side Encryption.
568###! Setting this value will enable Server-Side Encryption with customer provided keys;
569###! otherwise S3-managed keys are used.
570# gitlab_rails['backup_encryption_key'] = '<base64-encoded encryption key>'
571
572###! **Specifies Amazon S3 storage class to use for backups. Valid values
573###! include 'STANDARD', 'STANDARD_IA', and 'REDUCED_REDUNDANCY'**
574# gitlab_rails['backup_storage_class'] = 'STANDARD'
575
576###! Skip parts of the backup. Comma separated.
577###! Docs: https://docs.gitlab.com/ee/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup
578#gitlab_rails['env'] = {
579# "SKIP" => "db,uploads,repositories,builds,artifacts,lfs,registry,pages"
580#}
581
582### Pseudonymizer Settings
583# gitlab_rails['pseudonymizer_manifest'] = 'config/pseudonymizer.yml'
584# gitlab_rails['pseudonymizer_upload_remote_directory'] = 'gitlab-elt'
585# gitlab_rails['pseudonymizer_upload_connection'] = {
586# 'provider' => 'AWS',
587# 'region' => 'eu-west-1',
588# 'aws_access_key_id' => 'AKIAKIAKI',
589# 'aws_secret_access_key' => 'secret123'
590# }
591
592
593### For setting up different data storing directory
594###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#storing-git-data-in-an-alternative-directory
595###! **If you want to use a single non-default directory to store git data use a
596###! path that doesn't contain symlinks.**
597# git_data_dirs({
598# "default" => {
599# "path" => "/mnt/nfs-01/git-data"
600# }
601# })
602
603### Gitaly settings
604# gitlab_rails['gitaly_token'] = 'secret token'
605
606### For storing GitLab application uploads, eg. LFS objects, build artifacts
607###! Docs: https://docs.gitlab.com/ee/development/shared_files.html
608# gitlab_rails['shared_path'] = '/var/opt/gitlab/gitlab-rails/shared'
609
610### For storing encrypted configuration files
611###! Docs: https://docs.gitlab.com/ee/administration/encrypted_configuration.html
612# gitlab_rails['encrypted_settings_path'] = '/var/opt/gitlab/gitlab-rails/shared/encrypted_settings'
613
614### Wait for file system to be mounted
615###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#only-start-omnibus-gitlab-services-after-a-given-filesystem-is-mounted
616# high_availability['mountpoint'] = ["/var/opt/gitlab/git-data", "/var/opt/gitlab/gitlab-rails/shared"]
617
618### GitLab Shell settings for GitLab
619# gitlab_rails['gitlab_shell_ssh_port'] = 22
620# gitlab_rails['gitlab_shell_git_timeout'] = 800
621
622### Extra customization
623# gitlab_rails['extra_google_analytics_id'] = '_your_tracking_id'
624# gitlab_rails['extra_google_tag_manager_id'] = '_your_tracking_id'
625# gitlab_rails['extra_matomo_url'] = '_your_matomo_url'
626# gitlab_rails['extra_matomo_site_id'] = '_your_matomo_site_id'
627# gitlab_rails['extra_matomo_disable_cookies'] = false
628
629##! Docs: https://docs.gitlab.com/omnibus/settings/environment-variables.html
630# gitlab_rails['env'] = {
631# 'BUNDLE_GEMFILE' => "/opt/gitlab/embedded/service/gitlab-rails/Gemfile",
632# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin"
633# }
634
635# gitlab_rails['rack_attack_git_basic_auth'] = {
636# 'enabled' => false,
637# 'ip_whitelist' => ["127.0.0.1"],
638# 'maxretry' => 10,
639# 'findtime' => 60,
640# 'bantime' => 3600
641# }
642
643###! **We do not recommend changing these directories.**
644# gitlab_rails['dir'] = "/var/opt/gitlab/gitlab-rails"
645# gitlab_rails['log_directory'] = "/var/log/gitlab/gitlab-rails"
646
647#### Change the initial default admin password and shared runner registration tokens.
648####! **Only applicable on initial setup, changing these settings after database
649####! is created and seeded won't yield any change.**
650# gitlab_rails['initial_root_password'] = "password"
651# gitlab_rails['initial_shared_runners_registration_token'] = "token"
652
653#### Set path to an initial license to be used while bootstrapping GitLab.
654####! **Only applicable on initial setup, future license updations need to be done via UI.
655####! Updating the file specified in this path won't yield any change after the first reconfigure run.
656# gitlab_rails['initial_license_file'] = '/etc/gitlab/company.gitlab-license'
657
658#### Enable or disable automatic database migrations
659# gitlab_rails['auto_migrate'] = true
660
661#### This is advanced feature used by large gitlab deployments where loading
662#### whole RAILS env takes a lot of time.
663# gitlab_rails['rake_cache_clear'] = true
664
665### GitLab database settings
666###! Docs: https://docs.gitlab.com/omnibus/settings/database.html
667###! **Only needed if you use an external database.**
668# gitlab_rails['db_adapter'] = "postgresql"
669# gitlab_rails['db_encoding'] = "unicode"
670# gitlab_rails['db_collation'] = nil
671# gitlab_rails['db_database'] = "gitlabhq_production"
672# gitlab_rails['db_username'] = "gitlab"
673# gitlab_rails['db_password'] = nil
674# gitlab_rails['db_host'] = nil
675# gitlab_rails['db_port'] = 5432
676# gitlab_rails['db_socket'] = nil
677# gitlab_rails['db_sslmode'] = nil
678# gitlab_rails['db_sslcompression'] = 0
679# gitlab_rails['db_sslrootcert'] = nil
680# gitlab_rails['db_sslcert'] = nil
681# gitlab_rails['db_sslkey'] = nil
682# gitlab_rails['db_prepared_statements'] = false
683# gitlab_rails['db_statements_limit'] = 1000
684# gitlab_rails['db_connect_timeout'] = nil
685# gitlab_rails['db_keepalives'] = nil
686# gitlab_rails['db_keepalives_idle'] = nil
687# gitlab_rails['db_keepalives_interval'] = nil
688# gitlab_rails['db_keepalives_count'] = nil
689# gitlab_rails['db_tcp_user_timeout'] = nil
690# gitlab_rails['db_application_name'] = nil
691
692
693### GitLab Redis settings
694###! Connect to your own Redis instance
695###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html
696
697#### Redis TCP connection
698# gitlab_rails['redis_host'] = "127.0.0.1"
699# gitlab_rails['redis_port'] = 6379
700# gitlab_rails['redis_ssl'] = false
701# gitlab_rails['redis_password'] = nil
702# gitlab_rails['redis_database'] = 0
703# gitlab_rails['redis_enable_client'] = true
704
705#### Redis local UNIX socket (will be disabled if TCP method is used)
706# gitlab_rails['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"
707
708#### Sentinel support
709####! To have Sentinel working, you must enable Redis TCP connection support
710####! above and define a few Sentinel hosts below (to get a reliable setup
711####! at least 3 hosts).
712####! **You don't need to list every sentinel host, but the ones not listed will
713####! not be used in a fail-over situation to query for the new master.**
714# gitlab_rails['redis_sentinels'] = [
715# {'host' => '127.0.0.1', 'port' => 26379},
716# ]
717
718#### Separate instances support
719###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html#running-with-multiple-redis-instances
720# gitlab_rails['redis_cache_instance'] = nil
721# gitlab_rails['redis_cache_sentinels'] = nil
722# gitlab_rails['redis_queues_instance'] = nil
723# gitlab_rails['redis_queues_sentinels'] = nil
724# gitlab_rails['redis_shared_state_instance'] = nil
725# gitlab_rails['redis_shared_sentinels'] = nil
726# gitlab_rails['redis_actioncable_instance'] = nil
727# gitlab_rails['redis_actioncable_sentinels'] = nil
728
729################################################################################
730## Container Registry settings
731##! Docs: https://docs.gitlab.com/ee/administration/container_registry.html
732################################################################################
733
734 registry_external_url 'http://registry.gitlab.lan'
735
736### Settings used by GitLab application
737 gitlab_rails['registry_enabled'] = true
738 gitlab_rails['registry_host'] = "localhost"
739 gitlab_rails['registry_port'] = "5005"
740# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
741
742# Notification secret, it's used to authenticate notification requests to GitLab application
743# You only need to change this when you use external Registry service, otherwise
744# it will be taken directly from notification settings of your Registry
745# gitlab_rails['registry_notification_secret'] = nil
746
747###! **Do not change the following 3 settings unless you know what you are
748###! doing**
749# gitlab_rails['registry_api_url'] = "http://localhost:5000"
750# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
751# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"
752
753### Settings used by Registry application
754 registry['enable'] = true
755# registry['username'] = "registry"
756# registry['group'] = "registry"
757# registry['uid'] = nil
758# registry['gid'] = nil
759 registry['dir'] = "/var/opt/gitlab/registry"
760 registry['registry_http_addr'] = "localhost:5000"
761 registry['debug_addr'] = "localhost:5001"
762 registry['log_directory'] = "/var/log/gitlab/registry"
763# registry['env_directory'] = "/opt/gitlab/etc/registry/env"
764# registry['env'] = {
765# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
766# }
767# registry['log_level'] = "info"
768# registry['log_formatter'] = "text"
769# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
770# registry['health_storagedriver_enabled'] = true
771# registry['storage_delete_enabled'] = true
772# registry['validation_enabled'] = false
773# registry['autoredirect'] = false
774# registry['compatibility_schema1_enabled'] = false
775
776### Registry backend storage
777###! Docs: https://docs.gitlab.com/ee/administration/packages/container_registry.html#configure-storage-for-the-container-registry
778# registry['storage'] = {
779# 's3' => {
780# 'accesskey' => 's3-access-key',
781# 'secretkey' => 's3-secret-key-for-access-key',
782# 'bucket' => 'your-s3-bucket',
783# 'region' => 'your-s3-region',
784# 'regionendpoint' => 'your-s3-regionendpoint'
785# },
786# 'redirect' => {
787# 'disable' => false
788# }
789# }
790
791### Registry notifications endpoints
792# registry['notifications'] = [
793# {
794# 'name' => 'test_endpoint',
795# 'url' => 'https://gitlab.example.com/notify2',
796# 'timeout' => '500ms',
797# 'threshold' => 5,
798# 'backoff' => '1s',
799# 'headers' => {
800# "Authorization" => ["AUTHORIZATION_EXAMPLE_TOKEN"]
801# }
802# }
803# ]
804### Default registry notifications
805# registry['default_notifications_timeout'] = "500ms"
806# registry['default_notifications_threshold'] = 5
807# registry['default_notifications_backoff'] = "1s"
808# registry['default_notifications_headers'] = {}
809
810################################################################################
811## Error Reporting and Logging with Sentry
812################################################################################
813# gitlab_rails['sentry_enabled'] = false
814# gitlab_rails['sentry_dsn'] = 'https://<key>@sentry.io/<project>'
815# gitlab_rails['sentry_clientside_dsn'] = 'https://<key>@sentry.io/<project>'
816# gitlab_rails['sentry_environment'] = 'production'
817
818################################################################################
819## CI_JOB_JWT
820################################################################################
821##! RSA private key used to sign CI_JOB_JWT
822# gitlab_rails['ci_jwt_signing_key'] = nil # Will be generated if not set.
823
824################################################################################
825## GitLab Workhorse
826##! Docs: https://gitlab.com/gitlab-org/gitlab-workhorse/blob/master/README.md
827################################################################################
828
829# gitlab_workhorse['enable'] = true
830# gitlab_workhorse['ha'] = false
831# gitlab_workhorse['alt_document_root'] = nil
832# gitlab_workhorse['listen_network'] = "unix"
833# gitlab_workhorse['listen_umask'] = 000
834# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
835# gitlab_workhorse['auth_backend'] = "http://localhost:8080"
836
837##! the empty string is the default in gitlab-workhorse option parser
838# gitlab_workhorse['auth_socket'] = "''"
839
840##! put an empty string on the command line
841# gitlab_workhorse['pprof_listen_addr'] = "''"
842
843# gitlab_workhorse['prometheus_listen_addr'] = "localhost:9229"
844
845# gitlab_workhorse['dir'] = "/var/opt/gitlab/gitlab-workhorse"
846# gitlab_workhorse['log_directory'] = "/var/log/gitlab/gitlab-workhorse"
847# gitlab_workhorse['proxy_headers_timeout'] = "1m0s"
848
849##! limit number of concurrent API requests, defaults to 0 which is unlimited
850# gitlab_workhorse['api_limit'] = 0
851
852##! limit number of API requests allowed to be queued, defaults to 0 which
853##! disables queuing
854# gitlab_workhorse['api_queue_limit'] = 0
855
856##! duration after which we timeout requests if they sit too long in the queue
857# gitlab_workhorse['api_queue_duration'] = "30s"
858
859##! Long polling duration for job requesting for runners
860# gitlab_workhorse['api_ci_long_polling_duration'] = "60s"
861
862##! Log format: default is json, can also be text or none.
