├── LICENSE ├── README.rst ├── gitlab ├── files │ ├── gitlab-database.yml │ ├── gitlab-default │ ├── gitlab-gitconfig │ ├── gitlab-gitlab.yml │ ├── gitlab-logrotate │ ├── gitlab-nginx │ ├── gitlab-nginx-ssl │ ├── gitlab-rack_attack.rb │ ├── gitlab-shell-config.yml │ └── gitlab-unicorn.rb ├── gitlab-shell.sls ├── gitlab.sls ├── init.sls ├── map.jinja ├── nginx.sls ├── packages.sls ├── postgresql.sls ├── repos.sls ├── ruby.sls ├── runner.sls └── user.sls └── pillar.example /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, and 10 | distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by the copyright 13 | owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all other entities 16 | that control, are controlled by, or are under common control with that entity. 17 | For the purposes of this definition, "control" means (i) the power, direct or 18 | indirect, to cause the direction or management of such entity, whether by 19 | contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the 20 | outstanding shares, or (iii) beneficial ownership of such entity. 21 | 22 | "You" (or "Your") shall mean an individual or Legal Entity exercising 23 | permissions granted by this License. 24 | 25 | "Source" form shall mean the preferred form for making modifications, including 26 | but not limited to software source code, documentation source, and configuration 27 | files. 
28 | 29 | "Object" form shall mean any form resulting from mechanical transformation or 30 | translation of a Source form, including but not limited to compiled object code, 31 | generated documentation, and conversions to other media types. 32 | 33 | "Work" shall mean the work of authorship, whether in Source or Object form, made 34 | available under the License, as indicated by a copyright notice that is included 35 | in or attached to the work (an example is provided in the Appendix below). 36 | 37 | "Derivative Works" shall mean any work, whether in Source or Object form, that 38 | is based on (or derived from) the Work and for which the editorial revisions, 39 | annotations, elaborations, or other modifications represent, as a whole, an 40 | original work of authorship. For the purposes of this License, Derivative Works 41 | shall not include works that remain separable from, or merely link (or bind by 42 | name) to the interfaces of, the Work and Derivative Works thereof. 43 | 44 | "Contribution" shall mean any work of authorship, including the original version 45 | of the Work and any modifications or additions to that Work or Derivative Works 46 | thereof, that is intentionally submitted to Licensor for inclusion in the Work 47 | by the copyright owner or by an individual or Legal Entity authorized to submit 48 | on behalf of the copyright owner. For the purposes of this definition, 49 | "submitted" means any form of electronic, verbal, or written communication sent 50 | to the Licensor or its representatives, including but not limited to 51 | communication on electronic mailing lists, source code control systems, and 52 | issue tracking systems that are managed by, or on behalf of, the Licensor for 53 | the purpose of discussing and improving the Work, but excluding communication 54 | that is conspicuously marked or otherwise designated in writing by the copyright 55 | owner as "Not a Contribution." 
56 | 57 | "Contributor" shall mean Licensor and any individual or Legal Entity on behalf 58 | of whom a Contribution has been received by Licensor and subsequently 59 | incorporated within the Work. 60 | 61 | 2. Grant of Copyright License. 62 | 63 | Subject to the terms and conditions of this License, each Contributor hereby 64 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, 65 | irrevocable copyright license to reproduce, prepare Derivative Works of, 66 | publicly display, publicly perform, sublicense, and distribute the Work and such 67 | Derivative Works in Source or Object form. 68 | 69 | 3. Grant of Patent License. 70 | 71 | Subject to the terms and conditions of this License, each Contributor hereby 72 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, 73 | irrevocable (except as stated in this section) patent license to make, have 74 | made, use, offer to sell, sell, import, and otherwise transfer the Work, where 75 | such license applies only to those patent claims licensable by such Contributor 76 | that are necessarily infringed by their Contribution(s) alone or by combination 77 | of their Contribution(s) with the Work to which such Contribution(s) was 78 | submitted. If You institute patent litigation against any entity (including a 79 | cross-claim or counterclaim in a lawsuit) alleging that the Work or a 80 | Contribution incorporated within the Work constitutes direct or contributory 81 | patent infringement, then any patent licenses granted to You under this License 82 | for that Work shall terminate as of the date such litigation is filed. 83 | 84 | 4. Redistribution. 
85 | 86 | You may reproduce and distribute copies of the Work or Derivative Works thereof 87 | in any medium, with or without modifications, and in Source or Object form, 88 | provided that You meet the following conditions: 89 | 90 | You must give any other recipients of the Work or Derivative Works a copy of 91 | this License; and 92 | You must cause any modified files to carry prominent notices stating that You 93 | changed the files; and 94 | You must retain, in the Source form of any Derivative Works that You distribute, 95 | all copyright, patent, trademark, and attribution notices from the Source form 96 | of the Work, excluding those notices that do not pertain to any part of the 97 | Derivative Works; and 98 | If the Work includes a "NOTICE" text file as part of its distribution, then any 99 | Derivative Works that You distribute must include a readable copy of the 100 | attribution notices contained within such NOTICE file, excluding those notices 101 | that do not pertain to any part of the Derivative Works, in at least one of the 102 | following places: within a NOTICE text file distributed as part of the 103 | Derivative Works; within the Source form or documentation, if provided along 104 | with the Derivative Works; or, within a display generated by the Derivative 105 | Works, if and wherever such third-party notices normally appear. The contents of 106 | the NOTICE file are for informational purposes only and do not modify the 107 | License. You may add Your own attribution notices within Derivative Works that 108 | You distribute, alongside or as an addendum to the NOTICE text from the Work, 109 | provided that such additional attribution notices cannot be construed as 110 | modifying the License. 
111 | You may add Your own copyright statement to Your modifications and may provide 112 | additional or different license terms and conditions for use, reproduction, or 113 | distribution of Your modifications, or for any such Derivative Works as a whole, 114 | provided Your use, reproduction, and distribution of the Work otherwise complies 115 | with the conditions stated in this License. 116 | 117 | 5. Submission of Contributions. 118 | 119 | Unless You explicitly state otherwise, any Contribution intentionally submitted 120 | for inclusion in the Work by You to the Licensor shall be under the terms and 121 | conditions of this License, without any additional terms or conditions. 122 | Notwithstanding the above, nothing herein shall supersede or modify the terms of 123 | any separate license agreement you may have executed with Licensor regarding 124 | such Contributions. 125 | 126 | 6. Trademarks. 127 | 128 | This License does not grant permission to use the trade names, trademarks, 129 | service marks, or product names of the Licensor, except as required for 130 | reasonable and customary use in describing the origin of the Work and 131 | reproducing the content of the NOTICE file. 132 | 133 | 7. Disclaimer of Warranty. 134 | 135 | Unless required by applicable law or agreed to in writing, Licensor provides the 136 | Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, 137 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, 138 | including, without limitation, any warranties or conditions of TITLE, 139 | NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are 140 | solely responsible for determining the appropriateness of using or 141 | redistributing the Work and assume any risks associated with Your exercise of 142 | permissions under this License. 143 | 144 | 8. Limitation of Liability. 
