gitlab.yml.example 38 KB
Newer Older
1
# # # # # # # # # # # # # # # # # #
2
# GitLab application config file  #
3
# # # # # # # # # # # # # # # # # #
4
#
5 6
###########################  NOTE  #####################################
# This file should not receive new settings. All configuration options #
7
# * are being moved to ApplicationSetting model!                       #
8
# If a setting requires an application restart say so in that screen.  #
9
# If you change this file in a Merge Request, please also create       #
10 11
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #
# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/0928cfb09f43993fd9454b0b14dbd1924b1407bc/doc/settings/gitlab.yml.md #
12 13
########################################################################
#
14
#
15
# How to use:
16 17
# 1. Copy file as gitlab.yml
# 2. Update gitlab -> host with your fully qualified domain name
18
# 3. Update gitlab -> email_from
19
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
20 21 22
#    IMPORTANT: If Git was installed in a different location use that instead.
#    You can check with `which git`. If a wrong path of Git is specified, it will
#     result in various issues such as failures of GitLab CI builds.
23
# 5. Review this configuration file for other settings you may want to adjust
24

25 26 27 28 29 30 31
production: &base
  #
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
  gitlab:
32
    ## Web server settings (note: host is the FQDN, do not include http://)
33
    host: localhost
34 35
    port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
36

37
    # Uncomment this line below if your ssh host is different from HTTP/HTTPS one
38 39 40 41
    # (you'd obviously need to replace ssh.host_example.com with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    # ssh_host: ssh.host_example.com

42
    # Relative URL support
43 44
    # WARNING: We recommend using an FQDN to host GitLab in a root path instead
    # of using a relative URL.
45 46 47
    # Documentation: http://doc.gitlab.com/ce/install/relative_url.html
    # Uncomment and customize the following line to run in a non-root path
    #
48 49
    # relative_url_root: /gitlab

50 51 52 53 54 55 56 57 58
    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    trusted_proxies:
      # Examples:
      #- 192.168.1.0/24
      #- 192.168.2.1
      #- 2001:0db8::/32

59 60 61
    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    # user: git

62 63
    ## Date & Time settings
    # Uncomment and customize if you want to change the default time zone of GitLab application.
64
    # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
65 66
    # time_zone: 'UTC'

67 68 69 70 71 72 73
    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    # email_enabled: true
    # Email address used in the "From" field in mails sent by GitLab
    email_from: example@example.com
    email_display_name: GitLab
    email_reply_to: noreply@example.com
74
    email_subject_suffix: ''
75 76 77

    # Email server smtp settings are in config/initializers/smtp_settings.rb.sample

78
    # default_can_create_group: false  # default: true
79
    # username_changing_enabled: false # default: true - User can change her username/namespace
80
    ## Default theme ID
81
    ##   1 - Indigo
82 83 84
    ##   2 - Dark
    ##   3 - Light
    ##   4 - Blue
85
    ##   5 - Green
86 87 88 89 90
    ##   6 - Light Indigo
    ##   7 - Light Blue
    ##   8 - Light Green
    ##   9 - Red
    ##   10 - Light Red
91
    # default_theme: 1 # default: 1
92

93
    ## Automatic issue closing
94
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
95
    # This happens when the commit is pushed or merged into the default branch of a project.
Sytse Sijbrandij's avatar
Sytse Sijbrandij committed
96
    # When not specified the default issue_closing_pattern as specified below will be used.
Achilleas Pipinellis's avatar
Achilleas Pipinellis committed
97
    # Tip: you can test your closing pattern at http://rubular.com.
98
    # issue_closing_pattern: '\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
99

100 101 102 103 104
    ## Default project features settings
    default_projects_features:
      issues: true
      merge_requests: true
      wiki: true
105
      snippets: true
106
      builds: true
107
      container_registry: true
108

109 110 111 112
    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    # webhook_timeout: 10

113 114
    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
115 116
    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
    # repository_downloads_path: shared/cache/archive/
117

