├── .gitignore ├── .kitchen.yml ├── .rspec ├── .rubocop.yml ├── .travis.yml ├── Berksfile ├── CHANGELOG.md ├── Gemfile ├── README.md ├── Rakefile ├── attributes └── default.rb ├── chefignore ├── files └── default │ └── rack_attack.rb ├── metadata.rb ├── recipes ├── default.rb ├── git.rb ├── mysql.rb └── postgres.rb ├── spec ├── default_spec.rb └── spec_helper.rb ├── templates └── default │ ├── database.yml.erb │ ├── gitaly.toml.erb │ ├── gitconfig.erb │ ├── gitlab.yml.erb │ ├── id_rsa.erb │ ├── id_rsa.pub.erb │ ├── nginx.gitlab.erb │ ├── shell_config.yml.erb │ ├── ssh_config.erb │ └── unicorn.rb.erb └── test └── integration ├── default └── bats │ └── default.bats ├── https ├── bats │ └── default.bats ├── data_bags │ └── certificates │ │ └── test.json └── encrypted_data_bag_secret ├── metadata.rb └── recipes └── default.rb /.gitignore: -------------------------------------------------------------------------------- 1 | metadata.json 2 | *.lock 3 | .kitchen/ 4 | .kitchen.local.yml 5 | .coverage 6 | -------------------------------------------------------------------------------- /.kitchen.yml: -------------------------------------------------------------------------------- 1 | --- 2 | driver_plugin: vagrant 3 | driver_config: 4 | customize: 5 | memory: 2048 6 | 7 | provisioner: 8 | name: chef_zero 9 | 10 | platforms: 11 | - name: ubuntu-14.04 12 | driver_config: 13 | network: 14 | - ["forwarded_port", {guest: 80, host: 8080}] 15 | - ["forwarded_port", {guest: 443, host: 8443}] 16 | run_list: 17 | - recipe[apt] 18 | #attributes: 19 | #apt: 20 | #- compile_time_update: true 21 | - name: ubuntu-12.04 22 | driver_config: 23 | network: 24 | - ["forwarded_port", {guest: 80, host: 8081}] 25 | - ["forwarded_port", {guest: 443, host: 8444}] 26 | run_list: 27 | - recipe[apt] 28 | #attributes: 29 | #apt: 30 | #- compile_time_update: true 31 | - name: centos-7.4 32 | driver_config: 33 | network: 34 | - ["forwarded_port", {guest: 80, host: 8082}] 35 | - ["forwarded_port", {guest: 
443, host: 8445}] 36 | - name: centos-6.8 37 | driver_config: 38 | network: 39 | - ["forwarded_port", {guest: 80, host: 8083}] 40 | - ["forwarded_port", {guest: 443, host: 8446}] 41 | 42 | suites: 43 | - name: default 44 | run_list: 45 | - recipe[gitlab-test] 46 | - recipe[gitlab] 47 | attributes: 48 | gitlab: 49 | database: 50 | type: postgres 51 | authorization: 52 | sudo: 53 | groups: 54 | - sudo 55 | - wheel 56 | - name: https 57 | data_bags_path: "test/integration/https/data_bags" 58 | encrypted_data_bag_secret_key_path: "test/integration/https/encrypted_data_bag_secret" 59 | run_list: 60 | - recipe[gitlab-test] 61 | - recipe[gitlab] 62 | attributes: 63 | gitlab: 64 | https: true 65 | certificate_databag_id: test 66 | database: 67 | type: postgres 68 | -------------------------------------------------------------------------------- /.rspec: -------------------------------------------------------------------------------- 1 | --color 2 | -f documentation 3 | -------------------------------------------------------------------------------- /.rubocop.yml: -------------------------------------------------------------------------------- 1 | LineLength: 2 | Max: 125 3 | SpaceBeforeFirstArg: 4 | Exclude: 5 | - metadata.rb 6 | 7 | AllCops: 8 | Exclude: 9 | - '.kitchen/*' 10 | - '.vagrant/*' 11 | Encoding: 12 | Enabled: False 13 | LineLength: 14 | Max: 200 15 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: ruby 2 | rvm: 3 | - 2.1.0 4 | install: bundle install --without integration 5 | script: bundle exec rake 6 | -------------------------------------------------------------------------------- /Berksfile: -------------------------------------------------------------------------------- 1 | source 'https://api.berkshelf.com' 2 | 3 | metadata 4 | 5 | group :integration do 6 | cookbook 'apt', '~> 2.0' 7 | cookbook 'gitlab-test', path: 
'test/integration' 8 | end 9 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | Gitlab Cookbook Changelog 2 | ========================= 3 | 4 | v8.0.1 5 | ------ 6 | 7 | * Merge all pull requests in the queue 8 | * Upgrade to gitlab 8-0-stable branch (update configuration, new gitlab-git-http-server, security.yml) 9 | * In Fix 8.0.1 - Update gitlab.init.erb 10 | 11 | v7.7.1 12 | ------ 13 | 14 | * Closes #90, incorrect instance variable in template. 15 | 16 | v7.7.0 17 | ------ 18 | 19 | * Credit to @jeremyolliver for doing most of the work for an 7.x release. 20 | - gitlab branch targets 7-7-stable. 21 | - gitlab shell branch targets 2.4.1. 22 | - Ruby version is 2.1.2. 23 | * mysql cookbook 6.0 related changes. 24 | - This is a potentially breaking change. The gitlab::mysql recipe now sets up 25 | a mysql server since the mysql::server recipe no longer exists in the 6.0 26 | version of the mysql cookbook. 27 | - A future release of this cookbook may separate the duties of the mysql server, and 28 | the mysql database initialization for gitlab. 29 | - NOTE the database initialization for postgres remains unchanged, and backwards 30 | compatible with prior releases. 31 | 32 | 33 | v6.9.0 34 | ------ 35 | 36 | * Fix Rubocop warnings 37 | * Issue #76 38 | * Bump version to 6.9 39 | * depsolv problem with modernizr 40 | * Issue #74 41 | * Use database::mysql and database::postgresql for database cookbook 42 | library functionality as mysql::ruby postgres::ruby deprecrated. 43 | 44 | v6.4.5 - v6.4.6 45 | --------------- 46 | 47 | * Add regression tests for #66 hackery 48 | * Issue #66, #71 regression, update-alternatives hack does not work when install_ruby_path 49 | is changed. 50 | 51 | v6.4.4 52 | ------ 53 | 54 | * Issue #62, certificate resource does not exist if nil, and used as name attribute. 
55 | 56 | v6.4.3 57 | ------ 58 | 59 | * Issue #66, gitlab service needs a priority > 20, on debian platform. 60 | * Issue #66, update-alternatives hack so gitlab-shell can find Ruby. 61 | * Issue #69, Correct gitlab_url in gitlab-shell config.yml, add regression tests. 62 | * Issue #67, soften cookbook dependencies on unknown platforms. 63 | * Issue #62, Add new user attributes to gitlab.yml, and update documentation. 64 | 65 | v6.4.2 66 | ------ 67 | 68 | * Add a profile script shim, so init script can correct Ruby. 69 | 70 | v6.4.1 71 | ------ 72 | 73 | * Issue #60 - thanks to @nickryand 74 | - Modified the bundle install command to drop a file on successful 75 | completion 76 | - Added the absolute path to the bundler binary installed into the 77 | system ruby path. 78 | - Added a more accurate pattern matcher to gitlab service resource 79 | so Chef can find unicorn_rails processes instead of finding processes that 80 | have the 'gitlab' string in them. 81 | - Changed the background call to script/web and script/background_jobs 82 | in the startup script. These are now foreground calls forcing the start 83 | script to block until they return (after the processes are up). This 84 | prevents the Chef run from completing before the unicorn_rails processes 85 | are up. 86 | 87 | * Other fixes/tweaks 88 | - Remove yum dependency hell. 89 | - Change init/database.yml order due to service subscription. 90 | - Add a :80 redirect to :443, avoids default site showing on :80 91 | when `gitlab['https']` set. 92 | 93 | * Update test files 94 | - Pin omnibus version at 11.8.2, redisio remote file resource failure. 
95 | - Remove explicit nil on databag_certificate_id, fails on default suite 96 | - Remove support Gemfile, and update travis.yml 97 | - Add bats tests for default/https suites 98 | 99 | v6.4.0 100 | ------ 101 | 102 | * Bump gitlab-shell to v1.8.0 103 | * Bump gitlab to 6.4.0 104 | * Remove stale nginx config file 105 | * Default recipe changes 106 | - Update gitlab-shell config to point at /usr/local/bin/redis-cli 107 | - Fix permissions on .ssh/authorized_keys 108 | - Add rack_attack file 109 | - Add precompile assets execute 110 | - Add logrotate dependency and configuration 111 | 112 | v6.1.21 113 | ------- 114 | 115 | * Add node['database']['userhost'] attribute, fixes #57 116 | * Fix gitlab['listen_port']/gitlab['https'] condition, fixes #58 117 | * Add node['gitlab']['self_signed_cert'] and documentation, fixes #58 118 | * Revert yum-epel changes, COOK-4164 blocking, will re-open 119 | - Fix dependency hell w/ nginx cookbook 120 | * Add rubocop linting 121 | * Add chefspec mysql/postgres http/https branching specs 122 | * Remove unneeded python dependency 123 | 124 | v6.1.10 125 | ------- 126 | 127 | Bugs squashed: 128 | 129 | * Re-order database components to fix Ubuntu Test-Kitchen run. #44 130 | * Update port forwarding configuration in kitchen.yml. #46 131 | * Update Satellite paths to fix Gitlab forking. #50 132 | * ruby-build installs to node['gitlab']['home'], avoiding PATH hacks 133 | for Rake. Use node['gitlab']['install_ruby_path'] to override. #16 134 | * ruby-build failing on 1.9.3-p448, bump version to 1.9.3-p484. 135 | * Pinned yum dependency on < 3.0.0 136 | 137 | Features added: 138 | 139 | * Add knob for disabling Gravatar. #51 140 | * Add LDAP Authentication support. #49 141 | 142 | Removed: 143 | 144 | * sudo cookbook dependency removed. 
#52 145 | 146 | v6.1.0 147 | ------ 148 | 149 | Clean up some of the code to target [6-1-stable branch](https://github.com/gitlabhq/gitlabhq/blob/6-1-stable/doc/install/installation.md) 150 | 151 | * Move gitlab.home to /srv/git - [FHS 2.3](http://www.pathname.com/fhs/pub/fhs-2.3.html) 152 | * Use ruby_build to compile 1.9.3 by default per gitlabhq documentation. 153 | * Clean up both cookbook and package dependencies. 154 | * Remove ruby-shadow, included in Omnibus, not needed anyway as no 155 | password is set. 156 | * Use gitconfig template, instead of execute. 157 | * Add test-kitchen skeleton, and certificate data_bag integration. 158 | - Add gitlab.certificate_databag_id to deploy certificate from encrypted databag. 159 | * Minor sudo fix in gitlab init script. 160 | * Use nginx_site definition to disable default nginx site. 161 | * Add nginx_server_names array for hostname match precedence over potential default sites matching `_`. 162 | 163 | v0.5.0 164 | ------ 165 | 166 | * Database back-end changes via @sethvargo 167 | - Adds a mysql and postgresql database creation 168 | - **Breaking change**: developed against githlabhq/master (sqlite no longer supported) 169 | 170 | * Gitolite deploy changes via @dscheu 171 | - Deploy gitlabhq/gitolite, not sitaramc/gitolite 172 | 173 | * Add configurable backup paths to Gitlab configuration via @dscheu 174 | 175 | v0.3.4 176 | ------ 177 | 178 | Fix issues with stable snapshot v3.x 179 | 180 | * Avoid installing pg, gem which adds extra dependencies 181 | * Add change to default gitolite.rc per upgrade instructions 182 | 183 | v0.3.3 184 | ------ 185 | 186 | Issues #9 and #10 187 | 188 | Issue 9: this version MAY fix issues with key generation when 189 | cookbook is invocated via chef-solo. There may exist other 190 | chef-solo blockers within the cookbook. Specifically, `File.exists?` 191 | guards were added to SSH public key generation code blocks. 
192 | 193 | Issue 10: this version fixes one minor dependency bug with EPEL 194 | dependencies via metadata and inclusion. 195 | 196 | v0.3.2 197 | ------ 198 | 199 | * Default gitlab branch to stable 200 | 201 | v0.3.1 202 | ------ 203 | 204 | * ISSUE 7: public key template fails to render 205 | * ISSUE 8: unicorn_rails script fails on ruby package platforms 206 | 207 | v0.3.0 208 | ------ 209 | 210 | * Missing bracket 211 | * Change single-quote variable to symbol notation 212 | * install python and symlink redis-cli so hooks work 213 | * HTTPS options for nginx 214 | * Ubuntu/Debian platform compatibility fixes 215 | * [FC035](http://acrmp.github.com/foodcritic/#FC035): Template uses node attribute directly 216 | 217 | v0.2.1 218 | ------ 219 | 220 | Thanks to Fletcher Nichol for the feedback and fixes :) 221 | 222 | * Add `gitlab_branch` attribute. 223 | * Fix directory block syntax (do). 224 | 225 | v0.2.0 226 | ------ 227 | 228 | * Epic public release 229 | * Moar testing 230 | * Clean up init script 231 | * Fix unicorn config 232 | * Fix gitlab home permissions for nginx 233 | 234 | v0.1.0 235 | ------ 236 | 237 | #Epic refactor 238 | 239 | * Write long README 240 | * variable renaming to simplify readability 241 | * refactor dependencies and package lists 242 | * generate ssh keys in Ruby, import to gitolite 243 | * Integrate gitolite recipe into cookbook 244 | * Fix broken ssh problems 245 | * fixup git home permissions 246 | * use system ruby instead of chef-full bundler 247 | * Re-work dependencies; Prefer ruby_build rubies over Redhat shipped 248 | 249 | v0.0.1 - v0.0.40 250 | ---------------- 251 | 252 | #Prototyping 253 | 254 | Added cookbook dependencies for gitlab/gitolite 255 | Prototype attributes for gitlab cookbook 256 | Fixed gitolite support for gitlab in default.rb 257 | Fixed permissions & gl-setup in gitlab default.rb 258 | Edit default.rb in gitlab & gitolite cookbooks 259 | Edit gitolite cmd to add .pub key 260 | Fix code blocks in wrong 
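order gitolite/gitlab ckbks
Refactor gitolite/gitlab ckbks again. Works now.
Add cookbooks redisio & sqlite. Install pkgs for gitlab
Install Gems. Rename config files 4 gitlab cookbook
Config Sqlite DB for gitlab
Add ability to start gitlab & resque
-------------------------------------------------------------------------------- /Gemfile: --------------------------------------------------------------------------------
# Development and test dependencies for the cookbook (linting, ChefSpec,
# Test Kitchen). The cookbook itself has no gem dependencies at runtime.
#
# Fetch gems over TLS only. A plain-http gem source lets anyone on the network
# path hand a modified gem to `bundle install`, and that install is the supply
# chain for every CI run and every developer machine.
source 'https://rubygems.org'

gem 'berkshelf'
gem 'chefspec'
gem 'foodcritic'
gem 'rubocop'

# Only needed for `kitchen` runs; CI installs with
# `bundle install --without integration` (see .travis.yml).
group :integration do
  gem 'test-kitchen'
  gem 'kitchen-vagrant'
end

# NOTE(review): .gitignore excludes `*.lock`, so no Gemfile.lock is committed and
# every CI run resolves the newest gem versions that match the (unconstrained)
# requirements above. Commit a lockfile, or add version constraints here, if
# dependency updates should be reproducible and reviewable.
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
## Gitlab Cookbook

[![Build Status](https://travis-ci.org/atomic-penguin/cookbook-gitlab.png?branch=master)](https://travis-ci.org/atomic-penguin/cookbook-gitlab)

This cookbook will deploy gitlab; a free project and repository management
application.

Gitlab code is hosted [here](https://gitlab.com/gitlab-org/gitlab-ce).

## Important changes

Going forward, the cookbook major version (i.e. 6.1.x) will target the
matching stable branch (i.e. 6-1-stable) of the Gitlab application.
The 6.1.x release is not backwards compatible with previous versions targeting
Gitlab master.

For the 7.7.x release of the cookbook, the default Ruby will
be 2.1.2 compiled with [ruby_build](http://fnichol.github.com/chef-ruby_build/).
Using a compiled Ruby follows the Gitlab installation guidelines upstream.
If you have a better approach which reduces complexity or reduces converge time,
please open a pull request on Github.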
The application home is located in `/srv/git/gitlab`
in accordance with the [Filesystem Hierarchy Standard (FHS) version 2.3](http://www.pathname.com/fhs/).

## Requirements

* Hard disk space
  - About 600 MB, plus enough space for repositories in the application home

* You need to add `mysql::server` or `postgresql::server` to your run\_list
  if you intend to run the whole application stack on a single instance.
  The `gitlab::mysql` and `gitlab::postgres` recipes set up the RDBMS
  connection only, to allow for multi-instance architecture. See
  `Database Attributes` documentation below for RDBMS connection
  parameters. (The PostgreSQL recipe is `gitlab::postgres`, matching
  `recipes/postgres.rb`. Note also that the CHANGELOG entry for v7.7.0 says
  `gitlab::mysql` now sets up a MySQL server itself, because `mysql::server`
  no longer exists in the 6.0 mysql cookbook; check `recipes/mysql.rb` for
  your cookbook version before adding `mysql::server` to the run\_list.)

## Cookbook dependencies

* [ruby\_build](http://fnichol.github.com/chef-ruby_build/)
  - Thanks to Fletcher Nichol for his awesome ruby\_build cookbook.
    This ruby\_build LWRP is used to build the Ruby version given by
    `gitlab['install_ruby']` (see `attributes/default.rb`) for gitlab.

* [redisio](http://community.opscode.com/cookbooks/redisio)
  - Thanks to Brian Bianco for this Redis cookbook.
* Opscode, Inc cookbooks
  - [git](http://community.opscode.com/cookbooks/git)
  - [build-essential](http://community.opscode.com/cookbooks/build-essential)
  - [nginx](http://community.opscode.com/cookbooks/nginx)
  - [logrotate](http://community.opscode.com/cookbooks/logrotate)
  - [openssh](http://community.opscode.com/cookbooks/openssh)
  - [perl](http://community.opscode.com/cookbooks/perl)
  - [xml](http://community.opscode.com/cookbooks/xml)
  - [zlib](http://community.opscode.com/cookbooks/zlib)
  - [database](http://community.opscode.com/cookbooks/database)


Attributes
==========

* `gitlab['user']` & `gitlab['group']`
  - Gitlab service user and group for Unicorn Rails app, default `git`

* `gitlab['home']`
  - Gitlab top-level home for service account, default `/srv/git`

* `gitlab['app_home']`
  - Gitlab application home, default `/srv/git/gitlab`

* `gitlab['email_from']`
  - Gitlab "from" address, default `gitlab@` + `node['domain']`
    (see `attributes/default.rb`)

* `gitlab['git_url']`
  - Gitlab repository address, default https://gitlab.com/gitlab-org/gitlab-ce.git

* `gitlab['git_branch']`
  - Defaults to the stable GitlabHQ branch matching the major version of this cookbook,
    e.g. 6.1.x => 6-1-stable. See `attributes/default.rb` for the branch currently pinned.

* `gitlab['packages']`
  - Platform specific OS packages

* `gitlab['trust_local_sshkeys']`
  - `ssh_config` setting for gitlab to trust localhost keys automatically, default yes.
    It is rendered into the `git` user's `ssh_config` (`templates/default/ssh_config.erb`)
    and, as the name suggests, presumably relaxes host-key verification for connections
    to localhost only. Check the template before changing it; gitlab-shell's loopback
    SSH use may depend on it.

* `gitlab['install_ruby']`
  - Attribute to determine whether vendor packages are installed,
    or Rubies are built. The default is the version pinned in `attributes/default.rb`
    (2.3.7 at the time of writing) for Debian and RHEL family platforms.
  - If you choose to use a vendor provided package, you will need to use
    a role to override the `gitlab['packages']` array.

* `gitlab['https']`
  - Whether https should be used.
Default false. With https disabled nginx serves GitLab over plain HTTP, so
    logins, session cookies and private tokens cross the network in cleartext.
    Set this to true (with a certificate supplied through
    `gitlab['certificate_databag_id']`) for any instance reachable beyond a
    trusted test network.

* `gitlab['self_signed_cert']`
  - Allows self-signed certificates over https protocol. Default false.
    Intended for test setups only: clients will not trust the certificate, and
    users who learn to click through the browser warning lose the protection
    https was meant to provide.

* `gitlab['certificate_databag_id']`
  - Encrypted databag name containing certificate file, CA bundle, and key. Default nil
  - See [certificate cookbook](http://community.opscode.com/cookbooks/certificate) for further information.
  - The data bag secret that decrypts it must be provisioned to the node out of band.
    The `encrypted_data_bag_secret` under `test/integration/https/` is a Test Kitchen
    fixture that is checked into this repository; never reuse it for real nodes.

* `gitlab['ssl_certificate']` & `gitlab['ssl_certificate_key']`
  - Paths nginx is configured with for the certificate and private key,
    default `/etc/nginx/ssl/certs/<fqdn>.pem` and `/etc/nginx/ssl/private/<fqdn>.key`.

* `gitlab['ssl_protocols']` & `gitlab['ssl_ciphers']`
  - The nginx `ssl_protocols` and `ssl_ciphers` strings. See `attributes/default.rb`
    for the current defaults; override them in a wrapper cookbook or role if your
    clients or compliance baseline require something different.

* `gitlab['backup_path']`
  - Path in file system where backups are stored. Default `gitlab['app_home'] + backups/`.
    GitLab backups contain the repositories and a database dump, so protect this
    directory (and every copy of it) like the production data itself.

* `gitlab['backup_keep_time']`
  - Units are seconds. Older backups will automatically be deleted when a new backup is created. Set to 0 to keep backups forever.
  - Defaults to 604800

* `gitlab['listen_ip']`
  - IP address that nginx will listen on, default `*` (listen on all IPs). Narrow this
    on hosts with interfaces that should not expose GitLab. `gitlab['listen_ipv6']`
    (default: true when the node has an IPv6 address) presumably controls whether an
    IPv6 listener is added as well.

* `gitlab['listen_port']`
  - Port that nginx will listen on, default to 80 if gitlab['https'] is set to false, 443 if set to true

* `gitlab['web_fqdn']`
  - An overridable service name, used in gitlab and unicorn configuration files.
    Useful if `hostname -f` is not the same as the customer facing hostname.
    Default `node['fqdn']` (see `attributes/default.rb`).

* `gitlab['nginx_server_names']`
  - An array with nginx `server_name` matches. Helpful to override default test site pages
    shipping with some nginx packages. Default `[ 'gitlab.*', node['fqdn'] ]`.
    See [nginx server_name documentation](http://nginx.org/en/docs/http/server_names.html)
    for valid matching patterns.

* `gitlab['unicorn']['timeout']`
  - Timeout in seconds to Unicorn
  - Default: 60

* `gitlab['shell']['gitlab_host']`
  - Custom hostname for Gitlab Shell
  - Default: nil (To be overwritten by `gitlab['web_fqdn']` or `node['fqdn']`)

### User privileges

**Note**, these attributes are useful when you want only admins to create projects and groups.
And to restrict username changing. 139 | 140 | * `gitlab['default_can_create_group']` 141 | - When you create a user this value is their `can_create_group` profile setting. 142 | - Default, true. 143 | 144 | * `gitlab['username_changing_enabled']` 145 | - Disable/enable users changing their username. 146 | - Default, true. 147 | 148 | ### Database Attributes 149 | 150 | **Note**, most of the database attributes have sane defaults. You will only need to change these configuration options if 151 | you're using a non-standard installation. Please see `attributes/default.rb` for more information on how a dynamic attribute 152 | is calculated. 153 | 154 | * `gitlab['database']['type']` 155 | - The database (datastore) to use. 156 | - Options: "mysql", "postgres" 157 | - Default "mysql" 158 | 159 | * `gitlab['database']['adapter']` 160 | - The Rails adapter to use with the database type 161 | - Options: "mysql", "postgresql" 162 | - Default (varies based on `type`) 163 | 164 | * `gitlab['database']['socket']` 165 | - The socket to use for connection 166 | - Default /var/run/mysqld/mysqld.sock 167 | 168 | * `gitlab['database']['encoding']` 169 | - The database encoding 170 | - Default (varies based on `type`) 171 | 172 | * `gitlab['database']['host']` 173 | - The host (fqdn) where the database exists 174 | - Default `127.0.0.1` 175 | 176 | * `gitlab['database']['userhost']` 177 | - The host (fqdn) from which the database user may connect. 
- Default `127.0.0.1`

* `gitlab['database']['pool']`
  - The maximum number of connections to allow
  - Default 5

* `gitlab['database']['database']`
  - The name of the database
  - Default `gitlab`

* `gitlab['database']['username']`
  - The username for the database
  - Default `gitlab`

* `gitlab['database']['password']`
  - The password for the database user. Default nil (see `attributes/default.rb`).
    Set it from a wrapper cookbook, role or encrypted data bag rather than editing
    this cookbook, and remember that anything stored in node attributes is readable
    by whoever can read the node object on the Chef server.

### LDAP Authentication Attributes

* `gitlab['ldap']['enabled']`
  - Use LDAP for authentication
  - Default: false

* `gitlab['ldap']['host']`
  - Hostname of your LDAP server
  - Default: "_your_ldap_server"

* `gitlab['ldap']['base']`
  - Base DN for users (e.g. dc=users,dc=example,dc=com)
  - Default: "_the_base_where_you_search_for_users"

* `gitlab['ldap']['port']`
  - LDAP server port
  - Default: 636

* `gitlab['ldap']['active_directory']`
  - Whether the LDAP server is Active Directory; presumably rendered as GitLab's
    `active_directory` LDAP option in `gitlab.yml.erb` (check the template).
  - Default: true (see `attributes/default.rb`)

* `gitlab['ldap']['uid']`
  - User ID used when searching for users (e.g. uid, cn, or sAMAccountName)
  - Default: "sAMAccountName"

* `gitlab['ldap']['method']`
  - Connection method used with LDAP server
  - Options: "simple_tls", "start_tls", "plain"
  - Default: "simple_tls" (see `attributes/default.rb`; earlier versions of this README
    listed "ssl"). "plain" sends the bind password and every user's login credentials
    to the LDAP server unencrypted, so use it only on an isolated network; pair
    "simple_tls" with port 636.

* `gitlab['ldap']['bind_dn']`
  - Some servers require a username in order to bind.
  - Leave default if your server supports anonymous bind.
  - Default: "_the_full_dn_of_the_user_you_will_bind_with"
  - Use a least-privilege, read-only account for the bind.

* `gitlab['ldap']['password']`
  - Some servers require a password in order to bind
  - Leave default if your server supports anonymous bind.
  - Supply the value from an encrypted data bag or another secret store rather than
    a plain role file committed to git.
- Default: "_the_password_of_the_bind_user"

* `gitlab['ldap']['allow_username_or_email_login']`
  - If you want to allow users to login using both username and email address even though username (uid) will actually be used
  - Default: true

* `gitlab['ldap']['user_filter']`
  - You can provide a query string here to filter which users will be selected
  - Default: ""

Recipes
=======

## default

This installs and starts GitLab with nginx and your chosen database.

## mysql, postgres

These are internal, set `gitlab['database']['type']` instead.

Usage
=====

Optionally override application paths using gitlab['home'] and gitlab['app\_home']
(these are the attributes defined in `attributes/default.rb`; there is no `git_home` attribute).

Add recipe gitlab::default to run\_list. Go grab a lunch, or two, if Ruby has to build.

The default admin credentials for the gitlab application are as follows:

    User: admin@local.host
    Password: 5iveL!fe

These credentials are public knowledge, so anyone who can reach the web UI can
log in as the administrator until they are changed. Change them as the very
first step after the converge finishes, and keep the host firewalled or off
untrusted networks until you have done so.

## Role example for Gitlab with https, and MySQL

```
name "gitlab_https"
description "Configures and installs gitlab w/ https, and mysql server"
override_attributes "gitlab" => {
  "https" => true,
  "certificate_databag_id" => "wildcard"
}
run_list "recipe[gitlab]"
```

When the MySQL server is installed by this cookbook, also override
`node['mysql']['server_root_password']`: the value in `attributes/default.rb`
is a placeholder that is the same on every node and is visible in this repository.

Upgrade
=======

As of now it's not supported in the cookbook out of the box; however, the following steps document the process.
279 | 280 | ## Upgrade from chef cookbook higher version 281 | 282 | To upgrade Gitlab version make sure you: 283 | 284 | * upload new gitlab cookbook to chef server 285 | * override node attributes (example for Gitlab 8.x): 286 | ``` 287 | override['gitlab']['git_branch'] = '8-0-stable' 288 | override['gitlab']['shell']['git_branch'] = 'v2.6.5' 289 | override['languages']['ruby']['default_version'] = '2.1.6' 290 | ``` 291 | * Follow appropriate steps on official gitlab docs: http://doc.gitlab.com/ce/update/7.14-to-8.0.html 292 | 293 | You may skip merging all configuration files, init.d scripts etc. 294 | 295 | In general this procedure consist of following steps: 296 | 297 | ``` 298 | sudo service gitlab stop 299 | sudo su - git 300 | cd /srv/git/gitlab 301 | # bundle install 302 | bundle exec rake gitlab:backup:create RAILS_ENV=production 303 | git fetch --all 304 | git checkout -- db/schema.rb # local changes will be restored automatically 305 | git checkout 8-0-stable 306 | cd /srv/git/gitlab-shell 307 | git fetch 308 | git checkout v2.6.5 309 | # for 8x somewhere here should gitlab cookbook generate new configuration files 310 | # MySQL installations 311 | bundle install --without postgres development test --deployment 312 | # PostgreSQL installations 313 | bundle install --without mysql development test --deployment 314 | bundle exec rake db:migrate RAILS_ENV=production 315 | bundle exec rake assets:clean assets:precompile cache:clear RAILS_ENV=production 316 | sudo service gitlab start 317 | sudo service nginx restart 318 | ``` 319 | 320 | NOTE: Don't forget to make trusted backups first! 321 | 322 | 323 | 324 | 325 | License and Author 326 | ================== 327 | 328 | Author: Gerald L. Hevener Jr., M.S. 329 | Copyright: 2012 330 | 331 | Author: Eric G. Wolfe 332 | Copyright: 2012 333 | 334 | Licensed under the Apache License, Version 2.0 (the "License"); 335 | you may not use this file except in compliance with the License. 
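You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-------------------------------------------------------------------------------- /Rakefile: --------------------------------------------------------------------------------
#!/usr/bin/env rake
#
# Developer/CI entry point. A bare `rake` runs the `default` task below
# (foodcritic, rubocop, chefspec); Test Kitchen tasks are added only when the
# kitchen gem is installed.

# chefspec task against spec/*_spec.rb
require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new(:chefspec)

# rubocop rake task
desc 'Ruby style guide linter, fails on Error or Warn'
task :rubocop do
  # --fail-level W: warnings, not only errors, fail the build.
  sh 'rubocop --fail-level W'
end

# foodcritic task
desc 'Runs foodcritic linter'
task :foodcritic do
  # foodcritic needs Ruby >= 1.9.2; on older interpreters the lint is skipped
  # with a warning instead of failing the whole build.
  if Gem::Version.new('1.9.2') <= Gem::Version.new(RUBY_VERSION.dup)
    # --epic-fail any: any finding that is not excluded fails the task. Four
    # rules (FC014, FC015, FC024, FC043) are excluded deliberately.
    sh 'foodcritic --epic-fail any -f ~FC014 -f ~FC015 -f ~FC024 -f ~FC043 .'
  else
    puts "WARN: foodcritic run is skipped as Ruby #{RUBY_VERSION} is < 1.9.2."
  end
end

task default: %w(foodcritic rubocop chefspec)

# Test Kitchen lives in the :integration Gemfile group, which CI installs
# without (`bundle install --without integration`), so its tasks are optional.
begin
  require 'kitchen/rake_tasks'
  Kitchen::RakeTasks.new
rescue LoadError
  puts '>>>>> Kitchen gem not loaded, omitting tasks' unless ENV['CI']
end
-------------------------------------------------------------------------------- /attributes/default.rb: --------------------------------------------------------------------------------
#
# Cookbook Name:: gitlab
# Attributes:: default
#
# Copyright 2012, Gerald L. Hevener Jr., M.S.
# Copyright 2012, Eric G. Wolfe
# Copyright 2013, Johannes Becker
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default attributes for the gitlab cookbook. Everything here is `default`
# precedence and is meant to be overridden from a role, environment or wrapper
# cookbook. Secrets (database password, LDAP bind password, MySQL root
# password) do not belong in this file: supply them from an encrypted data bag,
# Chef Vault or another secret store, and remember that node attributes are
# readable by anyone who can read the node object on the Chef server.

# Set attributes for the git user
default['gitlab']['user'] = 'git'
default['gitlab']['group'] = 'git'
default['gitlab']['home'] = '/srv/git'
# Derived values are computed from node['gitlab']['home'] / node['fqdn'] at the
# moment this file loads.
# NOTE(review): a wrapper cookbook that overrides `home` in its own attribute
# file (which loads after this one) must also override `app_home`,
# `shell.home`, `install_ruby_path` and `backup_path`, or those keep pointing
# at /srv/git. Overrides coming from a role or environment are not affected.
default['gitlab']['app_home'] = node['gitlab']['home'] + '/gitlab'
default['gitlab']['web_fqdn'] = node['fqdn']
default['gitlab']['nginx_server_names'] = ['gitlab.*', node['fqdn']]
default['gitlab']['email_from'] = "gitlab@#{node['domain']}"
default['gitlab']['unicorn']['timeout'] = 60

# User default privileges
default['gitlab']['default_can_create_group'] = true
default['gitlab']['username_changing_enabled'] = true

# Set github URL for gitlab
# Fetched over https so the checkout cannot be tampered with in transit; the
# branch is a moving target, pin a tag in a wrapper if reproducible builds matter.
default['gitlab']['git_url'] = 'https://gitlab.com/gitlab-org/gitlab-ce.git'
default['gitlab']['git_branch'] = '10-8-stable'

# gitlab-shell attributes
default['gitlab']['shell']['home'] = node['gitlab']['home'] + '/gitlab-shell'
default['gitlab']['shell']['git_url'] = 'https://gitlab.com/gitlab-org/gitlab-shell.git'
default['gitlab']['shell']['git_branch'] = 'v7.1.2'
default['gitlab']['shell']['gitlab_host'] = nil

# Database setup
# `type` selects mysql or postgres; `adapter` and `encoding` are derived from it
# when this file loads (same wrapper-cookbook caveat as above).
default['gitlab']['database']['type'] = 'mysql'
default['gitlab']['database']['adapter'] = node['gitlab']['database']['type'] == 'mysql' ? 'mysql2' : 'postgresql'
default['gitlab']['database']['encoding'] = node['gitlab']['database']['type'] == 'mysql' ? 'utf8' : 'unicode'
default['gitlab']['database']['collation'] = 'utf8_general_ci'
default['gitlab']['database']['host'] = '127.0.0.1'
default['gitlab']['database']['socket'] = '/var/run/mysql-default/mysqld.sock'
default['gitlab']['database']['pool'] = 5
default['gitlab']['database']['database'] = 'gitlab'
default['gitlab']['database']['username'] = 'gitlab'
# Host the database user is allowed to connect from (MySQL grant scope).
default['gitlab']['database']['userhost'] = '127.0.0.1'
# No default on purpose: set this from a secret store in a wrapper/role.
# How a nil password is handled is up to the recipes -- confirm there.
default['gitlab']['database']['password'] = nil

# Ruby setup
include_attribute 'ruby_build'
default['ruby_build']['upgrade'] = 'sync'
default['gitlab']['install_ruby'] = '2.3.7'
default['gitlab']['install_ruby_path'] = node['gitlab']['home']
default['gitlab']['cookbook_dependencies'] = %w(
  zlib
  readline
  ncurses
  openssh
  logrotate
  redisio::default
  redisio::enable
  ruby_build
  nodejs::install
  yarn
)

# redisio instance
# port 0 disables Redis' TCP listener, so the instance is reachable only
# through the unix socket, which is created for the gitlab user/group with
# mode 660. Keep it that way; Redis has no authentication of its own here.
default['gitlab']['redis_instance'] = 'redisgitlab'
default['redisio']['servers'] = [
  {
    'name' => 'gitlab',
    'user' => node['gitlab']['user'],
    'group' => node['gitlab']['group'],
    'datadir' => '/var/lib/redis/gitlab',
    'unixsocket' => '/var/run/redis/gitlab/redis.sock',
    'unixsocketperm' => '660',
    'port' => 0
  }
]

# Required packages for Gitlab
default['gitlab']['packages'] = %w(
  cmake
  curl
  golang
  python-docutils
  sudo
  wget
)
case node['platform_family']
when 'debian'
  default['gitlab']['packages'] += %w(
    checkinstall
    libcurl4-openssl-dev
    libffi-dev
    libgdbm-dev
    libicu-dev
    libkrb5-dev
    libre2-dev
    libssl-dev
    libyaml-dev
    pkg-config
  )
when 'rhel'
  default['gitlab']['packages'] += %w(
    gdbm-devel
    jemalloc
    jemalloc-devel
    krb5-devel
    libcurl-devel
    libffi-devel
    libicu-devel
    libyaml-devel
    openssl-devel
    pkgconfig
    re2-devel
  )
end

# How to install git?
# Older platform releases build git from source via the git cookbook
# (presumably because their packaged git is too old); newer ones use the
# distro package, which also receives security updates through the package
# manager.
default['gitlab']['git_recipe'] = value_for_platform(
  %w( redhat centos scientific oracle ) => { '< 8' => 'source' },
  'amazon' => { '>= 0' => 'source' },
  'fedora' => { '< 25' => 'source' },
  'debian' => { '< 9' => 'source' },
  'ubuntu' => { '< 17.04' => 'source' },
  'default' => 'package'
)

# Rendered into the git user's ssh_config (templates/default/ssh_config.erb).
# Per the README it makes ssh trust localhost host keys automatically, which is
# presumably needed for gitlab-shell's loopback connections -- confirm in the
# template before changing it.
default['gitlab']['trust_local_sshkeys'] = 'yes'

# https is off by default: everything is served in cleartext until this is
# enabled together with a certificate (certificate_databag_id or the paths
# below). self_signed_cert is for test environments only.
default['gitlab']['https'] = false
default['gitlab']['certificate_databag_id'] = nil
default['gitlab']['self_signed_cert'] = false
default['gitlab']['ssl_certificate'] = "/etc/nginx/ssl/certs/#{node['fqdn']}.pem"
default['gitlab']['ssl_certificate_key'] = "/etc/nginx/ssl/private/#{node['fqdn']}.key"

# nginx TLS settings. The cipher list keeps the non-forward-secret AES suites
# (AES*-SHA*) for backwards compatibility with Java IDEs that cannot negotiate
# ECDHE, but no longer offers 3DES (DES-CBC3-SHA: 64-bit block size, SWEET32)
# and excludes anonymous, export, RC4 and MD5 suites.
default['gitlab']['ssl_ciphers'] = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4'
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail common compliance
# baselines, so only TLS 1.2 is enabled by default. Override this attribute
# (e.g. 'TLSv1.1 TLSv1.2') only for a legacy client that genuinely cannot do
# better. TLSv1.3 is not listed because older nginx builds reject the token.
default['gitlab']['ssl_protocols'] = 'TLSv1.2'

# Backups hold every repository plus a database dump; protect the directory
# accordingly.
default['gitlab']['backup_path'] = node['gitlab']['app_home'] + '/backups'
default['gitlab']['backup_keep_time'] = 604_800

# Ip and port nginx will be serving requests on
# '*' binds every interface; narrow it on hosts with interfaces that should
# not expose GitLab. A nil port means 80, or 443 when https is enabled.
default['gitlab']['listen_ip'] = '*'
default['gitlab']['listen_port'] = nil
default['gitlab']['listen_ipv6'] = !node['network']['ip6address'].nil?

# LDAP authentication
# The '_...' strings are placeholders. `simple_tls` on port 636 keeps the bind
# password and users' login credentials encrypted in transit; `plain` sends
# them in cleartext. Use a read-only, least-privilege bind account and set
# `password` from a secret store, never from a file committed to git.
default['gitlab']['ldap']['enabled'] = false
default['gitlab']['ldap']['host'] = '_your_ldap_server'
default['gitlab']['ldap']['base'] = '_the_base_where_you_search_for_users'
default['gitlab']['ldap']['port'] = 636
default['gitlab']['ldap']['active_directory'] = true
default['gitlab']['ldap']['uid'] = 'sAMAccountName'
default['gitlab']['ldap']['method'] = 'simple_tls'
default['gitlab']['ldap']['bind_dn'] = '_the_full_dn_of_the_user_you_will_bind_with'
default['gitlab']['ldap']['password'] = '_the_password_of_the_bind_user'
default['gitlab']['ldap']['allow_username_or_email_login'] = true
default['gitlab']['ldap']['user_filter'] = ''

# Mysql
# NOTE(review): this is a well-known placeholder in a public repository, not a
# secret. Every node that converges the MySQL server without overriding it
# gets the same root password; override it per node/environment from a
# secret store. Left unchanged here because the mysql recipe's handling of a
# missing value is not visible in this file.
default['mysql']['server_root_password'] = 'Ch4ngm3'
default['build-essential']['compile_time'] = true # needed for mysql chef_gem

# PostgreSQL
default['postgresql']['contrib']['extensions'] = ['pg_trgm']
default['postgresql']['pg_gem']['version'] = '0.21.0' # https://github.com/sous-chefs/postgresql/issues/480

# nginx
# The distro's default site would otherwise answer on port 80 ahead of GitLab.
default['nginx']['default_site_enabled'] = false

# GitLab Workhorse
default['gitlab']['workhorse_revision'] = 'v4.2.0'
default['gitlab']['workhorse_repository'] = 'https://gitlab.com/gitlab-org/gitlab-workhorse.git'

# Gitaly
default['gitlab']['gitaly_revision'] = 'v0.100.1'
default['gitlab']['gitaly_repository'] = 'https://gitlab.com/gitlab-org/gitaly.git'
-------------------------------------------------------------------------------- /chefignore: --------------------------------------------------------------------------------
# Put files/directories that should be ignored in this file.
# Lines that start with '# ' are comments.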


# gitignore
\.gitignore

# emacs
*~

# vim
*.sw[a-z]

# subversion
*/.svn/*

--------------------------------------------------------------------------------
/files/default/rack_attack.rb:
--------------------------------------------------------------------------------
# 1. Rename this file to rack_attack.rb
# 2. Review the paths_to_be_protected and add any other path you need protecting
#

# Rack::Attack initializer dropped into config/initializers by the cookbook.
# It rate-limits POSTs to the login / password-reset / session / sign-up
# endpoints so credential guessing is slowed down. Paths are compared exactly
# against req.path, so only the spellings listed here are covered.
relative_root = Rails.application.config.relative_url_root
api_prefix = "#{relative_root}/api/#{API::API.version}"

paths_to_be_protected = [
  "#{relative_root}/users/password",
  "#{relative_root}/users/sign_in",
  "#{api_prefix}/session.json",
  "#{api_prefix}/session",
  "#{relative_root}/users"
]

unless Rails.env.test?
  # 10 POSTs per 60 seconds per client address; the block returns nil (no
  # throttling) for every other request.
  # NOTE(review): req.ip is only per-client when the proxy in front of
  # unicorn (nginx here) forwards the client address in a way Rack trusts;
  # otherwise every client shares the proxy's address and the limit becomes
  # global — confirm against the nginx template.
  Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
    req.ip if paths_to_be_protected.include?(req.path) && req.post?
  end
end
--------------------------------------------------------------------------------
/metadata.rb:
--------------------------------------------------------------------------------
maintainer 'Eric G.
Wolfe' 2 | maintainer_email 'eric.wolfe@gmail.com' 3 | license 'Apache 2.0' 4 | description 'Installs/Configures gitlab' 5 | long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) 6 | name 'gitlab' 7 | version '10.8.0' 8 | issues_url 'https://github.com/atomic-penguin/cookbook-gitlab/issues' 9 | source_url 'https://github.com/atomic-penguin/cookbook-gitlab' 10 | 11 | %w( 12 | apt 13 | build-essential 14 | certificate 15 | chef_nginx 16 | database 17 | git 18 | logrotate 19 | ncurses 20 | nodejs 21 | openssh 22 | readline 23 | redisio 24 | ruby_build 25 | xml 26 | yarn 27 | yum-epel 28 | zlib 29 | ).each do |cb_depend| 30 | depends cb_depend 31 | end 32 | depends 'mysql', '~> 6.0' 33 | depends 'mysql2_chef_gem', '~> 1.0' 34 | depends 'postgresql', '~> 6.0' 35 | depends 'selinux_policy', '>= 2.1.0' 36 | 37 | %w(redhat centos scientific amazon debian ubuntu).each do |os| 38 | supports os 39 | end 40 | -------------------------------------------------------------------------------- /recipes/default.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook Name:: gitlab 3 | # Recipe:: default 4 | # 5 | # Copyright 2012, Gerald L. Hevener Jr., M.S. 6 | # Copyright 2012, Eric G. Wolfe 7 | # 8 | # Licensed under the Apache License, Version 2.0 (the "License"); 9 | # you may not use this file except in compliance with the License. 10 | # You may obtain a copy of the License at 11 | # 12 | # http://www.apache.org/licenses/LICENSE-2.0 13 | # 14 | # Unless required by applicable law or agreed to in writing, software 15 | # distributed under the License is distributed on an "AS IS" BASIS, 16 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 17 | # See the License for the specific language governing permissions and 18 | # limitations under the License. 
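#

# Recipe flow, top to bottom: platform package repos -> git -> database
# recipe -> SELinux tooling -> git user and home -> Ruby -> gitlab-shell ->
# GitLab checkout and config files -> bundle / yarn / assets / db setup ->
# Gitaly -> TLS certificate -> nginx -> gitlab service.
# Everything GitLab itself reads is owned by the git user; database.yml and
# resque.yml (which carry credentials / the redis socket) are root-owned and
# group-readable by the git group only.

case node['platform_family']
when 'debian'
  include_recipe 'apt'
when 'rhel'
  include_recipe 'yum-epel'
end

# Install new enough git version
include_recipe 'gitlab::git'

# Setup the database connection
# An unknown type is only logged; the converge carries on and fails later in
# the bundle / rake steps.
case node['gitlab']['database']['type']
when 'mysql'
  include_recipe 'gitlab::mysql'
when 'postgres'
  include_recipe 'gitlab::postgres'
else
  Chef::Log.error "#{node['gitlab']['database']['type']} is not a valid type. Please use 'mysql' or 'postgres'!"
end

# Install SELinux tools where appropriate
extend SELinuxPolicy::Helpers
include_recipe 'selinux_policy::install' if use_selinux

# Add a git user for Gitlab
user node['gitlab']['user'] do
  comment 'Gitlab User'
  home node['gitlab']['home']
  shell '/bin/bash'
  supports manage_home: true
end

# Install the required packages via cookbook
node['gitlab']['cookbook_dependencies'].each do |requirement|
  include_recipe requirement
end

# Install required packages for Gitlab
package node['gitlab']['packages']

# Fix home permissions for nginx
directory node['gitlab']['home'] do
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0755'
end

# Treat gitlab home as regular home for SELinux
selinux_policy_fcontext node['gitlab']['home'] do
  secontext 'user_home_dir_t'
end

# Create a $HOME/.ssh folder
directory "#{node['gitlab']['home']}/.ssh" do
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0700'
end

# authorized_keys is managed by gitlab-shell at runtime; only ownership and
# the 0600 mode sshd requires are enforced here.
file "#{node['gitlab']['home']}/.ssh/authorized_keys" do
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0600'
end

# Allow SSH connections under SELinux
selinux_policy_fcontext "#{node['gitlab']['home']}/.ssh(/.*)?" do
  secontext 'ssh_home_t'
end

# Allow SSH key generation via /tmp under SELinux
selinux_policy_module 'gitlab-ssh' do
  content <<-EOF
module gitlab-ssh 0.1;

require {
  type ssh_keygen_t;
  type initrc_tmp_t;
  class file open;
}

allow ssh_keygen_t initrc_tmp_t:file open;
  EOF
end

# Drop off git config
template "#{node['gitlab']['home']}/.gitconfig" do
  source 'gitconfig.erb'
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0644'
end

# Configure gitlab user to auto-accept localhost SSH keys
template "#{node['gitlab']['home']}/.ssh/config" do
  source 'ssh_config.erb'
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0644'
  variables(
    fqdn: node['fqdn'],
    trust_local_sshkeys: node['gitlab']['trust_local_sshkeys']
  )
end

# The recommended Ruby is >= 1.9.3
# We'll use Fletcher Nichol's ruby_build cookbook to compile a Ruby.
# Any install_ruby value not matching /package/ is treated as a version to
# build into install_ruby_path; 'package' uses the system Ruby and gem.
if node['gitlab']['install_ruby'] !~ /package/
  ruby_build_ruby node['gitlab']['install_ruby'] do
    prefix_path node['gitlab']['install_ruby_path']
    user node['gitlab']['user']
    # Was node['gitlab']['user']; every other resource in this recipe uses the
    # group attribute, and the two differ once either is overridden.
    group node['gitlab']['group']
  end

  # This hack put here to reliably find Ruby
  # cross-platform. Issue #66
  execute 'update-alternatives-ruby' do
    command "update-alternatives --install /usr/local/bin/ruby ruby #{node['gitlab']['install_ruby_path']}/bin/ruby 10"
    not_if { ::File.exist?('/usr/local/bin/ruby') }
  end

  # Install required Ruby Gems for Gitlab with ~git/bin/gem
  %w(charlock_holmes bundler).each do |gempkg|
    gem_package gempkg do
      gem_binary "#{node['gitlab']['install_ruby_path']}/bin/gem"
      action :install
      options('--no-ri --no-rdoc')
    end
  end
else
  # Install required Ruby Gems for Gitlab with system gem
  %w(charlock_holmes bundler).each do |gempkg|
    gem_package gempkg do
      action :install
      options('--no-ri --no-rdoc')
    end
  end
end

# setup gitlab-shell
# Clone Gitlab-shell repo
# :sync keeps an existing checkout at git_branch, so bumping the attribute
# upgrades gitlab-shell and re-runs the compile step below.
git node['gitlab']['shell']['home'] do
  repository node['gitlab']['shell']['git_url']
  revision node['gitlab']['shell']['git_branch']
  action :sync
  user node['gitlab']['user']
  group node['gitlab']['group']
  notifies :run, 'bash[compile-shell]', :immediately
end

bash 'compile-shell' do
  action :run
  cwd node['gitlab']['shell']['home']
  code "#{node['gitlab']['install_ruby_path']}/bin/ruby ./bin/compile"
  user node['gitlab']['user']
  group node['gitlab']['group']
  not_if { ::File.exist?("#{node['gitlab']['shell']['home']}/bin/gitaly-receive-pack") }
end

# Either listen_port has been configured elsewhere or we calculate it
# depending on the https flag
listen_port = \
  node['gitlab']['listen_port'] || (node['gitlab']['https'] ? 443 : 80)

# Address of gitlab api for which gitlab-shell should connect, prefered is
# using custom URL. If prefered URL is defined we are using 'gitlab_host'
# otherwise we just refer back to 'web_fqdn'.
api_fqdn = \
  node['gitlab']['shell']['gitlab_host'] || node['gitlab']['web_fqdn']

# The redis server named 'gitlab' (declared in attributes/default.rb) provides
# the unix socket for gitlab-shell and resque.yml. Fail with a clear message
# instead of a NoMethodError on nil when a wrapper replaces the server list.
redis_server = node['redisio']['servers'].find { |s| s['name'] == 'gitlab' }
raise "node['redisio']['servers'] must contain a server named 'gitlab'" unless redis_server
redis_socket = redis_server['unixsocket']

# render gitlab-shell config
template node['gitlab']['shell']['home'] + '/config.yml' do
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0644'
  source 'shell_config.yml.erb'
  variables(
    fqdn: api_fqdn,
    listen_port: listen_port,
    redis_socket: redis_socket
  )
end

# Clone Gitlab repo from github
# :checkout (unlike :sync above) does not move an existing checkout to a new
# git_branch; upgrades need the checkout refreshed separately.
git node['gitlab']['app_home'] do
  repository node['gitlab']['git_url']
  revision node['gitlab']['git_branch']
  action :checkout
  user node['gitlab']['user']
  group node['gitlab']['group']
end

# Render gitlab init script
# This needs to happen before gitlab.yml is rendered.
# So when the service is subscribed, the init file will be in place
# The upstream init script is patched rather than templated: the redis
# dependency is renamed to our redisio instance and app_user/app_root are
# rewritten (shell-escaped, as the values are interpolated into a shell
# script). `lazy` defers the read until the checkout above has converged.
file '/etc/init.d/gitlab' do
  owner 'root'
  group 'root'
  mode '0755'
  content(
    lazy do
      File.read("#{node['gitlab']['app_home']}/lib/support/init.d/gitlab").tap do |data|
        data.sub!(/(?<=# Required-Start:)(.*)\bredis-server\b/, '\1' + node['gitlab']['redis_instance'])
        data.sub!(/^(\s*app_user=).*/, '\1' + Shellwords.escape(node['gitlab']['user']))
        data.sub!(/^(\s*app_root=).*/, '\1' + Shellwords.escape(node['gitlab']['app_home']))
      end
    end
  )
end

# Write the database.yml
# Carries the application database password: root-owned, readable by the git
# group only, not writable by the application.
template "#{node['gitlab']['app_home']}/config/database.yml" do
  source 'database.yml.erb'
  owner 'root'
  group node['gitlab']['group']
  mode '0640'
  variables(
    adapter: node['gitlab']['database']['adapter'],
    encoding: node['gitlab']['database']['encoding'],
    collation: node['gitlab']['database']['collation'],
    host: node['gitlab']['database']['host'],
    database: node['gitlab']['database']['database'],
    pool: node['gitlab']['database']['pool'],
    username: node['gitlab']['database']['username'],
    password: node['gitlab']['database']['password']
  )
end

file "#{node['gitlab']['app_home']}/config/resque.yml" do
  owner 'root'
  group node['gitlab']['group']
  mode '0640'
  content lazy {
    { 'production' => { 'url' => "unix:#{redis_socket}" } }.to_yaml
  }
end

# Render gitlab config file
# NOTE(review): gitlab.yml is world-readable (0644) while the LDAP attributes
# in attributes/default.rb include a bind password; if gitlab.yml.erb renders
# those, 0640 with the git group would be the safer mode — confirm against
# the template.
template "#{node['gitlab']['app_home']}/config/gitlab.yml" do
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0644'
  variables(
    fqdn: node['gitlab']['web_fqdn'] || node['fqdn'],
    https_boolean: node['gitlab']['https'],
    git_user: node['gitlab']['user'],
    git_home: node['gitlab']['home'],
    git_app_home: node['gitlab']['app_home'],
    backup_path: node['gitlab']['backup_path'],
    backup_keep_time: node['gitlab']['backup_keep_time'],
    listen_port: listen_port
  )
end

# Copy file rack_attack.rb
# Installs the login / sign-up rate limiting initializer from files/default.
cookbook_file "#{node['gitlab']['app_home']}/config/initializers/rack_attack.rb" do
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0644'
end

# Create some world-readable directories
%w(log tmp tmp/pids tmp/sockets public).each do |dir|
  directory File.join(node['gitlab']['app_home'], dir) do
    user node['gitlab']['user']
    group node['gitlab']['group']
    mode '0755'
    recursive true
    action :create
  end
end

# Create some restricted directories
%w(tmp/sockets/private public/uploads).each do |dir|
  directory File.join(node['gitlab']['app_home'], dir) do
    user node['gitlab']['user']
    group node['gitlab']['group']
    mode '0700'
    action :create
  end
end

# Allow nginx to connect to gitlab.socket under SELinux
selinux_policy_fcontext "#{node['gitlab']['app_home']}/tmp/sockets(/.*)?" do
  secontext 'httpd_var_run_t'
end

selinux_policy_module 'gitlab-nginx-socket' do
  content <<-EOF
module gitlab-nginx-socket 0.1;

require {
  type httpd_t;
  type initrc_t;
  class unix_stream_socket connectto;
}

allow httpd_t initrc_t:unix_stream_socket connectto;
  EOF
end

# Set SELinux context for log files, necessary for sendmail to work
["#{node['gitlab']['app_home']}/log(/.*)?", "#{node['gitlab']['shell']['home']}/gitlab-shell\\.log.*"].each do |path|
  selinux_policy_fcontext path do
    secontext 'var_log_t'
  end
end

# logrotate gitlab-shell and gitlab
logrotate_app 'gitlab' do
  frequency 'weekly'
  su node['gitlab']['user'] + ' ' + node['gitlab']['group']
  path [
    "#{node['gitlab']['app_home']}/log/*.log",
    "#{node['gitlab']['shell']['home']}/gitlab-shell.log"
  ]
  rotate 52
  options %w(compress delaycompress notifempty copytruncate)
end

# create gitlab-satellites directory
directory File.join(node['gitlab']['home'], 'gitlab-satellites') do
  user node['gitlab']['user']
  group node['gitlab']['group']
  mode '0755'
  recursive true
  action :create
end

# create repositories directory
# setgid (2770) so new repositories inherit the git group; no world access.
directory File.join(node['gitlab']['home'], 'repositories') do
  user node['gitlab']['user']
  group node['gitlab']['group']
  mode '2770'
  recursive true
  action :create
end

# create backup_path
directory node['gitlab']['backup_path'] do
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0755'
  action :create
end

# Render unicorn template
template "#{node['gitlab']['app_home']}/config/unicorn.rb" do
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0644'
  variables(
    fqdn: node['fqdn'],
    gitlab_app_home: node['gitlab']['app_home'],
    gitlab_unicorn_timeout: node['gitlab']['unicorn']['timeout']
  )
end

# Bundler group for the database we are NOT using is excluded from the install.
without_group = node['gitlab']['database']['type'] == 'mysql' ? 'postgres' : 'mysql'

# Environment for every bundle / rake / make step below: the cookbook Ruby
# first on PATH, HOME inside the checkout, UTF-8 locale.
bundler_env = {
  'PATH' => "#{node['gitlab']['install_ruby_path']}/bin:#{ENV['PATH']}",
  'HOME' => node['gitlab']['app_home'],
  'LANG' => 'en_US.UTF-8',
  'LC_ALL' => 'en_US.UTF-8'
}

# Install Gems with bundle install
# Runs on every converge (no guard); bundler itself is a no-op when the
# Gemfile.lock is already satisfied.
execute 'gitlab-bundle-install' do
  command "bundle install --deployment --binstubs --without development test #{without_group} aws"
  cwd node['gitlab']['app_home']
  user node['gitlab']['user']
  group node['gitlab']['group']
  environment bundler_env
end

# Install GitLab Workhorse
git "#{node['gitlab']['home']}/gitlab-workhorse" do
  # default repository 'https://gitlab.com/gitlab-org/gitlab-workhorse.git
  repository node['gitlab']['workhorse_repository']
  revision node['gitlab']['workhorse_revision']
  action :sync
  user node['gitlab']['user']
  group node['gitlab']['group']
  notifies :run, 'bash[compile-workhorse]', :immediately
end

bash 'compile-workhorse' do
  action :run
  cwd "#{node['gitlab']['home']}/gitlab-workhorse"
  code <<-EOH
    make
  EOH
  user node['gitlab']['user']
  group node['gitlab']['group']
  not_if { ::File.exist?("#{node['gitlab']['home']}/gitlab-workhorse/gitlab-workhorse") }
end

yarn_install 'gitlab' do
  dir node['gitlab']['app_home']

  # Only root and vagrant can use vagrant-cachier. Files are owned by
  # vagrant:vagrant and execute does not respect secondary groups. :(
  if ENV['TEST_KITCHEN'].to_i == 1
    user 'root'
  else
    user node['gitlab']['user']
    user_home node['gitlab']['home']
  end
end

# Compile assets
# The marker file written at the end of the command is the idempotency guard;
# delete it to force a recompile after an upgrade.
execute 'gitlab-bundle-compile' do
  command 'bundle exec rake gettext:pack gettext:po_to_json gitlab:assets:compile RAILS_ENV=production NODE_ENV=production && touch .gitlab-compiled'
  cwd node['gitlab']['app_home']
  user node['gitlab']['user']
  group node['gitlab']['group']
  environment bundler_env
  not_if { ::File.exist?("#{node['gitlab']['app_home']}/.gitlab-compiled") }
end

# Initialize database
execute 'gitlab-bundle-rake' do
  # Check the task list below against setup.rake. We can't use
  # gitlab:setup because db:reset DROPs the database and we don't want
  # to give the database user permission to create new databases.
  # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/tasks/gitlab/setup.rake
  command 'bundle exec rake db:schema:load add_limits_mysql setup_postgresql db:seed_fu RAILS_ENV=production && touch .gitlab-setup'
  cwd node['gitlab']['app_home']
  user node['gitlab']['user']
  group node['gitlab']['group']
  environment bundler_env
  not_if { ::File.exist?("#{node['gitlab']['app_home']}/.gitlab-setup") }
end

# Install Gitaly
git "#{node['gitlab']['home']}/gitaly" do
  repository node['gitlab']['gitaly_repository']
  revision node['gitlab']['gitaly_revision']
  action :sync
  user node['gitlab']['user']
  group node['gitlab']['group']
  notifies :run, 'bash[compile-gitaly]', :immediately
end

bash 'compile-gitaly' do
  action :run
  cwd "#{node['gitlab']['home']}/gitaly"
  code 'make'
  user node['gitlab']['user']
  group node['gitlab']['group']
  environment bundler_env
  not_if { ::File.exist?("#{node['gitlab']['home']}/gitaly/gitaly") }
end

# Render Gitaly config file
template "#{node['gitlab']['home']}/gitaly/config.toml" do
  owner node['gitlab']['user']
  group node['gitlab']['group']
  mode '0644'
  source 'gitaly.toml.erb'
  variables(
    git_home: node['gitlab']['home'],
    git_app_home: node['gitlab']['app_home']
  )
end

# Use certificate cookbook for keys.
# Look for `search_id` in data_bag `certificates`
# Only runs for https deployments that name a data bag item; otherwise the
# ssl_certificate / ssl_certificate_key attributes must point at files
# provisioned some other way.
certificate_manage 'gitlab' do
  search_id node['gitlab']['certificate_databag_id']
  cert_path '/etc/nginx/ssl'
  owner node['gitlab']['user']
  # Was node['gitlab']['user']; aligned with the group attribute used
  # everywhere else in this recipe.
  group node['gitlab']['group']
  nginx_cert true
  not_if { node['gitlab']['certificate_databag_id'].nil? }
  only_if { node['gitlab']['https'] }
end

# Install nginx
include_recipe 'chef_nginx'

# Allow nginx to access static content under SELinux
selinux_policy_fcontext "#{node['gitlab']['app_home']}/public(/.*)?" do
  secontext 'httpd_sys_content_t'
end

# Render and activate nginx default vhost config
template '/etc/nginx/sites-available/gitlab' do
  owner 'root'
  group 'root'
  mode '0644'
  source 'nginx.gitlab.erb'
  notifies :restart, 'service[nginx]'
  variables(
    server_name: node['gitlab']['nginx_server_names'].join(' '),
    hostname: node['hostname'],
    gitlab_app_home: node['gitlab']['app_home'],
    https_boolean: node['gitlab']['https'],
    ssl_certificate: node['gitlab']['ssl_certificate'],
    ssl_certificate_key: node['gitlab']['ssl_certificate_key'],
    ssl_ciphers: node['gitlab']['ssl_ciphers'],
    ssl_protocols: node['gitlab']['ssl_protocols'],
    listen: "#{node['gitlab']['listen_ip']}:#{listen_port}",
    listen_ipv6: node['gitlab']['listen_ipv6']
  )
end

# Enable gitlab site
nginx_site 'gitlab' do
  enable true
end

# Enable and start unicorn and sidekiq service
# Restarted (delayed) whenever gitlab.yml or resque.yml changes.
service 'gitlab' do
  priority 30
  pattern "unicorn_rails master -D -c #{node['gitlab']['app_home']}/config/unicorn.rb"
  action [:enable, :start]
  subscribes :restart, "template[#{node['gitlab']['app_home']}/config/gitlab.yml]", :delayed
  subscribes :restart, "file[#{node['gitlab']['app_home']}/config/resque.yml]", :delayed
end
--------------------------------------------------------------------------------
/recipes/git.rb:
--------------------------------------------------------------------------------
#
# Cookbook Name:: gitlab
# Recipe:: git
#
# Copyright 2018, Yakara Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Installs git via the git cookbook's 'source' or 'package' recipe, chosen
# per platform by node['gitlab']['git_recipe'] in attributes/default.rb.
git_recipe = node['gitlab']['git_recipe']
include_recipe "git::#{git_recipe}"
--------------------------------------------------------------------------------
/recipes/mysql.rb:
--------------------------------------------------------------------------------
#
# Cookbook Name:: gitlab
# Recipe:: mysql
#
# Copyright 2012, Seth Vargo
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.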
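# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Installs a local MySQL server, creates GitLab's database and a
# least-privilege application user, and generates the application password
# when the attributes leave it nil. Included from recipes/default.rb when
# node['gitlab']['database']['type'] == 'mysql'.

# Native mysql2 gem, needed by the database cookbook's mysql resources below.
mysql2_chef_gem 'default' do
  client_version node['mysql']['version'] if node['mysql'] && node['mysql']['version']
  action :install
end

# Enable secure password generation
# A nil password (the attribute default) is replaced by a random one and
# persisted as a normal attribute so later converges reuse it; the second
# write through a freshly loaded node object presumably pushes it to the
# server straight away rather than at the end-of-run save — confirm.
# NOTE(review): the generated password is stored in cleartext in node
# attributes, readable by any client that can read or search this node.
unless node['gitlab']['database']['password']
  require 'securerandom'
  pw = SecureRandom.urlsafe_base64
  node.normal['gitlab']['database']['password'] = pw

  unless Chef::Config[:solo]
    node2 = Chef::Node.load node.name
    node2.normal['gitlab']['database']['password'] = pw
    node2.save
  end
end

# install mysql database
# The root password comes from node['mysql']['server_root_password'], a
# published default in attributes/default.rb unless overridden.
mysql_service 'default' do
  port '3306'
  version node['mysql']['version'] if node['mysql'] && node['mysql']['version']
  initial_root_password node['mysql']['server_root_password']
  action [:create, :start]
end

# Helper variables
database = node['gitlab']['database']['database']
database_user = node['gitlab']['database']['username']
database_password = node['gitlab']['database']['password']
database_userhost = node['gitlab']['database']['userhost']
# The root connection is handed the socket path as its host; this recipe does
# not use node['gitlab']['database']['host'] at all (the original assigned it
# here and immediately overwrote it with the socket). If a TCP host was
# intended, use the host attribute instead. NOTE(review): attributes/default.rb
# does not set node['mysql']['socket'], so `socket:` below is presumably nil —
# confirm what the mysql cookbook in use provides.
database_host = node['gitlab']['database']['socket']
database_connection = {
  host: database_host,
  username: 'root',
  password: node['mysql']['server_root_password'],
  socket: node['mysql']['socket']
}

# Create the database
mysql_database database do
  connection database_connection
  action :create
end

# Create the application user and grant its privileges with ONE resource.
# The original declared two mysql_database_user resources with the same name;
# the :grant one carried no `host`, so without Chef 12 resource cloning it
# granted to the resource default host while the user had been created for
# `database_userhost`. Keeping host, password and privileges on a single
# resource makes both actions apply to the same user@host. The privilege list
# deliberately stops short of creating databases (see the db setup comment in
# recipes/default.rb).
mysql_database_user database_user do
  connection database_connection
  password database_password
  host database_userhost
  database_name database
  privileges ['SELECT', 'LOCK TABLES', 'INSERT', 'UPDATE', 'DELETE', 'CREATE', 'DROP', 'INDEX', 'ALTER']
  action [:create, :grant]
end
--------------------------------------------------------------------------------
/recipes/postgres.rb:
--------------------------------------------------------------------------------
#
# Cookbook Name:: gitlab
# Recipe:: postgres
#
# Copyright 2012, Seth Vargo
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.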
#

# Installs a local PostgreSQL server and creates GitLab's role and database.
# Included from recipes/default.rb when
# node['gitlab']['database']['type'] == 'postgres'.
include_recipe 'postgresql::server'
include_recipe 'database::postgresql'

# Enable secure password generation
# Same scheme as recipes/mysql.rb: a nil password is replaced by a random
# one and persisted as a normal attribute; the extra write through a freshly
# loaded node object presumably reaches the server immediately — confirm.
# NOTE(review): the generated password is stored in cleartext in node
# attributes, readable by any client that can read or search this node.
unless node['gitlab']['database']['password']
  require 'securerandom'
  pw = SecureRandom.urlsafe_base64
  node.normal['gitlab']['database']['password'] = pw

  unless Chef::Config[:solo]
    node2 = Chef::Node.load node.name
    node2.normal['gitlab']['database']['password'] = pw
    node2.save
  end
end

# Create the database user
# No credentials are given for the admin connection, so the database
# cookbook's defaults for the local superuser apply — confirm for the
# postgresql cookbook version pinned in metadata.rb.
postgresql_database_user node['gitlab']['database']['username'] do
  connection :host => 'localhost'
  password node['gitlab']['database']['password']
  action :create
end

# Create the database
# Owned by the application role; no extra GRANTs are issued here.
postgresql_database node['gitlab']['database']['database'] do
  connection :host => 'localhost'
  owner node['gitlab']['database']['username']
  action :create
end

# FIXME: Add extension resource to postgresql cookbook
# postgresql::contrib installs node['postgresql']['contrib']['extensions']
# (pg_trgm in attributes/default.rb) into the database named here.
node.force_override['postgresql']['database_name'] = node['gitlab']['database']['database']
include_recipe 'postgresql::contrib'
--------------------------------------------------------------------------------
/spec/default_spec.rb:
--------------------------------------------------------------------------------
require 'spec_helper'

describe 'gitlab::default' do
  before do
    stub_command('git --version >/dev/null').and_return(true)
    stub_command('which nginx').and_return(true)

    %w(go godoc gofmt).each do |l|
      stub_command("test -e /usr/local/bin/#{l}").and_return(false)
      stub_command("test -e /usr/local/go/bin/#{l}").and_return(true)
      # File.stub(:exists?).with("/usr/bin/#{l}").and_return(false)
      # File.stub(:exists?).with("/usr/local/bin/#{l}").and_return(true)
    end
  end

  context 'on Centos 6.5 with mysql and https' do
    let(:chef_run) do
      ChefSpec::SoloRunner.new(platform: 'centos', version: 6.5) do |node|
node.override['gitlab']['database']['type'] = 'mysql' 20 | node.override['mysql']['server_root_password'] = 'test' 21 | node.override['gitlab']['https'] = true 22 | node.override['gitlab']['web_fqdn'] = 'gitlab.example.com' 23 | end.converge(described_recipe) 24 | end 25 | 26 | it 'includes gitlab::mysql' do 27 | expect(chef_run).to include_recipe('gitlab::mysql') 28 | end 29 | 30 | it 'renders gitlab-shell/config.yml with https://.*:443' do 31 | expect(chef_run).to render_file('/srv/git/gitlab-shell/config.yml').with_content(%r{gitlab_url: "https://.*:443/"}) 32 | end 33 | 34 | it 'renders config/gitlab.yml with https: true' do 35 | expect(chef_run).to render_file('/srv/git/gitlab/config/gitlab.yml').with_content(/https: true/) 36 | end 37 | 38 | it 'renders database.yml with mysql2 adapter and utf8 encoding' do 39 | expect(chef_run).to render_file('/srv/git/gitlab/config/database.yml').with_content(/adapter:\s+mysql2/) 40 | expect(chef_run).to render_file('/srv/git/gitlab/config/database.yml').with_content(/encoding:\s+utf8/) 41 | end 42 | 43 | it 'runs execute without postgres' do 44 | expect(chef_run).to run_execute(/bundle install --deployment.+--without.+postgres.+/) 45 | end 46 | 47 | it 'ISSUE #67 does not include cookbook sudo' do 48 | expect(chef_run).to_not include_recipe('sudo') 49 | end 50 | 51 | it 'ISSUE #67 includes package sudo' do 52 | expect(chef_run).to install_package('sudo') 53 | end 54 | 55 | it 'ISSUE #69 renders gitlab shell config with gitlab_url' do 56 | expect(chef_run).to render_file('/srv/git/gitlab-shell/config.yml').with_content(%r{gitlab_url:.*https://gitlab.example.com}) 57 | end 58 | 59 | it 'ISSUE #69 does not render gitlab shell config with boolean' do 60 | expect(chef_run).to_not render_file('/srv/git/gitlab-shell/config.yml').with_content(%r{gitlab_url:.*https://(true|false)}) 61 | end 62 | end 63 | 64 | context 'on Centos 6.5 with postgres and http' do 65 | let(:chef_run) do 66 | ChefSpec::SoloRunner.new(platform: 'centos', 
version: 6.5) do |node| 67 | node.override['gitlab']['database']['type'] = 'postgres' 68 | node.override['gitlab']['web_fqdn'] = 'gitlab.example.com' 69 | end.converge(described_recipe) 70 | end 71 | 72 | it 'includes gitlab::postgres' do 73 | expect(chef_run).to include_recipe('gitlab::postgres') 74 | end 75 | 76 | it 'renders gitlab-shell/config.yml with gitlab_url: http://*:80' do 77 | expect(chef_run).to render_file('/srv/git/gitlab-shell/config.yml').with_content(%r{gitlab_url: "http://.*:80/"}) 78 | end 79 | 80 | it 'renders config/gitlab.yml with https: false' do 81 | expect(chef_run).to render_file('/srv/git/gitlab/config/gitlab.yml').with_content(/https: false/) 82 | end 83 | 84 | it 'renders database.yml with postgresql adapter and unicode encoding' do 85 | expect(chef_run).to render_file('/srv/git/gitlab/config/database.yml').with_content(/adapter:\s+postgresql/) 86 | expect(chef_run).to render_file('/srv/git/gitlab/config/database.yml').with_content(/encoding:\s+unicode/) 87 | end 88 | 89 | it 'runs execute without postgres' do 90 | expect(chef_run).to run_execute(/bundle install --deployment.+--without.+mysql.+/) 91 | end 92 | 93 | it 'ISSUE #67 does not include cookbook sudo' do 94 | expect(chef_run).to_not include_recipe('sudo') 95 | end 96 | 97 | it 'ISSUE #67 includes package sudo' do 98 | expect(chef_run).to install_package('sudo') 99 | end 100 | 101 | it 'ISSUE #69 renders gitlab shell config with gitlab_url' do 102 | expect(chef_run).to render_file('/srv/git/gitlab-shell/config.yml').with_content(%r{gitlab_url:.*http://gitlab.example.com}) 103 | end 104 | 105 | it 'ISSUE #69 does not render gitlab shell config with boolean' do 106 | expect(chef_run).to_not render_file('/srv/git/gitlab-shell/config.yml').with_content(%r{gitlab_url:.*http://(true|false)}) 107 | end 108 | end 109 | 110 | context 'on centos 6.5 with /srv/git home, and default install_ruby_path' do 111 | let(:chef_run) do 112 | ChefSpec::SoloRunner.new(platform: 'centos', version: 
6.5) do |node| 113 | node.override['mysql']['server_root_password'] = 'test' 114 | node.override['gitlab']['home'] = '/srv/git' 115 | end.converge(described_recipe) 116 | end 117 | 118 | it 'ISSUE #66 creates user git with home /srv/git' do 119 | expect(chef_run).to create_user('git').with(home: '/srv/git') 120 | end 121 | 122 | it 'ISSUE #66 installs gems using /srv/git/bin/gem' do 123 | %w(charlock_holmes bundler).each do |gem| 124 | expect(chef_run).to install_gem_package(gem).with(gem_binary: '/srv/git/bin/gem') 125 | end 126 | end 127 | 128 | it 'ISSUE #66 runs update-alternatives on /srv/git/bin/ruby' do 129 | expect(chef_run).to run_execute('update-alternatives --install /usr/local/bin/ruby ruby /srv/git/bin/ruby 10') 130 | end 131 | end 132 | 133 | context 'on centos 6.5 with /srv/git home, and /var/lib/git install_ruby_path' do 134 | let(:chef_run) do 135 | ChefSpec::SoloRunner.new(platform: 'centos', version: '6.5') do |node| 136 | node.override['mysql']['server_root_password'] = 'test' 137 | node.override['gitlab']['home'] = '/srv/git' 138 | node.override['gitlab']['install_ruby_path'] = '/var/lib/git' 139 | end.converge(described_recipe) 140 | end 141 | 142 | it 'ISSUE #66 creates user git with home /srv/git' do 143 | expect(chef_run).to create_user('git').with(home: '/srv/git') 144 | end 145 | 146 | it 'ISSUE #66 installs gems using /var/lib/git/bin/gem' do 147 | %w(charlock_holmes bundler).each do |gem| 148 | expect(chef_run).to install_gem_package(gem).with(gem_binary: '/var/lib/git/bin/gem') 149 | end 150 | end 151 | 152 | it 'ISSUE #66 runs update-alternatives on /var/lib/git/bin/ruby' do 153 | expect(chef_run).to run_execute('update-alternatives --install /usr/local/bin/ruby ruby /var/lib/git/bin/ruby 10') 154 | end 155 | end 156 | 157 | context 'on centos 6.5 with Ruby package' do 158 | let(:chef_run) do 159 | ChefSpec::SoloRunner.new(platform: 'centos', version: '6.5') do |node| 160 | node.override['mysql']['server_root_password'] = 'test' 161 | 
node.override['gitlab']['install_ruby'] = 'package' 162 | end.converge(described_recipe) 163 | end 164 | 165 | it 'ISSUE #66 installs gems using system gem' do 166 | %w(charlock_holmes bundler).each do |gem| 167 | expect(chef_run).to install_gem_package(gem).with(gem_binary: nil) 168 | end 169 | end 170 | 171 | it 'ISSUE #66 does not run update-alternatives-ruby' do 172 | expect(chef_run).to_not run_execute('update-alternatives-ruby') 173 | end 174 | end 175 | end 176 | -------------------------------------------------------------------------------- /spec/spec_helper.rb: -------------------------------------------------------------------------------- 1 | require 'chefspec' 2 | require 'chefspec/berkshelf' 3 | -------------------------------------------------------------------------------- /templates/default/database.yml.erb: -------------------------------------------------------------------------------- 1 | # This file was generated by Chef for <%= node['fqdn'] %> 2 | # Do not change this file by hand! 3 | 4 | production: 5 | adapter: <%= @adapter %> 6 | encoding: <%= @encoding %> 7 | collation: <%= @collation %> 8 | host: <%= @host %> 9 | pool: <%= @pool %> 10 | database: <%= @database %> 11 | username: <%= @username %> 12 | password: <%= @password %> 13 | # socket: /tmp/<%= @adapter %>.sock 14 | -------------------------------------------------------------------------------- /templates/default/gitaly.toml.erb: -------------------------------------------------------------------------------- 1 | # Gitaly configuration file 2 | 3 | socket_path = "<%= @git_app_home %>/tmp/sockets/private/gitaly.socket" 4 | 5 | # The directory where Gitaly's executables are stored 6 | bin_dir = "<%= @git_home %>/gitaly" 7 | 8 | # # Optional: listen on a TCP socket. 
This is insecure (no authentication) 9 | # listen_addr = "localhost:9999" 10 | # 11 | 12 | # # Optional: export metrics via Prometheus 13 | # prometheus_listen_addr = "localhost:9236" 14 | 15 | # # Git executable settings 16 | # [git] 17 | # bin_path = "/usr/bin/git" 18 | 19 | [[storage]] 20 | name = "default" 21 | path = "<%= @git_home %>/repositories" 22 | 23 | # # You can optionally configure more storages for this Gitaly instance to serve up 24 | # 25 | # [[storage]] 26 | # name = "other_storage" 27 | # path = "/mnt/other_storage/repositories" 28 | # 29 | 30 | # # You can optionally configure Gitaly to output JSON-formatted log messages to stdout 31 | # [logging] 32 | # format = "json" 33 | # # Optional: Set log level to only log entries with that severity or above 34 | # # One of, in order: debug, info, warn, error, fatal, panic 35 | # # Defaults to "info" 36 | # level = "warn" 37 | # 38 | # # Additionally exceptions from the Go server can be reported to Sentry 39 | # sentry_dsn = "https://:@sentry.io/" 40 | # # Exceptions from gitaly-ruby can also be reported to Sentry 41 | # ruby_sentry_dsn = "https://:@sentry.io/" 42 | 43 | # # You can optionally configure Gitaly to record histogram latencies on GRPC method calls 44 | # [prometheus] 45 | # grpc_latency_buckets = [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0] 46 | 47 | [gitaly-ruby] 48 | # The directory where gitaly-ruby is installed 49 | dir = "<%= @git_home %>/gitaly/ruby" 50 | 51 | # # Gitaly-ruby resident set size (RSS) that triggers a memory restart (bytes) 52 | # max_rss = 300000000 53 | # 54 | # # Grace period before a gitaly-ruby process is forcibly terminated after exceeding max_rss (seconds) 55 | # graceful_restart_timeout = "10m" 56 | # 57 | # # Time that gitaly-ruby memory must remain high before a restart (seconds) 58 | # restart_delay = "5m" 59 | 60 | [gitlab-shell] 61 | # The directory where gitlab-shell is installed 62 | dir = "<%= @git_home %>/gitlab-shell" 63 | 64 | 
# # You can adjust the concurrency of each RPC endpoint 65 | # [[concurrency]] 66 | # rpc = "/gitaly.RepositoryService/GarbageCollect" 67 | # max_per_repo = 1 68 | -------------------------------------------------------------------------------- /templates/default/gitconfig.erb: -------------------------------------------------------------------------------- 1 | # Configured by Chef for <%= node['fqdn'] %> 2 | [user] 3 | email = <%= node['gitlab']['email_from'] %> 4 | name = GitLab 5 | 6 | [core] 7 | autocrlf = input 8 | 9 | [rewrite] 10 | writeBitmaps = true 11 | -------------------------------------------------------------------------------- /templates/default/gitlab.yml.erb: -------------------------------------------------------------------------------- 1 | # # # # # # # # # # # # # # # # # # 2 | # GitLab application config file # 3 | # # # # # # # # # # # # # # # # # # 4 | # 5 | ########################### NOTE ##################################### 6 | # This file should not receive new settings. All configuration options # 7 | # * are being moved to ApplicationSetting model! # 8 | # If a setting requires an application restart say so in that screen. # 9 | # If you change this file in a Merge Request, please also create # 10 | # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # 11 | ######################################################################## 12 | # 13 | # 14 | # How to use: 15 | # 1. Copy file as gitlab.yml 16 | # 2. Update gitlab -> host with your fully qualified domain name 17 | # 3. Update gitlab -> email_from 18 | # 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git 19 | # IMPORTANT: If Git was installed in a different location use that instead. 20 | # You can check with `which git`. If a wrong path of Git is specified, it will 21 | # result in various issues such as failures of GitLab CI builds. 22 | # 5. 
Review this configuration file for other settings you may want to adjust 23 | 24 | production: &base 25 | # 26 | # 1. GitLab app settings 27 | # ========================== 28 | 29 | ## GitLab settings 30 | gitlab: 31 | ## Web server settings (note: host is the FQDN, do not include http://) 32 | host: <%= @fqdn %> 33 | port: <%= @listen_port %> 34 | https: <%= @https_boolean %> 35 | 36 | # Uncomment the line below if your ssh host is different from the HTTP/HTTPS one 37 | # (you'd obviously need to replace ssh.host_example.com with your own host). 38 | # Otherwise, ssh host will be set to the `host:` value above 39 | # ssh_host: ssh.host_example.com 40 | 41 | # Relative URL support 42 | # WARNING: We recommend using an FQDN to host GitLab in a root path instead 43 | # of using a relative URL. 44 | # Documentation: http://doc.gitlab.com/ce/install/relative_url.html 45 | # Uncomment and customize the following line to run in a non-root path 46 | # 47 | # relative_url_root: /gitlab 48 | 49 | # Trusted Proxies 50 | # Customize if you have GitLab behind a reverse proxy which is running on a different machine. 51 | # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. 52 | trusted_proxies: 53 | # Examples: 54 | #- 192.168.1.0/24 55 | #- 192.168.2.1 56 | #- 2001:0db8::/32 57 | 58 | # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') 59 | user: <%= node['gitlab']['user'] %> 60 | 61 | ## Date & Time settings 62 | # Uncomment and customize if you want to change the default time zone of the GitLab application. 
63 | # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production` 64 | # time_zone: 'UTC' 65 | 66 | ## Email settings 67 | # Uncomment and set to false if you need to disable email sending from GitLab (default: true) 68 | # email_enabled: true 69 | # Email address used in the "From" field in mails sent by GitLab 70 | email_from: <%= node['gitlab']['email_from'] %> 71 | email_display_name: GitLab # TODO, gitlab attributes 72 | email_reply_to: noreply@gitlab.<%= node['domain'] %> # TODO, gitlab attributes 73 | email_subject_suffix: '' 74 | 75 | # Email server smtp settings are in config/initializers/smtp_settings.rb.sample 76 | 77 | default_can_create_group: <%= node['gitlab']['default_can_create_group'] %> # default: true 78 | username_changing_enabled: <%= node['gitlab']['username_changing_enabled'] %> # default: true - User can change her username/namespace 79 | ## Default theme ID 80 | ## 1 - Indigo 81 | ## 2 - Dark 82 | ## 3 - Light 83 | ## 4 - Blue 84 | ## 5 - Green 85 | # default_theme: 1 # default: 1 86 | 87 | ## Automatic issue closing 88 | # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. 89 | # This happens when the commit is pushed or merged into the default branch of a project. 90 | # When not specified the default issue_closing_pattern as specified below will be used. 91 | # Tip: you can test your closing pattern at http://rubular.com. 92 | # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing)|[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? 
+)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)' 93 | 94 | ## Default project features settings 95 | default_projects_features: 96 | issues: true 97 | merge_requests: true 98 | wiki: true 99 | snippets: true 100 | builds: true 101 | container_registry: true 102 | 103 | ## Webhook settings 104 | # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) 105 | # webhook_timeout: 10 106 | 107 | ## Repository downloads directory 108 | # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory. 109 | # The default is 'shared/cache/archive/' relative to the root of the Rails app. 110 | # repository_downloads_path: shared/cache/archive/ 111 | 112 | ## Reply by email 113 | # Allow users to comment on issues and merge requests by replying to notification emails. 114 | # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html 115 | incoming_email: 116 | enabled: false 117 | 118 | # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to. 119 | # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`). 120 | address: "incoming+%{key}@gitlab.<%= node['domain'] %>" # TODO, gitlab attributes 121 | 122 | # Email account username 123 | # With third party providers, this is usually the full email address. 124 | # With self-hosted email servers, this is usually the user part of the email address. 125 | user: "gitlab-incoming@gmail.com" 126 | # Email account password 127 | password: "[REDACTED]" 128 | 129 | # IMAP server host 130 | host: "imap.gmail.com" 131 | # IMAP server port 132 | port: 993 133 | # Whether the IMAP server uses SSL 134 | ssl: true 135 | # Whether the IMAP server uses StartTLS 136 | start_tls: false 137 | 138 | # The mailbox where incoming mail will end up. Usually "inbox". 
139 | mailbox: "inbox" 140 | # The IDLE command timeout. 141 | idle_timeout: 60 142 | 143 | ## Build Artifacts 144 | artifacts: 145 | enabled: true 146 | # The location where build artifacts are stored (default: shared/artifacts). 147 | # path: shared/artifacts 148 | # object_store: 149 | # enabled: false 150 | # remote_directory: artifacts # The bucket name 151 | # background_upload: false # Temporary option to limit automatic upload (Default: true) 152 | # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage 153 | # connection: 154 | # provider: AWS # Only AWS supported at the moment 155 | # aws_access_key_id: AWS_ACCESS_KEY_ID 156 | # aws_secret_access_key: AWS_SECRET_ACCESS_KEY 157 | # region: us-east-1 158 | 159 | ## Git LFS 160 | lfs: 161 | enabled: true 162 | # The location where LFS objects are stored (default: shared/lfs-objects). 163 | # storage_path: shared/lfs-objects 164 | object_store: 165 | enabled: false 166 | remote_directory: lfs-objects # Bucket name 167 | # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) 168 | # background_upload: false # Temporary option to limit automatic upload (Default: true) 169 | # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage 170 | connection: 171 | provider: AWS 172 | aws_access_key_id: AWS_ACCESS_KEY_ID 173 | aws_secret_access_key: AWS_SECRET_ACCESS_KEY 174 | region: us-east-1 175 | # Use the following options to configure an AWS compatible host 176 | # host: 'localhost' # default: s3.amazonaws.com 177 | # endpoint: 'http://127.0.0.1:9000' # default: nil 178 | # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' 179 | 180 | ## Uploads (attachments, avatars, etc...) 181 | uploads: 182 | # The location where uploads objects are stored (default: public/). 
183 | # storage_path: public/ 184 | # base_dir: uploads/-/system 185 | object_store: 186 | enabled: false 187 | remote_directory: uploads # Bucket name 188 | # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) 189 | # background_upload: false # Temporary option to limit automatic upload (Default: true) 190 | # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage 191 | connection: 192 | provider: AWS 193 | aws_access_key_id: AWS_ACCESS_KEY_ID 194 | aws_secret_access_key: AWS_SECRET_ACCESS_KEY 195 | region: us-east-1 196 | # host: 'localhost' # default: s3.amazonaws.com 197 | # endpoint: 'http://127.0.0.1:9000' # default: nil 198 | # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' 199 | 200 | ## GitLab Pages 201 | pages: 202 | enabled: false 203 | # The location where pages are stored (default: shared/pages). 204 | # path: shared/pages 205 | 206 | # The domain under which the pages are served: 207 | # http://group.example.com/project 208 | # or project path can be a group page: group.example.com 209 | host: example.com 210 | port: 80 # Set to 443 if you serve the pages with HTTPS 211 | https: false # Set to true if you serve the pages with HTTPS 212 | artifacts_server: true 213 | # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages 214 | # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages 215 | admin: 216 | address: unix:<%= @git_app_home %>/tmp/sockets/private/pages-admin.socket # TCP connections are supported too (e.g. tcp://host:port) 217 | 218 | ## Mattermost 219 | ## For enabling Add to Mattermost button 220 | mattermost: 221 | enabled: false 222 | host: 'https://mattermost.example.com' 223 | 224 | ## Gravatar 225 | ## If using gravatar.com, there's nothing to change here. 
For Libravatar 226 | ## you'll need to provide the custom URLs. For more information, 227 | ## see: https://docs.gitlab.com/ee/customization/libravatar.html 228 | gravatar: 229 | # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username} 230 | # plain_url: "http://..." # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon 231 | # ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon 232 | 233 | ## Sidekiq 234 | sidekiq: 235 | log_format: default # (json is also supported) 236 | 237 | ## Auxiliary jobs 238 | # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc. 239 | # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job 240 | cron_jobs: 241 | # Flag stuck CI jobs as failed 242 | stuck_ci_jobs_worker: 243 | cron: "0 * * * *" 244 | # Execute scheduled triggers 245 | pipeline_schedule_worker: 246 | cron: "19 * * * *" 247 | # Remove expired build artifacts 248 | expire_build_artifacts_worker: 249 | cron: "50 * * * *" 250 | # Periodically run 'git fsck' on all repositories. If started more than 251 | # once per hour you will have concurrent 'git fsck' jobs. 252 | repository_check_worker: 253 | cron: "20 * * * *" 254 | # Send admin emails once a week 255 | admin_email_worker: 256 | cron: "0 0 * * 0" 257 | 258 | # Remove outdated repository archives 259 | repository_archive_cache_worker: 260 | cron: "0 * * * *" 261 | 262 | # Verify custom GitLab Pages domains 263 | pages_domain_verification_cron_worker: 264 | cron: "*/15 * * * *" 265 | 266 | registry: 267 | # enabled: true 268 | # host: registry.example.com 269 | # port: 5005 270 | # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API 271 | # key: config/registry.key 272 | # path: shared/registry 273 | # issuer: gitlab-issuer 274 | 275 | # 276 | # 2. 
GitLab CI settings 277 | # ========================== 278 | 279 | gitlab_ci: 280 | # Default project notifications settings: 281 | # 282 | # Send emails only on broken builds (default: true) 283 | # all_broken_builds: true 284 | # 285 | # Add pusher to recipients list (default: false) 286 | # add_pusher: true 287 | 288 | # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root 289 | # builds_path: builds/ 290 | 291 | # 292 | # 3. Auth settings 293 | # ========================== 294 | 295 | ## LDAP settings 296 | # You can test connections and inspect a sample of the LDAP users with login 297 | # access by running: 298 | # bundle exec rake gitlab:ldap:check RAILS_ENV=production 299 | ldap: 300 | enabled: <%= node['gitlab']['ldap']['enabled'] %> 301 | servers: 302 | ########################################################################## 303 | # 304 | # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab 305 | # Enterprise Edition now supports connecting to multiple LDAP servers. 306 | # 307 | # If you are updating from the old (pre-7.4) syntax, you MUST give your 308 | # old server the ID 'main'. 309 | # 310 | ########################################################################## 311 | main: # 'main' is the GitLab 'provider ID' of this LDAP server 312 | ## label 313 | # 314 | # A human-friendly name for your LDAP server. It is OK to change the label later, 315 | # for instance if you find out it is too large to fit on the web page. 316 | # 317 | # Example: 'Paris' or 'Acme, Ltd.' 318 | label: 'LDAP' 319 | 320 | host: <%= node['gitlab']['ldap']['host'] %> 321 | port: <%= node['gitlab']['ldap']['port'] %> 322 | uid: <%= node['gitlab']['ldap']['uid'] %> 323 | <% if node['gitlab']['ldap']['password'].nil? || node['gitlab']['ldap']['bind_dn'].start_with?('_') %># <% end %>bind_dn: <%= node['gitlab']['ldap']['bind_dn'] %> 324 | <% if node['gitlab']['ldap']['password'].nil? 
|| node['gitlab']['ldap']['password'].start_with?('_') %># <% end %>password: <%= node['gitlab']['ldap']['password'] %> 325 | 326 | # Encryption method. The "method" key is deprecated in favor of 327 | # "encryption". 328 | # 329 | # Examples: "start_tls" or "simple_tls" or "plain" 330 | # 331 | # Deprecated values: "tls" was replaced with "start_tls" and "ssl" was 332 | # replaced with "simple_tls". 333 | # 334 | encryption: <%= node['gitlab']['ldap']['method'] %> 335 | 336 | # Enables SSL certificate verification if encryption method is 337 | # "start_tls" or "simple_tls". Defaults to true. 338 | verify_certificates: true 339 | 340 | # Specifies the path to a file containing a PEM-format CA certificate, 341 | # e.g. if you need to use an internal CA. 342 | # 343 | # Example: '/etc/ca.pem' 344 | # 345 | ca_file: '' 346 | 347 | # Specifies the SSL version for OpenSSL to use, if the OpenSSL default 348 | # is not appropriate. 349 | # 350 | # Example: 'TLSv1_1' 351 | # 352 | ssl_version: '' 353 | 354 | # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking 355 | # a request if the LDAP server becomes unresponsive. 356 | # A value of 0 means there is no timeout. 357 | timeout: 10 358 | 359 | # This setting specifies if LDAP server is Active Directory LDAP server. 360 | # For non AD servers it skips the AD specific queries. 361 | # If your LDAP server is not AD, set this to false. 362 | active_directory: <%= node['gitlab']['ldap']['active_directory'] %> 363 | 364 | # If allow_username_or_email_login is enabled, GitLab will ignore everything 365 | # after the first '@' in the LDAP username submitted by the user on login. 366 | # 367 | # Example: 368 | # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; 369 | # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. 
370 | # 371 | # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to 372 | # disable this setting, because the userPrincipalName contains an '@'. 373 | allow_username_or_email_login: <%= node['gitlab']['ldap']['allow_username_or_email_login'] %> 374 | 375 | # To maintain tight control over the number of active users on your GitLab installation, 376 | # enable this setting to keep new users blocked until they have been cleared by the admin 377 | # (default: false). 378 | block_auto_created_users: false 379 | 380 | # Base where we can search for users 381 | # 382 | # Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com' 383 | # 384 | base: '<%= node['gitlab']['ldap']['base'] %>' 385 | 386 | # Filter LDAP users 387 | # 388 | # Format: RFC 4515 https://tools.ietf.org/search/rfc4515 389 | # Ex. (employeeType=developer) 390 | # 391 | # Note: GitLab does not support omniauth-ldap's custom filter syntax. 392 | # 393 | # Example for getting only specific users: 394 | # '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))' 395 | # 396 | user_filter: '<%= node['gitlab']['ldap']['user_filter'] %>' 397 | 398 | # LDAP attributes that GitLab will use to create an account for the LDAP user. 399 | # The specified attribute can either be the attribute name as a string (e.g. 'mail'), 400 | # or an array of attribute names to try in order (e.g. ['mail', 'email']). 401 | # Note that the user's LDAP login will always be the attribute specified as `uid` above. 402 | attributes: 403 | # The username will be used in paths for the user's own projects 404 | # (like `gitlab.example.com/username/project`) and when mentioning 405 | # them in issues, merge request and comments (like `@username`). 406 | # If the attribute specified for `username` contains an email address, 407 | # the GitLab username will be the part of the email address before the '@'. 
408 | username: ['uid', 'userid', 'sAMAccountName'] 409 | email: ['mail', 'email', 'userPrincipalName'] 410 | 411 | # If no full name could be found at the attribute specified for `name`, 412 | # the full name is determined using the attributes specified for 413 | # `first_name` and `last_name`. 414 | name: 'cn' 415 | first_name: 'givenName' 416 | last_name: 'sn' 417 | 418 | # If lowercase_usernames is enabled, GitLab will lower case the username. 419 | lowercase_usernames: false 420 | 421 | # GitLab EE only: add more LDAP servers 422 | # Choose an ID made of a-z and 0-9 . This ID will be stored in the database 423 | # so that GitLab can remember which LDAP server a user belongs to. 424 | # uswest2: 425 | # label: 426 | # host: 427 | # .... 428 | 429 | 430 | ## OmniAuth settings 431 | omniauth: 432 | # Allow login via Twitter, Google, etc. using OmniAuth providers 433 | enabled: false 434 | 435 | # Uncomment this to automatically sign in with a specific omniauth provider's without 436 | # showing GitLab's sign-in page (default: show the GitLab sign-in page) 437 | # auto_sign_in_with_provider: saml 438 | 439 | # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty). 440 | # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"], 441 | # or as true/false to allow all providers or none. 442 | # When authenticating using LDAP, the user's email is always synced. 443 | # sync_profile_from_provider: [] 444 | 445 | # Select which info to sync from the providers above. (default: email). 446 | # Define the synced profile info using an array. Available options are "name", "email" and "location" 447 | # e.g. ["name", "email", "location"] or as true to sync all available. 448 | # This consequently will make the selected attributes read-only. 449 | # sync_profile_attributes: true 450 | 451 | # CAUTION! 452 | # This allows users to login without having a user account first. 
Define the allowed providers 453 | # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none. 454 | # User accounts will be created automatically when authentication was successful. 455 | allow_single_sign_on: ["saml"] 456 | 457 | # Locks down those users until they have been cleared by the admin (default: true). 458 | block_auto_created_users: true 459 | # Look up new users in LDAP servers. If a match is found (same uid), automatically 460 | # link the omniauth identity with the LDAP account. (default: false) 461 | auto_link_ldap_user: false 462 | 463 | # Allow users with existing accounts to login and auto link their account via SAML 464 | # login, without having to do a manual login first and manually add SAML 465 | # (default: false) 466 | auto_link_saml_user: false 467 | 468 | # Set different Omniauth providers as external so that all users creating accounts 469 | # via these providers will not be able to have access to internal projects. You 470 | # will need to use the full name of the provider, like `google_oauth2` for Google. 471 | # Refer to the examples below for the full names of the supported providers. 472 | # (default: []) 473 | external_providers: [] 474 | 475 | ## Auth providers 476 | # Uncomment the following lines and fill in the data of the auth provider you want to use 477 | # If your favorite auth provider is not listed you can use others: 478 | # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations 479 | # The 'app_id' and 'app_secret' parameters are always passed as the first two 480 | # arguments, followed by optional 'args' which can be either a hash or an array. 
481 | # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html 482 | providers: 483 | # See omniauth-cas3 for more configuration details 484 | # - { name: 'cas3', 485 | # label: 'cas3', 486 | # args: { 487 | # url: 'https://sso.example.com', 488 | # disable_ssl_verification: false, 489 | # login_url: '/cas/login', 490 | # service_validate_url: '/cas/p3/serviceValidate', 491 | # logout_url: '/cas/logout'} } 492 | # - { name: 'authentiq', 493 | # # for client credentials (client ID and secret), go to https://www.authentiq.com/developers 494 | # app_id: 'YOUR_CLIENT_ID', 495 | # app_secret: 'YOUR_CLIENT_SECRET', 496 | # args: { 497 | # scope: 'aq:name email~rs address aq:push' 498 | # # callback_url parameter is optional except when 'gitlab.host' in this file is set to 'localhost' 499 | # # callback_url: 'YOUR_CALLBACK_URL' 500 | # } 501 | # } 502 | # - { name: 'github', 503 | # app_id: 'YOUR_APP_ID', 504 | # app_secret: 'YOUR_APP_SECRET', 505 | # url: "https://github.com/", 506 | # verify_ssl: true, 507 | # args: { scope: 'user:email' } } 508 | # - { name: 'bitbucket', 509 | # app_id: 'YOUR_APP_ID', 510 | # app_secret: 'YOUR_APP_SECRET' } 511 | # - { name: 'gitlab', 512 | # app_id: 'YOUR_APP_ID', 513 | # app_secret: 'YOUR_APP_SECRET', 514 | # args: { scope: 'api' } } 515 | # - { name: 'google_oauth2', 516 | # app_id: 'YOUR_APP_ID', 517 | # app_secret: 'YOUR_APP_SECRET', 518 | # args: { access_type: 'offline', approval_prompt: '' } } 519 | # - { name: 'facebook', 520 | # app_id: 'YOUR_APP_ID', 521 | # app_secret: 'YOUR_APP_SECRET' } 522 | # - { name: 'twitter', 523 | # app_id: 'YOUR_APP_ID', 524 | # app_secret: 'YOUR_APP_SECRET' } 525 | # - { name: 'jwt', 526 | # app_secret: 'YOUR_APP_SECRET', 527 | # args: { 528 | # algorithm: 'HS256', 529 | # uid_claim: 'email', 530 | # required_claims: ["name", "email"], 531 | # info_map: { name: "name", email: "email" }, 532 | # auth_url: 'https://example.com/', 533 | # valid_within: null, 534 | 
# } 535 | # } 536 | # - { name: 'saml', 537 | # label: 'Our SAML Provider', 538 | # groups_attribute: 'Groups', 539 | # external_groups: ['Contractors', 'Freelancers'], 540 | # args: { 541 | # assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback', 542 | # idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8', 543 | # idp_sso_target_url: 'https://login.example.com/idp', 544 | # issuer: 'https://gitlab.example.com', 545 | # name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' 546 | # } } 547 | # 548 | # - { name: 'crowd', 549 | # args: { 550 | # crowd_server_url: 'CROWD SERVER URL', 551 | # application_name: 'YOUR_APP_NAME', 552 | # application_password: 'YOUR_APP_PASSWORD' } } 553 | # 554 | # - { name: 'auth0', 555 | # args: { 556 | # client_id: 'YOUR_AUTH0_CLIENT_ID', 557 | # client_secret: 'YOUR_AUTH0_CLIENT_SECRET', 558 | # namespace: 'YOUR_AUTH0_DOMAIN' } } 559 | 560 | # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours. 561 | # cas3: 562 | # session_duration: 28800 563 | 564 | # Shared file storage settings 565 | shared: 566 | # path: /mnt/gitlab # Default: shared 567 | 568 | # Gitaly settings 569 | gitaly: 570 | # Path to the directory containing Gitaly client executables. 571 | client_path: <%= @git_home %>/gitaly 572 | # Default Gitaly authentication token. Can be overriden per storage. Can 573 | # be left blank when Gitaly is running locally on a Unix socket, which 574 | # is the normal way to deploy Gitaly. 575 | token: 576 | 577 | # 578 | # 4. Advanced settings 579 | # ========================== 580 | 581 | ## Repositories settings 582 | repositories: 583 | # Paths where repositories can be stored. Give the canonicalized absolute pathname. 584 | # IMPORTANT: None of the path components may be symlink, because 585 | # gitlab-shell invokes Dir.pwd inside the repository path and that results 586 | # real path not the symlink. 
587 | storages: # You must have at least a `default` storage path. 588 | default: 589 | path: <%= @git_home %>/repositories 590 | gitaly_address: unix:<%= @git_app_home %>/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port) 591 | # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage. 592 | 593 | ## Backup settings 594 | backup: 595 | path: "<%= @backup_path %>" # Relative paths are relative to Rails.root (default: tmp/backups/) 596 | # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600) 597 | keep_time: <%= @backup_keep_time %> # default: 0 (forever) (in seconds) 598 | # pg_schema: public # default: nil, it means that all schemas will be backed up 599 | # upload: 600 | # # Fog storage connection settings, see http://fog.io/storage/ . 601 | # connection: 602 | # provider: AWS 603 | # region: eu-west-1 604 | # aws_access_key_id: AKIAKIAKI 605 | # aws_secret_access_key: 'secret123' 606 | # # The remote 'directory' to store your backups. For S3, this would be the bucket name. 607 | # remote_directory: 'my.s3.bucket' 608 | # # Use multipart uploads when file size reaches 100MB, see 609 | # # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html 610 | # multipart_chunk_size: 104857600 611 | # # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional 612 | # # encryption: 'AES256' 613 | # # Specifies Amazon S3 storage class to use for backups, this is optional 614 | # # storage_class: 'STANDARD' 615 | 616 | ## GitLab Shell settings 617 | gitlab_shell: 618 | path: <%= @git_home %>/gitlab-shell/ 619 | hooks_path: <%= @git_home %>/gitlab-shell/hooks/ 620 | 621 | # File that contains the secret key for verifying access for gitlab-shell. 622 | # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app). 
623 | # secret_file: <%= @git_app_home %>/.gitlab_shell_secret 624 | 625 | # Git over HTTP 626 | upload_pack: true 627 | receive_pack: true 628 | 629 | # Git import/fetch timeout, in seconds. Defaults to 3 hours. 630 | # git_timeout: 10800 631 | 632 | # If you use non-standard ssh port you need to specify it 633 | # ssh_port: 22 634 | 635 | workhorse: 636 | # File that contains the secret key for verifying access for gitlab-workhorse. 637 | # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). 638 | # secret_file: <%= @git_app_home %>/.gitlab_workhorse_secret 639 | 640 | ## Git settings 641 | # CAUTION! 642 | # Use the default values unless you really know what you are doing 643 | git: 644 | bin_path: git 645 | 646 | ## Webpack settings 647 | # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running 648 | # on a given port instead of serving directly from /assets/webpack. This is only indended for use 649 | # in development. 650 | webpack: 651 | # dev_server: 652 | # enabled: true 653 | # host: localhost 654 | # port: 3808 655 | 656 | ## Monitoring 657 | # Built in monitoring settings 658 | monitoring: 659 | # Time between sampling of unicorn socket metrics, in seconds 660 | # unicorn_sampler_interval: 10 661 | # IP whitelist to access monitoring endpoints 662 | ip_whitelist: 663 | - 127.0.0.0/8 664 | 665 | # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics 666 | sidekiq_exporter: 667 | # enabled: true 668 | # address: localhost 669 | # port: 3807 670 | 671 | # 672 | # 5. Extra customization 673 | # ========================== 674 | 675 | extra: 676 | ## Google analytics. Uncomment if you want it 677 | # google_analytics_id: '_your_tracking_id' 678 | 679 | ## Piwik analytics. 
680 | # piwik_url: '_your_piwik_url' 681 | # piwik_site_id: '_your_piwik_site_id' 682 | 683 | rack_attack: 684 | git_basic_auth: 685 | # Rack Attack IP banning enabled 686 | # enabled: true 687 | # 688 | # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers 689 | # ip_whitelist: ["127.0.0.1"] 690 | # 691 | # Limit the number of Git HTTP authentication attempts per IP 692 | # maxretry: 10 693 | # 694 | # Reset the auth attempt counter per IP after 60 seconds 695 | # findtime: 60 696 | # 697 | # Ban an IP for one hour (3600s) after too many auth attempts 698 | # bantime: 3600 699 | 700 | development: 701 | <<: *base 702 | 703 | test: 704 | <<: *base 705 | gravatar: 706 | enabled: true 707 | lfs: 708 | enabled: false 709 | # The location where LFS objects are stored (default: shared/lfs-objects). 710 | # storage_path: shared/lfs-objects 711 | object_store: 712 | enabled: false 713 | remote_directory: lfs-objects # The bucket name 714 | connection: 715 | provider: AWS # Only AWS supported at the moment 716 | aws_access_key_id: AWS_ACCESS_KEY_ID 717 | aws_secret_access_key: AWS_SECRET_ACCESS_KEY 718 | region: us-east-1 719 | artifacts: 720 | path: tmp/tests/artifacts 721 | enabled: true 722 | # The location where build artifacts are stored (default: shared/artifacts). 
723 | # path: shared/artifacts 724 | object_store: 725 | enabled: false 726 | remote_directory: artifacts # The bucket name 727 | background_upload: false 728 | connection: 729 | provider: AWS # Only AWS supported at the moment 730 | aws_access_key_id: AWS_ACCESS_KEY_ID 731 | aws_secret_access_key: AWS_SECRET_ACCESS_KEY 732 | region: us-east-1 733 | uploads: 734 | storage_path: tmp/tests/public 735 | object_store: 736 | enabled: false 737 | connection: 738 | provider: AWS # Only AWS supported at the moment 739 | aws_access_key_id: AWS_ACCESS_KEY_ID 740 | aws_secret_access_key: AWS_SECRET_ACCESS_KEY 741 | region: us-east-1 742 | gitlab: 743 | host: localhost 744 | port: 80 745 | 746 | # When you run tests we clone and setup gitlab-shell 747 | # In order to setup it correctly you need to specify 748 | # your system username you use to run GitLab 749 | # user: YOUR_USERNAME 750 | pages: 751 | path: tmp/tests/pages 752 | repositories: 753 | storages: 754 | default: 755 | path: tmp/tests/repositories/ 756 | gitaly_address: unix:tmp/tests/gitaly/gitaly.socket 757 | broken: 758 | path: tmp/tests/non-existent-repositories 759 | gitaly_address: unix:tmp/tests/gitaly/gitaly.socket 760 | 761 | gitaly: 762 | client_path: tmp/tests/gitaly 763 | token: secret 764 | backup: 765 | path: tmp/tests/backups 766 | gitlab_shell: 767 | path: tmp/tests/gitlab-shell/ 768 | hooks_path: tmp/tests/gitlab-shell/hooks/ 769 | issues_tracker: 770 | redmine: 771 | title: "Redmine" 772 | project_url: "http://redmine/projects/:issues_tracker_id" 773 | issues_url: "http://redmine/:project_id/:issues_tracker_id/:id" 774 | new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new" 775 | jira: 776 | title: "JIRA" 777 | url: https://sample_company.atlassian.net 778 | project_key: PROJECT 779 | 780 | omniauth: 781 | enabled: true 782 | allow_single_sign_on: true 783 | external_providers: [] 784 | 785 | providers: 786 | - { name: 'cas3', 787 | label: 'cas3', 788 | args: { url: 
'https://sso.example.com', 789 | disable_ssl_verification: false, 790 | login_url: '/cas/login', 791 | service_validate_url: '/cas/p3/serviceValidate', 792 | logout_url: '/cas/logout'} } 793 | - { name: 'github', 794 | app_id: 'YOUR_APP_ID', 795 | app_secret: 'YOUR_APP_SECRET', 796 | url: "https://github.com/", 797 | verify_ssl: false, 798 | args: { scope: 'user:email' } } 799 | - { name: 'bitbucket', 800 | app_id: 'YOUR_APP_ID', 801 | app_secret: 'YOUR_APP_SECRET' } 802 | - { name: 'gitlab', 803 | app_id: 'YOUR_APP_ID', 804 | app_secret: 'YOUR_APP_SECRET', 805 | args: { scope: 'api' } } 806 | - { name: 'google_oauth2', 807 | app_id: 'YOUR_APP_ID', 808 | app_secret: 'YOUR_APP_SECRET', 809 | args: { access_type: 'offline', approval_prompt: '' } } 810 | - { name: 'facebook', 811 | app_id: 'YOUR_APP_ID', 812 | app_secret: 'YOUR_APP_SECRET' } 813 | - { name: 'twitter', 814 | app_id: 'YOUR_APP_ID', 815 | app_secret: 'YOUR_APP_SECRET' } 816 | - { name: 'jwt', 817 | app_secret: 'YOUR_APP_SECRET', 818 | args: { 819 | algorithm: 'HS256', 820 | uid_claim: 'email', 821 | required_claims: ["name", "email"], 822 | info_map: { name: "name", email: "email" }, 823 | auth_url: 'https://example.com/', 824 | valid_within: null, 825 | } 826 | } 827 | - { name: 'auth0', 828 | args: { 829 | client_id: 'YOUR_AUTH0_CLIENT_ID', 830 | client_secret: 'YOUR_AUTH0_CLIENT_SECRET', 831 | namespace: 'YOUR_AUTH0_DOMAIN' } } 832 | - { name: 'authentiq', 833 | app_id: 'YOUR_CLIENT_ID', 834 | app_secret: 'YOUR_CLIENT_SECRET', 835 | args: { scope: 'aq:name email~rs address aq:push' } } 836 | ldap: 837 | enabled: false 838 | servers: 839 | main: 840 | label: ldap 841 | host: 127.0.0.1 842 | port: 3890 843 | uid: 'uid' 844 | encryption: 'plain' # "start_tls" or "simple_tls" or "plain" 845 | base: 'dc=example,dc=com' 846 | user_filter: '' 847 | group_base: 'ou=groups,dc=example,dc=com' 848 | admin_group: '' 849 | 850 | staging: 851 | <<: *base 852 | 
-------------------------------------------------------------------------------- /templates/default/id_rsa.erb: -------------------------------------------------------------------------------- 1 | <%= @private_key -%> 2 | -------------------------------------------------------------------------------- /templates/default/id_rsa.pub.erb: -------------------------------------------------------------------------------- 1 | <%= @public_key %> 2 | -------------------------------------------------------------------------------- /templates/default/nginx.gitlab.erb: -------------------------------------------------------------------------------- 1 | ## GitLab 2 | ## 3 | ## Modified from nginx http version 4 | ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ 5 | ## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html 6 | ## 7 | ## Lines starting with two hashes (##) are comments with information. 8 | ## Lines starting with one hash (#) are configuration parameters that can be uncommented. 9 | ## 10 | ################################## 11 | ## CONTRIBUTING ## 12 | ################################## 13 | ## 14 | ## If you change this file in a Merge Request, please also create 15 | ## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests 16 | ## 17 | ################################### 18 | ## configuration ## 19 | ################################### 20 | ## 21 | ## See installation.md#using-https for additional HTTPS configuration details. 
22 | 23 | upstream gitlab-workhorse { 24 | server unix:<%= @gitlab_app_home %>/tmp/sockets/gitlab-workhorse.socket fail_timeout=0; 25 | } 26 | 27 | map $http_upgrade $connection_upgrade_gitlab { 28 | default upgrade; 29 | '' close; 30 | } 31 | 32 | 33 | ## NGINX 'combined' log format with filtered query strings 34 | log_format gitlab_access $remote_addr - $remote_user [$time_local] "$request_method $gitlab_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_filtered_http_referer" "$http_user_agent"; 35 | 36 | ## Remove private_token from the request URI 37 | # In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&... 38 | # Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&... 39 | map $request_uri $gitlab_temp_request_uri_1 { 40 | default $request_uri; 41 | ~(?i)^(?.*)(?[\?&]private[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; 42 | } 43 | 44 | ## Remove authenticity_token from the request URI 45 | # In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&... 46 | # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&... 47 | map $gitlab_temp_request_uri_1 $gitlab_temp_request_uri_2 { 48 | default $gitlab_temp_request_uri_1; 49 | ~(?i)^(?.*)(?[\?&]authenticity[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; 50 | } 51 | 52 | ## Remove rss_token from the request URI 53 | # In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&... 54 | # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&... 
55 | map $gitlab_temp_request_uri_2 $gitlab_filtered_request_uri { 56 | default $gitlab_temp_request_uri_2; 57 | ~(?i)^(?.*)(?[\?&]rss[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; 58 | } 59 | 60 | ## A version of the referer without the query string 61 | map $http_referer $gitlab_filtered_http_referer { 62 | default $http_referer; 63 | ~^(?.*)\? $temp; 64 | } 65 | 66 | 67 | <% if @https_boolean %> 68 | ## Redirects all HTTP traffic to the HTTPS host 69 | server { 70 | ## Either remove "default_server" from the listen line below, 71 | ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab 72 | ## to be served if you visit any address that your server responds to, eg. 73 | ## the ip address of the server (http://x.x.x.x/) 74 | listen 0.0.0.0:80; 75 | <% if @listen_ipv6 %> 76 | listen [::]:80 ipv6only=on default_server; 77 | <% end %> 78 | server_name <%= @server_name %>; 79 | server_tokens off; ## Don't show the nginx version number, a security best practice 80 | return 301 https://$http_host$request_uri; 81 | access_log /var/log/nginx/<%= @hostname %>_access.log gitlab_access; 82 | error_log /var/log/nginx/<%= @hostname %>_error.log; 83 | } 84 | <% end %> 85 | 86 | ## HTTPS host 87 | server { 88 | listen <%= @listen %>; 89 | server_name <%= @server_name %>; 90 | server_tokens off; ## Don't show the nginx version number, a security best practice 91 | 92 | <% if @https_boolean %> 93 | <% if @listen_ipv6 %> 94 | listen [::]:443 ipv6only=on default_server; 95 | <% end %> 96 | 97 | ## Strong SSL Security 98 | ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ 99 | ssl on; 100 | ssl_certificate <%= @ssl_certificate %>; 101 | ssl_certificate_key <%= @ssl_certificate_key %>; 102 | 103 | ssl_ciphers <%= @ssl_ciphers %>; 104 | ssl_protocols <%= @ssl_protocols %>; 105 | ssl_prefer_server_ciphers on; 106 | ssl_session_cache shared:SSL:10m; 107 | ssl_session_timeout 5m; 108 | 109 | ## See 
app/controllers/application_controller.rb for headers set 110 | 111 | ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. 112 | ## Replace with your ssl_trusted_certificate. For more info see: 113 | ## - https://medium.com/devops-programming/4445f4862461 114 | ## - https://www.ruby-forum.com/topic/4419319 115 | ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx 116 | # ssl_stapling on; 117 | # ssl_stapling_verify on; 118 | # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; 119 | # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired 120 | # resolver_timeout 5s; 121 | 122 | ## [Optional] Generate a stronger DHE parameter: 123 | ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 124 | ## 125 | # ssl_dhparam /etc/ssl/certs/dhparam.pem; 126 | 127 | ## [Optional] Enable HTTP Strict Transport Security 128 | # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; 129 | <% end %> 130 | 131 | ## Real IP Module Config 132 | ## http://nginx.org/en/docs/http/ngx_http_realip_module.html 133 | real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol 134 | real_ip_recursive off; ## If you enable 'on' 135 | ## If you have a trusted IP address, uncomment it and set it 136 | # set_real_ip_from YOUR_TRUSTED_ADDRESS; ## Replace this with something like 192.168.1.0/24 137 | 138 | ## Individual nginx logs for this GitLab vhost 139 | access_log /var/log/nginx/<%= @hostname %>_access.log; 140 | error_log /var/log/nginx/<%= @hostname %>_error.log; 141 | 142 | location / { 143 | client_max_body_size 0; 144 | gzip off; 145 | 146 | ## https://github.com/gitlabhq/gitlabhq/issues/694 147 | ## Some requests take more than 30 seconds. 
148 | proxy_read_timeout 300; 149 | proxy_connect_timeout 300; 150 | proxy_redirect off; 151 | 152 | proxy_http_version 1.1; 153 | 154 | proxy_set_header Host $http_host; 155 | proxy_set_header X-Real-IP $remote_addr; 156 | <% if @https_boolean %> 157 | proxy_set_header X-Forwarded-Ssl on; 158 | <% end %> 159 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 160 | proxy_set_header X-Forwarded-Proto <%= @https_boolean ? "https" : "http" %>; 161 | proxy_set_header Upgrade $http_upgrade; 162 | proxy_set_header Connection $connection_upgrade_gitlab; 163 | 164 | proxy_pass http://gitlab-workhorse; 165 | } 166 | 167 | error_page 404 /404.html; 168 | error_page 422 /422.html; 169 | error_page 500 /500.html; 170 | error_page 502 /502.html; 171 | error_page 503 /503.html; 172 | location ~ ^/(404|422|500|502|503)\.html$ { 173 | root <%= @gitlab_app_home %>/public; 174 | internal; 175 | } 176 | } 177 | -------------------------------------------------------------------------------- /templates/default/shell_config.yml.erb: -------------------------------------------------------------------------------- 1 | # GitLab user. git by default 2 | user: <%= node['gitlab']['user'] %> 3 | 4 | # URL to GitLab instance, used for API calls. Default: http://localhost:8080. 5 | # For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html 6 | # You only have to change the default if you have configured Unicorn 7 | # to listen on a custom port, or if you have configured Unicorn to 8 | # only listen on a Unix domain socket. For Unix domain sockets use 9 | # "http+unix://", e.g. 10 | # "http+unix://%2Fpath%2Fto%2Fsocket" 11 | gitlab_url: "http+unix://<%= URI.encode_www_form_component node['gitlab']['home'] + '/gitlab/tmp/sockets/gitlab.socket' %>" 12 | 13 | # See installation.md#using-https for additional HTTPS configuration details. 
14 | http_settings: 15 | # read_timeout: 300 16 | # user: someone 17 | # password: somepass 18 | # ca_file: /etc/ssl/cert.pem 19 | # ca_path: /etc/pki/tls/certs 20 | self_signed_cert: <%= node['gitlab']['self_signed_cert'] %> 21 | 22 | # File used as authorized_keys for gitlab user 23 | auth_file: <%= node['gitlab']['home'] %>/.ssh/authorized_keys 24 | 25 | # File that contains the secret key for verifying access to GitLab. 26 | # Default is .gitlab_shell_secret in the gitlab-shell directory. 27 | # secret_file: <%= node['gitlab']['home'] %>/gitlab-shell/.gitlab_shell_secret 28 | 29 | # Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d) 30 | # Default is hooks in the gitlab-shell directory. 31 | # custom_hooks_dir: <%= node['gitlab']['home'] %>/gitlab-shell/hooks 32 | 33 | # Log file. 34 | # Default is gitlab-shell.log in the root directory. 35 | # log_file: <%= node['gitlab']['home'] %>/gitlab-shell/gitlab-shell.log 36 | 37 | # Log level. INFO by default 38 | log_level: INFO 39 | 40 | # Log format. 'text' by default 41 | # log_format: json 42 | 43 | # Audit usernames. 44 | # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but 45 | # incurs an extra API call on every gitlab-shell command. 46 | audit_usernames: false 47 | 48 | # Git trace log file. 49 | # If set, git commands receive GIT_TRACE* environment variables 50 | # See https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging for documentation 51 | # An absolute path starting with / – the trace output will be appended to that file. 52 | # It needs to exist so we can check permissions and avoid to throwing warnings to the users. 
53 | git_trace_log_file: 54 | -------------------------------------------------------------------------------- /templates/default/ssh_config.erb: -------------------------------------------------------------------------------- 1 | # Generated by Chef for <%= @fqdn %> 2 | # Local modifications will be overwritten. 3 | NoHostAuthenticationForLocalhost <%= @trust_local_sshkeys %> 4 | -------------------------------------------------------------------------------- /templates/default/unicorn.rb.erb: -------------------------------------------------------------------------------- 1 | # Generated by Chef for <%= @fqdn %> 2 | # Local modifications will be overwritten. 3 | 4 | # Read about unicorn workers here: 5 | # http://doc.gitlab.com/ee/install/requirements.html#unicorn-workers 6 | # 7 | worker_processes 2 8 | 9 | # Since Unicorn is never exposed to outside clients, it does not need to 10 | # run on the standard HTTP port (80), there is no reason to start Unicorn 11 | # as root unless it's from system init scripts. 12 | # If running the master process as root and the workers as an unprivileged 13 | # user, do this to switch euid/egid in the workers (also chowns logs): 14 | # user "unprivileged_user", "unprivileged_group" 15 | 16 | app_dir = "<%= @gitlab_app_home %>" 17 | working_directory app_dir 18 | 19 | # Listen on a Unix domain socket only. 20 | # If you are load-balancing multiple Unicorn masters, lower the backlog 21 | # setting to e.g. 64 for faster failover. 22 | listen "#{app_dir}/tmp/sockets/gitlab.socket", :backlog => 1024 23 | 24 | # nuke workers after <%= @gitlab_unicorn_timeout %> seconds instead of 60 seconds (the default) 25 | # 26 | # NOTICE: git push over http depends on this value. 27 | # If you want to be able to push huge amount of data to git repository over http 28 | # you will have to increase this value too. 29 | # 30 | # Example of output if you try to push 1GB repo to GitLab over http. 31 | # -> git push http://gitlab.... 
master 32 | # 33 | # error: RPC failed; result=18, HTTP code = 200 34 | # fatal: The remote end hung up unexpectedly 35 | # fatal: The remote end hung up unexpectedly 36 | # 37 | # For more information see http://stackoverflow.com/a/21682112/752049 38 | # 39 | timeout <%= @gitlab_unicorn_timeout %> 40 | 41 | # feel free to point this anywhere accessible on the filesystem 42 | pid "#{app_dir}/tmp/pids/unicorn.pid" 43 | 44 | # By default, the Unicorn logger will write to stderr. 45 | # Additionally, some applications/frameworks log to stderr or stdout, 46 | # so prevent them from going to /dev/null when daemonized here: 47 | stderr_path "#{app_dir}/log/unicorn.stderr.log" 48 | stdout_path "#{app_dir}/log/unicorn.stdout.log" 49 | 50 | # combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings 51 | # http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow 52 | preload_app true 53 | GC.respond_to?(:copy_on_write_friendly=) and 54 | GC.copy_on_write_friendly = true 55 | 56 | # Enable this flag to have unicorn test client connections by writing the 57 | # beginning of the HTTP headers before calling the application. This 58 | # prevents calling the application for connections that have disconnected 59 | # while queued. This is only guaranteed to detect clients on the same 60 | # host unicorn runs on, and unlikely to detect disconnects even on a 61 | # fast LAN. 62 | check_client_connection false 63 | 64 | before_fork do |server, worker| 65 | # the following is highly recommended for Rails + "preload_app true" 66 | # as there's no need for the master process to hold a connection 67 | defined?(ActiveRecord::Base) and 68 | ActiveRecord::Base.connection.disconnect! 69 | 70 | # The following is only recommended for memory/DB-constrained 71 | # installations. It is not needed if your system can house 72 | # twice as many worker_processes as you have configured. 
73 | # 74 | # This allows a new master process to incrementally 75 | # phase out the old master process with SIGTTOU to avoid a 76 | # thundering herd (especially in the "preload_app false" case) 77 | # when doing a transparent upgrade. The last worker spawned 78 | # will then kill off the old master process with a SIGQUIT. 79 | old_pid = "#{server.config[:pid]}.oldbin" 80 | if old_pid != server.pid 81 | begin 82 | sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU 83 | Process.kill(sig, File.read(old_pid).to_i) 84 | rescue Errno::ENOENT, Errno::ESRCH 85 | end 86 | end 87 | # 88 | # Throttle the master from forking too quickly by sleeping. Due 89 | # to the implementation of standard Unix signal handlers, this 90 | # helps (but does not completely) prevent identical, repeated signals 91 | # from being lost when the receiving process is busy. 92 | # sleep 1 93 | end 94 | 95 | after_fork do |server, worker| 96 | # per-process listener ports for debugging/admin/migrations 97 | # addr = "127.0.0.1:#{9293 + worker.nr}" 98 | # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true) 99 | 100 | # the following is *required* for Rails + "preload_app true", 101 | defined?(ActiveRecord::Base) and 102 | ActiveRecord::Base.establish_connection 103 | 104 | # reset prometheus client, this will cause any opened metrics files to be closed 105 | defined?(::Prometheus::Client.reinitialize_on_pid_change) && 106 | Prometheus::Client.reinitialize_on_pid_change 107 | 108 | # if preload_app is true, then you may also want to check and 109 | # restart any other shared sockets/descriptors such as Memcached, 110 | # and Redis. 
TokyoCabinet file handles are safe to reuse 111 | # between any number of forked children (assuming your kernel 112 | # correctly implements pread()/pwrite() system calls) 113 | end 114 | -------------------------------------------------------------------------------- /test/integration/default/bats/default.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | @test 'unicorn rails is listening on gitlab.socket' { 4 | test -S /srv/git/gitlab/tmp/sockets/gitlab.socket 5 | } 6 | 7 | @test 'redis-server is running' { 8 | pgrep redis-server 9 | } 10 | 11 | @test 'mysql schema is initialized and has projects* tables' { 12 | echo 'show tables;' | mysql -h 127.0.0.1 -u root --password='test' gitlab | grep 'projects' 13 | } 14 | 15 | @test 'nginx is running' { 16 | pgrep nginx 17 | } 18 | 19 | @test 'nginx is listening on :80' { 20 | netstat -lnp | grep ':80' | grep 'nginx' 21 | } 22 | -------------------------------------------------------------------------------- /test/integration/https/bats/default.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | @test 'unicorn rails is listening on gitlab.socket' { 4 | test -S /srv/git/gitlab/tmp/sockets/gitlab.socket 5 | } 6 | 7 | @test 'redis-server is running' { 8 | pgrep redis-server 9 | } 10 | 11 | 12 | @test 'mysql schema is initialized and has projects* tables' { 13 | for PREFIX in '/var/lib' '/var/run'; do 14 | test -z $SOCK || break 15 | for INSTANCE in 'mysql' 'mysql-default'; do 16 | test -z $SOCK || break 17 | for SOCKNAME in 'mysql' 'mysqld'; do 18 | SOCK=$PREFIX/$INSTANCE/$SOCKNAME.sock 19 | test -e $SOCK && { 20 | export SOCK 21 | break 22 | } 23 | unset SOCK 24 | done 25 | done 26 | done 27 | echo 'show tables;' | mysql -S $SOCK -u root --password='test' gitlab | grep 'projects' 28 | } 29 | 30 | @test 'nginx is running' { 31 | pgrep nginx 32 | } 33 | 34 | @test 'nginx is listening on :443' 
{ 35 | netstat -lnp | grep ':443' | grep 'nginx' 36 | } 37 | -------------------------------------------------------------------------------- /test/integration/https/data_bags/certificates/test.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "test", 3 | "cert": { 4 | "encrypted_data": "xdjyZ3v19B8ihyP0bVoeM4pH/Xe9tB9fTWwrIEBpCtfSI9OKObE3BANW3y/R\nLl3zPCNop9FIj4fVHyunH00l2KwWa3FLmy+76uzEDenrDWJVIBHuNrO6gYEv\n06I0zDan+TpFlNJ1dlYUsMKFkA1++0IzDwDmPNKcz6X0YCY7QCU77F+lM1Wu\nE3i29F5YSAKXBnl8XEgsO7KXcEkhkcH+iwnw83O1jT74sbd3wTgMZiMu1ORH\nZpr5M8CTSE8uLVcEJP2ZCOmyM7VdYDfLv84ZS+VvbgqmnRMItKwY+h9VCx68\nC0hop/pBo3wSihZqG4o+mHkn0Vv9fuKrHTdIGwaRN0LNOKNITsP3/pd9t0k8\nXWo2+0OJ5eypSS8/4RZS0sNTvakycC5AXcd2W7I1CFvxZbtQIU+AvkCLXC95\nTi+mx+sI+w2j0pemuDPfmPSW6ptV9wQldyg6Bq2x2Qv5BODZmvW/hHN2RDfn\nySnVZmqA474crtV/hHXZStpUge9xgu/+5eWicRY1KrjB2u4wzkAfWVP2r/sY\nAoH6lUGy9yohyFhrXWC5Gz86tp3YDlKACUA6u3q6Jh9yXDDKwX727gS5cLyN\nkp4YAjTShqsj1u1R4mSo7JXtvNUzQ6+aNCIcalGeYJfgekbkhL7iPHTmtyAr\n2K1kdAXapxsijcg2CoTXqucilolWZNzZDFyFZY4iWQlCRBS4lRVtodLrKeBF\nfvKGfQU7hxYfQkeZMPbUhLqPhz+hbJgzTWSw8PguNs+dRax3PR4Kuz9Frf5h\nQpIka8sZT3iyhyfLE4IAyM9qr3jTki+zt/Q9s75fGyVJlgyHHht0kvqx/l0f\nIh6xULE+Ul0eHX1VyaU/uXJkzZXu2nBTONFIdtXjTIzaIV5CyMPN5reCnITw\ns4THzSASxQRqijEOiYSmXtqRebHXVSgiiZptRRradRTL6SzqqI7hw7aK25jn\nVxMpFh5pE4RfntrAqTq5FjnlsCwBQ8tuNuNozAQ/esRahiFmY2yz2atW8Gqr\n+VK3eZyTmtchHFH/EM6EZnMQK9WybkhbQBUhRzVsBeg1VxWQdgABXYsfOFua\nkbpeW3+C8aaQd3Y3/kwmON4Akd8DVvdStjuYBV+/DUXI96/DltgGZ5CwvqUV\nTXfIwfaB445BwOhjbsWkaNrYVUPVgPhDJjRWojd7mqqwsmQkn5jn3cZG1TEN\n2dmyVflddFjiYS0tHjsHLl9Gj0m91WGPMVubQ88nGaTHjIHn1VN7uvK3bjSI\n95OpigSMYRyMf0ncvgQ8SW0V9jJGIjJZ5aOwR0C2sxrpdvoech+QfQalm7Ue\n6XXcAZPOG4CCgPVBMx0ev3KHr/sK2RJruLKsiq5dn5PZBA7qN10Z0VrHwNgr\nixGCvfl8w7sKtx6PuDnrYbQSFuAAY1YBd5oO5bGjthBgIpP8huTjHI+sKIsg\nhKsHMg9acNjbJo5T+1x7HCMQ+GFUjl/ZCTL5vX2bpmLbP/2GWpVXs+b0qEbY\nE8POUgrt708ceuSoQuGnXILH3WMor61YNkWb8+CmpwJtxcEWZvEOs6SDj+qq\nioZvXqVv8iS1xkaB2bL7W3oPvrIxmy1l+UQJravyH+OgHr
Tr5zUCV2gSxRo2\nN9bEy2SpiSpH7ElYFdiTZ4uAvUbEoQQDHsVBuK6DiYOz40HPBe+F4Res7saw\niibydZyqbi+iVspCi0TjUgmISQk=\n", 5 | "iv": "cuhZvXf3P0Kx+nPrrSM4FA==\n", 6 | "version": 1, 7 | "cipher": "aes-256-cbc" 8 | }, 9 | "key": { 10 | "encrypted_data": "bWOCTcxeyXOKNgZGT5Nze9nvbR21W2nEBs0GEw1vZ3c2ARsZkCg0DrCGmbdX\net6s1qHAfbMcB5bhb347KTLQvqUvxL24nm11/AM7FLqhANEI7kqCurP6Ag8z\nK0A5B00kgrfdJGP55cuQId9d/JhjdzDuKGcFL0vCX7ZB4fHAEuV9e6/9g9g3\nIKEfMb+zgyohRGfL1bHbAExgyd9CtmhToTdeGAEXJ+79dOC9d5qsVviklqv9\n8wU2YJmHCDCVFm9jxWezEU40/wJnnScseq96g1YwwKWGr6irUSVmfKYUBib/\nJ8Erj23LO1NDRaajAUACJkO7sbmGs93AxpV9HynZdfUoaHm9VNtaesacMpb0\nAOCsWF+vRjGrwnog1QJ20elZQcxLzaxVnc7x+1qQzA7262XVq7pDYPZIveRl\nqeN7w69teBnLu/rRgIGJq81hApw8krSPqissHDkIRG6vecUeJxm1ohR751DM\neXsXK2vOw4dmR1X/KqAHhj877KeLIDjWfQMcVuh0i8kqno815oTg114zp4dK\nkBPmWuDoYXWSm8UsxrzwD3KfRZw6e64yZacXfoknsSj/fvIdo2eyCiGEF8Wk\nulCCVuYZuEwVUTuZndlSG/jqfsqT1afKuNcRap0jz1s07leaGnkPoa+2Mw3u\nuTMnsKzxodEnR4HBI0szSY6ciYJ9Ea+LHjOpybX9GG1ZBAXS6/QwvPuUnQut\nKmk8YGUWJByWgUPfhayCLXVe1jjAES2OTSWFdZS+YrSN/9GPPNPYx6AV59fq\npGa3gKaYO7O9YbqQVKpaUxNy+6f2DG7jW/SlD4AzxVn1Jg4uvvBW37th4EvF\njwHdQ1kKBzVAlypSDqSKAWy55aD2Ftb68pd4bndK/3pAzzhcamqpGiqdw+8k\nK0sUiyJjhT8JwV7GO6lwz//SS8af+meFMT25zRcgpuIz6U0CjT2cJBn/sEGP\ns7jDhAnKmAwHWfhNzO0yKXKagV3jYjjsiEBjv0Do0KnKPXmbzT2CJbitMr0h\noZU6QY4esZ65ix/Y7udWYi0xNO0s7lAm8ZQdD4BWUE/kXCKuqR86G1c0e00z\nn39rQVzQ8ryCDFHhMw3sYtOSMuhdvYJP7M9UN7Rif8qKAE9YxdQQDjukk+YY\nbXBBBX+z6PMc2oMsNqpk0b5ajeS0pb4/BskiPGv7ZWpJZoOtlrtdE9CNMhz1\np95LfrU9tKLZgM1ZO3Ul4rFN9+z1SNh00We9ZyCV6Mh6Xi6vN5jDfhfrqfGw\n3OPHq7iGT8QjZW57tyzzmC+bdtrMe6GUpBt55CXMHJ5RVr4hdSzrmem2UI+X\nzc/qWouSKBcfYA2o7dWXREo35G8ohbCQHTbb0yHvIMzS5rpeIsOO8QnEpTNm\nwf8rWdE2yH//xrcck5HDLSPLlxxtU6cokPr7cv2EFkjoEO3YKanYOe1UyZkm\nQCipmb+9ktOxmUKaBZfCB7A1GhVt2j27RQJtU/1oWzzVo2hoP4F3p4HKbFDi\ni0LP46jUwBrPcm9uof0/9pIeFFheLlbUd+4JV+uAj20CQnFuSohupdra79Ic\nwD50mw2E+SAcUGEyvqxyS26cqFqv6BmF7LkNjISojNvp0ddiOE++lLCZyj3n\nMlCSWILBQaS4eqSbxbjlWyHHj04GJTstQyICHTkeWZdqOP6lcZEUNamAav1G\n/vVWpDorKbwPC6z4Fb0bQir
YkUB1F5/j92Nvh+dQagroubNOEOWM9MvpxGjR\nQ/2sXaxLvehZtUEdHTW5XMg5uQKD+9ff9LCy4udKeKMi4yQ/1k5X6vB+7/ba\nq8nZTtF2NJyuczStofeF2Pxs8tUaecz0TQofcpZ1I887RRGyhjoZdhUoJKMB\nUpFtln5BJipTebWtcJD3xw6083v2W0+lPVv6r6CR8yrIgAn7fYEb4GTPkmYF\naaY82AVv4C47od4/XRM9+Di+NtOhCCg+Bhbi45YLsiUUutuN7l6N+/vstsUD\n+KhNhAdj27Mu6e9fhh4Gyyo72yhCshBrc2U71C/HftKZLDNqkKJKc62NGbtl\nmWoTOGd9SZSo/hGATL00p+lOVTAlUJuWV5TipIatz7KvdnB2rNMjBjRTemSJ\nC8bZUlaCQFzX6g37j8PVcpQgTkOBes+EVNTlhHZsHLKnhO2vhyWAy3AajHk+\ncf1Vp/7MdDk+06p+9fpkvL9WyALKHxHyXiZHkHTKNFnObaYaWFga/wOLAtm9\n2Uez9JdaSOsYl23TNaNOBYvLshANksohg3QUzlNtBx/IAKfUqB8lfZrQFG5h\nNDwDVJZqePjmzKar8YGhkCIw\n", 11 | "iv": "NX/qw1XFNGQ/ZxeFBD9lmA==\n", 12 | "version": 1, 13 | "cipher": "aes-256-cbc" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /test/integration/https/encrypted_data_bag_secret: -------------------------------------------------------------------------------- 1 | XvR9kZGUU3jS1efd5a8rkMUWWughp8xIKdNfHnBtBISyoJ7oxXaKw8Ruf0eMAZgA 2 | xDv6KAw/SN3YYzxdKEFcyoFRdX9ZxlozU2JTLcUV0vdkj9IlMsy9a22QaEDzZq6m 3 | AwtL4mgLDokS+8zbRkCfpi0EmItHoPMO/qV++jBac8AfVv4gW0Ee01dTzvhjmMio 4 | CQD08b4rtzhaVwPcQnt+8vewJ6HkbGqDiYpb/3BvhSe8ZN8ghfwRm548jd6O/Whu 5 | GP2ymSlmAjJmcJQdfqB6MAl4XdgAE/Vp6itoxeCKsRi8reE1+bUYBp9Y8Pyf2q1Z 6 | OK15C0J0z/t+uL56EKHI2Et3QN/oY5qnPy6TGOv6apL2ESV5tCUi+idlaDe0NSHb 7 | OggM63ZsT4Gk+EmoAIt7+SZpMuWINrwc7f10x7eJss3EwH721vayJIwNgDnQAQHD 8 | R2z/D6NQMGmZC3LUw45MiFQFPkiBQVNpJgEKk7rB1uUakSLOjLOaFwO9JEwMEaMT 9 | Tv7YNckGtERhLiGXWopTLP2p6brdRiapiqJ0RpgkA2hFBfx1QmtyRrKltS57MysI 10 | KzyDXtQNCkGZNwUlCkZO0s/CV64eV9SpXKy1h4Dg3jxeXBo1j/4lKXB39EUh+AAD 11 | oSZeKm7SEBSmqRltuMJca/d2VD1eYiCfWP4OBmU2J88= 12 | -------------------------------------------------------------------------------- /test/integration/metadata.rb: -------------------------------------------------------------------------------- 1 | name 'gitlab-test' 2 | maintainer 'James Le Cuirot' 3 | maintainer_email 'james.le-cuirot@yakara.com' 4 | 
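license 'Apache 2.0'
description 'Test cookbook for gitlab'
long_description 'Test cookbook for gitlab'
version '0.1.0'
--------------------------------------------------------------------------------
/test/integration/recipes/default.rb:
--------------------------------------------------------------------------------
#
# Author:: James Le Cuirot
# Cookbook Name:: gitlab-test
# Recipe:: default
#
# Copyright (C) 2017 Yakara Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Integration-test helper recipe: it creates cache directories under
# /tmp/vagrant-cache and symlinks the npm and yarn cache locations to them
# (presumably so downloads survive between converges of the test VM — the
# directory name suggests this, the recipe itself does not say).
#
# NOTE(review): /tmp/vagrant-cache is a world-accessible location inside the
# test box, and the links below make the current user's npm cache and the
# system-wide yarn cache follow it. That is acceptable for a throwaway
# integration VM; it is not a pattern to reuse on a real host, where a cache
# reachable by other local users could be tampered with.

# Resolve the home directory once. ENV.fetch raises a descriptive KeyError
# when HOME is unset, instead of the NoMethodError that `nil + '/.npm'`
# would have produced in the original.
home = ENV.fetch('HOME')

directory '/tmp/vagrant-cache/npm' do
  recursive true
end

link "#{home}/.npm" do
  to '/tmp/vagrant-cache/npm'
end

directory '/tmp/vagrant-cache/yarn' do
  recursive true
end

# Parent directory for the yarn link below; presumably the path yarn uses
# for its cache when run as root — confirm against the yarn setup in use.
directory '/usr/local/share/.cache' do
  recursive true
end

link '/usr/local/share/.cache/yarn' do
  to '/tmp/vagrant-cache/yarn'
end
--------------------------------------------------------------------------------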
