mirror of
https://github.com/sameersbn/docker-gitlab.git
synced 2025-07-23 00:28:52 +00:00
2379 lines
82 KiB
Bash
2379 lines
82 KiB
Bash
#!/bin/bash
|
|
set -e
|
|
|
|
for file in /gitlab-configs /run/secrets/gitlab-secrets; do
|
|
if [[ -e "$file" ]]; then
|
|
echo "Loading $file"
|
|
source "$file"
|
|
fi
|
|
done
|
|
echo "Loading ${GITLAB_RUNTIME_DIR}/env-defaults"
|
|
source ${GITLAB_RUNTIME_DIR}/env-defaults
|
|
|
|
SYSCONF_TEMPLATES_DIR="${GITLAB_RUNTIME_DIR}/config"
|
|
USERCONF_TEMPLATES_DIR="${GITLAB_DATA_DIR}/config"
|
|
|
|
GITLAB_CONFIG="${GITLAB_INSTALL_DIR}/config/gitlab.yml"
|
|
GITLAB_DATABASE_CONFIG="${GITLAB_INSTALL_DIR}/config/database.yml"
|
|
GITLAB_PUMA_CONFIG="${GITLAB_INSTALL_DIR}/config/puma.rb"
|
|
GITLAB_RELATIVE_URL_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/relative_url.rb"
|
|
GITLAB_SMTP_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/smtp_settings.rb"
|
|
GITLAB_RESQUE_CONFIG="${GITLAB_INSTALL_DIR}/config/resque.yml"
|
|
GITLAB_ACTIONCABLE_CONFIG="${GITLAB_INSTALL_DIR}/config/cable.yml"
|
|
GITLAB_SECRETS_CONFIG="${GITLAB_INSTALL_DIR}/config/secrets.yml"
|
|
GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt"
|
|
GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml"
|
|
GITLAB_NGINX_CONFIG="/etc/nginx/conf.d/gitlab.conf"
|
|
GITLAB_CI_NGINX_CONFIG="/etc/nginx/conf.d/gitlab_ci.conf"
|
|
GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-registry.conf"
|
|
GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-pages.conf"
|
|
GITLAB_PAGES_CONFIG="${GITLAB_INSTALL_DIR}/gitlab-pages-config"
|
|
GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml"
|
|
|
|
# Compares two version strings `a` and `b`
|
|
# Returns
|
|
# - negative integer, if `a` is less than `b`
|
|
# - 0, if `a` and `b` are equal
|
|
# - non-negative integer, if `a` is greater than `b`
|
|
vercmp() {
|
|
expr '(' "$1" : '\([^.]*\)' ')' '-' '(' "$2" : '\([^.]*\)' ')' '|' \
|
|
'(' "$1.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
|
|
'(' "$1.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '|' \
|
|
'(' "$1.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')'
|
|
}
|
|
|
|
## Execute a command as GITLAB_USER
|
|
exec_as_git() {
|
|
if [[ $(whoami) == ${GITLAB_USER} ]]; then
|
|
$@
|
|
else
|
|
sudo -HEu ${GITLAB_USER} "$@"
|
|
fi
|
|
}
|
|
|
|
## Copies configuration template to the destination as the specified USER
|
|
### Looks up for overrides in ${USERCONF_TEMPLATES_DIR} before using the defaults from ${SYSCONF_TEMPLATES_DIR}
|
|
# $1: copy-as user
|
|
# $2: source file
|
|
# $3: destination location
|
|
# $4: mode of destination
|
|
install_template() {
|
|
local OWNERSHIP=${1}
|
|
local SRC=${2}
|
|
local DEST=${3}
|
|
local MODE=${4:-0644}
|
|
if [[ -f ${USERCONF_TEMPLATES_DIR}/${SRC} ]]; then
|
|
cp ${USERCONF_TEMPLATES_DIR}/${SRC} ${DEST}
|
|
elif [[ -f ${SYSCONF_TEMPLATES_DIR}/${SRC} ]]; then
|
|
cp ${SYSCONF_TEMPLATES_DIR}/${SRC} ${DEST}
|
|
fi
|
|
chmod ${MODE} ${DEST}
|
|
chown ${OWNERSHIP} ${DEST}
|
|
}
|
|
|
|
## Replace placeholders with values
|
|
# $1: file with placeholders to replace
|
|
# $x: placeholders to replace
|
|
update_template() {
|
|
local FILE=${1?missing argument}
|
|
shift
|
|
|
|
[[ ! -f ${FILE} ]] && return 1
|
|
|
|
local VARIABLES=($@)
|
|
local USR=$(stat -c %U ${FILE})
|
|
local tmp_file=$(mktemp)
|
|
cp -a "${FILE}" ${tmp_file}
|
|
|
|
local variable
|
|
for variable in ${VARIABLES[@]}; do
|
|
# Keep the compatibilty: {{VAR}} => ${VAR}
|
|
sed -ri "s/[{]{2}$variable[}]{2}/\${$variable}/g" ${tmp_file}
|
|
done
|
|
|
|
# Replace placeholders
|
|
(
|
|
export ${VARIABLES[@]}
|
|
local IFS=":"; sudo -HEu ${USR} envsubst "${VARIABLES[*]/#/$}" < ${tmp_file} > ${FILE}
|
|
)
|
|
rm -f ${tmp_file}
|
|
}
|
|
|
|
gitlab_finalize_database_parameters() {
|
|
# is a postgresql database linked?
|
|
# requires that the postgresql containers have exposed port 5432.
|
|
DB_HOST=${DB_HOST:-${POSTGRESQL_PORT_5432_TCP_ADDR}}
|
|
DB_PORT=${DB_PORT:-${POSTGRESQL_PORT_5432_TCP_PORT}}
|
|
|
|
# support for linked official postgres image
|
|
DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRES_USER}}
|
|
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRES_PASSWORD}}
|
|
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_DB}}
|
|
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_USER}}
|
|
|
|
# support for linked sameersbn/postgresql image
|
|
DB_USER=${DB_USER:-${POSTGRESQL_ENV_DB_USER}}
|
|
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_DB_PASS}}
|
|
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB_NAME}}
|
|
|
|
# support for linked orchardup/postgresql image
|
|
DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRESQL_USER}}
|
|
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRESQL_PASS}}
|
|
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRESQL_DB}}
|
|
|
|
# support for linked paintedfox/postgresql image
|
|
DB_USER=${DB_USER:-${POSTGRESQL_ENV_USER}}
|
|
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_PASS}}
|
|
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB}}
|
|
|
|
|
|
if [[ -z ${DB_HOST} ]]; then
|
|
echo
|
|
echo "ERROR: "
|
|
echo " Please configure the database connection."
|
|
echo " Refer http://git.io/wkYhyA for more information."
|
|
echo " Cannot continue without a database. Aborting..."
|
|
echo
|
|
return 1
|
|
fi
|
|
|
|
# set default port number if not specified
|
|
DB_PORT=${DB_PORT:-5432}
|
|
|
|
DB_ENCODING=${DB_ENCODING:-unicode}
|
|
|
|
# set default user and database
|
|
DB_USER=${DB_USER:-root}
|
|
DB_NAME=${DB_NAME:-gitlabhq_production}
|
|
}
|
|
|
|
gitlab_check_database_connection() {
|
|
|
|
prog=$(command -v pg_isready)
|
|
prog="${prog} -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -t 1"
|
|
|
|
timeout=60
|
|
while ! ${prog} >/dev/null 2>&1
|
|
do
|
|
timeout=$(expr $timeout - 1)
|
|
if [[ $timeout -eq 0 ]]; then
|
|
echo
|
|
echo "Could not connect to database server. Aborting..."
|
|
return 1
|
|
fi
|
|
echo -n "."
|
|
sleep 1
|
|
done
|
|
echo
|
|
}
|
|
|
|
gitlab_generate_postgresqlrc() {
|
|
echo "Configuring /home/${GITLAB_USER}/.postgresqlrc to avoid version mismatch on dumping"
|
|
# server_version_num property is a number built from version string:
|
|
# https://www.postgresql.org/docs/15/libpq-status.html#LIBPQ-PQSERVERVERSION
|
|
# > The result is formed by multiplying the server's major version number by 10000 and adding the minor version number.
|
|
# > For example, version 10.1 will be returned as 100001, and version 11.0 will be returned as 110000. Zero is returned if the connection is bad.
|
|
# >
|
|
# > Prior to major version 10, PostgreSQL used three-part version numbers in which the first two parts together represented the major version.
|
|
# > For those versions, PQserverVersion uses two digits for each part;
|
|
# > for example version 9.1.5 will be returned as 90105, and version 9.2.0 will be returned as 90200.
|
|
#
|
|
# This difference also appends to apt package name.
|
|
# For example, in ubuntu:focal, postgresql-client-{8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 10, 11, 12, 13, 14, 15} are available.
|
|
#
|
|
DB_SERVER_VERSION=$(PGPASSWORD=${DB_PASS} psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_USER}" -d "${DB_NAME}" -Atw -c "SHOW server_version_num")
|
|
if [[ "${DB_SERVER_VERSION}" -eq 0 ]]; then
|
|
echo
|
|
echo "Could not retrieve database server version correctly. Aborting..."
|
|
return 1
|
|
fi
|
|
|
|
echo "- Detected server version: ${DB_SERVER_VERSION}"
|
|
|
|
# Anyway, we can get major version (8, 9, 10 and so on) by dividing by 10000.
|
|
# DB_SERVER_VERSION_MAJOR=${DB_SERVER_VERSION%%.*}
|
|
DB_SERVER_VERSION_MAJOR=$((DB_SERVER_VERSION/10000))
|
|
DB_CLIENT_VERSION_PACKAGE_NAME=
|
|
|
|
if [[ "${DB_SERVER_VERSION_MAJOR}" -ge 10 ]]; then
|
|
# v10 or later: use "rought major version" as version number in package name
|
|
DB_CLIENT_VERSION_PACKAGE_NAME=${DB_SERVER_VERSION_MAJOR}
|
|
else
|
|
# prior to v10: convert
|
|
# FIXME: rough implementation
|
|
# It exploits the fact that there is no version such as 9.10, and it lacks versatility.
|
|
# divide by 100, then replace first 0 to comma
|
|
DB_CLIENT_VERSION_PACKAGE_NAME=$((DB_SERVER_VERSION/100))
|
|
DB_CLIENT_VERSION_PACKAGE_NAME=${DB_CLIENT_VERSION_PACKAGE_NAME/0/.}
|
|
fi
|
|
|
|
# if exact-match client not found, select latest version from installed clients
|
|
if [[ "$(apt-cache pkgnames postgresql-client | grep -e "-${DB_CLIENT_VERSION_PACKAGE_NAME}" | wc -l)" -ne 1 ]]; then
|
|
LATEST_CLIENT="$(apt-cache pkgnames postgresql-client | grep -v -e "-common" | sort --version-sort | tail -n1)"
|
|
DB_CLIENT_VERSION_PACKAGE_NAME=${LATEST_CLIENT/postgresql-client-/}
|
|
echo "gitlab_generate_postgresqlrc(): WARNING - Suitable client not installed. postgresql-client-${DB_CLIENT_VERSION_PACKAGE_NAME} will be used but you may face issue (database in backup will be empty, for example)"
|
|
fi
|
|
|
|
# generate ~/.postgresqlrc to switch client version
|
|
GITLAB_USER_POSTGRESQLRC="/home/${GITLAB_USER}/.postgresqlrc"
|
|
echo "- Generating ${GITLAB_USER_POSTGRESQLRC}"
|
|
echo "${DB_CLIENT_VERSION_PACKAGE_NAME} ${DB_HOST}:${DB_PORT} ${DB_NAME}" | exec_as_git tee "${GITLAB_USER_POSTGRESQLRC}"
|
|
}
|
|
|
|
gitlab_uninstall_unused_database_client() {
|
|
if [[ -f "/home/${GITLAB_USER}/.postgresqlrc" ]]; then
|
|
# refer /home/${GITLAB_USER}/.postgresqlrc and pick up versions in use
|
|
# .postgresqlrc contains following information per line
|
|
# database_major_version host:port database_name
|
|
# - ignore lines starts with # by specifying pattern /^[^#]/
|
|
# - first field is the version number in use.
|
|
# - cocnat whole lines into single string. convert newline to \|
|
|
# this is escaped regex "OR"
|
|
# now we got the following regex that can be used as an option to grep:
|
|
# \|-12\|-13
|
|
DB_CLIENT_VERSIONS_IN_USE="$(awk '/^[^#]/ {printf("\|-%s",$1)}' "/home/${GITLAB_USER}/.postgresqlrc")"
|
|
|
|
# we also need to keep postgresql-client-common package to switch based on ~/.postgresqlrc
|
|
REGEX_DB_CLIENT_VERSIONS_IN_USE="-common${DB_CLIENT_VERSIONS_IN_USE}"
|
|
|
|
# remove unused client using regex above
|
|
# grep may return non-zero code on mo match, so fake the exit code with the `|| true` to swallow that
|
|
UNUSED_DB_CLIENTS=$(apt-cache pkgnames postgresql-client | grep -v -e "${REGEX_DB_CLIENT_VERSIONS_IN_USE}" || true)
|
|
if [[ "${UNUSED_DB_CLIENTS}" == "" ]]; then
|
|
echo "- All installed version of clients are in use. Did not uninstalled any client..."