118 119 120
    ## Impersonation settings
    impersonation_enabled: true

Douwe Maan's avatar
Douwe Maan committed
121
  ## Reply by email
Douwe Maan's avatar
Douwe Maan committed
122
  # Allow users to comment on issues and merge requests by replying to notification emails.
123
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
124
  incoming_email:
Douwe Maan's avatar
Douwe Maan committed
125
    enabled: false
126 127

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
128
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
    address: "gitlab-incoming+%{key}@gmail.com"

    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: "gitlab-incoming@gmail.com"
    # Email account password
    password: "[REDACTED]"

    # IMAP server host
    host: "imap.gmail.com"
    # IMAP server port
    port: 993
    # Whether the IMAP server uses SSL
    ssl: true
    # Whether the IMAP server uses StartTLS
    start_tls: false

    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: "inbox"
149
    # The IDLE command timeout.
150
    idle_timeout: 60
Douwe Maan's avatar
Douwe Maan committed
151

Kamil Trzciński's avatar
Kamil Trzciński committed
152 153 154 155 156
  ## Build Artifacts
  artifacts:
    enabled: true
    # The location where build artifacts are stored (default: shared/artifacts).
    # path: shared/artifacts
157 158
    # object_store:
    #   enabled: false
159 160
    #   remote_directory: artifacts # The bucket name
    #   background_upload: false # Temporary option to limit automatic upload (Default: true)
161
    #   proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
162 163 164 165
    #   connection:
    #     provider: AWS # Only AWS supported at the moment
    #     aws_access_key_id: AWS_ACCESS_KEY_ID
    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
166
    #     region: us-east-1
167
    #     aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
168
    #     endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
169

170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186
  ## Merge request external diff storage
  external_diffs:
    # If disabled (the default), the diffs are in-database. Otherwise, they can
    # be stored on disk, or in object storage
    enabled: false
    # The location where external diffs are stored (default: shared/lfs-external-diffs).
    # storage_path: shared/external-diffs
    # object_store:
    #   enabled: false
    #   remote_directory: external-diffs
    #   background_upload: false
    #   proxy_download: false
    #   connection:
    #     provider: AWS
    #     aws_access_key_id: AWS_ACCESS_KEY_ID
    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
    #     region: us-east-1
Kamil Trzciński's avatar
Kamil Trzciński committed
187

188 189
  ## Git LFS
  lfs:
Marin Jankovski's avatar
Marin Jankovski committed
190
    enabled: true
191 192
    # The location where LFS objects are stored (default: shared/lfs-objects).
    # storage_path: shared/lfs-objects
193 194 195
    object_store:
      enabled: false
      remote_directory: lfs-objects # Bucket name
196
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
197
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
198
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
199 200 201 202
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
203
        region: us-east-1
204 205 206
        # Use the following options to configure an AWS compatible host
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
207
        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
208
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
209

210 211 212 213 214 215
  ## Uploads (attachments, avatars, etc...)
  uploads:
    # The location where uploads objects are stored (default: public/).
    # storage_path: public/
    # base_dir: uploads/-/system
    object_store:
216
      enabled: false
217
      remote_directory: uploads # Bucket name
218 219 220
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
221 222 223 224
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
225
        aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
226 227 228 229
        region: us-east-1
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
230

231
  ## Packages (maven repository, npm registry, etc...)
232 233 234
  packages:
    enabled: false

Kamil Trzciński's avatar
Kamil Trzciński committed
235 236 237
  ## GitLab Pages
  pages:
    enabled: false
238
    access_control: false
Kamil Trzciński's avatar
Kamil Trzciński committed
239 240 241 242 243 244
    # The location where pages are stored (default: shared/pages).
    # path: shared/pages

    # The domain under which the pages are served:
    # http://group.example.com/project
    # or project path can be a group page: group.example.com
245
    host: example.com
246 247
    port: 80 # Set to 443 if you serve the pages with HTTPS
    https: false # Set to true if you serve the pages with HTTPS
248
    artifacts_server: true # Set to false if you want to disable online view of HTML artifacts
249 250
    # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
    # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
251 252
    admin:
      address: unix:/home/git/gitlab/tmp/sockets/private/pages-admin.socket # TCP connections are supported too (e.g. tcp://host:port)
Kamil Trzciński's avatar
Kamil Trzciński committed
253

