Files
docker-gitlab/assets/runtime/functions
Steven Achilles 04bfca3805 Merge pull request #3126 from ysicing/master
feat: Add support for Omniauth JWT login.
2025-06-19 19:56:25 +02:00

2379 lines
82 KiB
Bash

#!/bin/bash
set -e
for file in /gitlab-configs /run/secrets/gitlab-secrets; do
if [[ -e "$file" ]]; then
echo "Loading $file"
source "$file"
fi
done
echo "Loading ${GITLAB_RUNTIME_DIR}/env-defaults"
source ${GITLAB_RUNTIME_DIR}/env-defaults
SYSCONF_TEMPLATES_DIR="${GITLAB_RUNTIME_DIR}/config"
USERCONF_TEMPLATES_DIR="${GITLAB_DATA_DIR}/config"
GITLAB_CONFIG="${GITLAB_INSTALL_DIR}/config/gitlab.yml"
GITLAB_DATABASE_CONFIG="${GITLAB_INSTALL_DIR}/config/database.yml"
GITLAB_PUMA_CONFIG="${GITLAB_INSTALL_DIR}/config/puma.rb"
GITLAB_RELATIVE_URL_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/relative_url.rb"
GITLAB_SMTP_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/smtp_settings.rb"
GITLAB_RESQUE_CONFIG="${GITLAB_INSTALL_DIR}/config/resque.yml"
GITLAB_ACTIONCABLE_CONFIG="${GITLAB_INSTALL_DIR}/config/cable.yml"
GITLAB_SECRETS_CONFIG="${GITLAB_INSTALL_DIR}/config/secrets.yml"
GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt"
GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml"
GITLAB_NGINX_CONFIG="/etc/nginx/conf.d/gitlab.conf"
GITLAB_CI_NGINX_CONFIG="/etc/nginx/conf.d/gitlab_ci.conf"
GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-registry.conf"
GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-pages.conf"
GITLAB_PAGES_CONFIG="${GITLAB_INSTALL_DIR}/gitlab-pages-config"
GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml"
# Compares two version strings `a` and `b`
# Returns
# - negative integer, if `a` is less than `b`
# - 0, if `a` and `b` are equal
# - non-negative integer, if `a` is greater than `b`
vercmp() {
expr '(' "$1" : '\([^.]*\)' ')' '-' '(' "$2" : '\([^.]*\)' ')' '|' \
'(' "$1.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
'(' "$1.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '|' \
'(' "$1.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')'
}
## Execute a command as GITLAB_USER
exec_as_git() {
if [[ $(whoami) == ${GITLAB_USER} ]]; then
$@
else
sudo -HEu ${GITLAB_USER} "$@"
fi
}
## Copies configuration template to the destination as the specified USER
### Looks up for overrides in ${USERCONF_TEMPLATES_DIR} before using the defaults from ${SYSCONF_TEMPLATES_DIR}
# $1: copy-as user
# $2: source file
# $3: destination location
# $4: mode of destination
install_template() {
local OWNERSHIP=${1}
local SRC=${2}
local DEST=${3}
local MODE=${4:-0644}
if [[ -f ${USERCONF_TEMPLATES_DIR}/${SRC} ]]; then
cp ${USERCONF_TEMPLATES_DIR}/${SRC} ${DEST}
elif [[ -f ${SYSCONF_TEMPLATES_DIR}/${SRC} ]]; then
cp ${SYSCONF_TEMPLATES_DIR}/${SRC} ${DEST}
fi
chmod ${MODE} ${DEST}
chown ${OWNERSHIP} ${DEST}
}
## Replace placeholders with values
# $1: file with placeholders to replace
# $x: placeholders to replace
update_template() {
local FILE=${1?missing argument}
shift
[[ ! -f ${FILE} ]] && return 1
local VARIABLES=($@)
local USR=$(stat -c %U ${FILE})
local tmp_file=$(mktemp)
cp -a "${FILE}" ${tmp_file}
local variable
for variable in ${VARIABLES[@]}; do
# Keep the compatibilty: {{VAR}} => ${VAR}
sed -ri "s/[{]{2}$variable[}]{2}/\${$variable}/g" ${tmp_file}
done
# Replace placeholders
(
export ${VARIABLES[@]}
local IFS=":"; sudo -HEu ${USR} envsubst "${VARIABLES[*]/#/$}" < ${tmp_file} > ${FILE}
)
rm -f ${tmp_file}
}
gitlab_finalize_database_parameters() {
# is a postgresql database linked?
# requires that the postgresql containers have exposed port 5432.
DB_HOST=${DB_HOST:-${POSTGRESQL_PORT_5432_TCP_ADDR}}
DB_PORT=${DB_PORT:-${POSTGRESQL_PORT_5432_TCP_PORT}}
# support for linked official postgres image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRES_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRES_PASSWORD}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_DB}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_USER}}
# support for linked sameersbn/postgresql image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_DB_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_DB_PASS}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB_NAME}}
# support for linked orchardup/postgresql image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRESQL_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRESQL_PASS}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRESQL_DB}}
# support for linked paintedfox/postgresql image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_PASS}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB}}
if [[ -z ${DB_HOST} ]]; then
echo
echo "ERROR: "
echo " Please configure the database connection."
echo " Refer http://git.io/wkYhyA for more information."
echo " Cannot continue without a database. Aborting..."
echo
return 1
fi
# set default port number if not specified
DB_PORT=${DB_PORT:-5432}
DB_ENCODING=${DB_ENCODING:-unicode}
# set default user and database
DB_USER=${DB_USER:-root}
DB_NAME=${DB_NAME:-gitlabhq_production}
}
gitlab_check_database_connection() {
prog=$(command -v pg_isready)
prog="${prog} -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -t 1"
timeout=60
while ! ${prog} >/dev/null 2>&1
do
timeout=$(expr $timeout - 1)
if [[ $timeout -eq 0 ]]; then
echo
echo "Could not connect to database server. Aborting..."
return 1
fi
echo -n "."
sleep 1
done
echo
}
gitlab_generate_postgresqlrc() {
echo "Configuring /home/${GITLAB_USER}/.postgresqlrc to avoid version mismatch on dumping"
# server_version_num property is a number built from version string:
# https://www.postgresql.org/docs/15/libpq-status.html#LIBPQ-PQSERVERVERSION
# > The result is formed by multiplying the server's major version number by 10000 and adding the minor version number.
# > For example, version 10.1 will be returned as 100001, and version 11.0 will be returned as 110000. Zero is returned if the connection is bad.
# >
# > Prior to major version 10, PostgreSQL used three-part version numbers in which the first two parts together represented the major version.
# > For those versions, PQserverVersion uses two digits for each part;
# > for example version 9.1.5 will be returned as 90105, and version 9.2.0 will be returned as 90200.
#
# This difference also appends to apt package name.
# For example, in ubuntu:focal, postgresql-client-{8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 10, 11, 12, 13, 14, 15} are available.
#
DB_SERVER_VERSION=$(PGPASSWORD=${DB_PASS} psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_USER}" -d "${DB_NAME}" -Atw -c "SHOW server_version_num")
if [[ "${DB_SERVER_VERSION}" -eq 0 ]]; then
echo
echo "Could not retrieve database server version correctly. Aborting..."
return 1
fi
echo "- Detected server version: ${DB_SERVER_VERSION}"
# Anyway, we can get major version (8, 9, 10 and so on) by dividing by 10000.
# DB_SERVER_VERSION_MAJOR=${DB_SERVER_VERSION%%.*}
DB_SERVER_VERSION_MAJOR=$((DB_SERVER_VERSION/10000))
DB_CLIENT_VERSION_PACKAGE_NAME=
if [[ "${DB_SERVER_VERSION_MAJOR}" -ge 10 ]]; then
# v10 or later: use "rought major version" as version number in package name
DB_CLIENT_VERSION_PACKAGE_NAME=${DB_SERVER_VERSION_MAJOR}
else
# prior to v10: convert
# FIXME: rough implementation
# It exploits the fact that there is no version such as 9.10, and it lacks versatility.
# divide by 100, then replace first 0 to comma
DB_CLIENT_VERSION_PACKAGE_NAME=$((DB_SERVER_VERSION/100))
DB_CLIENT_VERSION_PACKAGE_NAME=${DB_CLIENT_VERSION_PACKAGE_NAME/0/.}
fi
# if exact-match client not found, select latest version from installed clients
if [[ "$(apt-cache pkgnames postgresql-client | grep -e "-${DB_CLIENT_VERSION_PACKAGE_NAME}" | wc -l)" -ne 1 ]]; then
LATEST_CLIENT="$(apt-cache pkgnames postgresql-client | grep -v -e "-common" | sort --version-sort | tail -n1)"
DB_CLIENT_VERSION_PACKAGE_NAME=${LATEST_CLIENT/postgresql-client-/}
echo "gitlab_generate_postgresqlrc(): WARNING - Suitable client not installed. postgresql-client-${DB_CLIENT_VERSION_PACKAGE_NAME} will be used but you may face issue (database in backup will be empty, for example)"
fi
# generate ~/.postgresqlrc to switch client version
GITLAB_USER_POSTGRESQLRC="/home/${GITLAB_USER}/.postgresqlrc"
echo "- Generating ${GITLAB_USER_POSTGRESQLRC}"
echo "${DB_CLIENT_VERSION_PACKAGE_NAME} ${DB_HOST}:${DB_PORT} ${DB_NAME}" | exec_as_git tee "${GITLAB_USER_POSTGRESQLRC}"
}
gitlab_uninstall_unused_database_client() {
if [[ -f "/home/${GITLAB_USER}/.postgresqlrc" ]]; then
# refer /home/${GITLAB_USER}/.postgresqlrc and pick up versions in use
# .postgresqlrc contains following information per line
# database_major_version host:port database_name
# - ignore lines starts with # by specifying pattern /^[^#]/
# - first field is the version number in use.
# - cocnat whole lines into single string. convert newline to \|
# this is escaped regex "OR"
# now we got the following regex that can be used as an option to grep:
# \|-12\|-13
DB_CLIENT_VERSIONS_IN_USE="$(awk '/^[^#]/ {printf("\|-%s",$1)}' "/home/${GITLAB_USER}/.postgresqlrc")"
# we also need to keep postgresql-client-common package to switch based on ~/.postgresqlrc
REGEX_DB_CLIENT_VERSIONS_IN_USE="-common${DB_CLIENT_VERSIONS_IN_USE}"
# remove unused client using regex above
# grep may return non-zero code on mo match, so fake the exit code with the `|| true` to swallow that
UNUSED_DB_CLIENTS=$(apt-cache pkgnames postgresql-client | grep -v -e "${REGEX_DB_CLIENT_VERSIONS_IN_USE}" || true)
if [[ "${UNUSED_DB_CLIENTS}" == "" ]]; then
echo "- All installed version of clients are in use. Did not uninstalled any client..."
