Notes:
Default admin account has been configured with following details:
Username: root
Password: You didn't opt-in to print initial root password to STDOUT.
Password stored to /etc/gitlab/initial_root_password. This file will be cleaned up in first reconfigure run after 24 hours.
NOTE: Because these credentials might be present in your log files in plain text, it is highly recommended to reset the password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.
gitlab Reconfigured!
*. *.
*** ***
***** *****
.****** *******
******** ********
,,,,,,,,,***********,,,,,,,,,
,,,,,,,,,,,*********,,,,,,,,,,,
.,,,,,,,,,,,*******,,,,,,,,,,,,
,,,,,,,,,*****,,,,,,,,,.
,,,,,,,****,,,,,,
.,,,***,,,,
,*,.
_______ __ __ __
/ ____(_) /_/ / ____ _/ /_
/ / __/ / __/ / / __ `/ __ \
/ /_/ / / /_/ /___/ /_/ / /_/ /
\____/_/\__/_____/\__,_/_.___/
Thank you for installing GitLab!
GitLab should be available at https://git.example.com
For a comprehensive list of configuration options please see the Omnibus GitLab readme
https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md
Help us improve the installation experience, let us know how we did with a 1 minute survey:
https://gitlab.fra1.qualtrics.com/jfe/form/SV_6kVqZANThUQ1bZb?installation=omnibus&release=17-11
Verifying : libatomic-14.2.1-7.amzn2023.0.1.aarch64 1/2
Verifying : gitlab-ee-17.11.1-ee.0.amazon2023.aarch64 2/2
Installed:
gitlab-ee-17.11.1-ee.0.amazon2023.aarch64 libatomic-14.2.1-7.amzn2023.0.1.aarch64
Complete!
# cat /etc/gitlab/initial_root_password# WARNING: This value is valid only in the following conditions# 1. If provided manually (either via `GITLAB_ROOT_PASSWORD` environment variable or via `gitlab_rails['initial_root_password']` setting in `gitlab.rb`, it was provided before database was seeded for the first time (usually, the first reconfigure run).# 2. Password hasn't been changed manually, either via UI or via command line.## If the password shown here doesn't work, you must reset the admin password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.
Password: 0123456789ABCDEF0123456789ABCDEF0123456789AB
# NOTE: This file will be automatically deleted in the first reconfigure run after 24 hours.
インストール時に EXTERNAL_URL として指定した URL へ Web ブラウザでアクセスします (今回の例では gitlab.example.com)。 すると以下のようなフォームが表示されます。
## GitLab configuration settings##! This file is generated during initial installation and **is not** modified##! during upgrades.##! Check out the latest version of this file to know about the different##! settings that can be configured, when they were introduced and why:##! https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template##! Locally, the complete template corresponding to the installed version can be found at:##! /opt/gitlab/etc/gitlab.rb.template##! You can run `gitlab-ctl diff-config` to compare the contents of the current gitlab.rb with##! the gitlab.rb.template from the currently running version.##! You can run `gitlab-ctl show-config` to display the configuration that will be generated by##! running `gitlab-ctl reconfigure`##! In general, the values specified here should reflect what the default value of the attribute will be.##! There are instances where this behavior is not possible or desired. For example, when providing passwords,##! or connecting to third party services.##! In those instances, we endeavour to provide an example configuration.## GitLab URL##! URL on which GitLab will be reachable.##! For more details on configuring external_url see:##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab##!##! Note: During installation/upgrades, the value of the environment variable##! EXTERNAL_URL will be used to populate/replace this value.##! On AWS EC2 instances, we also attempt to fetch the public hostname/IP##! address from AWS. For more details, see:##! https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.htmlexternal_url'https://gitlab.example.com'## Roles for multi-instance GitLab##! The default is to have no roles enabled, which results in GitLab running as an all-in-one instance.##! Options:##! application_role##! redis_sentinel_role##! redis_master_role##! redis_replica_role##! monitoring_role##! geo_primary_role##! geo_secondary_role##! postgres_role##! patroni_role##! consul_role##! pgbouncer_role##! pages_role##! sidekiq_role##! spamcheck_role##! gitaly_role##! For more details on each role, see:##! https://docs.gitlab.com/omnibus/roles/index.html#roles##!# roles ['redis_sentinel_role', 'redis_master_role']## Legend##! The following notations at the beginning of each line may be used to##! differentiate between components of this file and to easily select them using##! a regex.##! ## Titles, subtitles etc##! ##! More information - Description, Docs, Links, Issues etc.##! Configuration settings have a single # followed by a single space at the##! beginning; Remove them to enable the setting.##! **Configuration settings below are optional.**################################################################################################################################################################## Configuration Settings for GitLab CE and EE #################################################################################################################################################################################################################################################### gitlab.yml configuration##! Docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md################################################################################# gitlab_rails['enable'] = true # do not disable unless explicitly told to do so in docs# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com'# gitlab_rails['gitlab_ssh_user'] = ''# gitlab_rails['time_zone'] = 'UTC'### Rails asset / CDN host###! Defines a url for a host/cdn to use for the Rails assets###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#set-a-content-delivery-network-url# gitlab_rails['cdn_host'] = 'https://mycdnsubdomain.fictional-cdn.com'### Request duration###! Tells the rails application how long it has to complete a request###! This value needs to be lower than the worker timeout set in puma.###! By default, we'll allow 95% of the the worker timeout# gitlab_rails['max_request_duration_seconds'] = 57### GitLab email server settings###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html###! **Use smtp instead of sendmail/postfix.**# gitlab_rails['smtp_enable'] = true# gitlab_rails['smtp_address'] = "smtp.server"# gitlab_rails['smtp_port'] = 465# gitlab_rails['smtp_user_name'] = "smtp user"# gitlab_rails['smtp_password'] = "smtp password"# gitlab_rails['smtp_domain'] = "example.com"# gitlab_rails['smtp_authentication'] = "login"# gitlab_rails['smtp_enable_starttls_auto'] = true# gitlab_rails['smtp_tls'] = false# gitlab_rails['smtp_pool'] = false###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**###! Docs: http://api.rubyonrails.org/classes/ActionMailer/Base.html# gitlab_rails['smtp_openssl_verify_mode'] = 'none'# gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"### Email Settings# gitlab_rails['gitlab_email_enabled'] = true###! If your SMTP server does not like the default 'From: gitlab@gitlab.example.com'###! can change the 'From' with this setting.# gitlab_rails['gitlab_email_from'] = 'example@example.com'# gitlab_rails['gitlab_email_display_name'] = 'Example'# gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com'# gitlab_rails['gitlab_email_subject_suffix'] = ''# gitlab_rails['gitlab_email_smime_enabled'] = false# gitlab_rails['gitlab_email_smime_key_file'] = '/etc/gitlab/ssl/gitlab_smime.key'# gitlab_rails['gitlab_email_smime_cert_file'] = '/etc/gitlab/ssl/gitlab_smime.crt'# gitlab_rails['gitlab_email_smime_ca_certs_file'] = '/etc/gitlab/ssl/gitlab_smime_cas.crt'### GitLab user privileges# gitlab_rails['gitlab_username_changing_enabled'] = true### Default Theme###! Available values:###! `1` for Indigo###! `2` for Dark###! `3` for Light###! `4` for Blue###! `5` for Green###! `6` for Light Indigo###! `7` for Light Blue###! `8` for Light Green###! `9` for Red###! `10` for Light Red# gitlab_rails['gitlab_default_theme'] = 2### Default Color Mode### Available values:##! `1` for Light mode##! `2` for Dark mode##! `3` for Auto (follow system preferences)# gitlab_rails['gitlab_default_color_mode'] = 1### Custom html header tags###! See https://docs.gitlab.com/ee/administration/custom_html_header_tags.html for more###! In some cases some custom header tags are needed###! e.g., to add the EU cookie consent###! Tip: you must add the externals source to the content_security_policy as###! well, typically the script_src and style_src.# gitlab_rails['custom_html_header_tags'] = nil### Default project feature settings# gitlab_rails['gitlab_default_projects_features_issues'] = true# gitlab_rails['gitlab_default_projects_features_merge_requests'] = true# gitlab_rails['gitlab_default_projects_features_wiki'] = true# gitlab_rails['gitlab_default_projects_features_snippets'] = true# gitlab_rails['gitlab_default_projects_features_builds'] = true# gitlab_rails['gitlab_default_projects_features_container_registry'] = true### Automatic issue closing###! See https://docs.gitlab.com/ee/administration/issue_closing_pattern.html for more###! information about this pattern.# gitlab_rails['gitlab_issue_closing_pattern'] = "\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)"### Download location###! When a user clicks e.g. 'Download zip' on a project, a temporary zip file###! is created in the following directory.###! Should not be the same path, or a sub directory of any of the `gitaly['configuration'].storage` paths.# gitlab_rails['gitlab_repository_downloads_path'] = 'tmp/repositories'### Gravatar Settings# gitlab_rails['gravatar_plain_url'] = 'http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'# gitlab_rails['gravatar_ssl_url'] = 'https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'### Auxiliary jobs###! Periodically executed jobs, to self-heal Gitlab, do external###! synchronizations, etc.###! Docs: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job###! https://docs.gitlab.com/ee/ci/yaml/index.html#artifactsexpire_in# gitlab_rails['stuck_ci_jobs_worker_cron'] = "0 0 * * *"# gitlab_rails['expire_build_artifacts_worker_cron'] = "*/7 * * * *"# gitlab_rails['environments_auto_stop_cron_worker_cron'] = "24 * * * *"# gitlab_rails['pipeline_schedule_worker_cron'] = "19 * * * *"# gitlab_rails['ci_archive_traces_cron_worker_cron'] = "17 * * * *"# gitlab_rails['repository_check_worker_cron'] = "20 * * * *"# gitlab_rails['admin_email_worker_cron'] = "0 0 * * 0"# gitlab_rails['personal_access_tokens_expiring_worker_cron'] = "0 1 * * *"# gitlab_rails['personal_access_tokens_expired_notification_worker_cron'] = "0 2 * * *"# gitlab_rails['repository_archive_cache_worker_cron'] = "0 * * * *"# gitlab_rails['pages_domain_verification_cron_worker'] = "*/15 * * * *"# gitlab_rails['pages_domain_ssl_renewal_cron_worker'] = "*/10 * * * *"# gitlab_rails['pages_domain_removal_cron_worker'] = "47 0 * * *"# gitlab_rails['remove_unaccepted_member_invites_cron_worker'] = "10 15 * * *"# gitlab_rails['schedule_migrate_external_diffs_worker_cron'] = "15 * * * *"# gitlab_rails['ci_platform_metrics_update_cron_worker'] = '47 9 * * *'# gitlab_rails['analytics_usage_trends_count_job_trigger_worker_cron'] = "50 23 */1 * *"# gitlab_rails['member_invitation_reminder_emails_worker_cron'] = "0 0 * * *"# gitlab_rails['user_status_cleanup_batch_worker_cron'] = "* * * * *"# gitlab_rails['namespaces_in_product_marketing_emails_worker_cron'] = "0 9 * * *"# gitlab_rails['ssh_keys_expired_notification_worker_cron'] = "0 2 * * *"# gitlab_rails['ssh_keys_expiring_soon_notification_worker_cron'] = "0 1 * * *"# gitlab_rails['loose_foreign_keys_cleanup_worker_cron'] = "*/5 * * * *"# gitlab_rails['ci_runner_versions_reconciliation_worker_cron'] = "@daily"# gitlab_rails['ci_runners_stale_machines_cleanup_worker_cron'] = "36 * * * *"# gitlab_rails['ci_catalog_resources_process_sync_events_worker_cron'] = "*/1 * * * *"# gitlab_rails['ci_click_house_finished_pipelines_sync_worker_cron'] = "*/4 * * * *"# gitlab_rails['ci_click_house_finished_pipelines_sync_worker_args'] = [1]### Webhook Settings###! Number of seconds to wait for HTTP response after sending webhook HTTP POST###! request (default: 10)# gitlab_rails['webhook_timeout'] = 10### HTTP client settings###! This is for setting up the mutual TLS client cert and password for the certificate file.# gitlab_rails['http_client']['tls_client_cert_file'] = nil# gitlab_rails['http_client']['tls_client_cert_password'] = nil### GraphQL Settings###! Tells the rails application how long it has to complete a GraphQL request.###! We suggest this value to be higher than the database timeout value###! and lower than the worker timeout set in puma. (default: 30)# gitlab_rails['graphql_timeout'] = 30### Trusted proxies###! Customize if you have GitLab behind a reverse proxy which is running on a###! different machine.###! **Add the IP address for your reverse proxy to the list, otherwise users###! will appear signed in from that address.**# gitlab_rails['trusted_proxies'] = []### Content Security Policy###! Customize if you want to enable the Content-Security-Policy header, which###! can help thwart JavaScript cross-site scripting (XSS) attacks.###! See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP# gitlab_rails['content_security_policy'] = {# 'enabled' => false,# 'report_only' => false,# # Each directive is a String (e.g. "'self'").# # This section only needs to be set if you need custom CSP directives# # See https://docs.gitlab.com/omnibus/settings/configuration.html#set-a-content-security-policy# 'directives' => {# 'base_uri' => nil,# 'child_src' => nil,# 'connect_src' => nil,# 'default_src' => nil,# 'font_src' => nil,# 'form_action' => nil,# 'frame_ancestors' => nil,# 'frame_src' => nil,# 'img_src' => nil,# 'manifest_src' => nil,# 'media_src' => nil,# 'object_src' => nil,# 'script_src' => nil,# 'style_src' => nil,# 'worker_src' => nil,# 'report_uri' => nil,# }# }### Allowed hosts###! Customize the `host` headers that should be catered by the Rails###! application. By default, everything is allowed.# gitlab_rails['allowed_hosts'] = []### Monitoring settings###! IP whitelist controlling access to monitoring endpoints# gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128']### Shutdown settings###! Defines an interval to block healthcheck,###! but continue accepting application requests.# gitlab_rails['shutdown_blackout_seconds'] = 10### Microsoft Graph Mailer###! Allows delivery of emails using Microsoft Graph API with OAuth 2.0 client###! credentials flow.###! Docs: https://docs.gitlab.com/omnibus/settings/microsoft_graph_mailer.html# gitlab_rails['microsoft_graph_mailer_enabled'] = false# gitlab_rails['microsoft_graph_mailer_user_id'] = "YOUR-USER-ID"# gitlab_rails['microsoft_graph_mailer_tenant'] = "YOUR-TENANT-ID"# gitlab_rails['microsoft_graph_mailer_client_id'] = "YOUR-CLIENT-ID"# gitlab_rails['microsoft_graph_mailer_client_secret'] = "YOUR-CLIENT-SECRET-ID"# gitlab_rails['microsoft_graph_mailer_azure_ad_endpoint'] = "https://login.microsoftonline.com"# gitlab_rails['microsoft_graph_mailer_graph_endpoint'] = "https://graph.microsoft.com"################################################################## Reply by email###################################################################! Allow users to comment on issues and merge requests by replying to###! notification emails.###! Docs: https://docs.gitlab.com/ee/administration/reply_by_email.html# gitlab_rails['incoming_email_enabled'] = true### Incoming Email Address###! The email address including the `%{key}` placeholder that will be replaced###! to reference the item being replied to.###! **The placeholder can be omitted but if present, it must appear in the###! "user" part of the address (before the `@`).**# gitlab_rails['incoming_email_address'] = "gitlab-incoming+%{key}@gmail.com"#### Email account username####! **With third party providers, this is usually the full email address.**####! **With self-hosted email servers, this is usually the user part of the####! email address.**# gitlab_rails['incoming_email_email'] = "gitlab-incoming@gmail.com"#### Email account password# gitlab_rails['incoming_email_password'] = "[REDACTED]"#### IMAP Settings# gitlab_rails['incoming_email_host'] = "imap.gmail.com"# gitlab_rails['incoming_email_port'] = 993# gitlab_rails['incoming_email_ssl'] = true# gitlab_rails['incoming_email_start_tls'] = false#### Incoming Mailbox Settings (via `mail_room`)####! The mailbox where incoming mail will end up. Usually "inbox".# gitlab_rails['incoming_email_mailbox_name'] = "inbox"####! The IDLE command timeout.# gitlab_rails['incoming_email_idle_timeout'] = 60####! The file name for internal `mail_room` JSON logfile# gitlab_rails['incoming_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log"####! This marks incoming messages deleted after delivery.####! If you are using Microsoft Graph API instead of IMAP, set this to false to retain####! messages in the inbox since deleted messages are auto-expunged after some time.# gitlab_rails['incoming_email_delete_after_delivery'] = true####! Permanently remove messages from the mailbox when they are marked as deleted after delivery####! Only applies to IMAP. Microsoft Graph will auto-expunge any deleted messages.# gitlab_rails['incoming_email_expunge_deleted'] = false#### Inbox options (for Microsoft Graph)# gitlab_rails['incoming_email_inbox_method'] = 'microsoft_graph'# gitlab_rails['incoming_email_inbox_options'] = {# 'tenant_id': 'YOUR-TENANT-ID',# 'client_id': 'YOUR-CLIENT-ID',# 'client_secret': 'YOUR-CLIENT-SECRET',# 'poll_interval': 60 # Optional# }####! How incoming emails are delivered to Rails process. Accept either sidekiq####! or webhook. The default config is webhook.# gitlab_rails['incoming_email_delivery_method'] = "webhook"####! Token to authenticate webhook requests. The token must be exactly 32 bytes,####! encoded with base64# gitlab_rails['incoming_email_auth_token'] = nil####! The format of mail_room crash logs# mailroom['exit_log_format'] = "plain"### Consolidated (simplified) object storage configuration###! This uses a single credential for object storage with multiple buckets.###! It also enables Workhorse to upload files directly with its own S3 client###! instead of using pre-signed URLs.###!