254 255 256 257 258 259
  ## Mattermost
  ## For enabling Add to Mattermost button
  mattermost:
    enabled: false
    host: 'https://mattermost.example.com'

260
  ## Gravatar
261 262 263
  ## If using gravatar.com, there's nothing to change here. For Libravatar
  ## you'll need to provide the custom URLs. For more information,
  ## see: https://docs.gitlab.com/ee/customization/libravatar.html
264
  gravatar:
265 266
    # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username}
    # plain_url: "http://..."     # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
267
    # ssl_url:   "https://..."    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
268

269 270 271 272
  ## Sidekiq
  sidekiq:
    log_format: default # (json is also supported)

273
  ## Auxiliary jobs
274
  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
275 276
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
277 278
    # Flag stuck CI jobs as failed
    stuck_ci_jobs_worker:
279
      cron: "0 * * * *"
shinya maeda's avatar
shinya maeda committed
280
    # Execute scheduled triggers
281
    pipeline_schedule_worker:
282
      cron: "19 * * * *"
283 284
    # Remove expired build artifacts
    expire_build_artifacts_worker:
285
      cron: "50 * * * *"
Jacob Vosmaer's avatar
Jacob Vosmaer committed
286 287
    # Periodically run 'git fsck' on all repositories. If started more than
    # once per hour you will have concurrent 'git fsck' jobs.
288
    repository_check_worker:
Jacob Vosmaer's avatar
Jacob Vosmaer committed
289
      cron: "20 * * * *"
290 291 292
    # Archive live traces which have not been archived yet
    ci_archive_traces_cron_worker:
      cron: "17 * * * *"
293
    # Send admin emails once a week
Jacob Vosmaer's avatar
Jacob Vosmaer committed
294
    admin_email_worker:
295
      cron: "0 0 * * 0"
296

297 298 299
    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron: "0 * * * *"
300

301 302 303 304
    # Verify custom GitLab Pages domains
    pages_domain_verification_cron_worker:
      cron: "*/15 * * * *"

305 306 307 308
    # Periodically migrate diffs from the database to external storage
    schedule_migrate_external_diffs_worker:
      cron: "15 * * * *"

Kamil Trzciński's avatar
Kamil Trzciński committed
309 310
  registry:
    # enabled: true
311
    # host: registry.example.com
312 313
    # port: 5005
    # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
314
    # key: config/registry.key
315
    # path: shared/registry
316
    # issuer: gitlab-issuer
Kamil Trzciński's avatar
Kamil Trzciński committed
317

318 319 320 321 322

  ## Error Reporting and Logging with Sentry
  sentry:
    # enabled: false
    # dsn: https://<key>@sentry.io/<project>
323
    # clientside_dsn: https://<key>@sentry.io/<project>
324 325
    # environment: 'production' # e.g. development, staging, production

326
  #
327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343
  # 2. GitLab CI settings
  # ==========================

  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    # all_broken_builds: true
    #
    # Add pusher to recipients list (default: false)
    # add_pusher: true

    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    # builds_path: builds/

  #
  # 3. Auth settings
344 345 346
  # ==========================

  ## LDAP settings
347 348
  # You can test connections and inspect a sample of the LDAP users with login
  # access by running:
349
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
350 351
  ldap:
    enabled: false
352
    servers:
353 354 355 356 357 358 359 360 361
      ##########################################################################
      #
      # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
      # Enterprise Edition now supports connecting to multiple LDAP servers.
      #
      # If you are updating from the old (pre-7.4) syntax, you MUST give your
      # old server the ID 'main'.
      #
      ##########################################################################
362
      main: # 'main' is the GitLab 'provider ID' of this LDAP server
363 364 365 366 367 368 369 370
        ## label
        #
        # A human-friendly name for your LDAP server. It is OK to change the label later,
        # for instance if you find out it is too large to fit on the web page.
        #
        # Example: 'Paris' or 'Acme, Ltd.'
        label: 'LDAP'

371
        # Example: 'ldap.mydomain.com'
372
        host: '_your_ldap_server'
373 374 375 376 377
        # This port is an example, it is sometimes different but it is always an integer and not a string
        port: 389 # usually 636 for SSL
        uid: 'sAMAccountName' # This should be the attribute, not the value that maps to uid.

        # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com'
378 379
        bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
        password: '_the_password_of_the_bind_user'
380

Michael Kozono's avatar
Michael Kozono committed
381 382 383 384 385 386 387 388 389 390 391
        # Encryption method. The "method" key is deprecated in favor of
        # "encryption".
        #
        #   Examples: "start_tls" or "simple_tls" or "plain"
        #
        #   Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
        #   replaced with "simple_tls".
        #
        encryption: 'plain'

        # Enables SSL certificate verification if encryption method is
392 393
        # "start_tls" or "simple_tls". Defaults to true.
        verify_certificates: true
Michael Kozono's avatar
Michael Kozono committed
394

395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442
        # OpenSSL::SSL::SSLContext options.
        tls_options:
          # Specifies the path to a file containing a PEM-format CA certificate,
          # e.g. if you need to use an internal CA.
          #
          #   Example: '/etc/ca.pem'
          #
          ca_file: ''

          # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
          # is not appropriate.
          #
          #   Example: 'TLSv1_1'
          #
          ssl_version: ''

          # Specific SSL ciphers to use in communication with LDAP servers.
          #
          # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
          ciphers: ''

          # Client certificate
          #
          # Example:
          #   cert: |
          #     -----BEGIN CERTIFICATE-----
          #     MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
          #     bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
          #     CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4
          #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
          #     ...
          #     4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80
          #     Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==
          #     -----END CERTIFICATE -----
          cert: ''

          # Client private key
          #   key: |
          #     -----BEGIN PRIVATE KEY-----
          #     MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6
          #     bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN
          #     7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C
          #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
          #     ...
          #     +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9
          #     l6RG+a/mW+0rCWn8JAd464Ps9hE=
          #     -----END PRIVATE KEY-----
          key: ''
Michael Kozono's avatar
Michael Kozono committed
443

444 445 446 447 448
        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
        # a request if the LDAP server becomes unresponsive.
        # A value of 0 means there is no timeout.
        timeout: 10

449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464
        # This setting specifies if LDAP server is Active Directory LDAP server.
        # For non AD servers it skips the AD specific queries.
        # If your LDAP server is not AD, set this to false.
        active_directory: true

        # If allow_username_or_email_login is enabled, GitLab will ignore everything
        # after the first '@' in the LDAP username submitted by the user on login.
        #
        # Example:
        # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
        # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
        #
        # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
        # disable this setting, because the userPrincipalName contains an '@'.
        allow_username_or_email_login: false

465
        # To maintain tight control over the number of active users on your GitLab installation,
466
        # enable this setting to keep new users blocked until they have been cleared by the admin
467
        # (default: false).
468 469
        block_auto_created_users: false

470 471
        # Base where we can search for users
        #
472
        #   Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com'
473 474 475 476 477
        #
        base: ''

        # Filter LDAP users
        #
478
        #   Format: RFC 4515 https://tools.ietf.org/search/rfc4515
479 480 481 482
        #   Ex. (employeeType=developer)
        #
        #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
        #
483 484 485
        #   Example for getting only specific users:
        #   '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'
        #
486
        user_filter: ''
487

488
        # LDAP attributes that GitLab will use to create an account for the LDAP user.
Douwe Maan's avatar
Douwe Maan committed
489 490
        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
491 492 493 494 495
        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
        attributes:
          # The username will be used in paths for the user's own projects
          # (like `gitlab.example.com/username/project`) and when mentioning
          # them in issues, merge request and comments (like `@username`).
496
          # If the attribute specified for `username` contains an email address,
497 498 499 500 501
          # the GitLab username will be the part of the email address before the '@'.
          username: ['uid', 'userid', 'sAMAccountName']
          email:    ['mail', 'email', 'userPrincipalName']

