
Mercurial > infra / changeset: forcing vc move to ec2

changeset 93: e0487b8a118f
parent 92: 9211d38aca7e
child 94: 716dfa7f1a31
author: Richard Westhaver <ellis@rwest.io>
date: Thu, 11 Jan 2024 19:08:58 -0500
files: etc/gitlab/config.yml etc/gitlab/gitlab.yml etc/heptapod.hgrc etc/systemd/hgitaly.service etc/systemd/rhgitaly.service scripts/find-heptapod.sh
description: forcing vc move to ec2
     2.1--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2+++ b/etc/gitlab/gitlab.yml	Thu Jan 11 19:08:58 2024 -0500
     2.3@@ -0,0 +1,1692 @@
     2.4+# # # # # # # # # # # # # # # # # #
     2.5+# GitLab application config file  #
     2.6+# # # # # # # # # # # # # # # # # #
     2.7+#
     2.8+###########################  NOTE  #####################################
     2.9+# This file should not receive new settings. All configuration options #
    2.10+# * are being moved to ApplicationSetting model!                       #
    2.11+# If a setting requires an application restart say so in that screen.  #
    2.12+# If you change this file in a merge request, please also create       #
    2.13+# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #
    2.14+# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md #
    2.15+# Be sure to create a MR against the GDK configuration                 #
    2.16+# file (https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/support/templates/gitlab/config/gitlab.yml.erb) too. #
    2.17+########################################################################
    2.18+#
    2.19+#
    2.20+# How to use:
    2.21+# 1. Copy file as gitlab.yml
    2.22+# 2. Update gitlab -> host with your fully qualified domain name
    2.23+# 3. Update gitlab -> email_from
    2.24+# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
    2.25+#    IMPORTANT: If Git was installed in a different location use that instead.
    2.26+#    You can check with `which git`. If a wrong path of Git is specified, it will
    2.27+#     result in various issues such as failures of GitLab CI builds.
    2.28+# 5. Review this configuration file for other settings you may want to adjust
    2.29+
    2.30+production: &base
    2.31+  #
    2.32+  # 1. GitLab app settings
    2.33+  # ==========================
    2.34+
    2.35+  ## GitLab settings
    2.36+  gitlab:
    2.37+    ## Web server settings (note: host is the FQDN, do not include http://)
    2.38+    host: localhost
    2.39+    port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    2.40+    https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    2.41+
    2.42+    # Uncomment this line if you want to configure the Rails asset host for a CDN.
    2.43+    # cdn_host: localhost
    2.44+
    2.45+    # The maximum time Puma can spend on the request. This needs to be smaller than the worker timeout.
    2.46+    # Default is 95% of the worker timeout
    2.47+    max_request_duration_seconds: 57
    2.48+
    2.49+    # Uncomment this line below if your ssh host is different from HTTP/HTTPS one
    2.50+    # (you'd obviously need to replace ssh.host_example.com with your own host).
    2.51+    # Otherwise, ssh host will be set to the `host:` value above
    2.52+    # ssh_host: ssh.host_example.com
    2.53+
    2.54+    # Relative URL support
    2.55+    # WARNING: We recommend using an FQDN to host GitLab in a root path instead
    2.56+    # of using a relative URL.
    2.57+    # Documentation: http://doc.gitlab.com/ce/install/relative_url.html
    2.58+    # Uncomment and customize the following line to run in a non-root path
    2.59+    #
    2.60+    # relative_url_root: /gitlab
    2.61+
    2.62+    # Content Security Policy
    2.63+    # See https://guides.rubyonrails.org/security.html#content-security-policy
    2.64+    content_security_policy:
    2.65+      enabled: true
    2.66+      report_only: false
    2.67+      directives:
    2.68+        base_uri:
    2.69+        child_src:
    2.70+        connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
    2.71+        default_src: "'self'"
    2.72+        font_src:
    2.73+        form_action:
    2.74+        frame_ancestors: "'self'"
    2.75+        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
    2.76+        img_src: "* data: blob:"
    2.77+        manifest_src:
    2.78+        media_src:
    2.79+        object_src: "'none'"
    2.80+        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
    2.81+        style_src: "'self' 'unsafe-inline'"
    2.82+        worker_src: "'self' blob:"
    2.83+        report_uri:
    2.84+
    2.85+    allowed_hosts: []
    2.86+
    2.87+    # Trusted Proxies
    2.88+    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    2.89+    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    2.90+    trusted_proxies:
    2.91+      # Examples:
    2.92+      #- 192.168.1.0/24
    2.93+      #- 192.168.2.1
    2.94+      #- 2001:0db8::/32
    2.95+
    2.96+    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    2.97+    # user: git
    2.98+
    2.99+    ## Date & Time settings
   2.100+    # Uncomment and customize if you want to change the default time zone of GitLab application.
   2.101+    # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
   2.102+    # time_zone: 'UTC'
   2.103+
   2.104+    ## Email settings
   2.105+    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
   2.106+    # email_enabled: true
   2.107+    # Email address used in the "From" field in mails sent by GitLab
   2.108+    email_from: example@example.com
   2.109+    email_display_name: GitLab
   2.110+    email_reply_to: noreply@example.com
   2.111+    email_subject_suffix: ''
   2.112+    email_smime:
   2.113+      # Uncomment and set to true if you need to enable email S/MIME signing (default: false)
   2.114+      # enabled: false
   2.115+      # S/MIME private key file in PEM format, unencrypted
   2.116+      # Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app).
   2.117+      # key_file: /home/git/gitlab/.gitlab_smime_key
   2.118+      # S/MIME public certificate key in PEM format, will be attached to signed messages
   2.119+      # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app).
   2.120+      # cert_file: /home/git/gitlab/.gitlab_smime_cert
   2.121+      # S/MIME extra CA public certificates in PEM format, will be attached to signed messages
   2.122+      # Optional
   2.123+      # ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs
   2.124+
   2.125+    # Email server smtp settings are in config/initializers/smtp_settings.rb.sample
   2.126+    # File location to read encrypted SMTP secrets from
   2.127+    # email_smtp_secret_file: /mnt/gitlab/smtp.yaml.enc # Default: shared/encrypted_settings/smtp.yaml.enc
   2.128+
   2.129+    # default_can_create_group: false  # default: true
   2.130+    # username_changing_enabled: false # default: true - User can change their username/namespace
   2.131+    ## Default theme ID
   2.132+    ##   1 - Indigo
   2.133+    ##   2 - Gray
   2.134+    ##   3 - Light Gray
   2.135+    ##   4 - Blue
   2.136+    ##   5 - Green
   2.137+    ##   6 - Light Indigo
   2.138+    ##   7 - Light Blue
   2.139+    ##   8 - Light Green
   2.140+    ##   9 - Red
   2.141+    ##   10 - Light Red
   2.142+    ##   11 - Dark Mode (alpha)
   2.143+    # default_theme: 1 # default: 1
   2.144+
   2.145+    ## Automatic issue closing
   2.146+    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
   2.147+    # This happens when the commit is pushed or merged into the default branch of a project.
   2.148+    # When not specified the default issue_closing_pattern as specified below will be used.
   2.149+    # Tip: you can test your closing pattern at http://rubular.com.
   2.150+    # issue_closing_pattern: '\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
   2.151+
   2.152+    ## Default project features settings
   2.153+    default_projects_features:
   2.154+      issues: true
   2.155+      merge_requests: true
   2.156+      wiki: true
   2.157+      snippets: true
   2.158+      builds: true
   2.159+      container_registry: true
   2.160+
   2.161+    ## Webhook settings
   2.162+    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
   2.163+    # webhook_timeout: 10
   2.164+
   2.165+    ### GraphQL Settings
   2.166+    # Tells the rails application how long it has to complete a GraphQL request.
   2.167+    # We suggest this value to be higher than the database timeout value
   2.168+    # and lower than the worker timeout set in Puma. (default: 30)
   2.169+    # graphql_timeout: 30
   2.170+
   2.171+    ## Repository downloads directory
   2.172+    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
   2.173+    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
   2.174+    # repository_downloads_path: shared/cache/archive/
   2.175+
   2.176+    ## Impersonation settings
   2.177+    impersonation_enabled: true
   2.178+
   2.179+    ## Disable jQuery and CSS animations
   2.180+    # disable_animations: true
   2.181+
   2.182+    ## Application settings cache expiry in seconds (default: 60)
   2.183+    # application_settings_cache_seconds: 60
   2.184+
   2.185+    ## Print initial root password to stdout during initialization (default: false)
   2.186+    # WARNING: setting this to true means that the root password will be printed in
   2.187+    # plaintext. This can be a security risk.
   2.188+    # display_initial_root_password: false
   2.189+
   2.190+  # Allows delivery of emails using Microsoft Graph API with OAuth 2.0 client credentials flow.
   2.191+  microsoft_graph_mailer:
   2.192+    enabled: false
   2.193+    # The unique identifier for the user. To use Microsoft Graph on behalf of the user.
   2.194+    # user_id: "YOUR-USER-ID"
   2.195+    # The directory tenant the application plans to operate against, in GUID or domain-name format.
   2.196+    # tenant: "YOUR-TENANT-ID"
   2.197+    # The application ID that's assigned to your app. You can find this information in the portal where you registered your app.
   2.198+    # client_id: "YOUR-CLIENT-ID"
   2.199+    # The client secret that you generated for your app in the app registration portal.
   2.200+    # client_secret: "YOUR-CLIENT-SECRET-ID"
   2.201+    # Defaults to "https://login.microsoftonline.com".
   2.202+    # azure_ad_endpoint:
   2.203+    # Defaults to "https://graph.microsoft.com".
   2.204+    # graph_endpoint:
   2.205+
   2.206+  ## Reply by email
   2.207+  # Allow users to comment on issues and merge requests by replying to notification emails.
   2.208+  # For documentation on how to set this up, see https://docs.gitlab.com/ee/administration/reply_by_email.html
   2.209+  incoming_email:
   2.210+    enabled: false
   2.211+
   2.212+    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
   2.213+    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
   2.214+    # Please be aware that a placeholder is required for the Service Desk feature to work.
   2.215+    address: "gitlab-incoming+%{key}@gmail.com"
   2.216+
   2.217+    # Email account username
   2.218+    # With third party providers, this is usually the full email address.
   2.219+    # With self-hosted email servers, this is usually the user part of the email address.
   2.220+    user: "gitlab-incoming@gmail.com"
   2.221+    # Email account password
   2.222+    password: "[REDACTED]"
   2.223+
   2.224+    # IMAP server host
   2.225+    host: "imap.gmail.com"
   2.226+    # IMAP server port
   2.227+    port: 993
   2.228+    # Whether the IMAP server uses SSL
   2.229+    ssl: true
   2.230+    # Whether the IMAP server uses StartTLS
   2.231+    start_tls: false
   2.232+
   2.233+    # The mailbox where incoming mail will end up. Usually "inbox".
   2.234+    mailbox: "inbox"
   2.235+    # The IDLE command timeout.
   2.236+    idle_timeout: 60
   2.237+    # The log file path for the structured log file.
   2.238+    # Since `mail_room` is run independently of Rails, an absolute path is preferred.
   2.239+    # The default is 'log/mail_room_json.log' relative to the root of the Rails app.
   2.240+    #
   2.241+    # log_path: log/mail_room_json.log
   2.242+
   2.243+    # If you are using Microsoft Graph instead of IMAP, set this to false to retain
   2.244+    # messages in the inbox since deleted messages are auto-expunged after some time.
   2.245+    delete_after_delivery: true
   2.246+
   2.247+    # Whether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after delivery
   2.248+    # Only applies to IMAP. Microsoft Graph will auto-expunge any deleted messages.
   2.249+    expunge_deleted: false
   2.250+
   2.251+    # For Microsoft Graph support
   2.252+    # inbox_method: microsoft_graph
   2.253+    # inbox_options:
   2.254+    #   tenant_id: "YOUR-TENANT-ID"
   2.255+    #   client_id: "YOUR-CLIENT-ID"
   2.256+    #   client_secret: "YOUR-CLIENT-SECRET"
   2.257+
   2.258+    # How mailroom delivers email content to Rails. There are two methods at the moment:
   2.259+    # - sidekiq: mailroom pushes the email content to Sidekiq directly. This job
   2.260+    # is then picked up by Sidekiq.
   2.261+    # - webhook: mailroom triggers a HTTP POST request to Rails web server. The
   2.262+    # content is embedded into the request body.
   2.263+    # Default is sidekiq.
   2.264+    # delivery_method: sidekiq
   2.265+
   2.266+    # When the delivery method is webhook, those configs tell the url that
   2.267+    # mailroom can contact to. Note that the combined url must not end with "/".
   2.268+    # At the moment, the webhook delivery method doesn't support HTTP/HTTPs via
   2.269+    # UNIX socket.
   2.270+    # gitlab_url: "http://gitlab.example"
   2.271+
   2.272+    # When the delivery method is webhook, this config is the file that
   2.273+    # contains the shared secret key for verifying access for mailroom's
   2.274+    # incoming_email.
   2.275+    # Default is '.gitlab_mailroom_secret' relative to Rails.root (i.e. root of the GitLab app).
   2.276+    # secret_file: /home/git/gitlab/.gitlab_mailroom_secret
   2.277+
   2.278+    # File location to read encrypted incoming email secrets from
   2.279+    # encrypted_secret_file: /mnt/gitlab/smtp.yaml.enc
   2.280+    # Default: shared/encrypted_settings/incoming_email.yaml.enc
   2.281+
   2.282+  ## Consolidated object store config
   2.283+  ## This will only take effect if the object_store sections are not defined
   2.284+  ## within the types (e.g. artifacts, lfs, etc.).
   2.285+  # object_store:
   2.286+  #   enabled: false
   2.287+  #   proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
   2.288+  #   connection:
   2.289+  #     provider: AWS # Only AWS supported at the moment
   2.290+  #     aws_access_key_id: AWS_ACCESS_KEY_ID
   2.291+  #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
   2.292+  #     region: us-east-1
   2.293+  #     aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
   2.294+  #     endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
   2.295+  #   storage_options:
   2.296+  #     server_side_encryption: AES256 # AES256, aws:kms
   2.297+  #     server_side_encryption_kms_key_id: # Amazon Resource Name. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
   2.298+  #   objects:
   2.299+  #     artifacts:
   2.300+  #       bucket: artifacts
   2.301+  #     external_diffs:
   2.302+  #       bucket: external-diffs
   2.303+  #     lfs:
   2.304+  #       bucket: lfs-objects
   2.305+  #     uploads:
   2.306+  #       bucket: uploads
   2.307+  #     packages:
   2.308+  #       bucket: packages
   2.309+  #     dependency_proxy:
   2.310+  #       bucket: dependency_proxy
   2.311+
   2.312+  ## Build Artifacts
   2.313+  artifacts:
   2.314+    enabled: true
   2.315+    # The location where build artifacts are stored (default: shared/artifacts).
   2.316+    # path: shared/artifacts
   2.317+    # object_store:
   2.318+    #   enabled: false
   2.319+    #   remote_directory: artifacts # The bucket name
   2.320+    #   proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
   2.321+    #   connection:
   2.322+    #     provider: AWS # Only AWS supported at the moment
   2.323+    #     aws_access_key_id: AWS_ACCESS_KEY_ID
   2.324+    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
   2.325+    #     region: us-east-1
   2.326+    #     aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
   2.327+    #     endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
   2.328+
   2.329+  ## Merge request external diff storage
   2.330+  external_diffs:
   2.331+    # If disabled (the default), the diffs are in-database. Otherwise, they can
   2.332+    # be stored on disk, or in object storage
   2.333+    enabled: false
   2.334+    # The location where external diffs are stored (default: shared/lfs-external-diffs).
   2.335+    # storage_path: shared/external-diffs
   2.336+    # object_store:
   2.337+    #   enabled: false
   2.338+    #   remote_directory: external-diffs
   2.339+    #   proxy_download: false
   2.340+    #   connection:
   2.341+    #     provider: AWS
   2.342+    #     aws_access_key_id: AWS_ACCESS_KEY_ID
   2.343+    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
   2.344+    #     region: us-east-1
   2.345+
   2.346+  ## Git LFS
   2.347+  lfs:
   2.348+    enabled: true
   2.349+    # The location where LFS objects are stored (default: shared/lfs-objects).
   2.350+    # storage_path: shared/lfs-objects
   2.351+    object_store:
   2.352+      enabled: false
   2.353+      remote_directory: lfs-objects # Bucket name
   2.354+      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
   2.355+      connection:
   2.356+        provider: AWS
   2.357+        aws_access_key_id: AWS_ACCESS_KEY_ID
   2.358+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
   2.359+        region: us-east-1
   2.360+        # Use the following options to configure an AWS compatible host
   2.361+        # host: 'localhost' # default: s3.amazonaws.com
   2.362+        # endpoint: 'http://127.0.0.1:9000' # default: nil
   2.363+        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
   2.364+        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
   2.365+
   2.366+  ## Uploads (attachments, avatars, etc...)
   2.367+  uploads:
   2.368+    # The location where uploads objects are stored (default: public/).
   2.369+    # storage_path: public/
   2.370+    # base_dir: uploads/-/system
   2.371+    object_store:
   2.372+      enabled: false
   2.373+      remote_directory: uploads # Bucket name
   2.374+      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
   2.375+      connection:
   2.376+        provider: AWS
   2.377+        aws_access_key_id: AWS_ACCESS_KEY_ID
   2.378+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
   2.379+        aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
   2.380+        region: us-east-1
   2.381+        # host: 'localhost' # default: s3.amazonaws.com
   2.382+        # endpoint: 'http://127.0.0.1:9000' # default: nil
   2.383+        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
   2.384+
   2.385+  ## Packages (maven repository, npm registry, etc...)
   2.386+  packages:
   2.387+    enabled: true
   2.388+    dpkg_deb_path: /usr/bin/dpkg-deb
   2.389+    # The location where build packages are stored (default: shared/packages).
   2.390+    # storage_path: shared/packages
   2.391+    object_store:
   2.392+      enabled: false
   2.393+      remote_directory: packages # The bucket name
   2.394+      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
   2.395+      connection:
   2.396+        provider: AWS
   2.397+        aws_access_key_id: AWS_ACCESS_KEY_ID
   2.398+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
   2.399+        region: us-east-1
   2.400+        # host: 'localhost' # default: s3.amazonaws.com
   2.401+        # endpoint: 'http://127.0.0.1:9000' # default: nil
   2.402+        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
   2.403+        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
   2.404+
   2.405+  ## Dependency Proxy
   2.406+  dependency_proxy:
   2.407+    enabled: true
   2.408+    # The location where build packages are stored (default: shared/dependency_proxy).
   2.409+    # storage_path: shared/dependency_proxy
   2.410+    object_store:
   2.411+      enabled: false
   2.412+      remote_directory: dependency_proxy # The bucket name
   2.413+      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
   2.414+      connection:
   2.415+        provider: AWS
   2.416+        aws_access_key_id: AWS_ACCESS_KEY_ID
   2.417+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
   2.418+        region: us-east-1
   2.419+        # host: 'localhost' # default: s3.amazonaws.com
   2.420+        # endpoint: 'http://127.0.0.1:9000' # default: nil
   2.421+        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
   2.422+        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
   2.423+
   2.424+  ## Terraform state
   2.425+  terraform_state:
   2.426+    enabled: true
   2.427+    # The location where Terraform state files are stored (default: shared/terraform_state).
   2.428+    # storage_path: shared/terraform_state
   2.429+    object_store:
   2.430+      enabled: false
   2.431+      remote_directory: terraform # The bucket name
   2.432+      connection:
   2.433+        provider: AWS
   2.434+        aws_access_key_id: AWS_ACCESS_KEY_ID
   2.435+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
   2.436+        region: us-east-1
   2.437+        # host: 'localhost' # default: s3.amazonaws.com
   2.438+        # endpoint: 'http://127.0.0.1:9000' # default: nil
   2.439+        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
   2.440+        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
   2.441+
   2.442+  ## CI Secure Files
   2.443+  ci_secure_files:
   2.444+    enabled: true
   2.445+    # storage_path: shared/ci_secure_files
   2.446+    object_store:
   2.447+      enabled: false
   2.448+      remote_directory: ci-secure-files # The bucket name
   2.449+      connection:
   2.450+        provider: AWS
   2.451+        aws_access_key_id: AWS_ACCESS_KEY_ID
   2.452+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
   2.453+        region: us-east-1
   2.454+        # host: 'localhost' # default: s3.amazonaws.com
   2.455+        # endpoint: 'http://127.0.0.1:9000' # default: nil
   2.456+        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
   2.457+        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
   2.458+
   2.459+  ## GitLab Pages
   2.460+  pages:
   2.461+    enabled: false
   2.462+    access_control: false
   2.463+    # The location where pages are stored (default: shared/pages).
   2.464+    # path: shared/pages
   2.465+
   2.466+    # The domain under which the pages are served:
   2.467+    # http://group.example.com/project
   2.468+    # or project path can be a group page: group.example.com
   2.469+    host: example.com
   2.470+    port: 80 # Set to 443 if you serve the pages with HTTPS
   2.471+    https: false # Set to true if you serve the pages with HTTPS
   2.472+    artifacts_server: true # Set to false if you want to disable online view of HTML artifacts
   2.473+    # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
   2.474+    # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
   2.475+
   2.476+    # File that contains the shared secret key for verifying access for gitlab-pages.
   2.477+    # Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app).
   2.478+    # secret_file: /home/git/gitlab/.gitlab_pages_secret
   2.479+    object_store:
   2.480+      enabled: false
   2.481+      remote_directory: pages # The bucket name
   2.482+      connection:
   2.483+        provider: AWS
   2.484+        aws_access_key_id: AWS_ACCESS_KEY_ID
   2.485+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
   2.486+        region: us-east-1
   2.487+    local_store:
   2.488+      enabled: true
   2.489+      # The location where pages are stored (default: shared/pages).
   2.490+      # path: shared/pages
   2.491+
   2.492+  ## Mattermost
   2.493+  ## For enabling Add to Mattermost button
   2.494+  mattermost:
   2.495+    enabled: false
   2.496+    host: 'https://mattermost.example.com'
   2.497+
   2.498+  ## Jira connect
   2.499+  ## To switch to a Jira connect development environment
   2.500+  jira_connect:
   2.501+    # atlassian_js_url: 'http://localhost:9292/atlassian.js'
   2.502+    # enforce_jira_base_url_https: false
   2.503+    # additional_iframe_ancestors: ['localhost:*']
   2.504+
   2.505+  ## Gravatar
   2.506+  ## If using gravatar.com, there's nothing to change here. For Libravatar
   2.507+  ## you'll need to provide the custom URLs. For more information,
   2.508+  ## see: https://docs.gitlab.com/ee/administration/libravatar.html
   2.509+  gravatar:
   2.510+    # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username}
   2.511+    # plain_url: "http://..."     # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
   2.512+    # ssl_url:   "https://..."    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
   2.513+
   2.514+  ## Sidekiq
   2.515+  sidekiq:
   2.516+    log_format: json # (text is the original format)
   2.517+    # An array of tuples indicating the rules for re-routing a worker to a
   2.518+    # desirable queue before scheduling. For example:
   2.519+    # routing_rules:
   2.520+    #   - ["resource_boundary=cpu", "cpu_boundary"]
   2.521+    #   - ["feature_category=pages", null]
   2.522+    #   - ["*", "default"]
   2.523+
   2.524+  ## Auxiliary jobs
   2.525+  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
   2.526+  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
   2.527+  cron_jobs:
   2.528+    # Interval, in seconds, for each Sidekiq process to check for scheduled cron jobs that need to be enqueued. If not
   2.529+    # set, the interval scales dynamically with the number of Sidekiq processes. If set to 0, disable polling for cron
   2.530+    # jobs entirely.
   2.531+    # poll_interval: 30
   2.532+
   2.533+    # Flag stuck CI jobs as failed
   2.534+    stuck_ci_jobs_worker:
   2.535+      cron: "0 * * * *"
   2.536+    # Execute scheduled triggers
   2.537+    pipeline_schedule_worker:
   2.538+      cron: "3-59/10 * * * *"
   2.539+    # Remove expired build artifacts
   2.540+    expire_build_artifacts_worker:
   2.541+      cron: "*/7 * * * *"
   2.542+    # Remove expired pipeline artifacts
   2.543+    ci_pipelines_expire_artifacts_worker:
   2.544+      cron: "*/23 * * * *"
   2.545+    # Remove files from object storage
   2.546+    ci_schedule_delete_objects_worker:
   2.547+      cron: "*/16 * * * *"
   2.548+    # Stop expired environments
   2.549+    environments_auto_stop_cron_worker:
   2.550+      cron: "24 * * * *"
   2.551+    # Delete stopped environments
   2.552+    environments_auto_delete_cron_worker:
   2.553+      cron: "34 * * * *"
   2.554+    # Periodically run 'git fsck' on all repositories. If started more than
   2.555+    # once per hour you will have concurrent 'git fsck' jobs.
   2.556+    repository_check_worker:
   2.557+      cron: "20 * * * *"
   2.558+    # Archive live traces which have not been archived yet
   2.559+    ci_archive_traces_cron_worker:
   2.560+      cron: "17 * * * *"
   2.561+    # Send admin emails once a week
   2.562+    admin_email_worker:
   2.563+      cron: "0 0 * * 0"
   2.564+    # Send emails for personal tokens which are about to expire
   2.565+    personal_access_tokens_expiring_worker:
   2.566+      cron: "0 1 * * *"
   2.567+
   2.568+    # Remove outdated repository archives
   2.569+    repository_archive_cache_worker:
   2.570+      cron: "0 * * * *"
   2.571+
   2.572+    # Verify custom GitLab Pages domains
   2.573+    pages_domain_verification_cron_worker:
   2.574+      cron: "*/15 * * * *"
   2.575+
   2.576+    # Periodically migrate diffs from the database to external storage
   2.577+    schedule_migrate_external_diffs_worker:
   2.578+      cron: "15 * * * *"
   2.579+
   2.580+    # Update CI Platform Metrics daily
   2.581+    ci_platform_metrics_update_cron_worker:
   2.582+      cron: "47 9 * * *"
   2.583+
   2.584+    # Periodically update ci_runner_versions table with up-to-date versions and status.
   2.585+    ci_runner_versions_reconciliation_worker:
   2.586+      cron: "@daily"
   2.587+
   2.588+    # Periodically clean up stale runner machines.
   2.589+    ci_runners_stale_machines_cleanup_worker:
   2.590+      cron: "36 * * * *"
   2.591+
   2.592+  # GitLab EE only jobs. These jobs are automatically enabled for an EE
   2.593+  # installation, and ignored for a CE installation.
   2.594+  ee_cron_jobs:
   2.595+    # Schedule snapshots for all devops adoption segments
   2.596+    analytics_devops_adoption_create_all_snapshots_worker:
   2.597+      cron: 0 0 1 * *
   2.598+
   2.599+    # Snapshot active users statistics
   2.600+    historical_data_worker:
   2.601+      cron: "0 12 * * *"
   2.602+
   2.603+    # In addition to refreshing users when they log in,
   2.604+    # periodically refresh LDAP users membership.
   2.605+    # NOTE: This will only take effect if LDAP is enabled
   2.606+    ldap_sync_worker:
   2.607+      cron: "30 1 * * *"
   2.608+
   2.609+    # Periodically refresh LDAP groups membership.
   2.610+    # NOTE: This will only take effect if LDAP is enabled
   2.611+    ldap_group_sync_worker:
   2.612+      cron: "0 * * * *"
   2.613+
   2.614+    # GitLab Geo metrics update worker
   2.615+    # NOTE: This will only take effect if Geo is enabled
   2.616+    geo_metrics_update_worker:
   2.617+      cron: "*/1 * * * *"
   2.618+
   2.619+    # GitLab Geo prune event log worker
   2.620+    # NOTE: This will only take effect if Geo is enabled (primary node only)
   2.621+    geo_prune_event_log_worker:
   2.622+      cron: "*/5 * * * *"
   2.623+
   2.624+    # GitLab Geo repository sync worker
   2.625+    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
   2.626+    geo_repository_sync_worker:
   2.627+      cron: "*/1 * * * *"
   2.628+
   2.629+    # GitLab Geo registry backfill worker
   2.630+    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
   2.631+    geo_secondary_registry_consistency_worker:
   2.632+      cron: "* * * * *"
   2.633+
   2.634+    # GitLab Geo blob registry sync worker (for backfilling)
   2.635+    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
   2.636+    geo_registry_sync_worker:
   2.637+      cron: "*/1 * * * *"
   2.638+
   2.639+    # GitLab Geo repository registry sync worker (for backfilling)
   2.640+    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
   2.641+    geo_repository_registry_sync_worker:
   2.642+      cron: "*/1 * * * *"
   2.643+
   2.644+    # Elasticsearch bulk updater for incremental updates.
   2.645+    # NOTE: This will only take effect if elasticsearch is enabled.
   2.646+    elastic_index_bulk_cron_worker:
   2.647+      cron: "*/1 * * * *"
   2.648+
   2.649+    # Elasticsearch bulk updater for initial updates.
   2.650+    # NOTE: This will only take effect if elasticsearch is enabled.
   2.651+    elastic_index_initial_bulk_cron_worker:
   2.652+      cron: "*/1 * * * *"
   2.653+
   2.654+    # Elasticsearch reindexing worker
   2.655+    # NOTE: This will only take effect if elasticsearch is enabled.
   2.656+    elastic_index_initial_bulk_cron_worker:
   2.657+      cron: "*/10 * * * *"
   2.658+
   2.659+    # Periodically prune stale runners from namespaces having opted-in.
   2.660+    ci_runners_stale_group_runners_prune_worker_cron:
   2.661+      cron: "30 * * * *"
   2.662+
   2.663+    # Periodically queue syncing of finished builds from p_ci_finished_build_ch_sync_events to ClickHouse
   2.664+    click_house_ci_finished_builds_sync_worker:
   2.665+      cron: "*/3 * * * *"
   2.666+
   2.667+  registry:
   2.668+    # enabled: true
   2.669+    # host: registry.example.com
   2.670+    # port: 5005
   2.671+    # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
   2.672+    # key: config/registry.key
   2.673+    # path: shared/registry
   2.674+    # issuer: gitlab-issuer
   2.675+    # notification_secret: '' # only set it when you use Geo replication feature without built-in Registry
   2.676+
   2.677+    # Add notification settings if you plan to use Geo Replication for the registry
   2.678+    # notifications:
   2.679+    # - name: geo_event
   2.680+    #   url: https://example.com/api/v4/container_registry_event/events
   2.681+    #   timeout: 2s
   2.682+    #   threshold: 5
   2.683+    #   backoff: 1s
   2.684+    #   headers:
   2.685+    #     Authorization: secret_phrase
   2.686+
   2.687+  ## Error Reporting and Logging with Sentry
   2.688+  sentry:
   2.689+    # enabled: false
   2.690+    # dsn: https://<key>@sentry.io/<project>
   2.691+    # clientside_dsn: https://<key>@sentry.io/<project>
   2.692+    # environment: 'production' # e.g. development, staging, production
   2.693+
   2.694+  ## Geo
   2.695+  # NOTE: These settings will only take effect if Geo is enabled
   2.696+  geo:
   2.697+    # This is an optional identifier which Geo nodes can use to identify themselves.
   2.698+    # For example, if external_url is the same for two secondaries, you must specify
   2.699+    # a unique Geo node name for those secondaries.
   2.700+    #
   2.701+    # If it is blank, it defaults to external_url.
   2.702+    node_name: ''
   2.703+
   2.704+    registry_replication:
   2.705+      # enabled: true
   2.706+      # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API
   2.707+
   2.708+  ## Feature Flag https://docs.gitlab.com/ee/operations/feature_flags.html
   2.709+  feature_flags:
   2.710+    unleash:
   2.711+      # enabled: false
   2.712+      # url: https://gitlab.com/api/v4/feature_flags/unleash/<project_id>
   2.713+      # app_name: gitlab.com # Environment name of your GitLab instance
   2.714+      # instance_id: INSTANCE_ID
   2.715+
   2.716+  #
   2.717+  # 2. GitLab CI settings
   2.718+  # ==========================
   2.719+
   2.720+  gitlab_ci:
   2.721+    # Default project notifications settings:
   2.722+
   2.723+    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
   2.724+    # builds_path: builds/
   2.725+
   2.726+  #
   2.727+  # 3. Auth settings
   2.728+  # ==========================
   2.729+
   2.730+  ## LDAP settings
   2.731+  # You can test connections and inspect a sample of the LDAP users with login
   2.732+  # access by running:
   2.733+  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
   2.734+  ldap:
   2.735+    enabled: false
   2.736+    prevent_ldap_sign_in: false
   2.737+
   2.738+    # File location to read encrypted secrets from
   2.739+    # secret_file: /mnt/gitlab/ldap.yaml.enc # Default: shared/encrypted_settings/ldap.yaml.enc
   2.740+
   2.741+    # This setting controls the number of seconds between LDAP permission checks
   2.742+    # for each user. After this time has expired for a given user, their next
   2.743+    # interaction with GitLab (a click in the web UI, a git pull, etc.) will be
   2.744+    # slower because the LDAP permission check is being performed. How much
   2.745+    # slower depends on your LDAP setup, but it is not uncommon for this check
   2.746+    # to add seconds of waiting time. The default value is to have a "slow
   2.747+    # click" once every 3600 seconds (i.e., once per hour).
   2.748+    #
   2.749+    # Warning: if you set this value too low, every click in GitLab will be a
   2.750+    # "slow click" for all of your LDAP users.
   2.751+    # sync_time: 3600
   2.752+
   2.753+    servers:
   2.754+      ##########################################################################
   2.755+      #
   2.756+      # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
   2.757+      # Enterprise Edition now supports connecting to multiple LDAP servers.
   2.758+      #
   2.759+      # If you are updating from the old (pre-7.4) syntax, you MUST give your
   2.760+      # old server the ID 'main'.
   2.761+      #
   2.762+      ##########################################################################
   2.763+      main: # 'main' is the GitLab 'provider ID' of this LDAP server
   2.764+        ## label
   2.765+        #
   2.766+        # A human-friendly name for your LDAP server. It is OK to change the label later,
   2.767+        # for instance if you find out it is too large to fit on the web page.
   2.768+        #
   2.769+        # Example: 'Paris' or 'Acme, Ltd.'
   2.770+        label: 'LDAP'
   2.771+
   2.772+        # Example: 'ldap.mydomain.com'
   2.773+        host: '_your_ldap_server'
   2.774+        # This port is an example, it is sometimes different but it is always an integer and not a string
   2.775+        port: 389 # usually 636 for SSL
   2.776+        uid: 'sAMAccountName' # This should be the attribute, not the value that maps to uid.
   2.777+
   2.778+        # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com'
   2.779+        bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
   2.780+        password: '_the_password_of_the_bind_user'
   2.781+
   2.782+        # Encryption method. The "method" key is deprecated in favor of
   2.783+        # "encryption".
   2.784+        #
   2.785+        #   Examples: "start_tls" or "simple_tls" or "plain"
   2.786+        #
   2.787+        #   Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
   2.788+        #   replaced with "simple_tls".
   2.789+        #
   2.790+        encryption: 'plain'
   2.791+
   2.792+        # Enables SSL certificate verification if encryption method is
   2.793+        # "start_tls" or "simple_tls". Defaults to true.
   2.794+        verify_certificates: true
   2.795+
   2.796+        # OpenSSL::SSL::SSLContext options.
   2.797+        tls_options:
   2.798+          # Specifies the path to a file containing a PEM-format CA certificate,
   2.799+          # e.g. if you need to use an internal CA.
   2.800+          #
   2.801+          #   Example: '/etc/ca.pem'
   2.802+          #
   2.803+          ca_file: ''
   2.804+
   2.805+          # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
   2.806+          # is not appropriate.
   2.807+          #
   2.808+          #   Example: 'TLSv1_1'
   2.809+          #
   2.810+          ssl_version: ''
   2.811+
   2.812+          # Specific SSL ciphers to use in communication with LDAP servers.
   2.813+          #
   2.814+          # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
   2.815+          ciphers: ''
   2.816+
   2.817+          # Client certificate
   2.818+          #
   2.819+          # Example:
   2.820+          #   cert: |
   2.821+          #     -----BEGIN CERTIFICATE-----
   2.822+          #     MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
   2.823+          #     bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
   2.824+          #     CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4
   2.825+          #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
   2.826+          #     ...
   2.827+          #     4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80
   2.828+          #     Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==
   2.829+          #     -----END CERTIFICATE -----
   2.830+          cert: ''
   2.831+
   2.832+          # Client private key
   2.833+          #   key: |
   2.834+          #     -----BEGIN PRIVATE KEY-----
   2.835+          #     MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6
   2.836+          #     bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN
   2.837+          #     7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C
   2.838+          #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
   2.839+          #     ...
   2.840+          #     +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9
   2.841+          #     l6RG+a/mW+0rCWn8JAd464Ps9hE=
   2.842+          #     -----END PRIVATE KEY-----
   2.843+          key: ''
   2.844+
   2.845+        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
   2.846+        # a request if the LDAP server becomes unresponsive.
   2.847+        # A value of 0 means there is no timeout.
   2.848+        timeout: 10
   2.849+
   2.850+        # Enable smartcard authentication against the LDAP server. Valid values
   2.851+        # are "false", "optional", and "required".
   2.852+        smartcard_auth: false
   2.853+
   2.854+        # This setting specifies if LDAP server is Active Directory LDAP server.
   2.855+        # For non AD servers it skips the AD specific queries.
   2.856+        # If your LDAP server is not AD, set this to false.
   2.857+        active_directory: true
   2.858+
   2.859+        # If allow_username_or_email_login is enabled, GitLab will ignore everything
   2.860+        # after the first '@' in the LDAP username submitted by the user on login.
   2.861+        #
   2.862+        # Example:
   2.863+        # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
   2.864+        # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
   2.865+        #
   2.866+        # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
   2.867+        # disable this setting, because the userPrincipalName contains an '@'.
   2.868+        allow_username_or_email_login: false
   2.869+
   2.870+        # To maintain tight control over the number of active users on your GitLab installation,
   2.871+        # enable this setting to keep new users blocked until they have been cleared by the admin
   2.872+        # (default: false).
   2.873+        block_auto_created_users: false
   2.874+
   2.875+        # Base where we can search for users
   2.876+        #
   2.877+        #   Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com'
   2.878+        #
   2.879+        base: ''
   2.880+
   2.881+        # Filter LDAP users
   2.882+        #
   2.883+        #   Format: RFC 4515 https://www.rfc-editor.org/rfc/rfc4515
   2.884+        #   Ex. (employeeType=developer)
   2.885+        #
   2.886+        #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
   2.887+        #
   2.888+        #   Example for getting only specific users:
   2.889+        #   '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'
   2.890+        #
   2.891+        user_filter: ''
   2.892+
   2.893+        # Base where we can search for groups
   2.894+        #
   2.895+        #   Ex. ou=Groups,dc=gitlab,dc=example
   2.896+        #
   2.897+        group_base: ''
   2.898+
   2.899+        # LDAP group of users who should be admins in GitLab
   2.900+        #
   2.901+        #   Ex. GLAdmins
   2.902+        #
   2.903+        admin_group: ''
   2.904+
   2.905+        # LDAP group of users who should be marked as external users in GitLab
   2.906+        #
   2.907+        #   Ex. ['Contractors', 'Interns']
   2.908+        #
   2.909+        external_groups: []
   2.910+
   2.911+        # Name of attribute which holds a ssh public key of the user object.
   2.912+        # If false or nil, SSH key syncronisation will be disabled.
   2.913+        #
   2.914+        #   Ex. sshpublickey
   2.915+        #
   2.916+        sync_ssh_keys: false
   2.917+
   2.918+        # Retry ldap search connection if got empty results with specified response code(s)
   2.919+        #
   2.920+        #   Ex. [80]
   2.921+        # retry_empty_result_with_codes: []
   2.922+
   2.923+        # LDAP attributes that GitLab will use to create an account for the LDAP user.
   2.924+        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
   2.925+        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
   2.926+        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
   2.927+        attributes:
   2.928+          # The username will be used in paths for the user's own projects
   2.929+          # (like `gitlab.example.com/username/project`) and when mentioning
   2.930+          # them in issues, merge request and comments (like `@username`).
   2.931+          # If the attribute specified for `username` contains an email address,
   2.932+          # the GitLab username will be the part of the email address before the '@'.
   2.933+          username: ['uid', 'userid', 'sAMAccountName']
   2.934+          email:    ['mail', 'email', 'userPrincipalName']
   2.935+
   2.936+          # If no full name could be found at the attribute specified for `name`,
   2.937+          # the full name is determined using the attributes specified for
   2.938+          # `first_name` and `last_name`.
   2.939+          name:       'cn'
   2.940+          first_name: 'givenName'
   2.941+          last_name:  'sn'
   2.942+
   2.943+        # If lowercase_usernames is enabled, GitLab will lower case the username.
   2.944+        lowercase_usernames: false
   2.945+
   2.946+      # GitLab EE only: add more LDAP servers
   2.947+      # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
   2.948+      # so that GitLab can remember which LDAP server a user belongs to.
   2.949+      # uswest2:
   2.950+      #   label:
   2.951+      #   host:
   2.952+      #   ....
   2.953+
   2.954+  ## Smartcard authentication settings
   2.955+  smartcard:
   2.956+    # Allow smartcard authentication
   2.957+    enabled: false
   2.958+
   2.959+    # Path to a file containing a CA certificate bundle
   2.960+    ca_file: '/etc/ssl/certs/CA.pem'
   2.961+
   2.962+    # Host and port where the client side certificate is requested by the
   2.963+    # webserver (NGINX/Apache)
   2.964+    # client_certificate_required_host: smartcard.gitlab.example.com
   2.965+    # client_certificate_required_port: 3444
   2.966+
   2.967+    # Browser session with smartcard sign-in is required for Git access
   2.968+    # required_for_git_access: false
   2.969+
   2.970+    # Use X.509 SAN extensions certificates to identify GitLab users
   2.971+    # Add a subjectAltName to your certificates like: email:user
   2.972+    # san_extensions: true
   2.973+
   2.974+  ## Kerberos settings
   2.975+  kerberos:
   2.976+    # Allow the HTTP Negotiate authentication method for Git clients
   2.977+    enabled: false
   2.978+
   2.979+    # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
   2.980+    # and should be different from other keytabs in the system.
   2.981+    # (default: use default keytab from Krb5 config)
   2.982+    # keytab: /etc/http.keytab
   2.983+
   2.984+    # The Kerberos service name to be used by GitLab.
   2.985+    # (default: accept any service name in keytab file)
   2.986+    # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM
   2.987+
   2.988+    # Kerberos realms/domains that are allowed to automatically link LDAP identities.
   2.989+    # By default, GitLab accepts a realm that matches the domain derived from the
   2.990+    # LDAP `base` DN. For example, `ou=users,dc=example,dc=com` would allow users
   2.991+    # with a realm matching `example.com`.
   2.992+    # simple_ldap_linking_allowed_realms: ['example.com','kerberos.example.com']
   2.993+
   2.994+    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
   2.995+    # To support both Basic and Negotiate methods with older versions of Git, configure
   2.996+    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
   2.997+    # to dedicate this port to Kerberos authentication. (default: false)
   2.998+    # use_dedicated_port: true
   2.999+    # port: 8443
  2.1000+    # https: true
  2.1001+
  2.1002+  ## OmniAuth settings
  2.1003+  omniauth:
  2.1004+    # Allow login via Twitter, Google, etc. using OmniAuth providers
  2.1005+    # enabled: true
  2.1006+
  2.1007+    # Uncomment this to automatically sign in with a specific omniauth provider's without
  2.1008+    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
  2.1009+    # auto_sign_in_with_provider: saml
  2.1010+
  2.1011+    # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).
  2.1012+    # Define the allowed providers using an array, e.g. ["saml", "twitter"],
  2.1013+    # or as true/false to allow all providers or none.
  2.1014+    # When authenticating using LDAP, the user's email is always synced.
  2.1015+    # sync_profile_from_provider: []
  2.1016+
  2.1017+    # Select which info to sync from the providers above. (default: email).
  2.1018+    # Define the synced profile info using an array. Available options are "name", "email" and "location"
  2.1019+    # e.g. ["name", "email", "location"] or as true to sync all available.
  2.1020+    # This consequently will make the selected attributes read-only.
  2.1021+    # sync_profile_attributes: true
  2.1022+
  2.1023+    # CAUTION!
  2.1024+    # This allows users to login without having a user account first. Define the allowed providers
  2.1025+    # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
  2.1026+    # User accounts will be created automatically when authentication was successful.
  2.1027+    allow_single_sign_on: ["saml"]
  2.1028+
  2.1029+    # Locks down those users until they have been cleared by the admin (default: true).
  2.1030+    block_auto_created_users: true
  2.1031+    # Look up new users in LDAP servers. If a match is found (same uid), automatically
  2.1032+    # link the omniauth identity with the LDAP account. (default: false)
  2.1033+    auto_link_ldap_user: false
  2.1034+
  2.1035+    # Allow users with existing accounts to login and auto link their account via SAML
  2.1036+    # login, without having to do a manual login first and manually add SAML
  2.1037+    # (default: false)
  2.1038+    auto_link_saml_user: false
  2.1039+
  2.1040+    # CAUTION!
  2.1041+    # Allows larger SAML messages to be received. Numeric value in bytes (default: 250000)
  2.1042+    # Too high limits exposes instance to decompression DDoS attack type.
  2.1043+    saml_message_max_byte_size: 250000
  2.1044+
  2.1045+    # Allow users with existing accounts to sign in and auto link their account via OmniAuth
  2.1046+    # login, without having to do a manual login first and manually add OmniAuth. Links on email.
  2.1047+    # Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to
  2.1048+    # allow all providers or none.
  2.1049+    # (default: false)
  2.1050+    auto_link_user: ["saml", "twitter"]
  2.1051+
  2.1052+    # Set different Omniauth providers as external so that all users creating accounts
  2.1053+    # via these providers will not be able to have access to internal projects. You
  2.1054+    # will need to use the full name of the provider, like `google_oauth2` for Google.
  2.1055+    # Refer to the examples below for the full names of the supported providers.
  2.1056+    # (default: [])
  2.1057+    external_providers: []
  2.1058+
  2.1059+    # CAUTION!
  2.1060+    # This allows users to login with the specified providers without two factor. Define the allowed providers
  2.1061+    # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none.
  2.1062+    # This option should only be configured for providers which already have two factor.
  2.1063+    # This configration dose not apply to SAML.
  2.1064+    # (default: false)
  2.1065+    allow_bypass_two_factor: ["twitter", 'google_oauth2']
  2.1066+
  2.1067+    ## Auth providers
  2.1068+    # Uncomment the following lines and fill in the data of the auth provider you want to use
  2.1069+    # If your favorite auth provider is not listed you can use others:
  2.1070+    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
  2.1071+    # The 'app_id' and 'app_secret' parameters are always passed as the first two
  2.1072+    # arguments, followed by optional 'args' which can be either a hash or an array.
  2.1073+    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
  2.1074+    providers:
  2.1075+      # - { name: 'alicloud',
  2.1076+      #     app_id: 'YOUR_APP_ID',
  2.1077+      #     app_secret: 'YOUR_APP_SECRET' }
  2.1078+      # - { name: 'github',
  2.1079+      #     app_id: 'YOUR_APP_ID',
  2.1080+      #     app_secret: 'YOUR_APP_SECRET',
  2.1081+      #     url: "https://github.com/",
  2.1082+      #     verify_ssl: true,
  2.1083+      #     args: { scope: 'user:email' } }
  2.1084+      # - { name: 'bitbucket',
  2.1085+      #     app_id: 'YOUR_APP_ID',
  2.1086+      #     app_secret: 'YOUR_APP_SECRET' }
  2.1087+      # - { name: 'dingtalk',
  2.1088+      #     app_id: 'YOUR_APP_ID',
  2.1089+      #     app_secret: 'YOUR_APP_SECRET' }
  2.1090+      # - { name: 'gitlab',
  2.1091+      #     app_id: 'YOUR_APP_ID',
  2.1092+      #     app_secret: 'YOUR_APP_SECRET',
  2.1093+      #     args: { scope: 'api' } }
  2.1094+      # - { name: 'google_oauth2',
  2.1095+      #     app_id: 'YOUR_APP_ID',
  2.1096+      #     app_secret: 'YOUR_APP_SECRET',
  2.1097+      #     args: { access_type: 'offline', approval_prompt: '' } }
  2.1098+      # - { name: 'facebook',
  2.1099+      #     app_id: 'YOUR_APP_ID',
  2.1100+      #     app_secret: 'YOUR_APP_SECRET' }
  2.1101+      # - { name: 'twitter',
  2.1102+      #     app_id: 'YOUR_APP_ID',
  2.1103+      #     app_secret: 'YOUR_APP_SECRET' }
  2.1104+      # - { name: 'jwt',
  2.1105+      #     args: {
  2.1106+      #       secret: 'YOUR_APP_SECRET',
  2.1107+      #       algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512'
  2.1108+      #       uid_claim: 'email',
  2.1109+      #       required_claims: ['name', 'email'],
  2.1110+      #       info_map: { name: 'name', email: 'email' },
  2.1111+      #       auth_url: 'https://example.com/',
  2.1112+      #       valid_within: 3600 # 1 hour
  2.1113+      #     }
  2.1114+      #   }
  2.1115+      # - { name: 'saml',
  2.1116+      #     label: 'Our SAML Provider',
  2.1117+      #     groups_attribute: 'Groups',
  2.1118+      #     external_groups: ['Contractors', 'Freelancers'],
  2.1119+      #     args: {
  2.1120+      #             assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
  2.1121+      #             idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
  2.1122+      #             idp_sso_target_url: 'https://login.example.com/idp',
  2.1123+      #             issuer: 'https://gitlab.example.com',
  2.1124+      #             name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
  2.1125+      #           } }
  2.1126+      #
  2.1127+      # - { name: 'group_saml' }
  2.1128+      #
  2.1129+      # - { name: 'crowd',
  2.1130+      #     args: {
  2.1131+      #       crowd_server_url: 'CROWD SERVER URL',
  2.1132+      #       application_name: 'YOUR_APP_NAME',
  2.1133+      #       application_password: 'YOUR_APP_PASSWORD' } }
  2.1134+      #
  2.1135+      # - { name: 'auth0',
  2.1136+      #     args: {
  2.1137+      #       client_id: 'YOUR_AUTH0_CLIENT_ID',
  2.1138+      #       client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
  2.1139+      #       namespace: 'YOUR_AUTH0_DOMAIN' } }
  2.1140+
  2.1141+  # FortiAuthenticator settings
  2.1142+  forti_authenticator:
  2.1143+    # Allow using FortiAuthenticator as OTP provider
  2.1144+    enabled: false
  2.1145+
  2.1146+    # Host and port of FortiAuthenticator instance
  2.1147+    # host: forti_authenticator.example.com
  2.1148+    # port: 443
  2.1149+
  2.1150+    # Username for accessing FortiAuthenticator API
  2.1151+    # username: john
  2.1152+
  2.1153+    # Access token for FortiAuthenticator API
  2.1154+    # access_token: 123s3cr3t456
  2.1155+
  2.1156+  # FortiToken Cloud settings
  2.1157+  forti_token_cloud:
  2.1158+    # Allow using FortiToken Cloud as OTP provider
  2.1159+    enabled: false
  2.1160+
  2.1161+    # Client ID and Secret to access FortiToken Cloud API
  2.1162+    # client_id: 'YOUR_FORTI_TOKEN_CLOUD_CLIENT_ID'
  2.1163+    # client_secret: 'YOUR_FORTI_TOKEN_CLOUD_CLIENT_SECRET'
  2.1164+
  2.1165+  # Duo Auth settings
  2.1166+  duo_auth:
  2.1167+    # Allow using Duo as an OTP provider
  2.1168+    enabled: false
  2.1169+
  2.1170+    # Client ID and Secret to access Duo's API
  2.1171+    # integration_key: 'YOUR_DUO_INTEGRATION_KEY'
  2.1172+    # secret_key: 'YOUR_DUO_SECRET_KEY'
  2.1173+    # hostname: 'YOUR_DUO_API_FQDN'
  2.1174+
  2.1175+  # Shared file storage settings
  2.1176+  shared:
  2.1177+    # path: /mnt/gitlab # Default: shared
  2.1178+
  2.1179+  # Encrypted Settings configuration
  2.1180+  encrypted_settings:
  2.1181+    # path: /mnt/gitlab/encrypted_settings  # Default: shared/encrypted_settings
  2.1182+
  2.1183+  # Gitaly settings
  2.1184+  gitaly:
  2.1185+    # Default Gitaly authentication token. Can be overridden per storage. Can
  2.1186+    # be left blank when Gitaly is running locally on a Unix socket, which
  2.1187+    # is the normal way to deploy Gitaly.
  2.1188+    token:
  2.1189+
  2.1190+  #
  2.1191+  # 4. Advanced settings
  2.1192+  # ==========================
  2.1193+
  2.1194+  ## Repositories settings
  2.1195+  repositories:
  2.1196+    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
  2.1197+    # IMPORTANT: None of the path components may be symlink, because
  2.1198+    # gitlab-shell invokes Dir.pwd inside the repository path and that results
  2.1199+    # real path not the symlink.
  2.1200+    storages: # You must have at least a `default` storage path.
  2.1201+      default:
  2.1202+        path: /home/git/repositories/
  2.1203+        gitaly_address: unix:/home/git/gitlab/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).
  2.1204+        # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.
  2.1205+        hgitaly_address: unix:/home/git/gitlab/tmp/sockets/private/hgitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are *not* at this point (tracking issue is hgitaly#3)
  2.1206+
  2.1207+  ## Backup settings
  2.1208+  backup:
  2.1209+    path: "tmp/backups"   # Relative paths are relative to Rails.root (default: tmp/backups/)
  2.1210+    # gitaly_backup_path: /home/git/gitaly/_build/bin/gitaly-backup # Path of the gitaly-backup binary (default: searches $PATH)
  2.1211+    # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
  2.1212+    # keep_time: 604800   # default: 0 (forever) (in seconds)
  2.1213+    # pg_schema: public     # default: nil, it means that all schemas will be backed up
  2.1214+    # upload:
  2.1215+    #   # Fog storage connection settings, see https://fog.io/storage/ .
  2.1216+    #   connection:
  2.1217+    #     provider: AWS
  2.1218+    #     region: eu-west-1
  2.1219+    #     aws_access_key_id: AKIAKIAKI
  2.1220+    #     aws_secret_access_key: 'secret123'
  2.1221+    #   # The remote 'directory' to store your backups. For S3, this would be the bucket name.
  2.1222+    #   remote_directory: 'my.s3.bucket'
  2.1223+    #   # Use multipart uploads when file size reaches 100MB, see
  2.1224+    #   #  http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
  2.1225+    #   multipart_chunk_size: 104857600
  2.1226+    #   # Specifies Amazon S3 storage class to use for backups (optional)
  2.1227+    #   # storage_class: 'STANDARD'
  2.1228+    #   # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
  2.1229+    #   #   'encryption' must be set in order for this to have any effect.
  2.1230+    #   #   'encryption_key' should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data.
  2.1231+    #   # encryption: 'AES256'
  2.1232+    #   # encryption_key: '<key>'
  2.1233+    #   #
  2.1234+    #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed keys (optional)
  2.1235+    #   # https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
  2.1236+    #   # For SSE-S3, set 'server_side_encryption' to 'AES256'.
  2.1237+    #   # For SS3-KMS, set 'server_side_encryption' to 'aws:kms'. Set
  2.1238+    #   # 'server_side_encryption_kms_key_id' to the ARN of customer master key.
  2.1239+    #   # storage_options:
  2.1240+    #   #   server_side_encryption: 'aws:kms'
  2.1241+    #   #   server_side_encryption_kms_key_id: 'arn:aws:kms:YOUR-KEY-ID-HERE'
  2.1242+
  2.1243+  ## GitLab Shell settings
  2.1244+  gitlab_shell:
  2.1245+    path: /home/git/gitlab-shell/
  2.1246+    authorized_keys_file: /home/git/.ssh/authorized_keys
  2.1247+
  2.1248+    # File that contains the secret key for verifying access for gitlab-shell.
  2.1249+    # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
  2.1250+    # secret_file: /home/git/gitlab/.gitlab_shell_secret
  2.1251+
  2.1252+    # Git over HTTP
  2.1253+    upload_pack: true
  2.1254+    receive_pack: true
  2.1255+
  2.1256+    # Git import/fetch timeout, in seconds. Defaults to 3 hours.
  2.1257+    # git_timeout: 10800
  2.1258+
  2.1259+    # If you use non-standard ssh port you need to specify it
  2.1260+    # ssh_port: 22
  2.1261+
  2.1262+  workhorse:
  2.1263+    # File that contains the secret key for verifying access for gitlab-workhorse.
  2.1264+    # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
  2.1265+    # secret_file: /home/git/gitlab/.gitlab_workhorse_secret
  2.1266+
  2.1267+  gitlab_kas:
  2.1268+    # enabled: true
  2.1269+    # File that contains the secret key for verifying access for gitlab-kas.
  2.1270+    # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app).
  2.1271+    # secret_file: /home/git/gitlab/.gitlab_kas_secret
  2.1272+
  2.1273+    # The URL to the external KAS API (used by the Kubernetes agents)
  2.1274+    # external_url: wss://kas.example.com
  2.1275+
  2.1276+    # The URL to the internal KAS API (used by the GitLab backend)
  2.1277+    # internal_url: grpc://localhost:8153
  2.1278+
  2.1279+    # The URL to the Kubernetes API proxy (used by GitLab users)
  2.1280+    # external_k8s_proxy_url: https://localhost:8154 # default: nil
  2.1281+
  2.1282+  suggested_reviewers:
  2.1283+    # File that contains the secret key for verifying access to GitLab internal API for Suggested Reviewers.
  2.1284+    # Default is '.gitlab_suggested_reviewers_secret' relative to Rails.root (i.e. root of the GitLab app).
  2.1285+    # secret_file: /home/git/gitlab/.gitlab_suggested_reviewers_secret
  2.1286+
  2.1287+  zoekt:
  2.1288+    # Files that contain username and password for basic auth for Zoekt
  2.1289+    # Default is '.gitlab_zoekt_username' and '.gitlab_zoekt_password' in Rails.root
  2.1290+    # username_file: /home/git/gitlab/.gitlab_zoekt_username
  2.1291+    # password_file: /home/git/gitlab/.gitlab_zoekt_password
  2.1292+
  2.1293+  ## GitLab Elasticsearch settings
  2.1294+  elasticsearch:
  2.1295+    indexer_path: /home/git/gitlab-elasticsearch-indexer/
  2.1296+
  2.1297+  ## Git settings
  2.1298+  # CAUTION!
  2.1299+  # Use the default values unless you really know what you are doing
  2.1300+  git:
  2.1301+    bin_path: /usr/bin/git
  2.1302+
  2.1303+  ## Mercurial settings
  2.1304+  mercurial:
  2.1305+    # application-wide Mercurial settings.
  2.1306+    #
  2.1307+    # These *must* include the structural and default settings,
  2.1308+    # which is typically achieved by listing the `heptapod/required.hgrc`
  2.1309+    # file from the `heptapod` Python distribution or include it in one of
  2.1310+    # the files listed here.
  2.1311+    #
  2.1312+    # The settings listed here are themselves overridable by Group and Project
  2.1313+    # level HGRC files.
  2.1314+    #
  2.1315+    # Files that don't exist are safely ignored.
  2.1316+    # The default value is tailored for Heptapod Docker installations
  2.1317+    # made before version 0.9 without changing their `gitlab.yml` files.
  2.1318+    #
  2.1319+    # hgrc:
  2.1320+    #   - /opt/gitlab/etc/docker.hgrc
  2.1321+    #   - /etc/gitlab/heptapod.hgrc
  2.1322+
  2.1323+    # The mercurial command. It MUST be able to import the `heptapod`
  2.1324+    # extension and its dependencies.
  2.1325+    # bin_path: hg
  2.1326+
  2.1327+    # URL of the `hgserve` service. It MUST be a loopback URL
  2.1328+    # (Unix domain socket are not implemented yet)
  2.1329+    # hgserve_url: http://127.0.0.1:8000
  2.1330+
  2.1331+    # Mercurial internal code selection
  2.1332+    # Possible values are "c", "rust+c", "pure", "c-allow" and "rust+c-allow"
  2.1333+    # The "-allow" variants don't require the corresponding binary to be
  2.1334+    # available. The strict ones do.
  2.1335+    #
  2.1336+    # If not set, the compile-time default is used (usually strict)
  2.1337+    # module_policy:
  2.1338+
  2.1339+  ## Webpack settings
  2.1340+  # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
  2.1341+  # on a given port instead of serving directly from /assets/webpack. This is only indended for use
  2.1342+  # in development.
  2.1343+  webpack:
  2.1344+    # dev_server:
  2.1345+    #   enabled: true
  2.1346+    #   host: localhost
  2.1347+    #   port: 3808
  2.1348+
  2.1349+  ## Monitoring
  2.1350+  # Built in monitoring settings
  2.1351+  monitoring:
  2.1352+    # IP whitelist to access monitoring endpoints
  2.1353+    ip_whitelist:
  2.1354+      - 127.0.0.0/8
  2.1355+
  2.1356+    # Sidekiq exporter is a dedicated Prometheus metrics server optionally running alongside Sidekiq.
  2.1357+    sidekiq_exporter:
  2.1358+    #  enabled: true
  2.1359+    #  log_enabled: false
  2.1360+    #  address: localhost
  2.1361+    #  port: 8082
  2.1362+    #  tls_enabled: false
  2.1363+    #  tls_cert_path: /path/to/cert.pem
  2.1364+    #  tls_key_path: /path/to/key.pem
  2.1365+
  2.1366+    sidekiq_health_checks:
  2.1367+    #  enabled: true
  2.1368+    #  address: localhost
  2.1369+    #  port: 8092
  2.1370+
  2.1371+    # Web exporter is a dedicated Prometheus metrics server optionally running alongside Puma.
  2.1372+    web_exporter:
  2.1373+    #  enabled: true
  2.1374+    #  address: localhost
  2.1375+    #  port: 8083
  2.1376+    #  tls_enabled: false
  2.1377+    #  tls_cert_path: /path/to/cert.pem
  2.1378+    #  tls_key_path: /path/to/key.pem
  2.1379+
  2.1380+  ## Prometheus settings
  2.1381+  # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb
  2.1382+  # if you installed GitLab via Omnibus.
  2.1383+  # If you installed from source, you need to install and configure Prometheus
  2.1384+  # yourself, and then update the values here.
  2.1385+  # https://docs.gitlab.com/ee/administration/monitoring/prometheus/
  2.1386+  prometheus:
  2.1387+    # enabled: true
  2.1388+    # server_address: 'localhost:9090'
  2.1389+  snowplow_micro:
  2.1390+    enabled: true
  2.1391+    address: '127.0.0.1:9091'
  2.1392+
  2.1393+  ## Consul settings
  2.1394+  consul:
  2.1395+    # api_url: 'http://localhost:8500'
  2.1396+
  2.1397+  shutdown:
  2.1398+    #  # blackout_seconds:
  2.1399+    #  #   defines an interval to block healthcheck,
  2.1400+    #  #   but continue accepting application requests
  2.1401+    #  #   this allows Load Balancer to notice service
  2.1402+    #  #   being shutdown and not interrupt any of the clients
  2.1403+    #  blackout_seconds: 10
  2.1404+
  2.1405+  #
  2.1406+  # 5. Extra customization
  2.1407+  # ==========================
  2.1408+
  2.1409+  extra:
  2.1410+    ## Google analytics. Uncomment if you want it
  2.1411+    # google_analytics_id: '_your_tracking_id'
  2.1412+
  2.1413+    ## Google tag manager
  2.1414+    # google_tag_manager_id: '_your_tracking_id'
  2.1415+
  2.1416+    ## OneTrust
  2.1417+    # one_trust_id: '_your_one_trust_id'
  2.1418+
  2.1419+    ## Bizible.
  2.1420+    # bizible: true
  2.1421+
  2.1422+    ## Matomo analytics.
  2.1423+    # matomo_url: '_your_matomo_url'
  2.1424+    # matomo_site_id: '_your_matomo_site_id'
  2.1425+    # matomo_disable_cookies: false
  2.1426+
  2.1427+    ## Maximum file size for syntax highlighting
  2.1428+    ## https://docs.gitlab.com/ee/user/project/highlighting.html
  2.1429+    # maximum_text_highlight_size_kilobytes: 512
  2.1430+
  2.1431+  rack_attack:
  2.1432+    git_basic_auth:
  2.1433+      # Rack Attack IP banning enabled
  2.1434+      # enabled: true
  2.1435+      #
  2.1436+      # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
  2.1437+      # ip_whitelist: ["127.0.0.1"]
  2.1438+      #
  2.1439+      # Limit the number of Git HTTP authentication attempts per IP
  2.1440+      # maxretry: 10
  2.1441+      #
  2.1442+      # Reset the auth attempt counter per IP after 60 seconds
  2.1443+      # findtime: 60
  2.1444+      #
  2.1445+      # Ban an IP for one hour (3600s) after too many auth attempts
  2.1446+      # bantime: 3600
  2.1447+
  2.1448+development:
  2.1449+  <<: *base
  2.1450+
  2.1451+  # We want to run web/sidekiq exporters for devs
  2.1452+  # to catch errors from using them.
  2.1453+  #
  2.1454+  # We use random port to not block ability to run
  2.1455+  # multiple instances of the service
  2.1456+  monitoring:
  2.1457+    sidekiq_exporter:
  2.1458+      enabled: true
  2.1459+      address: 127.0.0.1
  2.1460+      port: 0
  2.1461+    web_exporter:
  2.1462+      enabled: true
  2.1463+      address: 127.0.0.1
  2.1464+      port: 0
  2.1465+
  2.1466+test:
  2.1467+  <<: *base
  2.1468+  gravatar:
  2.1469+    enabled: true
  2.1470+  external_diffs:
  2.1471+    enabled: false
  2.1472+    # Diffs may be `always` external (the default), or they can be made external
  2.1473+    # after they have become `outdated` (i.e., the MR is closed or a new version
  2.1474+    # has been pushed).
  2.1475+    # when: always
  2.1476+    # The location where external diffs are stored (default: shared/external-diffs).
  2.1477+    storage_path: tmp/tests/external-diffs
  2.1478+    object_store:
  2.1479+      enabled: false
  2.1480+      remote_directory: external-diffs # The bucket name
  2.1481+      connection:
  2.1482+        provider: AWS # Only AWS supported at the moment
  2.1483+        aws_access_key_id: AWS_ACCESS_KEY_ID
  2.1484+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
  2.1485+        region: us-east-1
  2.1486+  lfs:
  2.1487+    enabled: false
  2.1488+    # The location where LFS objects are stored (default: shared/lfs-objects).
  2.1489+    # storage_path: shared/lfs-objects
  2.1490+    object_store:
  2.1491+      enabled: false
  2.1492+      remote_directory: lfs-objects # The bucket name
  2.1493+      connection:
  2.1494+        provider: AWS # Only AWS supported at the moment
  2.1495+        aws_access_key_id: AWS_ACCESS_KEY_ID
  2.1496+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
  2.1497+        region: us-east-1
  2.1498+  artifacts:
  2.1499+    path: tmp/tests/artifacts
  2.1500+    enabled: true
  2.1501+    # The location where build artifacts are stored (default: shared/artifacts).
  2.1502+    # path: shared/artifacts
  2.1503+    object_store:
  2.1504+      enabled: false
  2.1505+      remote_directory: artifacts # The bucket name
  2.1506+      connection:
  2.1507+        provider: AWS # Only AWS supported at the moment
  2.1508+        aws_access_key_id: AWS_ACCESS_KEY_ID
  2.1509+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
  2.1510+        region: us-east-1
  2.1511+  uploads:
  2.1512+    storage_path: tmp/tests/public
  2.1513+    object_store:
  2.1514+      enabled: false
  2.1515+      connection:
  2.1516+        provider: AWS # Only AWS supported at the moment
  2.1517+        aws_access_key_id: AWS_ACCESS_KEY_ID
  2.1518+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
  2.1519+        region: us-east-1
  2.1520+
  2.1521+  terraform_state:
  2.1522+    enabled: true
  2.1523+    storage_path: tmp/tests/terraform_state
  2.1524+    object_store:
  2.1525+      enabled: false
  2.1526+      remote_directory: terraform
  2.1527+      connection:
  2.1528+        provider: AWS # Only AWS supported at the moment
  2.1529+        aws_access_key_id: AWS_ACCESS_KEY_ID
  2.1530+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
  2.1531+        region: us-east-1
  2.1532+
  2.1533+  ci_secure_files:
  2.1534+    enabled: true
  2.1535+    storage_path: tmp/tests/ci_secure_files
  2.1536+    object_store:
  2.1537+      enabled: false
  2.1538+      remote_directory: ci-secure-files
  2.1539+      connection:
  2.1540+        provider: AWS # Only AWS supported at the moment
  2.1541+        aws_access_key_id: AWS_ACCESS_KEY_ID
  2.1542+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
  2.1543+        region: us-east-1
  2.1544+
  2.1545+  gitlab:
  2.1546+    host: localhost
  2.1547+    port: 80
  2.1548+
  2.1549+    content_security_policy:
  2.1550+      enabled: true
  2.1551+      report_only: false
  2.1552+      directives:
  2.1553+        base_uri:
  2.1554+        child_src:
  2.1555+        connect_src:
  2.1556+        default_src: "'self'"
  2.1557+        font_src:
  2.1558+        form_action:
  2.1559+        frame_ancestors: "'self'"
  2.1560+        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
  2.1561+        img_src: "* data: blob:"
  2.1562+        manifest_src:
  2.1563+        media_src:
  2.1564+        object_src: "'none'"
  2.1565+        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
  2.1566+        style_src: "'self' 'unsafe-inline'"
  2.1567+        worker_src: "'self' blob:"
  2.1568+        report_uri:
  2.1569+
  2.1570+    # When you run tests we clone and set up gitlab-shell
  2.1571+    # In order to set it up correctly you need to specify
  2.1572+    # your system username you use to run GitLab
  2.1573+    # user: YOUR_USERNAME
  2.1574+  pages:
  2.1575+    path: tmp/tests/pages
  2.1576+    object_store:
  2.1577+      enabled: false
  2.1578+      remote_directory: pages # The bucket name
  2.1579+      connection:
  2.1580+        provider: AWS
  2.1581+        aws_access_key_id: AWS_ACCESS_KEY_ID
  2.1582+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
  2.1583+        region: us-east-1
  2.1584+    local_store:
  2.1585+      enabled: true
  2.1586+      path: tmp/tests/pages
  2.1587+  repositories:
  2.1588+    storages:
  2.1589+      default:
  2.1590+        path: tmp/tests/repositories/
  2.1591+        gitaly_address: unix:tmp/tests/gitaly/praefect.socket
  2.1592+        hgitaly_address: unix:tmp/tests/hgitaly/hgitaly.socket
  2.1593+        rhgitaly_address: unix:tmp/tests/hgitaly/rhgitaly.socket
  2.1594+
  2.1595+  gitaly:
  2.1596+    client_path: tmp/tests/gitaly/_build/bin
  2.1597+    token: secret
  2.1598+  workhorse:
  2.1599+    secret_file: tmp/gitlab_workhorse_test_secret
  2.1600+  backup:
  2.1601+    path: tmp/tests/backups
  2.1602+    gitaly_backup_path: tmp/tests/gitaly/_build/bin/gitaly-backup
  2.1603+  gitlab_shell:
  2.1604+    path: tmp/tests/gitlab-shell/
  2.1605+    authorized_keys_file: tmp/tests/authorized_keys
  2.1606+  issues_tracker:
  2.1607+    redmine:
  2.1608+      title: "Redmine"
  2.1609+      project_url: "http://redmine/projects/:issues_tracker_id"
  2.1610+      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
  2.1611+      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
  2.1612+    jira:
  2.1613+      title: "Jira"
  2.1614+      url: https://sample_company.atlassian.net
  2.1615+      project_key: PROJECT
  2.1616+
  2.1617+  omniauth:
  2.1618+    # enabled: true
  2.1619+    allow_single_sign_on: true
  2.1620+    external_providers: []
  2.1621+
  2.1622+    providers:
  2.1623+      - { name: 'alicloud',
  2.1624+          app_id: 'YOUR_APP_ID',
  2.1625+          app_secret: 'YOUR_APP_SECRET' }
  2.1626+      - { name: 'github',
  2.1627+          app_id: 'YOUR_APP_ID',
  2.1628+          app_secret: 'YOUR_APP_SECRET',
  2.1629+          url: "https://github.com/",
  2.1630+          verify_ssl: false,
  2.1631+          args: { scope: 'user:email' } }
  2.1632+      - { name: 'bitbucket',
  2.1633+          app_id: 'YOUR_APP_ID',
  2.1634+          app_secret: 'YOUR_APP_SECRET' }
  2.1635+      - { name: 'dingtalk',
  2.1636+          app_id: 'YOUR_APP_ID',
  2.1637+          app_secret: 'YOUR_APP_SECRET' }
  2.1638+      - { name: 'gitlab',
  2.1639+          app_id: 'YOUR_APP_ID',
  2.1640+          app_secret: 'YOUR_APP_SECRET',
  2.1641+          args: { scope: 'api' } }
  2.1642+      - { name: 'google_oauth2',
  2.1643+          app_id: 'YOUR_APP_ID',
  2.1644+          app_secret: 'YOUR_APP_SECRET',
  2.1645+          args: { access_type: 'offline', approval_prompt: '' } }
  2.1646+      - { name: 'facebook',
  2.1647+          app_id: 'YOUR_APP_ID',
  2.1648+          app_secret: 'YOUR_APP_SECRET' }
  2.1649+      - { name: 'twitter',
  2.1650+          app_id: 'YOUR_APP_ID',
  2.1651+          app_secret: 'YOUR_APP_SECRET' }
  2.1652+      - { name: 'jwt',
  2.1653+          app_secret: 'YOUR_APP_SECRET',
  2.1654+          args: {
  2.1655+                  algorithm: 'HS256',
  2.1656+                  uid_claim: 'email',
  2.1657+                  required_claims: ["name", "email"],
  2.1658+                  info_map: { name: "name", email: "email" },
  2.1659+                  auth_url: 'https://example.com/',
  2.1660+                  valid_within: null,
  2.1661+                }
  2.1662+        }
  2.1663+      - { name: 'auth0',
  2.1664+          args: {
  2.1665+            client_id: 'YOUR_AUTH0_CLIENT_ID',
  2.1666+            client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
  2.1667+            namespace: 'YOUR_AUTH0_DOMAIN' } }
  2.1668+      - { name: 'salesforce',
  2.1669+          app_id: 'YOUR_CLIENT_ID',
  2.1670+          app_secret: 'YOUR_CLIENT_SECRET'
  2.1671+        }
  2.1672+      - { name: 'atlassian_oauth2',
  2.1673+          app_id: 'YOUR_CLIENT_ID',
  2.1674+          app_secret: 'YOUR_CLIENT_SECRET',
  2.1675+          args: { scope: 'offline_access read:jira-user read:jira-work', prompt: 'consent' }
  2.1676+      }
  2.1677+  ldap:
  2.1678+    enabled: false
  2.1679+    servers:
  2.1680+      main:
  2.1681+        label: ldap
  2.1682+        host: 127.0.0.1
  2.1683+        port: 3890
  2.1684+        uid: 'uid'
  2.1685+        encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
  2.1686+        base: 'dc=example,dc=com'
  2.1687+        user_filter: ''
  2.1688+        group_base: 'ou=groups,dc=example,dc=com'
  2.1689+        admin_group: ''
  2.1690+  prometheus:
  2.1691+    enabled: true
  2.1692+    server_address: 'localhost:9090'
  2.1693+
  2.1694+staging:
  2.1695+  <<: *base
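--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/etc/systemd/hgitaly.service	Thu Jan 11 19:08:58 2024 -0500
@@ -0,0 +1,13 @@
+[Unit]
+Description=HGitaly, internal Heptapod service for Mercurial handling
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+User=heptapod
+Group=heptapod
+Environment=HGRCPATH=/etc/heptapod.hgrc
+ExecStart=/usr/local/bin/hg --config extensions.hgitaly= hgitaly-serve --listen unix:///run/user/1001/hgitaly.socket
+Restart=on-failure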
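Review bot: The `--listen` socket on the `ExecStart` line sits under `/run/user/1001`, a per-login-session directory that logind creates for that uid, normally with mode 0700, and that a system unit with `User=heptapod` does not create. The service may therefore fail to bind at boot, and when it does bind, other service accounts probably cannot reach the socket. The `hgitaly_address` comment in this changeset's gitlab.yml says TLS is not supported, so filesystem permissions are the access control here and should be stated in the unit: add `RuntimeDirectory=hgitaly` and `RuntimeDirectoryMode=0750`, and listen on `unix:///run/hgitaly/hgitaly.socket`, adding the GitLab account to the `heptapod` group if it needs to connect. rhgitaly.service hard-codes the same `/run/user/1001` path in `RHGITALY_LISTEN_URL` and its `ExecStartPre`. The `hgitaly_address` in gitlab.yml still points at `/home/git/gitlab/tmp/sockets/private/hgitaly.socket`, so client and server do not appear to agree on the socket.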
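--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/etc/systemd/rhgitaly.service	Thu Jan 11 19:08:58 2024 -0500
@@ -0,0 +1,14 @@
+[Unit]
+Description=Heptapod RHGitaly Server
+After=network.target
+
+[Service]
+User=heptapod
+Group=heptapod
+# HGRCPATH not needed yet but probably will be at some point
+Environment=HGRCPATH=/etc/heptapod.hgrc
+Environment=RHGITALY_LISTEN_URL=unix:///run/user/1001/rhgitaly.socket
+Environment=RHGITALY_REPOSITORIES_ROOT=/home/hg/repositories
+ExecStartPre=/usr/bin/rm -f /run/user/1001/rhgitaly.socket
+ExecStart=/usr/local/bin/rhgitaly
+Restart=on-failure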
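Review bot: This unit has no `[Install]` section, unlike hgitaly.service in the same changeset, so `systemctl enable rhgitaly` has nothing to link and the service will not start at boot unless another unit pulls it in. Add `[Install]` with `WantedBy=multi-user.target` to match its sibling. Because the process serves repository data to the GitLab backend, it would also be reasonable to add baseline sandboxing under `[Service]`, for example `NoNewPrivileges=true` and `PrivateTmp=true`. Neither unit sets any such option at present.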
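--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/scripts/find-heptapod.sh	Thu Jan 11 19:08:58 2024 -0500
@@ -0,0 +1,2 @@
+export PY_HEPTAPOD=`$PYTHON -c "import heptapod, os; print(os.path.dirname(heptapod.__file__))"`
+echo $PY_HEPTAPOD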
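Review bot: `$PYTHON` is expanded unquoted and with no fallback on the first line, so when it is unset the shell tries to run `-c` as the command, and `export VAR=...` discards the failure and leaves `PY_HEPTAPOD` empty. Splitting the assignment from the export keeps the exit status, and quoting keeps a path with spaces intact: `PY_HEPTAPOD="$("${PYTHON:-python3}" -c 'import heptapod, os; print(os.path.dirname(heptapod.__file__))')" || return 1` followed by `export PY_HEPTAPOD`, then `echo "$PY_HEPTAPOD"`. The `return` assumes the file is meant to be sourced, which the `export` and the missing shebang suggest. A one-line header comment stating that would help, e.g. `# Source this file; sets PY_HEPTAPOD to the installed heptapod package directory.`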