145 | 146 | In no event and under no legal theory, whether in tort (including negligence), 147 | contract, or otherwise, unless required by applicable law (such as deliberate 148 | and grossly negligent acts) or agreed to in writing, shall any Contributor be 149 | liable to You for damages, including any direct, indirect, special, incidental, 150 | or consequential damages of any character arising as a result of this License or 151 | out of the use or inability to use the Work (including but not limited to 152 | damages for loss of goodwill, work stoppage, computer failure or malfunction, or 153 | any and all other commercial damages or losses), even if such Contributor has 154 | been advised of the possibility of such damages. 155 | 156 | 9. Accepting Warranty or Additional Liability. 157 | 158 | While redistributing the Work or Derivative Works thereof, You may choose to 159 | offer, and charge a fee for, acceptance of support, warranty, indemnity, or 160 | other liability obligations and/or rights consistent with this License. However, 161 | in accepting such obligations, You may act only on Your own behalf and on Your 162 | sole responsibility, not on behalf of any other Contributor, and only if You 163 | agree to indemnify, defend, and hold each Contributor harmless for any liability 164 | incurred by, or claims asserted against, such Contributor by reason of your 165 | accepting any such warranty or additional liability. 166 | 167 | END OF TERMS AND CONDITIONS 168 | 169 | APPENDIX: How to apply the Apache License to your work 170 | 171 | To apply the Apache License to your work, attach the following boilerplate 172 | notice, with the fields enclosed by brackets "[]" replaced with your own 173 | identifying information. (Don't include the brackets!) The text should be 174 | enclosed in the appropriate comment syntax for the file format. 
We also 175 | recommend that a file or class name and description of purpose be included on 176 | the same "printed page" as the copyright notice for easier identification within 177 | third-party archives. 178 | 179 | Copyright [yyyy] [name of copyright owner] 180 | 181 | Licensed under the Apache License, Version 2.0 (the "License"); 182 | you may not use this file except in compliance with the License. 183 | You may obtain a copy of the License at 184 | 185 | http://www.apache.org/licenses/LICENSE-2.0 186 | 187 | Unless required by applicable law or agreed to in writing, software 188 | distributed under the License is distributed on an "AS IS" BASIS, 189 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 190 | See the License for the specific language governing permissions and 191 | limitations under the License. 192 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | gitlab-formula 2 | ============== 3 | 4 | SaltStack formula to install GitLab 5 | 6 | Salt state for installing GitLab - https://gitlab.com/gitlab-org/gitlab-ce 7 | 8 | Following original install docs ( https://gitlab.com/gitlab-org/gitlab-ce/blob/6-5-stable/doc/install/installation.md ) as close as possible, with some exceptions: 9 | 10 | * ruby 1.9.3 is enough for it to work, so I'm using system packages for that 11 | * Using PostgreSQL "because". 12 | 13 | Currently tested only on Debian, further systems planned. 14 | 15 | Initial work done for CentOS but doesn't work there yet, heavily inspired by https://github.com/gitlabhq/gitlab-recipes/tree/master/install/centos 16 | 17 | There are some initial bits for supporting RVM, but it's not working yet. 18 | 19 | I chose to use PostgreSQL "because", planning to make this tunable via pillar. 20 | 21 | I assume you're running gitlab under your node's FQDN, not under another name. 
22 | 23 | Attempt made to have most settings tunable via pillars. 24 | 25 | Formula Dependencies 26 | ==================== 27 | 28 | * git: https://github.com/saltstack-formulas/git-formula 29 | 30 | Available states 31 | ================ 32 | 33 | .. contents:: 34 | :local: 35 | 36 | ``gitlab.runner`` 37 | ----------------- 38 | 39 | Install and configure from pillar, gitlab-runner for gitlab-ci. Using https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/gitlab-ci/README.md 40 | -------------------------------------------------------------------------------- /gitlab/files/gitlab-database.yml: -------------------------------------------------------------------------------- 1 | # 2 | # PRODUCTION 3 | # 4 | production: 5 | adapter: postgresql 6 | encoding: unicode 7 | database: {{ salt['pillar.get']('gitlab:db_name') }} 8 | pool: 10 9 | username: {{ salt['pillar.get']('gitlab:db_user') }} 10 | password: {{ salt['pillar.get']('gitlab:db_pass') }} 11 | # host: localhost 12 | # port: 5432 13 | # socket: /tmp/postgresql.sock 14 | 15 | # 16 | # Development specific 17 | # 18 | development: 19 | adapter: postgresql 20 | encoding: unicode 21 | database: gitlabhq_development 22 | pool: 5 23 | username: postgres 24 | password: 25 | # socket: /tmp/postgresql.sock 26 | 27 | # 28 | # Staging specific 29 | # 30 | staging: 31 | adapter: postgresql 32 | encoding: unicode 33 | database: gitlabhq_staging 34 | pool: 5 35 | username: postgres 36 | password: 37 | # socket: /tmp/postgresql.sock 38 | 39 | # Warning: The database defined as "test" will be erased and 40 | # re-generated from your development database when you run "rake". 41 | # Do not set this db to the same as development or production. 
42 | test: &test 43 | adapter: postgresql 44 | encoding: unicode 45 | database: gitlabhq_test 46 | pool: 5 47 | username: postgres 48 | password: 49 | # socket: /tmp/postgresql.sock 50 | 51 | -------------------------------------------------------------------------------- /gitlab/files/gitlab-default: -------------------------------------------------------------------------------- 1 | # Copy this lib/support/init.d/gitlab.default.example file to 2 | # /etc/default/gitlab in order for it to apply to your system. 3 | 4 | 5 | # RAILS_ENV defines the type of installation that is running. 6 | # Normal values are "production", "test" and "development". 7 | RAILS_ENV="production" 8 | 9 | # app_user defines the user that GitLab is run as. 10 | # The default is "git". 11 | app_user="git" 12 | 13 | # app_root defines the folder in which gitlab and it's components are installed. 14 | # The default is "/home/$app_user/gitlab" 15 | app_root="/home/$app_user/gitlab" 16 | 17 | {% if salt['pillar.get']('gitlab:use_rvm', false) %} 18 | # Load RVM variables 19 | . /home/$app_user/.rvm/scripts/rvm 20 | 21 | {% endif %} 22 | 23 | # pid_path defines a folder in which the gitlab and it's components place their pids. 24 | # This variable is also used below to define the relevant pids for the gitlab components. 
25 | # The default is "$app_root/tmp/pids" 26 | pid_path="$app_root/tmp/pids" 27 | 28 | # socket_path defines the folder in which gitlab places the sockets 29 | #The default is "$app_root/tmp/sockets" 30 | socket_path="$app_root/tmp/sockets" 31 | 32 | # web_server_pid_path defines the path in which to create the pid file fo the web_server 33 | # The default is "$pid_path/unicorn.pid" 34 | web_server_pid_path="$pid_path/unicorn.pid" 35 | 36 | # sidekiq_pid_path defines the path in which to create the pid file for sidekiq 37 | # The default is "$pid_path/sidekiq.pid" 38 | sidekiq_pid_path="$pid_path/sidekiq.pid" 39 | 40 | -------------------------------------------------------------------------------- /gitlab/files/gitlab-gitconfig: -------------------------------------------------------------------------------- 1 | [user] 2 | name = GitLab 3 | email = gitlab@{{ grains['fqdn'] }} 4 | [core] 5 | autocrlf = input 6 | 7 | -------------------------------------------------------------------------------- /gitlab/files/gitlab-gitlab.yml: -------------------------------------------------------------------------------- 1 | # # # # # # # # # # # # # # # # # # 2 | # GitLab application config file # 3 | # # # # # # # # # # # # # # # # # # 4 | # 5 | # How to use: 6 | # 1. copy file as gitlab.yml 7 | # 2. Replace gitlab -> host with your domain 8 | # 3. Replace gitlab -> email_from 9 | 10 | production: &base 11 | # 12 | # 1. GitLab app settings 13 | # ========================== 14 | 15 | ## GitLab settings 16 | gitlab: 17 | ## Web server settings 18 | host: {{ grains['fqdn'] }} 19 | {%- if salt['pillar.get']('gitlab:https', false) %} 20 | port: 443 21 | https: true 22 | {% else %} 23 | port: 80 24 | https: false 25 | {% endif %} 26 | 27 | # Uncomment and customize the last line to run in a non-root path 28 | # WARNING: We recommend creating a FQDN to host GitLab in a root path instead of this. 29 | # Note that four settings need to be changed for this to work. 