return
fi
# just to get clean log, convert newline (package name delimiter) to single whitespace
UNUSED_DB_CLIENTS=$(echo ${UNUSED_DB_CLIENTS} | tr '\n' ' ')
echo "- Uninstalling unused client(s): ${UNUSED_DB_CLIENTS}"
DEBIAN_FRONTEND=noninteractive apt-get -qq -y purge -- ${UNUSED_DB_CLIENTS} >/dev/null
fi
}
gitlab_configure_database() {
echo -n "Configuring gitlab::database"
gitlab_finalize_database_parameters
gitlab_check_database_connection
gitlab_generate_postgresqlrc
gitlab_uninstall_unused_database_client
update_template ${GITLAB_DATABASE_CONFIG} \
DB_ENCODING \
DB_HOST \
DB_PORT \
DB_NAME \
DB_USER \
DB_PASS \
DB_POOL \
DB_PREPARED_STATEMENTS
}
gitlab_finalize_redis_parameters() {
# is a redis container linked?
if [[ -n ${REDISIO_PORT_6379_TCP_ADDR} ]]; then
REDIS_HOST=${REDIS_HOST:-${REDISIO_PORT_6379_TCP_ADDR}}
REDIS_PORT=${REDIS_PORT:-${REDISIO_PORT_6379_TCP_PORT}}
fi
# set default redis port if not specified
REDIS_PORT=${REDIS_PORT:-6379}
if [[ -z ${REDIS_HOST} ]]; then
echo
echo "ERROR: "
echo " Please configure the redis connection."
echo " Refer http://git.io/PMnRSw for more information."
echo " Cannot continue without a redis connection. Aborting..."
echo
return 1
fi
}
gitlab_check_redis_connection() {
timeout=60
while ! redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -n ${REDIS_DB_NUMBER} ping >/dev/null 2>&1
do
timeout=$(expr $timeout - 1)
if [[ $timeout -eq 0 ]]; then
echo ""
echo "Could not connect to redis server. Aborting..."
return 1
fi
echo -n "."
sleep 1
done
echo
}
gitlab_configure_redis() {
echo -n "Configuring gitlab::redis"
gitlab_finalize_redis_parameters
gitlab_check_redis_connection
update_template ${GITLAB_RESQUE_CONFIG} \
REDIS_HOST \
REDIS_PORT \
REDIS_DB_NUMBER
}
gitlab_configure_actioncable() {
echo -n "Configuring gitlab::actioncable"
gitlab_finalize_redis_parameters
gitlab_check_redis_connection
update_template ${GITLAB_ACTIONCABLE_CONFIG} \
REDIS_HOST \
REDIS_PORT \
REDIS_DB_NUMBER
}
gitlab_configure_gitaly() {
echo "Configuring gitlab::gitaly..."
update_template ${GITLAB_GITALY_CONFIG} \
GITALY_SOCKET_PATH \
GITLAB_GITALY_INSTALL_DIR \
GITLAB_LOG_DIR \
GITLAB_REPOS_DIR \
GITLAB_SHELL_INSTALL_DIR \
GITLAB_RELATIVE_URL_ROOT
update_template ${GITLAB_CONFIG} \
GITALY_CLIENT_PATH \
GITALY_TOKEN
}
gitlab_configure_monitoring() {
echo "Configuring gitlab::monitoring..."
if [ "${GITLAB_MONITORING_IP_WHITELIST}" == "" ]; then
exec_as_git sed -i "/{{GITLAB_MONITORING_IP_WHITELIST}}/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \
GITLAB_MONITORING_IP_WHITELIST \
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED \
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS \
GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT
}
gitlab_configure_gitlab_workhorse() {
echo "Configuring gitlab::gitlab-workhorse..."
update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \
GITLAB_RELATIVE_URL_ROOT \
GITLAB_WORKHORSE_TIMEOUT
}
gitlab_configure_puma() {
echo "Configuring gitlab::puma..."
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
update_template ${GITLAB_PUMA_CONFIG} GITLAB_RELATIVE_URL_ROOT
else
exec_as_git sed -i "/{{GITLAB_RELATIVE_URL_ROOT}}/d" ${GITLAB_PUMA_CONFIG}
fi
update_template ${GITLAB_PUMA_CONFIG} \
GITLAB_INSTALL_DIR \
PUMA_THREADS_MIN \
PUMA_THREADS_MAX \
PUMA_WORKERS \
PUMA_PER_WORKER_MAX_MEMORY_MB \
PUMA_MASTER_MAX_MEMORY_MB \
PUMA_TIMEOUT
}
gitlab_configure_relative_url() {
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
echo "Configuring gitlab::relative_url..."
update_template ${GITLAB_RELATIVE_URL_CONFIG} GITLAB_RELATIVE_URL_ROOT
fi
}
gitlab_configure_trusted_proxies() {
if [[ -n ${GITLAB_TRUSTED_PROXIES} ]]; then
echo "Configuring gitlab::trusted_proxies..."
update_template ${GITLAB_CONFIG} GITLAB_TRUSTED_PROXIES
else
exec_as_git sed -i "/{{GITLAB_TRUSTED_PROXIES}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_timezone() {
echo "Configuring gitlab::timezone..."
update_template ${GITLAB_CONFIG} GITLAB_TIMEZONE
}
gitlab_configure_mail_delivery() {
if [[ ${SMTP_ENABLED} == true ]]; then
echo "Configuring gitlab::smtp_settings..."
if [[ -z "${SMTP_USER}" ]]; then
exec_as_git sed -i \
-e '/{{SMTP_USER}}/d' \
-e '/{{SMTP_PASS}}/d' \
${GITLAB_SMTP_CONFIG}
else
if [[ -z "${SMTP_PASS}" ]]; then
exec_as_git sed -i '/{{SMTP_PASS}}/d' ${GITLAB_SMTP_CONFIG}
fi
fi
update_template ${GITLAB_SMTP_CONFIG} \
SMTP_USER \
SMTP_PASS \
SMTP_HOST \
SMTP_PORT \
SMTP_DOMAIN \
SMTP_STARTTLS \
SMTP_TLS \
SMTP_OPENSSL_VERIFY_MODE
case ${SMTP_AUTHENTICATION} in
"") exec_as_git sed -i "/{{SMTP_AUTHENTICATION}}/d" ${GITLAB_SMTP_CONFIG} ;;
*) update_template ${GITLAB_SMTP_CONFIG} SMTP_AUTHENTICATION ;;
esac
if [[ ${SMTP_CA_ENABLED} == true ]]; then
if [[ -d ${SMTP_CA_PATH} ]]; then
update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_PATH
fi
if [[ -f ${SMTP_CA_FILE} ]]; then
update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_FILE
fi
else
exec_as_git sed -i \
-e "/{{SMTP_CA_PATH}}/d" \
-e "/{{SMTP_CA_FILE}}/d" \
${GITLAB_SMTP_CONFIG}
fi
fi
update_template ${GITLAB_CONFIG} \
GITLAB_EMAIL_ENABLED \
GITLAB_EMAIL \
GITLAB_EMAIL_DISPLAY_NAME \
GITLAB_EMAIL_REPLY_TO \
GITLAB_EMAIL_SUBJECT_SUFFIX
if [[ ${GITLAB_EMAIL_SMIME_ENABLE} == true ]]; then
exec_as_git sed -i "/#start-email-smime/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-email-smime/d" ${GITLAB_CONFIG}
update_template ${GITLAB_CONFIG} \
GITLAB_EMAIL_SMIME_ENABLE \
GITLAB_EMAIL_SMIME_KEY_FILE \
GITLAB_EMAIL_SMIME_CERT_FILE
else
exec_as_git sed -i "/#start-email-smime/,/#end-email-smime/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_mailroom() {
if [[ ${IMAP_ENABLED} == true ]]; then
echo "Configuring gitlab::incoming_email..."
if [[ -z "${IMAP_USER}" ]]; then
exec_as_git sed -i \
-e '/{{IMAP_USER}}/d' \
-e '/{{IMAP_PASS}}/d' \
${GITLAB_CONFIG}
else
if [[ -z "${IMAP_PASS}" ]]; then
exec_as_git sed -i '/{{IMAP_PASS}}/d' ${GITLAB_CONFIG}
fi
fi
else
exec_as_git sed -i \
-e "/{{IMAP_USER}}/d" \
-e "/{{IMAP_PASS}}/d" \
-e "/{{IMAP_HOST}}/d" \
-e "/{{IMAP_PORT}}/d" \
-e "/{{IMAP_SSL}}/d" \
-e "/{{IMAP_STARTTLS}}/d" \
-e "/{{IMAP_MAILBOX}}/d" \
-e "/{{IMAP_TIMEOUT}}/d" \
${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_INCOMING_EMAIL_ADDRESS \
GITLAB_INCOMING_EMAIL_ENABLED \
IMAP_USER \
IMAP_PASS \
IMAP_HOST \
IMAP_PORT \
IMAP_SSL \
IMAP_STARTTLS \
IMAP_MAILBOX \
IMAP_TIMEOUT
# enable/disable startup of mailroom
echo "mail_room_enabled=${GITLAB_INCOMING_EMAIL_ENABLED}" >> /etc/default/gitlab
update_template /etc/supervisor/conf.d/mail_room.conf GITLAB_INCOMING_EMAIL_ENABLED
}
gitlab_configure_ldap() {
echo "Configuring gitlab::ldap..."
