# # # # # # # # # # # # # # # # # #
########################### NOTE #####################################
# This file should not receive new settings. All configuration options #
# * are being moved to ApplicationSetting model! #
# If a setting requires an application restart say so in that screen. #
# If you change this file in a merge request, please also create #
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #
# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md #
# Be sure to create a MR against the GDK configuration #
# file (https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/support/templates/gitlab/config/gitlab.yml.erb) too. #
########################################################################
#

#
# 1. Copy file as gitlab.yml
# 2. Update gitlab -> host with your fully qualified domain name
# 3. Update gitlab -> email_from
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
# IMPORTANT: If Git was installed in a different location use that instead.
# You can check with `which git`. If a wrong path of Git is specified, it will
# result in various issues such as failures of GitLab CI builds.
# 5. Review this configuration file for other settings you may want to adjust
production: &base
#
# 1. GitLab app settings
# ==========================
## GitLab settings
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
# Uncomment this line if you want to configure the Rails asset host for a CDN.
# cdn_host: localhost
# The maximum time Puma can spend on the request. This needs to be smaller than the worker timeout.
# Default is 95% of the worker timeout
# Uncomment this line below if your ssh host is different from HTTP/HTTPS one
# (you'd obviously need to replace ssh.host_example.com with your own host).
# Otherwise, ssh host will be set to the `host:` value above
# ssh_host: ssh.host_example.com
# Relative URL support
# WARNING: We recommend using an FQDN to host GitLab in a root path instead
# of using a relative URL.
# Documentation: http://doc.gitlab.com/ce/install/relative_url.html
# Uncomment and customize the following line to run in a non-root path
#
# Content Security Policy
# See https://guides.rubyonrails.org/security.html#content-security-policy
content_security_policy:
# NOTE(review): report_only is false, so the directives below are presumably
# sent as an enforced policy rather than a report-only one — confirm how the
# application maps this flag before tightening or loosening the directives.
report_only: false
directives:
# NOTE(review): base_uri, child_src, font_src and form_action carry no value.
# In CSP, base-uri and form-action do not fall back to default-src, so confirm
# whether an empty value here leaves those two directives unrestricted.
base_uri:
child_src:
# NOTE(review): http://localhost:* and ws://localhost:* are plain-text,
# any-port sources; they look development-oriented and deserve review before
# this policy is used on a production host.
connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
default_src: "'self'"
font_src:
form_action:
frame_ancestors: "'self'"
frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
object_src: "'none'"
# NOTE(review): 'unsafe-eval' permits string-to-code evaluation (eval and
# similar), which reduces the protection CSP gives against script injection;
# http://localhost:* is again a plain-HTTP, any-port source. Keep either only
# if the deployment still needs it.
script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
allowed_hosts: []

# Trusted Proxies
# Customize if you have GitLab behind a reverse proxy which is running on a different machine.
# Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
# NOTE(review): keep this list as narrow as possible. Addresses listed here
# are presumably trusted to report the real client address, so a wide CIDR
# would let any host inside it influence the address recorded for a sign-in —
# confirm against the reverse-proxy setup. With every example commented out,
# the key below has no value.
trusted_proxies:
# Examples:
#- 192.168.1.0/24
#- 192.168.2.1
#- 2001:0db8::/32
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
# user: git
## Date & Time settings
# Uncomment and customize if you want to change the default time zone of GitLab application.
# To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
## Email settings
# Uncomment and set to false if you need to disable email sending from GitLab (default: true)
# email_enabled: true
# Email address used in the "From" field in mails sent by GitLab
email_from: example@example.com
email_display_name: GitLab
email_reply_to: noreply@example.com
email_smime:
# Uncomment and set to true if you need to enable email S/MIME signing (default: false)
# enabled: false
# S/MIME private key file in PEM format, unencrypted
# Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app).
# key_file: /home/git/gitlab/.gitlab_smime_key
# S/MIME public certificate key in PEM format, will be attached to signed messages
# Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app).
