# # # # # # # # # # # # # # # # # #
# GitLab application config file  #
# # # # # # # # # # # # # # # # # #
#
###########################  NOTE  #####################################
# This file should not receive new settings. All configuration options #
# are being moved to the ApplicationSetting model!                     #
# If a setting requires an application restart say so in that screen.  #
# If you change this file in a Merge Request, please also create       #
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests  #
########################################################################
#
#
# How to use:
# 1. Copy file as gitlab.yml
# 2. Update gitlab -> host with your fully qualified domain name
# 3. Update gitlab -> email_from
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
#    IMPORTANT: If Git was installed in a different location use that instead.
#    You can check with `which git`. If a wrong path of Git is specified, it will
#    result in various issues such as failures of GitLab CI builds.
# 5. Review this configuration file for other settings you may want to adjust

production: &base
  #
  # 1. GitLab app settings
  # ==========================

  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: localhost
    port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details

    # Uncomment this line below if your ssh host is different from HTTP/HTTPS one
    # (you'd obviously need to replace ssh.host_example.com with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    # ssh_host: ssh.host_example.com

    # Relative URL support
    # WARNING: We recommend using an FQDN to host GitLab in a root path instead
    # of using a relative URL.
    # Documentation: http://doc.gitlab.com/ce/install/relative_url.html
    # Uncomment and customize the following line to run in a non-root path
    #
    # relative_url_root: /gitlab

    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    # Only list proxies you control: addresses in this list are trusted to supply the real client IP.
    trusted_proxies:
      # Examples:
      #- 192.168.1.0/24
      #- 192.168.2.1
      #- 2001:0db8::/32

    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    # user: git

    ## Date & Time settings
    # Uncomment and customize if you want to change the default time zone of GitLab application.
    # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
    # time_zone: 'UTC'

    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    # email_enabled: true
    # Email address used in the "From" field in mails sent by GitLab
    email_from: example@example.com
    email_display_name: GitLab
    email_reply_to: noreply@example.com
    email_subject_suffix: ''

    # Email server smtp settings are in config/initializers/smtp_settings.rb.sample

    # default_can_create_group: false  # default: true
    # username_changing_enabled: false # default: true - User can change her username/namespace
    ## Default theme ID
    ##   1 - Indigo
    ##   2 - Dark
    ##   3 - Light
    ##   4 - Blue
    ##   5 - Green
    ##   6 - Light Indigo
    ##   7 - Light Blue
    ##   8 - Light Green
    ##   9 - Red
    ##   10 - Light Red
    # default_theme: 1 # default: 1

    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified, the default issue_closing_pattern shown below is used.
    # Tip: you can test your closing pattern at http://rubular.com.
    # issue_closing_pattern: '\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'

    ## Default project features settings
    default_projects_features:
      issues: true
      merge_requests: true
      wiki: true
      snippets: true
      builds: true
      container_registry: true

    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    # webhook_timeout: 10

    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
    # repository_downloads_path: shared/cache/archive/

    ## Impersonation settings
    impersonation_enabled: true

  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  incoming_email:
    enabled: false

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    address: "gitlab-incoming+%{key}@gmail.com"

    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: "gitlab-incoming@gmail.com"
    # Email account password (the value below is a placeholder; keep the real secret out of version control)
    password: "[REDACTED]"

    # IMAP server host
    host: "imap.gmail.com"
    # IMAP server port
    port: 993
    # Whether the IMAP server uses SSL
    ssl: true
    # Whether the IMAP server uses StartTLS
    start_tls: false

    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: "inbox"
    # The IDLE command timeout.
    idle_timeout: 60

  ## Build Artifacts
  artifacts:
    enabled: true
    # The location where build artifacts are stored (default: shared/artifacts).
    # path: shared/artifacts
    # object_store:
    #   enabled: false
    #   remote_directory: artifacts # The bucket name
    #   background_upload: false # Temporary option to limit automatic upload (Default: true)
    #   proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
    #   connection:
    #     provider: AWS # Only AWS supported at the moment
    #     aws_access_key_id: AWS_ACCESS_KEY_ID
    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
    #     region: us-east-1
    #     aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
    #     endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces

  ## Merge request external diff storage
  external_diffs:
    # If disabled (the default), the diffs are in-database. Otherwise, they can
    # be stored on disk, or in object storage
    enabled: false
    # The location where external diffs are stored (default: shared/lfs-external-diffs).
    # storage_path: shared/external-diffs
    # object_store:
    #   enabled: false
    #   remote_directory: external-diffs
    #   background_upload: false
    #   proxy_download: false
    #   connection:
    #     provider: AWS
    #     aws_access_key_id: AWS_ACCESS_KEY_ID
    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
    #     region: us-east-1

  ## Git LFS
  lfs:
    enabled: true
    # The location where LFS objects are stored (default: shared/lfs-objects).
    # storage_path: shared/lfs-objects
    object_store:
      enabled: false
      remote_directory: lfs-objects # Bucket name
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
        # Use the following options to configure an AWS compatible host
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## Uploads (attachments, avatars, etc...)
  uploads:
    # The location where upload objects are stored (default: public/).
    # storage_path: public/
    # base_dir: uploads/-/system
    object_store:
      enabled: false
      remote_directory: uploads # Bucket name
      # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
      # background_upload: false # Temporary option to limit automatic upload (Default: true)
      # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
      connection:
        provider: AWS
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
        region: us-east-1
        # host: 'localhost' # default: s3.amazonaws.com
        # endpoint: 'http://127.0.0.1:9000' # default: nil
        # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'

  ## Packages (maven repository so far)
  packages:
    enabled: false

  ## GitLab Pages
  pages:
    enabled: false
    access_control: false
    # The location where pages are stored (default: shared/pages).
    # path: shared/pages

    # The domain under which the pages are served, e.g.
    # http://group.example.com/project
    # or, for a group page, group.example.com
    host: example.com
    port: 80 # Set to 443 if you serve the pages with HTTPS
    https: false # Set to true if you serve the pages with HTTPS
    artifacts_server: true
    # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
    # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
    admin:
      address: unix:/home/git/gitlab/tmp/sockets/private/pages-admin.socket # TCP connections are supported too (e.g. tcp://host:port)

  ## Mattermost
  ## For enabling Add to Mattermost button
  mattermost:
    enabled: false
    host: 'https://mattermost.example.com'

  ## Gravatar
  ## If using gravatar.com, there's nothing to change here. For Libravatar
  ## you'll need to provide the custom URLs. For more information,
  ## see: https://docs.gitlab.com/ee/customization/libravatar.html
  gravatar:
    # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username}
    # plain_url: "http://..."     # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    # ssl_url:   "https://..."    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon

  ## Sidekiq
  sidekiq:
    log_format: default # (json is also supported)

  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
    # Flag stuck CI jobs as failed
    stuck_ci_jobs_worker:
      cron: "0 * * * *"
    # Execute scheduled triggers
    pipeline_schedule_worker:
      cron: "19 * * * *"
    # Remove expired build artifacts
    expire_build_artifacts_worker:
      cron: "50 * * * *"
    # Periodically run 'git fsck' on all repositories. If started more than
    # once per hour you will have concurrent 'git fsck' jobs.
    repository_check_worker:
      cron: "20 * * * *"
    # Archive live traces which have not been archived yet
    ci_archive_traces_cron_worker:
      cron: "17 * * * *"
    # Send admin emails once a week
    admin_email_worker:
      cron: "0 0 * * 0"

    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron: "0 * * * *"

    # Verify custom GitLab Pages domains
    pages_domain_verification_cron_worker:
      cron: "*/15 * * * *"

  registry:
    # enabled: true
    # host: registry.example.com
    # port: 5005
    # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
    # key: config/registry.key
    # path: shared/registry
    # issuer: gitlab-issuer