update_template ${GITLAB_CONFIG} \
LDAP_ENABLED \
LDAP_HOST \
LDAP_PORT \
LDAP_UID \
LDAP_METHOD \
LDAP_VERIFY_SSL \
LDAP_CA_FILE \
LDAP_SSL_VERSION \
LDAP_BIND_DN \
LDAP_PASS \
LDAP_TIMEOUT \
LDAP_ACTIVE_DIRECTORY \
LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN \
LDAP_BLOCK_AUTO_CREATED_USERS \
LDAP_BASE \
LDAP_USER_FILTER \
LDAP_LOWERCASE_USERNAMES \
LDAP_USER_ATTRIBUTE_USERNAME \
LDAP_USER_ATTRIBUTE_MAIL \
LDAP_USER_ATTRIBUTE_NAME \
LDAP_USER_ATTRIBUTE_FIRSTNAME \
LDAP_USER_ATTRIBUTE_LASTNAME \
LDAP_LABEL \
LDAP_PREVENT_LDAP_SIGN_IN
}
gitlab_configure_oauth_cas3() {
if [[ -n ${OAUTH_CAS3_SERVER} ]]; then
echo "Configuring gitlab::oauth::cas3..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_CAS3_LABEL \
OAUTH_CAS3_SERVER \
OAUTH_CAS3_DISABLE_SSL_VERIFICATION \
OAUTH_CAS3_LOGIN_URL \
OAUTH_CAS3_VALIDATE_URL \
OAUTH_CAS3_LOGOUT_URL
else
exec_as_git sed -i "/name: 'cas3'/,/{{OAUTH_CAS3_LOGOUT_URL}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_google() {
if [[ -n ${OAUTH_GOOGLE_API_KEY} && -n ${OAUTH_GOOGLE_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::google..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
if [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then
update_template ${GITLAB_CONFIG} \
OAUTH_GOOGLE_API_KEY \
OAUTH_GOOGLE_APP_SECRET \
OAUTH_GOOGLE_RESTRICT_DOMAIN \
OAUTH_GOOGLE_APPROVAL_PROMPT
else
exec_as_git sed -i "/ hd\: \[{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}\]/d" ${GITLAB_CONFIG}
exec_as_git sed -i "s/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}',/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}' } }/" ${GITLAB_CONFIG}
update_template ${GITLAB_CONFIG} \
OAUTH_GOOGLE_API_KEY \
OAUTH_GOOGLE_APP_SECRET \
OAUTH_GOOGLE_APPROVAL_PROMPT
fi
else
exec_as_git sed -i "/name: 'google_oauth2'/,/{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_facebook() {
if [[ -n ${OAUTH_FACEBOOK_API_KEY} && -n ${OAUTH_FACEBOOK_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::facebook..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_FACEBOOK_API_KEY \
OAUTH_FACEBOOK_APP_SECRET
else
exec_as_git sed -i "/name: 'facebook'/,/{{OAUTH_FACEBOOK_APP_SECRET}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_twitter() {
if [[ -n ${OAUTH_TWITTER_API_KEY} && -n ${OAUTH_TWITTER_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::twitter..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_TWITTER_API_KEY \
OAUTH_TWITTER_APP_SECRET
else
exec_as_git sed -i "/name: 'twitter'/,/{{OAUTH_TWITTER_APP_SECRET}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_authentiq() {
if [[ -n ${OAUTH_AUTHENTIQ_CLIENT_ID} && -n ${OAUTH_AUTHENTIQ_CLIENT_SECRET} ]]; then
echo "Configuring gitlab::oauth::authentiq..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_AUTHENTIQ_CLIENT_ID \
OAUTH_AUTHENTIQ_CLIENT_SECRET \
OAUTH_AUTHENTIQ_SCOPE \
OAUTH_AUTHENTIQ_REDIRECT_URI
else
exec_as_git sed -i "/name: 'authentiq'/,/{{OAUTH_AUTHENTIQ_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_github() {
if [[ -n ${OAUTH_GITHUB_API_KEY} && -n ${OAUTH_GITHUB_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::github..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_GITHUB_API_KEY \
OAUTH_GITHUB_APP_SECRET \
OAUTH_GITHUB_URL \
OAUTH_GITHUB_VERIFY_SSL \
OAUTH_GITHUB_SCOPE
else
exec_as_git sed -i "/name: 'github'/,/{{OAUTH_GITHUB_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_gitlab() {
if [[ -n ${OAUTH_GITLAB_API_KEY} && -n ${OAUTH_GITLAB_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::gitlab..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_GITLAB_API_KEY \
OAUTH_GITLAB_APP_SECRET \
OAUTH_GITLAB_SCOPE
else
exec_as_git sed -i "/name: 'gitlab'/,/{{OAUTH_GITLAB_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_bitbucket() {
if [[ -n ${OAUTH_BITBUCKET_API_KEY} && -n ${OAUTH_BITBUCKET_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::bitbucket..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_BITBUCKET_API_KEY \
OAUTH_BITBUCKET_APP_SECRET \
OAUTH_BITBUCKET_URL
else
exec_as_git sed -i "/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_URL}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_saml_attribute_statements() {
if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} ]]; then
echo "Configuring gitlab::oauth::saml::attribute_statements..."
update_template ${GITLAB_CONFIG} \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME
# Remove undefined optional attributes
exec_as_git sed -i "/email: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/name: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/username: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/first_name: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/last_name: \\[''\\],/d" ${GITLAB_CONFIG}
else
exec_as_git sed -i "/attribute_statements:/,/{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_saml() {
if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \
-n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \
-n ${OAUTH_SAML_IDP_SSO_TARGET_URL} && \
-n ${OAUTH_SAML_ISSUER} && \
-n ${OAUTH_SAML_NAME_IDENTIFIER_FORMAT} ]]; then
echo "Configuring gitlab::oauth::saml..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_SAML_LABEL \
OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL \
OAUTH_SAML_IDP_CERT_FINGERPRINT \
OAUTH_SAML_IDP_SSO_TARGET_URL \
OAUTH_SAML_ISSUER \
OAUTH_SAML_NAME_IDENTIFIER_FORMAT \
OAUTH_SAML_GROUPS_ATTRIBUTE \
OAUTH_SAML_EXTERNAL_GROUPS
exec_as_git sed -i "/groups_attribute: '',/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/external_groups: \\[\\],/d" ${GITLAB_CONFIG}
gitlab_configure_oauth_saml_attribute_statements
else
exec_as_git sed -i "/name: 'saml'/,/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth2_generic() {
if [[ -n ${OAUTH2_GENERIC_APP_ID} && \
-n ${OAUTH2_GENERIC_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::generic..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH2_GENERIC_APP_ID \
OAUTH2_GENERIC_APP_SECRET \
OAUTH2_GENERIC_CLIENT_SITE \
OAUTH2_GENERIC_CLIENT_USER_INFO_URL \
OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL \
OAUTH2_GENERIC_CLIENT_TOKEN_URL \
OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT \
OAUTH2_GENERIC_ID_PATH \
OAUTH2_GENERIC_USER_UID \
OAUTH2_GENERIC_USER_NAME \
OAUTH2_GENERIC_USER_EMAIL \
OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE \
OAUTH2_GENERIC_LABEL \
OAUTH2_GENERIC_NAME
else
exec_as_git sed -i "/name: 'oauth2_generic'/,/{{OAUTH2_GENERIC_NAME}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_crowd() {
if [[ -n ${OAUTH_CROWD_SERVER_URL} && \
-n ${OAUTH_CROWD_APP_NAME} && \
-n ${OAUTH_CROWD_APP_PASSWORD} ]]; then
echo "Configuring gitlab::oauth::crowd..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_CROWD_SERVER_URL \
OAUTH_CROWD_APP_NAME \
OAUTH_CROWD_APP_PASSWORD
else
exec_as_git sed -i "/name: 'crowd'/,/{{OAUTH_CROWD_APP_PASSWORD}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_auth0() {
if [[ -n ${OAUTH_AUTH0_CLIENT_ID} && \
-n ${OAUTH_AUTH0_CLIENT_SECRET} && \
-n ${OAUTH_AUTH0_SCOPE} && \
-n ${OAUTH_AUTH0_DOMAIN} ]]; then
echo "Configuring gitlab::oauth::auth0..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_AUTH0_CLIENT_ID \
OAUTH_AUTH0_CLIENT_SECRET \
OAUTH_AUTH0_DOMAIN \
OAUTH_AUTH0_SCOPE
else
exec_as_git sed -i "/name: 'auth0'/,/{{OAUTH_AUTH0_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_azure() {
if [[ -n ${OAUTH_AZURE_API_KEY} && \
-n ${OAUTH_AZURE_API_SECRET} && \
-n ${OAUTH_AZURE_TENANT_ID} ]]; then
echo "Configuring gitlab::oauth::azure..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_AZURE_API_KEY \
OAUTH_AZURE_API_SECRET \
OAUTH_AZURE_TENANT_ID
else
exec_as_git sed -i "/name: 'azure_oauth2'/,/{{OAUTH_AZURE_TENANT_ID}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_azure_ad_v2() {
# we don't check if OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL because it is optional
if [[ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID} && \
-n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET} && \
-n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID} ]]; then
echo "Configuring gitlab::oauth::azure_activedirectory_v2..."
update_template ${GITLAB_CONFIG} \
OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL \
OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID \
OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET \
OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID
else
exec_as_git sed -i "/name: 'azure_activedirectory_v2'/,/{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_oidc() {
if [[ -n ${OAUTH_OIDC_ISSUER} && \
-n ${OAUTH_OIDC_CLIENT_ID} ]]; then
echo "Configuring gitlab::oauth::oidc..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_OIDC_LABEL \
OAUTH_OIDC_ICON \
OAUTH_OIDC_SCOPE \
OAUTH_OIDC_RESPONSE_TYPE \
OAUTH_OIDC_ISSUER \
OAUTH_OIDC_DISCOVERY \
OAUTH_OIDC_CLIENT_AUTH_METHOD \
OAUTH_OIDC_UID_FIELD \
OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP \
OAUTH_OIDC_PKCE \
OAUTH_OIDC_CLIENT_ID \
OAUTH_OIDC_CLIENT_SECRET \
OAUTH_OIDC_REDIRECT_URI
else
exec_as_git sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_jwt() {
if [[ -n ${OAUTH_JWT_SECRET} && \
-n ${OAUTH_JWT_AUTH_URL} ]]; then
echo "Configuring gitlab::oauth::jwt..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_JWT_LABEL \
OAUTH_JWT_SECRET \
OAUTH_JWT_ALGORITHM \
OAUTH_JWT_UID_CLAIM \
OAUTH_JWT_REQUIRED_CLAIMS \
OAUTH_JWT_INFO_MAP_NAME \
OAUTH_JWT_INFO_MAP_EMAIL \
OAUTH_JWT_AUTH_URL \
OAUTH_JWT_VALID_WITHIN
else
exec_as_git sed -i "/name: 'jwt'/,/{{OAUTH_JWT_VALID_WITHIN}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth() {
echo "Configuring gitlab::oauth..."
