# # # # # # # # # # # # # # # # # #
# GitLab application config file  #
# # # # # # # # # # # # # # # # # #
#
###########################  NOTE  #####################################
# This file should not receive new settings. All configuration options #
# * are being moved to ApplicationSetting model!                       #
# If a setting requires an application restart say so in that screen.  #
# If you change this file in a merge request, please also create       #
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #
# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md #
########################################################################
#
#
# How to use:
# 1. Copy file as gitlab.yml
# 2. Update gitlab -> host with your fully qualified domain name
# 3. Update gitlab -> email_from
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
#    IMPORTANT: If Git was installed in a different location use that instead.
#    You can check with `which git`. If the wrong Git path is specified, it will
#    result in various issues such as failures of GitLab CI builds.
# 5. Review this configuration file for other settings you may want to adjust

production: &base
  #
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: localhost
    port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details

    # Uncomment this line if you want to configure the Rails asset host for a CDN.
    # cdn_host: localhost

    # The maximum time Puma can spend on the request. This needs to be smaller than the worker timeout.
    # Default is 95% of the worker timeout
    max_request_duration_seconds: 57

    # Uncomment the line below if your SSH host is different from the HTTP/HTTPS one
    # (you'd obviously need to replace ssh.host_example.com with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    # ssh_host: ssh.host_example.com

    # Relative URL support
    # WARNING: We recommend using an FQDN to host GitLab in a root path instead
    # of using a relative URL.
    # Documentation: http://doc.gitlab.com/ce/install/relative_url.html
    # Uncomment and customize the following line to run in a non-root path
    #
    # relative_url_root: /gitlab

    # Content Security Policy
    # See https://guides.rubyonrails.org/security.html#content-security-policy
    content_security_policy:
      enabled: true
      report_only: false
      directives:
        base_uri:
        child_src:
        connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
        default_src: "'self'"
        font_src:
        form_action:
        frame_ancestors: "'self'"
        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
        img_src: "* data: blob:"
        manifest_src:
        media_src:
        object_src: "'none'"
        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
        style_src: "'self' 'unsafe-inline'"
        worker_src: "'self' blob:"
        report_uri:

    allowed_hosts: []

    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    trusted_proxies:
      # Examples:
      # - 192.168.1.0/24
      # - 192.168.2.1
      # - 2001:0db8::/32

    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    # user: git

    ## Date & Time settings
    # Uncomment and customize if you want to change the default time zone of GitLab application.
    # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
    # time_zone: 'UTC'

    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    # email_enabled: true
    # Email address used in the "From" field in mails sent by GitLab
    email_from: example@example.com
    email_display_name: GitLab
    email_reply_to: noreply@example.com
    email_subject_suffix: ''
    email_smime:
      # Uncomment and set to true if you need to enable email S/MIME signing (default: false)
      # enabled: false
      # S/MIME private key file in PEM format, unencrypted
      # Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app).
      # key_file: /home/git/gitlab/.gitlab_smime_key
      # S/MIME public certificate key in PEM format, will be attached to signed messages
      # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app).
      # cert_file: /home/git/gitlab/.gitlab_smime_cert
      # S/MIME extra CA public certificates in PEM format, will be attached to signed messages
      # Optional
      # ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs

    # Email server smtp settings are in config/initializers/smtp_settings.rb.sample
    # File location to read encrypted SMTP secrets from
    # email_smtp_secret_file: /mnt/gitlab/smtp.yaml.enc # Default: shared/encrypted_settings/smtp.yaml.enc

    # default_can_create_group: false  # default: true
    # username_changing_enabled: false # default: true - User can change their username/namespace
    ## Default theme ID
    ##   1 - Indigo
    ##   2 - Dark
    ##   3 - Light
    ##   4 - Blue
    ##   5 - Green
    ##   6 - Light Indigo
    ##   7 - Light Blue
    ##   8 - Light Green
    ##   9 - Red
    ##   10 - Light Red
    # default_theme: 1 # default: 1

    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified the default issue_closing_pattern as specified below will be used.
    # Tip: you can test your closing pattern at http://rubular.com.
    # issue_closing_pattern: '\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'

    ## Default project features settings
    default_projects_features:
      issues: true
      merge_requests: true
      wiki: true
      snippets: true
      builds: true
      container_registry: true

    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    # webhook_timeout: 10

    ### GraphQL Settings
    # Tells the rails application how long it has to complete a GraphQL request.
    # We suggest setting this value higher than the database timeout value
    # and lower than the worker timeout set in Puma. (default: 30)
    # graphql_timeout: 30