863# gitlab_workhorse['log_format'] = "json"
864
865# gitlab_workhorse['env_directory'] = "/opt/gitlab/etc/gitlab-workhorse/env"
866# gitlab_workhorse['env'] = {
867# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin",
868# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
869# }
870
871##! Resource limitations for the dynamic image scaler.
872##! Exceeding these thresholds will cause Workhorse to serve images in their original size.
873##!
874##! Maximum number of scaler processes that are allowed to execute concurrently.
875##! It is recommended for this not to exceed the number of CPUs available.
876# gitlab_workhorse['image_scaler_max_procs'] = 4
877##!
878##! Maximum file size in bytes for an image to be considered eligible for rescaling
879# gitlab_workhorse['image_scaler_max_filesize'] = 250000
880
881################################################################################
882## GitLab User Settings
883##! Modify default git user.
884##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#changing-the-name-of-the-git-user-group
885################################################################################
886
887# user['username'] = "git"
888# user['group'] = "git"
889# user['uid'] = nil
890# user['gid'] = nil
891
892##! The shell for the git user
893# user['shell'] = "/bin/sh"
894
895##! The home directory for the git user
896# user['home'] = "/var/opt/gitlab"
897
898# user['git_user_name'] = "GitLab"
899# user['git_user_email'] = "gitlab@#{node['fqdn']}"
900
901################################################################################
902## GitLab Unicorn
903##! Tweak unicorn settings.
904##! Docs: https://docs.gitlab.com/omnibus/settings/unicorn.html
905################################################################################
906
907# unicorn['enable'] = false
908# unicorn['worker_timeout'] = 60
909###! Minimum worker_processes is 2 at this moment
910###! See https://gitlab.com/gitlab-org/gitlab-foss/issues/18771
911# unicorn['worker_processes'] = 2
912
913### Advanced settings
914# unicorn['listen'] = 'localhost'
915# unicorn['port'] = 8080
916# unicorn['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'
917# unicorn['pidfile'] = '/opt/gitlab/var/unicorn/unicorn.pid'
918# unicorn['tcp_nopush'] = true
919# unicorn['backlog_socket'] = 1024
920
921###! **Make sure somaxconn is equal or higher then backlog_socket**
922# unicorn['somaxconn'] = 1024
923
924###! **We do not recommend changing this setting**
925# unicorn['log_directory'] = "/var/log/gitlab/unicorn"
926
927### **Only change these settings if you understand well what they mean**
928###! Docs: https://docs.gitlab.com/ee/administration/operations/unicorn.html#unicorn-worker-killer
929###! https://github.com/kzk/unicorn-worker-killer
930# unicorn['worker_memory_limit_min'] = "1024 * 1 << 20"
931# unicorn['worker_memory_limit_max'] = "1280 * 1 << 20"
932
933# unicorn['exporter_enabled'] = false
934# unicorn['exporter_address'] = "127.0.0.1"
935# unicorn['exporter_port'] = 8083
936
937################################################################################
938## GitLab Puma
939##! Tweak puma settings. You should only use Unicorn or Puma, not both.
940##! Docs: https://docs.gitlab.com/omnibus/settings/puma.html
941################################################################################
942
943# puma['enable'] = true
944# puma['ha'] = false
945# puma['worker_timeout'] = 60
946# puma['worker_processes'] = 2
947# puma['min_threads'] = 4
948# puma['max_threads'] = 4
949
950### Advanced settings
951# puma['listen'] = '127.0.0.1'
952# puma['port'] = 8080
953# puma['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'
954# puma['somaxconn'] = 1024
955
956# puma['pidfile'] = '/opt/gitlab/var/puma/puma.pid'
957# puma['state_path'] = '/opt/gitlab/var/puma/puma.state'
958
959###! **We do not recommend changing this setting**
960# puma['log_directory'] = "/var/log/gitlab/puma"
961
962### **Only change these settings if you understand well what they mean**
963###! Docs: https://github.com/schneems/puma_worker_killer
964# puma['per_worker_max_memory_mb'] = 850
965
966# puma['exporter_enabled'] = false
967# puma['exporter_address'] = "127.0.0.1"
968# puma['exporter_port'] = 8083
969
970################################################################################
971## GitLab Sidekiq
972################################################################################
973
974##! GitLab allows one to start multiple sidekiq processes. These
975##! processes can be used to consume a dedicated set of queues. This
976##! can be used to ensure certain queues are able to handle additional workload.
977##! https://docs.gitlab.com/ee/administration/operations/extra_sidekiq_processes.html
978
979# sidekiq['log_directory'] = "/var/log/gitlab/sidekiq"
980# sidekiq['log_format'] = "json"
981# sidekiq['shutdown_timeout'] = 4
982# sidekiq['cluster'] = true
983# sidekiq['queue_selector'] = false
984# sidekiq['interval'] = nil
985# sidekiq['max_concurrency'] = 50
986# sidekiq['min_concurrency'] = nil
987
988##! Each entry in the queue_groups array denotes a group of queues that have to be processed by a
989##! Sidekiq process. Multiple queues can be processed by the same process by
990##! separating them with a comma within the group entry, a `*` will process all queues
991
992# sidekiq['queue_groups'] = ['*']
993
994##! If negate is enabled then sidekiq-cluster will process all the queues that
995##! don't match those in queue_groups.
996
997# sidekiq['negate'] = false
998
999# sidekiq['metrics_enabled'] = true
1000# sidekiq['exporter_log_enabled'] = false
1001# sidekiq['listen_address'] = "localhost"
1002# sidekiq['listen_port'] = 8082
1003
1004################################################################################
1005## gitlab-shell
1006################################################################################
1007
1008# gitlab_shell['audit_usernames'] = false
1009# gitlab_shell['log_level'] = 'INFO'
1010# gitlab_shell['log_format'] = 'json'
1011# gitlab_shell['http_settings'] = { user: 'username', password: 'password', ca_file: '/etc/ssl/cert.pem', ca_path: '/etc/pki/tls/certs', self_signed_cert: false}
1012# gitlab_shell['log_directory'] = "/var/log/gitlab/gitlab-shell/"
1013# gitlab_shell['custom_hooks_dir'] = "/opt/gitlab/embedded/service/gitlab-shell/hooks"
1014
1015# gitlab_shell['auth_file'] = "/var/opt/gitlab/.ssh/authorized_keys"
1016
1017### Migration to Go feature flags
1018###! Docs: https://gitlab.com/gitlab-org/gitlab-shell#migration-to-go-feature-flags
1019# gitlab_shell['migration'] = { enabled: true, features: [] }
1020
1021### Git trace log file.
1022###! If set, git commands receive GIT_TRACE* environment variables
1023###! Docs: https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging
1024###! An absolute path starting with / – the trace output will be appended to
1025###! that file. It needs to exist so we can check permissions and avoid
1026###! throwing warnings to the users.
1027# gitlab_shell['git_trace_log_file'] = "/var/log/gitlab/gitlab-shell/gitlab-shell-git-trace.log"
1028
1029##! **We do not recommend changing this directory.**
1030# gitlab_shell['dir'] = "/var/opt/gitlab/gitlab-shell"
1031
1032################################################################
1033## GitLab PostgreSQL
1034################################################################
1035
1036###! Changing any of these settings requires a restart of postgresql.
1037###! By default, reconfigure reloads postgresql if it is running. If you
1038###! change any of these settings, be sure to run `gitlab-ctl restart postgresql`
1039###! after reconfigure in order for the changes to take effect.
1040# postgresql['enable'] = true
1041# postgresql['listen_address'] = nil
1042# postgresql['port'] = 5432
1043
1044## Only used when Patroni is enabled. This is the port that PostgreSQL responds to other
1045## cluster members. This port is used by Patroni to advertize the PostgreSQL connection
1046## endpoint to the cluster. By default it is the same as postgresql['port'].
1047# postgresql['connect_port'] = 5432
1048
1049# postgresql['data_dir'] = "/var/opt/gitlab/postgresql/data"
1050
1051##! **recommend value is 1/4 of total RAM, up to 14GB.**
1052# postgresql['shared_buffers'] = "256MB"
1053
1054### Advanced settings
1055# postgresql['ha'] = false
1056# postgresql['dir'] = "/var/opt/gitlab/postgresql"
1057# postgresql['log_directory'] = "/var/log/gitlab/postgresql"
1058# postgresql['log_destination'] = nil
1059# postgresql['logging_collector'] = nil
1060# postgresql['log_truncate_on_rotation'] = nil
1061# postgresql['log_rotation_age'] = nil
1062# postgresql['log_rotation_size'] = nil
1063# postgresql['username'] = "gitlab-psql"
1064# postgresql['group'] = "gitlab-psql"
1065##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab`
1066# postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH'
1067# postgresql['uid'] = nil
1068# postgresql['gid'] = nil
1069# postgresql['shell'] = "/bin/sh"
1070# postgresql['home'] = "/var/opt/gitlab/postgresql"
1071# postgresql['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH"
1072# postgresql['sql_user'] = "gitlab"
1073# postgresql['max_connections'] = 200
1074# postgresql['md5_auth_cidr_addresses'] = []
1075# postgresql['trust_auth_cidr_addresses'] = []
1076# postgresql['wal_buffers'] = "-1"
1077# postgresql['autovacuum_max_workers'] = "3"
1078# postgresql['autovacuum_freeze_max_age'] = "200000000"
1079# postgresql['log_statement'] = nil
1080# postgresql['track_activity_query_size'] = "1024"
1081# postgresql['shared_preload_libraries'] = nil
1082# postgresql['dynamic_shared_memory_type'] = nil
1083# postgresql['hot_standby'] = "off"
1084
1085### SSL settings
1086# See https://www.postgresql.org/docs/11/static/runtime-config-connection.html#GUC-SSL-CERT-FILE for more details
1087# postgresql['ssl'] = 'on'
1088# postgresql['hostssl'] = false
1089# postgresql['ssl_ciphers'] = 'HIGH:MEDIUM:+3DES:!aNULL:!SSLv3:!TLSv1'
1090# postgresql['ssl_cert_file'] = 'server.crt'
1091# postgresql['ssl_key_file'] = 'server.key'
1092# postgresql['ssl_ca_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
1093# postgresql['ssl_crl_file'] = nil
1094# postgresql['cert_auth_addresses'] = {
1095# 'ADDRESS' => {
1096# database: 'gitlabhq_production',
1097# user: 'gitlab'
1098# }
1099# }
1100
1101### Replication settings
1102###! Note, some replication settings do not require a full restart. They are documented below.
1103# postgresql['wal_level'] = "hot_standby"
1104# postgresql['wal_log_hints'] = 'off'
1105# postgresql['max_wal_senders'] = 5
1106# postgresql['max_replication_slots'] = 0
1107# postgresql['max_locks_per_transaction'] = 128
1108
1109# Backup/Archive settings
1110# postgresql['archive_mode'] = "off"
1111
1112###! Changing any of these settings only requires a reload of postgresql. You do not need to
1113###! restart postgresql if you change any of these and run reconfigure.
