# # # # # # # # # # # # # # # # # #
# GitLab application config file  #
# # # # # # # # # # # # # # # # # #
#
########################### NOTE #####################################
# This file should not receive new settings. All configuration options #
# * are being moved to ApplicationSetting model!                       #
# If a setting requires an application restart say so in that screen.  #
# If you change this file in a merge request, please also create       #
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #
# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md #
########################################################################
#
#
# How to use:
# 1. Copy file as gitlab.yml
# 2. Update gitlab -> host with your fully qualified domain name
# 3. Update gitlab -> email_from
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
#    IMPORTANT: If Git was installed in a different location use that instead.
#    You can check with `which git`. If a wrong path of Git is specified, it will
#    result in various issues such as failures of GitLab CI builds.
# 5. Review this configuration file for other settings you may want to adjust

production: &base
  #
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: localhost
    port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details

    # Uncomment this line if you want to configure the Rails asset host for a CDN.
    # cdn_host: localhost

    # The maximum time Puma can spend on the request. This needs to be smaller than the worker timeout.
    # Default is 95% of the worker timeout
    max_request_duration_seconds: 57

    # Uncomment this line below if your ssh host is different from HTTP/HTTPS one
    # (you'd obviously need to replace ssh.host_example.com with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    # ssh_host: ssh.host_example.com

    # Relative URL support
    # WARNING: We recommend using an FQDN to host GitLab in a root path instead
    # of using a relative URL.
    # Documentation: http://doc.gitlab.com/ce/install/relative_url.html
    # Uncomment and customize the following line to run in a non-root path
    #
    # relative_url_root: /gitlab

    # Content Security Policy
    # See https://guides.rubyonrails.org/security.html#content-security-policy
    content_security_policy:
      enabled: true
      report_only: false
      directives:
        base_uri:
        child_src:
        connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
        default_src: "'self'"
        font_src:
        form_action:
        frame_ancestors: "'self'"
        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
        img_src: "* data: blob:"
        manifest_src:
        media_src:
        object_src: "'none'"
        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
        style_src: "'self' 'unsafe-inline'"
        worker_src: "'self' blob:"
        report_uri:

    allowed_hosts: []

    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    trusted_proxies:
      # Examples:
      #- 192.168.1.0/24
      #- 192.168.2.1
      #- 2001:0db8::/32

    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    # user: git

    ## Date & Time settings
    # Uncomment and customize if you want to change the default time zone of GitLab application.
    # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
    # time_zone: 'UTC'

    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    # email_enabled: true
    # Email address used in the "From" field in mails sent by GitLab
    email_from: example@example.com
    email_display_name: GitLab
    email_reply_to: noreply@example.com
    email_subject_suffix: ''
    email_smime:
      # Uncomment and set to true if you need to enable email S/MIME signing (default: false)
      # enabled: false
      # S/MIME private key file in PEM format, unencrypted
      # Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app).
      # key_file: /home/git/gitlab/.gitlab_smime_key
      # S/MIME public certificate key in PEM format, will be attached to signed messages
      # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app).
      # cert_file: /home/git/gitlab/.gitlab_smime_cert
      # S/MIME extra CA public certificates in PEM format, will be attached to signed messages
      # Optional
      # ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs

    # Email server smtp settings are in config/initializers/smtp_settings.rb.sample
    # File location to read encrypted SMTP secrets from
    # email_smtp_secret_file: /mnt/gitlab/smtp.yaml.enc # Default: shared/encrypted_settings/smtp.yaml.enc

    # default_can_create_group: false  # default: true
    # username_changing_enabled: false # default: true - User can change their username/namespace
    ## Default theme ID
    ##   1 - Indigo
    ##   2 - Dark
    ##   3 - Light
    ##   4 - Blue
    ##   5 - Green
    ##   6 - Light Indigo
    ##   7 - Light Blue
    ##   8 - Light Green
    ##   9 - Red
    ##   10 - Light Red
    # default_theme: 1 # default: 1

    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified the default issue_closing_pattern as specified below will be used.
    # Tip: you can test your closing pattern at http://rubular.com.
    # issue_closing_pattern: '\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'

    ## Default project features settings
    default_projects_features:
      issues: true
      merge_requests: true
      wiki: true
      snippets: true
      builds: true
      container_registry: true

    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    # webhook_timeout: 10

    ### GraphQL Settings
    # Tells the rails application how long it has to complete a GraphQL request.
    # We suggest this value to be higher than the database timeout value
    # and lower than the worker timeout set in Puma. (default: 30)
    # graphql_timeout: 30

    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
    # repository_downloads_path: shared/cache/archive/

    ## Impersonation settings
    impersonation_enabled: true

    ## Disable jQuery and CSS animations
    # disable_animations: true

    ## Application settings cache expiry in seconds (default: 60)
    # application_settings_cache_seconds: 60

    ## Print initial root password to stdout during initialization (default: false)
    # WARNING: setting this to true means that the root password will be printed in
    # plaintext. This can be a security risk.
    # display_initial_root_password: false

  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  incoming_email:
    enabled: false

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    # Please be aware that a placeholder is required for the Service Desk feature to work.
    address: "gitlab-incoming+%{key}@gmail.com"

    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: "gitlab-incoming@gmail.com"
    # Email account password
    password: "[REDACTED]"

    # IMAP server host
    host: "imap.gmail.com"
    # IMAP server port
    port: 993
    # Whether the IMAP server uses SSL
    ssl: true
    # Whether the IMAP server uses StartTLS
    start_tls: false

    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: "inbox"
    # The IDLE command timeout.
    idle_timeout: 60
    # The log file path for the structured log file.
    # Since `mail_room` is run independently of Rails, an absolute path is preferred.
    # The default is 'log/mail_room_json.log' relative to the root of the Rails app.
    #
    # log_path: log/mail_room_json.log

    # Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery
    expunge_deleted: false

    # For Microsoft Graph support
    # inbox_method: microsoft_graph
    # inbox_options:
    #   tenant_id: "YOUR-TENANT-ID"
    #   client_id: "YOUR-CLIENT-ID"
    #   client_secret: "YOUR-CLIENT-SECRET"

  ## Consolidated object store config
  ## This will only take effect if the object_store sections are not defined
  ## within the types (e.g. artifacts, lfs, etc.).
  # object_store:
  #   enabled: false
  #   proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
  #   connection:
  #     provider: AWS # Only AWS supported at the moment
  #     aws_access_key_id: AWS_ACCESS_KEY_ID
  #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
  #     region: us-east-1
  #     aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
  #     endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
  #   storage_options:
  #     server_side_encryption: AES256 # AES256, aws:kms
  #     server_side_encryption_kms_key_id: # Amazon Resource Name. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
  #   objects:
  #     artifacts:
  #       bucket: artifacts
  #     external_diffs:
  #       bucket: external-diffs
  #     lfs:
  #       bucket: lfs-objects
  #     uploads:
  #       bucket: uploads
  #     packages:
  #       bucket: packages
  #     dependency_proxy:
  #       bucket: dependency_proxy

  ## Build Artifacts
  artifacts:
    enabled: true
    # The location where build artifacts are stored (default: shared/artifacts).
    # path: shared/artifacts
    # object_store:
    #   enabled: false
    #   remote_directory: artifacts # The bucket name
    #   background_upload: false # Temporary option to limit automatic upload (Default: true)
    #   proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
    #   connection:
    #     provider: AWS # Only AWS supported at the moment
    #     aws_access_key_id: AWS_ACCESS_KEY_ID
    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
    #     region: us-east-1
    #     aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
    #     endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces

  ## Merge request external diff storage
  external_diffs:
    # If disabled (the default), the diffs are in-database. Otherwise, they can
    # be stored on disk, or in object storage
    enabled: false
    # The location where external diffs are stored (default: shared/lfs-external-diffs).
    # storage_path: shared/external-diffs
    # object_store:
    #   enabled: false
    #   remote_directory: external-diffs
    #   background_upload: false
    #   proxy_download: false
    #   connection:
    #     provider: AWS
    #     aws_access_key_id: AWS_ACCESS_KEY_ID
    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
    #     region: us-east-1

  ## Git LFS
  lfs:
    enabled: true
    # The location where LFS objects are stored (default: shared/lfs-objects).
    # storage_path: shared/lfs-objects
    object_store:
      enabled: false
      remote_directory: lfs-objects # Bucket name
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
        # Use the following options to configure an AWS compatible host
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## Uploads (attachments, avatars, etc...)
  uploads:
    # The location where uploads objects are stored (default: public/).
    # storage_path: public/
    # base_dir: uploads/-/system
    object_store:
      enabled: false
      remote_directory: uploads # Bucket name
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        region: us-east-1
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## Packages (maven repository, npm registry, etc...)
  packages:
    enabled: true
    dpkg_deb_path: /usr/bin/dpkg-deb
    # The location where build packages are stored (default: shared/packages).
    # storage_path: shared/packages
    object_store:
      enabled: false
      remote_directory: packages # The bucket name
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## Dependency Proxy
  dependency_proxy:
    enabled: true
    # The location where build packages are stored (default: shared/dependency_proxy).
    # storage_path: shared/dependency_proxy
    object_store:
      enabled: false
      remote_directory: dependency_proxy # The bucket name
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## Terraform state
  terraform_state:
    enabled: true
    # The location where Terraform state files are stored (default: shared/terraform_state).
    # storage_path: shared/terraform_state
    object_store:
      enabled: false
      remote_directory: terraform # The bucket name
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## GitLab Pages
  pages:
    enabled: false
    access_control: false
    # The location where pages are stored (default: shared/pages).
    # path: shared/pages

    # The domain under which the pages are served:
    # http://group.example.com/project
    # or project path can be a group page: group.example.com
    host: example.com
    port: 80 # Set to 443 if you serve the pages with HTTPS
    https: false # Set to true if you serve the pages with HTTPS
    artifacts_server: true # Set to false if you want to disable online view of HTML artifacts
    # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
    # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages

    # File that contains the shared secret key for verifying access for gitlab-pages.
    # Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_pages_secret
    object_store:
      enabled: false
      remote_directory: pages # The bucket name
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
    local_store:
      enabled: true
      # The location where pages are stored (default: shared/pages).
      # path: shared/pages

  ## Mattermost
  ## For enabling Add to Mattermost button
  mattermost:
    enabled: false
    host: 'https://mattermost.example.com'

  ## Gravatar
  ## If using gravatar.com, there's nothing to change here. For Libravatar
  ## you'll need to provide the custom URLs. For more information,
  ## see: https://docs.gitlab.com/ee/administration/libravatar.html
  gravatar:
    # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username}
    # plain_url: "http://..." # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    # ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon

  ## Sidekiq
  sidekiq:
    log_format: json # (default is the original format)
    # An array of tuples indicating the rules for re-routing a worker to a
    # desirable queue before scheduling. For example:
    # routing_rules:
    #   - ["resource_boundary=cpu", "cpu_boundary"]
    #   - ["feature_category=pages", null]
    #   - ["*", "default"]

  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
    # Flag stuck CI jobs as failed
    stuck_ci_jobs_worker:
      cron: "0 * * * *"
    # Execute scheduled triggers
    pipeline_schedule_worker:
      cron: "3-59/10 * * * *"
    # Remove expired build artifacts
    expire_build_artifacts_worker:
      cron: "*/7 * * * *"
    # Remove expired pipeline artifacts
    ci_pipelines_expire_artifacts_worker:
      cron: "*/23 * * * *"
    # Remove files from object storage
    ci_schedule_delete_objects_worker:
      cron: "*/16 * * * *"
    # Stop expired environments
    environments_auto_stop_cron_worker:
      cron: "24 * * * *"
    # Delete stopped environments
    environments_auto_delete_cron_worker:
      cron: "34 * * * *"
    # Periodically run 'git fsck' on all repositories. If started more than
    # once per hour you will have concurrent 'git fsck' jobs.
    repository_check_worker:
      cron: "20 * * * *"
    # Archive live traces which have not been archived yet
    ci_archive_traces_cron_worker:
      cron: "17 * * * *"
    # Send admin emails once a week
    admin_email_worker:
      cron: "0 0 * * 0"
    # Send emails for personal tokens which are about to expire
    personal_access_tokens_expiring_worker:
      cron: "0 1 * * *"

    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron: "0 * * * *"

    # Verify custom GitLab Pages domains
    pages_domain_verification_cron_worker:
      cron: "*/15 * * * *"

    # Periodically migrate diffs from the database to external storage
    schedule_migrate_external_diffs_worker:
      cron: "15 * * * *"

    # Update CI Platform Metrics daily
    ci_platform_metrics_update_cron_worker:
      cron: "47 9 * * *"

  # GitLab EE only jobs. These jobs are automatically enabled for an EE
  # installation, and ignored for a CE installation.
  ee_cron_jobs:
    # Schedule snapshots for all devops adoption segments
    analytics_devops_adoption_create_all_snapshots_worker:
      cron: "0 0 1 * *"

    # Snapshot active users statistics
    historical_data_worker:
      cron: "0 12 * * *"

    # In addition to refreshing users when they log in,
    # periodically refresh LDAP users membership.
    # NOTE: This will only take effect if LDAP is enabled
    ldap_sync_worker:
      cron: "30 1 * * *"

    # Periodically refresh LDAP groups membership.
    # NOTE: This will only take effect if LDAP is enabled
    ldap_group_sync_worker:
      cron: "0 * * * *"

    # GitLab Geo metrics update worker
    # NOTE: This will only take effect if Geo is enabled
    geo_metrics_update_worker:
      cron: "*/1 * * * *"

    # GitLab Geo prune event log worker
    # NOTE: This will only take effect if Geo is enabled (primary node only)
    geo_prune_event_log_worker:
      cron: "*/5 * * * *"

    # GitLab Geo repository sync worker
    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
    geo_repository_sync_worker:
      cron: "*/1 * * * *"

    # GitLab Geo registry backfill worker
    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
    geo_secondary_registry_consistency_worker:
      cron: "* * * * *"

    # GitLab Geo file download dispatch worker
    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
    geo_file_download_dispatch_worker:
      cron: "*/1 * * * *"

    # GitLab Geo registry sync worker (for backfilling)
    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
    geo_registry_sync_worker:
      cron: "*/1 * * * *"

    # Export pseudonymized data in CSV format for analysis
    pseudonymizer_worker:
      cron: "0 * * * *"

    # Elasticsearch bulk updater for incremental updates.
    # NOTE: This will only take effect if elasticsearch is enabled.
    elastic_index_bulk_cron_worker:
      cron: "*/1 * * * *"

    # Elasticsearch bulk updater for initial updates.
    # NOTE: This will only take effect if elasticsearch is enabled.
    elastic_index_initial_bulk_cron_worker:
      cron: "*/1 * * * *"

    # Elasticsearch reindexing worker
    # NOTE: This will only take effect if elasticsearch is enabled.
    elastic_cluster_reindexing_cron_worker:
      cron: "*/10 * * * *"

  registry:
    # enabled: true
    # host: registry.example.com
    # port: 5005
    # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
    # key: config/registry.key
    # path: shared/registry
    # issuer: gitlab-issuer
    # notification_secret: '' # only set it when you use Geo replication feature without built-in Registry

    # Add notification settings if you plan to use Geo Replication for the registry
    # notifications:
    # - name: geo_event
    #   url: https://example.com/api/v4/container_registry_event/events
    #   timeout: 2s
    #   threshold: 5
    #   backoff: 1s
    #   headers:
    #     Authorization: secret_phrase

  ## Error Reporting and Logging with Sentry
  sentry:
    # enabled: false
    # dsn: https://<key>@sentry.io/<project>
    # clientside_dsn: https://<key>@sentry.io/<project>
    # environment: 'production' # e.g. development, staging, production

  ## Geo
  # NOTE: These settings will only take effect if Geo is enabled
  geo:
    # This is an optional identifier which Geo nodes can use to identify themselves.
    # For example, if external_url is the same for two secondaries, you must specify
    # a unique Geo node name for those secondaries.
    #
    # If it is blank, it defaults to external_url.
    node_name: ''

    registry_replication:
      # enabled: true
      # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API

  ## Feature Flag https://docs.gitlab.com/ee/operations/feature_flags.html
  feature_flags:
    unleash:
      # enabled: false
      # url: https://gitlab.com/api/v4/feature_flags/unleash/<project_id>
      # app_name: gitlab.com # Environment name of your GitLab instance
      # instance_id: INSTANCE_ID

  #
  # 2. GitLab CI settings
  # ==========================

  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    # all_broken_builds: true
    #
    # Add pusher to recipients list (default: false)
    # add_pusher: true

    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    # builds_path: builds/

  #
  # 3. Auth settings
  # ==========================

  ## LDAP settings
  # You can test connections and inspect a sample of the LDAP users with login
  # access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: false
    prevent_ldap_sign_in: false

    # File location to read encrypted secrets from
    # secret_file: /mnt/gitlab/ldap.yaml.enc # Default: shared/encrypted_settings/ldap.yaml.enc

    # This setting controls the number of seconds between LDAP permission checks
    # for each user. After this time has expired for a given user, their next
    # interaction with GitLab (a click in the web UI, a git pull, etc.) will be
    # slower because the LDAP permission check is being performed. How much
    # slower depends on your LDAP setup, but it is not uncommon for this check
    # to add seconds of waiting time. The default value is to have a "slow
    # click" once every 3600 seconds (i.e., once per hour).
    #
    # Warning: if you set this value too low, every click in GitLab will be a
    # "slow click" for all of your LDAP users.
    # sync_time: 3600

    servers:
      ##########################################################################
      #
      # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
      # Enterprise Edition now supports connecting to multiple LDAP servers.
      #
      # If you are updating from the old (pre-7.4) syntax, you MUST give your
      # old server the ID 'main'.
      #
      ##########################################################################
      main: # 'main' is the GitLab 'provider ID' of this LDAP server
        ## label
        #
        # A human-friendly name for your LDAP server. It is OK to change the label later,
        # for instance if you find out it is too large to fit on the web page.
        #
        # Example: 'Paris' or 'Acme, Ltd.'
        label: 'LDAP'

        # Example: 'ldap.mydomain.com'
        host: '_your_ldap_server'
        # This port is an example, it is sometimes different but it is always an integer and not a string
        port: 389 # usually 636 for SSL
        uid: 'sAMAccountName' # This should be the attribute, not the value that maps to uid.

        # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com'
        bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
        password: '_the_password_of_the_bind_user'

        # Encryption method. The "method" key is deprecated in favor of
        # "encryption".
        #
        # Examples: "start_tls" or "simple_tls" or "plain"
        #
        # Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
        # replaced with "simple_tls".
        #
        encryption: 'plain'

        # Enables SSL certificate verification if encryption method is
        # "start_tls" or "simple_tls". Defaults to true.
        verify_certificates: true

        # OpenSSL::SSL::SSLContext options.
        tls_options:
          # Specifies the path to a file containing a PEM-format CA certificate,
          # e.g. if you need to use an internal CA.
          #
          # Example: '/etc/ca.pem'
          #
          ca_file: ''

          # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
          # is not appropriate.
          #
          # Example: 'TLSv1_1'
          #
          ssl_version: ''

          # Specific SSL ciphers to use in communication with LDAP servers.
          #
          # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
          ciphers: ''

          # Client certificate
          #
          # Example:
          # cert: |
          #   -----BEGIN CERTIFICATE-----
          #   MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
          #   bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
          #   CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4
          #   rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
          #   ...
          #   4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80
          #   Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==
          #   -----END CERTIFICATE-----
          cert: ''

          # Client private key
          # key: |
          #   -----BEGIN PRIVATE KEY-----
          #   MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6
          #   bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN
          #   7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C
          #   rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
          #   ...
          #   +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9
          #   l6RG+a/mW+0rCWn8JAd464Ps9hE=
          #   -----END PRIVATE KEY-----
          key: ''

        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
        # a request if the LDAP server becomes unresponsive.
        # A value of 0 means there is no timeout.
        timeout: 10

        # Enable smartcard authentication against the LDAP server. Valid values
        # are "false", "optional", and "required".
        smartcard_auth: false

        # This setting specifies if LDAP server is Active Directory LDAP server.
        # For non AD servers it skips the AD specific queries.
        # If your LDAP server is not AD, set this to false.
        active_directory: true

        # If allow_username_or_email_login is enabled, GitLab will ignore everything
        # after the first '@' in the LDAP username submitted by the user on login.
        #
        # Example:
        # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
        # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
        #
        # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
        # disable this setting, because the userPrincipalName contains an '@'.
        allow_username_or_email_login: false

        # To maintain tight control over the number of active users on your GitLab installation,
        # enable this setting to keep new users blocked until they have been cleared by the admin
        # (default: false).
        block_auto_created_users: false

        # Base where we can search for users
        #
        #   Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com'
        #
        base: ''

        # Filter LDAP users
        #
        #   Format: RFC 4515 https://tools.ietf.org/search/rfc4515
        #   Ex. (employeeType=developer)
        #
        #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
        #
        #   Example for getting only specific users:
        #   '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'
        #
        user_filter: ''

        # Base where we can search for groups
        #
        #   Ex. ou=Groups,dc=gitlab,dc=example
        #
        group_base: ''

        # LDAP group of users who should be admins in GitLab
        #
        #   Ex. GLAdmins
        #
        admin_group: ''

        # LDAP group of users who should be marked as external users in GitLab
        #
        #   Ex. ['Contractors', 'Interns']
        #
        external_groups: []

        # Name of attribute which holds a ssh public key of the user object.
        # If false or nil, SSH key synchronisation will be disabled.
        #
        #   Ex. sshpublickey
        #
        sync_ssh_keys: false

        # Retry ldap search connection if got empty results with specified response code(s)
        #
        #   Ex. [80]
        # retry_empty_result_with_codes: []

        # LDAP attributes that GitLab will use to create an account for the LDAP user.
        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
        attributes:
          # The username will be used in paths for the user's own projects
          # (like `gitlab.example.com/username/project`) and when mentioning
          # them in issues, merge request and comments (like `@username`).
          # If the attribute specified for `username` contains an email address,
          # the GitLab username will be the part of the email address before the '@'.
          username: ['uid', 'userid', 'sAMAccountName']
          email: ['mail', 'email', 'userPrincipalName']

          # If no full name could be found at the attribute specified for `name`,
          # the full name is determined using the attributes specified for
          # `first_name` and `last_name`.
          name: 'cn'
          first_name: 'givenName'
          last_name: 'sn'

        # If lowercase_usernames is enabled, GitLab will lower case the username.
        lowercase_usernames: false

      # GitLab EE only: add more LDAP servers
      # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
      # so that GitLab can remember which LDAP server a user belongs to.
      # uswest2:
      #   label:
      #   host:
      #   ....

  ## Smartcard authentication settings
  smartcard:
    # Allow smartcard authentication
    enabled: false

    # Path to a file containing a CA certificate bundle
    ca_file: '/etc/ssl/certs/CA.pem'

    # Host and port where the client side certificate is requested by the
    # webserver (NGINX/Apache)
    # client_certificate_required_host: smartcard.gitlab.example.com
    # client_certificate_required_port: 3444

    # Browser session with smartcard sign-in is required for Git access
    # required_for_git_access: false

    # Use X.509 SAN extensions certificates to identify GitLab users
    # Add a subjectAltName to your certificates like: email:user
    # san_extensions: true

  ## Kerberos settings
  kerberos:
    # Allow the HTTP Negotiate authentication method for Git clients
    enabled: false

    # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
    # and should be different from other keytabs in the system.
    # (default: use default keytab from Krb5 config)
    # keytab: /etc/http.keytab

    # The Kerberos service name to be used by GitLab.
    # (default: accept any service name in keytab file)
    # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM

    # Kerberos realms/domains that are allowed to automatically link LDAP identities.
    # By default, GitLab accepts a realm that matches the domain derived from the
    # LDAP `base` DN. For example, `ou=users,dc=example,dc=com` would allow users
    # with a realm matching `example.com`.
    # simple_ldap_linking_allowed_realms: ['example.com','kerberos.example.com']

    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
    # To support both Basic and Negotiate methods with older versions of Git, configure
    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
    # to dedicate this port to Kerberos authentication. (default: false)
    # use_dedicated_port: true
    # port: 8443
    # https: true

  ## OmniAuth settings
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    # enabled: true

    # Uncomment this to automatically sign in with a specific omniauth provider without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    # auto_sign_in_with_provider: saml

    # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).
    # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"],
    # or as true/false to allow all providers or none.
    # When authenticating using LDAP, the user's email is always synced.
    # sync_profile_from_provider: []

    # Select which info to sync from the providers above. (default: email).
    # Define the synced profile info using an array. Available options are "name", "email" and "location"
    # e.g. ["name", "email", "location"] or as true to sync all available.
    # This consequently will make the selected attributes read-only.
    # sync_profile_attributes: true

    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed providers
    # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: ["saml"]

    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: true
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: false

    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: false

    # CAUTION!
    # Allows larger SAML messages to be received. Numeric value in bytes (default: 250000)
    # A limit set too high exposes the instance to decompression DDoS attacks.
    saml_message_max_byte_size: 250000

    # Allow users with existing accounts to sign in and auto link their account via OmniAuth
    # login, without having to do a manual login first and manually add OmniAuth. Links on email.
    # Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to
    # allow all providers or none.
    # (default: false)
    auto_link_user: ["saml", "twitter"]

    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: []

    # CAUTION!
    # This allows users to login with the specified providers without two factor. Define the allowed providers
    # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none.
    # This option should only be configured for providers which already have two factor.
    # This configuration does not apply to SAML.
    # (default: false)
    allow_bypass_two_factor: ["twitter", 'google_oauth2']

    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    providers:
      # See omniauth-cas3 for more configuration details
      # - { name: 'cas3',
      #     label: 'cas3',
      #     args: {
      #       url: 'https://sso.example.com',
      #       disable_ssl_verification: false,
      #       login_url: '/cas/login',
      #       service_validate_url: '/cas/p3/serviceValidate',
      #       logout_url: '/cas/logout'} }
      # - { name: 'authentiq',
      #     # for client credentials (client ID and secret), go to https://www.authentiq.com/developers
      #     app_id: 'YOUR_CLIENT_ID',
      #     app_secret: 'YOUR_CLIENT_SECRET',
      #     args: {
      #       scope: 'aq:name email~rs address aq:push'
      #       # callback_url parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
      #       # callback_url: 'YOUR_CALLBACK_URL'
      #     }
      #   }
      # - { name: 'github',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     url: "https://github.com/",
      #     verify_ssl: true,
      #     args: { scope: 'user:email' } }
      # - { name: 'bitbucket',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'dingtalk',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'gitlab',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { scope: 'api' } }
      # - { name: 'google_oauth2',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'facebook',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'twitter',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'jwt',
      #     args: {
      #       secret: 'YOUR_APP_SECRET',
      #       algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512'
      #       uid_claim: 'email',
      #       required_claims: ['name', 'email'],
      #       info_map: { name: 'name', email: 'email' },
      #       auth_url: 'https://example.com/',
      #       valid_within: 3600 # 1 hour
      #     }
      #   }
      # - { name: 'saml',
      #     label: 'Our SAML Provider',
      #     groups_attribute: 'Groups',
      #     external_groups: ['Contractors', 'Freelancers'],
      #     args: {
      #       assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      #       idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
      #       idp_sso_target_url: 'https://login.example.com/idp',
      #       issuer: 'https://gitlab.example.com',
      #       name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
      #     } }
      #
      # - { name: 'group_saml' }
      #
      # - { name: 'crowd',
      #     args: {
      #       crowd_server_url: 'CROWD SERVER URL',
      #       application_name: 'YOUR_APP_NAME',
      #       application_password: 'YOUR_APP_PASSWORD' } }
      #
      # - { name: 'auth0',
      #     args: {
      #       client_id: 'YOUR_AUTH0_CLIENT_ID',
      #       client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
      #       namespace: 'YOUR_AUTH0_DOMAIN' } }

    # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
    # cas3:
    #   session_duration: 28800

  # FortiAuthenticator settings
  forti_authenticator:
    # Allow using FortiAuthenticator as OTP provider
    enabled: false

    # Host and port of FortiAuthenticator instance
    # host: forti_authenticator.example.com
    # port: 443

    # Username for accessing FortiAuthenticator API
    # username: john

    # Access token for FortiAuthenticator API
    # access_token: 123s3cr3t456

  # FortiToken Cloud settings
  forti_token_cloud:
    # Allow using FortiToken Cloud as OTP provider
    enabled: false

    # Client ID and Secret to access FortiToken Cloud API
    # client_id: 'YOUR_FORTI_TOKEN_CLOUD_CLIENT_ID'
    # client_secret: 'YOUR_FORTI_TOKEN_CLOUD_CLIENT_SECRET'

  # Shared file storage settings
  shared:
    # path: /mnt/gitlab # Default: shared

  # Encrypted Settings configuration
  encrypted_settings:
    # path: /mnt/gitlab/encrypted_settings # Default: shared/encrypted_settings

  # Gitaly settings
  gitaly:
    # Default Gitaly authentication token. Can be overridden per storage. Can
    # be left blank when Gitaly is running locally on a Unix socket, which
    # is the normal way to deploy Gitaly.
    token:

  #
  # 4. Advanced settings
  # ==========================

  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # IMPORTANT: None of the path components may be symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path and that results
    # real path not the symlink.
    storages: # You must have at least a `default` storage path.
      default:
        path: /home/git/repositories/
        gitaly_address: unix:/home/git/gitlab/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (e.g. tls://host:port).
        # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.

  ## Backup settings
  backup:
    path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
    # gitaly_backup_path: # Path of the gitaly-backup binary (default: searches $PATH)
    # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
    # keep_time: 604800 # default: 0 (forever) (in seconds)
    # pg_schema: public # default: nil, it means that all schemas will be backed up
    # upload:
    #   # Fog storage connection settings, see http://fog.io/storage/ .
    #   connection:
    #     provider: AWS
    #     region: eu-west-1
    #     aws_access_key_id: AKIAKIAKI
    #     aws_secret_access_key: 'secret123'
    #   # The remote 'directory' to store your backups. For S3, this would be the bucket name.
    #   remote_directory: 'my.s3.bucket'
    #   # Use multipart uploads when file size reaches 100MB, see
    #   # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
    #   multipart_chunk_size: 104857600
    #   # Specifies Amazon S3 storage class to use for backups (optional)
    #   # storage_class: 'STANDARD'
    #   # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
    #   #   'encryption' must be set in order for this to have any effect.
    #   #   'encryption_key' should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data.
    #   # encryption: 'AES256'
    #   # encryption_key: '<key>'
    #   #
    #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed keys (optional)
    #   # https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
    #   # For SSE-S3, set 'server_side_encryption' to 'AES256'.
    #   # For SSE-KMS, set 'server_side_encryption' to 'aws:kms'. Set
    #   # 'server_side_encryption_kms_key_id' to the ARN of customer master key.
    #   # storage_options:
    #   #   server_side_encryption: 'aws:kms'
    #   #   server_side_encryption_kms_key_id: 'arn:aws:kms:YOUR-KEY-ID-HERE'

  ## Pseudonymizer exporter
  pseudonymizer:
    # Tables manifest that specifies the fields to extract and pseudonymize.
    manifest: config/pseudonymizer.yml
    upload:
      remote_directory: 'gitlab-elt'
      # Fog storage connection settings, see http://fog.io/storage/ .
      connection:
      #   provider: AWS
      #   region: eu-west-1
      #   aws_access_key_id: AKIAKIAKI
      #   aws_secret_access_key: 'secret123'
      #   # The remote 'directory' to store the CSV files. For S3, this would be the bucket name.

  ## GitLab Shell settings
  gitlab_shell:
    path: /home/git/gitlab-shell/
    authorized_keys_file: /home/git/.ssh/authorized_keys

    # File that contains the secret key for verifying access for gitlab-shell.
    # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_shell_secret

    # Git over HTTP
    upload_pack: true
    receive_pack: true

    # Git import/fetch timeout, in seconds. Defaults to 3 hours.
    # git_timeout: 10800

    # If you use non-standard ssh port you need to specify it
    # ssh_port: 22

  workhorse:
    # File that contains the secret key for verifying access for gitlab-workhorse.
    # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_workhorse_secret

  gitlab_kas:
    # enabled: true
    # File that contains the secret key for verifying access for gitlab-kas.
    # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_kas_secret

    # The URL to the external KAS API (used by the Kubernetes agents)
    # external_url: wss://kas.example.com

    # The URL to the internal KAS API (used by the GitLab backend)
    # internal_url: grpc://localhost:8153

    # The URL to the Kubernetes API proxy (used by GitLab users)
    # external_k8s_proxy_url: https://localhost:8154 # default: nil

  ## GitLab Elasticsearch settings
  elasticsearch:
    indexer_path: /home/git/gitlab-elasticsearch-indexer/

  ## Git settings
  # CAUTION!
  # Use the default values unless you really know what you are doing
  git:
    bin_path: /usr/bin/git

  ## Webpack settings
  # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
  # on a given port instead of serving directly from /assets/webpack. This is only intended for use
  # in development.
  webpack:
    # dev_server:
    #   enabled: true
    #   host: localhost
    #   port: 3808

  ## Monitoring
  # Built in monitoring settings
  monitoring:
    # IP whitelist to access monitoring endpoints
    ip_whitelist:
      - 127.0.0.0/8

    # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics
    sidekiq_exporter:
      # enabled: true
      # log_enabled: false
      # address: localhost
      # port: 8082

    sidekiq_health_checks:
      # enabled: true
      # log_enabled: false
      # address: localhost
      # port: 8082

    # Web exporter is a dedicated Rack server running alongside Puma to expose Prometheus metrics
    # It runs alongside the `/metrics` endpoints to ease the publish of metrics
    web_exporter:
      # enabled: true
      # address: localhost
      # port: 8083

  ## Prometheus settings
  # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb
  # if you installed GitLab via Omnibus.
  # If you installed from source, you need to install and configure Prometheus
  # yourself, and then update the values here.
  # https://docs.gitlab.com/ee/administration/monitoring/prometheus/
  prometheus:
    # enabled: true
    # server_address: 'localhost:9090'

  ## Consul settings
  consul:
    # api_url: 'http://localhost:8500'

  shutdown:
    # # blackout_seconds:
    # #   defines an interval to block healthcheck,
    # #   but continue accepting application requests
    # #   this allows Load Balancer to notice service
    # #   being shutdown and not interrupt any of the clients
    # blackout_seconds: 10

  #
  # 5. Extra customization
  # ==========================

  extra:
    ## Google analytics. Uncomment if you want it
    # google_analytics_id: '_your_tracking_id'

    ## Google tag manager
    # google_tag_manager_id: '_your_tracking_id'

    ## OneTrust
    # one_trust_id: '_your_one_trust_id'

    ## Matomo analytics.
    # matomo_url: '_your_matomo_url'
    # matomo_site_id: '_your_matomo_site_id'
    # matomo_disable_cookies: false

    ## Maximum file size for syntax highlighting
    ## https://docs.gitlab.com/ee/user/project/highlighting.html
    # maximum_text_highlight_size_kilobytes: 512

  rack_attack:
    git_basic_auth:
      # Rack Attack IP banning enabled
      # enabled: true
      #
      # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
      # ip_whitelist: ["127.0.0.1"]
      #
      # Limit the number of Git HTTP authentication attempts per IP
      # maxretry: 10
      #
      # Reset the auth attempt counter per IP after 60 seconds
      # findtime: 60
      #
      # Ban an IP for one hour (3600s) after too many auth attempts
      # bantime: 3600

development:
  <<: *base

  # We want to run web/sidekiq exporters for devs
  # to catch errors from using them.
  #
  # We use random port to not block ability to run
  # multiple instances of the service
  monitoring:
    sidekiq_exporter:
      enabled: true
      address: 127.0.0.1
      port: 0
    web_exporter:
      enabled: true
      address: 127.0.0.1
      port: 0

test:
  <<: *base
  gravatar:
    enabled: true
  external_diffs:
    enabled: false
    # Diffs may be `always` external (the default), or they can be made external
    # after they have become `outdated` (i.e., the MR is closed or a new version
    # has been pushed).
    # when: always
    # The location where external diffs are stored (default: shared/external-diffs).
    storage_path: tmp/tests/external-diffs
    object_store:
      enabled: false
      remote_directory: external-diffs # The bucket name
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
  lfs:
    enabled: false
    # The location where LFS objects are stored (default: shared/lfs-objects).
    # storage_path: shared/lfs-objects
    object_store:
      enabled: false
      remote_directory: lfs-objects # The bucket name
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
  artifacts:
    path: tmp/tests/artifacts
    enabled: true
    # The location where build artifacts are stored (default: shared/artifacts).
    # path: shared/artifacts
    object_store:
      enabled: false
      remote_directory: artifacts # The bucket name
      background_upload: false
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
  uploads:
    storage_path: tmp/tests/public
    object_store:
      enabled: false
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1

  terraform_state:
    enabled: true
    storage_path: tmp/tests/terraform_state
    object_store:
      enabled: false
      remote_directory: terraform
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1

  gitlab:
    host: localhost
    port: 80

    content_security_policy:
      enabled: true
      report_only: false
      directives:
        base_uri:
        child_src:
        connect_src:
        default_src: "'self'"
        font_src:
        form_action:
        frame_ancestors: "'self'"
        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
        img_src: "* data: blob:"
        manifest_src:
        media_src:
        object_src: "'none'"
        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
        style_src: "'self' 'unsafe-inline'"
        worker_src: "'self' blob:"
        report_uri:

    # When you run tests we clone and set up gitlab-shell
    # In order to set it up correctly you need to specify
    # your system username you use to run GitLab
    # user: YOUR_USERNAME
  pages:
    path: tmp/tests/pages
    object_store:
      enabled: false
      remote_directory: pages # The bucket name
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
    local_store:
      enabled: true
      path: tmp/tests/pages
  repositories:
    storages:
      default:
        path: tmp/tests/repositories/
        gitaly_address: unix:tmp/tests/gitaly/praefect.socket

  gitaly:
    client_path: tmp/tests/gitaly/_build/bin
    token: secret
  workhorse:
    secret_file: tmp/gitlab_workhorse_test_secret
  backup:
    path: tmp/tests/backups
    gitaly_backup_path: tmp/tests/gitaly/_build/bin/gitaly-backup
  pseudonymizer:
    manifest: config/pseudonymizer.yml
    upload:
      # The remote 'directory' to store the CSV files. For S3, this would be the bucket name.
      remote_directory: gitlab-elt.test
      # Fog storage connection settings, see http://fog.io/storage/
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
  gitlab_shell:
    path: tmp/tests/gitlab-shell/
    authorized_keys_file: tmp/tests/authorized_keys
  issues_tracker:
    redmine:
      title: "Redmine"
      project_url: "http://redmine/projects/:issues_tracker_id"
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
    jira:
      title: "Jira"
      url: https://sample_company.atlassian.net
      project_key: PROJECT

  omniauth:
    # enabled: true
    allow_single_sign_on: true
    external_providers: []

    providers:
      - { name: 'cas3',
          label: 'cas3',
          args: { url: 'https://sso.example.com',
                  disable_ssl_verification: false,
                  login_url: '/cas/login',
                  service_validate_url: '/cas/p3/serviceValidate',
                  logout_url: '/cas/logout'} }
      - { name: 'github',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET',
          url: "https://github.com/",
          verify_ssl: false,
          args: { scope: 'user:email' } }
      - { name: 'bitbucket',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
      - { name: 'dingtalk',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
      - { name: 'gitlab',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET',
          args: { scope: 'api' } }
      - { name: 'google_oauth2',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET',
          args: { access_type: 'offline', approval_prompt: '' } }
      - { name: 'facebook',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
      - { name: 'twitter',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
      - { name: 'jwt',
          app_secret: 'YOUR_APP_SECRET',
          args: {
                  algorithm: 'HS256',
                  uid_claim: 'email',
                  required_claims: ["name", "email"],
                  info_map: { name: "name", email: "email" },
                  auth_url: 'https://example.com/',
                  valid_within: null,
                }
        }
      - { name: 'auth0',
          args: {
            client_id: 'YOUR_AUTH0_CLIENT_ID',
            client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
            namespace: 'YOUR_AUTH0_DOMAIN' } }
      - { name: 'authentiq',
          app_id: 'YOUR_CLIENT_ID',
          app_secret: 'YOUR_CLIENT_SECRET',
          args: { scope: 'aq:name email~rs address aq:push' } }
      - { name: 'salesforce',
          app_id: 'YOUR_CLIENT_ID',
          app_secret: 'YOUR_CLIENT_SECRET'
        }
      - { name: 'atlassian_oauth2',
          app_id: 'YOUR_CLIENT_ID',
          app_secret: 'YOUR_CLIENT_SECRET',
          args: { scope: 'offline_access read:jira-user read:jira-work', prompt: 'consent' }
        }
  ldap:
    enabled: false
    servers:
      main:
        label: ldap
        host: 127.0.0.1
        port: 3890
        uid: 'uid'
        encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''
  prometheus:
    enabled: true
    server_address: 'localhost:9090'

staging:
  <<: *base
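
# Added example, not part of GitLab's own code: a small Ruby audit over the LDAP and
# OmniAuth options documented above, flagging the values the comments in this file caution about.
# The function names, the finding texts and the sample config are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed sample (not from the page): a trimmed `production` block that reuses
# the file's key names with several of the riskier values set.
SAMPLE_CONFIG = <<~YAML
  production:
    ldap:
      enabled: true
      servers:
        main:
          host: 'ldap.example.com'
          port: 389
          encryption: 'plain'
          verify_certificates: true
        uswest2:
          host: 'ldap2.example.com'
          port: 636
          encryption: 'simple_tls'
          verify_certificates: false
    omniauth:
      allow_single_sign_on: ["saml"]
      block_auto_created_users: false
      allow_bypass_two_factor: ["twitter", "google_oauth2"]
      providers:
        - { name: 'github', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', verify_ssl: false }
        - { name: 'cas3', args: { url: 'https://sso.example.com', disable_ssl_verification: false } }
YAML

# Several options take either true/false or an array of provider names:
# true or a non-empty array switches them on.
def option_on?(value)
  value == true || (value.is_a?(Array) && !value.empty?)
end

# Hypothetical helper: checks each LDAP server's transport settings.
def audit_ldap(ldap)
  return [] unless ldap.is_a?(Hash) && ldap['enabled'] == true

  findings = []
  (ldap['servers'] || {}).each do |id, server|
    next unless server.is_a?(Hash)

    # "method" is the deprecated key; "tls" and "ssl" are the deprecated values.
    enc = (server['encryption'] || server['method']).to_s
    enc = { 'tls' => 'start_tls', 'ssl' => 'simple_tls' }.fetch(enc, enc)
    if enc == 'plain'
      findings << "ldap.servers.#{id}: encryption is 'plain', so the bind password and user logins are sent unencrypted"
    elsif %w[start_tls simple_tls].include?(enc) && server['verify_certificates'] == false
      findings << "ldap.servers.#{id}: verify_certificates is false, so the #{enc} server certificate is not checked"
    end
  end
  findings
end

# Hypothetical helper: checks the OmniAuth options marked CAUTION in the file.
def audit_omniauth(omniauth)
  return [] unless omniauth.is_a?(Hash)

  findings = []
  if option_on?(omniauth['allow_single_sign_on']) && omniauth['block_auto_created_users'] == false
    findings << 'omniauth: allow_single_sign_on creates accounts and block_auto_created_users is false, ' \
                'so new accounts are active without admin review'
  end
  if option_on?(omniauth['allow_bypass_two_factor'])
    findings << 'omniauth.allow_bypass_two_factor: confirm every listed provider enforces its own second factor'
  end
  (omniauth['providers'] || []).each do |provider|
    next unless provider.is_a?(Hash)

    # 'args' may be a hash or an array; only a hash can carry disable_ssl_verification.
    args = provider['args'].is_a?(Hash) ? provider['args'] : {}
    if provider['verify_ssl'] == false || args['disable_ssl_verification'] == true
      findings << "omniauth.providers.#{provider['name']}: TLS certificate verification is disabled"
    end
  end
  findings
end

# Returns the findings for one environment block of a gitlab.yml-style document.
def audit_gitlab_yml(yaml_text, env = 'production')
  config = YAML.safe_load(yaml_text) || {}
  section = config[env].is_a?(Hash) ? config[env] : {}
  audit_ldap(section['ldap']) + audit_omniauth(section['omniauth'])
end

if __FILE__ == $PROGRAM_NAME
  audit_gitlab_yml(SAMPLE_CONFIG).each { |finding| puts finding }
end
```

# The sample avoids YAML aliases; a real file that uses `<<: *base` needs alias support
# enabled in the loader before `development`, `test` or `staging` can be audited this way.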