###! This configuration will only take effect if the object_store###! sections are not defined within the types. For example, enabling###! gitlab_rails['artifacts_object_store_enabled'] or###! gitlab_rails['lfs_object_store_enabled'] will prevent the###! consolidated settings from being used.###!###! Be sure to use different buckets for each type of object.###! Docs: https://docs.gitlab.com/ee/administration/object_storage.html# gitlab_rails['object_store']['enabled'] = false# gitlab_rails['object_store']['connection'] = {}# gitlab_rails['object_store']['storage_options'] = {}# gitlab_rails['object_store']['proxy_download'] = false# gitlab_rails['object_store']['objects']['artifacts']['bucket'] = nil# gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = nil# gitlab_rails['object_store']['objects']['lfs']['bucket'] = nil# gitlab_rails['object_store']['objects']['uploads']['bucket'] = nil# gitlab_rails['object_store']['objects']['packages']['bucket'] = nil# gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = nil# gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil# gitlab_rails['object_store']['objects']['ci_secure_files']['bucket'] = nil# gitlab_rails['object_store']['objects']['pages']['bucket'] = nil### Job Artifacts# gitlab_rails['artifacts_enabled'] = true# gitlab_rails['artifacts_path'] = "/var/opt/gitlab/gitlab-rails/shared/artifacts"###! Job artifacts Object Store###! Docs: https://docs.gitlab.com/ee/administration/job_artifacts.html#using-object-storage# gitlab_rails['artifacts_object_store_enabled'] = false# gitlab_rails['artifacts_object_store_proxy_download'] = false# gitlab_rails['artifacts_object_store_remote_directory'] = "artifacts"# gitlab_rails['artifacts_object_store_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',# # # The below options configure an S3 compatible host instead of AWS# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces# # 'host' => 's3.amazonaws.com',# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'# }### External merge request diffs# gitlab_rails['external_diffs_enabled'] = false# gitlab_rails['external_diffs_when'] = nil# gitlab_rails['external_diffs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/external-diffs"# gitlab_rails['external_diffs_object_store_enabled'] = false# gitlab_rails['external_diffs_object_store_proxy_download'] = false# gitlab_rails['external_diffs_object_store_remote_directory'] = "external-diffs"# gitlab_rails['external_diffs_object_store_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',# # # The below options configure an S3 compatible host instead of AWS# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces# # 'host' => 's3.amazonaws.com',# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'# }### Git LFS# gitlab_rails['lfs_enabled'] = true# gitlab_rails['lfs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/lfs-objects"# gitlab_rails['lfs_object_store_enabled'] = false# gitlab_rails['lfs_object_store_proxy_download'] = false# gitlab_rails['lfs_object_store_remote_directory'] = "lfs-objects"# gitlab_rails['lfs_object_store_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',# # # The below options configure an S3 compatible host instead of AWS# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces# # 'host' => 's3.amazonaws.com',# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'# }### GitLab uploads###! Docs: https://docs.gitlab.com/ee/administration/uploads.html# gitlab_rails['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads"# gitlab_rails['uploads_storage_path'] = "/opt/gitlab/embedded/service/gitlab-rails/public"# gitlab_rails['uploads_base_dir'] = "uploads/-/system"# gitlab_rails['uploads_object_store_enabled'] = false# gitlab_rails['uploads_object_store_proxy_download'] = false# gitlab_rails['uploads_object_store_remote_directory'] = "uploads"# gitlab_rails['uploads_object_store_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',# # # The below options configure an S3 compatible host instead of AWS# # 'host' => 's3.amazonaws.com',# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'# }### Terraform state###! Docs: https://docs.gitlab.com/ee/administration/terraform_state# gitlab_rails['terraform_state_enabled'] = true# gitlab_rails['terraform_state_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/terraform_state"# gitlab_rails['terraform_state_object_store_enabled'] = false# gitlab_rails['terraform_state_object_store_remote_directory'] = "terraform"# gitlab_rails['terraform_state_object_store_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',# # # The below options configure an S3 compatible host instead of AWS# # 'host' => 's3.amazonaws.com',# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'# }### CI Secure Files# gitlab_rails['ci_secure_files_enabled'] = true# gitlab_rails['ci_secure_files_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/ci_secure_files"# gitlab_rails['ci_secure_files_object_store_enabled'] = false# gitlab_rails['ci_secure_files_object_store_remote_directory'] = "ci-secure-files"# gitlab_rails['ci_secure_files_object_store_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',# # # The below options configure an S3 compatible host instead of AWS# # 'host' => 's3.amazonaws.com',# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'# }### GitLab Pages# gitlab_rails['pages_object_store_enabled'] = false# gitlab_rails['pages_object_store_remote_directory'] = "pages"# gitlab_rails['pages_object_store_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',# # # The below options configure an S3 compatible host instead of AWS# # 'host' => 's3.amazonaws.com',# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'# }# gitlab_rails['pages_local_store_enabled'] = true# gitlab_rails['pages_local_store_path'] = "/var/opt/gitlab/gitlab-rails/shared/pages"### Impersonation settings# gitlab_rails['impersonation_enabled'] = true### Disable jQuery and CSS animations# gitlab_rails['disable_animations'] = false### Application settings cache expiry in seconds. (default: 60)# gitlab_rails['application_settings_cache_seconds'] = 60### Usage Statistics# gitlab_rails['usage_ping_enabled'] = true### GitLab Mattermost###! These settings are void if Mattermost is installed on the same omnibus###! install# gitlab_rails['mattermost_host'] = "https://mattermost.example.com"### LDAP Settings###! Docs: https://docs.gitlab.com/ee/administration/auth/ldap/index.html###! **Be careful not to break the indentation in the ldap_servers block. It is###! in yaml format and the spaces must be retained. Using tabs will not work.**# gitlab_rails['ldap_enabled'] = false# gitlab_rails['prevent_ldap_sign_in'] = false###! **remember to close this block with 'EOS' below**# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'# main: # 'main' is the GitLab 'provider ID' of this LDAP server# label: 'LDAP'# host: '_your_ldap_server'# port: 389# uid: 'sAMAccountName'# bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'# password: '_the_password_of_the_bind_user'# encryption: 'plain' # "start_tls" or "simple_tls" or "plain"# verify_certificates: true# smartcard_auth: false# active_directory: true# smartcard_ad_cert_field: 'altSecurityIdentities'# smartcard_ad_cert_format: null # 'issuer_and_serial_number', 'issuer_and_subject' , 'principal_name'# allow_username_or_email_login: false# lowercase_usernames: false# block_auto_created_users: false# base: ''# user_filter: ''# ## EE only# group_base: ''# admin_group: ''# sync_ssh_keys: false## secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server# label: 'LDAP'# host: '_your_ldap_server'# port: 389# uid: 'sAMAccountName'# bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'# password: '_the_password_of_the_bind_user'# encryption: 'plain' # "start_tls" or "simple_tls" or "plain"# verify_certificates: true# smartcard_auth: false# active_directory: true# smartcard_ad_cert_field: 'altSecurityIdentities'# smartcard_ad_cert_format: null # 'issuer_and_serial_number', 'issuer_and_subject' , 'principal_name'# allow_username_or_email_login: false# lowercase_usernames: false# block_auto_created_users: false# base: ''# user_filter: ''# ## EE only# group_base: ''# admin_group: ''# sync_ssh_keys: false# EOS### Smartcard authentication settings###! Docs: https://docs.gitlab.com/ee/administration/auth/smartcard.html# gitlab_rails['smartcard_enabled'] = false# gitlab_rails['smartcard_ca_file'] = "/etc/gitlab/ssl/CA.pem"# gitlab_rails['smartcard_client_certificate_required_host'] = 'smartcard.gitlab.example.com'# gitlab_rails['smartcard_client_certificate_required_port'] = 3444# gitlab_rails['smartcard_required_for_git_access'] = false# gitlab_rails['smartcard_san_extensions'] = false### OmniAuth Settings###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html# gitlab_rails['omniauth_enabled'] = nil# gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'# gitlab_rails['omniauth_block_auto_created_users'] = true# gitlab_rails['omniauth_auto_link_ldap_user'] = false# gitlab_rails['omniauth_auto_link_saml_user'] = false# gitlab_rails['omniauth_auto_link_user'] = ['twitter']# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']# gitlab_rails['omniauth_providers'] = [# {# "name" => "google_oauth2",# "app_id" => "YOUR APP ID",# "app_secret" => "YOUR APP SECRET",# "args" => { "access_type" => "offline", "approval_prompt" => "" }# }# ]# gitlab_rails['omniauth_cas3_session_duration'] = 28800# gitlab_rails['omniauth_saml_message_max_byte_size'] = 250000### OIDC settings# Configure a custom duration for ID Tokens (defaults to 120 seconds).#! Docs: https://docs.gitlab.com/administration/auth/oidc/?tab=Linux+package+%28Omnibus%29#configure-a-custom-duration-for-id-tokens# gitlab_rails['oidc_provider_openid_id_token_expire_in_seconds'] = 120### FortiAuthenticator authentication settings# gitlab_rails['forti_authenticator_enabled'] = false# gitlab_rails['forti_authenticator_host'] = 'forti_authenticator.example.com'# gitlab_rails['forti_authenticator_port'] = 443# gitlab_rails['forti_authenticator_username'] = 'admin'# gitlab_rails['forti_authenticator_access_token'] = 's3cr3t'### FortiToken Cloud authentication settings# gitlab_rails['forti_token_cloud_enabled'] = false# gitlab_rails['forti_token_cloud_client_id'] = 'forti_token_cloud_client_id'# gitlab_rails['forti_token_cloud_client_secret'] = 's3cr3t'### DuoAuth authentication settings# gitlab_rails['duo_auth_enabled'] = false# gitlab_rails['duo_auth_integration_key'] = 'duo_auth_integration_key'# gitlab_rails['duo_auth_secret_key'] = 'duo_auth_secret_key'# gitlab_rails['duo_auth_hostname'] = 'duo_auth.example.com'### Backup Settings###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html# gitlab_rails['manage_backup_path'] = true# gitlab_rails['backup_path'] = "/var/opt/gitlab/backups"# gitlab_rails['backup_gitaly_backup_path'] = "/opt/gitlab/embedded/bin/gitaly-backup"###! Docs: https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html#backup-archive-permissions# gitlab_rails['backup_archive_permissions'] = 0644# gitlab_rails['backup_pg_schema'] = 'public'###! The duration in seconds to keep backups before they are allowed to be deleted# gitlab_rails['backup_keep_time'] = 604800# gitlab_rails['backup_upload_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AKIAKIAKI',# 'aws_secret_access_key' => 'secret123',# # # If IAM profile use is enabled, remove aws_access_key_id and aws_secret_access_key# 'use_iam_profile' => false# }# gitlab_rails['backup_upload_remote_directory'] = 'my.s3.bucket'# gitlab_rails['backup_multipart_chunk_size'] = 104857600###! **Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for###! backups**# gitlab_rails['backup_encryption'] = 'AES256'###! The encryption key to use with AWS Server-Side Encryption.###! Setting this value will enable Server-Side Encryption with customer provided keys;###! otherwise S3-managed keys are used.# gitlab_rails['backup_encryption_key'] = '<base64-encoded encryption key>'###! **Turns on AWS Server-Side Encryption with Amazon SSE-KMS (AWS managed but customer-master key)# gitlab_rails['backup_upload_storage_options'] = {# 'server_side_encryption' => 'aws:kms',# 'server_side_encryption_kms_key_id' => 'arn:aws:kms:YOUR-KEY-ID-HERE'# }###! **Specifies Amazon S3 storage class to use for backups. Valid values###! include 'STANDARD', 'STANDARD_IA', and 'REDUCED_REDUNDANCY'**# gitlab_rails['backup_storage_class'] = 'STANDARD'###! Skip parts of the backup. Comma separated.###! Docs: https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html#excluding-specific-data-from-the-backup#gitlab_rails['env'] = {# "SKIP" => "db,uploads,repositories,builds,artifacts,lfs,registry,pages"#}### Gitaly settings# gitlab_rails['gitaly_token'] = 'secret token'# gitlab_rails['repositories_storages'] = {# 'default' => {# 'gitaly_address' => 'tcp://praefect-lb:2305',# 'gitaly_token' => 'secret_token'# }# }### For storing GitLab application uploads, eg. LFS objects, build artifacts###! Docs: https://docs.gitlab.com/ee/development/shared_files.html# gitlab_rails['shared_path'] = '/var/opt/gitlab/gitlab-rails/shared'### For storing encrypted configuration files###! Docs: https://docs.gitlab.com/ee/administration/encrypted_configuration.html# gitlab_rails['encrypted_settings_path'] = '/var/opt/gitlab/gitlab-rails/shared/encrypted_settings'### Wait for file system to be mounted###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#start-linux-package-installation-services-only-after-a-given-file-system-is-mounted# high_availability['mountpoint'] = ["/var/opt/gitlab/git-data", "/var/opt/gitlab/gitlab-rails/shared"]### GitLab Shell settings for GitLab# gitlab_rails['gitlab_shell_ssh_port'] = 22# gitlab_rails['gitlab_shell_git_timeout'] = 800### Extra customization# gitlab_rails['extra_google_analytics_id'] = '_your_tracking_id'# gitlab_rails['extra_google_tag_manager_id'] = '_your_tracking_id'# gitlab_rails['extra_one_trust_id'] = '_your_one_trust_id'# gitlab_rails['extra_google_tag_manager_nonce_id'] = '_your_google_tag_manager_id'# gitlab_rails['extra_bizible'] = false# gitlab_rails['extra_matomo_url'] = '_your_matomo_url'# gitlab_rails['extra_matomo_site_id'] = '_your_matomo_site_id'# gitlab_rails['extra_matomo_disable_cookies'] = false# gitlab_rails['extra_maximum_text_highlight_size_kilobytes'] = 512##! Docs: https://docs.gitlab.com/omnibus/settings/environment-variables.html# gitlab_rails['env'] = {# 'BUNDLE_GEMFILE' => "/opt/gitlab/embedded/service/gitlab-rails/Gemfile",# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin"# }# gitlab_rails['rack_attack_git_basic_auth'] = {# 'enabled' => false,# 'ip_whitelist' => ["127.0.0.1"],# 'maxretry' => 10,# 'findtime' => 60,# 'bantime' => 3600# }# gitlab_rails['dir'] = "/var/opt/gitlab/gitlab-rails"# gitlab_rails['log_directory'] = "/var/log/gitlab/gitlab-rails"# gitlab_rails['log_group'] = nil#### Change the initial default admin password and shared runner registration tokens.####! **Only applicable on initial setup, changing these settings after database####! is created and seeded won't yield any change.**# gitlab_rails['initial_root_password'] = "password"# gitlab_rails['initial_shared_runners_registration_token'] = "token"### Product Usage Data# This setting enables product usage data in the GitLab instance.# It will be read on initial installation only. Once GitLab is up and running,# this setting should be toggled from the admin pages in the UI.# gitlab_rails['initial_gitlab_product_usage_data'] = nil#### Toggle if root password should be printed to STDOUT during initialization# gitlab_rails['display_initial_root_password'] = false#### Toggle if initial root password should be written to /etc/gitlab/initial_root_password# gitlab_rails['store_initial_root_password'] = true#### Set path to an initial license to be used while bootstrapping GitLab.####! **Only applicable on initial setup, future license updates need to be done via UI.####! Updating the file specified in this path won't yield any change after the first reconfigure run.# gitlab_rails['initial_license_file'] = '/etc/gitlab/company.gitlab-license'####! Enable or disable automatic database migrations# gitlab_rails['auto_migrate'] = true####! This is advanced feature used by large gitlab deployments where loading####! whole RAILS env takes a lot of time.# gitlab_rails['rake_cache_clear'] = true### GitLab database settings###! Docs: https://docs.gitlab.com/omnibus/settings/database.html###! **Only needed if you use an external database.**# gitlab_rails['db_adapter'] = "postgresql"# gitlab_rails['db_encoding'] = "unicode"# gitlab_rails['db_collation'] = nil# gitlab_rails['db_database'] = "gitlabhq_production"# gitlab_rails['db_username'] = "gitlab"# gitlab_rails['db_password'] = nil# gitlab_rails['db_host'] = nil# gitlab_rails['db_port'] = 5432# gitlab_rails['db_socket'] = nil# gitlab_rails['db_sslmode'] = nil# gitlab_rails['db_sslcompression'] = 0# gitlab_rails['db_sslrootcert'] = nil# gitlab_rails['db_sslcert'] = nil# gitlab_rails['db_sslkey'] = nil# gitlab_rails['db_prepared_statements'] = false# gitlab_rails['db_statements_limit'] = 1000# gitlab_rails['db_connect_timeout'] = nil# gitlab_rails['db_keepalives'] = nil# gitlab_rails['db_keepalives_idle'] = nil# gitlab_rails['db_keepalives_interval'] = nil# gitlab_rails['db_keepalives_count'] = nil# gitlab_rails['db_tcp_user_timeout'] = nil# gitlab_rails['db_application_name'] = nil# gitlab_rails['db_database_tasks'] = true##! Command to generate extra database configuration# gitlab_rails['db_extra_config_command'] = nil### Gitlab decomposed database settings###! Docs: https://docs.gitlab.com/omnibus/settings/database.html# gitlab_rails['databases']['main']['db_database'] = 'gitlabhq_production'# gitlab_rails['databases']['main']['database_tasks'] = true# gitlab_rails['databases']['ci']['enable'] = true# gitlab_rails['databases']['ci']['db_database'] = 'gitlabhq_production'# gitlab_rails['databases']['ci']['database_tasks'] = false### GitLab ClickHouse connection settings###! EXPERIMENTAL# gitlab_rails['clickhouse_databases']['main']['database'] = 'dbname'# gitlab_rails['clickhouse_databases']['main']['url'] = 'https://example.com/path'# gitlab_rails['clickhouse_databases']['main']['username'] = 'gitlab'# gitlab_rails['clickhouse_databases']['main']['password'] = 'password'### GitLab Redis settings###! Connect to your own Redis instance###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html#### Redis TCP connection# gitlab_rails['redis_host'] = "127.0.0.1"# gitlab_rails['redis_port'] = 6379# gitlab_rails['redis_ssl'] = false# gitlab_rails['redis_password'] = nil# gitlab_rails['redis_database'] = 0# gitlab_rails['redis_enable_client'] = true# gitlab_rails['redis_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_tls_client_cert_file'] = nil# gitlab_rails['redis_tls_client_key_file'] = nil# gitlab_rails['redis_connect_timeout'] = nil# gitlab_rails['redis_read_timeout'] = nil# gitlab_rails['redis_write_timeout'] = nil#### Redis local UNIX socket (will be disabled if TCP method is used)# gitlab_rails['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"#### Cells# gitlab_rails['cell'] = {# enabled: false,# id: nil,# database: {# skip_sequence_alteration: false# },# topology_service_client: {# address: 'topology-service.gitlab.example.com:443',# ca_file: 'path/to/your/ca/.pem',# certificate_file: 'path/to/your/cert/.pem',# private_key_file: 'path/to/your/key/.pem'# }# }#### Session cookie settings# gitlab_rails['session_store_session_cookie_token_prefix'] = ''#### Sentinel support####! To have Sentinel working, you must enable Redis TCP connection support####! above and define a few Sentinel hosts below (to get a reliable setup####! at least 3 hosts).