|
|
return
|
|
fi
|
|
|
|
# just to get clean log, convert newline (package name delimiter) to single whitespace
|
|
UNUSED_DB_CLIENTS=$(echo ${UNUSED_DB_CLIENTS} | tr '\n' ' ')
|
|
|
|
echo "- Uninstalling unused client(s): ${UNUSED_DB_CLIENTS}"
|
|
DEBIAN_FRONTEND=noninteractive apt-get -qq -y purge -- ${UNUSED_DB_CLIENTS} >/dev/null
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_database() {
|
|
echo -n "Configuring gitlab::database"
|
|
|
|
gitlab_finalize_database_parameters
|
|
gitlab_check_database_connection
|
|
gitlab_generate_postgresqlrc
|
|
gitlab_uninstall_unused_database_client
|
|
|
|
update_template ${GITLAB_DATABASE_CONFIG} \
|
|
DB_ENCODING \
|
|
DB_HOST \
|
|
DB_PORT \
|
|
DB_NAME \
|
|
DB_USER \
|
|
DB_PASS \
|
|
DB_POOL \
|
|
DB_PREPARED_STATEMENTS
|
|
}
|
|
|
|
gitlab_finalize_redis_parameters() {
|
|
# is a redis container linked?
|
|
if [[ -n ${REDISIO_PORT_6379_TCP_ADDR} ]]; then
|
|
REDIS_HOST=${REDIS_HOST:-${REDISIO_PORT_6379_TCP_ADDR}}
|
|
REDIS_PORT=${REDIS_PORT:-${REDISIO_PORT_6379_TCP_PORT}}
|
|
fi
|
|
|
|
# set default redis port if not specified
|
|
REDIS_PORT=${REDIS_PORT:-6379}
|
|
|
|
if [[ -z ${REDIS_HOST} ]]; then
|
|
echo
|
|
echo "ERROR: "
|
|
echo " Please configure the redis connection."
|
|
echo " Refer http://git.io/PMnRSw for more information."
|
|
echo " Cannot continue without a redis connection. Aborting..."
|
|
echo
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
gitlab_check_redis_connection() {
|
|
timeout=60
|
|
while ! redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -n ${REDIS_DB_NUMBER} ping >/dev/null 2>&1
|
|
do
|
|
timeout=$(expr $timeout - 1)
|
|
if [[ $timeout -eq 0 ]]; then
|
|
echo ""
|
|
echo "Could not connect to redis server. Aborting..."
|
|
return 1
|
|
fi
|
|
echo -n "."
|
|
sleep 1
|
|
done
|
|
echo
|
|
}
|
|
|
|
gitlab_configure_redis() {
|
|
echo -n "Configuring gitlab::redis"
|
|
|
|
gitlab_finalize_redis_parameters
|
|
gitlab_check_redis_connection
|
|
|
|
update_template ${GITLAB_RESQUE_CONFIG} \
|
|
REDIS_HOST \
|
|
REDIS_PORT \
|
|
REDIS_DB_NUMBER
|
|
}
|
|
|
|
gitlab_configure_actioncable() {
|
|
echo -n "Configuring gitlab::actioncable"
|
|
|
|
gitlab_finalize_redis_parameters
|
|
gitlab_check_redis_connection
|
|
|
|
update_template ${GITLAB_ACTIONCABLE_CONFIG} \
|
|
REDIS_HOST \
|
|
REDIS_PORT \
|
|
REDIS_DB_NUMBER
|
|
}
|
|
|
|
gitlab_configure_gitaly() {
|
|
echo "Configuring gitlab::gitaly..."
|
|
update_template ${GITLAB_GITALY_CONFIG} \
|
|
GITALY_SOCKET_PATH \
|
|
GITLAB_GITALY_INSTALL_DIR \
|
|
GITLAB_LOG_DIR \
|
|
GITLAB_REPOS_DIR \
|
|
GITLAB_SHELL_INSTALL_DIR \
|
|
GITLAB_RELATIVE_URL_ROOT
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITALY_CLIENT_PATH \
|
|
GITALY_TOKEN
|
|
|
|
}
|
|
|
|
gitlab_configure_monitoring() {
|
|
echo "Configuring gitlab::monitoring..."
|
|
|
|
if [ "${GITLAB_MONITORING_IP_WHITELIST}" == "" ]; then
|
|
exec_as_git sed -i "/{{GITLAB_MONITORING_IP_WHITELIST}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \
|
|
GITLAB_MONITORING_IP_WHITELIST \
|
|
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED \
|
|
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS \
|
|
GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT
|
|
}
|
|
|
|
gitlab_configure_gitlab_workhorse() {
|
|
echo "Configuring gitlab::gitlab-workhorse..."
|
|
update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \
|
|
GITLAB_RELATIVE_URL_ROOT \
|
|
GITLAB_WORKHORSE_TIMEOUT
|
|
}
|
|
|
|
gitlab_configure_puma() {
|
|
echo "Configuring gitlab::puma..."
|
|
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
|
|
update_template ${GITLAB_PUMA_CONFIG} GITLAB_RELATIVE_URL_ROOT
|
|
else
|
|
exec_as_git sed -i "/{{GITLAB_RELATIVE_URL_ROOT}}/d" ${GITLAB_PUMA_CONFIG}
|
|
fi
|
|
|
|
update_template ${GITLAB_PUMA_CONFIG} \
|
|
GITLAB_INSTALL_DIR \
|
|
PUMA_THREADS_MIN \
|
|
PUMA_THREADS_MAX \
|
|
PUMA_WORKERS \
|
|
PUMA_PER_WORKER_MAX_MEMORY_MB \
|
|
PUMA_MASTER_MAX_MEMORY_MB \
|
|
PUMA_TIMEOUT
|
|
}
|
|
|
|
gitlab_configure_relative_url() {
|
|
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
|
|
echo "Configuring gitlab::relative_url..."
|
|
update_template ${GITLAB_RELATIVE_URL_CONFIG} GITLAB_RELATIVE_URL_ROOT
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_trusted_proxies() {
|
|
if [[ -n ${GITLAB_TRUSTED_PROXIES} ]]; then
|
|
echo "Configuring gitlab::trusted_proxies..."
|
|
update_template ${GITLAB_CONFIG} GITLAB_TRUSTED_PROXIES
|
|
else
|
|
exec_as_git sed -i "/{{GITLAB_TRUSTED_PROXIES}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_timezone() {
|
|
echo "Configuring gitlab::timezone..."
|
|
update_template ${GITLAB_CONFIG} GITLAB_TIMEZONE
|
|
}
|
|
|
|
gitlab_configure_mail_delivery() {
|
|
if [[ ${SMTP_ENABLED} == true ]]; then
|
|
echo "Configuring gitlab::smtp_settings..."
|
|
|
|
if [[ -z "${SMTP_USER}" ]]; then
|
|
exec_as_git sed -i \
|
|
-e '/{{SMTP_USER}}/d' \
|
|
-e '/{{SMTP_PASS}}/d' \
|
|
${GITLAB_SMTP_CONFIG}
|
|
else
|
|
if [[ -z "${SMTP_PASS}" ]]; then
|
|
exec_as_git sed -i '/{{SMTP_PASS}}/d' ${GITLAB_SMTP_CONFIG}
|
|
fi
|
|
fi
|
|
|
|
update_template ${GITLAB_SMTP_CONFIG} \
|
|
SMTP_USER \
|
|
SMTP_PASS \
|
|
SMTP_HOST \
|
|
SMTP_PORT \
|
|
SMTP_DOMAIN \
|
|
SMTP_STARTTLS \
|
|
SMTP_TLS \
|
|
SMTP_OPENSSL_VERIFY_MODE
|
|
|
|
case ${SMTP_AUTHENTICATION} in
|
|
"") exec_as_git sed -i "/{{SMTP_AUTHENTICATION}}/d" ${GITLAB_SMTP_CONFIG} ;;
|
|
*) update_template ${GITLAB_SMTP_CONFIG} SMTP_AUTHENTICATION ;;
|
|
esac
|
|
|
|
if [[ ${SMTP_CA_ENABLED} == true ]]; then
|
|
if [[ -d ${SMTP_CA_PATH} ]]; then
|
|
update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_PATH
|
|
fi
|
|
if [[ -f ${SMTP_CA_FILE} ]]; then
|
|
update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_FILE
|
|
fi
|
|
else
|
|
exec_as_git sed -i \
|
|
-e "/{{SMTP_CA_PATH}}/d" \
|
|
-e "/{{SMTP_CA_FILE}}/d" \
|
|
${GITLAB_SMTP_CONFIG}
|
|
fi
|
|
fi
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_EMAIL_ENABLED \
|
|
GITLAB_EMAIL \
|
|
GITLAB_EMAIL_DISPLAY_NAME \
|
|
GITLAB_EMAIL_REPLY_TO \
|
|
GITLAB_EMAIL_SUBJECT_SUFFIX
|
|
|
|
if [[ ${GITLAB_EMAIL_SMIME_ENABLE} == true ]]; then
|
|
exec_as_git sed -i "/#start-email-smime/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-email-smime/d" ${GITLAB_CONFIG}
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_EMAIL_SMIME_ENABLE \
|
|
GITLAB_EMAIL_SMIME_KEY_FILE \
|
|
GITLAB_EMAIL_SMIME_CERT_FILE
|
|
else
|
|
exec_as_git sed -i "/#start-email-smime/,/#end-email-smime/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_mailroom() {
|
|
if [[ ${IMAP_ENABLED} == true ]]; then
|
|
echo "Configuring gitlab::incoming_email..."
