#!/bin/bash set -e for file in /gitlab-configs /run/secrets/gitlab-secrets; do if [[ -e "$file" ]]; then echo "Loading $file" source "$file" fi done echo "Loading ${GITLAB_RUNTIME_DIR}/env-defaults" source ${GITLAB_RUNTIME_DIR}/env-defaults SYSCONF_TEMPLATES_DIR="${GITLAB_RUNTIME_DIR}/config" USERCONF_TEMPLATES_DIR="${GITLAB_DATA_DIR}/config" GITLAB_CONFIG="${GITLAB_INSTALL_DIR}/config/gitlab.yml" GITLAB_DATABASE_CONFIG="${GITLAB_INSTALL_DIR}/config/database.yml" GITLAB_PUMA_CONFIG="${GITLAB_INSTALL_DIR}/config/puma.rb" GITLAB_RELATIVE_URL_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/relative_url.rb" GITLAB_SMTP_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/smtp_settings.rb" GITLAB_RESQUE_CONFIG="${GITLAB_INSTALL_DIR}/config/resque.yml" GITLAB_ACTIONCABLE_CONFIG="${GITLAB_INSTALL_DIR}/config/cable.yml" GITLAB_SECRETS_CONFIG="${GITLAB_INSTALL_DIR}/config/secrets.yml" GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt" GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml" GITLAB_NGINX_CONFIG="/etc/nginx/conf.d/gitlab.conf" GITLAB_CI_NGINX_CONFIG="/etc/nginx/conf.d/gitlab_ci.conf" GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-registry.conf" GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-pages.conf" GITLAB_PAGES_CONFIG="${GITLAB_INSTALL_DIR}/gitlab-pages-config" GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml" # Compares two version strings `a` and `b` # Returns # - negative integer, if `a` is less than `b` # - 0, if `a` and `b` are equal # - non-negative integer, if `a` is greater than `b` vercmp() { expr '(' "$1" : '\([^.]*\)' ')' '-' '(' "$2" : '\([^.]*\)' ')' '|' \ '(' "$1.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0" : '[^.]*[.]\([^.]*\)' ')' '|' \ '(' "$1.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '|' \ '(' "$1.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')' } ## Execute a command as GITLAB_USER exec_as_git() { if [[ $(whoami) == ${GITLAB_USER} ]]; then $@ else sudo -HEu ${GITLAB_USER} "$@" fi } ## Copies configuration template to the destination as the specified USER ### Looks up for overrides in ${USERCONF_TEMPLATES_DIR} before using the defaults from ${SYSCONF_TEMPLATES_DIR} # $1: copy-as user # $2: source file # $3: destination location # $4: mode of destination install_template() { local OWNERSHIP=${1} local SRC=${2} local DEST=${3} local MODE=${4:-0644} if [[ -f ${USERCONF_TEMPLATES_DIR}/${SRC} ]]; then cp ${USERCONF_TEMPLATES_DIR}/${SRC} ${DEST} elif [[ -f ${SYSCONF_TEMPLATES_DIR}/${SRC} ]]; then cp ${SYSCONF_TEMPLATES_DIR}/${SRC} ${DEST} fi chmod ${MODE} ${DEST} chown ${OWNERSHIP} ${DEST} } ## Replace placeholders with values # $1: file with placeholders to replace # $x: placeholders to replace update_template() { local FILE=${1?missing argument} shift [[ ! -f ${FILE} ]] && return 1 local VARIABLES=($@) local USR=$(stat -c %U ${FILE}) local tmp_file=$(mktemp) cp -a "${FILE}" ${tmp_file} local variable for variable in ${VARIABLES[@]}; do # Keep the compatibilty: {{VAR}} => ${VAR} sed -ri "s/[{]{2}$variable[}]{2}/\${$variable}/g" ${tmp_file} done # Replace placeholders ( export ${VARIABLES[@]} local IFS=":"; sudo -HEu ${USR} envsubst "${VARIABLES[*]/#/$}" < ${tmp_file} > ${FILE} ) rm -f ${tmp_file} } gitlab_finalize_database_parameters() { # is a postgresql database linked? # requires that the postgresql containers have exposed port 5432. DB_HOST=${DB_HOST:-${POSTGRESQL_PORT_5432_TCP_ADDR}} DB_PORT=${DB_PORT:-${POSTGRESQL_PORT_5432_TCP_PORT}} # support for linked official postgres image DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRES_USER}} DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRES_PASSWORD}} DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_DB}} DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_USER}} # support for linked sameersbn/postgresql image DB_USER=${DB_USER:-${POSTGRESQL_ENV_DB_USER}} DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_DB_PASS}} DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB_NAME}} # support for linked orchardup/postgresql image DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRESQL_USER}} DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRESQL_PASS}} DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRESQL_DB}} # support for linked paintedfox/postgresql image DB_USER=${DB_USER:-${POSTGRESQL_ENV_USER}} DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_PASS}} DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB}} if [[ -z ${DB_HOST} ]]; then echo echo "ERROR: " echo " Please configure the database connection." echo " Refer http://git.io/wkYhyA for more information." echo " Cannot continue without a database. Aborting..." echo return 1 fi # set default port number if not specified DB_PORT=${DB_PORT:-5432} DB_ENCODING=${DB_ENCODING:-unicode} # set default user and database DB_USER=${DB_USER:-root} DB_NAME=${DB_NAME:-gitlabhq_production} } gitlab_check_database_connection() { prog=$(command -v pg_isready) prog="${prog} -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -t 1" timeout=60 while ! ${prog} >/dev/null 2>&1 do timeout=$(expr $timeout - 1) if [[ $timeout -eq 0 ]]; then echo echo "Could not connect to database server. Aborting..." return 1 fi echo -n "." sleep 1 done echo } gitlab_generate_postgresqlrc() { echo "Configuring /home/${GITLAB_USER}/.postgresqlrc to avoid version mismatch on dumping" # server_version_num property is a number built from version string: # https://www.postgresql.org/docs/15/libpq-status.html#LIBPQ-PQSERVERVERSION # > The result is formed by multiplying the server's major version number by 10000 and adding the minor version number. # > For example, version 10.1 will be returned as 100001, and version 11.0 will be returned as 110000. Zero is returned if the connection is bad. # > # > Prior to major version 10, PostgreSQL used three-part version numbers in which the first two parts together represented the major version. # > For those versions, PQserverVersion uses two digits for each part; # > for example version 9.1.5 will be returned as 90105, and version 9.2.0 will be returned as 90200. # # This difference also appends to apt package name. # For example, in ubuntu:focal, postgresql-client-{8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 10, 11, 12, 13, 14, 15} are available. # DB_SERVER_VERSION=$(PGPASSWORD=${DB_PASS} psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_USER}" -d "${DB_NAME}" -Atw -c "SHOW server_version_num") if [[ "${DB_SERVER_VERSION}" -eq 0 ]]; then echo echo "Could not retrieve database server version correctly. Aborting..." return 1 fi echo "- Detected server version: ${DB_SERVER_VERSION}" # Anyway, we can get major version (8, 9, 10 and so on) by dividing by 10000. # DB_SERVER_VERSION_MAJOR=${DB_SERVER_VERSION%%.*} DB_SERVER_VERSION_MAJOR=$((DB_SERVER_VERSION/10000)) DB_CLIENT_VERSION_PACKAGE_NAME= if [[ "${DB_SERVER_VERSION_MAJOR}" -ge 10 ]]; then # v10 or later: use "rought major version" as version number in package name DB_CLIENT_VERSION_PACKAGE_NAME=${DB_SERVER_VERSION_MAJOR} else # prior to v10: convert # FIXME: rough implementation # It exploits the fact that there is no version such as 9.10, and it lacks versatility. # divide by 100, then replace first 0 to comma DB_CLIENT_VERSION_PACKAGE_NAME=$((DB_SERVER_VERSION/100)) DB_CLIENT_VERSION_PACKAGE_NAME=${DB_CLIENT_VERSION_PACKAGE_NAME/0/.