diff --git a/README.rst b/README.rst index 3d45436..69c2d0e 100644 --- a/README.rst +++ b/README.rst @@ -1,6 +1,16 @@ gitlab-formula ============== +Modification from original formula : + +* No hardcoded path : possibilty to install gitlab where you want +* Use of Postgresql / Nginx formulas +* Original initd script from Gitlab setup +* Proxy for git.latest / gem +* Install package from archive +* Configuration keys for secret_key and secret_file (gitlab_shell_secret) +* Lot of little things... + SaltStack formula to install GitLab Salt state for installing GitLab - https://gitlab.com/gitlab-org/gitlab-ce @@ -8,17 +18,6 @@ Salt state for installing GitLab - https://gitlab.com/gitlab-org/gitlab-ce Following original install docs ( https://gitlab.com/gitlab-org/gitlab-ce/blob/6-5-stable/doc/install/installation.md ) as close as possible, with some exceptions: * ruby 1.9.3 is enough for it to work, so I'm using system packages for that -* Using PostgreSQL "because". - -Currently tested only on Debian, further systems planned. - -Initial work done for CentOS but doesn't work there yet, heavily inspired by https://github.com/gitlabhq/gitlab-recipes/tree/master/install/centos - -There are some initial bits for supporting RVM, but it's not working yet. - -I chose to use PostgreSQL "because", planning to make this tunable via pillar. - -I assume you're running gitlab under your node's FQDN, not under another name. Attempt made to have most settings tunable via pillars. diff --git a/gitlab/files/dl.yarn.com.key b/gitlab/files/dl.yarn.com.key new file mode 100644 index 0000000..e1cb0b6 --- /dev/null +++ b/gitlab/files/dl.yarn.com.key 
@@ -0,0 +1,153 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBFf0j5oBEADS6cItqCbf4lOLICohq2aHqM5I1jsz3DC4ddIU5ONbKXP1t0wk +FEUPRzd6m80cTo7Q02Bw7enh4J6HvM5XVBSSGKENP6XAsiOZnY9nkXlcQAPFRnCn +CjEfoOPZ0cBKjn2IpIXXcC+7xh4p1yruBpOsCbT6BuzA+Nm9j4cpRjdRdWSSmdID +TyMZClmYm/NIfCPduYvNZxZXhW3QYeieP7HIonhZSHVu/jauEUyHLVsieUIvAOJI +cXYpwLlrw0yy4flHe1ORJzuA7EZ4eOWCuKf1PgowEnVSS7Qp7lksCuljtfXgWelB +XGJlAMD90mMbsNpQPF8ywQ2wjECM8Q6BGUcQuGMDBtFihobb+ufJxpUOm4uDt0y4 +zaw+MVSi+a56+zvY0VmMGVyJstldPAcUlFYBDsfC9+zpzyrAqRY+qFWOT2tj29R5 +ZNYvUUjEmA/kXPNIwmEr4oj7PVjSTUSpwoKamFFE6Bbha1bzIHpdPIRYc6cEulp3 +dTOWfp+Cniiblp9gwz3HeXOWu7npTTvJBnnyRSVtQgRnZrrtRt3oLZgmj2fpZFCE +g8VcnQOb0iFcIM7VlWL0QR4SOz36/GFyezZkGsMlJwIGjXkqGhcEHYVDpg0nMoq1 +qUvizxv4nKLanZ5jKrV2J8V09PbL+BERIi6QSeXhXQIui/HfV5wHXC6DywARAQAB +tBxZYXJuIFBhY2thZ2luZyA8eWFybkBkYW4uY3g+iQI5BBMBCAAjBQJX9I+aAhsD +BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQFkawG4blAxB52Q/9FcyGIEK2 +QamDhookuoUGGYjIeN+huQPWmc6mLPEKS2Vahk5jnJKVtAFiaqINiUtt/1jZuhF2 +bVGITvZK79kM6lg42xQcnhypzQPgkN7GQ/ApYqeKqCh1wV43KzT/CsJ9TrI0SC34 +qYHTEXXUprAuwQitgAJNi5QMdMtauCmpK+Xtl/72aetvL8jMFElOobeGwKgfLo9+ +We2EkKhSwyiy3W5TYI1UlV+evyyT+N0pmhRUSH6sJpzDnVYYPbCWa2b+0D/PHjXi +edKcely/NvqyVGoWZ+j41wkp5Q0wK2ybURS1ajfaKt0OcMhRf9XCfeXAQvU98mEk +FlfPaq0CXsjOy8eJXDeoc1dwxjDi2YbfHel0CafjrNp6qIFG9v3JxPUU19hG9lxD +Iv7VXftvMpjJCo/J4Qk+MOv7KsabgXg1iZHmllyyH3TY4AA4VA+mlceiiOHdXbKk +Q3BfS1jdXPV+2kBfqM4oWANArlrFTqtop8PPsDNqh/6SrVsthr7WTvC5q5h/Lmxy +Krm4Laf7JJMvdisfAsBbGZcR0Xv/Vw9cf2OIEzeOWbj5xul0kHT1vHhVNrBNanfe +t79RTDGESPbqz+bTS7olHWctl6TlwxA0/qKlI/PzXfOg63Nqy15woq9buca+uTcS +ccYO5au+g4Z70IEeQHsq5SC56qDR5/FvYyu5Ag0EV/SPmgEQANDSEMBKp6ER86y+ +udfKdSLP9gOv6hPsAgCHhcvBsks+ixeX9U9KkK7vj/1q6wodKf9oEbbdykHgIIB1 +lzY1l7u7/biAtQhTjdEZPh/dt3vjogrJblUEC0rt+fZe325ociocS4Bt9I75Ttkd +nWgkE4uOBJsSllpUbqfLBfYR58zz2Rz1pkBqRTkmJFetVNYErYi2tWbeJ59GjUN7 +w1K3GhxqbMbgx4dF5+rjGs+KI9k6jkGeeQHqhDk+FU70oLVLuH2Dmi9IFjklKmGa +3BU7VpNxvDwdoV7ttRYEBcBnPOmL24Sn4Xhe2MDCqgJwwyohd9rk8neV7GtavVea 
+Tv6bnzi1iJRgDld51HFWG8X+y55i5cYWaiXHdHOAG1+t35QUrczm9+sgkiKSk1II +TlEFsfwRl16NTCMGzjP5kGCm/W+yyyvBMw7CkENQcd23fMsdaQ/2UNYJau2PoRH/ +m+IoRehIcmE0npKeLVTDeZNCzpmfY18T542ibK49kdjZiK6G/VyBhIbWEFVu5Ll9 ++8GbcO9ucYaaeWkFS8Hg0FZafMk59VxKiICKLZ5he/C4f0UssXdyRYU6C5BH8UTC +QLg0z8mSSL+Wb2iFVPrn39Do7Zm8ry6LBCmfCf3pI99Q/1VaLDauorooJV3rQ5kC +JEiAeqQtLOvyoXIex1VbzlRUXmElABEBAAGJAh8EGAEIAAkFAlf0j5oCGwwACgkQ +FkawG4blAxAUUQ//afD0KLHjClHsA/dFiW+5qVzI8kPMHwO1QcUjeXrB6I3SluOT +rLSPhOsoS72yAaU9hFuq8g9ecmFrl3Skp/U4DHZXioEmozyZRp7eVsaHTewlfaOb +6g7+v52ktYdomcp3BM5v/pPZCnB5rLrH2KaUWbpY6V6tqtCHbF7zftDqcBENJDXf +hiCqS19J08GZFjDEqGDrEj3YEmEXZMN7PcXEISPIz6NYI6rw4yVH8AXfQW6vpPzm +ycHwI0QsVW2NQdcZ6zZt+phm6shNUbN2iDdg3BJICmIvQf8qhO3bOh0Bwc11FLHu +MKuGVxnWN82HyIsuUB7WDLBHEOtg61Zf1nAF1PQK52YuQz3EWI4LL9OqVqfSTY1J +jqIfj+u1PY2UHrxZfxlz1M8pXb1grozjKQ5aNqBKRrcMZNx71itR5rv18qGjGR2i +Sciu/xah7zAroEQrx72IjYt03tbk/007CvUlUqFIFB8kY1bbfX8JAA+TxelUniUR +2CY8eom5HnaPpKE3kGXZ0jWkudbWb7uuWcW1FE/bO+VtexpBL3SoXmwbVMGnJIEi +Uvy8m6ez0kzLXzJ/4K4b8bDO4NjFX2ocKdzLA89Z95KcZUxEG0O7kaDCu0x3BEge +uArJLecD5je2/2HXAdvkOAOUi6Gc/LiJrtInc0vUFsdqWCUK5Ao/MKvdMFW5Ag0E +V/SP2AEQALRcYv/hiv1n3VYuJbFnEfMkGwkdBYLGo3hiHKY8xrsFVePl9SkL8aqd +C310KUFNI42gGY/lz54RUHOqfMszTdafFrmwU18ECWGo4oG9qEutIKG7fkxcvk2M +tgsOMZFJqVDS1a9I4QTIkv1ellLBhVub9S7vhe/0jDjXs9IyOBpYQrpCXAm6SypC +fpqkDJ4qt/yFheATcm3s8ZVTsk2hiz2jnbqfvpte3hr3XArDjZXr3mGAp3YY9JFT +zVBOhyhT/92e6tURz8a/+IrMJzhSyIDel9L+2sHHo9E+fA3/h3lg2mo6EZmRTuvE +v9GXf5xeP5lSCDwS6YBXevJ8OSPlocC8Qm8ziww6dy/23XTxPg4YTkdf42i7VOpS +pa7EvBGne8YrmUzfbrxyAArK05lo56ZWb9ROgTnqM62wfvrCbEqSHidN3WQQEhMH +N7vtXeDPhAd8vaDhYBk4A/yWXIwgIbMczYf7Pl7oY3bXlQHb0KW/y7N3OZCr5mPW +94VLLH/v+T5R4DXaqTWeWtDGXLih7uXrG9vdlyrULEW+FDSpexKFUQe83a+Vkp6x +GX7FdMC9tNKYnPeRYqPF9UQEJg+MSbfkHSAJgky+bbacz+eqacLXMNCEk2LXFV1B +66u2EvSkGZiH7+6BNOar84I3qJrU7LBD7TmKBDHtnRr9JXrAxee3ABEBAAGJBEQE +GAEIAA8FAlf0j9gCGwIFCQHhM4ACKQkQFkawG4blAxDBXSAEGQEIAAYFAlf0j9gA +CgkQ0QH3iZ1B88PaoA//VuGdF5sjxRIOAOYqXypOD9/Kd7lYyxmtCwnvKdM7f8O5 
+iD8oR2Pk1RhYHjpkfMRVjMkaLfxIRXfGQsWfKN2Zsa4zmTuNy7H6X26XW3rkFWpm +dECz1siGRvcpL6NvwLPIPQe7tST72q03u1H7bcyLGk0sTppgMoBND7yuaBTBZkAO +WizR+13x7FV+Y2j430Ft/DOe/NTc9dAlp6WmF5baOZClULfFzCTf9OcS2+bo68oP +gwWwnciJHSSLm6WRjsgoDxo5f3xBJs0ELKCr4jMwpSOTYqbDgEYOQTmHKkX8ZeQA +7mokc9guA0WK+DiGZis85lU95mneyJ2RuYcz6/VDwvT84ooe1swVkC2palDqBMwg +jZSTzbcUVqZRRnSDCe9jtpvF48WK4ZRiqtGO6Avzg1ZwMmWSr0zHQrLrUMTq/62W +KxLyj2oPxgptRg589hIwXVxJRWQjFijvK/xSjRMLgg73aNTq6Ojh98iyKAQ3HfzW +6iXBLLuGfvxflFednUSdWorr38MspcFvjFBOly+NDSjPHamNQ2h19iHLrYT7t4ve +nU9PvC+ORvXGxTN8mQR9btSdienQ8bBuU/mg/c417w6WbY7tkkqHqUuQC9LoaVdC +QFeE/SKGNe+wWN/EKi0QhXR9+UgWA41Gddi83Bk5deuTwbUeYkMDeUlOq3yyemcG +VxAA0PSktXnJgUj63+cdXu7ustVqzMjVJySCKSBtwJOge5aayonCNxz7KwoPO34m +Gdr9P4iJfc9kjawNV79aQ5aUH9uU2qFlbZOdO8pHOTjy4E+J0wbJb3VtzCJc1Eaa +83kZLFtJ45Fv2WQQ2Nv3Fo+yqAtkOkaBZv9Yq0UTaDkSYE9MMzHDVFx11TT21NZD +xu2QiIiqBcZfqJtIFHN5jONjwPG08xLAQKfUNROzclZ1h4XYUT+TWouopmpNeay5 +JSNcp5LsC2Rn0jSFuZGPJ1rBwB9vSFVA/GvOj8qEdfhjN3XbqPLVdOeChKuhlK0/ +sOLZZG91SHmT5SjP2zM6QKKSwNgHX4xZt4uugSZiY13+XqnrOGO9zRH8uumhsQmI +eFEdT27fsXTDTkWPI2zlHTltQjH1iebqqM9gfa2KUt671WyoL1yLhWrgePvDE+He +r002OslvvW6aAIIBki3FntPDqdIH89EEB4UEGqiA1eIZ6hGaQfinC7/IOkkm/mEa +qdeoI6NRS521/yf7i34NNj3IaL+rZQFbVWdbTEzAPtAs+bMJOHQXSGZeUUFrEQ/J +ael6aNg7mlr7cacmDwZWYLoCfY4w9GW6JHi6i63np8EA34CXecfor7cAX4XfaokB +XjyEkrnfV6OWYS7f01JJOcqYANhndxz1Ph8bxoRPelf5q+W5Ag0EWBU7dwEQAL1p +wH4prFMFMNV7MJPAwEug0Mxf3OsTBtCBnBYNvgFB+SFwKQLyDXUujuGQudjqQPCz +/09MOJPwGCOi0uA0BQScJ5JAfOq33qXi1iXCj9akeCfZXCOWtG3Izc3ofS6uee7K +fWUF1hNyA3PUwpRtM2pll+sQEO3y/EN7xYGUOM0mlCawrYGtxSNMlWBlMk/y5HK9 +upz+iHwUaEJ4PjV+P4YmDq0PnPvXE4qhTIvxx0kO5oZF0tAJCoTg1HE7o99/xq9Z +rejDR1JJj6btNw1YFQsRDLxRZv4rL9He10lmLhiQE8QN7zOWzyJbRP++tWY2d2zE +yFzvsOsGPbBqLDNkbb9d8Bfvp+udG13sHAEtRzI2UWe5SEdVHobAgu5l+m10WlsN +TG/L0gJe1eD1bwceWlnSrbqw+y+pam9YKWqdu18ETN6CeAbNo4w7honRkcRdZyoG +p9zZf3o1bGBBMla6RbLuJBoRDOy2Ql7B+Z87N0td6KlHI6X8fNbatbtsXR7qLUBP +5oRb6nXX4+DnTMDbvFpE2zxnkg+C354Tw5ysyHhM6abB2+zCXcZ3holeyxC+BUrO 
+gGPyLH/s01mg2zmttwC1UbkaGkQ6SwCoQoFEVq9Dp96B6PgZxhEw0GMrKRw53LoX +4rZif9Exv6qUFsGY8U9daEdDPF5UHYe7t/nPpfW3ABEBAAGJBD4EGAEIAAkFAlgV +O3cCGwICKQkQFkawG4blAxDBXSAEGQEIAAYFAlgVO3cACgkQRsITDf0kl/VynQ/+ +P3Vksu4fno26vA7ml9bzV3mu/X/gzU1HqySqYv9Zwzk2o512Z4QkoT/8lRepIG7v +AFRQzPn56Pz/vpMfiMDaf6thxs8wpv4y3m+rcQIQKO4sN3wwFPPbvM8wGoY6fGav +IkLKKIXy1BpzRGltGduf0c29+ycvzccQpyuTrZk4Zl73kLyBS8fCt+MZWejMMolD +uuLJiHbXci6+Pdi3ImabyStbNnJYmSyruNHcLHlgIbyugTiAcdTy0Bi/z8MfeYwj +VAwEkX4b2NwtuweYLzupBOTv0SqYCmBduZObkS5LHMZ+5Yh9Hfrd04uMdO5cIiy0 +AsGehTRC3Xyaea7Qk993rNcGEzX7LNB1GB2BXSq9FYPb+q0ewf8k8Lr9E0WG0dvD +OaJSkSGedgdA1QzvTgpAAkVWsXlksShVf4NVskxNUGDRaPLeRB+IV/5jO+kRsFuO +g5Tlkn6cgu1+Bn5gIfv0ny9K7TeC697gRQIcK8db1t8XidgSKbRmsSYEaRCy3c9x +w2/N7DLU/Js3gV8FUd7cZpaYN+k/erMdyfqLA7oFd+HLbA5Du/971yF8/6Bof8zp +jB9+QPRIARpcROEcQXz09dtl8wW8M0r09xpna+0Jk6JxF+stD97+hzikQXIxUtCX +j35ps9USSxv1cuz0MaFdWGW13OugtN4bQ2DNgelbTDUEKg//YTbBl9oGYQxHv9S5 +qvZVNvV3DuI18E5VW5ddyo/JfW24+Tukli/ZjPQYnMOP86nnIqo/LPGb4nV1uWL4 +KhmOCbH7t43+TkAwdwoxLjYP7iOqQp9VRPFjomUfvtmLjHp4r3cVEt5QeJEZLiSC +zSKMjPKqRMo5nNs3Et+/FyWCMRYdSggwhBfkbKKo44H9pmL3bTLqyir7EJAcArla +zjKMyZqRsK3gZfQgoASN5xAhemVWHnnecVSAqrOW599EBkc7Kf6lXjTVHtHN02vX +YYRZ16zrEjrfwb23LR+lAxSfWxLDovKLBg2SPbpduEv1GxyEFgF7v9fco4aQbuh/ +fOGvA8nuXkC5nI6ukw4c4zwmJ5+SNQthFUYKWLd4hR4qrCoJkMEWZmsCRtqxjVCJ +/i9ygRJHOGAWaam7bS+U7pdmq2mgF+qTxb2vX6mSzI3q3M7drGUA3EdaZo1hPA5u +kWi7tMCGqPQmtUFRnUvHPzCDuXLYT8lRxhTxDi3T5MXdIUlAUTcNpwG8Ill0xkGc +pMlh0D5p44GEdMFfJiXw6AUETHcqC2qZr2rP9kpzvVlapIrsPRg/DU+s70YnccI3 +iMCVm4/WrghFeK232zkjiwRVOm+IEWBlDFrm4MMjfguUeneYbK9WhqJnss9nc4QK +Vhzuyn3GTtg1w/T6CaYVXBjcHFm5Ag0EWbWWowEQALCiEk5Ic40W7/v5hqYNjrRl +xTE/1axOhhzt8eCB7eOeNOMQKwabYxqBceNmol/guzlnFqLtbaA6yZQkzz/K3eNw +WQg7CfXO3+p/dN0HtktPfdCk+kY/t7StKRjINW6S9xk9KshiukmdiDq8JKS0Hgxq +phBB3tDjmo6/RiaOEFMoUlXKSU+BYYpBpLKg53P8F/8nIsK2aZJyk8XuBd0UXKI+ +N1gfCfzoDWnYHs73LQKcjrTaZQauT81J7+TeWoLI28vkVxyjvTXAyjSBnhxTYfwU +NGSoawEXyJ1uKCwhIpklxcCMI9Hykg7sKNsvmJ4uNcRJ7cSRfb0g5DR9dLhR+eEv 
+Fd+o4PblKk16AI48N8Zg1dLlJuV2cAtl0oBPk+tnbZukvkS5n1IzTSmiiPIXvK2t +506VtfFEw4iZrJWf2Q9//TszBM3r1FPATLH7EAeG5P8RV+ri7L7NvzP6ZQClRDUs +xeimCSe8v/t0OpheCVMlM9TpVcKGMw8ig/WEodoLOP4iqBs4BKR7fuydjDqbU0k/ +sdJTltp7IIdK1e49POIQ7pt+SUrsq/HnPW4woLC1WjouBWyr2M7/a0SldPidZ2BU +AK7O9oXosidZMJT7dBp3eHrspY4bdkSxsd0nshj0ndtqNktxkrSFRkoFpMz0J/M3 +Q93CjdHuTLpTHQEWjm/7ABEBAAGJBEQEGAEIAA8FAlm1lqMCGwIFCQJ2LQACKQkQ +FkawG4blAxDBXSAEGQEIAAYFAlm1lqMACgkQ4HTRbrb/TeMpDQ//eOIsCWY2gYOG +ACw42JzMVvuTDrgRT4hMhgHCGeKzn1wFL1EsbSQV4Z6pYvnNayuEakgIz14wf4UF +s5u1ehfBwatmakSQJn32ANcAvI0INAkLEoqqy81mROjMc9FFrOkdqjcN7yN0BzH9 +jNYL/gsvmOOwOu+dIH3C1Lgei844ZR1BZK1900mohuRwcji0sdROMcrKrGjqd4yb +6f7yl0wbdAxA3IHT3TFGczC7Y41P2OEpaJeVIZZgxkgQsJ14qK/QGpdKvmZAQpjH +BipeO/H+qxyOT5Y+f15VLWGOOVL090+ZdtF7h3m4X2+L7xWsFIgdOprfO60gq3e7 +9YFfgNBYU5BGtJGFGlJ0sGtnpzx5QCRka0j/1E5lIu00sW3WfGItFd48hW6wHClo +yoi7pBR7xqSEoU/U5o7+nC8wHFrDYyqcyO9Q3mZDw4LvlgnyMOM+qLv/fNgO9USE +4T30eSvc0t/5p1hCKNvyxHFghdRSJqn70bm6MQY+kd6+B/k62Oy8eCwRt4PR+LQE +IPnxN7xGuNpVO1oMyhhO41osYruMrodzw81icBRKYFlSuDOQ5jlcSajc6TvF22y+ +VXy7nx1q/CN4tzB/ryUASU+vXS8/QNM6qI/QbbgBy7VtHqDbs2KHp4cP0j9KYQzM +rKwtRwfHqVrwFLkCp61EHwSlPsEFiglpMg/8DQ92O4beY0n7eSrilwEdJg89Ieep +TBm1QYiLM33qWLR9CABYAIiDG7qxviHozVfX6kUwbkntVpyHAXSbWrM3kD6jPs3u +/dimLKVyd29AVrBSn9FC04EjtDWsj1KB7HrFN4oo9o0JLSnXeJb8FnPf3MitaKlt +vj/kZhegozIs+zvpzuri0LvoB4fNA0T4eAmxkGkZBB+mjNCrUHIakyPZVzWGL0QG +sfK1Q9jvw0OErqHJYX8A1wLre/HkBne+e5ezS6Mc7kFW33Y1arfbHFNAe12juPsO +xqK76qNilUbQpPtNvWP3FTpbkAdodMLq/gQ+M5yHwPe8SkpZ8wYCfcwEemz/P+4Q +hQB8tbYbpcPxJ+aQjVjcHpsLdrlSY3JL/gqockR7+97GrCzqXbgvsqiWr16Zyn6m +xYWEHn9HXMh3b+2IYKFFXHffbIBq/mfibDnZtQBrZpn2uyh6F2ZuOsZh0LTD7RL5 +3KV3fi90nS00Gs1kbMkPycL1JLqvYQDpllE2oZ1dKDYkwivGyDQhRNfERL6Jkjyi +SxfZ2c84r2HPgnJTi/WBplloQkM+2NfXrBo6kLHSC6aBndRKk2UmUhrUluGcQUyf +zYRFH5kVueIYfDaBPus9gb+sjnViFRpqVjefwlXSJEDHWP3Cl2cuo2mJjeDghj40 +0U6pjSUW3bIC/PI= +=BxMn +-----END PGP PUBLIC KEY BLOCK----- 
diff --git a/gitlab/files/gitaly-config.toml b/gitlab/files/gitaly-config.toml
new file mode 100644
index 0000000..a152c5a
--- /dev/null
+++ b/gitlab/files/gitaly-config.toml
@@ -0,0 +1,49 @@
+# Example Gitaly configuration file
+
+socket_path = "{{ sockets_dir }}/private/gitaly.socket"
+
+# # Optional: listen on a TCP socket. This is insecure (no authentication)
+# listen_addr = "localhost:9999"
+#
+
+# # Optional: export metrics via Prometheus
+# prometheus_listen_addr = "localhost:9236"
+#
+
+# # Git executable settings
+# [git]
+# bin_path = "/usr/bin/git"
+
+[[storage]]
+name = "default"
+path = "{{ repositories }}"
+
+# # You can optionally configure more storages for this Gitaly instance to serve up
+#
+# [[storage]]
+# name = "other_storage"
+# path = "/mnt/other_storage/repositories"
+#
+
+# # You can optionally configure Gitaly to output JSON-formatted log messages to stdout
+# [logging]
+# format = "json"
+# # Additionally exceptions can be reported to Sentry
+# sentry_dsn = "https://:@sentry.io/"
+
+# # You can optionally configure Gitaly to record histogram latencies on GRPC method calls
+# [prometheus]
+# grpc_latency_buckets = [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]
+
+[gitaly-ruby]
+# The directory where gitaly-ruby is installed
+dir = "{{ gitaly_dir_content }}/ruby"
+
+[gitlab-shell]
+# The directory where gitlab-shell is installed
+dir = "{{ root_dir }}/gitlab-shell"
+
+# # You can adjust the concurrency of each RPC endpoint
+# [[concurrency]]
+# rpc = "/gitaly.RepositoryService/GarbageCollect"
+# max_per_repo = 1
diff --git a/gitlab/files/gitlab-database.yml b/gitlab/files/gitlab-database.yml
index d052257..d502aa7 100644
--- a/gitlab/files/gitlab-database.yml
+++ b/gitlab/files/gitlab-database.yml
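Review bot: This template reads `sockets_dir`, `repositories`, `gitaly_dir_content` and `root_dir` but never defines them, unlike gitlab-default and gitlab.yml in this same commit which `{%- set %}` theirs from pillar, so it silently depends on the managing state passing them as Jinja context that is not visible in this diff. A one-line header such as `# Rendered by Salt file.managed; requires context: sockets_dir, repositories, gitaly_dir_content, root_dir` would make that contract explicit for the next person editing the state. The file's own comment on `listen_addr` says a TCP listener would have no authentication, which implies the Unix socket under `{{ sockets_dir }}/private/` is the only access control Gitaly has here; I would add `# No authentication on this socket: the private/ directory must be owned by the git user and not accessible to others` above `socket_path`, and confirm the state that creates that directory gives it a restrictive mode (presumably 0700, not shown in this diff).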
@@ -1,50 +1,18 @@ -# -# PRODUCTION -# -production: - adapter: postgresql - encoding: unicode - database: {{ salt['pillar.get']('gitlab:db_name') }} - pool: 10 - username: {{ salt['pillar.get']('gitlab:db_user') }} - password: {{ salt['pillar.get']('gitlab:db_pass') }} - # host: localhost - # port: 5432 - # socket: /tmp/postgresql.sock +{%- set db_name = salt['pillar.get']('gitlab:db:name') %} +{%- set db_user = salt['pillar.get']('postgres:databases:' ~ db_name ~ ':owner') %} +{%- set db_pass = salt['pillar.get']('postgres:users:' ~ db_user ~ ':password') %} -# -# Development specific -# -development: - adapter: postgresql - encoding: unicode - database: gitlabhq_development - pool: 5 - username: postgres - password: - # socket: /tmp/postgresql.sock - -# -# Staging specific -# -staging: - adapter: postgresql - encoding: unicode - database: gitlabhq_staging - pool: 5 - username: postgres - password: - # socket: /tmp/postgresql.sock - -# Warning: The database defined as "test" will be erased and -# re-generated from your development database when you run "rake". -# Do not set this db to the same as development or production. -test: &test - adapter: postgresql - encoding: unicode - database: gitlabhq_test - pool: 5 - username: postgres - password: - # socket: /tmp/postgresql.sock +{%- for name, infos in salt['pillar.get']('gitlab:databases', {}).items() %} +{%- set db_user = salt['pillar.get']('postgres:databases:' ~ infos['name'] ~ ':owner') %} +{{ name }}: + adapter: {{ infos['engine'] }} + database: {{ infos['name'] }} + username: {{ db_user }} + password: {{ salt['pillar.get']('postgres:users:' ~ db_user ~ ':password') }} + encoding: {% if 'encoding' in infos %}{{ infos['encoding'] }}{% else %}unicode{% endif %} + pool: {% if 'pool' in infos %}{{ infos['pool'] }}{% else %}5{% endif %} +{%- if 'host' in infos %} + host: {{ infos['host'] }} +{% endif %} +{%- endfor %} 
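Review bot: The first three `{%- set %}` lines are dead code: `db_pass` is never referenced and `db_user` is recomputed inside the loop, so the top-level `postgres:users:...:password` lookup fetches a secret into a variable that is then discarded; drop those three lines so only the per-database lookup remains. The per-database values are also emitted unquoted, so a password (or username) containing `#`, `: ` or a leading `*`, `&`, `!` or `'` either changes the YAML meaning or breaks parsing at Rails boot; I would write `password: {{ salt['pillar.get']('postgres:users:' ~ db_user ~ ':password') | yaml_encode }}` (or a quoted equivalent if your Salt version lacks that filter) and treat `username` the same way. Note that `pillar.get` defaults to an empty string, so a missing `postgres:users:<owner>:password` entry renders `password:` blank and the highstate still succeeds rather than failing — worth a guard if you have a way to abort the render. The rendered file carries the database credential; I assume the state managing it sets user git and mode 0600, which is outside this diff.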
diff --git a/gitlab/files/gitlab-default b/gitlab/files/gitlab-default index 00a44e5..285feb5 100644 --- a/gitlab/files/gitlab-default +++ b/gitlab/files/gitlab-default @@ -1,7 +1,11 @@ +{%- set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %} +{%- set pids_dir = salt['pillar.get']('gitlab:lookup:pids_dir', root_dir ~ '/var/pids') %} +{%- set sockets_dir = salt['pillar.get']('gitlab:lookup:sockets_dir', root_dir ~ '/var/sockets') %} +{%- set logs_dir = salt['pillar.get']('gitlab:lookup:logs_dir', root_dir ~ '/var/log') %} +{%- set workhorse_secret = salt['pillar.get']('gitlab:shell:workhorse:path', root_dir ~ '/.gitlab_workhorse_secret') %} # Copy this lib/support/init.d/gitlab.default.example file to # /etc/default/gitlab in order for it to apply to your system. - # RAILS_ENV defines the type of installation that is running. # Normal values are "production", "test" and "development". RAILS_ENV="production" 
@@ -10,24 +14,23 @@ RAILS_ENV="production" # The default is "git". app_user="git" -# app_root defines the folder in which gitlab and it's components are installed. +# app_root defines the folder in which gitlab and its components are installed. # The default is "/home/$app_user/gitlab" -app_root="/home/$app_user/gitlab" +app_root="{{ root_dir }}/gitlab" {% if salt['pillar.get']('gitlab:use_rvm', false) %} # Load RVM variables . /home/$app_user/.rvm/scripts/rvm - {% endif %} -# pid_path defines a folder in which the gitlab and it's components place their pids. +# pid_path defines a folder in which the gitlab and its components place their pids. # This variable is also used below to define the relevant pids for the gitlab components. # The default is "$app_root/tmp/pids" -pid_path="$app_root/tmp/pids" +pid_path="{{ pids_dir }}" # socket_path defines the folder in which gitlab places the sockets #The default is "$app_root/tmp/sockets" -socket_path="$app_root/tmp/sockets" +socket_path="{{ sockets_dir }}" # web_server_pid_path defines the path in which to create the pid file fo the web_server # The default is "$pid_path/unicorn.pid" 
@@ -37,3 +40,64 @@ web_server_pid_path="$pid_path/unicorn.pid" # The default is "$pid_path/sidekiq.pid" sidekiq_pid_path="$pid_path/sidekiq.pid" +# The directory where the gitlab-workhorse binaries are. Usually +# /home/git/gitlab-workhorse . +gitlab_workhorse_dir=$(cd {{ root_dir }}/gitlab-workhorse/bin && pwd) +gitlab_workhorse_pid_path="$pid_path/gitlab-workhorse.pid" + +# The -listenXxx settings determine where gitlab-workhorse +# listens for connections from the web server. By default it listens to a +# socket. To listen on TCP connections (needed by Apache) change to: +# '-listenNetwork tcp -listenAddr 127.0.0.1:8181' +# +# The -authBackend setting tells gitlab-workhorse where it can reach Unicorn. +# For relative URL support change to: +# '-authBackend http://127.0.0.1/8080/gitlab' +# Read more in http://doc.gitlab.com/ce/install/relative_url.html +gitlab_workhorse_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-workhorse.socket -authBackend http://127.0.0.1:8080 -authSocket $socket_path/gitlab.socket -secretPath {{ workhorse_secret }} -documentRoot $app_root/public" +gitlab_workhorse_log="{{ logs_dir }}/gitlab-workhorse.log" + +# The GitLab Pages Daemon needs either a separate IP address on which it will +# listen or use different ports than 80 or 443 that will be forwarded to GitLab +# Pages Daemon. +# +# To enable HTTP support for custom domains add the `-listen-http` directive +# in `gitlab_pages_options` below. +# The value of -listen-http must be set to `gitlab.yml > pages > external_http` +# as well. For example: +# +# -listen-http 1.1.1.1:80 -listen-http [2001::1]:80 +# +# To enable HTTPS support for custom domains add the `-listen-https`, +# `-root-cert` and `-root-key` directives in `gitlab_pages_options` below. +# The value of -listen-https must be set to `gitlab.yml > pages > external_https` +# as well. 
For example: +# +# -listen-https 1.1.1.1:443 -listen-http [2001::1]:443 -root-cert /path/to/example.com.crt -root-key /path/to/example.com.key +# +# The -pages-domain must be specified the same as in `gitlab.yml > pages > host`. +# Set `gitlab_pages_enabled=true` if you want to enable the Pages feature. +gitlab_pages_enabled=false +gitlab_pages_dir=$(cd {{ root_dir }}/gitlab-pages/bin && pwd) +gitlab_pages_options="-pages-domain example.com -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090" +gitlab_pages_log="{{ logs_dir }}/gitlab-pages.log" + +# mail_room_enabled specifies whether mail_room, which is used to process incoming email, is enabled. +# This is required for the Reply by email feature. +# The default is "false" +mail_room_enabled=false + +# mail_room_pid_path defines the path in which to create the pid file for mail_room +# The default is "$pid_path/mail_room.pid" +mail_room_pid_path="$pid_path/mail_room.pid" + +# shell_path defines the path of shell for "$app_user" in case you are using +# shell other than "bash" +# The default is "/bin/bash" +shell_path="/bin/bash" + +# This variable controls whether the init script starts/stops Gitaly +gitaly_enabled=true +gitaly_dir=$(cd {{ root_dir }}/gitaly/bin && pwd) +gitaly_pid_path="$pid_path/gitaly.pid" +gitaly_log="{{ logs_dir }}/gitaly.log" diff --git a/gitlab/files/gitlab-gitconfig b/gitlab/files/gitlab-gitconfig index 2ac30d0..c43520d 100644 --- a/gitlab/files/gitlab-gitconfig +++ b/gitlab/files/gitlab-gitconfig @@ -1,6 +1,7 @@ [user] name = GitLab - email = gitlab@{{ grains['fqdn'] }} + email = gitlab@{{ salt['pillar.get']('gitlab:hostname', grains['fqdn']) }} [core] autocrlf = input - +[repack] + writeBitmaps = true diff --git a/gitlab/files/gitlab-gitlab.yml b/gitlab/files/gitlab-gitlab.yml index c50120f..b8c9bf6 100644 --- a/gitlab/files/gitlab-gitlab.yml +++ b/gitlab/files/gitlab-gitlab.yml 
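Review bot: `-listenUmask 0` in `gitlab_workhorse_options` creates the workhorse Unix socket world-readable and world-writable, so any local account can talk to workhorse directly and bypass whatever nginx enforces in front of it; that value is copied from the upstream example, but since this formula also drives the nginx formula it can be tighter, e.g. `-listenUmask 007` with nginx's worker user added to the `git` group, or a 0750 `{{ sockets_dir }}` owned by `git`. Separately, `gitlab_workhorse_dir=$(cd {{ root_dir }}/gitlab-workhorse/bin && pwd)` and the `gitlab_pages_dir`/`gitaly_dir` equivalents expand to an empty string when the directory is missing, so the init script would then resolve the binary relative to its own working directory; a comment such as `# empty if the build step has not run yet; check with: test -n "$gitlab_workhorse_dir"` would at least flag that failure mode. The `workhorse_secret` path comes from pillar key `gitlab:shell:workhorse:path`, which matches the gitlab.yml change in this commit; the secret file itself must not be created world-readable, which I presume a state outside this diff handles.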
@@ -2,10 +2,37 @@ # GitLab application config file # # # # # # # # # # # # # # # # # # # # +########################### NOTE ##################################### +# This file should not receive new settings. All configuration options # +# * are being moved to ApplicationSetting model! # +# If a setting requires an application restart say so in that screen. # +# If you change this file in a Merge Request, please also create # +# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # +######################################################################## +# +# # How to use: -# 1. copy file as gitlab.yml -# 2. Replace gitlab -> host with your domain -# 3. Replace gitlab -> email_from +# 1. Copy file as gitlab.yml +# 2. Update gitlab -> host with your fully qualified domain name +# 3. Update gitlab -> email_from +# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git +# IMPORTANT: If Git was installed in a different location use that instead. +# You can check with `which git`. If a wrong path of Git is specified, it will +# result in various issues such as failures of GitLab CI builds. +# 5. 
Review this configuration file for other settings you may want to adjust + +{% set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %} +{% set lib_dir = salt['pillar.get']('gitlab:lookup:lib_dir', root_dir ~ '/libraries') %} +{% set repositories = salt['pillar.get']('gitlab:lookup:repositories', root_dir ~ '/repositories') %} +{% set sockets_dir = salt['pillar.get']('gitlab:lookup:sockets_dir', root_dir ~ '/var/sockets') %} +{%- set workhorse_secret = salt['pillar.get']('gitlab:shell:workhorse:path', root_dir ~ '/.gitlab_workhorse_secret') %} + +{% set shell_dir = lib_dir ~ "/gitlab-shell" %} +{% if salt['pillar.get']('gitlab:archives:enabled', false) %} + {% set shell_dir_content = shell_dir ~ '/' ~ salt['pillar.get']('gitlab:archives:sources:shell:content') %} +{% else %} + {% set shell_dir_content = shell_dir %} +{% endif %} production: &base # @@ -14,8 +41,8 @@ production: &base ## GitLab settings gitlab: - ## Web server settings - host: {{ grains['fqdn'] }} + ## Web server settings (note: host is the FQDN, do not include http://) + host: {{ salt['pillar.get']('gitlab:hostname', grains['fqdn']) }} {%- if salt['pillar.get']('gitlab:https', false) %} port: 443 https: true 
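Review bot: In the `{% if salt['pillar.get']('gitlab:archives:enabled', false) %}` branch, `gitlab:archives:sources:shell:content` is looked up without a default, so when archives are enabled but that key is absent `pillar.get` returns an empty string and `shell_dir_content` silently collapses to `<lib_dir>/gitlab-shell/`, i.e. the non-archive layout, instead of failing the render. I would read the key once into a variable and abort when it is empty, e.g. `{% set shell_content = salt['pillar.get']('gitlab:archives:sources:shell:content') %}` followed by `{% if not shell_content %}{{ raise('gitlab:archives:sources:shell:content is required when archives are enabled') }}{% endif %}`, assuming your Salt version provides the Jinja `raise()` helper. `workhorse_secret` is set in this hunk but consumed in the following one, which runs past the end of this excerpt, so I cannot check how it is used.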
@@ -24,207 +51,617 @@ production: &base https: false {% endif %} - # Uncomment and customize the last line to run in a non-root path - # WARNING: We recommend creating a FQDN to host GitLab in a root path instead of this. - # Note that four settings need to be changed for this to work. - # 1) In your application.rb file: config.relative_url_root = "/gitlab" - # 2) In your gitlab.yml file: relative_url_root: /gitlab - # 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab" - # 4) In ../gitlab-shell/config.yml: gitlab_url: "http://127.0.0.1/gitlab" - # To update the path, run: sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production + # Uncommment this line below if your ssh host is different from HTTP/HTTPS one + # (you'd obviously need to replace ssh.host_example.com with your own host). + # Otherwise, ssh host will be set to the `host:` value above + # ssh_host: ssh.host_example.com + + # Relative URL support + # WARNING: We recommend using an FQDN to host GitLab in a root path instead + # of using a relative URL. + # Documentation: http://doc.gitlab.com/ce/install/relative_url.html + # Uncomment and customize the following line to run in a non-root path # # relative_url_root: /gitlab + # Trusted Proxies + # Customize if you have GitLab behind a reverse proxy which is running on a different machine. + # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. + trusted_proxies: + # Examples: + #- 192.168.1.0/24 + #- 192.168.2.1 + #- 2001:0db8::/32 + # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') # user: git + ## Date & Time settings + # Uncomment and customize if you want to change the default time zone of GitLab application. 
+ # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production` + # time_zone: 'UTC' + ## Email settings + # Uncomment and set to false if you need to disable email sending from GitLab (default: true) + # email_enabled: true # Email address used in the "From" field in mails sent by GitLab - email_from: gitlab@{{ grains['fqdn'] }} + email_from: gitlab@{{ salt['pillar.get']('gitlab:hostname', grains['fqdn']) }} + email_display_name: GitLab + email_reply_to: noreply@{{ salt['pillar.get']('gitlab:hostname', grains['fqdn']) }} + email_subject_suffix: '' - # Email address of your support contact (default: same as email_from) - support_email: support@{{ grains['fqdn'] }} + # Email server smtp settings are in config/initializers/smtp_settings.rb.sample - ## User settings - default_projects_limit: 10 # default_can_create_group: false # default: true # username_changing_enabled: false # default: true - User can change her username/namespace - ## Default theme - ## BASIC = 1 - ## MARS = 2 - ## MODERN = 3 - ## GRAY = 4 - ## COLOR = 5 - # default_theme: 2 # default: 2 - - - ## Users management - # default: false - Account passwords are not sent via the email if signup is enabled. - # signup_enabled: true - - # Restrict setting visibility levels for non-admin users. - # The default is to allow all levels. - #restricted_visibility_levels: [ "public" ] + ## Default theme ID + ## 1 - Indigo + ## 2 - Dark + ## 3 - Light + ## 4 - Blue + ## 5 - Green + # default_theme: 1 # default: 1 ## Automatic issue closing # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. # This happens when the commit is pushed or merged into the default branch of a project. # When not specified the default issue_closing_pattern as specified below will be used. - # issue_closing_pattern: '([Cc]lose[sd]|[Ff]ixe[sd]) +#\d+' + # Tip: you can test your closing pattern at http://rubular.com. 
+ # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing)|[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)' ## Default project features settings default_projects_features: issues: true merge_requests: true wiki: true - wall: false - snippets: false - visibility_level: "private" # can be "private" | "internal" | "public" + snippets: true + builds: true + container_registry: true + + ## Webhook settings + # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) + # webhook_timeout: 10 + + ## Repository downloads directory + # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory. + # The default is 'shared/cache/archive/' relative to the root of the Rails app. + # repository_downloads_path: shared/cache/archive/ + + ## Reply by email + # Allow users to comment on issues and merge requests by replying to notification emails. + # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html + incoming_email: + enabled: false + + # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to. + # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`). + address: "gitlab-incoming+%{key}@gmail.com" + + # Email account username + # With third party providers, this is usually the full email address. + # With self-hosted email servers, this is usually the user part of the email address. + user: "gitlab-incoming@gmail.com" + # Email account password + password: "[REDACTED]" + + # IMAP server host + host: "imap.gmail.com" + # IMAP server port + port: 993 + # Whether the IMAP server uses SSL + ssl: true + # Whether the IMAP server uses StartTLS + start_tls: false + + # The mailbox where incoming mail will end up. Usually "inbox". 
+ mailbox: "inbox" + # The IDLE command timeout. + idle_timeout: 60 + + ## Build Artifacts + artifacts: + enabled: true + # The location where build artifacts are stored (default: shared/artifacts). + # path: shared/artifacts + + ## Git LFS + lfs: + enabled: true + # The location where LFS objects are stored (default: shared/lfs-objects). + # storage_path: shared/lfs-objects + + ## Uploads (attachments, avatars, etc...) + uploads: + # The location where uploads objects are stored (default: public/). + # storage_path: public/ + # base_dir: uploads/-/system + + ## GitLab Pages + pages: + enabled: false + # The location where pages are stored (default: shared/pages). + # path: shared/pages + + # The domain under which the pages are served: + # http://group.example.com/project + # or project path can be a group page: group.example.com + host: example.com + port: 80 # Set to 443 if you serve the pages with HTTPS + https: false # Set to true if you serve the pages with HTTPS + artifacts_server: true + # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages + # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages + + ## Mattermost + ## For enabling Add to Mattermost button + mattermost: + enabled: false + host: 'https://mattermost.example.com' - ## External issues trackers - issues_tracker: - # redmine: - # title: "Redmine" - # ## If not nil, link 'Issues' on project page will be replaced with this - # ## Use placeholders: - # ## :project_id - GitLab project identifier - # ## :issues_tracker_id - Project Name or Id in external issue tracker - # project_url: "http://redmine.sample/projects/:issues_tracker_id" + ## Gravatar + ## If using gravatar.com, there's nothing to change here. For Libravatar + ## you'll need to provide the custom URLs. 
For more information, + ## see: https://docs.gitlab.com/ee/customization/libravatar.html + gravatar: + # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username} + # plain_url: "http://..." # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + # ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + + ## Auxiliary jobs + # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc. + # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job + cron_jobs: + # Flag stuck CI jobs as failed + stuck_ci_jobs_worker: + cron: "0 * * * *" + # Execute scheduled triggers + pipeline_schedule_worker: + cron: "19 * * * *" + # Remove expired build artifacts + expire_build_artifacts_worker: + cron: "50 * * * *" + # Periodically run 'git fsck' on all repositories. If started more than + # once per hour you will have concurrent 'git fsck' jobs. + repository_check_worker: + cron: "20 * * * *" + # Send admin emails once a week + admin_email_worker: + cron: "0 0 * * 0" + + # Remove outdated repository archives + repository_archive_cache_worker: + cron: "0 * * * *" + + # Verify custom GitLab Pages domains + pages_domain_verification_cron_worker: + cron: "*/15 * * * *" + + registry: + # enabled: true + # host: registry.example.com + # port: 5005 + # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API + # key: config/registry.key + # path: shared/registry + # issuer: gitlab-issuer + + # + # 2. 
GitLab CI settings + # ========================== + + gitlab_ci: + # Default project notifications settings: # - # ## If not nil, links from /#\d/ entities from commit messages will replaced with this - # ## Use placeholders: - # ## :project_id - GitLab project identifier - # ## :issues_tracker_id - Project Name or Id in external issue tracker - # ## :id - Issue id (from commit messages) - # issues_url: "http://redmine.sample/issues/:id" + # Send emails only on broken builds (default: true) + # all_broken_builds: true # - # ## If not nil, linkis to creating new issues will be replaced with this - # ## Use placeholders: - # ## :project_id - GitLab project identifier - # ## :issues_tracker_id - Project Name or Id in external issue tracker - # new_issue_url: "http://redmine.sample/projects/:issues_tracker_id/issues/new" - # - # jira: - # title: "Atlassian Jira" - # project_url: "http://jira.sample/issues/?jql=project=:issues_tracker_id" - # issues_url: "http://jira.sample/browse/:id" - # new_issue_url: "http://jira.sample/secure/CreateIssue.jspa" + # Add pusher to recipients list (default: false) + # add_pusher: true - ## Gravatar - gravatar: - enabled: {{ salt['pillar.get']('gitlab:gravatar:enabled', true) }} # Use user avatar image from Gravatar.com (default: true) - # plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=mm - # ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm + # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root + # builds_path: builds/ # - # 2. Auth settings + # 3. 
Auth settings # ========================== ## LDAP settings - # You can inspect a sample of the LDAP users with login access by running: + # You can test connections and inspect a sample of the LDAP users with login + # access by running: # bundle exec rake gitlab:ldap:check RAILS_ENV=production ldap: enabled: {{ salt['pillar.get']('gitlab:ldap:enabled', false) }} - host: '{{ salt['pillar.get']('gitlab:ldap:host', '') }}' - base: '{{ salt['pillar.get']('gitlab:ldap:base', '') }}' - port: {{ salt['pillar.get']('gitlab:ldap:port', 636) }} - uid: '{{ salt['pillar.get']('gitlab:ldap:uid', 'sAMAccountName') }}' - method: '{{ salt['pillar.get']('gitlab:ldap:method', 'ssl') }}' # "ssl" or "plain" - bind_dn: '{{ salt['pillar.get']('gitlab:ldap:bind_dn', '') }}' - password: '{{ salt['pillar.get']('gitlab:ldap:password', '') }}' - # If allow_username_or_email_login is enabled, GitLab will ignore everything - # after the first '@' in the LDAP username submitted by the user on login. - # - # Example: - # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; - # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. - # - # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to - # disable this setting, because the userPrincipalName contains an '@'. - allow_username_or_email_login: '{{ salt['pillar.get']('gitlab:ldap:allow_username_or_email_login', true) }}' + servers: + ########################################################################## + # + # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab + # Enterprise Edition now supports connecting to multiple LDAP servers. + # + # If you are updating from the old (pre-7.4) syntax, you MUST give your + # old server the ID 'main'. + # + ########################################################################## + main: # 'main' is the GitLab 'provider ID' of this LDAP server + ## label + # + # A human-friendly name for your LDAP server. 
It is OK to change the label later, + # for instance if you find out it is too large to fit on the web page. + # + # Example: 'Paris' or 'Acme, Ltd.' + label: {{ salt['pillar.get']('gitlab:ldap:label', 'LDAP') }} + + # Example: 'ldap.mydomain.com' + host: '{{ salt['pillar.get']('gitlab:ldap:host', '') }}' + port: {{ salt['pillar.get']('gitlab:ldap:port', 636) }} + uid: '{{ salt['pillar.get']('gitlab:ldap:uid', 'sAMAccountName') }}' + + # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com' + bind_dn: '{{ salt['pillar.get']('gitlab:ldap:bind_dn', '') }}' + password: '{{ salt['pillar.get']('gitlab:ldap:password', '') }}' + + # Encryption method. The "method" key is deprecated in favor of + # "encryption". + # + # Examples: "start_tls" or "simple_tls" or "plain" + # + # Deprecated values: "tls" was replaced with "start_tls" and "ssl" was + # replaced with "simple_tls". + # + encryption: {{ salt['pillar.get']('gitlab:ldap:encryption', 'plain') }} + + # Enables SSL certificate verification if encryption method is + # "start_tls" or "simple_tls". Defaults to true. + verify_certificates: {{ salt['pillar.get']('gitlab:ldap:verify_certificates', false) }} + + # Specifies the path to a file containing a PEM-format CA certificate, + # e.g. if you need to use an internal CA. + # + # Example: '/etc/ca.pem' + # + ca_file: {{ salt['pillar.get']('gitlab:ldap:ca_file', '') }} + + # Specifies the SSL version for OpenSSL to use, if the OpenSSL default + # is not appropriate. + # + # Example: 'TLSv1_1' + # + ssl_version: {{ salt['pillar.get']('gitlab:ldap:ssl_version', '') }} + + # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking + # a request if the LDAP server becomes unresponsive. + # A value of 0 means there is no timeout. + timeout: {{ salt['pillar.get']('gitlab:ldap:timeout', 10) }} + + # This setting specifies if LDAP server is Active Directory LDAP server. + # For non AD servers it skips the AD specific queries. 
+ # If your LDAP server is not AD, set this to false. + active_directory: {{ salt['pillar.get']('gitlab:ldap:active_directory', false) }} + + # If allow_username_or_email_login is enabled, GitLab will ignore everything + # after the first '@' in the LDAP username submitted by the user on login. + # + # Example: + # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; + # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. + # + # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to + # disable this setting, because the userPrincipalName contains an '@'. + allow_username_or_email_login: {{ salt['pillar.get']('gitlab:ldap:allow_username_or_email_login', true) }} + + # To maintain tight control over the number of active users on your GitLab installation, + # enable this setting to keep new users blocked until they have been cleared by the admin + # (default: false). + block_auto_created_users: {{ salt['pillar.get']('gitlab:ldap:block_auto_created_users', true) }} + + # Base where we can search for users + # + # Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com' + # + base: {{ salt['pillar.get']('gitlab:ldap:base', '') }} + + # Filter LDAP users + # + # Format: RFC 4515 https://tools.ietf.org/search/rfc4515 + # Ex. (employeeType=developer) + # + # Note: GitLab does not support omniauth-ldap's custom filter syntax. + # + # Example for getting only specific users: + # '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))' + # + user_filter: {{ salt['pillar.get']('gitlab:ldap:user_filter', '') }} + + # LDAP attributes that GitLab will use to create an account for the LDAP user. + # The specified attribute can either be the attribute name as a string (e.g. 'mail'), + # or an array of attribute names to try in order (e.g. ['mail', 'email']). + # Note that the user's LDAP login will always be the attribute specified as `uid` above. 
+ attributes: + # The username will be used in paths for the user's own projects + # (like `gitlab.example.com/username/project`) and when mentioning + # them in issues, merge request and comments (like `@username`). + # If the attribute specified for `username` contains an email address, + # the GitLab username will be the part of the email address before the '@'. + username: ['uid', 'userid', 'sAMAccountName'] + email: ['mail', 'email', 'userPrincipalName'] + + # If no full name could be found at the attribute specified for `name`, + # the full name is determined using the attributes specified for + # `first_name` and `last_name`. + name: 'cn' + first_name: 'givenName' + last_name: 'sn' + + # If lowercase_usernames is enabled, GitLab will lower case the username. + lowercase_usernames: false + + # GitLab EE only: add more LDAP servers + # Choose an ID made of a-z and 0-9 . This ID will be stored in the database + # so that GitLab can remember which LDAP server a user belongs to. + # uswest2: + # label: + # host: + # .... + ## OmniAuth settings omniauth: # Allow login via Twitter, Google, etc. using OmniAuth providers enabled: {{ salt['pillar.get']('gitlab:omniauth:enabled', false) }} + # Uncomment this to automatically sign in with a specific omniauth provider's without + # showing GitLab's sign-in page (default: show the GitLab sign-in page) + # auto_sign_in_with_provider: saml + + # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty). + # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"], + # or as true/false to allow all providers or none. + # When authenticating using LDAP, the user's email is always synced. + # sync_profile_from_provider: [] + + # Select which info to sync from the providers above. (default: email). + # Define the synced profile info using an array. Available options are "name", "email" and "location" + # e.g. 
["name", "email", "location"] or as true to sync all available. + # This consequently will make the selected attributes read-only. + # sync_profile_attributes: true + # CAUTION! - # This allows users to login without having a user account first (default: false). + # This allows users to login without having a user account first. Define the allowed providers + # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none. # User accounts will be created automatically when authentication was successful. allow_single_sign_on: {{ salt['pillar.get']('gitlab:omniauth:allow_single_sign_on', false) }} + # Locks down those users until they have been cleared by the admin (default: true). block_auto_created_users: {{ salt['pillar.get']('gitlab:omniauth:block_auto_created_users', true) }} + # Look up new users in LDAP servers. If a match is found (same uid), automatically + # link the omniauth identity with the LDAP account. (default: false) + auto_link_ldap_user: false + + # Allow users with existing accounts to login and auto link their account via SAML + # login, without having to do a manual login first and manually add SAML + # (default: false) + auto_link_saml_user: false + + # Set different Omniauth providers as external so that all users creating accounts + # via these providers will not be able to have access to internal projects. You + # will need to use the full name of the provider, like `google_oauth2` for Google. + # Refer to the examples below for the full names of the supported providers. 
+ # (default: []) + external_providers: [] ## Auth providers # Uncomment the following lines and fill in the data of the auth provider you want to use # If your favorite auth provider is not listed you can use others: - # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Working-custom-omniauth-provider-configurations + # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations # The 'app_id' and 'app_secret' parameters are always passed as the first two # arguments, followed by optional 'args' which can be either a hash or an array. + # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html providers: - # - { name: 'google_oauth2', app_id: 'YOUR APP ID', - # app_secret: 'YOUR APP SECRET', - # args: { access_type: 'offline', approval_prompt: '' } } - # - { name: 'twitter', app_id: 'YOUR APP ID', - # app_secret: 'YOUR APP SECRET'} - # - { name: 'github', app_id: 'YOUR APP ID', - # app_secret: 'YOUR APP SECRET', + # See omniauth-cas3 for more configuration details + # - { name: 'cas3', + # label: 'cas3', + # args: { + # url: 'https://sso.example.com', + # disable_ssl_verification: false, + # login_url: '/cas/login', + # service_validate_url: '/cas/p3/serviceValidate', + # logout_url: '/cas/logout'} } + # - { name: 'authentiq', + # # for client credentials (client ID and secret), go to https://www.authentiq.com/developers + # app_id: 'YOUR_CLIENT_ID', + # app_secret: 'YOUR_CLIENT_SECRET', + # args: { + # scope: 'aq:name email~rs address aq:push' + # # callback_url parameter is optional except when 'gitlab.host' in this file is set to 'localhost' + # # callback_url: 'YOUR_CALLBACK_URL' + # } + # } + # - { name: 'github', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # url: "https://github.com/", + # verify_ssl: true, # args: { scope: 'user:email' } } - - + # - { name: 'bitbucket', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET' } + # - { name: 'gitlab', + # 
app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # args: { scope: 'api' } } + # - { name: 'google_oauth2', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # args: { access_type: 'offline', approval_prompt: '' } } + # - { name: 'facebook', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET' } + # - { name: 'twitter', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET' } + # + # - { name: 'saml', + # label: 'Our SAML Provider', + # groups_attribute: 'Groups', + # external_groups: ['Contractors', 'Freelancers'], + # args: { + # assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback', + # idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8', + # idp_sso_target_url: 'https://login.example.com/idp', + # issuer: 'https://gitlab.example.com', + # name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' + # } } + # + # - { name: 'crowd', + # args: { + # crowd_server_url: 'CROWD SERVER URL', + # application_name: 'YOUR_APP_NAME', + # application_password: 'YOUR_APP_PASSWORD' } } + # + # - { name: 'auth0', + # args: { + # client_id: 'YOUR_AUTH0_CLIENT_ID', + # client_secret: 'YOUR_AUTH0_CLIENT_SECRET', + # namespace: 'YOUR_AUTH0_DOMAIN' } } + + # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours. + # cas3: + # session_duration: 28800 + + # Shared file storage settings + shared: + # path: /mnt/gitlab # Default: shared + + # Gitaly settings + gitaly: + # Path to the directory containing Gitaly client executables. + client_path: {{ root_dir }}/gitaly/bin + # Default Gitaly authentication token. Can be overriden per storage. Can + # be left blank when Gitaly is running locally on a Unix socket, which + # is the normal way to deploy Gitaly. + token: # - # 3. Advanced settings + # 4. 
Advanced settings # ========================== - # GitLab Satellites - satellites: - # Relative paths are relative to Rails.root (default: tmp/repo_satellites/) - path: /home/git/gitlab-satellites/ + ## Repositories settings + repositories: + # Paths where repositories can be stored. Give the canonicalized absolute pathname. + # IMPORTANT: None of the path components may be symlink, because + # gitlab-shell invokes Dir.pwd inside the repository path and that results + # real path not the symlink. + storages: # You must have at least a `default` storage path. + default: + path: {{ repositories }} + gitaly_address: unix:{{ sockets_dir }}/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port) + # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage. ## Backup settings backup: path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) + # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600) # keep_time: 604800 # default: 0 (forever) (in seconds) + # pg_schema: public # default: nil, it means that all schemas will be backed up + # upload: + # # Fog storage connection settings, see http://fog.io/storage/ . + # connection: + # provider: AWS + # region: eu-west-1 + # aws_access_key_id: AKIAKIAKI + # aws_secret_access_key: 'secret123' + # # The remote 'directory' to store your backups. For S3, this would be the bucket name. 
+ # remote_directory: 'my.s3.bucket' + # # Use multipart uploads when file size reaches 100MB, see + # # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html + # multipart_chunk_size: 104857600 + # # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional + # # encryption: 'AES256' + # # Specifies Amazon S3 storage class to use for backups, this is optional + # # storage_class: 'STANDARD' ## GitLab Shell settings gitlab_shell: - path: /home/git/gitlab-shell/ + path: {{ root_dir }}/gitlab-shell/ + hooks_path: {{ root_dir }}/gitlab-shell/hooks/ - # REPOS_PATH MUST NOT BE A SYMLINK!!! - repos_path: /home/git/repositories/ - hooks_path: /home/git/gitlab-shell/hooks/ + # File that contains the secret key for verifying access for gitlab-shell. + # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: "{{ salt['pillar.get']('gitlab:secret_file', root_dir ~ '/.gitlab_shell_secret') }}" # Git over HTTP upload_pack: true receive_pack: true + # Git import/fetch timeout, in seconds. Defaults to 3 hours. + # git_timeout: 10800 + # If you use non-standard ssh port you need to specify it # ssh_port: 22 + workhorse: + # File that contains the secret key for verifying access for gitlab-workhorse. + # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: {{ workhorse_secret }} + ## Git settings # CAUTION! # Use the default values unless you really know what you are doing git: bin_path: /usr/bin/git - # Max size of a git object (e.g. a commit), in bytes - # This value can be increased if you have very large commits - max_size: 5242880 # 5.megabytes - # Git timeout to read a commit, in seconds - timeout: 10 + + ## Webpack settings + # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running + # on a given port instead of serving directly from /assets/webpack. 
This is only indended for use + # in development. + webpack: + # dev_server: + # enabled: true + # host: localhost + # port: 3808 + + ## Monitoring + # Built in monitoring settings + monitoring: + # Time between sampling of unicorn socket metrics, in seconds + # unicorn_sampler_interval: 10 + # IP whitelist to access monitoring endpoints + ip_whitelist: + - 127.0.0.0/8 + + # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics + sidekiq_exporter: + # enabled: true + # address: localhost + # port: 3807 # - # 4. Extra customization + # 5. Extra customization # ========================== extra: ## Google analytics. Uncomment if you want it # google_analytics_id: '_your_tracking_id' - ## Text under sign-in page (Markdown enabled) - # sign_in_text: | - # ![Company Logo](http://www.companydomain.com/logo.png) - # [Learn more about CompanyName](http://www.companydomain.com/) + ## Piwik analytics. + # piwik_url: '_your_piwik_url' + # piwik_site_id: '_your_piwik_site_id' + + rack_attack: + git_basic_auth: + # Rack Attack IP banning enabled + # enabled: true + # + # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers + # ip_whitelist: ["127.0.0.1"] + # + # Limit the number of Git HTTP authentication attempts per IP + # maxretry: 10 + # + # Reset the auth attempt counter per IP after 60 seconds + # findtime: 60 + # + # Ban an IP for one hour (3600s) after too many auth attempts + # bantime: 3600 development: <<: *base @@ -240,4 +677,3 @@ test: staging: <<: *base - diff --git a/gitlab/files/gitlab-logrotate b/gitlab/files/gitlab-logrotate index 6df8685..acb5b50 100644 --- a/gitlab/files/gitlab-logrotate +++ b/gitlab/files/gitlab-logrotate 
@@ -1,23 +1,14 @@ # GitLab logrotate settings # based on: http://stackoverflow.com/a/4883967 -/home/git/gitlab/log/*.log { - weekly - missingok - rotate 52 - compress - delaycompress - notifempty - copytruncate -} +{%- set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %} +{%- set logs_dir = salt['pillar.get']('gitlab:lookup:logs_dir', root_dir ~ '/var/logs') %} -/home/git/gitlab-shell/gitlab-shell.log { - weekly +{{ logs_dir }}/*.log { + daily missingok - rotate 52 + rotate 90 compress - delaycompress notifempty copytruncate } - diff --git a/gitlab/files/gitlab-nginx b/gitlab/files/gitlab-nginx deleted file mode 100644 index 9c23dd3..0000000 --- a/gitlab/files/gitlab-nginx +++ /dev/null 
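Review bot: The `logs_dir` default set here, `root_dir ~ '/var/logs'`, disagrees with the default `root_dir ~ '/logs'` that gitlab-shell-config.yml gives the same pillar key `gitlab:lookup:logs_dir` in this commit (gitlab-unicorn.rb uses `/var/logs` like this file). With no pillar override, gitlab-shell logs to `/home/git/logs/gitlab-shell.log` while this rule only rotates `/home/git/var/logs/*.log`, so the shell log, which was rotated explicitly before this change, is no longer rotated at all. Pick one default for the key and use it in all three files, e.g. change the gitlab-shell-config.yml line to `{% set logs_dir = salt['pillar.get']('gitlab:lookup:logs_dir', root_dir ~ '/var/logs') %}`. Putting the shared defaults in a single `map.jinja`-style include would remove the chance of this drifting again, but that is a larger change than this commit.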
@@ -1,43 +0,0 @@ -# GITLAB -# Maintainer: @randx -# App Version: 5.0 - -upstream gitlab { - server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; -} - -server { - listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea - server_name {{ grains['fqdn'] }}; # e.g., server_name source.example.com; - server_tokens off; # don't show the version number, a security best practice - root /home/git/gitlab/public; - - # Set value of client_max_body_size to at least the value of git.max_size in gitlab.yml - client_max_body_size 5m; - - # individual nginx logs for this gitlab vhost - access_log /var/log/nginx/gitlab_access.log; - error_log /var/log/nginx/gitlab_error.log; - - location / { - # serve static files from defined root folder;. - # @gitlab is a named location for the upstream fallback, see below - try_files $uri $uri/index.html $uri.html @gitlab; - } - - # if a file, which is not found in the root folder is requested, - # then the proxy pass the request to the upsteam (gitlab unicorn) - location @gitlab { - proxy_read_timeout 300; # Some requests take more than 30 seconds. - proxy_connect_timeout 300; # Some requests take more than 30 seconds. - proxy_redirect off; - - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_pass http://gitlab; - } -} - diff --git a/gitlab/files/gitlab-nginx-ssl b/gitlab/files/gitlab-nginx-ssl deleted file mode 100644 index 60d8f87..0000000 --- a/gitlab/files/gitlab-nginx-ssl +++ /dev/null 
@@ -1,78 +0,0 @@ -# GITLAB -# Contributors: yin8086, sashkab, orkoden, axilleas -# App Version: 5.4 - 6.0 - -# Modified from nginx http version -# Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ - -# You need to run openssl to generate a self-signed ssl certificate. -# cd /etc/nginx/ -# sudo openssl req -new -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key -# sudo chmod o-r gitlab.key -# Also you need to edit gitlab-shell config. -# 1) Set "gitlab_url" param in gitlab-shell/config.yml to https://{{ grains['fqdn'] }} -# 2) Set "ca_file" to /etc/nginx/gitlab.crt -# 3) Set "self_signed_cert" to true -# You also need to edit gitlab/config/gitlab.yml -# 1) Define port for http "port: 443" -# 2) Enable https "https: true" -# 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm" - -upstream gitlab { - - ## Uncomment if you have set up puma/unicorn to listen on a unix socket (recommended). - server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; - - ## Uncomment if puma/unicorn are configured to listen on a tcp port. - ## Check the port number in /home/git/gitlab/config/{puma.rb/unicorn.rb} - # server 127.0.0.1:9292; -} - -# This is a normal HTTP host which redirects all traffic to the HTTPS host. -# Replace {{ grains['fqdn'] }} with your FQDN. -server { - listen *:80; - server_name {{ grains['fqdn'] }}; - server_tokens off; - root /nowhere; # this doesn't have to be a valid path since we are redirecting, you don't have to change it. 
- rewrite ^ https://$server_name$request_uri permanent; -} -server { - listen 443 ssl; - server_name {{ grains['fqdn'] }}; - server_tokens off; - root /home/git/gitlab/public; - - ssl on; - ssl_certificate /etc/nginx/gitlab.crt; - ssl_certificate_key /etc/nginx/gitlab.key; - ssl_protocols SSLv3 TLSv1 TLSv1.2; - ssl_ciphers AES:HIGH:!ADH:!MD5; - ssl_prefer_server_ciphers on; - - # individual nginx logs for this gitlab vhost - access_log /var/log/nginx/gitlab_access.log; - error_log /var/log/nginx/gitlab_error.log; - - location / { - # serve static files from defined root folder;. - # @gitlab is a named location for the upstream fallback, see below - try_files $uri $uri/index.html $uri.html @gitlab; - } - - # if a file, which is not found in the root folder is requested, - # then the proxy pass the request to the upsteam (gitlab unicorn) - location @gitlab { - proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694 - proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694 - proxy_redirect off; - - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Ssl on; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - - proxy_pass http://gitlab; - } -} - diff --git a/gitlab/files/gitlab-resque.yml b/gitlab/files/gitlab-resque.yml new file mode 100644 index 0000000..b69c77d --- /dev/null +++ b/gitlab/files/gitlab-resque.yml 
@@ -0,0 +1,34 @@ +# If you change this file in a Merge Request, please also create +# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests +# +development: + url: redis://localhost:6379 + # sentinels: + # - + # host: localhost + # port: 26380 # point to sentinel, not to redis port + # - + # host: slave2 + # port: 26381 # point to sentinel, not to redis port +test: + url: redis://localhost:6379 +production: + # Redis (single instance) + url: {{ salt['pillar.get']('gitlab:databases:production:redis:url', 'redis://localhost:6379') }} + ## + # Redis + Sentinel (for HA) + # + # Please read instructions carefully before using it as you may lose data: + # http://redis.io/topics/sentinel + # + # You must specify a list of a few sentinels that will handle client connection + # please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html + ## + # url: redis://master:6379 + # sentinels: + # - + # host: slave1 + # port: 26379 # point to sentinel, not to redis port + # - + # host: slave2 + # port: 26379 # point to sentinel, not to redis port diff --git a/gitlab/files/gitlab-secrets.yml b/gitlab/files/gitlab-secrets.yml new file mode 100644 index 0000000..cd77006 --- /dev/null +++ b/gitlab/files/gitlab-secrets.yml @@ -0,0 +1,9 @@ +--- +{%- for name, infos in salt['pillar.get']('gitlab:databases', {}).items() %} +{%- if 'secrets' in infos %} +{{ name }}: + {%- for key, value in infos['secrets'].items() %} + {{ key }}: {{ value|yaml_dquote }} + {%- endfor %} +{%- endif %} +{%- endfor %} diff --git a/gitlab/files/gitlab-shell-config.yml b/gitlab/files/gitlab-shell-config.yml index f6e0da9..1719658 100644 --- a/gitlab/files/gitlab-shell-config.yml +++ b/gitlab/files/gitlab-shell-config.yml 
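Review bot: The `url:` value under `production` is rendered as a bare YAML scalar, whereas gitlab-secrets.yml in the same commit passes its pillar values through `|yaml_dquote`. A Redis URL that carries credentials (`redis://:password@host:port`) can contain characters YAML interprets (`#`, `:`, quotes), which would either break parsing or silently truncate the URL, so quote it the same way: `url: {{ salt['pillar.get']('gitlab:databases:production:redis:url', 'redis://localhost:6379')|yaml_dquote }}`. Since that value may hold a Redis password, the file permissions the managing state applies to resque.yml should match those of the secrets file; the state itself is not visible in this diff.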
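Review bot: The template writes every value found under `gitlab:databases:<env>:secrets` to disk in clear text (double-quoted via `yaml_dquote`), and nothing in the file says so or states the expected ownership. A header comment after `---` such as `# Rendered from pillar gitlab:databases:<env>:secrets. Holds the application's secrets in clear text; the managing file state must keep it owned by the GitLab user with mode 0600.` would make that explicit for whoever maintains the pillar. Note also that when no environment has a `secrets` entry the rendered output is just `---`, which is worth a comment as the intended behaviour or an explicit error. The file state that sets mode and owner is outside this diff, so whether it is restrictive cannot be confirmed here.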
@@ -1,11 +1,15 @@ # GitLab user. git by default user: git +{% set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %} +{% set repo_dir = salt['pillar.get']('gitlab:lookup:repo_dir', root_dir ~ '/repositories') %} +{% set logs_dir = salt['pillar.get']('gitlab:lookup:logs_dir', root_dir ~ '/logs') %} + # Url to gitlab instance. Used for api calls. Should end with a slash. {%- if salt['pillar.get']('gitlab:https', false) %} -gitlab_url: "https://{{ grains['fqdn'] }}/" +gitlab_url: "https://{{ salt['pillar.get']('gitlab:hostname', grains['fqdn']) }}/" {% else %} -gitlab_url: "http://{{ grains['fqdn'] }}/" +gitlab_url: "http://{{ salt['pillar.get']('gitlab:hostname', grains['fqdn']) }}/" {% endif %} http_settings: @@ -23,10 +27,14 @@ http_settings: # Give the canonicalized absolute pathname, # REPOS_PATH MUST NOT CONTAIN ANY SYMLINK!!! # Check twice that none of the components is a symlink, including "/home". -repos_path: "/home/git/repositories" +repos_path: "{{ repo_dir }}" # File used as authorized_keys for gitlab user -auth_file: "/home/git/.ssh/authorized_keys" +auth_file: "{{ root_dir }}/.ssh/authorized_keys" + +# File that contains the secret key for verifying access to GitLab. +# Default is .gitlab_shell_secret in the root directory. +secret_file: "{{ salt['pillar.get']('gitlab:shell:secret:path', '/opt/git/.gitlab_shell_secret') }}" # Redis settings used for pushing commit notices to gitlab redis: @@ -38,7 +46,7 @@ redis: # Log file. # Default is gitlab-shell.log in the root directory. -# log_file: "/home/git/gitlab-shell/gitlab-shell.log" +log_file: "{{ logs_dir }}/gitlab-shell.log" # Log level. INFO by default log_level: {{ salt['pillar.get']('gitlab:shell:log_level', 'INFO') }} diff --git a/gitlab/files/gitlab-unicorn.rb b/gitlab/files/gitlab-unicorn.rb index cc23145..d1eaaf5 100644 --- a/gitlab/files/gitlab-unicorn.rb +++ b/gitlab/files/gitlab-unicorn.rb 
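Review bot: The `secret_file` default added in the second hunk, `/opt/git/.gitlab_shell_secret` read from pillar key `gitlab:shell:secret:path`, does not match the Rails side of this commit: gitlab.yml reads `gitlab:secret_file` with default `root_dir ~ '/.gitlab_shell_secret'`, and this file's own `root_dir` default is `/home/git`. With no pillar override the two components therefore look for the shared secret in different files, so gitlab-shell's API calls to GitLab will fail their secret check (or depend on which path the state happens to create). Use the same pillar key and a root_dir-relative default here: `secret_file: "{{ salt['pillar.get']('gitlab:secret_file', root_dir ~ '/.gitlab_shell_secret') }}"`. The rest of the file is unchanged by this diff, so there is no second place to keep in sync within this file.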
@@ -8,6 +8,11 @@ # See http://unicorn.bogomips.org/Unicorn/Configurator.html for complete # documentation. +{% set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %} +{% set sockets_dir = salt['pillar.get']('gitlab:lookup:sockets_dir', root_dir ~ '/var/sockets') %} +{% set pids_dir = salt['pillar.get']('gitlab:lookup:pids_dir', root_dir ~ '/var/pids') %} +{% set logs_dir = salt['pillar.get']('gitlab:lookup:logs_dir', root_dir ~ '/var/logs') %} + # Uncomment and customize the last line to run in a non-root path # WARNING: We recommend creating a FQDN to host GitLab in a root path instead of this. # Note that four settings need to be changed for this to work. 
@@ -32,24 +37,24 @@ # Help ensure your application will always spawn in the symlinked # "current" directory that Capistrano sets up. -working_directory "/home/git/gitlab" # available in 0.94.0+ +working_directory "{{ root_dir }}/gitlab" # available in 0.94.0+ # listen on both a Unix domain socket and a TCP port, # we use a shorter backlog for quicker failover when busy -listen "/home/git/gitlab/tmp/sockets/gitlab.socket", :backlog => 64 +listen "{{ sockets_dir }}/gitlab.socket", :backlog => 64 listen "127.0.0.1:8080", :tcp_nopush => true # nuke workers after 30 seconds instead of 60 seconds (the default) timeout {{ salt['pillar.get']('gitlab:unicorn:timeout', 30) }} # feel free to point this anywhere accessible on the filesystem -pid "/home/git/gitlab/tmp/pids/unicorn.pid" +pid "{{ pids_dir }}/unicorn.pid" # By default, the Unicorn logger will write to stderr. # Additionally, some applications/frameworks log to stderr or stdout, # so prevent them from going to /dev/null when daemonized here: -stderr_path "/home/git/gitlab/log/unicorn.stderr.log" -stdout_path "/home/git/gitlab/log/unicorn.stdout.log" +stderr_path "{{ logs_dir }}/unicorn.stderr.log" +stdout_path "{{ logs_dir }}/unicorn.stdout.log" # combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings # http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow diff --git a/gitlab/files/initd b/gitlab/files/initd new file mode 100755 index 0000000..2f2de08 --- /dev/null +++ b/gitlab/files/initd 
@@ -0,0 +1,499 @@
+#! /bin/sh
+
+# GITLAB
+# Maintainer: @randx
+# Authors: rovanion.luckey@gmail.com, @randx
+
+### BEGIN INIT INFO
+# Provides: gitlab
+# Required-Start: $local_fs $remote_fs $network $syslog redis-server
+# Required-Stop: $local_fs $remote_fs $network $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: GitLab git repository management
+# Description: GitLab git repository management
+# chkconfig: - 85 14
+### END INIT INFO
+
+
+###
+# DO NOT EDIT THIS FILE!
+# This file will be overwritten on update.
+# Instead add/change your variables in /etc/default/gitlab
+# An example defaults file can be found in lib/support/init.d/gitlab.default.example
+###
+
+
+### Environment variables
+RAILS_ENV="production"
+
+# Script variable names should be lower-case not to conflict with
+# internal /bin/sh variables such as PATH, EDITOR or SHELL.
+app_user="git"
+app_root="/home/$app_user/gitlab"
+pid_path="$app_root/tmp/pids"
+socket_path="$app_root/tmp/sockets"
+rails_socket="$socket_path/gitlab.socket"
+web_server_pid_path="$pid_path/unicorn.pid"
+sidekiq_pid_path="$pid_path/sidekiq.pid"
+mail_room_enabled=false
+mail_room_pid_path="$pid_path/mail_room.pid"
+gitlab_workhorse_dir=$(cd $app_root/../gitlab-workhorse 2> /dev/null && pwd)
+gitlab_workhorse_pid_path="$pid_path/gitlab-workhorse.pid"
+gitlab_workhorse_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-workhorse.socket -authBackend http://127.0.0.1:8080 -authSocket $rails_socket -documentRoot $app_root/public"
+gitlab_workhorse_log="$app_root/log/gitlab-workhorse.log"
+gitlab_pages_enabled=false
+gitlab_pages_dir=$(cd $app_root/../gitlab-pages 2> /dev/null && pwd)
+gitlab_pages_pid_path="$pid_path/gitlab-pages.pid"
+gitlab_pages_options="-pages-domain example.com -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090"
+gitlab_pages_log="$app_root/log/gitlab-pages.log"
+shell_path="/bin/bash"
+gitaly_enabled=true
+gitaly_dir=$(cd $app_root/../gitaly 2> /dev/null && pwd)
+gitaly_pid_path="$pid_path/gitaly.pid"
+gitaly_log="$app_root/log/gitaly.log"
+
+# Read configuration variable file if it is present
+test -f /etc/default/gitlab && . /etc/default/gitlab
+
+# Switch to the app_user if it is not he/she who is running the script.
+if [ `whoami` != "$app_user" ]; then
+ eval su - "$app_user" -c $(echo \")$shell_path -l -c \'$0 "$@"\'$(echo \"); exit;
+fi
+
+# Switch to the gitlab path, exit on failure.
+if ! cd "$app_root" ; then
+ echo "Failed to cd into $app_root, exiting!"; exit 1
+fi
+
+
+### Init Script functions
+
+## Gets the pids from the files
+check_pids(){
+ if ! mkdir -p "$pid_path"; then
+ echo "Could not create the path $pid_path needed to store the pids."
+ exit 1
+ fi
+ # If there exists a file which should hold the value of the Unicorn pid: read it.
+ if [ -f "$web_server_pid_path" ]; then
+ wpid=$(cat "$web_server_pid_path")
+ else
+ wpid=0
+ fi
+ if [ -f "$sidekiq_pid_path" ]; then
+ spid=$(cat "$sidekiq_pid_path")
+ else
+ spid=0
+ fi
+ if [ -f "$gitlab_workhorse_pid_path" ]; then
+ hpid=$(cat "$gitlab_workhorse_pid_path")
+ else
+ hpid=0
+ fi
+ if [ "$mail_room_enabled" = true ]; then
+ if [ -f "$mail_room_pid_path" ]; then
+ mpid=$(cat "$mail_room_pid_path")
+ else
+ mpid=0
+ fi
+ fi
+ if [ "$gitlab_pages_enabled" = true ]; then
+ if [ -f "$gitlab_pages_pid_path" ]; then
+ gppid=$(cat "$gitlab_pages_pid_path")
+ else
+ gppid=0
+ fi
+ fi
+ if [ "$gitaly_enabled" = true ]; then
+ if [ -f "$gitaly_pid_path" ]; then
+ gapid=$(cat "$gitaly_pid_path")
+ else
+ gapid=0
+ fi
+ fi
+}
+
+## Called when we have started the two processes and are waiting for their pid files.
+wait_for_pids(){
+ # We are sleeping a bit here mostly because sidekiq is slow at writing its pid
+ i=0;
+ while [ ! -f $web_server_pid_path ] || [ ! -f $sidekiq_pid_path ] || [ ! -f $gitlab_workhorse_pid_path ] || { [ "$mail_room_enabled" = true ] && [ ! -f $mail_room_pid_path ]; } || { [ "$gitlab_pages_enabled" = true ] && [ ! -f $gitlab_pages_pid_path ]; } || { [ "$gitaly_enabled" = true ] && [ ! -f $gitaly_pid_path ]; }; do
+ sleep 0.1;
+ i=$((i+1))
+ if [ $((i%10)) = 0 ]; then
+ echo -n "."
+ elif [ $((i)) = 301 ]; then
+ echo "Waited 30s for the processes to write their pids, something probably went wrong."
+ exit 1;
+ fi
+ done
+ echo
+}
+
+# We use the pids in so many parts of the script it makes sense to always check them.
+# Only after start() is run should the pids change. Sidekiq sets its own pid.
+check_pids
+
+
+## Checks whether the different parts of the service are already running or not.
+check_status(){
+ check_pids
+ # If the web server is running kill -0 $wpid returns true, or rather 0.
+ # Checks of *_status should only check for == 0 or != 0, never anything else.
+ if [ $wpid -ne 0 ]; then
+ kill -0 "$wpid" 2>/dev/null
+ web_status="$?"
+ else
+ web_status="-1"
+ fi
+ if [ $spid -ne 0 ]; then
+ kill -0 "$spid" 2>/dev/null
+ sidekiq_status="$?"
+ else
+ sidekiq_status="-1"
+ fi
+ if [ $hpid -ne 0 ]; then
+ kill -0 "$hpid" 2>/dev/null
+ gitlab_workhorse_status="$?"
+ else
+ gitlab_workhorse_status="-1"
+ fi
+ if [ "$mail_room_enabled" = true ]; then
+ if [ $mpid -ne 0 ]; then
+ kill -0 "$mpid" 2>/dev/null
+ mail_room_status="$?"
+ else
+ mail_room_status="-1"
+ fi
+ fi
+ if [ "$gitlab_pages_enabled" = true ]; then
+ if [ $gppid -ne 0 ]; then
+ kill -0 "$gppid" 2>/dev/null
+ gitlab_pages_status="$?"
+ else
+ gitlab_pages_status="-1"
+ fi
+ fi
+ if [ "$gitaly_enabled" = true ]; then
+ if [ $gapid -ne 0 ]; then
+ kill -0 "$gapid" 2>/dev/null
+ gitaly_status="$?"
+ else
+ gitaly_status="-1"
+ fi
+ fi
+ if [ $web_status = 0 ] && [ $sidekiq_status = 0 ] && [ $gitlab_workhorse_status = 0 ] && { [ "$mail_room_enabled" != true ] || [ $mail_room_status = 0 ]; } && { [ "$gitlab_pages_enabled" != true ] || [ $gitlab_pages_status = 0 ]; } && { [ "$gitaly_enabled" != true ] || [ $gitaly_status = 0 ]; }; then
+ gitlab_status=0
+ else
+ # http://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
+ # code 3 means 'program is not running'
+ gitlab_status=3
+ fi
+}
+
+## Check for stale pids and remove them if necessary.
+check_stale_pids(){
+ check_status
+ # If there is a pid it is something else than 0, the service is running if
+ # *_status is == 0.
+ if [ "$wpid" != "0" ] && [ "$web_status" != "0" ]; then
+ echo "Removing stale Unicorn web server pid. This is most likely caused by the web server crashing the last time it ran."
+ if ! rm "$web_server_pid_path"; then
+ echo "Unable to remove stale pid, exiting."
+ exit 1
+ fi
+ fi
+ if [ "$spid" != "0" ] && [ "$sidekiq_status" != "0" ]; then
+ echo "Removing stale Sidekiq job dispatcher pid. This is most likely caused by Sidekiq crashing the last time it ran."
+ if ! rm "$sidekiq_pid_path"; then
+ echo "Unable to remove stale pid, exiting"
+ exit 1
+ fi
+ fi
+ if [ "$hpid" != "0" ] && [ "$gitlab_workhorse_status" != "0" ]; then
+ echo "Removing stale GitLab Workhorse pid. This is most likely caused by GitLab Workhorse crashing the last time it ran."
+ if ! rm "$gitlab_workhorse_pid_path"; then
+ echo "Unable to remove stale pid, exiting"
+ exit 1
+ fi
+ fi
+ if [ "$mail_room_enabled" = true ] && [ "$mpid" != "0" ] && [ "$mail_room_status" != "0" ]; then
+ echo "Removing stale MailRoom job dispatcher pid. This is most likely caused by MailRoom crashing the last time it ran."
+ if ! rm "$mail_room_pid_path"; then
+ echo "Unable to remove stale pid, exiting"
+ exit 1
+ fi
+ fi
+ if [ "$gitlab_pages_enabled" = true ] && [ "$gppid" != "0" ] && [ "$gitlab_pages_status" != "0" ]; then
+ echo "Removing stale GitLab Pages job dispatcher pid. This is most likely caused by GitLab Pages crashing the last time it ran."
+ if ! rm "$gitlab_pages_pid_path"; then
+ echo "Unable to remove stale pid, exiting"
+ exit 1
+ fi
+ fi
+ if [ "$gitaly_enabled" = true ] && [ "$gapid" != "0" ] && [ "$gitaly_status" != "0" ]; then
+ echo "Removing stale Gitaly pid. This is most likely caused by Gitaly crashing the last time it ran."
+ if ! rm "$gitaly_pid_path"; then
+ echo "Unable to remove stale pid, exiting"
+ exit 1
+ fi
+ fi
+}
+
+## If no parts of the service is running, bail out.
+exit_if_not_running(){
+ check_stale_pids
+ if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; } && { [ "$gitlab_pages_enabled" != true ] || [ "$gitlab_pages_status" != "0" ]; } && { [ "$gitaly_enabled" != true ] || [ "$gitaly_status" != "0" ]; }; then
+ echo "GitLab is not running."
+ exit
+ fi
+}
+
+## Starts Unicorn and Sidekiq if they're not running.
+start_gitlab() {
+ check_stale_pids
+
+ if [ "$web_status" != "0" ]; then
+ echo "Starting GitLab Unicorn"
+ fi
+ if [ "$sidekiq_status" != "0" ]; then
+ echo "Starting GitLab Sidekiq"
+ fi
+ if [ "$gitlab_workhorse_status" != "0" ]; then
+ echo "Starting GitLab Workhorse"
+ fi
+ if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" != "0" ]; then
+ echo "Starting GitLab MailRoom"
+ fi
+ if [ "$gitlab_pages_enabled" = true ] && [ "$gitlab_pages_status" != "0" ]; then
+ echo "Starting GitLab Pages"
+ fi
+ if [ "$gitaly_enabled" = true ] && [ "$gitaly_status" != "0" ]; then
+ echo "Starting Gitaly"
+ fi
+
+ # Then check if the service is running. If it is: don't start again.
+ if [ "$web_status" = "0" ]; then
+ echo "The Unicorn web server already running with pid $wpid, not restarting."
+ else
+ # Remove old socket if it exists
+ rm -f "$rails_socket" 2>/dev/null
+ # Start the web server
+ RAILS_ENV=$RAILS_ENV bin/web start
+ fi
+
+ # If sidekiq is already running, don't start it again.
+ if [ "$sidekiq_status" = "0" ]; then
+ echo "The Sidekiq job dispatcher is already running with pid $spid, not restarting"
+ else
+ RAILS_ENV=$RAILS_ENV bin/background_jobs start &
+ fi
+
+ if [ "$gitlab_workhorse_status" = "0" ]; then
+ echo "The GitLab Workhorse is already running with pid $hpid, not restarting"
+ else
+ # No need to remove a socket, gitlab-workhorse does this itself.
+ # Because gitlab-workhorse has multiple executables we need to fix
+ # the PATH.
+ $app_root/bin/daemon_with_pidfile $gitlab_workhorse_pid_path \
+ /usr/bin/env PATH=$gitlab_workhorse_dir:$PATH \
+ gitlab-workhorse $gitlab_workhorse_options \
+ >> $gitlab_workhorse_log 2>&1 &
+ fi
+
+ if [ "$mail_room_enabled" = true ]; then
+ # If MailRoom is already running, don't start it again.
+ if [ "$mail_room_status" = "0" ]; then
+ echo "The MailRoom email processor is already running with pid $mpid, not restarting"
+ else
+ RAILS_ENV=$RAILS_ENV bin/mail_room start &
+ fi
+ fi
+
+ if [ "$gitlab_pages_enabled" = true ]; then
+ if [ "$gitlab_pages_status" = "0" ]; then
+ echo "The GitLab Pages is already running with pid $gppid, not restarting"
+ else
+ $app_root/bin/daemon_with_pidfile $gitlab_pages_pid_path \
+ $gitlab_pages_dir/gitlab-pages $gitlab_pages_options \
+ >> $gitlab_pages_log 2>&1 &
+ fi
+ fi
+
+ if [ "$gitaly_enabled" = true ]; then
+ if [ "$gitaly_status" = "0" ]; then
+ echo "Gitaly is already running with pid $gapid, not restarting"
+ else
+ $app_root/bin/daemon_with_pidfile $gitaly_pid_path \
+ $gitaly_dir/gitaly $gitaly_dir/config.toml >> $gitaly_log 2>&1 &
+ fi
+ fi
+
+ # Wait for the pids to be planted
+ wait_for_pids
+ # Finally check the status to tell wether or not GitLab is running
+ print_status
+}
+
+## Asks Unicorn, Sidekiq and MailRoom if they would be so kind as to stop, if not kills them.
+stop_gitlab() {
+ exit_if_not_running
+
+ if [ "$web_status" = "0" ]; then
+ echo "Shutting down GitLab Unicorn"
+ RAILS_ENV=$RAILS_ENV bin/web stop
+ fi
+ if [ "$sidekiq_status" = "0" ]; then
+ echo "Shutting down GitLab Sidekiq"
+ RAILS_ENV=$RAILS_ENV bin/background_jobs stop
+ fi
+ if [ "$gitlab_workhorse_status" = "0" ]; then
+ echo "Shutting down GitLab Workhorse"
+ kill -- $(cat $gitlab_workhorse_pid_path)
+ fi
+ if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; then
+ echo "Shutting down GitLab MailRoom"
+ RAILS_ENV=$RAILS_ENV bin/mail_room stop
+ fi
+ if [ "$gitlab_pages_status" = "0" ]; then
+ echo "Shutting down gitlab-pages"
+ kill -- $(cat $gitlab_pages_pid_path)
+ fi
+ if [ "$gitaly_status" = "0" ]; then
+ echo "Shutting down Gitaly"
+ kill -- $(cat $gitaly_pid_path)
+ fi
+
+ # If something needs to be stopped, lets wait for it to stop. Never use SIGKILL in a script.
+ while [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_workhorse_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; } || { [ "$gitlab_pages_enabled" = true ] && [ "$gitlab_pages_status" = "0" ]; } || { [ "$gitaly_enabled" = true ] && [ "$gitaly_status" = "0" ]; }; do
+ sleep 1
+ check_status
+ printf "."
+ if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; } && { [ "$gitlab_pages_enabled" != true ] || [ "$gitlab_pages_status" != "0" ]; } && { [ "$gitaly_enabled" != true ] || [ "$gitaly_status" != "0" ]; }; then
+ printf "\n"
+ break
+ fi
+ done
+
+ sleep 1
+ # Cleaning up unused pids
+ rm "$web_server_pid_path" 2>/dev/null
+ # rm "$sidekiq_pid_path" 2>/dev/null # Sidekiq seems to be cleaning up its own pid.
+ rm -f "$gitlab_workhorse_pid_path"
+ if [ "$mail_room_enabled" = true ]; then
+ rm "$mail_room_pid_path" 2>/dev/null
+ fi
+ rm -f "$gitlab_pages_pid_path"
+ rm -f "$gitaly_pid_path"
+
+ print_status
+}
+
+## Prints the status of GitLab and its components.
+print_status() {
+ check_status
+ if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; } && { [ "$gitlab_pages_enabled" != true ] || [ "$gitlab_pages_status" != "0" ]; } && { [ "$gitaly_enabled" != true ] || [ "$gitaly_status" != "0" ]; }; then
+ echo "GitLab is not running."
+ return
+ fi
+ if [ "$web_status" = "0" ]; then
+ echo "The GitLab Unicorn web server with pid $wpid is running."
+ else
+ printf "The GitLab Unicorn web server is \033[31mnot running\033[0m.\n"
+ fi
+ if [ "$sidekiq_status" = "0" ]; then
+ echo "The GitLab Sidekiq job dispatcher with pid $spid is running."
+ else
+ printf "The GitLab Sidekiq job dispatcher is \033[31mnot running\033[0m.\n"
+ fi
+ if [ "$gitlab_workhorse_status" = "0" ]; then
+ echo "The GitLab Workhorse with pid $hpid is running."
+ else
+ printf "The GitLab Workhorse is \033[31mnot running\033[0m.\n"
+ fi
+ if [ "$mail_room_enabled" = true ]; then
+ if [ "$mail_room_status" = "0" ]; then
+ echo "The GitLab MailRoom email processor with pid $mpid is running."
+ else
+ printf "The GitLab MailRoom email processor is \033[31mnot running\033[0m.\n"
+ fi
+ fi
+ if [ "$gitlab_pages_enabled" = true ]; then
+ if [ "$gitlab_pages_status" = "0" ]; then
+ echo "The GitLab Pages with pid $gppid is running."
+ else
+ printf "The GitLab Pages is \033[31mnot running\033[0m.\n"
+ fi
+ fi
+ if [ "$gitaly_enabled" = true ]; then
+ if [ "$gitaly_status" = "0" ]; then
+ echo "Gitaly with pid $gapid is running."
+ else
+ printf "Gitaly is \033[31mnot running\033[0m.\n"
+ fi
+ fi
+ if [ "$web_status" = "0" ] && [ "$sidekiq_status" = "0" ] && [ "$gitlab_workhorse_status" = "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" = "0" ]; } && { [ "$gitlab_pages_enabled" != true ] || [ "$gitlab_pages_status" = "0" ]; } && { [ "$gitaly_enabled" != true ] || [ "$gitaly_status" = "0" ]; }; then
+ printf "GitLab and all its components are \033[32mup and running\033[0m.\n"
+ fi
+}
+
+## Tells unicorn to reload its config and Sidekiq to restart
+reload_gitlab(){
+ exit_if_not_running
+ if [ "$wpid" = "0" ];then
+ echo "The GitLab Unicorn Web server is not running thus its configuration can't be reloaded."
+ exit 1
+ fi
+ printf "Reloading GitLab Unicorn configuration... "
+ RAILS_ENV=$RAILS_ENV bin/web reload
+ echo "Done."
+
+ echo "Restarting GitLab Sidekiq since it isn't capable of reloading its config..."
+ RAILS_ENV=$RAILS_ENV bin/background_jobs restart
+
+ if [ "$mail_room_enabled" != true ]; then
+ echo "Restarting GitLab MailRoom since it isn't capable of reloading its config..."
+ RAILS_ENV=$RAILS_ENV bin/mail_room restart
+ fi
+
+ wait_for_pids
+ print_status
+}
+
+## Restarts Sidekiq and Unicorn.
+restart_gitlab(){
+ check_status
+ if [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_workhorse" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; } || { [ "$gitlab_pages_enabled" = true ] && [ "$gitlab_pages_status" = "0" ]; } || { [ "$gitaly_enabled" = true ] && [ "$gitaly_status" = "0" ]; }; then
+ stop_gitlab
+ fi
+ start_gitlab
+}
+
+
+### Finally the input handling.
+
+case "$1" in
+ start)
+ start_gitlab
+ ;;
+ stop)
+ stop_gitlab
+ ;;
+ restart)
+ restart_gitlab
+ ;;
+ reload|force-reload)
+ reload_gitlab
+ ;;
+ status)
+ print_status
+ exit $gitlab_status
+ ;;
+ *)
+ echo "Usage: service gitlab {start|stop|restart|reload|status}"
+ exit 1
+ ;;
+esac
+
+exit
diff --git a/gitlab/files/nodesource.gpg.key b/gitlab/files/nodesource.gpg.key
new file mode 100644
index 0000000..1dc1d10
--- /dev/null
+++ b/gitlab/files/nodesource.gpg.key
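Review bot: The defaults in this script put the pid and socket files under `$app_root/tmp/pids` and `$app_root/tmp/sockets` (`pid_path`, `socket_path`, `rails_socket`, `web_server_pid_path`), while the unicorn.rb template in this same commit now writes them to the pillar-driven `{{ pids_dir }}/unicorn.pid` and `{{ sockets_dir }}/gitlab.socket`, whose defaults are `<root_dir>/var/pids` and `<root_dir>/var/sockets`; unless `/etc/default/gitlab` is generated from the same pillar keys (not shown in this diff), `wait_for_pids` will never see Unicorn's pid file and `start` will time out after 30 s, and Workhorse's `-authSocket $rails_socket` will point at a socket Unicorn no longer creates. Either render this file as a Jinja template using the same `root_dir`/`pids_dir`/`sockets_dir` lookups, or manage `/etc/default/gitlab` from those keys. Two smaller slips in the new code: `restart_gitlab` tests `"$gitlab_workhorse"` instead of `"$gitlab_workhorse_status"`, so a running Workhorse alone never triggers the stop, and `reload_gitlab` restarts MailRoom only when `mail_room_enabled` is not `true` (`if [ "$mail_room_enabled" = true ]; then` is the intended guard).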
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 +Comment: GPGTools - https://gpgtools.org + +mQINBFObJLYBEADkFW8HMjsoYRJQ4nCYC/6Eh0yLWHWfCh+/9ZSIj4w/pOe2V6V+ +W6DHY3kK3a+2bxrax9EqKe7uxkSKf95gfns+I9+R+RJfRpb1qvljURr54y35IZgs +fMG22Np+TmM2RLgdFCZa18h0+RbH9i0b+ZrB9XPZmLb/h9ou7SowGqQ3wwOtT3Vy +qmif0A2GCcjFTqWW6TXaY8eZJ9BCEqW3k/0Cjw7K/mSy/utxYiUIvZNKgaG/P8U7 +89QyvxeRxAf93YFAVzMXhoKxu12IuH4VnSwAfb8gQyxKRyiGOUwk0YoBPpqRnMmD +Dl7SdmY3oQHEJzBelTMjTM8AjbB9mWoPBX5G8t4u47/FZ6PgdfmRg9hsKXhkLJc7 +C1btblOHNgDx19fzASWX+xOjZiKpP6MkEEzq1bilUFul6RDtxkTWsTa5TGixgCB/ +G2fK8I9JL/yQhDc6OGY9mjPOxMb5PgUlT8ox3v8wt25erWj9z30QoEBwfSg4tzLc +Jq6N/iepQemNfo6Is+TG+JzI6vhXjlsBm/Xmz0ZiFPPObAH/vGCY5I6886vXQ7ft +qWHYHT8jz/R4tigMGC+tvZ/kcmYBsLCCI5uSEP6JJRQQhHrCvOX0UaytItfsQfLm +EYRd2F72o1yGh3yvWWfDIBXRmaBuIGXGpajC0JyBGSOWb9UxMNZY/2LJEwARAQAB +tB9Ob2RlU291cmNlIDxncGdAbm9kZXNvdXJjZS5jb20+iQI4BBMBAgAiBQJTmyS2 +AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAWVaCraFdigHTmD/9OKhUy +jJ+h8gMRg6ri5EQxOExccSRU0i7UHktecSs0DVC4lZG9AOzBe+Q36cym5Z1di6JQ +kHl69q3zBdV3KTW+H1pdmnZlebYGz8paG9iQ/wS9gpnSeEyx0Enyi167Bzm0O4A1 +GK0prkLnz/yROHHEfHjsTgMvFwAnf9uaxwWgE1d1RitIWgJpAnp1DZ5O0uVlsPPm +XAhuBJ32mU8S5BezPTuJJICwBlLYECGb1Y65Cil4OALU7T7sbUqfLCuaRKxuPtcU +VnJ6/qiyPygvKZWhV6Od0Yxlyed1kftMJyYoL8kPHfeHJ+vIyt0s7cropfiwXoka +1iJB5nKyt/eqMnPQ9aRpqkm9ABS/r7AauMA/9RALudQRHBdWIzfIg0Mlqb52yyTI +IgQJHNGNX1T3z1XgZhI+Vi8SLFFSh8x9FeUZC6YJu0VXXj5iz+eZmk/nYjUt4Mtc +pVsVYIB7oIDIbImODm8ggsgrIzqxOzQVP1zsCGek5U6QFc9GYrQ+Wv3/fG8hfkDn +xXLww0OGaEQxfodm8cLFZ5b8JaG3+Yxfe7JkNclwvRimvlAjqIiW5OK0vvfHco+Y +gANhQrlMnTx//IdZssaxvYytSHpPZTYw+qPEjbBJOLpoLrz8ZafN1uekpAqQjffI +AOqW9SdIzq/kSHgl0bzWbPJPw86XzzftewjKNbkCDQRTmyS2ARAAxSSdQi+WpPQZ +fOflkx9sYJa0cWzLl2w++FQnZ1Pn5F09D/kPMNh4qOsyvXWlekaV/SseDZtVziHJ +Km6V8TBG3flmFlC3DWQfNNFwn5+pWSB8WHG4bTA5RyYEEYfpbekMtdoWW/Ro8Kmh +41nuxZDSuBJhDeFIp0ccnN2Lp1o6XfIeDYPegyEPSSZqrudfqLrSZhStDlJgXjea +JjW6UP6txPtYaaila9/Hn6vF87AQ5bR2dEWB/xRJzgNwRiax7KSU0xca6xAuf+TD 
+xCjZ5pp2JwdCjquXLTmUnbIZ9LGV54UZ/MeiG8yVu6pxbiGnXo4Ekbk6xgi1ewLi +vGmz4QRfVklV0dba3Zj0fRozfZ22qUHxCfDM7ad0eBXMFmHiN8hg3IUHTO+UdlX/ +aH3gADFAvSVDv0v8t6dGc6XE9Dr7mGEFnQMHO4zhM1HaS2Nh0TiL2tFLttLbfG5o +QlxCfXX9/nasj3K9qnlEg9G3+4T7lpdPmZRRe1O8cHCI5imVg6cLIiBLPO16e0fK +yHIgYswLdrJFfaHNYM/SWJxHpX795zn+iCwyvZSlLfH9mlegOeVmj9cyhN/VOmS3 +QRhlYXoA2z7WZTNoC6iAIlyIpMTcZr+ntaGVtFOLS6fwdBqDXjmSQu66mDKwU5Ek +fNlbyrpzZMyFCDWEYo4AIR/18aGZBYUAEQEAAYkCHwQYAQIACQUCU5sktgIbDAAK +CRAWVaCraFdigIPQEACcYh8rR19wMZZ/hgYv5so6Y1HcJNARuzmffQKozS/rxqec +0xM3wceL1AIMuGhlXFeGd0wRv/RVzeZjnTGwhN1DnCDy1I66hUTgehONsfVanuP1 +PZKoL38EAxsMzdYgkYH6T9a4wJH/IPt+uuFTFFy3o8TKMvKaJk98+Jsp2X/QuNxh +qpcIGaVbtQ1bn7m+k5Qe/fz+bFuUeXPivafLLlGc6KbdgMvSW9EVMO7yBy/2JE15 +ZJgl7lXKLQ31VQPAHT3an5IV2C/ie12eEqZWlnCiHV/wT+zhOkSpWdrheWfBT+ac +hR4jDH80AS3F8jo3byQATJb3RoCYUCVc3u1ouhNZa5yLgYZ/iZkpk5gKjxHPudFb +DdWjbGflN9k17VCf4Z9yAb9QMqHzHwIGXrb7ryFcuROMCLLVUp07PrTrRxnO9A/4 +xxECi0l/BzNxeU1gK88hEaNjIfviPR/h6Gq6KOcNKZ8rVFdwFpjbvwHMQBWhrqfu +G3KaePvbnObKHXpfIKoAM7X2qfO+IFnLGTPyhFTcrl6vZBTMZTfZiC1XDQLuGUnd +sckuXINIU3DFWzZGr0QrqkuE/jyr7FXeUJj9B7cLo+s/TXo+RaVfi3kOc9BoxIvy +/qiNGs/TKy2/Ujqp/affmIMoMXSozKmga81JSwkADO1JMgUy6dApXz9kP4EE3g== +=CLGF +-----END PGP PUBLIC KEY BLOCK----- diff --git a/gitlab/git.sls b/gitlab/git.sls new file mode 100644 index 0000000..661ff40 --- /dev/null +++ b/gitlab/git.sls @@ -0,0 +1,9 @@ + +{% if salt['pillar.get']('gitlab:proxy:enabled', false) %} +gitproxy: + git.config: + - name: http.proxy + - value: {{ salt['pillar.get']('gitlab:proxy:address') }} + - is_global: True +{% endif %} + diff --git a/gitlab/gitaly.sls b/gitlab/gitaly.sls new file mode 100644 index 0000000..1f74c73 --- /dev/null +++ b/gitlab/gitaly.sls 
@@ -0,0 +1,107 @@
+{%- set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %}
+{%- set repositories = salt['pillar.get']('gitlab:lookup:repositories', root_dir ~ '/repositories') %}
+{%- set sockets_dir = salt['pillar.get']('gitlab:lookup:sockets_dir', root_dir ~ '/var/sockets') %}
+{%- set lib_dir = salt['pillar.get']('gitlab:lookup:lib_dir', root_dir ~ '/libraries') %}
+
+{%- set gitaly_dir = lib_dir ~ "/gitaly" %}
+
+{%- if salt['pillar.get']('gitlab:archives:enabled', false) %}
+ {%- set gitaly_dir_content = gitaly_dir ~ '/' ~ salt['pillar.get']('gitlab:archives:sources:gitaly:content') %}
+{%- else %}
+ {%- set gitaly_dir_content = gitaly_dir %}
+{%- endif %}
+
+{%- if salt['pillar.get']('gitlab:archives:enabled', false) %}
+gitaly-fetcher:
+ archive.extracted:
+ - name: {{ gitaly_dir }}
+ - source: {{ salt['pillar.get']('gitlab:archives:sources:gitaly:source') }}
+ - source_hash: md5={{ salt['pillar.get']('gitlab:archives:sources:gitaly:md5') }}
+ - archive_format: tar
+ - if_missing: {{ gitaly_dir_content }}
+ - keep: True
+
+gitaly-chown:
+ file.directory:
+ - name: {{ gitaly_dir }}
+ - user: git
+ - group: git
+ - recurse:
+ - user
+ - onchanges:
+ - archive: gitaly-fetcher
+{%- else %}
+gitaly-fetcher:
+ git.latest:
+ - name: https://gitlab.com/gitlab-org/gitaly.git
+ - rev: {{ salt['pillar.get']('gitlab:gitaly_version') }}
+ - target: {{ gitaly_dir_content }}
+ - user: git
+ - force: True
+ - require:
+ - pkg: gitlab-deps
+ - pkg: git
+ - sls: gitlab.ruby
+ - file: git-home
+{%- endif %}
+
+gitaly-private-sockets-dir:
+ file.directory:
+ - name: {{ sockets_dir }}/private
+ - user: git
+ - group: git
+ - mode: 700
+
+gitaly-bin-dir:
+ file.directory:
+ - name: {{ root_dir }}/gitaly
+ - user: git
+ - group: git
+ - mode: 750
+
+{% if pillar.gitlab.nokogiri_system_libs|default(False) %}
+gitaly-bundle-config:
+ cmd.run:
+ - name: bundle config build.nokogiri --use-system-libraries --with-xml2-config=/usr/bin/xml2-config --with-xslt-config=/usr/bin/xslt-config
+ - user: git
+ - cwd: {{ gitaly_dir_content }}
+ - onlyif: bundle config build.nokogiri |grep -q "not configured"
+{% endif %}
+
+gitaly-make:
+ cmd.run:
+ - name: make build install DESTDIR={{ root_dir }}/gitaly PREFIX=
+ - user: git
+ - cwd: {{ gitaly_dir_content }}
+ - env:
+ {%- if salt['pillar.get']('gitlab:proxy:address') %}
+ - HTTP_PROXY: {{ pillar.gitlab.proxy.address }}
+ - HTTPS_PROXY: {{ pillar.gitlab.proxy.address }}
+ {%- endif %}
+ - onchanges:
+ - gitaly-fetcher
+ - require:
+ {% if pillar.gitlab.nokogiri_system_libs|default(False) %}
+ - cmd: gitaly-bundle-config
+ {% endif %}
+ - file: gitaly-bin-dir
+
+# https://gitlab.com/gitlab-org/gitaly/blob/master/config.toml.example
+# gitaly looks for configuration in the same directory it is running from
+gitaly-config:
+ file.managed:
+ - name: {{ root_dir }}/gitaly/bin/config.toml
+ - source: salt://gitlab/files/gitaly-config.toml
+ - template: jinja
+ - user: git
+ - group: git
+ - mode: 644
+ - context:
+ root_dir: {{ root_dir }}
+ sockets_dir: {{ sockets_dir }}
+ repositories: {{ repositories }}
+ gitaly_dir_content: {{ gitaly_dir_content }}
+ - require:
+ - gitaly-fetcher
+ - file: gitaly-bin-dir
+ - cmd: gitaly-make
diff --git a/gitlab/gitlab-shell.sls b/gitlab/gitlab-shell.sls
index 559c442..d79dcae 100644
--- a/gitlab/gitlab-shell.sls
+++ b/gitlab/gitlab-shell.sls
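Review bot: `source_hash: md5=…` on `gitaly-fetcher` verifies the downloaded tarball with MD5, which is collision-broken and gives no real assurance that the archive served from the `gitlab:archives:sources:gitaly:source` location is the one that was vetted. Salt's `source_hash` accepts a `sha256=` prefix, so the pillar should carry a SHA-256 digest and the state become `- source_hash: sha256={{ salt['pillar.get']('gitlab:archives:sources:gitaly:sha256') }}` (new pillar key named here as a proposal). The same `md5=` pattern is repeated for the archive fetchers in gitlab-shell.sls, gitlab-workhorse.sls and gitlab.sls in this commit.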
@@ -2,37 +2,141 @@ include: - gitlab.user - gitlab.ruby -gitlab-shell-git: +{% set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %} +{% set lib_dir = salt['pillar.get']('gitlab:lookup:lib_dir', root_dir ~ '/libraries') %} + +{% set shell_dir = lib_dir ~ "/gitlab-shell" %} + +{% if salt['pillar.get']('gitlab:archives:enabled', false) %} + {% set shell_dir_content = shell_dir ~ '/' ~ salt['pillar.get']('gitlab:archives:sources:shell:content') %} +{% else %} + {% set shell_dir_content = shell_dir %} +{% endif %} + +{% if salt['pillar.get']('gitlab:archives:enabled', false) %} +gitlab-shell-fetcher: + archive.extracted: + - name: {{ shell_dir }} + - source: {{ salt['pillar.get']('gitlab:archives:sources:shell:source') }} + - source_hash: md5={{ salt['pillar.get']('gitlab:archives:sources:shell:md5') }} + - archive_format: tar + - if_missing: {{ shell_dir_content }} + - keep: True + +gitlab-shell-chown: + file.directory: + - name: {{ shell_dir }} + - user: git + - group: git + - recurse: + - user + - onchanges: + - archive: gitlab-shell-fetcher +{% else %} +gitlab-shell-fetcher: git.latest: - name: https://gitlab.com/gitlab-org/gitlab-shell.git - rev: {{ salt['pillar.get']('gitlab:shell_version') }} - - target: /home/git/gitlab-shell + - target: {{ shell_dir }} - user: git + - force: True - require: - pkg: gitlab-deps - pkg: git - sls: gitlab.ruby - file: git-home +{% endif %} # https://gitlab.com/gitlab-org/gitlab-shell/blob/master/config.yml.example gitlab-shell-config: file.managed: - - name: /home/git/gitlab-shell/config.yml + - name: {{ shell_dir_content }}/config.yml - source: salt://gitlab/files/gitlab-shell-config.yml - template: jinja - user: git - group: git - mode: 644 - require: - - git: gitlab-shell-git + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-shell-fetcher + {% else %} + - git: gitlab-shell-fetcher + {% endif %} + +gitlab-shell-compile: + cmd.run: + - user: git + - cwd: {{ shell_dir_content 
}} + - name: ./bin/compile + - onchanges: + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-shell-fetcher + {% else %} + - git: gitlab-shell-fetcher + {% endif %} gitlab-shell: cmd.wait: - user: git - - cwd: /home/git/gitlab-shell + - cwd: {{ shell_dir_content }} - name: ./bin/install - shell: /bin/bash - watch: - - git: gitlab-shell-git + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-shell-fetcher + {% else %} + - git: gitlab-shell-fetcher + {% endif %} - require: - file: gitlab-shell-config + - cmd: gitlab-shell-compile + +#gitlab-shell-chmod-bin: +# file.directory: +# - name: {{ shell_dir }}/bin +# - file_mode: 0770 +# - recurse: +# - mode + + +{% if salt['pillar.get']('gitlab:archives:enabled', false) %} +{# + Symlink is not good because Shell run 'File.expand_path' on + Shell installation path and convert it to absolute version... +#} + +{# +gitlab-shell-symlink: + file.symlink: + - name: {{ root_dir }}/gitlab-shell + - target: {{ shell_dir_content }} + - require: + - file: git-var-mkdir +#} + +gitlab-shell-mkdir: + file.directory: + - name: {{ root_dir }}/gitlab-shell + - user: git + - group: git + - clean: true + - onchanges: + - archive: gitlab-shell-fetcher + +gitlab-shell-copy: + cmd.run: + - user: git + - cwd: {{ shell_dir_content }} + - name: cp -r {{ shell_dir_content }}/* {{ root_dir }}/gitlab-shell/ + - shell: /bin/bash + - onchanges: + - archive: gitlab-shell-fetcher +{% endif %} + +gitlab-shell-secret_file: + file.managed: + - name: {{ salt['pillar.get']('gitlab:shell:secret:path', root_dir ~ '/.gitlab_shell_secret') }} + - contents_pillar: gitlab:shell:secret:value + - user: git + - group: git + - mode: 640 diff --git a/gitlab/gitlab-workhorse.sls b/gitlab/gitlab-workhorse.sls new file mode 100644 index 0000000..ec4aaac --- /dev/null +++ b/gitlab/gitlab-workhorse.sls 
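Review bot: In archive mode `gitlab-shell-copy` runs only `onchanges: - archive: gitlab-shell-fetcher`, but `gitlab-shell-config` writes `config.yml` into `{{ shell_dir_content }}`, the copy's source tree; after the first highstate a pillar-driven change to config.yml lands in the library copy and never reaches `{{ root_dir }}/gitlab-shell/config.yml`, which the symlink comment above suggests is the path GitLab actually resolves. Adding `- file: gitlab-shell-config` and `- cmd: gitlab-shell` to the copy's `onchanges` list (or managing config.yml directly under `{{ root_dir }}/gitlab-shell`) keeps the live copy in sync. `gitlab-shell-copy` also has no `require` on `gitlab-shell-mkdir`, so the directory-before-copy ordering rests on definition order alone.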
@@ -0,0 +1,72 @@
+
+{% set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %}
+{% set lib_dir = salt['pillar.get']('gitlab:lookup:lib_dir', root_dir ~ '/libraries') %}
+
+{% set workhorse_dir = lib_dir ~ "/gitlab-workhorse" %}
+
+{% if salt['pillar.get']('gitlab:archives:enabled', false) %}
+ {% set workhorse_dir_content = workhorse_dir ~ '/' ~ salt['pillar.get']('gitlab:archives:sources:workhorse:content') %}
+{% else %}
+ {% set workhorse_dir_content = workhorse_dir %}
+{% endif %}
+
+{% if salt['pillar.get']('gitlab:archives:enabled', false) %}
+gitlab-workhorse-fetcher:
+ archive.extracted:
+ - name: {{ workhorse_dir }}
+ - source: {{ salt['pillar.get']('gitlab:archives:sources:workhorse:source') }}
+ - source_hash: md5={{ salt['pillar.get']('gitlab:archives:sources:workhorse:md5') }}
+ - archive_format: tar
+ - if_missing: {{ workhorse_dir_content }}
+ - keep: True
+
+gitlab-workhorse-chown:
+ file.directory:
+ - name: {{ workhorse_dir }}
+ - user: git
+ - group: git
+ - recurse:
+ - user
+ - onchanges:
+ - archive: gitlab-workhorse-fetcher
+{% else %}
+gitlab-workhorse-fetcher:
+ git.latest:
+ - name: https://gitlab.com/gitlab-org/gitlab-workhorse.git
+ - rev: {{ salt['pillar.get']('gitlab:workhorse_version') }}
+ - target: {{ workhorse_dir }}
+ - user: git
+ - force: True
+ - require:
+ - pkg: gitlab-deps
+ - pkg: git
+ - sls: gitlab.ruby
+ - file: git-home
+{% endif %}
+
+{{ root_dir }}/gitlab-workhorse:
+ file.directory:
+ - user: git
+ - group: git
+ - mode: 750
+
+gitlab-workhorse-make:
+ cmd.run:
+ - user: git
+ - cwd: {{ workhorse_dir_content }}
+ - name: make install DESTDIR={{ root_dir }}/gitlab-workhorse PREFIX=
+ - shell: /bin/bash
+ - onchanges:
+ {% if salt['pillar.get']('gitlab:archives:enabled', false) %}
+ - archive: gitlab-workhorse-fetcher
+ {% else %}
+ - git: gitlab-workhorse-fetcher
+ {% endif %}
+
+gitlab-workhorse-secret_file:
+ file.managed:
+ - name: {{ salt['pillar.get']('gitlab:shell:workhorse:path', root_dir ~ '/.gitlab_workhorse_secret') }}
+ - contents_pillar: gitlab:workhorse:secret:value
+ - user: git
+ - group: git
+ - mode: 640
diff --git a/gitlab/gitlab.sls b/gitlab/gitlab.sls
index 3e23e13..8c975c3 100644
--- a/gitlab/gitlab.sls
+++ b/gitlab/gitlab.sls
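Review bot: `gitlab-workhorse-secret_file` takes its path from `gitlab:shell:workhorse:path` but its contents from `gitlab:workhorse:secret:value`; the sibling state in gitlab-shell.sls pairs `gitlab:shell:secret:path` with `gitlab:shell:secret:value`, so the path key here looks like a typo for `gitlab:workhorse:secret:path`, and an operator who sets the consistently-named key will silently get the default location. Suggested line: `- name: {{ salt['pillar.get']('gitlab:workhorse:secret:path', root_dir ~ '/.gitlab_workhorse_secret') }}`. `gitlab-workhorse-make` also has no `require` on the `{{ root_dir }}/gitlab-workhorse` directory state it installs into, unlike `gitaly-make`, which requires `gitaly-bin-dir`.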
@@ -1,73 +1,163 @@ include: + - postgres - gitlab.ruby -gitlab-git: +{% set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %} +{% set repositories = salt['pillar.get']('gitlab:lookup:repositories', root_dir ~ '/repositories') %} +{% set sockets_dir = salt['pillar.get']('gitlab:lookup:sockets_dir', root_dir ~ '/var/sockets') %} +{% set pids_dir = salt['pillar.get']('gitlab:lookup:pids_dir', root_dir ~ '/var/pids') %} +{% set logs_dir = salt['pillar.get']('gitlab:lookup:logs_dir', root_dir ~ '/var/logs') %} +{% set uploads_dir = salt['pillar.get']('gitlab:lookup:uploads_dir', root_dir ~ '/var/uploads') %} +{% set lib_dir = salt['pillar.get']('gitlab:lookup:lib_dir', root_dir ~ '/libraries') %} + +{% set active_db = salt['pillar.get']('gitlab:databases:production', 'paf') %} +{% set db_user, db_user_infos = salt['pillar.get']('postgres:users').items()[0] %} + +{% set gitlab_dir = root_dir ~ "/gitlab" %} +{% if salt['pillar.get']('gitlab:archives:enabled', false) %} + {% set gitlab_dir_content = lib_dir ~ '/gitlab/' ~ salt['pillar.get']('gitlab:archives:sources:gitlab:content') %} +{% else %} + {% set gitlab_dir_content = gitlab_dir %} +{% endif %} + +{% if salt['pillar.get']('gitlab:archives:enabled', false) %} +gitlab-fetcher: + archive.extracted: + - name: {{ lib_dir }}/gitlab + - source: {{ salt['pillar.get']('gitlab:archives:sources:gitlab:source') }} + - source_hash: md5={{ salt['pillar.get']('gitlab:archives:sources:gitlab:md5') }} + - archive_format: tar + - if_missing: {{ gitlab_dir_content }} + - keep: True + +gitlab-chown: + file.directory: + - name: {{ gitlab_dir_content }} + - user: git + - group: git + - recurse: + - user + - onchanges: + - archive: gitlab-fetcher + +gitlab-lib-symlink: + file.symlink: + - name: {{ gitlab_dir }} + - target: {{ gitlab_dir_content }} + require: + - file: gitlab-fetcher +{% else %} +gitlab-fetcher: git.latest: - name: https://gitlab.com/gitlab-org/gitlab-ce.git - rev: {{ 
salt['pillar.get']('gitlab:gitlab_version') }} - user: git - - target: /home/git/gitlab + - target: {{ gitlab_dir }} + - force: True - require: - pkg: gitlab-deps - pkg: git - sls: gitlab.ruby - cmd: gitlab-shell - user: git-user +{% endif %} # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example gitlab-config: file.managed: - - name: /home/git/gitlab/config/gitlab.yml + - name: {{ root_dir }}/gitlab/config/gitlab.yml - source: salt://gitlab/files/gitlab-gitlab.yml - template: jinja - user: git - group: git - mode: 640 - require: - - git: gitlab-git + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} - user: git-user # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/database.yml.postgresql gitlab-db-config: file.managed: - - name: /home/git/gitlab/config/database.yml + - name: {{ root_dir }}/gitlab/config/database.yml - source: salt://gitlab/files/gitlab-database.yml - template: jinja - user: git - group: git - mode: 640 - require: - - git: gitlab-git + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} - user: git-user +gitlab-redis-config: + file.managed: + - name: {{ root_dir }}/gitlab/config/resque.yml + - source: salt://gitlab/files/gitlab-resque.yml + - template: jinja + - user: git + - group: git + - mode: 640 + - require: + - user: git-user + +gitlab-db-secrets: + file.managed: + - name: {{ root_dir }}/gitlab/config/secrets.yml + - source: salt://gitlab/files/gitlab-secrets.yml + - template: jinja + - user: git + - group: git + - mode: 600 + - require: + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} + # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/unicorn.rb.example unicorn-config: file.managed: - - name: 
/home/git/gitlab/config/unicorn.rb + - name: {{ root_dir }}/gitlab/config/unicorn.rb - source: salt://gitlab/files/gitlab-unicorn.rb - template: jinja - user: git - group: git - mode: 640 - require: - - git: gitlab-git + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} - user: git-user # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/rack_attack.rb.example rack_attack-config: file.managed: - - name: /home/git/gitlab/config/initializers/rack_attack.rb + - name: {{ root_dir }}/gitlab/config/initializers/rack_attack.rb - source: salt://gitlab/files/gitlab-rack_attack.rb - user: git - group: git - mode: 640 - require: - - git: gitlab-git + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} - user: git-user git-config: file.managed: - - name: /home/git/.gitconfig + - name: {{ root_dir }}/.gitconfig - source: salt://gitlab/files/gitlab-gitconfig - template: jinja - user: git 
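Review bot: gitlab-lib-symlink writes `require:` without the leading `- `, so it is a sibling key of `file.symlink` rather than one of its arguments and is not parsed as a requisite, and it names `file: gitlab-fetcher` although gitlab-fetcher in that branch is an archive.extracted state; it should read `- require:` / `- archive: gitlab-fetcher` (gitlab-pids_dir-symlink in the next hunk has the same dash-less `require:`). `{% set db_user, db_user_infos = salt['pillar.get']('postgres:users').items()[0] %}` takes whichever role happens to come first in the `postgres:users` pillar dict, so if that pillar ever lists more than one role the GitLab credentials silently become another role's, and `.items()[0]` raises TypeError on a Python 3 minion; select the role by an explicit pillar key and `.get()` it with a default instead. `active_db` defaults to the string `'paf'`, so a missing `gitlab:databases:production` surfaces later as an attribute error on `active_db.host` rather than as a clear message.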
@@ -76,40 +166,64 @@ git-config: - require: - user: git-user -{% for dir in ['gitlab-satellites', 'gitlab/tmp/pids', 'gitlab/tmp/sockets', 'gitlab/public/uploads'] %} -/home/git/{{ dir }}: +git-var-mkdir: file.directory: + - name: {{ root_dir }}/var + - user: git + - group: git + - mode: 750 + +# pids_dir +{% for dir in [ sockets_dir, logs_dir ] %} +git-{{ dir }}-mkdir: + file.directory: + - name: {{ dir }} - user: git - group: git - mode: 750 - - require: - - user: git-user - - git: gitlab-git {% endfor %} -gitlab-initialize: - cmd.wait: +gitlab-uploads_dir-mkdir: + file.directory: + - name: {{ uploads_dir }} - user: git - - cwd: /home/git/gitlab - - name: echo yes | bundle exec rake gitlab:setup RAILS_ENV=production - - shell: /bin/bash - - unless: psql -U {{ salt['pillar.get']('gitlab:db_user') }} {{ salt['pillar.get']('gitlab:db_name') }} -c 'select * from users;' - - watch: - - git: gitlab-git + - group: git + - mode: 700 + +gitlab-uploads_dir-symlink: + file.symlink: + - name: {{ gitlab_dir }}/public/uploads + - target: {{ uploads_dir }} - require: - - cmd: gitlab-gems - - postgres_database: gitlab-db + - file: gitlab-config + - file: gitlab-uploads_dir-mkdir + +# Hardcoded in gitlab, so, we have to create symlink +gitlab-pids_dir-symlink: + file.symlink: + - name: {{ pids_dir }} + - target: {{ gitlab_dir }}/tmp/pids + require: + - file: gitlab-config # When code changes, trigger upgrade procedure # Based on https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/upgrader.rb gitlab-gems: - cmd.wait: + cmd.run: - user: git - - cwd: /home/git/gitlab - - name: bundle install --deployment --without development test mysql aws - - shell: /bin/bash - - watch: - - git: gitlab-git + - cwd: {{ gitlab_dir }} + - name: bundle install --deployment --without development test mysql aws kerberos + - env: + {%- if salt['pillar.get']('gitlab:proxy:address') %} + - HTTP_PROXY: {{ pillar.gitlab.proxy.address }} + - HTTPS_PROXY: {{ pillar.gitlab.proxy.address }} + {%- 
endif %} + - onchanges: + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} - require: - file: gitlab-db-config - file: gitlab-config 
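Review bot: gitlab-gems enables the proxy on `{%- if salt['pillar.get']('gitlab:proxy:address') %}`, while ruby.sls in this same commit gates on `gitlab:proxy:enabled`, and pillar.example ships `enabled: false` next to a non-empty placeholder `address`; with that pillar, bundle install would be routed through the placeholder proxy even though the proxy is disabled, so the check should be `{%- if salt['pillar.get']('gitlab:proxy:enabled', false) %}` here and in gitlab-yarn-install in the next hunk. gitlab-pids_dir-symlink writes `require:` without the `- ` prefix, so it is not attached to file.symlink, and since the new mkdir loop covers only `[ sockets_dir, logs_dir ]` (`# pids_dir` is left as a comment) while the symlink points pids_dir at `{{ gitlab_dir }}/tmp/pids`, the link dangles unless the checkout already contains tmp/pids, a directory the previous revision created explicitly. The symlink direction is also the reverse of gitlab-uploads_dir-symlink, which is worth a comment if it is intentional.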
@@ -117,51 +231,108 @@ gitlab-gems: - file: rack_attack-config - sls: gitlab.ruby -gitlab-migrate-db: - cmd.wait: +gitlab-initialize: + cmd.run: - user: git - - cwd: /home/git/gitlab - - name: bundle exec rake db:migrate RAILS_ENV=production - - shell: /bin/bash + - cwd: {{ gitlab_dir }} + - name: bundle exec rake gitlab:setup + - env: + - force: yes + - RAILS_ENV: production + - unless: PGPASSWORD={{ db_user_infos.password }} psql -h {{ active_db.host }} -U {{ db_user }} {{ active_db.name }} -c 'select * from users;' - watch: - - git: gitlab-git + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} - require: - cmd: gitlab-gems - - cmd: gitlab-initialize - - postgres_database: gitlab-db + - file: gitlab-db-config -gitlab-recompile-assets: - cmd.wait: +gitlab-migrate-db: + cmd.run: - user: git - - cwd: /home/git/gitlab - - name: bundle exec rake assets:clean assets:precompile RAILS_ENV=production - - shell: /bin/bash - - watch: - - git: gitlab-git + - cwd: {{ gitlab_dir }} + - name: bundle exec rake db:migrate + - env: + - RAILS_ENV: production + - onchanges: + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} + - require: + - file: gitlab-db-config + - file: gitlab-redis-config + - cmd: gitlab-gems + +gitlab-build-translations: + cmd.run: + - user: git + - cwd: {{ gitlab_dir }} + - name: bundle exec rake gettext:pack gettext:po_to_json + - env: + - RAILS_ENV: production + - onchanges: + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} - require: - - cmd: gitlab-migrate-db + - cmd: gitlab-gems -gitlab-clear-cache: - cmd.wait: +gitlab-yarn-install: + cmd.run: + - name: bundle exec rake yarn:install - user: git - - cwd: /home/git/gitlab - - name: bundle exec rake cache:clear RAILS_ENV=production - - 
shell: /bin/bash - - watch: - - git: gitlab-git + - cwd: {{ gitlab_dir }} + - env: + - RAILS_ENV: production + - NODE_ENV: production + {%- if salt['pillar.get']('gitlab:proxy:address') %} + - YARN_PROXY: {{ pillar.gitlab.proxy.address }} + - HTTP_PROXY: {{ pillar.gitlab.proxy.address }} + - HTTPS_PROXY: {{ pillar.gitlab.proxy.address }} + {%- endif %} + - onchanges: + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} - require: - - cmd: gitlab-recompile-assets + - cmd: gitlab-build-translations +gitlab-recompile-assets-cache: + cmd.run: + - user: git + - cwd: {{ gitlab_dir }} + - name: bundle exec rake gitlab:assets:clean gitlab:assets:compile cache:clear + - env: + - RAILS_ENV: production + - NODE_ENV: production + - onchanges: + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} + - require: + - cmd: gitlab-yarn-install + +{% if not salt['pillar.get']('gitlab:archives:enabled', false) %} # Needed to be able to update tree via git gitlab-stash: cmd.wait: - user: git - - cwd: /home/git/gitlab + - cwd: {{ gitlab_dir }} - name: git stash - - watch: - - git: gitlab-git - - require: - - cmd: gitlab-clear-cache + - onchanges: + - git: gitlab-fetcher +{% endif %} # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/init.d/gitlab.default.example gitlab-default: 
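Review bot: gitlab-initialize puts the database password on the command line of its `unless` check (`PGPASSWORD={{ db_user_infos.password }} psql ...`), where it is visible in the process list while the check runs and ends up in the minion debug log and the job return; pass it through the state's `- env:` list, which as far as I can tell is applied to `unless` as well, or through a `.pgpass` file owned by git with mode 600. The `unless` also conflates "users table absent" with "cannot reach the database": any connection failure makes psql return non-zero, and `rake gitlab:setup` with `force: yes` is the destructive re-seed path, so a transient outage would run it against an existing production database; adding `- onlyif: psql -h {{ active_db.host }} -U {{ db_user }} {{ active_db.name }} -c 'select 1'` (with the same credential handling) limits setup to the reachable-but-empty case. gitlab-initialize keeps `- watch:` while every sibling in this hunk uses `- onchanges:`, which reads as an oversight, and the test.sls added in this commit repeats the same psql line.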
@@ -173,33 +344,54 @@ gitlab-default: - group: root - mode: 644 +# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/logrotate/gitlab +gitlab-logwatch: + file.managed: + - name: /etc/logrotate.d/gitlab + - source: salt://gitlab/files/gitlab-logrotate + - template: jinja + - user: root + - group: root + - mode: 644 + +gitlab-respositories-dir: + file.directory: + - name: {{ repositories }} + - user: git + - group: git + - file_mode: 0660 + - dir_mode: 2770 + gitlab-service: - file.symlink: + file.managed: - name: /etc/init.d/gitlab - - target: /home/git/gitlab/lib/support/init.d/gitlab + - source: salt://gitlab/files/initd + - mode: 0755 + - template: jinja - require: - - git: gitlab-git + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} service: - name: gitlab - running - enable: True + - reload: True - require: - - cmd: gitlab-initialize + - file: gitlab-service +# - cmd: gitlab-initialize + - file: gitlab-pids_dir-symlink + - file: gitlab-uploads_dir-symlink - watch: - - git: gitlab-git - - cmd: gitlab-clear-cache + {% if salt['pillar.get']('gitlab:archives:enabled', false) %} + - archive: gitlab-fetcher + {% else %} + - git: gitlab-fetcher + {% endif %} - file: gitlab-config - file: gitlab-db-config - file: gitlab-default - - file: gitlab-service - file: rack_attack-config - file: unicorn-config - -# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/logrotate/gitlab -gitlab-logwatch: - file.managed: - - name: /etc/logrotate.d/gitlab - - source: salt://gitlab/files/gitlab-logrotate - - user: root - - group: root - - mode: 644 diff --git a/gitlab/init.sls b/gitlab/init.sls index 12d7de6..ba1c4b8 100644 --- a/gitlab/init.sls +++ b/gitlab/init.sls 
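Review bot: the `service:` block of gitlab-service has its dependency on initialization commented out (`# - cmd: gitlab-initialize`) and neither requires nor watches gitlab-migrate-db or gitlab-recompile-assets-cache, so only file order keeps the service after the migrations and, on upgrades, nothing reloads it after db:migrate or asset compilation; `- cmd: gitlab-migrate-db` under `require` and `- cmd: gitlab-recompile-assets-cache` under `watch` would restore what the old `cmd: gitlab-clear-cache` watch provided. gitlab-respositories-dir (typo in the ID) sets `file_mode: 0660` without a `recurse:` entry, and file.directory only applies file_mode when recursing on mode, so that line is a no-op as written. `dir_mode: 2770` on the repositories root is presumably meant so new repositories inherit the git group — a comment saying so would stop a later cleanup from "fixing" it to 0750.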
@@ -1,13 +1,13 @@ include: - - postgresql - {% if grains['os_family'] == 'RedHat' %} - gitlab.repos + {% if not salt['pillar.get']('gitlab:archives:enabled', false) %} + - gitlab.git {% endif %} - gitlab.packages - redis - - gitlab.postgresql - gitlab.user - gitlab.ruby - gitlab.gitlab-shell + - gitlab.gitlab-workhorse + - gitlab.gitaly - gitlab.gitlab - - gitlab.nginx diff --git a/gitlab/nginx.sls b/gitlab/nginx.sls deleted file mode 100644 index 2429b0f..0000000 --- a/gitlab/nginx.sls +++ /dev/null 
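Review bot: `- gitlab.repos` is still included only under `{% if grains['os_family'] == 'RedHat' %}`, yet the Debian branch of packages.sls in this commit requires `pkgrepo: gitlab-distro-backports`, `pkgrepo: gitlab-nodejs-repo` and `pkgrepo: gitlab-yarn-repo`, all defined in the new Debian section of repos.sls; on a Debian-family minion those requisites cannot be resolved and gitlab-deps and gitlab-golang-deps fail. Since repos.sls now branches on os_family itself, `- gitlab.repos` should move out of the conditional. `- gitlab.gitaly` is included but no gitaly.sls appears in this diff, so presumably it already exists; and with `- gitlab.nginx` dropped nothing in this include list pulls in the nginx formula the README now refers to, which may be intended to be the user's top-file job and deserves a comment here.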
@@ -1,78 +0,0 @@ -{% if grains['os_family'] == 'Debian' %} -{% set nginx_user = 'www-data' %} -{% set nginx_path = '/etc/nginx/sites-enabled' %} -{% elif grains['os_family'] == 'RedHat' %} -{% set nginx_user = 'nginx' %} -{% set nginx_path = '/etc/nginx/conf.d' %} -{% endif %} - -nginx: - pkg.installed: [] - service.running: - - enable: True - - require: - - pkg: nginx - - user: nginx - - watch: - - file: gitlab-nginx - file.absent: - - name: {{ nginx_path }}/default.conf - user.present: - - name: {{ nginx_user }} - - groups: - - git - - require: - - pkg: nginx - -{%- if salt['pillar.get']('gitlab:https', false) %} - -# https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl -gitlab-nginx: - file.managed: - - name: {{ nginx_path }}/gitlab.conf - - source: salt://gitlab/files/gitlab-nginx-ssl - - template: jinja - - user: root - - group: root - - mode: 644 - - require: - - pkg: nginx - - file: nginx-ssl-key - - file: nginx-ssl-cert - -nginx-ssl-key: - file.managed: - - name: /etc/nginx/gitlab.key - - user: root - - group: {{ nginx_user }} - - mode: 640 - - contents_pillar: gitlab:ssl_key - - watch_in: - - service: nginx - -nginx-ssl-cert: - file.managed: - - name: /etc/nginx/gitlab.crt - - user: root - - group: {{ nginx_user }} - - mode: 644 - - contents_pillar: gitlab:ssl_cert - - watch_in: - - service: nginx - -{% else %} - -# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab -gitlab-nginx: - file.managed: - - name: {{ nginx_path }}/gitlab.conf - - source: salt://gitlab/files/gitlab-nginx - - template: jinja - - user: root - - group: root - - mode: 644 - - require: - - pkg: nginx - -{% endif %} - diff --git a/gitlab/packages.sls b/gitlab/packages.sls index 053d9c8..921a73b 100644 --- a/gitlab/packages.sls +++ b/gitlab/packages.sls 
@@ -1,5 +1,16 @@ -include: - - git +{%- if grains.os_family == 'Debian' %} +# aptpkg does not deal with >= versions +gitlab-golang-deps: + pkg.installed: + - pkgs: + - golang + - golang-1.8 + {%- if grains.os == "Ubuntu" and grains.osrelease_info[0] < 17 %} + - fromrepo: artful + {%- endif %} + - require: + - pkgrepo: gitlab-distro-backports +{%- endif %} gitlab-deps: pkg.installed: @@ -74,25 +85,39 @@ gitlab-deps: - build-essential - checkinstall - curl + - cmake - libcurl4-openssl-dev - libffi-dev - libgdbm-dev - libicu-dev - libncurses5-dev + - libre2-dev - libreadline-dev + {%- if (grains['os'] == 'Ubuntu' and grains['osrelease_info'][0] >= 17) or (grains['os'] == 'Debian' and grains['osrelease_info'][0] >= 9) %} + - libssl1.0-dev + {%- else %} - libssl-dev + {%- endif %} - libxml2-dev - libxslt1-dev - libyaml-dev - logrotate - openssh-server + - nodejs: latest + - pkg-config - python - python-docutils + - rake - redis-server + - yarn: latest - zlib1g-dev - {% if salt['pillar.get']('gitlab:db_engine', 'postgresql') == 'postgresql' %} + {% if salt['pillar.get']('gitlab:db:engine', 'postgresql') == 'postgresql' %} - libpq-dev {% endif %} + - require: + - pkgrepo: gitlab-nodejs-repo + - pkgrepo: gitlab-yarn-repo + - pkg: gitlab-golang-deps {% endif %} {% if salt['pillar.get']('gitlab:use_rvm', False) %} diff --git a/gitlab/postgresql.sls b/gitlab/postgresql.sls deleted file mode 100644 index 177cfc5..0000000 --- a/gitlab/postgresql.sls +++ /dev/null 
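Review bot: removing `include: - git` leaves the `- pkg: git` requisites of gitlab-fetcher and gitlab-workhorse-fetcher in this commit without a known provider; unless the new gitlab.git state, which init.sls includes only when archives are disabled, defines a `git` pkg state, those git.latest states fail on requisite resolution. gitlab-golang-deps installs `golang-1.8` with `fromrepo: artful` on Ubuntu < 17, i.e. from another release's archive; the `# aptpkg does not deal with >= versions` comment explains the version handling but not why a cross-release package is considered acceptable, which is exactly what a later maintainer will want to know before touching it.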
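Review bot: `- nodejs: latest` and `- yarn: latest` come from third-party repositories that repos.sls pins at priority 901, so every highstate upgrades them to whatever upstream publishes and the toolchain that builds the production assets is neither reproducible nor reviewable; pin explicit versions from pillar or a map.jinja. The `libssl1.0-dev` branch for Ubuntu >= 17 and Debian >= 9 pulls the legacy 1.0 development package, presumably because the chosen Ruby and gem set does not build against 1.1; that constraint should be stated in a comment next to the condition so it can be dropped when it no longer holds. The engine check now reads `gitlab:db:engine`, but pillar.example in this commit defines the engine under `databases:production:engine`, so the condition always takes its default.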
@@ -1,19 +0,0 @@ -include: - - postgresql - -gitlab-db: - postgres_user.present: - - name: {{ salt['pillar.get']('gitlab:db_user') }} - - password: {{ salt['pillar.get']('gitlab:db_pass') }} - - require: - - pkg: postgresql-server - - service: postgresql-server - postgres_database.present: - - name: {{ salt['pillar.get']('gitlab:db_name') }} - - owner: {{ salt['pillar.get']('gitlab:db_user') }} - - template: template1 - - require: - - file: gitlab-service - - pkg: postgresql-server - - service: postgresql-server - - postgres_user: gitlab-db diff --git a/gitlab/repos.sls b/gitlab/repos.sls index 47335de..66ef4c9 100644 --- a/gitlab/repos.sls +++ b/gitlab/repos.sls 
@@ -7,16 +7,59 @@ PUIAS_6_computational: - gpgkey: http://springdale.math.ias.edu/data/puias/6/x86_64/os/RPM-GPG-KEY-puias - mirrorlist: http://puias.math.ias.edu/data/puias/computational/$releasever/$basearch/mirrorlist -{% if not salt['pillar.get']('gilab:use_rvm', false) %} -include: - - gitlab.ruby - -ruby-scl: +{% elif grains['os_family'] == 'Debian' %} +{# TODO: Handling of packages should be moved to map.jinja #} +{# Gitlab 9.2+ requires golang-1.8+ which requires backports on Debian 9 and Artful repositories on Ubuntu #} +{%- set distro = grains.oscodename %} +gitlab-distro-backports: + file.managed: + - name: /etc/apt/preferences.d/55_gitlab_req_backports + {%- if grains.os == "Ubuntu" and grains.osrelease_info[0] < 17 %} + - contents: | + Package: golang + Pin: release o=Ubuntu,a=artful + Pin-Priority: 901 + {%- else %} + - contents: | + Package: golang + Pin: release o=Debian Backports,a={{ distro }}-backports + Pin-Priority: 901 + {%- endif %} pkgrepo.managed: - - humanname: Ruby 1.9.3 Dynamic Software Collection - - gpgcheck: 0 - - baseurl: http://people.redhat.com/bkabrda/ruby193-rhel-6/ + {%- if grains.os == "Ubuntu" and grains.osrelease_info[0] < 17 %} + - name: deb http://archive.ubuntu.com/ubuntu artful main + {%- else %} + - name: deb http://httpredir.debian.org/debian {{ distro }}-backports main + {%- endif %} + - file: /etc/apt/sources.list.d/gitlab_req_backports.list + +{# Gitlab 10.3+ requires nodejs-6+ but is not available in Debian 10 and not before Ubuntu 17.10 #} +gitlab-nodejs-repo-mgmt-pkgs: + pkg.installed: + - names: + - python-apt + - apt-transport-https - require_in: - - pkg: gitlab-ruby -{% endif %} + - pkgrepo: gitlab-nodejs-repo + - pkgrepo: gitlab-yarn-repo + +gitlab-nodejs-repo: + pkgrepo.managed: + - name: deb https://deb.nodesource.com/node_6.x {{ grains.oscodename|lower }} main + - file: /etc/apt/sources.list.d/nodesource_6.list + - key_url: salt://gitlab/files/nodesource.gpg.key + +gitlab-nodejs-preference: + file.managed: 
+ - name: /etc/apt/preferences.d/90_nodesource + - contents: | + Package: nodejs + Pin: release o=Node source,l=Node source + Pin-Priority: 901 + +gitlab-yarn-repo: + pkgrepo.managed: + - name: deb https://dl.yarnpkg.com/debian/ stable main + - file: /etc/apt/sources.list.d/yarn.list + - key_url: salt://gitlab/files/dl.yarn.com.key {% endif %} diff --git a/gitlab/ruby.sls b/gitlab/ruby.sls index 847cc30..b61dc3b 100644 --- a/gitlab/ruby.sls +++ b/gitlab/ruby.sls @@ -1,7 +1,7 @@ gitlab-ruby: {% if salt['pillar.get']('gitlab:use_rvm', false) %} rvm.installed: - - name: ruby-{{ salt['pillar.get']('gitlab:rvm_ruby', '2.1.0') }} + - name: ruby-{{ salt['pillar.get']('gitlab:rvm_ruby', '2.3.3') }} - default: True - user: git - require: @@ -9,24 +9,22 @@ gitlab-ruby: - pkg: rvm-deps gem.installed: - user: git - - ruby: ruby-2.1.0 + - ruby: ruby-2.3.3 - require: - rvm: gitlab-ruby {% else %} {% if grains['os_family'] == 'Debian' %} pkg.installed: - pkgs: - - ruby - - ruby-dev + - ruby: ">=2.3" + - ruby-dev: ">=2.3" gem.installed: - name: bundler + - version: ">= 1.14, <1.15" - require: - pkg: gitlab-ruby - {% elif grains['os_family'] == 'RedHat' %} - pkg.installed: - - pkgs: - - ruby193-ruby - - ruby193-ruby-devel - - ruby193-rubygem-bundler + {% if salt['pillar.get']('gitlab:proxy:enabled', false) %} + - proxy: {{ salt['pillar.get']('gitlab:proxy:address') }} + {% endif %} {% endif %} {% endif %} diff --git a/gitlab/test.sls b/gitlab/test.sls new file mode 100644 index 0000000..0e8d03a --- /dev/null +++ b/gitlab/test.sls 
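Review bot: gitlab-distro-backports on Ubuntu < 17 adds `deb http://archive.ubuntu.com/ubuntu artful main`, an entire foreign release, to a stable host, while the preference it writes pins only `Package: golang`; nothing then stops apt from resolving other dependencies from artful once it is enabled, and the golang-1.8 packages that packages.sls pulls with `fromrepo: artful` are outside the pin. If the cross-release source is unavoidable, add a catch-all stanza (`Package: *` / `Pin: release a=artful` / `Pin-Priority: -10`) so the foreign release is used only for the names explicitly pinned above it. The nodesource and yarn repositories are added with keys vendored into the formula via `key_url: salt://gitlab/files/...`, which is the right approach; recording each key's fingerprint in a comment next to its pkgrepo would let a reviewer verify the vendored key without fetching it. `node_6.x` is hard-coded in the repository name and would be better as a map or pillar value alongside the version pins.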
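Review bot: `- ruby: ">=2.3"` and `- ruby-dev: ">=2.3"` hand a version comparison to pkg.installed, and the comment packages.sls adds in this same commit says `aptpkg does not deal with >= versions`; if that comment is right, the constraint is either ignored or fails on Debian, so pin the versions the target releases actually ship or drop the constraint and document the minimum in the README. The bundler proxy block is gated on `gitlab:proxy:enabled` while the gems and yarn states in gitlab.sls are gated on `gitlab:proxy:address`; pick one key so a pillar with `enabled: false` behaves the same everywhere.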
@@ -0,0 +1,25 @@
+{% set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %}
+
+{% set active_db = salt['pillar.get']('gitlab:databases:production', 'paf') %}
+{% set user, user_infos = salt['pillar.get']('postgres:users').items()[0] %}
+
+/tmp/test:
+ file.managed:
+ - source: salt://gitlab/files/test
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+
+gitlab-initialize:
+ cmd.run:
+ - user: git
+ - cwd: {{ root_dir }}/gitlab
+ - name: force=yes bundle exec rake gitlab:setup RAILS_ENV=production
+ - shell: /bin/bash
+ - unless: PGPASSWORD={{ user_infos.password }} psql -h {{ active_db.host }} -U {{ user }} {{ active_db.name }} -c 'select * from users;'
+# - watch:
+# - git: gitlab-fetcher
+# - require:
+# - cmd: gitlab-gems
+# - file: gitlab-db-config
diff --git a/gitlab/user.sls b/gitlab/user.sls
index 7d145f0..182279f 100644
--- a/gitlab/user.sls
+++ b/gitlab/user.sls
@@ -1,14 +1,16 @@ +{% set root_dir = salt['pillar.get']('gitlab:lookup:root_dir', '/home/git') %} + git-user: user.present: - name : git - system: True - shell: /bin/bash - fullname: GitLab - - home: /home/git + - home: {{ root_dir }} git-home: file.directory: - - name: /home/git + - name: {{ root_dir }} - user: git - group: git - mode: 750
diff --git a/pillar.example b/pillar.example
index 874cad6..bdbdfe0 100644
--- a/pillar.example
+++ b/pillar.example
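Review bot: test.sls defines a second state with the ID `gitlab-initialize`, so any top file that includes both gitlab.test and gitlab.gitlab fails with a conflicting-ID error, and its `/tmp/test` file.managed refers to `salt://gitlab/files/test`, which this diff does not add; the file reads like a scratch state that should either be left out of the formula or renamed and documented as a manual re-initialization helper. It runs `force=yes bundle exec rake gitlab:setup`, the destructive re-seed path, with only the `unless` psql check (which again puts `PGPASSWORD=` on the command line) between it and an existing database, so the concerns raised on gitlab.sls's gitlab-initialize apply here unchanged. The four commented `# - watch` / `# - require` lines are dead configuration and should go rather than be carried along.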
@@ -1,12 +1,56 @@
gitlab:
+ lookup:
+ root_dir: /opt/git
+ lib_dir: /opt/git/libraries
+ repo_dir: /opt/git/repositories
+ pids_dir: /opt/git/var/pids
+ sockets_dir: /opt/git/var/sockets
+ logs_dir: /opt/git/var/logs
+ uploads_dir: /opt/git/var/uploads
+ hostname: localhost
+ proxy:
+ enabled: false
+ address: http://ourproxy:port
+ archives:
+ enabled: false
+ sources:
+ gitlab:
+ source: https://gitlab.com/gitlab-org/gitlab-ce/repository/archive.tar.gz?ref=v8.7.2
+ md5: 0a63803fd87766d034cf3ff4d4133fce
+ content: gitlab-ce-v8.7.2-213974bc9bfca79136db32d47f4854b02e0e7fc2
+ workhorse:
+ source: https://gitlab.com/gitlab-org/gitlab-workhorse/repository/archive.tar.gz?ref=0.7.2
+ md5: c0b266285bf54ed7cef806f25a7e8aa9
+ content: gitlab-workhorse-0.7.2-7a2c97cb8f98a2af9b8ec80fcafc2721ef4a8e97
+ shell:
+ source: https://gitlab.com/gitlab-org/gitlab-shell/repository/archive.tar.gz?ref=v2.7.2
+ md5: 1835e858d9285ac9941eec320e2ecac6
+ content: gitlab-shell-v2.7.2-c615ca4650dfb4b17bf073276024f886e52b74a3
use_rvm: False
- rvm_ruby: 2.1.0
- shell_version: v1.8.0
- gitlab_version: 6-5-stable
- db_engine: postgresql
- db_name: 'gitlabhq_production'
- db_user: 'git'
- db_pass: 'MyVerySecretGitLabPassword'
+ rvm_ruby: 2.3.3
+ shell_version: v2.7.2
+ gitlab_version: 8-7-stable
+ workhorse_version: v0.7.1
+ databases:
+ production: &production
+ engine: postgresql
+ name: gitlab
+ pool: 10
+ host: localhost
+ secrets:
+ db_key_base:
+ secret_key_base:
+ otp_key_base:
+ development:
+ engine: postgresql
+ name: gitlab
+ staging:
+ engine: postgresql
+ name: gitlab
+ test:
+ engine: postgresql
+ name: gitlab
+ active_database: *production
gravatar:
enabled: false
ldap:
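Review bot: pillar.example documents the repositories location as `lookup: repo_dir`, but gitlab.sls in this commit reads `gitlab:lookup:repositories`, so the example key is silently ignored and the repositories always land under `root_dir ~ '/repositories'`; rename one side (`repositories: /opt/git/repositories` here, or `repo_dir` in the state). `active_database: *production` has no reader in the states of this diff — gitlab.sls and test.sls both fetch `gitlab:databases:production` directly — so either the states should honour it or it should be dropped from the example to avoid suggesting a switch that does not exist. Each `archives: sources:` entry carries only an `md5:`, one of the weakest digests `source_hash` accepts, and an example file is where users copy from, so it should show a sha256 entry. The empty `db_key_base:` / `secret_key_base:` / `otp_key_base:` values are the right default for an example; a comment saying they must be generated per installation and never shared between environments would make that explicit.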
@@ -39,25 +83,24 @@ gitlab:
#{% elif grains['os_family'] == 'Debian' %}
#ca_path: /etc/ssl/certs
#{% endif %}
+ secret:
+ value: 0123456789abcdef0123456789abcde
+ path: "/opt/git/.gitlab_shell_secret"
+ workhorse
+ secret:
+ value: 0123456789abcdef0123456789zyxwvu
+ path: "/opt/git/.gitlab_workhorse_secret"
unicorn:
worker_processes: 2
timeout: 30
- https: True
- ssl_key: |
- -----BEGIN PRIVATE KEY-----
- ABC=
- -----END PRIVATE KEY-----
- ssl_cert: |
- -----BEGIN CERTIFICATE-----
- ABC=
- -----END CERTIFICATE-----
+ https: false
#runner
- runner:
- downloadpath: "https://s3-eu-west-1.amazonaws.com/downloads-packages/ubuntu-14.04/gitlab-runner_5.2.0~omnibus.1-1_amd64.deb"
- #(default debian wget https://s3-eu-west-1.amazonaws.com/downloads-packages/ubuntu-14.04/gitlab-runner_5.2.0~omnibus.1-1_amd64.deb )
- username: "gitlab-runner"
- # default: gitlab-runner
- url: "url gitlab-ci"
- token: "token gitlab-ci"
+# runner:
+# downloadpath: "https://s3-eu-west-1.amazonaws.com/downloads-packages/ubuntu-14.04/gitlab-runner_5.2.0~omnibus.1-1_amd64.deb"
+# #(default debian wget https://s3-eu-west-1.amazonaws.com/downloads-packages/ubuntu-14.04/gitlab-runner_5.2.0~omnibus.1-1_amd64.deb )
+# username: "gitlab-runner"
+# # default: gitlab-runner
+# url: "url gitlab-ci"
+# token: "token gitlab-ci"