|
|
|
|
if [[ -z "${IMAP_USER}" ]]; then
|
|
exec_as_git sed -i \
|
|
-e '/{{IMAP_USER}}/d' \
|
|
-e '/{{IMAP_PASS}}/d' \
|
|
${GITLAB_CONFIG}
|
|
else
|
|
if [[ -z "${IMAP_PASS}" ]]; then
|
|
exec_as_git sed -i '/{{IMAP_PASS}}/d' ${GITLAB_CONFIG}
|
|
fi
|
|
fi
|
|
else
|
|
exec_as_git sed -i \
|
|
-e "/{{IMAP_USER}}/d" \
|
|
-e "/{{IMAP_PASS}}/d" \
|
|
-e "/{{IMAP_HOST}}/d" \
|
|
-e "/{{IMAP_PORT}}/d" \
|
|
-e "/{{IMAP_SSL}}/d" \
|
|
-e "/{{IMAP_STARTTLS}}/d" \
|
|
-e "/{{IMAP_MAILBOX}}/d" \
|
|
-e "/{{IMAP_TIMEOUT}}/d" \
|
|
${GITLAB_CONFIG}
|
|
fi
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_INCOMING_EMAIL_ADDRESS \
|
|
GITLAB_INCOMING_EMAIL_ENABLED \
|
|
IMAP_USER \
|
|
IMAP_PASS \
|
|
IMAP_HOST \
|
|
IMAP_PORT \
|
|
IMAP_SSL \
|
|
IMAP_STARTTLS \
|
|
IMAP_MAILBOX \
|
|
IMAP_TIMEOUT
|
|
|
|
# enable/disable startup of mailroom
|
|
echo "mail_room_enabled=${GITLAB_INCOMING_EMAIL_ENABLED}" >> /etc/default/gitlab
|
|
update_template /etc/supervisor/conf.d/mail_room.conf GITLAB_INCOMING_EMAIL_ENABLED
|
|
}
|
|
|
|
gitlab_configure_ldap() {
|
|
echo "Configuring gitlab::ldap..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
LDAP_ENABLED \
|
|
LDAP_HOST \
|
|
LDAP_PORT \
|
|
LDAP_UID \
|
|
LDAP_METHOD \
|
|
LDAP_VERIFY_SSL \
|
|
LDAP_CA_FILE \
|
|
LDAP_SSL_VERSION \
|
|
LDAP_BIND_DN \
|
|
LDAP_PASS \
|
|
LDAP_TIMEOUT \
|
|
LDAP_ACTIVE_DIRECTORY \
|
|
LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN \
|
|
LDAP_BLOCK_AUTO_CREATED_USERS \
|
|
LDAP_BASE \
|
|
LDAP_USER_FILTER \
|
|
LDAP_LOWERCASE_USERNAMES \
|
|
LDAP_USER_ATTRIBUTE_USERNAME \
|
|
LDAP_USER_ATTRIBUTE_MAIL \
|
|
LDAP_USER_ATTRIBUTE_NAME \
|
|
LDAP_USER_ATTRIBUTE_FIRSTNAME \
|
|
LDAP_USER_ATTRIBUTE_LASTNAME \
|
|
LDAP_LABEL \
|
|
LDAP_PREVENT_LDAP_SIGN_IN
|
|
}
|
|
|
|
gitlab_configure_oauth_cas3() {
|
|
if [[ -n ${OAUTH_CAS3_SERVER} ]]; then
|
|
echo "Configuring gitlab::oauth::cas3..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_CAS3_LABEL \
|
|
OAUTH_CAS3_SERVER \
|
|
OAUTH_CAS3_DISABLE_SSL_VERIFICATION \
|
|
OAUTH_CAS3_LOGIN_URL \
|
|
OAUTH_CAS3_VALIDATE_URL \
|
|
OAUTH_CAS3_LOGOUT_URL
|
|
else
|
|
exec_as_git sed -i "/name: 'cas3'/,/{{OAUTH_CAS3_LOGOUT_URL}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_google() {
|
|
if [[ -n ${OAUTH_GOOGLE_API_KEY} && -n ${OAUTH_GOOGLE_APP_SECRET} ]]; then
|
|
echo "Configuring gitlab::oauth::google..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
if [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_GOOGLE_API_KEY \
|
|
OAUTH_GOOGLE_APP_SECRET \
|
|
OAUTH_GOOGLE_RESTRICT_DOMAIN \
|
|
OAUTH_GOOGLE_APPROVAL_PROMPT
|
|
else
|
|
exec_as_git sed -i "/ hd\: \[{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}\]/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "s/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}',/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}' } }/" ${GITLAB_CONFIG}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_GOOGLE_API_KEY \
|
|
OAUTH_GOOGLE_APP_SECRET \
|
|
OAUTH_GOOGLE_APPROVAL_PROMPT
|
|
fi
|
|
else
|
|
exec_as_git sed -i "/name: 'google_oauth2'/,/{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_facebook() {
|
|
if [[ -n ${OAUTH_FACEBOOK_API_KEY} && -n ${OAUTH_FACEBOOK_APP_SECRET} ]]; then
|
|
echo "Configuring gitlab::oauth::facebook..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_FACEBOOK_API_KEY \
|
|
OAUTH_FACEBOOK_APP_SECRET
|
|
else
|
|
exec_as_git sed -i "/name: 'facebook'/,/{{OAUTH_FACEBOOK_APP_SECRET}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_twitter() {
|
|
if [[ -n ${OAUTH_TWITTER_API_KEY} && -n ${OAUTH_TWITTER_APP_SECRET} ]]; then
|
|
echo "Configuring gitlab::oauth::twitter..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_TWITTER_API_KEY \
|
|
OAUTH_TWITTER_APP_SECRET
|
|
else
|
|
exec_as_git sed -i "/name: 'twitter'/,/{{OAUTH_TWITTER_APP_SECRET}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_authentiq() {
|
|
if [[ -n ${OAUTH_AUTHENTIQ_CLIENT_ID} && -n ${OAUTH_AUTHENTIQ_CLIENT_SECRET} ]]; then
|
|
echo "Configuring gitlab::oauth::authentiq..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_AUTHENTIQ_CLIENT_ID \
|
|
OAUTH_AUTHENTIQ_CLIENT_SECRET \
|
|
OAUTH_AUTHENTIQ_SCOPE \
|
|
OAUTH_AUTHENTIQ_REDIRECT_URI
|
|
else
|
|
exec_as_git sed -i "/name: 'authentiq'/,/{{OAUTH_AUTHENTIQ_SCOPE}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_github() {
|
|
if [[ -n ${OAUTH_GITHUB_API_KEY} && -n ${OAUTH_GITHUB_APP_SECRET} ]]; then
|
|
echo "Configuring gitlab::oauth::github..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_GITHUB_API_KEY \
|
|
OAUTH_GITHUB_APP_SECRET \
|
|
OAUTH_GITHUB_URL \
|
|
OAUTH_GITHUB_VERIFY_SSL \
|
|
OAUTH_GITHUB_SCOPE
|
|
else
|
|
exec_as_git sed -i "/name: 'github'/,/{{OAUTH_GITHUB_SCOPE}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_gitlab() {
|
|
if [[ -n ${OAUTH_GITLAB_API_KEY} && -n ${OAUTH_GITLAB_APP_SECRET} ]]; then
|
|
echo "Configuring gitlab::oauth::gitlab..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_GITLAB_API_KEY \
|
|
OAUTH_GITLAB_APP_SECRET \
|
|
OAUTH_GITLAB_SCOPE
|
|
else
|
|
exec_as_git sed -i "/name: 'gitlab'/,/{{OAUTH_GITLAB_SCOPE}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_bitbucket() {
|
|
if [[ -n ${OAUTH_BITBUCKET_API_KEY} && -n ${OAUTH_BITBUCKET_APP_SECRET} ]]; then
|
|
echo "Configuring gitlab::oauth::bitbucket..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_BITBUCKET_API_KEY \
|
|
OAUTH_BITBUCKET_APP_SECRET \
|
|
OAUTH_BITBUCKET_URL
|
|
else
|
|
exec_as_git sed -i "/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_URL}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_saml_attribute_statements() {
|
|
if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} ]]; then
|
|
echo "Configuring gitlab::oauth::saml::attribute_statements..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL \
|
|
OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME \
|
|
OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME \
|
|
OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME \
|
|
OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME
|
|
# Remove undefined optional attributes
|
|
exec_as_git sed -i "/email: \\[''\\],/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/name: \\[''\\],/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/username: \\[''\\],/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/first_name: \\[''\\],/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/last_name: \\[''\\],/d" ${GITLAB_CONFIG}
|
|
else
|
|
exec_as_git sed -i "/attribute_statements:/,/{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_saml() {
|
|
if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \
|
|
-n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \
|
|
-n ${OAUTH_SAML_IDP_SSO_TARGET_URL} && \
|
|
-n ${OAUTH_SAML_ISSUER} && \
|
|
-n ${OAUTH_SAML_NAME_IDENTIFIER_FORMAT} ]]; then
|
|
echo "Configuring gitlab::oauth::saml..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_SAML_LABEL \
|
|
OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL \
|
|
OAUTH_SAML_IDP_CERT_FINGERPRINT \
|
|
OAUTH_SAML_IDP_SSO_TARGET_URL \
|
|
OAUTH_SAML_ISSUER \
|
|
OAUTH_SAML_NAME_IDENTIFIER_FORMAT \
|
|
OAUTH_SAML_GROUPS_ATTRIBUTE \
|
|
OAUTH_SAML_EXTERNAL_GROUPS
|
|
exec_as_git sed -i "/groups_attribute: '',/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/external_groups: \\[\\],/d" ${GITLAB_CONFIG}
|
|
gitlab_configure_oauth_saml_attribute_statements
|
|
else
|
|
exec_as_git sed -i "/name: 'saml'/,/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth2_generic() {
|
|
if [[ -n ${OAUTH2_GENERIC_APP_ID} && \
|
|
-n ${OAUTH2_GENERIC_APP_SECRET} ]]; then
|
|
echo "Configuring gitlab::oauth::generic..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH2_GENERIC_APP_ID \
|
|
OAUTH2_GENERIC_APP_SECRET \
|
|
OAUTH2_GENERIC_CLIENT_SITE \
|
|
OAUTH2_GENERIC_CLIENT_USER_INFO_URL \
|
|
OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL \
|
|
OAUTH2_GENERIC_CLIENT_TOKEN_URL \
|
|
OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT \
|
|
OAUTH2_GENERIC_ID_PATH \
|
|
OAUTH2_GENERIC_USER_UID \
|
|
OAUTH2_GENERIC_USER_NAME \
|
|
OAUTH2_GENERIC_USER_EMAIL \
|
|
OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE \
|
|
OAUTH2_GENERIC_LABEL \
|
|
OAUTH2_GENERIC_NAME
|
|
else
|
|
exec_as_git sed -i "/name: 'oauth2_generic'/,/{{OAUTH2_GENERIC_NAME}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_crowd() {
|
|
if [[ -n ${OAUTH_CROWD_SERVER_URL} && \
|
|
-n ${OAUTH_CROWD_APP_NAME} && \
|
|
-n ${OAUTH_CROWD_APP_PASSWORD} ]]; then
|
|
echo "Configuring gitlab::oauth::crowd..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_CROWD_SERVER_URL \
|
|
OAUTH_CROWD_APP_NAME \
|
|
OAUTH_CROWD_APP_PASSWORD
|
|
else
|
|
exec_as_git sed -i "/name: 'crowd'/,/{{OAUTH_CROWD_APP_PASSWORD}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_auth0() {
|
|
if [[ -n ${OAUTH_AUTH0_CLIENT_ID} && \
|
|
-n ${OAUTH_AUTH0_CLIENT_SECRET} && \
|
|
-n ${OAUTH_AUTH0_SCOPE} && \
|
|
-n ${OAUTH_AUTH0_DOMAIN} ]]; then
|
|
echo "Configuring gitlab::oauth::auth0..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_AUTH0_CLIENT_ID \
|
|
OAUTH_AUTH0_CLIENT_SECRET \
|
|
OAUTH_AUTH0_DOMAIN \
|
|
OAUTH_AUTH0_SCOPE
|
|
else
|
|
exec_as_git sed -i "/name: 'auth0'/,/{{OAUTH_AUTH0_SCOPE}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_azure() {
|
|
if [[ -n ${OAUTH_AZURE_API_KEY} && \
|
|
-n ${OAUTH_AZURE_API_SECRET} && \
|
|
-n ${OAUTH_AZURE_TENANT_ID} ]]; then
|
|
echo "Configuring gitlab::oauth::azure..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_AZURE_API_KEY \
|
|
OAUTH_AZURE_API_SECRET \
|
|
OAUTH_AZURE_TENANT_ID
|
|
else
|
|
exec_as_git sed -i "/name: 'azure_oauth2'/,/{{OAUTH_AZURE_TENANT_ID}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_azure_ad_v2() {
|
|
# we don't check if OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL because it is optional
|
|
if [[ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID} && \
|
|
-n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET} && \
|
|
-n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID} ]]; then
|
|
echo "Configuring gitlab::oauth::azure_activedirectory_v2..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL \
|
|
OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID \
|
|
OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET \
|
|
OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID
|
|
else
|
|
exec_as_git sed -i "/name: 'azure_activedirectory_v2'/,/{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_oidc() {
|
|
if [[ -n ${OAUTH_OIDC_ISSUER} && \
|
|
-n ${OAUTH_OIDC_CLIENT_ID} ]]; then
|
|
echo "Configuring gitlab::oauth::oidc..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_OIDC_LABEL \
|
|
OAUTH_OIDC_ICON \
|
|
OAUTH_OIDC_SCOPE \
|
|
OAUTH_OIDC_RESPONSE_TYPE \
|
|
OAUTH_OIDC_ISSUER \
|
|
OAUTH_OIDC_DISCOVERY \
|
|
OAUTH_OIDC_CLIENT_AUTH_METHOD \
|
|
OAUTH_OIDC_UID_FIELD \
|
|
OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP \
|
|
OAUTH_OIDC_PKCE \
|
|
OAUTH_OIDC_CLIENT_ID \
|
|
OAUTH_OIDC_CLIENT_SECRET \
|
|
OAUTH_OIDC_REDIRECT_URI
|
|
else
|
|
exec_as_git sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth_jwt() {
|
|
if [[ -n ${OAUTH_JWT_SECRET} && \
|
|
-n ${OAUTH_JWT_AUTH_URL} ]]; then
|
|
echo "Configuring gitlab::oauth::jwt..."