1114# postgresql['work_mem'] = "16MB"
1115# postgresql['maintenance_work_mem'] = "16MB"
1116# postgresql['checkpoint_segments'] = 10
1117# postgresql['checkpoint_timeout'] = "5min"
1118# postgresql['checkpoint_completion_target'] = 0.9
1119# postgresql['effective_io_concurrency'] = 1
1120# postgresql['checkpoint_warning'] = "30s"
1121# postgresql['effective_cache_size'] = "1MB"
1122# postgresql['shmmax'] = 17179869184 # or 4294967295
1123# postgresql['shmall'] = 4194304 # or 1048575
1124# postgresql['autovacuum'] = "on"
1125# postgresql['log_autovacuum_min_duration'] = "-1"
1126# postgresql['autovacuum_naptime'] = "1min"
1127# postgresql['autovacuum_vacuum_threshold'] = "50"
1128# postgresql['autovacuum_analyze_threshold'] = "50"
1129# postgresql['autovacuum_vacuum_scale_factor'] = "0.02"
1130# postgresql['autovacuum_analyze_scale_factor'] = "0.01"
1131# postgresql['autovacuum_vacuum_cost_delay'] = "20ms"
1132# postgresql['autovacuum_vacuum_cost_limit'] = "-1"
1133# postgresql['statement_timeout'] = "60000"
1134# postgresql['idle_in_transaction_session_timeout'] = "60000"
1135# postgresql['log_line_prefix'] = "%a"
1136# postgresql['max_worker_processes'] = 8
1137# postgresql['max_parallel_workers_per_gather'] = 0
1138# postgresql['log_lock_waits'] = 1
1139# postgresql['deadlock_timeout'] = '5s'
1140# postgresql['track_io_timing'] = 0
1141# postgresql['default_statistics_target'] = 1000
1142
1143### Available in PostgreSQL 9.6 and later
1144# postgresql['min_wal_size'] = "80MB"
1145# postgresql['max_wal_size'] = "1GB"
1146
1147# Backup/Archive settings
1148# postgresql['archive_command'] = nil
1149# postgresql['archive_timeout'] = "0"
1150
1151### Replication settings
1152# postgresql['sql_replication_user'] = "gitlab_replicator"
1153# postgresql['sql_replication_password'] = "md5 hash of postgresql password" # You can generate with `gitlab-ctl pg-password-md5 <dbuser>`
1154# postgresql['wal_keep_segments'] = 10
1155# postgresql['max_standby_archive_delay'] = "30s"
1156# postgresql['max_standby_streaming_delay'] = "30s"
1157# postgresql['synchronous_commit'] = on
1158# postgresql['synchronous_standby_names'] = ''
1159# postgresql['hot_standby_feedback'] = 'off'
1160# postgresql['random_page_cost'] = 2.0
1161# postgresql['log_temp_files'] = -1
1162# postgresql['log_checkpoints'] = 'off'
1163# To add custom entries to pg_hba.conf use the following
1164# postgresql['custom_pg_hba_entries'] = {
1165# APPLICATION: [ # APPLICATION should identify what the settings are used for
1166# {
1167# type: example,
1168# database: example,
1169# user: example,
1170# cidr: example,
1171# method: example,
1172# option: example
1173# }
1174# ]
1175# }
1176# See https://www.postgresql.org/docs/11/static/auth-pg-hba-conf.html for an explanation
1177# of the values
1178
1179### Version settings
1180# Set this if you have disabled the bundled PostgreSQL but still want to use the backup rake tasks
1181# postgresql['version'] = 10
1182
1183################################################################################
1184## GitLab Redis
1185##! **Can be disabled if you are using your own Redis instance.**
1186##! Docs: https://docs.gitlab.com/omnibus/settings/redis.html
1187################################################################################
1188
1189# redis['enable'] = true
1190# redis['ha'] = false
1191# redis['hz'] = 10
1192# redis['dir'] = "/var/opt/gitlab/redis"
1193# redis['log_directory'] = "/var/log/gitlab/redis"
1194# redis['username'] = "gitlab-redis"
1195# redis['group'] = "gitlab-redis"
1196# redis['maxclients'] = "10000"
1197# redis['maxmemory'] = "0"
1198# redis['maxmemory_policy'] = "noeviction"
1199# redis['maxmemory_samples'] = "5"
1200# redis['tcp_backlog'] = 511
1201# redis['tcp_timeout'] = "60"
1202# redis['tcp_keepalive'] = "300"
1203# redis['uid'] = nil
1204# redis['gid'] = nil
1205
1206### Disable or obfuscate unnecessary redis command names
1207### Uncomment and edit this block to add or remove entries.
1208### See https://docs.gitlab.com/omnibus/settings/redis.html#renamed-commands
1209### for detailed usage
1210###
1211# redis['rename_commands'] = {
1212# 'KEYS': ''
1213#}
1214#
1215
1216###! **To enable only Redis service in this machine, uncomment
1217###! one of the lines below (choose master or replica instance types).**
1218###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html
1219###! https://docs.gitlab.com/ee/administration/high_availability/redis.html
1220# redis_master_role['enable'] = true
1221# redis_replica_role['enable'] = true
1222
1223### Redis TCP support (will disable UNIX socket transport)
1224# redis['bind'] = '0.0.0.0' # or specify an IP to bind to a single one
1225# redis['port'] = 6379
1226# redis['password'] = 'redis-password-goes-here'
1227
1228### Redis Sentinel support
1229###! **You need a master replica Redis replication to be able to do failover**
1230###! **Please read the documentation before enabling it to understand the
1231###! caveats:**
1232###! Docs: https://docs.gitlab.com/ee/administration/high_availability/redis.html
1233
1234### Replication support
1235#### Replica Redis instance
1236# redis['master'] = false # by default this is true
1237
1238#### Replica and Sentinel shared configuration
1239####! **Both need to point to the master Redis instance to get replication and
1240####! heartbeat monitoring**
1241# redis['master_name'] = 'gitlab-redis'
1242# redis['master_ip'] = nil
1243# redis['master_port'] = 6379
1244
1245#### Support to run redis replicas in a Docker or NAT environment
1246####! Docs: https://redis.io/topics/replication#configuring-replication-in-docker-and-nat
1247# redis['announce_ip'] = nil
1248# redis['announce_port'] = nil
1249
1250####! **Master password should have the same value defined in
1251####! redis['password'] to enable the instance to transition to/from
1252####! master/replica in a failover event.**
1253# redis['master_password'] = 'redis-password-goes-here'
1254
1255####! Increase these values when your replicas can't catch up with master
1256# redis['client_output_buffer_limit_normal'] = '0 0 0'
1257# redis['client_output_buffer_limit_replica'] = '256mb 64mb 60'
1258# redis['client_output_buffer_limit_pubsub'] = '32mb 8mb 60'
1259
1260#####! Redis snapshotting frequency
1261#####! Set to [] to disable
1262#####! Set to [''] to clear previously set values
1263# redis['save'] = [ '900 1', '300 10', '60 10000' ]
1264
1265#####! Redis lazy freeing
1266#####! Defaults to false
1267# redis['lazyfree_lazy_eviction'] = true
1268# redis['lazyfree_lazy_expire'] = true
1269# redis['lazyfree_lazy_server_del'] = true
1270# redis['replica_lazy_flush'] = true
1271
1272#####! Redis threaded I/O
1273#####! Defaults to disabled
1274# redis['io_threads'] = 4
1275# redis['io_threads_do_reads'] = true
1276
1277################################################################################
1278## GitLab Web server
1279##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server
1280################################################################################
1281
1282##! When bundled nginx is disabled we need to add the external webserver user to
1283##! the GitLab webserver group.
1284# web_server['external_users'] = []
1285# web_server['username'] = 'gitlab-www'
1286# web_server['group'] = 'gitlab-www'
1287# web_server['uid'] = nil
1288# web_server['gid'] = nil
1289# web_server['shell'] = '/bin/false'
1290# web_server['home'] = '/var/opt/gitlab/nginx'
1291
1292################################################################################
1293## GitLab NGINX
1294##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
1295################################################################################
1296
1297 nginx['enable'] = true
1298 nginx['client_max_body_size'] = '2000m'
1299 nginx['redirect_http_to_https'] = false
1300 nginx['redirect_http_to_https_port'] = 80
1301
1302##! Most root CA's are included by default
1303# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
1304
1305##! enable/disable 2-way SSL client authentication
1306# nginx['ssl_verify_client'] = "off"
1307
1308##! if ssl_verify_client on, verification depth in the client certificates chain
1309# nginx['ssl_verify_depth'] = "1"
1310
1311# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
1312# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
1313# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
1314# nginx['ssl_prefer_server_ciphers'] = "on"
1315
1316##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
1317##! https://cipherli.st/**
1318# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"
1319
1320##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
1321# nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m"
1322
1323##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
1324# nginx['ssl_session_timeout'] = "5m"
1325
1326# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
1327# nginx['listen_addresses'] = ['127.0.0.1']
1328
1329##! **Defaults to forcing web browsers to always communicate using only HTTPS**
1330##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-http-strict-transport-security
1331# nginx['hsts_max_age'] = 31536000
1332# nginx['hsts_include_subdomains'] = false
1333
1334##! Defaults to stripping path information when making cross-origin requests
1335# nginx['referrer_policy'] = 'strict-origin-when-cross-origin'
1336
1337##! **Docs: http://nginx.org/en/docs/http/ngx_http_gzip_module.html**
1338# nginx['gzip_enabled'] = true
1339
1340##! **Override only if you use a reverse proxy**
1341##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
1342# nginx['listen_port'] = 80
1343
1344##! **Override only if your reverse proxy internally communicates over HTTP**
1345##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
1346 nginx['listen_https'] = false
1347
1348# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
1349# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
1350# nginx['proxy_read_timeout'] = 3600
1351# nginx['proxy_connect_timeout'] = 300
1352 nginx['proxy_set_headers'] = {
1353# "X-Real-IP" => "$remote_addr",
1354 "X-Forwarded-Proto" => "http",
1355 "X-Forwarded-Port" => "80",
1356 }
1357# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
1358# nginx['proxy_cache'] = 'gitlab'
1359# nginx['http2_enabled'] = true
1360 nginx['real_ip_trusted_addresses'] = ['10.1.0.0/8','172.1.0.0/8','127.0.0.1/32']
1361 nginx['real_ip_header'] = 'X-Forwarded-For'
1362 nginx['real_ip_recursive'] = 'on'
1363# nginx['custom_error_pages'] = {
1364# '404' => {
1365# 'title' => 'Example title',
1366# 'header' => 'Example header',
1367# 'message' => 'Example message'
1368# }
1369# }
1370
1371### Advanced settings
1372# nginx['dir'] = "/var/opt/gitlab/nginx"
1373# nginx['log_directory'] = "/var/log/gitlab/nginx"
1374# nginx['worker_processes'] = 4
1375# nginx['worker_connections'] = 10240
1376# nginx['log_format'] = '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio'
1377# nginx['sendfile'] = 'on'
1378# nginx['tcp_nopush'] = 'on'
1379# nginx['tcp_nodelay'] = 'on'
1380# nginx['gzip'] = "on"
1381# nginx['gzip_http_version'] = "1.0"
1382# nginx['gzip_comp_level'] = "2"
1383# nginx['gzip_proxied'] = "any"
1384# nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
1385# nginx['keepalive_timeout'] = 65
1386# nginx['cache_max_size'] = '5000m'
1387# nginx['server_names_hash_bucket_size'] = 64
1388##! These paths have proxy_request_buffering disabled
1389# nginx['request_buffering_off_path_regex'] = "/api/v\\d/jobs/\\d+/artifacts$|\\.git/git-receive-pack$|\\.git/gitlab-lfs/objects|\\.git/info/lfs/objects/batch$"
1390
1391### Nginx status
1392# nginx['status'] = {
1393# "enable" => true,
1394# "listen_addresses" => ["127.0.0.1"],
1395# "fqdn" => "dev.example.com",
1396# "port" => 9999,
1397# "vts_enable" => true,
1398# "options" => {
1399# "server_tokens" => "off", # Don't show the version of NGINX
1400# "access_log" => "off", # Disable logs for stats
1401# "allow" => "127.0.0.1", # Only allow access from localhost
1402# "deny" => "all" # Deny access to anyone else
1403# }
1404# }
1405
1406################################################################################
1407## GitLab Logging
1408##! Docs: https://docs.gitlab.com/omnibus/settings/logs.html
1409################################################################################
1410
1411# logging['svlogd_size'] = 200 * 1024 * 1024 # rotate after 200 MB of log data
1412# logging['svlogd_num'] = 30 # keep 30 rotated log files
1413# logging['svlogd_timeout'] = 24 * 60 * 60 # rotate after 24 hours
1414# logging['svlogd_filter'] = "gzip" # compress logs with gzip
1415# logging['svlogd_udp'] = nil # transmit log messages via UDP
1416# logging['svlogd_prefix'] = nil # custom prefix for log messages
1417# logging['logrotate_frequency'] = "daily" # rotate logs daily
1418# logging['logrotate_maxsize'] = nil # rotate logs when they grow bigger than size bytes even before the specified time interval (daily, weekly, monthly, or yearly)
1419# logging['logrotate_size'] = nil # do not rotate by size by default
1420# logging['logrotate_rotate'] = 30 # keep 30 rotated logs
1421# logging['logrotate_compress'] = "compress" # see 'man logrotate'
1422# logging['logrotate_method'] = "copytruncate" # see 'man logrotate'
1423# logging['logrotate_postrotate'] = nil # no postrotate command by default
1424# logging['logrotate_dateformat'] = nil # use date extensions for rotated files rather than numbers e.g. a value of "-%Y-%m-%d" would give rotated files like production.log-2016-03-09.gz
1425
1426### UDP log forwarding
1427##! Docs: http://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding
1428
1429##! remote host to ship log messages to via UDP
1430# logging['udp_log_shipping_host'] = nil
1431
1432##! override the hostname used when logs are shipped via UDP,
1433## by default the system hostname will be used.