    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
    # repository_downloads_path: shared/cache/archive/

    ## Impersonation settings
    impersonation_enabled: true

    ## Disable jQuery and CSS animations
    # disable_animations: true

    ## Application settings cache expiry in seconds (default: 60)
    # application_settings_cache_seconds: 60

    ## Print initial root password to stdout during initialization (default: false)
    # WARNING: setting this to true means that the root password will be printed in
    # plaintext. This can be a security risk.
    # display_initial_root_password: false

  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  incoming_email:
    enabled: false

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    # Please be aware that a placeholder is required for the Service Desk feature to work.
    address: "gitlab-incoming+%{key}@gmail.com"

    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: "gitlab-incoming@gmail.com"
    # Email account password
    password: "[REDACTED]"

    # IMAP server host
    host: "imap.gmail.com"
    # IMAP server port
    port: 993
    # Whether the IMAP server uses SSL
    ssl: true
    # Whether the IMAP server uses StartTLS
    start_tls: false

    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: "inbox"
    # The IDLE command timeout.
    idle_timeout: 60
    # The log file path for the structured log file.
    # Since `mail_room` is run independently of Rails, an absolute path is preferred.
    # The default is 'log/mail_room_json.log' relative to the root of the Rails app.
    #
    # log_path: log/mail_room_json.log

    # Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery
    expunge_deleted: false

    # For Microsoft Graph support
    # inbox_method: microsoft_graph
    # inbox_options:
    #   tenant_id: "YOUR-TENANT-ID"
    #   client_id: "YOUR-CLIENT-ID"
    #   client_secret: "YOUR-CLIENT-SECRET"

  ## Consolidated object store config
  ## This will only take effect if the object_store sections are not defined
  ## within the types (e.g. artifacts, lfs, etc.).
  # object_store:
  #   enabled: false
  #   proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
  #   connection:
  #     provider: AWS # Only AWS supported at the moment
  #     aws_access_key_id: AWS_ACCESS_KEY_ID
  #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
  #     region: us-east-1
  #     aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
  #     endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
  #   storage_options:
  #     server_side_encryption: AES256 # AES256, aws:kms
  #     server_side_encryption_kms_key_id: # Amazon Resource Name. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
  #   objects:
  #     artifacts:
  #       bucket: artifacts
  #     external_diffs:
  #       bucket: external-diffs
  #     lfs:
  #       bucket: lfs-objects
  #     uploads:
  #       bucket: uploads
  #     packages:
  #       bucket: packages
  #     dependency_proxy:
  #       bucket: dependency_proxy

  ## Build Artifacts
  artifacts:
    enabled: true
    # The location where build artifacts are stored (default: shared/artifacts).
    # path: shared/artifacts
    # object_store:
    #   enabled: false
    #   remote_directory: artifacts # The bucket name
    #   background_upload: false # Temporary option to limit automatic upload (Default: true)
    #   proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
    #   connection:
    #     provider: AWS # Only AWS supported at the moment
    #     aws_access_key_id: AWS_ACCESS_KEY_ID
    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
    #     region: us-east-1
    #     aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
    #     endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces

  ## Merge request external diff storage
  external_diffs:
    # If disabled (the default), the diffs are stored in the database. Otherwise,
    # they can be stored on disk or in object storage.
    enabled: false
    # The location where external diffs are stored (default: shared/lfs-external-diffs).
    # storage_path: shared/external-diffs
    # object_store:
    #   enabled: false
    #   remote_directory: external-diffs
    #   background_upload: false
    #   proxy_download: false
    #   connection:
    #     provider: AWS
    #     aws_access_key_id: AWS_ACCESS_KEY_ID
    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
    #     region: us-east-1

  ## Git LFS
  lfs:
    enabled: true
    # The location where LFS objects are stored (default: shared/lfs-objects).
    # storage_path: shared/lfs-objects
    object_store:
      enabled: false
      remote_directory: lfs-objects # Bucket name
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
        # Use the following options to configure an AWS compatible host
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## Uploads (attachments, avatars, etc...)
  uploads:
    # The location where uploads objects are stored (default: public/).
    # storage_path: public/
    # base_dir: uploads/-/system
    object_store:
      enabled: false
      remote_directory: uploads # Bucket name
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        region: us-east-1
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## Packages (maven repository, npm registry, etc...)
  packages:
    enabled: true
    dpkg_deb_path: /usr/bin/dpkg-deb
    # The location where build packages are stored (default: shared/packages).
    # storage_path: shared/packages
    object_store:
      enabled: false
      remote_directory: packages # The bucket name
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## Dependency Proxy
  dependency_proxy:
    enabled: true
    # The location where dependency proxy files are stored (default: shared/dependency_proxy).
    # storage_path: shared/dependency_proxy
    object_store:
      enabled: false
      remote_directory: dependency_proxy # The bucket name
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## Terraform state
  terraform_state:
    enabled: true
    # The location where Terraform state files are stored (default: shared/terraform_state).
    # storage_path: shared/terraform_state
    object_store:
      enabled: false
      remote_directory: terraform # The bucket name
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## GitLab Pages
  pages:
    enabled: false
    access_control: false
    # The location where pages are stored (default: shared/pages).
    # path: shared/pages