  #
  # 2. GitLab CI settings
  # ==========================

  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    # all_broken_builds: true
    #
    # Add pusher to recipients list (default: false)
    # add_pusher: true

    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    # builds_path: builds/

  #
  # 3. Auth settings
  # ==========================

  ## LDAP settings
  # You can test connections and inspect a sample of the LDAP users with login
  # access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: false
    servers:
      ##########################################################################
      #
      # Since GitLab 7.4, LDAP servers get IDs (below the ID is 'main'). GitLab
      # Enterprise Edition now supports connecting to multiple LDAP servers.
      #
      # If you are updating from the old (pre-7.4) syntax, you MUST give your
      # old server the ID 'main'.
      #
      ##########################################################################
      main: # 'main' is the GitLab 'provider ID' of this LDAP server
        ## label
        #
        # A human-friendly name for your LDAP server. It is OK to change the label later,
        # for instance if you find out it is too large to fit on the web page.
        #
        # Example: 'Paris' or 'Acme, Ltd.'
        label: 'LDAP'

        # Example: 'ldap.mydomain.com'
        host: '_your_ldap_server'
        # This port is only an example; yours may differ, but it is always an integer, never a string
        port: 389 # usually 636 for SSL
        uid: 'sAMAccountName' # This should be the attribute, not the value that maps to uid.

        # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com'
        bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
        password: '_the_password_of_the_bind_user'

        # Encryption method. The "method" key is deprecated in favor of
        # "encryption".
        #
        #   Examples: "start_tls" or "simple_tls" or "plain"
        #
        #   Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
        #   replaced with "simple_tls".
        #
        #   Note: "plain" sends the bind credentials and query traffic unencrypted;
        #   prefer "start_tls" or "simple_tls" unless the LDAP link is otherwise protected.
        #
        encryption: 'plain'

        # Enables SSL certificate verification if encryption method is
        # "start_tls" or "simple_tls". Defaults to true.
        verify_certificates: true

        # OpenSSL::SSL::SSLContext options.
        tls_options:
          # Specifies the path to a file containing a PEM-format CA certificate,
          # e.g. if you need to use an internal CA.
          #
          #   Example: '/etc/ca.pem'
          #
          ca_file: ''

          # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
          # is not appropriate.
          #
          #   Example: 'TLSv1_1'
          #
          ssl_version: ''

          # Specific SSL ciphers to use in communication with LDAP servers.
          #
          # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
          ciphers: ''

          # Client certificate
          #
          # Example:
          #   cert: |
          #     -----BEGIN CERTIFICATE-----
          #     MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
          #     bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
          #     CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4
          #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
          #     ...
          #     4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80
          #     Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==
          #     -----END CERTIFICATE-----
          cert: ''

          # Client private key
          #   key: |
          #     -----BEGIN PRIVATE KEY-----
          #     MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6
          #     bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN
          #     7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C
          #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
          #     ...
          #     +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9
          #     l6RG+a/mW+0rCWn8JAd464Ps9hE=
          #     -----END PRIVATE KEY-----
          key: ''

        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
        # a request if the LDAP server becomes unresponsive.
        # A value of 0 means there is no timeout.
        timeout: 10

        # This setting specifies if LDAP server is Active Directory LDAP server.
        # For non AD servers it skips the AD specific queries.
        # If your LDAP server is not AD, set this to false.
        active_directory: true

        # If allow_username_or_email_login is enabled, GitLab will ignore everything
        # after the first '@' in the LDAP username submitted by the user on login.
        #
        # Example:
        # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
        # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
        #
        # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
        # disable this setting, because the userPrincipalName contains an '@'.
        allow_username_or_email_login: false

        # To maintain tight control over the number of active users on your GitLab installation,
        # enable this setting to keep new users blocked until they have been cleared by the admin
        # (default: false).
        block_auto_created_users: false

        # Base where we can search for users
        #
        #   Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com'
        #
        base: ''