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_JWT_LABEL \
|
|
OAUTH_JWT_SECRET \
|
|
OAUTH_JWT_ALGORITHM \
|
|
OAUTH_JWT_UID_CLAIM \
|
|
OAUTH_JWT_REQUIRED_CLAIMS \
|
|
OAUTH_JWT_INFO_MAP_NAME \
|
|
OAUTH_JWT_INFO_MAP_EMAIL \
|
|
OAUTH_JWT_AUTH_URL \
|
|
OAUTH_JWT_VALID_WITHIN
|
|
else
|
|
exec_as_git sed -i "/name: 'jwt'/,/{{OAUTH_JWT_VALID_WITHIN}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_oauth() {
|
|
echo "Configuring gitlab::oauth..."
|
|
|
|
gitlab_configure_oauth_cas3
|
|
gitlab_configure_oauth_google
|
|
gitlab_configure_oauth_facebook
|
|
gitlab_configure_oauth_twitter
|
|
gitlab_configure_oauth_authentiq
|
|
gitlab_configure_oauth_github
|
|
gitlab_configure_oauth_gitlab
|
|
gitlab_configure_oauth_bitbucket
|
|
gitlab_configure_oauth_saml
|
|
gitlab_configure_oauth2_generic
|
|
gitlab_configure_oauth_crowd
|
|
gitlab_configure_oauth_auth0
|
|
gitlab_configure_oauth_azure
|
|
gitlab_configure_oauth_azure_ad_v2
|
|
gitlab_configure_oauth_oidc
|
|
gitlab_configure_oauth_jwt
|
|
|
|
OAUTH_ENABLED=${OAUTH_ENABLED:-false}
|
|
update_template ${GITLAB_CONFIG} \
|
|
OAUTH_ENABLED \
|
|
OAUTH_ALLOW_SSO \
|
|
OAUTH_BLOCK_AUTO_CREATED_USERS \
|
|
OAUTH_AUTO_LINK_LDAP_USER \
|
|
OAUTH_AUTO_LINK_SAML_USER \
|
|
OAUTH_AUTO_LINK_USER \
|
|
OAUTH_EXTERNAL_PROVIDERS \
|
|
OAUTH_ALLOW_BYPASS_TWO_FACTOR
|
|
|
|
case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
|
|
cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc|jwt)
|
|
update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
|
|
;;
|
|
*)
|
|
exec_as_git sed -i "/{{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}}/d" ${GITLAB_CONFIG}
|
|
;;
|
|
esac
|
|
}
|
|
|
|
gitlab_configure_secrets() {
|
|
echo "Configuring gitlab::secrets..."
|
|
if [[ -z $GITLAB_SECRETS_DB_KEY_BASE ]]; then
|
|
echo "ERROR: "
|
|
echo " Please configure the GITLAB_SECRETS_DB_KEY_BASE parameter."
|
|
echo " Cannot continue. Aborting..."
|
|
return 1
|
|
fi
|
|
|
|
if [[ -z $GITLAB_SECRETS_SECRET_KEY_BASE ]]; then
|
|
echo "ERROR: "
|
|
echo " Please configure the GITLAB_SECRETS_SECRET_KEY_BASE parameter."
|
|
echo " Cannot continue. Aborting..."
|
|
return 1
|
|
fi
|
|
|
|
if [[ -z $GITLAB_SECRETS_OTP_KEY_BASE ]]; then
|
|
echo "ERROR: "
|
|
echo " Please configure the GITLAB_SECRETS_OTP_KEY_BASE parameter."
|
|
echo " Cannot continue. Aborting..."
|
|
return 1
|
|
fi
|
|
|
|
update_template ${GITLAB_SECRETS_CONFIG} \
|
|
GITLAB_SECRETS_DB_KEY_BASE \
|
|
GITLAB_SECRETS_SECRET_KEY_BASE \
|
|
GITLAB_SECRETS_OTP_KEY_BASE \
|
|
GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE \
|
|
GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY \
|
|
GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY \
|
|
GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
|
|
|
local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
|
|
if [[ ! -f "${shell_secret}" ]]; then
|
|
exec_as_git openssl rand -hex -out "${shell_secret}" 16
|
|
chmod 600 "${shell_secret}"
|
|
fi
|
|
|
|
local workhorse_secret="${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret"
|
|
if [[ ! -f "${workhorse_secret}" ]]; then
|
|
exec_as_git openssl rand -base64 -out "${workhorse_secret}" 32
|
|
chmod 600 "${workhorse_secret}"
|
|
fi
|
|
|
|
local pages_secret="${GITLAB_INSTALL_DIR}/.gitlab_pages_secret"
|
|
if [[ ! -f "${pages_secret}" ]]; then
|
|
exec_as_git openssl rand -base64 -out "${pages_secret}" 32
|
|
chmod 600 "${pages_secret}"
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_sidekiq() {
|
|
echo "Configuring gitlab::sidekiq..."
|
|
|
|
# configure gitlab sidekiq log format
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_SIDEKIQ_LOG_FORMAT
|
|
|
|
# configure sidekiq
|
|
update_template /etc/supervisor/conf.d/sidekiq.conf \
|
|
SIDEKIQ_CONCURRENCY \
|
|
SIDEKIQ_SHUTDOWN_TIMEOUT
|
|
|
|
# enable SidekiqMemoryKiller
|
|
## The MemoryKiller is enabled by gitlab if the `SIDEKIQ_MEMORY_KILLER_MAX_RSS` is
|
|
## defined in the programs environment and has a non-zero value.
|
|
##
|
|
## Simply exporting the variable makes it available in the programs environment and
|
|
## therefore should enable the MemoryKiller.
|
|
##
|
|
## Every other MemoryKiller option specified in the docker env will automatically
|
|
## be exported, so why bother
|
|
export SIDEKIQ_MEMORY_KILLER_MAX_RSS
|
|
}
|
|
|
|
gitlab_configure_backups_schedule() {
|
|
case ${GITLAB_BACKUP_SCHEDULE} in
|
|
daily|weekly|monthly)
|
|
if ! crontab -u ${GITLAB_USER} -l >/tmp/cron.${GITLAB_USER} 2>/dev/null || ! grep -q 'bundle exec rake gitlab:backup:create' /tmp/cron.${GITLAB_USER}; then
|
|
echo "Configuring gitlab::backups::schedule..."
|
|
gitlab_backup_log="${GITLAB_LOG_DIR}/gitlab/gitlab-backup.log"
|
|
read -r hour min <<< "${GITLAB_BACKUP_TIME//[:]/ }"
|
|
day_of_month="*"
|
|
month="*"
|
|
day_of_week="*"
|
|
case ${GITLAB_BACKUP_SCHEDULE} in
|
|
daily) ;;
|
|
weekly) day_of_week=0 ;;
|
|
monthly) day_of_month=01 ;;
|
|
esac
|
|
if [[ -n ${GITLAB_BACKUP_DIR_GROUP} ]]; then
|
|
echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} DIRECTORY=${GITLAB_BACKUP_DIR_GROUP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1" >> "/tmp/cron.${GITLAB_USER}"
|
|
else
|
|
echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1" >> "/tmp/cron.${GITLAB_USER}"
|
|
fi
|
|
crontab -u ${GITLAB_USER} /tmp/cron.${GITLAB_USER}
|
|
fi
|
|
rm -rf /tmp/cron.${GITLAB_USER}
|
|
;;
|
|
esac
|
|
}
|
|
|
|
gitlab_configure_backups_aws() {
|
|
echo "Configuring gitlab::backups::aws..."
|
|
exec_as_git sed -i "/#start-gcs/,/#end-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-aws/d" ${GITLAB_CONFIG}
|
|
|
|
if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then
|
|
exec_as_git sed -i "/#start-multipart/,/#end-multipart/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then
|
|
exec_as_git sed -i "/#start-multipart-aws/,/#end-multipart-aws/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
if [[ ${AWS_BACKUP_ENCRYPTION} != true ]]; then
|
|
exec_as_git sed -i "/#start-encryption-aws/,/#end-encryption-aws/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
if [[ -z ${AWS_BACKUP_REGION} && -z ${AWS_BACKUP_ENDPOINT} ]]; then
|
|
echo "\nMissing AWS region or endpoint. Aborting...\n"
|
|
return 1
|
|
fi
|
|
|
|
if [[ ! -z ${AWS_BACKUP_ENDPOINT} ]]; then
|
|
AWS_BACKUP_PATH_STYLE="true"
|
|
fi
|
|
|
|
if [[ -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then
|
|
echo "\nMissing AWS options. Aborting...\n"
|
|
return 1
|
|
fi
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
AWS_BACKUP_REGION \
|
|
AWS_BACKUP_ENDPOINT \
|
|
AWS_BACKUP_PATH_STYLE \
|
|
AWS_BACKUP_ACCESS_KEY_ID \
|
|
AWS_BACKUP_SECRET_ACCESS_KEY \
|
|
AWS_BACKUP_BUCKET \
|
|
AWS_BACKUP_MULTIPART_CHUNK_SIZE \
|
|
AWS_BACKUP_STORAGE_CLASS \
|
|
AWS_BACKUP_SIGNATURE_VERSION
|
|
}
|
|
|
|
gitlab_configure_backup_gcs() {
|
|
echo "Configuring gitlab::backups::gcs..."
|
|
exec_as_git sed -i "/#start-aws/,/#end-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-gcs/d" ${GITLAB_CONFIG}
|
|
if [[ -z ${GCS_BACKUP_ACCESS_KEY_ID} || -z ${GCS_BACKUP_SECRET_ACCESS_KEY} || -z ${GCS_BACKUP_BUCKET} ]]; then
|
|
printf "\nMissing GCS options. Aborting...\n"
|
|
return 1
|
|
fi
|
|
update_template ${GITLAB_CONFIG} \
|
|
GCS_BACKUP_ACCESS_KEY_ID \
|
|
GCS_BACKUP_SECRET_ACCESS_KEY \
|
|
GCS_BACKUP_BUCKET
|
|
}
|
|
|
|
gitlab_configure_backups() {
|
|
echo "Configuring gitlab::backups..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_BACKUP_DIR \
|
|
GITLAB_BACKUP_EXPIRY \
|
|
GITLAB_BACKUP_PG_SCHEMA \
|
|
GITLAB_BACKUP_ARCHIVE_PERMISSIONS
|
|
gitlab_configure_backups_schedule
|
|
if [[ ${AWS_BACKUPS} != true && ${GCS_BACKUPS} != true ]]; then
|
|
exec_as_git sed -i "/\s\+#start-aws/,/#end-gcs/d" ${GITLAB_CONFIG}
|
|
return 0
|
|
fi
|
|
if [[ ${AWS_BACKUPS} == true && ${GCS_BACKUPS} == true ]]; then
|
|
printf "\nAWS and GCE cannot be enabled together, please choose one...\n"
|
|
return 1
|
|
fi
|
|
if [[ ${AWS_BACKUPS} == true ]]; then
|
|
gitlab_configure_backups_aws
|
|
fi
|
|
if [[ ${GCS_BACKUPS} == true ]]; then
|
|
gitlab_configure_backup_gcs
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_gravatar() {
|
|
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_ENABLED
|
|
|
|
if [[ -n ${GITLAB_GRAVATAR_HTTP_URL} ]]; then
|
|
echo "Configuring gitlab::gravatar::http..."
|
|
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTP_URL
|
|
else
|
|
exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTP_URL}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
if [[ -n ${GITLAB_GRAVATAR_HTTPS_URL} ]]; then
|
|
echo "Configuring gitlab::gravatar::https..."
|
|
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTPS_URL
|
|
else
|
|
exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTPS_URL}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_cron_jobs() {
|
|
echo "Configuring gitlab::cron_jobs..."
|
|
|
|
if [[ -n "${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}" ]]; then
|
|
update_template ${GITLAB_CONFIG} GITLAB_PIPELINE_SCHEDULE_WORKER_CRON
|
|
else
|
|
exec_as_git sed -i "/{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_analytics_google() {
|
|
if [[ -n ${GOOGLE_ANALYTICS_ID} ]]; then
|
|
echo "Configuring gitlab::analytics:google..."
|
|
update_template ${GITLAB_CONFIG} GOOGLE_ANALYTICS_ID
|
|
else
|
|
exec_as_git sed -i "/{{GOOGLE_ANALYTICS_ID}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_analytics_piwik() {
|
|
if [[ -n ${PIWIK_URL} && -n ${PIWIK_SITE_ID} ]]; then
|
|
echo "Configuring gitlab::analytics:piwik..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
PIWIK_URL \
|
|
PIWIK_SITE_ID
|
|
else
|
|
exec_as_git sed -i \
|
|
-e "/{{PIWIK_URL}}/d" \
|
|
-e "/{{PIWIK_SITE_ID}}/d" \
|
|
${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_analytics() {
|
|
gitlab_configure_analytics_google
|
|
gitlab_configure_analytics_piwik
|
|
}
|
|
|
|
gitlab_configure_rack_attack() {
|
|
echo "Configuring gitlab::rack_attack..."
|
|
|
|
# validity check : RACK_ATTACK_WHITELIST should be an array of valid IP Address string
|
|
echo " Validating RACK_ATTACK_WHITELIST..."