####! **You don't need to list every sentinel host, but the ones not listed will####! not be used in a fail-over situation to query for the new master.**# gitlab_rails['redis_sentinels'] = [# {'host' => '127.0.0.1', 'port' => 26379},# ]# gitlab_rails['redis_sentinels_password'] = 'sentinel-requirepass-goes-here'# gitlab_rails['redis_sentinel_master'] = nil# gitlab_rails['redis_sentinel_master_ip'] = nil# gitlab_rails['redis_sentinel_master_port'] = nil#### Cluster support####! Cluster support is only available for selected Redis instances. `resque.yml` will not####! support cluster mode to maintain full-compatibility with the GitLab rails application.####!####! To have Redis Cluster working, you must declare `redis_{instance}_cluster_nodes`####! `redis_{instance}_username` and `redis_{instance}_password` are required if ACL####! is enabled for the Redis servers.# gitlab_rails['redis_xxxx_cluster_nodes'] = [# {'host' => '127.0.0.1', 'port' => 6379},# ]#### Separate instances support####! Docs: https://docs.gitlab.com/omnibus/settings/redis.html#running-with-multiple-redis-instances# gitlab_rails['redis_cache_instance'] = nil# gitlab_rails['redis_cache_sentinels'] = nil# gitlab_rails['redis_cache_sentinels_password'] = nil# gitlab_rails['redis_cache_username'] = nil# gitlab_rails['redis_cache_password'] = nil# gitlab_rails['redis_cache_cluster_nodes'] = nil# gitlab_rails['redis_cache_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_cache_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_cache_tls_client_cert_file'] = nil# gitlab_rails['redis_cache_tls_client_key_file'] = nil# gitlab_rails['redis_queues_instance'] = nil# gitlab_rails['redis_queues_sentinels'] = nil# gitlab_rails['redis_queues_sentinels_password'] = nil# gitlab_rails['redis_queues_username'] = nil# gitlab_rails['redis_queues_password'] = nil# gitlab_rails['redis_queues_cluster_nodes'] = nil# gitlab_rails['redis_queues_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_queues_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_queues_tls_client_cert_file'] = nil# gitlab_rails['redis_queues_tls_client_key_file'] = nil# gitlab_rails['redis_shared_state_instance'] = nil# gitlab_rails['redis_shared_state_sentinels'] = nil# gitlab_rails['redis_shared_state_sentinels_password'] = nil# gitlab_rails['redis_shared_state_username'] = nil# gitlab_rails['redis_shared_state_password'] = nil# gitlab_rails['redis_shared_state_cluster_nodes'] = nil# gitlab_rails['redis_shared_state_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_shared_state_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_shared_state_tls_client_cert_file'] = nil# gitlab_rails['redis_shared_state_tls_client_key_file'] = nil# gitlab_rails['redis_trace_chunks_instance'] = nil# gitlab_rails['redis_trace_chunks_sentinels'] = nil# gitlab_rails['redis_trace_chunks_sentinels_password'] = nil# gitlab_rails['redis_trace_chunks_username'] = nil# gitlab_rails['redis_trace_chunks_password'] = nil# gitlab_rails['redis_trace_chunks_cluster_nodes'] = nil# gitlab_rails['redis_trace_chunks_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_trace_chunks_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_trace_chunks_tls_client_cert_file'] = nil# gitlab_rails['redis_trace_chunks_tls_client_key_file'] = nil# gitlab_rails['redis_actioncable_instance'] = nil# gitlab_rails['redis_actioncable_sentinels'] = nil# gitlab_rails['redis_actioncable_sentinels_password'] = nil# gitlab_rails['redis_actioncable_username'] = nil# gitlab_rails['redis_actioncable_password'] = nil# gitlab_rails['redis_actioncable_cluster_nodes'] = nil# gitlab_rails['redis_actioncable_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_actioncable_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_actioncable_tls_client_cert_file'] = nil# gitlab_rails['redis_actioncable_tls_client_key_file'] = nil# gitlab_rails['redis_rate_limiting_instance'] = nil# gitlab_rails['redis_rate_limiting_sentinels'] = nil# gitlab_rails['redis_rate_limiting_sentinels_password'] = nil# gitlab_rails['redis_rate_limiting_username'] = nil# gitlab_rails['redis_rate_limiting_password'] = nil# gitlab_rails['redis_rate_limiting_cluster_nodes'] = nil# gitlab_rails['redis_rate_limiting_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_rate_limiting_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_rate_limiting_tls_client_cert_file'] = nil# gitlab_rails['redis_rate_limiting_tls_client_key_file'] = nil# gitlab_rails['redis_sessions_instance'] = nil# gitlab_rails['redis_sessions_sentinels'] = nil# gitlab_rails['redis_sessions_sentinels_password'] = nil# gitlab_rails['redis_sessions_username'] = nil# gitlab_rails['redis_sessions_password'] = nil# gitlab_rails['redis_sessions_cluster_nodes'] = nil# gitlab_rails['redis_sessions_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_sessions_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_sessions_tls_client_cert_file'] = nil# gitlab_rails['redis_sessions_tls_client_key_file'] = nil# gitlab_rails['redis_cluster_rate_limiting_instance'] = nil# gitlab_rails['redis_cluster_rate_limiting_sentinels'] = nil# gitlab_rails['redis_cluster_rate_limiting_sentinels_password'] = nil# gitlab_rails['redis_cluster_rate_limiting_username'] = nil# gitlab_rails['redis_cluster_rate_limiting_password'] = nil# gitlab_rails['redis_cluster_rate_limiting_cluster_nodes'] = nil# gitlab_rails['redis_cluster_rate_limiting_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_cluster_rate_limiting_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_cluster_rate_limiting_tls_client_cert_file'] = nil# gitlab_rails['redis_cluster_rate_limiting_tls_client_key_file'] = nil# gitlab_rails['redis_repository_cache_instance'] = nil# gitlab_rails['redis_repository_cache_sentinels'] = nil# gitlab_rails['redis_repository_cache_sentinels_password'] = nil# gitlab_rails['redis_repository_cache_username'] = nil# gitlab_rails['redis_repository_cache_password'] = nil# gitlab_rails['redis_repository_cache_cluster_nodes'] = nil# gitlab_rails['redis_repository_cache_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_repository_cache_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_repository_cache_tls_client_cert_file'] = nil# gitlab_rails['redis_repository_cache_tls_client_key_file'] = nil# gitlab_rails['redis_workhorse_instance'] = nil# gitlab_rails['redis_workhorse_sentinels'] = nil# gitlab_rails['redis_workhorse_sentinels_password'] = nil# gitlab_rails['redis_workhorse_username'] = nil# gitlab_rails['redis_workhorse_password'] = nil# gitlab_rails['redis_workhorse_cluster_nodes'] = nil# gitlab_rails['redis_workhorse_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# gitlab_rails['redis_workhorse_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_rails['redis_workhorse_tls_client_cert_file'] = nil# gitlab_rails['redis_workhorse_tls_client_key_file'] = nil# gitlab_rails['redis_workhorse_sentinel_master'] = nil# gitlab_rails['redis_yml_override'] = nil################################################################################## Container Registry settings##! Docs: https://docs.gitlab.com/ee/administration/packages/container_registry.html################################################################################# registry_external_url 'https://registry.example.com'### Settings used by GitLab application# gitlab_rails['registry_enabled'] = true# gitlab_rails['registry_host'] = "registry.gitlab.example.com"# gitlab_rails['registry_port'] = "5005"# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"###! Notification secret, it's used to authenticate notification requests to GitLab application###! You only need to change this when you use external Registry service, otherwise###! it will be taken directly from notification settings of your Registry# gitlab_rails['registry_notification_secret'] = nil###! **Do not change the following 3 settings unless you know what you are###! doing**# gitlab_rails['registry_api_url'] = "http://127.0.0.1:5000"# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"### Settings used by Registry application# registry['enable'] = true# registry['username'] = "registry"# registry['group'] = "registry"# registry['uid'] = nil# registry['gid'] = nil# registry['dir'] = "/var/opt/gitlab/registry"# registry['shell'] = "/usr/sbin/nologin"# registry['registry_http_addr'] = "127.0.0.1:5000"# registry['debug_addr'] = "localhost:5001"# registry['log_directory'] = "/var/log/gitlab/registry"# registry['env_directory'] = "/opt/gitlab/etc/registry/env"# registry['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }# registry['log_level'] = "info"# registry['log_formatter'] = "text"# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"# registry['health_storagedriver_enabled'] = true# registry['middleware'] = nil# registry['storage_delete_enabled'] = true# registry['validation_enabled'] = false# registry['autoredirect'] = false# registry['compatibility_schema1_enabled'] = false# registry['database'] = nil### Registry backend storage###! Docs: https://docs.gitlab.com/ee/administration/packages/container_registry.html#configure-storage-for-the-container-registry# registry['storage'] = {# 's3' => {# 'accesskey' => 's3-access-key',# 'secretkey' => 's3-secret-key-for-access-key',# 'bucket' => 'your-s3-bucket',# 'region' => 'your-s3-region',# 'regionendpoint' => 'your-s3-regionendpoint'# },# 'redirect' => {# 'disable' => false# }# }### Registry database###! Docs: https://docs.gitlab.com/ee/administration/packages/container_registry_metadata_database.html#new-installations# registry['database'] = {# 'enabled' => true,# 'host' => 'localhost',# 'port' => 5432,# 'user' => 'postgres',# 'password' => 'postgres',# 'dbname' => 'registry',# 'sslmode' => 'verify-full',# 'sslcert' => '/path/to/client.crt',# 'sslkey' => '/path/to/client.key',# 'sslrootcert' => '/path/to/root.crt',# 'connecttimeout' => '5s',# 'draintimeout' => '2m',# 'preparedstatements' => false,# 'primary' => 'primary.record.fqdn',# 'pool' => {# 'maxidle' => 25,# 'maxopen' => 25,# 'maxlifetime' => '5m'# }# }### Registry garbage collection###! Docs: https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md?ref_type=heads#gc# registry['gc'] = {# 'disabled' => false,# 'maxbackoff' => '24h',# 'noidlebackoff' => false,# 'transactiontimeout' => '10s',# 'reviewafter' => '24h',# 'manifests' => {# 'disabled' => false,# 'interval' => '5s'# },# 'blobs' => {# 'disabled' => false,# 'interval' => '5s',# 'storagetimeout' => '5s'# }# }### Registry notifications endpoints# registry['notifications'] = [# {# 'name' => 'test_endpoint',# 'url' => 'https://gitlab.example.com/notify2',# 'timeout' => '500ms',# 'threshold' => 5, # DEPRECATED: use maxretries instead https://gitlab.com/gitlab-org/container-registry/-/issues/1243# 'maxretries' => 5,# 'backoff' => '1s',# 'headers' => {# "Authorization" => ["AUTHORIZATION_EXAMPLE_TOKEN"]# }# }# ]### Default registry notifications# registry['default_notifications_timeout'] = "500ms"# registry['default_notifications_threshold'] = 5# registry['default_notifications_maxretries'] = 5# registry['default_notifications_backoff'] = "1s"# registry['default_notifications_headers'] = {}################################################################################## Error Reporting and Logging with Sentry################################################################################# gitlab_rails['sentry_enabled'] = false# gitlab_rails['sentry_dsn'] = 'https://<key>@sentry.io/<project>'# gitlab_rails['sentry_clientside_dsn'] = 'https://<key>@sentry.io/<project>'# gitlab_rails['sentry_environment'] = 'production'################################################################################## GitLab Workhorse##! Docs: https://gitlab.com/gitlab-org/gitlab/-/blob/master/workhorse/README.md################################################################################# gitlab_workhorse['enable'] = true# gitlab_workhorse['ha'] = false# gitlab_workhorse['alt_document_root'] = nil##! Duration to wait for all requests to finish (e.g. "10s" for 10##! seconds). By default this is disabled to preserve the existing##! behavior of fast shutdown. This should not be set higher than 30##! seconds, since gitlab-ctl will wait up to 30 seconds (as defined by##! the SVWAIT variable) and report a timeout error if the process has##! not shut down.# gitlab_workhorse['shutdown_timeout'] = nil# gitlab_workhorse['listen_network'] = "unix"# gitlab_workhorse['listen_umask'] = 000# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"# gitlab_workhorse['auth_backend'] = "http://localhost:8080"##! Enable Redis keywatcher, if this setting is not present it defaults to true# gitlab_workhorse['workhorse_keywatcher'] = true##! the empty string is the default in gitlab-workhorse option parser# gitlab_workhorse['auth_socket'] = "''"##! put an empty string on the command line# gitlab_workhorse['pprof_listen_addr'] = "''"# gitlab_workhorse['prometheus_listen_addr'] = "localhost:9229"# gitlab_workhorse['dir'] = "/var/opt/gitlab/gitlab-workhorse"# gitlab_workhorse['log_directory'] = "/var/log/gitlab/gitlab-workhorse"# gitlab_workhorse['proxy_headers_timeout'] = "1m0s"##! limit number of concurrent API requests, defaults to 0 which is unlimited# gitlab_workhorse['api_limit'] = 0##! limit number of API requests allowed to be queued, defaults to 0 which##! disables queuing# gitlab_workhorse['api_queue_limit'] = 0##! duration after which we timeout requests if they sit too long in the queue# gitlab_workhorse['api_queue_duration'] = "30s"##! Long polling duration for job requesting for runners# gitlab_workhorse['api_ci_long_polling_duration'] = "60s"##! Propagate X-Request-Id if available. Workhorse will generate a random value otherwise.# gitlab_workhorse['propagate_correlation_id'] = false##! A list of CIDR blocks to allow for propagation of correlation ID.##! propagate_correlation_id should also be set to true.##! For example: %w(127.0.0.1/32 192.168.0.1/32)# gitlab_workhorse['trusted_cidrs_for_propagation'] = nil##! A list of CIDR blocks that must match remote IP addresses to use##! X-Forwarded-For HTTP header for the actual client IP. Used in##! conjuction with propagate_correlation_id and##! trusted_cidrs_for_propagation.##! For example: %w(127.0.0.1/32 192.168.0.1/32)# gitlab_workhorse['trusted_cidrs_for_x_forwarded_for'] = nil##! Log format: default is json, can also be text or none.# gitlab_workhorse['log_format'] = "json"# gitlab_workhorse['env_directory'] = "/opt/gitlab/etc/gitlab-workhorse/env"# gitlab_workhorse['env'] = {# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin",# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }##! Resource limitations for the dynamic image scaler.##! Exceeding these thresholds will cause Workhorse to serve images in their original size.##!##! Maximum number of scaler processes that are allowed to execute concurrently.##! It is recommended for this not to exceed the number of CPUs available.# gitlab_workhorse['image_scaler_max_procs'] = 4##!##! Maximum file size in bytes for an image to be considered eligible for rescaling# gitlab_workhorse['image_scaler_max_filesize'] = 250000##! Service name used to register GitLab Workhorse as a Consul service# gitlab_workhorse['consul_service_name'] = 'workhorse'##! Semantic metadata used when registering GitLab Workhorse as a Consul service# gitlab_workhorse['consul_service_meta'] = {}##! Redis settings specific for GitLab Workhorse##! To be used when Workhorse is supposed to use a different Redis instance than##! other components. The settings specified here should match##! `gitlab_rails['redis_workhorse_*']` settings, if specified. If not specified,##! they are inferred from the below values. `gitlab_rails['redis_workhorse_*']`##! settings tell the Rails app which Redis has channels to publish messages to,##! and `gitlab_workhorse['redis_*']` tells Workhorse which Redis has channels to##! subscribe to. Hence, the requirement of the settings to match.# gitlab_workhorse['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"# gitlab_workhorse['redis_host'] = "127.0.0.1"# gitlab_workhorse['redis_port'] = nil# gitlab_workhorse['redis_database'] = nil# gitlab_workhorse['redis_username'] = nil# gitlab_workhorse['redis_password'] = nil# gitlab_workhorse['redis_ssl'] = false# gitlab_workhorse['redis_cluster_nodes'] = []# gitlab_workhorse['redis_sentinels'] = []# gitlab_workhorse['redis_sentinels_password'] = nil# gitlab_workhorse['redis_sentinel_master'] = nil# gitlab_workhorse['redis_sentinel_master_ip'] = nil# gitlab_workhorse['redis_sentinel_master_port'] = nil##! Command to generate extra configuration# gitlab_workhorse['extra_config_command'] = nil##! Metadata configuration section# gitlab_workhorse['metadata_zip_reader_limit_bytes'] = nil################################################################################## GitLab User Settings##! Modify default git user.##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#change-the-name-of-the-git-user-or-group################################################################################# user['username'] = "git"# user['group'] = "git"# user['uid'] = nil# user['gid'] = nil##! The shell for the git user# user['shell'] = "/bin/sh"##! The home directory for the git user# user['home'] = "/var/opt/gitlab"# user['git_user_name'] = "GitLab"# user['git_user_email'] = "gitlab@#{node['fqdn']}"################################################################################## GitLab Puma##! Tweak puma settings.