    # The domain under which the pages are served, e.g.:
    #   http://group.example.com/project
    # A project can also be served as a group page, e.g.: group.example.com
    host: example.com
    port: 80 # Set to 443 if you serve the pages with HTTPS
    https: false # Set to true if you serve the pages with HTTPS
    artifacts_server: true # Set to false if you want to disable online view of HTML artifacts
    # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
    # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages

    # File that contains the shared secret key for verifying access for gitlab-pages.
    # Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_pages_secret
    object_store:
      enabled: false
      remote_directory: pages # The bucket name
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
    local_store:
      enabled: true
      # The location where pages are stored (default: shared/pages).
      # path: shared/pages

  ## Mattermost
  ## For enabling Add to Mattermost button
  mattermost:
    enabled: false
    host: 'https://mattermost.example.com'

  ## Gravatar
  ## If using gravatar.com, there's nothing to change here. For Libravatar
  ## you'll need to provide the custom URLs. For more information,
  ## see: https://docs.gitlab.com/ee/administration/libravatar.html
  gravatar:
    # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username}
    # plain_url: "http://..."     # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    # ssl_url:   "https://..."    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon

  ## Sidekiq
  sidekiq:
    log_format: json # (default is the original format)
    # An array of tuples indicating the rules for re-routing a worker to a
    # desirable queue before scheduling. For example:
    # routing_rules:
    #   - ["resource_boundary=cpu", "cpu_boundary"]
    #   - ["feature_category=pages", null]
    #   - ["*", "default"]

  ## Auxiliary jobs
  # Periodically executed jobs that self-heal GitLab, run external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
    # Flag stuck CI jobs as failed
    stuck_ci_jobs_worker:
      cron: "0 * * * *"
    # Execute scheduled triggers
    pipeline_schedule_worker:
      cron: "3-59/10 * * * *"
    # Remove expired build artifacts
    expire_build_artifacts_worker:
      cron: "*/7 * * * *"
    # Remove expired pipeline artifacts
    ci_pipelines_expire_artifacts_worker:
      cron: "*/23 * * * *"
    # Remove files from object storage
    ci_schedule_delete_objects_worker:
      cron: "*/16 * * * *"
    # Stop expired environments
    environments_auto_stop_cron_worker:
      cron: "24 * * * *"
    # Delete stopped environments
    environments_auto_delete_cron_worker:
      cron: "34 * * * *"
    # Periodically run 'git fsck' on all repositories. If started more than
    # once per hour you will have concurrent 'git fsck' jobs.
    repository_check_worker:
      cron: "20 * * * *"
    # Archive live traces which have not been archived yet
    ci_archive_traces_cron_worker:
      cron: "17 * * * *"
    # Send admin emails once a week
    admin_email_worker:
      cron: "0 0 * * 0"
    # Send emails for personal tokens which are about to expire
    personal_access_tokens_expiring_worker:
      cron: "0 1 * * *"

    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron: "0 * * * *"

    # Verify custom GitLab Pages domains
    pages_domain_verification_cron_worker:
      cron: "*/15 * * * *"

    # Periodically migrate diffs from the database to external storage
    schedule_migrate_external_diffs_worker:
      cron: "15 * * * *"

    # Update CI Platform Metrics daily
    ci_platform_metrics_update_cron_worker:
      cron: "47 9 * * *"

  # GitLab EE only jobs. These jobs are automatically enabled for an EE
  # installation, and ignored for a CE installation.
  ee_cron_jobs:
    # Schedule snapshots for all devops adoption segments
    # NOTE(review): the cron value below is the only unquoted one in this file;
    # quote it ("0 0 1 * *") to match the other entries.
    analytics_devops_adoption_create_all_snapshots_worker:
      cron: 0 0 1 * *

    # Snapshot active users statistics
    historical_data_worker:
      cron: "0 12 * * *"

    # In addition to refreshing users when they log in,
    # periodically refresh LDAP users membership.
    # NOTE: This will only take effect if LDAP is enabled
    ldap_sync_worker:
      cron: "30 1 * * *"