} fi # if exact-match client not found, select latest version from installed clients if [[ "$(apt-cache pkgnames postgresql-client | grep -e "-${DB_CLIENT_VERSION_PACKAGE_NAME}" | wc -l)" -ne 1 ]]; then LATEST_CLIENT="$(apt-cache pkgnames postgresql-client | grep -v -e "-common" | sort --version-sort | tail -n1)" DB_CLIENT_VERSION_PACKAGE_NAME=${LATEST_CLIENT/postgresql-client-/} echo "gitlab_generate_postgresqlrc(): WARNING - Suitable client not installed. postgresql-client-${DB_CLIENT_VERSION_PACKAGE_NAME} will be used but you may face issue (database in backup will be empty, for example)" fi # generate ~/.postgresqlrc to switch client version GITLAB_USER_POSTGRESQLRC="/home/${GITLAB_USER}/.postgresqlrc" echo "- Generating ${GITLAB_USER_POSTGRESQLRC}" echo "${DB_CLIENT_VERSION_PACKAGE_NAME} ${DB_HOST}:${DB_PORT} ${DB_NAME}" | exec_as_git tee "${GITLAB_USER_POSTGRESQLRC}" } gitlab_uninstall_unused_database_client() { if [[ -f "/home/${GITLAB_USER}/.postgresqlrc" ]]; then # refer /home/${GITLAB_USER}/.postgresqlrc and pick up versions in use # .postgresqlrc contains following information per line # database_major_version host:port database_name # - ignore lines starts with # by specifying pattern /^[^#]/ # - first field is the version number in use. # - cocnat whole lines into single string. convert newline to \| # this is escaped regex "OR" # now we got the following regex that can be used as an option to grep: # \|-12\|-13 DB_CLIENT_VERSIONS_IN_USE="$(awk '/^[^#]/ {printf("\|-%s",$1)}' "/home/${GITLAB_USER}/.postgresqlrc")" # we also need to keep postgresql-client-common package to switch based on ~/.postgresqlrc REGEX_DB_CLIENT_VERSIONS_IN_USE="-common${DB_CLIENT_VERSIONS_IN_USE}" # remove unused client using regex above # grep may return non-zero code on mo match, so fake the exit code with the `|| true` to swallow that UNUSED_DB_CLIENTS=$(apt-cache pkgnames postgresql-client | grep -v -e "${REGEX_DB_CLIENT_VERSIONS_IN_USE}" || true) if [[ "${UNUSED_DB_CLIENTS}" == "" ]]; then echo "- All installed version of clients are in use. Did not uninstalled any client..." return fi # just to get clean log, convert newline (package name delimiter) to single whitespace UNUSED_DB_CLIENTS=$(echo ${UNUSED_DB_CLIENTS} | tr '\n' ' ') echo "- Uninstalling unused client(s): ${UNUSED_DB_CLIENTS}" DEBIAN_FRONTEND=noninteractive apt-get -qq -y purge -- ${UNUSED_DB_CLIENTS} >/dev/null fi } gitlab_configure_database() { echo -n "Configuring gitlab::database" gitlab_finalize_database_parameters gitlab_check_database_connection gitlab_generate_postgresqlrc gitlab_uninstall_unused_database_client update_template ${GITLAB_DATABASE_CONFIG} \ DB_ENCODING \ DB_HOST \ DB_PORT \ DB_NAME \ DB_USER \ DB_PASS \ DB_POOL \ DB_PREPARED_STATEMENTS } gitlab_finalize_redis_parameters() { # is a redis container linked? if [[ -n ${REDISIO_PORT_6379_TCP_ADDR} ]]; then REDIS_HOST=${REDIS_HOST:-${REDISIO_PORT_6379_TCP_ADDR}} REDIS_PORT=${REDIS_PORT:-${REDISIO_PORT_6379_TCP_PORT}} fi # set default redis port if not specified REDIS_PORT=${REDIS_PORT:-6379} if [[ -z ${REDIS_HOST} ]]; then echo echo "ERROR: " echo " Please configure the redis connection." echo " Refer http://git.io/PMnRSw for more information." echo " Cannot continue without a redis connection. Aborting..." echo return 1 fi } gitlab_check_redis_connection() { timeout=60 while ! redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -n ${REDIS_DB_NUMBER} ping >/dev/null 2>&1 do timeout=$(expr $timeout - 1) if [[ $timeout -eq 0 ]]; then echo "" echo "Could not connect to redis server. Aborting..." return 1 fi echo -n "." sleep 1 done echo } gitlab_configure_redis() { echo -n "Configuring gitlab::redis" gitlab_finalize_redis_parameters gitlab_check_redis_connection update_template ${GITLAB_RESQUE_CONFIG} \ REDIS_HOST \ REDIS_PORT \ REDIS_DB_NUMBER } gitlab_configure_actioncable() { echo -n "Configuring gitlab::actioncable" gitlab_finalize_redis_parameters gitlab_check_redis_connection update_template ${GITLAB_ACTIONCABLE_CONFIG} \ REDIS_HOST \ REDIS_PORT \ REDIS_DB_NUMBER } gitlab_configure_gitaly() { echo "Configuring gitlab::gitaly..." update_template ${GITLAB_GITALY_CONFIG} \ GITALY_SOCKET_PATH \ GITLAB_GITALY_INSTALL_DIR \ GITLAB_LOG_DIR \ GITLAB_REPOS_DIR \ GITLAB_SHELL_INSTALL_DIR \ GITLAB_RELATIVE_URL_ROOT update_template ${GITLAB_CONFIG} \ GITALY_CLIENT_PATH \ GITALY_TOKEN } gitlab_configure_monitoring() { echo "Configuring gitlab::monitoring..." if [ "${GITLAB_MONITORING_IP_WHITELIST}" == "" ]; then exec_as_git sed -i "/{{GITLAB_MONITORING_IP_WHITELIST}}/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \ GITLAB_MONITORING_IP_WHITELIST \ GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED \ GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS \ GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT } gitlab_configure_gitlab_workhorse() { echo "Configuring gitlab::gitlab-workhorse..." update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \ GITLAB_RELATIVE_URL_ROOT \ GITLAB_WORKHORSE_TIMEOUT } gitlab_configure_puma() { echo "Configuring gitlab::puma..." if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then update_template ${GITLAB_PUMA_CONFIG} GITLAB_RELATIVE_URL_ROOT else exec_as_git sed -i "/{{GITLAB_RELATIVE_URL_ROOT}}/d" ${GITLAB_PUMA_CONFIG} fi update_template ${GITLAB_PUMA_CONFIG} \ GITLAB_INSTALL_DIR \ PUMA_THREADS_MIN \ PUMA_THREADS_MAX \ PUMA_WORKERS \ PUMA_PER_WORKER_MAX_MEMORY_MB \ PUMA_MASTER_MAX_MEMORY_MB \ PUMA_TIMEOUT } gitlab_configure_relative_url() { if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then echo "Configuring gitlab::relative_url..." update_template ${GITLAB_RELATIVE_URL_CONFIG} GITLAB_RELATIVE_URL_ROOT fi } gitlab_configure_trusted_proxies() { if [[ -n ${GITLAB_TRUSTED_PROXIES} ]]; then echo "Configuring gitlab::trusted_proxies..." update_template ${GITLAB_CONFIG} GITLAB_TRUSTED_PROXIES else exec_as_git sed -i "/{{GITLAB_TRUSTED_PROXIES}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_timezone() { echo "Configuring gitlab::timezone..." update_template ${GITLAB_CONFIG} GITLAB_TIMEZONE } gitlab_configure_mail_delivery() { if [[ ${SMTP_ENABLED} == true ]]; then echo "Configuring gitlab::smtp_settings..." if [[ -z "${SMTP_USER}" ]]; then exec_as_git sed -i \ -e '/{{SMTP_USER}}/d' \ -e '/{{SMTP_PASS}}/d' \ ${GITLAB_SMTP_CONFIG} else if [[ -z "${SMTP_PASS}" ]]; then exec_as_git sed -i '/{{SMTP_PASS}}/d' ${GITLAB_SMTP_CONFIG} fi fi update_template ${GITLAB_SMTP_CONFIG} \ SMTP_USER \ SMTP_PASS \ SMTP_HOST \ SMTP_PORT \ SMTP_DOMAIN \ SMTP_STARTTLS \ SMTP_TLS \ SMTP_OPENSSL_VERIFY_MODE case ${SMTP_AUTHENTICATION} in "") exec_as_git sed -i "/{{SMTP_AUTHENTICATION}}/d" ${GITLAB_SMTP_CONFIG} ;; *) update_template ${GITLAB_SMTP_CONFIG} SMTP_AUTHENTICATION ;; esac if [[ ${SMTP_CA_ENABLED} == true ]]; then if [[ -d ${SMTP_CA_PATH} ]]; then update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_PATH fi if [[ -f ${SMTP_CA_FILE} ]]; then update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_FILE fi else exec_as_git sed -i \ -e "/{{SMTP_CA_PATH}}/d" \ -e "/{{SMTP_CA_FILE}}/d" \ ${GITLAB_SMTP_CONFIG} fi fi update_template ${GITLAB_CONFIG} \ GITLAB_EMAIL_ENABLED \ GITLAB_EMAIL \ GITLAB_EMAIL_DISPLAY_NAME \ GITLAB_EMAIL_REPLY_TO \ GITLAB_EMAIL_SUBJECT_SUFFIX if [[ ${GITLAB_EMAIL_SMIME_ENABLE} == true ]]; then exec_as_git sed -i "/#start-email-smime/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-email-smime/d" ${GITLAB_CONFIG} update_template ${GITLAB_CONFIG} \ GITLAB_EMAIL_SMIME_ENABLE \ GITLAB_EMAIL_SMIME_KEY_FILE \ GITLAB_EMAIL_SMIME_CERT_FILE else exec_as_git sed -i "/#start-email-smime/,/#end-email-smime/d" ${GITLAB_CONFIG} fi } gitlab_configure_mailroom() { if [[ ${IMAP_ENABLED} == true ]]; then echo "Configuring gitlab::incoming_email..." if [[ -z "${IMAP_USER}" ]]; then exec_as_git sed -i \ -e '/{{IMAP_USER}}/d' \ -e '/{{IMAP_PASS}}/d' \ ${GITLAB_CONFIG} else if [[ -z "${IMAP_PASS}" ]]; then exec_as_git sed -i '/{{IMAP_PASS}}/d' ${GITLAB_CONFIG} fi fi else exec_as_git sed -i \ -e "/{{IMAP_USER}}/d" \ -e "/{{IMAP_PASS}}/d" \ -e "/{{IMAP_HOST}}/d" \ -e "/{{IMAP_PORT}}/d" \ -e "/{{IMAP_SSL}}/d" \ -e "/{{IMAP_STARTTLS}}/d" \ -e "/{{IMAP_MAILBOX}}/d" \ -e "/{{IMAP_TIMEOUT}}/d" \ ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_INCOMING_EMAIL_ADDRESS \ GITLAB_INCOMING_EMAIL_ENABLED \ IMAP_USER \ IMAP_PASS \ IMAP_HOST \ IMAP_PORT \ IMAP_SSL \ IMAP_STARTTLS \ IMAP_MAILBOX \ IMAP_TIMEOUT # enable/disable startup of mailroom echo "mail_room_enabled=${GITLAB_INCOMING_EMAIL_ENABLED}" >> /etc/default/gitlab update_template /etc/supervisor/conf.d/mail_room.conf GITLAB_INCOMING_EMAIL_ENABLED } gitlab_configure_ldap() { echo "Configuring gitlab::ldap..." update_template ${GITLAB_CONFIG} \ LDAP_ENABLED \ LDAP_HOST \ LDAP_PORT \ LDAP_UID \ LDAP_METHOD \ LDAP_VERIFY_SSL \ LDAP_CA_FILE \ LDAP_SSL_VERSION \ LDAP_BIND_DN \ LDAP_PASS \ LDAP_TIMEOUT \ LDAP_ACTIVE_DIRECTORY \ LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN \ LDAP_BLOCK_AUTO_CREATED_USERS \ LDAP_BASE \ LDAP_USER_FILTER \ LDAP_LOWERCASE_USERNAMES \ LDAP_USER_ATTRIBUTE_USERNAME \ LDAP_USER_ATTRIBUTE_MAIL \ LDAP_USER_ATTRIBUTE_NAME \ LDAP_USER_ATTRIBUTE_FIRSTNAME \ LDAP_USER_ATTRIBUTE_LASTNAME \ LDAP_LABEL \ LDAP_PREVENT_LDAP_SIGN_IN } gitlab_configure_oauth_cas3() { if [[ -n ${OAUTH_CAS3_SERVER} ]]; then echo "Configuring gitlab::oauth::cas3..