gitlab_configure_oauth_cas3
gitlab_configure_oauth_google
gitlab_configure_oauth_facebook
gitlab_configure_oauth_twitter
gitlab_configure_oauth_authentiq
gitlab_configure_oauth_github
gitlab_configure_oauth_gitlab
gitlab_configure_oauth_bitbucket
gitlab_configure_oauth_saml
gitlab_configure_oauth2_generic
gitlab_configure_oauth_crowd
gitlab_configure_oauth_auth0
gitlab_configure_oauth_azure
gitlab_configure_oauth_azure_ad_v2
gitlab_configure_oauth_oidc
gitlab_configure_oauth_jwt
OAUTH_ENABLED=${OAUTH_ENABLED:-false}
update_template ${GITLAB_CONFIG} \
OAUTH_ENABLED \
OAUTH_ALLOW_SSO \
OAUTH_BLOCK_AUTO_CREATED_USERS \
OAUTH_AUTO_LINK_LDAP_USER \
OAUTH_AUTO_LINK_SAML_USER \
OAUTH_AUTO_LINK_USER \
OAUTH_EXTERNAL_PROVIDERS \
OAUTH_ALLOW_BYPASS_TWO_FACTOR
case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc|jwt)
update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
;;
*)
exec_as_git sed -i "/{{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}}/d" ${GITLAB_CONFIG}
;;
esac
}
gitlab_configure_secrets() {
echo "Configuring gitlab::secrets..."
if [[ -z $GITLAB_SECRETS_DB_KEY_BASE ]]; then
echo "ERROR: "
echo " Please configure the GITLAB_SECRETS_DB_KEY_BASE parameter."
echo " Cannot continue. Aborting..."
return 1
fi
if [[ -z $GITLAB_SECRETS_SECRET_KEY_BASE ]]; then
echo "ERROR: "
echo " Please configure the GITLAB_SECRETS_SECRET_KEY_BASE parameter."
echo " Cannot continue. Aborting..."
return 1
fi
if [[ -z $GITLAB_SECRETS_OTP_KEY_BASE ]]; then
echo "ERROR: "
echo " Please configure the GITLAB_SECRETS_OTP_KEY_BASE parameter."
echo " Cannot continue. Aborting..."
return 1
fi
update_template ${GITLAB_SECRETS_CONFIG} \
GITLAB_SECRETS_DB_KEY_BASE \
GITLAB_SECRETS_SECRET_KEY_BASE \
GITLAB_SECRETS_OTP_KEY_BASE \
GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE \
GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY \
GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY \
GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
if [[ ! -f "${shell_secret}" ]]; then
exec_as_git openssl rand -hex -out "${shell_secret}" 16
chmod 600 "${shell_secret}"
fi
local workhorse_secret="${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret"
if [[ ! -f "${workhorse_secret}" ]]; then
exec_as_git openssl rand -base64 -out "${workhorse_secret}" 32
chmod 600 "${workhorse_secret}"
fi
local pages_secret="${GITLAB_INSTALL_DIR}/.gitlab_pages_secret"
if [[ ! -f "${pages_secret}" ]]; then
exec_as_git openssl rand -base64 -out "${pages_secret}" 32
chmod 600 "${pages_secret}"
fi
}
gitlab_configure_sidekiq() {
echo "Configuring gitlab::sidekiq..."
# configure gitlab sidekiq log format
update_template ${GITLAB_CONFIG} \
GITLAB_SIDEKIQ_LOG_FORMAT
# configure sidekiq
update_template /etc/supervisor/conf.d/sidekiq.conf \
SIDEKIQ_CONCURRENCY \
SIDEKIQ_SHUTDOWN_TIMEOUT
# enable SidekiqMemoryKiller
## The MemoryKiller is enabled by gitlab if the `SIDEKIQ_MEMORY_KILLER_MAX_RSS` is
## defined in the programs environment and has a non-zero value.
##
## Simply exporting the variable makes it available in the programs environment and
## therefore should enable the MemoryKiller.
##
## Every other MemoryKiller option specified in the docker env will automatically
## be exported, so why bother
export SIDEKIQ_MEMORY_KILLER_MAX_RSS
}
gitlab_configure_backups_schedule() {
case ${GITLAB_BACKUP_SCHEDULE} in
daily|weekly|monthly)
if ! crontab -u ${GITLAB_USER} -l >/tmp/cron.${GITLAB_USER} 2>/dev/null || ! grep -q 'bundle exec rake gitlab:backup:create' /tmp/cron.${GITLAB_USER}; then
echo "Configuring gitlab::backups::schedule..."
gitlab_backup_log="${GITLAB_LOG_DIR}/gitlab/gitlab-backup.log"
read -r hour min <<< "${GITLAB_BACKUP_TIME//[:]/ }"
day_of_month="*"
month="*"
day_of_week="*"
case ${GITLAB_BACKUP_SCHEDULE} in
daily) ;;
weekly) day_of_week=0 ;;
monthly) day_of_month=01 ;;
esac
if [[ -n ${GITLAB_BACKUP_DIR_GROUP} ]]; then
echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} DIRECTORY=${GITLAB_BACKUP_DIR_GROUP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1" >> "/tmp/cron.${GITLAB_USER}"
else
echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1" >> "/tmp/cron.${GITLAB_USER}"
fi
crontab -u ${GITLAB_USER} /tmp/cron.${GITLAB_USER}
fi
rm -rf /tmp/cron.${GITLAB_USER}
;;
esac
}
gitlab_configure_backups_aws() {
echo "Configuring gitlab::backups::aws..."
exec_as_git sed -i "/#start-gcs/,/#end-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-aws/d" ${GITLAB_CONFIG}
if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then
exec_as_git sed -i "/#start-multipart/,/#end-multipart/d" ${GITLAB_CONFIG}
fi
if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then
exec_as_git sed -i "/#start-multipart-aws/,/#end-multipart-aws/d" ${GITLAB_CONFIG}
fi
if [[ ${AWS_BACKUP_ENCRYPTION} != true ]]; then
exec_as_git sed -i "/#start-encryption-aws/,/#end-encryption-aws/d" ${GITLAB_CONFIG}
fi
if [[ -z ${AWS_BACKUP_REGION} && -z ${AWS_BACKUP_ENDPOINT} ]]; then
echo "\nMissing AWS region or endpoint. Aborting...\n"
return 1
fi
if [[ ! -z ${AWS_BACKUP_ENDPOINT} ]]; then
AWS_BACKUP_PATH_STYLE="true"
fi
if [[ -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then
echo "\nMissing AWS options. Aborting...\n"
return 1
fi
update_template ${GITLAB_CONFIG} \
AWS_BACKUP_REGION \
AWS_BACKUP_ENDPOINT \
AWS_BACKUP_PATH_STYLE \
AWS_BACKUP_ACCESS_KEY_ID \
AWS_BACKUP_SECRET_ACCESS_KEY \
AWS_BACKUP_BUCKET \
AWS_BACKUP_MULTIPART_CHUNK_SIZE \
AWS_BACKUP_STORAGE_CLASS \
AWS_BACKUP_SIGNATURE_VERSION
}
gitlab_configure_backup_gcs() {
echo "Configuring gitlab::backups::gcs..."
exec_as_git sed -i "/#start-aws/,/#end-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-gcs/d" ${GITLAB_CONFIG}
if [[ -z ${GCS_BACKUP_ACCESS_KEY_ID} || -z ${GCS_BACKUP_SECRET_ACCESS_KEY} || -z ${GCS_BACKUP_BUCKET} ]]; then
printf "\nMissing GCS options. Aborting...\n"
return 1
fi
update_template ${GITLAB_CONFIG} \
GCS_BACKUP_ACCESS_KEY_ID \
GCS_BACKUP_SECRET_ACCESS_KEY \
GCS_BACKUP_BUCKET
}
gitlab_configure_backups() {
echo "Configuring gitlab::backups..."
update_template ${GITLAB_CONFIG} \
GITLAB_BACKUP_DIR \
GITLAB_BACKUP_EXPIRY \
GITLAB_BACKUP_PG_SCHEMA \
GITLAB_BACKUP_ARCHIVE_PERMISSIONS
gitlab_configure_backups_schedule
if [[ ${AWS_BACKUPS} != true && ${GCS_BACKUPS} != true ]]; then
exec_as_git sed -i "/\s\+#start-aws/,/#end-gcs/d" ${GITLAB_CONFIG}
return 0
fi
if [[ ${AWS_BACKUPS} == true && ${GCS_BACKUPS} == true ]]; then
printf "\nAWS and GCE cannot be enabled together, please choose one...\n"
return 1
fi
if [[ ${AWS_BACKUPS} == true ]]; then
gitlab_configure_backups_aws
fi
if [[ ${GCS_BACKUPS} == true ]]; then
gitlab_configure_backup_gcs
fi
}
gitlab_configure_gravatar() {
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_ENABLED
if [[ -n ${GITLAB_GRAVATAR_HTTP_URL} ]]; then
echo "Configuring gitlab::gravatar::http..."
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTP_URL
else
exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTP_URL}}/d" ${GITLAB_CONFIG}
fi
if [[ -n ${GITLAB_GRAVATAR_HTTPS_URL} ]]; then
echo "Configuring gitlab::gravatar::https..."
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTPS_URL
else
exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTPS_URL}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_cron_jobs() {
echo "Configuring gitlab::cron_jobs..."
if [[ -n "${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}" ]]; then
update_template ${GITLAB_CONFIG} GITLAB_PIPELINE_SCHEDULE_WORKER_CRON
else
exec_as_git sed -i "/{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_analytics_google() {
if [[ -n ${GOOGLE_ANALYTICS_ID} ]]; then
echo "Configuring gitlab::analytics:google..."
update_template ${GITLAB_CONFIG} GOOGLE_ANALYTICS_ID
else
exec_as_git sed -i "/{{GOOGLE_ANALYTICS_ID}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_analytics_piwik() {
if [[ -n ${PIWIK_URL} && -n ${PIWIK_SITE_ID} ]]; then
echo "Configuring gitlab::analytics:piwik..."
update_template ${GITLAB_CONFIG} \
PIWIK_URL \
PIWIK_SITE_ID
else
exec_as_git sed -i \
-e "/{{PIWIK_URL}}/d" \
-e "/{{PIWIK_SITE_ID}}/d" \
${GITLAB_CONFIG}
fi
}
gitlab_configure_analytics() {
gitlab_configure_analytics_google
gitlab_configure_analytics_piwik
}
gitlab_configure_rack_attack() {
echo "Configuring gitlab::rack_attack..."
# validity check : RACK_ATTACK_WHITELIST should be an array of valid IP Address string
echo " Validating RACK_ATTACK_WHITELIST..."