30 | # 1) In your application.rb file: config.relative_url_root = "/gitlab" 31 | # 2) In your gitlab.yml file: relative_url_root: /gitlab 32 | # 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab" 33 | # 4) In ../gitlab-shell/config.yml: gitlab_url: "http://127.0.0.1/gitlab" 34 | # To update the path, run: sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production 35 | # 36 | # relative_url_root: /gitlab 37 | 38 | # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') 39 | # user: git 40 | 41 | ## Email settings 42 | # Email address used in the "From" field in mails sent by GitLab 43 | email_from: gitlab@{{ grains['fqdn'] }} 44 | 45 | # Email address of your support contact (default: same as email_from) 46 | support_email: support@{{ grains['fqdn'] }} 47 | 48 | ## User settings 49 | default_projects_limit: 10 50 | # default_can_create_group: false # default: true 51 | # username_changing_enabled: false # default: true - User can change her username/namespace 52 | ## Default theme 53 | ## BASIC = 1 54 | ## MARS = 2 55 | ## MODERN = 3 56 | ## GRAY = 4 57 | ## COLOR = 5 58 | # default_theme: 2 # default: 2 59 | 60 | 61 | ## Users management 62 | # default: false - Account passwords are not sent via the email if signup is enabled. 63 | # signup_enabled: true 64 | 65 | # Restrict setting visibility levels for non-admin users. 66 | # The default is to allow all levels. 67 | #restricted_visibility_levels: [ "public" ] 68 | 69 | ## Automatic issue closing 70 | # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. 71 | # This happens when the commit is pushed or merged into the default branch of a project. 72 | # When not specified the default issue_closing_pattern as specified below will be used. 
73 | # issue_closing_pattern: '([Cc]lose[sd]|[Ff]ixe[sd]) +#\d+' 74 | 75 | ## Default project features settings 76 | default_projects_features: 77 | issues: true 78 | merge_requests: true 79 | wiki: true 80 | wall: false 81 | snippets: false 82 | visibility_level: "private" # can be "private" | "internal" | "public" 83 | 84 | ## External issues trackers 85 | issues_tracker: 86 | # redmine: 87 | # title: "Redmine" 88 | # ## If not nil, link 'Issues' on project page will be replaced with this 89 | # ## Use placeholders: 90 | # ## :project_id - GitLab project identifier 91 | # ## :issues_tracker_id - Project Name or Id in external issue tracker 92 | # project_url: "http://redmine.sample/projects/:issues_tracker_id" 93 | # 94 | # ## If not nil, links from /#\d/ entities from commit messages will replaced with this 95 | # ## Use placeholders: 96 | # ## :project_id - GitLab project identifier 97 | # ## :issues_tracker_id - Project Name or Id in external issue tracker 98 | # ## :id - Issue id (from commit messages) 99 | # issues_url: "http://redmine.sample/issues/:id" 100 | # 101 | # ## If not nil, linkis to creating new issues will be replaced with this 102 | # ## Use placeholders: 103 | # ## :project_id - GitLab project identifier 104 | # ## :issues_tracker_id - Project Name or Id in external issue tracker 105 | # new_issue_url: "http://redmine.sample/projects/:issues_tracker_id/issues/new" 106 | # 107 | # jira: 108 | # title: "Atlassian Jira" 109 | # project_url: "http://jira.sample/issues/?jql=project=:issues_tracker_id" 110 | # issues_url: "http://jira.sample/browse/:id" 111 | # new_issue_url: "http://jira.sample/secure/CreateIssue.jspa" 112 | 113 | ## Gravatar 114 | gravatar: 115 | enabled: {{ salt['pillar.get']('gitlab:gravatar:enabled', true) }} # Use user avatar image from Gravatar.com (default: true) 116 | # plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=mm 117 | # ssl_url: "https://..." 
# default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm 118 | 119 | # 120 | # 2. Auth settings 121 | # ========================== 122 | 123 | ## LDAP settings 124 | # You can inspect a sample of the LDAP users with login access by running: 125 | # bundle exec rake gitlab:ldap:check RAILS_ENV=production 126 | ldap: 127 | enabled: {{ salt['pillar.get']('gitlab:ldap:enabled', false) }} 128 | host: '{{ salt['pillar.get']('gitlab:ldap:host', '') }}' 129 | base: '{{ salt['pillar.get']('gitlab:ldap:base', '') }}' 130 | port: {{ salt['pillar.get']('gitlab:ldap:port', 636) }} 131 | uid: '{{ salt['pillar.get']('gitlab:ldap:uid', 'sAMAccountName') }}' 132 | method: '{{ salt['pillar.get']('gitlab:ldap:method', 'ssl') }}' # "ssl" or "plain" 133 | bind_dn: '{{ salt['pillar.get']('gitlab:ldap:bind_dn', '') }}' 134 | password: '{{ salt['pillar.get']('gitlab:ldap:password', '') }}' 135 | # If allow_username_or_email_login is enabled, GitLab will ignore everything 136 | # after the first '@' in the LDAP username submitted by the user on login. 137 | # 138 | # Example: 139 | # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; 140 | # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. 141 | # 142 | # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to 143 | # disable this setting, because the userPrincipalName contains an '@'. 144 | allow_username_or_email_login: '{{ salt['pillar.get']('gitlab:ldap:allow_username_or_email_login', true) }}' 145 | 146 | ## OmniAuth settings 147 | omniauth: 148 | # Allow login via Twitter, Google, etc. using OmniAuth providers 149 | enabled: {{ salt['pillar.get']('gitlab:omniauth:enabled', false) }} 150 | 151 | # CAUTION! 152 | # This allows users to login without having a user account first (default: false). 153 | # User accounts will be created automatically when authentication was successful. 
154 | allow_single_sign_on: {{ salt['pillar.get']('gitlab:omniauth:allow_single_sign_on', false) }} 155 | # Locks down those users until they have been cleared by the admin (default: true). 156 | block_auto_created_users: {{ salt['pillar.get']('gitlab:omniauth:block_auto_created_users', true) }} 157 | 158 | ## Auth providers 159 | # Uncomment the following lines and fill in the data of the auth provider you want to use 160 | # If your favorite auth provider is not listed you can use others: 161 | # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Working-custom-omniauth-provider-configurations 162 | # The 'app_id' and 'app_secret' parameters are always passed as the first two 163 | # arguments, followed by optional 'args' which can be either a hash or an array. 164 | providers: 165 | # - { name: 'google_oauth2', app_id: 'YOUR APP ID', 166 | # app_secret: 'YOUR APP SECRET', 167 | # args: { access_type: 'offline', approval_prompt: '' } } 168 | # - { name: 'twitter', app_id: 'YOUR APP ID', 169 | # app_secret: 'YOUR APP SECRET'} 170 | # - { name: 'github', app_id: 'YOUR APP ID', 171 | # app_secret: 'YOUR APP SECRET', 172 | # args: { scope: 'user:email' } } 173 | 174 | 175 | 176 | # 177 | # 3. Advanced settings 178 | # ========================== 179 | 180 | # GitLab Satellites 181 | satellites: 182 | # Relative paths are relative to Rails.root (default: tmp/repo_satellites/) 183 | path: /home/git/gitlab-satellites/ 184 | 185 | ## Backup settings 186 | backup: 187 | path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) 188 | # keep_time: 604800 # default: 0 (forever) (in seconds) 189 | 190 | ## GitLab Shell settings 191 | gitlab_shell: 192 | path: /home/git/gitlab-shell/ 193 | 194 | # REPOS_PATH MUST NOT BE A SYMLINK!!! 
