Commit e8241592 authored by shu's avatar shu

initial commit

root = true
[*]
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
indent_style = space
indent_size = 4
*~
.DS_Store
services:
- docker:dind
variables:
IMAGE_NAME: thallian/gitlab
build:
stage: build
script:
- docker login -u $DOCKER_USER -p $DOCKER_PASSWORD $DOCKER_REGISTRY
- docker build -t $IMAGE_NAME:$CI_COMMIT_SHA .
- docker build -t $IMAGE_NAME:$CI_COMMIT_REF_NAME .
- docker build -t $IMAGE_NAME:latest .
- docker push $IMAGE_NAME:$CI_COMMIT_SHA
- docker push $IMAGE_NAME:$CI_COMMIT_REF_NAME
- docker push $IMAGE_NAME:latest
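Review bot: The first `script` line, `docker login -u $DOCKER_USER -p $DOCKER_PASSWORD $DOCKER_REGISTRY`, passes the registry password as a command-line argument, which is visible in the runner's process list and is the form the docker client itself warns against. Prefer `echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin $DOCKER_REGISTRY`, and make sure `DOCKER_PASSWORD` is configured as a masked (and ideally protected) CI variable so it never reaches the job log. The job also declares the `docker:dind` service but no `image:` for the docker client, so it depends on the runner's default image; an explicit docker image tag would make the pipeline reproducible.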
FROM alpine:3.10 AS builder
ENV RAILS_ENV="production"
ENV NODE_ENV="production"
ENV GITLAB_VERSION=v11.11.3
# the grpc gem must be compiled with gcc < 8
RUN apk --no-cache add \
go \
gcc6 \
yarn \
ruby-dev \
ruby-etc \
ruby-io-console \
ruby-bigdecimal \
ruby-irb \
ruby-json \
ruby-webrick \
ruby-doc \
icu-dev \
postgresql-dev \
zlib-dev \
re2-dev \
cmake \
git \
linux-headers \
build-base \
tzdata \
nodejs
# because it somehow has some unsatisfied dependency
RUN apk --no-cache fetch g++6
RUN tar -xf g++6-6.4.0-r9.apk --directory /
RUN gem install bundler -v 1.17.3 --no-document
RUN mkdir -p /home/git
RUN git clone https://gitlab.com/gitlab-org/gitlab-ce.git -b $GITLAB_VERSION /home/git/gitlab
WORKDIR /home/git/gitlab
RUN cp /home/git/gitlab/config/resque.yml.example /home/git/gitlab/config/resque.yml
RUN cp /home/git/gitlab/config/gitlab.yml.example /home/git/gitlab/config/gitlab.yml
RUN cp /home/git/gitlab/config/database.yml.postgresql /home/git/gitlab/config/database.yml
RUN CC="gcc-6" CXX="g++-6" BUNDLE_FORCE_RUBY_PLATFORM=1 bundle install --deployment --without development test mysql aws kerberos
RUN yarn install --production --pure-lockfile
RUN bundle exec rake gitlab:shell:install REDIS_URL=unix:/var/run/redis/redis.sock SKIP_STORAGE_VALIDATION=true
RUN bundle exec rake "gitlab:workhorse:install[/home/git/gitlab-workhorse]"
RUN CC="gcc-6" CXX="g++-6" bundle exec rake "gitlab:gitaly:install[/home/git/gitaly,/home/git/repositories]"
RUN bundle exec rake gettext:compile
RUN bundle exec rake gitlab:assets:compile
RUN rm -rf \
/home/git/gitlab/.git \
/home/git/gitaly/.git \
/home/git/gitlab-shell/.git \
/home/git/gitlab-workhorse/.git \
/home/git/gitlab/node_modules
WORKDIR /src
RUN git clone https://gitlab.com/gitlab-org/gitlab-pages.git
WORKDIR /src/gitlab-pages
RUN git checkout v$(cat /home/git/gitlab/GITLAB_PAGES_VERSION)
RUN make
FROM thallian/confd-env:latest
ENV RAILS_ENV="production"
ENV NODE_ENV="production"
ENV HOME=/home/git
ENV SSL_CERT_FILE=/etc/ssl/cert.pem
ENV SIDEKIQ_MEMORY_KILLER_MAX_RSS=2000000
RUN addgroup -g 2222 git
RUN adduser -h /home/git -s /bin/sh -S -D -u 2222 -G git git
COPY --from=builder --chown=git:git /home/git /home/git/
COPY --from=builder /src/gitlab-pages/gitlab-pages /bin/gitlab-pages
RUN apk --no-cache add \
redis \
ruby \
ruby-dev \
ruby-etc \
ruby-io-console \
ruby-bigdecimal \
ruby-irb \
ruby-json \
ruby-webrick \
ruby-doc \
icu \
postgresql-client \
zlib \
re2 \
tzdata \
git \
nodejs \
openssl \
openssh-server-pam
RUN gem install bundler -v 1.17.3 --no-document
RUN gem install --no-document omniauth-oauth2-generic
RUN ln -s /home/git/gitlab-workhorse/gitlab-zip-metadata /usr/bin/gitlab-zip-metadata
RUN ln -s /home/git/gitlab-workhorse/gitlab-zip-cat /usr/bin/gitlab-zip-cat
RUN mkdir -p /home/git/repositories /etc/ssh/keys
RUN chmod 0700 /home/git/gitlab/tmp/sockets/private
RUN chown git /home/git/gitlab/tmp/sockets/private
RUN mkdir -p /home/git/gitlab/shared/pages
RUN chown redis /run/redis
WORKDIR /
ADD rootfs /
EXPOSE 8181
VOLUME [ "/home/git/gitlab/shared" "/home/git/.ssh/" "/home/git/repositories/" "/home/git/gitlab/shared/pages" "/var/lib/redis/"]
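Review bot: The `VOLUME` instruction on the last line is not valid JSON (the array elements are not separated by commas), so Docker should fall back to treating the argument as a plain whitespace-separated string and the volume paths become literal tokens such as `[` and `"/home/git/gitlab/shared"` instead of the directories the README lists; write `VOLUME ["/home/git/gitlab/shared", "/home/git/.ssh/", "/home/git/repositories/", "/home/git/gitlab/shared/pages", "/var/lib/redis/"]`. The image only `EXPOSE`s 8181 although the README and sshd_config.tmpl declare port 2222 for ssh, so `EXPOSE 8181 2222` would document both. The builder stage is pinned to `alpine:3.10`, but the runtime stage is built `FROM thallian/confd-env:latest`, so rebuilds pick up whatever that tag points to at the time and are not reproducible. The `apk --no-cache fetch g++6` followed by `tar -xf g++6-6.4.0-r9.apk --directory /` installs the package by unpacking it by hand, which as far as I can tell bypasses apk's signature check and dependency tracking; a comment naming the unsatisfied dependency that forced this would help the next maintainer retry a normal `apk add`.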
[Gitlab CE](https://gitlab.com/gitlab-org/gitlab-ce/) server with postgres backend.
# Prerequisites
The `pg_trgm` extension must be enabled on the database (for example:
`CREATE EXTENSION pg_trgm;`).
# Volumes
- `/home/git/gitlab/shared`
- `/home/git/.ssh/`
- `/home/git/repositories/`
- `/home/git/gitlab/shared/pages`
- `/var/lib/redis/`
# Ports
- 8181 (webserver)
- 2222 (ssh)
# Environment Variables
## FQDN
Fully qualified name of the gitlab server.
## SSH_PORT
- default: 22
The ssh port to use when generating links.
## SMTP_DISPLAY_NAME
- default: Gitlab
Display name for email sending.
## SMTP_REPLY_TO
Reply-to address for email sending.
## SMTP_FROM
Mail from address.
## SMTP_HOST
Smtp host used to send emails.
## SMTP_PORT
- default: 587
Smtp port used on the smtp server.
## SMTP_USER
User for smtp authentication.
## SMTP_PASSWORD
Password for the smtp user.
## SMTP_AUTH
- default: plain
One of:
- plain
- login
- cram_md5
## LDAP_ENABLED
- default: false
Whether ldap authentication is enabled.
## LDAP_HOST
Ldap host.
## LDAP_PORT
- default: 389
Ldap port.
## LDAP_UID
- default: cn
Ldap attribute name for the username.
## LDAP_BIND_USER
Bind DN to use when connecting to the ldap host.
## LDAP_BIND_PASSWORD
Password to use when connecting to the ldap host.
## LDAP_ENCRYPTION
- default: plain
One of:
- plain
- start_tls
- simple_tls
## LDAP_IS_AD
- default: false
If true, AD specific queries get run.
## LDAP_USER_BASE_DN
Base DN when searching for users.
## LDAP_USER_FILTER
Ldap filter to find valid users.
## LDAP_EMAIL_ATTR
- default: mail
Ldap attribute for the user email.
## DATABASE_HOST
Database hostname. Only relevant if not using sqlite.
## DATABASE_NAME
Database name.
## DATABASE_USER
Database username.
## DATABASE_PASSWORD
Password for the database user.
## DATABASE_KEY
Used to encrypt variables in the database.
Must be random and at least 30 characters.
## SECRET_KEY
Secret key for sessions and such.
## OTP_KEY
Private key for OTP.
## OPENID_KEY
OpenID signing key. Can be created like this: `openssl genrsa 2048 | awk '{print " " $0}'`.
## PAGES_DOMAIN
Domain for gitlab pages.
## OMNIAUTH_ENABLED
- default: false
Whether to allow login with [omniauth](https://github.com/omniauth/omniauth).
## ALLOW_SSO_PROVIDER
Allowed omniauth providers. Right now it is limited to one because you can
configure only one ;)
## OMNIAUTH_PROVIDER
Configuration for the omniauth provider.
Example for Nextcloud:
```
{
name: "oauth2_generic",
app_id: "mylongappid",
app_secret: "mylongappsecret",
args:
{
name: "Nextcloud",
strategy_class: "OmniAuth::Strategies::OAuth2Generic",
access_type: "offline",
approval_prompt: "",
client_options:
{
site: "https://cloud.host.example",
authorize_url: "/apps/oauth2/authorize",
token_url: "/apps/oauth2/api/v1/token",
user_info_url: "/ocs/v2.php/cloud/user?format=json"
},
user_response_structure:
{
root_path: ["ocs", "data"],
attributes:
{
nickname: "id",
name: "display-name",
email: "email"
}
}
}
}
```
The name defines what your callback URI looks like.
With the above configuration it would look like this: `https://cloud.host.example/users/auth/Nextcloud/callback`
[template]
src = "database.yml.tmpl"
dest = "/home/git/gitlab/config/database.yml"
uid = 2222
mode = "0600"
[template]
src = "gitaly_config.toml.tmpl"
dest = "/home/git/gitaly/config.toml"
uid = 2222
mode = "0600"
[template]
src = "gitlab-shell_config.yml.tmpl"
dest = "/home/git/gitlab-shell/config.yml"
uid = 2222
mode = "0600"
[template]
src = "gitlab.yml.tmpl"
dest = "/home/git/gitlab/config/gitlab.yml"
uid = 2222
mode = "0600"
[template]
src = "rack_attack.rb.tmpl"
dest = "/home/git/gitlab/config/initializers/rack_attack.rb"
uid = 2222
mode = "0600"
[template]
src = "redis.conf.tmpl"
dest = "/etc/redis.conf"
[template]
src = "resque.yml.tmpl"
dest = "/home/git/gitlab/config/resque.yml"
uid = 2222
mode = "0600"
[template]
src = "secrets.yml.tmpl"
dest = "/home/git/gitlab/config/secrets.yml"
uid = 2222
mode = "0600"
[template]
src = "smtp_settings.rb.tmpl"
dest = "/home/git/gitlab/config/initializers/smtp_settings.rb"
uid = 2222
mode = "0600"
[template]
src = "sshd_config.tmpl"
dest = "/etc/ssh/sshd_config"
uid = 2222
mode = "0644"
[template]
src = "unicorn.rb.tmpl"
dest = "/home/git/gitlab/config/unicorn.rb"
uid = 2222
mode = "0600"
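Review bot: The `sshd_config.tmpl` stanza sets `uid = 2222`, i.e. the unprivileged `git` account the Dockerfile creates, as the owner of `/etc/ssh/sshd_config`; the configuration of a daemon that runs as root should be owned by root, because an owner-writable config lets whoever holds that account change sshd's authentication settings. Drop the `uid = 2222` line from that stanza (or set it to `0`) and keep `mode = "0644"`. The `redis.conf.tmpl` stanza is the only one without `uid`/`mode`, so `/etc/redis.conf` is rendered with confd's defaults; if that is intended, a comment saying so would help, otherwise give it an explicit mode like the other files. None of the stanzas set a `gid`, so the group owner presumably stays whatever confd runs as — worth confirming against the `git` group used by `COPY --chown=git:git`.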
#
# PRODUCTION
#
production:
adapter: postgresql
encoding: unicode
database: {{ getenv "DATABASE_NAME" }}
pool: 10
username: {{ getenv "DATABASE_USER" }}
password: "{{ getenv "DATABASE_PASSWORD" }}"
host: {{ getenv "DATABASE_HOST" }}
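Review bot: `database`, `username` and `host` render their environment variables as unquoted plain scalars, so an unset variable yields `database:` → `null`, and a value that looks numeric or contains `: ` or ` #` is mistyped or breaks the parse; only `password` is quoted. Quote all of them the same way: `database: "{{ getenv "DATABASE_NAME" }}"`, `username: "{{ getenv "DATABASE_USER" }}"`, `host: "{{ getenv "DATABASE_HOST" }}"`. A password containing `"` or `\` would still break the double-quoted form, and confd offers no YAML-escape helper here as far as I can tell; since Rails evaluates `database.yml` as ERB, `password: <%= ENV['DATABASE_PASSWORD'] %>` would avoid both the escaping problem and writing the secret into the rendered file.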
bin_dir = "/home/git/gitaly"
socket_path = "/home/git/gitlab/tmp/sockets/private/gitaly.socket"
[gitaly-ruby]
dir = "/home/git/gitaly/ruby"
[gitlab-shell]
dir = "/home/git/gitlab-shell"
[[storage]]
name = "default"
path = "/home/git/repositories"
---
user: git
gitlab_url: http://localhost:8181/
http_settings:
self_signed_cert: false
auth_file: "/home/git/.ssh/authorized_keys"
redis:
bin: ''
namespace: resque:gitlab
socket: "/var/run/redis/redis.sock"
log_level: INFO
audit_usernames: false
# 1. Rename this file to rack_attack.rb
# 2. Review the paths_to_be_protected and add any other path you need protecting
#
# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
paths_to_be_protected = [
"#{Rails.application.config.relative_url_root}/users/password",
"#{Rails.application.config.relative_url_root}/users/sign_in",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
"#{Rails.application.config.relative_url_root}/users",
"#{Rails.application.config.relative_url_root}/users/confirmation",
"#{Rails.application.config.relative_url_root}/unsubscribes/",
"#{Rails.application.config.relative_url_root}/import/github/personal_access_token"
]
# Create one big regular expression that matches strings starting with any of
# the paths_to_be_protected.
paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
unless Rails.env.test? || !rack_attack_enabled
Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
if req.post? && req.path =~ paths_regex
req.ip
end
end
end
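Review bot: The throttle is only installed when `Gitlab.config.rack_attack.git_basic_auth['enabled']` is true (the `rack_attack_enabled` line), and that setting comes from the `gitlab.yml.tmpl` template that is not part of this view; unless that template enables `rack_attack.git_basic_auth`, this initializer is a no-op and the sign-in, password-reset and session endpoints listed in `paths_to_be_protected` get no rate limit. Worth confirming, and adding a comment such as `# Only active when rack_attack.git_basic_auth.enabled is true in gitlab.yml` above `rack_attack_enabled`. The file carries a `.tmpl` suffix but contains no confd directives, and the header comment `# 1. Rename this file to rack_attack.rb` is copied from the upstream example and no longer applies once confd renders it to `config/initializers/rack_attack.rb`.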
production:
# Redis (single instance)
url: unix:/var/run/redis/redis.sock
---
production:
secret_key_base: {{ getenv "SECRET_KEY" }}
otp_key_base: {{ getenv "OTP_KEY" }}
db_key_base: {{ getenv "DATABASE_KEY" }}
openid_connect_signing_key: {{ getenv "OPENID_KEY" }}
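Review bot: All four values are rendered as unquoted plain scalars, so an unset variable becomes `null` and a key that begins with `*`, `&`, `{`, `[` or `!`, or that happens to look numeric, is mis-parsed; `secret_key_base`, `otp_key_base` and `db_key_base` should be quoted, e.g. `secret_key_base: "{{ getenv "SECRET_KEY" }}"`. `openid_connect_signing_key` is a multi-line PEM — the README's `awk '{print " " $0}'` hint indents every line so that YAML accepts the continuation — and depending on the template's indentation that is either a parse error or a plain multi-line scalar whose line breaks are folded into spaces, which a PEM parser will not accept. The robust form is a literal block scalar, `openid_connect_signing_key: |` followed by the key lines indented under it (the `awk` prefix then needs to match that indent). Because the rendered file holds every secret in clear text, the `mode = "0600"` in the confd stanza for this file is essential and should stay.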
# To enable smtp email delivery for your GitLab instance do the following:
# 1. Rename this file to smtp_settings.rb
# 2. Edit settings inside this file
# 3. Restart GitLab instance
#
# For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html
#
# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
if Rails.env.production?
Rails.application.config.action_mailer.delivery_method = :smtp
ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
address: "{{ getenv "SMTP_HOST" }}",
port: {{ getenv "SMTP_PORT" "587" }},
user_name: "{{ getenv "SMTP_USER" }}",
password: "{{ getenv "SMTP_PASSWORD" }}",
domain: "{{ getenv "SMTP_HOST" }}",
authentication: :{{ getenv "SMTP_AUTH" "plain" }},
enable_starttls_auto: true,
openssl_verify_mode: 'peer', # See ActionMailer documentation for other possible options
ca_file: "/etc/ssl/certs/ca-certificates.crt"
}
end
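Review bot: `user_name` and `password` are spliced into Ruby double-quoted string literals at render time, so a credential containing `"`, `\` or `#{` breaks the initializer (or is evaluated as Ruby rather than used verbatim), and the rendered file stores the SMTP password on disk in clear text. Reading them from the environment at boot, `user_name: ENV['SMTP_USER'],` and `password: ENV['SMTP_PASSWORD'],`, needs no escaping and keeps the secret out of the rendered file, provided the environment is passed through to the unicorn process. `ca_file` points at `/etc/ssl/certs/ca-certificates.crt` while the Dockerfile sets `SSL_CERT_FILE=/etc/ssl/cert.pem`; confirm the first path exists in the runtime image, otherwise `openssl_verify_mode: 'peer'` will reject every delivery. `domain:` is set to the SMTP host, whereas ActionMailer uses it as the HELO domain of the sending host, which is presumably the server's own `FQDN`.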
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/keys/ssh_host_rsa_key
HostKey /etc/ssh/keys/ssh_host_ecdsa_key
HostKey /etc/ssh/keys/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
AllowAgentForwarding no
# Feel free to re-enable these if your use case requires them.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
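Review bot: `UsePAM yes` is combined with `PasswordAuthentication no`, but `ChallengeResponseAuthentication` is left at its default (the commented `#ChallengeResponseAuthentication yes`), so PAM keyboard-interactive can still prompt for and accept the `git` account's password if one is ever set — exactly the case the comment block above `UsePAM` describes. Set `ChallengeResponseAuthentication no` explicitly, and consider `AllowUsers git` so that only the GitLab shell account is reachable over this port at all. The three `HostKey` entries under `/etc/ssh/keys/` refer to files the Dockerfile only creates the directory for; presumably the rootfs entrypoint generates or mounts them, and a comment here naming where they come from (and that the directory is meant to be persisted, since it is not in the `VOLUME` list) would help.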
# Sample verbose configuration file for Unicorn (not Rack)
#
# This configuration file documents many features of Unicorn
# that may not be needed for some applications. See
# http://unicorn.bogomips.org/examples/unicorn.conf.minimal.rb
# for a much simpler configuration file.
#
# See http://unicorn.bogomips.org/Unicorn/Configurator.html for complete
# documentation.
# Note: If you change this file in a Merge Request, please also create a
# Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
# Relative URL support
# WARNING: We recommend using an FQDN to host GitLab in a root path instead
# of using a relative URL.
# Documentation: http://doc.gitlab.com/ce/install/relative_url.html
# Uncomment and customize the following line to run in a non-root path
#
# ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"
# Read about unicorn workers here:
# http://doc.gitlab.com/ee/install/requirements.html#unicorn-workers
#
worker_processes 3
# Since Unicorn is never exposed to outside clients, it does not need to
# run on the standard HTTP port (80), there is no reason to start Unicorn
# as root unless it's from system init scripts.
# If running the master process as root and the workers as an unprivileged
# user, do this to switch euid/egid in the workers (also chowns logs):
# user "unprivileged_user", "unprivileged_group"
# Help ensure your application will always spawn in the symlinked
# "current" directory that Capistrano sets up.
working_directory "/home/git/gitlab" # available in 0.94.0+
# Listen on both a Unix domain socket and a TCP port.
# If you are load-balancing multiple Unicorn masters, lower the backlog
# setting to e.g. 64 for faster failover.
listen "/home/git/gitlab/tmp/sockets/gitlab.socket", :backlog => 1024
listen "127.0.0.1:8080", :tcp_nopush => true
# nuke workers after 30 seconds instead of 60 seconds (the default)
#
# NOTICE: git push over http depends on this value.
# If you want to be able to push huge amount of data to git repository over http
# you will have to increase this value too.
#
# Example of output if you try to push 1GB repo to GitLab over http.
# -> git push http://gitlab.... master
#
# error: RPC failed; result=18, HTTP code = 200
# fatal: The remote end hung up unexpectedly
# fatal: The remote end hung up unexpectedly
#
# For more information see http://stackoverflow.com/a/21682112/752049
#
timeout 60
# feel free to point this anywhere accessible on the filesystem
pid "/home/git/gitlab/tmp/pids/unicorn.pid"
# By default, the Unicorn logger will write to stderr.
# Additionally, some applications/frameworks log to stderr or stdout,
# so prevent them from going to /dev/null when daemonized here:
stderr_path "/home/git/gitlab/log/unicorn.stderr.log"
stdout_path "/home/git/gitlab/log/unicorn.stdout.log"
# Save memory by sharing the application code among multiple Unicorn workers
# with "preload_app true". See:
# https://www.rubydoc.info/gems/unicorn/5.1.0/Unicorn%2FConfigurator:preload_app
# https://brandur.org/ruby-memory#copy-on-write
preload_app true
# Enable this flag to have unicorn test client connections by writing the
# beginning of the HTTP headers before calling the application. This
# prevents calling the application for connections that have disconnected
# while queued. This is only guaranteed to detect clients on the same
# host unicorn runs on, and unlikely to detect disconnects even on a
# fast LAN.
check_client_connection false
require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events"
before_exec do |server|
# Signal application hooks that we're about to restart
Gitlab::Cluster::LifecycleEvents.do_master_restart
end
before_fork do |server, worker|
# Signal application hooks that we're about to fork
Gitlab::Cluster::LifecycleEvents.do_before_fork
# The following is only recommended for memory/DB-constrained
# installations. It is not needed if your system can house
# twice as many worker_processes as you have configured.
#
# This allows a new master process to incrementally
# phase out the old master process with SIGTTOU to avoid a
# thundering herd (especially in the "preload_app false" case)
# when doing a transparent upgrade. The last worker spawned
# will then kill off the old master process with a SIGQUIT.
old_pid = "#{server.config[:pid]}.oldbin"
if old_pid != server.pid
begin