##! Docs: https://docs.gitlab.com/ee/administration/operations/puma.html################################################################################# puma['enable'] = true# puma['ha'] = false# puma['worker_timeout'] = 60# puma['worker_processes'] = 2# puma['min_threads'] = 4# puma['max_threads'] = 4### Advanced settings# puma['listen'] = '127.0.0.1'# puma['port'] = 8080# puma['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'# puma['somaxconn'] = 2048### SSL settings# puma['ssl_listen'] = nil# puma['ssl_port'] = nil# puma['ssl_certificate'] = nil# puma['ssl_certificate_key'] = nil# puma['ssl_client_certificate'] = nil# puma['ssl_cipher_filter'] = nil# puma['ssl_key_password_command'] = nil# puma['ssl_verify_mode'] = 'none'# puma['pidfile'] = '/opt/gitlab/var/puma/puma.pid'# puma['state_path'] = '/opt/gitlab/var/puma/puma.state'###! **We do not recommend changing this setting**# puma['log_directory'] = "/var/log/gitlab/puma"###! **Only change these settings if you understand well what they mean**###! Docs: https://github.com/schneems/puma_worker_killer# puma['per_worker_max_memory_mb'] = 1024# puma['exporter_enabled'] = false# puma['exporter_address'] = "127.0.0.1"# puma['exporter_port'] = 8083# puma['exporter_tls_enabled'] = false# puma['exporter_tls_cert_path'] = ""# puma['exporter_tls_key_path'] = ""# puma['prometheus_scrape_scheme'] = 'http'# puma['prometheus_scrape_tls_server_name'] = 'localhost'# puma['prometheus_scrape_tls_skip_verification'] = false##! Service name used to register Puma as a Consul service# puma['consul_service_name'] = 'rails'##! Semantic metadata used when registering Puma as a Consul service# puma['consul_service_meta'] = {}################################################################################## GitLab Sidekiq##################################################################################! GitLab allows one to start multiple sidekiq processes. These##! processes can be used to consume a dedicated set of queues. This##! can be used to ensure certain queues are able to handle additional workload.##! https://docs.gitlab.com/ee/administration/sidekiq/extra_sidekiq_processes.html# sidekiq['enable'] = true# sidekiq['log_directory'] = "/var/log/gitlab/sidekiq"# sidekiq['log_format'] = "json"# sidekiq['shutdown_timeout'] = 4# sidekiq['interval'] = nil# sidekiq['concurrency'] = 20##! GitLab allows route a job to a particular queue determined by an array of ##! routing rules.##! Each routing rule is a tuple of queue selector query and corresponding queue. By default,##! the routing rules are not configured (empty array)# sidekiq['routing_rules'] = []##! Each entry in the queue_groups array denotes a group of queues that have to be processed by a##! Sidekiq process. Multiple queues can be processed by the same process by##! separating them with a comma within the group entry, a `*` will process all queues# sidekiq['queue_groups'] = ['*']##! Specifies where Prometheus metrics endpoints should be made available for Sidekiq processes.# sidekiq['metrics_enabled'] = true# sidekiq['exporter_log_enabled'] = false# sidekiq['exporter_tls_enabled'] = false# sidekiq['exporter_tls_cert_path'] = ""# sidekiq['exporter_tls_key_path'] = ""# sidekiq['listen_address'] = "localhost"# sidekiq['listen_port'] = 8082##! Specifies where health-check endpoints should be made available for Sidekiq processes.##! Defaults to the same settings as for Prometheus metrics (see above).# sidekiq['health_checks_enabled'] = true# sidekiq['health_checks_listen_address'] = "localhost"# sidekiq['health_checks_listen_port'] = 8092##! Service name used to register Sidekiq as a Consul service# sidekiq['consul_service_name'] = 'sidekiq'##! Semantic metadata used when registering Sidekiq as a Consul service# sidekiq['consul_service_meta'] = {}################################################################################## gitlab-shell################################################################################# gitlab_shell['audit_usernames'] = false# gitlab_shell['log_level'] = 'INFO'# gitlab_shell['log_format'] = 'json'# gitlab_shell['http_settings'] = { user: 'username', password: 'password', ca_file: '/etc/ssl/cert.pem', ca_path: '/etc/pki/tls/certs'}# gitlab_shell['log_directory'] = "/var/log/gitlab/gitlab-shell"# gitlab_shell['auth_file'] = "/var/opt/gitlab/.ssh/authorized_keys"### Migration to Go feature flags# gitlab_shell['migration'] = { enabled: true, features: [] } # DEPRECATED: see https://gitlab.com/groups/gitlab-org/-/epics/14845.### Git trace log file.###! If set, git commands receive GIT_TRACE* environment variables###! Docs: https://git-scm.com/book/en/v2/Git-Internals-Environment-Variables#_debugging###! An absolute path starting with / - the trace output will be appended to###! that file. It needs to exist so we can check permissions and avoid###! throwing warnings to the users.# gitlab_shell['git_trace_log_file'] = "/var/log/gitlab/gitlab-shell/gitlab-shell-git-trace.log"##! **We do not recommend changing this directory.**# gitlab_shell['dir'] = "/var/opt/gitlab/gitlab-shell"# gitlab_shell['lfs_pure_ssh_protocol'] = false# gitlab_shell['pat'] = { enabled: true, allowed_scopes: [] }################################################################################## gitlab-sshd################################################################################# gitlab_sshd['enable'] = false# gitlab_sshd['generate_host_keys'] = true# gitlab_sshd['dir'] = "/var/opt/gitlab/gitlab-sshd"###! gitlab-sshd outputs most logs to /var/log/gitlab/gitlab-shell/gitlab-shell.log.###! This directory only stores stdout/stderr output from the daemon.# gitlab_sshd['log_directory'] = "/var/log/gitlab/gitlab-sshd/"# gitlab_sshd['env_directory'] = '/opt/gitlab/etc/gitlab-sshd/env'# gitlab_sshd['listen_address'] = 'localhost:2222'# gitlab_sshd['metrics_address'] = 'localhost:9122'# gitlab_sshd['concurrent_sessions_limit'] = 100# gitlab_sshd['proxy_protocol'] = false# gitlab_sshd['proxy_policy'] = 'use'# gitlab_sshd['proxy_header_timeout'] = '500ms'# gitlab_sshd['grace_period'] = 55# gitlab_sshd['client_alive_interval'] = nil# gitlab_sshd['ciphers'] = nil# gitlab_sshd['kex_algorithms'] = nil# gitlab_sshd['macs'] = nil##! A list of the to be accepted public key algorithms.##! For example: %w(ssh-ed25519 ecdsa-sha2-nistp256 rsa-sha2-256 rsa-sha2-512)# gitlab_sshd['public_key_algorithms'] = nil# gitlab_sshd['login_grace_time'] = 60# gitlab_sshd['host_keys_dir'] = '/var/opt/gitlab/gitlab-sshd'# gitlab_sshd['host_keys_glob'] = 'ssh_host_*_key'# gitlab_sshd['host_certs_dir'] = '/var/opt/gitlab/gitlab-sshd'# gitlab_sshd['host_certs_glob'] = 'ssh_host_*-cert.pub'################################################################## GitLab PostgreSQL##################################################################! Changing any of these settings requires a restart of postgresql.##! By default, reconfigure reloads postgresql if it is running. If you##! change any of these settings, be sure to run `gitlab-ctl restart postgresql`##! after reconfigure in order for the changes to take effect.# postgresql['enable'] = true# postgresql['listen_address'] = nil# postgresql['port'] = 5432##! Only used when Patroni is enabled. This is the port that PostgreSQL responds to other##! cluster members. This port is used by Patroni to advertize the PostgreSQL connection##! endpoint to the cluster. By default it is the same as postgresql['port'].# postgresql['connect_port'] = 5432##! **recommend value is 1/4 of total RAM, up to 14GB.**##! For Docker containers, the default of 256 MB is set in docker/assets/gitlab.rb.##! Otherwise, 1/4 of the total RAM is used in files/gitlab-cookbooks/postgresql/attributes/default.rb.# postgresql['shared_buffers'] = "256MB"### Advanced settings# postgresql['ha'] = false# postgresql['dir'] = "/var/opt/gitlab/postgresql"# postgresql['log_directory'] = "/var/log/gitlab/postgresql"# postgresql['log_destination'] = nil# postgresql['logging_collector'] = nil# postgresql['log_truncate_on_rotation'] = nil# postgresql['log_rotation_age'] = nil# postgresql['log_rotation_size'] = nil# postgresql['log_connections'] = "off"# postgresql['log_disconnections'] = "off"##! 'username' affects the system and PostgreSQL user accounts created during installation and cannot be changed##! on an existing installation. See https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/3606 for more details.# postgresql['username'] = "gitlab-psql"# postgresql['group'] = "gitlab-psql"##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab`# postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH'# postgresql['uid'] = nil# postgresql['gid'] = nil# postgresql['shell'] = "/bin/sh"# postgresql['home'] = "/var/opt/gitlab/postgresql"# postgresql['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH"# postgresql['sql_user'] = "gitlab"# postgresql['max_connections'] = 400# postgresql['md5_auth_cidr_addresses'] = []# postgresql['trust_auth_cidr_addresses'] = []# postgresql['wal_buffers'] = "-1"# postgresql['autovacuum_max_workers'] = "3"# postgresql['autovacuum_freeze_max_age'] = "200000000"# postgresql['log_statement'] = nil# postgresql['track_activity_query_size'] = "1024"# postgresql['shared_preload_libraries'] = nil# postgresql['dynamic_shared_memory_type'] = nil# postgresql['hot_standby'] = "off"### SSL settings###! See https://www.postgresql.org/docs/13/static/runtime-config-connection.html#GUC-SSL-CERT-FILE for more details# postgresql['ssl'] = 'on'# postgresql['hostssl'] = false# postgresql['ssl_ciphers'] = 'HIGH:MEDIUM:+3DES:!aNULL:!SSLv3:!TLSv1'# postgresql['ssl_cert_file'] = 'server.crt'# postgresql['ssl_key_file'] = 'server.key'# postgresql['ssl_ca_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# postgresql['ssl_crl_file'] = nil# postgresql['cert_auth_addresses'] = {# 'ADDRESS' => {# database: 'gitlabhq_production',# user: 'gitlab'# }# }### Replication settings###! Note, some replication settings do not require a full restart. They are documented below.# postgresql['wal_level'] = "hot_standby"# postgresql['wal_log_hints'] = 'off'# postgresql['max_wal_senders'] = 5# postgresql['max_replication_slots'] = 0# postgresql['max_locks_per_transaction'] = 128### Backup/Archive settings# postgresql['archive_mode'] = "off"###! Changing any of these settings only requires a reload of postgresql. You do not need to###! restart postgresql if you change any of these and run reconfigure.# postgresql['work_mem'] = "16MB"# postgresql['maintenance_work_mem'] = "16MB"# postgresql['checkpoint_timeout'] = "5min"# postgresql['checkpoint_completion_target'] = 0.9# postgresql['effective_io_concurrency'] = 1# postgresql['checkpoint_warning'] = "30s"# postgresql['effective_cache_size'] = "1MB"# postgresql['shmmax'] = 17179869184 # or 4294967295# postgresql['shmall'] = 4194304 # or 1048575# postgresql['autovacuum'] = "on"# postgresql['log_autovacuum_min_duration'] = "-1"# postgresql['autovacuum_naptime'] = "1min"# postgresql['autovacuum_vacuum_threshold'] = "50"# postgresql['autovacuum_analyze_threshold'] = "50"# postgresql['autovacuum_vacuum_scale_factor'] = "0.02"# postgresql['autovacuum_analyze_scale_factor'] = "0.01"# postgresql['autovacuum_vacuum_cost_delay'] = "20ms"# postgresql['autovacuum_vacuum_cost_limit'] = "-1"# postgresql['statement_timeout'] = "60000"# postgresql['idle_in_transaction_session_timeout'] = "60000"# postgresql['log_line_prefix'] = "%a"# postgresql['max_worker_processes'] = 8# postgresql['max_parallel_workers_per_gather'] = 0# postgresql['log_lock_waits'] = 1# postgresql['deadlock_timeout'] = '5s'# postgresql['track_io_timing'] = 0# postgresql['default_statistics_target'] = 1000### Available in PostgreSQL 9.6 and later# postgresql['min_wal_size'] = "80MB"# postgresql['max_wal_size'] = "1GB"### Backup/Archive settings# postgresql['archive_command'] = nil# postgresql['archive_timeout'] = "0"### Replication settings# postgresql['sql_replication_user'] = "gitlab_replicator"# postgresql['sql_replication_password'] = "md5 hash of postgresql password" # You can generate with `gitlab-ctl pg-password-md5 <dbuser>`# postgresql['wal_keep_segments'] = 10# postgresql['max_standby_archive_delay'] = "30s"# postgresql['max_standby_streaming_delay'] = "30s"# postgresql['synchronous_commit'] = on# postgresql['synchronous_standby_names'] = ''# postgresql['hot_standby_feedback'] = 'off'# postgresql['random_page_cost'] = 2.0# postgresql['log_temp_files'] = -1# postgresql['log_checkpoints'] = 'off'###! To add custom entries to pg_hba.conf use the following# postgresql['custom_pg_hba_entries'] = {# APPLICATION: [ # APPLICATION should identify what the settings are used for# {# type: example,# database: example,# user: example,# cidr: example,# method: example,# option: example# }# ]# }###! See https://www.postgresql.org/docs/13/static/auth-pg-hba-conf.html for an explanation###! of the values### Version settings# Set this if you have disabled the bundled PostgreSQL but still want to use the backup rake tasks# postgresql['version'] = 16##! Automatically restart PostgreSQL service when version changes.# postgresql['auto_restart_on_version_change'] = true################################################################################## GitLab Redis##! **Can be disabled if you are using your own Redis instance.**##! Docs: https://docs.gitlab.com/omnibus/settings/redis.html################################################################################# redis['enable'] = true# redis['ha'] = false# redis['start_down'] = false# redis['set_replicaof'] = false# redis['hz'] = 10# redis['dir'] = "/var/opt/gitlab/redis"# redis['log_directory'] = "/var/log/gitlab/redis"# redis['log_group'] = nil# redis['username'] = "gitlab-redis"# redis['group'] = "gitlab-redis"# redis['maxclients'] = "10000"# redis['open_files_ulimit'] = nil # Maximum number of open files allowed for the redis process (defaults to ope# redis['maxmemory'] = "0"# redis['maxmemory_policy'] = "noeviction"# redis['maxmemory_samples'] = "5"# redis['stop_writes_on_bgsave_error'] = true# redis['tcp_backlog'] = 511# redis['tcp_timeout'] = "60"# redis['tcp_keepalive'] = "300"# redis['uid'] = nil# redis['gid'] = nil# redis['startup_delay'] = 0### Redis TLS settings###! To run Redis over TLS, specify values for the following settings# redis['tls_port'] = nil# redis['tls_cert_file'] = nil# redis['tls_key_file'] = nil###! Other TLS related optional settings# redis['tls_dh_params_file'] = nil# redis['tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# redis['tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# redis['tls_auth_clients'] = 'optional'# redis['tls_replication'] = nil# redis['tls_cluster'] = nil# redis['tls_protocols'] = nil# redis['tls_ciphers'] = nil# redis['tls_ciphersuites'] = nil# redis['tls_prefer_server_ciphers'] = nil# redis['tls_session_caching'] = nil# redis['tls_session_cache_size'] = nil# redis['tls_session_cache_timeout'] = nil###! Disable or obfuscate unnecessary redis command names###! Uncomment and edit this block to add or remove entries.###! See https://docs.gitlab.com/omnibus/settings/redis.html#renamed-commands###! for detailed usage###!# redis['rename_commands'] = {# 'KEYS': ''# }###! Configure timeout (in seconds) for runit's sv commands used for managing###! the Redis service# redis['runit_sv_timeout'] = nil###! **To enable only Redis service in this machine, uncomment###! one of the lines below (choose master or replica instance types).**###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html###! https://docs.gitlab.com/ee/administration/redis/replication_and_failover.html# redis_master_role['enable'] = true# redis_replica_role['enable'] = true### Redis TCP support (will disable UNIX socket transport)# redis['bind'] = '0.0.0.0' # or specify an IP to bind to a single one# redis['port'] = 6379# redis['password'] = 'redis-password-goes-here'### Redis Sentinel support###! **You need a master replica Redis replication to be able to do failover**###! **Please read the documentation before enabling it to understand the###! caveats:**###! Docs: https://docs.gitlab.com/ee/administration/redis/replication_and_failover.html### Replication support#### Replica Redis instance# redis['master'] = false # by default this is true#### Replica and Sentinel shared configuration####! **Both need to point to the master Redis instance to get replication and####! heartbeat monitoring**# redis['master_name'] = 'gitlab-redis'# redis['master_ip'] = nil# redis['master_port'] = 6379#### Support to run redis replicas in a Docker or NAT environment####! Docs: https://redis.io/topics/replication#configuring-replication-in-docker-and-nat# redis['announce_ip'] = nil# redis['announce_port'] = nil# redis['announce_ip_from_hostname'] = false####! **Master password should have the same value defined in####! redis['password'] to enable the instance to transition to/from####! master/replica in a failover event.**# redis['master_password'] = 'redis-password-goes-here'####! Increase these values when your replicas can't catch up with master# redis['client_output_buffer_limit_normal'] = '0 0 0'# redis['client_output_buffer_limit_replica'] = '256mb 64mb 60'# redis['client_output_buffer_limit_pubsub'] = '32mb 8mb 60'#####! Redis snapshotting frequency#####! Set to [] to disable#####! Set to [''] to clear previously set values# redis['save'] = [ '900 1', '300 10', '60 10000' ]#####! Redis lazy freeing#####! Defaults to false# redis['lazyfree_lazy_eviction'] = true# redis['lazyfree_lazy_expire'] = true# redis['lazyfree_lazy_server_del'] = true# redis['replica_lazy_flush'] = true#####! Redis threaded I/O#####! Defaults to disabled# redis['io_threads'] = 4# redis['io_threads_do_reads'] = true################################################################################## GitLab Web server##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server##################################################################################! When bundled nginx is disabled we need to add the external webserver user to##! the GitLab webserver group.