1434# logging['udp_log_shipping_hostname'] = nil
1435
1436##! remote port to ship log messages to via UDP
1437# logging['udp_log_shipping_port'] = 514
1438
1439################################################################################
1440## Logrotate
1441##! Docs: https://docs.gitlab.com/omnibus/settings/logs.html#logrotate
1442##! You can disable built in logrotate feature.
1443################################################################################
1444# logrotate['enable'] = true
1445# logrotate['log_directory'] = "/var/log/gitlab/logrotate"
1446
1447################################################################################
1448## Users and groups accounts
1449##! Disable management of users and groups accounts.
1450##! **Set only if creating accounts manually**
1451##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#disable-user-and-group-account-management
1452################################################################################
1453
1454# manage_accounts['enable'] = false
1455
1456################################################################################
1457## Storage directories
1458##! Disable managing storage directories
1459##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#disable-storage-directories-management
1460################################################################################
1461
1462##! **Set only if the select directories are created manually**
1463# manage_storage_directories['enable'] = false
1464# manage_storage_directories['manage_etc'] = false
1465
1466################################################################################
1467## Runtime directory
1468##! Docs: https://docs.gitlab.com//omnibus/settings/configuration.html#configuring-runtime-directory
1469################################################################################
1470
1471# runtime_dir '/run'
1472
1473################################################################################
1474## Git
1475##! Advanced setting for configuring git system settings for omnibus-gitlab
1476##! internal git
1477################################################################################
1478
1479##! For multiple options under one header use array of comma separated values,
1480##! eg.:
1481##! { "receive" => ["fsckObjects = true"], "alias" => ["st = status", "co = checkout"] }
1482
1483# omnibus_gitconfig['system'] = {
1484# "pack" => ["threads = 1"],
1485# "receive" => ["fsckObjects = true", "advertisePushOptions = true"],
1486# "repack" => ["writeBitmaps = true"],
1487# "transfer" => ["hideRefs=^refs/tmp/", "hideRefs=^refs/keep-around/", "hideRefs=^refs/remotes/"],
1488# "core" => [
1489# 'alternateRefsCommand="exit 0 #"',
1490# "fsyncObjectFiles = true"
1491# ],
1492# "fetch" => ["writeCommitGraph = true"]
1493# }
1494
1495################################################################################
1496## GitLab Pages
1497##! Docs: https://docs.gitlab.com/ee/pages/administration.html
1498################################################################################
1499
1500##! Define to enable GitLab Pages
1501# pages_external_url "http://pages.example.com/"
1502# gitlab_pages['enable'] = false
1503
1504##! Configure to expose GitLab Pages on external IP address, serving the HTTP
1505# gitlab_pages['external_http'] = []
1506
1507##! Configure to expose GitLab Pages on external IP address, serving the HTTPS
1508# gitlab_pages['external_https'] = []
1509
1510##! Configure to expose GitLab Pages on external IP address, serving the HTTPS over PROXYv2
1511# gitlab_pages['external_https_proxyv2'] = []
1512
1513##! Configure to use the default list of cipher suites
1514# gitlab_pages['insecure_ciphers'] = false
1515
1516##! Configure to enable health check endpoint on GitLab Pages
1517# gitlab_pages['status_uri'] = "/@status"
1518
1519##! Tune the maximum number of concurrent connections GitLab Pages will handle.
1520##! Default to 0 for unlimited connections.
1521# gitlab_pages['max_connections'] = 0
1522
1523##! Setting the propagate_correlation_id to true allows installations behind a reverse proxy
1524##! generate and set a correlation ID to requests sent to GitLab Pages. If a reverse proxy
1525##! sets the header value X-Request-ID, the value will be propagated in the request chain.
1526# gitlab_pages['propagate_correlation_id'] = false
1527
1528##! Configure to use JSON structured logging in GitLab Pages
1529# gitlab_pages['log_format'] = "json"
1530
1531##! Configure verbose logging for GitLab Pages
1532# gitlab_pages['log_verbose'] = false
1533
1534##! Error Reporting and Logging with Sentry
1535# gitlab_pages['sentry_enabled'] = false
1536# gitlab_pages['sentry_dsn'] = 'https://<key>@sentry.io/<project>'
1537# gitlab_pages['sentry_environment'] = 'production'
1538
1539##! Listen for requests forwarded by reverse proxy
1540# gitlab_pages['listen_proxy'] = "localhost:8090"
1541
1542# gitlab_pages['redirect_http'] = true
1543# gitlab_pages['use_http2'] = true
1544# gitlab_pages['dir'] = "/var/opt/gitlab/gitlab-pages"
1545# gitlab_pages['log_directory'] = "/var/log/gitlab/gitlab-pages"
1546
1547# gitlab_pages['artifacts_server'] = true
1548# gitlab_pages['artifacts_server_url'] = nil # Defaults to external_url + '/api/v4'
1549# gitlab_pages['artifacts_server_timeout'] = 10
1550
1551##! Environments that do not support bind-mounting should set this parameter to
1552##! true. This is incompatible with the artifacts server
1553# gitlab_pages['inplace_chroot'] = false
1554
1555##! Prometheus metrics for Pages docs: https://gitlab.com/gitlab-org/gitlab-pages/#enable-prometheus-metrics
1556# gitlab_pages['metrics_address'] = ":9235"
1557
1558##! Specifies the minimum SSL/TLS version ("ssl3", "tls1.0", "tls1.1" or "tls1.2")
1559# gitlab_pages['tls_min_version'] = "ssl3"
1560
1561##! Specifies the maximum SSL/TLS version ("ssl3", "tls1.0", "tls1.1" or "tls1.2")
1562# gitlab_pages['tls_max_version'] = "tls1.2"
1563
1564##! Pages access control
1565# gitlab_pages['access_control'] = false
1566# gitlab_pages['gitlab_id'] = nil # Automatically generated if not present
1567# gitlab_pages['gitlab_secret'] = nil # Generated if not present
1568# gitlab_pages['auth_redirect_uri'] = nil # Defaults to projects subdomain of pages_external_url and + '/auth'
1569# gitlab_pages['gitlab_server'] = nil # Defaults to external_url
1570# gitlab_pages['internal_gitlab_server'] = nil # Defaults to gitlab_server, can be changed to internal load balancer
1571# gitlab_pages['auth_secret'] = nil # Generated if not present
1572# gitlab_pages['auth_scope'] = nil # Defaults to api, can be changed to read_api to increase security
1573
1574##! GitLab API HTTP client connection timeout
1575# gitlab_pages['gitlab_client_http_timeout'] = "10s"
1576
1577##! GitLab API JWT Token expiry time
1578# gitlab_pages['gitlab_client_jwt_expiry'] = "30s"
1579
1580##! Domain configuration source, defaults to disk if set to nil
1581# gitlab_pages['domain_config_source'] = nil
1582
1583##! Advanced settings for API-based configuration for GitLab Pages.
1584##! The recommended default values are set inside GitLab Pages.
1585##! Should be changed only if absolutely needed.
1586
1587##! The maximum time a domain's configuration is stored in the cache.
1588# gitlab_pages['gitlab_cache_expiry'] = "600s"
1589##! The interval at which a domain's configuration is set to be due to refresh (default: 60s).
1590# gitlab_pages['gitlab_cache_refresh'] = "60s"
1591##! The interval at which expired items are removed from the cache (default: 60s).
1592# gitlab_pages['gitlab_cache_cleanup'] = "60s"
1593##! The maximum time to wait for a response from the GitLab API per request.
1594# gitlab_pages['gitlab_retrieval_timeout'] = "30s"
1595##! The interval to wait before retrying to resolve a domain's configuration via the GitLab API.
1596# gitlab_pages['gitlab_retrieval_interval'] = "1s"
1597##! The maximum number of times to retry to resolve a domain's configuration via the API
1598# gitlab_pages['gitlab_retrieval_retries'] = 3
1599
1600##! Define custom gitlab-pages HTTP headers for the whole instance
1601# gitlab_pages['headers'] = []
1602
1603##! Shared secret used for authentication between Pages and GitLab
1604# gitlab_pages['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.
1605
1606##! Advanced settings for serving GitLab Pages from zip archives.
1607##! The recommended default values are set inside GitLab Pages.
1608##! Should be changed only if absolutely needed.
1609
1610##! The maximum time an archive will be cached in memory.
1611# gitlab_pages['zip_cache_expiration'] = "60s"
1612##! Zip archive cache cleaning interval.
1613# gitlab_pages['zip_cache_cleanup'] = "30s"
1614##! The interval to refresh a cache archive if accessed before expiring.
1615# gitlab_pages['zip_cache_refresh'] = "30s"
1616##! The maximum amount of time it takes to open a zip archive from the file system or object storage.
1617# gitlab_pages['zip_open_timeout'] = "30s"
1618
1619# gitlab_pages['env_directory'] = "/opt/gitlab/etc/gitlab-pages/env"
1620# gitlab_pages['env'] = {
1621# 'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/"
1622# }
1623
1624################################################################################
1625## GitLab Pages NGINX
1626################################################################################
1627
1628# All the settings defined in the "GitLab Nginx" section are also available in
1629# this "GitLab Pages NGINX" section, using the key `pages_nginx`. However,
1630# those settings should be explicitly set. That is, settings given as
1631# `nginx['some_setting']` WILL NOT be automatically replicated as
1632# `pages_nginx['some_setting']` and should be set separately.
1633
1634# Below you can find settings that are exclusive to "GitLab Pages NGINX"
1635# pages_nginx['enable'] = true
1636
1637# gitlab_rails['pages_path'] = "/var/opt/gitlab/gitlab-rails/shared/pages"
1638
1639################################################################################
1640## GitLab CI
1641##! Docs: https://docs.gitlab.com/ee/ci/quick_start/README.html
1642################################################################################
1643
1644# gitlab_ci['gitlab_ci_all_broken_builds'] = true
1645# gitlab_ci['gitlab_ci_add_pusher'] = true
1646# gitlab_ci['builds_directory'] = '/var/opt/gitlab/gitlab-ci/builds'
1647
1648################################################################################
1649## GitLab Kubernetes Agent Server
1650##! Docs: https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/blob/master/README.md
1651################################################################################
1652
1653##! Settings used by the GitLab application
1654# gitlab_rails['gitlab_kas_enabled'] = true
1655# gitlab_rails['gitlab_kas_external_url'] = ws://gitlab.example.com/-/kubernetes-agent
1656# gitlab_rails['gitlab_kas_internal_url'] = grpc://localhost:8153
1657
1658##! Enable GitLab KAS
1659# gitlab_kas['enable'] = true
1660
1661##! Agent configuration for GitLab KAS
1662# gitlab_kas['agent_configuration_poll_period'] = 20
1663# gitlab_kas['agent_gitops_poll_period'] = 20
1664# gitlab_kas['agent_gitops_project_info_cache_ttl'] = 300
1665# gitlab_kas['agent_gitops_project_info_cache_error_ttl'] = 60
1666# gitlab_kas['agent_info_cache_ttl'] = 300
1667# gitlab_kas['agent_info_cache_error_ttl'] = 60
1668
1669##! Shared secret used for authentication between KAS and GitLab
1670# gitlab_kas['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.