/usr/bin/env ruby << SCRIPT
require 'ipaddr'
${RACK_ATTACK_WHITELIST}.each do |host|
begin
printf(" input=%s, to_range=%s\n", host, IPAddr.new(host).to_range)
rescue IPAddr::InvalidAddressError => e
p e
exit 1
rescue => e
put "Unexpected error", e
exit 1
end
end
SCRIPT
update_template ${GITLAB_CONFIG} \
RACK_ATTACK_ENABLED \
RACK_ATTACK_WHITELIST \
RACK_ATTACK_MAXRETRY \
RACK_ATTACK_FINDTIME \
RACK_ATTACK_BANTIME
}
gitlab_configure_ci() {
echo "Configuring gitlab::ci..."
update_template ${GITLAB_CONFIG} \
GITLAB_NOTIFY_ON_BROKEN_BUILDS \
GITLAB_NOTIFY_PUSHER GITLAB_BUILDS_DIR
}
gitlab_configure_artifacts() {
update_template ${GITLAB_CONFIG} \
GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED
if [[ ${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::artifacts:object_store"
if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google ARTIFACTS provider selected removing aws config"
exec_as_git sed -i "/#start-artifacts-aws/,/#end-artifacts-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-artifacts-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-artifacts-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS ARTIFACTS provider selected removing Google config"
exec_as_git sed -i "/#start-artifacts-gcs/,/#end-artifacts-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-artifacts-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-artifacts-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD \
GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD \
GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/path: {{GITLAB_ARTIFACTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::artifacts..."
update_template ${GITLAB_CONFIG} \
GITLAB_ARTIFACTS_ENABLED \
GITLAB_ARTIFACTS_DIR
}
gitlab_configure_packages() {
update_template ${GITLAB_CONFIG} \
GITLAB_PACKAGES_OBJECT_STORE_ENABLED
if [[ ${GITLAB_PACKAGES_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::packages:object_store"
if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google PACKAGES provider selected removing aws config"
exec_as_git sed -i "/#start-packages-aws/,/#end-packages-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-packages-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-packages-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS PACKAGES provider selected removing Google config"
exec_as_git sed -i "/#start-packages-gcs/,/#end-packages-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-packages-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-packages-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD \
GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD \
GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/path: {{GITLAB_PACKAGES_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::packages..."
update_template ${GITLAB_CONFIG} \
GITLAB_PACKAGES_ENABLED \
GITLAB_PACKAGES_DIR
}
gitlab_configure_terraform_state() {
update_template ${GITLAB_CONFIG} \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED
if [[ ${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::terraform_state:object_store"
if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google TERRAFORM STATE provider selected removing aws config"
exec_as_git sed -i "/#start-terraform_state-aws/,/#end-terraform_state-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-terraform_state-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-terraform_state-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS TERRAFORM STATE provider selected removing Google config"
exec_as_git sed -i "/#start-terraform_state-gcs/,/#end-terraform_state-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-terraform_state-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-terraform_state-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::terraform_state..."
update_template ${GITLAB_CONFIG} \
GITLAB_TERRAFORM_STATE_ENABLED \
GITLAB_TERRAFORM_STATE_STORAGE_PATH
}
gitlab_configure_lfs() {
update_template ${GITLAB_CONFIG} \
GITLAB_LFS_OBJECT_STORE_ENABLED \
if [[ ${GITLAB_LFS_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::lfs:object_store"
if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google LFS provider selected removing aws config"
exec_as_git sed -i "/#start-lfs-aws/,/#end-lfs-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-lfs-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-lfs-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS LFS provider selected removing Google config"
exec_as_git sed -i "/#start-lfs-gcs/,/#end-lfs-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-lfs-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-lfs-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD \
GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD \
GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD \
GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/path: {{GITLAB_LFS_OBJECTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::lfs..."
update_template ${GITLAB_CONFIG} \
GITLAB_LFS_ENABLED \
GITLAB_LFS_OBJECTS_DIR
}
gitlab_configure_uploads() {
update_template ${GITLAB_CONFIG} \
GITLAB_UPLOADS_OBJECT_STORE_ENABLED
if [[ ${GITLAB_UPLOADS_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::uploads:object_store"
if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google UPLOADS provider selected removing aws config"
exec_as_git sed -i "/#start-uploads-aws/,/#end-uploads-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-uploads-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-uploads-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS UPLOADS provider selected removing Google config"
exec_as_git sed -i "/#start-uploads-gcs/,/#end-uploads-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-uploads-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-uploads-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD \
GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD \
GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/base_dir: {{GITLAB_UPLOADS_BASE_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::uploads..."
update_template ${GITLAB_CONFIG} \
GITLAB_UPLOADS_STORAGE_PATH \
GITLAB_UPLOADS_BASE_DIR
}
gitlab_configure_mattermost() {
echo "Configuring gitlab::mattermost..."
update_template ${GITLAB_CONFIG} \
GITLAB_MATTERMOST_ENABLED \
GITLAB_MATTERMOST_URL
}
gitlab_configure_project_features() {
echo "Configuring gitlab::project_features..."
update_template ${GITLAB_CONFIG} \
GITLAB_PROJECTS_ISSUES \
GITLAB_PROJECTS_MERGE_REQUESTS \
GITLAB_PROJECTS_WIKI \
GITLAB_PROJECTS_SNIPPETS \
GITLAB_PROJECTS_BUILDS \
GITLAB_PROJECTS_CONTAINER_REGISTRY \
GITLAB_WEBHOOK_TIMEOUT
}
gitlab_configure_registry(){
echo "Configuring gitlab::registry..."
if [[ ${GITLAB_REGISTRY_PORT} == 443 ]]; then
# Sets GITLAB_REGISTRY_PORT empty for the scope of this function.
# This helps us to add an empty key to `.gitlab-ci.yml`.
# Because 443 is the default https port it doesn't need to be included in docker push/pull commands
# and shouldn't be displayed on the gitlab ui.
# Example: `docker pull registry:443/some/image` is the same as `docker pull registry/some/image`
local GITLAB_REGISTRY_PORT=""
fi
update_template ${GITLAB_CONFIG} \
GITLAB_REGISTRY_ENABLED \
GITLAB_REGISTRY_DIR \
GITLAB_REGISTRY_HOST \
GITLAB_REGISTRY_PORT \
GITLAB_REGISTRY_API_URL \
GITLAB_REGISTRY_KEY_PATH \
GITLAB_REGISTRY_ISSUER
}
gitlab_configure_pages(){
echo "Configuring gitlab::pages..."
update_template ${GITLAB_CONFIG} \
GITLAB_PAGES_ENABLED \
GITLAB_PAGES_DOMAIN \
GITLAB_PAGES_PORT \
GITLAB_PAGES_HTTPS \
GITLAB_PAGES_ARTIFACTS_SERVER \
GITLAB_PAGES_ACCESS_CONTROL
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
update_template ${GITLAB_CONFIG} \
GITLAB_PAGES_EXTERNAL_HTTP
else
exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG}
fi
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
update_template ${GITLAB_CONFIG} \
GITLAB_PAGES_EXTERNAL_HTTPS
else
exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTPS}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_sentry(){
echo "Configuring gitlab::sentry..."
update_template ${GITLAB_CONFIG} \
SENTRY_ENABLED \
SENTRY_DSN \
SENTRY_CLIENTSIDE_DSN \
SENTRY_ENVIRONMENT
}
gitlab_configure_content_security_policy(){
echo "Configuring gitlab::content_security_policy..."
update_template ${GITLAB_CONFIG} \
GITLAB_CONTENT_SECURITY_POLICY_ENABLED \
GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC \
GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI
}
nginx_configure_gitlab_ssl() {
if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
echo "Configuring nginx::gitlab::ssl..."
if [[ ! -f ${SSL_CA_CERTIFICATES_PATH} ]]; then
sed -i "/{{SSL_CA_CERTIFICATES_PATH}}/d" ${GITLAB_NGINX_CONFIG}
fi
update_template ${GITLAB_NGINX_CONFIG} \
SSL_CERTIFICATE_PATH \
SSL_KEY_PATH \
SSL_DHPARAM_PATH \
SSL_VERIFY_CLIENT \
SSL_CA_CERTIFICATES_PATH \
SSL_CIPHERS \
SSL_PROTOCOLS
fi
}
nginx_configure_gitlab_hsts() {
if [[ ${GITLAB_HTTPS} == true ]]; then
echo "Configuring nginx::gitlab::hsts..."
if [[ ${NGINX_HSTS_ENABLED} != true ]]; then
sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG}
fi
update_template ${GITLAB_NGINX_CONFIG} NGINX_HSTS_MAXAGE
else
sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG}
fi
}
nginx_configure_gitlab_ipv6() {
if [[ ! -f /proc/net/if_inet6 ]]; then
# disable ipv6 support in nginx for gitlab
sed -i \
-e "/listen \[::\]:80/d" \
-e "/listen \[::\]:443/d" \
${GITLAB_NGINX_CONFIG}
# disable ipv6 support in nginx for pages
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
sed -i \
-e "/listen \[::\]:80/d" \
-e "/listen \[::\]:443/d" \
${GITLAB_PAGES_NGINX_CONFIG}
fi
fi
fi
}
nginx_configure_gitlab_real_ip() {
if [[ ${NGINX_REAL_IP_RECURSIVE} == on && \
-n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then
echo "Configuring nginx::gitlab::real_ip..."
update_template ${GITLAB_NGINX_CONFIG} \
NGINX_REAL_IP_RECURSIVE \
NGINX_REAL_IP_TRUSTED_ADDRESSES
else
NGINX_REAL_IP_RECURSIVE="off"
update_template ${GITLAB_NGINX_CONFIG} \
NGINX_REAL_IP_RECURSIVE
sed -i "/{{NGINX_REAL_IP_TRUSTED_ADDRESSES}}/d" ${GITLAB_NGINX_CONFIG}
fi
}
nginx_configure_gitlab() {
echo "Configuring nginx::gitlab..."
update_template ${GITLAB_NGINX_CONFIG} \
GITLAB_HOME \
GITLAB_INSTALL_DIR \
GITLAB_LOG_DIR \
GITLAB_HOST \
GITLAB_PORT \
NGINX_PROXY_BUFFERING \
NGINX_ACCEL_BUFFERING \
NGINX_X_FORWARDED_PROTO \
NGINX_CUSTOM_GITLAB_SERVER_CONFIG
nginx_configure_gitlab_ssl
nginx_configure_gitlab_hsts
nginx_configure_gitlab_ipv6
nginx_configure_gitlab_real_ip
}
nginx_configure_gitlab_ci() {
if [[ -n $GITLAB_CI_HOST ]]; then
echo "Configuring nginx::gitlab_ci..."