# web_server['external_users'] = []# web_server['username'] = 'gitlab-www'# web_server['group'] = 'gitlab-www'# web_server['uid'] = nil# web_server['gid'] = nil# web_server['shell'] = '/bin/false'# web_server['home'] = '/var/opt/gitlab/nginx'################################################################################## GitLab NGINX##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html################################################################################# nginx['enable'] = true# nginx['client_max_body_size'] = '0'# nginx['redirect_http_to_https'] = false# nginx['redirect_http_to_https_port'] = 80##! Most root CA's are included by default# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"##! enable/disable 2-way SSL client authentication# nginx['ssl_verify_client'] = "off"##! if ssl_verify_client on, verification depth in the client certificates chain# nginx['ssl_verify_depth'] = "1"# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"# nginx['ssl_ciphers'] = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"# nginx['ssl_prefer_server_ciphers'] = "off"##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html**# nginx['ssl_session_cache'] = "shared:SSL:10m"##! **Recommended in: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6**# nginx['ssl_session_tickets'] = "off"##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html**# nginx['ssl_session_timeout'] = "1d"# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem# nginx['ssl_password_file'] = nil # Path to file with passphrases for ssl certificate secret keys# nginx['listen_addresses'] = ['*']##! **Defaults to forcing web browsers to always communicate using only HTTPS**##! Docs: https://docs.gitlab.com/omnibus/settings/ssl/#configure-the-http-strict-transport-security-hsts# nginx['hsts_max_age'] = 63072000# nginx['hsts_include_subdomains'] = false##! Defaults to stripping path information when making cross-origin requests# nginx['referrer_policy'] = 'strict-origin-when-cross-origin'##! **Docs: http://nginx.org/en/docs/http/ngx_http_gzip_module.html**# nginx['gzip_enabled'] = true##! **Override only if you use a reverse proxy**##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port# nginx['listen_port'] = nil##! **Override only if your reverse proxy internally communicates over HTTP**##! Docs: https://docs.gitlab.com/omnibus/settings/ssl/#configure-a-reverse-proxy-or-load-balancer-ssl-termination# nginx['listen_https'] = nil##! **Override only if you use a reverse proxy with proxy protocol enabled**##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#configuring-the-proxy-protocol# nginx['proxy_protocol'] = false# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"# nginx['proxy_read_timeout'] = 3600# nginx['proxy_connect_timeout'] = 300# nginx['proxy_set_headers'] = {# "Host" => "$http_host_with_default",# "X-Real-IP" => "$remote_addr",# "X-Forwarded-For" => "$proxy_add_x_forwarded_for",# "Upgrade" => "$http_upgrade",# "Connection" => "$connection_upgrade"# }# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'# nginx['proxy_cache'] = 'gitlab'# nginx['proxy_custom_buffer_size'] = nil# nginx['http2_enabled'] = true# nginx['real_ip_trusted_addresses'] = []# nginx['real_ip_header'] = nil# nginx['real_ip_recursive'] = nil# nginx['custom_error_pages'] = {# '404' => {# 'title' => 'Example title',# 'header' => 'Example header',# 'message' => 'Example message'# }# }### Advanced settings# nginx['dir'] = "/var/opt/gitlab/nginx"# nginx['log_directory'] = "/var/log/gitlab/nginx"# nginx['log_group'] = nil# nginx['error_log_level'] = "error"# nginx['worker_processes'] = 4# nginx['worker_connections'] = 10240# nginx['log_format'] = '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio'# nginx['sendfile'] = 'on'# nginx['tcp_nopush'] = 'on'# nginx['tcp_nodelay'] = 'on'# nginx['hide_server_tokens'] = 'off'# nginx['gzip_http_version'] = "1.0"# nginx['gzip_comp_level'] = "2"# nginx['gzip_proxied'] = "any"# nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]# nginx['keepalive_timeout'] = 65# nginx['keepalive_time'] = '1h'# nginx['cache_max_size'] = '5000m'# nginx['server_names_hash_bucket_size'] = 64##! These paths have proxy_request_buffering disabled# nginx['request_buffering_off_path_regex'] = "/api/v\\d/jobs/\\d+/artifacts$|/import/gitlab_project$|\\.git/git-receive-pack$|\\.git/ssh-receive-pack$|\\.git/ssh-upload-pack$|\\.git/gitlab-lfs/objects|\\.git/info/lfs/objects/batch$"### Nginx status# nginx['status'] = {# "enable" => true,# "listen_addresses" => ["127.0.0.1"],# "fqdn" => "dev.example.com",# "port" => 9999,# "vts_enable" => true,# "options" => {# "server_tokens" => "off", # Don't show the version of NGINX# "access_log" => "off", # Disable logs for stats# "allow" => "127.0.0.1", # Only allow access from localhost# "deny" => "all" # Deny access to anyone else# }# }##! Service name used to register Nginx as a Consul service# nginx['consul_service_name'] = 'nginx'##! Semantic metadata used when registering NGINX as a Consul service# nginx['consul_service_meta'] = {}################################################################################## GitLab Logging##! Docs: https://docs.gitlab.com/omnibus/settings/logs.html################################################################################# logging['svlogd_size'] = 200 * 1024 * 1024 # rotate after 200 MB of log data# logging['svlogd_num'] = 30 # keep 30 rotated log files# logging['svlogd_timeout'] = 24 * 60 * 60 # rotate after 24 hours# logging['svlogd_filter'] = "gzip" # compress logs with gzip# logging['svlogd_udp'] = nil # transmit log messages via UDP# logging['svlogd_prefix'] = nil # custom prefix for log messages# logging['logrotate_frequency'] = "daily" # rotate logs daily# logging['logrotate_maxsize'] = nil # rotate logs when they grow bigger than size bytes even before the specified time interval (daily, weekly, monthly, or yearly)# logging['logrotate_size'] = nil # do not rotate by size by default# logging['logrotate_rotate'] = 30 # keep 30 rotated logs# logging['logrotate_compress'] = "compress" # see 'man logrotate'# logging['logrotate_method'] = "copytruncate" # see 'man logrotate'# logging['logrotate_postrotate'] = nil # no postrotate command by default# logging['logrotate_dateformat'] = nil # use date extensions for rotated files rather than numbers e.g. a value of "-%Y-%m-%d" would give rotated files like production.log-2016-03-09.gz# logging['log_group'] = nil # assign this group to specified log directories and use it for runit-managed logs, can be overridden per-service### UDP log forwarding##! Docs: http://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding##! remote host to ship log messages to via UDP# logging['udp_log_shipping_host'] = nil##! override the hostname used when logs are shipped via UDP,##! by default the system hostname will be used.# logging['udp_log_shipping_hostname'] = nil##! remote port to ship log messages to via UDP# logging['udp_log_shipping_port'] = 514################################################################################## Logrotate##! Docs: https://docs.gitlab.com/omnibus/settings/logs.html#logrotate##! You can disable built in logrotate feature.################################################################################# logrotate['enable'] = true# logrotate['log_directory'] = "/var/log/gitlab/logrotate"# logrotate['log_group'] = nil################################################################################## Users and groups accounts##! Disable management of users and groups accounts.##! **Set only if creating accounts manually**##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#disable-user-and-group-account-management################################################################################# manage_accounts['enable'] = true################################################################################## Storage directories##! Disable managing storage directories##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#disable-storage-directories-management##################################################################################! **Set only if the select directories are created manually**# manage_storage_directories['enable'] = false# manage_storage_directories['manage_etc'] = false################################################################################## Runtime directory##! Docs: https://docs.gitlab.com//omnibus/settings/configuration.html#configure-the-runtime-directory################################################################################# runtime_dir '/run'################################################################################## Git##! Advanced setting for configuring git system settings for omnibus-gitlab##! internal git##################################################################################! The format of the Omnibus gitconfig is:##! { "section" => ["subsection = value"] }##! For example:##! { "pack" => ["threads = 1"] }##! For multiple options under one header use array of comma separated values,##! eg.:##! { "receive" => ["fsckObjects = true"], "alias" => ["st = status", "co = checkout"] }# omnibus_gitconfig['system'] = {}################################################################################## GitLab Pages##! Docs: https://docs.gitlab.com/ee/administration/pages/##################################################################################! Define to enable GitLab Pages# pages_external_url "http://pages.example.com/"# gitlab_pages['enable'] = false##! Configure to expose GitLab Pages on external IP address, serving the HTTP# gitlab_pages['external_http'] = []##! Configure to expose GitLab Pages on external IP address, serving the HTTPS# gitlab_pages['external_https'] = []##! Configure to expose GitLab Pages on external IP address, serving the HTTPS over PROXYv2# gitlab_pages['external_https_proxyv2'] = []##! Configure cert when using external IP address# gitlab_pages['cert'] = "/etc/gitlab/ssl/#{Gitlab['gitlab_pages']['domain']}.crt"# gitlab_pages['cert_key'] = "/etc/gitlab/ssl/#{Gitlab['gitlab_pages']['domain']}.key"##! Configure to use the default list of cipher suites# gitlab_pages['insecure_ciphers'] = false##! Configure to enable health check endpoint on GitLab Pages# gitlab_pages['status_uri'] = "/@status"##! Tune the maximum number of concurrent connections GitLab Pages will handle.##! Default to 0 for unlimited connections.# gitlab_pages['max_connections'] = 0##! Configure the maximum length of URIs accepted by GitLab Pages##! By default is limited for security reasons. Set 0 for unlimited# gitlab_pages['max_uri_length'] = 1024##! Setting the propagate_correlation_id to true allows installations behind a reverse proxy##! generate and set a correlation ID to requests sent to GitLab Pages. If a reverse proxy##! sets the header value X-Request-ID, the value will be propagated in the request chain.# gitlab_pages['propagate_correlation_id'] = false##! Configure to use JSON structured logging in GitLab Pages# gitlab_pages['log_format'] = "json"##! Configure verbose logging for GitLab Pages# gitlab_pages['log_verbose'] = false##! Error Reporting and Logging with Sentry# gitlab_pages['sentry_enabled'] = false# gitlab_pages['sentry_dsn'] = 'https://<key>@sentry.io/<project>'# gitlab_pages['sentry_environment'] = 'production'##! Listen for requests forwarded by reverse proxy# gitlab_pages['listen_proxy'] = "localhost:8090"# gitlab_pages['redirect_http'] = true# gitlab_pages['use_http2'] = true# gitlab_pages['dir'] = "/var/opt/gitlab/gitlab-pages"# gitlab_pages['log_directory'] = "/var/log/gitlab/gitlab-pages"# gitlab_pages['log_group'] = nil# gitlab_pages['artifacts_server'] = true# gitlab_pages['artifacts_server_url'] = nil # Defaults to external_url + '/api/v4'# gitlab_pages['artifacts_server_timeout'] = 10##! Prometheus metrics for Pages docs: https://gitlab.com/gitlab-org/gitlab-pages/#enable-prometheus-metrics# gitlab_pages['metrics_address'] = ":9235"##! Specifies the minimum TLS version ("tls1.2" or "tls1.3")# gitlab_pages['tls_min_version'] = "tls1.2"##! Specifies the maximum TLS version ("tls1.2" or "tls1.3")# gitlab_pages['tls_max_version'] = "tls1.3"##! Pages access control# gitlab_pages['access_control'] = false# gitlab_pages['gitlab_id'] = nil # Automatically generated if not present# gitlab_pages['gitlab_secret'] = nil # Generated if not present# gitlab_pages['auth_redirect_uri'] = nil # Defaults to projects subdomain of pages_external_url and + '/auth'# gitlab_pages['gitlab_server'] = nil # Defaults to external_url# gitlab_pages['internal_gitlab_server'] = nil # Defaults to gitlab_server, can be changed to internal load balancer# gitlab_pages['auth_secret'] = nil # Generated if not present# gitlab_pages['auth_scope'] = nil # Defaults to api, can be changed to read_api to increase security# gitlab_pages['auth_timeout'] = "5s" # GitLab application client timeout for authentication# gitlab_pages['auth_cookie_session_timeout'] = "10m" # Authentication cookie session timeout (truncated to seconds). A zero value means the cookie will be deleted after the browser session ends##! GitLab Pages Server Shutdown Timeout##! Duration ("30s" for 30 seconds)# gitlab_pages['server_shutdown_timeout'] = "30s"##! GitLab API HTTP client connection timeout# gitlab_pages['gitlab_client_http_timeout'] = "10s"##! GitLab API JWT Token expiry time# gitlab_pages['gitlab_client_jwt_expiry'] = "30s"##! Advanced settings for API-based configuration for GitLab Pages.##! The recommended default values are set inside GitLab Pages.##! Should be changed only if absolutely needed.##! The maximum time a domain's configuration is stored in the cache.# gitlab_pages['gitlab_cache_expiry'] = "600s"##! The interval at which a domain's configuration is set to be due to refresh (default: 60s).# gitlab_pages['gitlab_cache_refresh'] = "60s"##! The interval at which expired items are removed from the cache (default: 60s).# gitlab_pages['gitlab_cache_cleanup'] = "60s"##! The maximum time to wait for a response from the GitLab API per request.# gitlab_pages['gitlab_retrieval_timeout'] = "30s"##! The interval to wait before retrying to resolve a domain's configuration via the GitLab API.# gitlab_pages['gitlab_retrieval_interval'] = "1s"##! The maximum number of times to retry to resolve a domain's configuration via the API# gitlab_pages['gitlab_retrieval_retries'] = 3##! Define custom gitlab-pages HTTP headers for the whole instance# gitlab_pages['headers'] = []##! Shared secret used for authentication between Pages and GitLab# gitlab_pages['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.##! Advanced settings for serving GitLab Pages from zip archives.##! The recommended default values are set inside GitLab Pages.##! Should be changed only if absolutely needed.##! The maximum time an archive will be cached in memory.# gitlab_pages['zip_cache_expiration'] = "60s"##! Zip archive cache cleaning interval.# gitlab_pages['zip_cache_cleanup'] = "30s"##! The interval to refresh a cache archive if accessed before expiring.# gitlab_pages['zip_cache_refresh'] = "30s"##! The maximum amount of time it takes to open a zip archive from the file system or object storage.# gitlab_pages['zip_open_timeout'] = "30s"##! Zip HTTP Client timeout# gitlab_pages['zip_http_client_timeout'] = "30m"##! ReadTimeout is the maximum duration for reading the entire request, including the body. A zero or negative value means there will be no timeout.# gitlab_pages['server_read_timeout'] = "5s"##! ReadHeaderTimeout is the amount of time allowed to read request headers. A zero or negative value means there will be no timeout.# gitlab_pages['server_read_header_timeout'] = "1s"##! WriteTimeout is the maximum duration before timing out writes of the response. A zero or negative value means there will be no timeout.# gitlab_pages['server_write_timeout'] = "5m"##! KeepAlive specifies the keep-alive period for network connections accepted by this listener. If zero, keep-alives are enabled if supported by the protocol and operating system. If negative, keep-alives are disabled.# gitlab_pages['server_keep_alive'] = "15s"##! Enable serving content from disk instead of Object Storage# gitlab_pages['enable_disk'] = nil##! Rate-limiting options below work in report-only mode:##! they only count rejected requests, but don't reject them##! enable `FF_ENABLE_RATE_LIMITER=true` environment variable to##! reject requests.##! Rate limits as described in https://docs.gitlab.com/ee/administration/pages/#rate-limits##! Rate limit HTTP requests per second from a single IP, 0 means is disabled# gitlab_pages['rate_limit_source_ip'] = 50.0##! Rate limit HTTP requests from a single IP, maximum burst allowed per second# gitlab_pages['rate_limit_source_ip_burst'] = 600##! Rate limit HTTP requests per second to a single domain, 0 means is disabled# gitlab_pages['rate_limit_domain'] = 0##! Rate limit HTTP requests to a single domain, maximum burst allowed per second# gitlab_pages['rate_limit_domain_burst'] = 10000##! Rate limit new TLS connections per second from a single IP, 0 means is disabled# gitlab_pages['rate_limit_tls_source_ip'] = 50.0##! Rate limit new TLS connections from a single IP, maximum burst allowed per second# gitlab_pages['rate_limit_tls_source_ip_burst'] = 600##!Rate limit new TLS connections per second from to a single domain, 0 means is disabled# gitlab_pages['rate_limit_tls_domain'] = 0##! Rate limit new TLS connections to a single domain, maximum burst allowed per second# gitlab_pages['rate_limit_tls_domain_burst'] = 10000##! The maximum size of the _redirects file, in bytes# gitlab_pages['redirects_max_config_size'] = 65536##! The maximum number of path segments allowed in _redirects rules URLs# gitlab_pages['redirects_max_path_segments'] = 25##! The maximum number of rules allowed in _redirects# gitlab_pages['redirects_max_rule_count'] = 1000# gitlab_pages['env_directory'] = "/opt/gitlab/etc/gitlab-pages/env"# gitlab_pages['env'] = {# 'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/"# }##! Experimental - Enable namespace in path# gitlab_pages['namespace_in_path'] = false##! Configure GitLab Pages client cert and client key which will be used as mutual TLS with GitLab API# gitlab_pages['client_cert'] = "/path/to/client.crt"# gitlab_pages['client_key'] = "/path/to/client.key"##! Configure root CA certs used to sign client certs which will be used with GitLab API# gitlab_pages['client_ca_certs'] = "/path/to/ca.crt"################################################################################## GitLab Pages NGINX##################################################################################! All the settings defined in the "GitLab Nginx" section are also available in##! this "GitLab Pages NGINX" section, using the key `pages_nginx`. However,##! those settings should be explicitly set. That is, settings given as##! `nginx['some_setting']` WILL NOT be automatically replicated as##! `pages_nginx['some_setting']` and should be set separately.