gitlab: Establish proper 1 branch for tracking upstream configs

It was my mistake to establish several tracking lines for tracking upstream changes - e.g. in 61544d87 (gitlab: Import nginx http configuration from omnibus-gitlab) we started not from 6fd7b987 (gitlab: Import gitlab-ce & gitlab-shell configs from omnibus-gitlab) -- the first upstream tracking commit on its own branch -- but from 4c127fdd (gitlab: Setup sidekiq service) i.e. from after some changes which already tweaked upstream configuration files. This makes updating gitlab more work than necessary: instead of switching to upstream branch only once, importing all files, and then switching back to master and merging upstream changes only once, we currently have to do that operation 3 times: - for main gitlab settings, - for nginx settings, and - for gitconfig settings which is not convenient and wastes our time. So establish a proper 1 branch for tracking upstream configs: Here we cherry-pick the following commits 61544d87 (gitlab: Import nginx http configuration from omnibus-gitlab) d17f1f5f (gitlab: Sync nginx http configuration from omnibus gitlab) 8f945bd2 (gitlab: Import gitconfig from omnibus-gitlab) e8461571 (gitlab: Sync gitconfig settings from omnibus-gitlab) and later we'll be updating upstream files on a branch starting from this commit and containing upstream changes only. /cc @kazuhiko, @jerome

gitlab: Establish proper 1 branch for tracking upstream configs
It was my mistake to establish several tracking lines for tracking upstream changes - e.g. in 61544d87 (gitlab: Import nginx http configuration from omnibus-gitlab) we started not from 6fd7b987 (gitlab: Import gitlab-ce & gitlab-shell configs from omnibus-gitlab) -- the first upstream tracking commit on its own branch -- but from 4c127fdd (gitlab: Setup sidekiq service) i.e. from after some changes which already tweaked upstream configuration files. This makes updating gitlab more work than necessary: instead of switching to upstream branch only once, importing all files, and then switching back to master and merging upstream changes only once, we currently have to do that operation 3 times: - for main gitlab settings, - for nginx settings, and - for gitconfig settings which is not convenient and wastes our time. So establish a proper 1 branch for tracking upstream configs: Here we cherry-pick the following commits 61544d87 (gitlab: Import nginx http configuration from omnibus-gitlab) d17f1f5f (gitlab: Sync nginx http configuration from omnibus gitlab) 8f945bd2 (gitlab: Import gitconfig from omnibus-gitlab) e8461571 (gitlab: Sync gitconfig settings from omnibus-gitlab) and later we'll be updating upstream files on a branch starting from this commit and containing upstream changes only. /cc @kazuhiko, @jerome
97dcf455 · Kirill Smelkov · 8c62b063 · 97dcf455 · 97dcf455 · 97dcf455
Commit 97dcf455 authored Jan 08, 2016 by Kirill Smelkov
3 changed files
--- a/software/gitlab/template/gitconfig.erb
+++ b/software/gitlab/template/gitconfig.erb
+# This file is managed by gitlab-ctl. Manual changes will be
+# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
+# and run `sudo gitlab-ctl reconfigure`.
+
+[user]
+        name = <%= node['gitlab']['user']['git_user_name'] %>
+        email = <%= node['gitlab']['user']['git_user_email'] %>
+[core]
+        autocrlf = input
--- a/software/gitlab/template/nginx-gitlab-http.conf.erb
+++ b/software/gitlab/template/nginx-gitlab-http.conf.erb
+# This file is managed by gitlab-ctl. Manual changes will be
+# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
+# and run `sudo gitlab-ctl reconfigure`.
+
+## GitLab
+## Modified from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl & https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
+##
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+##################################
+##        CHUNKED TRANSFER      ##
+##################################
+##
+## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
+## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
+## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
+## around this by tweaking this configuration file and either:
+## - installing an old version of Nginx with the chunkin module [2] compiled in, or
+## - using a newer version of Nginx.
+##
+## At the time of writing we do not know if either of these theoretical solutions works.
+## As a workaround users can use Git over SSH to push large files.