    # Periodically refresh LDAP groups membership.
    # NOTE: This will only take effect if LDAP is enabled
    ldap_group_sync_worker:
      cron: "0 * * * *"

    # GitLab Geo metrics update worker
    # NOTE: This will only take effect if Geo is enabled
    geo_metrics_update_worker:
      cron: "*/1 * * * *"

    # GitLab Geo prune event log worker
    # NOTE: This will only take effect if Geo is enabled (primary node only)
    geo_prune_event_log_worker:
      cron: "*/5 * * * *"

    # GitLab Geo repository sync worker
    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
    geo_repository_sync_worker:
      cron: "*/1 * * * *"

    # GitLab Geo registry backfill worker
    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
    geo_secondary_registry_consistency_worker:
      cron: "* * * * *"

    # GitLab Geo file download dispatch worker
    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
    geo_file_download_dispatch_worker:
      cron: "*/1 * * * *"

    # GitLab Geo registry sync worker (for backfilling)
    # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
    geo_registry_sync_worker:
      cron: "*/1 * * * *"

    # Export pseudonymized data in CSV format for analysis
    pseudonymizer_worker:
      cron: "0 * * * *"

    # Elasticsearch bulk updater for incremental updates.
    # NOTE: This will only take effect if elasticsearch is enabled.
    elastic_index_bulk_cron_worker:
      cron: "*/1 * * * *"

    # Elasticsearch bulk updater for initial updates.
    # NOTE: This will only take effect if elasticsearch is enabled.
    elastic_index_initial_bulk_cron_worker:
      cron: "*/1 * * * *"

    # Elasticsearch reindexing worker
    # NOTE: This will only take effect if elasticsearch is enabled.
    # NOTE(review): the key below repeats `elastic_index_initial_bulk_cron_worker`
    # from the entry above. Most YAML parsers silently keep only the last value
    # for a duplicated key, so one of the two schedules is lost; confirm the
    # intended worker key for this entry.
    elastic_index_initial_bulk_cron_worker:
      cron: "*/10 * * * *"

  registry:
    # enabled: true
    # host: registry.example.com
    # port: 5005
    # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
    # key: config/registry.key
    # path: shared/registry
    # issuer: gitlab-issuer
    # notification_secret: '' # only set it when you use Geo replication feature without built-in Registry

    # Add notification settings if you plan to use Geo Replication for the registry
    # notifications:
    # - name: geo_event
    #   url: https://example.com/api/v4/container_registry_event/events
    #   timeout: 2s
    #   threshold: 5
    #   backoff: 1s
    #   headers:
    #     Authorization: secret_phrase

  ## Error Reporting and Logging with Sentry
  sentry:
    # enabled: false
    # dsn: https://<key>@sentry.io/<project>
    # clientside_dsn: https://<key>@sentry.io/<project>
    # environment: 'production' # e.g. development, staging, production

  ## Geo
  # NOTE: These settings will only take effect if Geo is enabled
  geo:
    # This is an optional identifier which Geo nodes can use to identify themselves.
    # For example, if external_url is the same for two secondaries, you must specify
    # a unique Geo node name for those secondaries.
    #
    # If it is blank, it defaults to external_url.
    node_name: ''

    registry_replication:
      # enabled: true
      # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API

  ## Feature Flag https://docs.gitlab.com/ee/operations/feature_flags.html
  feature_flags:
    unleash:
      # enabled: false
      # url: https://gitlab.com/api/v4/feature_flags/unleash/<project_id>
      # app_name: gitlab.com # Environment name of your GitLab instance
      # instance_id: INSTANCE_ID

  #
  # 2. GitLab CI settings
  # ==========================

  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    # all_broken_builds: true
    #
    # Add pusher to recipients list (default: false)
    # add_pusher: true

    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    # builds_path: builds/

  #
  # 3. Auth settings
  # ==========================

  ## LDAP settings
  # You can test connections and inspect a sample of the LDAP users with login
  # access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: false
    prevent_ldap_sign_in: false

    # File location to read encrypted secrets from
    # secret_file: /mnt/gitlab/ldap.yaml.enc # Default: shared/encrypted_settings/ldap.yaml.enc