##! Below you can find settings that are exclusive to "GitLab Pages NGINX"# pages_nginx['enable'] = true# gitlab_rails['pages_path'] = "/var/opt/gitlab/gitlab-rails/shared/pages"################################################################################## GitLab CI##! Docs: https://docs.gitlab.com/ee/ci/quick_start/################################################################################# gitlab_ci['gitlab_ci_all_broken_builds'] = true# gitlab_ci['gitlab_ci_add_pusher'] = true# gitlab_ci['builds_directory'] = '/var/opt/gitlab/gitlab-ci/builds'################################################################################## GitLab Kubernetes Agent Server##! Docs: https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/blob/master/README.md##################################################################################! Settings used by the GitLab application# gitlab_rails['gitlab_kas_enabled'] = true# gitlab_rails['gitlab_kas_external_url'] = 'ws://gitlab.example.com/-/kubernetes-agent/'# gitlab_rails['gitlab_kas_internal_url'] = 'grpc://localhost:8153'# gitlab_rails['gitlab_kas_external_k8s_proxy_url'] = 'https://gitlab.example.com/-/kubernetes-agent/k8s-proxy/'##! Define to enable GitLab KAS# gitlab_kas_external_url "ws://gitlab.example.com/-/kubernetes-agent/"# gitlab_kas['enable'] = true##! Agent configuration for GitLab KAS# gitlab_kas['agent_configuration_poll_period'] = 300# gitlab_kas['agent_gitops_poll_period'] = 300# gitlab_kas['agent_gitops_project_info_cache_ttl'] = 300# gitlab_kas['agent_gitops_project_info_cache_error_ttl'] = 60# gitlab_kas['agent_info_cache_ttl'] = 300# gitlab_kas['agent_info_cache_error_ttl'] = 60##! Shared secret used for authentication between KAS and GitLab# gitlab_kas['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.##! Shared secret used for authentication between different KAS instances in a multi-node setup# gitlab_kas['private_api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.###! Secret used for WebSocket Token signing and verification. Must be shared in multi-node setup# gitlab_kas['websocket_token_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 72 bytes long.##! Listen configuration for GitLab KAS# gitlab_kas['listen_address'] = 'localhost:8150'# gitlab_kas['listen_network'] = 'tcp'# gitlab_kas['listen_websocket'] = true# gitlab_kas['certificate_file'] = "/path/to/certificate.pem"# gitlab_kas['key_file'] = "/path/to/key.pem"# gitlab_kas['observability_listen_network'] = 'tcp'# gitlab_kas['observability_listen_address'] = 'localhost:8151'# gitlab_kas['internal_api_listen_network'] = 'tcp'# gitlab_kas['internal_api_listen_address'] = 'localhost:8153'# gitlab_kas['internal_api_certificate_file'] = "/path/to/certificate.pem"# gitlab_kas['internal_api_key_file'] = "/path/to/key.pem"# gitlab_kas['kubernetes_api_listen_address'] = 'localhost:8154'# gitlab_kas['kubernetes_api_certificate_file'] = "/path/to/certificate.pem"# gitlab_kas['kubernetes_api_key_file'] = "/path/to/key.pem"# gitlab_kas['private_api_listen_network'] = 'tcp'# gitlab_kas['private_api_listen_address'] = 'localhost:8155'# gitlab_kas['private_api_certificate_file'] = "/path/to/certificate.pem"# gitlab_kas['private_api_key_file'] = "/path/to/key.pem"##! Metrics configuration for GitLab KAS# gitlab_kas['metrics_usage_reporting_period'] = 60##! Log configuration for GitLab KAS# gitlab_kas['log_level'] = 'info'# gitlab_kas['grpc_log_level'] = 'error'##! Environment variables for GitLab KAS# gitlab_kas['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",# # In a multi-node setup, this address MUST be reachable from other KAS instances. In a single-node setup,# # it can be on localhost for simplicity.# # Use OWN_PRIVATE_API_CIDR + OWN_PRIVATE_API_PORT (optional) + OWN_PRIVATE_API_SCHEME (optional) if you cannot# # specify a correct address for each KAS instance in OWN_PRIVATE_API_URL.# # 'OWN_PRIVATE_API_URL' => 'grpc://localhost:8155'# # 'OWN_PRIVATE_API_CIDR' => '10.0.0.0/8', # IPv4 example# # 'OWN_PRIVATE_API_CIDR' => '2001:db8:8a2e:370::7334/64', # IPv6 example# # 'OWN_PRIVATE_API_PORT' => '8155', # if not set, port from private_api_listen_address is used# # 'OWN_PRIVATE_API_SCHEME' => 'grpc', # use grpcs when using TLS on private API endpoint# # OWN_PRIVATE_API_HOST is used to verify the TLS cert hostname.# # Set KAS' host name if you want to use TLS for KAS->KAS communication.# # 'OWN_PRIVATE_API_HOST' => '<server-name-from-cert>',# }##! Error Reporting and Logging with Sentry# gitlab_kas['sentry_dsn'] = 'https://<key>@sentry.io/<project>'# gitlab_kas['sentry_environment'] = 'production'##! Directories for GitLab KAS# gitlab_kas['dir'] = '/var/opt/gitlab/gitlab-kas'# gitlab_kas['log_directory'] = '/var/log/gitlab/gitlab-kas'# gitlab_kas['log_group'] = nil# gitlab_kas['env_directory'] = '/opt/gitlab/etc/gitlab-kas/env'##! Redis settings for GitLab KAS# gitlab_kas['redis_socket'] = ''# gitlab_kas['redis_host'] = '127.0.0.1'# gitlab_kas['redis_port'] = '6379'# gitlab_kas['redis_password'] = nil# gitlab_kas['redis_sentinels'] = []# gitlab_kas['redis_sentinels_master_name'] = nil# gitlab_kas['redis_sentinels_password'] = ''# gitlab_kas['redis_ssl'] = false# gitlab_kas['redis_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# gitlab_kas['redis_tls_client_cert_file'] = nil# gitlab_kas['redis_tls_client_key_file'] = nil##! Command to generate extra configuration# gitlab_kas['extra_config_command'] = nil################################################################################## GitLab Suggested Reviewers (EE Only)##! Docs: https://docs.gitlab.com/ee/user/project/merge_requests/reviews/#suggested-reviewers##################################################################################! Shared secret used for authentication between Suggested Reviewers and GitLab# suggested_reviewers['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.################################################################################## GitLab Mattermost##! Docs: https://docs.gitlab.com/ee/integration/mattermost/################################################################################# mattermost_external_url 'http://mattermost.example.com'# mattermost['enable'] = false# mattermost['username'] = 'mattermost'# mattermost['group'] = 'mattermost'# mattermost['uid'] = nil# mattermost['gid'] = nil# mattermost['home'] = '/var/opt/gitlab/mattermost'# mattermost['database_name'] = 'mattermost_production'# mattermost['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }# mattermost['service_address'] = "127.0.0.1"# mattermost['service_port'] = "8065"# mattermost['service_site_url'] = nil# mattermost['service_allowed_untrusted_internal_connections'] = ""# mattermost['service_enable_api_team_deletion'] = true# mattermost['team_site_name'] = "GitLab Mattermost"# mattermost['sql_driver_name'] = 'mysql'# mattermost['sql_data_source'] = "mmuser:mostest@tcp(dockerhost:3306)/mattermost_test?charset=utf8mb4,utf8"# mattermost['log_file_directory'] = '/var/log/gitlab/mattermost/'# mattermost['gitlab_enable'] = false# mattermost['gitlab_id'] = "12345656"# mattermost['gitlab_secret'] = "123456789"# mattermost['gitlab_scope'] = ""# mattermost['gitlab_auth_endpoint'] = "http://gitlab.example.com/oauth/authorize"# mattermost['gitlab_token_endpoint'] = "http://gitlab.example.com/oauth/token"# mattermost['gitlab_user_api_endpoint'] = "http://gitlab.example.com/api/v4/user"# mattermost['file_directory'] = "/var/opt/gitlab/mattermost/data"# mattermost['plugin_directory'] = "/var/opt/gitlab/mattermost/plugins"# mattermost['plugin_client_directory'] = "/var/opt/gitlab/mattermost/client-plugins"################################################################################## Mattermost NGINX##################################################################################! All the settings defined in the "GitLab Nginx" section are also available in##! this "Mattermost NGINX" section, using the key `mattermost_nginx`. However,##! those settings should be explicitly set. That is, settings given as##! `nginx['some_setting']` WILL NOT be automatically replicated as##! `mattermost_nginx['some_setting']` and should be set separately.##! Below you can find settings that are exclusive to "Mattermost NGINX"# mattermost_nginx['enable'] = false# mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"# mattermost_nginx['proxy_set_headers'] = {# "Host" => "$http_host",# "X-Real-IP" => "$remote_addr",# "X-Forwarded-For" => "$proxy_add_x_forwarded_for",# "X-Frame-Options" => "SAMEORIGIN",# "X-Forwarded-Proto" => "https",# "X-Forwarded-Ssl" => "on",# "Upgrade" => "$http_upgrade",# "Connection" => "$connection_upgrade"# }################################################################################## Registry NGINX##################################################################################! All the settings defined in the "GitLab Nginx" section are also available in##! this "Registry NGINX" section, using the key `registry_nginx`. However, those##! settings should be explicitly set. That is, settings given as##! `nginx['some_setting']` WILL NOT be automatically replicated as##! `registry_nginx['some_setting']` and should be set separately.##! Below you can find settings that are exclusive to "Registry NGINX"# registry_nginx['enable'] = false# registry_nginx['proxy_set_headers'] = {# "Host" => "$http_host",# "X-Real-IP" => "$remote_addr",# "X-Forwarded-For" => "$proxy_add_x_forwarded_for",# "X-Forwarded-Proto" => "https",# "X-Forwarded-Ssl" => "on"# }##! When the registry is automatically enabled using the same domain as `external_url`,##! it listens on this port# registry_nginx['listen_port'] = 5050################################################################################## Prometheus##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/###################################################################################! **To enable only Monitoring service in this machine, uncomment###! the line below.**# monitoring_role['enable'] = true# prometheus['enable'] = true# prometheus['monitor_kubernetes'] = true# prometheus['username'] = 'gitlab-prometheus'# prometheus['group'] = 'gitlab-prometheus'# prometheus['uid'] = nil# prometheus['gid'] = nil# prometheus['shell'] = '/bin/sh'# prometheus['home'] = '/var/opt/gitlab/prometheus'# prometheus['log_directory'] = '/var/log/gitlab/prometheus'# prometheus['log_group'] = nil# prometheus['rules_files'] = ['/var/opt/gitlab/prometheus/rules/*.rules']# prometheus['scrape_interval'] = 15# prometheus['scrape_timeout'] = 15# prometheus['external_labels'] = { }# prometheus['env_directory'] = '/opt/gitlab/etc/prometheus/env'# prometheus['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }### Custom scrape configs###! Prometheus can scrape additional jobs via scrape_configs. The default automatically###! includes all of the exporters supported by the omnibus config.###!###! See: https://prometheus.io/docs/operating/configuration/#scrape_config# prometheus['scrape_configs'] = [# {# 'job_name': 'example',# 'static_configs' => [# 'targets' => ['hostname:port'],# ],# },# ]### Custom alertmanager config###! To configure external alertmanagers, create an alertmanager config.###! See: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config# prometheus['alertmanagers'] = [# {# 'static_configs' => [# {# 'targets' => [# 'hostname:port'# ]# }# ]# }# ]### Custom Prometheus flags# prometheus['flags'] = {# 'storage.tsdb.path' => "/var/opt/gitlab/prometheus/data",# 'storage.tsdb.retention.time' => "15d",# 'config.file' => "/var/opt/gitlab/prometheus/prometheus.yml"# }###! Advanced settings. Should be changed only if absolutely needed.# prometheus['listen_address'] = 'localhost:9090'####! Service name used to register Prometheus as a Consul service# prometheus['consul_service_name'] = 'prometheus'###! Semantic metadata used when registering Prometheus as a Consul service# prometheus['consul_service_meta'] = {}###! **Only needed if Prometheus and Rails are not on the same server.**###! For example, in a multi-node architecture, Prometheus will be installed on the monitoring node, while Rails will be on the Rails node.###! https://docs.gitlab.com/ee/administration/monitoring/prometheus/index.html#using-an-external-prometheus-server###! This value should be the address at which Prometheus is available to a GitLab Rails(Puma, Sidekiq) node.# gitlab_rails['prometheus_address'] = 'your.prom:9090'################################################################################## Prometheus Alertmanager################################################################################# alertmanager['enable'] = true# alertmanager['home'] = '/var/opt/gitlab/alertmanager'# alertmanager['log_directory'] = '/var/log/gitlab/alertmanager'# alertmanager['log_group'] = nil# alertmanager['admin_email'] = 'admin@example.com'# alertmanager['flags'] = {# 'web.listen-address' => "localhost:9093",# 'storage.path' => "/var/opt/gitlab/alertmanager/data",# 'config.file' => "/var/opt/gitlab/alertmanager/alertmanager.yml"# }# alertmanager['env_directory'] = '/opt/gitlab/etc/alertmanager/env'# alertmanager['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }##! Advanced settings. Should be changed only if absolutely needed.# alertmanager['listen_address'] = 'localhost:9093'# alertmanager['global'] = {}################################################################################## Prometheus Node Exporter##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/node_exporter.html################################################################################# node_exporter['enable'] = true# node_exporter['home'] = '/var/opt/gitlab/node-exporter'# node_exporter['log_directory'] = '/var/log/gitlab/node-exporter'# node_exporter['log_group'] = nil# node_exporter['flags'] = {# 'collector.textfile.directory' => "/var/opt/gitlab/node-exporter/textfile_collector"# }# node_exporter['env_directory'] = '/opt/gitlab/etc/node-exporter/env'# node_exporter['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }##! Advanced settings. Should be changed only if absolutely needed.# node_exporter['listen_address'] = 'localhost:9100'##! Service name used to register Node Exporter as a Consul service# node_exporter['consul_service_name'] = 'node-exporter'##! Semantic metadata used when registering Node Exporter as a Consul service# node_exporter['consul_service_meta'] = {}################################################################################## Prometheus Redis exporter##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/redis_exporter.html################################################################################# redis_exporter['enable'] = true# redis_exporter['log_directory'] = '/var/log/gitlab/redis-exporter'# redis_exporter['log_group'] = nil# redis_exporter['flags'] = {# 'redis.addr' => "unix:///var/opt/gitlab/redis/redis.socket",# }# redis_exporter['env_directory'] = '/opt/gitlab/etc/redis-exporter/env'# redis_exporter['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }##! Advanced settings. Should be changed only if absolutely needed.# redis_exporter['listen_address'] = 'localhost:9121'##! Service name used to register Redis Exporter as a Consul service# redis_exporter['consul_service_name'] = 'redis-exporter'##! Semantic metadata used when registering Redis Exporter as a Consul service# redis_exporter['consul_service_meta'] = {}################################################################################## Prometheus Postgres exporter##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/postgres_exporter.html################################################################################# postgres_exporter['enable'] = true# postgres_exporter['home'] = '/var/opt/gitlab/postgres-exporter'# postgres_exporter['log_directory'] = '/var/log/gitlab/postgres-exporter'# postgres_exporter['log_group'] = nil# postgres_exporter['flags'] = {# 'collector.stat_user_tables' => false,# 'collector.postmaster' => true# }# postgres_exporter['listen_address'] = 'localhost:9187'# postgres_exporter['env_directory'] = '/opt/gitlab/etc/postgres-exporter/env'# postgres_exporter['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }# postgres_exporter['sslmode'] = nil##! Service name used to register Postgres Exporter as a Consul service# postgres_exporter['consul_service_name'] = 'postgres-exporter'##! Semantic metadata used when registering Postgres Exporter as a Consul service# postgres_exporter['consul_service_meta'] = {}################################################################################## Prometheus PgBouncer exporter (EE only)##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/pgbouncer_exporter.html################################################################################# pgbouncer_exporter['enable'] = false# pgbouncer_exporter['log_directory'] = "/var/log/gitlab/pgbouncer-exporter"# pgbouncer_exporter['log_group'] = nil# pgbouncer_exporter['listen_address'] = 'localhost:9188'# pgbouncer_exporter['env_directory'] = '/opt/gitlab/etc/pgbouncer-exporter/env'# pgbouncer_exporter['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }################################################################################## Prometheus Gitlab exporter##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_exporter.html################################################################################# gitlab_exporter['enable'] = true# gitlab_exporter['log_directory'] = "/var/log/gitlab/gitlab-exporter"# gitlab_exporter['log_group'] = nil# gitlab_exporter['home'] = "/var/opt/gitlab/gitlab-exporter"##! Advanced settings. Should be changed only if absolutely needed.# gitlab_exporter['server_name'] = 'webrick'# gitlab_exporter['listen_address'] = 'localhost'# gitlab_exporter['listen_port'] = '9168'##! TLS settings.# gitlab_exporter['tls_enabled'] = false# gitlab_exporter['tls_cert_path'] = '/etc/gitlab/ssl/gitlab-exporter.crt'# gitlab_exporter['tls_key_path'] = '/etc/gitlab/ssl/gitlab-exporter.key'##! Prometheus scrape related configs# gitlab_exporter['prometheus_scrape_scheme'] = 'http'# gitlab_exporter['prometheus_scrape_tls_server_name'] = 'localhost'# gitlab_exporter['prometheus_scrape_tls_skip_verification'] = false##! Manage gitlab-exporter sidekiq probes. false by default when Sentinels are##! found.# gitlab_exporter['probe_sidekiq'] = true##! Manage gitlab-exporter elasticsearch probes. Add authorization header if security##! is enabled.