195 | repos_path: /home/git/repositories/ 196 | hooks_path: /home/git/gitlab-shell/hooks/ 197 | 198 | # Git over HTTP 199 | upload_pack: true 200 | receive_pack: true 201 | 202 | # If you use non-standard ssh port you need to specify it 203 | # ssh_port: 22 204 | 205 | ## Git settings 206 | # CAUTION! 207 | # Use the default values unless you really know what you are doing 208 | git: 209 | bin_path: /usr/bin/git 210 | # Max size of a git object (e.g. a commit), in bytes 211 | # This value can be increased if you have very large commits 212 | max_size: 5242880 # 5.megabytes 213 | # Git timeout to read a commit, in seconds 214 | timeout: 10 215 | 216 | # 217 | # 4. Extra customization 218 | # ========================== 219 | 220 | extra: 221 | ## Google analytics. Uncomment if you want it 222 | # google_analytics_id: '_your_tracking_id' 223 | 224 | ## Text under sign-in page (Markdown enabled) 225 | # sign_in_text: | 226 | # ![Company Logo](http://www.companydomain.com/logo.png) 227 | # [Learn more about CompanyName](http://www.companydomain.com/) 228 | 229 | development: 230 | <<: *base 231 | 232 | test: 233 | <<: *base 234 | issues_tracker: 235 | redmine: 236 | title: "Redmine" 237 | project_url: "http://redmine/projects/:issues_tracker_id" 238 | issues_url: "http://redmine/:project_id/:issues_tracker_id/:id" 239 | new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new" 240 | 241 | staging: 242 | <<: *base 243 | 244 | -------------------------------------------------------------------------------- /gitlab/files/gitlab-logrotate: -------------------------------------------------------------------------------- 1 | # GitLab logrotate settings 2 | # based on: http://stackoverflow.com/a/4883967 3 | 4 | /home/git/gitlab/log/*.log { 5 | weekly 6 | missingok 7 | rotate 52 8 | compress 9 | delaycompress 10 | notifempty 11 | copytruncate 12 | } 13 | 14 | /home/git/gitlab-shell/gitlab-shell.log { 15 | weekly 16 | missingok 17 | rotate 52 18 | compress 19 | 
delaycompress 20 | notifempty 21 | copytruncate 22 | } 23 | 24 | -------------------------------------------------------------------------------- /gitlab/files/gitlab-nginx: -------------------------------------------------------------------------------- 1 | # GITLAB 2 | # Maintainer: @randx 3 | # App Version: 5.0 4 | 5 | upstream gitlab { 6 | server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; 7 | } 8 | 9 | server { 10 | listen *:80 default_server; # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea 11 | server_name {{ grains['fqdn'] }}; # e.g., server_name source.example.com; 12 | server_tokens off; # don't show the version number, a security best practice 13 | root /home/git/gitlab/public; 14 | 15 | # Set value of client_max_body_size to at least the value of git.max_size in gitlab.yml 16 | client_max_body_size 5m; 17 | 18 | # individual nginx logs for this gitlab vhost 19 | access_log /var/log/nginx/gitlab_access.log; 20 | error_log /var/log/nginx/gitlab_error.log; 21 | 22 | location / { 23 | # serve static files from defined root folder;. 24 | # @gitlab is a named location for the upstream fallback, see below 25 | try_files $uri $uri/index.html $uri.html @gitlab; 26 | } 27 | 28 | # if a file, which is not found in the root folder is requested, 29 | # then the proxy pass the request to the upsteam (gitlab unicorn) 30 | location @gitlab { 31 | proxy_read_timeout 300; # Some requests take more than 30 seconds. 32 | proxy_connect_timeout 300; # Some requests take more than 30 seconds. 
33 | proxy_redirect off; 34 | 35 | proxy_set_header X-Forwarded-Proto $scheme; 36 | proxy_set_header Host $http_host; 37 | proxy_set_header X-Real-IP $remote_addr; 38 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 39 | 40 | proxy_pass http://gitlab; 41 | } 42 | } 43 | 44 | -------------------------------------------------------------------------------- /gitlab/files/gitlab-nginx-ssl: -------------------------------------------------------------------------------- 1 | # GITLAB 2 | # Contributors: yin8086, sashkab, orkoden, axilleas 3 | # App Version: 5.4 - 6.0 4 | 5 | # Modified from nginx http version 6 | # Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/ 7 | 8 | # You need to run openssl to generate a self-signed ssl certificate. 9 | # cd /etc/nginx/ 10 | # sudo openssl req -new -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key 11 | # sudo chmod o-r gitlab.key 12 | # Also you need to edit gitlab-shell config. 13 | # 1) Set "gitlab_url" param in gitlab-shell/config.yml to https://{{ grains['fqdn'] }} 14 | # 2) Set "ca_file" to /etc/nginx/gitlab.crt 15 | # 3) Set "self_signed_cert" to true 16 | # You also need to edit gitlab/config/gitlab.yml 17 | # 1) Define port for http "port: 443" 18 | # 2) Enable https "https: true" 19 | # 3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm" 20 | 21 | upstream gitlab { 22 | 23 | ## Uncomment if you have set up puma/unicorn to listen on a unix socket (recommended). 24 | server unix:/home/git/gitlab/tmp/sockets/gitlab.socket; 25 | 26 | ## Uncomment if puma/unicorn are configured to listen on a tcp port. 27 | ## Check the port number in /home/git/gitlab/config/{puma.rb/unicorn.rb} 28 | # server 127.0.0.1:9292; 29 | } 30 | 31 | # This is a normal HTTP host which redirects all traffic to the HTTPS host. 32 | # Replace {{ grains['fqdn'] }} with your FQDN. 
33 | server { 34 | listen *:80; 35 | server_name {{ grains['fqdn'] }}; 36 | server_tokens off; 37 | root /nowhere; # this doesn't have to be a valid path since we are redirecting, you don't have to change it. 38 | rewrite ^ https://$server_name$request_uri permanent; 39 | } 40 | server { 41 | listen 443 ssl; 42 | server_name {{ grains['fqdn'] }}; 43 | server_tokens off; 44 | root /home/git/gitlab/public; 45 | 46 | ssl on; 47 | ssl_certificate /etc/nginx/gitlab.crt; 48 | ssl_certificate_key /etc/nginx/gitlab.key; 49 | ssl_protocols SSLv3 TLSv1 TLSv1.2; 50 | ssl_ciphers AES:HIGH:!ADH:!MD5; 51 | ssl_prefer_server_ciphers on; 52 | 53 | # individual nginx logs for this gitlab vhost 54 | access_log /var/log/nginx/gitlab_access.log; 55 | error_log /var/log/nginx/gitlab_error.log; 56 | 57 | location / { 58 | # serve static files from defined root folder;. 59 | # @gitlab is a named location for the upstream fallback, see below 60 | try_files $uri $uri/index.html $uri.html @gitlab; 61 | } 62 | 63 | # if a file, which is not found in the root folder is requested, 64 | # then the proxy pass the request to the upsteam (gitlab unicorn) 65 | location @gitlab { 66 | proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694 67 | proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694 68 | proxy_redirect off; 69 | 70 | proxy_set_header X-Forwarded-Proto https; 71 | proxy_set_header X-Forwarded-Ssl on; 72 | proxy_set_header Host $http_host; 73 | proxy_set_header X-Real-IP $remote_addr; 74 | 75 | proxy_pass http://gitlab; 76 | } 77 | } 78 | 79 | -------------------------------------------------------------------------------- /gitlab/files/gitlab-rack_attack.rb: -------------------------------------------------------------------------------- 1 | # 1. Rename this file to rack_attack.rb 2 | # 2. 
Review the paths_to_be_protected and add any other path you need protecting 3 | # NOTE(review): the throttle below keys on req.ip. For requests arriving over the local unicorn socket, Rack's ip lookup falls back to X-Forwarded-For, so the nginx vhost must set that header itself (the plain-http vhost in this formula does, the SSL vhost does not); otherwise a client can send its own value and sidestep the limit. The check is also an exact string compare on req.path, so variants the router is likely to accept anyway (trailing slash, an explicit .json suffix) are not throttled; consider normalising first, e.g. `path = req.path.sub(%r{/+\z}, '')`, and comparing that.
