Diffstat (limited to 'gitlab-server/usr/share/gitlab-install/gitlab')
-rw-r--r--gitlab-server/usr/share/gitlab-install/gitlab/config/database.yml49
-rw-r--r--gitlab-server/usr/share/gitlab-install/gitlab/config/gitlab.yml270
-rw-r--r--gitlab-server/usr/share/gitlab-install/gitlab/config/initializers/rack_attack.rb18
-rw-r--r--gitlab-server/usr/share/gitlab-install/gitlab/config/resque.yml3
-rw-r--r--gitlab-server/usr/share/gitlab-install/gitlab/config/unicorn.rb113
-rw-r--r--gitlab-server/usr/share/gitlab-install/gitlab/lib/support/nginx/gitlab70
6 files changed, 523 insertions, 0 deletions
diff --git a/gitlab-server/usr/share/gitlab-install/gitlab/config/database.yml b/gitlab-server/usr/share/gitlab-install/gitlab/config/database.yml
new file mode 100644
index 00000000..66960551
--- /dev/null
+++ b/gitlab-server/usr/share/gitlab-install/gitlab/config/database.yml
@@ -0,0 +1,49 @@
+#
+# PRODUCTION
+#
+production:
+ adapter: postgresql
+ encoding: unicode
+ database: gitlabhq_production
+ pool: 10
+ # username: git
+ # password:
+ # host: localhost
+ # port: 5432
+ # socket: /tmp/postgresql.sock
+
+#
+# Development specific
+#
+development:
+ adapter: postgresql
+ encoding: unicode
+ database: gitlabhq_development
+ pool: 5
+ username: postgres
+ password:
+ # socket: /tmp/postgresql.sock
+
+#
+# Staging specific
+#
+staging:
+ adapter: postgresql
+ encoding: unicode
+ database: gitlabhq_staging
+ pool: 5
+ username: postgres
+ password:
+ # socket: /tmp/postgresql.sock
+
+# Warning: The database defined as "test" will be erased and
+# re-generated from your development database when you run "rake".
+# Do not set this db to the same as development or production.
+test: &test
+ adapter: postgresql
+ encoding: unicode
+ database: gitlabhq_test
+ pool: 5
+ username: postgres
+ password:
+ # socket: /tmp/postgresql.sock
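Review bot: The `development`, `staging` and `test` entries connect as `username: postgres` with an empty `password:`, which is conventionally the PostgreSQL superuser role, while `production` leaves its `# username: git` hint commented out. If any of these environments is ever started on the packaged server, the application would hold cluster-wide privileges, including for the erase-and-regenerate behaviour the comment above `test` warns about. I would use a dedicated unprivileged role there as well, e.g. `username: git`, and add a comment that once a `password:` is filled in, the installed file should be readable only by the GitLab service user. The `&test` anchor is not referenced anywhere in this file and could be dropped.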
diff --git a/gitlab-server/usr/share/gitlab-install/gitlab/config/gitlab.yml b/gitlab-server/usr/share/gitlab-install/gitlab/config/gitlab.yml
new file mode 100644
index 00000000..06d2cee5
--- /dev/null
+++ b/gitlab-server/usr/share/gitlab-install/gitlab/config/gitlab.yml
@@ -0,0 +1,270 @@
+# # # # # # # # # # # # # # # # # #
+# GitLab application config file #
+# # # # # # # # # # # # # # # # # #
+#
+# How to use:
+# 1. copy file as gitlab.yml
+# 2. Replace gitlab -> host with your domain
+# 3. Replace gitlab -> email_from
+
+production: &base
+ #
+ # 1. GitLab app settings
+ # ==========================
+
+ ## GitLab settings
+ gitlab:
+ ## Web server settings (note: host is the FQDN, do not include http://)
+ host: ##GITLAB_HOSTNAME##
+ port: ##GITLAB_PORT##
+ https: false
+
+ # Uncomment and customize the last line to run in a non-root path
+ # WARNING: We recommend creating a FQDN to host GitLab in a root path instead of this.
+ # Note that four settings need to be changed for this to work.
+ # 1) In your application.rb file: config.relative_url_root = "/gitlab"
+ # 2) In your gitlab.yml file: relative_url_root: /gitlab
+ # 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"
+ # 4) In ../gitlab-shell/config.yml: gitlab_url: "http://127.0.0.1/gitlab"
+ # To update the path, run: sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production
+ #
+ # relative_url_root: /gitlab
+
+ # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
+ # user: git
+
+ ## Email settings
+ # Email address used in the "From" field in mails sent by GitLab
+ email_from: ##GITLAB_EMAIL##
+
+ # Email address of your support contact (default: same as email_from)
+ support_email: ##GITLAB_EMAIL##
+
+ ## User settings
+ default_projects_limit: 10
+ # default_can_create_group: false # default: true
+ # username_changing_enabled: false # default: true - User can change her username/namespace
+ ## Default theme
+ ## BASIC = 1
+ ## MARS = 2
+ ## MODERN = 3
+ ## GRAY = 4
+ ## COLOR = 5
+ # default_theme: 2 # default: 2
+
+
+ ## Users management
+ # default: false - Account passwords are not sent via the email if signup is enabled.
+ # signup_enabled: true
+ #
+ # default: true - If set to false, standard login form won't be shown on the sign-in page
+ # signin_enabled: false
+
+
+ # Restrict setting visibility levels for non-admin users.
+ # The default is to allow all levels.
+ #restricted_visibility_levels: [ "public" ]
+
+ ## Automatic issue closing
+ # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
+ # This happens when the commit is pushed or merged into the default branch of a project.
+ # When not specified the default issue_closing_pattern as specified below will be used.
+ # issue_closing_pattern: '([Cc]lose[sd]|[Ff]ixe[sd]) #(\d+)'
+
+ ## Default project features settings
+ default_projects_features:
+ issues: true
+ merge_requests: true
+ wiki: true
+ wall: false
+ snippets: false
+ visibility_level: "private" # can be "private" | "internal" | "public"
+
+ ## Repository downloads directory
+ # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
+ # The default is 'tmp/repositories' relative to the root of the Rails app.
+ # repository_downloads_path: tmp/repositories
+
+ ## External issues trackers
+ issues_tracker:
+ # redmine:
+ # title: "Redmine"
+ # ## If not nil, link 'Issues' on project page will be replaced with this
+ # ## Use placeholders:
+ # ## :project_id - GitLab project identifier
+ # ## :issues_tracker_id - Project Name or Id in external issue tracker
+ # project_url: "http://redmine.sample/projects/:issues_tracker_id"
+ #
+ # ## If not nil, links from /#\d/ entities from commit messages will replaced with this
+ # ## Use placeholders:
+ # ## :project_id - GitLab project identifier
+ # ## :issues_tracker_id - Project Name or Id in external issue tracker
+ # ## :id - Issue id (from commit messages)
+ # issues_url: "http://redmine.sample/issues/:id"
+ #
+ # ## If not nil, linkis to creating new issues will be replaced with this
+ # ## Use placeholders:
+ # ## :project_id - GitLab project identifier
+ # ## :issues_tracker_id - Project Name or Id in external issue tracker
+ # new_issue_url: "http://redmine.sample/projects/:issues_tracker_id/issues/new"
+ #
+ # jira:
+ # title: "Atlassian Jira"
+ # project_url: "http://jira.sample/issues/?jql=project=:issues_tracker_id"
+ # issues_url: "http://jira.sample/browse/:id"
+ # new_issue_url: "http://jira.sample/secure/CreateIssue.jspa"
+
+ ## Gravatar
+ gravatar:
+ enabled: true # Use user avatar image from Gravatar.com (default: true)
+ # plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=mm
+ # ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm
+
+ #
+ # 2. Auth settings
+ # ==========================
+
+ ## LDAP settings
+ # You can inspect a sample of the LDAP users with login access by running:
+ # bundle exec rake gitlab:ldap:check RAILS_ENV=production
+ ldap:
+ enabled: false
+ host: '_your_ldap_server'
+ port: 636
+ uid: 'sAMAccountName'
+ method: 'ssl' # "tls" or "ssl" or "plain"
+ bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
+ password: '_the_password_of_the_bind_user'
+ # If allow_username_or_email_login is enabled, GitLab will ignore everything
+ # after the first '@' in the LDAP username submitted by the user on login.
+ #
+ # Example:
+ # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
+ # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
+ #
+ # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
+ # disable this setting, because the userPrincipalName contains an '@'.
+ allow_username_or_email_login: true
+
+ # Base where we can search for users
+ #
+ # Ex. ou=People,dc=gitlab,dc=example
+ #
+ base: ''
+
+ # Filter LDAP users
+ #
+ # Format: RFC 4515
+ # Ex. (employeeType=developer)
+ #
+ user_filter: ''
+
+
+ ## OmniAuth settings
+ omniauth:
+ # Allow login via Twitter, Google, etc. using OmniAuth providers
+ enabled: false
+
+ # CAUTION!
+ # This allows users to login without having a user account first (default: false).
+ # User accounts will be created automatically when authentication was successful.
+ allow_single_sign_on: false
+ # Locks down those users until they have been cleared by the admin (default: true).
+ block_auto_created_users: true
+
+ ## Auth providers
+ # Uncomment the following lines and fill in the data of the auth provider you want to use
+ # If your favorite auth provider is not listed you can use others:
+ # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
+ # The 'app_id' and 'app_secret' parameters are always passed as the first two
+ # arguments, followed by optional 'args' which can be either a hash or an array.
+ # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
+ providers:
+ # - { name: 'google_oauth2', app_id: 'YOUR APP ID',
+ # app_secret: 'YOUR APP SECRET',
+ # args: { access_type: 'offline', approval_prompt: '' } }
+ # - { name: 'twitter', app_id: 'YOUR APP ID',
+ # app_secret: 'YOUR APP SECRET'}
+ # - { name: 'github', app_id: 'YOUR APP ID',
+ # app_secret: 'YOUR APP SECRET',
+ # args: { scope: 'user:email' } }
+
+
+
+ #
+ # 3. Advanced settings
+ # ==========================
+
+ # GitLab Satellites
+ satellites:
+ # Relative paths are relative to Rails.root (default: tmp/repo_satellites/)
+ path: /home/git/gitlab-satellites/
+
+ ## Backup settings
+ backup:
+ path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
+ # keep_time: 604800 # default: 0 (forever) (in seconds)
+
+ ## GitLab Shell settings
+ gitlab_shell:
+ path: /home/git/gitlab-shell/
+
+ # REPOS_PATH MUST NOT BE A SYMLINK!!!
+ repos_path: /home/git/repositories/
+ hooks_path: /home/git/gitlab-shell/hooks/
+
+ # Git over HTTP
+ upload_pack: true
+ receive_pack: true
+
+ # If you use non-standard ssh port you need to specify it
+ # ssh_port: 22
+
+ ## Git settings
+ # CAUTION!
+ # Use the default values unless you really know what you are doing
+ git:
+ bin_path: /usr/bin/git
+ # The next value is the maximum memory size grit can use
+ # Given in number of bytes per git object (e.g. a commit)
+ # This value can be increased if you have very large commits
+ max_size: 5242880 # 5.megabytes
+ # Git timeout to read a commit, in seconds
+ timeout: 10
+
+ #
+ # 4. Extra customization
+ # ==========================
+
+ extra:
+ ## Google analytics. Uncomment if you want it
+ # google_analytics_id: '_your_tracking_id'
+
+ ## Piwik analytics.
+ # piwik_url: '_your_piwik_url'
+ # piwik_site_id: '_your_piwik_site_id'
+
+ ## Text under sign-in page (Markdown enabled)
+ # sign_in_text: |
+ # ![Company Logo](http://www.companydomain.com/logo.png)
+ # [Learn more about CompanyName](http://www.companydomain.com/)
+
+development:
+ <<: *base
+
+test:
+ <<: *base
+ gravatar:
+ enabled: true
+ gitlab:
+ host: localhost
+ port: 80
+ issues_tracker:
+ redmine:
+ title: "Redmine"
+ project_url: "http://redmine/projects/:issues_tracker_id"
+ issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
+ new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
+
+staging:
+ <<: *base
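Review bot: `https: false` under `gitlab:` ships together with `upload_pack: true` / `receive_pack: true` and the standard sign-in form, so unless TLS is terminated somewhere outside this commit, account passwords (and LDAP credentials if `ldap.enabled` is later switched on) cross the network in cleartext; the nginx vhost added in this commit also listens without `ssl`. I would add a comment above that line such as `# Set to true and serve GitLab over TLS before exposing sign-in or Git over HTTP outside a trusted network`. Separately, the unquoted `##GITLAB_HOSTNAME##`, `##GITLAB_PORT##` and `##GITLAB_EMAIL##` placeholders start with `#` after a space, so a file whose substitution step was skipped parses them as comments and yields null values instead of an obvious error. Quoting the string ones, e.g. `host: '##GITLAB_HOSTNAME##'`, would make a missed substitution visible.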
diff --git a/gitlab-server/usr/share/gitlab-install/gitlab/config/initializers/rack_attack.rb b/gitlab-server/usr/share/gitlab-install/gitlab/config/initializers/rack_attack.rb
new file mode 100644
index 00000000..bc3234bf
--- /dev/null
+++ b/gitlab-server/usr/share/gitlab-install/gitlab/config/initializers/rack_attack.rb
@@ -0,0 +1,18 @@
+# 1. Rename this file to rack_attack.rb
+# 2. Review the paths_to_be_protected and add any other path you need protecting
+#
+
+paths_to_be_protected = [
+ "#{Rails.application.config.relative_url_root}/users/password",
+ "#{Rails.application.config.relative_url_root}/users/sign_in",
+ "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
+ "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
+ "#{Rails.application.config.relative_url_root}/users",
+ "#{Rails.application.config.relative_url_root}/users/confirmation"
+]
+
+unless Rails.env.test?
+ Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
+ req.ip if paths_to_be_protected.include?(req.path) && req.post?
+ end
+end
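Review bot: The throttle only fires when `paths_to_be_protected.include?(req.path)` is an exact string match, so a request that Rails routes to the same action under a different spelling of the path would not be counted. Rails routes commonly accept such variants. Matching on a normalized path or a prefix is more robust, for example `req.ip if req.post? && paths_to_be_protected.any? { |p| req.path.start_with?(p) }`, at the cost of also counting other POSTs below `/users`. The key is `req.ip` alone, so it is worth confirming that behind the nginx proxy this resolves to the client address rather than the proxy's. The header comment `# 1. Rename this file to rack_attack.rb` is stale now that the file is added under that name.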
diff --git a/gitlab-server/usr/share/gitlab-install/gitlab/config/resque.yml b/gitlab-server/usr/share/gitlab-install/gitlab/config/resque.yml
new file mode 100644
index 00000000..f42ffe78
--- /dev/null
+++ b/gitlab-server/usr/share/gitlab-install/gitlab/config/resque.yml
@@ -0,0 +1,3 @@
+development: redis://127.0.0.1:6379
+test: redis://127.0.0.1:6379
+production: redis://127.0.0.1:6379
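Review bot: This file defines `development`, `test` and `production` but no `staging` key, while `database.yml` and `gitlab.yml` in the same commit both define a `staging` environment. If staging is meant to be usable, add `staging: redis://127.0.0.1:6379`; otherwise the lookup for that environment presumably returns nothing. The URLs carry no password, which is reasonable only as long as Redis stays bound to loopback on this host.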
diff --git a/gitlab-server/usr/share/gitlab-install/gitlab/config/unicorn.rb b/gitlab-server/usr/share/gitlab-install/gitlab/config/unicorn.rb
new file mode 100644
index 00000000..02dbd98a
--- /dev/null
+++ b/gitlab-server/usr/share/gitlab-install/gitlab/config/unicorn.rb
@@ -0,0 +1,113 @@
+# Sample verbose configuration file for Unicorn (not Rack)
+#
+# This configuration file documents many features of Unicorn
+# that may not be needed for some applications. See
+# http://unicorn.bogomips.org/examples/unicorn.conf.minimal.rb
+# for a much simpler configuration file.
+#
+# See http://unicorn.bogomips.org/Unicorn/Configurator.html for complete
+# documentation.
+
+# Uncomment and customize the last line to run in a non-root path
+# WARNING: We recommend creating a FQDN to host GitLab in a root path instead of this.
+# Note that four settings need to be changed for this to work.
+# 1) In your application.rb file: config.relative_url_root = "/gitlab"
+# 2) In your gitlab.yml file: relative_url_root: /gitlab
+# 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"
+# 4) In ../gitlab-shell/config.yml: gitlab_url: "http://127.0.0.1/gitlab"
+# To update the path, run: sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production
+#
+# ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"
+
+# Use at least one worker per core if you're on a dedicated server,
+# more will usually help for _short_ waits on databases/caches.
+worker_processes 2
+
+# Since Unicorn is never exposed to outside clients, it does not need to
+# run on the standard HTTP port (80), there is no reason to start Unicorn
+# as root unless it's from system init scripts.
+# If running the master process as root and the workers as an unprivileged
+# user, do this to switch euid/egid in the workers (also chowns logs):
+# user "unprivileged_user", "unprivileged_group"
+
+# Help ensure your application will always spawn in the symlinked
+# "current" directory that Capistrano sets up.
+working_directory "/home/git/gitlab" # available in 0.94.0+
+
+# listen on both a Unix domain socket and a TCP port,
+# we use a shorter backlog for quicker failover when busy
+listen "/home/git/gitlab/tmp/sockets/gitlab.socket", :backlog => 64
+listen "127.0.0.1:##UNICORN_PORT##", :tcp_nopush => true
+
+# nuke workers after 30 seconds instead of 60 seconds (the default)
+timeout 30
+
+# feel free to point this anywhere accessible on the filesystem
+pid "/home/git/gitlab/tmp/pids/unicorn.pid"
+
+# By default, the Unicorn logger will write to stderr.
+# Additionally, some applications/frameworks log to stderr or stdout,
+# so prevent them from going to /dev/null when daemonized here:
+stderr_path "/home/git/gitlab/log/unicorn.stderr.log"
+stdout_path "/home/git/gitlab/log/unicorn.stdout.log"
+
+# combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings
+# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow
+preload_app true
+GC.respond_to?(:copy_on_write_friendly=) and
+ GC.copy_on_write_friendly = true
+
+# Enable this flag to have unicorn test client connections by writing the
+# beginning of the HTTP headers before calling the application. This
+# prevents calling the application for connections that have disconnected
+# while queued. This is only guaranteed to detect clients on the same
+# host unicorn runs on, and unlikely to detect disconnects even on a
+# fast LAN.
+check_client_connection false
+
+before_fork do |server, worker|
+ # the following is highly recomended for Rails + "preload_app true"
+ # as there's no need for the master process to hold a connection
+ defined?(ActiveRecord::Base) and
+ ActiveRecord::Base.connection.disconnect!
+
+ # The following is only recommended for memory/DB-constrained
+ # installations. It is not needed if your system can house
+ # twice as many worker_processes as you have configured.
+ #
+ # This allows a new master process to incrementally
+ # phase out the old master process with SIGTTOU to avoid a
+ # thundering herd (especially in the "preload_app false" case)
+ # when doing a transparent upgrade. The last worker spawned
+ # will then kill off the old master process with a SIGQUIT.
+ old_pid = "#{server.config[:pid]}.oldbin"
+ if old_pid != server.pid
+ begin
+ sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
+ Process.kill(sig, File.read(old_pid).to_i)
+ rescue Errno::ENOENT, Errno::ESRCH
+ end
+ end
+ #
+ # Throttle the master from forking too quickly by sleeping. Due
+ # to the implementation of standard Unix signal handlers, this
+ # helps (but does not completely) prevent identical, repeated signals
+ # from being lost when the receiving process is busy.
+ # sleep 1
+end
+
+after_fork do |server, worker|
+ # per-process listener ports for debugging/admin/migrations
+ # addr = "127.0.0.1:#{9293 + worker.nr}"
+ # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true)
+
+ # the following is *required* for Rails + "preload_app true",
+ defined?(ActiveRecord::Base) and
+ ActiveRecord::Base.establish_connection
+
+ # if preload_app is true, then you may also want to check and
+ # restart any other shared sockets/descriptors such as Memcached,
+ # and Redis. TokyoCabinet file handles are safe to reuse
+ # between any number of forked children (assuming your kernel
+ # correctly implements pread()/pwrite() system calls)
+end
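Review bot: `listen "127.0.0.1:##UNICORN_PORT##", :tcp_nopush => true` opens a loopback TCP listener in addition to the Unix socket, yet the nginx `upstream gitlab` added in this commit proxies only to `gitlab.socket`. Any local account can reach the application on that port without passing through nginx, so the `X-Forwarded-For` / `X-Real-IP` values nginx sets are not enforced on that path, which matters for the IP-keyed throttle in `rack_attack.rb`. If nothing on the host (gitlab-shell, for instance) is configured to use the TCP port, I would drop the line and keep only the socket; if it is needed, a comment naming the component that depends on it would help. It is also worth checking that `/home/git/gitlab/tmp/sockets` is not accessible to other local users.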
diff --git a/gitlab-server/usr/share/gitlab-install/gitlab/lib/support/nginx/gitlab b/gitlab-server/usr/share/gitlab-install/gitlab/lib/support/nginx/gitlab
new file mode 100644
index 00000000..e9d3b1f0
--- /dev/null
+++ b/gitlab-server/usr/share/gitlab-install/gitlab/lib/support/nginx/gitlab
@@ -0,0 +1,70 @@
+# GITLAB
+# Maintainer: @randx
+
+# CHUNKED TRANSFER
+# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
+# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
+# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
+# - installing an old version of Nginx with the chunkin module [2] compiled in, or
+# - using a newer version of Nginx.
+#
+# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
+# users can use Git over SSH to push large files.
+#
+# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+# [1] https://github.com/agentzh/chunkin-nginx-module#status
+# [2] https://github.com/agentzh/chunkin-nginx-module
+
+upstream gitlab {
+ server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
+}
+
+server {
+ listen *:##GITLAB_PORT## default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
+ server_name ##GITLAB_HOSTNAME##; # e.g., server_name source.example.com;
+ server_tokens off; # don't show the version number, a security best practice
+ root /home/git/gitlab/public;
+
+ # Increase this if you want to upload large attachments
+ # Or if you want to accept large git objects over http
+ client_max_body_size 20m;
+
+ # individual nginx logs for this gitlab vhost
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
+
+ location / {
+ # serve static files from defined root folder;.
+ # @gitlab is a named location for the upstream fallback, see below
+ try_files $uri $uri/index.html $uri.html @gitlab;
+ }
+
+ # if a file, which is not found in the root folder is requested,
+ # then the proxy pass the request to the upsteam (gitlab unicorn)
+ location @gitlab {
+ # If you use https make sure you disable gzip compression
+ # to be safe against BREACH attack
+ # gzip off;
+
+ proxy_read_timeout 300; # Some requests take more than 30 seconds.
+ proxy_connect_timeout 300; # Some requests take more than 30 seconds.
+ proxy_redirect off;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_pass http://gitlab;
+ }
+
+ # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
+ location ~ ^/(assets)/ {
+ root /home/git/gitlab/public;
+ #gzip_static on; # to serve pre-gzipped version
+ expires max;
+ add_header Cache-Control public;
+ }
+
+ error_page 502 /502.html;
+}
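Review bot: The server block is declared `default_server` on `*:##GITLAB_PORT##` and forwards the client-supplied name with `proxy_set_header Host $http_host;`, so requests carrying any `Host` value are passed to GitLab unchanged. If the application ever derives links from the request host rather than from `gitlab.host` in `gitlab.yml` (not visible here), that value would end up in generated URLs. I would drop `default_server` from this block and let a separate catch-all server answer unknown names, or forward a fixed value such as `proxy_set_header Host $server_name;` after checking that a non-default port is still handled. The BREACH comment in `location @gitlab` leaves `# gzip off;` commented out; it should be enabled together with any move to HTTPS.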