        # Filter LDAP users
        #
        #   Format: RFC 4515 https://tools.ietf.org/search/rfc4515
        #   Ex. (employeeType=developer)
        #
        #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
        #
        #   Example for getting only specific users:
        #   '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'
        #
        user_filter: ''

        # LDAP attributes that GitLab will use to create an account for the LDAP user.
        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
        attributes:
          # The username will be used in paths for the user's own projects
          # (like `gitlab.example.com/username/project`) and when mentioning
          # them in issues, merge request and comments (like `@username`).
          # If the attribute specified for `username` contains an email address,
          # the GitLab username will be the part of the email address before the '@'.
          username: ['uid', 'userid', 'sAMAccountName']
          email:    ['mail', 'email', 'userPrincipalName']

          # If no full name could be found at the attribute specified for `name`,
          # the full name is determined using the attributes specified for
          # `first_name` and `last_name`.
          name:       'cn'
          first_name: 'givenName'
          last_name:  'sn'

        # If lowercase_usernames is enabled, GitLab will lower case the username.
        lowercase_usernames: false

      # GitLab EE only: add more LDAP servers
      # Choose an ID made of a-z and 0-9. This ID will be stored in the database
      # so that GitLab can remember which LDAP server a user belongs to.
      # uswest2:
      #   label:
      #   host:
      #   ....


  ## OmniAuth settings
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    # enabled: true

    # Uncomment this to automatically sign in with a specific omniauth provider without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    # auto_sign_in_with_provider: saml

    # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty).
    # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"],
    # or as true/false to allow all providers or none.
    # When authenticating using LDAP, the user's email is always synced.
    # sync_profile_from_provider: []

    # Select which info to sync from the providers above. (default: email).
    # Define the synced profile info using an array. Available options are "name", "email" and "location"
    # e.g. ["name", "email", "location"] or as true to sync all available.
    # This consequently will make the selected attributes read-only.
    # sync_profile_attributes: true

    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed providers
    # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: ["saml"]

    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: true
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: false

    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: false

    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: []

    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    providers:
      # See omniauth-cas3 for more configuration details
      # - { name: 'cas3',
      #     label: 'cas3',
      #     args: {
      #             url: 'https://sso.example.com',
      #             disable_ssl_verification: false,
      #             login_url: '/cas/login',
      #             service_validate_url: '/cas/p3/serviceValidate',
      #             logout_url: '/cas/logout'} }
      # - { name: 'authentiq',
      #     # for client credentials (client ID and secret), go to https://www.authentiq.com/developers
      #     app_id: 'YOUR_CLIENT_ID',
      #     app_secret: 'YOUR_CLIENT_SECRET',
      #     args: {
      #             scope: 'aq:name email~rs address aq:push'
      #             # callback_url parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
      #             # callback_url: 'YOUR_CALLBACK_URL'
      #           }
      #   }
      # - { name: 'github',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     url: "https://github.com/",
      #     verify_ssl: true,
      #     args: { scope: 'user:email' } }
      # - { name: 'bitbucket',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'gitlab',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { scope: 'api' } }
      # - { name: 'google_oauth2',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'facebook',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'twitter',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'jwt',
      #     args: {
      #       secret: 'YOUR_APP_SECRET',
      #       algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512'
      #       uid_claim: 'email',
      #       required_claims: ['name', 'email'],
      #       info_map: { name: 'name', email: 'email' },
      #       auth_url: 'https://example.com/',
      #       valid_within: 3600 # 1 hour
      #     }
      #   }
      # - { name: 'saml',
      #     label: 'Our SAML Provider',
      #     groups_attribute: 'Groups',
      #     external_groups: ['Contractors', 'Freelancers'],
      #     args: {
      #             assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      #             idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
      #             idp_sso_target_url: 'https://login.example.com/idp',
      #             issuer: 'https://gitlab.example.com',
      #             name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
      #           } }
      #
      # - { name: 'crowd',
      #     args: {
      #       crowd_server_url: 'CROWD SERVER URL',
      #       application_name: 'YOUR_APP_NAME',
      #       application_password: 'YOUR_APP_PASSWORD' } }
      #
      # - { name: 'auth0',
      #     args: {
      #       client_id: 'YOUR_AUTH0_CLIENT_ID',
      #       client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
      #       namespace: 'YOUR_AUTH0_DOMAIN' } }

    # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
    # cas3:
    #   session_duration: 28800

  # Shared file storage settings
  shared:
    # path: /mnt/gitlab # Default: shared

  # Gitaly settings
  gitaly:
    # Path to the directory containing Gitaly client executables.
    client_path: /home/git/gitaly/bin
    # Default Gitaly authentication token. Can be overridden per storage. Can
    # be left blank when Gitaly is running locally on a Unix socket, which
    # is the normal way to deploy Gitaly.
    token:
653 654

  #
  # 4. Advanced settings
  # ==========================

  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # IMPORTANT: None of the path components may be a symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path and that results
    # in the real path, not the symlink.
    storages: # You must have at least a `default` storage path.
      default:
        path: /home/git/repositories/
        # NOTE(review): a plain tcp:// address carries no transport encryption;
        # when Gitaly runs on another host prefer tls://, and set gitaly.token
        # (or the per-storage gitaly_token below) for any non-socket address.
        gitaly_address: unix:/home/git/gitlab/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).
        # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.

  ## Backup settings
  backup:
    path: "tmp/backups"   # Relative paths are relative to Rails.root (default: tmp/backups/)
    # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
    # NOTE(review): relaxing the default 0600 to 0640 grants group read on the
    # backup archive; only widen it when that group is trusted with the backup.
    # keep_time: 604800   # default: 0 (forever) (in seconds)
    # pg_schema: public     # default: nil, it means that all schemas will be backed up
    # upload:
    #   # Fog storage connection settings, see http://fog.io/storage/ .
    #   connection:
    #     provider: AWS
    #     region: eu-west-1
    #   # NOTE(review): the two values below are long-lived static credentials
    #   # kept in a config file on disk. Keep this file readable only by the
    #   # account that runs GitLab and scope the key to the backup bucket.
    #   # (Placeholder values shown; replace them, never commit real ones.)
    #     aws_access_key_id: AKIAKIAKI
    #     aws_secret_access_key: 'secret123'
    #   # The remote 'directory' to store your backups. For S3, this would be the bucket name.
    #   remote_directory: 'my.s3.bucket'
    #   # Use multipart uploads when file size reaches 100MB, see
    #   #  http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
    #   multipart_chunk_size: 104857600
    #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
    #   # encryption: 'AES256'
    #   # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
    #   #   This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
    #   #   'encryption' must also be set in order for this to have any effect.
    #   # encryption_key: '<base64 key>'
    #   # Specifies Amazon S3 storage class to use for backups, this is optional
    #   # storage_class: 'STANDARD'

  ## GitLab Shell settings
  gitlab_shell:
    path: /home/git/gitlab-shell/

    # File that contains the secret key for verifying access for gitlab-shell.
    # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
    # NOTE(review): this is a shared secret; keep the file readable only by the
    # account that runs GitLab and out of version control.
    # secret_file: /home/git/gitlab/.gitlab_shell_secret

    # Git over HTTP
    # (standard Git service names: upload_pack serves fetch/clone, receive_pack
    # accepts pushes; set either to false to disable that direction over HTTP)
    upload_pack: true
    receive_pack: true

    # Git import/fetch timeout, in seconds. Defaults to 3 hours.
    # git_timeout: 10800

    # If you use non-standard ssh port you need to specify it
    # ssh_port: 22

  workhorse:
    # File that contains the secret key for verifying access for gitlab-workhorse.
    # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
    # NOTE(review): shared secret — restrict read access to the account that
    # runs GitLab and keep the file out of version control.
    # secret_file: /home/git/gitlab/.gitlab_workhorse_secret

  ## Git settings
  # CAUTION!
  # Use the default values unless you really know what you are doing
  git:
    # Absolute path to the Git executable the application invokes.
    bin_path: /usr/bin/git