1671
1672##! Listen configuration for GitLab KAS
1673# gitlab_kas['listen_address'] = 'localhost:8150'
1674# gitlab_kas['listen_network'] = 'tcp'
1675# gitlab_kas['listen_websocket'] = true
1676# gitlab_kas['internal_api_listen_network'] = 'tcp'
1677# gitlab_kas['internal_api_listen_address'] = 'localhost:8153'
1678
1679##! Metrics configuration for GitLab KAS
1680# gitlab_kas['metrics_usage_reporting_period'] = 60
1681
1682##! Directories for GitLab KAS
1683# gitlab_kas['dir'] = '/var/opt/gitlab/gitlab-kas'
1684# gitlab_kas['log_directory'] = '/var/log/gitlab/gitlab-kas'
1685# gitlab_kas['env_directory'] = '/opt/gitlab/etc/gitlab-kas/env'
1686
1687################################################################################
1688## GitLab Mattermost
1689##! Docs: https://docs.gitlab.com/omnibus/gitlab-mattermost
1690################################################################################
1691
1692# mattermost_external_url 'http://mattermost.example.com'
1693
1694# mattermost['enable'] = false
1695# mattermost['username'] = 'mattermost'
1696# mattermost['group'] = 'mattermost'
1697# mattermost['uid'] = nil
1698# mattermost['gid'] = nil
1699# mattermost['home'] = '/var/opt/gitlab/mattermost'
1700# mattermost['database_name'] = 'mattermost_production'
1701# mattermost['env'] = {
1702# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
1703# }
1704# mattermost['service_address'] = "127.0.0.1"
1705# mattermost['service_port'] = "8065"
1706# mattermost['service_site_url'] = nil
1707# mattermost['service_allowed_untrusted_internal_connections'] = ""
1708# mattermost['service_enable_api_team_deletion'] = true
1709# mattermost['team_site_name'] = "GitLab Mattermost"
1710# mattermost['sql_driver_name'] = 'mysql'
1711# mattermost['sql_data_source'] = "mmuser:mostest@tcp(dockerhost:3306)/mattermost_test?charset=utf8mb4,utf8"
1712# mattermost['log_file_directory'] = '/var/log/gitlab/mattermost/'
1713# mattermost['gitlab_enable'] = false
1714# mattermost['gitlab_id'] = "12345656"
1715# mattermost['gitlab_secret'] = "123456789"
1716# mattermost['gitlab_scope'] = ""
1717# mattermost['gitlab_auth_endpoint'] = "http://gitlab.example.com/oauth/authorize"
1718# mattermost['gitlab_token_endpoint'] = "http://gitlab.example.com/oauth/token"
1719# mattermost['gitlab_user_api_endpoint'] = "http://gitlab.example.com/api/v4/user"
1720# mattermost['file_directory'] = "/var/opt/gitlab/mattermost/data"
1721# mattermost['plugin_directory'] = "/var/opt/gitlab/mattermost/plugins"
1722# mattermost['plugin_client_directory'] = "/var/opt/gitlab/mattermost/client-plugins"
1723
1724################################################################################
1725## Mattermost NGINX
1726################################################################################
1727
1728# All the settings defined in the "GitLab Nginx" section are also available in
1729# this "Mattermost NGINX" section, using the key `mattermost_nginx`. However,
1730# those settings should be explicitly set. That is, settings given as
1731# `nginx['some_setting']` WILL NOT be automatically replicated as
1732# `mattermost_nginx['some_setting']` and should be set separately.
1733
1734# Below you can find settings that are exclusive to "Mattermost NGINX"
1735# mattermost_nginx['enable'] = false
1736
1737# mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
1738# mattermost_nginx['proxy_set_headers'] = {
1739# "Host" => "$http_host",
1740# "X-Real-IP" => "$remote_addr",
1741# "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
1742# "X-Frame-Options" => "SAMEORIGIN",
1743# "X-Forwarded-Proto" => "https",
1744# "X-Forwarded-Ssl" => "on",
1745# "Upgrade" => "$http_upgrade",
1746# "Connection" => "$connection_upgrade"
1747# }
1748
1749
1750################################################################################
1751## Registry NGINX
1752################################################################################
1753
1754# All the settings defined in the "GitLab Nginx" section are also available in
1755# this "Registry NGINX" section, using the key `registry_nginx`. However, those
1756# settings should be explicitly set. That is, settings given as
1757# `nginx['some_setting']` WILL NOT be automatically replicated as
1758# `registry_nginx['some_setting']` and should be set separately.
1759
1760# Below you can find settings that are exclusive to "Registry NGINX"
1761# registry_nginx['enable'] = false
1762
1763# registry_nginx['proxy_set_headers'] = {
1764# "Host" => "$http_host",
1765# "X-Real-IP" => "$remote_addr",
1766# "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
1767# "X-Forwarded-Proto" => "https",
1768# "X-Forwarded-Ssl" => "on"
1769# }
1770
1771# When the registry is automatically enabled using the same domain as `external_url`,
1772# it listens on this port
1773# registry_nginx['listen_port'] = 5050
1774
1775################################################################################
1776## Prometheus
1777##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/
1778################################################################################
1779
1780###! **To enable only Monitoring service in this machine, uncomment
1781###! the line below.**
1782###! Docs: https://docs.gitlab.com/ee/administration/high_availability
1783# monitoring_role['enable'] = true
1784
1785# prometheus['enable'] = true
1786# prometheus['monitor_kubernetes'] = true
1787# prometheus['username'] = 'gitlab-prometheus'
1788# prometheus['group'] = 'gitlab-prometheus'
1789# prometheus['uid'] = nil
1790# prometheus['gid'] = nil
1791# prometheus['shell'] = '/bin/sh'
1792# prometheus['home'] = '/var/opt/gitlab/prometheus'
1793# prometheus['log_directory'] = '/var/log/gitlab/prometheus'
1794# prometheus['rules_files'] = ['/var/opt/gitlab/prometheus/rules/*.rules']
1795# prometheus['scrape_interval'] = 15
1796# prometheus['scrape_timeout'] = 15
1797# prometheus['external_labels'] = { }
1798# prometheus['env_directory'] = '/opt/gitlab/etc/prometheus/env'
1799# prometheus['env'] = {
1800# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
1801# }
1802#
1803### Custom scrape configs
1804#
1805# Prometheus can scrape additional jobs via scrape_configs. The default automatically
1806# includes all of the exporters supported by the omnibus config.
1807#
1808# See: https://prometheus.io/docs/operating/configuration/#<scrape_config>
1809#
1810# Example:
1811#
1812# prometheus['scrape_configs'] = [
1813# {
1814# 'job_name': 'example',
1815# 'static_configs' => [
1816# 'targets' => ['hostname:port'],
1817# ],
1818# },
1819# ]
1820#
1821### Custom alertmanager config
1822#
1823# To configure external alertmanagers, create an alertmanager config.
1824#
1825# See: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config
1826#
1827# prometheus['alertmanagers'] = [
1828# {
1829# 'static_configs' => [
1830# {
1831# 'targets' => [
1832# 'hostname:port'
1833# ]
1834# }
1835# ]
1836# }
1837# ]
1838#
1839### Custom Prometheus flags
1840#
1841# prometheus['flags'] = {
1842# 'storage.tsdb.path' => "/var/opt/gitlab/prometheus/data",
1843# 'storage.tsdb.retention.time' => "15d",
1844# 'config.file' => "/var/opt/gitlab/prometheus/prometheus.yml"
1845# }
1846
1847##! Advanced settings. Should be changed only if absolutely needed.
1848# prometheus['listen_address'] = 'localhost:9090'
1849#
1850
1851################################################################################
1852###! **Only needed if Prometheus and Rails are not on the same server.**
1853### For example, in a multi-node architecture, Prometheus will be installed on the monitoring node, while Rails will be on the Rails node.
1854### https://docs.gitlab.com/ee/administration/monitoring/prometheus/index.html#using-an-external-prometheus-server
1855### This value should be the address at which Prometheus is available to GitLab Rails(Puma/Unicorn, Sidekiq) node.
1856################################################################################
1857# gitlab_rails['prometheus_address'] = 'your.prom:9090'
1858
1859################################################################################
1860## Prometheus Alertmanager
1861################################################################################
1862
1863# alertmanager['enable'] = true
1864# alertmanager['home'] = '/var/opt/gitlab/alertmanager'
1865# alertmanager['log_directory'] = '/var/log/gitlab/alertmanager'
1866# alertmanager['admin_email'] = 'admin@example.com'
1867# alertmanager['flags'] = {
1868# 'web.listen-address' => "localhost:9093",
1869# 'storage.path' => "/var/opt/gitlab/alertmanager/data",
1870# 'config.file' => "/var/opt/gitlab/alertmanager/alertmanager.yml"
1871# }
1872# alertmanager['env_directory'] = '/opt/gitlab/etc/alertmanager/env'
1873# alertmanager['env'] = {
1874# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
1875# }
1876
1877##! Advanced settings. Should be changed only if absolutely needed.
1878# alertmanager['listen_address'] = 'localhost:9093'
1879# alertmanager['global'] = {}
1880
1881################################################################################
1882## Prometheus Node Exporter
1883##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/node_exporter.html
1884################################################################################
1885
1886# node_exporter['enable'] = true
1887# node_exporter['home'] = '/var/opt/gitlab/node-exporter'
1888# node_exporter['log_directory'] = '/var/log/gitlab/node-exporter'
1889# node_exporter['flags'] = {
1890# 'collector.textfile.directory' => "/var/opt/gitlab/node-exporter/textfile_collector"
1891# }
1892# node_exporter['env_directory'] = '/opt/gitlab/etc/node-exporter/env'
1893# node_exporter['env'] = {
1894# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
1895# }
1896
1897##! Advanced settings. Should be changed only if absolutely needed.
1898# node_exporter['listen_address'] = 'localhost:9100'
1899
1900################################################################################
1901## Prometheus Redis exporter
1902##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/redis_exporter.html
1903################################################################################
1904
1905# redis_exporter['enable'] = true
1906# redis_exporter['log_directory'] = '/var/log/gitlab/redis-exporter'
1907# redis_exporter['flags'] = {
1908# 'redis.addr' => "unix:///var/opt/gitlab/redis/redis.socket",
1909# }
1910# redis_exporter['env_directory'] = '/opt/gitlab/etc/redis-exporter/env'
1911# redis_exporter['env'] = {
1912# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
1913# }
1914
1915##! Advanced settings. Should be changed only if absolutely needed.
1916# redis_exporter['listen_address'] = 'localhost:9121'
1917
1918################################################################################
1919## Prometheus Postgres exporter
1920##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/postgres_exporter.html
1921################################################################################
1922
1923# postgres_exporter['enable'] = true
1924# postgres_exporter['home'] = '/var/opt/gitlab/postgres-exporter'
1925# postgres_exporter['log_directory'] = '/var/log/gitlab/postgres-exporter'
1926# postgres_exporter['flags'] = {}
1927# postgres_exporter['listen_address'] = 'localhost:9187'
1928# postgres_exporter['env_directory'] = '/opt/gitlab/etc/postgres-exporter/env'
1929# postgres_exporter['env'] = {
1930# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
1931# }
1932# postgres_exporter['sslmode'] = nil
1933# postgres_exporter['per_table_stats'] = false
1934
1935################################################################################
1936## Prometheus PgBouncer exporter (EE only)
1937##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/pgbouncer_exporter.html
1938################################################################################
1939
1940# pgbouncer_exporter['enable'] = false
1941# pgbouncer_exporter['log_directory'] = "/var/log/gitlab/pgbouncer-exporter"
1942# pgbouncer_exporter['listen_address'] = 'localhost:9188'
1943# pgbouncer_exporter['env_directory'] = '/opt/gitlab/etc/pgbouncer-exporter/env'
1944# pgbouncer_exporter['env'] = {
1945# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
1946# }
1947
1948################################################################################
1949## Prometheus Gitlab exporter
1950##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_exporter.html
1951################################################################################
1952
1953
1954# gitlab_exporter['enable'] = true
1955# gitlab_exporter['log_directory'] = "/var/log/gitlab/gitlab-exporter"
1956# gitlab_exporter['home'] = "/var/opt/gitlab/gitlab-exporter"
1957
1958##! Advanced settings. Should be changed only if absolutely needed.
1959# gitlab_exporter['server_name'] = 'webrick'
1960# gitlab_exporter['listen_address'] = 'localhost'
1961# gitlab_exporter['listen_port'] = '9168'
1962
1963##! Manage gitlab-exporter sidekiq probes. false by default when Sentinels are
1964##! found.
1965# gitlab_exporter['probe_sidekiq'] = true
1966
1967# To completely disable prometheus, and all of it's exporters, set to false
1968# prometheus_monitoring['enable'] = true
1969
1970################################################################################
1971## Grafana Dashboards
1972##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/#prometheus-as-a-grafana-data-source
1973################################################################################
1974
1975# grafana['enable'] = true
1976# grafana['log_directory'] = '/var/log/gitlab/grafana'
1977# grafana['home'] = '/var/opt/gitlab/grafana'
1978# grafana['admin_password'] = 'admin'
1979# grafana['allow_user_sign_up'] = false
1980# grafana['basic_auth_enabled'] = false
1981# grafana['disable_login_form'] = true
1982# grafana['gitlab_application_id'] = 'GITLAB_APPLICATION_ID'
1983# grafana['gitlab_secret'] = 'GITLAB_SECRET'
1984# grafana['env_directory'] = '/opt/gitlab/etc/grafana/env'
1985# grafana['allowed_groups'] = []
1986# grafana['gitlab_auth_sign_up'] = true
1987# grafana['env'] = {
1988# 'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/"
1989# }
1990# grafana['metrics_enabled'] = false
1991# grafana['metrics_basic_auth_username'] = 'grafana_metrics' # default: nil
1992# grafana['metrics_basic_auth_password'] = 'please_set_a_unique_password' # default: nil
1993# grafana['alerting_enabled'] = false
1994
1995### SMTP Configuration
1996#
1997# See: http://docs.grafana.org/administration/configuration/#smtp
1998#
1999# grafana['smtp'] = {
2000# 'enabled' => true,
2001# 'host' => 'localhost:25',
2002# 'user' => nil,
2003# 'password' => nil,
2004# 'cert_file' => nil,
2005# 'key_file' => nil,
2006# 'skip_verify' => false,
2007# 'from_address' => 'admin@grafana.localhost',
2008# 'from_name' => 'Grafana',
2009# 'ehlo_identity' => 'dashboard.example.com',
2010# 'startTLS_policy' => nil
2011# }
2012
2013# Grafana usage reporting defaults to gitlab_rails['usage_ping_enabled']
2014# grafana['reporting_enabled'] = true
2015
2016### Dashboards
2017#
2018# See: http://docs.grafana.org/administration/provisioning/#dashboards
2019#
2020# NOTE: Setting this will override the default.