26 | repos_path: "/home/git/repositories" 27 | 28 | # File used as authorized_keys for gitlab user 29 | auth_file: "/home/git/.ssh/authorized_keys" 30 | 31 | # Redis settings used for pushing commit notices to gitlab 32 | redis: 33 | bin: /usr/bin/redis-cli 34 | host: 127.0.0.1 35 | port: 6379 36 | # socket: /tmp/redis.socket # Only define this if you want to use sockets 37 | namespace: resque:gitlab 38 | 39 | # Log file. 40 | # Default is gitlab-shell.log in the root directory. 41 | # log_file: "/home/git/gitlab-shell/gitlab-shell.log" 42 | 43 | # Log level. INFO by default 44 | log_level: {{ salt['pillar.get']('gitlab:shell:log_level', 'INFO') }} 45 | 46 | # Audit usernames. 47 | # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but 48 | # incurs an extra API call on every gitlab-shell command. 49 | audit_usernames: {{ salt['pillar.get']('gitlab:shell:audit_usernames', false) }} 50 | 51 | -------------------------------------------------------------------------------- /gitlab/files/gitlab-unicorn.rb: -------------------------------------------------------------------------------- 1 | # Sample verbose configuration file for Unicorn (not Rack) 2 | # 3 | # This configuration file documents many features of Unicorn 4 | # that may not be needed for some applications. See 5 | # http://unicorn.bogomips.org/examples/unicorn.conf.minimal.rb 6 | # for a much simpler configuration file. 7 | # 8 | # See http://unicorn.bogomips.org/Unicorn/Configurator.html for complete 9 | # documentation. 10 | 11 | # Uncomment and customize the last line to run in a non-root path 12 | # WARNING: We recommend creating a FQDN to host GitLab in a root path instead of this. 13 | # Note that four settings need to be changed for this to work. 
14 | # 1) In your application.rb file: config.relative_url_root = "/gitlab" 15 | # 2) In your gitlab.yml file: relative_url_root: /gitlab 16 | # 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab" 17 | # 4) In ../gitlab-shell/config.yml: gitlab_url: "http://127.0.0.1/gitlab" 18 | # To update the path, run: sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production 19 | # 20 | # ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab" 21 | 22 | # Use at least one worker per core if you're on a dedicated server, 23 | # more will usually help for _short_ waits on databases/caches. 24 | worker_processes {{ salt['pillar.get']('gitlab:unicorn:worker_processes', 2) }} 25 | 26 | # Since Unicorn is never exposed to outside clients, it does not need to 27 | # run on the standard HTTP port (80), there is no reason to start Unicorn 28 | # as root unless it's from system init scripts. 29 | # If running the master process as root and the workers as an unprivileged 30 | # user, do this to switch euid/egid in the workers (also chowns logs): 31 | # user "unprivileged_user", "unprivileged_group" 32 | 33 | # Help ensure your application will always spawn in the symlinked 34 | # "current" directory that Capistrano sets up. 35 | working_directory "/home/git/gitlab" # available in 0.94.0+ 36 | 37 | # listen on both a Unix domain socket and a TCP port, 38 | # we use a shorter backlog for quicker failover when busy 39 | listen "/home/git/gitlab/tmp/sockets/gitlab.socket", :backlog => 64 40 | listen "127.0.0.1:8080", :tcp_nopush => true 41 | 42 | # nuke workers after 30 seconds instead of 60 seconds (the default) 43 | timeout {{ salt['pillar.get']('gitlab:unicorn:timeout', 30) }} 44 | 45 | # feel free to point this anywhere accessible on the filesystem 46 | pid "/home/git/gitlab/tmp/pids/unicorn.pid" 47 | 48 | # By default, the Unicorn logger will write to stderr. 
49 | # Additionally, some applications/frameworks log to stderr or stdout, 50 | # so prevent them from going to /dev/null when daemonized here: 51 | stderr_path "/home/git/gitlab/log/unicorn.stderr.log" 52 | stdout_path "/home/git/gitlab/log/unicorn.stdout.log" 53 | 54 | # combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings 55 | # http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow 56 | preload_app true 57 | GC.respond_to?(:copy_on_write_friendly=) and 58 | GC.copy_on_write_friendly = true 59 | 60 | # Enable this flag to have unicorn test client connections by writing the 61 | # beginning of the HTTP headers before calling the application. This 62 | # prevents calling the application for connections that have disconnected 63 | # while queued. This is only guaranteed to detect clients on the same 64 | # host unicorn runs on, and unlikely to detect disconnects even on a 65 | # fast LAN. 66 | check_client_connection false 67 | 68 | before_fork do |server, worker| 69 | # the following is highly recomended for Rails + "preload_app true" 70 | # as there's no need for the master process to hold a connection 71 | defined?(ActiveRecord::Base) and 72 | ActiveRecord::Base.connection.disconnect! 73 | 74 | # The following is only recommended for memory/DB-constrained 75 | # installations. It is not needed if your system can house 76 | # twice as many worker_processes as you have configured. 77 | # 78 | # This allows a new master process to incrementally 79 | # phase out the old master process with SIGTTOU to avoid a 80 | # thundering herd (especially in the "preload_app false" case) 81 | # when doing a transparent upgrade. The last worker spawned 82 | # will then kill off the old master process with a SIGQUIT. 83 | old_pid = "#{server.config[:pid]}.oldbin" 84 | if old_pid != server.pid 85 | begin 86 | sig = (worker.nr + 1) >= server.worker_processes ? 