          # If no full name could be found at the attribute specified for `name`,
502
          # the full name is determined using the attributes specified for
503 504 505 506 507
          # `first_name` and `last_name`.
          name:       'cn'
          first_name: 'givenName'
          last_name:  'sn'

508 509 510
        # If lowercase_usernames is enabled, GitLab will lower case the username.
        lowercase_usernames: false

511 512 513 514 515 516 517
      # GitLab EE only: add more LDAP servers
      # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
      # so that GitLab can remember which LDAP server a user belongs to.
      # uswest2:
      #   label:
      #   host:
      #   ....
518 519


520
  ## OmniAuth settings
521
  omniauth:
522
    # Allow login via Twitter, Google, etc. using OmniAuth providers
Nick Thomas's avatar
Nick Thomas committed
523
    # enabled: true
524

525 526 527 528
    # Uncomment this to automatically sign in with a specific omniauth provider's without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    # auto_sign_in_with_provider: saml

529 530 531
    # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).
    # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"],
    # or as true/false to allow all providers or none.
532
    # When authenticating using LDAP, the user's email is always synced.
533 534 535 536 537 538 539
    # sync_profile_from_provider: []

    # Select which info to sync from the providers above. (default: email).
    # Define the synced profile info using an array. Available options are "name", "email" and "location"
    # e.g. ["name", "email", "location"] or as true to sync all available.
    # This consequently will make the selected attributes read-only.
    # sync_profile_attributes: true
540

541
    # CAUTION!
542 543
    # This allows users to login without having a user account first. Define the allowed providers
    # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
544
    # User accounts will be created automatically when authentication was successful.
545 546
    allow_single_sign_on: ["saml"]

547
    # Locks down those users until they have been cleared by the admin (default: true).
548
    block_auto_created_users: true
549 550 551
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: false
552

553 554 555 556 557
    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: false

Patricio Cano's avatar
Patricio Cano committed
558 559 560 561 562 563 564
    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: []