# cert_file: /home/git/gitlab/.gitlab_smime_cert
# S/MIME extra CA public certificates in PEM format, will be attached to signed messages
# Optional
# ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs
# Email server smtp settings are in config/initializers/smtp_settings.rb.sample
# File location to read encrypted SMTP secrets from
# email_smtp_secret_file: /mnt/gitlab/smtp.yaml.enc # Default: shared/encrypted_settings/smtp.yaml.enc
# default_can_create_group: false # default: true
# username_changing_enabled: false # default: true - User can change their username/namespace
## 6 - Light Indigo
## 7 - Light Blue
## 8 - Light Green
## 9 - Red
## 10 - Light Red
## Automatic issue closing
# If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
# This happens when the commit is pushed or merged into the default branch of a project.
# When not specified the default issue_closing_pattern as specified below will be used.
# Tip: you can test your closing pattern at http://rubular.com.
# issue_closing_pattern: '\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
## Default project features settings
default_projects_features:
issues: true
merge_requests: true
wiki: true
## Webhook settings
# Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
# webhook_timeout: 10
### GraphQL Settings
# Tells the rails application how long it has to complete a GraphQL request.
# We suggest this value to be higher than the database timeout value
# and lower than the worker timeout set in Puma. (default: 30)
# graphql_timeout: 30
## Repository downloads directory
# When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
# The default is 'shared/cache/archive/' relative to the root of the Rails app.
# repository_downloads_path: shared/cache/archive/
## Impersonation settings
# NOTE(review): impersonation is switched on in this example. Presumably this
# lets a privileged account act as another user; if the feature is not needed,
# set it to false, and otherwise confirm that impersonation sessions are
# logged and reviewed.
impersonation_enabled: true
## Disable jQuery and CSS animations
# disable_animations: true
## Application settings cache expiry in seconds (default: 60)
# application_settings_cache_seconds: 60
## Print initial root password to stdout during initialization (default: false)
# WARNING: setting this to true means that the root password will be printed in
# plaintext. This can be a security risk.
# display_initial_root_password: false
# Allows delivery of emails using Microsoft Graph API with OAuth 2.0 client credentials flow.
microsoft_graph_mailer:
enabled: false
# The unique identifier of the user on whose behalf Microsoft Graph is used.
# user_id: "YOUR-USER-ID"
# The directory tenant the application plans to operate against, in GUID or domain-name format.
# tenant: "YOUR-TENANT-ID"
# The application ID that's assigned to your app. You can find this information in the portal where you registered your app.
# client_id: "YOUR-CLIENT-ID"
# The client secret that you generated for your app in the app registration portal.
# client_secret: "YOUR-CLIENT-SECRET-ID"
# Defaults to "https://login.microsoftonline.com".
# azure_ad_endpoint:
# Defaults to "https://graph.microsoft.com".
# graph_endpoint:
# Allow users to comment on issues and merge requests by replying to notification emails.
# For documentation on how to set this up, see https://docs.gitlab.com/ee/administration/reply_by_email.html
incoming_email:
# The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
# The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
# Please be aware that a placeholder is required for the Service Desk feature to work.
address: "gitlab-incoming+%{key}@gmail.com"
# Email account username
# With third party providers, this is usually the full email address.
# With self-hosted email servers, this is usually the user part of the email address.
user: "gitlab-incoming@gmail.com"
# Email account password
# NOTE(review): a value set here is stored in plaintext and is readable by
# anyone who can read this file. This section also documents
# `encrypted_secret_file`, which reads the incoming email secrets from an
# encrypted file instead; if the password stays here, restrict the file's
# permissions to the GitLab user and keep the file out of version control.
password: "[REDACTED]"
# IMAP server host
host: "imap.gmail.com"
# IMAP server port
port: 993
# Whether the IMAP server uses SSL
ssl: true
# Whether the IMAP server uses StartTLS
start_tls: false
# The mailbox where incoming mail will end up. Usually "inbox".
mailbox: "inbox"