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_CAS3_LABEL \ OAUTH_CAS3_SERVER \ OAUTH_CAS3_DISABLE_SSL_VERIFICATION \ OAUTH_CAS3_LOGIN_URL \ OAUTH_CAS3_VALIDATE_URL \ OAUTH_CAS3_LOGOUT_URL else exec_as_git sed -i "/name: 'cas3'/,/{{OAUTH_CAS3_LOGOUT_URL}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_google() { if [[ -n ${OAUTH_GOOGLE_API_KEY} && -n ${OAUTH_GOOGLE_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::google..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} if [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then update_template ${GITLAB_CONFIG} \ OAUTH_GOOGLE_API_KEY \ OAUTH_GOOGLE_APP_SECRET \ OAUTH_GOOGLE_RESTRICT_DOMAIN \ OAUTH_GOOGLE_APPROVAL_PROMPT else exec_as_git sed -i "/ hd\: \[{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}\]/d" ${GITLAB_CONFIG} exec_as_git sed -i "s/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}',/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}' } }/" ${GITLAB_CONFIG} update_template ${GITLAB_CONFIG} \ OAUTH_GOOGLE_API_KEY \ OAUTH_GOOGLE_APP_SECRET \ OAUTH_GOOGLE_APPROVAL_PROMPT fi else exec_as_git sed -i "/name: 'google_oauth2'/,/{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_facebook() { if [[ -n ${OAUTH_FACEBOOK_API_KEY} && -n ${OAUTH_FACEBOOK_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::facebook..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_FACEBOOK_API_KEY \ OAUTH_FACEBOOK_APP_SECRET else exec_as_git sed -i "/name: 'facebook'/,/{{OAUTH_FACEBOOK_APP_SECRET}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_twitter() { if [[ -n ${OAUTH_TWITTER_API_KEY} && -n ${OAUTH_TWITTER_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::twitter..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_TWITTER_API_KEY \ OAUTH_TWITTER_APP_SECRET else exec_as_git sed -i "/name: 'twitter'/,/{{OAUTH_TWITTER_APP_SECRET}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_authentiq() { if [[ -n ${OAUTH_AUTHENTIQ_CLIENT_ID} && -n ${OAUTH_AUTHENTIQ_CLIENT_SECRET} ]]; then echo "Configuring gitlab::oauth::authentiq..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_AUTHENTIQ_CLIENT_ID \ OAUTH_AUTHENTIQ_CLIENT_SECRET \ OAUTH_AUTHENTIQ_SCOPE \ OAUTH_AUTHENTIQ_REDIRECT_URI else exec_as_git sed -i "/name: 'authentiq'/,/{{OAUTH_AUTHENTIQ_SCOPE}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_github() { if [[ -n ${OAUTH_GITHUB_API_KEY} && -n ${OAUTH_GITHUB_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::github..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_GITHUB_API_KEY \ OAUTH_GITHUB_APP_SECRET \ OAUTH_GITHUB_URL \ OAUTH_GITHUB_VERIFY_SSL \ OAUTH_GITHUB_SCOPE else exec_as_git sed -i "/name: 'github'/,/{{OAUTH_GITHUB_SCOPE}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_gitlab() { if [[ -n ${OAUTH_GITLAB_API_KEY} && -n ${OAUTH_GITLAB_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::gitlab..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_GITLAB_API_KEY \ OAUTH_GITLAB_APP_SECRET \ OAUTH_GITLAB_SCOPE else exec_as_git sed -i "/name: 'gitlab'/,/{{OAUTH_GITLAB_SCOPE}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_bitbucket() { if [[ -n ${OAUTH_BITBUCKET_API_KEY} && -n ${OAUTH_BITBUCKET_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::bitbucket..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_BITBUCKET_API_KEY \ OAUTH_BITBUCKET_APP_SECRET \ OAUTH_BITBUCKET_URL else exec_as_git sed -i "/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_URL}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_saml_attribute_statements() { if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} ]]; then echo "Configuring gitlab::oauth::saml::attribute_statements..." update_template ${GITLAB_CONFIG} \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME # Remove undefined optional attributes exec_as_git sed -i "/email: \\[''\\],/d" ${GITLAB_CONFIG} exec_as_git sed -i "/name: \\[''\\],/d" ${GITLAB_CONFIG} exec_as_git sed -i "/username: \\[''\\],/d" ${GITLAB_CONFIG} exec_as_git sed -i "/first_name: \\[''\\],/d" ${GITLAB_CONFIG} exec_as_git sed -i "/last_name: \\[''\\],/d" ${GITLAB_CONFIG} else exec_as_git sed -i "/attribute_statements:/,/{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_saml() { if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \ -n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \ -n ${OAUTH_SAML_IDP_SSO_TARGET_URL} && \ -n ${OAUTH_SAML_ISSUER} && \ -n ${OAUTH_SAML_NAME_IDENTIFIER_FORMAT} ]]; then echo "Configuring gitlab::oauth::saml..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_SAML_LABEL \ OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL \ OAUTH_SAML_IDP_CERT_FINGERPRINT \ OAUTH_SAML_IDP_SSO_TARGET_URL \ OAUTH_SAML_ISSUER \ OAUTH_SAML_NAME_IDENTIFIER_FORMAT \ OAUTH_SAML_GROUPS_ATTRIBUTE \ OAUTH_SAML_EXTERNAL_GROUPS exec_as_git sed -i "/groups_attribute: '',/d" ${GITLAB_CONFIG} exec_as_git sed -i "/external_groups: \\[\\],/d" ${GITLAB_CONFIG} gitlab_configure_oauth_saml_attribute_statements else exec_as_git sed -i "/name: 'saml'/,/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth2_generic() { if [[ -n ${OAUTH2_GENERIC_APP_ID} && \ -n ${OAUTH2_GENERIC_APP_SECRET} ]]; then echo "Configuring gitlab::oauth::generic..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH2_GENERIC_APP_ID \ OAUTH2_GENERIC_APP_SECRET \ OAUTH2_GENERIC_CLIENT_SITE \ OAUTH2_GENERIC_CLIENT_USER_INFO_URL \ OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL \ OAUTH2_GENERIC_CLIENT_TOKEN_URL \ OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT \ OAUTH2_GENERIC_ID_PATH \ OAUTH2_GENERIC_USER_UID \ OAUTH2_GENERIC_USER_NAME \ OAUTH2_GENERIC_USER_EMAIL \ OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE \ OAUTH2_GENERIC_LABEL \ OAUTH2_GENERIC_NAME else exec_as_git sed -i "/name: 'oauth2_generic'/,/{{OAUTH2_GENERIC_NAME}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_crowd() { if [[ -n ${OAUTH_CROWD_SERVER_URL} && \ -n ${OAUTH_CROWD_APP_NAME} && \ -n ${OAUTH_CROWD_APP_PASSWORD} ]]; then echo "Configuring gitlab::oauth::crowd..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_CROWD_SERVER_URL \ OAUTH_CROWD_APP_NAME \ OAUTH_CROWD_APP_PASSWORD else exec_as_git sed -i "/name: 'crowd'/,/{{OAUTH_CROWD_APP_PASSWORD}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_auth0() { if [[ -n ${OAUTH_AUTH0_CLIENT_ID} && \ -n ${OAUTH_AUTH0_CLIENT_SECRET} && \ -n ${OAUTH_AUTH0_SCOPE} && \ -n ${OAUTH_AUTH0_DOMAIN} ]]; then echo "Configuring gitlab::oauth::auth0..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_AUTH0_CLIENT_ID \ OAUTH_AUTH0_CLIENT_SECRET \ OAUTH_AUTH0_DOMAIN \ OAUTH_AUTH0_SCOPE else exec_as_git sed -i "/name: 'auth0'/,/{{OAUTH_AUTH0_SCOPE}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_azure() { if [[ -n ${OAUTH_AZURE_API_KEY} && \ -n ${OAUTH_AZURE_API_SECRET} && \ -n ${OAUTH_AZURE_TENANT_ID} ]]; then echo "Configuring gitlab::oauth::azure..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_AZURE_API_KEY \ OAUTH_AZURE_API_SECRET \ OAUTH_AZURE_TENANT_ID else exec_as_git sed -i "/name: 'azure_oauth2'/,/{{OAUTH_AZURE_TENANT_ID}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_azure_ad_v2() { # we don't check if OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL because it is optional if [[ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID} && \ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET} && \ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID} ]]; then echo "Configuring gitlab::oauth::azure_activedirectory_v2..." update_template ${GITLAB_CONFIG} \ OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL \ OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID \ OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET \ OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID else exec_as_git sed -i "/name: 'azure_activedirectory_v2'/,/{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_oidc() { if [[ -n ${OAUTH_OIDC_ISSUER} && \ -n ${OAUTH_OIDC_CLIENT_ID} ]]; then echo "Configuring gitlab::oauth::oidc..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_OIDC_LABEL \ OAUTH_OIDC_ICON \ OAUTH_OIDC_SCOPE \ OAUTH_OIDC_RESPONSE_TYPE \ OAUTH_OIDC_ISSUER \ OAUTH_OIDC_DISCOVERY \ OAUTH_OIDC_CLIENT_AUTH_METHOD \ OAUTH_OIDC_UID_FIELD \ OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP \ OAUTH_OIDC_PKCE \ OAUTH_OIDC_CLIENT_ID \ OAUTH_OIDC_CLIENT_SECRET \ OAUTH_OIDC_REDIRECT_URI else exec_as_git sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_jwt() { if [[ -n ${OAUTH_JWT_SECRET} && \ -n ${OAUTH_JWT_AUTH_URL} ]]; then echo "Configuring gitlab::oauth::jwt..