565
    ## Auth providers
566 567
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
568
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
569 570
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
Sid Sijbrandij's avatar
Sid Sijbrandij committed
571
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
572
    providers:
tduehr's avatar
tduehr committed
573 574 575 576 577 578 579 580 581
      # See omniauth-cas3 for more configuration details
      # - { name: 'cas3',
      #     label: 'cas3',
      #     args: {
      #             url: 'https://sso.example.com',
      #             disable_ssl_verification: false,
      #             login_url: '/cas/login',
      #             service_validate_url: '/cas/p3/serviceValidate',
      #             logout_url: '/cas/logout'} }
582
      # - { name: 'authentiq',
583
      #     # for client credentials (client ID and secret), go to https://www.authentiq.com/developers
584 585 586 587
      #     app_id: 'YOUR_CLIENT_ID',
      #     app_secret: 'YOUR_CLIENT_SECRET',
      #     args: {
      #             scope: 'aq:name email~rs address aq:push'
588 589
      #             # callback_url parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
      #             # callback_url: 'YOUR_CALLBACK_URL'
590 591
      #           }
      #   }
592 593
      # - { name: 'github',
      #     app_id: 'YOUR_APP_ID',
Douwe Maan's avatar
Douwe Maan committed
594
      #     app_secret: 'YOUR_APP_SECRET',
595 596
      #     url: "https://github.com/",
      #     verify_ssl: true,
597
      #     args: { scope: 'user:email' } }
Douwe Maan's avatar
Douwe Maan committed
598 599 600
      # - { name: 'bitbucket',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
601 602
      # - { name: 'gitlab',
      #     app_id: 'YOUR_APP_ID',
Douwe Maan's avatar
Douwe Maan committed
603
      #     app_secret: 'YOUR_APP_SECRET',
604
      #     args: { scope: 'api' } }
Douwe Maan's avatar
Douwe Maan committed
605 606 607 608 609
      # - { name: 'google_oauth2',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'facebook',
610
      #     app_id: 'YOUR_APP_ID',
611
      #     app_secret: 'YOUR_APP_SECRET' }
Douwe Maan's avatar
Douwe Maan committed
612 613 614
      # - { name: 'twitter',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
615 616
      # - { name: 'jwt',
      #     args: {
617 618 619 620 621 622 623 624
      #       secret: 'YOUR_APP_SECRET',
      #       algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512'
      #       uid_claim: 'email',
      #       required_claims: ['name', 'email'],
      #       info_map: { name: 'name', email: 'email' },
      #       auth_url: 'https://example.com/',
      #       valid_within: 3600 # 1 hour
      #     }
625
      #   }
626
      # - { name: 'saml',
627
      #     label: 'Our SAML Provider',
Patricio Cano's avatar
Patricio Cano committed
628 629
      #     groups_attribute: 'Groups',
      #     external_groups: ['Contractors', 'Freelancers'],
630 631 632 633 634 635 636
      #     args: {
      #             assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      #             idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
      #             idp_sso_target_url: 'https://login.example.com/idp',
      #             issuer: 'https://gitlab.example.com',
      #             name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
      #           } }
Patricio Cano's avatar
Patricio Cano committed
637
      #
Valeriy's avatar
Valeriy committed
638 639 640 641 642
      # - { name: 'crowd',
      #     args: {
      #       crowd_server_url: 'CROWD SERVER URL',
      #       application_name: 'YOUR_APP_NAME',
      #       application_password: 'YOUR_APP_PASSWORD' } }
643 644 645 646 647 648
      #
      # - { name: 'auth0',
      #     args: {
      #       client_id: 'YOUR_AUTH0_CLIENT_ID',
      #       client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
      #       namespace: 'YOUR_AUTH0_DOMAIN' } }
649

tduehr's avatar
tduehr committed
650 651 652 653
    # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
    # cas3:
    #   session_duration: 28800

654 655 656 657
  # Shared file storage settings
  shared:
    # path: /mnt/gitlab # Default: shared

658 659
  # Gitaly settings
  gitaly:
660
    # Path to the directory containing Gitaly client executables.
661
    client_path: /home/git/gitaly/bin
662
    # Default Gitaly authentication token. Can be overridden per storage. Can
663 664 665
    # be left blank when Gitaly is running locally on a Unix socket, which
    # is the normal way to deploy Gitaly.
    token:
666 667

  #
668
  # 4. Advanced settings
669 670
  # ==========================

671 672 673
  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
674 675 676
    # IMPORTANT: None of the path components may be symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path and that results
    # real path not the symlink.
677
    storages: # You must have at least a `default` storage path.
678 679
      default:
        path: /home/git/repositories/
680
        gitaly_address: unix:/home/git/gitlab/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).
681
        # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.
682

683 684 685
  ## Backup settings
  backup:
    path: "tmp/backups"   # Relative paths are relative to Rails.root (default: tmp/backups/)
686
    # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
687
    # keep_time: 604800   # default: 0 (forever) (in seconds)
Valeriy's avatar
Valeriy committed
688
    # pg_schema: public     # default: nil, it means that all schemas will be backed up
689 690 691 692
    # upload:
    #   # Fog storage connection settings, see http://fog.io/storage/ .
    #   connection:
    #     provider: AWS
693
    #     region: eu-west-1
694 695 696 697
    #     aws_access_key_id: AKIAKIAKI
    #     aws_secret_access_key: 'secret123'
    #   # The remote 'directory' to store your backups. For S3, this would be the bucket name.
    #   remote_directory: 'my.s3.bucket'
698 699 700
    #   # Use multipart uploads when file size reaches 100MB, see
    #   #  http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
    #   multipart_chunk_size: 104857600
701 702
    #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
    #   # encryption: 'AES256'
703
    #   # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
704 705
    #   #   This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
    #   #   'encryption' must also be set in order for this to have any effect.
706
    #   # encryption_key: '<base64 key>'
707 708
    #   # Specifies Amazon S3 storage class to use for backups, this is optional
    #   # storage_class: 'STANDARD'
709