# The log file path for the structured log file.
# Since `mail_room` is run independently of Rails, an absolute path is preferred.
# The default is 'log/mail_room_json.log' relative to the root of the Rails app.
#
# log_path: log/mail_room_json.log
# If you are using Microsoft Graph instead of IMAP, set this to false to retain
# messages in the inbox since deleted messages are auto-expunged after some time.
delete_after_delivery: true
# Whether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after delivery
# Only applies to IMAP. Microsoft Graph will auto-expunge any deleted messages.
expunge_deleted: false
# For Microsoft Graph support
# inbox_method: microsoft_graph
# inbox_options:
# tenant_id: "YOUR-TENANT-ID"
# client_id: "YOUR-CLIENT-ID"
# client_secret: "YOUR-CLIENT-SECRET"
# How mailroom delivers email content to Rails. There are two methods at the moment:
# - sidekiq: mailroom pushes the email content to Sidekiq directly. This job
# is then picked up by Sidekiq.
# - webhook: mailroom triggers a HTTP POST request to Rails web server. The
# content is embedded into the request body.
# Default is sidekiq.
# delivery_method: sidekiq
# When the delivery method is webhook, these settings specify the URL that
# mailroom contacts. Note that the combined URL must not end with "/".
# At the moment, the webhook delivery method doesn't support HTTP/HTTPS via
# UNIX socket.
# gitlab_url: "http://gitlab.example"
# When the delivery method is webhook, this config is the file that
# contains the shared secret key for verifying access for mailroom's
# incoming_email.
# Default is '.gitlab_mailroom_secret' relative to Rails.root (i.e. root of the GitLab app).
# secret_file: /home/git/gitlab/.gitlab_mailroom_secret
# File location to read encrypted incoming email secrets from
# encrypted_secret_file: /mnt/gitlab/smtp.yaml.enc
# Default: shared/encrypted_settings/incoming_email.yaml.enc
## Consolidated object store config
## This will only take effect if the object_store sections are not defined
## within the types (e.g. artifacts, lfs, etc.).
# object_store:
# enabled: false
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
# connection:
# provider: AWS # Only AWS supported at the moment
# aws_access_key_id: AWS_ACCESS_KEY_ID
# aws_secret_access_key: AWS_SECRET_ACCESS_KEY
# region: us-east-1
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
# endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
# storage_options:
# server_side_encryption: AES256 # AES256, aws:kms
# server_side_encryption_kms_key_id: # Amazon Resource Name. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
# objects:
# artifacts:
# bucket: artifacts
# external_diffs:
# bucket: external-diffs
# lfs:
# bucket: lfs-objects
# uploads:
# bucket: uploads
# packages:
# bucket: packages
# dependency_proxy:
# bucket: dependency_proxy
## Build Artifacts
artifacts:
enabled: true
# The location where build artifacts are stored (default: shared/artifacts).
# path: shared/artifacts
# object_store:
# enabled: false
# remote_directory: artifacts # The bucket name
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
# connection:
# provider: AWS # Only AWS supported at the moment
# aws_access_key_id: AWS_ACCESS_KEY_ID
# aws_secret_access_key: AWS_SECRET_ACCESS_KEY
# endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
## Merge request external diff storage
external_diffs:
# If disabled (the default), the diffs are in-database. Otherwise, they can
# be stored on disk, or in object storage
enabled: false
# The location where external diffs are stored (default: shared/lfs-external-diffs).
# storage_path: shared/external-diffs
# object_store:
# enabled: false
# remote_directory: external-diffs
# proxy_download: false
# connection:
# provider: AWS
# aws_access_key_id: AWS_ACCESS_KEY_ID
# aws_secret_access_key: AWS_SECRET_ACCESS_KEY
# region: us-east-1
# The location where LFS objects are stored (default: shared/lfs-objects).
# storage_path: shared/lfs-objects
# Object storage settings for this section; disabled in this example.
object_store:
enabled: false
remote_directory: lfs-objects # Bucket name
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
connection:
provider: AWS
# NOTE(review): the two values below are placeholders for a static access key
# pair. Real keys written here sit in plaintext in this file, and the same
# pattern repeats in the other object_store sections of this file. Scope the
# key to the single bucket it needs, restrict read access to this file, and
# prefer short-lived or role-based credentials where the deployment supports
# them.
aws_access_key_id: AWS_ACCESS_KEY_ID
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
# Use the following options to configure an AWS compatible host
# host: 'localhost' # default: s3.amazonaws.com
# endpoint: 'http://127.0.0.1:9000' # default: nil
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
## Uploads (attachments, avatars, etc...)
uploads:
# The location where uploads objects are stored (default: public/).
# storage_path: public/
# base_dir: uploads/-/system
object_store:
remote_directory: uploads # Bucket name
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
connection:
provider: AWS
aws_access_key_id: AWS_ACCESS_KEY_ID
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
region: us-east-1
# host: 'localhost' # default: s3.amazonaws.com
# endpoint: 'http://127.0.0.1:9000' # default: nil
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
## Packages (maven repository, npm registry, etc...)
# The location where build packages are stored (default: shared/packages).
# storage_path: shared/packages
object_store:
enabled: false
remote_directory: packages # The bucket name
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
connection:
provider: AWS
aws_access_key_id: AWS_ACCESS_KEY_ID
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
region: us-east-1
# host: 'localhost' # default: s3.amazonaws.com
# endpoint: 'http://127.0.0.1:9000' # default: nil
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
## Dependency Proxy
dependency_proxy:
enabled: true
# The location where build packages are stored (default: shared/dependency_proxy).
# storage_path: shared/dependency_proxy
object_store:
enabled: false
remote_directory: dependency_proxy # The bucket name
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
connection:
provider: AWS
aws_access_key_id: AWS_ACCESS_KEY_ID
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
region: us-east-1
# host: 'localhost' # default: s3.amazonaws.com
# endpoint: 'http://127.0.0.1:9000' # default: nil
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
## Terraform state
terraform_state:
enabled: true
# The location where Terraform state files are stored (default: shared/terraform_state).
# storage_path: shared/terraform_state
object_store:
enabled: false
remote_directory: terraform # The bucket name
connection:
provider: AWS
aws_access_key_id: AWS_ACCESS_KEY_ID
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
region: us-east-1
# host: 'localhost' # default: s3.amazonaws.com
# endpoint: 'http://127.0.0.1:9000' # default: nil
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
## CI Secure Files
ci_secure_files:
enabled: true
# storage_path: shared/ci_secure_files
object_store:
enabled: false
remote_directory: ci-secure-files # The bucket name
connection:
provider: AWS
aws_access_key_id: AWS_ACCESS_KEY_ID
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
region: us-east-1
# host: 'localhost' # default: s3.amazonaws.com
# endpoint: 'http://127.0.0.1:9000' # default: nil
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
# The location where pages are stored (default: shared/pages).
# path: shared/pages
# The domain under which the pages are served:
# http://group.example.com/project
# or project path can be a group page: group.example.com
port: 80 # Set to 443 if you serve the pages with HTTPS
https: false # Set to true if you serve the pages with HTTPS
artifacts_server: true # Set to false if you want to disable online view of HTML artifacts

# external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
# external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
# File that contains the shared secret key for verifying access for gitlab-pages.
# Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app).