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_JWT_LABEL \ OAUTH_JWT_SECRET \ OAUTH_JWT_ALGORITHM \ OAUTH_JWT_UID_CLAIM \ OAUTH_JWT_REQUIRED_CLAIMS \ OAUTH_JWT_INFO_MAP_NAME \ OAUTH_JWT_INFO_MAP_EMAIL \ OAUTH_JWT_AUTH_URL \ OAUTH_JWT_VALID_WITHIN else exec_as_git sed -i "/name: 'jwt'/,/{{OAUTH_JWT_VALID_WITHIN}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth() { echo "Configuring gitlab::oauth..." gitlab_configure_oauth_cas3 gitlab_configure_oauth_google gitlab_configure_oauth_facebook gitlab_configure_oauth_twitter gitlab_configure_oauth_authentiq gitlab_configure_oauth_github gitlab_configure_oauth_gitlab gitlab_configure_oauth_bitbucket gitlab_configure_oauth_saml gitlab_configure_oauth2_generic gitlab_configure_oauth_crowd gitlab_configure_oauth_auth0 gitlab_configure_oauth_azure gitlab_configure_oauth_azure_ad_v2 gitlab_configure_oauth_oidc gitlab_configure_oauth_jwt OAUTH_ENABLED=${OAUTH_ENABLED:-false} update_template ${GITLAB_CONFIG} \ OAUTH_ENABLED \ OAUTH_ALLOW_SSO \ OAUTH_BLOCK_AUTO_CREATED_USERS \ OAUTH_AUTO_LINK_LDAP_USER \ OAUTH_AUTO_LINK_SAML_USER \ OAUTH_AUTO_LINK_USER \ OAUTH_EXTERNAL_PROVIDERS \ OAUTH_ALLOW_BYPASS_TWO_FACTOR case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc|jwt) update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER ;; *) exec_as_git sed -i "/{{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}}/d" ${GITLAB_CONFIG} ;; esac } gitlab_configure_secrets() { echo "Configuring gitlab::secrets..." if [[ -z $GITLAB_SECRETS_DB_KEY_BASE ]]; then echo "ERROR: " echo " Please configure the GITLAB_SECRETS_DB_KEY_BASE parameter." echo " Cannot continue. Aborting..." return 1 fi if [[ -z $GITLAB_SECRETS_SECRET_KEY_BASE ]]; then echo "ERROR: " echo " Please configure the GITLAB_SECRETS_SECRET_KEY_BASE parameter." echo " Cannot continue. Aborting..." return 1 fi if [[ -z $GITLAB_SECRETS_OTP_KEY_BASE ]]; then echo "ERROR: " echo " Please configure the GITLAB_SECRETS_OTP_KEY_BASE parameter." echo " Cannot continue. Aborting..." return 1 fi update_template ${GITLAB_SECRETS_CONFIG} \ GITLAB_SECRETS_DB_KEY_BASE \ GITLAB_SECRETS_SECRET_KEY_BASE \ GITLAB_SECRETS_OTP_KEY_BASE \ GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE \ GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY \ GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY \ GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret" if [[ ! -f "${shell_secret}" ]]; then exec_as_git openssl rand -hex -out "${shell_secret}" 16 chmod 600 "${shell_secret}" fi local workhorse_secret="${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret" if [[ ! -f "${workhorse_secret}" ]]; then exec_as_git openssl rand -base64 -out "${workhorse_secret}" 32 chmod 600 "${workhorse_secret}" fi local pages_secret="${GITLAB_INSTALL_DIR}/.gitlab_pages_secret" if [[ ! -f "${pages_secret}" ]]; then exec_as_git openssl rand -base64 -out "${pages_secret}" 32 chmod 600 "${pages_secret}" fi } gitlab_configure_sidekiq() { echo "Configuring gitlab::sidekiq..." # configure gitlab sidekiq log format update_template ${GITLAB_CONFIG} \ GITLAB_SIDEKIQ_LOG_FORMAT # configure sidekiq update_template /etc/supervisor/conf.d/sidekiq.conf \ SIDEKIQ_CONCURRENCY \ SIDEKIQ_SHUTDOWN_TIMEOUT # enable SidekiqMemoryKiller ## The MemoryKiller is enabled by gitlab if the `SIDEKIQ_MEMORY_KILLER_MAX_RSS` is ## defined in the programs environment and has a non-zero value. ## ## Simply exporting the variable makes it available in the programs environment and ## therefore should enable the MemoryKiller. ## ## Every other MemoryKiller option specified in the docker env will automatically ## be exported, so why bother export SIDEKIQ_MEMORY_KILLER_MAX_RSS } gitlab_configure_backups_schedule() { case ${GITLAB_BACKUP_SCHEDULE} in daily|weekly|monthly) if ! crontab -u ${GITLAB_USER} -l >/tmp/cron.${GITLAB_USER} 2>/dev/null || ! grep -q 'bundle exec rake gitlab:backup:create' /tmp/cron.${GITLAB_USER}; then echo "Configuring gitlab::backups::schedule..." gitlab_backup_log="${GITLAB_LOG_DIR}/gitlab/gitlab-backup.log" read -r hour min <<< "${GITLAB_BACKUP_TIME//[:]/ }" day_of_month="*" month="*" day_of_week="*" case ${GITLAB_BACKUP_SCHEDULE} in daily) ;; weekly) day_of_week=0 ;; monthly) day_of_month=01 ;; esac if [[ -n ${GITLAB_BACKUP_DIR_GROUP} ]]; then echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} DIRECTORY=${GITLAB_BACKUP_DIR_GROUP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1" >> "/tmp/cron.${GITLAB_USER}" else echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1" >> "/tmp/cron.${GITLAB_USER}" fi crontab -u ${GITLAB_USER} /tmp/cron.${GITLAB_USER} fi rm -rf /tmp/cron.${GITLAB_USER} ;; esac } gitlab_configure_backups_aws() { echo "Configuring gitlab::backups::aws..." exec_as_git sed -i "/#start-gcs/,/#end-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-aws/d" ${GITLAB_CONFIG} if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then exec_as_git sed -i "/#start-multipart/,/#end-multipart/d" ${GITLAB_CONFIG} fi if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then exec_as_git sed -i "/#start-multipart-aws/,/#end-multipart-aws/d" ${GITLAB_CONFIG} fi if [[ ${AWS_BACKUP_ENCRYPTION} != true ]]; then exec_as_git sed -i "/#start-encryption-aws/,/#end-encryption-aws/d" ${GITLAB_CONFIG} fi if [[ -z ${AWS_BACKUP_REGION} && -z ${AWS_BACKUP_ENDPOINT} ]]; then echo "\nMissing AWS region or endpoint. Aborting...\n" return 1 fi if [[ ! -z ${AWS_BACKUP_ENDPOINT} ]]; then AWS_BACKUP_PATH_STYLE="true" fi if [[ -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then echo "\nMissing AWS options. Aborting...\n" return 1 fi update_template ${GITLAB_CONFIG} \ AWS_BACKUP_REGION \ AWS_BACKUP_ENDPOINT \ AWS_BACKUP_PATH_STYLE \ AWS_BACKUP_ACCESS_KEY_ID \ AWS_BACKUP_SECRET_ACCESS_KEY \ AWS_BACKUP_BUCKET \ AWS_BACKUP_MULTIPART_CHUNK_SIZE \ AWS_BACKUP_STORAGE_CLASS \ AWS_BACKUP_SIGNATURE_VERSION } gitlab_configure_backup_gcs() { echo "Configuring gitlab::backups::gcs..." exec_as_git sed -i "/#start-aws/,/#end-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-gcs/d" ${GITLAB_CONFIG} if [[ -z ${GCS_BACKUP_ACCESS_KEY_ID} || -z ${GCS_BACKUP_SECRET_ACCESS_KEY} || -z ${GCS_BACKUP_BUCKET} ]]; then printf "\nMissing GCS options. Aborting...\n" return 1 fi update_template ${GITLAB_CONFIG} \ GCS_BACKUP_ACCESS_KEY_ID \ GCS_BACKUP_SECRET_ACCESS_KEY \ GCS_BACKUP_BUCKET } gitlab_configure_backups() { echo "Configuring gitlab::backups..." update_template ${GITLAB_CONFIG} \ GITLAB_BACKUP_DIR \ GITLAB_BACKUP_EXPIRY \ GITLAB_BACKUP_PG_SCHEMA \ GITLAB_BACKUP_ARCHIVE_PERMISSIONS gitlab_configure_backups_schedule if [[ ${AWS_BACKUPS} != true && ${GCS_BACKUPS} != true ]]; then exec_as_git sed -i "/\s\+#start-aws/,/#end-gcs/d" ${GITLAB_CONFIG} return 0 fi if [[ ${AWS_BACKUPS} == true && ${GCS_BACKUPS} == true ]]; then printf "\nAWS and GCE cannot be enabled together, please choose one...\n" return 1 fi if [[ ${AWS_BACKUPS} == true ]]; then gitlab_configure_backups_aws fi if [[ ${GCS_BACKUPS} == true ]]; then gitlab_configure_backup_gcs fi } gitlab_configure_gravatar() { update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_ENABLED if [[ -n ${GITLAB_GRAVATAR_HTTP_URL} ]]; then echo "Configuring gitlab::gravatar::http..." update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTP_URL else exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTP_URL}}/d" ${GITLAB_CONFIG} fi if [[ -n ${GITLAB_GRAVATAR_HTTPS_URL} ]]; then echo "Configuring gitlab::gravatar::https..." update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTPS_URL else exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTPS_URL}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_cron_jobs() { echo "Configuring gitlab::cron_jobs..." if [[ -n "${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}" ]]; then update_template ${GITLAB_CONFIG} GITLAB_PIPELINE_SCHEDULE_WORKER_CRON else exec_as_git sed -i "/{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_analytics_google() { if [[ -n ${GOOGLE_ANALYTICS_ID} ]]; then echo "Configuring gitlab::analytics:google..." update_template ${GITLAB_CONFIG} GOOGLE_ANALYTICS_ID else exec_as_git sed -i "/{{GOOGLE_ANALYTICS_ID}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_analytics_piwik() { if [[ -n ${PIWIK_URL} && -n ${PIWIK_SITE_ID} ]]; then echo "Configuring gitlab::analytics:piwik..." update_template ${GITLAB_CONFIG} \ PIWIK_URL \ PIWIK_SITE_ID else exec_as_git sed -i \ -e "/{{PIWIK_URL}}/d" \ -e "/{{PIWIK_SITE_ID}}/d" \ ${GITLAB_CONFIG} fi } gitlab_configure_analytics() { gitlab_configure_analytics_google