+##
+## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+## [1] https://github.com/agentzh/chunkin-nginx-module#status
+## [2] https://github.com/agentzh/chunkin-nginx-module
+##
+###################################
+##         configuration         ##
+###################################
+
+upstream gitlab-workhorse {
+  server unix:<%= node['gitlab']['gitlab-workhorse']['listen_addr'] %>;
+}
+
+<% if @https && @redirect_http_to_https %>
+## Redirects all HTTP traffic to the HTTPS host
+server {
+<% @listen_addresses.each do |listen_address| %>
+  listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
+<% end %>
+  server_name <%= @fqdn %>;
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
+  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
+  error_log   <%= @log_directory %>/gitlab_error.log;
+}
+<% end %>
+
+server {
+<% @listen_addresses.each do |listen_address| %>
+  listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl spdy<% end %>;
+
+  <% if @kerberos_enabled && @kerberos_use_dedicated_port %>
+  listen <%= listen_address %>:<%= @kerberos_port %><% if @kerberos_https %> ssl<% end %>;
+  <% end %>
+
+<% end %>
+  server_name <%= @fqdn %>;
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  root /opt/gitlab/embedded/service/gitlab-rails/public;
+
+  ## Increase this if you want to upload large attachments
+  ## Or if you want to accept large git objects over http
+  client_max_body_size <%= @client_max_body_size %>;
+
+  <% if @https %>
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+  ssl on;
+  ssl_certificate <%= @ssl_certificate %>;
+  ssl_certificate_key <%= @ssl_certificate_key %>;
+  <% if @ssl_client_certificate %>
+  ssl_client_certificate <%= @ssl_client_certificate%>;
+ 	<% end %>
+
+  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
+  ssl_ciphers '<%= @ssl_ciphers %>';
+  ssl_protocols  <%= @ssl_protocols %>;
+  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
+  ssl_session_cache  <%= @ssl_session_cache %>;
+  ssl_session_timeout  <%= @ssl_session_timeout %>;
+
+  <% if @ssl_dhparam %>
+  ssl_dhparam <%= @ssl_dhparam %>;
+  <% end %>
+  <% end %>
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  <%= @log_directory %>/gitlab_access.log gitlab_access;
+  error_log   <%= @log_directory %>/gitlab_error.log;
+
+  location / {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    <%= 'gzip off;' if @https %>
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      <%= @proxy_read_timeout %>;
+    proxy_connect_timeout   <%= @proxy_connect_timeout %>;
+    proxy_redirect          off;
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    <% if @https %>
+    proxy_set_header    X-Forwarded-Ssl     on;
+    <% end %>
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   <%= @https ? "https" : "http" %>;
+
+    proxy_pass http://gitlab-workhorse;
+  }
+
+  <%= @custom_gitlab_server_config %>
+}
--- a/software/gitlab/template/nginx.conf.erb
+++ b/software/gitlab/template/nginx.conf.erb
+# This file is managed by gitlab-ctl. Manual changes will be
+# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
+# and run `sudo gitlab-ctl reconfigure`.
+
+user <%= node['gitlab']['web-server']['username'] %> <%= node['gitlab']['web-server']['group']%>;
+worker_processes <%= @worker_processes %>;
+error_log stderr;
+pid nginx.pid;
+
+daemon off;
+
+events {
+  worker_connections <%= @worker_connections %>;
+}
+
+http {
+  log_format gitlab_access '<%= @gitlab_access_log_format %>';
+  log_format gitlab_ci_access '<%= @gitlab_ci_access_log_format %>';
+  log_format gitlab_mattermost_access '<%= @gitlab_mattermost_access_log_format %>';
+
+  sendfile <%= @sendfile %>;
+  tcp_nopush <%= @tcp_nopush %>;
+  tcp_nodelay <%= @tcp_nodelay %>;
+
+  keepalive_timeout <%= @keepalive_timeout %>;
+
+  gzip <%= @gzip %>;
+  gzip_http_version <%= @gzip_http_version %>;
+  gzip_comp_level <%= @gzip_comp_level %>;
+  gzip_proxied <%= @gzip_proxied %>;
+  gzip_types <%= @gzip_types.join(' ') %>;
+
+  include /opt/gitlab/embedded/conf/mime.types;
+
+  <% if @gitlab_http_config %>
+  include <%= @gitlab_http_config %>;
+  <% end %>
+
+  <% if @gitlab_ci_http_config %>
+  include <%= @gitlab_ci_http_config %>;
+  <% end %>
+
+  <% if @gitlab_pages_http_config %>
+  include <%= @gitlab_pages_http_config %>;
+  <% end %>
+
+  <% if @gitlab_mattermost_http_config %>
+  include <%= @gitlab_mattermost_http_config %>;
+  <% end %>
+
+  <%= @custom_nginx_config %>
+}