710 711
  ## GitLab Shell settings
  gitlab_shell:
712
    path: /home/git/gitlab-shell/
713
    authorized_keys_file: /home/git/.ssh/authorized_keys
714

715 716 717 718
    # File that contains the secret key for verifying access for gitlab-shell.
    # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_shell_secret

719 720 721 722
    # Git over HTTP
    upload_pack: true
    receive_pack: true

723 724
    # Git import/fetch timeout, in seconds. Defaults to 3 hours.
    # git_timeout: 10800
725

726
    # If you use non-standard ssh port you need to specify it
727 728
    # ssh_port: 22

729 730 731 732 733
  workhorse:
    # File that contains the secret key for verifying access for gitlab-workhorse.
    # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_workhorse_secret

734
  ## Git settings
Riyad Preukschas's avatar
Riyad Preukschas committed
735
  # CAUTION!
736 737 738 739
  # Use the default values unless you really know what you are doing
  git:
    bin_path: /usr/bin/git

740 741 742 743 744 745 746 747 748 749
  ## Webpack settings
  # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
  # on a given port instead of serving directly from /assets/webpack. This is only indended for use
  # in development.
  webpack:
    # dev_server:
    #   enabled: true
    #   host: localhost
    #   port: 3808

750 751 752
  ## Monitoring
  # Built in monitoring settings
  monitoring:
753 754
    # Time between sampling of unicorn socket metrics, in seconds
    # unicorn_sampler_interval: 10
755
    # IP whitelist to access monitoring endpoints
756 757
    ip_whitelist:
      - 127.0.0.0/8
758

759 760 761 762 763
    # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics
    sidekiq_exporter:
    #  enabled: true
    #  address: localhost
    #  port: 3807
764

765
  #
766
  # 5. Extra customization
767 768
  # ==========================

769
  extra:
770 771 772
    ## Google analytics. Uncomment if you want it
    # google_analytics_id: '_your_tracking_id'

Sebastian Winkler's avatar
Sebastian Winkler committed
773 774 775 776
    ## Piwik analytics.
    # piwik_url: '_your_piwik_url'
    # piwik_site_id: '_your_piwik_site_id'

777 778
  rack_attack:
    git_basic_auth:
779 780 781
      # Rack Attack IP banning enabled
      # enabled: true
      #
782 783 784
      # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
      # ip_whitelist: ["127.0.0.1"]
      #
785 786 787 788 789 790 791 792 793
      # Limit the number of Git HTTP authentication attempts per IP
      # maxretry: 10
      #
      # Reset the auth attempt counter per IP after 60 seconds
      # findtime: 60
      #
      # Ban an IP for one hour (3600s) after too many auth attempts
      # bantime: 3600

794
development:
795
  <<: *base
796 797

test:
798
  <<: *base
799 800
  gravatar:
    enabled: true
801 802
  external_diffs:
    enabled: false
803 804 805 806
    # Diffs may be `always` external (the default), or they can be made external
    # after they have become `outdated` (i.e., the MR is closed or a new version
    # has been pushed).
    # when: always
807 808 809 810 811 812 813 814 815 816
    # The location where external diffs are stored (default: shared/external-diffs).
    # storage_path: shared/external-diffs
    object_store:
      enabled: false
      remote_directory: external-diffs # The bucket name
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
817 818
  lfs:
    enabled: false
819 820 821 822 823 824 825 826 827
    # The location where LFS objects are stored (default: shared/lfs-objects).
    # storage_path: shared/lfs-objects
    object_store:
      enabled: false
      remote_directory: lfs-objects # The bucket name
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
828
        region: us-east-1
829
  artifacts:
830
    path: tmp/tests/artifacts
831 832 833 834 835 836
    enabled: true
    # The location where build artifacts are stored (default: shared/artifacts).
    # path: shared/artifacts
    object_store:
      enabled: false
      remote_directory: artifacts # The bucket name
837
      background_upload: false
838 839 840 841
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
842
        region: us-east-1
843 844 845 846 847 848 849 850
  uploads:
    storage_path: tmp/tests/public
    object_store:
      enabled: false
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
851
        region: us-east-1
852 853
  gitlab:
    host: localhost
854
    port: 80
855