|
|
/usr/bin/env ruby << SCRIPT
|
|
require 'ipaddr'
|
|
${RACK_ATTACK_WHITELIST}.each do |host|
|
|
begin
|
|
printf(" input=%s, to_range=%s\n", host, IPAddr.new(host).to_range)
|
|
rescue IPAddr::InvalidAddressError => e
|
|
p e
|
|
exit 1
|
|
rescue => e
|
|
put "Unexpected error", e
|
|
exit 1
|
|
end
|
|
end
|
|
SCRIPT
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
RACK_ATTACK_ENABLED \
|
|
RACK_ATTACK_WHITELIST \
|
|
RACK_ATTACK_MAXRETRY \
|
|
RACK_ATTACK_FINDTIME \
|
|
RACK_ATTACK_BANTIME
|
|
}
|
|
|
|
gitlab_configure_ci() {
|
|
echo "Configuring gitlab::ci..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_NOTIFY_ON_BROKEN_BUILDS \
|
|
GITLAB_NOTIFY_PUSHER GITLAB_BUILDS_DIR
|
|
}
|
|
|
|
gitlab_configure_artifacts() {
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED
|
|
|
|
if [[ ${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED} == true ]]; then
|
|
echo "Configuring gitlab::artifacts:object_store"
|
|
|
|
if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
|
|
echo " -> Google ARTIFACTS provider selected removing aws config"
|
|
exec_as_git sed -i "/#start-artifacts-aws/,/#end-artifacts-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-artifacts-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-artifacts-gcs/d" ${GITLAB_CONFIG}
|
|
fi
|
|
if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
|
|
echo " -> AWS ARTIFACTS provider selected removing Google config"
|
|
exec_as_git sed -i "/#start-artifacts-gcs/,/#end-artifacts-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-artifacts-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-artifacts-aws/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
|
|
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
|
|
else
|
|
exec_as_git sed -i -e "/path: {{GITLAB_ARTIFACTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
echo "Configuring gitlab::artifacts..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_ARTIFACTS_ENABLED \
|
|
GITLAB_ARTIFACTS_DIR
|
|
}
|
|
|
|
|
|
gitlab_configure_packages() {
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_PACKAGES_OBJECT_STORE_ENABLED
|
|
|
|
if [[ ${GITLAB_PACKAGES_OBJECT_STORE_ENABLED} == true ]]; then
|
|
echo "Configuring gitlab::packages:object_store"
|
|
|
|
if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
|
|
echo " -> Google PACKAGES provider selected removing aws config"
|
|
exec_as_git sed -i "/#start-packages-aws/,/#end-packages-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-packages-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-packages-gcs/d" ${GITLAB_CONFIG}
|
|
fi
|
|
if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
|
|
echo " -> AWS PACKAGES provider selected removing Google config"
|
|
exec_as_git sed -i "/#start-packages-gcs/,/#end-packages-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-packages-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-packages-aws/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY \
|
|
GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD \
|
|
GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD \
|
|
GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
|
|
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
|
|
else
|
|
exec_as_git sed -i -e "/path: {{GITLAB_PACKAGES_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
echo "Configuring gitlab::packages..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_PACKAGES_ENABLED \
|
|
GITLAB_PACKAGES_DIR
|
|
}
|
|
|
|
gitlab_configure_terraform_state() {
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED
|
|
|
|
if [[ ${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED} == true ]]; then
|
|
echo "Configuring gitlab::terraform_state:object_store"
|
|
|
|
if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
|
|
echo " -> Google TERRAFORM STATE provider selected removing aws config"
|
|
exec_as_git sed -i "/#start-terraform_state-aws/,/#end-terraform_state-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-terraform_state-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-terraform_state-gcs/d" ${GITLAB_CONFIG}
|
|
fi
|
|
if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
|
|
echo " -> AWS TERRAFORM STATE provider selected removing Google config"
|
|
exec_as_git sed -i "/#start-terraform_state-gcs/,/#end-terraform_state-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-terraform_state-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-terraform_state-aws/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
|
|
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
|
|
else
|
|
exec_as_git sed -i -e "/storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
echo "Configuring gitlab::terraform_state..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_TERRAFORM_STATE_ENABLED \
|
|
GITLAB_TERRAFORM_STATE_STORAGE_PATH
|
|
}
|
|
|
|
gitlab_configure_lfs() {
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_LFS_OBJECT_STORE_ENABLED \
|
|
|
|
if [[ ${GITLAB_LFS_OBJECT_STORE_ENABLED} == true ]]; then
|
|
echo "Configuring gitlab::lfs:object_store"
|
|
|
|
if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
|
|
echo " -> Google LFS provider selected removing aws config"
|
|
exec_as_git sed -i "/#start-lfs-aws/,/#end-lfs-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-lfs-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-lfs-gcs/d" ${GITLAB_CONFIG}
|
|
fi
|
|
if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
|
|
echo " -> AWS LFS provider selected removing Google config"
|
|
exec_as_git sed -i "/#start-lfs-gcs/,/#end-lfs-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-lfs-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-lfs-aws/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY \
|
|
GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD \
|
|
GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD \
|
|
GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
|
|
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
|
|
else
|
|
exec_as_git sed -i -e "/path: {{GITLAB_LFS_OBJECTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
echo "Configuring gitlab::lfs..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_LFS_ENABLED \
|
|
GITLAB_LFS_OBJECTS_DIR
|
|
}
|
|
|
|
gitlab_configure_uploads() {
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_UPLOADS_OBJECT_STORE_ENABLED
|
|
|
|
if [[ ${GITLAB_UPLOADS_OBJECT_STORE_ENABLED} == true ]]; then
|
|
echo "Configuring gitlab::uploads:object_store"
|
|
|
|
if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
|
|
echo " -> Google UPLOADS provider selected removing aws config"
|
|
exec_as_git sed -i "/#start-uploads-aws/,/#end-uploads-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-uploads-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-uploads-gcs/d" ${GITLAB_CONFIG}
|
|
fi
|
|
if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
|
|
echo " -> AWS UPLOADS provider selected removing Google config"
|
|
exec_as_git sed -i "/#start-uploads-gcs/,/#end-uploads-gcs/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#start-uploads-aws/d" ${GITLAB_CONFIG}
|
|
exec_as_git sed -i "/#end-uploads-aws/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY \
|
|
GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD \
|
|
GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD \
|
|
GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
|
|
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
|
|
|
|
else
|
|
exec_as_git sed -i -e "/base_dir: {{GITLAB_UPLOADS_BASE_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
echo "Configuring gitlab::uploads..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_UPLOADS_STORAGE_PATH \
|
|
GITLAB_UPLOADS_BASE_DIR
|
|
}
|
|
|
|
gitlab_configure_mattermost() {
|
|
echo "Configuring gitlab::mattermost..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_MATTERMOST_ENABLED \
|
|
GITLAB_MATTERMOST_URL
|
|
}
|
|
|
|
gitlab_configure_project_features() {
|
|
echo "Configuring gitlab::project_features..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_PROJECTS_ISSUES \
|
|
GITLAB_PROJECTS_MERGE_REQUESTS \
|
|
GITLAB_PROJECTS_WIKI \
|
|
GITLAB_PROJECTS_SNIPPETS \
|
|
GITLAB_PROJECTS_BUILDS \
|
|
GITLAB_PROJECTS_CONTAINER_REGISTRY \
|
|
GITLAB_WEBHOOK_TIMEOUT
|
|
}
|
|
|
|
gitlab_configure_registry(){
|
|
echo "Configuring gitlab::registry..."
|
|
|
|
if [[ ${GITLAB_REGISTRY_PORT} == 443 ]]; then
|
|
# Sets GITLAB_REGISTRY_PORT empty for the scope of this function.
|
|
# This helps us to add an empty key to `.gitlab-ci.yml`.
|
|
# Because 443 is the default https port it doesn't need to be included in docker push/pull commands
|
|
# and shouldn't be displayed on the gitlab ui.
|
|
# Example: `docker pull registry:443/some/image` is the same as `docker pull registry/some/image`
|
|
local GITLAB_REGISTRY_PORT=""
|
|
fi
|
|
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_REGISTRY_ENABLED \
|
|
GITLAB_REGISTRY_DIR \
|
|
GITLAB_REGISTRY_HOST \
|
|
GITLAB_REGISTRY_PORT \
|
|
GITLAB_REGISTRY_API_URL \
|
|
GITLAB_REGISTRY_KEY_PATH \
|
|
GITLAB_REGISTRY_ISSUER
|
|
}
|
|
|
|
gitlab_configure_pages(){
|
|
echo "Configuring gitlab::pages..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_PAGES_ENABLED \
|
|
GITLAB_PAGES_DOMAIN \
|
|
GITLAB_PAGES_PORT \
|
|
GITLAB_PAGES_HTTPS \
|
|
GITLAB_PAGES_ARTIFACTS_SERVER \
|
|
GITLAB_PAGES_ACCESS_CONTROL
|
|
|
|
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_PAGES_EXTERNAL_HTTP
|
|
else
|
|
exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
|
|
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_PAGES_EXTERNAL_HTTPS
|
|
else
|
|
exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTPS}}/d" ${GITLAB_CONFIG}
|
|
fi
|
|
}
|
|
|
|
gitlab_configure_sentry(){
|
|
echo "Configuring gitlab::sentry..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
SENTRY_ENABLED \
|
|
SENTRY_DSN \
|
|
SENTRY_CLIENTSIDE_DSN \
|
|
SENTRY_ENVIRONMENT
|
|
}
|
|
|
|
gitlab_configure_content_security_policy(){
|
|
echo "Configuring gitlab::content_security_policy..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_CONTENT_SECURITY_POLICY_ENABLED \
|
|
GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC \
|
|
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI
|
|
}
|
|
|
|
nginx_configure_gitlab_ssl() {
|
|
if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
|
|
echo "Configuring nginx::gitlab::ssl..."
|
|
|
|
if [[ ! -f ${SSL_CA_CERTIFICATES_PATH} ]]; then
|
|
sed -i "/{{SSL_CA_CERTIFICATES_PATH}}/d" ${GITLAB_NGINX_CONFIG}
|
|
fi
|
|
update_template ${GITLAB_NGINX_CONFIG} \
|
|
SSL_CERTIFICATE_PATH \
|
|
SSL_KEY_PATH \
|
|
SSL_DHPARAM_PATH \
|
|
SSL_VERIFY_CLIENT \
|
|
SSL_CA_CERTIFICATES_PATH \
|
|
SSL_CIPHERS \
|
|
SSL_PROTOCOLS
|
|
fi
|
|
}
|
|
|
|
nginx_configure_gitlab_hsts() {
|
|
if [[ ${GITLAB_HTTPS} == true ]]; then
|
|
echo "Configuring nginx::gitlab::hsts..."
|
|
if [[ ${NGINX_HSTS_ENABLED} != true ]]; then
|
|
sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG}
|
|
fi
|
|
update_template ${GITLAB_NGINX_CONFIG} NGINX_HSTS_MAXAGE
|
|
else
|
|
sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG}
|
|
fi
|
|
}
|
|
|
|
nginx_configure_gitlab_ipv6() {
|
|
if [[ ! -f /proc/net/if_inet6 ]]; then
|
|
# disable ipv6 support in nginx for gitlab
|
|
sed -i \
|
|
-e "/listen \[::\]:80/d" \
|
|
-e "/listen \[::\]:443/d" \
|
|
${GITLAB_NGINX_CONFIG}
|
|
# disable ipv6 support in nginx for pages
|
|
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
|
|
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
|
|
sed -i \
|
|
-e "/listen \[::\]:80/d" \
|
|
-e "/listen \[::\]:443/d" \
|
|
${GITLAB_PAGES_NGINX_CONFIG}
|
|
fi
|
|
fi
|
|
fi
|
|
}
|
|
|
|
nginx_configure_gitlab_real_ip() {
|
|
if [[ ${NGINX_REAL_IP_RECURSIVE} == on && \
|
|
-n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then
|
|
echo "Configuring nginx::gitlab::real_ip..."
|
|
update_template ${GITLAB_NGINX_CONFIG} \
|
|
NGINX_REAL_IP_RECURSIVE \
|
|
NGINX_REAL_IP_TRUSTED_ADDRESSES
|
|
else
|
|
NGINX_REAL_IP_RECURSIVE="off"
|
|
update_template ${GITLAB_NGINX_CONFIG} \
|
|
NGINX_REAL_IP_RECURSIVE
|
|
sed -i "/{{NGINX_REAL_IP_TRUSTED_ADDRESSES}}/d" ${GITLAB_NGINX_CONFIG}
|
|
fi
|
|
}
|
|
|
|
nginx_configure_gitlab() {
|
|
echo "Configuring nginx::gitlab..."
|
|
update_template ${GITLAB_NGINX_CONFIG} \
|
|
GITLAB_HOME \
|
|
GITLAB_INSTALL_DIR \
|
|
GITLAB_LOG_DIR \
|
|
GITLAB_HOST \
|
|
GITLAB_PORT \
|
|
NGINX_PROXY_BUFFERING \
|
|
NGINX_ACCEL_BUFFERING \
|
|
NGINX_X_FORWARDED_PROTO \
|
|
NGINX_CUSTOM_GITLAB_SERVER_CONFIG
|
|
|
|
nginx_configure_gitlab_ssl
|
|
nginx_configure_gitlab_hsts
|
|
nginx_configure_gitlab_ipv6
|
|
nginx_configure_gitlab_real_ip
|
|
}
|
|
|
|
nginx_configure_gitlab_ci() {
|
|
if [[ -n $GITLAB_CI_HOST ]]; then
|
|
echo "Configuring nginx::gitlab_ci..."
