├── .gitmodules ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── app-server ├── README.md └── puma │ ├── README.md │ └── puma.rb ├── database ├── migrate-mysql-to-postgres │ └── README.md └── usage_postgresql_9.3 │ └── README.md ├── e-mail └── configure_email.md ├── import ├── bitbucket │ ├── LICENSE │ ├── README.md │ └── bitbucket2gitlab.rb └── github │ ├── enterprise │ ├── README.md │ ├── jk.rb │ ├── jk │ │ ├── ad.rb │ │ ├── githubz.rb │ │ └── gitlabz.rb │ ├── migrate.rb │ ├── update_gitlab.rb │ └── update_hooks.rb │ └── import_all.rb ├── init ├── README.md ├── init │ └── freebsd │ │ └── gitlab-unicorn ├── systemd │ ├── README.md │ ├── gitlab-gitaly.service │ ├── gitlab-mailroom.service │ ├── gitlab-sidekiq.service │ ├── gitlab-unicorn.service │ └── gitlab-workhorse.service └── sysvinit │ ├── centos │ ├── README.md │ ├── gitlab-only-sidekiq │ ├── gitlab-puma │ └── gitlab-unicorn │ └── debian │ ├── README.md │ └── gitlab-puma ├── install ├── README.md ├── archlinux │ └── README.md ├── centos │ └── README.md ├── freebsd │ ├── README.md │ └── freebsd-10.md ├── gentoo │ └── README.md └── pkgr │ └── README.md ├── misc ├── change-git-home-directory │ └── README.md ├── multiple-instances │ └── README.md └── ssl-certificate-implemented │ └── README.md └── web-server ├── README.md ├── apache ├── README.md ├── gitlab-apache22.conf ├── gitlab-apache24.conf ├── gitlab-omnibus-apache22.conf ├── gitlab-omnibus-apache24.conf ├── gitlab-omnibus-ssl-apache22.conf ├── gitlab-omnibus-ssl-apache24.conf ├── gitlab-ssl-apache22.conf └── gitlab-ssl-apache24.conf ├── caddy ├── Caddyfile └── README.md ├── lighttpd ├── 10-gitlab.conf └── README.md └── nginx ├── README.md ├── gitlab-omnibus-nginx.conf └── gitlab-omnibus-ssl-nginx.conf /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "database/migrate-mysql-to-postgres/mysql-postgresql-converter"] 2 | path = database/migrate-mysql-to-postgres/mysql-postgresql-converter 3 | url = 
https://github.com/lanyrd/mysql-postgresql-converter.git 4 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## Developer Certificate of Origin + License 2 | 3 | By contributing to GitLab B.V., You accept and agree to the following terms and 4 | conditions for Your present and future Contributions submitted to GitLab B.V. 5 | Except for the license granted herein to GitLab B.V. and recipients of software 6 | distributed by GitLab B.V., You reserve all right, title, and interest in and to 7 | Your Contributions. All Contributions are subject to the following DCO + License 8 | terms. 9 | 10 | [DCO + License](https://gitlab.com/gitlab-org/dco/blob/master/README.md) 11 | 12 | _This notice should stay as the first item in the CONTRIBUTING.md file._ 13 | 14 | # Contribute to GitLab recipes 15 | 16 | This guide details how to use issues and pull requests to improve GitLab recipes. 17 | 18 | Please stick as close as possible to the guidelines. That way we ensure quality guides 19 | and easy to merge requests. 20 | 21 | Your Pull Request will be reviewed by one of our devs/volunteers and you will be 22 | asked to reformat it if needed. We don't bite and we will try to be as flexible 23 | as possible, so don't get intimidated by the extent of the guidelines :) 24 | 25 | For better maintainance and clarity, some naming guidelines should be followed. 26 | See details in each section below. 27 | 28 | ## License 29 | 30 | MIT, see [LICENSE](LICENSE). 31 | 32 | ## Merge Request title 33 | 34 | Try to be as more descriptive as you can in your Merge Request title. 35 | 36 | Particularly if you are submitting a new script or guide, include in the title, 37 | information about GitLab version, OS tested on and any other relevant info. 
38 | 39 | For example some good titles would be: 40 | 41 | * [Installation script] GitLab 6.x - Ubuntu 12.04 - Apache 42 | * [Guide] GitLab 6.1 - FreeBSD - postgres, rvm 43 | 44 | ## Guides 45 | 46 | Each installation guide has its own namespace and it should be provided in a 47 | `README` file so that it renders first when viewing the repository. Submit a new 48 | one in `install/platform/README.md` (it doesn't have to be strictly in markdown though). 49 | 50 | ## Scripts 51 | 52 | Installation scripts reside in `install/platform/scripts/`, so if you have one, 53 | submit it there. They should named after the following scheme: `platform-platform_version`. 54 | 55 | Example: `ubuntu-server-12.04.sh` 56 | 57 | You are strongly encouraged to also provide a `README` file that describes 58 | how to use the script. You may have included all the needed info in the script 59 | itself (recommended), so you could simply write something between the lines: 60 | 61 | > This script installs GitLab 6.0 on Archlinux. Run it with `./archlinux.sh your_domain_name` 62 | > 63 | > For more info and variables you can change, read the comments in the script. 64 | 65 | 66 | ### Scripts doing similar things 67 | 68 | There is a strong possibility that your script will do similar things to what a 69 | script already in this repo do. In that case, please work on the existing script 70 | and enhance it with your changes. No need to duplicate things. 71 | 72 | ## What information to put on your guide/script etc (mandatory) 73 | 74 | If you have an installation guide to provide, fill in the template and place it on top 75 | of it or include it in your installation script (commented), again on top. Try to 76 | include as many items of this template as you can. 
77 | 78 | ### Template 79 | 80 | ``` 81 | Distribution : 82 | GitLab version : 83 | Web Server : 84 | Init system : 85 | Database : 86 | Contributors : 87 | Additional Notes : 88 | ``` 89 | 90 | ### Explanation 91 | 92 | | Label | Explanation | 93 | | ---------------- | ------------------------- | 94 | | Distribution | The official name and version of the platform/distribution, case sensitive. | 95 | | GitLab version | GitLab version on which the guide/script was tested. | 96 | | Web Server | The web server used to serve GitLab. May be two-fold, eg. apache with mod_passenger. | 97 | | Init system | (Optional but recommended) The init system used by the platform if any. Examples: `sysvinit`, `systemd`, `upstart`, `openrc`, etc | 98 | | Database | The database used for installation. Examples: `mysql`, `postgres`, `mariadb`. | 99 | | Contributors | Your github username (recommended in order to track you and give credits) or your real name or both. Example of the latter: **thedude (Jeffrey Lebowski)** | 100 | | Additional Notes | Anything else you want to add. Any deviations from the official guide can be reported here. Eg. using rvm for ruby install, storing in different locations, etc.| 101 | 102 | 103 | ### Example 104 | 105 | ``` 106 | Distribution : Fedora 19 107 | GitLab version : 5.4 108 | Web Server : apache with mod_passenger 109 | Init system : systemd 110 | Database : mariadb 111 | Contributors : thedude 112 | Additional Notes : the script uses rvm to install ruby 113 | ``` 114 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2011-2017 GitLab B.V. 
2 | 3 | With regard to the GitLab Software: 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | 23 | For all third party components incorporated into the GitLab Software, those 24 | components are licensed under the original license provided by the owner of the 25 | applicable component. 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## GitLab recipes: unofficial guides for using GitLab with different software 2 | 3 | For configuring the Omnibus packages with a non-packaged webservers, database, redis please see the [Omnibus docs](http://doc.gitlab.com/omnibus/) 4 | 5 | Here you will find unofficial guides for using GitLab with different software (operating systems, web servers, etc.) 6 | provided by the community, for systems other than the officially supported (Debian/Ubuntu). 
7 | 8 | Bear in mind that this repository is co-maintained by volunteers/contributors like you. 9 | 10 | ## Contributing 11 | 12 | See [contributing.md](CONTRIBUTING.md) for contribution guidelines. 13 | 14 | ## Notes on the reliability of guides/scripts 15 | 16 | * We will try to test everything before accepting PRs, in a clean, newly installed platform. 17 | * You should read a script and understand what it does prior to running it. 18 | * If something goes wrong during installation and you think the guide/script needs fixing, file a bug report or submit a Pull Request. 19 | -------------------------------------------------------------------------------- /app-server/README.md: -------------------------------------------------------------------------------- 1 | This section provides additional configuration files for various application servers. 2 | 3 | If you have something to contribute please read the [contributing guidelines](../CONTRIBUTING.md). 4 | 5 | -------------------------------------------------------------------------------- /app-server/puma/README.md: -------------------------------------------------------------------------------- 1 | Alternative configuration file for the `puma` application server. Copy it under `/home/git/gitlab/config/`. 2 | 3 | ## How to replace unicorn with puma 4 | 5 | The easiest solution is to create a separate branch from the latest stable release 6 | and work from there. Then, with every release we can merge the stable branch into ours. 7 | Replace `latest-stable` with the latest stable branch. 
8 | 9 | ``` 10 | su 11 | service gitlab stop 12 | su - git 13 | cd gitlab/ 14 | git checkout latest-stable 15 | git checkout -b puma 16 | sed -i 's/unicorn/puma/' Gemfile 17 | 18 | # For mysql 19 | bundle install --without development test postgres --path vendor/bundle --no-deployment 20 | 21 | # For postgres 22 | bundle install --without development test mysql --path vendor/bundle --no-deployment 23 | ``` 24 | 25 | ### Update GitLab version 26 | 27 | When a new release is out all you have to do is merge it in puma branch. 28 | 29 | ``` 30 | # As git user 31 | 32 | cd /home/git/gitlab/ 33 | git checkout master 34 | git fetch 35 | git checkout puma 36 | git merge latest-stable 37 | ``` 38 | 39 | Then follow the official update instructions about migrations and the bundle install command. 40 | -------------------------------------------------------------------------------- /app-server/puma/puma.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env puma 2 | 3 | # Start Puma with next command: 4 | # RAILS_ENV=production bundle exec puma -C ./config/puma.rb 5 | 6 | # uncomment and customize to run in non-root path 7 | # note that config/gitlab.yml web path should also be changed 8 | # ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab" 9 | 10 | application_path = '/home/git/gitlab' 11 | directory application_path 12 | environment 'production' 13 | daemonize true 14 | pidfile "#{application_path}/tmp/pids/puma.pid" 15 | state_path "#{application_path}/tmp/pids/puma.state" 16 | stdout_redirect "#{application_path}/log/puma.stdout.log", "#{application_path}/log/puma.stderr.log" 17 | 18 | # Configure “min” to be the minimum number of threads to use to answer 19 | # requests and “max” the maximum. 20 | # 21 | # The default is “0, 16”. 22 | # 23 | # threads 0, 16 24 | 25 | # Bind the server to “url”. “tcp://”, “unix://” and “ssl://” are the only 26 | # accepted protocols. 27 | # 28 | # 29 | # The default is “tcp://0.0.0.0:9292”. 
30 | # 31 | # bind 'tcp://0.0.0.0:9292' 32 | # bind 'unix:///var/run/puma.sock' 33 | # bind 'unix:///var/run/puma.sock?umask=0777' 34 | # bind 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert' 35 | # 36 | ## Comment the next line if you use apache. 37 | bind "unix://#{application_path}/tmp/sockets/gitlab.socket" 38 | 39 | # Instead of “bind 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert'” you 40 | # can also use the “ssl_bind” option. 41 | # 42 | # ssl_bind '127.0.0.1', '9292', { key: path_to_key, cert: path_to_cert } 43 | 44 | # Code to run before doing a restart. This code should 45 | # close log files, database connections, etc. 46 | # 47 | # This can be called multiple times to add code each time. 48 | # 49 | # on_restart do 50 | # puts 'On restart...' 51 | # end 52 | 53 | # Command to use to restart puma. This should be just how to 54 | # load puma itself (ie. 'ruby -Ilib bin/puma'), not the arguments 55 | # to puma, as those are the same as the original process. 56 | # 57 | # restart_command '/u/app/lolcat/bin/restart_puma' 58 | 59 | # === Cluster mode === 60 | 61 | # How many worker processes to run. 62 | # 63 | # The default is “0”. 64 | # 65 | # workers 2 66 | 67 | # GitLab cluster mode recommendations 68 | # If you have more than 1 GB RAM, uncomment one of the following lines: 69 | # 70 | # workers 2 # if you have at least 1.5 GB RAM 71 | # workers 3 # if you have at least 2 GB RAM 72 | # workers 4 # if you have at least 2.5 GB RAM 73 | 74 | # Code to run when a worker boots to setup the process before booting 75 | # the app. 76 | # 77 | # This can be called multiple times to add hooks. 78 | # 79 | # on_worker_boot do 80 | # puts 'On worker boot...' 81 | # end 82 | 83 | # === Puma control rack application === 84 | 85 | # Start the puma control rack application on “url”. This application can 86 | # be communicated with to control the main server. 
Additionally, you can 87 | # provide an authentication token, so all requests to the control server 88 | # will need to include that token as a query parameter. This allows for 89 | # simple authentication. Because the control app can stop or restart the server, replace the sample token below with a long random value, and use no_token only when access to the socket is already restricted. 90 | # 91 | # Check out https://github.com/puma/puma/blob/master/lib/puma/app/status.rb 92 | # to see what the app has available. 93 | # 94 | # activate_control_app 'unix:///var/run/pumactl.sock' 95 | # activate_control_app 'unix:///var/run/pumactl.sock', { auth_token: '12345' } 96 | # activate_control_app 'unix:///var/run/pumactl.sock', { no_token: true } 97 | -------------------------------------------------------------------------------- /database/migrate-mysql-to-postgres/README.md: -------------------------------------------------------------------------------- 1 | ***The following howto assumes that you are running Debian 7 (wheezy)*** 2 | 3 | # Stop Gitlab 4 | 5 | ```bash 6 | service gitlab stop 7 | ``` 8 | 9 | # Install postgresql 10 | 11 | ```bash 12 | sudo apt-get install -y postgresql-9.1 postgresql-client libpq-dev 13 | ``` 14 | 15 | # Initial Setup 16 | 17 | The following initial setup was taken from installation.md from the main installation doc 18 | 19 | ```bash 20 | # Login to PostgreSQL 21 | sudo -u postgres psql -d template1 22 | 23 | # Create a user for GitLab. 
24 | template1=# CREATE USER git; 25 | 26 | # Create the GitLab production database & grant all privileges on database 27 | template1=# CREATE DATABASE gitlabhq_production OWNER git; 28 | 29 | # Quit the database session 30 | template1=# \q 31 | 32 | # Try connecting to the new database with the new user 33 | sudo -u git -H psql -d gitlabhq_production 34 | ``` 35 | 36 | # Install postgres gem 37 | 38 | ```bash 39 | cd ~git/gitlab 40 | sudo -u git -H bundle install --deployment --without development test mysql aws 41 | ``` 42 | 43 | # Dump the mysql database 44 | 45 | Do this as root; you will also need the root password for mysql. The dump and the converted file hold the whole GitLab database, including password hashes and tokens: make sure they are not world-readable in `/tmp` (the `git` user only needs to read the converted `.psql` file for the import step) and delete both once the import has succeeded. 46 | 47 | ```bash 48 | mysqldump --compatible=postgresql --default-character-set=utf8 -r /tmp/gitlabhq_production.mysql -u root -p gitlabhq_production 49 | ``` 50 | 51 | # Convert the mysql to postgres import 52 | 53 | ```bash 54 | wget https://raw.github.com/lanyrd/mysql-postgresql-converter/master/db_converter.py -O /tmp/db_converter.py 55 | python /tmp/db_converter.py /tmp/gitlabhq_production.mysql /tmp/gitlabhq_production.psql 56 | ``` 57 | 58 | ***Note:*** This was tested using debian 7, with python 2.7.3. The `wget` above runs whatever is on the converter's `master` branch at download time; this repository also tracks the converter as the `mysql-postgresql-converter` submodule in this directory, which gives a fixed revision you can review first. 
59 | 60 | # Import the database 61 | 62 | ```bash 63 | sudo -u git -H psql -d gitlabhq_production -f /tmp/gitlabhq_production.psql 64 | ``` 65 | 66 | # Update database config 67 | 68 | ```bash 69 | cd ~git/gitlab/config 70 | sudo -u git -H cp database.yml database.yml.backup 71 | sudo -u git -H cp database.yml.postgresql database.yml 72 | ``` 73 | 74 | The defaults from the database.yml should work if you have not made any modifications to the postgres authentication. You may need to change database.yml to suit your config. 
75 | 76 | # Start Gitlab service 77 | 78 | ```bash 79 | service gitlab start 80 | service nginx restart 81 | ``` 82 | 83 | # Check application Status 84 | 85 | Check if GitLab and its environment are configured correctly: 86 | 87 | ```bash 88 | cd ~git/gitlab 89 | sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production 90 | ``` 91 | 92 | To make sure you didn't miss anything run a more thorough check with: 93 | 94 | ```bash 95 | cd ~git/gitlab 96 | sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production 97 | ``` 98 | 99 | -------------------------------------------------------------------------------- /database/usage_postgresql_9.3/README.md: -------------------------------------------------------------------------------- 1 | # Usage of PostgreSQL 9.3 2 | 3 | ``` 4 | Distribution : Debian Wheezy 5 | GitLab version : 7.x 6 | Database : PostgreSQL 7 | Contributors : @bionix 8 | ``` 9 | 10 | This recipe shows how to upgrade the PostrgreSQL database from version 9.1 to 9.3. 11 | It is **strongly recommended** to take a [backup][] of your GitLab database before 12 | following the next steps. 13 | 14 | ## Install PostgreSQL 9.3 15 | 16 | Install the [official PostgreSQL Debian/Ubuntu repository][apt]: 17 | 18 | cat >> /etc/apt/sources.list.d/pgdg.list << EOF 19 | deb http://apt.postgresql.org/pub/repos/apt/ wheezy-pgdg main 20 | EOF 21 | 22 | Install the repository signing key: 23 | 24 | sudo apt-get install wget ca-certificates 25 | wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add - 26 | 27 | Update your apt lists: 28 | 29 | sudo apt-get update 30 | 31 | Upgrade your installed packages: 32 | 33 | sudo apt-get upgrade 34 | 35 | ## Intregation in the manual installation process 36 | 37 | If you arrive the point 4 in the manual [4. 
Database][db-manual], replace the 38 | first step with the following command: 39 | 40 | sudo apt-get install -y postgresql-9.3 postgresql-client-9.3 libpq-dev 41 | 42 | After that, follow the normal manual instructions. 43 | 44 | ## Upgrade from PostgreSQL version 9.1 to 9.3 45 | 46 | Stop your Gitlab service: 47 | 48 | sudo service gitlab stop 49 | 50 | Install all PostgreSQL packages for your environment: 51 | 52 | sudo apt-get install -y postgresql-9.3 postgresql-server-dev-9.3 postgresql-contrib-9.3 postgresql-client-9.3 libpq-dev 53 | 54 | Extend your PostgreSQL 9.3. server with your extensions: 55 | 56 | sudo su - postgres -c "psql template1 -p 5433 -c 'CREATE EXTENSION IF NOT EXISTS hstore;'" 57 | sudo su - postgres -c "psql template1 -p 5433 -c 'CREATE EXTENSION IF NOT EXISTS \"uuid-ossp\";'" 58 | 59 | Stop your PostgreSQL server daemons (both!): 60 | 61 | sudo service postgresql stop 62 | 63 | Make the migration from 9.1 to 9.3: 64 | 65 | sudo su - postgres -c '/usr/lib/postgresql/9.3/bin/pg_upgrade \ 66 | -b /usr/lib/postgresql/9.1/bin \ 67 | -B /usr/lib/postgresql/9.3/bin \ 68 | -d /var/lib/postgresql/9.1/main/ \ 69 | -D /var/lib/postgresql/9.3/main/ \ 70 | -O " -c config_file=/etc/postgresql/9.3/main/postgresql.conf" \ 71 | -o " -c config_file=/etc/postgresql/9.1/main/postgresql.conf"' 72 | 73 | Remove your old PostgreSQL version, if you have no issues: 74 | 75 | sudo apt-get remove -y postgresql-9.1 76 | 77 | Change the listen port of your PostgreSQL 9.3 server: 78 | 79 | sudo sed -i "s:5433:5432:g" /etc/postgresql/9.3/main/postgresql.conf 80 | 81 | Start your PostgreSQL service: 82 | 83 | sudo service postgresql start 84 | 85 | Start your Gitlab service: 86 | 87 | sudo service gitlab start 88 | 89 | Done! 
90 | 91 | [backup]: http://doc.gitlab.com/ce/raketasks/backup_restore.html 92 | [apt]: https://wiki.postgresql.org/wiki/Apt 93 | [db-manual]: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/install/installation.md#4-database 94 | -------------------------------------------------------------------------------- /e-mail/configure_email.md: -------------------------------------------------------------------------------- 1 | ## Centos - Sendmail 2 | 3 | su - 4 | yum -y install sendmail-cf 5 | cd /etc/mail 6 | vim /etc/mail/sendmail.mc 7 | 8 | Add a line with the smtp gateway hostname 9 | 10 | define(`SMART_HOST', `smtp.example.com')dnl 11 | 12 | Then replace this line: 13 | 14 | EXPOSED_USER(`root')dnl 15 | 16 | with: 17 | 18 | dnl EXPOSED_USER(`root')dnl 19 | 20 | Now enable these settings with: 21 | 22 | make 23 | chkconfig sendmail on 24 | 25 | ### Forwarding all emails 26 | 27 | Now we want all logging of the system to be forwarded to a central email address: 28 | 29 | su - 30 | echo adminlogs@example.com > /root/.forward 31 | chown root /root/.forward 32 | chmod 600 /root/.forward 33 | restorecon /root/.forward 34 | 35 | echo adminlogs@example.com > /home/git/.forward 36 | chown git /home/git/.forward 37 | chmod 600 /home/git/.forward 38 | restorecon /home/git/.forward -------------------------------------------------------------------------------- /import/bitbucket/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2014, Inbot, Inc. 
2 | 3 | Permission is hereby granted, free of charge, to any person obtaining 4 | a copy of this software and associated documentation files (the 5 | "Software"), to deal in the Software without restriction, including 6 | without limitation the rights to use, copy, modify, merge, publish, 7 | distribute, sublicense, and/or sell copies of the Software, and to 8 | permit persons to whom the Software is furnished to do so, subject to 9 | the following conditions: 10 | 11 | The above copyright notice and this permission notice shall be included 12 | in all copies or substantial portions of the Software. 13 | 14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 15 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 16 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 17 | IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 18 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, 19 | TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 20 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 21 | -------------------------------------------------------------------------------- /import/bitbucket/README.md: -------------------------------------------------------------------------------- 1 | # bitbucket2gitlab 2 | 3 | Port your issues over from bitbucket. 4 | 5 | > This script is kindly taken from . 6 | > Modified README for the gitlab-recipes repository. 7 | 8 | ### Instructions 9 | 10 | **Note:** It is recommended to test this with a test project in GitLab that you 11 | can discard before running this against the real thing. 12 | 13 | 1. From bitbucket go to the project's settings and then select **Import & export**. 14 | Start the export and you should get a zip file with a json file inside. 15 | 1. Unzip it and place `db-1.0.json` in the same folder as the script. 16 | 1. Modify the global variables inside `bitbucket2gitlab.rb` to match your 17 | project settings. 
18 | 1. Run `ruby ./bitbucket2gitlab.rb`. 19 | 1. Repeat steps 1-4 for all your other projects. 20 | 21 | ### Limitations 22 | 23 | - It gets you the raw content (comments and issues) but things like milestones, 24 | assignments, create timestamps, etc. are lost. 25 | - The order of the imported comments is probably wrong (should be sorted by timestamp). 26 | - There is no duplication check, which is annoying if the script breaks mid import 27 | for whatever reason and you need to run it again. 28 | - Attachments are not supported currently. 29 | -------------------------------------------------------------------------------- /import/bitbucket/bitbucket2gitlab.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | require 'json' 4 | require 'net/http' 5 | 6 | ################################################################ 7 | ## Modify the following global variables to match your setup. ## 8 | ################################################################ 9 | ## GitLab host without the 'http(s)://' prefix. This is your FQDN. 10 | @host="host" 11 | @base_url="https://#{@host}/" 12 | 13 | def gitlab_key(email,password) 14 | uri = URI("#{@base_url}/api/v3/session") 15 | res = Net::HTTP.post_form(uri, 'email' => email, 'password' => password) 16 | JSON.parse(res.body)['private_token'] 17 | end 18 | 19 | ## Add your credentials here. Keep the edited script out of version control, or read them from the environment instead of hard-coding them. 20 | @token=gitlab_key('user','password') 21 | 22 | ## Note the %2F to separate namespace and project. 23 | ## For example if your project will be named https://example.com/foo/bar, 24 | ## replace below with 'foo%2Fbar'. 25 | @project='namespace%2Fproject' 26 | 27 | ## Change to 80 if you are not going to use ssl (although you should). 28 | @http = Net::HTTP.new("#{@host}",443) 29 | 30 | ## Set to false if you are not going to use ssl (although you should). 
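@http.use_ssl=true

#########################
## Kick off the import ##
#########################

# Builds an API URI under @base_url. A trailing slash on @base_url is dropped
# first so the request path does not start with "//api/...".
def api_uri(path)
  URI("#{@base_url.chomp('/')}#{path}")
end

# Parses the Bitbucket export file db-1.0.json from the current directory.
# Raises if the file is missing or is not valid JSON.
def load_bitbucket()
  JSON.parse(File.read('db-1.0.json'))
end

# Creates one GitLab issue labelled 'bitbucket2gitlab' in @project.
# Returns the id reported by the API, or nil when the request was rejected,
# so the caller never builds follow-up URLs from a missing id.
def post_issue(title,description)
  uri = api_uri("/api/v3/projects/#{@project}/issues")
  res = Net::HTTP.post_form(uri, 'title' => title, 'description' => description, 'private_token' => @token, 'labels' => ['bitbucket2gitlab'])
  unless res.is_a?(Net::HTTPSuccess)
    warn "issue #{title.inspect} not created: HTTP #{res.code} #{res.body}"
    return nil
  end
  created = JSON.parse(res.body)
  puts created.to_json
  created['id']
end

# Closes the GitLab issue with the given id through the shared @http
# connection and prints the raw response.
def close_issue(id)
  request = Net::HTTP::Put.new("/api/v3/projects/#{@project}/issues/#{id}")
  request.set_form_data({'private_token' => @token, 'state_event' => 'close'})
  response = @http.request(request)
  puts response.inspect
  puts response.body
end

# Adds a note with the given content to the GitLab issue with the given id.
# A rejected request is reported on stderr instead of being parsed as a note.
def post_comment(id,content)
  uri = api_uri("/api/v3/projects/#{@project}/issues/#{id}/notes")
  res = Net::HTTP.post_form(uri, 'body' => content, 'private_token' => @token)
  unless res.is_a?(Net::HTTPSuccess)
    warn "comment on issue #{id} not created: HTTP #{res.code} #{res.body}"
    return
  end
  created = JSON.parse(res.body)
  puts created.to_json
end

# Imports every issue of the Bitbucket export, closes the ones whose status
# is 'resolved', then attaches the exported comments to the issues created.
def import(bitbucket_json)
  # Bitbucket issue id => GitLab issue id, filled only for successful imports.
  id_map = {}
  bitbucket_json['issues'].each do |issue|
    gitlab_id = post_issue(issue['title'], issue['content'])
    next if gitlab_id.nil?
    id_map[issue['id']] = gitlab_id
    close_issue(gitlab_id) if issue['status'] == 'resolved'
  end
  bitbucket_json['comments'].each do |comment|
    next unless comment['content']
    gitlab_id = id_map[comment['issue']]
    if gitlab_id.nil?
      # The parent issue was not imported; posting would target ".../issues//notes".
      warn "skipping comment on bitbucket issue #{comment['issue']}: issue was not imported"
      next
    end
    post_comment(gitlab_id, "#{comment['content']}\n\n#{comment['user']} - #{comment['created_on']}")
  end
end

import(load_bitbucket())

# Prints the project's issues as returned by the API. Not called by the
# import above; kept as a manual check.
def get_issues()
  request = Net::HTTP::Get.new("/api/v3/projects/#{@project}/issues")
  # Sent as a header so the token does not end up in URLs that servers and
  # proxies write to their access logs.
  request['PRIVATE-TOKEN'] = @token
  response = @http.request(request)
  puts response.inspect
  puts response.body
end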
-------------------------------------------------------------------------------- /import/github/enterprise/README.md: -------------------------------------------------------------------------------- 1 | # Github Enterprise Migration and Gitlab Active Directory Sync Example 2 | 3 | This directory contains example code that was used to migrate an installation of Github Enterprise to Gitlab. It also has a script created to periodically sync LDAP/Active Directory users with Gitlab and assign permissions based on group membership. Finally a simple script to add a custom hook to all group repositories is included. 4 | 5 | All code relies solely on the Github and Gitlab APIs for interaction (octokit, gitlab, git, and net/ldap gems). All configuration is done in the top level scripts (migrate.rb, update_gitlab.rb, and update_hooks.rb). All LDAP, Github, and Gitlab specific code is fairly generic and decoupled in classes located in corresponding files under ./jk 6 | 7 | The Github migration should be run as a user that has admin access to all organizations and repositories you wish to migrate. The Gitlab code should also run as an admin user. Note that `jk/ad.rb` connects to LDAP on port 389 with a simple bind and no encryption, so the bind password crosses the network in clear text unless you add TLS (net-ldap's `:encryption` option) before using it. 8 | 9 | Of course this code will likely require heavy modification to suit individual needs but should serve as a decent example. 10 | -------------------------------------------------------------------------------- /import/github/enterprise/jk.rb: -------------------------------------------------------------------------------- 1 | #!/opt/gitlab/embedded/bin/ruby 2 | # require 'openssl' 3 | require './jk/ad' 4 | require './jk/githubz' 5 | require './jk/gitlabz' 6 | 7 | # ruby lets us redefine constants, so we should do it. right? (Leave the next line commented out: it would disable certificate verification for every TLS connection this process makes.) 
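8 | # OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
9 |
10 |
--------------------------------------------------------------------------------
/import/github/enterprise/jk/ad.rb:
--------------------------------------------------------------------------------
require 'net/ldap'

module Jk
  # Small helper around a Net::LDAP connection, used to translate between
  # Active Directory group membership, user DNs and login names.
  class Ad

    # Builds the LDAP client and remembers the search base.
    #
    # host, username, password - directory host and simple-bind credentials
    # base       - search base used by every query in this class
    # port       - LDAP port (default 389, as before)
    # encryption - optional value passed through as Net::LDAP's :encryption
    #              option (for example :start_tls, or :simple_tls with port 636)
    #
    # NOTE(security): with the defaults this is a simple bind on port 389 with
    # no :encryption option, so the bind password and every search result
    # cross the network unencrypted. Prefer passing an encryption method, and
    # check how the installed net-ldap version verifies the server certificate.
    def initialize(host, username, password, base, port = 389, encryption = nil)
      ldap_args = {
        :host => host,
        :port => port,
        :auth => {
          :method => :simple,
          :username => username,
          :password => password
        }
      }
      # Only set the key when asked, so the default call is unchanged.
      ldap_args[:encryption] = encryption if encryption
      @ldap = Net::LDAP.new(ldap_args)
      @treebase = base
    end

    # Looks up one entry by +search_term+ (default "cn") and returns a hash of
    # attribute name => value for the requested attributes.
    #
    # Multi-valued attributes keep only the last value seen, and if several
    # entries match, later entries overwrite earlier ones. Returns {} when
    # nothing matched.
    #
    # NOTE(review): Net::LDAP::Filter.eq does not escape its value, so a "*"
    # in user_name acts as a wildcard. If names can come from outside the
    # directory, escape them first (Net::LDAP::Filter.escape) - confirm
    # against the callers.
    def get_user_login_from_cn(user_name, search_term = "cn")
      attrs = ['samaccountname', 'title', 'displayname', 'memberOf']
      user_hash = {}

      filter = Net::LDAP::Filter.eq(search_term, user_name)

      @ldap.search(:base => @treebase, :filter => filter,
                   :attributes => attrs) { |entry|
        entry.each { |key, vals|
          vals.each { |val| user_hash[key] = val }
        }
      }
      user_hash
    end

    # Resolves a login (default attribute "samaccountname") to the entry's DN.
    #
    # Returns the DN when an entry with a DN starting with "CN=" is found;
    # otherwise returns +user_name+ unchanged, so callers cannot tell a miss
    # from a hit without inspecting the value.
    def get_user_cn_from_login(user_name, search_term = "samaccountname")
      atr = 'dn'

      filter = Net::LDAP::Filter.eq(search_term, user_name)

      @ldap.search(:base => @treebase, :filter => filter,
                   :attributes => [atr]) { |entry|
        entry[atr.to_sym].each { |value|
          user_name = value if value =~ /^CN=(.+)/
        }
      }
      user_name
    end

    # Returns member DN => attribute hash (see get_user_login_from_cn) for
    # every "member" value of the group whose cn is +group_name+.
    #
    # One extra LDAP search is issued per member. The leading CN is taken with
    # /^CN=([^,]+)/, so a CN containing an escaped comma would be cut short.
    def get_ldap_group_members_info_hash(group_name)
      mem_atr = 'member'
      users_hash = {}

      filter = Net::LDAP::Filter.eq("cn", group_name)

      @ldap.search(:base => @treebase, :filter => filter,
                   :attributes => [mem_atr]) { |entry|
        entry[mem_atr.to_sym].each { |value|
          if value =~ /^CN=([^,]+)/
            users_hash[value] = get_user_login_from_cn($1)
          end
        }
      }
      users_hash
    end

    # Returns an array with the DN of every "member" value of the group whose
    # cn is +group_name+; empty when the group has no match.
    def get_ldap_group_members_cn_array(group_name)
      mem_atr = 'member'
      users_arr = []

      filter = Net::LDAP::Filter.eq("cn", group_name)

      # if this group exists in AD we want to get the current group
      # members
      @ldap.search(:base => @treebase, :filter => filter,
                   :attributes => [mem_atr]) { |entry|
        entry[mem_atr.to_sym].each { |value|
          users_arr.push(value) if value =~ /^CN=([^,]+)/
        }
      }
      users_arr
    end

    # Pass in a hash of team_name => members and a hash of org_name => teams
    # Gitlab has no concept of teams so we'll just grant them access directly
    # to each gitlab group (github orgs == gitlab groups)
    #
    # From github, the team hash => member name array is in form of github logins
    # eg "sbody" or whatever
    # What we want to end up with is team_name => array of user_ldap_cns
    # eg "CN=Some Body,OU=Users,OU=ad,DC=testers,DC=com"
    #
    # The reason we want a key of CN is due to querying ldap membership returning
    # only CNs. We want a quick lookup on that.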
108 | def get_membership_hashes(orgs_hash, groups_hash, ldap_github_group) 109 | @ad_groups = groups_hash 110 | @orgs = orgs_hash 111 | 112 | github_ad_members = get_ldap_group_members_info_hash(ldap_github_group) 113 | 114 | @ad_groups.each { |ad_group_name, value| 115 | # if there is a ad group we'll pull members from there and 116 | # ignore what was already in this hash for this ad_group_name (which 117 | # likely came in from github and was an array of user_names 118 | # instead of CNs) 119 | user_hash_array = get_ldap_group_members_cn_array(ad_group_name) 120 | if (user_hash_array.size > 0) 121 | @ad_groups[ad_group_name] = user_hash_array 122 | else 123 | # if there was no corresponding ad group then we'll replace 124 | # the user names with CNs 125 | # eg: "sbody" becomes "CN=Some Body,OU=Users,OU=testers,DC=com" 126 | user_cns = [] 127 | @ad_groups[ad_group_name].each { |user_name| 128 | user_cns.push(get_user_cn_from_login(user_name)) 129 | } 130 | @ad_groups[ad_group_name] = user_cns 131 | end 132 | } 133 | return @orgs, @ad_groups, github_ad_members 134 | end 135 | 136 | end 137 | 138 | end 139 | -------------------------------------------------------------------------------- /import/github/enterprise/jk/githubz.rb: -------------------------------------------------------------------------------- 1 | require 'set' 2 | require 'octokit' 3 | 4 | module Jk 5 | class Githubz 6 | 7 | def initialize(login, password, api_endpoint, web_endpoint) 8 | @gh_client = Octokit::Client.new( 9 | :login => login, 10 | :password => password, 11 | :api_endpoint => api_endpoint, 12 | :web_endpoint => web_endpoint 13 | ) 14 | @per_page=100 15 | end 16 | 17 | def get_org_repo_hash 18 | org_repo_hash = {} 19 | @gh_client.organizations(:per_page => @per_page).each { |org| 20 | org_repo_hash[org.login] = [] 21 | repos = @gh_client.repositories(org.login, :per_page => @per_page) 22 | repos.each { |repo| 23 | org_repo_hash[org.login].push(repo.name) 24 | } 25 | } 26 | return 
org_repo_hash 27 | end 28 | 29 | def get_org_teams 30 | org_teams = {} 31 | team_members = {} 32 | @gh_client.organizations.each { |org| 33 | org_teams[org.login.to_sym] = [] 34 | ts = @gh_client.organization_teams(org.login) 35 | ts.each { |t| 36 | if (t.name == 'Owners') 37 | team_name = org.login + '.' + t.name 38 | else 39 | team_name = t.name 40 | end 41 | org_teams[org.login.to_sym].push(team_name) 42 | team_members[team_name.to_sym] = [] if !team_members[team_name.to_sym] 43 | members = @gh_client.team_members(t.id) 44 | members.each { |m| 45 | team_members[team_name.to_sym].push(m.login.downcase) 46 | } 47 | } 48 | } 49 | # I could have just created Sets to begin with but whatevs 50 | # simple hack to get rid of dupes 51 | team_members.each { |k,v| team_members[k] = Set.new(team_members[k]).to_a } 52 | return org_teams, team_members 53 | end 54 | 55 | def get_user_key_hash 56 | user_keys = {} 57 | last_id_seen = 0; 58 | 59 | users = [] 60 | loop { 61 | users_ = @gh_client.all_users(:since => last_id_seen) 62 | 63 | if (users_.size > 0) 64 | cur_last_id = users_[users_.size - 1].id 65 | if (last_id_seen == cur_last_id) 66 | break 67 | end 68 | last_id_seen = cur_last_id 69 | users.concat(users_) 70 | else 71 | break 72 | end 73 | } 74 | 75 | users.each { |user| 76 | next if user.id == 1 || user.type != 'User' 77 | user_login = user.login.downcase 78 | user_keys[user_login] = [] 79 | @gh_client.user_keys(user_login).each { |key| 80 | user_keys[user_login].push(key.key) 81 | } 82 | } 83 | user_keys 84 | end 85 | 86 | # return array of hashes containing pull request number, title, commits, 87 | # and comments 88 | def get_pull_requests_comments_for_repo(repo_full_name) 89 | return_array = [] 90 | 91 | page = 1 92 | prs = [] 93 | 94 | begin 95 | loop { 96 | prs_ = @gh_client.pull_requests(repo_full_name, :per_page => @per_page, 97 | :state => 'closed', :page => page) 98 | prs.concat(prs_) 99 | page += 1 100 | break if prs_.size < @per_page 101 | } 102 | page = 1 
103 | loop { 104 | prs_ = @gh_client.pull_requests(repo_full_name, :per_page => @per_page, 105 | :state => 'open', :page => page) 106 | prs.concat(prs_) 107 | page += 1 108 | break if prs_.size < @per_page 109 | } 110 | rescue Exception => e 111 | puts("Unable to get pull requests for #{repo_full_name} #{e}") 112 | return return_array 113 | end 114 | 115 | prs.sort_by! { |p| p.number } 116 | 117 | if (prs.size == 0) 118 | puts("#{repo_full_name} has no pull requests") 119 | end 120 | 121 | cnt = 1 122 | prs.each { |pr| 123 | # if we don't have contiguous pull request numbers we'll create 124 | # a dummy to keep our pull request numbers equal from github to gitlab 125 | # this happens if an issue was created in github which was not 126 | # an actual pull request. We're only migrating pull requests here. 127 | while (pr.number > cnt) 128 | puts("making dummy #{pr.number} #{cnt}") 129 | current_pull_hash = {} 130 | current_pull_hash[:number] = cnt 131 | current_pull_hash[:title] = "Dummy issue" 132 | current_pull_hash[:body] = "" 133 | current_pull_hash[:commits] = [] 134 | current_pull_hash[:comments] = [] 135 | return_array.push(current_pull_hash) 136 | cnt += 1 137 | end 138 | puts("getting #{repo_full_name}##{pr.number} #{cnt}") 139 | cnt += 1 140 | 141 | current_pull_hash = {} 142 | current_pull_hash[:number] = pr.number 143 | current_pull_hash[:title] = pr.title 144 | current_pull_hash[:body] = pr.body 145 | 146 | # COMMITS ---------------------------------------- 147 | page = 1 148 | #commits = [] 149 | #loop { 150 | commits = @gh_client.pull_request_commits(repo_full_name, pr.number, 151 | :per_page => @per_page, :page => page) 152 | #commits.concat(commits_) 153 | #page += 1 154 | #break if commits_.size < @per_page 155 | #} 156 | 157 | current_pull_hash[:commits] = [] 158 | commits.each { |c| 159 | commit_hash = {} 160 | user = c.commit.author.email 161 | user = user[0,(user.rindex('@')||user.length)] 162 | commit_hash[:username] = user 163 | 
commit_hash[:sha] = c.sha[0,7] 164 | commit_hash[:date] = c.commit.author.date 165 | commit_hash[:message] = c.commit.message 166 | current_pull_hash[:commits].push(commit_hash) 167 | } 168 | 169 | # COMMENTS ---------------------------------------- 170 | page = 1 171 | comments = [] 172 | #loop { 173 | comments.concat(@gh_client.pull_request_comments( 174 | repo_full_name, pr.number, :per_page => @per_page, :page => page)) 175 | comments.concat(@gh_client.issue_comments(repo_full_name, pr.number, 176 | :per_page => @per_page, :page => page)) 177 | #:per_page => @per_page, :page => page) 178 | #comments.concat(comments_) 179 | #page += 1 180 | #break if comments_.size < @per_page 181 | #} 182 | current_pull_hash[:comments] = [] 183 | comments.each { |c| 184 | comment_hash = {} 185 | comment_hash[:username] = c.user.login 186 | comment_hash[:date] = c.created_at 187 | comment_hash[:body] = c.body 188 | current_pull_hash[:comments].push(comment_hash) 189 | } 190 | return_array.push(current_pull_hash) 191 | } 192 | return_array 193 | end 194 | end 195 | end 196 | -------------------------------------------------------------------------------- /import/github/enterprise/jk/gitlabz.rb: -------------------------------------------------------------------------------- 1 | require 'set' 2 | require 'cgi' 3 | require 'gitlab' 4 | 5 | class Gitlab::Client 6 | # for some reason these don't exist in the gem api impl. 
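:(
  # so we'll add our own defs for the missing api implementations
  module Users
    # POSTs an SSH key (title + key text) to /users/:user_id/keys.
    def create_key_for_user_id(user_id, title, key)
      post("/users/#{user_id}/keys", :body => {:title => title, :key => key})
    end
  end

  module Projects
    # PUTs +options+ as the body of /projects/:project_id.
    def edit_project(project_id, options={})
      put("/projects/#{project_id}", :body => options)
    end
  end

end


module Jk
  # Convenience wrapper around Gitlab::Client with small in-memory caches for
  # user, group and project ids.
  class Gitlabz

    # api_endpoint - GitLab API base URL
    # admin_token  - private token used for every call
    #
    # NOTE(security): the callers on this page pass an admin token, so it
    # should only be sent to an https endpoint and kept out of committed
    # copies of these scripts.
    def initialize(api_endpoint, admin_token)
      @gl_client = Gitlab::Client.new(
        :endpoint => api_endpoint,
        :private_token => admin_token)
      @user_cn_hash = {}
      @user_id_hash = {}
      @group_id_hash = {}
      @proj_name_id_hash = {}
      @per_page = 100
    end

    # Adds an SSH key to the user named +user_name+. Does nothing when the
    # user is unknown; a BadRequest from the API is ignored.
    def add_key_for_user(user_name, key_name, key)
      user_id = get_users_id_hash()[user_name]
      return if !user_id
      begin
        @gl_client.create_key_for_user_id(user_id, key_name, key)
      rescue Gitlab::Error::BadRequest
        # if this key exists we don't care
      end
    end

    # Returns (and caches) lower-cased username => user id for all users,
    # paging through the API @per_page at a time.
    def get_users_id_hash
      return @user_id_hash if @user_id_hash.size > 0

      page = 1
      loop {
        user_arr = @gl_client.users(
          {:per_page => @per_page, :page => page})
        user_arr.each { |user|
          @user_id_hash[user.username.downcase] = user.id
        }
        page += 1
        break if user_arr.size < @per_page
      }
      @user_id_hash
    end

    # Returns (and caches) extern_uid => user id, using only the first
    # identity of each user. Pass force_update = true to re-read the list;
    # existing cache entries are kept and overwritten, not cleared.
    def get_users_cn_hash(force_update = false)
      return @user_cn_hash if @user_cn_hash.size > 0 && !force_update

      page = 1
      loop {
        user_arr = @gl_client.users(
          {:per_page => @per_page, :page => page})
        user_arr.each { |user|
          if (user.identities.size > 0)
            extern_uid = user.identities[0]["extern_uid"]
            @user_cn_hash[extern_uid] = user.id
          end
        }
        page += 1
        break if user_arr.size < @per_page
      }
      @user_cn_hash
    end

    # Returns true when +user_id+ is in the (cached) member set of +group_id+.
    #
    # The cache is created on first use and the membership is always checked,
    # so the very first call answers for real instead of returning the freshly
    # created (truthy) cache hash. The cache is not refreshed after
    # add_dev_to_group.
    def is_group_member(group_id, user_id)
      @group_members_hash ||= {}
      @group_members_hash[group_id] ||= get_group_members(group_id)
      @group_members_hash[group_id].include?(user_id)
    end

    # Returns a Set with the ids of all members of +group_id+.
    def get_group_members(group_id)
      ret_set = Set.new()
      page = 1
      loop {
        group_mem = @gl_client.group_members(group_id,
          {:per_page => @per_page, :page => page})
        group_mem.each { |member|
          ret_set.add(member.id)
        }
        page += 1
        break if group_mem.size < @per_page
      }
      ret_set
    end

    # Returns (and caches) group name => group id for all groups.
    def get_groups_hash
      return @group_id_hash if @group_id_hash.size > 0

      page = 1
      loop {
        group_arr = @gl_client.groups(
          {:per_page => @per_page, :page => page})
        group_arr.each { |group|
          @group_id_hash[group.name] = group.id
        }
        page += 1
        break if group_arr.size < @per_page
      }
      @group_id_hash
    end

    # Adds +user_id+ to +group_id+ with access level +perm+ (callers on this
    # page use 30 for developers and 50 for owners). API errors are printed
    # and swallowed; only StandardError is rescued so Ctrl-C and exit still
    # stop the run.
    def add_dev_to_group(user_id, group_id, perm="30")
      begin
        @gl_client.add_group_member(group_id, user_id, perm)
      rescue StandardError => nfe
        puts(nfe)
      end
    end

    def add_user(email, password, username, name, ldap_cn, bio)
      username = username.downcase
      if !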
get_users_id_hash()[username] 135 | user = @gl_client.create_user( 136 | email, 137 | password, 138 | :username => username, 139 | :name => name, 140 | :provider => "ldap", 141 | :extern_uid => ldap_cn, 142 | :bio => bio, 143 | :confirm => 0 144 | ) 145 | get_users_id_hash()[user.username] = user.id 146 | end 147 | get_users_id_hash()[username] 148 | end 149 | 150 | def create_or_get_group_id(org_name) 151 | begin 152 | group = @gl_client.group(org_name) 153 | rescue Gitlab::Error::NotFound => nfe 154 | group = @gl_client.create_group(org_name, org_name) 155 | @group_id_hash[group.name] = group.id 156 | end 157 | return group.id 158 | end 159 | 160 | def create_and_get_project_id(repo_name, org_name) 161 | new_repo_name = repo_name.gsub('.', '_') 162 | puts("Creating #{org_name}/#{new_repo_name}") 163 | #begin 164 | #project = @gl_client.project(CGI.escape(org_name + "/" + repo_name)) 165 | #rescue Gitlab::Error::NotFound => nfe 166 | group_id = create_or_get_group_id(org_name) 167 | project = @gl_client.create_project( 168 | new_repo_name, 169 | :namespace_id => group_id 170 | ) 171 | # gitlab won't allow us to create repos that are Camel Cased or have 172 | # dots in the name (super cool) but it will let me rename them 173 | # once I create them (makes total sense) 174 | @gl_client.edit_project(project.id, :name => repo_name, :path => repo_name) 175 | #end 176 | return project.id 177 | end 178 | 179 | def edit_project_name(org_name, new_name, curr_name) 180 | begin 181 | project = @gl_client.project(CGI.escape(org_name + "/" + curr_name)) 182 | @gl_client.edit_project(project.id, :name => new_name, :path => new_name) 183 | return project.id 184 | rescue Gitlab::Error::NotFound => nfe 185 | puts("#{curr_name} not found") 186 | end 187 | end 188 | 189 | def get_project_name_id_hash 190 | return @proj_name_id_hash if @proj_name_id_hash.size > 0 191 | page = 1 192 | loop { 193 | pa = @gl_client.projects(:per_page => @per_page, :page => page) 194 | pa.each { |proj| 
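@proj_name_id_hash[proj.path_with_namespace] = proj.id
        }
        page += 1
        break if pa.size < @per_page
      }
      @proj_name_id_hash
    end

    # Creates an issue in the project named +repo_full_name+ and closes it
    # right away. Errors are not rescued here.
    def create_issue(repo_full_name, title, body)
      #begin
      project_id = get_project_name_id_hash()[repo_full_name]
      gl_issue = @gl_client.create_issue(project_id, title, :description => body)
      @gl_client.close_issue(project_id, gl_issue.id)
      #rescue Exception => e
      #puts(e)
      #end
    end

    # Removes branch protection from every branch of +project_id+.
    # NOTE(security): afterwards anyone with push access can push to (and
    # force-push) those branches; the callers accept that trade-off.
    def unprotect_branches_for_project(project_id)
      @gl_client.branches(project_id).each { |branch|
        puts("Unprotecting #{project_id} #{branch.name}")
        @gl_client.unprotect_branch(project_id, branch.name)
      }
    end

    # Adds a push-only web hook for +url+ to +proj_id+ unless a hook with the
    # same URL is already among the first @per_page hooks.
    def add_hook_to_proj(proj_id, url)
      hooks = @gl_client.project_hooks(proj_id, :per_page => @per_page)
      hooks.each { |hook|
        if(hook.url == url)
          #puts("#{url} already added to proj id #{proj_id}")
          return
        end
      }

      puts("Adding #{url} to proj id #{proj_id}")
      @gl_client.add_project_hook(
        proj_id,
        url,
        :push_events => 1,
        :issues_events => 0,
        :merge_requests => 0,
        :tag_push_events => 0
      )
    end
  end
end

--------------------------------------------------------------------------------
/import/github/enterprise/migrate.rb:
--------------------------------------------------------------------------------
#!/opt/gitlab/embedded/bin/ruby
require './jk'
require 'git'
require 'fileutils'
require 'securerandom'

# Migration script for Github -> Gitlab
#
# Steps, in order: create GitLab users from the LDAP group, copy SSH keys,
# create groups and projects, grant group permissions, mirror the git
# repositories, turn pull requests into closed issues, unprotect branches and
# add the push hook.
#
# NOTE(security): the values below are placeholders. Fill them in from the
# environment or a file readable only by the operator rather than committing
# real passwords or the admin token, and keep every endpoint on https.
def do_migration
  my_domain = "your.domain"
  gh_ssh_url_base="git@github.your.domain"
  gl_ssh_url_base="git@gitlab.your.domain"
  tmp_git_dir="/git-data/tmp"
  hook_url = "https://your.domain/jira/gitlab_hook"

  ldap_github_group = "GithubUsersGroup"

  ad_username = "user@your.domain"
  ad_password = "xxxxxxxxxxxxxxxxxxxxxx"
  ad_base = "dc=your,dc=domain"
  ad_host = "your.ad.host"

  # One assignment per line: a trailing comma after the login would fold the
  # next assignment into an Array and break the GitHub client login.
  gh_login = "github_user"
  gh_password = "xxxxxxxxxxxxxxxxxxxxxx"
  gh_api_endpoint = "https://github.your.domain/api/v3/"
  gh_web_endpoint = "https://github.your.domain/"

  gl_api_endpoint = 'https://gitlab.your.domain/api/v3'
  gl_admin_token = 'xxxxxxxxxxxxxxxxxxxx'

  gh = Jk::Githubz.new(gh_login, gh_password, gh_api_endpoint, gh_web_endpoint)
  gl = Jk::Gitlabz.new(gl_api_endpoint, gl_admin_token)

  org_teams_hash,teams_members_hash = gh.get_org_teams
  ad = Jk::Ad.new(ad_host, ad_username, ad_password, ad_base)
  org_teams_hash,teams_members_hash,cn_user_info_hash =
    ad.get_membership_hashes(org_teams_hash, teams_members_hash, ldap_github_group)

  # create users from our github group in ldap
  cn_user_info_hash.each { |cn, user_info_hash|
    #"CN=Some Body,OU=Users,OU=ad,DC=testers,DC=com" => {
    #   :dn=>"CN=Some Body,OU=Users,OU=ad,DC=testers,DC=com",
    #   :title=>"Senior Wizard",
    #   :displayname=>"Some Body",
    #   :memberof=>"CN=.All Users,OU=Distribution Lists,OU=Users,DC=testers,DC=com",
    #   :samaccountname=>"SBody"
    # }
    puts("Adding #{user_info_hash[:displayname]}")
    gl.add_user(
      "#{user_info_hash[:samaccountname].downcase}@#{my_domain}",
      # The account signs in through LDAP, but GitLab still stores a local
      # password. Use a random one per user so no shared, known password
      # exists if password sign-in is ever enabled.
      SecureRandom.hex(16),
      user_info_hash[:samaccountname].downcase,
      user_info_hash[:displayname],
      cn,
      "#{user_info_hash[:title]}"
    )
  }

  # get user keys from github and store them in gitlab per user
  user_key_hash = gh.get_user_key_hash
  user_key_hash.each { |username, keys|
    cnt = 1
    keys.each { |key|
      puts("adding #{username} Key import #{cnt} #{key}")
      gl.add_key_for_user(username, "Key import #{cnt}", key)
      cnt += 1
    }
  }

  # create groups (org) and projects (repos)
  gh_org_repos = gh.get_org_repo_hash
  gh_org_repos.each { |gh_org_name, gh_repo_name_arr|
    gl_org_id = gl.create_or_get_group_id(gh_org_name)
    gh_repo_name_arr.each { |gh_repo_name|
      gl_proj_id = gl.create_and_get_project_id(gh_repo_name, gh_org_name)
    }
  }

  # take github org teams and apply the perms to gitlab
  # gitlab has no team concept so we'll give either owner or dev
  # privs to each user based on their github privs.
  org_teams_hash.each { |gh_org_name, gh_teams|
    gh_teams.each { |gh_team|
      teams_members_hash[gh_team.to_sym].each { |user_cn|
        gl_org_id = gl.create_or_get_group_id(gh_org_name)
        user_hash = cn_user_info_hash[user_cn]
        if user_hash
          user_id = user_hash[:samaccountname].downcase
          if (gh_team =~ /Owners$/)
            puts("Adding OWNER user #{user_id} to org #{gh_org_name} with org id #{gl_org_id} for team #{gh_team}")
            perm = 50
          else
            puts("Adding user #{user_id} to org #{gh_org_name} with org id #{gl_org_id} for team #{gh_team}")
            perm = 30
          end
          if (gl.get_users_id_hash()[user_id])
            gl.add_dev_to_group(gl.get_users_id_hash()[user_id], gl_org_id, perm)
          else
            puts("Can't find #{user_id}")
          end
        end
      }
    }
  }

  # time to clone git repos
  gh_org_repos = gh.get_org_repo_hash

  gh_org_repos.each { |gh_org_name, gh_repo_name_arr|
    gh_repo_name_arr.each { |gh_repo_name|
      repo_name = gh_repo_name
      gh_ssh_url = "#{gh_ssh_url_base}:#{gh_org_name}/#{gh_repo_name}.git"
      local_repo_name = "#{repo_name}.git"
      puts("clone #{gh_ssh_url} to #{gh_org_name}/#{local_repo_name}")

      FileUtils.mkdir_p("#{tmp_git_dir}/#{gh_org_name}")
      if File.directory?("#{tmp_git_dir}/#{gh_org_name}/#{local_repo_name}")
        git_repo = Git.bare("#{tmp_git_dir}/#{gh_org_name}/#{local_repo_name}")
        git_repo.fetch
      else
        git_repo = Git.clone(gh_ssh_url, "#{local_repo_name}", :path => "#{tmp_git_dir}/#{gh_org_name}", :bare => 1)
        git_repo.add_remote("gitlab", "#{gl_ssh_url_base}:#{gh_org_name}/#{local_repo_name}")
      end
      git_repo.push('gitlab', '--mirror')
    }
  }

  # merge github pull requests to gitlab issues
  gl.get_project_name_id_hash().each { |repo, proj_id|
    gh.get_pull_requests_comments_for_repo(repo).each { |pr|
      commits_str = "| User | SHA | Date | Message |\n"
      commits_str += "| ---- | ---- | ---- | ---- |\n"
      pr[:commits].each { |c|
        commits_str += "|@#{c[:username]}|#{repo}@#{c[:sha]}|#{c[:date]}|#{c[:message].split("\n").first}|\n"
      }

      comments_str = ""
      pr[:comments].each { |c|
        body = "#{c[:body]}"
        body = body.gsub(/^/, "> ")
        comments_str += "#### Comment by @#{c[:username]} on #{c[:date]}\n"
        comments_str += "#{body}\n\n"
      }
      comments_str = "(no comments)" if comments_str.length == 0

      output_str = "### Pull request #{pr[:number]} migrated from Github

#{pr[:body]}

#### Commits
#{commits_str}

#{comments_str}

"
      puts("Creating issue #{pr[:number]} for #{repo}")
      gl.create_issue(repo, pr[:title], output_str)
    }
  }

  # gitlab marks master branches protected by default, we'll unprotect so our
  # devs can push directly if they please, not ideal but some teams rely on it
  gl.get_project_name_id_hash().each { |repo, proj_id|
    gl.unprotect_branches_for_project(proj_id)
  }

  # Added our custom push hook url to each repo
  gl.get_project_name_id_hash().each { |repo, proj_id|
    gl.add_hook_to_proj(proj_id, hook_url)
  }
end

#do_migration

--------------------------------------------------------------------------------
/import/github/enterprise/update_gitlab.rb:
--------------------------------------------------------------------------------
#!/opt/gitlab/embedded/bin/ruby
require './jk'

# This script is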
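scheduled via cron to periodically update perms
# perms are currently never revoked, only granted.
#
# NOTE(security): because nothing is revoked, a user removed from an LDAP
# group keeps the GitLab group access granted earlier until it is removed by
# hand. The credentials below are placeholders; since this runs unattended,
# keep the real values in a file only the cron user can read.
def update_perms
  # Local require: the random per-user password below needs it.
  require 'securerandom'

  ldap_github_group = "GithubUsersGroup"

  # The below names correspond to ldap/active directory groups
  # that are used to apply permissions to orgs/gitlab groups
  # each group key will point to an array of user CNs once populated.
  teams_members_hash = {
    :"Group1" => [],
    :"Group2" => [],
    :"Group3" => [],
    :"Group4" => [],
    :"Group5" => [],
    :"Group6" => [],
    :"Group7" => [],
    :"Group8" => [],
    :"GithubUsersGroup" => [],
  }

  # list of gitlab groups (orgs) and the LDAP groups that should have
  # permissions applied
  org_teams_hash = {
    :org1=>["Group4", "Group8"],
    :org2=>["Group5", "Group6", "Group7"],
    :org3=>["Group1", "Group2", "Group3", "Group8"],
    :org4=>["Group3", "Group8"],
    :org5=>["Group3", "Group8"],
    :org6=>["GithubUsersGroup"],
    :org7=>["Group1", "Group3", "Group8"],
    :org8=>["Group2", "Group6", "Group7"],
    :org9=>["GithubUsersGroup"],
    :org10=>["Group1", "Group3"],
    :org11=>["Group1", "Group3", "Group8"],
    :org12=>[],
    :org13=>["Group1"]
  }

  my_domain = "your.domain"

  ad_username = "user@your.domain"
  ad_password = "xxxxxxxxxxxxxxxxxxxxxxxxxx"
  ad_base = "dc=your,dc=domain"
  ad_host = "your.ad.host"

  gl_api_endpoint = 'https://gitlab.your.domain/api/v3'
  gl_admin_token = 'xxxxxxxxxxxxxxxxxxxx'

  gl = Jk::Gitlabz.new(gl_api_endpoint, gl_admin_token)
  ad = Jk::Ad.new(ad_host, ad_username, ad_password, ad_base)

  org_teams_hash, teams_members_hash, cn_user_info_hash =
    ad.get_membership_hashes(org_teams_hash, teams_members_hash, ldap_github_group)

  need_to_update = false

  # Create a GitLab account for every LDAP user that has none yet.
  cn_user_info_hash.each { |user_cn, user_info|
    if ! gl.get_users_cn_hash()[user_cn]
      need_to_update = true
      puts("Adding #{user_cn}")
      gl.add_user(
        "#{user_info[:samaccountname].downcase}@#{my_domain}",
        # Sign-in goes through LDAP, but a local password is still stored;
        # a random one per user avoids a shared, known password.
        SecureRandom.hex(16),
        user_info[:samaccountname].downcase,
        user_info[:displayname],
        user_cn,
        "#{user_info[:title]}"
      )
    end
  }

  # Re-read the CN => id cache only when accounts were added above.
  gl.get_users_cn_hash(need_to_update)

  org_teams_hash.each { |gh_org_name, gh_teams|
    gh_teams.each { |gh_team|
      teams_members_hash[gh_team.to_sym].each { |user_cn|
        gl_org_id = gl.get_groups_hash()[gh_org_name.to_s]
        if (!gl_org_id)
          gl_org_id = gl.create_or_get_group_id(gh_org_name)
        end
        user_hash = cn_user_info_hash[user_cn]
        if user_hash
          user_id = user_hash[:samaccountname].downcase
          # 50 for teams whose name ends in "Owners", 30 for everyone else
          if (gh_team =~ /Owners$/)
            perm = 50
          else
            perm = 30
          end
          if (gl.get_users_cn_hash()[user_cn])
            if(!gl.is_group_member(gl_org_id, gl.get_users_cn_hash()[user_cn]))
              puts("#{user_id} added to #{gh_org_name}")
              gl.add_dev_to_group(
                gl.get_users_cn_hash()[user_cn], gl_org_id, perm)
            #else
              #puts("#{user_id} already a member of #{gh_org_name}")
            end
          else
            puts("Can't find #{user_id} #{user_cn}")
          end
        end
      }
    }
  }
end

update_perms

--------------------------------------------------------------------------------
/import/github/enterprise/update_hooks.rb:
--------------------------------------------------------------------------------
#!/opt/gitlab/embedded/bin/ruby
require './jk'

# repos are created less frequently than users, schedule this to run
# accordingly. This will make a hit for every single repo to check for the
# existence of our hook, so it takes a minute to run.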
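def update_hooks
  # Placeholders: keep the real admin token out of committed copies.
  hook_url = "https://your.domain/jira/gitlab_hook"

  gl_api_endpoint = 'https://gitlab.your.domain/api/v3'
  gl_admin_token = 'xxxxxxxxxxxxxxxxxxxx'

  gl = Jk::Gitlabz.new(gl_api_endpoint, gl_admin_token)

  # Added our custom push hook url to each repo
  gl.get_project_name_id_hash().each { |repo, proj_id|
    gl.add_hook_to_proj(proj_id, hook_url)
  }
end

update_hooks

--------------------------------------------------------------------------------
/import/github/import_all.rb:
--------------------------------------------------------------------------------
# Community contributed script to import from GitHub to GitLab
# It imports repositories, issues and the wiki's.
# This script is not maintained, please send merge requests to improve it, do not file bugs.
# The issue import might concatenate all comments of an issue into one, if so feel free to fix this.
#
# NOTE(security):
# * -p/--pw and -t/--gitlab-token put secrets on the command line, where
#   other local users can read them from the process list and shell history.
# * The default --gitlab-api value is plain http, which would send the
#   private token unencrypted; pass an https endpoint.
# * /tmp/clones and /tmp/junk are fixed paths in a world-writable directory;
#   run this on a single-user host or point them at a private directory.

require 'bundler/setup'
require 'fileutils'
require 'octokit'
require 'open3'
require 'optparse'
require 'git'
require 'gitlab'
require 'pp'
require 'tempfile'
require 'uri'

#deal with options from cli, like username and pw
options = {:usr => nil,
           :pw => nil,
           :api => 'https://api.github.com',
           :web => 'https://github.com/',
           :space => nil,
           :group => nil,
           :ssh => false,
           :private => false,
           :gitlab_api => 'http://gitlab.example.com/api/v3',
           :gitlab_token => 'secret'
          }
optparse = OptionParser.new do |opts|
  opts.on('-u', '--user USER', "user to connect to GitHub with") do |u|
    options[:usr] = u
  end
  opts.on('-p', '--pw PASSWORD', 'password for user to connect to GitHub with') do |p|
    options[:pw] = p
  end
  opts.on('--api API', String, 'API endpoint for GitHub') do |a|
    options[:api] = a
  end
  opts.on('--gitlab-api API', String, 'API endpoint for GitLab') do |a|
    options[:gitlab_api] = a
  end
  opts.on('-t', '--gitlab-token TOKEN', String, 'Private token for GitLab') do |t|
    options[:gitlab_token] = t
  end
  # Takes a value; without the placeholder the option is a bare flag and the
  # web endpoint would be set to true.
  opts.on('--web WEB', String, 'Web endpoint for GitHub') do |w|
    options[:web] = w
  end
  opts.on('--ssh', 'Use ssh for GitHub') do |s|
    options[:ssh] = s
  end
  opts.on('--private', 'Import only private GitHub repositories (enables ssh)') do |p|
    options[:private] = p
    options[:ssh] = true
  end
  opts.on('-s', '--space SPACE', 'The space to import repositories from (User or Organization)') do |s|
    options[:space] = s
  end
  opts.on('-g', '--group GROUP', 'The GitLab group to import projects to') do |g|
    options[:group] = g
  end
  opts.on('-h', '--help', 'Display this screen') do
    puts opts
    exit
  end
end

optparse.parse!
if options[:usr].nil? or options[:pw].nil?
  puts "Missing parameter ..."
  # Show what was parsed, but never echo the password or token.
  puts options.merge(:pw => (options[:pw].nil? ? nil : '[REDACTED]'),
                     :gitlab_token => '[REDACTED]')
  exit
end

if options[:group].nil?
  if options[:space].nil?
    raise 'Both group and space can\'t be empty!'
  end

  options[:group] = options[:space]
end

Octokit.configure do |c|
  c.api_endpoint = options[:api]
  c.web_endpoint = options[:web]
end

#set the gitlab options
Gitlab.configure do |c|
  c.endpoint = options[:gitlab_api]
  c.private_token = options[:gitlab_token]
end

#setup the clients
gh_client = Octokit::Client.new(:login => options[:usr], :password => options[:pw])
gl_client = Gitlab.client()
#get all of the repos that are in the specified space (user or org)
gh_repos = gh_client.repositories(options[:space], {:type => options[:private] ? 'private' : 'all'})
gh_repos.each do |gh_r|
  #
  ## clone the repo from the github server
  #
  git_repo = nil
  if File.directory?("/tmp/clones/#{gh_r.name}")
    git_repo = Git.open("/tmp/clones/#{gh_r.name}")
    git_repo.pull
  else
    git_repo = Git.clone(options[:ssh] ? gh_r.ssh_url : gh_r.git_url, gh_r.name, :path => '/tmp/clones')
  end

  # Create a local tracking branch for every remote branch except HEAD and
  # master. git is run with an argument list, not through a shell, so a
  # repository or branch name coming from the API is never parsed as shell
  # syntax.
  git_dir = "/tmp/clones/#{gh_r.name}/.git"
  branch_listing, _status = Open3.capture2('git', '--git-dir', git_dir, 'branch', '-a')
  branch_listing.each_line do |line|
    next unless line.include?('remotes')
    next if line.include?('HEAD') || line.include?('master')
    remote_branch = line.strip
    system('git', '--git-dir', git_dir, 'branch', '--track',
           remote_branch.split('/').last, remote_branch, :out => File::NULL)
  end

  #
  ## Push the cloned repo to gitlab
  #
  push_group = nil
  #I should be able to search for a group by name
  gl_client.groups.each do |g|
    if g.name == options[:group]
      push_group = g
    end
  end

  #if the group wasn't found, create it
  if push_group.nil?
    push_group = gl_client.create_group(options[:group], options[:group])
  end

  #edge case, gitlab didn't like names that didn't start with an alpha. Can't remember how I ran into this.
  name = gh_r.name
  if gh_r.name !~ /^[a-zA-Z]/
    name = "gh-#{gh_r.name}"
  end

  puts gh_r.name
  #create and push the project to GitLab
  new_project = gl_client.create_project(name)
  git_repo.add_remote("gitlab", new_project.ssh_url_to_repo)
  git_repo.push('gitlab', '--all')

  # Copy labels for this project
  labels = gh_client.labels(gh_r.full_name)
  labels.each do |l|
    gl_client.create_label(new_project.id, l.name, '#'+l.color)
  end

  #
  ## Look for issues in GitHub for this project and push them to GitLab
  ## I wish the GitLab API let me create comments for issues. Oh well, smashing it all into the body of the issue.
  #
  if gh_r.has_issues
    issues = []

    # Get opened issues
    page = 1
    loop do
      issues_ = gh_client.list_issues(gh_r.full_name, :page => page)
      issues.concat(issues_)
      page = page + 1
      break if issues_.size() < 30 # Github returns 30 issues per page
    end

    # Get closed issues
    page = 1
    loop do
      issues_ = gh_client.list_issues(gh_r.full_name, :page => page, :state => 'closed')
      issues.concat(issues_)
      page = page + 1
      break if issues_.size() < 30
    end

    issues.sort_by! { |i| i.number } # Sorting issues by number

    issues.each do |i|
      comments = gh_client.issue_comments(gh_r.full_name, i['number'])
      # An issue without a description has a nil body; start from "" so the
      # comments can still be appended.
      body = i.body.to_s
      if comments.any?
        body += "\n\n\nComments from GitHub import:\n"
        comments.each do |c|
          body += "\n\n#{c.body}\nBy #{c.user.login} on #{c.created_at}"
        end
      end

      labels = i.labels.map {|l| l.name }.join(',')

      gl_issue = gl_client.create_issue(new_project.id, i.title, :description => body, :labels => labels)

      if i.state == 'closed'
        gl_client.close_issue(new_project.id, gl_issue.id)
      end

      pp i.number.to_s + ' ' + i.title + ' ' + i.state + ' ' + labels
    end
  end

  #
  ## Look for wiki pages for this repo in GitHub and migrate them to GitLab
  #
  if gh_r.has_wiki
    #this is dumb. The only way to know if a repo has a wiki is to attempt to clone it and then ignore failure if it doesn't have one
    begin
      # Only the trailing ".git" is replaced, so a host or path that happens
      # to contain ".git" elsewhere is left alone.
      gh_wiki_url = gh_r.git_url.sub(/\.git\z/, ".wiki.git")
      wiki_name = gh_r.name + '.wiki'
      wiki_repo = Git.clone(gh_wiki_url, wiki_name, :path => '/tmp/clones')

      #this is a pain, have to visit the wiki page on the web ui before being able to work with it as a git repo
      #
      # The login form is url-encoded and handed to wget through a private
      # temp file, so the password is neither on wget's command line nor
      # interpreted by a shell.
      # NOTE(review): this posts the GitHub user and password to the
      # hard-coded host below, which has no scheme, so wget uses plain http.
      # Set your own https URL and confirm the same credentials are meant
      # for GitLab.
      login_form = Tempfile.new('gl_login_form')
      begin
        login_form.write(URI.encode_www_form('username' => options[:usr], 'password' => options[:pw]))
        login_form.flush
        system('wget', '-q', '--save-cookies', '/tmp/junk/gl_login.txt', '-P', '/tmp/junk',
               "--post-file=#{login_form.path}", 'gitlab.example.com/users/auth/ldap/callback')
      ensure
        login_form.close!
      end
      system('wget', '-q', '--load-cookies', '/tmp/junk/gl_login.txt', '-P', '/tmp/junk',
             '-p', "#{new_project.web_url}/wikis/home")
      # Removes the session cookie file together with the downloaded pages.
      FileUtils.rm_rf(Dir.glob('/tmp/junk/*'))

      gl_wiki_url = new_project.ssh_url_to_repo.sub(/\.git\z/, ".wiki.git")
      wiki_repo.add_remote('gitlab', gl_wiki_url)
      wiki_repo.push('gitlab')
    rescue => e
      # A missing wiki is expected; report the reason instead of hiding it.
      warn("Skipping wiki for #{gh_r.name}: #{e.message}")
    end
  end

  # change the owner of this new project to the group we found it in
  gl_client.transfer_project_to_group(push_group.id, new_project.id)
end

--------------------------------------------------------------------------------
/init/README.md:
--------------------------------------------------------------------------------
In this section there are provided additional configuration files for various init systems.

If you have something to contribute please read the [contributing guidelines](../CONTRIBUTING.md).

--------------------------------------------------------------------------------
/init/init/freebsd/gitlab-unicorn:
--------------------------------------------------------------------------------
#! /bin/sh

# GITLAB
# Maintainer: @charlienewey
# Authors: @charlienewey, rovanion.luckey@gmail.com, @randx

# PROVIDE: ghost
# KEYWORD: shutdown
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"

.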
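/etc/rc.subr   # continues the `.` (source) command begun on the previous line

name="gitlab"
rcvar="gitlab_enable"
extra_commands="status"

load_rc_config gitlab
: ${gitlab_enable:="NO"}

status_cmd="print_status"
start_cmd="start_gitlab"
stop_cmd="stop_gitlab"
restart_cmd="restart_gitlab"

### Environment variables
RAILS_ENV="production"

# Script variable names should be lower-case not to conflict with
# internal /bin/sh variables such as PATH, EDITOR or SHELL.
app_user="git"
app_root="/home/$app_user/gitlab"
pid_path="$app_root/tmp/pids"
socket_path="$app_root/tmp/sockets"
web_server_pid_path="$pid_path/unicorn.pid"
sidekiq_pid_path="$pid_path/sidekiq.pid"
mail_room_enabled=false
mail_room_pid_path="$pid_path/mail_room.pid"
gitlab_workhorse_pid_path="$pid_path/gitlab-workhorse.pid"
# -listenUmask 0 asks gitlab-workhorse to create its Unix socket without
# masking any permission bits.
# NOTE(review): access to the socket then depends on the permissions of
# $socket_path -- confirm that directory is not open to other local users.
gitlab_workhorse_options="-listenUmask 0 -listenNetwork unix -listenAddr $socket_path/gitlab-workhorse.socket -authBackend http://127.0.0.1:8080"
gitlab_workhorse_log="$app_root/log/gitlab-workhorse.log"

# Read configuration variable file if it is present.
# It is sourced before the switch to $app_user below, i.e. with the privileges
# of whoever invoked the script, so it should be writable by root only.
test -f /etc/default/gitlab && . /etc/default/gitlab

# Switch to the app_user if it is not he/she who is running the script.
# NOTE(review): eval re-parses "$0" and "$@" in the calling shell before su
# runs, so a script path or argument containing shell metacharacters would be
# interpreted there. Only fixed verbs (start, stop, ...) should be passed.
if [ "$USER" != "$app_user" ]; then
  eval su - "$app_user" -c $(echo \")$0 "$@"$(echo \"); exit;
fi

# Switch to the gitlab path, exit on failure.
if ! cd "$app_root" ; then
  echo "Failed to cd into $app_root, exiting!"; exit 1
fi


### Init Script functions

## Reads the pid files into wpid, spid, hpid and (when MailRoom is enabled)
## mpid. A missing pid file yields 0. Creates $pid_path first and exits 1 if
## that fails.
check_pids(){
  if ! mkdir -p "$pid_path"; then
    echo "Could not create the path $pid_path needed to store the pids."
    exit 1
  fi
  # If there exists a file which should hold the value of the Unicorn pid: read it.
  if [ -f "$web_server_pid_path" ]; then
    wpid=$(cat "$web_server_pid_path")
  else
    wpid=0
  fi
  if [ -f "$sidekiq_pid_path" ]; then
    spid=$(cat "$sidekiq_pid_path")
  else
    spid=0
  fi
  if [ -f "$gitlab_workhorse_pid_path" ]; then
    hpid=$(cat "$gitlab_workhorse_pid_path")
  else
    hpid=0
  fi
  if [ "$mail_room_enabled" = true ]; then
    if [ -f "$mail_room_pid_path" ]; then
      mpid=$(cat "$mail_room_pid_path")
    else
      mpid=0
    fi
  fi
}

## Called after the processes have been started: polls every 0.1s until all
## expected pid files exist, printing a dot per second, and exits 1 after
## roughly 30 seconds.
wait_for_pids(){
  # We are sleeping a bit here mostly because sidekiq is slow at writing its pid
  i=0;
  while [ ! -f "$web_server_pid_path" ] || [ ! -f "$sidekiq_pid_path" ] || [ ! -f "$gitlab_workhorse_pid_path" ] || { [ "$mail_room_enabled" = true ] && [ ! -f "$mail_room_pid_path" ]; }; do
    sleep 0.1;
    i=$((i+1))
    if [ $((i%10)) = 0 ]; then
      printf "."
    elif [ $((i)) = 301 ]; then
      echo "Waited 30s for the processes to write their pids, something probably went wrong."
      exit 1;
    fi
  done
  echo
}

# We use the pids in so many parts of the script it makes sense to always check them.
# Only after start() is run should the pids change. Sidekiq sets its own pid.
check_pids


## Checks whether the different parts of the service are already running or not.
## Sets web_status, sidekiq_status, gitlab_workhorse_status and (when MailRoom
## is enabled) mail_room_status: 0 means running, anything else means not.
## Sets gitlab_status to 0 when every enabled component runs, otherwise 3.
check_status(){
  check_pids
  # If the web server is running kill -0 $wpid returns true, or rather 0.
  # Checks of *_status should only check for == 0 or != 0, never anything else.
  # The pids are quoted so that an empty pid file fails the test instead of
  # breaking its syntax.
  if [ "$wpid" -ne 0 ]; then
    kill -0 "$wpid" 2>/dev/null
    web_status="$?"
  else
    web_status="-1"
  fi
  if [ "$spid" -ne 0 ]; then
    kill -0 "$spid" 2>/dev/null
    sidekiq_status="$?"
  else
    sidekiq_status="-1"
  fi
  if [ "$hpid" -ne 0 ]; then
    kill -0 "$hpid" 2>/dev/null
    gitlab_workhorse_status="$?"
  else
    gitlab_workhorse_status="-1"
  fi
  if [ "$mail_room_enabled" = true ]; then
    if [ "$mpid" -ne 0 ]; then
      kill -0 "$mpid" 2>/dev/null
      mail_room_status="$?"
    else
      mail_room_status="-1"
    fi
  fi
  if [ "$web_status" = 0 ] && [ "$sidekiq_status" = 0 ] && [ "$gitlab_workhorse_status" = 0 ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" = 0 ]; }; then
    gitlab_status=0
  else
    # http://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
    # code 3 means 'program is not running'
    gitlab_status=3
  fi
}

## Check for stale pids and remove them if necessary.
## A pid file is stale when it holds a pid but the matching *_status is not 0.
## Exits 1 if a stale pid file cannot be removed.
check_stale_pids(){
  check_status
  # If there is a pid it is something else than 0, the service is running if
  # *_status is == 0.
  if [ "$wpid" != "0" ] && [ "$web_status" != "0" ]; then
    echo "Removing stale Unicorn web server pid. This is most likely caused by the web server crashing the last time it ran."
    if ! rm "$web_server_pid_path"; then
      echo "Unable to remove stale pid, exiting."
      exit 1
    fi
  fi
  if [ "$spid" != "0" ] && [ "$sidekiq_status" != "0" ]; then
    echo "Removing stale Sidekiq job dispatcher pid. This is most likely caused by Sidekiq crashing the last time it ran."
    if ! rm "$sidekiq_pid_path"; then
      echo "Unable to remove stale pid, exiting"
      exit 1
    fi
  fi
  if [ "$hpid" != "0" ] && [ "$gitlab_workhorse_status" != "0" ]; then
    echo "Removing stale gitlab-workhorse pid. This is most likely caused by gitlab-workhorse crashing the last time it ran."
    if ! rm "$gitlab_workhorse_pid_path"; then
      echo "Unable to remove stale pid, exiting"
      exit 1
    fi
  fi
  if [ "$mail_room_enabled" = true ] && [ "$mpid" != "0" ] && [ "$mail_room_status" != "0" ]; then
    echo "Removing stale MailRoom job dispatcher pid. This is most likely caused by MailRoom crashing the last time it ran."
    if ! rm "$mail_room_pid_path"; then
      echo "Unable to remove stale pid, exiting"
      exit 1
    fi
  fi
}

## If no part of the service is running, bail out.
exit_if_not_running(){
  check_stale_pids
  if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
    echo "GitLab is not running."
    exit
  fi
}

## Starts Unicorn, Sidekiq, gitlab-workhorse and (when enabled) MailRoom if
## they are not running, waits for their pid files, then prints the status.
start_gitlab() {
  check_stale_pids

  if [ "$web_status" != "0" ]; then
    echo "Starting GitLab Unicorn"
  fi
  if [ "$sidekiq_status" != "0" ]; then
    echo "Starting GitLab Sidekiq"
  fi
  if [ "$gitlab_workhorse_status" != "0" ]; then
    echo "Starting gitlab-workhorse"
  fi
  if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" != "0" ]; then
    echo "Starting GitLab MailRoom"
  fi

  # Then check if the service is running. If it is: don't start again.
  if [ "$web_status" = "0" ]; then
    echo "The Unicorn web server already running with pid $wpid, not restarting."
  else
    # Remove old socket if it exists
    rm -f "$socket_path"/gitlab.socket 2>/dev/null
    # Start the web server
    RAILS_ENV=$RAILS_ENV bin/web start
  fi

  # If sidekiq is already running, don't start it again.
  if [ "$sidekiq_status" = "0" ]; then
    echo "The Sidekiq job dispatcher is already running with pid $spid, not restarting"
  else
    RAILS_ENV=$RAILS_ENV bin/background_jobs start &
  fi

  if [ "$gitlab_workhorse_status" = "0" ]; then
    # Report the workhorse pid (hpid); the original printed the Sidekiq pid here.
    echo "The gitlab-workhorse is already running with pid $hpid, not restarting"
  else
    # No need to remove a socket, gitlab-workhorse does this itself.
    # $gitlab_workhorse_options is left unquoted on purpose: it holds several
    # space-separated flags that must be split into separate arguments.
    "$app_root/bin/daemon_with_pidfile" "$gitlab_workhorse_pid_path"  \
      "$app_root/../gitlab-workhorse/gitlab-workhorse" \
        $gitlab_workhorse_options \
      >> "$gitlab_workhorse_log" 2>&1 &
  fi

  if [ "$mail_room_enabled" = true ]; then
    # If MailRoom is already running, don't start it again.
    if [ "$mail_room_status" = "0" ]; then
      echo "The MailRoom email processor is already running with pid $mpid, not restarting"
    else
      RAILS_ENV=$RAILS_ENV bin/mail_room start &
    fi
  fi

  # Wait for the pids to be planted
  wait_for_pids
  # Finally check the status to tell whether or not GitLab is running
  print_status
}

## Asks Unicorn, Sidekiq, gitlab-workhorse and MailRoom to stop, waits until
## none of them is running any more, removes leftover pid files and prints the
## status.
stop_gitlab() {
  exit_if_not_running

  if [ "$web_status" = "0" ]; then
    echo "Shutting down GitLab Unicorn"
    RAILS_ENV=$RAILS_ENV bin/web stop
  fi
  if [ "$sidekiq_status" = "0" ]; then
    echo "Shutting down GitLab Sidekiq"
    RAILS_ENV=$RAILS_ENV bin/background_jobs stop
  fi
  if [ "$gitlab_workhorse_status" = "0" ]; then
    echo "Shutting down gitlab-workhorse"
    kill -- "$(cat "$gitlab_workhorse_pid_path")"
  fi
  if [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; then
    echo "Shutting down GitLab MailRoom"
    RAILS_ENV=$RAILS_ENV bin/mail_room stop
  fi

  # If something needs to be stopped, lets wait for it to stop. Never use SIGKILL in a script.
  while [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_workhorse_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; do
    sleep 1
    check_status
    printf "."
    if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
      printf "\n"
      break
    fi
  done

  sleep 1
  # Cleaning up unused pids
  rm "$web_server_pid_path" 2>/dev/null
  # rm "$sidekiq_pid_path" 2>/dev/null # Sidekiq seems to be cleaning up its own pid.
  rm -f "$gitlab_workhorse_pid_path"
  if [ "$mail_room_enabled" = true ]; then
    rm "$mail_room_pid_path" 2>/dev/null
  fi

  print_status
}

## Prints the status of GitLab and its components.
print_status() {
  check_status
  if [ "$web_status" != "0" ] && [ "$sidekiq_status" != "0" ] && [ "$gitlab_workhorse_status" != "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" != "0" ]; }; then
    echo "GitLab is not running."
    return
  fi
  if [ "$web_status" = "0" ]; then
      echo "The GitLab Unicorn web server with pid $wpid is running."
  else
      printf "The GitLab Unicorn web server is \033[31mnot running\033[0m.\n"
  fi
  if [ "$sidekiq_status" = "0" ]; then
      echo "The GitLab Sidekiq job dispatcher with pid $spid is running."
  else
      printf "The GitLab Sidekiq job dispatcher is \033[31mnot running\033[0m.\n"
  fi
  if [ "$gitlab_workhorse_status" = "0" ]; then
      echo "The gitlab-workhorse with pid $hpid is running."
  else
      printf "The gitlab-workhorse is \033[31mnot running\033[0m.\n"
  fi
  if [ "$mail_room_enabled" = true ]; then
    if [ "$mail_room_status" = "0" ]; then
        echo "The GitLab MailRoom email processor with pid $mpid is running."
    else
        printf "The GitLab MailRoom email processor is \033[31mnot running\033[0m.\n"
    fi
  fi
  # gitlab-workhorse is part of the check: the original claimed "all its
  # components" were up even when workhorse was reported as not running.
  if [ "$web_status" = "0" ] && [ "$sidekiq_status" = "0" ] && [ "$gitlab_workhorse_status" = "0" ] && { [ "$mail_room_enabled" != true ] || [ "$mail_room_status" = "0" ]; }; then
    printf "GitLab and all its components are \033[32mup and running\033[0m.\n"
  fi
}

## Tells unicorn to reload its config and restarts Sidekiq (and MailRoom when
## it is enabled), since those cannot reload their configuration.
reload_gitlab(){
  exit_if_not_running
  if [ "$wpid" = "0" ];then
    echo "The GitLab Unicorn Web server is not running thus its configuration can't be reloaded."
    exit 1
  fi
  printf "Reloading GitLab Unicorn configuration... "
  RAILS_ENV=$RAILS_ENV bin/web reload
  echo "Done."

  echo "Restarting GitLab Sidekiq since it isn't capable of reloading its config..."
  RAILS_ENV=$RAILS_ENV bin/background_jobs restart

  # Restart MailRoom only when it is enabled; the original test was inverted
  # and restarted it exactly when it was disabled.
  if [ "$mail_room_enabled" = true ]; then
    echo "Restarting GitLab MailRoom since it isn't capable of reloading its config..."
    RAILS_ENV=$RAILS_ENV bin/mail_room restart
  fi

  wait_for_pids
  print_status
}

## Restarts the service: stops it first if any component is running, then
## starts it.
restart_gitlab(){
  check_status
  # Test gitlab_workhorse_status; the original read the never-set variable
  # gitlab_workhorse, so a lone running workhorse did not trigger the stop.
  if [ "$web_status" = "0" ] || [ "$sidekiq_status" = "0" ] || [ "$gitlab_workhorse_status" = "0" ] || { [ "$mail_room_enabled" = true ] && [ "$mail_room_status" = "0" ]; }; then
    stop_gitlab
  fi
  start_gitlab
}


### Finally the input handling.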
366 | 367 | case "$1" in 368 | start) 369 | start_gitlab 370 | ;; 371 | stop) 372 | stop_gitlab 373 | ;; 374 | restart) 375 | restart_gitlab 376 | ;; 377 | reload|force-reload) 378 | reload_gitlab 379 | ;; 380 | status) 381 | print_status 382 | exit $gitlab_status 383 | ;; 384 | *) 385 | echo "Usage: service gitlab {start|stop|restart|reload|status}" 386 | exit 1 387 | ;; 388 | esac 389 | 390 | exit -------------------------------------------------------------------------------- /init/systemd/README.md: -------------------------------------------------------------------------------- 1 | ## GitLab startup services for systemd (Archlinux, Fedora, etc) 2 | 3 | GitLab requires a couple of services: 4 | * Web server (apache, nginx, etc.) 5 | * Redis server 6 | * Mail server (postfix or other) 7 | * GitLab Sidekiq service (`gitlab-sidekiq.service`) 8 | * Unicorn service (`gitlab-unicorn.service`) 9 | * Gitlab Workhorse server for slow HTTP requests (`gitlab-workhorse.service`) 10 | * Gitaly, the Git RPC service for handling all the git calls made by GitLab (`gitlab-gitaly.service`) 11 | 12 | ## Setup GitLab services 13 | 14 | Copy files to `/etc/systemd/system/`. The commands below download the unit files from the `master` branch as root, so read each downloaded file before reloading systemd, which will run whatever `ExecStart` command a unit names: 15 | 16 | ``` 17 | sudo su 18 | cd /etc/systemd/system/ 19 | wget -O gitlab-sidekiq.service https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/init/systemd/gitlab-sidekiq.service 20 | wget -O gitlab-unicorn.service https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/init/systemd/gitlab-unicorn.service 21 | wget -O gitlab-workhorse.service https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/init/systemd/gitlab-workhorse.service 22 | wget -O gitlab-mailroom.service https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/init/systemd/gitlab-mailroom.service 23 | wget -O gitlab-gitaly.service https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/init/systemd/gitlab-gitaly.service 24 | ``` 25 | 26 | Reload systemd: 27 | 28 | sudo daemon-reload-placeholder
systemctl start gitlab-sidekiq.service gitlab-unicorn.service gitlab-workhorse.service gitlab-mailroom.service gitlab-gitaly.service 33 | 34 | Enable them to start at boot: 35 | 36 | sudo systemctl enable gitlab-sidekiq.service gitlab-unicorn.service gitlab-workhorse.service gitlab-mailroom.service gitlab-gitaly.service 37 | 38 | ## Notes 39 | 40 | * If you installed GitLab in a path other than `/home/git/gitlab`, change the service files accordingly. 41 | 42 | * Unit files in `/etc/systemd/system/` take precedence over those in `/usr/lib/systemd/system`. 43 | -------------------------------------------------------------------------------- /init/systemd/gitlab-gitaly.service: -------------------------------------------------------------------------------- 1 | ##################################################### 2 | # 3 | # GitLab version : 9.x 4 | # Contributors : axil 5 | # Downloaded from : https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/init/systemd 6 | # 7 | #################################################### 8 | 9 | [Unit] 10 | Description=Gitaly is a Git RPC service for handling all the git calls made by GitLab. 
11 | Requires=gitlab-unicorn.service 12 | Wants=gitlab-unicorn.service 13 | After=gitlab-unicorn.service 14 | 15 | [Service] 16 | Type=simple 17 | User=git 18 | WorkingDirectory=/home/git/gitaly 19 | SyslogIdentifier=gitlab-gitaly 20 | 21 | ExecStart=/home/git/gitaly/gitaly /home/git/gitaly/config.toml 22 | 23 | [Install] 24 | WantedBy=multi-user.target 25 | -------------------------------------------------------------------------------- /init/systemd/gitlab-mailroom.service: -------------------------------------------------------------------------------- 1 | ##################################################### 2 | # 3 | # GitLab version : 8.x - 8.x 4 | # Contributors : davispuh, mtorromeo, axilleas, boeserwolf91, Stefan Tatschner (rumpelsepp) 5 | # Downloaded from : https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/init/systemd 6 | # 7 | #################################################### 8 | 9 | [Unit] 10 | Description=Gitlab mailroom Worker 11 | Requires=gitlab-unicorn.service 12 | Wants=gitlab-unicorn.service 13 | After=gitlab-unicorn.service 14 | 15 | [Service] 16 | User=git 17 | Environment=RAILS_ENV=production 18 | WorkingDirectory=/home/git/gitlab 19 | SyslogIdentifier=gitlab-mailroom 20 | PIDFile=/home/git/gitlab/tmp/pids/gitlab-mailroom.pid 21 | Type=oneshot 22 | RemainAfterExit=yes 23 | 24 | ExecStart=/home/git/gitlab/bin/mail_room start 25 | ExecStop=/home/git/gitlab/bin/mail_room stop 26 | 27 | [Install] 28 | WantedBy=multi-user.target -------------------------------------------------------------------------------- /init/systemd/gitlab-sidekiq.service: -------------------------------------------------------------------------------- 1 | ##################################################### 2 | # 3 | # GitLab version : 5.x - 7.x 4 | # Contributors : davispuh, mtorromeo, axilleas, boeserwolf91, Stefan Tatschner (rumpelsepp) 5 | # Downloaded from : https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/init/systemd 6 | # 7 | 
#################################################### 8 | 9 | [Unit] 10 | Description=GitLab Sidekiq Worker 11 | Requires=redis.service 12 | Wants=mysqld.service postgresql.service 13 | After=redis.service mysqld.service postgresql.service 14 | 15 | [Service] 16 | Type=forking 17 | User=git 18 | WorkingDirectory=/home/git/gitlab 19 | Environment=RAILS_ENV=production 20 | SyslogIdentifier=gitlab-sidekiq 21 | PIDFile=/home/git/gitlab/tmp/pids/sidekiq.pid 22 | 23 | ExecStart=/usr/bin/bundle exec "sidekiq -C config/sidekiq_queues.yml -c 5 -e production -P tmp/pids/sidekiq.pid -d -L log/sidekiq.log >> log/sidekiq.log 2>&1" 24 | ExecStop=/usr/bin/bundle exec "sidekiqctl stop /home/git/gitlab/tmp/pids/sidekiq.pid >> /home/git/gitlab/log/sidekiq.log 2>&1" 25 | 26 | [Install] 27 | WantedBy=multi-user.target 28 | -------------------------------------------------------------------------------- /init/systemd/gitlab-unicorn.service: -------------------------------------------------------------------------------- 1 | ##################################################### 2 | # 3 | # GitLab version : 5.x - 7.x 4 | # Contributors : davispuh, mtorromeo, axilleas, boeserwolf91, Stefan Tatschner (rumpelsepp) 5 | # Downloaded from : https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/init/systemd 6 | # 7 | #################################################### 8 | 9 | [Unit] 10 | Description=GitLab Unicorn Server 11 | Requires=redis.service 12 | Wants=mysqld.service postgresql.service 13 | After=redis.service mysqld.service postgresql.service 14 | 15 | [Service] 16 | User=git 17 | WorkingDirectory=/home/git/gitlab 18 | Environment=RAILS_ENV=production 19 | SyslogIdentifier=gitlab-unicorn 20 | PIDFile=/home/git/gitlab/tmp/pids/unicorn.pid 21 | 22 | ExecStart=/usr/bin/bundle exec "unicorn_rails -D -c /home/git/gitlab/config/unicorn.rb -E production" 23 | 24 | [Install] 25 | WantedBy=multi-user.target 26 | -------------------------------------------------------------------------------- 
/init/systemd/gitlab-workhorse.service: -------------------------------------------------------------------------------- 1 | ##################################################### 2 | # 3 | # GitLab version : 8.2 - 8.x 4 | # Contributors : bjorn-oivind 5 | # Downloaded from : https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/init/systemd 6 | # 7 | #################################################### 8 | 9 | [Unit] 10 | Description=Gitlab Workhorse handles slow HTTP requests for Gitlab. 11 | Requires=gitlab-unicorn.service 12 | Wants=gitlab-unicorn.service 13 | After=gitlab-unicorn.service 14 | 15 | [Service] 16 | Type=simple 17 | User=git 18 | WorkingDirectory=/home/git/gitlab-workhorse 19 | SyslogIdentifier=gitlab-workhorse 20 | 21 | ExecStart=/home/git/gitlab-workhorse/gitlab-workhorse -listenUmask 0 -listenNetwork unix -listenAddr /home/git/gitlab/tmp/sockets/gitlab-workhorse.socket -authBackend http://127.0.0.1:8080 -authSocket /home/git/gitlab/tmp/sockets/gitlab.socket -secretPath /home/git/gitlab/.gitlab_workhorse_secret -documentRoot /home/git/gitlab/public 22 | 23 | [Install] 24 | WantedBy=multi-user.target 25 | -------------------------------------------------------------------------------- /init/sysvinit/centos/README.md: -------------------------------------------------------------------------------- 1 | # CentOS daemon scripts for gitlab service 2 | 3 | ## Related (kudos @4sak3n0ne): 4 | 5 | * https://github.com/gitlabhq/gitlabhq/issues/1049#issuecomment-8386882 6 | 7 | * https://gist.github.com/3062860 8 | 9 | ## Notes 10 | 11 | Add the service to chkconfig with: 12 | 13 | chkconfig --add gitlab 14 | 15 | Related services (redis, mysql, nginx) should also be added to chkconfig. 
16 | 17 | Check chkconfig state with 18 | 19 | chkconfig -l 20 | 21 | And if any of the services are not set properly, run: 22 | 23 | chkconfig --levels 2345 [name] on 24 | 25 | -------------------------------------------------------------------------------- /init/sysvinit/centos/gitlab-only-sidekiq: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # GitLab 4 | # Contributors : @elvanja, @troyanov, @eiyaya, @foyo23, @nielsbasjes, @relip, @JasonMing, @andronat, @axilleas 5 | # App Version : 6.x - 7.x 6 | 7 | # chkconfig: 2345 82 55 8 | # processname: sidekiq 9 | # description: Runs sidekiq for nginx integration. 10 | 11 | # Related (kudos @4sak3n0ne): 12 | # https://github.com/gitlabhq/gitlabhq/issues/1049#issuecomment-8386882 13 | # https://gist.github.com/3062860 14 | 15 | # Include RedHat function library 16 | . /etc/rc.d/init.d/functions 17 | 18 | # The name of the service 19 | NAME=${0##*/} 20 | 21 | ### Environment variables 22 | RAILS_ENV="production" 23 | 24 | # The username and path to the gitlab source 25 | USER=git 26 | APP_PATH=/home/git/gitlab 27 | 28 | # The PID and LOCK files used by unicorn and sidekiq 29 | SPID=$APP_PATH/tmp/pids/sidekiq.pid 30 | SLOCK=/var/lock/subsys/sidekiq 31 | 32 | # Evaluate the real path for the user (should already have RVM) 33 | PATH_PATCH="PATH=$(su $USER -l -c "echo \"\$PATH\"") && export PATH && " 34 | 35 | start() { 36 | cd $APP_PATH 37 | 38 | # Start sidekiq 39 | echo -n $"Starting sidekiq: " 40 | daemon --pidfile=$SPID --user=$USER "$PATH_PATCH RAILS_ENV=$RAILS_ENV bin/background_jobs start" 41 | sidekiq=$? 42 | [ $sidekiq -eq 0 ] && touch $SLOCK 43 | echo 44 | 45 | retval=$sidekiq 46 | return $retval 47 | } 48 | 49 | stop() { 50 | cd $APP_PATH 51 | 52 | # Stop sidekiq 53 | echo -n $"Stopping sidekiq: " 54 | killproc -p $SPID 55 | sidekiq=$? 
56 | [ $sidekiq -eq 0 ] && rm -f $SLOCK 57 | echo 58 | 59 | retval=$sidekiq 60 | return $retval 61 | } 62 | 63 | restart() { 64 | stop 65 | start 66 | } 67 | 68 | get_status() { 69 | status -p $SPID sidekiq 70 | sidekiq=$? 71 | 72 | retval=$sidekiq 73 | return $retval 74 | } 75 | 76 | query_status() { 77 | get_status >/dev/null 2>&1 78 | return $? 79 | } 80 | 81 | case "$1" in 82 | start) 83 | query_status && exit 0 84 | start 85 | ;; 86 | stop) 87 | query_status || exit 0 88 | stop 89 | ;; 90 | restart) 91 | restart 92 | ;; 93 | status) 94 | get_status 95 | exit $? 96 | ;; 97 | *) 98 | N=/etc/init.d/$NAME 99 | echo "Usage: $N {start|stop|restart|status}" >&2 100 | exit 1 101 | ;; 102 | esac 103 | 104 | exit 0 105 | 106 | -------------------------------------------------------------------------------- /init/sysvinit/centos/gitlab-puma: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # GitLab 4 | # Contributors : @elvanja, @troyanov, @eiyaya, @foyo23, @nielsbasjes, @relip, @JasonMing, @andronat 5 | # App Version : 6.x -7.x 6 | 7 | # chkconfig: 2345 82 55 8 | # processname: puma 9 | # processname: sidekiq 10 | # description: Runs puma and sidekiq for nginx integration. 11 | 12 | # Related (kudos @4sak3n0ne): 13 | # https://github.com/gitlabhq/gitlabhq/issues/1049#issuecomment-8386882 14 | # https://gist.github.com/3062860 15 | 16 | # Save original $PATH 17 | # /etc/rc.d/init.d/functions resets $PATH to default(/sbin:/usr/sbin:/bin:/usr/bin). 18 | # Consequently, rvm and compiled ruby with custom path (which isn't /usr/bin) cannot be executed. 19 | ORIGINAL_PATH=$PATH 20 | 21 | # Include RedHat function library 22 | . 
/etc/rc.d/init.d/functions 23 | 24 | # Restore original $PATH 25 | PATH=$ORIGINAL_PATH 26 | 27 | ### Environment variables 28 | RAILS_ENV="production" 29 | 30 | # The name of the service 31 | NAME=git 32 | 33 | # The username and path to the gitlab source 34 | USER=git 35 | APP_PATH=/home/$USER/gitlab 36 | 37 | # The PID and LOCK files used by puma and sidekiq 38 | UPID=$APP_PATH/tmp/pids/puma.pid 39 | PLOCK=/var/lock/subsys/puma 40 | SPID=$APP_PATH/tmp/pids/sidekiq.pid 41 | SLOCK=/var/lock/subsys/sidekiq 42 | 43 | # The options to use when running puma 44 | OPTS="-C $APP_PATH/config/puma.rb -e production" 45 | 46 | # Ruby related path update 47 | RVM_PATH="/usr/local/rvm/bin" 48 | RUBY_PATH_PATCH="PATH=/usr/local/bin:/usr/local/lib:/home/git/bin:$RVM_PATH:$PATH && export PATH && " 49 | 50 | start() { 51 | cd $APP_PATH 52 | 53 | # Start puma 54 | echo -n $"Starting puma: " 55 | daemon --pidfile=$UPID --user=$USER "$RUBY_PATH_PATCH bundle exec puma $OPTS" 56 | puma=$? 57 | [ $puma -eq 0 ] && touch $PLOCK 58 | echo 59 | 60 | # Start sidekiq 61 | echo -n $"Starting sidekiq: " 62 | daemon --pidfile=$SPID --user=$USER "$RUBY_PATH_PATCH RAILS_ENV=$RAILS_ENV bin/background_jobs start" 63 | sidekiq=$? 64 | [ $sidekiq -eq 0 ] && touch $SLOCK 65 | echo 66 | 67 | retval=$puma || $sidekiq 68 | return $retval 69 | } 70 | 71 | stop() { 72 | cd $APP_PATH 73 | 74 | # Stop puma 75 | echo -n $"Stopping puma: " 76 | killproc -p $UPID 77 | puma=$? 78 | [ $puma -eq 0 ] && rm -f $PLOCK 79 | echo 80 | 81 | # Stop sidekiq 82 | echo -n $"Stopping sidekiq: " 83 | killproc -p $SPID 84 | sidekiq=$? 
85 | [ $sidekiq -eq 0 ] && rm -f $SLOCK 86 | echo 87 | 88 | retval=$puma || $sidekiq 89 | return $retval 90 | } 91 | 92 | restart() { 93 | stop 94 | start 95 | } 96 | 97 | get_status() { 98 | status -p $PPID puma 99 | status -p $SPID sidekiq 100 | } 101 | 102 | query_status() { 103 | get_status >/dev/null 2>&1 104 | } 105 | 106 | case "$1" in 107 | start) 108 | query_status && exit 0 109 | start 110 | ;; 111 | stop) 112 | query_status || exit 0 113 | stop 114 | ;; 115 | restart) 116 | restart 117 | ;; 118 | status) 119 | get_status 120 | ;; 121 | *) 122 | N=/etc/init.d/$NAME 123 | echo "Usage: $N {start|stop|restart|status}" >&2 124 | exit 1 125 | ;; 126 | esac 127 | 128 | exit 0 129 | 130 | -------------------------------------------------------------------------------- /init/sysvinit/centos/gitlab-unicorn: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # GitLab 4 | # Contributors : @elvanja, @troyanov, @eiyaya, @foyo23, @nielsbasjes, @relip, @JasonMing, @andronat, @axilleas, @mdirkse 5 | # App Version : 6.x - 7.x 6 | 7 | # chkconfig: 2345 82 55 8 | # processname: unicorn 9 | # processname: sidekiq 10 | # description: Runs unicorn and sidekiq for nginx integration. 11 | 12 | # Related (kudos @4sak3n0ne): 13 | # https://github.com/gitlabhq/gitlabhq/issues/1049#issuecomment-8386882 14 | # https://gist.github.com/3062860 15 | 16 | # Include RedHat function library 17 | . 
/etc/rc.d/init.d/functions 18 | 19 | # The name of the service 20 | NAME=${0##*/} 21 | 22 | ### Environment variables 23 | RAILS_ENV="production" 24 | 25 | # The username and path to the gitlab source 26 | USER=git 27 | APP_PATH=/home/$USER/gitlab 28 | 29 | # The PID and LOCK files used by unicorn and sidekiq 30 | UPID=$APP_PATH/tmp/pids/unicorn.pid 31 | ULOCK=/var/lock/subsys/unicorn 32 | SPID=$APP_PATH/tmp/pids/sidekiq.pid 33 | SLOCK=/var/lock/subsys/sidekiq 34 | 35 | # Evaluate the real path for the user (should already have RVM) 36 | PATH_PATCH="PATH=$(su $USER -s /bin/bash -l -c "echo \"\$PATH\"") && export PATH && " 37 | 38 | start() { 39 | cd $APP_PATH 40 | 41 | # Start unicorn 42 | echo -n $"Starting unicorn: " 43 | daemon --pidfile=$UPID --user=$USER "$PATH_PATCH RAILS_ENV=$RAILS_ENV bin/web start" 44 | unicorn=$? 45 | [ $unicorn -eq 0 ] && touch $ULOCK 46 | echo 47 | 48 | # Start sidekiq 49 | echo -n $"Starting sidekiq: " 50 | daemon --pidfile=$SPID --user=$USER "$PATH_PATCH RAILS_ENV=$RAILS_ENV bin/background_jobs start" 51 | sidekiq=$? 52 | [ $sidekiq -eq 0 ] && touch $SLOCK 53 | echo 54 | 55 | retval=$unicorn || $sidekiq 56 | return $retval 57 | } 58 | 59 | stop() { 60 | cd $APP_PATH 61 | 62 | # Stop unicorn 63 | echo -n $"Stopping unicorn: " 64 | killproc -p $UPID 65 | unicorn=$? 66 | [ $unicorn -eq 0 ] && rm -f $ULOCK 67 | echo 68 | 69 | # Stop sidekiq 70 | echo -n $"Stopping sidekiq: " 71 | killproc -p $SPID 72 | sidekiq=$? 73 | [ $sidekiq -eq 0 ] && rm -f $SLOCK 74 | echo 75 | 76 | retval=$unicorn || $sidekiq 77 | return $retval 78 | } 79 | 80 | restart() { 81 | stop 82 | start 83 | } 84 | 85 | get_status() { 86 | status -p $UPID unicorn 87 | unicorn=$? 88 | 89 | status -p $SPID sidekiq 90 | sidekiq=$? 91 | 92 | retval=$unicorn || $sidekiq 93 | return $retval 94 | } 95 | 96 | query_status() { 97 | get_status >/dev/null 2>&1 98 | return $? 
99 | } 100 | 101 | case "$1" in 102 | start) 103 | query_status && exit 0 104 | start || exit 1 105 | ;; 106 | stop) 107 | query_status || exit 0 108 | stop || exit 1 109 | ;; 110 | restart) 111 | restart || exit 1 112 | ;; 113 | status) 114 | get_status 115 | exit $? 116 | ;; 117 | *) 118 | N=/etc/init.d/$NAME 119 | echo "Usage: $N {start|stop|restart|status}" >&2 120 | exit 1 121 | ;; 122 | esac 123 | 124 | exit 0 125 | -------------------------------------------------------------------------------- /init/sysvinit/debian/README.md: -------------------------------------------------------------------------------- 1 | Alternative sysvinit file for puma. Tested on Debian/Ubuntu but this should work for all Debian based distros. 2 | Make sure you have the `puma` gem installed and `puma.rb` in `/home/git/gitlab/config/`. 3 | 4 | Get `gitlab-puma` in your `/etc/init.d/` directory: 5 | 6 | wget -O /etc/init.d/gitlab https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/init/sysvinit/debian/gitlab-puma 7 | 8 | Then start the service with: 9 | 10 | service gitlab start 11 | -------------------------------------------------------------------------------- /init/sysvinit/debian/gitlab-puma: -------------------------------------------------------------------------------- 1 | #! 
/bin/bash 2 | 3 | # GITLAB 4 | # Maintainer: @randx 5 | # App Version: 5.2 6 | 7 | ### BEGIN INIT INFO 8 | # Provides: gitlab 9 | # Required-Start: $local_fs $remote_fs $network $syslog redis-server 10 | # Required-Stop: $local_fs $remote_fs $network $syslog 11 | # Default-Start: 2 3 4 5 12 | # Default-Stop: 0 1 6 13 | # Short-Description: GitLab git repository management 14 | # Description: GitLab git repository management 15 | ### END INIT INFO 16 | 17 | 18 | APP_ROOT="/home/git/gitlab" 19 | APP_USER="git" 20 | DAEMON_OPTS="-C $APP_ROOT/config/puma.rb" 21 | PID_PATH="$APP_ROOT/tmp/pids" 22 | SOCKET_PATH="$APP_ROOT/tmp/sockets" 23 | SOCKET_FILE="$SOCKET_PATH/gitlab.socket" 24 | WEB_SERVER_PID="$PID_PATH/puma.pid" 25 | SIDEKIQ_PID="$PID_PATH/sidekiq.pid" 26 | STOP_SIDEKIQ="RAILS_ENV=production bundle exec rake sidekiq:stop" 27 | START_SIDEKIQ="RAILS_ENV=production bundle exec rake sidekiq:start" 28 | NAME="gitlab" 29 | DESC="GitLab service" 30 | 31 | check_pid(){ 32 | if [ -f $WEB_SERVER_PID ]; then 33 | PID=`cat $WEB_SERVER_PID` 34 | SPID=`cat $SIDEKIQ_PID` 35 | STATUS=`ps aux | grep $PID | grep -v grep | wc -l` 36 | else 37 | STATUS=0 38 | PID=0 39 | fi 40 | } 41 | 42 | execute() { 43 | sudo -u $APP_USER -H bash -l -c "$1" 44 | } 45 | 46 | start() { 47 | cd $APP_ROOT 48 | check_pid 49 | if [ "$PID" -ne 0 -a "$STATUS" -ne 0 ]; then 50 | # Program is running, exit with error code 1. 51 | echo "Error! $DESC $NAME is currently running!" 52 | exit 1 53 | else 54 | if [ `whoami` = root ]; then 55 | ! [ -e $SOCKET_FILE ] || execute "rm $SOCKET_FILE" 56 | execute "RAILS_ENV=production bundle exec puma $DAEMON_OPTS" 57 | execute "mkdir -p $PID_PATH && $START_SIDEKIQ > /dev/null 2>&1 &" 58 | echo "$DESC started" 59 | fi 60 | fi 61 | } 62 | 63 | stop() { 64 | cd $APP_ROOT 65 | check_pid 66 | if [ "$PID" -ne 0 -a "$STATUS" -ne 0 ]; then 67 | ## Program is running, stop it. 68 | kill -QUIT `cat $WEB_SERVER_PID` 69 | ! 
[ -e $SOCKET_FILE ] || execute "rm $SOCKET_FILE" 70 | execute "mkdir -p $PID_PATH && $STOP_SIDEKIQ > /dev/null 2>&1 &" 71 | rm "$WEB_SERVER_PID" >> /dev/null 72 | echo "$DESC stopped" 73 | else 74 | ## Program is not running, exit with error. 75 | echo "Error! $DESC is not started!" 76 | exit 1 77 | fi 78 | } 79 | 80 | restart() { 81 | cd $APP_ROOT 82 | check_pid 83 | if [ "$PID" -ne 0 -a "$STATUS" -ne 0 ]; then 84 | echo "Restarting $DESC..." 85 | kill -USR2 `cat $WEB_SERVER_PID` 86 | execute "mkdir -p $PID_PATH && $STOP_SIDEKIQ > /dev/null 2>&1" 87 | if [ `whoami` = root ]; then 88 | execute "mkdir -p $PID_PATH && $START_SIDEKIQ > /dev/null 2>&1 &" 89 | fi 90 | echo "$DESC restarted." 91 | else 92 | echo "Error, $NAME not running!" 93 | exit 1 94 | fi 95 | } 96 | 97 | status() { 98 | cd $APP_ROOT 99 | check_pid 100 | if [ "$PID" -ne 0 -a "$STATUS" -ne 0 ]; then 101 | echo "$DESC / Puma with PID $PID is running." 102 | echo "$DESC / Sidekiq with PID $SPID is running." 103 | else 104 | echo "$DESC is not running." 105 | exit 1 106 | fi 107 | } 108 | 109 | ## Check to see if we are running as root first. 110 | ## Found at http://www.cyberciti.biz/tips/shell-root-user-check-script.html 111 | if [ "$(id -u)" != "0" ]; then 112 | echo "This script must be run as root" 113 | exit 1 114 | fi 115 | 116 | case "$1" in 117 | start) 118 | start 119 | ;; 120 | stop) 121 | stop 122 | ;; 123 | restart) 124 | restart 125 | ;; 126 | reload|force-reload) 127 | echo -n "Reloading $NAME configuration: " 128 | kill -HUP `cat $PID` 129 | echo "done." 
130 | ;; 131 | status) 132 | status 133 | ;; 134 | *) 135 | echo "Usage: sudo service gitlab {start|stop|restart|reload}" >&2 136 | exit 1 137 | ;; 138 | esac 139 | 140 | exit 0 141 | -------------------------------------------------------------------------------- /install/README.md: -------------------------------------------------------------------------------- 1 | In this section there are provided additional installation guides and scripts for various platforms. 2 | 3 | If you have something to contribute please read the [contributing guidelines](../CONTRIBUTING.md). 4 | -------------------------------------------------------------------------------- /install/archlinux/README.md: -------------------------------------------------------------------------------- 1 | Welcome to the Arch Linux GitLab recipes. GitLab is now part of the `[community]` 2 | repository, follow the installation guide in the ArchWiki. 3 | 4 | If you have any questions, please write them in the talk section 5 | https://wiki.archlinux.org/index.php/Talk:Gitlab. 6 | 7 | - [GitLab ArchWiki](https://wiki.archlinux.org/index.php/Gitlab) 8 | - [GitLab package in [community]](https://www.archlinux.org/packages/?q=gitlab) 9 | -------------------------------------------------------------------------------- /install/centos/README.md: -------------------------------------------------------------------------------- 1 | ``` 2 | Distribution : CentOS 6.8 Minimal 3 | GitLab version : 8.9 4 | Web Server : Apache, Nginx 5 | Init system : sysvinit 6 | Database : MySQL, PostgreSQL 7 | Contributors : @nielsbasjes, @axilleas, @mairin, @ponsjuh, @yorn, @psftw, @etcet, @mdirkse, @nszceta, @herkalurk, @mjmaenpaa 8 | Additional Notes : In order to get a proper Ruby & Git setup we build them from source 9 | ``` 10 | 11 | ## Overview 12 | 13 | Please read [requirements.md](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/install/requirements.md) for hardware and platform requirements. 
14 | 15 | ### Important Notes 16 | 17 | The following steps have been known to work and should be followed from top to bottom. 18 | If you deviate from this guide, do it with caution and make sure you don't violate 19 | any assumptions GitLab makes about its environment. We have also tried this on 20 | RHEL 6.3 and found that there are subtle differences which are documented in part. 21 | Look for the **RHEL Notes** note. 22 | 23 | **This guide assumes that you run every command as root.** 24 | 25 | #### If you find a bug 26 | 27 | If you find a bug/error in this guide please submit an issue or a Merge Request 28 | following the contribution guide (see [CONTRIBUTING.md](https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/CONTRIBUTING.md)). 29 | 30 | #### Security 31 | 32 | Many setup guides of Linux software simply state: "disable selinux and firewall". 33 | This guide does not disable either of them; we simply configure them as they were intended. 34 | [Stop disabling SELinux](http://stopdisablingselinux.com/). 35 | 36 | - - - 37 | 38 | The GitLab installation consists of setting up the following components: 39 | 40 | 1. Install the base operating system (CentOS 6.8 Minimal) and Packages / Dependencies 41 | 1. Ruby 42 | 1. Go 43 | 1. System Users 44 | 1. Database 45 | 1. Redis 46 | 1. GitLab 47 | 1. Web server 48 | 1. Firewall 49 | 50 | ---------- 51 | 52 | ## 1. Installing the operating system (CentOS 6.8 Minimal) 53 | 54 | We start with a completely clean CentOS 6.8 "minimal" installation which can be 55 | accomplished by downloading the appropriate installation iso file. Just boot the 56 | system off the iso file and install the system. 57 | 58 | Note that during the installation you use the *"Configure Network"* option (it's a 59 | button in the same screen where you specify the hostname) to enable the *"Connect automatically"* 60 | option for the network interface at hand (usually eth0).
61 | 62 | **If you forget this option the network will NOT start at boot.** 63 | 64 | The end result is a bare minimum CentOS installation that effectively only has 65 | network connectivity and (almost) no services at all. 66 | 67 | ## Updating and adding basic software and services 68 | 69 | ### Add EPEL repository 70 | 71 | [EPEL][] is a volunteer-based community effort from the Fedora project to create 72 | a repository of high-quality add-on packages that complement the Fedora-based 73 | Red Hat Enterprise Linux (RHEL) and its compatible spinoffs, such as CentOS and Scientific Linux. 74 | 75 | As part of the Fedora packaging community, EPEL packages are 100% free/libre open source software (FLOSS). 76 | 77 | Download the GPG key for EPEL repository from [fedoraproject][keys] and install it on your system: 78 | 79 | wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 https://getfedora.org/static/0608B895.txt 80 | rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 81 | 82 | Verify that the key got installed successfully: 83 | 84 | rpm -qa gpg* 85 | gpg-pubkey-0608b895-4bd22942 86 | 87 | Now install the `epel-release-6-8.noarch` package, which will enable EPEL repository on your system: 88 | 89 | rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm 90 | 91 | **Note:** Don't mind the `x86_64`, if you install on a i686 system you can use the same commands. 92 | 93 | ### Add Remi's RPM repository 94 | 95 | [Remi's RPM Repository][REMI] is unofficial repository for Centos/RHEL that provides latest versions of some software. We take advantage of Remi's RPM repository to obtain up-to-date version of Redis. 
96 | 97 | Download the GPG key for Remi's repository and install it on your system. The URL below is plain HTTP, so the download itself is not authenticated; rely on the key ID check in the next step, and ideally compare the key's fingerprint with one obtained from an independent source: 98 | 99 | wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-remi http://rpms.famillecollet.com/RPM-GPG-KEY-remi 100 | rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-remi 101 | 102 | Verify that the key got installed successfully and that its ID matches the one shown here: 103 | 104 | rpm -qa gpg* 105 | gpg-pubkey-00f97f56-467e318a 106 | 107 | Now install the `remi-release-6` package, which will enable the remi-safe repository on your system: 108 | 109 | rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm 110 | 111 | Verify that the EPEL and remi-safe repositories are enabled as shown below: 112 | 113 | yum repolist 114 | 115 | repo id repo name status 116 | base CentOS-6 - Base 6696 117 | epel Extra Packages for Enterprise Linux 6 - x86_64 12125 118 | extras CentOS-6 - Extras 61 119 | remi-safe Safe Remi's RPM repository for Enterprise Linux 6 - x86_64 827 120 | updates CentOS-6 - Updates 137 121 | repolist: 19846 122 | 123 | If you can't see them listed, use the following command (from `yum-utils` package) to enable them: 124 | 125 | yum-config-manager --enable epel --enable remi-safe 126 | 127 | ### Install the required tools for GitLab 128 | 129 | yum -y update 130 | yum -y groupinstall 'Development Tools' 131 | yum -y install readline readline-devel ncurses-devel gdbm-devel glibc-devel tcl-devel openssl-devel curl-devel expat-devel db4-devel byacc sqlite-devel libyaml libyaml-devel libffi libffi-devel libxml2 libxml2-devel libxslt libxslt-devel libicu libicu-devel system-config-firewall-tui redis sudo wget crontabs logwatch logrotate perl-Time-HiRes git cmake libcom_err-devel.i686 libcom_err-devel.x86_64 nodejs 132 | 133 | # For reStructuredText markup language support, install required package: 134 | yum -y install python-docutils 135 | 136 | **RHEL Notes** 137 | 138 | If some packages (eg.
gdbm-devel, libffi-devel and libicu-devel) are NOT installed, 139 | add the rhel6 optional packages repo to your server to get those packages: 140 | 141 | yum-config-manager --enable rhel-6-server-optional-rpms 142 | 143 | Tip taken from [here](https://github.com/gitlabhq/gitlab-recipes/issues/62). 144 | 145 | ### Install mail server 146 | 147 | In order to receive mail notifications, make sure to install a 148 | mail server. The recommended one is postfix and you can install it with: 149 | 150 | yum -y install postfix 151 | 152 | To use and configure sendmail instead of postfix see [Advanced Email Configurations](../../e-mail/configure_email.md). 153 | 154 | ### Configure the default editor 155 | 156 | During this installation some files will need to be edited manually. 157 | You can choose between editors such as nano, vi, vim, etc. 158 | 159 | In this case we will use vim as the default editor for consistency. 160 | If you are familiar with vim set it as default editor with the commands below. 161 | 162 | # Install vim and set as default editor 163 | yum -y install vim-enhanced 164 | ln -s /usr/bin/vim /usr/bin/editor 165 | 166 | To remove this alias in the future: 167 | 168 | rm -i /usr/bin/editor 169 | 170 | ### Install Git from Source 171 | 172 | Make sure Git is version 2.13.6 or higher 173 | 174 | git --version 175 | 176 | If not, install it from source. 
First remove the system Git: 177 | 178 | yum -y remove git 179 | 180 | Install the pre-requisite files for Git compilation: 181 | 182 | yum install zlib-devel perl-CPAN gettext curl-devel expat-devel gettext-devel openssl-devel 183 | 184 | Download and extract it: 185 | 186 | mkdir /tmp/git && cd /tmp/git 187 | curl --progress https://www.kernel.org/pub/software/scm/git/git-2.9.0.tar.gz | tar xz 188 | cd git-2.9.0 189 | ./configure 190 | make 191 | make prefix=/usr/local install 192 | 193 | Make sure Git is in your `$PATH`: 194 | 195 | which git 196 | 197 | You might have to logout and login again for the `$PATH` to take effect. 198 | **Note:** When editing `config/gitlab.yml` (step 7), change the git `bin_path` to `/usr/local/bin/git`. 199 | 200 | ---------- 201 | 202 | ## 2. Ruby 203 | 204 | The use of ruby version managers such as [RVM](http://rvm.io/), [rbenv](https://github.com/sstephenson/rbenv) or [chruby](https://github.com/postmodern/chruby) with GitLab in production frequently leads to hard to diagnose problems. Version managers are not supported and we strongly advise everyone to follow the instructions below to use a system ruby. 205 | 206 | Remove the old Ruby 1.8 package if present. GitLab only supports the Ruby 2.1 release series: 207 | 208 | yum remove ruby 209 | 210 | Remove any other Ruby build if it is still present: 211 | 212 | cd 213 | make uninstall 214 | 215 | Download Ruby and compile it: 216 | 217 | mkdir /tmp/ruby && cd /tmp/ruby 218 | curl --progress https://cache.ruby-lang.org/pub/ruby/2.1/ruby-2.1.9.tar.gz | tar xz 219 | cd ruby-2.1.9 220 | ./configure --disable-install-rdoc 221 | make 222 | make prefix=/usr/local install 223 | 224 | Install the Bundler Gem: 225 | 226 | gem install bundler --no-doc 227 | 228 | Logout and login again for the `$PATH` to take effect. 
Check that ruby is properly 229 | installed with: 230 | 231 | which ruby 232 | # /usr/local/bin/ruby 233 | ruby -v 234 | # ruby 2.1.10p492 (2016-04-01 revision 54464) [x86_64-linux] 235 | 236 | 237 | ---------- 238 | 239 | ## 3. Go 240 | 241 | Since GitLab 8.0, Git HTTP requests are handled by gitlab-workhorse (formerly gitlab-git-http-server). This is a small daemon written in Go. To install gitlab-workhorse we need a Go compiler. 242 | 243 | yum install golang golang-bin golang-src 244 | 245 | ---------- 246 | 247 | ## 4. System Users 248 | 249 | Create a `git` user for Gitlab: 250 | 251 | adduser --system --shell /bin/bash --comment 'GitLab' --create-home --home-dir /home/git/ git 252 | 253 | **Important:** In order to include `/usr/local/bin` to git user's PATH, one way is to edit the sudoers file. As root run: 254 | 255 | visudo 256 | 257 | Then search for this line: 258 | 259 | Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin 260 | 261 | and append `/usr/local/bin` like so: 262 | 263 | Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin 264 | 265 | Save and exit. 266 | 267 | ---------- 268 | 269 | ## 5. Database 270 | 271 | ### 5.1 PostgreSQL (recommended) 272 | 273 | NOTE: because we need to make use of extensions we need at least pgsql 9.1 and the default 8.x on centos will not work. 
We need to get the PGDG repositories enabled 274 | 275 | If there are any previous versions remove them: 276 | 277 | yum remove postgresql 278 | 279 | Install the pgdg repositories: 280 | 281 | rpm -Uvh http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/pgdg-centos93-9.3-2.noarch.rpm 282 | 283 | Install `postgresql93-server`, `postgreqsql93-devel` and the `postgresql93-contrib` libraries: 284 | 285 | yum install postgresql93-server postgresql93-devel postgresql93-contrib 286 | 287 | Rename the service script: 288 | 289 | mv /etc/init.d/{postgresql-9.3,postgresql} 290 | 291 | Initialize the database: 292 | 293 | service postgresql initdb 294 | 295 | Start the service and configure service to start on boot: 296 | 297 | service postgresql start 298 | chkconfig postgresql on 299 | 300 | Configure the database user and password: 301 | 302 | su - postgres 303 | psql -d template1 304 | 305 | psql (9.4.3) 306 | Type "help" for help. 307 | template1=# CREATE USER git CREATEDB; 308 | CREATE ROLE 309 | template1=# CREATE DATABASE gitlabhq_production OWNER git; 310 | CREATE DATABASE 311 | template1=# CREATE EXTENSION IF NOT EXISTS pg_trgm; 312 | template1=# \q 313 | exit # exit uid=postgres, return to root 314 | 315 | Test the connection as the gitlab (uid=git) user. You should be root to begin this test: 316 | 317 | whoami 318 | 319 | Attempt to log in to Postgres as the git user: 320 | 321 | sudo -u git psql -d gitlabhq_production 322 | 323 | If you see the following: 324 | 325 | gitlabhq_production=> 326 | 327 | your password has been accepted successfully and you can type \q to quit. 
328 | 329 | Check if the `pg_trgm` extension is enabled: 330 | 331 | SELECT true AS enabled 332 | FROM pg_available_extensions 333 | WHERE name = 'pg_trgm' 334 | AND installed_version IS NOT NULL; 335 | 336 | If the extension is enabled this will produce the following output: 337 | 338 | enabled 339 | --------- 340 | t 341 | (1 row) 342 | 343 | Ensure you are using the right settings in your `/var/lib/pgsql/9.3/data/pg_hba.conf` 344 | to not get ident issues (you can use trust over ident): 345 | 346 | host all all 127.0.0.1/32 trust 347 | 348 | Check the official [documentation][psql-doc-auth] for more information on 349 | authentication methods. Note that `trust` accepts every connection from 127.0.0.1 as any database role without a password, so any local account on the server can reach the GitLab database; if other users have accounts on this host, use a password-based method such as `md5` and set a password for the `git` role. 350 | 351 | ### 5.2 MySQL 352 | 353 | #### Note 354 | 355 | We do not recommend using MySQL due to various issues. For example, case [(in)sensitivity](https://dev.mysql.com/doc/refman/5.0/en/case-sensitivity.html) and [problems](https://bugs.mysql.com/bug.php?id=65830) that [suggested](https://bugs.mysql.com/bug.php?id=50909) [fixes](https://bugs.mysql.com/bug.php?id=65830) [have](https://bugs.mysql.com/bug.php?id=63164). 356 | 357 | #### MySQL 358 | 359 | Install `mysql` and enable the `mysqld` service to start on boot: 360 | 361 | yum install -y mysql-server mysql-devel 362 | chkconfig mysqld on 363 | service mysqld start 364 | 365 | Ensure you have MySQL version 5.5.14 or later: 366 | 367 | mysql --version 368 | 369 | Secure your installation: 370 | 371 | mysql_secure_installation 372 | 373 | Login to MySQL (type the database root password): 374 | 375 | mysql -u root -p 376 | 377 | 378 | Create a user for GitLab (change $password in the command below to a real password you pick): 379 | 380 | CREATE USER 'git'@'localhost' IDENTIFIED BY '$password'; 381 | 382 | Ensure you can use the InnoDB engine which is necessary to support long indexes. 383 | If this fails, check your MySQL config files (e.g. `/etc/mysql/*.cnf`, `/etc/mysql/conf.d/*`) for the setting "innodb = off".
384 | 385 | SET storage_engine=INNODB; 386 | 387 | Create the GitLab production database: 388 | 389 | CREATE DATABASE IF NOT EXISTS `gitlabhq_production` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`; 390 | 391 | Grant the GitLab user necessary permissions on the table: 392 | 393 | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, CREATE TEMPORARY TABLES, DROP, INDEX, ALTER, LOCK TABLES, REFERENCES ON `gitlabhq_production`.* TO 'git'@'localhost'; 394 | 395 | Quit the database session: 396 | 397 | \q 398 | 399 | Try connecting to the new database with the new user: 400 | 401 | sudo -u git -H mysql -u git -p -D gitlabhq_production 402 | 403 | Type the password you replaced $password with earlier. 404 | Quit the database session: 405 | 406 | \q 407 | 408 | ---------- 409 | 410 | ## 6. Redis 411 | 412 | GitLab requires at least Redis 2.8. 413 | 414 | Remove old version: 415 | 416 | yum remove redis 417 | 418 | Install new version from Remi's RPM repository: 419 | 420 | yum --enablerepo=remi,remi-test install redis 421 | 422 | Make sure redis is started on boot: 423 | 424 | chkconfig redis on 425 | 426 | Configure redis to use sockets: 427 | 428 | cp /etc/redis.conf /etc/redis.conf.orig 429 | 430 | Disable Redis listening on TCP by setting 'port' to 0: 431 | 432 | sed 's/^port .*/port 0/' /etc/redis.conf.orig | sudo tee /etc/redis.conf 433 | 434 | Enable Redis socket for default CentOS path: 435 | 436 | echo 'unixsocket /var/run/redis/redis.sock' | sudo tee -a /etc/redis.conf 437 | echo -e 'unixsocketperm 0770' | sudo tee -a /etc/redis.conf 438 | 439 | Create the directory which contains the socket 440 | 441 | mkdir /var/run/redis 442 | chown redis:redis /var/run/redis 443 | chmod 755 /var/run/redis 444 | 445 | Persist the directory which contains the socket, if applicable 446 | 447 | if [ -d /etc/tmpfiles.d ]; then 448 | echo 'd /var/run/redis 0755 redis redis 10d -' | sudo tee -a /etc/tmpfiles.d/redis.conf 449 | fi 450 | 451 | Activate the changes to redis.conf: 
452 | 453 | service redis restart 454 | 455 | Add git to the redis group: 456 | 457 | usermod -aG redis git 458 | 459 | ------ 460 | 461 | ## 7. GitLab 462 | 463 | # We'll install GitLab into home directory of the user "git" 464 | cd /home/git 465 | 466 | ### Clone the Source 467 | 468 | # Clone GitLab repository 469 | sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-ce.git -b 8-9-stable gitlab 470 | 471 | **Note:** You can change `8-9-stable` to `master` if you want the *bleeding edge* version, but do so with caution! 472 | 473 | ### Configure it 474 | 475 | # Go to GitLab installation folder 476 | cd /home/git/gitlab 477 | 478 | # Copy the example GitLab config 479 | sudo -u git -H cp config/gitlab.yml.example config/gitlab.yml 480 | 481 | # Update GitLab config file, follow the directions at top of file 482 | sudo -u git -H editor config/gitlab.yml 483 | 484 | # Copy the example secrets file 485 | sudo -u git -H cp config/secrets.yml.example config/secrets.yml 486 | sudo -u git -H chmod 0600 config/secrets.yml 487 | 488 | # Make sure GitLab can write to the log/ and tmp/ directories 489 | sudo chown -R git log/ 490 | sudo chown -R git tmp/ 491 | sudo chmod -R u+rwX,go-w log/ 492 | sudo chmod -R u+rwX tmp/ 493 | 494 | # Make sure GitLab can write to the tmp/pids/ and tmp/sockets/ directories 495 | sudo chmod -R u+rwX tmp/pids/ 496 | sudo chmod -R u+rwX tmp/sockets/ 497 | 498 | # Create the public/uploads/ directory 499 | sudo -u git -H mkdir public/uploads/ 500 | 501 | # Make sure only the GitLab user has access to the public/uploads/ directory 502 | # now that files in public/uploads are served by gitlab-workhorse 503 | sudo chmod 0700 public/uploads 504 | 505 | sudo chmod ug+rwX,o-rwx /home/git/repositories/ 506 | 507 | # Change the permissions of the directory where CI build traces are stored 508 | sudo chmod -R u+rwX builds/ 509 | 510 | # Change the permissions of the directory where CI artifacts are stored 511 | sudo chmod -R u+rwX 
shared/artifacts/ 512 | 513 | # Copy the example Unicorn config 514 | sudo -u git -H cp config/unicorn.rb.example config/unicorn.rb 515 | 516 | # Find number of cores 517 | nproc 518 | 519 | # Enable cluster mode if you expect to have a high load instance 520 | # Ex. change amount of workers to 3 for 2GB RAM server 521 | # Set the number of workers to at least the number of cores 522 | sudo -u git -H editor config/unicorn.rb 523 | 524 | # Copy the example Rack attack config 525 | sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb 526 | 527 | # Configure Git global settings for git user 528 | # 'autocrlf' is needed for the web editor 529 | sudo -u git -H git config --global core.autocrlf input 530 | 531 | # Disable 'git gc --auto' because GitLab already runs 'git gc' when needed 532 | sudo -u git -H git config --global gc.auto 0 533 | 534 | # Configure Redis connection settings 535 | sudo -u git -H cp config/resque.yml.example config/resque.yml 536 | 537 | # Change the Redis socket path if you are not using the default CentOS configuration 538 | sudo -u git -H editor config/resque.yml 539 | 540 | **Important Note:** Make sure to edit both `gitlab.yml` and `unicorn.rb` to match your setup. 541 | 542 | **Note:** If you want to use HTTPS, see [Using HTTPS][https] for the additional steps. 543 | 544 | ### Configure GitLab DB settings 545 | 546 | # PostgreSQL only: 547 | sudo -u git cp config/database.yml.postgresql config/database.yml 548 | 549 | # MySQL only: 550 | sudo -u git cp config/database.yml.mysql config/database.yml 551 | 552 | # MySQL and remote PostgreSQL only: 553 | # Update username/password in config/database.yml. 554 | # You only need to adapt the production settings (first part). 
555 | # If you followed the database guide then please do as follows: 556 | # Change 'secure password' with the value you have given to $password 557 | # You can keep the double quotes around the password 558 | sudo -u git -H editor config/database.yml 559 | 560 | # PostgreSQL and MySQL: 561 | # Make config/database.yml readable to git only 562 | sudo -u git -H chmod o-rwx config/database.yml 563 | 564 | ### Install Gems 565 | 566 | **Note:** As of bundler 1.5.2, you can invoke `bundle install -jN` 567 | (where `N` the number of your processor cores) and enjoy the parallel gems installation with measurable 568 | difference in completion time (~60% faster). Check the number of your cores with `nproc`. 569 | For more information check this [post](http://robots.thoughtbot.com/parallel-gem-installing-using-bundler). 570 | First make sure you have bundler >= 1.5.2 (run `bundle -v`) as it addresses some [issues](https://devcenter.heroku.com/changelog-items/411) 571 | that were [fixed](https://github.com/bundler/bundler/pull/2817) in 1.5.2. 572 | 573 | cd /home/git/gitlab 574 | 575 | # For PostgreSQL (note, the option says "without ... mysql") 576 | sudo -u git -H bundle config build.pg --with-pg-config=/usr/pgsql-9.3/bin/pg_config 577 | sudo -u git -H bundle install --deployment --without development test mysql aws kerberos 578 | 579 | # Or for MySQL (note, the option says "without ... postgres") 580 | sudo -u git -H bundle install --deployment --without development test postgres aws kerberos 581 | 582 | **Note:** If you want to use Kerberos for user authentication, then omit `kerberos` 583 | in the `--without` option above. 584 | 585 | ### Install GitLab shell 586 | 587 | GitLab Shell is an SSH access and repository management software developed specially for GitLab. 
588 | 589 | # Run the installation task for gitlab-shell (replace `REDIS_URL` if needed): 590 | sudo -u git -H bundle exec rake gitlab:shell:install[v3.0.0] REDIS_URL=unix:/var/run/redis/redis.sock RAILS_ENV=production 591 | 592 | # By default, the gitlab-shell config is generated from your main GitLab config. 593 | # You can review (and modify) the gitlab-shell config as follows: 594 | sudo -u git -H editor /home/git/gitlab-shell/config.yml 595 | 596 | # Ensure the correct SELinux contexts are set 597 | # Read http://wiki.centos.org/HowTos/Network/SecuringSSH 598 | restorecon -Rv /home/git/.ssh 599 | 600 | **Note:** If you want to use HTTPS, see [Using HTTPS](#using-https) for the additional steps. 601 | 602 | **Note:** Make sure your hostname can be resolved on the machine itself by either a 603 | proper DNS record or an additional line in /etc/hosts ("127.0.0.1 604 | hostname"). This might be necessary for example if you set up GitLab behind a 605 | reverse proxy. If the hostname cannot be resolved, the final installation check 606 | will fail with "Check GitLab API access: FAILED. code: 401" and pushing commits 607 | will be rejected with "[remote rejected] master -> master (hook declined)". 608 | 609 | ### Install gitlab-workhorse 610 | 611 | cd /home/git 612 | sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-workhorse.git 613 | cd gitlab-workhorse 614 | sudo -u git -H git checkout v0.7.5 615 | sudo -u git -H make 616 | 617 | ### Initialize Database and Activate Advanced Features 618 | 619 | # Go to GitLab installation folder 620 | 621 | cd /home/git/gitlab 622 | 623 | sudo -u git -H bundle exec rake gitlab:setup RAILS_ENV=production 624 | 625 | # Type 'yes' to create the database tables. 
626 | 627 | # When done you see 'Administrator account created:' 628 | 629 | **Note:** You can set the Administrator/root password and e-mail by supplying 630 | them in environment variables, `GITLAB_ROOT_PASSWORD` and 631 | `GITLAB_ROOT_EMAIL` respectively, as seen below. If you don't set the 632 | password (and it is set to the default one) please wait with exposing GitLab 633 | to the public internet until the installation is done and you've logged into 634 | the server the first time. During the first login you'll be forced to change 635 | the default password. A password given on the command line is saved in the shell history and is visible in the process list while the task runs, so change it after the first login. 636 | 637 | sudo -u git -H bundle exec rake gitlab:setup RAILS_ENV=production GITLAB_ROOT_PASSWORD=yourpassword GITLAB_ROOT_EMAIL=youremail 638 | 639 | ### Secure secrets.yml 640 | 641 | The `secrets.yml` file stores encryption keys for sessions and secure variables. 642 | Back up `secrets.yml` someplace safe, but don't store it in the same place as your 643 | database backups. Otherwise your secrets are exposed if one of your backups is 644 | compromised. 645 | 646 | ### Install Init Script 647 | 648 | Copy the init script (will be `/etc/init.d/gitlab`): 649 | 650 | cp lib/support/init.d/gitlab /etc/init.d/gitlab 651 | 652 | And if you are installing with a non-default folder or user copy and edit the defaults file: 653 | 654 | cp lib/support/init.d/gitlab.default.example /etc/default/gitlab 655 | 656 | If you installed GitLab in another directory or as a user other than the default you should change these settings in `/etc/default/gitlab`. Do not edit `/etc/init.d/gitlab` as it will be 657 | changed on upgrade.
658 | 659 | Make GitLab start on boot: 660 | 661 | chkconfig gitlab on 662 | 663 | ### Set up logrotate 664 | 665 | cp lib/support/logrotate/gitlab /etc/logrotate.d/gitlab 666 | 667 | ### Check Application Status 668 | 669 | Check if GitLab and its environment are configured correctly: 670 | 671 | sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production 672 | 673 | ### Compile assets 674 | 675 | sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production 676 | 677 | ### Start your GitLab instance 678 | 679 | service gitlab start 680 | 681 | ------ 682 | 683 | ## 8. Configure the web server 684 | 685 | Use either Nginx or Apache, not both. Official installation guide recommends nginx. 686 | 687 | ### Nginx 688 | 689 | #### Installation 690 | 691 | You will need a new version of nginx otherwise you might encounter an issue like [this][issue-nginx]. 692 | To do so, follow the instructions provided by the [nginx wiki][nginx-centos] and then install nginx with: 693 | 694 | yum update 695 | yum -y install nginx 696 | chkconfig nginx on 697 | 698 | #### Site Configuration 699 | 700 | cp lib/support/nginx/gitlab /etc/nginx/conf.d/gitlab.conf 701 | 702 | Make sure to edit the config file to match your setup: 703 | 704 | # Change YOUR_SERVER_FQDN to the fully-qualified 705 | # domain name of your host serving GitLab. 706 | 707 | **Note:** If you want to use HTTPS, replace the `gitlab` Nginx config with `gitlab-ssl`. See [Using HTTPS](#using-https) for HTTPS configuration details. 708 | 709 | Add `nginx` user to `git` group: 710 | 711 | usermod -a -G git nginx 712 | chmod g+rx /home/git/ 713 | 714 | #### Test Configuration 715 | 716 | Validate your `gitlab` or `gitlab-ssl` Nginx config file with the following command: 717 | 718 | nginx -t 719 | 720 | You should receive `syntax is okay` and `test is successful` messages. If you receive errors check your `gitlab` or `gitlab-ssl` Nginx config file for typos, etc. as indiciated in the error message given. 
721 | 722 | 723 | #### Restart 724 | 725 | service nginx restart 726 | 727 | ### Apache 728 | 729 | Httpd can be configured with or without SSL support. Please choose appropriate commands in next steps. 730 | 731 | #### GitLab-Workhorse 732 | 733 | Apache installation requires changes to gitlab-workhorse configuration. Change 734 | `gitlab_workhorse_options` in `/etc/default/gitlab` to the following: 735 | 736 | gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr 127.0.0.1:8181 -authBackend http://127.0.0.1:8080" 737 | 738 | And restart: 739 | 740 | service gitlab restart 741 | 742 | #### HTTPS 743 | 744 | We will configure apache with module `mod_proxy` which is loaded by default when 745 | installing apache and `mod_ssl` which will provide ssl support: 746 | 747 | yum -y install httpd mod_ssl 748 | chkconfig httpd on 749 | wget -O /etc/httpd/conf.d/gitlab.conf https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/web-server/apache/gitlab-ssl-apache22.conf 750 | mv /etc/httpd/conf.d/ssl.conf{,.bak} 751 | sed -i 's/logs\///g' /etc/httpd/conf.d/gitlab.conf 752 | 753 | Open `/etc/httpd/conf.d/gitlab.conf` with your editor and replace `YOUR_SERVER_FQDN` with your FQDN. Also make sure the path to your certificates is valid. 754 | 755 | Add `LoadModule ssl_module /etc/httpd/modules/mod_ssl.so` in `/etc/httpd/conf/httpd.conf`. 756 | 757 | #### HTTP 758 | 759 | We will configure apache with module `mod_proxy` which is loaded by default when 760 | installing apache: 761 | 762 | yum -y install httpd 763 | chkconfig httpd on 764 | wget -O /etc/httpd/conf.d/gitlab.conf https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/web-server/apache/gitlab-apache22.conf 765 | sed -i 's/logs\///g' /etc/httpd/conf.d/gitlab.conf 766 | 767 | Open `/etc/httpd/conf.d/gitlab.conf` with your editor and replace `YOUR_SERVER_FQDN` with your FQDN. 
768 | 769 | #### SELinux 770 | 771 | To configure SELinux read the **SELinux modifications** section in [README](https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/web-server/apache/README.md). 772 | 773 | Finally, start apache: 774 | 775 | service httpd start 776 | 777 | **Note:** 778 | If you want to run other websites on the same system, you'll need to add in `/etc/httpd/conf/httpd.conf`: 779 | 780 | NameVirtualHost *:80 781 | 782 | # If you add NameVirtualHost *:443 here, you will also have to change 783 | # the VirtualHost statement in /etc/httpd/conf.d/gitlab.conf 784 | # to 785 | NameVirtualHost *:443 786 | Listen 443 787 | 788 | 789 | ------ 790 | 791 | ## 9. Configure the firewall 792 | 793 | Poke an iptables hole so users can access the web server (http and https ports) and ssh. 794 | 795 | lokkit -s http -s https -s ssh 796 | 797 | Restart the service for the changes to take effect: 798 | 799 | service iptables restart 800 | 801 | ## Done! 802 | 803 | ### Double-check Application Status 804 | 805 | To make sure you didn't miss anything run a more thorough check with: 806 | 807 | cd /home/git/gitlab 808 | sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production 809 | 810 | If all items are green, then congratulations on successfully installing GitLab! 811 | 812 | **NOTE:** Supply `SANITIZE=true` environment variable to `gitlab:check` to omit project names from the output of the check command. 813 | 814 | ## Initial Login 815 | 816 | If you didn't [provide a root password during setup](#initialize-database-and-activate-advanced-features), 817 | you'll be redirected to a password reset screen to provide the password for the 818 | initial administrator account. Enter your desired password and you'll be 819 | redirected back to the login screen. 820 | 821 | The default account's username is **root**. Provide the password you created 822 | earlier and login. After login you can change the username if you wish. 
823 | 824 | **Enjoy!** 825 | 826 | You can use `sudo service gitlab start` and `sudo service gitlab stop` to start and stop GitLab. 827 | 828 | You can also check some [Advanced Setup Tips][tips]. 829 | 830 | ## Links used in this guide 831 | 832 | - [EPEL information](http://www.thegeekstuff.com/2012/06/enable-epel-repository/) 833 | - [SELinux booleans](http://wiki.centos.org/TipsAndTricks/SelinuxBooleans) 834 | 835 | [https]: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/install/installation.md#using-https 836 | [EPEL]: https://fedoraproject.org/wiki/EPEL 837 | [REMI]: http://rpms.famillecollet.com/ 838 | [PUIAS]: https://puias.math.ias.edu/wiki/YumRepositories6#Computational 839 | [SDL]: https://puias.math.ias.edu 840 | [PU]: http://www.princeton.edu/ 841 | [IAS]: http://www.ias.edu/ 842 | [keys]: https://fedoraproject.org/keys 843 | [issue-nginx]: https://github.com/gitlabhq/gitlabhq/issues/5774 844 | [nginx-centos]: http://wiki.nginx.org/Install#Official_Red_Hat.2FCentOS_packages 845 | [psql-doc-auth]: http://www.postgresql.org/docs/9.3/static/auth-methods.html 846 | [tips]: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/install/installation.md#advanced-setup-tips 847 | -------------------------------------------------------------------------------- /install/freebsd/README.md: -------------------------------------------------------------------------------- 1 | # FreeBsd 8 / 9 Install Troubleshooting 2 | 3 | ## Naughty Gems 4 | 5 | 6 | - [charlock_holmes](#charlock-holmes-gem-install-fails-or-breaks-after-pkg-upgrade) 7 | 8 | - [rugged](#rugged-gem-install-fails-wo-gmake) 9 | 10 | ### Charlock Holmes-Gem install fails or breaks after `pkg upgrade` 11 | 12 | Every now and then `devel/icu` - or other dependencies of charlock_holmes - will get updated, sometimes invalidating the gem installation in the gitlab directory. 13 | 14 | N.B. 
Your running server will continue normal operation in that case, but updates and/or rake commands in general may suddenly fail. 15 | 16 | __Cure__ ([Kudos to herrBeesch](https://github.com/brianmario/charlock_holmes/issues/9#issuecomment-10370071)) 17 | 18 | On FreeBSD we need to tell the gem install routine where to look for certain dependencies: 19 | 20 | ``` 21 | sudo gem install charlock_holmes -- --with-icu-dir=/usr/lib --with-opt-include=/usr/local/include/ 22 | ``` 23 | 24 | This process _should_ now succeed, provided _that_ it does, let's store those values in the build configuration for gitlab: 25 | 26 | ``` 27 | sudo -u git -H bundle config build.charlock_holmes --with-opt-include=/usr/local/include/ --with-opt-lib=/usr/local/lib/ 28 | ``` 29 | 30 | Now you should be able to pickup where you were when you bumped into this :) 31 | 32 | 33 | 34 | ### Rugged-Gem install fails w/o gmake 35 | 36 | ``` 37 | checking for gmake... no 38 | checking for make... yes 39 | -- /usr/bin/make -f Makefile.embed 40 | *** extconf.rb failed *** 41 | Could not create Makefile due to some reason, probably lack of necessary 42 | libraries and/or headers. Check the mkmf.log file for more details. You may 43 | need configuration options. 44 | ``` 45 | __Remedy__: 46 | 47 | Make gmake available `sudo pkg install gmake` (or whatever freebsd install routine you prefer) and retry. 48 | 49 | -------------------------------------------------------------------------------- /install/freebsd/freebsd-10.md: -------------------------------------------------------------------------------- 1 | Installing GitLab on FreeBSD 10 2 | =============================== 3 | 4 | ##### Preface 5 | Mileage with this guide may vary; different configurations of FreeBSD on 6 | different hardware and with different packages may introduce other unexpected 7 | issues. 
To make full use of this guide, read the [official GitLab installation guide](https://github.com/gitlabhq/gitlabhq/blob/7-6-stable/doc/install/installation.md) 8 | before attempting anything in here. 9 | 10 | **Note:** These steps were tested on a FreeBSD droplet at DigitalOcean. 11 | 12 | 1. Update system and Enable UTF-8 13 | --------------------------------- 14 | 15 | Follow [this guide](https://www.b1c1l1.com/blog/2011/05/09/using-utf-8-unicode-on-freebsd/) 16 | to enable UTF-8 on your system. This will allow you to create the GitLab 17 | database later on. 18 | 19 | Update your system: 20 | ``` 21 | pkg update 22 | pkg upgrade 23 | ``` 24 | 25 | 2. Install dependencies 26 | ----------------------- 27 | 28 | Install system packages: 29 | ``` 30 | pkg install sudo bash icu cmake pkgconf git nginx node ruby ruby22-gems logrotate redis postgresql95-server postgresql95-contrib postfix krb5 gmake go 31 | ``` 32 | 33 | Install bundler gem system-wide: 34 | 35 | ```bash 36 | gem install bundler --no-ri --no-rdoc 37 | ``` 38 | 39 | Add this to `/etc/rc.conf`: 40 | 41 | ``` 42 | # Core services 43 | sshd_enable="YES" 44 | ntpd_enable="YES" 45 | ntpd_sync_on_start="YES" 46 | 47 | # GitLab services 48 | redis_enable="YES" 49 | postgresql_enable="YES" 50 | gitlab_enable="YES" 51 | 52 | # Web server 53 | nginx_enable="YES" 54 | 55 | # Postfix/Sendmail 56 | postfix_enable="YES" 57 | sendmail_enable="NO" 58 | sendmail_submit_enable="NO" 59 | sendmail_outbound_enable="NO" 60 | sendmail_msp_queue_enable="NO" 61 | ``` 62 | 63 | 3. Create `git` user for GitLab 64 | ------------------------------- 65 | 66 | Set up user and groups: 67 | 68 | ``` 69 | # Create user 70 | pw add user -n git -m -s /usr/local/bin/bash -c "GitLab" 71 | 72 | # Add 'git' user to 'redis' group (this will come in useful later!) 73 | pw groupmod redis -m git 74 | ``` 75 | 76 | 4. 
Set up Postgres database 77 | --------------------------- 78 | 79 | Set up the database: 80 | 81 | ``` 82 | # Initialize First start of PG DB 83 | service postgresql initdb 84 | 85 | # Initialise Postgres db 86 | service postgresql start 87 | 88 | # Log in to Postgres user account 89 | su - pgsql 90 | 91 | # Connect to Postgres database 92 | psql -d template1 93 | ``` 94 | 95 | When logged into the database: 96 | 97 | ``` 98 | # Do not type the 'template1=#', this is part of the prompt 99 | 100 | # Set up pg_trgm extension (required for GitLab 8.6+) 101 | template1=# CREATE EXTENSION IF NOT EXISTS pg_trgm; 102 | 103 | # Create a user for GitLab 104 | template1=# CREATE USER git CREATEDB; 105 | 106 | # Create the GitLab production database & grant all privileges on database 107 | template1=# CREATE DATABASE gitlabhq_production OWNER git encoding='UTF8'; 108 | 109 | # Quit the database session 110 | template1=# \q 111 | ``` 112 | 113 | Then type `exit` to drop back to the `root` user. 114 | Try connecting to the new database with the `git` user: 115 | 116 | ``` 117 | su - git 118 | psql -d gitlabhq_production 119 | ``` 120 | 121 | If this succeeds, quit the database session by typing `\q` or hitting CTRL-D. 122 | 123 | 5. 
Install and set up Redis 124 | --------------------------- 125 | 126 | Back up the original Redis config file: 127 | 128 | ``` 129 | cp /usr/local/etc/redis.conf /usr/local/etc/redis.conf.orig 130 | ``` 131 | 132 | Run the following commands to get Redis working: 133 | 134 | ``` 135 | # Disable Redis listening on TCP by setting 'port' to 0 136 | sed 's/^port .*/port 0/' /usr/local/etc/redis.conf.orig | sudo tee /usr/local/etc/redis.conf 137 | 138 | # Enable Redis socket 139 | echo 'unixsocket /usr/local/var/run/redis/redis.sock' | sudo tee -a /usr/local/etc/redis.conf 140 | 141 | # Grant permission to the socket to all members of the redis group 142 | echo 'unixsocketperm 770' | sudo tee -a /usr/local/etc/redis.conf 143 | 144 | # Create the directory which contains the socket 145 | mkdir -p /usr/local/var/run/redis 146 | chown redis:redis /usr/local/var/run/redis 147 | chmod 755 /usr/local/var/run/redis 148 | 149 | # Restart redis 150 | sudo service redis restart 151 | ``` 152 | 153 | 6. Install and set up GitLab 154 | ---------------------------- 155 | 156 | ``` 157 | # Change to git home directory 158 | cd /home/git 159 | 160 | # Clone GitLab source 161 | sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-ce.git -b 8-10-stable gitlab 162 | 163 | # Go to GitLab source folder 164 | cd /home/git/gitlab 165 | 166 | # Copy the example GitLab config 167 | sudo -u git -H cp config/gitlab.yml.example config/gitlab.yml 168 | ``` 169 | 170 | Edit the GitLab configuration file 171 | (`sudo -u git -H vim config/gitlab.yml`) 172 | * The option `host:` should be set to your domain, e.g. "gitlab.mysite.com". 173 | * The line `bin_path:` should be set to FreeBSD's `git` location: `/usr/local/bin/git`. 
174 | * Change /home/* to be /usr/home/* (home is a symbolic link that doesn't work) 175 | 176 | As root: 177 | 178 | ``` 179 | cd /home/git/gitlab 180 | 181 | # Copy the example secrets file 182 | sudo -u git -H cp config/secrets.yml.example config/secrets.yml 183 | sudo -u git -H chmod 0600 config/secrets.yml 184 | 185 | # Make sure GitLab can write to the log/ and tmp/ directories 186 | sudo chown -R git log/ 187 | sudo chown -R git tmp/ 188 | sudo chmod -R u+rwX,go-w log/ 189 | sudo chmod -R u+rwX tmp/ 190 | 191 | # Make sure GitLab can write to the tmp/pids/ and tmp/sockets/ directories 192 | sudo chmod -R u+rwX tmp/pids/ 193 | sudo chmod -R u+rwX tmp/sockets/ 194 | 195 | # Create the public/uploads/ directory 196 | sudo -u git -H mkdir public/uploads/ 197 | 198 | # Make sure only the GitLab user has access to the public/uploads/ directory 199 | # now that files in public/uploads are served by gitlab-workhorse 200 | sudo chmod 0700 public/uploads 201 | 202 | # Change the permissions of the directory where CI build traces are stored 203 | sudo chmod -R u+rwX builds/ 204 | 205 | # Change the permissions of the directory where CI artifacts are stored 206 | sudo chmod -R u+rwX shared/artifacts/ 207 | 208 | # Copy the example Unicorn config 209 | sudo -u git -H cp config/unicorn.rb.example config/unicorn.rb 210 | 211 | # Find number of cores 212 | sysctl hw.ncpu 213 | 214 | # Enable cluster mode if you expect to have a high load instance 215 | # Set the number of workers to at least the number of cores 216 | # Ex. 
change amount of workers to 3 for 2GB RAM server 217 | sudo -u git -H vim config/unicorn.rb 218 | 219 | # Copy the example Rack attack config 220 | sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb 221 | 222 | # Configure Git global settings for git user 223 | # 'autocrlf' is needed for the web editor 224 | sudo -u git -H git config --global core.autocrlf input 225 | 226 | # Disable 'git gc --auto' because GitLab already runs 'git gc' when needed 227 | sudo -u git -H git config --global gc.auto 0 228 | 229 | # Configure Redis connection settings 230 | sudo -u git -H cp config/resque.yml.example config/resque.yml 231 | 232 | # Change the Redis socket path to /usr/local/var/run/redis/redis.sock 233 | sudo -u git -H sed -i '' 's|/var/run/redis/redis.sock|/usr/local/var/run/redis/redis.sock|g' config/resque.yml 234 | ``` 235 | 236 | Configure the GitLab DB Settings: 237 | 238 | ``` 239 | sudo -u git cp config/database.yml.postgresql config/database.yml 240 | 241 | # Make config/database.yml readable to git only 242 | sudo -u git -H chmod o-rwx config/database.yml 243 | ``` 244 | 245 | Install Gems: 246 | 247 | ``` 248 | sudo -u git -H bundle install --deployment --without development test mysql aws kerberos 249 | 250 | ``` 251 | 252 | 7. GitLab Shell 253 | --------------- 254 | 255 | ``` 256 | # create repositories path 257 | sudo -u git -H mkdir /home/git/repositories 258 | 259 | # Run the rake task for installing gitlab-shell 260 | sudo -u git -H bundle exec rake gitlab:shell:install REDIS_URL=unix:/usr/local/var/run/redis/redis.sock RAILS_ENV=production 261 | 262 | # Edit the gitlab-shell config 263 | # Change /home/* to be /usr/home/* (home is a symbolic link that doesn't work) 264 | # Change the 'gitlab_url' option to 'http://localhost:8080/' 265 | # Don't bother configuring any SSL stuff in here because it's used internally 266 | sudo -u git -H vim /home/git/gitlab-shell/config.yml 267 | ``` 268 | 269 | 8. 
Gitlab Workhorse 270 | ---------------------- 271 | 272 | ``` 273 | cd /home/git 274 | sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-workhorse.git 275 | cd gitlab-workhorse 276 | sudo -u git -H git checkout v0.7.9 277 | sudo -u git -H gmake 278 | ``` 279 | 280 | 281 | 9. Initialize Database 282 | ---------------------- 283 | 284 | Initialize Database and Activate Advanced Features 285 | 286 | ``` 287 | cd /home/git/gitlab 288 | sudo -u git -H bundle exec rake gitlab:setup RAILS_ENV=production 289 | # Type 'yes' to create the database tables. 290 | # When done you see 'Administrator account created:' 291 | ``` 292 | 293 | **Note**: You can set the Administrator/root password by supplying it in the 294 | environmental variable GITLAB_ROOT_PASSWORD as seen below. If you don't set the 295 | password (and it is set to the default one), do not expose GitLab to 296 | the public internet until the installation is done and you've logged into the 297 | server the first time. During the first login you'll be forced to change the 298 | default password. A password supplied on the command line as shown below ends up in the shell history and, because the command runs through `sudo`, typically in the sudo log as well, so treat it as temporary and change it after the first login. 299 | 300 | ``` 301 | sudo -u git -H bundle exec rake gitlab:setup RAILS_ENV=production GITLAB_ROOT_PASSWORD=yourpassword 302 | ``` 303 | 304 | 10. Init script 305 | -------------- 306 | 307 | Download the FreeBSD init script as root. It is fetched from the `master` branch and is run as root at boot, so read it through before starting the service: 308 | 309 | ``` 310 | fetch -o /usr/local/etc/rc.d/gitlab https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/init/init/freebsd/gitlab-unicorn 311 | chmod 555 /usr/local/etc/rc.d/gitlab 312 | ``` 313 | 314 | 11. Check Configuration and Compile Assets 315 | ------------------------------------------ 316 | 317 | ``` 318 | cd /home/git/gitlab 319 | sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production 320 | ``` 321 | 322 | If this all passes (all green and/or no errors are reported), then go ahead and 323 | compile all of the assets for GitLab. This can take ~10-15 minutes on a 324 | smaller machine, so don't panic if it takes a while! 
325 | 326 | ``` 327 | sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production 328 | ``` 329 | 330 | 12. Start GitLab service 331 | ------------------------ 332 | 333 | If all of the above steps complete with no errors and everything has gone 334 | smoothly, then start the GitLab service. 335 | 336 | As root: 337 | ``` 338 | service gitlab start 339 | ``` 340 | 341 | 13. Nginx 342 | --------- 343 | 344 | **Note:** The default version of `nginx` on FreeBSD is compiled without the 345 | `gzip_static` module, which means you need to remove the appropriate directives 346 | from the `nginx` configuration. 347 | 348 | ``` 349 | mkdir -p /usr/local/etc/nginx/conf.d 350 | mkdir -p /usr/local/etc/nginx/ssl 351 | mkdir -p /var/log/nginx 352 | 353 | # SSL 354 | fetch -o /usr/local/etc/nginx/conf.d/gitlab.conf https://gitlab.com/gitlab-org/gitlab-ce/raw/master/lib/support/nginx/gitlab-ssl 355 | 356 | # HTTP 357 | fetch -o /usr/local/etc/nginx/conf.d/gitlab.conf https://gitlab.com/gitlab-org/gitlab-ce/raw/master/lib/support/nginx/gitlab 358 | ``` 359 | 360 | Edit `/usr/local/etc/nginx/nginx.conf`: 361 | ``` 362 | load_module /usr/local/libexec/nginx/ngx_mail_module.so; 363 | load_module /usr/local/libexec/nginx/ngx_stream_module.so; 364 | 365 | #user nobody; 366 | worker_processes 1; 367 | 368 | #error_log logs/error.log; 369 | #error_log logs/error.log notice; 370 | #error_log logs/error.log info; 371 | 372 | #pid logs/nginx.pid; 373 | 374 | 375 | events { 376 | worker_connections 1024; 377 | } 378 | 379 | 380 | http { 381 | include mime.types; 382 | default_type application/octet-stream; 383 | 384 | #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 385 | # '$status $body_bytes_sent "$http_referer" ' 386 | # '"$http_user_agent" "$http_x_forwarded_for"'; 387 | 388 | #access_log logs/access.log main; 389 | 390 | sendfile on; 391 | #tcp_nopush on; 392 | 393 | #keepalive_timeout 0; 394 | keepalive_timeout 65; 395 | 396 | #gzip on; 397 | 398 | 
include /usr/local/etc/nginx/conf.d/*; 399 | } 400 | ``` 401 | 402 | Edit `/usr/local/etc/nginx/conf.d/gitlab.conf` 403 | * Change any reference to /etc/* to /usr/local/etc/* 404 | * Replace `git.example.com` with your FQDN. 405 | 406 | Make sure to read the comments in order to properly set up SSL. 407 | 408 | Example to set up self-signed SSL. `openssl genrsa` without a size argument uses the default key length of the installed OpenSSL, which is short on older releases, so consider passing one explicitly (for example `openssl genrsa -out gitlab.key 2048`), and keep `gitlab.key` readable only by the account nginx starts as (`chmod 600 gitlab.key`): 409 | ``` 410 | cd /usr/local/etc/nginx/ssl 411 | openssl genrsa -out gitlab.key 412 | openssl req -new -batch -subj "/C=US/ST=gitlab/L=gitlab/O=gitlab/CN=gitlab" -key gitlab.key -out gitlab.csr 413 | openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt 414 | ``` 415 | 416 | Add `www` user to `git` group: 417 | 418 | pw groupmod git -m www 419 | chmod g+rx /home/git/ 420 | 421 | Set up the log directory 422 | 423 | mkdir /var/log/nginx 424 | 425 | Finally start nginx with: 426 | 427 | service nginx start 428 | 429 | #### Test Configuration 430 | 431 | Validate your `gitlab` or `gitlab-ssl` Nginx config file with the following command: 432 | 433 | nginx -t 434 | 435 | You should receive `syntax is okay` and `test is successful` messages. If you 436 | receive errors, check your `gitlab` or `gitlab-ssl` Nginx config file for typos, 437 | etc. as indicated in the error message given. 438 | 439 | Restart `nginx` with `sudo service nginx restart`, and you should be up and 440 | running. 441 | 442 | Good to Go 443 | ---------- 444 | 445 | Check everything with this command just to be sure: 446 | ``` 447 | cd /home/git/gitlab 448 | sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production 449 | ``` 450 | 451 | If everything comes up green, then GitLab should work. 452 | 453 | If some things show up as red, blue, pink or any colour that's not green - read any error messages thoroughly before trying any suggested fixes. Google comes in extremely handy when trying to diagnose unhelpful Ruby error messages. 
454 | 455 | 456 | Troubleshooting 457 | =============== 458 | 459 | `504 - Gateway Timed Out` errors 460 | -------------------------------- 461 | 462 | This can be caused by several different things with GitLab. The best bet is to 463 | go back up through the install guide and check each step has been properly 464 | executed. 465 | 466 | * Check the logs! Look in `/home/git/gitlab/log` for clues. 467 | * Check what's running! The command `sockstat -4l` usually gives an idea of 468 | which services are running on which ports. (Redis uses port `6379`, 469 | Unicorn uses port `8080`, and Postgres uses port `5432`). 470 | 471 | What it usually boils down to: 472 | 1. GitLab's assets haven't been precompiled (there is a command above) 473 | 2. Postgres isn't running or the database isn't set up properly 474 | 3. Redis isn't running 475 | 4. Nginx isn't set up properly 476 | 477 | 478 | Gem `timfel-krb5-auth` fails to build 479 | ------------------------------------- 480 | 481 | Install the Kerberos package: `pkg install krb5`. As far as I know, there's no 482 | way to disable the Kerberos authentication in GitLab (even if it's unused) so 483 | unfortunately the only solution is to install the missing packages. 484 | 485 | EDIT: The new version of timfel-krb5-auth fails to build even with `krb5` installed. The only solution is to change the package version to `0.8.2`. [(More info here)](https://github.com/gitlabhq/gitlabhq/issues/8478#issuecomment-71328552) 486 | 487 | 488 | Postfix/sendmail: "postdrop: warning: unable to look up public/pickup: No such file or directory" 489 | ------------------------------------------------------------------------------------------------- 490 | 491 | Sometimes Postfix and/or sendmail might complain if they're not set up 492 | correctly or have only just been installed. 
493 | 494 | ``` 495 | mkfifo /var/spool/postfix/public/pickup 496 | killall $(pgrep sendmail) # Kill all sendmail processes 497 | sudo service postfix restart # Restart Postfix 498 | ``` 499 | [(Source)](http://www.databasically.com/2009/12/02/ubuntu-postfix-error-postdrop-warning-unable-to-look-up-publicpickup-no-such-file-or-directory/) 500 | 501 | 502 | Unicorn / nginx: "Failed to set accept\_filter=httpready" 503 | --------------------------------------------------------- 504 | 505 | This is to do with an HTTP buffering kernel module in FreeBSD that some HTTP 506 | servers expect to be loaded. Run this: 507 | ``` 508 | kldload accf_http 509 | echo 'accf_http_load="YES"' >> /boot/loader.conf 510 | 511 | sudo service gitlab restart 512 | sudo service redis restart 513 | sudo service nginx restart 514 | ``` 515 | [(Source)](http://www.cyberciti.biz/faq/failed-to-enable-the-httpready-accept-filter/) 516 | 517 | PostgreSQL: "FATAL: could not create shared memory segment: Function not implemented" 518 | ------------------------------------------------------------------------------------- 519 | 520 | You're trying to run PostgreSQL in a FreeBSD jail, which needs some sysctl tweaks. 
Set the following options in your jail's config (assuming you're using ezjail). Note that `allow.sysvipc=1` gives the jail access to System V IPC objects that are shared with the host and other jails, and `allow.raw_sockets=1` lets processes in the jail open raw sockets, so enable them only for a jail you trust: 521 | ``` 522 | export jail_**MY_JAIL_NAME**_parameters="allow.raw_sockets=1 allow.sysvipc=1" 523 | ``` 524 | [(Source)](https://dan.langille.org/2013/07/09/fatal-could-not-create-shared-memory-segment-function-not-implemented/) 525 | 526 | References 527 | ========== 528 | 529 | * [GitLab official installation guide](https://github.com/gitlabhq/gitlabhq/blob/7-6-stable/doc/install/installation.md) 530 | * [Luiz Gustavo's GitLab/FreeBSD guide (Portuguese)](http://www.luizgustavo.pro.br/blog/2014/08/21/instalacao-gitlab-no-freebsd/) 531 | -------------------------------------------------------------------------------- /install/gentoo/README.md: -------------------------------------------------------------------------------- 1 | ## Links 2 | 3 | * [Unofficial ebuild](https://github.com/cvut/gentoo-overlay/wiki/Installation-guide-for-GitLab-6.x) 4 | * [Gentoo wiki GitLab page](http://wiki.gentoo.org/wiki/GitLab) 5 | * [GitLab init script for Gentoo](https://gist.github.com/int128/2360407) 6 | -------------------------------------------------------------------------------- /install/pkgr/README.md: -------------------------------------------------------------------------------- 1 | ``` 2 | Distribution : Ubuntu 14.04, Ubuntu 12.04, Debian 7.4 3 | GitLab version : 6.9+ 4 | Web Server : Apache, Nginx 5 | Init system : upstart, sysvinit 6 | Database : PostgreSQL 7 | Contributors : @crohr 8 | Additional Notes : This install guide uses packages generated on https://packager.io 9 | ``` 10 | 11 | ## Overview 12 | 13 | This install guide makes use of prepackaged versions of GitLab, available on https://packager.io. 14 | 15 | ### Important Notes 16 | 17 | The following steps have been known to work and should be followed from top to bottom. 18 | If you deviate from this guide, do it with caution and make sure you don't violate 19 | any assumptions GitLab makes about its environment. 
20 | 21 | #### If you find a bug 22 | 23 | If you find a bug/error in this guide please submit an issue or a Merge Request 24 | following the contribution guide (see [CONTRIBUTING.md](https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/CONTRIBUTING.md)). 25 | Should you encounter any issues regarding the pkgr.io package, please open an issue 26 | starting with [pkgrio]. 27 | 28 | - - - 29 | 30 | The GitLab installation consists of setting up the following components: 31 | 32 | 1. Install the package 33 | 1. Setup the peripheral services (mail, postgres, redis) 34 | 1. Configure the package 35 | 1. Web server 36 | 1. Maintenance 37 | 38 | **This guide assumes that you run every command as root.** 39 | 40 | ## 1. Install the package 41 | 42 | We assume that you're starting from a clean install of any of the supported distributions. Then, use the section dedicated to your distribution to install the package. 43 | 44 | ### Ubuntu Trusty 14.04 45 | 46 | ```shell 47 | wget -qO - https://deb.packager.io/key | apt-key add - 48 | echo "deb https://deb.packager.io/gh/gitlabhq/gitlabhq trusty 6-9-stable" | tee -a /etc/apt/sources.list.d/gitlab-ce.list 49 | ``` 50 | 51 | ### Ubuntu Precise 12.04 52 | 53 | ```shell 54 | wget -qO - https://deb.packager.io/key | apt-key add - 55 | echo "deb https://deb.packager.io/gh/gitlabhq/gitlabhq precise 6-9-stable" | tee -a /etc/apt/sources.list.d/gitlab-ce.list 56 | ``` 57 | 58 | ### Debian Wheezy 7.4 59 | 60 | ```shell 61 | apt-get install -y apt-transport-https 62 | wget -qO - https://deb.packager.io/key | apt-key add - 63 | echo "deb https://deb.packager.io/gh/gitlabhq/gitlabhq wheezy 6-9-stable" | tee -a /etc/apt/sources.list.d/gitlab-ce.list 64 | ``` 65 | 66 | For all distributions, install the package by doing: 67 | 68 | ```shell 69 | apt-get update 70 | apt-get install gitlab-ce 71 | ``` 72 | 73 | ## 2. Setup the peripheral services 74 | 75 | GitLab needs a running mail server, redis server, and postgres server. 
Let's install them: 76 | 77 | ```shell 78 | apt-get install -y postgresql postgresql-contrib redis-server postfix ruby1.9.1 79 | ``` 80 | 81 | Now create a new postgres user and database (substitute your own role name and a strong password for `user` and `pass`, and use the same values in `DATABASE_URL` in the next section; the role is created as `SUPERUSER`, so its password protects every database on this PostgreSQL server): 82 | 83 | ```shell 84 | echo "CREATE USER \"user\" SUPERUSER PASSWORD 'pass';" | su - postgres -c psql && \ 85 | echo "CREATE DATABASE gitlab;" | su - postgres -c psql && \ 86 | echo "GRANT ALL PRIVILEGES ON DATABASE \"gitlab\" TO \"user\";" | su - postgres -c psql 87 | ``` 88 | 89 | ## 3. Configure the package 90 | 91 | All packages come with a command line utility to help with various aspects of GitLab. It closely mirrors the heroku toolbelt, so if you ever deployed an app on Heroku you should be at home. 92 | 93 | In the rest of the guide, we will assume that the `SERVER_HOST` variable contains the hostname you will be using for GitLab, e.g. `SERVER_HOST=example.com` 94 | 95 | Set the url corresponding to the database we just created (with the role name and password you chose above): 96 | 97 | gitlab-ce config:set DATABASE_URL=postgres://user:pass@127.0.0.1/gitlab 98 | 99 | Set the url to the redis server: 100 | 101 | gitlab-ce config:set REDIS_URL=redis://127.0.0.1:6379 102 | 103 | Set the url to your GitLab server: 104 | 105 | gitlab-ce config:set GITLAB_URL="http://${SERVER_HOST}" 106 | 107 | Set the port on which the ruby server will listen (defaults to 6000): 108 | 109 | gitlab-ce config:set PORT=6000 110 | 111 | You can now configure `gitlab-shell`: 112 | 113 | gitlab-ce run rake gitlab:shell:install[v1.9.4] 114 | 115 | Finally, initialize the database: 116 | 117 | gitlab-ce run rake db:schema:load db:seed_fu 118 | 119 | And create the initialization scripts for the web and worker processes: 120 | 121 | gitlab-ce scale web=1 worker=1 122 | 123 | ## 4. 
Web Server 124 | 125 | ### NginX 126 | 127 | ```shell 128 | apt-get install -y nginx 129 | 130 | cat > /etc/nginx/sites-available/default < /etc/apache2/sites-available/default < 151 | ServerName ${SERVER_HOST} 152 | 153 | ProxyPass http://localhost:6000/ 154 | 155 | 156 | EOF 157 | # restart apache 158 | sudo service apache2 restart 159 | ``` 160 | 161 | ## Done! 162 | 163 | Visit SERVER_HOST in your web browser for your first GitLab login. 164 | The setup has created an admin account for you. You can use it to log in: 165 | 166 | root 167 | 5iveL!fe 168 | 169 | **Important Note:** 170 | Please go over to your profile page and immediately change the password, so 171 | nobody can access your GitLab by using this login information later on. 172 | 173 | ## Maintenance 174 | 175 | If you wish to further configure GitLab, you can copy the example gitlab.yml configuration file to `/etc/gitlab-ce`, and edit it at your convenience. It will not be overwritten when you upgrade your GitLab installation: 176 | 177 | gitlab-ce run cp config/gitlab.yml /etc/gitlab-ce/ && chmod 0640 /etc/gitlab-ce/gitlab.yml 178 | vi /etc/gitlab-ce/gitlab.yml # edit any setting and save 179 | gitlab-ce config:set GITLAB_CONFIG=/etc/gitlab-ce/gitlab.yml 180 | service gitlab-ce restart 181 | 182 | If you need to upgrade to a newer version, run the following commands: 183 | 184 | apt-get update 185 | apt-get install gitlab-ce 186 | gitlab-ce run rake db:migrate 187 | service gitlab-ce restart 188 | 189 | Finally, have a look at what the command-line utility that ships with the package has to offer. It's a great way to interact with your package installation: 190 | 191 | gitlab-ce [run|scale|logs|config|config:set|config:get] 192 | 193 | ## Release cycle 194 | 195 | New packages are automatically generated whenever code is pushed into the `6-9-stable` branch of GitLab, so once you're pinned to a specific branch, only backwards compatible changes should get into the packages. 
196 | 197 | Whenever a new main branch is released (let's say `7-0-stable`), you can either modify your `gitlab-ce.list` file to upgrade, or just keep using the version you're pointing to. 198 | 199 | If you're feeling adventurous and want to test the latest an greatest, you can also try pointing to `master` branch. Find out about all the latest releases at . 200 | 201 | **Enjoy!** 202 | -------------------------------------------------------------------------------- /misc/change-git-home-directory/README.md: -------------------------------------------------------------------------------- 1 | # Move home directory from /home/git to /var/lib/git 2 | 3 | ### 0. Stop services 4 | 5 | ```bash 6 | service gitlab stop 7 | service nginx stop 8 | ``` 9 | 10 | ### 1. Update passwd/group file 11 | 12 | Update the `/etc/group` file, and change the gid of the group 13 | 14 | ```bash 15 | git:x:500: 16 | ``` 17 | or you can run the following command 18 | 19 | ```bash 20 | groupmod -g 500 git 21 | ``` 22 | 23 | Amend the `/etc/passwd` file to change the uid, gid and the home directory for git 24 | 25 | ```bash 26 | git:x:500:500:GitLab,,,:/var/lib/git:/bin/bash 27 | ``` 28 | or you can run the following command 29 | 30 | ```bash 31 | usermod -d /var/lib/git -g 500 -u 500 git 32 | ``` 33 | 34 | ### 2. Copy the git folder 35 | 36 | ```bash 37 | cp -r /home/git /var/lib/ 38 | ``` 39 | 40 | ### 3. Change permissions to use the new uid/gid 41 | 42 | ```bash 43 | chown -R git:git /var/lib/git 44 | ``` 45 | 46 | ### 4. Update Gitlab config files 47 | 48 | Update `~git/gitlab/config/gitlab.yml`, using the following command 49 | 50 | ```bash 51 | sed -i -e 's/\/home/\/var\/lib/g' ~git/gitlab/config/gitlab.yml 52 | ``` 53 | 54 | You should see the following difference after running the command 55 | 56 | ```diff 57 | --- gitlab.yml.example 2013-12-20 16:27:14.784403409 -0500 58 | +++ gitlab.yml 2014-01-05 15:11:17.706013229 -0500 59 | 
@@ -165,7 +166,7 @@ 60 | # GitLab Satellites 61 | satellites: 62 | # Relative paths are relative to Rails.root (default: tmp/repo_satellites/) 63 | - path: /home/git/gitlab-satellites/ 64 | + path: /var/lib/git/gitlab-satellites/ 65 | 66 | ## Backup 67 | @@ -174,11 +175,11 @@ 68 | 69 | ## GitLab Shell settings 70 | gitlab_shell: 71 | - path: /home/git/gitlab-shell/ 72 | + path: /var/lib/git/gitlab-shell/ 73 | 74 | # REPOS_PATH MUST NOT BE A SYMLINK!!! 75 | - repos_path: /home/git/repositories/ 76 | - hooks_path: /home/git/gitlab-shell/hooks/ 77 | + repos_path: /var/lib/git/repositories/ 78 | + hooks_path: /var/lib/git/gitlab-shell/hooks/ 79 | 80 | # Git over HTTP 81 | upload_pack: true 82 | ``` 83 | Update `~git/gitlab/config/unicorb.rb`, using the following command 84 | 85 | ```bash 86 | sed -i -e 's/\/home/\/var\/lib/g' ~git/gitlab/config/unicorn.rb 87 | ``` 88 | 89 | You should see the following difference after running the command 90 | 91 | ```diff 92 | --- unicorn.rb.example 2013-12-20 16:27:14.795402739 -0500 93 | +++ unicorn.rb 2014-01-07 07:47:33.786389865 -0500 94 | 
@@ -32,24 +32,24 @@ 95 | 96 | # Help ensure your application will always spawn in the symlinked 97 | # "current" directory that Capistrano sets up. 98 | -working_directory "/home/git/gitlab" # available in 0.94.0+ 99 | +working_directory "/var/lib/git/gitlab" # available in 0.94.0+ 100 | 101 | # listen on both a Unix domain socket and a TCP port, 102 | # we use a shorter backlog for quicker failover when busy 103 | -listen "/home/git/gitlab/tmp/sockets/gitlab.socket", :backlog => 64 104 | +listen "/var/lib/git/gitlab/tmp/sockets/gitlab.socket", :backlog => 64 105 | listen "127.0.0.1:8080", :tcp_nopush => true 106 | 107 | # nuke workers after 30 seconds instead of 60 seconds (the default) 108 | timeout 30 109 | 110 | # feel free to point this anywhere accessible on the filesystem 111 | -pid "/home/git/gitlab/tmp/pids/unicorn.pid" 112 | +pid "/var/lib/git/gitlab/tmp/pids/unicorn.pid" 113 | 114 | # By default, the Unicorn logger will write to stderr. 115 | # Additionally, some applications/frameworks log to stderr or stdout, 116 | # so prevent them from going to /dev/null when daemonized here: 117 | -stderr_path "/home/git/gitlab/log/unicorn.stderr.log" 118 | -stdout_path "/home/git/gitlab/log/unicorn.stdout.log" 119 | +stderr_path "/var/lib/git/gitlab/log/unicorn.stderr.log" 120 | +stdout_path "/var/lib/git/gitlab/log/unicorn.stdout.log" 121 | 122 | # combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings 123 | # http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow 124 | ``` 125 | 126 | ### 5. Update Gitlab shell config file 127 | 128 | Update `~git/gitlab-shell/config.yml`, using the following command 129 | 130 | ```bash 131 | sed -i -e 's/\/home/\/var\/lib/g' ~git/gitlab-shell/config.yml 132 | ``` 133 | 134 | You should see the following difference after running the command 135 | 136 | ```diff 137 | --- config.yml.old 2014-01-07 09:00:41.522352570 -0500 138 | +++ config.yml 2014-01-05 15:12:59.695840545 -0500 139 | 
@@ -15,10 +15,10 @@ 140 | # Give the canonicalized absolute pathname, 141 | # REPOS_PATH MUST NOT CONTAIN ANY SYMLINK!!! 142 | # Check twice that none of the components is a symlink, including "/home". 143 | -repos_path: "/home/git/repositories" 144 | +repos_path: "/var/lib/git/repositories" 145 | 146 | # File used as authorized_keys for gitlab user 147 | -auth_file: "/home/git/.ssh/authorized_keys" 148 | +auth_file: "/var/lib/git/.ssh/authorized_keys" 149 | 150 | # Redis settings used for pushing commit notices to gitlab 151 | redis: 152 | ``` 153 | 154 | ### 6. Update authorized_keys 155 | 156 | Update the `/var/lib/git/.ssh/authorized_keys`, using the following command 157 | 158 | ```bash 159 | sed -i -e 's/\/home/\/var\/lib/g' ~git/.ssh/authorized_keys 160 | ``` 161 | 162 | ### 7. Update nginx config file 163 | 164 | Update `/etc/nginx/sites-enabled/gitlab`, using the following command 165 | 166 | ```bash 167 | sed -i -e 's/\/home/\/var\/lib/g' /etc/nginx/sites-enabled/gitlab 168 | ``` 169 | 170 | ### 8. Add/Update gitlab service and default files 171 | 172 | If you haven't already, copy the service default file, then do so, and then update the file to point to the new home directory 173 | 174 | ```bash 175 | cp ~git/gitlab/lib/support/init.d/gitlab.default.example /etc/default/gitlab 176 | sed -i -e 's/\/home/\/var\/lib/g' /etc/default/gitlab 177 | ``` 178 | 179 | ### 9. Update gitlab-shell hooks 180 | 181 | The file `~git/gitlab-shell/support/rewrite-hooks.sh`, has the home directory hardcoded, so we need to update this file as well 182 | 183 | ```bash 184 | sed -i -e 's/\/home/\/var\/lib/g' ~git/gitlab-shell/support/rewrite-hooks.sh 185 | ``` 186 | 187 | Now we update all the hooks 188 | 189 | ```bash 190 | cd ~git 191 | sudo -u git -H gitlab-shell/support/rewrite-hooks.sh 192 | ``` 193 | 194 | ### 10. 
Update deploy.sh 195 | 196 | The file `~git/gitlab/lib/support/deploy/deploy.sh`, also has the home directory hardcoded, again update the file 197 | 198 | ```bash 199 | sed -i -e 's/\/home/\/var\/lib/g' ~git/gitlab/lib/support/deploy/deploy.sh 200 | ``` 201 | 202 | ### 11. Update logrotate files 203 | 204 | ``` 205 | sed -i -e 's/\/home/\/var\/lib/g' /etc/logrotate.d/gitlab 206 | ``` 207 | 208 | ### 12. Restart application 209 | 210 | ```bash 211 | sudo service gitlab restart 212 | sudo service nginx restart 213 | ``` 214 | 215 | ### 13. Check application status 216 | 217 | Check if GitLab and its environment are configured correctly: 218 | 219 | ```bash 220 | cd ~git/gitlab 221 | sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production 222 | ``` 223 | 224 | To make sure you didn't miss anything run a more thorough check with: 225 | 226 | ```bash 227 | cd ~git/gitlab 228 | sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production 229 | ``` 230 | 231 | ### 14. Remove old home 232 | 233 | Once you are happy that everything is now working in the new directory, you can remove the old `/home/git` 234 | 235 | ```bash 236 | rm -rf /home/git 237 | ``` 238 | -------------------------------------------------------------------------------- /misc/multiple-instances/README.md: -------------------------------------------------------------------------------- 1 | ``` 2 | Distribution : Independent 3 | GitLab version : 6.0 - 6.7 4 | Web Server : apache 5 | Init system : sysvinit 6 | Database : Independent 7 | Contributors : @skarllot 8 | ``` 9 | 10 | ## Overview 11 | 12 | To run multiple instances into same computer, some changes are needed to GitLab 13 | function properly. Each instance will run completely independent, no resource 14 | sharing or redundancy will be supported. 15 | 16 | Before you follow this guide you should know how install GitLab as single 17 | instance. 
This guide focus only on changes needed to another instances run 18 | properly, not into installation itself. 19 | 20 | ### Important Notes 21 | 22 | These steps was tested into CentOS GNU/Linux, but should run into another 23 | flavours with (almost) no differences. 24 | 25 | ## 1. System Users 26 | 27 | Each instance must run into its own user. There's no way to gitlab-shell known 28 | which instance you are calling. 29 | 30 | Then, create a new user to a new GitLab instance. 31 | 32 | ## 2. GitLab Shell 33 | 34 | The following changes are needed to `config.yml` 35 | 36 | - **user**: the new user created from previous step. 37 | - **gitlab_url**: instance-unique http(s) address. 38 | - **repos_path**: instance-unique repository directory. 39 | - **auth_file**: must be changed to match SSH user directory from the created user. 40 | - **redis:namespace**: instance-unique Redis namespace. 41 | 42 | Example: 43 | 44 | ```yaml 45 | # GitLab user. git by default 46 | user: user2 47 | 48 | # Url to gitlab instance. Used for api calls. Should end with a slash. 49 | gitlab_url: "https://user2.example.com/" 50 | 51 | http_settings: 52 | # user: someone 53 | # password: somepass 54 | # ca_file: /etc/ssl/cert.pem 55 | # ca_path: /etc/pki/tls/certs 56 | self_signed_cert: false 57 | 58 | # Repositories path 59 | # Give the canonicalized absolute pathname, 60 | # REPOS_PATH MUST NOT CONTAIN ANY SYMLINK!!! 61 | # Check twice that none of the components is a symlink, including "/home". 62 | repos_path: "/home/user2/repositories" 63 | 64 | # File used as authorized_keys for gitlab user 65 | auth_file: "/home/user2/.ssh/authorized_keys" 66 | 67 | # Redis settings used for pushing commit notices to gitlab 68 | redis: 69 | bin: /usr/bin/redis-cli 70 | host: 127.0.0.1 71 | port: 6379 72 | # socket: /tmp/redis.socket # Only define this if you want to use sockets 73 | namespace: resque:gitlab:user2 74 | 75 | (...) 76 | ``` 77 | 78 | ## 3. 
Database 79 | 80 | Each GitLab instance should handle its own database schema. It's recommended 81 | that each instance have its own database user. 82 | 83 | ## 4. GitLab 84 | 85 | You must do the following changes to `config/gitlab.yml` 86 | 87 | - **gitlab:host**: instance-unique FQDN. 88 | - **gitlab:user**: the user created at first step. 89 | - **satellites:path**: the path where satellites of new user will be created. 90 | - **gitlab_shell:path**: the path where instance's GitLab Shell was installed. 91 | - **gitlab_shell:repos_path**: the path where instance's Git repositories will be stored. 92 | - **gitlab_shell:hooks_path**: the path where GitLab Shell store its hooks. 93 | 94 | Next, change the following to `config/unicorn.rb` 95 | 96 | - **working_directory**: the path where GitLab was installed. 97 | - **listen[socket]**: change to match instance's GitLab install. 98 | - **listen[TCP]**: instance-unique TCP port. 99 | - **pid**, **stderr_path** and **stdout_path**: change to match instance's GitLab install. 100 | 101 | Next, you need to change `config/initializers/4_sidekiq.rb` to use the same 102 | Redis namespace as configured at second step. 103 | 104 | Example: 105 | 106 | ```ruby 107 | # Custom Redis configuration 108 | config_file = Rails.root.join('config', 'resque.yml') 109 | 110 | resque_url = if File.exists?(config_file) 111 | YAML.load_file(config_file)[Rails.env] 112 | else 113 | "redis://localhost:6379" 114 | end 115 | 116 | Sidekiq.configure_server do |config| 117 | config.redis = { 118 | url: resque_url, 119 | namespace: 'resque:gitlab:user2' 120 | } 121 | end 122 | 123 | Sidekiq.configure_client do |config| 124 | config.redis = { 125 | url: resque_url, 126 | namespace: 'resque:gitlab:user2' 127 | } 128 | end 129 | ``` 130 | 131 | ### Database 132 | 133 | Next, you should ensure that `config/database.yml` is not sharing the same 134 | database from others instances. Then create the database with `gitlab:setup`. 
135 | 136 | ### Init Script 137 | 138 | Each instance must have its own init script (eg: `/etc/init.d/gitlab-user2`). 139 | 140 | Next, modify the init script as follows 141 | 142 | - **USER**: the name of the user created at first step. 143 | - **APP_PATH**: the path where GitLab was installed. 144 | - **ULOCK**: instance-unique path to Unicorn lock file. 145 | - **SLOCK**: instance-unique path to Sidekiq lock file. 146 | 147 | ### LogRotate 148 | 149 | Each instance must have its own logrotate script (eg: 150 | `/etc/logrotate.d/gitlab-user2`). 151 | 152 | Next you must modify the paths from logrotate script to match where the logs are 153 | written. 154 | 155 | ## 5. Web Server 156 | 157 | ### Apache 158 | 159 | Each instance must have its own Apache configuration file (eg: 160 | `gitlab-user2.conf`). 161 | 162 | The following changes must be made to configuration file 163 | 164 | - **ServerName**: instance-unique FQDN. 165 | - **ProxyPassReverse** and **RewriteRule**: must change to the port where instance's Unicorn is listening. 166 | - **ErrorLog** and **CustomLog**: instance-unique path where the Apache logs will be written. 167 | 168 | -------------------------------------------------------------------------------- /misc/ssl-certificate-implemented/README.md: -------------------------------------------------------------------------------- 1 | ### 1. Update Nginx config 2 | Added the SSL section and a rewrite of port 80 to 443 in the Nginx configuration. The `ssl_protocols` and `ssl_ciphers` values in the example below are dated: SSLv3 and RC4 are no longer considered safe, so on a current deployment restrict `ssl_protocols` to TLS versions that are still supported and remove RC4 from the cipher list. 3 | 4 | ```bash 5 | nano /etc/nginx/sites-enabled/gitlab 6 | ``` 7 | 8 | --- 9 | 10 | ```bash 11 | server { 12 | listen 80; 13 | 14 | server_name source.jcid.nl; 15 | rewrite ^ https://$server_name$request_uri?
permanent; 16 | } 17 | 18 | server { 19 | listen 443; 20 | server_name source.jcid.nl; 21 | root /home/git/gitlab/public; 22 | 23 | # SSL 24 | # ============================================================================ 25 | ssl on; 26 | ssl_certificate /etc/nginx/ssl/server.crt; 27 | ssl_certificate_key /etc/nginx/ssl/server.key; 28 | ssl_protocols SSLv3 TLSv1; 29 | 30 | #Disables all weak ciphers 31 | ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; 32 | 33 | # Logs 34 | # ============================================================================ 35 | 36 | access_log /var/log/nginx/gitlab_access.log; 37 | error_log /var/log/nginx/gitlab_error.log; 38 | 39 | location / { 40 | # serve static files from defined root folder;. 41 | # @gitlab is a named location for the upstream fallback, see below 42 | try_files $uri $uri/index.html $uri.html @gitlab; 43 | } 44 | 45 | # if a file, which is not found in the root folder is requested, 46 | # then the proxy pass the request to the upsteam (gitlab unicorn) 47 | location @gitlab { 48 | proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694 49 | proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694 50 | proxy_redirect off; 51 | 52 | proxy_set_header X-Forwarded-Proto $scheme; 53 | proxy_set_header Host $http_host; 54 | proxy_set_header X-Real-IP $remote_addr; 55 | 56 | proxy_pass http://gitlab; 57 | } 58 | } 59 | ``` 60 | 61 | ### 2. Place the SSL certificates 62 | Create the folder for the SSL certificates and place the SSL certificate and its private key there. In our situation, we combine the SSL Certificate with the CA Root Certificate. The private key must stay readable only by root (for example, mode 0600 on `server.key`), because anyone who can read it can impersonate the server; do not leave a copy of it under `/home` once it is installed. 63 | 64 | ```bash 65 | mkdir /etc/nginx/ssl/ -p 66 | cp /home/source.jcid.nl.cert /etc/nginx/ssl/server.crt 67 | cp /home/source.jcid.nl.key /etc/nginx/ssl/server.key 68 | ``` 69 | 70 | ### 3.
Update Gitlab config files 71 | Set the Gitlab https settings to true 72 | 73 | ```bash 74 | nano /home/git/gitlab/config/gitlab.yml 75 | ``` 76 | 77 | ```bash 78 | ## GitLab settings 79 | gitlab: 80 | ## Web server settings 81 | host: source.jcid.nl 82 | port: 443 83 | https: true 84 | ``` 85 | 86 | ### 4. Update Gitlab shell config files 87 | Set the Gitlab shell base url 88 | 89 | ```bash 90 | nano /home/git/gitlab-shell/config.yml 91 | ``` 92 | 93 | --- 94 | 95 | ```bash 96 | # Url to gitlab instance. Used for api calls. Should be ends with slash. 97 | gitlab_url: "https://source.jcid.nl/" 98 | ``` 99 | 100 | ### 5. Restart application 101 | 102 | ```bash 103 | sudo service gitlab restart 104 | sudo service nginx restart 105 | ``` 106 | 107 | ### 6. Check application status 108 | 109 | Check if GitLab and its environment are configured correctly: 110 | 111 | sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production 112 | 113 | To make sure you didn't miss anything run a more thorough check with: 114 | 115 | sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production 116 | 117 | If all items are green, then the SSL certificate successfully implemented -------------------------------------------------------------------------------- /web-server/README.md: -------------------------------------------------------------------------------- 1 | In this section there are provided additional configuration files for various web servers. 2 | 3 | If you have something to contribute please read the [contributing guidelines](../CONTRIBUTING.md). 4 | -------------------------------------------------------------------------------- /web-server/apache/README.md: -------------------------------------------------------------------------------- 1 | # Apache 2 version 2 | 3 | The configuration files in this directory are known to work with GitLab 8.3 4 | and newer versions. 5 | 6 | For versions of GitLab 8.2, check the `8-2-stable` branch. 
7 | For versions of GitLab 8.0 and 8.1, check the `8-1-stable` branch. 8 | For versions of GitLab older than 8.0, check the `apache-old` branch. 9 | 10 | ## Installations from source 11 | 12 | If you are using Apache version 2.4 or above, please use files 13 | [gitlab-apache24.conf](gitlab-apache24.conf) or [gitlab-ssl-apache24.conf](gitlab-ssl-apache24.conf) 14 | for the HTTP and HTTPS versions of the vhost repectively. 15 | 16 | If you are using Apache version 2.2, please use files 17 | [gitlab-apache22.conf](gitlab-apache22.conf) or [gitlab-ssl-apache22.conf](gitlab-ssl-apache22.conf) 18 | for the HTTP and HTTPS versions of the vhost repectively. 19 | 20 | To allow `gitlab-workhorse` to listen on port 8181, edit or create 21 | `/etc/default/gitlab` and change or add the following: 22 | 23 | ``` 24 | gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr 127.0.0.1:8181 -authBackend http://127.0.0.1:8080" 25 | ``` 26 | 27 | ## Installations unsing the Omnibus packages 28 | 29 | [Omnibus packages][] use their own bundled Nginx server. If you want to use your 30 | own external Apache server, follow the steps to [configure GitLab][omnibuswebext]. 31 | 32 | In the last step you will need to download the config from this repository. 33 | 34 | # RHEL6/CentOS6 recommendations 35 | 36 | Most of the settings below were tested on CentOS 6, but are probably applicable 37 | to other distributions as well. 38 | 39 | ## Puma or unicorn? 40 | 41 | ### unicorn 42 | 43 | By default, Unicorn (i.e. `unicorn.rb`) is configured to listen on port `8080` 44 | in GitLab's documentation. Therefore, the Apache configuration files do that 45 | by default. 46 | 47 | ### puma 48 | 49 | Info taken from [PR #87](https://github.com/gitlabhq/gitlab-recipes/pull/87). 50 | 51 | As apache's mod_proxy [doesn't support][sock] sockets, the proxy URL must be 52 | configured to use tcp instead of unix sockets. `/home/git/gitlab/config/puma.rb` 53 | should exist and be configured. 
Two changes must then be made: 54 | 55 | 1. In the Apache conf replace `http://127.0.0.1:8080 ` with `http://0.0.0.0:9292`. 56 | Also replace `ProxyPassreverse http://gitlab.example.com:9292` 57 | 2. Edit `puma.rb`: uncomment `bind 'tcp://0.0.0.0:9292'` and comment out 58 | `bind "unix://#{application_path}/tmp/sockets/gitlab.socket"`. Binding Puma to `0.0.0.0` makes it listen on every network interface, so the application server can be reached directly without passing through Apache and its TLS; when Apache and Puma run on the same host, bind to `127.0.0.1:9292` instead, or restrict access to the port with a firewall. 59 | 60 | ## Assumptions 61 | 62 | It is assumed GitLab will be running in a secure production environment. 63 | This Apache `httpd` configuration is hardened for that purpose. By default this 64 | configuration only allows strong SSL and HTTP is redirected to HTTPS. If self 65 | signed certificates are preferred then see below in this document on managing 66 | SSL certificates. Also see additional security recommendations located at the 67 | bottom of this document for `httpd`. Managing GitLab with plain text HTTP only 68 | is not recommended; however, the config files have been provided for that purpose. 69 | 70 | ### Encryption assumptions 71 | 72 | Only the protocols SSLv3 and TLSv1.0+ are enabled in the Apache ssl configs (`SSLProtocol all -SSLv2`). SSLv3 is no longer considered secure, so on a current deployment disable it as well, for example with `SSLProtocol all -SSLv2 -SSLv3`. 73 | Only strong ciphers 128-bit or higher. Ciphers with known weaknesses 74 | (i.e. MD5 hashed and RC4 based ciphers) have been purposefully excluded. Note that the cipher list in `gitlab-omnibus-ssl-apache22.conf` still includes 3DES suites, which are now regarded as weak as well. 75 | 76 | ### Run GitLab insecure with HTTP only 77 | 78 | Utilize the configs without ssl in their names to run GitLab without https. 79 | Running a production GitLab instance over plain text HTTP is NOT recommended. 80 | 81 | ## Customize gitlab-ssl-*.conf 82 | 83 | There are a few places where the Apache configs need to be customized for the 84 | GitLab installation. 85 | 86 | 1. `ServerName` is defined in two VirtualHosts. `ServerName` should be set to 87 | host name of the GitLab installation. 88 | 2. `SSLCertificateFile`, `SSLCertificateKeyFile`, and `SSLCACertificateFile` 89 | should be customized for signed certificates. 90 | 3. `ProxyPassReverse http://gitlab.example.com:8080` should be customized for 91 | public host name of the GitLab installation. 92 | 4.
At the bottom of `gitlab-ssl.conf` log file names contain `gitlab.example.com`. 93 | The log file names should reflect the GitLab installation host name. 94 | 95 | A quicker method is to use `sed` to modify the file. 96 | 97 | ```bash 98 | sed -i 's/gitlab.example.com/yourhost.com/g' gitlab-ssl-*.conf 99 | ``` 100 | 101 | Even with the quicker method `SSLCertificateFile`, `SSLCertificateKeyFile`, and 102 | `SSLCACertificateFile` should still be modified. 103 | 104 | ## SELinux modifications 105 | 106 | In a RHEL6 production environment it is assumed [SELinux is enabled](http://stopdisablingselinux.com/). 107 | SELinux must be configured with the following: 108 | 109 | ```bash 110 | setsebool -P httpd_can_network_connect on 111 | setsebool -P httpd_can_network_relay on 112 | setsebool -P httpd_read_user_content on 113 | semanage -i - < 13 | ServerName YOUR_SERVER_FQDN 14 | ServerSignature Off 15 | 16 | ProxyPreserveHost On 17 | 18 | # Ensure that encoded slashes are not decoded but left in their encoded state. 
19 | # http://doc.gitlab.com/ce/api/projects.html#get-single-project 20 | AllowEncodedSlashes NoDecode 21 | 22 | 23 | Order deny,allow 24 | Allow from all 25 | 26 | #Allow forwarding to gitlab-workhorse 27 | ProxyPassReverse http://127.0.0.1:8181 28 | ProxyPassReverse http://YOUR_SERVER_FQDN/ 29 | 30 | 31 | # Apache equivalent of nginx try files 32 | # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files 33 | # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab 34 | RewriteEngine on 35 | 36 | #Forward all requests to gitlab-workhorse except existing files like error documents 37 | RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR] 38 | RewriteCond %{REQUEST_URI} ^/uploads/.* 39 | RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE] 40 | 41 | # needed for downloading attachments 42 | DocumentRoot /home/git/gitlab/public 43 | 44 | #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up. 45 | ErrorDocument 404 /404.html 46 | ErrorDocument 422 /422.html 47 | ErrorDocument 500 /500.html 48 | ErrorDocument 502 /502.html 49 | ErrorDocument 503 /503.html 50 | 51 | # It is assumed that the log directory is in /var/log/httpd. 52 | # For Debian distributions you might want to change this to 53 | # /var/log/apache2. 
54 | LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded 55 | ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log 56 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded 57 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog 58 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined 59 | 60 | 61 | -------------------------------------------------------------------------------- /web-server/apache/gitlab-apache24.conf: -------------------------------------------------------------------------------- 1 | # This configuration has been tested on GitLab 8.2 2 | # Note this config assumes unicorn is listening on default port 8080 and 3 | # gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to 4 | # listen on port 8181, edit or create /etc/default/gitlab and change or add the following: 5 | # 6 | # gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr 127.0.0.1:8181 -authBackend http://127.0.0.1:8080" 7 | # 8 | #Module dependencies 9 | # mod_rewrite 10 | # mod_proxy 11 | # mod_proxy_http 12 | 13 | ServerName YOUR_SERVER_FQDN 14 | ServerSignature Off 15 | 16 | ProxyPreserveHost On 17 | 18 | # Ensure that encoded slashes are not decoded but left in their encoded state. 
19 | # http://doc.gitlab.com/ce/api/projects.html#get-single-project 20 | AllowEncodedSlashes NoDecode 21 | 22 | 23 | # New authorization commands for apache 2.4 and up 24 | # http://httpd.apache.org/docs/2.4/upgrading.html#access 25 | Require all granted 26 | 27 | #Allow forwarding to gitlab-workhorse 28 | ProxyPassReverse http://127.0.0.1:8181 29 | ProxyPassReverse http://YOUR_SERVER_FQDN/ 30 | 31 | 32 | # Apache equivalent of nginx try files 33 | # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files 34 | # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab 35 | RewriteEngine on 36 | 37 | #Forward all requests to gitlab-workhorse except existing files like error documents 38 | RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR] 39 | RewriteCond %{REQUEST_URI} ^/uploads/.* 40 | RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE] 41 | 42 | # needed for downloading attachments 43 | DocumentRoot /home/git/gitlab/public 44 | 45 | #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up. 46 | ErrorDocument 404 /404.html 47 | ErrorDocument 422 /422.html 48 | ErrorDocument 500 /500.html 49 | ErrorDocument 502 /502.html 50 | ErrorDocument 503 /503.html 51 | 52 | # It is assumed that the log directory is in /var/log/httpd. 53 | # For Debian distributions you might want to change this to 54 | # /var/log/apache2. 
55 | LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded 56 | ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log 57 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded 58 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog 59 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined 60 | 61 | 62 | -------------------------------------------------------------------------------- /web-server/apache/gitlab-omnibus-apache22.conf: -------------------------------------------------------------------------------- 1 | # This configuration has been tested on GitLab 8.2 2 | # Note this config assumes unicorn is listening on default port 8080 and 3 | # gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to 4 | # listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following: 5 | # 6 | # gitlab_workhorse['listen_network'] = "tcp" 7 | # gitlab_workhorse['listen_addr'] = "127.0.0.1:8181" 8 | # 9 | #Module dependencies 10 | # mod_rewrite 11 | # mod_proxy 12 | # mod_proxy_http 13 | 14 | ServerName YOUR_SERVER_FQDN 15 | ServerSignature Off 16 | 17 | ProxyPreserveHost On 18 | 19 | # Ensure that encoded slashes are not decoded but left in their encoded state. 
20 | # http://doc.gitlab.com/ce/api/projects.html#get-single-project 21 | AllowEncodedSlashes NoDecode 22 | 23 | 24 | Order deny,allow 25 | Allow from all 26 | 27 | #Allow forwarding to gitlab-workhorse 28 | ProxyPassReverse http://127.0.0.1:8181 29 | ProxyPassReverse http://YOUR_SERVER_FQDN/ 30 | 31 | 32 | # Apache equivalent of nginx try files 33 | # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files 34 | # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab 35 | RewriteEngine on 36 | 37 | #Forward all requests to gitlab-workhorse except existing files like error documents 38 | RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR] 39 | RewriteCond %{REQUEST_URI} ^/uploads/.* 40 | RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE] 41 | 42 | # needed for downloading attachments 43 | DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public 44 | 45 | #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up. 46 | ErrorDocument 404 /404.html 47 | ErrorDocument 422 /422.html 48 | ErrorDocument 500 /500.html 49 | ErrorDocument 502 /502.html 50 | ErrorDocument 503 /503.html 51 | 52 | # It is assumed that the log directory is in /var/log/httpd. 53 | # For Debian distributions you might want to change this to 54 | # /var/log/apache2. 
55 | LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded 56 | ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log 57 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded 58 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog 59 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined 60 | 61 | 62 | -------------------------------------------------------------------------------- /web-server/apache/gitlab-omnibus-apache24.conf: -------------------------------------------------------------------------------- 1 | # This configuration has been tested on GitLab 8.2 2 | # Note this config assumes unicorn is listening on default port 8080 and 3 | # gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to 4 | # listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following: 5 | # 6 | # gitlab_workhorse['listen_network'] = "tcp" 7 | # gitlab_workhorse['listen_addr'] = "127.0.0.1:8181" 8 | # 9 | #Module dependencies 10 | # mod_rewrite 11 | # mod_proxy 12 | # mod_proxy_http 13 | 14 | ServerName YOUR_SERVER_FQDN 15 | ServerSignature Off 16 | 17 | ProxyPreserveHost On 18 | 19 | # Ensure that encoded slashes are not decoded but left in their encoded state. 
20 | # http://doc.gitlab.com/ce/api/projects.html#get-single-project 21 | AllowEncodedSlashes NoDecode 22 | 23 | 24 | # New authorization commands for apache 2.4 and up 25 | # http://httpd.apache.org/docs/2.4/upgrading.html#access 26 | Require all granted 27 | 28 | #Allow forwarding to gitlab-workhorse 29 | ProxyPassReverse http://127.0.0.1:8181 30 | ProxyPassReverse http://YOUR_SERVER_FQDN/ 31 | 32 | 33 | # Apache equivalent of nginx try files 34 | # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files 35 | # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab 36 | RewriteEngine on 37 | 38 | #Forward all requests to gitlab-workhorse except existing files like error documents 39 | RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR] 40 | RewriteCond %{REQUEST_URI} ^/uploads/.* 41 | RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE] 42 | 43 | # needed for downloading attachments 44 | DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public 45 | 46 | #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up. 47 | ErrorDocument 404 /404.html 48 | ErrorDocument 422 /422.html 49 | ErrorDocument 500 /500.html 50 | ErrorDocument 502 /502.html 51 | ErrorDocument 503 /503.html 52 | 53 | # It is assumed that the log directory is in /var/log/httpd. 54 | # For Debian distributions you might want to change this to 55 | # /var/log/apache2. 
56 | LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded 57 | ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log 58 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded 59 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog 60 | CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined 61 | 62 | 63 | -------------------------------------------------------------------------------- /web-server/apache/gitlab-omnibus-ssl-apache22.conf: -------------------------------------------------------------------------------- 1 | # This configuration has been tested on GitLab 8.2 2 | # Note this config assumes unicorn is listening on default port 8080 and 3 | # gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to 4 | # listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following: 5 | # 6 | # gitlab_workhorse['listen_network'] = "tcp" 7 | # gitlab_workhorse['listen_addr'] = "127.0.0.1:8181" 8 | # 9 | #Module dependencies 10 | # mod_rewrite 11 | # mod_ssl 12 | # mod_proxy 13 | # mod_proxy_http 14 | # mod_headers 15 | 16 | # This section is only needed if you want to redirect http traffic to https. 17 | # You can live without it but clients will have to type in https:// to reach gitlab. 
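# NOTE(review): the <VirtualHost> and <Location> container lines are blank on
# this page (markup lost in extraction). They are restored below from context
# (an HTTP redirect host, a TLS host, single-argument ProxyPassReverse lines);
# confirm them against the upstream file before use.
<VirtualHost *:80>
  ServerName YOUR_SERVER_FQDN
  ServerSignature Off

  # Send every plain-HTTP request to the same path on HTTPS.
  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  # Strong encryption ciphers only
  # see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
  # "all -SSLv2" still leaves SSLv3 enabled, so SSLv3 is switched off as well.
  # TLSv1 and TLSv1.1 stay on for old clients; disable them too if every
  # client speaks TLSv1.2 or newer.
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  # The 3DES entries are kept for legacy clients only (64-bit block cipher);
  # remove them once no client needs them.
  SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  # HSTS pins browsers to HTTPS for max-age seconds, subdomains included, so
  # every subdomain must serve valid HTTPS before this goes live.
  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  SSLCompression Off
  SSLCertificateFile /etc/httpd/ssl.crt/YOUR_SERVER_FQDN.crt
  SSLCertificateKeyFile /etc/httpd/ssl.key/YOUR_SERVER_FQDN.key
  SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt

  ServerName YOUR_SERVER_FQDN
  ServerSignature Off

  ProxyPreserveHost On

  # Ensure that encoded slashes are not decoded but left in their encoded state.
  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
  AllowEncodedSlashes NoDecode

  <Location />
    Order deny,allow
    Allow from all

    # Allow forwarding to gitlab-workhorse
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://YOUR_SERVER_FQDN/
  </Location>

  # Apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on

  # Forward all requests to gitlab-workhorse except existing files like error documents
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

  # "set" replaces any value the client sent for the same header name, so the
  # backend only sees what this proxy asserts.
  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on

  # needed for downloading attachments
  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public

  # Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 502 /502.html
  ErrorDocument 503 /503.html

  # It is assumed that the log directory is in /var/log/httpd.
  # For Debian distributions you might want to change this to
  # /var/log/apache2.
  # common_forwarded records the X-Forwarded-For request header in place of the
  # peer address; that header is client-supplied unless a trusted front proxy
  # overwrites it, so do not treat this log as the authoritative source IP.
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
</VirtualHost>

--------------------------------------------------------------------------------
/web-server/apache/gitlab-omnibus-ssl-apache24.conf:
--------------------------------------------------------------------------------
# This configuration has been tested on GitLab 8.2
# Note this config assumes unicorn is listening on default port 8080 and
# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
# listen on port 8181, edit /etc/gitlab/gitlab.rb and change the following:
#
# gitlab_workhorse['listen_network'] = "tcp"
# gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
#
#Module dependencies
# mod_rewrite
# mod_ssl
# mod_proxy
# mod_proxy_http
# mod_headers

# This section is only needed if you want to redirect http traffic to https.
# You can live without it but clients will have to type in https:// to reach gitlab.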
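# NOTE(review): the <VirtualHost> and <Location> container lines are blank on
# this page (markup lost in extraction). They are restored below from context
# (an HTTP redirect host, a TLS host, single-argument ProxyPassReverse lines);
# confirm them against the upstream file before use.
<VirtualHost *:80>
  ServerName YOUR_SERVER_FQDN
  ServerSignature Off

  # Send every plain-HTTP request to the same path on HTTPS.
  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  # Strong encryption ciphers only
  # see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
  # "all -SSLv2" still leaves SSLv3 enabled, so SSLv3 is switched off as well.
  # TLSv1 and TLSv1.1 stay on for old clients; disable them too if every
  # client speaks TLSv1.2 or newer.
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  # The 3DES entries are kept for legacy clients only (64-bit block cipher);
  # remove them once no client needs them.
  SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  # HSTS pins browsers to HTTPS for max-age seconds, subdomains included, so
  # every subdomain must serve valid HTTPS before this goes live.
  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  SSLCompression Off
  SSLCertificateFile /etc/httpd/ssl.crt/YOUR_SERVER_FQDN.crt
  SSLCertificateKeyFile /etc/httpd/ssl.key/YOUR_SERVER_FQDN.key
  SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt

  ServerName YOUR_SERVER_FQDN
  ServerSignature Off

  ProxyPreserveHost On

  # Ensure that encoded slashes are not decoded but left in their encoded state.
  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
  AllowEncodedSlashes NoDecode

  <Location />
    # New authorization commands for apache 2.4 and up
    # http://httpd.apache.org/docs/2.4/upgrading.html#access
    Require all granted

    # Allow forwarding to gitlab-workhorse
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://YOUR_SERVER_FQDN/
  </Location>

  # Apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on

  # Forward all requests to gitlab-workhorse except existing files like error documents
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

  # "set" replaces any value the client sent for the same header name, so the
  # backend only sees what this proxy asserts.
  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on

  # needed for downloading attachments
  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public

  # Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 502 /502.html
  ErrorDocument 503 /503.html

  # It is assumed that the log directory is in /var/log/httpd.
  # For Debian distributions you might want to change this to
  # /var/log/apache2.
  # common_forwarded records the X-Forwarded-For request header in place of the
  # peer address; that header is client-supplied unless a trusted front proxy
  # overwrites it, so do not treat this log as the authoritative source IP.
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
</VirtualHost>

--------------------------------------------------------------------------------
/web-server/apache/gitlab-ssl-apache22.conf:
--------------------------------------------------------------------------------
# This configuration has been tested on GitLab 8.2
# Note this config assumes unicorn is listening on default port 8080 and
# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
# listen on port 8181, edit or create /etc/default/gitlab and change or add the following:
#
# gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr 127.0.0.1:8181 -authBackend http://127.0.0.1:8080"
#
#Module dependencies
# mod_rewrite
# mod_ssl
# mod_proxy
# mod_proxy_http
# mod_headers

# This section is only needed if you want to redirect http traffic to https.
# You can live without it but clients will have to type in https:// to reach gitlab.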
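# NOTE(review): the <VirtualHost> and <Location> container lines are blank on
# this page (markup lost in extraction). They are restored below from context
# (an HTTP redirect host, a TLS host, single-argument ProxyPassReverse lines);
# confirm them against the upstream file before use.
<VirtualHost *:80>
  ServerName YOUR_SERVER_FQDN
  ServerSignature Off

  # Send every plain-HTTP request to the same path on HTTPS.
  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  # Strong encryption ciphers only
  # see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
  # "all -SSLv2" still leaves SSLv3 enabled, so SSLv3 is switched off as well.
  # TLSv1 and TLSv1.1 stay on for old clients; disable them too if every
  # client speaks TLSv1.2 or newer.
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  # The 3DES entries are kept for legacy clients only (64-bit block cipher);
  # remove them once no client needs them.
  SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  # HSTS pins browsers to HTTPS for max-age seconds, subdomains included, so
  # every subdomain must serve valid HTTPS before this goes live.
  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  SSLCompression Off
  SSLCertificateFile /etc/httpd/ssl.crt/YOUR_SERVER_FQDN.crt
  SSLCertificateKeyFile /etc/httpd/ssl.key/YOUR_SERVER_FQDN.key
  SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt

  ServerName YOUR_SERVER_FQDN
  ServerSignature Off

  ProxyPreserveHost On

  # Ensure that encoded slashes are not decoded but left in their encoded state.
  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
  AllowEncodedSlashes NoDecode

  <Location />
    Order deny,allow
    Allow from all

    # Allow forwarding to gitlab-workhorse
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://YOUR_SERVER_FQDN/
  </Location>

  # Apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on

  # Forward all requests to gitlab-workhorse except existing files like error documents
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

  # "set" replaces any value the client sent for the same header name, so the
  # backend only sees what this proxy asserts.
  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on

  # needed for downloading attachments
  DocumentRoot /home/git/gitlab/public

  # Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 502 /502.html
  ErrorDocument 503 /503.html

  # It is assumed that the log directory is in /var/log/httpd.
  # For Debian distributions you might want to change this to
  # /var/log/apache2.
  # common_forwarded records the X-Forwarded-For request header in place of the
  # peer address; that header is client-supplied unless a trusted front proxy
  # overwrites it, so do not treat this log as the authoritative source IP.
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
</VirtualHost>

--------------------------------------------------------------------------------
/web-server/apache/gitlab-ssl-apache24.conf:
--------------------------------------------------------------------------------
# This configuration has been tested on GitLab 8.2
# Note this config assumes unicorn is listening on default port 8080 and
# gitlab-workhorse is listening on port 8181. To allow gitlab-workhorse to
# listen on port 8181, edit or create /etc/default/gitlab and change or add the following:
#
# gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr 127.0.0.1:8181 -authBackend http://127.0.0.1:8080"
#
#Module dependencies
# mod_rewrite
# mod_ssl
# mod_proxy
# mod_proxy_http
# mod_headers

# This section is only needed if you want to redirect http traffic to https.
# You can live without it but clients will have to type in https:// to reach gitlab.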
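# NOTE(review): the <VirtualHost> and <Location> container lines are blank on
# this page (markup lost in extraction). They are restored below from context
# (an HTTP redirect host, a TLS host, single-argument ProxyPassReverse lines);
# confirm them against the upstream file before use.
<VirtualHost *:80>
  ServerName YOUR_SERVER_FQDN
  ServerSignature Off

  # Send every plain-HTTP request to the same path on HTTPS.
  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  # Strong encryption ciphers only
  # see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
  # "all -SSLv2" still leaves SSLv3 enabled, so SSLv3 is switched off as well.
  # TLSv1 and TLSv1.1 stay on for old clients; disable them too if every
  # client speaks TLSv1.2 or newer.
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  # The 3DES entries are kept for legacy clients only (64-bit block cipher);
  # remove them once no client needs them.
  SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
  # HSTS pins browsers to HTTPS for max-age seconds, subdomains included, so
  # every subdomain must serve valid HTTPS before this goes live.
  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  SSLCompression Off
  SSLCertificateFile /etc/httpd/ssl.crt/YOUR_SERVER_FQDN.crt
  SSLCertificateKeyFile /etc/httpd/ssl.key/YOUR_SERVER_FQDN.key
  SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt

  ServerName YOUR_SERVER_FQDN
  ServerSignature Off

  ProxyPreserveHost On

  # Ensure that encoded slashes are not decoded but left in their encoded state.
  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
  AllowEncodedSlashes NoDecode

  <Location />
    # New authorization commands for apache 2.4 and up
    # http://httpd.apache.org/docs/2.4/upgrading.html#access
    Require all granted

    # Allow forwarding to gitlab-workhorse
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://YOUR_SERVER_FQDN/
  </Location>

  # Apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on

  # Forward all requests to gitlab-workhorse except existing files like error documents
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

  # "set" replaces any value the client sent for the same header name, so the
  # backend only sees what this proxy asserts.
  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on

  # needed for downloading attachments
  DocumentRoot /home/git/gitlab/public

  # Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 502 /502.html
  ErrorDocument 503 /503.html

  # It is assumed that the log directory is in /var/log/httpd.
  # For Debian distributions you might want to change this to
  # /var/log/apache2.
  # common_forwarded records the X-Forwarded-For request header in place of the
  # peer address; that header is client-supplied unless a trusted front proxy
  # overwrites it, so do not treat this log as the authoritative source IP.
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog /var/log/httpd/logs/YOUR_SERVER_FQDN_error.log
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_forwarded.log common_forwarded
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN_access.log combined env=!dontlog
  CustomLog /var/log/httpd/logs/YOUR_SERVER_FQDN.log combined
</VirtualHost>

--------------------------------------------------------------------------------
/web-server/caddy/Caddyfile:
--------------------------------------------------------------------------------
https://gitlab.example.com {
    log git.access.log {
        rotate_size 50
        rotate_age  90
        rotate_keep 20
        rotate_compress
    }

    errors git.errors.log {
        404 /opt/gitlab/embedded/service/gitlab-rails/public/404.html
        422 /opt/gitlab/embedded/service/gitlab-rails/public/422.html
        500 /opt/gitlab/embedded/service/gitlab-rails/public/500.html
        502 /opt/gitlab/embedded/service/gitlab-rails/public/502.html
    }

    # Everything is handed to gitlab-workhorse on the loopback interface.
    proxy / http://127.0.0.1:8181 {
        fail_timeout 0s

        # Sent on every proxied request so the backend knows the client side
        # of the connection is HTTPS.
        header_upstream X-Forwarded-Ssl on

        transparent
    }
}

# Optional GitLab Pages config
*.example.io {
    # NOTE(review): max_certs looks like the on-demand issuance cap of the
    # older Caddyfile syntax; confirm against the Caddy version in use and
    # keep the cap low, since any host name under the wildcard can ask for a
    # certificate.
    tls {
        max_certs 10
    }

    proxy / http://127.0.0.1:8090 {
        fail_timeout 0s

        transparent
    }
}

--------------------------------------------------------------------------------
/web-server/caddy/README.md:
--------------------------------------------------------------------------------
# Caddy

This is an example configuration of how to use GitLab with [caddy](https://caddyserver.com/).

## GitLab

### Updating GitLab Configuration

Open `/etc/gitlab/gitlab.rb` using your favourite text editor and update the following values.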
10 | 11 | * Change `external_url` to the https protocol 12 | * Change `gitlab_workhorse['listen_network']` from `"unix"` to `"tcp"` 13 | * Change `gitlab_workhorse['listen_addr']` from `"/var/opt/gitlab/gitlab-workhorse/socket"` to `"127.0.0.1:8181"` 14 | * Add whatever user caddy runs under to `web_server['external_users']` unless root 15 | * Change `nginx['enable'] = "true"` to `nginx['enable'] = "false"` 16 | * Save and exit the configuration file and run `gitlab-ctl reconfigure` to update GitLab's configuration 17 | 18 | #### Issues 19 | 20 | With some repositories you can get the following [error](https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/issues/1587). 21 | To fix it, modify this line in `/etc/gitlab/gitlab.rb`: 22 | 23 | * `nginx['custom_gitlab_server_config'] = 'proxy_buffering off;'` 24 | * Save and exit the configuration file and run `gitlab-ctl reconfigure` to update GitLab's configuration 25 | 26 | ### Updating the Caddyfile 27 | 28 | Simply change gitlab.example.com to point to your FQDN. 29 | 30 | ## GitLab Pages 31 | 32 | ### Updating GitLab Configuration 33 | 34 | Change `https://example.io` to point to your pages domain: 35 | 36 | ```ruby 37 | pages_external_url "https://example.io" 38 | 39 | gitlab_pages['enable'] = true 40 | gitlab_pages['listen_proxy'] = "127.0.0.1:8090" 41 | gitlab_pages['redirect_http'] = true 42 | gitlab_pages['use_http2'] = true 43 | gitlab_pages['metrics_address'] = ":9235" 44 | ``` 45 | Note that `":9235"` has no host part, so the metrics endpoint listens on every interface; firewall the port or use a loopback address if it should stay local. 46 | ### Updating the Caddyfile 47 | 48 | Simply change `*.example.io` to point to your pages domain (must be different from your GitLab domain). 
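--------------------------------------------------------------------------------
/web-server/lighttpd/10-gitlab.conf:
--------------------------------------------------------------------------------
# GITLAB
# Maintainer: @tvn87
# App Version: 2.8

server.modules += (
    "mod_simple_vhost",
    "mod_proxy"
)

## The document root of a virtual host is document-root =
## simple-vhost.server-root + $HTTP["host"] + simple-vhost.document-root
simple-vhost.server-root = "/var/www"
simple-vhost.document-root = "htdocs"

## the default host if no host is sent
simple-vhost.default-host = "YOUR_SERVER_FQDN"

## uploads must be served as static files
## "=~" is the regex match operator; "==" compares the literal string, so the
## pattern "^/upload" would never have matched a request URL.
$HTTP["url"] =~ "^/upload" {
    ## NOTE(review): these two names use dots (vhost.name) while the branch
    ## below uses underscores (vhost_name), and nothing visible here reads
    ## either pair; confirm which spelling is intended.
    var.vhost.name = "YOUR_SERVER_FQDN"
    var.vhost.path = "/home/gitlab/gitlab/public"
}
## otherwise everything is proxied
else $HTTP["host"] == "YOUR_SERVER_FQDN" {
    var.vhost_name = "YOUR_SERVER_FQDN"
    var.vhost_path = "/var/www/YOUR_SERVER_FQDN" # This directory should be empty

    ## Requests are forwarded to the application on the loopback interface.
    proxy.server = ( "" => ( (
                "host" => "127.0.0.1",
                "port" => "8080"
            ),
        )
    )
    ssl.pemfile = "/etc/lighttpd/certs/YOUR_SERVER_FQDN.pem" # If ssl is enabled
}

--------------------------------------------------------------------------------
/web-server/lighttpd/README.md:
--------------------------------------------------------------------------------
Gitlab with lighttpd webserver
==============================

* Maintainer: @tvn87
* App Version: 2.8

This config accesses gitlab via a TCP port instead of sockets because of the
mod_proxy module which seems to be unable to connect via sockets.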
9 | 10 | Because the _gitlab_ default config is set for listening to UNIX sockets you 11 | need to change that default configuration in *gitlab/config/unicorn.rb*: 12 | 13 | listen "127.0.0.1:8080" 14 | -------------------------------------------------------------------------------- /web-server/nginx/README.md: -------------------------------------------------------------------------------- 1 | ## Nginx config moved to official repository 2 | 3 | You can find the nginx config in [GitLab official repository][gitlab] which can 4 | be used for source installations. 5 | 6 | ## Omnibus configs 7 | 8 | The configuration files in this directory are known to work with GitLab 8.2 9 | and newer versions. 10 | 11 | For versions of GitLab 8.0 and 8.1, check the `8-1-stable` branch. 12 | 13 | For versions of GitLab 8.2, check the `8-2-stable` branch. 14 | 15 | --- 16 | 17 | GitLab 8.3 introduces major changes in the NGINX configuration. Because all 18 | HTTP requests now pass through gitlab-workhorse, a lot of directives need to be 19 | removed from NGINX. During future upgrades there should be much less changes in 20 | the NGINX configuration because of this. 21 | 22 | [Omnibus packages][] use their own bundled nginx server. If you want to use your 23 | own external Nginx server, follow the first 3 steps to 24 | [configure GitLab][omnibusnginxext] and then download the appropriate config 25 | file (ssl or non-ssl) from this directory. 26 | 27 | After placing the configs in their appropriate location 28 | (read [Different conf directories](#different-conf-directories)), make sure to 29 | restart Nginx. 
30 | 31 | ## CentOS related Nginx notes 32 | 33 | ### Different conf directories 34 | 35 | If nginx is installed through the package manager, adjust sites in `/etc/nginx/conf.d/` 36 | instead of `/etc/nginx/sites-available/` or create those directories and tell `nginx` 37 | to monitor them: 38 | 39 | sudo mkdir /etc/nginx/sites-{available,enabled} 40 | 41 | Then edit `/etc/nginx/nginx.conf` and replace `include /etc/nginx/conf.d/*.conf;` 42 | with `include /etc/nginx/sites-enabled/*;` 43 | 44 | ### Give nginx access to git group 45 | 46 | In order for GitLab to display properly you have to make either one of the changes 47 | below. The first one is recommended, because the second runs the nginx worker processes as the `git` user with group `root`, which gives the web server far more access than it needs. 48 | 49 | Add `nginx` user to `git` group: 50 | 51 | sudo usermod -a -G git nginx 52 | sudo chmod g+rx /home/git/ 53 | 54 | or replace the default `nginx` user with `git` and group `root` in `/etc/nginx/nginx.conf`: 55 | 56 | #user nginx; 57 | user git root; 58 | 59 | [gitlab]: https://gitlab.com/gitlab-org/gitlab-ce/tree/master/lib/support/nginx "Nginx config for GitLab" 60 | [Omnibus packages]: https://about.gitlab.com/downloads/ 61 | [omnibusnginxext]: http://doc.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server 62 | -------------------------------------------------------------------------------- /web-server/nginx/gitlab-omnibus-nginx.conf: -------------------------------------------------------------------------------- 1 | ## GitLab 8.3+ 2 | ## 3 | ## Lines starting with two hashes (##) are comments with information. 4 | ## Lines starting with one hash (#) are configuration parameters that can be uncommented. 
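##
##################################
## CONTRIBUTING ##
##################################
##
## If you change this file in a Merge Request, please also create
## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
##
###################################
## configuration ##
###################################
##
## See installation.md#using-https for additional HTTPS configuration details.

upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/socket;
}

## Normal HTTP host
## This host serves GitLab over plain HTTP, so logins and tokens cross the
## network unencrypted; use the ssl variant of this file wherever possible.
server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)
  listen 0.0.0.0:80 default_server;
  listen [::]:80 default_server;
  server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  ## See app/controllers/application_controller.rb for headers set

  ## Individual nginx logs for this GitLab vhost
  access_log /var/log/nginx/gitlab_access.log;
  error_log /var/log/nginx/gitlab_error.log;

  location / {
    ## 0 switches off nginx's own request body size check.
    client_max_body_size 0;
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;

    proxy_http_version 1.1;

    ## X-Real-IP carries the peer address alone; $proxy_add_x_forwarded_for
    ## appends it to whatever X-Forwarded-For value the client already sent.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://gitlab-workhorse;
  }
}

--------------------------------------------------------------------------------
/web-server/nginx/gitlab-omnibus-ssl-nginx.conf:
--------------------------------------------------------------------------------
## GitLab
##
## Modified from nginx http version
## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
## CONTRIBUTING ##
##################################
##
## If you change this file in a Merge Request, please also create
## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
##
###################################
## configuration ##
###################################
##
## See installation.md#using-https for additional HTTPS configuration details.

upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}

## Redirects all HTTP traffic to the HTTPS host
server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)
  listen 0.0.0.0:80;
  listen [::]:80 ipv6only=on default_server;
  server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  ## Redirect to the configured server_name instead of $http_host: the Host
  ## header is chosen by the client and this block is a default_server, so
  ## echoing it would put any Host value a client sends into the Location header.
  return 301 https://$server_name$request_uri;
  access_log /var/log/nginx/gitlab_access.log;
  error_log /var/log/nginx/gitlab_error.log;
}

## HTTPS host
server {
  ## TLS is switched on by the "ssl" parameter of the listen lines; the
  ## separate "ssl on;" directive is deprecated in newer nginx releases and
  ## has been dropped from this block.
  listen 0.0.0.0:443 ssl;
  listen [::]:443 ipv6only=on ssl default_server;
  server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate /etc/nginx/ssl/gitlab.crt;
  ssl_certificate_key /etc/nginx/ssl/gitlab.key;

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  ## The DES-CBC3 (3DES) entries and the TLSv1 / TLSv1.1 protocols below exist
  ## only for such legacy clients; remove them once no client depends on them.
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  ## See app/controllers/application_controller.rb for headers set

  ## [Optional] Enable HTTP Strict Transport Security
  ## HSTS is a feature improving protection against MITM attacks
  ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

  ## [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 5s;

  ## [Optional] Generate a stronger DHE parameter:
  ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  ##
  # ssl_dhparam /etc/ssl/certs/dhparam.pem;

  ## Individual nginx logs for this GitLab vhost
  access_log /var/log/nginx/gitlab_access.log;
  error_log /var/log/nginx/gitlab_error.log;

  location / {
    ## 0 switches off nginx's own request body size check.
    client_max_body_size 0;
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;

    proxy_http_version 1.1;

    ## X-Real-IP carries the peer address alone; $proxy_add_x_forwarded_for
    ## appends it to whatever X-Forwarded-For value the client already sent.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://gitlab-workhorse;
  }
}

--------------------------------------------------------------------------------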