    # This setting controls the number of seconds between LDAP permission checks
    # for each user. After this time has expired for a given user, their next
    # interaction with GitLab (a click in the web UI, a git pull, etc.) will be
    # slower because the LDAP permission check is being performed. How much
    # slower depends on your LDAP setup, but it is not uncommon for this check
    # to add seconds of waiting time. The default value is to have a "slow
    # click" once every 3600 seconds (i.e., once per hour).
    #
    # Warning: if you set this value too low, every click in GitLab will be a
    # "slow click" for all of your LDAP users.
    # sync_time: 3600

    servers:
      ##########################################################################
      #
      # Since GitLab 7.4, LDAP servers get IDs (below the ID is 'main'). GitLab
      # Enterprise Edition now supports connecting to multiple LDAP servers.
      #
      # If you are updating from the old (pre-7.4) syntax, you MUST give your
      # old server the ID 'main'.
      #
      ##########################################################################
      main: # 'main' is the GitLab 'provider ID' of this LDAP server
        ## label
        #
        # A human-friendly name for your LDAP server. It is OK to change the label later,
        # for instance if you find out it is too large to fit on the web page.
        #
        # Example: 'Paris' or 'Acme, Ltd.'
        label: 'LDAP'

        # Example: 'ldap.mydomain.com'
        host: '_your_ldap_server'
        # This port is an example; it is sometimes different, but it is always an integer, not a string
        port: 389 # usually 636 for SSL
        uid: 'sAMAccountName' # This should be the attribute, not the value that maps to uid.

        # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com'
        bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
        password: '_the_password_of_the_bind_user'

        # Encryption method. The "method" key is deprecated in favor of
        # "encryption".
        #
        #   Examples: "start_tls" or "simple_tls" or "plain"
        #
        #   Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
        #   replaced with "simple_tls".
        #
        #   Note: "plain" sends the bind password and all directory traffic
        #   unencrypted. Prefer "start_tls" or "simple_tls" and keep
        #   verify_certificates enabled so the server certificate is checked.
        #
        encryption: 'plain'

        # Enables SSL certificate verification if encryption method is
        # "start_tls" or "simple_tls". Defaults to true.
        verify_certificates: true

        # OpenSSL::SSL::SSLContext options.
        tls_options:
          # Specifies the path to a file containing a PEM-format CA certificate,
          # e.g. if you need to use an internal CA.
          #
          #   Example: '/etc/ca.pem'
          #
          ca_file: ''

          # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
          # is not appropriate.
          #
          #   Example: 'TLSv1_1'
          #
          ssl_version: ''

          # Specific SSL ciphers to use in communication with LDAP servers.
          #
          # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
          ciphers: ''

          # Client certificate
          #
          # Example:
          #   cert: |
          #     -----BEGIN CERTIFICATE-----
          #     MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
          #     bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
          #     CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4
          #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
          #     ...
          #     4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80
          #     Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==
          #     -----END CERTIFICATE-----
          cert: ''

          # Client private key
          #   key: |
          #     -----BEGIN PRIVATE KEY-----
          #     MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6
          #     bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN
          #     7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C
          #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
          #     ...
          #     +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9
          #     l6RG+a/mW+0rCWn8JAd464Ps9hE=
          #     -----END PRIVATE KEY-----
          key: ''

        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
        # a request if the LDAP server becomes unresponsive.
        # A value of 0 means there is no timeout.
        timeout: 10

        # Enable smartcard authentication against the LDAP server. Valid values
        # are "false", "optional", and "required".
        smartcard_auth: false

        # This setting specifies if LDAP server is Active Directory LDAP server.
        # For non AD servers it skips the AD specific queries.
        # If your LDAP server is not AD, set this to false.
        active_directory: true

        # If allow_username_or_email_login is enabled, GitLab will ignore everything
        # after the first '@' in the LDAP username submitted by the user on login.
        #
        # Example:
        # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
        # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
        #
        # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
        # disable this setting, because the userPrincipalName contains an '@'.
        allow_username_or_email_login: false

        # To maintain tight control over the number of active users on your GitLab installation,
        # enable this setting to keep new users blocked until they have been cleared by the admin
        # (default: false).
        block_auto_created_users: false

        # Base where we can search for users
        #
        #   Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com'
        #
        base: ''

        # Filter LDAP users
        #
        #   Format: RFC 4515 https://tools.ietf.org/search/rfc4515
        #   Ex. (employeeType=developer)
        #
        #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
        #
        #   Example for getting only specific users:
        #   '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'
        #
        user_filter: ''

        # Base where we can search for groups
        #
        #   Ex. ou=Groups,dc=gitlab,dc=example
        #
        group_base: ''

        # LDAP group of users who should be admins in GitLab
        #
        #   Ex. GLAdmins
        #
        admin_group: ''