2021#
2022# grafana['dashboards'] = [
2023# {
2024# 'name' => 'GitLab Omnibus',
2025# 'orgId' => 1,
2026# 'folder' => 'GitLab Omnibus',
2027# 'type' => 'file',
2028# 'disableDeletion' => true,
2029# 'updateIntervalSeconds' => 600,
2030# 'options' => {
2031# 'path' => '/opt/gitlab/embedded/service/grafana-dashboards',
2032# }
2033# }
2034# ]
2035
2036### Datasources
2037#
2038# See: http://docs.grafana.org/administration/provisioning/#example-datasource-config-file
2039#
2040# NOTE: Setting this will override the default.
2041#
2042# grafana['datasources'] = [
2043# {
2044# 'name' => 'GitLab Omnibus',
2045# 'type' => 'prometheus',
2046# 'access' => 'proxy',
2047# 'url' => 'http://localhost:9090'
2048# }
2049# ]
2050
2051##! Advanced settings. Should be changed only if absolutely needed.
2052# grafana['http_addr'] = 'localhost'
2053# grafana['http_port'] = 3000
2054
2055################################################################################
2056## Gitaly
2057##! Docs:
2058################################################################################
2059
2060# The gitaly['enable'] option exists for the purpose of cluster
2061# deployments, see https://docs.gitlab.com/ee/administration/gitaly/index.html .
2062# gitaly['enable'] = true
2063# gitaly['dir'] = "/var/opt/gitlab/gitaly"
2064# gitaly['log_directory'] = "/var/log/gitlab/gitaly"
2065# gitaly['bin_path'] = "/opt/gitlab/embedded/bin/gitaly"
2066# gitaly['env_directory'] = "/opt/gitlab/etc/gitaly/env"
2067# gitaly['env'] = {
2068# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin",
2069# 'HOME' => '/var/opt/gitlab',
2070# 'TZ' => ':/etc/localtime',
2071# 'PYTHONPATH' => "/opt/gitlab/embedded/lib/python3.7/site-packages",
2072# 'ICU_DATA' => "/opt/gitlab/embedded/share/icu/current",
2073# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
2074# 'WRAPPER_JSON_LOGGING' => true
2075# }
2076
2077##! internal_socket_dir is the directory that will contain internal gitaly sockets,
2078##! separate from socket_path which is the socket that external clients listen on
2079
2080# gitaly['internal_socket_dir'] = "/var/opt/gitlab/gitaly"
2081# gitaly['socket_path'] = "/var/opt/gitlab/gitaly/gitaly.socket"
2082# gitaly['listen_addr'] = "localhost:8075"
2083# gitaly['tls_listen_addr'] = "localhost:9075"
2084# gitaly['certificate_path'] = "/var/opt/gitlab/gitaly/certificate.pem"
2085# gitaly['key_path'] = "/var/opt/gitlab/gitaly/key.pem"
2086# gitaly['prometheus_listen_addr'] = "localhost:9236"
2087# gitaly['logging_level'] = "warn"
2088# gitaly['logging_format'] = "json"
2089# gitaly['logging_sentry_dsn'] = "https://<key>:<secret>@sentry.io/<project>"
2090# gitaly['logging_ruby_sentry_dsn'] = "https://<key>:<secret>@sentry.io/<project>"
2091# gitaly['logging_sentry_environment'] = "production"
2092# gitaly['prometheus_grpc_latency_buckets'] = "[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]"
2093# gitaly['auth_token'] = '<secret>'
2094# gitaly['auth_transitioning'] = false # When true, auth is logged to Prometheus but NOT enforced
2095# gitaly['graceful_restart_timeout'] = '1m' # Grace time for a gitaly process to finish ongoing requests
2096# gitaly['git_catfile_cache_size'] = 100 # Number of 'git cat-file' processes kept around for re-use
2097# gitaly['git_bin_path'] = "/opt/gitlab/embedded/bin/git" # A custom path for the 'git' executable
2098# gitaly['open_files_ulimit'] = 15000 # Maximum number of open files allowed for the gitaly process
2099# gitaly['ruby_max_rss'] = 300000000 # RSS threshold in bytes for triggering a gitaly-ruby restart
2100# gitaly['ruby_graceful_restart_timeout'] = '10m' # Grace time for a gitaly-ruby process to finish ongoing requests
2101# gitaly['ruby_restart_delay'] = '5m' # Period of sustained high RSS that needs to be observed before restarting gitaly-ruby
2102# gitaly['ruby_rugged_git_config_search_path'] = "/opt/gitlab/embedded/etc" # Location of system-wide gitconfig file
2103# gitaly['ruby_num_workers'] = 3 # Number of gitaly-ruby worker processes. Minimum 2, default 2.
2104# gitaly['concurrency'] = [
2105# {
2106# 'rpc' => "/gitaly.SmartHTTPService/PostReceivePack",
2107# 'max_per_repo' => 20
2108# }, {
2109# 'rpc' => "/gitaly.SSHService/SSHUploadPack",
2110# 'max_per_repo' => 5
2111# }
2112# ]
2113#
2114# gitaly['daily_maintenance_start_hour'] = 22
2115# gitaly['daily_maintenance_start_minute'] = 30
2116# gitaly['daily_maintenance_duration'] = '30m'
2117# gitaly['daily_maintenance_storages'] = ["default"]
2118# gitaly['cgroups_count'] = 10
2119# gitaly['cgroups_mountpoint'] = '/sys/fs/cgroup'
2120# gitaly['cgroups_hierarchy_root'] = 'gitaly'
2121# gitaly['cgroups_memory_enabled'] = true
2122# gitaly['cgroups_memory_limit'] = 1048576
2123# gitaly['cgroups_cpu_enabled'] = true
2124# gitaly['cgroups_cpu_shares'] = 512
2125
2126################################################################################
2127## Praefect
2128##! Docs: https://gitlab.com/gitlab-org/gitaly/blob/master/doc/design_ha.md
2129################################################################################
2130
2131# praefect['enable'] = false
2132# praefect['dir'] = "/var/opt/gitlab/praefect"
2133# praefect['log_directory'] = "/var/log/gitlab/praefect"
2134# praefect['env_directory'] = "/opt/gitlab/etc/praefect/env"
2135# praefect['env'] = {
2136# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
2137# 'GITALY_PID_FILE' => "/var/opt/gitlab/praefect/praefect.pid",
2138# 'WRAPPER_JSON_LOGGING' => true
2139# }
2140# praefect['wrapper_path'] = "/opt/gitlab/embedded/bin/gitaly-wrapper"
2141# praefect['virtual_storage_name'] = "praefect"
2142# praefect['failover_enabled'] = false
2143# praefect['failover_election_strategy'] = 'sql'
2144# praefect['auth_token'] = ""
2145# praefect['auth_transitioning'] = false
2146# praefect['listen_addr'] = "localhost:2305"
2147# praefect['tls_listen_addr'] = "localhost:3305"
2148# praefect['certificate_path'] = "/var/opt/gitlab/prafect/certificate.pem"
2149# praefect['key_path'] = "/var/opt/gitlab/prafect/key.pem"
2150# praefect['prometheus_listen_addr'] = "localhost:9652"
2151# praefect['prometheus_grpc_latency_buckets'] = "[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]"
2152# praefect['logging_level'] = "warn"
2153# praefect['logging_format'] = "json"
2154# praefect['virtual_storages'] = {
2155# 'default' => {
2156# 'default_replication_factor' => 3,
2157# 'nodes' => {
2158# 'praefect-internal-0' => {
2159# 'address' => 'tcp://10.23.56.78:8075',
2160# 'token' => 'abc123'
2161# },
2162# 'praefect-internal-1' => {
2163# 'address' => 'tcp://10.76.23.31:8075',
2164# 'token' => 'xyz456'
2165# }
2166# }
2167# },
2168# 'alternative' => {
2169# 'nodes' => {
2170# 'praefect-internal-2' => {
2171# 'address' => 'tcp://10.34.1.16:8075',
2172# 'token' => 'abc321'
2173# },
2174# 'praefect-internal-3' => {
2175# 'address' => 'tcp://10.23.18.6:8075',
2176# 'token' => 'xyz890'
2177# }
2178# }
2179# }
2180# }
2181# praefect['sentry_dsn'] = "https://<key>:<secret>@sentry.io/<project>"
2182# praefect['sentry_environment'] = "production"
2183# praefect['auto_migrate'] = true
2184# praefect['database_host'] = 'postgres.external'
2185# praefect['database_port'] = 6432
2186# praefect['database_user'] = 'praefect'
2187# praefect['database_password'] = 'secret'
2188# praefect['database_dbname'] = 'praefect_production'
2189# praefect['database_sslmode'] = 'disable'
2190# praefect['database_sslcert'] = '/path/to/client-cert'
2191# praefect['database_sslkey'] = '/path/to/client-key'
2192# praefect['database_sslrootcert'] = '/path/to/rootcert'
2193# praefect['reconciliation_scheduling_interval'] = '5m'
2194# praefect['reconciliation_histogram_buckets'] = '[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0]'
2195# praefect['database_host_no_proxy'] = 'postgres.internal'
2196# praefect['database_port_no_proxy'] = 5432
2197
2198################################################################################
2199# Storage check
2200################################################################################
2201# storage_check['enable'] = false
2202# storage_check['target'] = 'unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'
2203# storage_check['log_directory'] = '/var/log/gitlab/storage-check'
2204
2205################################################################################
2206# Let's Encrypt integration
2207################################################################################
2208letsencrypt['enable'] = false
2209# letsencrypt['contact_emails'] = [] # This should be an array of email addresses to add as contacts
2210# letsencrypt['group'] = 'root'
2211# letsencrypt['key_size'] = 2048
2212# letsencrypt['owner'] = 'root'
2213# letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'
2214# See http://docs.gitlab.com/omnibus/settings/ssl.html#automatic-renewal for more on these sesttings
2215# letsencrypt['auto_renew'] = true
2216# letsencrypt['auto_renew_hour'] = 0
2217# letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified.
2218# letsencrypt['auto_renew_day_of_month'] = "*/4"
2219# letsencrypt['auto_renew_log_directory'] = '/var/log/gitlab/lets-encrypt'
2220
2221##! Turn off automatic init system detection. To skip init detection in
2222##! non-docker containers. Recommended not to change.
2223# package['detect_init'] = true
2224
2225##! Attempt to modify kernel paramaters. To skip this in containers where the
2226##! relevant file system is read-only, set the value to false.
2227# package['modify_kernel_parameters'] = true
2228
2229##! Specify maximum number of tasks that can be created by the systemd unit
2230##! Will be populated as TasksMax value to the unit file if user is on a systemd
2231##! version that supports it (>= 227). Will be a no-op if user is not on systemd.
2232# package['systemd_tasks_max'] = 4915
2233
2234##! Settings to configure order of GitLab's systemd unit.