:QUIT : :TTOU 87 | Process.kill(sig, File.read(old_pid).to_i) 88 | rescue Errno::ENOENT, Errno::ESRCH 89 | end 90 | end 91 | # 92 | # Throttle the master from forking too quickly by sleeping. Due 93 | # to the implementation of standard Unix signal handlers, this 94 | # helps (but does not completely) prevent identical, repeated signals 95 | # from being lost when the receiving process is busy. 96 | # sleep 1 97 | end 98 | 99 | after_fork do |server, worker| 100 | # per-process listener ports for debugging/admin/migrations 101 | # addr = "127.0.0.1:#{9293 + worker.nr}" 102 | # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true) 103 | 104 | # the following is *required* for Rails + "preload_app true", 105 | defined?(ActiveRecord::Base) and 106 | ActiveRecord::Base.establish_connection 107 | 108 | # if preload_app is true, then you may also want to check and 109 | # restart any other shared sockets/descriptors such as Memcached, 110 | # and Redis. TokyoCabinet file handles are safe to reuse 111 | # between any number of forked children (assuming your kernel 112 | # correctly implements pread()/pwrite() system calls) 113 | end 114 | 115 | -------------------------------------------------------------------------------- /gitlab/gitlab-shell.sls: -------------------------------------------------------------------------------- 1 | include: 2 | - gitlab.user 3 | - gitlab.ruby 4 | 5 | gitlab-shell-git: 6 | git.latest: 7 | - name: https://gitlab.com/gitlab-org/gitlab-shell.git 8 | - rev: {{ salt['pillar.get']('gitlab:shell_version') }} 9 | - target: /home/git/gitlab-shell 10 | - user: git 11 | - require: 12 | - pkg: gitlab-deps 13 | - pkg: git 14 | - sls: gitlab.ruby 15 | - file: git-home 16 | 17 | # https://gitlab.com/gitlab-org/gitlab-shell/blob/master/config.yml.example 18 | gitlab-shell-config: 19 | file.managed: 20 | - name: /home/git/gitlab-shell/config.yml 21 | - source: salt://gitlab/files/gitlab-shell-config.yml 22 | - template: jinja 23 | - user: 
git 24 | - group: git 25 | - mode: 644 26 | - require: 27 | - git: gitlab-shell-git 28 | 29 | gitlab-shell: 30 | cmd.wait: 31 | - user: git 32 | - cwd: /home/git/gitlab-shell 33 | - name: ./bin/install 34 | - shell: /bin/bash 35 | - watch: 36 | - git: gitlab-shell-git 37 | - require: 38 | - file: gitlab-shell-config 39 | -------------------------------------------------------------------------------- /gitlab/gitlab.sls: -------------------------------------------------------------------------------- 1 | include: 2 | - gitlab.ruby 3 | 4 | gitlab-git: 5 | git.latest: 6 | - name: https://gitlab.com/gitlab-org/gitlab-ce.git 7 | - rev: {{ salt['pillar.get']('gitlab:gitlab_version') }} 8 | - user: git 9 | - target: /home/git/gitlab 10 | - require: 11 | - pkg: gitlab-deps 12 | - pkg: git 13 | - sls: gitlab.ruby 14 | - cmd: gitlab-shell 15 | - user: git-user 16 | 17 | # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example 18 | gitlab-config: 19 | file.managed: 20 | - name: /home/git/gitlab/config/gitlab.yml 21 | - source: salt://gitlab/files/gitlab-gitlab.yml 22 | - template: jinja 23 | - user: git 24 | - group: git 25 | - mode: 640 26 | - require: 27 | - git: gitlab-git 28 | - user: git-user 29 | 30 | # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/database.yml.postgresql 31 | gitlab-db-config: 32 | file.managed: 33 | - name: /home/git/gitlab/config/database.yml 34 | - source: salt://gitlab/files/gitlab-database.yml 35 | - template: jinja 36 | - user: git 37 | - group: git 38 | - mode: 640 39 | - require: 40 | - git: gitlab-git 41 | - user: git-user 42 | 43 | # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/unicorn.rb.example 44 | unicorn-config: 45 | file.managed: 46 | - name: /home/git/gitlab/config/unicorn.rb 47 | - source: salt://gitlab/files/gitlab-unicorn.rb 48 | - template: jinja 49 | - user: git 50 | - group: git 51 | - mode: 640 52 | - require: 53 | - git: gitlab-git 54 | - user: git-user 55 | 56 | # 
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/rack_attack.rb.example 57 | rack_attack-config: 58 | file.managed: 59 | - name: /home/git/gitlab/config/initializers/rack_attack.rb 60 | - source: salt://gitlab/files/gitlab-rack_attack.rb 61 | - user: git 62 | - group: git 63 | - mode: 640 64 | - require: 65 | - git: gitlab-git 66 | - user: git-user 67 | 68 | git-config: 69 | file.managed: 70 | - name: /home/git/.gitconfig 71 | - source: salt://gitlab/files/gitlab-gitconfig 72 | - template: jinja 73 | - user: git 74 | - group: git 75 | - mode: 640 76 | - require: 77 | - user: git-user 78 | 79 | {% for dir in ['gitlab-satellites', 'gitlab/tmp/pids', 'gitlab/tmp/sockets', 'gitlab/public/uploads'] %} 80 | /home/git/{{ dir }}: 81 | file.directory: 82 | - user: git 83 | - group: git 84 | - mode: 750 85 | - require: 86 | - user: git-user 87 | - git: gitlab-git 88 | {% endfor %} 89 | 90 | gitlab-initialize: 91 | cmd.wait: 92 | - user: git 93 | - cwd: /home/git/gitlab 94 | - name: echo yes | bundle exec rake gitlab:setup RAILS_ENV=production 95 | - shell: /bin/bash 96 | - unless: psql -U {{ salt['pillar.get']('gitlab:db_user') }} {{ salt['pillar.get']('gitlab:db_name') }} -c 'select * from users;' 97 | - watch: 98 | - git: gitlab-git 99 | - require: 100 | - cmd: gitlab-gems 101 | - postgres_database: gitlab-db 102 | 103 | # When code changes, trigger upgrade procedure 104 | # Based on https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/upgrader.rb 105 | gitlab-gems: 106 | cmd.wait: 107 | - user: git 108 | - cwd: /home/git/gitlab 109 | - name: bundle install --deployment --without development test mysql aws 110 | - shell: /bin/bash 111 | - watch: 112 | - git: gitlab-git 113 | - require: 114 | - file: gitlab-db-config 115 | - file: gitlab-config 116 | - file: unicorn-config 117 | - file: rack_attack-config 118 | - sls: gitlab.ruby 119 | 120 | gitlab-migrate-db: 121 | cmd.wait: 122 | - user: git 123 | - cwd: /home/git/gitlab 124 | - name: 
bundle exec rake db:migrate RAILS_ENV=production 125 | - shell: /bin/bash 126 | - watch: 127 | - git: gitlab-git 128 | - require: 129 | - cmd: gitlab-gems 130 | - cmd: gitlab-initialize 131 | - postgres_database: gitlab-db 132 | 133 | gitlab-recompile-assets: 134 | cmd.wait: 135 | - user: git 136 | - cwd: /home/git/gitlab 137 | - name: bundle exec rake assets:clean assets:precompile RAILS_ENV=production 138 | - shell: /bin/bash 139 | - watch: 140 | - git: gitlab-git 141 | - require: 142 | - cmd: gitlab-migrate-db 143 | 144 | gitlab-clear-cache: 145 | cmd.wait: 146 | - user: git 147 | - cwd: /home/git/gitlab 148 | - name: bundle exec rake cache:clear RAILS_ENV=production 149 | - shell: /bin/bash 150 | - watch: 151 | - git: gitlab-git 152 | - require: 153 | - cmd: gitlab-recompile-assets 154 | 155 | # Needed to be able to update tree via git 156 | gitlab-stash: 157 | cmd.wait: 158 | - user: git 159 | - cwd: /home/git/gitlab 160 | - name: git stash 161 | - watch: 162 | - git: gitlab-git 163 | - require: 164 | - cmd: gitlab-clear-cache 165 | 166 | # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/init.d/gitlab.default.example 167 | gitlab-default: 168 | file.managed: 169 | - name: /etc/default/gitlab 170 | - source: salt://gitlab/files/gitlab-default 171 | - template: jinja 172 | - user: root 173 | - group: root 174 | - mode: 644 175 | 176 | gitlab-service: 177 | file.symlink: 178 | - name: /etc/init.d/gitlab 179 | - target: /home/git/gitlab/lib/support/init.d/gitlab 180 | - require: 181 | - git: gitlab-git 182 | service: 183 | - name: gitlab 184 | - running 185 | - enable: True 186 | - require: 187 | - cmd: gitlab-initialize 188 | - watch: 189 | - git: gitlab-git 190 | - cmd: gitlab-clear-cache 191 | - file: gitlab-config 192 | - file: gitlab-db-config 193 | - file: gitlab-default 194 | - file: gitlab-service 195 | - file: rack_attack-config 196 | - file: unicorn-config 197 | 198 | # 