gitlab_configure_analytics_piwik } gitlab_configure_rack_attack() { echo "Configuring gitlab::rack_attack..." # validity check : RACK_ATTACK_WHITELIST should be an array of valid IP Address string echo " Validating RACK_ATTACK_WHITELIST..." /usr/bin/env ruby << SCRIPT require 'ipaddr' ${RACK_ATTACK_WHITELIST}.each do |host| begin printf(" input=%s, to_range=%s\n", host, IPAddr.new(host).to_range) rescue IPAddr::InvalidAddressError => e p e exit 1 rescue => e put "Unexpected error", e exit 1 end end SCRIPT update_template ${GITLAB_CONFIG} \ RACK_ATTACK_ENABLED \ RACK_ATTACK_WHITELIST \ RACK_ATTACK_MAXRETRY \ RACK_ATTACK_FINDTIME \ RACK_ATTACK_BANTIME } gitlab_configure_ci() { echo "Configuring gitlab::ci..." update_template ${GITLAB_CONFIG} \ GITLAB_NOTIFY_ON_BROKEN_BUILDS \ GITLAB_NOTIFY_PUSHER GITLAB_BUILDS_DIR } gitlab_configure_artifacts() { update_template ${GITLAB_CONFIG} \ GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED if [[ ${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::artifacts:object_store" if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then echo " -> Google ARTIFACTS provider selected removing aws config" exec_as_git sed -i "/#start-artifacts-aws/,/#end-artifacts-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-artifacts-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-artifacts-gcs/d" ${GITLAB_CONFIG} fi if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then echo " -> AWS ARTIFACTS provider selected removing Google config" exec_as_git sed -i "/#start-artifacts-gcs/,/#end-artifacts-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-artifacts-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-artifacts-aws/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION else exec_as_git sed -i -e "/path: {{GITLAB_ARTIFACTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} fi echo "Configuring gitlab::artifacts..." update_template ${GITLAB_CONFIG} \ GITLAB_ARTIFACTS_ENABLED \ GITLAB_ARTIFACTS_DIR } gitlab_configure_packages() { update_template ${GITLAB_CONFIG} \ GITLAB_PACKAGES_OBJECT_STORE_ENABLED if [[ ${GITLAB_PACKAGES_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::packages:object_store" if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then echo " -> Google PACKAGES provider selected removing aws config" exec_as_git sed -i "/#start-packages-aws/,/#end-packages-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-packages-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-packages-gcs/d" ${GITLAB_CONFIG} fi if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then echo " -> AWS PACKAGES provider selected removing Google config" exec_as_git sed -i "/#start-packages-gcs/,/#end-packages-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-packages-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-packages-aws/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION else exec_as_git sed -i -e "/path: {{GITLAB_PACKAGES_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} fi echo "Configuring gitlab::packages..." update_template ${GITLAB_CONFIG} \ GITLAB_PACKAGES_ENABLED \ GITLAB_PACKAGES_DIR } gitlab_configure_terraform_state() { update_template ${GITLAB_CONFIG} \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED if [[ ${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::terraform_state:object_store" if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then echo " -> Google TERRAFORM STATE provider selected removing aws config" exec_as_git sed -i "/#start-terraform_state-aws/,/#end-terraform_state-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-terraform_state-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-terraform_state-gcs/d" ${GITLAB_CONFIG} fi if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then echo " -> AWS TERRAFORM STATE provider selected removing Google config" exec_as_git sed -i "/#start-terraform_state-gcs/,/#end-terraform_state-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-terraform_state-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-terraform_state-aws/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION else exec_as_git sed -i -e "/storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} fi echo "Configuring gitlab::terraform_state..." update_template ${GITLAB_CONFIG} \ GITLAB_TERRAFORM_STATE_ENABLED \ GITLAB_TERRAFORM_STATE_STORAGE_PATH } gitlab_configure_lfs() { update_template ${GITLAB_CONFIG} \ GITLAB_LFS_OBJECT_STORE_ENABLED \ if [[ ${GITLAB_LFS_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::lfs:object_store" if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then echo " -> Google LFS provider selected removing aws config" exec_as_git sed -i "/#start-lfs-aws/,/#end-lfs-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-lfs-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-lfs-gcs/d" ${GITLAB_CONFIG} fi if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then echo " -> AWS LFS provider selected removing Google config" exec_as_git sed -i "/#start-lfs-gcs/,/#end-lfs-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-lfs-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-lfs-aws/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION else exec_as_git sed -i -e "/path: {{GITLAB_LFS_OBJECTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} fi echo "Configuring gitlab::lfs..." update_template ${GITLAB_CONFIG} \ GITLAB_LFS_ENABLED \ GITLAB_LFS_OBJECTS_DIR } gitlab_configure_uploads() { update_template ${GITLAB_CONFIG} \ GITLAB_UPLOADS_OBJECT_STORE_ENABLED if [[ ${GITLAB_UPLOADS_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::uploads:object_store" if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then echo " -> Google UPLOADS provider selected removing aws config" exec_as_git sed -i "/#start-uploads-aws/,/#end-uploads-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-uploads-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-uploads-gcs/d" ${GITLAB_CONFIG} fi if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then echo " -> AWS UPLOADS provider selected removing Google config" exec_as_git sed -i "/#start-uploads-gcs/,/#end-uploads-gcs/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#start-uploads-aws/d" ${GITLAB_CONFIG} exec_as_git sed -i "/#end-uploads-aws/d" ${GITLAB_CONFIG} fi update_template ${GITLAB_CONFIG} \ GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION else exec_as_git sed -i -e "/base_dir: {{GITLAB_UPLOADS_BASE_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} fi echo "Configuring gitlab::uploads..." update_template ${GITLAB_CONFIG} \ GITLAB_UPLOADS_STORAGE_PATH \ GITLAB_UPLOADS_BASE_DIR } gitlab_configure_mattermost() { echo "Configuring gitlab::mattermost..." update_template ${GITLAB_CONFIG} \ GITLAB_MATTERMOST_ENABLED \ GITLAB_MATTERMOST_URL } gitlab_configure_project_features() { echo "Configuring gitlab::project_features..." update_template ${GITLAB_CONFIG} \ GITLAB_PROJECTS_ISSUES \ GITLAB_PROJECTS_MERGE_REQUESTS \ GITLAB_PROJECTS_WIKI \ GITLAB_PROJECTS_SNIPPETS \ GITLAB_PROJECTS_BUILDS \ GITLAB_PROJECTS_CONTAINER_REGISTRY \ GITLAB_WEBHOOK_TIMEOUT } gitlab_configure_registry(){ echo "Configuring gitlab::registry..." if [[ ${GITLAB_REGISTRY_PORT} == 443 ]]; then # Sets GITLAB_REGISTRY_PORT empty for the scope of this function. # This helps us to add an empty key to `.gitlab-ci.yml`. # Because 443 is the default https port it doesn't need to be included in docker push/pull commands # and shouldn't be displayed on the gitlab ui. # Example: `docker pull registry:443/some/image` is the same as `docker pull registry/some/image` local GITLAB_REGISTRY_PORT="" fi update_template ${GITLAB_CONFIG} \ GITLAB_REGISTRY_ENABLED \ GITLAB_REGISTRY_DIR \ GITLAB_REGISTRY_HOST \ GITLAB_REGISTRY_PORT \ GITLAB_REGISTRY_API_URL \ GITLAB_REGISTRY_KEY_PATH \ GITLAB_REGISTRY_ISSUER } gitlab_configure_pages(){ echo "Configuring gitlab::pages..." update_template ${GITLAB_CONFIG} \ GITLAB_PAGES_ENABLED \ GITLAB_PAGES_DOMAIN \ GITLAB_PAGES_PORT \ GITLAB_PAGES_HTTPS \ GITLAB_PAGES_ARTIFACTS_SERVER \ GITLAB_PAGES_ACCESS_CONTROL if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then update_template ${GITLAB_CONFIG} \ GITLAB_PAGES_EXTERNAL_HTTP else exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG} fi if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then update_template ${GITLAB_CONFIG} \ GITLAB_PAGES_EXTERNAL_HTTPS else exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTPS}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_sentry(){ echo "Configuring gitlab::sentry..." update_template ${GITLAB_CONFIG} \ SENTRY_ENABLED \ SENTRY_DSN \ SENTRY_CLIENTSIDE_DSN \ SENTRY_ENVIRONMENT } gitlab_configure_content_security_policy(){ echo "Configuring gitlab::content_security_policy..." update_template ${GITLAB_CONFIG} \ GITLAB_CONTENT_SECURITY_POLICY_ENABLED \ GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC \ GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI } nginx_configure_gitlab_ssl() { if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then echo "Configuring nginx::gitlab::ssl..." if [[ ! -f ${SSL_CA_CERTIFICATES_PATH} ]]; then sed -i "/{{SSL_CA_CERTIFICATES_PATH}}/d" ${GITLAB_NGINX_CONFIG} fi update_template ${GITLAB_NGINX_CONFIG} \ SSL_CERTIFICATE_PATH \ SSL_KEY_PATH \ SSL_DHPARAM_PATH \ SSL_VERIFY_CLIENT \ SSL_CA_CERTIFICATES_PATH \ SSL_CIPHERS \ SSL_PROTOCOLS fi } nginx_configure_gitlab_hsts() { if [[ ${GITLAB_HTTPS} == true ]]; then echo "Configuring nginx::gitlab::hsts..." if [[ ${NGINX_HSTS_ENABLED} != true ]]; then sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG} fi update_template ${GITLAB_NGINX_CONFIG} NGINX_HSTS_MAXAGE else sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG} fi } nginx_configure_gitlab_ipv6() { if [[ ! -f /proc/net/if_inet6 ]]; then # disable ipv6 support in nginx for gitlab sed -i \ -e "/listen \[::\]:80/d" \ -e "/listen \[::\]:443/d" \ ${GITLAB_NGINX_CONFIG} # disable ipv6 support in nginx for pages if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then sed -i \ -e "/listen \[::\]:80/d" \ -e "/listen \[::\]:443/d" \ ${GITLAB_PAGES_NGINX_CONFIG} fi fi fi } nginx_configure_gitlab_real_ip() { if [[ ${NGINX_REAL_IP_RECURSIVE} == on && \ -n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then echo "Configuring nginx::gitlab::real_ip..." update_template ${GITLAB_NGINX_CONFIG} \ NGINX_REAL_IP_RECURSIVE \ NGINX_REAL_IP_TRUSTED_ADDRESSES else NGINX_REAL_IP_RECURSIVE="off" update_template ${GITLAB_NGINX_CONFIG} \ NGINX_REAL_IP_RECURSIVE sed -i "/{{NGINX_REAL_IP_TRUSTED_ADDRESSES}}/d" ${GITLAB_NGINX_CONFIG} fi } nginx_configure_gitlab() { echo "Configuring nginx::gitlab..." update_template ${GITLAB_NGINX_CONFIG} \ GITLAB_HOME \ GITLAB_INSTALL_DIR \ GITLAB_LOG_DIR \ GITLAB_HOST \ GITLAB_PORT \ NGINX_PROXY_BUFFERING \ NGINX_ACCEL_BUFFERING \ NGINX_X_FORWARDED_PROTO \ NGINX_CUSTOM_GITLAB_SERVER_CONFIG nginx_configure_gitlab_ssl nginx_configure_gitlab_hsts nginx_configure_gitlab_ipv6 nginx_configure_gitlab_real_ip } nginx_configure_gitlab_ci() { if [[ -n $GITLAB_CI_HOST ]]; then echo "Configuring nginx::gitlab_ci..." DNS_RESOLVERS=$(cat /etc/resolv.conf | grep '^\s*nameserver' | awk '{print $2}' ORS=' ') update_template ${GITLAB_CI_NGINX_CONFIG} \ GITLAB_LOG_DIR \ GITLAB_HOST \ GITLAB_CI_HOST \ DNS_RESOLVERS fi } nginx_configure_gitlab_registry() { if [[ $GITLAB_REGISTRY_ENABLED == true && -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then echo "Configuring nginx::gitlab-registry..." update_template ${GITLAB_REGISTRY_NGINX_CONFIG} \ GITLAB_LOG_DIR \ GITLAB_REGISTRY_PORT \ GITLAB_REGISTRY_HOST \ GITLAB_REGISTRY_API_URL \ SSL_REGISTRY_KEY_PATH \ SSL_REGISTRY_CERT_PATH \ SSL_REGISTRY_CIPHERS \ SSL_REGISTRY_PROTOCOLS fi } nginx_configure_pages(){ local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g') if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then echo "Configuring nginx::gitlab-pages..." if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then update_template ${GITLAB_PAGES_NGINX_CONFIG} \ GITLAB_PORT \ GITLAB_PAGES_DOMAIN \ GITLAB_PAGES_PORT \ GITLAB_LOG_DIR \ GITLAB_PAGES_DOMAIN \ SSL_PAGES_CERT_PATH \ SSL_PAGES_KEY_PATH \ SSL_PAGES_CIPHERS \ SSL_PAGES_PROTOCOLS \ SSL_DHPARAM_PATH \ GITLAB_LOG_DIR else update_template ${GITLAB_PAGES_NGINX_CONFIG} \ GITLAB_PAGES_DOMAIN \ GITLAB_LOG_DIR fi else echo "Gitlab pages nginx proxy disabled" echo "Assuming custom domain setup with own HTTP(S) load balancer'" fi fi } # _|_|_| _| _| _| # _| _| _| _| _|_|_| _| _|_|_| # _|_|_| _| _| _| _| _| _| _| # _| _| _| _| _| _| _| _| # _| _|_|_| _|_|_| _| _| _|_|_| map_uidgid() { USERMAP_ORIG_UID=$(id -u ${GITLAB_USER}) USERMAP_ORIG_GID=$(id -g ${GITLAB_USER}) USERMAP_GID=${USERMAP_GID:-${USERMAP_UID:-$USERMAP_ORIG_GID}} USERMAP_UID=${USERMAP_UID:-$USERMAP_ORIG_UID} if [[ ${USERMAP_UID} != ${USERMAP_ORIG_UID} ]] || [[ ${USERMAP_GID} != ${USERMAP_ORIG_GID} ]]; then echo "Mapping UID and GID for ${GITLAB_USER}:${GITLAB_USER} to $USERMAP_UID:$USERMAP_GID" groupmod -o -g ${USERMAP_GID} ${GITLAB_USER} sed -i -e "s|:${USERMAP_ORIG_UID}:${USERMAP_GID}:|:${USERMAP_UID}:${USERMAP_GID}:|" /etc/passwd find ${GITLAB_HOME} -path ${GITLAB_DATA_DIR}/\* -prune -o -print0 | xargs -0 chown -h ${GITLAB_USER}: fi } update_ca_certificates() { if [[ -f ${SSL_CERTIFICATE_PATH} || -f ${SSL_CA_CERTIFICATES_PATH} || -f ${SSL_REGISTRY_CERT_PATH} ]]; then echo "Updating CA certificates..." [[ -f ${SSL_CERTIFICATE_PATH} ]] && cp "${SSL_CERTIFICATE_PATH}" /usr/local/share/ca-certificates/gitlab.crt [[ -f ${SSL_CA_CERTIFICATES_PATH} ]] && cp "${SSL_CA_CERTIFICATES_PATH}" /usr/local/share/ca-certificates/ca.crt [[ -f ${SSL_REGISTRY_CERT_PATH} ]] && cp "${SSL_REGISTRY_CERT_PATH}" /usr/local/share/ca-certificates/registry-ca.crt update-ca-certificates --fresh >/dev/null fi } initialize_logdir() { echo "Initializing logdir..." mkdir -p ${GITLAB_LOG_DIR}/supervisor chmod -R 0755 ${GITLAB_LOG_DIR}/supervisor chown -R root: ${GITLAB_LOG_DIR}/supervisor mkdir -p ${GITLAB_LOG_DIR}/nginx chmod -R 0755 ${GITLAB_LOG_DIR}/nginx chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/nginx mkdir -p ${GITLAB_LOG_DIR}/gitlab chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab mkdir -p ${GITLAB_LOG_DIR}/gitlab-shell chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab-shell chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab-shell mkdir -p ${GITLAB_LOG_DIR}/gitaly chmod -R 0755 ${GITLAB_LOG_DIR}/gitaly chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitaly } initialize_datadir() { echo "Initializing datadir..." chmod 755 ${GITLAB_DATA_DIR} chown ${GITLAB_USER}: ${GITLAB_DATA_DIR} # create the ssh directory for server keys mkdir -p ${GITLAB_DATA_DIR}/ssh chown -R root: ${GITLAB_DATA_DIR}/ssh # create the repositories directory and make sure it has the right permissions mkdir -p ${GITLAB_REPOS_DIR} chown ${GITLAB_USER}: ${GITLAB_REPOS_DIR} chmod ug+rwX,o-rwx ${GITLAB_REPOS_DIR} exec_as_git chmod g+s ${GITLAB_REPOS_DIR} # create build traces directory mkdir -p ${GITLAB_BUILDS_DIR} chmod u+rwX ${GITLAB_BUILDS_DIR} chown ${GITLAB_USER}: ${GITLAB_BUILDS_DIR} # gitlab:backup:create does not respect the builds_path configuration, so we # symlink ${GITLAB_INSTALL_DIR}/builds -> ${GITLAB_BUILDS_DIR} rm -rf ${GITLAB_INSTALL_DIR}/builds ln -sf ${GITLAB_BUILDS_DIR} ${GITLAB_INSTALL_DIR}/builds # create downloads directory mkdir -p ${GITLAB_DOWNLOADS_DIR} chmod u+rwX ${GITLAB_DOWNLOADS_DIR} chown ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR} # create shared directory mkdir -p ${GITLAB_SHARED_DIR} chmod u+rwX ${GITLAB_SHARED_DIR} chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR} # create the ci_secure_files directory mkdir -p ${GITLAB_SHARED_DIR}/ci_secure_files chmod u+rwX ${GITLAB_SHARED_DIR}/ci_secure_files chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/ci_secure_files # create external-diffs dir mkdir -p ${GITLAB_SHARED_DIR}/external-diffs chmod u+rwX ${GITLAB_SHARED_DIR}/external-diffs chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/external-diffs # create artifacts dir mkdir -p ${GITLAB_ARTIFACTS_DIR} chmod u+rwX ${GITLAB_ARTIFACTS_DIR} chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR} # create pages dir mkdir -p ${GITLAB_PAGES_DIR} chmod u+rwX ${GITLAB_PAGES_DIR} chown ${GITLAB_USER}: ${GITLAB_PAGES_DIR} # symlink ${GITLAB_INSTALL_DIR}/shared -> ${GITLAB_DATA_DIR}/shared rm -rf ${GITLAB_INSTALL_DIR}/shared ln -sf ${GITLAB_SHARED_DIR} ${GITLAB_INSTALL_DIR}/shared # create lfs-objects directory mkdir -p ${GITLAB_LFS_OBJECTS_DIR} chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR} chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR} # create terraform_state directory if [[ ${GITLAB_TERRAFORM_STATE_ENABLED} == true ]]; then mkdir -p ${GITLAB_TERRAFORM_STATE_STORAGE_PATH} chmod u+rwX ${GITLAB_TERRAFORM_STATE_STORAGE_PATH} chown ${GITLAB_USER}: ${GITLAB_TERRAFORM_STATE_STORAGE_PATH} fi # create registry dir