DNS_RESOLVERS=$(cat /etc/resolv.conf | grep '^\s*nameserver' | awk '{print $2}' ORS=' ')
update_template ${GITLAB_CI_NGINX_CONFIG} \
GITLAB_LOG_DIR \
GITLAB_HOST \
GITLAB_CI_HOST \
DNS_RESOLVERS
fi
}
nginx_configure_gitlab_registry() {
if [[ $GITLAB_REGISTRY_ENABLED == true && -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
echo "Configuring nginx::gitlab-registry..."
update_template ${GITLAB_REGISTRY_NGINX_CONFIG} \
GITLAB_LOG_DIR \
GITLAB_REGISTRY_PORT \
GITLAB_REGISTRY_HOST \
GITLAB_REGISTRY_API_URL \
SSL_REGISTRY_KEY_PATH \
SSL_REGISTRY_CERT_PATH \
SSL_REGISTRY_CIPHERS \
SSL_REGISTRY_PROTOCOLS
fi
}
nginx_configure_pages(){
local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g')
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
echo "Configuring nginx::gitlab-pages..."
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then
update_template ${GITLAB_PAGES_NGINX_CONFIG} \
GITLAB_PORT \
GITLAB_PAGES_DOMAIN \
GITLAB_PAGES_PORT \
GITLAB_LOG_DIR \
GITLAB_PAGES_DOMAIN \
SSL_PAGES_CERT_PATH \
SSL_PAGES_KEY_PATH \
SSL_PAGES_CIPHERS \
SSL_PAGES_PROTOCOLS \
SSL_DHPARAM_PATH \
GITLAB_LOG_DIR
else
update_template ${GITLAB_PAGES_NGINX_CONFIG} \
GITLAB_PAGES_DOMAIN \
GITLAB_LOG_DIR
fi
else
echo "Gitlab pages nginx proxy disabled"
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
fi
fi
}
# _|_|_| _| _| _|
# _| _| _| _| _|_|_| _| _|_|_|
# _|_|_| _| _| _| _| _| _| _|
# _| _| _| _| _| _| _| _|
# _| _|_|_| _|_|_| _| _| _|_|_|
map_uidgid() {
USERMAP_ORIG_UID=$(id -u ${GITLAB_USER})
USERMAP_ORIG_GID=$(id -g ${GITLAB_USER})
USERMAP_GID=${USERMAP_GID:-${USERMAP_UID:-$USERMAP_ORIG_GID}}
USERMAP_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
if [[ ${USERMAP_UID} != ${USERMAP_ORIG_UID} ]] || [[ ${USERMAP_GID} != ${USERMAP_ORIG_GID} ]]; then
echo "Mapping UID and GID for ${GITLAB_USER}:${GITLAB_USER} to $USERMAP_UID:$USERMAP_GID"
groupmod -o -g ${USERMAP_GID} ${GITLAB_USER}
sed -i -e "s|:${USERMAP_ORIG_UID}:${USERMAP_GID}:|:${USERMAP_UID}:${USERMAP_GID}:|" /etc/passwd
find ${GITLAB_HOME} -path ${GITLAB_DATA_DIR}/\* -prune -o -print0 | xargs -0 chown -h ${GITLAB_USER}:
fi
}
update_ca_certificates() {
if [[ -f ${SSL_CERTIFICATE_PATH} || -f ${SSL_CA_CERTIFICATES_PATH} || -f ${SSL_REGISTRY_CERT_PATH} ]]; then
echo "Updating CA certificates..."
[[ -f ${SSL_CERTIFICATE_PATH} ]] && cp "${SSL_CERTIFICATE_PATH}" /usr/local/share/ca-certificates/gitlab.crt
[[ -f ${SSL_CA_CERTIFICATES_PATH} ]] && cp "${SSL_CA_CERTIFICATES_PATH}" /usr/local/share/ca-certificates/ca.crt
[[ -f ${SSL_REGISTRY_CERT_PATH} ]] && cp "${SSL_REGISTRY_CERT_PATH}" /usr/local/share/ca-certificates/registry-ca.crt
update-ca-certificates --fresh >/dev/null
fi
}
initialize_logdir() {
echo "Initializing logdir..."
mkdir -p ${GITLAB_LOG_DIR}/supervisor
chmod -R 0755 ${GITLAB_LOG_DIR}/supervisor
chown -R root: ${GITLAB_LOG_DIR}/supervisor
mkdir -p ${GITLAB_LOG_DIR}/nginx
chmod -R 0755 ${GITLAB_LOG_DIR}/nginx
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/nginx
mkdir -p ${GITLAB_LOG_DIR}/gitlab
chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab
mkdir -p ${GITLAB_LOG_DIR}/gitlab-shell
chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab-shell
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab-shell
mkdir -p ${GITLAB_LOG_DIR}/gitaly
chmod -R 0755 ${GITLAB_LOG_DIR}/gitaly
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitaly
}
initialize_datadir() {
echo "Initializing datadir..."
chmod 755 ${GITLAB_DATA_DIR}
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}
# create the ssh directory for server keys
mkdir -p ${GITLAB_DATA_DIR}/ssh
chown -R root: ${GITLAB_DATA_DIR}/ssh
# create the repositories directory and make sure it has the right permissions
mkdir -p ${GITLAB_REPOS_DIR}
chown ${GITLAB_USER}: ${GITLAB_REPOS_DIR}
chmod ug+rwX,o-rwx ${GITLAB_REPOS_DIR}
exec_as_git chmod g+s ${GITLAB_REPOS_DIR}
# create build traces directory
mkdir -p ${GITLAB_BUILDS_DIR}
chmod u+rwX ${GITLAB_BUILDS_DIR}
chown ${GITLAB_USER}: ${GITLAB_BUILDS_DIR}
# gitlab:backup:create does not respect the builds_path configuration, so we
# symlink ${GITLAB_INSTALL_DIR}/builds -> ${GITLAB_BUILDS_DIR}
rm -rf ${GITLAB_INSTALL_DIR}/builds
ln -sf ${GITLAB_BUILDS_DIR} ${GITLAB_INSTALL_DIR}/builds
# create downloads directory
mkdir -p ${GITLAB_DOWNLOADS_DIR}
chmod u+rwX ${GITLAB_DOWNLOADS_DIR}
chown ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR}
# create shared directory
mkdir -p ${GITLAB_SHARED_DIR}
chmod u+rwX ${GITLAB_SHARED_DIR}
chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}
# create the ci_secure_files directory
mkdir -p ${GITLAB_SHARED_DIR}/ci_secure_files
chmod u+rwX ${GITLAB_SHARED_DIR}/ci_secure_files
chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/ci_secure_files
# create external-diffs dir
mkdir -p ${GITLAB_SHARED_DIR}/external-diffs
chmod u+rwX ${GITLAB_SHARED_DIR}/external-diffs
chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/external-diffs
# create artifacts dir
mkdir -p ${GITLAB_ARTIFACTS_DIR}
chmod u+rwX ${GITLAB_ARTIFACTS_DIR}
chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
# create pages dir
mkdir -p ${GITLAB_PAGES_DIR}
chmod u+rwX ${GITLAB_PAGES_DIR}
chown ${GITLAB_USER}: ${GITLAB_PAGES_DIR}
# symlink ${GITLAB_INSTALL_DIR}/shared -> ${GITLAB_DATA_DIR}/shared
rm -rf ${GITLAB_INSTALL_DIR}/shared
ln -sf ${GITLAB_SHARED_DIR} ${GITLAB_INSTALL_DIR}/shared
# create lfs-objects directory
mkdir -p ${GITLAB_LFS_OBJECTS_DIR}
chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR}
chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
# create terraform_state directory
if [[ ${GITLAB_TERRAFORM_STATE_ENABLED} == true ]]; then
mkdir -p ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}
chmod u+rwX ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}
chown ${GITLAB_USER}: ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}
fi
# create registry dir
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
mkdir -p ${GITLAB_REGISTRY_DIR}
chmod u+rwX ${GITLAB_REGISTRY_DIR}
chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
fi
# create packages directory
if [[ ${GITLAB_PACKAGES_ENABLED} == true ]]; then
mkdir -p ${GITLAB_PACKAGES_DIR}
chmod u+rwX ${GITLAB_PACKAGES_DIR}
chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR}
fi
# create the backups directory
mkdir -p ${GITLAB_BACKUP_DIR}
if [[ ${GITLAB_BACKUP_DIR_CHOWN} == true ]]; then
chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR}
fi
# create the uploads directory
mkdir -p ${GITLAB_DATA_DIR}/uploads
chmod 0700 ${GITLAB_DATA_DIR}/uploads
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads
# create the .ssh directory
mkdir -p ${GITLAB_DATA_DIR}/.ssh
touch ${GITLAB_DATA_DIR}/.ssh/authorized_keys
chmod 700 ${GITLAB_DATA_DIR}/.ssh
chmod 600 ${GITLAB_DATA_DIR}/.ssh/authorized_keys
chown -R ${GITLAB_USER}: ${GITLAB_DATA_DIR}/.ssh
}
sanitize_datadir() {
echo "Sanitizing datadir. Please be patient..."
chmod -R ug+rwX,o-rwx ${GITLAB_REPOS_DIR}/
chmod -R ug-s ${GITLAB_REPOS_DIR}/
find ${GITLAB_REPOS_DIR}/ -type d -print0 | xargs -0 chmod g+s
chown -R ${GITLAB_USER}: ${GITLAB_REPOS_DIR}
chmod -R u+rwX ${GITLAB_BUILDS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_BUILDS_DIR}
chmod -R u+rwX ${GITLAB_DOWNLOADS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR}
chmod -R u+rwX ${GITLAB_TEMP_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_TEMP_DIR}
chmod -R u+rwX ${GITLAB_SHARED_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_SHARED_DIR}
chmod -R u+rwX ${GITLAB_ARTIFACTS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
chmod -R u+rwX ${GITLAB_PAGES_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_PAGES_DIR}
chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
# create terraform_state directory
# TODO : wrap with "if [[ _ENABLED ]]" condition
chmod u+rwX ${GITLAB_SHARED_DIR}/terraform_state
chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/terraform_state
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
chmod -R u+rwX ${GITLAB_REGISTRY_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
fi
if [[ ${GITLAB_PACKAGES_ENABLED} ]]; then
chmod u+rwX ${GITLAB_PACKAGES_DIR}
chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR}
fi
find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \;
find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \;
chmod 0700 ${GITLAB_DATA_DIR}/uploads/
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads/
echo "Creating gitlab-shell hooks..."