|
|
DNS_RESOLVERS=$(cat /etc/resolv.conf | grep '^\s*nameserver' | awk '{print $2}' ORS=' ')
|
|
update_template ${GITLAB_CI_NGINX_CONFIG} \
|
|
GITLAB_LOG_DIR \
|
|
GITLAB_HOST \
|
|
GITLAB_CI_HOST \
|
|
DNS_RESOLVERS
|
|
fi
|
|
}
|
|
|
|
nginx_configure_gitlab_registry() {
|
|
if [[ $GITLAB_REGISTRY_ENABLED == true && -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
|
|
echo "Configuring nginx::gitlab-registry..."
|
|
update_template ${GITLAB_REGISTRY_NGINX_CONFIG} \
|
|
GITLAB_LOG_DIR \
|
|
GITLAB_REGISTRY_PORT \
|
|
GITLAB_REGISTRY_HOST \
|
|
GITLAB_REGISTRY_API_URL \
|
|
SSL_REGISTRY_KEY_PATH \
|
|
SSL_REGISTRY_CERT_PATH \
|
|
SSL_REGISTRY_CIPHERS \
|
|
SSL_REGISTRY_PROTOCOLS
|
|
fi
|
|
}
|
|
|
|
nginx_configure_pages(){
|
|
local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g')
|
|
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
|
|
echo "Configuring nginx::gitlab-pages..."
|
|
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
|
|
if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then
|
|
update_template ${GITLAB_PAGES_NGINX_CONFIG} \
|
|
GITLAB_PORT \
|
|
GITLAB_PAGES_DOMAIN \
|
|
GITLAB_PAGES_PORT \
|
|
GITLAB_LOG_DIR \
|
|
GITLAB_PAGES_DOMAIN \
|
|
SSL_PAGES_CERT_PATH \
|
|
SSL_PAGES_KEY_PATH \
|
|
SSL_PAGES_CIPHERS \
|
|
SSL_PAGES_PROTOCOLS \
|
|
SSL_DHPARAM_PATH \
|
|
GITLAB_LOG_DIR
|
|
else
|
|
update_template ${GITLAB_PAGES_NGINX_CONFIG} \
|
|
GITLAB_PAGES_DOMAIN \
|
|
GITLAB_LOG_DIR
|
|
fi
|
|
else
|
|
echo "Gitlab pages nginx proxy disabled"
|
|
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
|
|
# _|_|_| _| _| _|
|
|
# _| _| _| _| _|_|_| _| _|_|_|
|
|
# _|_|_| _| _| _| _| _| _| _|
|
|
# _| _| _| _| _| _| _| _|
|
|
# _| _|_|_| _|_|_| _| _| _|_|_|
|
|
|
|
map_uidgid() {
|
|
USERMAP_ORIG_UID=$(id -u ${GITLAB_USER})
|
|
USERMAP_ORIG_GID=$(id -g ${GITLAB_USER})
|
|
USERMAP_GID=${USERMAP_GID:-${USERMAP_UID:-$USERMAP_ORIG_GID}}
|
|
USERMAP_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
|
|
if [[ ${USERMAP_UID} != ${USERMAP_ORIG_UID} ]] || [[ ${USERMAP_GID} != ${USERMAP_ORIG_GID} ]]; then
|
|
echo "Mapping UID and GID for ${GITLAB_USER}:${GITLAB_USER} to $USERMAP_UID:$USERMAP_GID"
|
|
groupmod -o -g ${USERMAP_GID} ${GITLAB_USER}
|
|
sed -i -e "s|:${USERMAP_ORIG_UID}:${USERMAP_GID}:|:${USERMAP_UID}:${USERMAP_GID}:|" /etc/passwd
|
|
find ${GITLAB_HOME} -path ${GITLAB_DATA_DIR}/\* -prune -o -print0 | xargs -0 chown -h ${GITLAB_USER}:
|
|
fi
|
|
}
|
|
|
|
update_ca_certificates() {
|
|
if [[ -f ${SSL_CERTIFICATE_PATH} || -f ${SSL_CA_CERTIFICATES_PATH} || -f ${SSL_REGISTRY_CERT_PATH} ]]; then
|
|
echo "Updating CA certificates..."
|
|
[[ -f ${SSL_CERTIFICATE_PATH} ]] && cp "${SSL_CERTIFICATE_PATH}" /usr/local/share/ca-certificates/gitlab.crt
|
|
[[ -f ${SSL_CA_CERTIFICATES_PATH} ]] && cp "${SSL_CA_CERTIFICATES_PATH}" /usr/local/share/ca-certificates/ca.crt
|
|
[[ -f ${SSL_REGISTRY_CERT_PATH} ]] && cp "${SSL_REGISTRY_CERT_PATH}" /usr/local/share/ca-certificates/registry-ca.crt
|
|
update-ca-certificates --fresh >/dev/null
|
|
fi
|
|
}
|
|
|
|
initialize_logdir() {
|
|
echo "Initializing logdir..."
|
|
mkdir -p ${GITLAB_LOG_DIR}/supervisor
|
|
chmod -R 0755 ${GITLAB_LOG_DIR}/supervisor
|
|
chown -R root: ${GITLAB_LOG_DIR}/supervisor
|
|
|
|
mkdir -p ${GITLAB_LOG_DIR}/nginx
|
|
chmod -R 0755 ${GITLAB_LOG_DIR}/nginx
|
|
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/nginx
|
|
|
|
mkdir -p ${GITLAB_LOG_DIR}/gitlab
|
|
chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab
|
|
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab
|
|
|
|
mkdir -p ${GITLAB_LOG_DIR}/gitlab-shell
|
|
chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab-shell
|
|
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab-shell
|
|
|
|
mkdir -p ${GITLAB_LOG_DIR}/gitaly
|
|
chmod -R 0755 ${GITLAB_LOG_DIR}/gitaly
|
|
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitaly
|
|
}
|
|
|
|
initialize_datadir() {
|
|
echo "Initializing datadir..."
|
|
chmod 755 ${GITLAB_DATA_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}
|
|
|
|
# create the ssh directory for server keys
|
|
mkdir -p ${GITLAB_DATA_DIR}/ssh
|
|
chown -R root: ${GITLAB_DATA_DIR}/ssh
|
|
|
|
# create the repositories directory and make sure it has the right permissions
|
|
mkdir -p ${GITLAB_REPOS_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_REPOS_DIR}
|
|
chmod ug+rwX,o-rwx ${GITLAB_REPOS_DIR}
|
|
exec_as_git chmod g+s ${GITLAB_REPOS_DIR}
|
|
|
|
# create build traces directory
|
|
mkdir -p ${GITLAB_BUILDS_DIR}
|
|
chmod u+rwX ${GITLAB_BUILDS_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_BUILDS_DIR}
|
|
|
|
# gitlab:backup:create does not respect the builds_path configuration, so we
|
|
# symlink ${GITLAB_INSTALL_DIR}/builds -> ${GITLAB_BUILDS_DIR}
|
|
rm -rf ${GITLAB_INSTALL_DIR}/builds
|
|
ln -sf ${GITLAB_BUILDS_DIR} ${GITLAB_INSTALL_DIR}/builds
|
|
|
|
# create downloads directory
|
|
mkdir -p ${GITLAB_DOWNLOADS_DIR}
|
|
chmod u+rwX ${GITLAB_DOWNLOADS_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR}
|
|
|
|
# create shared directory
|
|
mkdir -p ${GITLAB_SHARED_DIR}
|
|
chmod u+rwX ${GITLAB_SHARED_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}
|
|
|
|
# create the ci_secure_files directory
|
|
mkdir -p ${GITLAB_SHARED_DIR}/ci_secure_files
|
|
chmod u+rwX ${GITLAB_SHARED_DIR}/ci_secure_files
|
|
chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/ci_secure_files
|
|
|
|
# create external-diffs dir
|
|
mkdir -p ${GITLAB_SHARED_DIR}/external-diffs
|
|
chmod u+rwX ${GITLAB_SHARED_DIR}/external-diffs
|
|
chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/external-diffs
|
|
|
|
# create artifacts dir
|
|
mkdir -p ${GITLAB_ARTIFACTS_DIR}
|
|
chmod u+rwX ${GITLAB_ARTIFACTS_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
|
|
|
|
# create pages dir
|
|
mkdir -p ${GITLAB_PAGES_DIR}
|
|
chmod u+rwX ${GITLAB_PAGES_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_PAGES_DIR}
|
|
|
|
# symlink ${GITLAB_INSTALL_DIR}/shared -> ${GITLAB_DATA_DIR}/shared
|
|
rm -rf ${GITLAB_INSTALL_DIR}/shared
|
|
ln -sf ${GITLAB_SHARED_DIR} ${GITLAB_INSTALL_DIR}/shared
|
|
|
|
# create lfs-objects directory
|
|
mkdir -p ${GITLAB_LFS_OBJECTS_DIR}
|
|
chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
|
|
|
|
# create terraform_state directory
|
|
if [[ ${GITLAB_TERRAFORM_STATE_ENABLED} == true ]]; then
|
|
mkdir -p ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}
|
|
chmod u+rwX ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}
|
|
chown ${GITLAB_USER}: ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}
|
|
fi
|
|
|
|
# create registry dir
|
|
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
|
|
mkdir -p ${GITLAB_REGISTRY_DIR}
|
|
chmod u+rwX ${GITLAB_REGISTRY_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
|
|
fi
|
|
|
|
# create packages directory
|
|
if [[ ${GITLAB_PACKAGES_ENABLED} == true ]]; then
|
|
mkdir -p ${GITLAB_PACKAGES_DIR}
|
|
chmod u+rwX ${GITLAB_PACKAGES_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR}
|
|
fi
|
|
|
|
# create the backups directory
|
|
mkdir -p ${GITLAB_BACKUP_DIR}
|
|
if [[ ${GITLAB_BACKUP_DIR_CHOWN} == true ]]; then
|
|
chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR}
|
|
fi
|
|
|
|
# create the uploads directory
|
|
mkdir -p ${GITLAB_DATA_DIR}/uploads
|
|
chmod 0700 ${GITLAB_DATA_DIR}/uploads
|
|
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads
|
|
|
|
# create the .ssh directory
|
|
mkdir -p ${GITLAB_DATA_DIR}/.ssh
|
|
touch ${GITLAB_DATA_DIR}/.ssh/authorized_keys
|
|
chmod 700 ${GITLAB_DATA_DIR}/.ssh
|
|
chmod 600 ${GITLAB_DATA_DIR}/.ssh/authorized_keys
|
|
chown -R ${GITLAB_USER}: ${GITLAB_DATA_DIR}/.ssh
|
|
}
|
|
|
|
sanitize_datadir() {
|
|
echo "Sanitizing datadir. Please be patient..."
|
|
chmod -R ug+rwX,o-rwx ${GITLAB_REPOS_DIR}/
|
|
chmod -R ug-s ${GITLAB_REPOS_DIR}/
|
|
find ${GITLAB_REPOS_DIR}/ -type d -print0 | xargs -0 chmod g+s
|
|
chown -R ${GITLAB_USER}: ${GITLAB_REPOS_DIR}
|
|
|
|
chmod -R u+rwX ${GITLAB_BUILDS_DIR}
|
|
chown -R ${GITLAB_USER}: ${GITLAB_BUILDS_DIR}
|
|
|
|
chmod -R u+rwX ${GITLAB_DOWNLOADS_DIR}
|
|
chown -R ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR}
|
|
|
|
chmod -R u+rwX ${GITLAB_TEMP_DIR}
|
|
chown -R ${GITLAB_USER}: ${GITLAB_TEMP_DIR}
|
|
|
|
chmod -R u+rwX ${GITLAB_SHARED_DIR}
|
|
chown -R ${GITLAB_USER}: ${GITLAB_SHARED_DIR}
|
|
|
|
chmod -R u+rwX ${GITLAB_ARTIFACTS_DIR}
|
|
chown -R ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
|
|
|
|
chmod -R u+rwX ${GITLAB_PAGES_DIR}
|
|
chown -R ${GITLAB_USER}: ${GITLAB_PAGES_DIR}
|
|
|
|
chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR}
|
|
chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
|
|
|
|
# create terraform_state directory
|
|
# TODO : wrap with "if [[ _ENABLED ]]" condition
|
|
chmod u+rwX ${GITLAB_SHARED_DIR}/terraform_state
|
|
chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/terraform_state
|
|
|
|
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
|
|
chmod -R u+rwX ${GITLAB_REGISTRY_DIR}
|
|
chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
|
|
fi
|
|
|
|
if [[ ${GITLAB_PACKAGES_ENABLED} ]]; then
|
|
chmod u+rwX ${GITLAB_PACKAGES_DIR}
|
|
chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR}
|
|
fi
|
|
|
|
find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \;
|
|
find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \;
|
|
chmod 0700 ${GITLAB_DATA_DIR}/uploads/
|
|
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads/
|
|
|
|
echo "Creating gitlab-shell hooks..."