# gitlab_exporter['probe_elasticsearch'] = false# gitlab_exporter['elasticsearch_url'] = 'http://localhost:9200'# gitlab_exporter['elasticsearch_authorization'] = 'Basic <yourbase64encodedcredentials>'##! Service name used to register GitLab Exporter as a Consul service# gitlab_exporter['consul_service_name'] = 'gitlab-exporter'##! Semantic metadata used when registering GitLab Exporter as a Consul service# gitlab_exporter['consul_service_meta'] = {}##! Command to generate extra configuration# gitlab_exporter['extra_config_command'] = nil##! To completely disable prometheus, and all of it's exporters, set to false# prometheus_monitoring['enable'] = true################################################################################## Gitaly##! Docs: https://docs.gitlab.com/ee/administration/gitaly/configure_gitaly.html##################################################################################! The gitaly['enable'] option exists for the purpose of cluster##! deployments, see https://docs.gitlab.com/ee/administration/gitaly/index.html .# gitaly['enable'] = true# gitaly['dir'] = "/var/opt/gitlab/gitaly"# gitaly['log_group'] = nil# gitaly['bin_path'] = "/opt/gitlab/embedded/bin/gitaly"# gitaly['use_wrapper'] = true# gitaly['env_directory'] = "/opt/gitlab/etc/gitaly/env"# gitaly['env'] = {# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin",# 'HOME' => '/var/opt/gitlab',# 'TZ' => ':/etc/localtime',# 'PYTHONPATH' => "/opt/gitlab/embedded/lib/python3.9/site-packages",# 'ICU_DATA' => "/opt/gitlab/embedded/share/icu/current",# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",# 'WRAPPER_JSON_LOGGING' => true# }# gitaly['gitlab_secret'] = <secret># gitaly['open_files_ulimit'] = 15000 # Maximum number of open files allowed for the gitaly process##! Service name used to register Gitaly as a Consul service# gitaly['consul_service_name'] = 'gitaly'##! Semantic metadata used when registering Gitaly as a Consul service# gitaly['consul_service_meta'] = {}# gitaly['configuration'] = {# socket_path: '/var/opt/gitlab/gitaly/gitaly.socket',# runtime_dir: '/var/opt/gitlab/gitaly/run',# listen_addr: 'localhost:8075',# prometheus_listen_addr: 'localhost:9236',# tls_listen_addr: 'localhost:9075',# tls: {# certificate_path: '/var/opt/gitlab/gitaly/certificate.pem',# key_path: '/var/opt/gitlab/gitaly/key.pem',# },# graceful_restart_timeout: '1m', # Grace time for a gitaly process to finish ongoing requests# logging: {# dir: "/var/log/gitlab/gitaly",# level: 'warn',# format: 'json',# sentry_dsn: 'https://<key>:<secret>@sentry.io/<project>',# sentry_environment: 'production',# },# prometheus: {# grpc_latency_buckets: [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0],# },# auth: {# token: '<secret>',# transitioning: false, # When true, auth is logged to Prometheus but NOT enforced# },# git: {# catfile_cache_size: 100, # Number of 'git cat-file' processes kept around for re-use# bin_path: '/opt/gitlab/embedded/bin/git', # A custom path for the 'git' executable# use_bundled_binaries: true, # Whether to use bundled Git.# signing_key: '/var/opt/gitlab/gitaly/signing_key.gpg',# ## Gitaly knows to set up the required default configuration for spawned Git# ## commands automatically. It should thus not be required to configure anything# ## here, except in very special situations where you must e.g. tweak specific# ## performance-related settings or enable debugging facilities. It is not safe in# ## general to set Git configuration that may change Git output in ways that are# ## unexpected by Gitaly.# config: [# { key: 'pack.threads', value: '4' },# { key: 'http.http://example.com.proxy', value: 'http://example.proxy.com' },# ],# },# gitlab: {# url: 'http://localhost:9999',# relative_url_root: '/gitlab-ee',# },# hooks: {# custom_hooks_dir: '/var/opt/gitlab/gitaly/custom_hooks',# },# daily_maintenance: {# disabled: false,# start_hour: 22,# start_minute: 30,# duration: '30m',# storages: ['default'],# },# cgroups: {# mountpoint: '/sys/fs/cgroup',# hierarchy_root: 'gitaly',# memory_bytes: 1048576,# cpu_shares: 512,# cpu_quota_us: 400000,# repositories: {# count: 1000,# memory_bytes: 12884901888,# cpu_shares: 128,# cpu_quota_us: 200000# max_cgroups_per_repo: 2# },# },# concurrency: [# {# rpc: '/gitaly.SmartHTTPService/PostReceivePack',# max_per_repo: 20,# },# {# rpc: '/gitaly.SSHService/SSHUploadPack',# max_per_repo: 5,# },# ],# rate_limiting: [# {# rpc: '/gitaly.SmartHTTPService/PostReceivePack',# interval: '1m',# burst: 10,# },# {# rpc: '/gitaly.SSHService/SSHUploadPack',# interval: '1m',# burst: 5,# },# ],# pack_objects_cache: {# enabled: true,# dir: '/var/opt/gitlab/git-data/repositories/+gitaly/PackObjectsCache',# max_age: '5m',# },# storage: [# {# name: 'gitaly-1',# path: '/var/opt/gitlab/git-data/repositories',# },# ],# }################################################################################## Praefect##! Docs: https://docs.gitlab.com/ee/administration/gitaly/praefect.html################################################################################# praefect['enable'] = false# praefect['dir'] = "/var/opt/gitlab/praefect"# praefect['log_directory'] = "/var/log/gitlab/praefect"# praefect['log_group'] = nil# praefect['env_directory'] = "/opt/gitlab/etc/praefect/env"# praefect['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",# 'GITALY_PID_FILE' => "/var/opt/gitlab/praefect/praefect.pid",# 'WRAPPER_JSON_LOGGING' => true# }# praefect['wrapper_path'] = "/opt/gitlab/embedded/bin/gitaly-wrapper"# praefect['auto_migrate'] = true##! Service name used to register Praefect as a Consul service# praefect['consul_service_name'] = 'praefect'##! Semantic metadata used when registering Praefect as a Consul service# praefect['consul_service_meta'] = {}# praefect['configuration'] = {# listen_addr: 'localhost:2305',# prometheus_listen_addr: 'localhost:9652',# tls_listen_addr: 'localhost:3305',# auth: {# token: '',# transitioning: false,# },# logging: {# format: 'json',# level: 'warn',# },# failover: {# enabled: true,# },# background_verification: {# delete_invalid_records: false,# verification_interval: '72h',# },# reconciliation: {# scheduling_interval: '5m',# histogram_buckets: [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0],# },# tls: {# certificate_path: '/var/opt/gitlab/prafect/certificate.pem',# key_path: '/var/opt/gitlab/prafect/key.pem',# },# database: {# host: 'postgres.external',# port: 6432,# user: 'praefect',# password: 'secret',# dbname: 'praefect_production',# sslmode: 'disable',# sslcert: '/path/to/client-cert',# sslkey: '/path/to/client-key',# sslrootcert: '/path/to/rootcert',# session_pooled: {# host: 'postgres.internal',# port: 5432,# user: 'praefect',# password: 'secret',# dbname: 'praefect_production_direct',# sslmode: 'disable',# sslcert: '/path/to/client-cert',# sslkey: '/path/to/client-key',# sslrootcert: '/path/to/rootcert',# },# },# sentry: {# sentry_dsn: 'https://<key>:<secret>@sentry.io/<project>',# sentry_environment: 'production',# },# prometheus: {# grpc_latency_buckets: [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0],# },# graceful_stop_timeout: '1m',# virtual_storage: [# {# name: 'default',# default_replication_factor: 3,# node: [# {# storage: 'praefect-internal-0',# address: 'tcp://10.23.56.78:8075',# token: 'abc123',# },# {# storage: 'praefect-internal-1',# address: 'tcp://10.76.23.31:8075',# token: 'xyz456',# },# ],# },# {# name: 'alternative',# node: [# {# storage: 'praefect-internal-2',# address: 'tcp://10.34.1.16:8075',# token: 'abc321',# },# {# storage: 'praefect-internal-3',# address: 'tcp://10.23.18.6:8075',# token: 'xyz890',# },# ],# },# ],# }################################################################################## Storage check################################################################################# storage_check['enable'] = false# storage_check['target'] = 'unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'# storage_check['log_directory'] = '/var/log/gitlab/storage-check'# storage_check['log_group'] = nil################################################################################## Let's Encrypt integration################################################################################# letsencrypt['enable'] = nil# letsencrypt['contact_emails'] = [] # This should be an array of email addresses to add as contacts# letsencrypt['group'] = 'root'# letsencrypt['key_size'] = 2048# letsencrypt['owner'] = 'root'# letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'##! See https://docs.gitlab.com/omnibus/settings/ssl/index.html#renew-the-certificates-automatically for more on these settings# letsencrypt['auto_renew'] = true# letsencrypt['auto_renew_hour'] = 0# letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified.# letsencrypt['auto_renew_day_of_month'] = "*/4"# letsencrypt['auto_renew_log_directory'] = '/var/log/gitlab/lets-encrypt'# letsencrypt['alt_names'] = []##! Turn off automatic init system detection. To skip init detection in##! non-docker containers. Recommended not to change.# package['detect_init'] = true##! Attempt to modify kernel paramaters. To skip this in containers where the##! relevant file system is read-only, set the value to false.# package['modify_kernel_parameters'] = true##! Specify maximum number of tasks that can be created by the systemd unit##! Will be populated as TasksMax value to the unit file if user is on a systemd##! version that supports it (>= 227). Will be a no-op if user is not on systemd.# package['systemd_tasks_max'] = 4915##! Settings to configure order of GitLab's systemd unit.##! Note: We do not recommend changing these values unless absolutely necessary# package['systemd_after'] = 'multi-user.target'# package['systemd_wanted_by'] = 'multi-user.target'##! Settings to control secret generation and storage##! Note: We do not recommend changing these values unless absolutely necessary##! Set to false to only parse secrets from `gitlab-secrets.json` file but not generate them.# package['generate_default_secrets'] = true##! Set to false to prevent creating the default `gitlab-secrets.json` file# package['generate_secrets_json_file'] = true##! Settings to control SELinux policy##! Experimental. Set to 1.0 to switch from legacy multiple policy modules to##! newer single `gitlab` SELinux policy module.# package['selinux_policy_version'] = nil################################################################################################################################################################## Configuration Settings for GitLab EE only #################################################################################################################################################################################################################################################### Auxiliary cron jobs applicable to GitLab EE only################################################################################# gitlab_rails['geo_repository_sync_worker_cron'] = "*/5 * * * *"# gitlab_rails['geo_secondary_registry_consistency_worker'] = "* * * * *"# gitlab_rails['geo_secondary_usage_data_cron_worker'] = "0 0 * * 0"# gitlab_rails['geo_prune_event_log_worker_cron'] = "*/5 * * * *"# gitlab_rails['geo_repository_verification_primary_batch_worker_cron'] = "*/5 * * * *"# gitlab_rails['geo_repository_verification_secondary_scheduler_worker_cron'] = "*/5 * * * *"# gitlab_rails['geo_metrics_update_worker_cron'] = "*/1 * * * *"# gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *"# gitlab_rails['ldap_group_sync_worker_cron'] = "0 * * * *"# gitlab_rails['historical_data_worker_cron'] = "0 12 * * *"# gitlab_rails['elastic_index_bulk_cron'] = "*/1 * * * *"# gitlab_rails['analytics_devops_adoption_create_all_snapshots_worker_cron'] = "0 4 * * 0"# gitlab_rails['ci_runners_stale_group_runners_prune_worker_cron'] = "30 * * * *"# gitlab_rails['click_house_ci_finished_builds_sync_worker_cron'] = "*/3 * * * *"# gitlab_rails['click_house_ci_finished_builds_sync_worker_args'] = [1]################################################################################## Kerberos (EE Only)##! Docs: https://docs.gitlab.com/ee/integration/kerberos.html#http-git-access################################################################################# gitlab_rails['kerberos_enabled'] = true# gitlab_rails['kerberos_keytab'] = /etc/http.keytab# gitlab_rails['kerberos_service_principal_name'] = HTTP/gitlab.example.com@EXAMPLE.COM# gitlab_rails['kerberos_simple_ldap_linking_allowed_realms'] = ['example.com','kerberos.example.com']# gitlab_rails['kerberos_use_dedicated_port'] = true# gitlab_rails['kerberos_port'] = 8443# gitlab_rails['kerberos_https'] = true################################################################################## Package repository##! Docs: https://docs.gitlab.com/ee/administration/packages/################################################################################# gitlab_rails['packages_enabled'] = true# gitlab_rails['packages_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/packages"# gitlab_rails['packages_object_store_enabled'] = false# gitlab_rails['packages_object_store_proxy_download'] = false# gitlab_rails['packages_object_store_remote_directory'] = "packages"# gitlab_rails['packages_object_store_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',# # # The below options configure an S3 compatible host instead of AWS# # 'host' => 's3.amazonaws.com',# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'# }################################################################################## Dependency proxy##! Docs: https://docs.gitlab.com/ee/administration/packages/dependency_proxy.html################################################################################# gitlab_rails['dependency_proxy_enabled'] = true# gitlab_rails['dependency_proxy_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/dependency_proxy"# gitlab_rails['dependency_proxy_object_store_enabled'] = false# gitlab_rails['dependency_proxy_object_store_proxy_download'] = false# gitlab_rails['dependency_proxy_object_store_remote_directory'] = "dependency_proxy"# gitlab_rails['dependency_proxy_object_store_connection'] = {# 'provider' => 'AWS',# 'region' => 'eu-west-1',# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',# # # The below options configure an S3 compatible host instead of AWS# # 'host' => 's3.amazonaws.com',# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'# }################################################################################## GitLab Sentinel (EE Only)##! Docs: https://docs.gitlab.com/ee/administration/redis/replication_and_failover.html##################################################################################! **Make sure you configured all redis['master_*'] keys above before##! continuing.**##! To enable Sentinel and disable all other services in this machine,##! uncomment the line below (if you've enabled Redis role, it will keep it).##! Docs: https://docs.gitlab.com/ee/administration/redis/replication_and_failover.html# redis_sentinel_role['enable'] = true# sentinel['enable'] = true##! Bind to all interfaces, uncomment to specify an IP and bind to a single one# sentinel['bind'] = '0.0.0.0'##! Uncomment to change default port# sentinel['port'] = 26379##! Uncomment to require a Sentinel password. This may be different from the Redis master password.# sentinel['password'] = 'sentinel-password-goes-here'### Support to run sentinels in a Docker or NAT environment###! Docs: https://redis.io/topics/sentinel#sentinel-docker-nat-and-possible-issues###! In an standard case, Sentinel will run in the same network service as Redis, so the same IP will be announce for Redis and Sentinel###! Only define these values if it is needed to announce for Sentinel a differen IP service than Redis# sentinel['announce_ip'] = nil # If not defined, its value will be taken from redis['announce_ip'] or nil if not present# sentinel['announce_port'] = nil # If not defined, its value will be taken from sentinel['port'] or nil if redis['announce_ip'] not present##! Quorum must reflect the amount of voting sentinels it take to start a##! failover.##! **Value must NOT be greater then the amount of sentinels.**##! The quorum can be used to tune Sentinel in two ways:##! 1. If a the quorum is set to a value smaller than the majority of Sentinels##! we deploy, we are basically making Sentinel more sensible to master##! failures, triggering a failover as soon as even just a minority of##! Sentinels is no longer able to talk with the master.##! 2. If a quorum is set to a value greater than the majority of Sentinels, we##! are making Sentinel able to failover only when there are a very large##! number (larger than majority) of well connected Sentinels which agree##! about the master being down.# sentinel['quorum'] = 1### Consider unresponsive server down after x amount of ms.# sentinel['down_after_milliseconds'] = 10000### Specifies the failover timeout in milliseconds.##! It is used in many ways:##!##! - The time needed to re-start a failover after a previous failover was##! already tried against the same master by a given Sentinel, is two##! times the failover timeout.##!##! - The time needed for a replica replicating to a wrong master according##! to a Sentinel current configuration, to be forced to replicate##! with the right master, is exactly the failover timeout (counting since##! the moment a Sentinel detected the misconfiguration).##!##! - The time needed to cancel a failover that is already in progress but##! did not produced any configuration change (REPLICAOF NO ONE yet not##! acknowledged by the promoted replica).##!##! - The maximum time a failover in progress waits for all the replicas to be##! reconfigured as replicas of the new master. However even after this time##! the replicas will be reconfigured by the Sentinels anyway, but not with##! the exact parallel-syncs progression as specified.