  ## Webpack settings
  # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
  # on a given port instead of serving directly from /assets/webpack. This is only intended for use
  # in development.
  # NOTE(review): leave `dev_server` commented out (disabled) outside development
  # so assets are served from /assets/webpack rather than a dev server.
  webpack:
    # dev_server:
    #   enabled: true
    #   host: localhost
    #   port: 3808

  ## Monitoring
  # Built in monitoring settings
  monitoring:
    # Time between sampling of unicorn socket metrics, in seconds
    # unicorn_sampler_interval: 10
    # IP whitelist to access monitoring endpoints
    # NOTE(review): the default only admits loopback; any range added here can
    # reach the monitoring endpoints, so limit it to the hosts that scrape them.
    ip_whitelist:
      - 127.0.0.0/8

    # Sidekiq exporter is a web server built in to Sidekiq to expose Prometheus metrics
    # NOTE(review): with every child commented out, `sidekiq_exporter:` parses
    # as null (the application's own defaults apply — confirm). When enabling
    # it, keep `address` on localhost unless the port is meant to be reachable
    # from other hosts.
    sidekiq_exporter:
    #  enabled: true
    #  address: localhost
    #  port: 3807

  #
  # 5. Extra customization
  # ==========================

  # Optional third-party analytics integrations; all stay disabled until the
  # corresponding keys are uncommented and filled in.
  extra:
    ## Google analytics. Uncomment if you want it
    # google_analytics_id: '_your_tracking_id'

    ## Piwik analytics.
    # piwik_url: '_your_piwik_url'
    # piwik_site_id: '_your_piwik_site_id'

  # Rack Attack throttling/banning of Git-over-HTTP authentication attempts.
  # Every key below is commented out, so `git_basic_auth:` parses as null and
  # the application's own defaults apply (confirm before relying on them).
  rack_attack:
    git_basic_auth:
      # Rack Attack IP banning enabled
      # enabled: true
      #
      # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
      # NOTE(review): whitelisted addresses are exempt from banning. If a reverse
      # proxy does not pass the real client address through, every client
      # presumably shares its exemption — fix the proxy's forwarded headers
      # rather than widening this list.
      # ip_whitelist: ["127.0.0.1"]
      #
      # Limit the number of Git HTTP authentication attempts per IP
      # maxretry: 10
      #
      # Reset the auth attempt counter per IP after 60 seconds
      # findtime: 60
      #
      # Ban an IP for one hour (3600s) after too many auth attempts
      # bantime: 3600

# Development inherits every setting from the mapping anchored as `base`
# via the YAML merge key (`<<`). The merge is shallow: a top-level key given
# here would replace the merged-in mapping of the same name wholesale.
development:
  <<: *base

# Test environment: starts from the `base` mapping and overrides selected
# top-level keys. The `<<` merge is shallow, so each mapping listed here
# (e.g. `gitlab:`, `gitaly:`, `backup:`) replaces the base mapping of the same
# name entirely rather than patching individual keys inside it.
# NOTE(review): the fixed secrets, disabled TLS verification and plaintext LDAP
# below are test fixtures against local or placeholder endpoints; none of them
# belongs in a deployed environment's config.
test:
  <<: *base
  gravatar:
    enabled: true
  external_diffs:
    enabled: false
    # The location where external diffs are stored (default: shared/external-diffs).
    # storage_path: shared/external-diffs
    object_store:
      enabled: false
      remote_directory: external-diffs # The bucket name
      connection:
        provider: AWS # Only AWS supported at the moment
        # Placeholder credential names; the object store is disabled above.
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
  lfs:
    enabled: false
    # The location where LFS objects are stored (default: shared/lfs-objects).
    # storage_path: shared/lfs-objects
    object_store:
      enabled: false
      remote_directory: lfs-objects # The bucket name
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
  artifacts:
    path: tmp/tests/artifacts
    enabled: true
    # The location where build artifacts are stored (default: shared/artifacts).
    # path: shared/artifacts
    object_store:
      enabled: false
      remote_directory: artifacts # The bucket name
      background_upload: false
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
  uploads:
    storage_path: tmp/tests/public
    object_store:
      enabled: false
      connection:
        provider: AWS # Only AWS supported at the moment
        aws_access_key_id: AWS_ACCESS_KEY_ID
        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
  # Shallow merge: this mapping carries only host and port for the test env.
  gitlab:
    host: localhost
    port: 80