exec_as_git ${GITLAB_SHELL_INSTALL_DIR}/bin/create-hooks
}
generate_ssh_key() {
echo -n "${1^^} "
ssh-keygen -qt ${1} -N '' -f ${2}
}
generate_ssh_host_keys() {
sed -i "s|^[#]*MaxStartups[^$]*|MaxStartups ${GITLAB_SSH_MAXSTARTUPS}|" /etc/ssh/sshd_config
sed -i "s|#HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g" /etc/ssh/sshd_config
if [[ ! -e ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key ]]; then
echo -n "Generating OpenSSH host keys... "
generate_ssh_key rsa ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key
generate_ssh_key dsa ${GITLAB_DATA_DIR}/ssh/ssh_host_dsa_key
generate_ssh_key ecdsa ${GITLAB_DATA_DIR}/ssh/ssh_host_ecdsa_key
generate_ssh_key ed25519 ${GITLAB_DATA_DIR}/ssh/ssh_host_ed25519_key
echo
fi
# ensure existing host keys have the right permissions
chmod 0600 ${GITLAB_DATA_DIR}/ssh/*_key
chmod 0644 ${GITLAB_DATA_DIR}/ssh/*.pub
}
update_ssh_listen_port() {
sed -i "s|#Port 22|Port ${GITLAB_SSH_LISTEN_PORT}|g" /etc/ssh/sshd_config
}
generate_healthcheck_script() {
# configure healthcheck script
## https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html
local HEALTHCHECK_PROTOCOL="http"
if [[ "${GITLAB_HTTPS}" == true && "${SSL_SELF_SIGNED}" == false ]]; then
HEALTHCHECK_PROTOCOL="${HEALTHCHECK_PROTOCOL}s"
fi
cat > /usr/local/sbin/healthcheck <<EOF
#!/bin/bash
url=${HEALTHCHECK_PROTOCOL}://127.0.0.1${GITLAB_RELATIVE_URL_ROOT}/-/liveness
options=( '--insecure' '--silent' )
curl "\${options[@]}" \$url
[[ "\$(curl \${options[@]} -o /dev/null -I -w '%{http_code}' \$url)" == "200" ]]
EOF
chmod +x /usr/local/sbin/healthcheck
}
configure_container_timezone() {
# Perform sanity check of provided timezone value
if [ -e /usr/share/zoneinfo/${TIMEZONE} ]; then
# Configured timezone is available
# Set localtime
ln -snf /usr/share/zoneinfo/${TIMEZONE} /etc/localtime
# Set timezone
echo ${TIMEZONE} > /etc/timezone
echo "Container TimeZone -> ${TIMEZONE}"
fi
}
initialize_system() {
map_uidgid
initialize_logdir
initialize_datadir
update_ca_certificates
generate_ssh_host_keys
update_ssh_listen_port
configure_container_timezone
install_configuration_templates
rm -rf /var/run/supervisor.sock
}
install_configuration_templates() {
echo "Installing configuration templates..."
install_template ${GITLAB_USER}: gitlabhq/gitlab.yml ${GITLAB_CONFIG} 0640
install_template ${GITLAB_USER}: gitlabhq/database.yml ${GITLAB_DATABASE_CONFIG} 0640
install_template ${GITLAB_USER}: gitlabhq/puma.rb ${GITLAB_PUMA_CONFIG} 0644
install_template ${GITLAB_USER}: gitlabhq/resque.yml ${GITLAB_RESQUE_CONFIG} 0640
install_template ${GITLAB_USER}: gitlabhq/secrets.yml ${GITLAB_SECRETS_CONFIG} 0600
install_template ${GITLAB_USER}: gitlab-shell/config.yml ${GITLAB_SHELL_CONFIG} 0640
install_template ${GITLAB_USER}: gitlabhq/cable.yml ${GITLAB_ACTIONCABLE_CONFIG} 0640
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
install_template ${GITLAB_USER}: gitlabhq/relative_url.rb ${GITLAB_RELATIVE_URL_CONFIG} 0644
fi
if [[ ${SMTP_ENABLED} == true ]]; then
install_template ${GITLAB_USER}: gitlabhq/smtp_settings.rb ${GITLAB_SMTP_CONFIG}
fi
# custom user specified robots.txt
if [[ -f ${GITLAB_ROBOTS_PATH} ]]; then
exec_as_git cp ${GITLAB_ROBOTS_PATH} ${GITLAB_ROBOTS_CONFIG}
fi
## ${GITLAB_NGINX_CONFIG}
if [[ ${GITLAB_HTTPS} == true ]]; then
if [[ -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
install_template root: nginx/gitlab-ssl ${GITLAB_NGINX_CONFIG}
else
echo "SSL Key, SSL Certificate and DHParam were not found."
echo "Assuming that the container is running behind a HTTPS enabled load balancer."
install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}
fi
else
install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}
fi
## ${GITLAB_PAGES_NGINX_CONFIG}
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
install_template ${GITLAB_USER}: gitlab-pages/config ${GITLAB_PAGES_CONFIG} 0640
if [[ ${GITLAB_PAGES_HTTPS} == true && -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG}
else
echo "Gitlab pages nginx proxy disabled"
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
fi
else
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
echo "SSL Key, SSL Certificate were not found."
echo "Assuming that the container is running behind a HTTPS enabled load balancer."
install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG}
else
echo "Gitlab pages nginx proxy disabled"
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
fi
fi
fi
if [[ -n $GITLAB_CI_HOST ]]; then
install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG}
fi
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
if [[ -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
install_template root: nginx/gitlab-registry ${GITLAB_REGISTRY_NGINX_CONFIG}
else
echo "SSL key and certificates for Registry were not found"
echo "Assuming that the Registry is running behind a HTTPS enabled load balancer."
fi
fi
install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
}
configure_gitlab() {
echo "Configuring gitlab..."
update_template ${GITLAB_CONFIG} \
GITLAB_INSTALL_DIR \
GITLAB_SHELL_INSTALL_DIR \
GITLAB_DATA_DIR \
GITLAB_REPOS_DIR \
GITLAB_DOWNLOADS_DIR \
GITLAB_SHARED_DIR \
GITLAB_HOME \
GITLAB_HOST \
GITLAB_PORT \
GITLAB_RELATIVE_URL_ROOT \
GITLAB_HTTPS \
GITLAB_SSH_HOST \
GITLAB_SSH_LISTEN_PORT \
GITLAB_SSH_PORT \
GITLAB_SIGNUP_ENABLED \
GITLAB_IMPERSONATION_ENABLED \
GITLAB_PROJECTS_LIMIT \
GITLAB_USERNAME_CHANGE \
GITLAB_DEFAULT_THEME \
GITLAB_CREATE_GROUP \
GITLAB_ISSUE_CLOSING_PATTERN
gitlab_configure_database
gitlab_configure_redis
gitlab_configure_actioncable
gitlab_configure_secrets
gitlab_configure_sidekiq
gitlab_configure_gitaly
gitlab_configure_monitoring
gitlab_configure_gitlab_workhorse
gitlab_configure_relative_url
gitlab_configure_trusted_proxies
gitlab_configure_puma
gitlab_configure_timezone
gitlab_configure_rack_attack
gitlab_configure_ci
gitlab_configure_artifacts
gitlab_configure_packages
gitlab_configure_terraform_state
gitlab_configure_lfs
gitlab_configure_uploads
gitlab_configure_mattermost
gitlab_configure_project_features
gitlab_configure_mail_delivery
gitlab_configure_mailroom
gitlab_configure_oauth
gitlab_configure_ldap
gitlab_configure_gravatar
gitlab_configure_cron_jobs
gitlab_configure_analytics
gitlab_configure_backups
generate_registry_certificates
gitlab_configure_registry
gitlab_configure_pages
gitlab_configure_sentry
generate_healthcheck_script
gitlab_configure_content_security_policy
# remove stale gitlab.socket
rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket
}
# feature flags are recorded to database (schema "application_settings") so requires DB is (at least) initialized
gitlab_configure_feature_flags() {
echo "Configuring gitlab::feature_flags..."
if [[ -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" && -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then
# Do nothing and reports no error if no targets specified
echo "- No targets specified. skipping..."
return 0
fi
# Build command line argument for script only when target is specified
# If not, scripts fails because option specifier is recognized as feature flags for example
# like "--disable --enable" : for this case, --disable is recognized as a value of option "--enable"
if [[ -n "${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" ]]; then
GITLAB_FEATURE_FLAGS_DISABLE_TARGETS="--disable ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}"
fi
# The same goes for --enable (this is the last option passed to "rails runner" that will be run below)
# For this case (final option), it throws "missing argument" error for execution like:
# like "--disable feature1,feature2 --enable"
if [[ -n "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then
GITLAB_FEATURE_FLAGS_ENABLE_TARGETS="--enable ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}"
fi
PWD_ORG=${PWD}
cd "${GITLAB_INSTALL_DIR}"
# copy the script to temporal directory : to avoid permission issue
cp "${GITLAB_RUNTIME_DIR}/scripts/configure_feature_flags.rb" "${GITLAB_TEMP_DIR}/"
chown "${GITLAB_USER}:" "${GITLAB_TEMP_DIR}/configure_feature_flags.rb"
echo "- Launching rails runner to set feature flags. This will take some time...."