        # LDAP group of users who should be marked as external users in GitLab
        #
        #   Ex. ['Contractors', 'Interns']
        #
        external_groups: []

        # Name of attribute which holds a ssh public key of the user object.
        # If false or nil, SSH key synchronisation will be disabled.
        #
        #   Ex. sshpublickey
        #
        sync_ssh_keys: false

        # Retry the LDAP search if it returned empty results with one of the specified response code(s)
        #
        #   Ex. [80]
        # retry_empty_result_with_codes: []

        # LDAP attributes that GitLab will use to create an account for the LDAP user.
        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
        attributes:
          # The username will be used in paths for the user's own projects
          # (like `gitlab.example.com/username/project`) and when mentioning
          # them in issues, merge request and comments (like `@username`).
          # If the attribute specified for `username` contains an email address,
          # the GitLab username will be the part of the email address before the '@'.
          username: ['uid', 'userid', 'sAMAccountName']
          email:    ['mail', 'email', 'userPrincipalName']

          # If no full name could be found at the attribute specified for `name`,
          # the full name is determined using the attributes specified for
          # `first_name` and `last_name`.
          name:       'cn'
          first_name: 'givenName'
          last_name:  'sn'

        # If lowercase_usernames is enabled, GitLab will lower case the username.
        lowercase_usernames: false

      # GitLab EE only: add more LDAP servers
      # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
      # so that GitLab can remember which LDAP server a user belongs to.
      # uswest2:
      #   label:
      #   host:
      #   ....

  ## Smartcard authentication settings
  smartcard:
    # Allow smartcard authentication
    enabled: false

    # Path to a file containing a CA certificate bundle
    ca_file: '/etc/ssl/certs/CA.pem'

    # Host and port where the client side certificate is requested by the
    # webserver (NGINX/Apache)
    # client_certificate_required_host: smartcard.gitlab.example.com
    # client_certificate_required_port: 3444

    # Browser session with smartcard sign-in is required for Git access
    # required_for_git_access: false

    # Use X.509 SAN extensions certificates to identify GitLab users
    # Add a subjectAltName to your certificates like: email:user
    # san_extensions: true

  ## Kerberos settings
  kerberos:
    # Allow the HTTP Negotiate authentication method for Git clients
    enabled: false

    # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
    # and should be different from other keytabs in the system.
    # (default: use default keytab from Krb5 config)
    # keytab: /etc/http.keytab

    # The Kerberos service name to be used by GitLab.
    # (default: accept any service name in keytab file)
    # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM

    # Kerberos realms/domains that are allowed to automatically link LDAP identities.
    # By default, GitLab accepts a realm that matches the domain derived from the
    # LDAP `base` DN. For example, `ou=users,dc=example,dc=com` would allow users
    # with a realm matching `example.com`.
    # simple_ldap_linking_allowed_realms: ['example.com','kerberos.example.com']

    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
    # To support both Basic and Negotiate methods with older versions of Git, configure
    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
    # to dedicate this port to Kerberos authentication. (default: false)
    # use_dedicated_port: true
    # port: 8443
    # https: true

  ## OmniAuth settings
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    # enabled: true

    # Uncomment this to automatically sign in with a specific OmniAuth provider without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    # auto_sign_in_with_provider: saml

    # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).
    # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"],
    # or as true/false to allow all providers or none.
    # When authenticating using LDAP, the user's email is always synced.
    # sync_profile_from_provider: []

    # Select which info to sync from the providers above. (default: email).
    # Define the synced profile info using an array. Available options are "name", "email" and "location"
    # e.g. ["name", "email", "location"] or as true to sync all available.
    # This consequently will make the selected attributes read-only.
    # sync_profile_attributes: true

    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed providers
    # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: ["saml"]

    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: true
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: false

    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: false

    # CAUTION!
    # Allows larger SAML messages to be received. Numeric value in bytes (default: 250000)
    # Setting this limit too high exposes the instance to decompression-based denial-of-service attacks.
    saml_message_max_byte_size: 250000

    # Allow users with existing accounts to sign in and auto link their account via OmniAuth
    # login, without having to do a manual login first and manually add OmniAuth. Links on email.
    # Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to
    # allow all providers or none.
    # (default: false)
    auto_link_user: ["saml", "twitter"]

    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: []

    # CAUTION!
    # This allows users to login with the specified providers without two factor. Define the allowed providers
    # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none.
    # This option should only be configured for providers which already have two factor.
    # This configuration does not apply to SAML.
    # (default: false)
    allow_bypass_two_factor: ["twitter", 'google_oauth2']