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/logrotate/gitlab 199 | gitlab-logwatch: 200 | file.managed: 201 | - name: /etc/logrotate.d/gitlab 202 | - source: salt://gitlab/files/gitlab-logrotate 203 | - user: root 204 | - group: root 205 | - mode: 644 206 | -------------------------------------------------------------------------------- /gitlab/init.sls: -------------------------------------------------------------------------------- 1 | include: 2 | - postgresql 3 | {% if grains['os_family'] == 'RedHat' %} 4 | - gitlab.repos 5 | {% endif %} 6 | - gitlab.packages 7 | - redis 8 | - gitlab.postgresql 9 | - gitlab.user 10 | - gitlab.ruby 11 | - gitlab.gitlab-shell 12 | - gitlab.gitlab 13 | - gitlab.nginx 14 | -------------------------------------------------------------------------------- /gitlab/map.jinja: -------------------------------------------------------------------------------- 1 | # vim: sts=2 ts=2 sw=2 et ai 2 | {% set gitlab = salt['grains.filter_by']({ 3 | 'Debian': { 4 | 'runner':{ 5 | 'username': 'gitlab-runner', 6 | 'home': '/home/gitlab-runner', 7 | 'executor': 'shell', 8 | } 9 | }, 10 | 'default': { 11 | 'runner':{ 12 | 'username': 'gitlab-runner', 13 | 'downloadpath': 'https://packages.gitlab.com/runner/gitlab-runner/packages/linuxmint/sonya/gitlab-runner_10.4.0_amd64.deb/download', 14 | 'home': '/home/gitlab-runner', 15 | 'executor': 'shell', 16 | } 17 | }, 18 | }, merge=salt['pillar.get']('gitlab')) %} 19 | -------------------------------------------------------------------------------- /gitlab/nginx.sls: -------------------------------------------------------------------------------- 1 | {% if grains['os_family'] == 'Debian' %} 2 | {% set nginx_user = 'www-data' %} 3 | {% set nginx_path = '/etc/nginx/sites-enabled' %} 4 | {% elif grains['os_family'] == 'RedHat' %} 5 | {% set nginx_user = 'nginx' %} 6 | {% set nginx_path = '/etc/nginx/conf.d' %} 7 | {% endif %} 8 | 9 | install_nginx_gitlab: 10 | pkg.installed: 11 | - name: 
nginx 12 | 13 | ensure_nginx_service_running: 14 | service.running: 15 | - enable: True 16 | - require: 17 | - pkg: nginx 18 | - user: nginx 19 | - watch: 20 | - file: gitlab-nginx 21 | 22 | Remove_default_nginx_file: 23 | file.absent: 24 | - name: {{ nginx_path }}/default.conf 25 | 26 | Create_nginx_user: 27 | user.present: 28 | - name: {{ nginx_user }} 29 | - groups: 30 | - git 31 | - require: 32 | - pkg: nginx 33 | 34 | {%- if salt['pillar.get']('gitlab:https', false) %} 35 | 36 | # https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl 37 | gitlab-nginx: 38 | file.managed: 39 | - name: {{ nginx_path }}/gitlab.conf 40 | - source: salt://gitlab/files/gitlab-nginx-ssl 41 | - template: jinja 42 | - user: root 43 | - group: root 44 | - mode: 644 45 | - require: 46 | - pkg: nginx 47 | - file: nginx-ssl-key 48 | - file: nginx-ssl-cert 49 | 50 | nginx-ssl-key: 51 | file.managed: 52 | - name: /etc/nginx/gitlab.key 53 | - user: root 54 | - group: {{ nginx_user }} 55 | - mode: 640 56 | - contents_pillar: gitlab:ssl_key 57 | - watch_in: 58 | - service: nginx 59 | 60 | nginx-ssl-cert: 61 | file.managed: 62 | - name: /etc/nginx/gitlab.crt 63 | - user: root 64 | - group: {{ nginx_user }} 65 | - mode: 644 66 | - contents_pillar: gitlab:ssl_cert 67 | - watch_in: 68 | - service: nginx 69 | 70 | {% else %} 71 | 72 | # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab 73 | gitlab-nginx: 74 | file.managed: 75 | - name: {{ nginx_path }}/gitlab.conf 76 | - source: salt://gitlab/files/gitlab-nginx 77 | - template: jinja 78 | - user: root 79 | - group: root 80 | - mode: 644 81 | - require: 82 | - pkg: nginx 83 | 84 | {% endif %} 85 | 86 | -------------------------------------------------------------------------------- /gitlab/packages.sls: -------------------------------------------------------------------------------- 1 | include: 2 | - git 3 | 4 | gitlab-deps: 5 | pkg.installed: 6 | {% if grains['os_family'] == 'RedHat' %} 7 | 
- pkgs: 8 | - autoconf 9 | - automake 10 | - binutils 11 | - bison 12 | - byacc 13 | - crontabs 14 | - cscope 15 | - ctags 16 | - cvs 17 | - db4-devel 18 | - diffstat 19 | - doxygen 20 | - elfutils 21 | - expat-devel 22 | - flex 23 | - gcc 24 | - gcc-c++ 25 | - gcc-gfortran 26 | - gdbm-devel 27 | - gettext 28 | - git 29 | - glibc-devel 30 | - indent 31 | - intltool 32 | - libffi 33 | - libffi-devel 34 | - libicu 35 | - libicu-devel 36 | - libcurl-devel 37 | - libtool 38 | - libxml2 39 | - libxml2-devel 40 | - libxslt 41 | - libxslt-devel 42 | - libyaml 43 | - libyaml-devel 44 | - logrotate 45 | - logwatch 46 | - make 47 | - ncurses-devel 48 | - openssl-devel 49 | - patch 50 | - patchutils 51 | - perl-Time-HiRes 52 | - pkgconfig 53 | - postgresql-devel 54 | - python-devel 55 | - rcs 56 | - readline 57 | - readline-devel 58 | - redhat-rpm-config 59 | - redis 60 | - rpm-build 61 | - sqlite-devel 62 | - subversion 63 | - sudo 64 | - swig 65 | - system-config-firewall-tui 66 | - systemtap 67 | - tcl-devel 68 | - vim-enhanced 69 | - wget 70 | - require: 71 | - pkgrepo: PUIAS_6_computational 72 | {% elif grains['os_family'] == 'Debian' %} 73 | - pkgs: 74 | - build-essential 75 | - checkinstall 76 | - curl 77 | - libcurl4-openssl-dev 78 | - libffi-dev 79 | - libgdbm-dev 80 | - libicu-dev 81 | - libncurses5-dev 82 | - libreadline-dev 83 | - libssl-dev 84 | - libxml2-dev 85 | - libxslt1-dev 86 | - libyaml-dev 87 | - logrotate 88 | - openssh-server 89 | - python 90 | - python-docutils 91 | - redis-server 92 | - zlib1g-dev 93 | {% if salt['pillar.get']('gitlab:db_engine', 'postgresql') == 'postgresql' %} 94 | - libpq-dev 95 | {% endif %} 96 | {% endif %} 97 | 98 | {% if salt['pillar.get']('gitlab:use_rvm', False) %} 99 | rvm-deps: 100 | pkg.installed: 101 | - pkgs: 102 | {% if grains['os_family'] == 'RedHat' %} 103 | - bash 104 | - bzip2 105 | - coreutils 106 | - curl 107 | - gawk 108 | - gzip 109 | - libtool 110 | - sed 111 | - zlib 112 | - zlib-devel 113 | {% endif %} 114 | 