    # When you run tests we clone and set up gitlab-shell
    # In order to set it up correctly you need to specify
    # your system username you use to run GitLab
    # user: YOUR_USERNAME
  pages:
    path: tmp/tests/pages
  repositories:
    storages:
      default:
        path: tmp/tests/repositories/
        gitaly_address: unix:tmp/tests/gitaly/gitaly.socket

  gitaly:
    client_path: tmp/tests/gitaly
    # Fixed test-only token paired with the local socket above; never reuse it.
    token: secret
  backup:
    path: tmp/tests/backups
  gitlab_shell:
    path: tmp/tests/gitlab-shell/
  issues_tracker:
    redmine:
      title: "Redmine"
      project_url: "http://redmine/projects/:issues_tracker_id"
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
    jira:
      title: "JIRA"
      url: https://sample_company.atlassian.net
      project_key: PROJECT

  omniauth:
    # enabled: true
    allow_single_sign_on: true
    external_providers: []

    # Provider fixtures. All app_id/app_secret values are placeholders.
    providers:
      # disable_ssl_verification stays false here, so the CAS fixture still
      # validates the (example) server certificate.
      - { name: 'cas3',
          label: 'cas3',
          args: { url: 'https://sso.example.com',
                  disable_ssl_verification: false,
                  login_url: '/cas/login',
                  service_validate_url: '/cas/p3/serviceValidate',
                  logout_url: '/cas/logout'} }
      # NOTE(review): verify_ssl: false turns off certificate verification for
      # this provider — acceptable only as a test fixture, not for a real
      # GitHub integration.
      - { name: 'github',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET',
          url: "https://github.com/",
          verify_ssl: false,
          args: { scope: 'user:email' } }
      - { name: 'bitbucket',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
      - { name: 'gitlab',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET',
          args: { scope: 'api' } }
      - { name: 'google_oauth2',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET',
          args: { access_type: 'offline', approval_prompt: '' } }
      - { name: 'facebook',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
      - { name: 'twitter',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
      # NOTE(review): with algorithm HS256, app_secret is the HMAC key that
      # validates incoming tokens. valid_within: null presumably disables the
      # time window the commented production example sets to 3600 — confirm.
      - { name: 'jwt',
          app_secret: 'YOUR_APP_SECRET',
          args: {
                  algorithm: 'HS256',
                  uid_claim: 'email',
                  required_claims: ["name", "email"],
                  info_map: { name: "name", email: "email" },
                  auth_url: 'https://example.com/',
                  valid_within: null,
                }
        }
      - { name: 'auth0',
          args: {
            client_id: 'YOUR_AUTH0_CLIENT_ID',
            client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
            namespace: 'YOUR_AUTH0_DOMAIN' } }
      - { name: 'authentiq',
          app_id: 'YOUR_CLIENT_ID',
          app_secret: 'YOUR_CLIENT_SECRET',
          args: { scope: 'aq:name email~rs address aq:push' } }
  ldap:
    enabled: false
    servers:
      main:
        label: ldap
        host: 127.0.0.1
        port: 3890
        uid: 'uid'
        # NOTE(review): 'plain' sends the LDAP bind in cleartext; tolerable only
        # because the test server is on loopback above. Use "start_tls" or
        # "simple_tls" for any LDAP server reached over a network.
        encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''

# Staging inherits every setting from the mapping anchored as `base` via the
# YAML merge key (`<<`); nothing is overridden here.
staging:
  <<: *base