    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    providers:
      # See omniauth-cas3 for more configuration details
      # - { name: 'cas3',
      #     label: 'cas3',
      #     args: {
      #             url: 'https://sso.example.com',
      #             disable_ssl_verification: false,
      #             login_url: '/cas/login',
      #             service_validate_url: '/cas/p3/serviceValidate',
      #             logout_url: '/cas/logout'} }
      # - { name: 'authentiq',
      #     # for client credentials (client ID and secret), go to https://www.authentiq.com/developers
      #     app_id: 'YOUR_CLIENT_ID',
      #     app_secret: 'YOUR_CLIENT_SECRET',
      #     args: {
      #             scope: 'aq:name email~rs address aq:push'
      #             # callback_url parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
      #             # callback_url: 'YOUR_CALLBACK_URL'
      #           }
      #   }
      # - { name: 'github',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     url: "https://github.com/",
      #     verify_ssl: true,
      #     args: { scope: 'user:email' } }
      # - { name: 'bitbucket',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'dingtalk',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'gitlab',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { scope: 'api' } }
      # - { name: 'google_oauth2',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'facebook',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'twitter',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'jwt',
      #     args: {
      #       secret: 'YOUR_APP_SECRET',
      #       algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512'
      #       uid_claim: 'email',
      #       required_claims: ['name', 'email'],
      #       info_map: { name: 'name', email: 'email' },
      #       auth_url: 'https://example.com/',
      #       valid_within: 3600 # 1 hour
      #     }
      #   }
      # - { name: 'saml',
      #     label: 'Our SAML Provider',
      #     groups_attribute: 'Groups',
      #     external_groups: ['Contractors', 'Freelancers'],
      #     args: {
      #             assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      #             idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
      #             idp_sso_target_url: 'https://login.example.com/idp',
      #             issuer: 'https://gitlab.example.com',
      #             name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
      #           } }
      #
      # - { name: 'group_saml' }
      #
      # - { name: 'crowd',
      #     args: {
      #       crowd_server_url: 'CROWD SERVER URL',
      #       application_name: 'YOUR_APP_NAME',
      #       application_password: 'YOUR_APP_PASSWORD' } }
      #
      # - { name: 'auth0',
      #     args: {
      #       client_id: 'YOUR_AUTH0_CLIENT_ID',
      #       client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
      #       namespace: 'YOUR_AUTH0_DOMAIN' } }

    # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
    # cas3:
    #   session_duration: 28800

  # FortiAuthenticator settings
  forti_authenticator:
    # Allow using FortiAuthenticator as OTP provider
    enabled: false

    # Host and port of FortiAuthenticator instance
    # host: forti_authenticator.example.com
    # port: 443

    # Username for accessing FortiAuthenticator API
    # username: john

    # Access token for FortiAuthenticator API
    # access_token: 123s3cr3t456

  # FortiToken Cloud settings
  forti_token_cloud:
    # Allow using FortiToken Cloud as OTP provider
    enabled: false

    # Client ID and Secret to access FortiToken Cloud API
    # client_id: 'YOUR_FORTI_TOKEN_CLOUD_CLIENT_ID'
    # client_secret: 'YOUR_FORTI_TOKEN_CLOUD_CLIENT_SECRET'

  # Shared file storage settings
  shared:
    # path: /mnt/gitlab # Default: shared

  # Encrypted Settings configuration
  encrypted_settings:
    # path: /mnt/gitlab/encrypted_settings  # Default: shared/encrypted_settings

  # Gitaly settings
  gitaly:
    # Default Gitaly authentication token. Can be overridden per storage. Can
    # be left blank when Gitaly is running locally on a Unix socket, which
    # is the normal way to deploy Gitaly.
    token:

  #
  # 4. Advanced settings
  # ==========================

  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # IMPORTANT: None of the path components may be a symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path, which returns
    # the real path rather than the symlink.
    storages: # You must have at least a `default` storage path.
      default:
        path: /home/git/repositories/
        gitaly_address: unix:/home/git/gitlab/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).
        # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.