|
|
exec_as_git ${GITLAB_SHELL_INSTALL_DIR}/bin/create-hooks
|
|
}
|
|
|
|
generate_ssh_key() {
|
|
echo -n "${1^^} "
|
|
ssh-keygen -qt ${1} -N '' -f ${2}
|
|
}
|
|
|
|
generate_ssh_host_keys() {
|
|
sed -i "s|^[#]*MaxStartups[^$]*|MaxStartups ${GITLAB_SSH_MAXSTARTUPS}|" /etc/ssh/sshd_config
|
|
sed -i "s|#HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g" /etc/ssh/sshd_config
|
|
if [[ ! -e ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key ]]; then
|
|
echo -n "Generating OpenSSH host keys... "
|
|
generate_ssh_key rsa ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key
|
|
generate_ssh_key dsa ${GITLAB_DATA_DIR}/ssh/ssh_host_dsa_key
|
|
generate_ssh_key ecdsa ${GITLAB_DATA_DIR}/ssh/ssh_host_ecdsa_key
|
|
generate_ssh_key ed25519 ${GITLAB_DATA_DIR}/ssh/ssh_host_ed25519_key
|
|
echo
|
|
fi
|
|
|
|
# ensure existing host keys have the right permissions
|
|
chmod 0600 ${GITLAB_DATA_DIR}/ssh/*_key
|
|
chmod 0644 ${GITLAB_DATA_DIR}/ssh/*.pub
|
|
}
|
|
|
|
update_ssh_listen_port() {
|
|
sed -i "s|#Port 22|Port ${GITLAB_SSH_LISTEN_PORT}|g" /etc/ssh/sshd_config
|
|
}
|
|
|
|
generate_healthcheck_script() {
|
|
# configure healthcheck script
|
|
## https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html
|
|
local HEALTHCHECK_PROTOCOL="http"
|
|
if [[ "${GITLAB_HTTPS}" == true && "${SSL_SELF_SIGNED}" == false ]]; then
|
|
HEALTHCHECK_PROTOCOL="${HEALTHCHECK_PROTOCOL}s"
|
|
fi
|
|
cat > /usr/local/sbin/healthcheck <<EOF
|
|
#!/bin/bash
|
|
url=${HEALTHCHECK_PROTOCOL}://127.0.0.1${GITLAB_RELATIVE_URL_ROOT}/-/liveness
|
|
options=( '--insecure' '--silent' )
|
|
curl "\${options[@]}" \$url
|
|
[[ "\$(curl \${options[@]} -o /dev/null -I -w '%{http_code}' \$url)" == "200" ]]
|
|
EOF
|
|
chmod +x /usr/local/sbin/healthcheck
|
|
}
|
|
|
|
configure_container_timezone() {
|
|
# Perform sanity check of provided timezone value
|
|
if [ -e /usr/share/zoneinfo/${TIMEZONE} ]; then
|
|
# Configured timezone is available
|
|
|
|
# Set localtime
|
|
ln -snf /usr/share/zoneinfo/${TIMEZONE} /etc/localtime
|
|
|
|
# Set timezone
|
|
echo ${TIMEZONE} > /etc/timezone
|
|
|
|
echo "Container TimeZone -> ${TIMEZONE}"
|
|
fi
|
|
}
|
|
|
|
initialize_system() {
|
|
map_uidgid
|
|
initialize_logdir
|
|
initialize_datadir
|
|
update_ca_certificates
|
|
generate_ssh_host_keys
|
|
update_ssh_listen_port
|
|
configure_container_timezone
|
|
install_configuration_templates
|
|
rm -rf /var/run/supervisor.sock
|
|
}
|
|
|
|
install_configuration_templates() {
|
|
echo "Installing configuration templates..."
|
|
install_template ${GITLAB_USER}: gitlabhq/gitlab.yml ${GITLAB_CONFIG} 0640
|
|
install_template ${GITLAB_USER}: gitlabhq/database.yml ${GITLAB_DATABASE_CONFIG} 0640
|
|
install_template ${GITLAB_USER}: gitlabhq/puma.rb ${GITLAB_PUMA_CONFIG} 0644
|
|
install_template ${GITLAB_USER}: gitlabhq/resque.yml ${GITLAB_RESQUE_CONFIG} 0640
|
|
install_template ${GITLAB_USER}: gitlabhq/secrets.yml ${GITLAB_SECRETS_CONFIG} 0600
|
|
install_template ${GITLAB_USER}: gitlab-shell/config.yml ${GITLAB_SHELL_CONFIG} 0640
|
|
install_template ${GITLAB_USER}: gitlabhq/cable.yml ${GITLAB_ACTIONCABLE_CONFIG} 0640
|
|
|
|
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
|
|
install_template ${GITLAB_USER}: gitlabhq/relative_url.rb ${GITLAB_RELATIVE_URL_CONFIG} 0644
|
|
fi
|
|
|
|
if [[ ${SMTP_ENABLED} == true ]]; then
|
|
install_template ${GITLAB_USER}: gitlabhq/smtp_settings.rb ${GITLAB_SMTP_CONFIG}
|
|
fi
|
|
|
|
# custom user specified robots.txt
|
|
if [[ -f ${GITLAB_ROBOTS_PATH} ]]; then
|
|
exec_as_git cp ${GITLAB_ROBOTS_PATH} ${GITLAB_ROBOTS_CONFIG}
|
|
fi
|
|
|
|
## ${GITLAB_NGINX_CONFIG}
|
|
if [[ ${GITLAB_HTTPS} == true ]]; then
|
|
if [[ -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
|
|
install_template root: nginx/gitlab-ssl ${GITLAB_NGINX_CONFIG}
|
|
else
|
|
echo "SSL Key, SSL Certificate and DHParam were not found."
|
|
echo "Assuming that the container is running behind a HTTPS enabled load balancer."
|
|
install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}
|
|
fi
|
|
else
|
|
install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}
|
|
fi
|
|
|
|
|
|
## ${GITLAB_PAGES_NGINX_CONFIG}
|
|
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
|
|
install_template ${GITLAB_USER}: gitlab-pages/config ${GITLAB_PAGES_CONFIG} 0640
|
|
if [[ ${GITLAB_PAGES_HTTPS} == true && -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then
|
|
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
|
|
install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG}
|
|
else
|
|
echo "Gitlab pages nginx proxy disabled"
|
|
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
|
|
fi
|
|
else
|
|
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
|
|
echo "SSL Key, SSL Certificate were not found."
|
|
echo "Assuming that the container is running behind a HTTPS enabled load balancer."
|
|
install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG}
|
|
else
|
|
echo "Gitlab pages nginx proxy disabled"
|
|
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
|
|
|
|
if [[ -n $GITLAB_CI_HOST ]]; then
|
|
install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG}
|
|
fi
|
|
|
|
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
|
|
if [[ -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
|
|
install_template root: nginx/gitlab-registry ${GITLAB_REGISTRY_NGINX_CONFIG}
|
|
else
|
|
echo "SSL key and certificates for Registry were not found"
|
|
echo "Assuming that the Registry is running behind a HTTPS enabled load balancer."
|
|
fi
|
|
fi
|
|
|
|
install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
|
|
}
|
|
|
|
configure_gitlab() {
|
|
echo "Configuring gitlab..."
|
|
update_template ${GITLAB_CONFIG} \
|
|
GITLAB_INSTALL_DIR \
|
|
GITLAB_SHELL_INSTALL_DIR \
|
|
GITLAB_DATA_DIR \
|
|
GITLAB_REPOS_DIR \
|
|
GITLAB_DOWNLOADS_DIR \
|
|
GITLAB_SHARED_DIR \
|
|
GITLAB_HOME \
|
|
GITLAB_HOST \
|
|
GITLAB_PORT \
|
|
GITLAB_RELATIVE_URL_ROOT \
|
|
GITLAB_HTTPS \
|
|
GITLAB_SSH_HOST \
|
|
GITLAB_SSH_LISTEN_PORT \
|
|
GITLAB_SSH_PORT \
|
|
GITLAB_SIGNUP_ENABLED \
|
|
GITLAB_IMPERSONATION_ENABLED \
|
|
GITLAB_PROJECTS_LIMIT \
|
|
GITLAB_USERNAME_CHANGE \
|
|
GITLAB_DEFAULT_THEME \
|
|
GITLAB_CREATE_GROUP \
|
|
GITLAB_ISSUE_CLOSING_PATTERN
|
|
|
|
gitlab_configure_database
|
|
gitlab_configure_redis
|
|
gitlab_configure_actioncable
|
|
gitlab_configure_secrets
|
|
gitlab_configure_sidekiq
|
|
gitlab_configure_gitaly
|
|
gitlab_configure_monitoring
|
|
gitlab_configure_gitlab_workhorse
|
|
gitlab_configure_relative_url
|
|
gitlab_configure_trusted_proxies
|
|
gitlab_configure_puma
|
|
gitlab_configure_timezone
|
|
gitlab_configure_rack_attack
|
|
gitlab_configure_ci
|
|
gitlab_configure_artifacts
|
|
gitlab_configure_packages
|
|
gitlab_configure_terraform_state
|
|
gitlab_configure_lfs
|
|
gitlab_configure_uploads
|
|
gitlab_configure_mattermost
|
|
gitlab_configure_project_features
|
|
gitlab_configure_mail_delivery
|
|
gitlab_configure_mailroom
|
|
gitlab_configure_oauth
|
|
gitlab_configure_ldap
|
|
gitlab_configure_gravatar
|
|
gitlab_configure_cron_jobs
|
|
gitlab_configure_analytics
|
|
gitlab_configure_backups
|
|
generate_registry_certificates
|
|
gitlab_configure_registry
|
|
gitlab_configure_pages
|
|
gitlab_configure_sentry
|
|
generate_healthcheck_script
|
|
gitlab_configure_content_security_policy
|
|
|
|
# remove stale gitlab.socket
|
|
rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket
|
|
}
|
|
|
|
# feature flags are recorded to database (schema "application_settings") so requires DB is (at least) initialized
|
|
gitlab_configure_feature_flags() {
|
|
echo "Configuring gitlab::feature_flags..."
|
|
|
|
if [[ -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" && -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then
|
|
# Do nothing and reports no error if no targets specified
|
|
echo "- No targets specified. skipping..."
|
|
return 0
|
|
fi
|
|
|
|
# Build command line argument for script only when target is specified
|
|
# If not, scripts fails because option specifier is recognized as feature flags for example
|
|
# like "--disable --enable" : for this case, --disable is recognized as a value of option "--enable"
|
|
if [[ -n "${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" ]]; then
|
|
GITLAB_FEATURE_FLAGS_DISABLE_TARGETS="--disable ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}"
|
|
fi
|
|
# The same goes for --enable (this is the last option passed to "rails runner" that will be run below)
|
|
# For this case (final option), it throws "missing argument" error for execution like:
|
|
# like "--disable feature1,feature2 --enable"
|
|
if [[ -n "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then
|
|
GITLAB_FEATURE_FLAGS_ENABLE_TARGETS="--enable ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}"
|
|
fi
|
|
|
|
PWD_ORG=${PWD}
|
|
cd "${GITLAB_INSTALL_DIR}"
|
|
|
|
# copy the script to temporal directory : to avoid permission issue
|
|
cp "${GITLAB_RUNTIME_DIR}/scripts/configure_feature_flags.rb" "${GITLAB_TEMP_DIR}/"
|
|
chown "${GITLAB_USER}:" "${GITLAB_TEMP_DIR}/configure_feature_flags.rb"
|
|
|
|
echo "- Launching rails runner to set feature flags. This will take some time...."
|
|
|
|
# If arguments are empty, the script will do nothing and print object dump like below:
|
|
# - specified feature flags: {:to_be_disabled=>[], :to_be_enabled=>[]}
|
|
# DO NOT qupte variables : word splitting must be enabled.
|
|
# If disabled, whole string like '--disable feature_name_1,feature_name_2'
|
|
# will be recognized as single option and results to invalid argument error
|
|
#
|
|
# shellcheck disable=SC2086
|
|
exec_as_git bundle exec rails runner "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" \
|
|
${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS} \
|
|
${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}
|
|
|
|
rm "${GITLAB_TEMP_DIR}/configure_feature_flags.rb"
|
|
cd "${PWD_ORG}"
|
|
}
|
|
|
|
configure_gitlab_requires_db() {
|
|
gitlab_configure_feature_flags
|
|
}
|
|
|
|
configure_gitlab_shell() {
|
|
echo "Configuring gitlab-shell..."
|
|
update_template ${GITLAB_SHELL_CONFIG} \
|
|
GITLAB_RELATIVE_URL_ROOT \
|
|
GITLAB_HOME \
|
|
GITLAB_LOG_DIR \
|
|
GITLAB_SHELL_INSTALL_DIR \
|
|
SSL_SELF_SIGNED \
|
|
REDIS_HOST \
|
|
REDIS_PORT \
|
|
REDIS_DB_NUMBER
|
|
|
|
# update custom_hooks_dir if set $GITLAB_SHELL_CUSTOM_HOOKS_DIR
|
|
if [[ -n ${GITLAB_SHELL_CUSTOM_HOOKS_DIR} ]]; then
|
|
exec_as_git sed -i \
|
|
"s|custom_hooks_dir:.*|custom_hooks_dir: $GITLAB_SHELL_CUSTOM_HOOKS_DIR|g" \
|
|
${GITLAB_SHELL_CONFIG}
|
|
fi
|
|
}
|
|
|
|
|
|
configure_gitlab_pages() {
|
|
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
|
|
echo "Configuring gitlab-pages..."