# sentinel['failover_timeout'] = 60000### Sentinel TLS settings###! To run Sentinel over TLS, specify values for the following settings# sentinel['tls_port'] = nil# sentinel['tls_cert_file'] = nil# sentinel['tls_key_file'] = nil###! Other TLS related optional settings# sentinel['tls_dh_params_file'] = nil# sentinel['tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'# sentinel['tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'# sentinel['tls_auth_clients'] = 'optional'# sentinel['tls_replication'] = nil# sentinel['tls_cluster'] = nil# sentinel['tls_protocols'] = nil# sentinel['tls_ciphers'] = nil# sentinel['tls_ciphersuites'] = nil# sentinel['tls_prefer_server_ciphers'] = nil# sentinel['tls_session_caching'] = nil# sentinel['tls_session_cache_size'] = nil# sentinel['tls_session_cache_timeout'] = nil### Sentinel hostname support###! When enabled, Redis will leverage hostname support###! Generally this does not need to be changed as we determine this based on###! the provided input from `redis['announce_ip']`###! * This is configured to `true` when a fully qualified hostname is provided###! * This is configured to `false` when an IP address is provided# sentinel['use_hostnames'] = <calculated>### Sentinel log settings# sentinel['log_directory'] = '/var/log/gitlab/sentinel'################################################################################## Additional Database Settings (EE only)##! Docs: https://docs.gitlab.com/ee/administration/postgresql/database_load_balancing.html################################################################################# gitlab_rails['db_load_balancing'] = { 'hosts' => ['secondary1.example.com'] }################################################################################## GitLab Geo##! Docs: https://docs.gitlab.com/ee/administration/geo/##################################################################################! Geo roles 'geo_primary_role' and 'geo_secondary_role' are set above with##! other roles. For more information, see: https://docs.gitlab.com/omnibus/roles/index.html#roles .##! This is an optional identifier which Geo nodes can use to identify themselves.##! For example, if external_url is the same for two secondaries, you must specify##! a unique Geo node name for those secondaries.##! If it is blank, it defaults to external_url.# gitlab_rails['geo_node_name'] = nil# gitlab_rails['geo_registry_replication_enabled'] = true# gitlab_rails['geo_registry_replication_primary_api_url'] = 'https://example.com:5050'################################################################################## GitLab Geo Secondary (EE only)################################################################################# geo_secondary['auto_migrate'] = true# geo_secondary['db_adapter'] = "postgresql"# geo_secondary['db_encoding'] = "unicode"# geo_secondary['db_collation'] = nil# geo_secondary['db_database'] = "gitlabhq_geo_production"# geo_secondary['db_username'] = "gitlab_geo"# geo_secondary['db_password'] = nil# geo_secondary['db_host'] = "/var/opt/gitlab/geo-postgresql"# geo_secondary['db_port'] = 5431# geo_secondary['db_socket'] = nil# geo_secondary['db_sslmode'] = nil# geo_secondary['db_sslcompression'] = 0# geo_secondary['db_sslrootcert'] = nil# geo_secondary['db_sslca'] = nil# geo_secondary['db_prepared_statements'] = false# geo_secondary['db_database_tasks'] = true################################################################################## GitLab Geo Secondary Tracking Database (EE only)################################################################################# geo_postgresql['enable'] = false# geo_postgresql['ha'] = false# geo_postgresql['dir'] = '/var/opt/gitlab/geo-postgresql'# geo_postgresql['pgbouncer_user'] = nil# geo_postgresql['pgbouncer_user_password'] = nil##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab`# geo_postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH'# geo_postgresql['log_directory'] = '/var/log/gitlab/geo-postgresql'##! Automatically restart PostgreSQL service when version changes.# geo_postgresql['auto_restart_on_version_change'] = true################################################################################## GitLab Geo Log Cursor Daemon (EE only)################################################################################# geo_logcursor['enable'] = false# geo_logcursor['log_directory'] = '/var/log/gitlab/geo-logcursor'# geo_logcursor['log_group'] = nil################################################################################## Unleash##! These settings are for GitLab internal use.##! They are used to control feature flags during GitLab development.##! Docs: https://docs.gitlab.com/ee/development/feature_flags################################################################################# gitlab_rails['feature_flags_unleash_enabled'] = false# gitlab_rails['feature_flags_unleash_url'] = nil# gitlab_rails['feature_flags_unleash_app_name'] = nil# gitlab_rails['feature_flags_unleash_instance_id'] = nil################################################################################## Pgbouncer (EE only)##! See the GitLab PgBouncer documentation: https://docs.gitlab.com/ee/administration/postgresql/pgbouncer.html##! See the PgBouncer page http://www.pgbouncer.org/config.html for details################################################################################# pgbouncer['enable'] = false# pgbouncer['log_directory'] = '/var/log/gitlab/pgbouncer'# pgbouncer['log_group'] = nil# pgbouncer['data_directory'] = '/var/opt/gitlab/pgbouncer'# pgbouncer['env_directory'] = '/opt/gitlab/etc/pgbouncer/env'# pgbouncer['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }# pgbouncer['listen_addr'] = '0.0.0.0'# pgbouncer['listen_port'] = '6432'# pgbouncer['pool_mode'] = 'transaction'# pgbouncer['max_prepared_statements'] = 0# pgbouncer['server_reset_query'] = 'DISCARD ALL'# pgbouncer['application_name_add_host'] = '1'# pgbouncer['max_client_conn'] = '2048'# pgbouncer['default_pool_size'] = '100'# pgbouncer['min_pool_size'] = '0'# pgbouncer['reserve_pool_size'] = '5'# pgbouncer['reserve_pool_timeout'] = '5.0'# pgbouncer['server_round_robin'] = '0'# pgbouncer['log_connections'] = '0'# pgbouncer['server_idle_timeout'] = '30'# pgbouncer['dns_max_ttl'] = '15.0'# pgbouncer['dns_zone_check_period'] = '0'# pgbouncer['dns_nxdomain_ttl'] = '15.0'# pgbouncer['admin_users'] = %w(gitlab-psql postgres pgbouncer)# pgbouncer['stats_users'] = %w(gitlab-psql postgres pgbouncer)# pgbouncer['ignore_startup_parameters'] = 'extra_float_digits'# pgbouncer['track_extra_parameters'] = %w(IntervalStyle)# pgbouncer['databases'] = {# DATABASE_NAME: {# host: HOSTNAME,# port: PORT# user: USERNAME,# password: PASSWORD##! generate this with `echo -n '$password + $username' | md5sum`# }# ...# }# pgbouncer['logfile'] = nil# pgbouncer['unix_socket_dir'] = nil# pgbouncer['unix_socket_mode'] = '0777'# pgbouncer['unix_socket_group'] = nil# pgbouncer['auth_type'] = 'md5'# pgbouncer['auth_hba_file'] = nil# pgbouncer['auth_dbname'] = nil# pgbouncer['auth_query'] = 'SELECT username, password FROM public.pg_shadow_lookup($1)'# pgbouncer['users'] = {# USERNAME: {# 'password': MD5_PASSWORD_HASH,# }# }# postgresql['pgbouncer_user'] = nil# postgresql['pgbouncer_user_password'] = nil# pgbouncer['server_reset_query_always'] = 0# pgbouncer['server_check_query'] = 'select 1'# pgbouncer['server_check_delay'] = 30# pgbouncer['max_db_connections'] = nil# pgbouncer['max_user_connections'] = nil# pgbouncer['syslog'] = 0# pgbouncer['syslog_facility'] = 'daemon'# pgbouncer['syslog_ident'] = 'pgbouncer'# pgbouncer['log_disconnections'] = 1# pgbouncer['log_pooler_errors'] = 1# pgbouncer['stats_period'] = 60# pgbouncer['verbose'] = 0# pgbouncer['server_lifetime'] = 3600# pgbouncer['server_connect_timeout'] = 15# pgbouncer['server_login_retry'] = 15# pgbouncer['query_timeout'] = 0# pgbouncer['query_wait_timeout'] = 120# pgbouncer['client_idle_timeout'] = 0# pgbouncer['client_login_timeout'] = 60# pgbouncer['autodb_idle_timeout'] = 3600# pgbouncer['suspend_timeout'] = 10# pgbouncer['idle_transaction_timeout'] = 0# pgbouncer['cancel_wait_timeout'] = 10# pgbouncer['pkt_buf'] = 4096# pgbouncer['listen_backlog'] = 128# pgbouncer['sbuf_loopcnt'] = 5# pgbouncer['max_packet_size'] = 2147483647# pgbouncer['so_reuseport'] = 0# pgbouncer['tcp_defer_accept'] = 0# pgbouncer['tcp_socket_buffer'] = 0# pgbouncer['tcp_keepalive'] = 1# pgbouncer['tcp_keepcnt'] = 0# pgbouncer['tcp_keepidle'] = 0# pgbouncer['tcp_keepintvl'] = 0# pgbouncer['disable_pqexec'] = 0# default['pgbouncer']['peers'] = {}### Pgbouncer client TLS options# pgbouncer['client_tls_sslmode'] = 'disable'# pgbouncer['client_tls_ca_file'] = nil# pgbouncer['client_tls_key_file'] = nil# pgbouncer['client_tls_cert_file'] = nil# pgbouncer['client_tls_protocols'] = 'all'# pgbouncer['client_tls_dheparams'] = 'auto'# pgbouncer['client_tls_ecdhcurve'] = 'auto'#### Pgbouncer server TLS options# pgbouncer['server_tls_sslmode'] = 'disable'# pgbouncer['server_tls_ca_file'] = nil# pgbouncer['server_tls_key_file'] = nil# pgbouncer['server_tls_cert_file'] = nil# pgbouncer['server_tls_protocols'] = 'all'# pgbouncer['server_tls_ciphers'] = 'fast'################################################################################## Patroni (EE only)################################################################################# patroni['enable'] = false# patroni['dir'] = '/var/opt/gitlab/patroni'# patroni['ctl_command'] = '/opt/gitlab/embedded/bin/patronictl'### Patroni dynamic configuration settings# patroni['loop_wait'] = 10# patroni['ttl'] = 30# patroni['retry_timeout'] = 10# patroni['maximum_lag_on_failover'] = 1_048_576# patroni['max_timelines_history'] = 0# patroni['master_start_timeout'] = 300# patroni['use_pg_rewind'] = true# patroni['remove_data_directory_on_rewind_failure'] = false# patroni['remove_data_directory_on_diverged_timelines'] = false# patroni['use_slots'] = true# patroni['replication_password'] = nil# patroni['replication_slots'] = {}# patroni['callbacks'] = {}# patroni['recovery_conf'] = {}# patroni['tags'] = {}### Standby cluster replication settings# patroni['standby_cluster']['enable'] = false# patroni['standby_cluster']['host'] = nil# patroni['standby_cluster']['port'] = 5432# patroni['standby_cluster']['primary_slot_name'] = nil### Global/Universal settings# patroni['scope'] = 'gitlab-postgresql-ha'# patroni['name'] = nil### Log settings# patroni['log_directory'] = '/var/log/gitlab/patroni'# patroni['log_group'] = nil# patroni['log_level'] = 'INFO'### Consul specific settings# patroni['consul']['url'] = 'http://127.0.0.1:8500'# patroni['consul']['service_check_interval'] = '10s'# patroni['consul']['register_service'] = true# patroni['consul']['checks'] = []### PostgreSQL configuration override# patroni['postgresql']['hot_standby'] = 'on'###! The following must hold the same values on all nodes.###! Leave unassined to use PostgreSQL's default values.# patroni['postgresql']['wal_level'] = 'replica'# patroni['postgresql']['wal_log_hints'] = 'on'# patroni['postgresql']['max_worker_processes'] = 8# patroni['postgresql']['max_locks_per_transaction'] = 64# patroni['postgresql']['max_connections'] = 400# patroni['postgresql']['checkpoint_timeout'] = 30###! The following can hold different values on all nodes.###! Leave unassined to use PostgreSQL's default values.# patroni['postgresql']['wal_keep_segments'] = 8# patroni['postgresql']['max_wal_senders'] = 5# patroni['postgresql']['max_replication_slots'] = 5### Permanent replication slots for Streaming Replication# patroni['replication_slots'] = {# 'geo_secondary' => { 'type' => 'physical' }# }###! The address and port that Patroni API binds to and listens on.# patroni['listen_address'] = nil# patroni['port'] = '8008'###! The address of the Patroni node that is advertized to other cluster###! members to communicate with its API and PostgreSQL. If it is not specified,###! it tries to use the first available private IP and falls back to the default###! network interface.# patroni['connect_address'] = nil###! The port that Patroni API responds to other cluster members. This port is###! advertized and by default is the same as patroni['port'].# patroni['connect_port'] = '8008'###! Specifies the set of hosts that are allowed to call unsafe REST API endpoints.###! Each item can be an hostname, IP address, or CIDR address.###! All hosts are allowed if this is unset.# patroni['allowlist'] = []# patroni['allowlist_include_members'] = false###! The username and password to use for basic auth on write commands to the###! Patroni API. If not specified then the API does not use basic auth.# patroni['username'] = nil# patroni['password'] = nil###! TLS configuration for Patroni API. Both certificate and key files are###! required to enable TLS. If not specified then the API uses plain HTTP.# patroni['tls_certificate_file'] = nil# patroni['tls_key_file'] = nil# patroni['tls_key_password'] = nil# patroni['tls_ca_file'] = nil# patroni['tls_ciphers'] = nil# patroni['tls_client_mode'] = nil# patroni['tls_client_certificate_file'] = nil# patroni['tls_client_key_file'] = nil# patroni['tls_verify'] = true################################################################################## Consul (EE only)################################################################################# consul['enable'] = false# consul['binary_path'] = '/opt/gitlab/embedded/bin/consul'# consul['dir'] = '/var/opt/gitlab/consul'# consul['username'] = 'gitlab-consul'# consul['group'] = 'gitlab-consul'# consul['config_file'] = '/var/opt/gitlab/consul/config.json'# consul['config_dir'] = '/var/opt/gitlab/consul/config.d'# consul['data_dir'] = '/var/opt/gitlab/consul/data'# consul['log_directory'] = '/var/log/gitlab/consul'# consul['log_group'] = nil# consul['env_directory'] = '/opt/gitlab/etc/consul/env'# consul['env'] = {# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"# }# consul['monitoring_service_discovery'] = false# consul['node_name'] = nil# consul['script_directory'] = '/var/opt/gitlab/consul/scripts'# consul['configuration'] = {# 'client_addr' => nil,# 'datacenter' => 'gitlab_consul',# 'enable_script_checks' => false,# 'enable_local_script_checks' => true,# 'server' => false# }# consul['services'] = []# consul['service_config'] = {# 'postgresql' => {# 'service' => {# 'name' => "postgresql",# 'address' => '',# 'port' => 5432,# 'checks' => [# {# 'script' => "/var/opt/gitlab/consul/scripts/check_postgresql",# 'interval' => "10s"# }# ]# }# }# }# consul['watchers'] = []# consul['custom_config_dir'] = '/path/to/service/configs/directory'### HTTP API ports# consul['http_port'] = nil# consul['https_port'] = nil### Gossip encryption# consul['encryption_key'] = nil# consul['encryption_verify_incoming'] = nil# consul['encryption_verify_outgoing'] = nil### TLS settings# consul['use_tls'] = false# consul['tls_ca_file'] = nil# consul['tls_certificate_file'] = nil# consul['tls_key_file'] = nil# consul['tls_verify_client'] = nil################################################################################## Service desk email settings################################################################################### Service desk email###! Allow users to create new service desk issues by sending an email to###! service desk address.###! Docs: https://docs.gitlab.com/ee/user/project/service_desk/index.html# gitlab_rails['service_desk_email_enabled'] = false#### Service Desk Mailbox Settings (via `mail_room`)#### Service Desk Email Address####! The email address including the `%{key}` placeholder that will be replaced####! to reference the item being replied to.####! **The placeholder can be omitted but if present, it must appear in the####! "user" part of the address (before the `@`).**# gitlab_rails['service_desk_email_address'] = "contact_project+%{key}@gmail.com"#### Service Desk Email account username####! **With third party providers, this is usually the full email address.**####! **With self-hosted email servers, this is usually the user part of the####! email address.**# gitlab_rails['service_desk_email_email'] = "contact_project@gmail.com"#### Service Desk Email account password# gitlab_rails['service_desk_email_password'] = "[REDACTED]"####! The mailbox where service desk mail will end up. Usually "inbox".# gitlab_rails['service_desk_email_mailbox_name'] = "inbox"####! The IDLE command timeout.# gitlab_rails['service_desk_email_idle_timeout'] = 60####! The file name for internal `mail_room` JSON logfile# gitlab_rails['service_desk_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log"#### Service Desk IMAP Settings# gitlab_rails['service_desk_email_host'] = "imap.gmail.com"# gitlab_rails['service_desk_email_port'] = 993# gitlab_rails['service_desk_email_ssl'] = true# gitlab_rails['service_desk_email_start_tls'] = false#### Inbox options (for Microsoft Graph)# gitlab_rails['service_desk_email_inbox_method'] = 'microsoft_graph'# gitlab_rails['service_desk_email_inbox_options'] = {# 'tenant_id': 'YOUR-TENANT-ID',# 'client_id': 'YOUR-CLIENT-ID',# 'client_secret': 'YOUR-CLIENT-SECRET',# 'poll_interval': 60 # Optional# }####! How service desk emails are delivered to Rails process. Accept either####! sidekiq or webhook. The default config is webhook.# gitlab_rails['service_desk_email_delivery_method'] = "webhook"####! Token to authenticate webhook requests. The token must be exactly 32 bytes,####! encoded with base64# gitlab_rails['service_desk_email_auth_token'] = nil################################################################################### Spamcheck (EE only)################################################################################## spamcheck['enable'] = false# spamcheck['dir'] = '/var/opt/gitlab/spamcheck'# spamcheck['port'] = 8001# spamcheck['external_port'] = nil# spamcheck['monitoring_address'] = ':8003'# spamcheck['log_level'] = 'info'# spamcheck['log_format'] = 'json'# spamcheck['log_output'] = 'stdout'# spamcheck['monitor_mode'] = false# spamcheck['allowlist'] = {}# spamcheck['denylist'] = {}# spamcheck['log_directory'] = "/var/log/gitlab/spamcheck"# spamcheck['log_group'] = nil# spamcheck['env_directory'] = "/opt/gitlab/etc/spamcheck/env"# spamcheck['env'] = {# 'SSL_CERT_DIR' => '/opt/gitlab/embedded/ssl/cers'# }# spamcheck['classifier']['log_directory'] = "/var/log/gitlab/spam-classifier"################################################################################### (Go-)Crond################################################################################## crond['log_directory'] = '/var/log/gitlab/crond'# crond['cron_d'] = '/var/opt/gitlab/crond'# crond['flags'] = {}################################################################################### gitlab-backup-cli settings################################################################################## gitlab_backup_cli['enable'] = false# gitlab_backup_cli['user'] = 'gitlab-backup'# gitlab_backup_cli['group'] = 'gitlab-backup'# gitlab_backup_cli['dir'] = '/var/opt/gitlab/backups'# gitlab_backup_cli['additional_groups'] = %w[git gitlab-psql registry]