856 857
    # When you run tests we clone and set up gitlab-shell
    # In order to set it up correctly you need to specify
858
    # your system username you use to run GitLab
859
    # user: YOUR_USERNAME
860 861
  pages:
    path: tmp/tests/pages
862 863
  repositories:
    storages:
864 865
      default:
        path: tmp/tests/repositories/
866
        gitaly_address: unix:tmp/tests/gitaly/gitaly.socket
867

868
  gitaly:
869
    client_path: tmp/tests/gitaly
870
    token: secret
871
  backup:
872
    path: tmp/tests/backups
873 874
  gitlab_shell:
    path: tmp/tests/gitlab-shell/
875
    authorized_keys_file: tmp/tests/authorized_keys
876 877
  issues_tracker:
    redmine:
878
      title: "Redmine"
879
      project_url: "http://redmine/projects/:issues_tracker_id"
880
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
881
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
Felipe's avatar
Felipe committed
882 883
    jira:
      title: "JIRA"
884
      url: https://sample_company.atlassian.net
Felipe's avatar
Felipe committed
885
      project_key: PROJECT
886 887

  omniauth:
Nick Thomas's avatar
Nick Thomas committed
888
    # enabled: true
889 890 891 892 893 894
    allow_single_sign_on: true
    external_providers: []

    providers:
      - { name: 'cas3',
          label: 'cas3',
Timothy Andrew's avatar
Timothy Andrew committed
895
          args: { url: 'https://sso.example.com',
896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922
                  disable_ssl_verification: false,
                  login_url: '/cas/login',
                  service_validate_url: '/cas/p3/serviceValidate',
                  logout_url: '/cas/logout'} }
      - { name: 'github',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET',
          url: "https://github.com/",
          verify_ssl: false,
          args: { scope: 'user:email' } }
      - { name: 'bitbucket',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
      - { name: 'gitlab',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET',
          args: { scope: 'api' } }
      - { name: 'google_oauth2',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET',
          args: { access_type: 'offline', approval_prompt: '' } }
      - { name: 'facebook',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
      - { name: 'twitter',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
923 924 925 926 927 928 929 930
      - { name: 'jwt',
          app_secret: 'YOUR_APP_SECRET',
          args: {
                  algorithm: 'HS256',
                  uid_claim: 'email',
                  required_claims: ["name", "email"],
                  info_map: { name: "name", email: "email" },
                  auth_url: 'https://example.com/',
931
                  valid_within: null,
932 933
                }
        }
934 935 936 937 938
      - { name: 'auth0',
          args: {
            client_id: 'YOUR_AUTH0_CLIENT_ID',
            client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
            namespace: 'YOUR_AUTH0_DOMAIN' } }
939 940 941 942
      - { name: 'authentiq',
          app_id: 'YOUR_CLIENT_ID',
          app_secret: 'YOUR_CLIENT_SECRET',
          args: { scope: 'aq:name email~rs address aq:push' } }
943 944 945 946
      - { name: 'salesforce',
          app_id: 'YOUR_CLIENT_ID',
          app_secret: 'YOUR_CLIENT_SECRET'
        }
947 948 949
  ldap:
    enabled: false
    servers:
950
      main:
951 952 953 954
        label: ldap
        host: 127.0.0.1
        port: 3890
        uid: 'uid'
Michael Kozono's avatar
Michael Kozono committed
955
        encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
956 957 958 959
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''
960 961

staging:
962
  <<: *base