|
|
cat > /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
|
|
[program:gitlab-pages]
|
|
priority=20
|
|
directory=${GITLAB_INSTALL_DIR}
|
|
environment=HOME=${GITLAB_HOME}
|
|
command=/usr/local/bin/gitlab-pages
|
|
-pages-domain ${GITLAB_PAGES_DOMAIN}
|
|
-pages-root ${GITLAB_PAGES_DIR}
|
|
-listen-proxy :8090
|
|
EOF
|
|
|
|
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
|
|
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
|
|
-listen-http ${GITLAB_PAGES_EXTERNAL_HTTP}
|
|
EOF
|
|
fi
|
|
|
|
|
|
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
|
|
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
|
|
-listen-https ${GITLAB_PAGES_EXTERNAL_HTTPS}
|
|
-root-cert ${SSL_PAGES_CERT_PATH}
|
|
-root-key ${SSL_PAGES_KEY_PATH}
|
|
EOF
|
|
fi
|
|
|
|
if [[ ${GITLAB_PAGES_ACCESS_CONTROL} == true ]]; then
|
|
if [[ -z ${GITLAB_PAGES_ACCESS_SECRET} ]]; then
|
|
GITLAB_PAGES_ACCESS_SECRET=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40 ; echo '')
|
|
fi
|
|
|
|
update_template ${GITLAB_PAGES_CONFIG} \
|
|
GITLAB_PAGES_ACCESS_CLIENT_ID \
|
|
GITLAB_PAGES_ACCESS_CLIENT_SECRET \
|
|
GITLAB_PAGES_ACCESS_REDIRECT_URI \
|
|
GITLAB_PAGES_ACCESS_SECRET \
|
|
GITLAB_PAGES_ACCESS_CONTROL_SERVER \
|
|
GITLAB_INSTALL_DIR
|
|
|
|
if [[ -n ${GITLAB_PAGES_ARTIFACTS_SERVER_URL} ]]; then
|
|
update_template ${GITLAB_PAGES_CONFIG} GITLAB_PAGES_ARTIFACTS_SERVER_URL
|
|
else
|
|
exec_as_git sed -i "/{{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}/d" ${GITLAB_PAGES_CONFIG}
|
|
fi
|
|
else
|
|
update_template ${GITLAB_PAGES_CONFIG} \
|
|
GITLAB_INSTALL_DIR
|
|
|
|
exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_CLIENT_ID}}/d" ${GITLAB_PAGES_CONFIG}
|
|
exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_CLIENT_SECRET}}/d" ${GITLAB_PAGES_CONFIG}
|
|
exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_REDIRECT_URI}}/d" ${GITLAB_PAGES_CONFIG}
|
|
exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_SECRET}}/d" ${GITLAB_PAGES_CONFIG}
|
|
exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_CONTROL_SERVER}}/d" ${GITLAB_PAGES_CONFIG}
|
|
exec_as_git sed -i "/{{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}/d" ${GITLAB_PAGES_CONFIG}
|
|
fi
|
|
|
|
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
|
|
-config ${GITLAB_PAGES_CONFIG}
|
|
EOF
|
|
|
|
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
|
|
user=git
|
|
autostart=true
|
|
autorestart=true
|
|
stdout_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log
|
|
stderr_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log
|
|
EOF
|
|
fi
|
|
}
|
|
|
|
configure_nginx() {
|
|
echo "Configuring nginx..."
|
|
sed -i \
|
|
-e "s|worker_processes .*|worker_processes ${NGINX_WORKERS};|" \
|
|
-e "s|# server_names_hash_bucket_size 64;|server_names_hash_bucket_size ${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE};|" \
|
|
/etc/nginx/nginx.conf
|
|
|
|
nginx_configure_gitlab
|
|
nginx_configure_gitlab_ci
|
|
nginx_configure_gitlab_registry
|
|
nginx_configure_pages
|
|
}
|
|
|
|
migrate_database() {
|
|
# run the `gitlab:setup` rake task if required
|
|
QUERY="SELECT count(*) FROM information_schema.tables WHERE table_schema = 'public';"
|
|
COUNT=$(PGPASSWORD="${DB_PASS}" psql -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -Atw -c "${QUERY}")
|
|
|
|
|
|
if [[ -z ${COUNT} || ${COUNT} -eq 0 ]]; then
|
|
echo "Setting up GitLab for firstrun. Please be patient, this could take a while..."
|
|
exec_as_git force=yes bundle exec rake gitlab:setup \
|
|
${GITLAB_ROOT_PASSWORD:+GITLAB_ROOT_PASSWORD=$GITLAB_ROOT_PASSWORD} \
|
|
${GITLAB_ROOT_EMAIL:+GITLAB_ROOT_EMAIL=$GITLAB_ROOT_EMAIL} >/dev/null
|
|
fi
|
|
|
|
# migrate database if the gitlab version has changed.
|
|
CACHE_VERSION=
|
|
[[ -f ${GITLAB_TEMP_DIR}/VERSION ]] && CACHE_VERSION=$(cat ${GITLAB_TEMP_DIR}/VERSION)
|
|
if [[ ${GITLAB_VERSION} != ${CACHE_VERSION} ]]; then
|
|
## version check, only upgrades are allowed
|
|
if [[ -n ${CACHE_VERSION} && $(vercmp ${GITLAB_VERSION} ${CACHE_VERSION}) -lt 0 ]]; then
|
|
echo
|
|
echo "ERROR: "
|
|
echo " Cannot downgrade from GitLab version ${CACHE_VERSION} to ${GITLAB_VERSION}."
|
|
echo " Only upgrades are allowed. Please use sameersbn/gitlab:${CACHE_VERSION} or higher."
|
|
echo " Cannot continue. Aborting!"
|
|
echo
|
|
return 1
|
|
fi
|
|
|
|
if [[ $(vercmp ${GITLAB_VERSION} 8.0.0) -gt 0 ]]; then
|
|
if [[ -n ${CACHE_VERSION} && $(vercmp ${CACHE_VERSION} 8.0.0) -lt 0 ]]; then
|
|
echo
|
|
echo "ABORT: "
|
|
echo " Upgrading to GitLab ${GITLAB_VERSION} from ${CACHE_VERSION} is not recommended."
|
|
echo " Please upgrade to version 8.0.5-1 before upgrading to 8.1.0 or higher."
|
|
echo " Refer to https://git.io/vur4j for CI migration instructions."
|
|
echo " Aborting for your own safety!"
|
|
echo
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
echo "Migrating database..."
|
|
exec_as_git bundle exec rake db:migrate >/dev/null
|
|
|
|
echo "${GITLAB_VERSION}" > ${GITLAB_TEMP_DIR}/VERSION
|
|
rm -rf ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT # force cache cleanup
|
|
fi
|
|
|
|
# clear cache if relative_url has changed.
|
|
[[ -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT ]] && CACHE_GITLAB_RELATIVE_URL_ROOT=$(cat ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT)
|
|
if [[ ! -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT || ${GITLAB_RELATIVE_URL_ROOT} != ${CACHE_GITLAB_RELATIVE_URL_ROOT} ]]; then
|
|
echo "Clearing cache..."
|
|
exec_as_git bundle exec rake cache:clear >/dev/null 2>&1
|
|
echo "${GITLAB_RELATIVE_URL_ROOT}" > ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT
|
|
fi
|
|
}
|
|
|
|
execute_raketask() {
|
|
if [[ -z ${1} ]]; then
|
|
echo "Please specify the rake task to execute. See https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks"
|
|
return 1
|
|
fi
|
|
|
|
if [[ ${1} == gitlab:backup:create ]]; then
|
|
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
|
|
supervisorctl stop gitlab_extensions:*
|
|
supervisorctl stop gitlab:*
|
|
fi
|
|
|
|
if [[ ${1} == gitlab:backup:restore ]]; then
|
|
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
|
|
supervisorctl stop gitlab_extensions:*
|
|
supervisorctl stop gitlab:*
|
|
interactive=true
|
|
for arg in $@
|
|
do
|
|
if [[ $arg == BACKUP=* ]]; then
|
|
interactive=false
|
|
break
|
|
fi
|
|
done
|
|
|
|
# user needs to select the backup to restore
|
|
if [[ $interactive == true ]]; then
|
|
nBackups=$(ls ${GITLAB_BACKUP_DIR}/*_gitlab_backup.tar | wc -l)
|
|
if [[ $nBackups -eq 0 ]]; then
|
|
echo "No backup present. Cannot continue restore process.".
|
|
return 1
|
|
fi
|
|
|
|
echo
|
|
for b in $(ls ${GITLAB_BACKUP_DIR} | grep _gitlab_backup | sort -r)
|
|
do
|
|
echo "‣ $b (created at $(date --date="@${b%%_*_gitlab_backup.tar}" +'%d %b, %G - %H:%M:%S %Z'))"
|
|
done
|
|
echo
|
|
|
|
read -p "Select a backup to restore: " file
|
|
|
|
if [[ -z ${file} ]]; then
|
|
echo "Backup not specified. Exiting..."
|
|
return 1
|
|
fi
|
|
|
|
if [[ ! -f ${GITLAB_BACKUP_DIR}/${file} ]]; then
|
|
echo "Specified backup does not exist. Aborting..."
|
|
return 1
|
|
fi
|
|
|
|
BACKUP=${file%%_gitlab_backup.tar}
|
|
fi
|
|
elif [[ ${1} == gitlab:import:repos ]]; then
|
|
# sanitize the datadir to avoid permission issues
|
|
sanitize_datadir
|
|
fi
|
|
echo "Running raketask ${1}..."
|
|
exec_as_git bundle exec rake $@ ${BACKUP:+BACKUP=$BACKUP}
|
|
}
|
|
|
|
generate_registry_certificates() {
|
|
if [[ ${GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES} == true ]]; then
|
|
echo 'Generating GitLab Registry internal certificates for communication between Gitlab and a Docker Registry'
|
|
PREVIOUS_DIRECTORY=$(pwd)
|
|
# Get directory from cert file path
|
|
if [[ -z $GITLAB_REGISTRY_KEY_PATH ]]; then
|
|
echo "\$GITLAB_REGISTRY_KEY_PATH is empty"
|
|
return 1
|
|
fi
|
|
DIRECTORY=$(dirname "$GITLAB_REGISTRY_KEY_PATH")
|
|
echo "Registry internal certificates will be generated in directory: $DIRECTORY"
|
|
# Make certs directory if it doesn't exists
|
|
mkdir -p "$DIRECTORY"
|
|
# Go to the temporary directory
|
|
cd "$DIRECTORY" || return
|
|
# Get key filename
|
|
KEY_FILENAME=$(basename "$GITLAB_REGISTRY_KEY_PATH")
|
|
echo "Registry internal key filename: $KEY_FILENAME"
|
|
# Generate cert filename, by default, in same directory as $KEY_FILENAME, with same name, but with extension .crt
|
|
CERT_FILENAME=$(echo "$KEY_FILENAME" | sed "s|key|crt|" -)
|
|
echo "Registry internal cert filename: $CERT_FILENAME"
|
|
# Generate a random password password_file used in the next commands
|
|
if [[ -f password_file ]] ; then
|
|
echo "password_file exists"
|
|
else
|
|
openssl rand -hex -out password_file 32
|
|
fi
|
|
# Create a PKCS#10 certificate request
|
|
echo "Generating internal certificate request"
|
|
if [[ -f registry.csr ]] ; then
|
|
echo "registry.csr exists"
|
|
else
|
|
openssl req -new -passout file:password_file -newkey rsa:4096 -batch > registry.csr
|
|
fi
|
|
# Process RSA key
|
|
echo "Processing RSA internal key"
|
|
if [[ -f $KEY_FILENAME ]] ; then
|
|
echo "$KEY_FILENAME exists"
|
|
else
|
|
openssl rsa -passin file:password_file -in privkey.pem -out "$KEY_FILENAME"
|
|
fi
|
|
|
|
# Generate certificate
|
|
echo "Generating internal certificate"
|
|
if [[ -f $CERT_FILENAME ]] ; then
|
|
echo "$CERT_FILENAME exists"
|
|
else
|
|
openssl x509 -in registry.csr -out "$CERT_FILENAME" -req -signkey "$KEY_FILENAME" -days 10000
|
|
fi
|
|
chown -R ${GITLAB_USER}: ${DIRECTORY}
|
|
cd ${PREVIOUS_DIRECTORY}
|
|
fi
|
|
}
|