diff --git a/README.md b/README.md index 3440105..5798720 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ If you don't have YunoHost, please see [here](https://yunohost.org/#/install) to GitLab is a web-based Git-repository manager providing wiki, issue-tracking and CI/CD pipeline features, using an open-source license, developed by GitLab Inc. -**Shipped version:** 12.1.3 +**Shipped version:** 12.4.0 ## Screenshots diff --git a/conf/gitlab.rb b/conf/gitlab.rb index a45339c..b81c81e 100644 --- a/conf/gitlab.rb +++ b/conf/gitlab.rb @@ -22,6 +22,16 @@ ##! settings that can be configured by this file, which may be found at: ##! https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/files/gitlab-config-template/gitlab.rb.template +##! You can run `gitlab-ctl diff-config` to compare the contents of the current gitlab.rb with +##! the gitlab.rb.template from the currently running version. + +##! You can run `gitlab-ctl show-config` to display the configuration that will be generated by +##! running `gitlab-ctl reconfigure` + +##! In general, the values specified here should reflect what the default value of the attribute will be. +##! There are instances where this behavior is not possible or desired. For example, when providing passwords, +##! or connecting to third party services. +##! In those instances, we endeavour to provide an example configuration. ## GitLab URL ##! URL on which GitLab will be reachable. @@ -48,8 +58,6 @@ external_url '__GENERATED_EXTERNAL_URL__' ##! beginning; Remove them to enable the setting. ##! **Configuration settings below are optional.** -##! **The values currently assigned are only examples and ARE NOT the default -##! values.** ################################################################################ @@ -71,6 +79,9 @@ external_url '__GENERATED_EXTERNAL_URL__' # gitlab_rails['gitlab_email_display_name'] = 'Example' # gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com' # gitlab_rails['gitlab_email_subject_suffix'] = '' +# gitlab_rails['gitlab_email_smime_enabled'] = false +# gitlab_rails['gitlab_email_smime_key_file'] = '/etc/gitlab/ssl/gitlab_smime.key' +# gitlab_rails['gitlab_email_smime_cert_file'] = '/etc/gitlab/ssl/gitlab_smime.crt' ### GitLab user privileges # gitlab_rails['gitlab_default_can_create_group'] = true @@ -109,7 +120,7 @@ external_url '__GENERATED_EXTERNAL_URL__' ###! https://docs.gitlab.com/ce/ci/yaml/README.html#artifacts:expire_in # gitlab_rails['stuck_ci_jobs_worker_cron'] = "0 0 * * *" # gitlab_rails['expire_build_artifacts_worker_cron'] = "50 * * * *" -# gitlab_rails['pipeline_schedule_worker_cron'] = "41 * * * *" +# gitlab_rails['pipeline_schedule_worker_cron'] = "19 * * * *" # gitlab_rails['ci_archive_traces_cron_worker_cron'] = "17 * * * *" # gitlab_rails['repository_check_worker_cron'] = "20 * * * *" # gitlab_rails['admin_email_worker_cron'] = "0 0 * * 0" @@ -131,6 +142,34 @@ external_url '__GENERATED_EXTERNAL_URL__' ###! will appear signed in from that address.** # gitlab_rails['trusted_proxies'] = [] +### Content Security Policy +####! Customize if you want to enable the Content-Security-Policy header, which +####! can help thwart JavaScript cross-site scripting (XSS) attacks. +####! See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP +# gitlab_rails['content_security_policy'] = { +# 'enabled' => false, +# 'report_only' => false, +# # Each directive is a String (e.g. "'self'"). +# 'directives' => { +# 'base_uri' => nil, +# 'child_src' => nil, +# 'connect_src' => nil, +# 'default_src' => nil, +# 'font_src' => nil, +# 'form_action' => nil, +# 'frame_ancestors' => nil, +# 'frame_src' => nil, +# 'img_src' => nil, +# 'manifest_src' => nil, +# 'media_src' => nil, +# 'object_src' => nil, +# 'script_src' => nil, +# 'style_src' => nil, +# 'worker_src' => nil, +# 'report_uri' => nil, +# } +# } + ### Monitoring settings ###! IP whitelist controlling access to monitoring endpoints # gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128'] @@ -274,6 +313,50 @@ external_url '__GENERATED_EXTERNAL_URL__' gitlab_rails['ldap_enabled'] = true ###! **remember to close this block with 'EOS' below** +# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' +# main: # 'main' is the GitLab 'provider ID' of this LDAP server +# label: 'LDAP' +# host: '_your_ldap_server' +# port: 389 +# uid: 'sAMAccountName' +# bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' +# password: '_the_password_of_the_bind_user' +# encryption: 'plain' # "start_tls" or "simple_tls" or "plain" +# verify_certificates: true +# smartcard_auth: false +# active_directory: true +# allow_username_or_email_login: false +# lowercase_usernames: false +# block_auto_created_users: false +# base: '' +# user_filter: '' +# ## EE only +# group_base: '' +# admin_group: '' +# sync_ssh_keys: false +# +# secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server +# label: 'LDAP' +# host: '_your_ldap_server' +# port: 389 +# uid: 'sAMAccountName' +# bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' +# password: '_the_password_of_the_bind_user' +# encryption: 'plain' # "start_tls" or "simple_tls" or "plain" +# verify_certificates: true +# smartcard_auth: false +# active_directory: true +# allow_username_or_email_login: false +# lowercase_usernames: false +# block_auto_created_users: false +# base: '' +# user_filter: '' +# ## EE only +# group_base: '' +# admin_group: '' +# sync_ssh_keys: false +# EOS + gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below main: # 'main' is the GitLab 'provider ID' of this LDAP server label: 'LDAP' @@ -296,6 +379,7 @@ EOS # gitlab_rails['smartcard_ca_file'] = "/etc/gitlab/ssl/CA.pem" # gitlab_rails['smartcard_client_certificate_required_port'] = 3444 # gitlab_rails['smartcard_required_for_git_access'] = false +# gitlab_rails['smartcard_san_extensions'] = false ### OmniAuth Settings ###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html @@ -309,6 +393,7 @@ EOS # gitlab_rails['omniauth_auto_link_ldap_user'] = false # gitlab_rails['omniauth_auto_link_saml_user'] = false # gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2'] +# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2'] # gitlab_rails['omniauth_providers'] = [ # { # "name" => "google_oauth2", @@ -353,6 +438,11 @@ EOS ###! include 'STANDARD', 'STANDARD_IA', and 'REDUCED_REDUNDANCY'** # gitlab_rails['backup_storage_class'] = 'STANDARD' +###! Skip parts of the backup. Comma separated. +###! Docs: https://docs.gitlab.com/ee/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup +#gitlab_rails['env'] = { +# "SKIP" => "db,uploads,repositories,builds,artifacts,lfs,registry,pages" +#} ### Pseudonymizer Settings # gitlab_rails['pseudonymizer_manifest'] = 'config/pseudonymizer.yml' @@ -409,17 +499,6 @@ gitlab_rails['gitlab_shell_ssh_port'] = __SSH_PORT__ # 'bantime' => 3600 # } -# gitlab_rails['rack_attack_protected_paths'] = [ -# '/users/password', -# '/users/sign_in', -# '/api/#{API::API.version}/session.json', -# '/api/#{API::API.version}/session', -# '/users', -# '/users/confirmation', -# '/unsubscribes/', -# '/import/github/personal_access_token' -# ] - ###! **We do not recommend changing these directories.** # gitlab_rails['dir'] = "/var/opt/gitlab/gitlab-rails" # gitlab_rails['log_directory'] = "/var/log/gitlab/gitlab-rails" @@ -438,7 +517,7 @@ gitlab_rails['gitlab_shell_ssh_port'] = __SSH_PORT__ #### Set path to an initial license to be used while bootstrapping GitLab. ####! **Only applicable on initial setup, future license updations need to be done via UI. ####! Updating the file specified in this path won't yield any change after the first reconfigure run. -# gitlab_rails['iniitial_license_file'] = '/etc/gitlab/company.gitlab-license' +# gitlab_rails['initial_license_file'] = '/etc/gitlab/company.gitlab-license' #### Enable or disable automatic database migrations # gitlab_rails['auto_migrate'] = true @@ -463,6 +542,8 @@ gitlab_rails['gitlab_shell_ssh_port'] = __SSH_PORT__ # gitlab_rails['db_sslmode'] = nil # gitlab_rails['db_sslcompression'] = 0 # gitlab_rails['db_sslrootcert'] = nil +# gitlab_rails['db_sslcert'] = nil +# gitlab_rails['db_sslkey'] = nil # gitlab_rails['db_prepared_statements'] = false # gitlab_rails['db_statements_limit'] = 1000 @@ -527,7 +608,7 @@ gitlab_rails['gitlab_shell_ssh_port'] = __SSH_PORT__ ##! Docs: https://docs.gitlab.com/ce/administration/container_registry.html ################################################################################ -# registry_external_url 'https://registry.gitlab.example.com' +# registry_external_url 'https://registry.example.com' ### Settings used by GitLab application # gitlab_rails['registry_enabled'] = true @@ -535,6 +616,11 @@ gitlab_rails['gitlab_shell_ssh_port'] = __SSH_PORT__ # gitlab_rails['registry_port'] = "5005" # gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry" +# Notification secret, it's used to authenticate notification requests to GitLab application +# You only need to change this when you use external Registry service, otherwise +# it will be taken directly from notification settings of your Registry +# gitlab_rails['registry_notification_secret'] = nil + ###! **Do not change the following 3 settings unless you know what you are ###! doing** # gitlab_rails['registry_api_url'] = "http://localhost:5000" @@ -570,6 +656,7 @@ gitlab_rails['gitlab_shell_ssh_port'] = __SSH_PORT__ # 's3' => { # 'accesskey' => 'AKIAKIAKI', # 'secretkey' => 'secret123', +# 'region' => 'us-east-1', # 'bucket' => 'gitlab-registry-bucket-AKIAKIAKI' # } # } @@ -676,7 +763,7 @@ gitlab_rails['gitlab_shell_ssh_port'] = __SSH_PORT__ # unicorn['enable'] = true # unicorn['worker_timeout'] = 60 ###! Minimum worker_processes is 2 at this moment -###! See https://gitlab.com/gitlab-org/gitlab-ce/issues/18771 +###! See https://gitlab.com/gitlab-org/gitlab-foss/issues/18771 unicorn['worker_processes'] = __UNICORN_WORKER_PROCESSES__ ### Advanced settings @@ -699,6 +786,11 @@ unicorn['port'] = __UNICORN_PORT__ # unicorn['worker_memory_limit_min'] = "400 * 1 << 20" # unicorn['worker_memory_limit_max'] = "650 * 1 << 20" +# unicorn['exporter_enabled'] = false +# unicorn['exporter_address'] = "127.0.0.1" +# unicorn['exporter_port'] = 8083 +# unicorn['exporter_blackout_seconds'] = 10 + ################################################################################ ## GitLab Puma ##! Tweak puma settings. You should only use Unicorn or Puma, not both. @@ -724,7 +816,12 @@ unicorn['port'] = __UNICORN_PORT__ ### **Only change these settings if you understand well what they mean** ###! Docs: https://github.com/schneems/puma_worker_killer -# puma['per_worker_max_memory_mb'] = 650 +# puma['per_worker_max_memory_mb'] = 850 + +# puma['exporter_enabled'] = false +# puma['exporter_address'] = "127.0.0.1" +# puma['exporter_port'] = 8083 +# puma['exporter_blackout_seconds'] = 10 ################################################################################ ## GitLab Sidekiq @@ -894,6 +991,9 @@ sidekiq['listen_port'] = __SIDEKIQ_PORT__ # See https://www.postgresql.org/docs/9.6/static/auth-pg-hba-conf.html for an explanation # of the values +### Version settings +# Set this if you have disabled the bundled PostgreSQL but still want to use the backup rake tasks +# postgresql['version'] = 10 ################################################################################ ## GitLab Redis @@ -918,6 +1018,16 @@ sidekiq['listen_port'] = __SIDEKIQ_PORT__ # redis['uid'] = nil # redis['gid'] = nil +### Disable or obfuscate unnecessary redis command names +### Uncomment and edit this block to add or remove entries. +### See https://docs.gitlab.com/omnibus/settings/redis.html#renamed-commands +### for detailed usage +### +# redis['rename_commands'] = { +# 'KEYS': '' +#} +# + ###! **To enable only Redis service in this machine, uncomment ###! one of the lines below (choose master or slave instance types).** ###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html @@ -1003,12 +1113,12 @@ nginx['client_max_body_size'] = '__CLIENT_MAX_BODY_SIZE__' # nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt" # nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key" -# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256" +# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256" # nginx['ssl_prefer_server_ciphers'] = "on" ##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ##! https://cipherli.st/** -# nginx['ssl_protocols'] = "TLSv1.2" +# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3" ##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html** # nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" @@ -1140,6 +1250,7 @@ nginx['listen_https'] = false ##! You can disable built in logrotate feature. ################################################################################ # logrotate['enable'] = true +# logrotate['log_directory'] = "/var/log/gitlab/logrotate" ################################################################################ ## Users and groups accounts @@ -1248,16 +1359,6 @@ nginx['listen_https'] = false ##! Specifies the maximum SSL/TLS version ("ssl3", "tls1.0", "tls1.1" or "tls1.2") # gitlab_pages['tls_max_version'] = "tls1.2" -##! Configure the pages admin API -# gitlab_pages['admin_secret_token'] = 'custom secret' -# gitlab_pages['admin_https_listener'] = '0.0.0.0:5678' -# gitlab_pages['admin_https_cert'] = '/etc/gitlab/pages-admin.crt' -# gitlab_pages['admin_https_key'] = '/etc/gitlab/pages-admin.key' - -##! Client side configuration for gitlab-pages admin API, in case pages runs on a different host -# gitlab_rails['pages_admin_address'] = 'pages.gitlab.example.com:5678' -# gitlab_rails['pages_admin_certificate'] = '/etc/gitlab/pages-admin.crt' - ##! Pages access control # gitlab_pages['access_control'] = false # gitlab_pages['gitlab_id'] = nil # Automatically generated if not present @@ -1266,6 +1367,9 @@ nginx['listen_https'] = false # gitlab_pages['gitlab_server'] = nil # Defaults to external_url # gitlab_pages['auth_secret'] = nil # Generated if not present +##! Define custom gitlab-pages HTTP headers for the whole instance +# gitlab_pages['headers'] = [] + ################################################################################ ## GitLab Pages NGINX ################################################################################ @@ -1440,9 +1544,9 @@ nginx['listen_https'] = false ### Custom Prometheus flags # # prometheus['flags'] = { -# 'storage.tsdb.path' => "#{node['gitlab']['prometheus']['home']}/data", +# 'storage.tsdb.path' => "/var/opt/gitlab/prometheus/data", # 'storage.tsdb.retention.time' => "15d", -# 'config.file' => "#{node['gitlab']['prometheus']['home']}/prometheus.yml" +# 'config.file' => "/var/opt/gitlab/prometheus/prometheus.yml" # } ##! Advanced settings. Should be changed only if absolutely needed. @@ -1457,9 +1561,9 @@ nginx['listen_https'] = false # alertmanager['log_directory'] = '/var/log/gitlab/alertmanager' # alertmanager['admin_email'] = 'admin@example.com' # alertmanager['flags'] = { -# 'web.listen-address' => "#{node['gitlab']['alertmanager']['listen_address']}" -# 'storage.path' => "#{node['gitlab']['alertmanager']['home']}/data" -# 'config.file' => "#{node['gitlab']['alertmanager']['home']}/alertmanager.yml" +# 'web.listen-address' => "localhost:9093" +# 'storage.path' => "/var/opt/gitlab/alertmanager/data" +# 'config.file' => "/var/opt/gitlab/alertmanager/alertmanager.yml" # } # alertmanager['env_directory'] = '/opt/gitlab/etc/alertmanager/env' # alertmanager['env'] = { @@ -1468,6 +1572,7 @@ nginx['listen_https'] = false ##! Advanced settings. Should be changed only if absolutely needed. # alertmanager['listen_address'] = 'localhost:9093' +# alertmanager['global'] = {} ################################################################################ ## Prometheus Node Exporter @@ -1478,7 +1583,7 @@ nginx['listen_https'] = false # node_exporter['home'] = '/var/opt/gitlab/node-exporter' # node_exporter['log_directory'] = '/var/log/gitlab/node-exporter' # node_exporter['flags'] = { -# 'collector.textfile.directory' => "#{node['gitlab']['node-exporter']['home']}/textfile_collector" +# 'collector.textfile.directory' => "/var/opt/gitlab/node-exporter/textfile_collector" # } # node_exporter['env_directory'] = '/opt/gitlab/etc/node-exporter/env' # node_exporter['env'] = { @@ -1496,7 +1601,7 @@ nginx['listen_https'] = false # redis_exporter['enable'] = true # redis_exporter['log_directory'] = '/var/log/gitlab/redis-exporter' # redis_exporter['flags'] = { -# 'redis.addr' => "unix://#{node['gitlab']['gitlab-rails']['redis_socket']}", +# 'redis.addr' => "unix:///var/opt/gitlab/redis/redis.socket", # } # redis_exporter['env_directory'] = '/opt/gitlab/etc/redis-exporter/env' # redis_exporter['env'] = { @@ -1535,22 +1640,22 @@ nginx['listen_https'] = false # } ################################################################################ -## Prometheus Gitlab monitor -##! Docs: https://docs.gitlab.com/ce/administration/monitoring/prometheus/gitlab_monitor_exporter.html +## Prometheus Gitlab exporter +##! Docs: https://docs.gitlab.com/ce/administration/monitoring/prometheus/gitlab_exporter.html ################################################################################ -# gitlab_monitor['enable'] = true -# gitlab_monitor['log_directory'] = "/var/log/gitlab/gitlab-monitor" -# gitlab_monitor['home'] = "/var/opt/gitlab/gitlab-monitor" +# gitlab_exporter['enable'] = true +# gitlab_exporter['log_directory'] = "/var/log/gitlab/gitlab-exporter" +# gitlab_exporter['home'] = "/var/opt/gitlab/gitlab-exporter" ##! Advanced settings. Should be changed only if absolutely needed. -# gitlab_monitor['listen_address'] = 'localhost' -# gitlab_monitor['listen_port'] = '9168' +# gitlab_exporter['listen_address'] = 'localhost' +# gitlab_exporter['listen_port'] = '9168' -##! Manage gitlab-monitor sidekiq probes. false by default when Sentinels are +##! Manage gitlab-exporter sidekiq probes. false by default when Sentinels are ##! found. -# gitlab_monitor['probe_sidekiq'] = true +# gitlab_exporter['probe_sidekiq'] = true # To completely disable prometheus, and all of it's exporters, set to false # prometheus_monitoring['enable'] = true @@ -1565,6 +1670,8 @@ grafana['enable'] = false # grafana['home'] = '/var/opt/gitlab/grafana' # grafana['admin_password'] = 'admin' # grafana['allow_user_sign_up'] = false +# grafana['basic_auth_enabled'] = false +# grafana['disable_login_form'] = true # grafana['gitlab_application_id'] = 'GITLAB_APPLICATION_ID' # grafana['gitlab_secret'] = 'GITLAB_SECRET' # grafana['env_directory'] = '/opt/gitlab/etc/grafana/env' @@ -1645,9 +1752,11 @@ grafana['enable'] = false # gitaly['auth_transitioning'] = false # When true, auth is logged to Prometheus but NOT enforced # gitaly['graceful_restart_timeout'] = '1m' # Grace time for a gitaly process to finish ongoing requests # gitaly['git_catfile_cache_size'] = 100 # Number of 'git cat-file' processes kept around for re-use +# gitaly['open_files_ulimit'] = 15000 # Maximum number of open files allowed for the gitaly process # gitaly['ruby_max_rss'] = 300000000 # RSS threshold in bytes for triggering a gitaly-ruby restart # gitaly['ruby_graceful_restart_timeout'] = '10m' # Grace time for a gitaly-ruby process to finish ongoing requests # gitaly['ruby_restart_delay'] = '5m' # Period of sustained high RSS that needs to be observed before restarting gitaly-ruby +# gitaly['ruby_rugged_git_config_search_path'] = "/opt/gitlab/embedded/etc" # Location of system-wide gitconfig file # gitaly['ruby_num_workers'] = 3 # Number of gitaly-ruby worker processes. Minimum 2, default 2. # gitaly['storage'] = [ # { @@ -1669,6 +1778,32 @@ grafana['enable'] = false # } # ] +################################################################################ +## Praefect +##! Docs: https://gitlab.com/gitlab-org/gitaly/blob/master/doc/design_ha.md +################################################################################ + +# praefect['enable'] = false +# praefect['virtual_storage_name'] = "praefect" +# praefect['auth_token'] = "" +# praefect['auth_transitioning'] = false +# praefect['listen_addr'] = "localhost:2305" +# praefect['prometheus_listen_addr'] = "localhost:9652" +# praefect['logging_level'] = "warn" +# praefect['logging_format'] = "json" +# praefect['storage_nodes'] = [ +# { +# 'storage' => 'praefect', +# 'address' => 'tcp://12:23:56:78', +# 'token' => 'abc123' +# }, +# { +# 'storoge' => 'praefect-2', +# 'address' => 'tcp://praefect2.internal', +# 'token' => 'xyz456' +# } +# ] + ################################################################################ # Storage check ################################################################################ @@ -1695,6 +1830,11 @@ grafana['enable'] = false ##! non-docker containers. Recommended not to change. # package['detect_init'] = true +##! Specify maximum number of tasks that can be created by the systemd unit +##! Will be populated as TasksMax value to the unit file if user is on a systemd +##! version that supports it (>= 227). Will be a no-op if user is not on systemd. +# package['systemd_tasks_max'] = 4915 + ################################################################################ ################################################################################ ## Configuration Settings for GitLab EE only ## @@ -1894,6 +2034,10 @@ grafana['enable'] = false # If it is blank, it defaults to external_url. # gitlab_rails['geo_node_name'] = nil +# gitlab_rails['geo_registry_replication_enabled'] = true +# gitlab_rails['geo_registry_replication_primary_api_url'] = 'https://example.com:5000' + + ################################################################################ ## GitLab Geo Secondary (EE only) ################################################################################ diff --git a/config_panel.json b/config_panel.json index 4b7ccf8..965a554 100644 --- a/config_panel.json +++ b/config_panel.json @@ -11,9 +11,11 @@ "id": "is_public", "options": [ { - "name": "Is it a public app ?", - "id": "is_public", - "type": "bool", + "name": "is_public", + "ask": { + "en": "Is it a public app ?" + }, + "type": "boolean", "default": true } ] @@ -23,10 +25,12 @@ "id": "overwrite_files", "options": [ { - "name": "Overwrite the nginx config file ?", + "name": "overwrite_nginx", + "ask": { + "en": "Overwrite the nginx config file ?" + }, "help": "If the file is overwritten, a backup will be created.", - "id": "overwrite_nginx", - "type": "bool", + "type": "boolean", "default": true } ] @@ -36,10 +40,91 @@ "id": "users", "options": [ { - "name": "Authorized external user creation ?", + "name": "use_web_account", + "ask": { + "en": "Authorized external user creation ?" + }, "help": "Allow user to be created without yunohost account.", - "id": "use_web_account", - "type": "bool", + "type": "boolean", + "default": true + } + ] + }, + { + "name": "Backup strategy", + "id": "backup_strategy", + "help": "WARNING: If you disable one of these backup, it will not be restored in case of error, use this feature at your own risk", + "options": [ + { + "name": "backup_db", + "ask": { + "en": "Should gitlab backup the database ?" + }, + "help": "https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup", + "type": "boolean", + "default": true + }, + { + "name": "backup_uploads", + "ask": { + "en": "Should gitlab backup attachments ?" + }, + "help": "https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup", + "type": "boolean", + "default": true + }, + { + "name": "backup_repositories", + "ask": { + "en": "Should gitlab backup git repositories data ?" + }, + "help": "https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup", + "type": "boolean", + "default": true + }, + { + "name": "backup_builds", + "ask": { + "en": "Should gitlab backup CI job output logs ?" + }, + "help": "https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup", + "type": "boolean", + "default": true + }, + { + "name": "backup_artifacts", + "ask": { + "en": "Should gitlab backup CI job artifacts ?" + }, + "help": "https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup", + "type": "boolean", + "default": true + }, + { + "name": "backup_lfs", + "ask": { + "en": "Should gitlab backup LFS objects ?" + }, + "help": "https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup", + "type": "boolean", + "default": true + }, + { + "name": "backup_registry", + "ask": { + "en": "Should gitlab backup container registry images ?" + }, + "help": "https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup", + "type": "boolean", + "default": true + }, + { + "name": "backup_pages", + "ask": { + "en": "Should gitlab backup pages content ?" + }, + "help": "https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup", + "type": "boolean", "default": true } ] diff --git a/manifest.json b/manifest.json index 0453802..9e8d73d 100644 --- a/manifest.json +++ b/manifest.json @@ -2,7 +2,7 @@ "name": "Gitlab", "id": "gitlab", "packaging_format": 1, - "version": "12.1.3~ynh1", + "version": "12.4.0~ynh1", "description": { "en": "GitLab is a Git-repository manager.", "fr": "GitLab est un gestionnaire de dépôts Git." @@ -14,7 +14,7 @@ "email": "pierre@kayou.io" }, "requirements": { - "yunohost": ">= 3.5.0" + "yunohost": ">= 3.6.0" }, "multi_instance": false, "services": [ diff --git a/scripts/_common.sh b/scripts/_common.sh index 1caa856..a7ba0f4 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -4,25 +4,7 @@ # SET ALL CONSTANTS #================================================= -pkg_dependencies="openssh-server" - -#================================================= -# BOOLEAN CONVERTER -#================================================= - -bool_to_01 () { - local var="$1" - [ "$var" = "true" ] && var=1 - [ "$var" = "false" ] && var=0 - echo "$var" -} - -bool_to_true_false () { - local var="$1" - [ "$var" = "1" ] && var=true - [ "$var" = "0" ] && var=false - echo "$var" -} +pkg_dependencies="openssh-server bc" #================================================= # EXPERIMENTAL HELPERS diff --git a/scripts/backup b/scripts/backup index e25ab0b..770025f 100644 --- a/scripts/backup +++ b/scripts/backup @@ -32,6 +32,15 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) config_path=$(ynh_app_setting_get --app=$app --key=config_path) domain=$(ynh_app_setting_get --app=$app --key=domain) +backup_db=$(ynh_app_setting_get --app="$app" --key=backup_db) +backup_uploads=$(ynh_app_setting_get --app="$app" --key=backup_uploads) +backup_repositories=$(ynh_app_setting_get --app="$app" --key=backup_repositories) +backup_builds=$(ynh_app_setting_get --app="$app" --key=backup_builds) +backup_artifacts=$(ynh_app_setting_get --app="$app" --key=backup_artifacts) +backup_lfs=$(ynh_app_setting_get --app="$app" --key=backup_lfs) +backup_registry=$(ynh_app_setting_get --app="$app" --key=backup_registry) +backup_pages=$(ynh_app_setting_get --app="$app" --key=backup_pages) + #================================================= # STANDARD BACKUP STEPS #================================================= @@ -46,10 +55,45 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" #================================================= ynh_script_progression --message="Backuping of Gitlab..." --weight=9 +to_skip="" + +if [ $backup_db -eq 0 ]; then + to_skip="db,"$to_skip +fi + +if [ $backup_uploads -eq 0 ]; then + to_skip="uploads,"$to_skip +fi + +if [ $backup_repositories -eq 0 ]; then + to_skip="repositories,"$to_skip +fi + +if [ $backup_builds -eq 0 ]; then + to_skip="builds,"$to_skip +fi + +if [ $backup_artifacts -eq 0 ]; then + to_skip="artifacts,"$to_skip +fi + +if [ $backup_lfs -eq 0 ]; then + to_skip="lfs,"$to_skip +fi + +if [ $backup_registry -eq 0 ]; then + to_skip="registry,"$to_skip +fi + +if [ $backup_pages -eq 0 ]; then + to_skip="pages,"$to_skip +fi + # Use gitlab-rake to backup # For the complete doc: https://docs.gitlab.com/ce/raketasks/backup_restore.html # For the filename: https://docs.gitlab.com/ce/raketasks/backup_restore.html#backup-filename -gitlab-rake gitlab:backup:create BACKUP=last +# For the backup strategy: https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup +gitlab-backup create BACKUP=last SKIP=$to_skip ynh_backup --src_path="/var/opt/$app/backups/last_gitlab_backup.tar" diff --git a/scripts/config b/scripts/config index f66658d..efaa386 100644 --- a/scripts/config +++ b/scripts/config @@ -27,19 +27,41 @@ app=${YNH_APP_INSTANCE_NAME:-$YNH_APP_ID} # is_public old_is_public="$(ynh_app_setting_get --app=$app --key=is_public)" -old_is_public=$(bool_to_true_false $old_is_public) is_public="${YNH_CONFIG_MAIN_IS_PUBLIC_IS_PUBLIC:-$old_is_public}" # Overwrite nginx configuration old_overwrite_nginx="$(ynh_app_setting_get --app=$app --key=overwrite_nginx)" -old_overwrite_nginx=$(bool_to_true_false $old_overwrite_nginx) overwrite_nginx="${YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_NGINX:-$old_overwrite_nginx}" # use_web_account old_use_web_account="$(ynh_app_setting_get --app=$app --key=use_web_account)" -old_use_web_account=$(bool_to_true_false $old_use_web_account) use_web_account="${YNH_CONFIG_MAIN_USERS_USE_WEB_ACCOUNT:-$old_use_web_account}" +# backup_strategy +old_backup_db="$(ynh_app_setting_get --app=$app --key=backup_db)" +backup_db="${YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_DB:-$old_backup_db}" + +old_backup_uploads="$(ynh_app_setting_get --app=$app --key=backup_uploads)" +backup_uploads="${YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_UPLOADS:-$old_backup_uploads}" + +old_backup_repositories="$(ynh_app_setting_get --app=$app --key=backup_repositories)" +backup_repositories="${YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_REPOSITORIES:-$old_backup_repositories}" + +old_backup_builds="$(ynh_app_setting_get --app=$app --key=backup_builds)" +backup_builds="${YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_BUILDS:-$old_backup_builds}" + +old_backup_artifacts="$(ynh_app_setting_get --app=$app --key=backup_artifacts)" +backup_artifacts="${YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_ARTIFACTS:-$old_backup_artifacts}" + +old_backup_lfs="$(ynh_app_setting_get --app=$app --key=backup_lfs)" +backup_lfs="${YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_LFS:-$old_backup_lfs}" + +old_backup_registry="$(ynh_app_setting_get --app=$app --key=backup_registry)" +backup_registry="${YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_REGISTRY:-$old_backup_registry}" + +old_backup_pages="$(ynh_app_setting_get --app=$app --key=backup_pages)" +backup_pages="${YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_PAGES:-$old_backup_pages}" + #================================================= # SHOW_CONFIG FUNCTION FOR 'SHOW' COMMAND #================================================= @@ -48,11 +70,27 @@ show_config() { # here you are supposed to read some config file/database/other then print the values # echo "YNH_CONFIG_${PANEL_ID}_${SECTION_ID}_${OPTION_ID}=value" - echo "YNH_CONFIG_MAIN_IS_PUBLIC_IS_PUBLIC=$is_public" + ynh_return "YNH_CONFIG_MAIN_IS_PUBLIC_IS_PUBLIC=$is_public" - echo "YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_NGINX=$overwrite_nginx" + ynh_return "YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_NGINX=$overwrite_nginx" - echo "YNH_CONFIG_MAIN_USERS_USE_WEB_ACCOUNT=$use_web_account" + ynh_return "YNH_CONFIG_MAIN_USERS_USE_WEB_ACCOUNT=$use_web_account" + + ynh_return "YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_DB=$backup_db" + + ynh_return "YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_UPLOADS=$backup_uploads" + + ynh_return "YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_REPOSITORIES=$backup_repositories" + + ynh_return "YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_BUILDS=$backup_builds" + + ynh_return "YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_ARTIFACTS=$backup_artifacts" + + ynh_return "YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_LFS=$backup_lfs" + + ynh_return "YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_REGISTRY=$backup_registry" + + ynh_return "YNH_CONFIG_MAIN_BACKUP_STRATEGY_BACKUP_PAGES=$backup_pages" } #================================================= @@ -61,23 +99,30 @@ show_config() { apply_config() { # Change public accessibility - if [ "$is_public" = "true" ] - then - yunohost app action run $app public_private --args is_public=1 - else - yunohost app action run $app public_private --args is_public=0 - fi + yunohost app action run $app public_private --args is_public=$is_public # Change use_web_account - if [ "$use_web_account" = "true" ] - then - yunohost app action run $app web_account --args use_web_account=1 - else - yunohost app action run $app web_account --args use_web_account=0 - fi + yunohost app action run $app web_account --args use_web_account=$use_web_account # Set overwrite_nginx ynh_app_setting_set --app=$app --key=overwrite_nginx --value="$overwrite_nginx" + + # Set backup_db + ynh_app_setting_set --app=$app --key=backup_db --value="$backup_db" + # Set backup_uploads + ynh_app_setting_set --app=$app --key=backup_uploads --value="$backup_uploads" + # Set backup_repositories + ynh_app_setting_set --app=$app --key=backup_repositories --value="$backup_repositories" + # Set backup_builds + ynh_app_setting_set --app=$app --key=backup_builds --value="$backup_builds" + # Set backup_artifacts + ynh_app_setting_set --app=$app --key=backup_artifacts --value="$backup_artifacts" + # Set backup_lfs + ynh_app_setting_set --app=$app --key=backup_lfs --value="$backup_lfs" + # Set backup_registry + ynh_app_setting_set --app=$app --key=backup_registry --value="$backup_registry" + # Set backup_pages + ynh_app_setting_set --app=$app --key=backup_pages --value="$backup_pages" } #================================================= diff --git a/scripts/install b/scripts/install index ea78098..bdf5ae8 100644 --- a/scripts/install +++ b/scripts/install @@ -54,18 +54,6 @@ else your hardware and the result of the command \"uname -m\"." 1 fi -# https://docs.gitlab.com/ee/install/requirements.html#unicorn-workers -unicorn_worker_processes=$(($(nproc) + 1 )) - -# If the server has at least 2GB of RAM -if [ $(ynh_check_ram --no_swap) -ge 2000 ]; then - # Min 3 worker processes - unicorn_worker_processes=$(($unicorn_worker_processes>3?$unicorn_worker_processes:3)) -else - # 2 worker processes - unicorn_worker_processes=2 -fi - # Could be an option? client_max_body_size="250m" @@ -84,7 +72,6 @@ ynh_app_setting_set --app=$app --key=use_web_account --value=$use_web_account ynh_app_setting_set --app=$app --key=final_path --value=$final_path ynh_app_setting_set --app=$app --key=config_path --value=$config_path ynh_app_setting_set --app=$app --key=architecture --value=$architecture -ynh_app_setting_set --app=$app --key=unicorn_worker_processes --value=$unicorn_worker_processes ynh_app_setting_set --app=$app --key=client_max_body_size --value=$client_max_body_size ynh_app_setting_set --app=$app --key=overwrite_nginx --value="1" @@ -112,6 +99,24 @@ ynh_script_progression --message="Installing dependencies..." --weight=5 ynh_install_app_dependencies $pkg_dependencies +#================================================= +# DEFINE THE NUMBER OF WORKERS USED +#================================================= + +# https://docs.gitlab.com/ce/install/requirements.html#unicorn-workers +unicorn_worker_processes=$(bc <<< "($(nproc) * 1.5 + 1) / 1") + +# If the server has at least 2GB of RAM +if [ $(ynh_check_ram --no_swap) -ge 2000 ]; then + # Min 3 worker processes + unicorn_worker_processes=$(($unicorn_worker_processes>3?$unicorn_worker_processes:3)) +else + # 2 worker processes + unicorn_worker_processes=2 +fi + +ynh_app_setting_set --app=$app --key=unicorn_worker_processes --value=$unicorn_worker_processes + #================================================= # ADD SWAP IF NEEDED #================================================= @@ -120,7 +125,7 @@ total_memory=$(ynh_check_ram) total_swap=$(ynh_check_ram --only_swap) swap_needed=0 -# https://docs.gitlab.com/ee/install/requirements.html#memory +# https://docs.gitlab.com/ce/install/requirements.html#memory if [ $total_memory -lt 8192 ]; then # Need a minimum of 8Go of memory swap_needed=$((8192 - $total_memory)) @@ -212,6 +217,20 @@ newuser.confirmation_token = nil newuser.save ApplicationSetting.last.update_attributes(password_authentication_enabled_for_web: $use_web_account, signup_enabled: $use_web_account)" | gitlab-rails console + +#================================================= +# DEFINE THE BACKUP STRATEGY: https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup +#================================================= + +ynh_app_setting_set --app=$app --key=backup_db --value=1 +ynh_app_setting_set --app=$app --key=backup_uploads --value=1 +ynh_app_setting_set --app=$app --key=backup_repositories --value=1 +ynh_app_setting_set --app=$app --key=backup_builds --value=1 +ynh_app_setting_set --app=$app --key=backup_artifacts --value=1 +ynh_app_setting_set --app=$app --key=backup_lfs --value=1 +ynh_app_setting_set --app=$app --key=backup_registry --value=1 +ynh_app_setting_set --app=$app --key=backup_pages --value=1 + #================================================= # RECONFIGURE TO TAKE INTO ACCOUNT CHANGES #================================================= diff --git a/scripts/restore b/scripts/restore index bba120c..9914ebb 100644 --- a/scripts/restore +++ b/scripts/restore @@ -71,7 +71,7 @@ total_memory=$(ynh_check_ram) total_swap=$(ynh_check_ram --only_swap) swap_needed=0 -# https://docs.gitlab.com/ee/install/requirements.html#memory +# https://docs.gitlab.com/ce/install/requirements.html#memory if [ $total_memory -lt 8192 ]; then # Need a minimum of 8Go of memory swap_needed=$((8192 - $total_memory)) @@ -137,7 +137,12 @@ gitlab-ctl stop sidekiq # Use gitlab-rake to backup # Doc: https://docs.gitlab.com/ce/raketasks/backup_restore.html#restore-for-omnibus-gitlab-installations -ynh_exec_warn_less gitlab-rake gitlab:backup:restore force=yes BACKUP=$last_backup +ynh_exec_warn_less gitlab-backup restore force=yes BACKUP=$last_backup + +# https://docs.gitlab.com/ce/raketasks/backup_restore.html#container-registry-push-failures-after-restoring-from-a-backup +if ynh_user_exists --username="registry" && [ -d "/var/opt/gitlab/gitlab-rails/shared/registry/docker" ]; then + chown -R registry:registry /var/opt/gitlab/gitlab-rails/shared/registry/docker +fi #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 83bd326..7d9df73 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -33,6 +33,15 @@ unicorn_worker_processes=$(ynh_app_setting_get --app="$app" --key=unicorn_worker client_max_body_size=$(ynh_app_setting_get --app="$app" --key=client_max_body_size) overwrite_nginx=$(ynh_app_setting_get --app="$app" --key=overwrite_nginx) +backup_db=$(ynh_app_setting_get --app="$app" --key=backup_db) +backup_uploads=$(ynh_app_setting_get --app="$app" --key=backup_uploads) +backup_repositories=$(ynh_app_setting_get --app="$app" --key=backup_repositories) +backup_builds=$(ynh_app_setting_get --app="$app" --key=backup_builds) +backup_artifacts=$(ynh_app_setting_get --app="$app" --key=backup_artifacts) +backup_lfs=$(ynh_app_setting_get --app="$app" --key=backup_lfs) +backup_registry=$(ynh_app_setting_get --app="$app" --key=backup_registry) +backup_pages=$(ynh_app_setting_get --app="$app" --key=backup_pages) + #================================================= # CHECK VERSION #================================================= @@ -65,7 +74,7 @@ if [ -z "$config_path" ]; then fi if [ -z "$unicorn_worker_processes" ]; then - # https://docs.gitlab.com/ee/install/requirements.html#unicorn-workers + # https://docs.gitlab.com/ce/install/requirements.html#unicorn-workers unicorn_worker_processes=$(($(nproc) + 1 )) # If the server has at least 2GB of RAM @@ -146,6 +155,39 @@ if [ -e "/etc/apt/sources.list.d/gitlab-ce.list" ]; then ynh_secure_remove --file="/etc/apt/sources.list.d/gitlab-ce.list" fi +# Define the backup strategy: https://docs.gitlab.com/ce/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup +if [ -z "$backup_db" ]; then + ynh_app_setting_set --app=$app --key=backup_db --value=1 +fi + +if [ -z "$backup_uploads" ]; then + ynh_app_setting_set --app=$app --key=backup_uploads --value=1 +fi + +if [ -z "$backup_repositories" ]; then + ynh_app_setting_set --app=$app --key=backup_repositories --value=1 +fi + +if [ -z "$backup_builds" ]; then + ynh_app_setting_set --app=$app --key=backup_builds --value=1 +fi + +if [ -z "$backup_artifacts" ]; then + ynh_app_setting_set --app=$app --key=backup_artifacts --value=1 +fi + +if [ -z "$backup_lfs" ]; then + ynh_app_setting_set --app=$app --key=backup_lfs --value=1 +fi + +if [ -z "$backup_registry" ]; then + ynh_app_setting_set --app=$app --key=backup_registry --value=1 +fi + +if [ -z "$backup_pages" ]; then + ynh_app_setting_set --app=$app --key=backup_pages --value=1 +fi + #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= @@ -188,7 +230,7 @@ total_memory=$(ynh_check_ram) total_swap=$(ynh_check_ram --only_swap) swap_needed=0 -# https://docs.gitlab.com/ee/install/requirements.html#memory +# https://docs.gitlab.com/ce/install/requirements.html#memory if [ $total_memory -lt 8192 ]; then # Need a minimum of 8Go of memory swap_needed=$((8192 - $total_memory)) @@ -236,6 +278,9 @@ if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Setting up source files..." --weight=200 + # To avoid the automatic backup, already performed by YunoHost: https://docs.gitlab.com/omnibus/update/#updating-methods + touch $config_path/skip-auto-backup + current_version=$(grep gitlab-ce /opt/gitlab/version-manifest.txt | cut -d' ' -f2) # Load the last available version diff --git a/scripts/upgrade.d/upgrade.last.sh b/scripts/upgrade.d/upgrade.last.sh index 87fd245..2f65fb0 100644 --- a/scripts/upgrade.d/upgrade.last.sh +++ b/scripts/upgrade.d/upgrade.last.sh @@ -1,8 +1,8 @@ -gitlab_version="12.1.3" +gitlab_version="12.4.0" -gitlab_x86_64_source_sha256="27f49d2249ce8af1750b4eb1133e5b9a9f9ccd4b38004a3b483e3f538ac13167" +gitlab_x86_64_source_sha256="a8e84fe14b8ea1e63b6746478475f1253528d25414f5dd4538cb0f229ed42d82" -gitlab_arm_source_sha256="4ca3f23d7e6d0f2e3dd288e811920bb85b44191f1da7befbd9606badb2a836dc" +gitlab_arm_source_sha256="ab5ae257dc3b26f463a5afaf1344f4218fb545080e8e9a0f071d8cd59da2f259" gitlab_filename="gitlab-ce-${gitlab_version}.deb"