# If arguments are empty, the script will do nothing and print object dump like below:
# - specified feature flags: {:to_be_disabled=>[], :to_be_enabled=>[]}
# DO NOT qupte variables : word splitting must be enabled.
# If disabled, whole string like '--disable feature_name_1,feature_name_2'
# will be recognized as single option and results to invalid argument error
#
# shellcheck disable=SC2086
exec_as_git bundle exec rails runner "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" \
${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS} \
${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}
rm "${GITLAB_TEMP_DIR}/configure_feature_flags.rb"
cd "${PWD_ORG}"
}
configure_gitlab_requires_db() {
gitlab_configure_feature_flags
}
configure_gitlab_shell() {
echo "Configuring gitlab-shell..."
update_template ${GITLAB_SHELL_CONFIG} \
GITLAB_RELATIVE_URL_ROOT \
GITLAB_HOME \
GITLAB_LOG_DIR \
GITLAB_SHELL_INSTALL_DIR \
SSL_SELF_SIGNED \
REDIS_HOST \
REDIS_PORT \
REDIS_DB_NUMBER
# update custom_hooks_dir if set $GITLAB_SHELL_CUSTOM_HOOKS_DIR
if [[ -n ${GITLAB_SHELL_CUSTOM_HOOKS_DIR} ]]; then
exec_as_git sed -i \
"s|custom_hooks_dir:.*|custom_hooks_dir: $GITLAB_SHELL_CUSTOM_HOOKS_DIR|g" \
${GITLAB_SHELL_CONFIG}
fi
}
configure_gitlab_pages() {
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
echo "Configuring gitlab-pages..."
cat > /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
[program:gitlab-pages]
priority=20
directory=${GITLAB_INSTALL_DIR}
environment=HOME=${GITLAB_HOME}
command=/usr/local/bin/gitlab-pages
-pages-domain ${GITLAB_PAGES_DOMAIN}
-pages-root ${GITLAB_PAGES_DIR}
-listen-proxy :8090
EOF
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
-listen-http ${GITLAB_PAGES_EXTERNAL_HTTP}
EOF
fi
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
-listen-https ${GITLAB_PAGES_EXTERNAL_HTTPS}
-root-cert ${SSL_PAGES_CERT_PATH}
-root-key ${SSL_PAGES_KEY_PATH}
EOF
fi
if [[ ${GITLAB_PAGES_ACCESS_CONTROL} == true ]]; then
if [[ -z ${GITLAB_PAGES_ACCESS_SECRET} ]]; then
GITLAB_PAGES_ACCESS_SECRET=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40 ; echo '')
fi
update_template ${GITLAB_PAGES_CONFIG} \
GITLAB_PAGES_ACCESS_CLIENT_ID \
GITLAB_PAGES_ACCESS_CLIENT_SECRET \
GITLAB_PAGES_ACCESS_REDIRECT_URI \
GITLAB_PAGES_ACCESS_SECRET \
GITLAB_PAGES_ACCESS_CONTROL_SERVER \
GITLAB_INSTALL_DIR
if [[ -n ${GITLAB_PAGES_ARTIFACTS_SERVER_URL} ]]; then
update_template ${GITLAB_PAGES_CONFIG} GITLAB_PAGES_ARTIFACTS_SERVER_URL
else
exec_as_git sed -i "/{{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}/d" ${GITLAB_PAGES_CONFIG}
fi
else
update_template ${GITLAB_PAGES_CONFIG} \
GITLAB_INSTALL_DIR
exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_CLIENT_ID}}/d" ${GITLAB_PAGES_CONFIG}
exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_CLIENT_SECRET}}/d" ${GITLAB_PAGES_CONFIG}
exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_REDIRECT_URI}}/d" ${GITLAB_PAGES_CONFIG}
exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_SECRET}}/d" ${GITLAB_PAGES_CONFIG}
exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_CONTROL_SERVER}}/d" ${GITLAB_PAGES_CONFIG}
exec_as_git sed -i "/{{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}/d" ${GITLAB_PAGES_CONFIG}
fi
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
-config ${GITLAB_PAGES_CONFIG}
EOF
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
user=git
autostart=true
autorestart=true
stdout_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log
stderr_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log
EOF
fi
}
configure_nginx() {
echo "Configuring nginx..."
sed -i \
-e "s|worker_processes .*|worker_processes ${NGINX_WORKERS};|" \
-e "s|# server_names_hash_bucket_size 64;|server_names_hash_bucket_size ${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE};|" \
/etc/nginx/nginx.conf
nginx_configure_gitlab
nginx_configure_gitlab_ci
nginx_configure_gitlab_registry
nginx_configure_pages
}
migrate_database() {
# run the `gitlab:setup` rake task if required
QUERY="SELECT count(*) FROM information_schema.tables WHERE table_schema = 'public';"
COUNT=$(PGPASSWORD="${DB_PASS}" psql -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -Atw -c "${QUERY}")
if [[ -z ${COUNT} || ${COUNT} -eq 0 ]]; then
echo "Setting up GitLab for firstrun. Please be patient, this could take a while..."
exec_as_git force=yes bundle exec rake gitlab:setup \
${GITLAB_ROOT_PASSWORD:+GITLAB_ROOT_PASSWORD=$GITLAB_ROOT_PASSWORD} \
${GITLAB_ROOT_EMAIL:+GITLAB_ROOT_EMAIL=$GITLAB_ROOT_EMAIL} >/dev/null
fi
# migrate database if the gitlab version has changed.
CACHE_VERSION=
[[ -f ${GITLAB_TEMP_DIR}/VERSION ]] && CACHE_VERSION=$(cat ${GITLAB_TEMP_DIR}/VERSION)
if [[ ${GITLAB_VERSION} != ${CACHE_VERSION} ]]; then
## version check, only upgrades are allowed
if [[ -n ${CACHE_VERSION} && $(vercmp ${GITLAB_VERSION} ${CACHE_VERSION}) -lt 0 ]]; then
echo
echo "ERROR: "
echo " Cannot downgrade from GitLab version ${CACHE_VERSION} to ${GITLAB_VERSION}."
echo " Only upgrades are allowed. Please use sameersbn/gitlab:${CACHE_VERSION} or higher."
echo " Cannot continue. Aborting!"
echo
return 1
fi
if [[ $(vercmp ${GITLAB_VERSION} 8.0.0) -gt 0 ]]; then
if [[ -n ${CACHE_VERSION} && $(vercmp ${CACHE_VERSION} 8.0.0) -lt 0 ]]; then
echo
echo "ABORT: "
echo " Upgrading to GitLab ${GITLAB_VERSION} from ${CACHE_VERSION} is not recommended."
echo " Please upgrade to version 8.0.5-1 before upgrading to 8.1.0 or higher."
echo " Refer to https://git.io/vur4j for CI migration instructions."
echo " Aborting for your own safety!"
echo
return 1
fi
fi
echo "Migrating database..."
exec_as_git bundle exec rake db:migrate >/dev/null
echo "${GITLAB_VERSION}" > ${GITLAB_TEMP_DIR}/VERSION
rm -rf ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT # force cache cleanup
fi
# clear cache if relative_url has changed.
[[ -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT ]] && CACHE_GITLAB_RELATIVE_URL_ROOT=$(cat ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT)
if [[ ! -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT || ${GITLAB_RELATIVE_URL_ROOT} != ${CACHE_GITLAB_RELATIVE_URL_ROOT} ]]; then
echo "Clearing cache..."
exec_as_git bundle exec rake cache:clear >/dev/null 2>&1
echo "${GITLAB_RELATIVE_URL_ROOT}" > ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT
fi
}
execute_raketask() {
if [[ -z ${1} ]]; then
echo "Please specify the rake task to execute. See https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks"
return 1
fi
if [[ ${1} == gitlab:backup:create ]]; then
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
supervisorctl stop gitlab_extensions:*
supervisorctl stop gitlab:*
fi
if [[ ${1} == gitlab:backup:restore ]]; then
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
supervisorctl stop gitlab_extensions:*
supervisorctl stop gitlab:*
interactive=true
for arg in $@
do
if [[ $arg == BACKUP=* ]]; then
interactive=false
break
fi
done
# user needs to select the backup to restore
if [[ $interactive == true ]]; then
nBackups=$(ls ${GITLAB_BACKUP_DIR}/*_gitlab_backup.tar | wc -l)
if [[ $nBackups -eq 0 ]]; then
echo "No backup present. Cannot continue restore process.".
return 1
fi
echo
for b in $(ls ${GITLAB_BACKUP_DIR} | grep _gitlab_backup | sort -r)
do
echo "$b (created at $(date --date="@${b%%_*_gitlab_backup.tar}" +'%d %b, %G - %H:%M:%S %Z'))"
done
echo
read -p "Select a backup to restore: " file
if [[ -z ${file} ]]; then
echo "Backup not specified. Exiting..."
return 1
fi
if [[ ! -f ${GITLAB_BACKUP_DIR}/${file} ]]; then
echo "Specified backup does not exist. Aborting..."
return 1
fi
BACKUP=${file%%_gitlab_backup.tar}
fi
elif [[ ${1} == gitlab:import:repos ]]; then
# sanitize the datadir to avoid permission issues
sanitize_datadir
fi
echo "Running raketask ${1}..."
exec_as_git bundle exec rake $@ ${BACKUP:+BACKUP=$BACKUP}
}
generate_registry_certificates() {
if [[ ${GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES} == true ]]; then
echo 'Generating GitLab Registry internal certificates for communication between Gitlab and a Docker Registry'
PREVIOUS_DIRECTORY=$(pwd)
# Get directory from cert file path
if [[ -z $GITLAB_REGISTRY_KEY_PATH ]]; then
echo "\$GITLAB_REGISTRY_KEY_PATH is empty"
return 1
fi
DIRECTORY=$(dirname "$GITLAB_REGISTRY_KEY_PATH")
echo "Registry internal certificates will be generated in directory: $DIRECTORY"
# Make certs directory if it doesn't exists
mkdir -p "$DIRECTORY"
# Go to the temporary directory
cd "$DIRECTORY" || return
# Get key filename
KEY_FILENAME=$(basename "$GITLAB_REGISTRY_KEY_PATH")
echo "Registry internal key filename: $KEY_FILENAME"
# Generate cert filename, by default, in same directory as $KEY_FILENAME, with same name, but with extension .crt
CERT_FILENAME=$(echo "$KEY_FILENAME" | sed "s|key|crt|" -)
echo "Registry internal cert filename: $CERT_FILENAME"
# Generate a random password password_file used in the next commands
if [[ -f password_file ]] ; then
echo "password_file exists"
else
openssl rand -hex -out password_file 32
fi
# Create a PKCS#10 certificate request
echo "Generating internal certificate request"
if [[ -f registry.csr ]] ; then
echo "registry.csr exists"
else
openssl req -new -passout file:password_file -newkey rsa:4096 -batch > registry.csr
fi
# Process RSA key
echo "Processing RSA internal key"
if [[ -f $KEY_FILENAME ]] ; then
echo "$KEY_FILENAME exists"
else
openssl rsa -passin file:password_file -in privkey.pem -out "$KEY_FILENAME"
fi
# Generate certificate
echo "Generating internal certificate"
if [[ -f $CERT_FILENAME ]] ; then
echo "$CERT_FILENAME exists"
else
openssl x509 -in registry.csr -out "$CERT_FILENAME" -req -signkey "$KEY_FILENAME" -days 10000
fi
chown -R ${GITLAB_USER}: ${DIRECTORY}
cd ${PREVIOUS_DIRECTORY}
fi
}