  ## Backup settings
  backup:
    path: "tmp/backups"   # Relative paths are relative to Rails.root (default: tmp/backups/)
    # gitaly_backup_path: # Path of the gitaly-backup binary (default: searches $PATH)
    # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
    # keep_time: 604800   # default: 0 (forever) (in seconds)
    # pg_schema: public     # default: nil, it means that all schemas will be backed up
    # upload:
    #   # Fog storage connection settings, see http://fog.io/storage/ .
    #   connection:
    #     provider: AWS
    #     region: eu-west-1
    #     aws_access_key_id: AKIAKIAKI
    #     aws_secret_access_key: 'secret123'
    #   # The remote 'directory' to store your backups. For S3, this would be the bucket name.
    #   remote_directory: 'my.s3.bucket'
    #   # Use multipart uploads when file size reaches 100MB, see
    #   #  http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
    #   multipart_chunk_size: 104857600
    #   # Specifies Amazon S3 storage class to use for backups (optional)
    #   # storage_class: 'STANDARD'
    #   # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
    #   #   'encryption' must be set in order for this to have any effect.
    #   #   'encryption_key' should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data.
    #   # encryption: 'AES256'
    #   # encryption_key: '<key>'
    #   #
    #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed keys (optional)
    #   # https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
    #   # For SSE-S3, set 'server_side_encryption' to 'AES256'.
    #   # For SSE-KMS, set 'server_side_encryption' to 'aws:kms'. Set
    #   # 'server_side_encryption_kms_key_id' to the ARN of customer master key.
    #   # storage_options:
    #   #   server_side_encryption: 'aws:kms'
    #   #   server_side_encryption_kms_key_id: 'arn:aws:kms:YOUR-KEY-ID-HERE'

  ## Pseudonymizer exporter
  pseudonymizer:
    # Tables manifest that specifies the fields to extract and pseudonymize.
    manifest: config/pseudonymizer.yml
    upload:
      remote_directory: 'gitlab-elt'
      # Fog storage connection settings, see http://fog.io/storage/ .
      connection:
      #   provider: AWS
      #   region: eu-west-1
      #   aws_access_key_id: AKIAKIAKI
      #   aws_secret_access_key: 'secret123'
      #   # The remote 'directory' to store the CSV files. For S3, this would be the bucket name.

  ## GitLab Shell settings
  gitlab_shell:
    path: /home/git/gitlab-shell/
    authorized_keys_file: /home/git/.ssh/authorized_keys

    # File that contains the secret key for verifying access for gitlab-shell.
    # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_shell_secret

    # Git over HTTP
    upload_pack: true
    receive_pack: true

    # Git import/fetch timeout, in seconds. Defaults to 3 hours.
    # git_timeout: 10800

    # If you use non-standard ssh port you need to specify it
    # ssh_port: 22

  workhorse:
    # File that contains the secret key for verifying access for gitlab-workhorse.
    # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_workhorse_secret

  gitlab_kas:
    # enabled: true
    # File that contains the secret key for verifying access for gitlab-kas.
    # Default is '.gitlab_kas_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_kas_secret

    # The URL to the external KAS API (used by the Kubernetes agents)
    # external_url: wss://kas.example.com

    # The URL to the internal KAS API (used by the GitLab backend)
    # internal_url: grpc://localhost:8153

    # The URL to the Kubernetes API proxy (used by GitLab users)
    # external_k8s_proxy_url: https://localhost:8154 # default: nil

  ## GitLab Elasticsearch settings
  elasticsearch:
    indexer_path: /home/git/gitlab-elasticsearch-indexer/

  ## Git settings
  # CAUTION!
  # Use the default values unless you really know what you are doing
  git:
    bin_path: /usr/bin/git

  ## Webpack settings
  # If enabled, this will tell Rails to serve frontend assets from the webpack-dev-server running
  # on a given port instead of serving directly from /assets/webpack. This is only intended for use
  # in development.
  webpack:
    # dev_server:
    #   enabled: true
    #   host: localhost
    #   port: 3808

  ## Monitoring
  # Built in monitoring settings
  monitoring:
    # IP whitelist to access monitoring endpoints
    ip_whitelist:
      - 127.0.0.0/8

    # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics
    sidekiq_exporter:
    #  enabled: true
    #  log_enabled: false
    #  address: localhost
    #  port: 8082

    sidekiq_health_checks:
    #  enabled: true
    #  log_enabled: false
    #  address: localhost
    #  port: 8082

    # Web exporter is a dedicated Rack server running alongside Puma to expose Prometheus metrics
    # It runs alongside the `/metrics` endpoints to make publishing metrics easier
    web_exporter:
    #  enabled: true
    #  address: localhost
    #  port: 8083

  ## Prometheus settings
  # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb
  # if you installed GitLab via Omnibus.
  # If you installed from source, you need to install and configure Prometheus
  # yourself, and then update the values here.
  # https://docs.gitlab.com/ee/administration/monitoring/prometheus/
  prometheus:
    # enabled: true
    # server_address: 'localhost:9090'

  ## Consul settings
  consul:
    # api_url: 'http://localhost:8500'