if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then mkdir -p ${GITLAB_REGISTRY_DIR} chmod u+rwX ${GITLAB_REGISTRY_DIR} chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR} fi # create packages directory if [[ ${GITLAB_PACKAGES_ENABLED} == true ]]; then mkdir -p ${GITLAB_PACKAGES_DIR} chmod u+rwX ${GITLAB_PACKAGES_DIR} chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR} fi # create the backups directory mkdir -p ${GITLAB_BACKUP_DIR} if [[ ${GITLAB_BACKUP_DIR_CHOWN} == true ]]; then chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR} fi # create the uploads directory mkdir -p ${GITLAB_DATA_DIR}/uploads chmod 0700 ${GITLAB_DATA_DIR}/uploads chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads # create the .ssh directory mkdir -p ${GITLAB_DATA_DIR}/.ssh touch ${GITLAB_DATA_DIR}/.ssh/authorized_keys chmod 700 ${GITLAB_DATA_DIR}/.ssh chmod 600 ${GITLAB_DATA_DIR}/.ssh/authorized_keys chown -R ${GITLAB_USER}: ${GITLAB_DATA_DIR}/.ssh } sanitize_datadir() { echo "Sanitizing datadir. Please be patient..." chmod -R ug+rwX,o-rwx ${GITLAB_REPOS_DIR}/ chmod -R ug-s ${GITLAB_REPOS_DIR}/ find ${GITLAB_REPOS_DIR}/ -type d -print0 | xargs -0 chmod g+s chown -R ${GITLAB_USER}: ${GITLAB_REPOS_DIR} chmod -R u+rwX ${GITLAB_BUILDS_DIR} chown -R ${GITLAB_USER}: ${GITLAB_BUILDS_DIR} chmod -R u+rwX ${GITLAB_DOWNLOADS_DIR} chown -R ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR} chmod -R u+rwX ${GITLAB_TEMP_DIR} chown -R ${GITLAB_USER}: ${GITLAB_TEMP_DIR} chmod -R u+rwX ${GITLAB_SHARED_DIR} chown -R ${GITLAB_USER}: ${GITLAB_SHARED_DIR} chmod -R u+rwX ${GITLAB_ARTIFACTS_DIR} chown -R ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR} chmod -R u+rwX ${GITLAB_PAGES_DIR} chown -R ${GITLAB_USER}: ${GITLAB_PAGES_DIR} chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR} chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR} # create terraform_state directory # TODO : wrap with "if [[ _ENABLED ]]" condition chmod u+rwX ${GITLAB_SHARED_DIR}/terraform_state chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/terraform_state if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then chmod -R u+rwX ${GITLAB_REGISTRY_DIR} chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR} fi if [[ ${GITLAB_PACKAGES_ENABLED} ]]; then chmod u+rwX ${GITLAB_PACKAGES_DIR} chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR} fi find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \; find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \; chmod 0700 ${GITLAB_DATA_DIR}/uploads/ chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads/ echo "Creating gitlab-shell hooks..." exec_as_git ${GITLAB_SHELL_INSTALL_DIR}/bin/create-hooks } generate_ssh_key() { echo -n "${1^^} " ssh-keygen -qt ${1} -N '' -f ${2} } generate_ssh_host_keys() { sed -i "s|^[#]*MaxStartups[^$]*|MaxStartups ${GITLAB_SSH_MAXSTARTUPS}|" /etc/ssh/sshd_config sed -i "s|#HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g" /etc/ssh/sshd_config if [[ ! -e ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key ]]; then echo -n "Generating OpenSSH host keys... " generate_ssh_key rsa ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key generate_ssh_key dsa ${GITLAB_DATA_DIR}/ssh/ssh_host_dsa_key generate_ssh_key ecdsa ${GITLAB_DATA_DIR}/ssh/ssh_host_ecdsa_key generate_ssh_key ed25519 ${GITLAB_DATA_DIR}/ssh/ssh_host_ed25519_key echo fi # ensure existing host keys have the right permissions chmod 0600 ${GITLAB_DATA_DIR}/ssh/*_key chmod 0644 ${GITLAB_DATA_DIR}/ssh/*.pub } update_ssh_listen_port() { sed -i "s|#Port 22|Port ${GITLAB_SSH_LISTEN_PORT}|g" /etc/ssh/sshd_config } generate_healthcheck_script() { # configure healthcheck script ## https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html local HEALTHCHECK_PROTOCOL="http" if [[ "${GITLAB_HTTPS}" == true && "${SSL_SELF_SIGNED}" == false ]]; then HEALTHCHECK_PROTOCOL="${HEALTHCHECK_PROTOCOL}s" fi cat > /usr/local/sbin/healthcheck < /etc/timezone echo "Container TimeZone -> ${TIMEZONE}" fi } initialize_system() { map_uidgid initialize_logdir initialize_datadir update_ca_certificates generate_ssh_host_keys update_ssh_listen_port configure_container_timezone install_configuration_templates rm -rf /var/run/supervisor.sock } install_configuration_templates() { echo "Installing configuration templates..." install_template ${GITLAB_USER}: gitlabhq/gitlab.yml ${GITLAB_CONFIG} 0640 install_template ${GITLAB_USER}: gitlabhq/database.yml ${GITLAB_DATABASE_CONFIG} 0640 install_template ${GITLAB_USER}: gitlabhq/puma.rb ${GITLAB_PUMA_CONFIG} 0644 install_template ${GITLAB_USER}: gitlabhq/resque.yml ${GITLAB_RESQUE_CONFIG} 0640 install_template ${GITLAB_USER}: gitlabhq/secrets.yml ${GITLAB_SECRETS_CONFIG} 0600 install_template ${GITLAB_USER}: gitlab-shell/config.yml ${GITLAB_SHELL_CONFIG} 0640 install_template ${GITLAB_USER}: gitlabhq/cable.yml ${GITLAB_ACTIONCABLE_CONFIG} 0640 if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then install_template ${GITLAB_USER}: gitlabhq/relative_url.rb ${GITLAB_RELATIVE_URL_CONFIG} 0644 fi if [[ ${SMTP_ENABLED} == true ]]; then install_template ${GITLAB_USER}: gitlabhq/smtp_settings.rb ${GITLAB_SMTP_CONFIG} fi # custom user specified robots.txt if [[ -f ${GITLAB_ROBOTS_PATH} ]]; then exec_as_git cp ${GITLAB_ROBOTS_PATH} ${GITLAB_ROBOTS_CONFIG} fi ## ${GITLAB_NGINX_CONFIG} if [[ ${GITLAB_HTTPS} == true ]]; then if [[ -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then install_template root: nginx/gitlab-ssl ${GITLAB_NGINX_CONFIG} else echo "SSL Key, SSL Certificate and DHParam were not found." echo "Assuming that the container is running behind a HTTPS enabled load balancer." install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG} fi else install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG} fi ## ${GITLAB_PAGES_NGINX_CONFIG} if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then install_template ${GITLAB_USER}: gitlab-pages/config ${GITLAB_PAGES_CONFIG} 0640 if [[ ${GITLAB_PAGES_HTTPS} == true && -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG} else echo "Gitlab pages nginx proxy disabled" echo "Assuming custom domain setup with own HTTP(S) load balancer'" fi else if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then echo "SSL Key, SSL Certificate were not found." echo "Assuming that the container is running behind a HTTPS enabled load balancer." install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG} else echo "Gitlab pages nginx proxy disabled" echo "Assuming custom domain setup with own HTTP(S) load balancer'" fi fi fi if [[ -n $GITLAB_CI_HOST ]]; then install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG} fi if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then if [[ -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then install_template root: nginx/gitlab-registry ${GITLAB_REGISTRY_NGINX_CONFIG} else echo "SSL key and certificates for Registry were not found" echo "Assuming that the Registry is running behind a HTTPS enabled load balancer." fi fi install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG} } configure_gitlab() { echo "Configuring gitlab..." update_template ${GITLAB_CONFIG} \ GITLAB_INSTALL_DIR \ GITLAB_SHELL_INSTALL_DIR \ GITLAB_DATA_DIR \ GITLAB_REPOS_DIR \ GITLAB_DOWNLOADS_DIR \ GITLAB_SHARED_DIR \ GITLAB_HOME \ GITLAB_HOST \ GITLAB_PORT \ GITLAB_RELATIVE_URL_ROOT \ GITLAB_HTTPS \ GITLAB_SSH_HOST \ GITLAB_SSH_LISTEN_PORT \ GITLAB_SSH_PORT \ GITLAB_SIGNUP_ENABLED \ GITLAB_IMPERSONATION_ENABLED \ GITLAB_PROJECTS_LIMIT \ GITLAB_USERNAME_CHANGE \ GITLAB_DEFAULT_THEME \ GITLAB_CREATE_GROUP \ GITLAB_ISSUE_CLOSING_PATTERN gitlab_configure_database gitlab_configure_redis gitlab_configure_actioncable gitlab_configure_secrets gitlab_configure_sidekiq gitlab_configure_gitaly gitlab_configure_monitoring gitlab_configure_gitlab_workhorse gitlab_configure_relative_url gitlab_configure_trusted_proxies gitlab_configure_puma gitlab_configure_timezone gitlab_configure_rack_attack gitlab_configure_ci gitlab_configure_artifacts gitlab_configure_packages gitlab_configure_terraform_state gitlab_configure_lfs gitlab_configure_uploads gitlab_configure_mattermost gitlab_configure_project_features gitlab_configure_mail_delivery gitlab_configure_mailroom gitlab_configure_oauth gitlab_configure_ldap gitlab_configure_gravatar gitlab_configure_cron_jobs gitlab_configure_analytics gitlab_configure_backups generate_registry_certificates gitlab_configure_registry gitlab_configure_pages