# secret_file: /home/git/gitlab/.gitlab_pages_secret
object_store:
enabled: false
remote_directory: pages # The bucket name
connection:
provider: AWS
aws_access_key_id: AWS_ACCESS_KEY_ID
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
region: us-east-1
local_store:
enabled: true
# The location where pages are stored (default: shared/pages).
# path: shared/pages
## Mattermost
## For enabling Add to Mattermost button
mattermost:
enabled: false
host: 'https://mattermost.example.com'
## Jira connect
## To switch to a Jira connect development environment
jira_connect:
# atlassian_js_url: 'http://localhost:9292/atlassian.js'
# enforce_jira_base_url_https: false
# additional_iframe_ancestors: ['localhost:*']
## If using gravatar.com, there's nothing to change here. For Libravatar
## you'll need to provide the custom URLs. For more information,
## see: https://docs.gitlab.com/ee/administration/libravatar.html
# Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username}
# plain_url: "http://..." # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
# ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
log_format: json # (text is the original format)
# An array of tuples indicating the rules for re-routing a worker to a
# desirable queue before scheduling. For example:
# routing_rules:
# - ["resource_boundary=cpu", "cpu_boundary"]
# - ["feature_category=pages", null]
# - ["*", "default"]
# Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
# Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
cron_jobs:
# Interval, in seconds, for each Sidekiq process to check for scheduled cron jobs that need to be enqueued. If not
# set, the interval scales dynamically with the number of Sidekiq processes. If set to 0, disable polling for cron
# jobs entirely.
# poll_interval: 30
# Flag stuck CI jobs as failed
stuck_ci_jobs_worker:
cron: "0 * * * *"
pipeline_schedule_worker:
cron: "3-59/10 * * * *"
# Remove expired build artifacts
expire_build_artifacts_worker:
# Remove expired pipeline artifacts
ci_pipelines_expire_artifacts_worker:
cron: "*/23 * * * *"
# Remove files from object storage
ci_schedule_delete_objects_worker:
cron: "*/16 * * * *"
# Stop expired environments
environments_auto_stop_cron_worker:
cron: "24 * * * *"
# Delete stopped environments
environments_auto_delete_cron_worker:
cron: "34 * * * *"
# Periodically run 'git fsck' on all repositories. If started more than
# once per hour you will have concurrent 'git fsck' jobs.
# Archive live traces which have not been archived yet
ci_archive_traces_cron_worker:
cron: "17 * * * *"
# Send emails for personal tokens which are about to expire
personal_access_tokens_expiring_worker:
cron: "0 1 * * *"
# Remove outdated repository archives
repository_archive_cache_worker:
cron: "0 * * * *"
# Verify custom GitLab Pages domains
pages_domain_verification_cron_worker:
cron: "*/15 * * * *"
# Periodically migrate diffs from the database to external storage
schedule_migrate_external_diffs_worker:
cron: "15 * * * *"
# Update CI Platform Metrics daily
ci_platform_metrics_update_cron_worker:
cron: "47 9 * * *"
# Periodically update ci_runner_versions table with up-to-date versions and status.
ci_runner_versions_reconciliation_worker:
# Periodically clean up stale runner machines.
ci_runners_stale_machines_cleanup_worker:
cron: "36 * * * *"
# GitLab EE only jobs. These jobs are automatically enabled for an EE
# installation, and ignored for a CE installation.
ee_cron_jobs:
# Schedule snapshots for all devops adoption segments
analytics_devops_adoption_create_all_snapshots_worker:
# Snapshot active users statistics
historical_data_worker:
cron: "0 12 * * *"
# In addition to refreshing users when they log in,
# periodically refresh LDAP users membership.
# NOTE: This will only take effect if LDAP is enabled
ldap_sync_worker:
cron: "30 1 * * *"