{% endif %} 115 | -------------------------------------------------------------------------------- /gitlab/postgresql.sls: -------------------------------------------------------------------------------- 1 | include: 2 | - postgresql 3 | 4 | gitlab-db: 5 | postgres_user.present: 6 | - name: {{ salt['pillar.get']('gitlab:db_user') }} 7 | - password: {{ salt['pillar.get']('gitlab:db_pass') }} 8 | - require: 9 | - pkg: postgresql-server 10 | - service: postgresql-server 11 | postgres_database.present: 12 | - name: {{ salt['pillar.get']('gitlab:db_name') }} 13 | - owner: {{ salt['pillar.get']('gitlab:db_user') }} 14 | - template: template1 15 | - require: 16 | - file: gitlab-service 17 | - pkg: postgresql-server 18 | - service: postgresql-server 19 | - postgres_user: gitlab-db 20 | -------------------------------------------------------------------------------- /gitlab/repos.sls: -------------------------------------------------------------------------------- 1 | {% if grains['os_family'] == 'RedHat' %} 2 | # https://github.com/gitlabhq/gitlab-recipes/tree/master/install/centos 3 | PUIAS_6_computational: 4 | pkgrepo.managed: 5 | - humanname: PUIAS computational Base $releasever - $basearch 6 | - gpgcheck: 1 7 | - gpgkey: http://springdale.math.ias.edu/data/puias/6/x86_64/os/RPM-GPG-KEY-puias 8 | - mirrorlist: http://puias.math.ias.edu/data/puias/computational/$releasever/$basearch/mirrorlist 9 | 10 | 11 | 12 | {% if not salt['pillar.get']('gilab:use_rvm', false) %} 13 | include: 14 | - gitlab.ruby 15 | 16 | ruby-scl: 17 | pkgrepo.managed: 18 | - humanname: Ruby 1.9.3 Dynamic Software Collection 19 | - gpgcheck: 0 20 | - baseurl: http://people.redhat.com/bkabrda/ruby193-rhel-6/ 21 | - require_in: 22 | - pkg: gitlab-ruby 23 | {% endif %} 24 | {% endif %} 25 | -------------------------------------------------------------------------------- /gitlab/ruby.sls: -------------------------------------------------------------------------------- 1 | gitlab-ruby: 2 | {% if 
salt['pillar.get']('gitlab:use_rvm', false) %} 3 | rvm.installed: 4 | - name: ruby-{{ salt['pillar.get']('gitlab:rvm_ruby', '2.1.0') }} 5 | - default: True 6 | - user: git 7 | - require: 8 | - user: git-user 9 | - pkg: rvm-deps 10 | gem.installed: 11 | - user: git 12 | - ruby: ruby-2.1.0 13 | - require: 14 | - rvm: gitlab-ruby 15 | {% else %} 16 | {% if grains['os_family'] == 'Debian' %} 17 | pkg.installed: 18 | - pkgs: 19 | - ruby 20 | - ruby-dev 21 | gem.installed: 22 | - name: bundler 23 | - require: 24 | - pkg: gitlab-ruby 25 | {% elif grains['os_family'] == 'RedHat' %} 26 | pkg.installed: 27 | - pkgs: 28 | - ruby193-ruby 29 | - ruby193-ruby-devel 30 | - ruby193-rubygem-bundler 31 | {% endif %} 32 | {% endif %} 33 | -------------------------------------------------------------------------------- /gitlab/runner.sls: -------------------------------------------------------------------------------- 1 | # vim: sts=2 ts=2 sw=2 et ai 2 | # 3 | {% from "gitlab/map.jinja" import gitlab with context %} 4 | 5 | {% if grains['os_family'] == 'Debian' %} 6 | gitlab-runner repo: 7 | pkgrepo.managed: 8 | - humanname: gitlab-runner debian repo 9 | - file: /etc/apt/sources.list.d/gitlab-runner.list 10 | - name: deb https://packages.gitlab.com/runner/gitlab-runner/{{ grains['os']|lower }}/ {{ grains['oscodename'] }} main 11 | - key_url: https://packages.gitlab.com/runner/gitlab-runner/gpgkey 12 | - require_in: 13 | - pkg: gitlab-install_pkg 14 | 15 | gitlab-install_pkg: 16 | pkg.installed: 17 | - name: gitlab-runner 18 | {% else %} 19 | gitlab-install_pkg: 20 | pkg.installed: 21 | - sources: 22 | - gitlab-runner: {{gitlab.runner.downloadpath}} 23 | {% endif %} 24 | 25 | gitlab-create_group: 26 | group.present: 27 | - name: "gitlab-runner" 28 | - system: True 29 | - require: 30 | - pkg: gitlab-install_pkg 31 | 32 | gitlab-install_runserver_create_user: 33 | user.present: 34 | - name: {{gitlab.runner.username}} 35 | - shell: /bin/false 36 | - home: {{gitlab.runner.home}} 37 | - 
groups: 38 | - gitlab-runner 39 | - require: 40 | - group: gitlab-create_group 41 | 42 | gitlab-install_runserver3: 43 | cmd.run: 44 | - name: "CI_SERVER_URL='{{gitlab.runner.url}}' REGISTRATION_TOKEN='{{gitlab.runner.token}}' RUNNER_EXECUTOR='{{gitlab.runner.executor}}' /usr/bin/gitlab-runner register --non-interactive" 45 | - creates: /etc/gitlab-runner/config.toml 46 | - require: 47 | - user: gitlab-install_runserver_create_user 48 | 49 | gitlab-runner: 50 | service.running: 51 | - enable: True 52 | - require: 53 | - pkg: gitlab-install_pkg 54 | - cmd: gitlab-install_runserver3 55 | -------------------------------------------------------------------------------- /gitlab/user.sls: -------------------------------------------------------------------------------- 1 | git-user: 2 | user.present: 3 | - name : git 4 | - system: True 5 | - shell: /bin/bash 6 | - fullname: GitLab 7 | - home: /home/git 8 | 9 | git-home: 10 | file.directory: 11 | - name: /home/git 12 | - user: git 13 | - group: git 14 | - mode: 750 15 | - require: 16 | - user: git 17 | -------------------------------------------------------------------------------- /pillar.example: -------------------------------------------------------------------------------- 1 | gitlab: 2 | use_rvm: False 3 | rvm_ruby: 2.1.0 4 | shell_version: v1.8.0 5 | gitlab_version: 6-5-stable 6 | db_engine: postgresql 7 | db_name: 'gitlabhq_production' 8 | db_user: 'git' 9 | db_pass: 'MyVerySecretGitLabPassword' 10 | gravatar: 11 | enabled: false 12 | ldap: 13 | enabled: false 14 | host: '_your_ldap_server_' 15 | base: '_the_base_where_you_search_for_users' 16 | port: 636 17 | uid: 'sAMAccountName' 18 | method: 'ssl' # "ssl" or "plain" 19 | bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' 20 | password: '_the_password_of_the_bind_user' 21 | allow_username_or_email_login: true 22 | omniauth: 23 | enabled: false 24 | allow_single_sign_on: false 25 | block_auto_created_users: true 26 | shell: 27 | audit_usernames: false 28 | 
log_level: INFO 29 | self_signed_cert: false 30 | #ca_file: /etc/ssl/cert.pem 31 | {% if grains['os_family'] == 'RedHat' %} 32 | ca_file: /etc/pki/tls/certs/ca.crt 33 | {% elif grains['os_family'] == 'Debian' %} 34 | ca_file: /etc/ssl/certs/ca.crt 35 | {% endif %} 36 | #ca_path: /etc/pki/tls/certs 37 | #{% if grains['os_family'] == 'RedHat' %} 38 | #ca_path: /etc/pki/tls/certs 39 | #{% elif grains['os_family'] == 'Debian' %} 40 | #ca_path: /etc/ssl/certs 41 | #{% endif %} 42 | 43 | unicorn: 44 | worker_processes: 2 45 | timeout: 30 46 | https: True 47 | ssl_key: | 48 | -----BEGIN PRIVATE KEY----- 49 | ABC= 50 | -----END PRIVATE KEY----- 51 | ssl_cert: | 52 | -----BEGIN CERTIFICATE----- 53 | ABC= 54 | -----END CERTIFICATE----- 55 | 56 | #runner 57 | runner: 58 | downloadpath: "https://packages.gitlab.com/runner/gitlab-runner/packages/linuxmint/sonya/gitlab-runner_10.4.0_{{ grains['osarch'] }}.deb/download" 59 | username: "gitlab-runner" 60 | # default: gitlab-runner 61 | url: "url gitlab-ci" # MANDATORY 62 | token: "token gitlab-ci" # MANDATORY 63 | home: /home/gitlab-runner 64 | executor: shell 65 | --------------------------------------------------------------------------------