gitlab_configure_sentry generate_healthcheck_script gitlab_configure_content_security_policy # remove stale gitlab.socket rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket } # feature flags are recorded to database (schema "application_settings") so requires DB is (at least) initialized gitlab_configure_feature_flags() { echo "Configuring gitlab::feature_flags..." if [[ -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" && -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then # Do nothing and reports no error if no targets specified echo "- No targets specified. skipping..." return 0 fi # Build command line argument for script only when target is specified # If not, scripts fails because option specifier is recognized as feature flags for example # like "--disable --enable" : for this case, --disable is recognized as a value of option "--enable" if [[ -n "${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" ]]; then GITLAB_FEATURE_FLAGS_DISABLE_TARGETS="--disable ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" fi # The same goes for --enable (this is the last option passed to "rails runner" that will be run below) # For this case (final option), it throws "missing argument" error for execution like: # like "--disable feature1,feature2 --enable" if [[ -n "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then GITLAB_FEATURE_FLAGS_ENABLE_TARGETS="--enable ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" fi PWD_ORG=${PWD} cd "${GITLAB_INSTALL_DIR}" # copy the script to temporal directory : to avoid permission issue cp "${GITLAB_RUNTIME_DIR}/scripts/configure_feature_flags.rb" "${GITLAB_TEMP_DIR}/" chown "${GITLAB_USER}:" "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" echo "- Launching rails runner to set feature flags. This will take some time...." # If arguments are empty, the script will do nothing and print object dump like below: # - specified feature flags: {:to_be_disabled=>[], :to_be_enabled=>[]} # DO NOT qupte variables : word splitting must be enabled. # If disabled, whole string like '--disable feature_name_1,feature_name_2' # will be recognized as single option and results to invalid argument error # # shellcheck disable=SC2086 exec_as_git bundle exec rails runner "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" \ ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS} \ ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS} rm "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" cd "${PWD_ORG}" } configure_gitlab_requires_db() { gitlab_configure_feature_flags } configure_gitlab_shell() { echo "Configuring gitlab-shell..." update_template ${GITLAB_SHELL_CONFIG} \ GITLAB_RELATIVE_URL_ROOT \ GITLAB_HOME \ GITLAB_LOG_DIR \ GITLAB_SHELL_INSTALL_DIR \ SSL_SELF_SIGNED \ REDIS_HOST \ REDIS_PORT \ REDIS_DB_NUMBER # update custom_hooks_dir if set $GITLAB_SHELL_CUSTOM_HOOKS_DIR if [[ -n ${GITLAB_SHELL_CUSTOM_HOOKS_DIR} ]]; then exec_as_git sed -i \ "s|custom_hooks_dir:.*|custom_hooks_dir: $GITLAB_SHELL_CUSTOM_HOOKS_DIR|g" \ ${GITLAB_SHELL_CONFIG} fi } configure_gitlab_pages() { if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then echo "Configuring gitlab-pages..." cat > /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf </dev/null fi # migrate database if the gitlab version has changed. CACHE_VERSION= [[ -f ${GITLAB_TEMP_DIR}/VERSION ]] && CACHE_VERSION=$(cat ${GITLAB_TEMP_DIR}/VERSION) if [[ ${GITLAB_VERSION} != ${CACHE_VERSION} ]]; then ## version check, only upgrades are allowed if [[ -n ${CACHE_VERSION} && $(vercmp ${GITLAB_VERSION} ${CACHE_VERSION}) -lt 0 ]]; then echo echo "ERROR: " echo " Cannot downgrade from GitLab version ${CACHE_VERSION} to ${GITLAB_VERSION}." echo " Only upgrades are allowed. Please use sameersbn/gitlab:${CACHE_VERSION} or higher." echo " Cannot continue. Aborting!" echo return 1 fi if [[ $(vercmp ${GITLAB_VERSION} 8.0.0) -gt 0 ]]; then if [[ -n ${CACHE_VERSION} && $(vercmp ${CACHE_VERSION} 8.0.0) -lt 0 ]]; then echo echo "ABORT: " echo " Upgrading to GitLab ${GITLAB_VERSION} from ${CACHE_VERSION} is not recommended." echo " Please upgrade to version 8.0.5-1 before upgrading to 8.1.0 or higher." echo " Refer to https://git.io/vur4j for CI migration instructions." echo " Aborting for your own safety!" echo return 1 fi fi echo "Migrating database..." exec_as_git bundle exec rake db:migrate >/dev/null echo "${GITLAB_VERSION}" > ${GITLAB_TEMP_DIR}/VERSION rm -rf ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT # force cache cleanup fi # clear cache if relative_url has changed. [[ -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT ]] && CACHE_GITLAB_RELATIVE_URL_ROOT=$(cat ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT) if [[ ! -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT || ${GITLAB_RELATIVE_URL_ROOT} != ${CACHE_GITLAB_RELATIVE_URL_ROOT} ]]; then echo "Clearing cache..." exec_as_git bundle exec rake cache:clear >/dev/null 2>&1 echo "${GITLAB_RELATIVE_URL_ROOT}" > ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT fi } execute_raketask() { if [[ -z ${1} ]]; then echo "Please specify the rake task to execute. See https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks" return 1 fi if [[ ${1} == gitlab:backup:create ]]; then /usr/bin/supervisord -c /etc/supervisor/supervisord.conf supervisorctl stop gitlab_extensions:* supervisorctl stop gitlab:* fi if [[ ${1} == gitlab:backup:restore ]]; then /usr/bin/supervisord -c /etc/supervisor/supervisord.conf supervisorctl stop gitlab_extensions:* supervisorctl stop gitlab:* interactive=true for arg in $@ do if [[ $arg == BACKUP=* ]]; then interactive=false break fi done # user needs to select the backup to restore if [[ $interactive == true ]]; then nBackups=$(ls ${GITLAB_BACKUP_DIR}/*_gitlab_backup.tar | wc -l) if [[ $nBackups -eq 0 ]]; then echo "No backup present. Cannot continue restore process.". return 1 fi echo for b in $(ls ${GITLAB_BACKUP_DIR} | grep _gitlab_backup | sort -r) do echo "‣ $b (created at $(date --date="@${b%%_*_gitlab_backup.tar}" +'%d %b, %G - %H:%M:%S %Z'))" done echo read -p "Select a backup to restore: " file if [[ -z ${file} ]]; then echo "Backup not specified. Exiting..." return 1 fi if [[ ! -f ${GITLAB_BACKUP_DIR}/${file} ]]; then echo "Specified backup does not exist. Aborting..." return 1 fi BACKUP=${file%%_gitlab_backup.tar} fi elif [[ ${1} == gitlab:import:repos ]]; then # sanitize the datadir to avoid permission issues sanitize_datadir fi echo "Running raketask ${1}..." exec_as_git bundle exec rake $@ ${BACKUP:+BACKUP=$BACKUP} } generate_registry_certificates() { if [[ ${GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES} == true ]]; then echo 'Generating GitLab Registry internal certificates for communication between Gitlab and a Docker Registry' PREVIOUS_DIRECTORY=$(pwd) # Get directory from cert file path if [[ -z $GITLAB_REGISTRY_KEY_PATH ]]; then echo "\$GITLAB_REGISTRY_KEY_PATH is empty" return 1 fi DIRECTORY=$(dirname "$GITLAB_REGISTRY_KEY_PATH") echo "Registry internal certificates will be generated in directory: $DIRECTORY" # Make certs directory if it doesn't exists mkdir -p "$DIRECTORY" # Go to the temporary directory cd "$DIRECTORY" || return # Get key filename KEY_FILENAME=$(basename "$GITLAB_REGISTRY_KEY_PATH") echo "Registry internal key filename: $KEY_FILENAME" # Generate cert filename, by default, in same directory as $KEY_FILENAME, with same name, but with extension .crt CERT_FILENAME=$(echo "$KEY_FILENAME" | sed "s|key|crt|" -) echo "Registry internal cert filename: $CERT_FILENAME" # Generate a random password password_file used in the next commands if [[ -f password_file ]] ; then echo "password_file exists" else openssl rand -hex -out password_file 32 fi # Create a PKCS#10 certificate request echo "Generating internal certificate request" if [[ -f registry.csr ]] ; then echo "registry.csr exists" else openssl req -new -passout file:password_file -newkey rsa:4096 -batch > registry.csr fi # Process RSA key echo "Processing RSA internal key" if [[ -f $KEY_FILENAME ]] ; then echo "$KEY_FILENAME exists" else openssl rsa -passin file:password_file -in privkey.pem -out "$KEY_FILENAME" fi # Generate certificate echo "Generating internal certificate" if [[ -f $CERT_FILENAME ]] ; then echo "$CERT_FILENAME exists" else openssl x509 -in registry.csr -out "$CERT_FILENAME" -req -signkey "$KEY_FILENAME" -days 10000 fi chown -R ${GITLAB_USER}: ${DIRECTORY} cd ${PREVIOUS_DIRECTORY} fi }