2235##! Note: We do not recommend changing these values unless absolutely necessary
2236# package['systemd_after'] = 'multi-user.target'
2237# package['systemd_wanted_by'] = 'multi-user.target'
2238################################################################################
2239################################################################################
2240## Configuration Settings for GitLab EE only ##
2241################################################################################
2242################################################################################
2243
2244
2245################################################################################
2246## Auxiliary cron jobs applicable to GitLab EE only
2247################################################################################
2248#
2249# gitlab_rails['geo_file_download_dispatch_worker_cron'] = "*/10 * * * *"
2250# gitlab_rails['geo_repository_sync_worker_cron'] = "*/5 * * * *"
2251# gitlab_rails['geo_secondary_registry_consistency_worker'] = "* * * * *"
2252# gitlab_rails['geo_prune_event_log_worker_cron'] = "*/5 * * * *"
2253# gitlab_rails['geo_repository_verification_primary_batch_worker_cron'] = "*/5 * * * *"
2254# gitlab_rails['geo_repository_verification_secondary_scheduler_worker_cron'] = "*/5 * * * *"
2255# gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *"
2256# gitlab_rails['ldap_group_sync_worker_cron'] = "0 * * * *"
2257# gitlab_rails['historical_data_worker_cron'] = "0 12 * * *"
2258# gitlab_rails['pseudonymizer_worker_cron'] = "0 23 * * *"
2259# gitlab_rails['elastic_index_bulk_cron'] = "*/1 * * * *"
2260# gitlab_rails['analytics_devops_adoption_create_all_snapshots_worker_cron'] = "0 4 * * *"
2261
2262################################################################################
2263## Kerberos (EE Only)
2264##! Docs: https://docs.gitlab.com/ee/integration/kerberos.html#http-git-access
2265################################################################################
2266
2267# gitlab_rails['kerberos_enabled'] = true
2268# gitlab_rails['kerberos_keytab'] = /etc/http.keytab
2269# gitlab_rails['kerberos_service_principal_name'] = HTTP/gitlab.example.com@EXAMPLE.COM
2270# gitlab_rails['kerberos_simple_ldap_linking_allowed_realms'] = ['example.com','kerberos.example.com']
2271# gitlab_rails['kerberos_use_dedicated_port'] = true
2272# gitlab_rails['kerberos_port'] = 8443
2273# gitlab_rails['kerberos_https'] = true
2274
2275################################################################################
2276## Package repository
2277##! Docs: https://docs.gitlab.com/ee/administration/packages/
2278################################################################################
2279
2280# gitlab_rails['packages_enabled'] = true
2281# gitlab_rails['packages_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/packages"
2282# gitlab_rails['packages_object_store_enabled'] = false
2283# gitlab_rails['packages_object_store_direct_upload'] = false
2284# gitlab_rails['packages_object_store_background_upload'] = true
2285# gitlab_rails['packages_object_store_proxy_download'] = false
2286# gitlab_rails['packages_object_store_remote_directory'] = "packages"
2287# gitlab_rails['packages_object_store_connection'] = {
2288# 'provider' => 'AWS',
2289# 'region' => 'eu-west-1',
2290# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
2291# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
2292# # # The below options configure an S3 compatible host instead of AWS
2293# # 'host' => 's3.amazonaws.com',
2294# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
2295# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
2296# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
2297# }
2298
2299################################################################################
2300## Dependency proxy
2301##! Docs: https://docs.gitlab.com/ee/administration/packages/dependency_proxy.html
2302################################################################################
2303
2304# gitlab_rails['dependency_proxy_enabled'] = true
2305# gitlab_rails['dependency_proxy_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/dependency_proxy"
2306# gitlab_rails['dependency_proxy_object_store_enabled'] = false
2307# gitlab_rails['dependency_proxy_object_store_direct_upload'] = false
2308# gitlab_rails['dependency_proxy_object_store_background_upload'] = true
2309# gitlab_rails['dependency_proxy_object_store_proxy_download'] = false
2310# gitlab_rails['dependency_proxy_object_store_remote_directory'] = "dependency_proxy"
2311# gitlab_rails['dependency_proxy_object_store_connection'] = {
2312# 'provider' => 'AWS',
2313# 'region' => 'eu-west-1',
2314# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
2315# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
2316# # # The below options configure an S3 compatible host instead of AWS
2317# # 'host' => 's3.amazonaws.com',
2318# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
2319# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
2320# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
2321# }
2322
2323################################################################################
2324## GitLab Sentinel (EE Only)
2325##! Docs: http://docs.gitlab.com/ce/administration/high_availability/redis.html#high-availability-with-sentinel
2326################################################################################
2327
2328##! **Make sure you configured all redis['master_*'] keys above before
2329##! continuing.**
2330
2331##! To enable Sentinel and disable all other services in this machine,
2332##! uncomment the line below (if you've enabled Redis role, it will keep it).
2333##! Docs: https://docs.gitlab.com/ee/administration/high_availability/redis.html
2334# redis_sentinel_role['enable'] = true
2335
2336# sentinel['enable'] = true
2337
2338##! Bind to all interfaces, uncomment to specify an IP and bind to a single one
2339# sentinel['bind'] = '0.0.0.0'
2340
2341##! Uncomment to change default port
2342# sentinel['port'] = 26379
2343
2344#### Support to run sentinels in a Docker or NAT environment
2345#####! Docs: https://redis.io/topics/sentinel#sentinel-docker-nat-and-possible-issues
2346# In an standard case, Sentinel will run in the same network service as Redis, so the same IP will be announce for Redis and Sentinel
2347# Only define these values if it is needed to announce for Sentinel a differen IP service than Redis
2348# sentinel['announce_ip'] = nil # If not defined, its value will be taken from redis['announce_ip'] or nil if not present
2349# sentinel['announce_port'] = nil # If not defined, its value will be taken from sentinel['port'] or nil if redis['announce_ip'] not present
2350
2351##! Quorum must reflect the amount of voting sentinels it take to start a
2352##! failover.
2353##! **Value must NOT be greater then the amount of sentinels.**
2354##! The quorum can be used to tune Sentinel in two ways:
2355##! 1. If a the quorum is set to a value smaller than the majority of Sentinels
2356##! we deploy, we are basically making Sentinel more sensible to master
2357##! failures, triggering a failover as soon as even just a minority of
2358##! Sentinels is no longer able to talk with the master.
2359##! 2. If a quorum is set to a value greater than the majority of Sentinels, we
2360##! are making Sentinel able to failover only when there are a very large
2361##! number (larger than majority) of well connected Sentinels which agree
2362##! about the master being down.
2363# sentinel['quorum'] = 1
2364
2365### Consider unresponsive server down after x amount of ms.
2366# sentinel['down_after_milliseconds'] = 10000
2367
2368### Specifies the failover timeout in milliseconds.
2369##! It is used in many ways:
2370##!
2371##! - The time needed to re-start a failover after a previous failover was
2372##! already tried against the same master by a given Sentinel, is two
2373##! times the failover timeout.
2374##!
2375##! - The time needed for a replica replicating to a wrong master according
2376##! to a Sentinel current configuration, to be forced to replicate
2377##! with the right master, is exactly the failover timeout (counting since
2378##! the moment a Sentinel detected the misconfiguration).
2379##!
2380##! - The time needed to cancel a failover that is already in progress but
2381##! did not produced any configuration change (REPLICAOF NO ONE yet not
2382##! acknowledged by the promoted replica).
2383##!
2384##! - The maximum time a failover in progress waits for all the replicas to be
2385##! reconfigured as replicas of the new master. However even after this time
2386##! the replicas will be reconfigured by the Sentinels anyway, but not with
2387##! the exact parallel-syncs progression as specified.
2388# sentinel['failover_timeout'] = 60000
2389
2390################################################################################
2391## Additional Database Settings (EE only)
2392##! Docs: https://docs.gitlab.com/ee/administration/database_load_balancing.html
2393################################################################################
2394# gitlab_rails['db_load_balancing'] = { 'hosts' => ['secondary1.example.com'] }
2395
2396################################################################################
2397## GitLab Geo
2398##! Docs: https://docs.gitlab.com/ee/gitlab-geo
2399################################################################################
2400##! Geo roles 'geo_primary_role' and 'geo_secondary_role' are set above with
2401##! other roles. For more information, see: https://docs.gitlab.com/omnibus/roles/README.html#roles.
2402
2403# This is an optional identifier which Geo nodes can use to identify themselves.
2404# For example, if external_url is the same for two secondaries, you must specify
2405# a unique Geo node name for those secondaries.
2406#
2407# If it is blank, it defaults to external_url.
2408# gitlab_rails['geo_node_name'] = nil
2409
2410# gitlab_rails['geo_registry_replication_enabled'] = true
2411# gitlab_rails['geo_registry_replication_primary_api_url'] = 'https://example.com:5050'
2412
2413
2414################################################################################
2415## GitLab Geo Secondary (EE only)
2416################################################################################
2417# geo_secondary['auto_migrate'] = true
2418# geo_secondary['db_adapter'] = "postgresql"
2419# geo_secondary['db_encoding'] = "unicode"
2420# geo_secondary['db_collation'] = nil
2421# geo_secondary['db_database'] = "gitlabhq_geo_production"
2422# geo_secondary['db_username'] = "gitlab_geo"
2423# geo_secondary['db_password'] = nil
2424# geo_secondary['db_host'] = "/var/opt/gitlab/geo-postgresql"
2425# geo_secondary['db_port'] = 5431
2426# geo_secondary['db_socket'] = nil
2427# geo_secondary['db_sslmode'] = nil
2428# geo_secondary['db_sslcompression'] = 0
2429# geo_secondary['db_sslrootcert'] = nil
2430# geo_secondary['db_sslca'] = nil
2431
2432################################################################################
2433## GitLab Geo Secondary Tracking Database (EE only)
2434################################################################################
2435
2436# geo_postgresql['enable'] = false
2437# geo_postgresql['ha'] = false
2438# geo_postgresql['dir'] = '/var/opt/gitlab/geo-postgresql'
2439# geo_postgresql['data_dir'] = '/var/opt/gitlab/geo-postgresql/data'
2440# geo_postgresql['pgbouncer_user'] = nil
2441# geo_postgresql['pgbouncer_user_password'] = nil
2442##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab`
2443# geo_postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH'
2444
2445################################################################################
2446## Unleash
2447##! These settings are for GitLab internal use.
2448##! They are used to control feature flags during GitLab development.
2449##! Docs: https://docs.gitlab.com/ee/development/feature_flags
2450################################################################################
2451# gitlab_rails['feature_flags_unleash_enabled'] = false
2452# gitlab_rails['feature_flags_unleash_url'] = nil
2453# gitlab_rails['feature_flags_unleash_app_name'] = nil
2454# gitlab_rails['feature_flags_unleash_instance_id'] = nil
2455
2456################################################################################
2457# Pgbouncer (EE only)
2458# See [GitLab PgBouncer documentation](http://docs.gitlab.com/omnibus/settings/database.html#enabling-pgbouncer-ee-only)
2459# See the [PgBouncer page](https://pgbouncer.github.io/config.html) for details
2460################################################################################
2461# pgbouncer['enable'] = false
2462# pgbouncer['log_directory'] = '/var/log/gitlab/pgbouncer'
2463# pgbouncer['data_directory'] = '/var/opt/gitlab/pgbouncer'
2464# pgbouncer['env_directory'] = '/opt/gitlab/etc/pgbouncer/env'
2465# pgbouncer['env'] = {
2466# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
2467# }
2468# pgbouncer['listen_addr'] = '0.0.0.0'
2469# pgbouncer['listen_port'] = '6432'
2470# pgbouncer['pool_mode'] = 'transaction'
2471# pgbouncer['server_reset_query'] = 'DISCARD ALL'
2472# pgbouncer['application_name_add_host'] = '1'
2473# pgbouncer['max_client_conn'] = '2048'
2474# pgbouncer['default_pool_size'] = '100'
2475# pgbouncer['min_pool_size'] = '0'
2476# pgbouncer['reserve_pool_size'] = '5'
2477# pgbouncer['reserve_pool_timeout'] = '5.0'
2478# pgbouncer['server_round_robin'] = '0'
2479# pgbouncer['log_connections'] = '0'
2480# pgbouncer['server_idle_timeout'] = '30'
2481# pgbouncer['dns_max_ttl'] = '15.0'
2482# pgbouncer['dns_zone_check_period'] = '0'
2483# pgbouncer['dns_nxdomain_ttl'] = '15.0'
2484# pgbouncer['admin_users'] = %w(gitlab-psql postgres pgbouncer)
2485# pgbouncer['stats_users'] = %w(gitlab-psql postgres pgbouncer)
2486# pgbouncer['ignore_startup_parameters'] = 'extra_float_digits'
2487# pgbouncer['databases'] = {
2488# DATABASE_NAME: {
2489# host: HOSTNAME,
2490# port: PORT
2491# user: USERNAME,
2492# password: PASSWORD
2493###! generate this with `echo -n '$password + $username' | md5sum`
2494# }
2495# ...