# Periodically refresh LDAP groups membership.
# NOTE: This will only take effect if LDAP is enabled
ldap_group_sync_worker:
cron: "0 * * * *"
# GitLab Geo metrics update worker
# NOTE: This will only take effect if Geo is enabled
geo_metrics_update_worker:
cron: "*/1 * * * *"
# GitLab Geo prune event log worker
# NOTE: This will only take effect if Geo is enabled (primary node only)
geo_prune_event_log_worker:
cron: "*/5 * * * *"
# GitLab Geo repository sync worker
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
geo_repository_sync_worker:
cron: "*/1 * * * *"
# GitLab Geo registry backfill worker
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
geo_secondary_registry_consistency_worker:
cron: "* * * * *"
# GitLab Geo blob registry sync worker (for backfilling)
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
geo_registry_sync_worker:
cron: "*/1 * * * *"
# GitLab Geo repository registry sync worker (for backfilling)
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
geo_repository_registry_sync_worker:
cron: "*/1 * * * *"
# Elasticsearch bulk updater for incremental updates.
# NOTE: This will only take effect if elasticsearch is enabled.
elastic_index_bulk_cron_worker:
cron: "*/1 * * * *"
# Elasticsearch bulk updater for initial updates.
# NOTE: This will only take effect if elasticsearch is enabled.
elastic_index_initial_bulk_cron_worker:
cron: "*/1 * * * *"
# Elasticsearch reindexing worker
# NOTE: This will only take effect if elasticsearch is enabled.
# NOTE(review): this key repeats `elastic_index_initial_bulk_cron_worker` from
# the entry directly above (cron "*/1 * * * *"). Duplicate mapping keys are
# invalid YAML and most parsers silently keep the last one, so the initial
# bulk updater would end up on the "*/10 * * * *" schedule and the reindexing
# worker would get no entry at all. The comment suggests a different worker
# name was intended — confirm the correct key before relying on this stanza.
elastic_index_initial_bulk_cron_worker:
cron: "*/10 * * * *"
# Periodically prune stale runners from namespaces having opted-in.
# Periodically queue syncing of finished builds from p_ci_finished_build_ch_sync_events to ClickHouse
click_house_ci_finished_builds_sync_worker:
cron: "*/3 * * * *"
# port: 5005
# api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
# issuer: gitlab-issuer
# notification_secret: '' # only set it when you use Geo replication feature without built-in Registry
# Add notification settings if you plan to use Geo Replication for the registry
# notifications:
# - name: geo_event
# url: https://example.com/api/v4/container_registry_event/events
# timeout: 2s
# threshold: 5
# backoff: 1s
# headers:
# Authorization: secret_phrase
## Error Reporting and Logging with Sentry
sentry:
# enabled: false
# dsn: https://<key>@sentry.io/<project>
# clientside_dsn: https://<key>@sentry.io/<project>
# environment: 'production' # e.g. development, staging, production
## Geo
# NOTE: These settings will only take effect if Geo is enabled
geo:
# This is an optional identifier which Geo nodes can use to identify themselves.
# For example, if external_url is the same for two secondaries, you must specify
# a unique Geo node name for those secondaries.
#
# If it is blank, it defaults to external_url.
node_name: ''
registry_replication:
# enabled: true
# primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API
## Feature Flag https://docs.gitlab.com/ee/operations/feature_flags.html
feature_flags:
unleash:
# enabled: false
# url: https://gitlab.com/api/v4/feature_flags/unleash/<project_id>
# app_name: gitlab.com # Environment name of your GitLab instance
# instance_id: INSTANCE_ID
# 2. GitLab CI settings
# ==========================
gitlab_ci:
# Default project notifications settings:
# The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
# builds_path: builds/
#
# 3. Auth settings
# ==========================
## LDAP settings
# You can test connections and inspect a sample of the LDAP users with login
# access by running:
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
# File location to read encrypted secrets from
# secret_file: /mnt/gitlab/ldap.yaml.enc # Default: shared/encrypted_settings/ldap.yaml.enc
# This setting controls the number of seconds between LDAP permission checks
# for each user. After this time has expired for a given user, their next
# interaction with GitLab (a click in the web UI, a git pull, etc.) will be
# slower because the LDAP permission check is being performed. How much
# slower depends on your LDAP setup, but it is not uncommon for this check
# to add seconds of waiting time. The default value is to have a "slow
# click" once every 3600 seconds (i.e., once per hour).
#
# Warning: if you set this value too low, every click in GitLab will be a
# "slow click" for all of your LDAP users.
# sync_time: 3600
##########################################################################
#
# Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
# Enterprise Edition now supports connecting to multiple LDAP servers.
#
# If you are updating from the old (pre-7.4) syntax, you MUST give your
# old server the ID 'main'.
#
##########################################################################
main: # 'main' is the GitLab 'provider ID' of this LDAP server
## label
#
# A human-friendly name for your LDAP server. It is OK to change the label later,
# for instance if you find out it is too large to fit on the web page.
#
# Example: 'Paris' or 'Acme, Ltd.'
label: 'LDAP'
# Hostname of the LDAP server (placeholder value; replace before use).
host: '_your_ldap_server'
# This port is an example, it is sometimes different but it is always an integer and not a string
port: 389 # usually 636 for SSL
uid: 'sAMAccountName' # This should be the attribute, not the value that maps to uid.
# Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com'
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
# NOTE(review): the bind password is stored in plaintext in this file. The
# LDAP section also documents a `secret_file` option that reads encrypted
# secrets instead; if the password stays here, restrict read access to this
# file and give the bind account only the directory permissions it needs.
password: '_the_password_of_the_bind_user'
# Encryption method. The "method" key is deprecated in favor of
# "encryption".
#
# Examples: "start_tls" or "simple_tls" or "plain"
#
# Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
# replaced with "simple_tls".
#
# NOTE(review): with 'plain' the connection to the LDAP server is not
# encrypted, so the bind password above and the credentials users submit at
# sign-in cross the network in cleartext. Use "start_tls" or "simple_tls"
# unless the link to the server is protected some other way.
encryption: 'plain'
# Enables SSL certificate verification if encryption method is
# "start_tls" or "simple_tls". Defaults to true.
# NOTE(review): per the description above this has no effect while
# `encryption` is 'plain'; keep it true when switching to an encrypted method
# so the server's identity is actually checked.
verify_certificates: true
# OpenSSL::SSL::SSLContext options.
tls_options:
# Specifies the path to a file containing a PEM-format CA certificate,
# e.g. if you need to use an internal CA.
#
# Example: '/etc/ca.pem'
#
ca_file: ''
# Specifies the SSL version for OpenSSL to use, if the OpenSSL default
# is not appropriate.
#
# Example: 'TLSv1_1'
#
# NOTE(review): the example value is TLS 1.1, which RFC 8996 deprecates.
# Leave this empty to keep the OpenSSL default unless the LDAP server
# requires pinning a version, and then pin a currently supported one.
ssl_version: ''
# Specific SSL ciphers to use in communication with LDAP servers.
#
# Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
# NOTE(review): the example starts from ALL and only subtracts a few classes,
# so it is a permissive list. An empty value presumably leaves the OpenSSL
# default in place — confirm before copying the example.
ciphers: ''
# Client certificate
#
# Example:
# cert: |
# -----BEGIN CERTIFICATE-----
# MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
# bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
# CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4
# rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
# ...
# 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80
# Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==
# -----END CERTIFICATE-----
cert: ''
# Client private key
# key: |
# -----BEGIN PRIVATE KEY-----
# MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6
# bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN
# 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C
# rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
# ...
# +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9
# l6RG+a/mW+0rCWn8JAd464Ps9hE=
# -----END PRIVATE KEY-----
key: ''
# Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
# a request if the LDAP server becomes unresponsive.
# A value of 0 means there is no timeout.
timeout: 10
# Enable smartcard authentication against the LDAP server. Valid values
# are "false", "optional", and "required".
smartcard_auth: false
# This setting specifies if LDAP server is Active Directory LDAP server.
# For non AD servers it skips the AD specific queries.
# If your LDAP server is not AD, set this to false.
active_directory: true
# If allow_username_or_email_login is enabled, GitLab will ignore everything
# after the first '@' in the LDAP username submitted by the user on login.
#
# Example:
# - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
# - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: false
# To maintain tight control over the number of active users on your GitLab installation,

# enable this setting to keep new users blocked until they have been cleared by the admin
block_auto_created_users: false
# Base where we can search for users
#
# Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com'
#
base: ''
# Filter LDAP users
#
# Format: RFC 4515 https://www.rfc-editor.org/rfc/rfc4515
# Ex. (employeeType=developer)
#
# Note: GitLab does not support omniauth-ldap's custom filter syntax.
#
# Example for getting only specific users:
# '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'
#
user_filter: ''
# Base where we can search for groups
#
# Ex. ou=Groups,dc=gitlab,dc=example
#
group_base: ''
# LDAP group of users who should be admins in GitLab
#
# Ex. GLAdmins
#
admin_group: ''
# LDAP group of users who should be marked as external users in GitLab
#
# Ex. ['Contractors', 'Interns']
#
external_groups: []
# Name of attribute which holds a ssh public key of the user object.
# If false or nil, SSH key synchronisation will be disabled.
#
# Ex. sshpublickey
#
sync_ssh_keys: false
# Retry the LDAP search connection if it returns empty results with the specified response code(s)
#
# Ex. [80]
# retry_empty_result_with_codes: []
# LDAP attributes that GitLab will use to create an account for the LDAP user.
# The specified attribute can either be the attribute name as a string (e.g. 'mail'),
# or an array of attribute names to try in order (e.g. ['mail', 'email']).
# Note that the user's LDAP login will always be the attribute specified as `uid` above.
attributes:
# The username will be used in paths for the user's own projects
# (like `gitlab.example.com/username/project`) and when mentioning
# them in issues, merge request and comments (like `@username`).
# If the attribute specified for `username` contains an email address,
# the GitLab username will be the part of the email address before the '@'.
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
# If no full name could be found at the attribute specified for `name`,
# the full name is determined using the attributes specified for
# `first_name` and `last_name`.
name: 'cn'
first_name: 'givenName'
last_name: 'sn'
# If lowercase_usernames is enabled, GitLab will lower case the username.
lowercase_usernames: false
# GitLab EE only: add more LDAP servers
# Choose an ID made of a-z and 0-9 . This ID will be stored in the database
# so that GitLab can remember which LDAP server a user belongs to.
# uswest2:
# label:
# host:
# ....
## Smartcard authentication settings
smartcard:
# Allow smartcard authentication
enabled: false
# Path to a file containing a CA certificate bundle
# Host and port where the client side certificate is requested by the
# webserver (NGINX/Apache)
# client_certificate_required_host: smartcard.gitlab.example.com
# client_certificate_required_port: 3444
# Browser session with smartcard sign-in is required for Git access
# required_for_git_access: false
# Use X.509 SAN extensions certificates to identify GitLab users
# Add a subjectAltName to your certificates like: email:user
# san_extensions: true
## Kerberos settings
kerberos:
# Allow the HTTP Negotiate authentication method for Git clients
enabled: false
# Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
# and should be different from other keytabs in the system.
# (default: use default keytab from Krb5 config)
# keytab: /etc/http.keytab
# The Kerberos service name to be used by GitLab.
# (default: accept any service name in keytab file)
# service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM
# Kerberos realms/domains that are allowed to automatically link LDAP identities.
# By default, GitLab accepts a realm that matches the domain derived from the
# LDAP `base` DN. For example, `ou=users,dc=example,dc=com` would allow users
# with a realm matching `example.com`.
# simple_ldap_linking_allowed_realms: ['example.com','kerberos.example.com']
# Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
# To support both Basic and Negotiate methods with older versions of Git, configure
# nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
# to dedicate this port to Kerberos authentication. (default: false)
# use_dedicated_port: true
# port: 8443
# https: true