2496# }
2497# pgbouncer['logfile'] = nil
2498# pgbouncer['unix_socket_dir'] = nil
2499# pgbouncer['unix_socket_mode'] = '0777'
2500# pgbouncer['unix_socket_group'] = nil
2501# pgbouncer['auth_type'] = 'md5'
2502# pgbouncer['auth_hba_file'] = nil
2503# pgbouncer['auth_query'] = 'SELECT username, password FROM public.pg_shadow_lookup($1)'
2504# pgbouncer['users'] = {
2505# {
2506# name: USERNAME,
2507# password: MD5_PASSWORD_HASH
2508# }
2509# }
2510# postgresql['pgbouncer_user'] = nil
2511# postgresql['pgbouncer_user_password'] = nil
2512# pgbouncer['server_reset_query_always'] = 0
2513# pgbouncer['server_check_query'] = 'select 1'
2514# pgbouncer['server_check_delay'] = 30
2515# pgbouncer['max_db_connections'] = nil
2516# pgbouncer['max_user_connections'] = nil
2517# pgbouncer['syslog'] = 0
2518# pgbouncer['syslog_facility'] = 'daemon'
2519# pgbouncer['syslog_ident'] = 'pgbouncer'
2520# pgbouncer['log_disconnections'] = 1
2521# pgbouncer['log_pooler_errors'] = 1
2522# pgbouncer['stats_period'] = 60
2523# pgbouncer['verbose'] = 0
2524# pgbouncer['server_lifetime'] = 3600
2525# pgbouncer['server_connect_timeout'] = 15
2526# pgbouncer['server_login_retry'] = 15
2527# pgbouncer['query_timeout'] = 0
2528# pgbouncer['query_wait_timeout'] = 120
2529# pgbouncer['client_idle_timeout'] = 0
2530# pgbouncer['client_login_timeout'] = 60
2531# pgbouncer['autodb_idle_timeout'] = 3600
2532# pgbouncer['suspend_timeout'] = 10
2533# pgbouncer['idle_transaction_timeout'] = 0
2534# pgbouncer['pkt_buf'] = 4096
2535# pgbouncer['listen_backlog'] = 128
2536# pgbouncer['sbuf_loopcnt'] = 5
2537# pgbouncer['max_packet_size'] = 2147483647
2538# pgbouncer['tcp_defer_accept'] = 0
2539# pgbouncer['tcp_socket_buffer'] = 0
2540# pgbouncer['tcp_keepalive'] = 1
2541# pgbouncer['tcp_keepcnt'] = 0
2542# pgbouncer['tcp_keepidle'] = 0
2543# pgbouncer['tcp_keepintvl'] = 0
2544# pgbouncer['disable_pqexec'] = 0
2545
2546## Pgbouncer client TLS options
2547# pgbouncer['client_tls_sslmode'] = 'disable'
2548# pgbouncer['client_tls_ca_file'] = nil
2549# pgbouncer['client_tls_key_file'] = nil
2550# pgbouncer['client_tls_cert_file'] = nil
2551# pgbouncer['client_tls_protocols'] = 'all'
2552# pgbouncer['client_tls_dheparams'] = 'auto'
2553# pgbouncer['client_tls_ecdhcurve'] = 'auto'
2554#
2555## Pgbouncer server TLS options
2556# pgbouncer['server_tls_sslmode'] = 'disable'
2557# pgbouncer['server_tls_ca_file'] = nil
2558# pgbouncer['server_tls_key_file'] = nil
2559# pgbouncer['server_tls_cert_file'] = nil
2560# pgbouncer['server_tls_protocols'] = 'all'
2561# pgbouncer['server_tls_ciphers'] = 'fast'
2562
2563################################################################################
2564# Repmgr (EE only)
2565################################################################################
2566# repmgr['enable'] = false
2567# repmgr['cluster'] = 'gitlab_cluster'
2568# repmgr['database'] = 'gitlab_repmgr'
2569# repmgr['host'] = nil
2570# repmgr['node_number'] = nil
2571# repmgr['port'] = 5432
2572# repmgr['trust_auth_cidr_addresses'] = []
2573# repmgr['username'] = 'gitlab_repmgr'
2574# repmgr['sslmode'] = 'prefer'
2575# repmgr['sslcompression'] = 0
2576# repmgr['failover'] = 'automatic'
2577# repmgr['log_directory'] = '/var/log/gitlab/repmgrd'
2578# repmgr['node_name'] = nil
2579# repmgr['pg_bindir'] = '/opt/gitlab/embedded/bin'
2580# repmgr['service_start_command'] = '/opt/gitlab/bin/gitlab-ctl start postgresql'
2581# repmgr['service_stop_command'] = '/opt/gitlab/bin/gitlab-ctl stop postgresql'
2582# repmgr['service_reload_command'] = '/opt/gitlab/bin/gitlab-ctl hup postgresql'
2583# repmgr['service_restart_command'] = '/opt/gitlab/bin/gitlab-ctl restart postgresql'
2584# repmgr['service_promote_command'] = nil
2585# repmgr['promote_command'] = '/opt/gitlab/embedded/bin/repmgr standby promote -f /var/opt/gitlab/postgresql/repmgr.conf'
2586# repmgr['follow_command'] = '/opt/gitlab/embedded/bin/repmgr standby follow -f /var/opt/gitlab/postgresql/repmgr.conf'
2587
2588# repmgr['upstream_node'] = nil
2589# repmgr['use_replication_slots'] = false
2590# repmgr['loglevel'] = 'INFO'
2591# repmgr['logfacility'] = 'STDERR'
2592# repmgr['logfile'] = nil
2593
2594# repmgr['event_notification_command'] = nil
2595# repmgr['event_notifications'] = nil
2596
2597# repmgr['rsync_options'] = nil
2598# repmgr['ssh_options'] = nil
2599# repmgr['priority'] = nil
2600#
2601# HA setting to specify if a node should attempt to be master on initialization
2602# repmgr['master_on_initialization'] = true
2603
2604# repmgr['retry_promote_interval_secs'] = 300
2605# repmgr['witness_repl_nodes_sync_interval_secs'] = 15
2606# repmgr['reconnect_attempts'] = 6
2607# repmgr['reconnect_interval'] = 10
2608# repmgr['monitor_interval_secs'] = 2
2609# repmgr['master_response_timeout'] = 60
2610# repmgr['daemon'] = true
2611# repmgrd['enable'] = true
2612
2613################################################################################
2614# Patroni (EE only)
2615#
2616# NOTICE: Patroni is an experimental feature and subject to change.
2617#
2618################################################################################
2619# patroni['enable'] = false
2620
2621# patroni['dir'] = '/var/opt/gitlab/patroni'
2622# patroni['data_dir'] = '/var/opt/gitlab/patroni/data'
2623# patroni['ctl_command'] = '/opt/gitlab/embedded/bin/patronictl'
2624
2625## Patroni dynamic configuration settings
2626# patroni['loop_wait'] = 10
2627# patroni['ttl'] = 30
2628# patroni['retry_timeout'] = 10
2629# patroni['maximum_lag_on_failover'] = 1_048_576
2630# patroni['max_timelines_history'] = 0
2631# patroni['master_start_timeout'] = 300
2632# patroni['use_pg_rewind'] = true
2633# patroni['remove_data_directory_on_rewind_failure'] = false
2634# patroni['remove_data_directory_on_diverged_timelines'] = false
2635# patroni['use_slots'] = true
2636# patroni['replication_password'] = nil
2637# patroni['replication_slots'] = {}
2638
2639## Standby cluster replication settings
2640# patroni['standby_cluster']['enable'] = false
2641# patroni['standby_cluster']['host'] = nil
2642# patroni['standby_cluster']['port'] = 5432
2643# patroni['standby_cluster']['primary_slot_name'] = nil
2644
2645## Global/Universal settings
2646# patroni['scope'] = 'gitlab-postgresql-ha'
2647# patroni['name'] = nil
2648
2649## Log settings
2650# patroni['log_directory'] = '/var/log/gitlab/patroni'
2651# patroni['log_level'] = 'INFO'
2652
2653## Consul specific settings
2654# patroni['consul']['url'] = 'http://127.0.0.1:8500'
2655# patroni['consul']['service_check_interval'] = '10s'
2656# patroni['consul']['register_service'] = true
2657# patroni['consul']['checks'] = []
2658
2659## PostgreSQL configuration override
2660# patroni['postgresql']['hot_standby'] = 'on'
2661
2662## The following must hold the same values on all nodes.
2663## Leave unassined to use PostgreSQL's default values.
2664# patroni['postgresql']['wal_level'] = 'replica'
2665# patroni['postgresql']['wal_log_hints'] = 'on'
2666# patroni['postgresql']['max_worker_processes'] = 8
2667# patroni['postgresql']['max_locks_per_transaction'] = 64
2668# patroni['postgresql']['max_connections'] = 200
2669# patroni['postgresql']['checkpoint_timeout'] = 30
2670
2671## The following can hold different values on all nodes.
2672## Leave unassined to use PostgreSQL's default values.
2673# patroni['postgresql']['wal_keep_segments'] = 8
2674# patroni['postgresql']['max_wal_senders'] = 5
2675# patroni['postgresql']['max_replication_slots'] = 5
2676
2677## Permanent replication slots for Streaming Replication
2678# patroni['replication_slots'] = {
2679# 'geo_secondary' => { 'type' => 'physical' }
2680# }
2681
2682## The address and port that Patroni API binds to and listens on.
2683# patroni['listen_address'] = nil
2684# patroni['port'] = '8008'
2685
2686## The address of the Patroni node that is advertized to other cluster
2687## members to communicate with its API and PostgreSQL. If it is not specified,
2688## it tries to use the first available private IP and falls back to the default
2689## network interface.
2690# patroni['connect_address'] = nil
2691
2692## The port that Patroni API responds to other cluster members. This port is
2693## advertized and by default is the same as patroni['port'].
2694# patroni['connect_port'] = '8008'
2695
2696
2697################################################################################
2698# Consul (EEP only)
2699################################################################################
2700# consul['enable'] = false
2701# consul['dir'] = '/var/opt/gitlab/consul'
2702# consul['username'] = 'gitlab-consul'
2703# consul['group'] = 'gitlab-consul'
2704# consul['config_file'] = '/var/opt/gitlab/consul/config.json'
2705# consul['config_dir'] = '/var/opt/gitlab/consul/config.d'
2706# consul['data_dir'] = '/var/opt/gitlab/consul/data'
2707# consul['log_directory'] = '/var/log/gitlab/consul'
2708# consul['env_directory'] = '/opt/gitlab/etc/consul/env'
2709# consul['env'] = {
2710# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
2711# }
2712# consul['monitoring_service_discovery'] = false
2713# consul['node_name'] = nil
2714# consul['script_directory'] = '/var/opt/gitlab/consul/scripts'
2715# consul['configuration'] = {
2716# 'client_addr' => nil,
2717# 'datacenter' => 'gitlab_consul',
2718# 'enable_script_checks' => true,
2719# 'server' => false
2720# }
2721# consul['services'] = []
2722# consul['service_config'] = {
2723# 'postgresql' => {
2724# 'service' => {
2725# 'name' => "postgresql",
2726# 'address' => '',
2727# 'port' => 5432,
2728# 'checks' => [
2729# {
2730# 'script' => "/var/opt/gitlab/consul/scripts/check_postgresql",
2731# 'interval' => "10s"
2732# }
2733# ]
2734# }
2735# }
2736# }
2737# consul['watchers'] = {
2738# 'postgresql' => {
2739# enable: false,
2740# handler: 'failover_pgbouncer'
2741# }
2742# }
2743################################################################################
2744# Service desk email settings (EEP only)
2745################################################################################
2746### Service desk email
2747###! Allow users to create new service desk issues by sending an email to
2748###! service desk address.
2749###! Docs: https://docs.gitlab.com/ee/administration/reply_by_email.html
2750# gitlab_rails['service_desk_email_enabled'] = false
2751
2752#### Service Desk Mailbox Settings (via `mail_room`)
2753#### Service Desk Email Address
2754####! The email address including the `%{key}` placeholder that will be replaced
2755####! to reference the item being replied to.
2756####! **The placeholder can be omitted but if present, it must appear in the
2757####! "user" part of the address (before the `@`).**
2758# gitlab_rails['service_desk_email_address'] = "contact_project+%{key}@gmail.com"
2759
2760#### Service Desk Email account username
2761####! **With third party providers, this is usually the full email address.**
2762####! **With self-hosted email servers, this is usually the user part of the
2763####! email address.**
2764# gitlab_rails['service_desk_email_email'] = "contact_project@gmail.com"
2765
2766#### Service Desk Email account password
2767# gitlab_rails['service_desk_email_password'] = "[REDACTED]"
2768
2769####! The mailbox where service desk mail will end up. Usually "inbox".
2770# gitlab_rails['service_desk_email_mailbox_name'] = "inbox"
2771####! The IDLE command timeout.
2772# gitlab_rails['service_desk_email_idle_timeout'] = 60
2773####! The file name for internal `mail_room` JSON logfile
2774# gitlab_rails['service_desk_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log"
2775
2776#### Service Desk IMAP Settings
2777# gitlab_rails['service_desk_email_host'] = "imap.gmail.com"
2778# gitlab_rails['service_desk_email_port'] = 993
2779# gitlab_rails['service_desk_email_ssl'] = true
2780# gitlab_rails['service_desk_email_start_tls'] = false
2781